Your two latest mails.
> The problem that OP_Expire aims to solve is the fact that Carol could prevent
> Bob from learning about the preimage in time, while still getting a chance to
> use the preimage herself. OP_Expire thoroughly solves that problem by ensuring
> that the preimage is either broadcast in the blockchain in a timely fashion, or
> becomes useless.
I respectfully disagree - There is a more general underlying issue for outdated states in multi-party off-chain constructions, where any "revoked" or "updated" consensus-valid state can be used to jam the latest off-chain agreed-on, through techniques like replacement cycling or pinning.
> My suggestion of pre-signing RBF replacements, without anchor outputs, and with
> all outputs rendered unspendable with 1 CSV, is clearly superior: there are
> zero degrees of freedom to the attacker, other than the possibility of
> increasing the fee paid or broadcasting a revoked commitment. The latter of
> course risks the other party punishing the fraud.
Assuming the max RBF replacement is pre-signed at 200 sats / vb, with commitment transaction of ~268 vbytes and at least one second-stage HTLC transaction of ~175 vbytes including witness size, a channel counterparty must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment value. As of today, any payment under $13 has to become trimmed HTLCs. Trimmed HTLCs are coming with their own wormhole of issues, notably making them a target to be stolen by low-hashrate capabilities attackers [0].
> This does have the practical problem that a set of refund transactions will
> also need to be signed for each fee variant. But, eg, signing 10x of each isn't
> so burdensome. And in the future that problem could be avoided with
> SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism with
> a covenant.
I think if you wish to be safe against fees griefing games between counterparties, both counterparties have to maintain their own fee-bumping reserves, which make channel usage less capital efficient, rather than being drawn from a common reserve.
> Using RBF rather than CPFP with package relay also has the advantage of being
> more efficient, as no blockspace needs to be consumed by the anchor outputs or
> transactions spending them. Of course, there are special circumstances where
> BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg by
> reducing the replacement relay fee, or by delta-encoding transaction updates.
It is left as an exercise to the reader how to break the RBF approach for LN channels as proposed.
> As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing both it
> and OP_Expire could make sense.
I think there is one obvious issue of pre-signing RBF replacements combined with LN-symmetry, namely every state has to pre-commit to fee values attached and such states might spend each other in chain. So now you would need `max-rbf-replacement` * `max-theoretical-number-of-states` of fee-bumping reserves unless you can pipe fee value with some covenant magic, I think.
> In existing anchor output transactions, this type of attack wouldn't work as
> when broadcasting the transaction, Alice would be spending her anchor output,
> which Bob can't double spend.
However Bob can double-spend Alice's commitment transaction with his own commitment transaction and a CPFP, as long as it's a better ancestor feerate and absolute fee package, then double-spend his own CPFP. Which is exactly what my test is doing so I don't think your statement of saying this type of advanced replacement cycling attack wouldn't work isn't correct.
Best,
Antoine