* [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts
@ 2018-04-30 15:41 Christian Decker
2018-04-30 23:00 ` Jim Posen
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Christian Decker @ 2018-04-30 15:41 UTC (permalink / raw)
To: lightning-dev, bitcoin-dev
(cross-posting to bitcoin-dev since this serves as motivation behind the
sighash_noinput proposal)
> TL;DR: we announce a new, simple, update mechanism for off-chain protocols,
> see the announcement [1] and the paper [2] :-)
A little over a year ago, the three Lightning Network implementation
teams joined forces to work on a common specification for the protocol
stack. Now that both that specification and our three implementations
are becoming stable and usable, it is time to look forward: to further
improve the protocol, to add new features, to simplify, and to fix
downsides.
One of the core innovations that enabled Lightning in the first place was an
off-chain update mechanism to renegotiate a new state and ensure that the old
state can not be settled on-chain. Today, we're excited to release our latest
research paper on a new, simplified, update mechanism for layer 2 protocols,
called eltoo.
eltoo is a drop-in replacement for the penalty based invalidation
mechanism that is used today in the Lightning specification. It is
similar in many ways to the sequence number mechanism that was already
present in the original Bitcoin implementation. But, while sequence
numbers were unenforceable on the blockchain, eltoo is enforceable by
overriding subsequent states on-chain.
Unlike the current mechanism used in Lightning so far, it is not penalty
based, i.e., publishing an old state does not result in the faulty node
to automatically lose funds, and is most similar to the duplex
micropayment channels construction. It is a symmetric scheme, i.e., all
participants share an identical set of transactions, and it ensures that the
last agreed upon state is settled on-chain, with similar tradeoffs as
today's Lightning (timelock vs. online requirement).
eltoo addresses some of the issues we encountered while speficying and
implementing the Lightning Network. For example outsourcing becomes very
simple since old states becoming public can't hurt us anymore. We
completely remove the need to estimate fees ahead of time. The
construction allows us to attach fees when settling, and even allows for
fees to be bumped using CPFP or RBF.
Beyond Lightning, eltoo can be used as a generic update mechanism for an
off-chain contract, for a larger number of participants. This was not
possible in the current update mechanism since reactions to a
misbehaving participant needed to be tailore to that participant. This
enables other protocols such as the channel factories, and in
combination with Schnorr signatures allows for very large off-chain
contracts with minimal on-chain footprint.
Before we can implement eltoo, we need a minor change to Bitcoin: the
introduction of the SIGHASH_NOINPUT flag for signatures. This was first
discussed a few months ago in the context of watchtowers to help secure
Lightning channels, but was not formally proposed. A formal proposal may
now be found in the eltoo paper.
We invite the community to consider our proposal and to participate in
its discussion. We hope to arrive at a consensus for the usage of
SIGHASH_NOINPUT, so that it can be accepted and included in a future
soft fork of Bitcoin Script. Doing so will put us on the road to a more
reliable and simpler Lightning Network, incorporating a new update
mechanism that can also be used for many other applications.
The full official announcement can be found at [1] and the paper with the full
details can be found at [2].
Looking forward to the communities feedback,
Christian
[1] https://blockstream.com/2018/04/30/eltoo-next-lightning.html
[2] https://blockstream.com/eltoo.pdf
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-04-30 15:41 [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts Christian Decker @ 2018-04-30 23:00 ` Jim Posen 2018-05-01 5:01 ` ZmnSCPxj 2018-05-01 11:36 ` Christian Decker 2018-05-01 5:07 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj [not found] ` <20180619115618.ppycfvdh76rdagfo@email> 2 siblings, 2 replies; 14+ messages in thread From: Jim Posen @ 2018-04-30 23:00 UTC (permalink / raw) To: Christian Decker, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 5250 bytes --] This construction is pretty neat and seems to solve a lot of problems. I find the use of CLTV with past timestamps to provide ordering in particular to be quite clever. If my understanding is correct though, this construction would significantly increase the safe CLTV delta requirements because HTLCs cannot be timed out immediately on the settlement transaction. Consider a case where node B receives an HTLC from A and forwards to C. If the HTLC offered to C times out and C does not fail the HTLC off-chain, Lightning currently guarantees that the CLTV delta is sufficient that I may close the channel to C on-chain and claim the timed-out HTLC before my upstream HTLC to A times out. If the CLTV delta is too small, I may fail the upstream HTLC as soon as it times out, and then C may still claim the downstream HTLC with the preimage on-chain. With eltoo, when B closes the downstream channel on-chain, it must wait the CSV timeout on the update transaction before locking in the timed-out HTLC. This effectively means the CLTV delta has to be greater than the CSV timeout, plus some extra (whereas it is currently safe to make it significantly shorter). Is that true or am I missing something? On Mon, Apr 30, 2018 at 8:41 AM, Christian Decker via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > (cross-posting to bitcoin-dev since this serves as motivation behind the > sighash_noinput proposal) > > > TL;DR: we announce a new, simple, update mechanism for off-chain > protocols, > > see the announcement [1] and the paper [2] :-) > > A little over a year ago, the three Lightning Network implementation > teams joined forces to work on a common specification for the protocol > stack. Now that both that specification and our three implementations > are becoming stable and usable, it is time to look forward: to further > improve the protocol, to add new features, to simplify, and to fix > downsides. > > One of the core innovations that enabled Lightning in the first place was > an > off-chain update mechanism to renegotiate a new state and ensure that the > old > state can not be settled on-chain. Today, we're excited to release our > latest > research paper on a new, simplified, update mechanism for layer 2 > protocols, > called eltoo. > > eltoo is a drop-in replacement for the penalty based invalidation > mechanism that is used today in the Lightning specification. It is > similar in many ways to the sequence number mechanism that was already > present in the original Bitcoin implementation. But, while sequence > numbers were unenforceable on the blockchain, eltoo is enforceable by > overriding subsequent states on-chain. > > Unlike the current mechanism used in Lightning so far, it is not penalty > based, i.e., publishing an old state does not result in the faulty node > to automatically lose funds, and is most similar to the duplex > micropayment channels construction. It is a symmetric scheme, i.e., all > participants share an identical set of transactions, and it ensures that > the > last agreed upon state is settled on-chain, with similar tradeoffs as > today's Lightning (timelock vs. online requirement). > > eltoo addresses some of the issues we encountered while speficying and > implementing the Lightning Network. For example outsourcing becomes very > simple since old states becoming public can't hurt us anymore. We > completely remove the need to estimate fees ahead of time. The > construction allows us to attach fees when settling, and even allows for > fees to be bumped using CPFP or RBF. > > Beyond Lightning, eltoo can be used as a generic update mechanism for an > off-chain contract, for a larger number of participants. This was not > possible in the current update mechanism since reactions to a > misbehaving participant needed to be tailore to that participant. This > enables other protocols such as the channel factories, and in > combination with Schnorr signatures allows for very large off-chain > contracts with minimal on-chain footprint. > > Before we can implement eltoo, we need a minor change to Bitcoin: the > introduction of the SIGHASH_NOINPUT flag for signatures. This was first > discussed a few months ago in the context of watchtowers to help secure > Lightning channels, but was not formally proposed. A formal proposal may > now be found in the eltoo paper. > > We invite the community to consider our proposal and to participate in > its discussion. We hope to arrive at a consensus for the usage of > SIGHASH_NOINPUT, so that it can be accepted and included in a future > soft fork of Bitcoin Script. Doing so will put us on the road to a more > reliable and simpler Lightning Network, incorporating a new update > mechanism that can also be used for many other applications. > > The full official announcement can be found at [1] and the paper with the > full > details can be found at [2]. > > Looking forward to the communities feedback, > Christian > > [1] https://blockstream.com/2018/04/30/eltoo-next-lightning.html > [2] https://blockstream.com/eltoo.pdf > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 6214 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-04-30 23:00 ` Jim Posen @ 2018-05-01 5:01 ` ZmnSCPxj 2018-05-01 11:36 ` Christian Decker 1 sibling, 0 replies; 14+ messages in thread From: ZmnSCPxj @ 2018-05-01 5:01 UTC (permalink / raw) To: Jim Posen, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1462 bytes --] Good morning Jim, > If my understanding is correct though, this construction would significantly increase the safe CLTV delta requirements because HTLCs cannot be timed out immediately on the settlement transaction. Consider a case where node B receives an HTLC from A and forwards to C. If the HTLC offered to C times out and C does not fail the HTLC off-chain, Lightning currently guarantees that the CLTV delta is sufficient that I may close the channel to C on-chain and claim the timed-out HTLC before my upstream HTLC to A times out. If the CLTV delta is too small, I may fail the upstream HTLC as soon as it times out, and then C may still claim the downstream HTLC with the preimage on-chain. With eltoo, when B closes the downstream channel on-chain, it must wait the CSV timeout on the update transaction before locking in the timed-out HTLC. This effectively means the CLTV delta has to be greater than the CSV timeout, plus some extra (whereas it is currently safe to make it significantly shorter). Is that true or am I missing something? I believe this is quite true; indeed only the LN-penalty/Poon-Dryja channels do not have this drawback, as Decker-Wattenhofer invalidation trees also have the same drawback that the CSV and CLTV add up. However the worst-case invalidation tree total CSV timeouts under Decker-Wattenhofer can grow quite massive; it seems the new eltoo Decker-Russell-Osuntokun CSV timeouts can be shorter. Regards, ZmnSCPxj [-- Attachment #2: Type: text/html, Size: 1684 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-04-30 23:00 ` Jim Posen 2018-05-01 5:01 ` ZmnSCPxj @ 2018-05-01 11:36 ` Christian Decker 2018-05-01 15:50 ` Jim Posen 1 sibling, 1 reply; 14+ messages in thread From: Christian Decker @ 2018-05-01 11:36 UTC (permalink / raw) To: Jim Posen, Bitcoin Protocol Discussion Jim Posen <jim.posen@gmail.com> writes: > If my understanding is correct though, this construction would > significantly increase the safe CLTV delta requirements because HTLCs > cannot be timed out immediately on the settlement transaction. Consider a > case where node B receives an HTLC from A and forwards to C. If the HTLC > offered to C times out and C does not fail the HTLC off-chain, Lightning > currently guarantees that the CLTV delta is sufficient that I may close the > channel to C on-chain and claim the timed-out HTLC before my upstream HTLC > to A times out. If the CLTV delta is too small, I may fail the upstream > HTLC as soon as it times out, and then C may still claim the downstream > HTLC with the preimage on-chain. With eltoo, when B closes the downstream > channel on-chain, it must wait the CSV timeout on the update transaction > before locking in the timed-out HTLC. This effectively means the CLTV delta > has to be greater than the CSV timeout, plus some extra (whereas it is > currently safe to make it significantly shorter). Is that true or am I > missing something? That's a good point Jim. We need to make sure that the CLTVs are far enough in the future for the CSV timeout to expire and to grab any preimage downstream and insert it upstream. Overall this results in an offset of all the CLTVs to (less than) the maximum CSV timeout along the path. This would be a fixed offset for each channel and can be announced using the gossip protocol, so senders can take it into consideration when computing the routes. Notice that this is not really the CLTV delta, which would accumulate along the path, but an offset on which the CLTV deltas build on. In today's network we have many nodes that have a CLTV delta of 144 blocks, which quickly results in HTLC funds unavailable for several days depending on the route length, so I don't think that adding a fixed offset is much worse. Once we have watch-towers we can reduce both the offset as well as the CLTV deltas. Since eltoo makes watch-towers less expensive, given the reduced storage costs, I'd argue that it's a net positive for the Lightning network (but then again I'm biased) :-) ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 11:36 ` Christian Decker @ 2018-05-01 15:50 ` Jim Posen 2018-05-01 16:29 ` Christian Decker 0 siblings, 1 reply; 14+ messages in thread From: Jim Posen @ 2018-05-01 15:50 UTC (permalink / raw) To: Christian Decker; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2466 bytes --] Can you explain why a fixed offset along the whole circuit is enough to ensure safely as opposed to an increased delta at each hop? On Tue, May 1, 2018, 5:05 AM Christian Decker <decker.christian@gmail.com> wrote: > Jim Posen <jim.posen@gmail.com> writes: > > If my understanding is correct though, this construction would > > significantly increase the safe CLTV delta requirements because HTLCs > > cannot be timed out immediately on the settlement transaction. Consider a > > case where node B receives an HTLC from A and forwards to C. If the HTLC > > offered to C times out and C does not fail the HTLC off-chain, Lightning > > currently guarantees that the CLTV delta is sufficient that I may close > the > > channel to C on-chain and claim the timed-out HTLC before my upstream > HTLC > > to A times out. If the CLTV delta is too small, I may fail the upstream > > HTLC as soon as it times out, and then C may still claim the downstream > > HTLC with the preimage on-chain. With eltoo, when B closes the downstream > > channel on-chain, it must wait the CSV timeout on the update transaction > > before locking in the timed-out HTLC. This effectively means the CLTV > delta > > has to be greater than the CSV timeout, plus some extra (whereas it is > > currently safe to make it significantly shorter). Is that true or am I > > missing something? > > That's a good point Jim. We need to make sure that the CLTVs are far > enough in the future for the CSV timeout to expire and to grab any > preimage downstream and insert it upstream. Overall this results in an > offset of all the CLTVs to (less than) the maximum CSV timeout along the > path. This would be a fixed offset for each channel and can be announced > using the gossip protocol, so senders can take it into consideration > when computing the routes. Notice that this is not really the CLTV > delta, which would accumulate along the path, but an offset on which the > CLTV deltas build on. > > In today's network we have many nodes that have a CLTV delta of 144 > blocks, which quickly results in HTLC funds unavailable for several days > depending on the route length, so I don't think that adding a fixed > offset is much worse. Once we have watch-towers we can reduce both the > offset as well as the CLTV deltas. Since eltoo makes watch-towers less > expensive, given the reduced storage costs, I'd argue that it's a net > positive for the Lightning network (but then again I'm biased) :-) > [-- Attachment #2: Type: text/html, Size: 2960 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 15:50 ` Jim Posen @ 2018-05-01 16:29 ` Christian Decker 2018-05-01 17:07 ` Jim Posen 0 siblings, 1 reply; 14+ messages in thread From: Christian Decker @ 2018-05-01 16:29 UTC (permalink / raw) To: Jim Posen; +Cc: Bitcoin Protocol Discussion Jim Posen <jim.posen@gmail.com> writes: > Can you explain why a fixed offset along the whole circuit is enough to > ensure safely as opposed to an increased delta at each hop? Sure. Let's assume we have chosen a path `A->B->C->D->E`. For simplicity let's assume they all have a CLTV delta of 144 blocks (lnd's default setting). Furthermore let's assume that the CSV timeout for the channels is also 144. This means that with the current LN-penalty mechanism you'd have the following CLTV deltas in the HTLC: ``` A -(576)-> B -(432)-> C -(288)-> D -(144)-> E ``` Meaning that if the current time is approaching the absolute CLTV we need initiate a channel closure to safely fetch the preimage on-chain, and be able to turn around and send it on the upstream channel. This is minimal, but can be arbitrarily higher, if you follow the best practice of obfuscating the final destination by building a shadow route behind the real recipient, and add it's CLTV deltas and fees to your route. With eltoo you'd need to make sure that you have the settlement transaction confirmed before your desired CLTV timeout delta begins to count down. So if the CLTV of the HTLC is `now + CSV timeout + CLTV delta` you need to initiate a close, whereas Lightning allows you to wait for time `now + CLTV delta`. Effectively this results in the following time deltas: ``` A -(576+144)-> B -(432+144)-> C -(288+144)-> D -(144+144)-> E ``` Taking the last hop for example, if we had a CLTV of 1000 with eltoo we'd need to start closing at height 712, instead of 856 with LN-penalty. However, this increased delta does not accumulate along the path, it's just a fixed offset. The longer the route, the smaller the actual impact of this offset. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 16:29 ` Christian Decker @ 2018-05-01 17:07 ` Jim Posen 2018-05-01 17:31 ` Christian Decker 0 siblings, 1 reply; 14+ messages in thread From: Jim Posen @ 2018-05-01 17:07 UTC (permalink / raw) To: Christian Decker; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2712 bytes --] I'm still not following why this doesn't accumulate. In the example route, let's look at it from the point of view of C. C sees the following regardless of whether D or E or someone behind E is the last hop in the route: B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D So D is not required to reveal the preimage before time X, and in the case of an on-chain settle, C needs to be able to redeem the HTLC output through the timeout clause before time X + delta. C can't redeem the HTLC (with sufficient confirmations) at least until the settlement transaction is confirmed. So it seems to me that regardless of the overall route and the maximum CSV on it, the delta for the C hop has to be greater than the CSV delay on the update transaction. And that this must be true at every hop for the same reason. On Tue, May 1, 2018 at 9:29 AM, Christian Decker <decker.christian@gmail.com > wrote: > Jim Posen <jim.posen@gmail.com> writes: > > Can you explain why a fixed offset along the whole circuit is enough to > > ensure safely as opposed to an increased delta at each hop? > > Sure. Let's assume we have chosen a path `A->B->C->D->E`. For simplicity > let's assume they all have a CLTV delta of 144 blocks (lnd's default > setting). Furthermore let's assume that the CSV timeout for the channels > is also 144. > > This means that with the current LN-penalty mechanism you'd have the > following CLTV deltas in the HTLC: > > ``` > A -(576)-> B -(432)-> C -(288)-> D -(144)-> E > ``` > > Meaning that if the current time is approaching the absolute CLTV we > need initiate a channel closure to safely fetch the preimage on-chain, > and be able to turn around and send it on the upstream channel. > > This is minimal, but can be arbitrarily higher, if you follow the best > practice of obfuscating the final destination by building a shadow route > behind the real recipient, and add it's CLTV deltas and fees to your > route. > > With eltoo you'd need to make sure that you have the settlement > transaction confirmed before your desired CLTV timeout delta begins to > count down. So if the CLTV of the HTLC is `now + CSV timeout + CLTV > delta` you need to initiate a close, whereas Lightning allows you to > wait for time `now + CLTV delta`. Effectively this results in the > following time deltas: > > ``` > A -(576+144)-> B -(432+144)-> C -(288+144)-> D -(144+144)-> E > ``` > > Taking the last hop for example, if we had a CLTV of 1000 with eltoo > we'd need to start closing at height 712, instead of 856 with > LN-penalty. However, this increased delta does not accumulate along the > path, it's just a fixed offset. The longer the route, the smaller the > actual impact of this offset. > [-- Attachment #2: Type: text/html, Size: 3798 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 17:07 ` Jim Posen @ 2018-05-01 17:31 ` Christian Decker 2018-05-02 1:15 ` Jim Posen 0 siblings, 1 reply; 14+ messages in thread From: Christian Decker @ 2018-05-01 17:31 UTC (permalink / raw) To: Jim Posen; +Cc: Bitcoin Protocol Discussion Jim Posen <jim.posen@gmail.com> writes: > I'm still not following why this doesn't accumulate. > > In the example route, let's look at it from the point of view of C. C sees > the following regardless of whether D or E or someone behind E is the last > hop in the route: > > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D > > So D is not required to reveal the preimage before time X, and in the case > of an on-chain settle, C needs to be able to redeem the HTLC output through > the timeout clause before time X + delta. C can't redeem the HTLC (with > sufficient confirmations) at least until the settlement transaction is > confirmed. So it seems to me that regardless of the overall route and the > maximum CSV on it, the delta for the C hop has to be greater than the CSV > delay on the update transaction. And that this must be true at every hop > for the same reason. That'd be a purely reactionary behavior, i.e., chosing the delta in such a way that I can both settle the channel and have enough time to react to turn around and reveal the preimage. So with the assumptions we had before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of 288 on each hop, yes. That's basically the case in which each channel reacts serially. You can trivially parallelize these closures by looking ahead and noticing that each hop really just cares about its own closure deadline, i.e., each node just cares to close 288 blocks before the CLTV expires, not that its delta w.r.t. to the downstream channel is that far in the future. So all we care about is that once we are due to give the upstream hop the preimage we've already closed the downstream channel and can now read the HTLC preimage from that channel. The CSV timeout isn't part of the delta on each hop, but we need to implement the deadline computation as: ``` CLTV - CLTV delta - CSV ``` instead of LN-penaltiy's ``` CLTV - CLTV delta ``` ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 17:31 ` Christian Decker @ 2018-05-02 1:15 ` Jim Posen 2018-05-07 23:26 ` Olaoluwa Osuntokun 0 siblings, 1 reply; 14+ messages in thread From: Jim Posen @ 2018-05-02 1:15 UTC (permalink / raw) To: Christian Decker; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4765 bytes --] OK, I see what you are saying. You are effectively suggesting pipelining the broadcasts of the update transactions. I think this introduces a problem that a node in the circuit that withholds the preimage for too long can force all upstream channels to be closed, at only the expense of their one upstream channel being closed. I believe such an attack could significantly disrupt the network. Let me elaborate on the way I'm thinking about this: So say I'm a routing node with an upstream HTLC with CLTV = X. I need to ensure that if I learn the preimage, that I have time to broadcast and confirm an HTLC-success transaction before height X. We'll call this number of blocks D_success. So if I know the preimage, let's say X - D_success is the latest height that I can safely broadcast the HTLC-success transaction, assuming the settlement transaction is already final (ie. the update transaction is confirmed and the CSV delay has passed). So now I also need to know when to close the channel with the update transaction. I'll assume it will take at most D_update blocks from the time I broadcast the update transaction for it to be mined. So unless the downstream HTLC is already failed, I should always close the upstream channel at height X - D_success - CSV_update - D_update. Now we'll look at the downstream HTLC with CLTV = Y. In order to minimize the safe delta between the upstream and downstream CLTVs, I will want to broadcast and confirm an HTLC-timeout transaction as soon after height Y as possible. So assuming that the downstream settlement transaction is final at height Y and it takes at most D_timeout blocks for the HTLC timeout transaction to confirm once it is final assuming no double spends, then Y + D_timeout is very latest I might learn the payment preimage from the downstream channel on-chain. So I should be safe as long as X - D_success > Y + D_timeout. This assumes that the update transaction for the downstream channel is already mined and the CSV has passed. However, we know from above that I had to close the upstream channel at time X - D_success - CSV_update - D_update, which may very well be before Y. So if the downstream hop waits until just before Y to publish the preimage, they can force me to close my upstream channel. This applies transitively for further upstream hops, assuming a large enough CSV value. Granted, upstream hops can watch the blockchain for preimage reveals in other closings transaction and perhaps fulfill off-chain if there is sufficient time. This would not be possible with payment decorrelation through scriptless scripts or the like. Does that logic sound right to you? On Tue, May 1, 2018 at 10:31 AM, Christian Decker < decker.christian@gmail.com> wrote: > Jim Posen <jim.posen@gmail.com> writes: > > I'm still not following why this doesn't accumulate. > > > > In the example route, let's look at it from the point of view of C. C > sees > > the following regardless of whether D or E or someone behind E is the > last > > hop in the route: > > > > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D > > > > So D is not required to reveal the preimage before time X, and in the > case > > of an on-chain settle, C needs to be able to redeem the HTLC output > through > > the timeout clause before time X + delta. C can't redeem the HTLC (with > > sufficient confirmations) at least until the settlement transaction is > > confirmed. So it seems to me that regardless of the overall route and the > > maximum CSV on it, the delta for the C hop has to be greater than the CSV > > delay on the update transaction. And that this must be true at every hop > > for the same reason. > > That'd be a purely reactionary behavior, i.e., chosing the delta in such > a way that I can both settle the channel and have enough time to react > to turn around and reveal the preimage. So with the assumptions we had > before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of > 288 on each hop, yes. That's basically the case in which each channel > reacts serially. > > You can trivially parallelize these closures by looking ahead and > noticing that each hop really just cares about its own closure deadline, > i.e., each node just cares to close 288 blocks before the CLTV expires, > not that its delta w.r.t. to the downstream channel is that far in the > future. So all we care about is that once we are due to give the > upstream hop the preimage we've already closed the downstream channel > and can now read the HTLC preimage from that channel. > > The CSV timeout isn't part of the delta on each hop, but we need to > implement the deadline computation as: > > ``` > CLTV - CLTV delta - CSV > ``` > > instead of LN-penaltiy's > > ``` > CLTV - CLTV delta > ``` > [-- Attachment #2: Type: text/html, Size: 5516 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-02 1:15 ` Jim Posen @ 2018-05-07 23:26 ` Olaoluwa Osuntokun 2018-05-10 13:57 ` Christian Decker 0 siblings, 1 reply; 14+ messages in thread From: Olaoluwa Osuntokun @ 2018-05-07 23:26 UTC (permalink / raw) To: Jim Posen, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7668 bytes --] Hi Jimpo, You're correct that the introduction of symmetric state now re-introduces the dependency between the CSV value of the commitment, and the HTLC timeouts. It's worth nothing that this issue existed in an earlier version of the BOLT spec, this was pointed out by Mats in the past: [1][2]. The dependency meant that if we wanted to allow very long CSV time outs (like 1 month +), then this would have the adverse effect of increasing the total CLTV timeout along the entire route. As a result, we moved to the 2-stage HTLC scheme which is now implemented and deployed as a part of BOLT 1.0. It may be the case that in the mid to near future, most implementations aren't concerned about long time locks due to the existence of robust and reliable private outsourcers. As a side effect of the way the symmetric state changes the strategy around breach attempts, we may see more breach attempts (and therefore update transactions) on the chain since attempting to cheat w/ vanilla symmetric state is now "costless" (worst case we just use the latest state, best case I can commit the state better for me. This is in stark contrast to punishment/slashing based approaches where a failed breach attempt results in the cheating party losing all their funds. However, with a commitment protocol that uses symmetric state. The 2-stage HTLC scheme doesn't actually apply. Observe that with Lighting's current asymmetric state commitment protocol, the "clock" starts ticking as soon as the commitment hits the chain, and we follow the "if an output pays to me, it must be delayed as I may be attempting a breach". With symmetric state this no longer applies, the clock instead starts "officially" ticking after the latest update transaction has hit the chain, and there are no further challenges. As a result of this, the commitment transaction itself doesn't need to have any CSV delays within the Script branches of the outputs it creates. Instead, each of those outputs can be immediately be spent as the challenge period has already elapsed, and from the PoV of the chain, this is now the "correct" commitment. Due to this, the HTLC outputs would now be symmetric themselves, and look very much like an HTLC output that one would use in a vanilla on-chain cross-chain atomic swap. [1]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000182.html [2]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-November/000339.html On Tue, May 1, 2018 at 6:15 PM Jim Posen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > OK, I see what you are saying. You are effectively suggesting pipelining > the broadcasts of the update transactions. I think this introduces a > problem that a node in the circuit that withholds the preimage for too long > can force all upstream channels to be closed, at only the expense of their > one upstream channel being closed. I believe such an attack could > significantly disrupt the network. > > Let me elaborate on the way I'm thinking about this: > > So say I'm a routing node with an upstream HTLC with CLTV = X. I need to > ensure that if I learn the preimage, that I have time to broadcast and > confirm an HTLC-success transaction before height X. We'll call this number > of blocks D_success. So if I know the preimage, let's say X - D_success is > the latest height that I can safely broadcast the HTLC-success transaction, > assuming the settlement transaction is already final (ie. the update > transaction is confirmed and the CSV delay has passed). So now I also need > to know when to close the channel with the update transaction. I'll assume > it will take at most D_update blocks from the time I broadcast the update > transaction for it to be mined. So unless the downstream HTLC is already > failed, I should always close the upstream channel at height X - D_success > - CSV_update - D_update. > > Now we'll look at the downstream HTLC with CLTV = Y. In order to minimize > the safe delta between the upstream and downstream CLTVs, I will want to > broadcast and confirm an HTLC-timeout transaction as soon after height Y as > possible. So assuming that the downstream settlement transaction is final > at height Y and it takes at most D_timeout blocks for the HTLC timeout > transaction to confirm once it is final assuming no double spends, then Y + > D_timeout is very latest I might learn the payment preimage from the > downstream channel on-chain. So I should be safe as long as X - D_success > > Y + D_timeout. This assumes that the update transaction for the downstream > channel is already mined and the CSV has passed. However, we know from > above that I had to close the upstream channel at time X - D_success - > CSV_update - D_update, which may very well be before Y. So if the > downstream hop waits until just before Y to publish the preimage, they can > force me to close my upstream channel. This applies transitively for > further upstream hops, assuming a large enough CSV value. > > Granted, upstream hops can watch the blockchain for preimage reveals in > other closings transaction and perhaps fulfill off-chain if there is > sufficient time. This would not be possible with payment decorrelation > through scriptless scripts or the like. > > Does that logic sound right to you? > > On Tue, May 1, 2018 at 10:31 AM, Christian Decker < > decker.christian@gmail.com> wrote: > >> Jim Posen <jim.posen@gmail.com> writes: >> > I'm still not following why this doesn't accumulate. >> > >> > In the example route, let's look at it from the point of view of C. C >> sees >> > the following regardless of whether D or E or someone behind E is the >> last >> > hop in the route: >> > >> > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D >> > >> > So D is not required to reveal the preimage before time X, and in the >> case >> > of an on-chain settle, C needs to be able to redeem the HTLC output >> through >> > the timeout clause before time X + delta. C can't redeem the HTLC (with >> > sufficient confirmations) at least until the settlement transaction is >> > confirmed. So it seems to me that regardless of the overall route and >> the >> > maximum CSV on it, the delta for the C hop has to be greater than the >> CSV >> > delay on the update transaction. And that this must be true at every hop >> > for the same reason. >> >> That'd be a purely reactionary behavior, i.e., chosing the delta in such >> a way that I can both settle the channel and have enough time to react >> to turn around and reveal the preimage. So with the assumptions we had >> before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of >> 288 on each hop, yes. That's basically the case in which each channel >> reacts serially. >> >> You can trivially parallelize these closures by looking ahead and >> noticing that each hop really just cares about its own closure deadline, >> i.e., each node just cares to close 288 blocks before the CLTV expires, >> not that its delta w.r.t. to the downstream channel is that far in the >> future. So all we care about is that once we are due to give the >> upstream hop the preimage we've already closed the downstream channel >> and can now read the HTLC preimage from that channel. >> >> The CSV timeout isn't part of the delta on each hop, but we need to >> implement the deadline computation as: >> >> ``` >> CLTV - CLTV delta - CSV >> ``` >> >> instead of LN-penaltiy's >> >> ``` >> CLTV - CLTV delta >> ``` >> > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 9418 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-07 23:26 ` Olaoluwa Osuntokun @ 2018-05-10 13:57 ` Christian Decker 0 siblings, 0 replies; 14+ messages in thread From: Christian Decker @ 2018-05-10 13:57 UTC (permalink / raw) To: Olaoluwa Osuntokun, Bitcoin Protocol Discussion, Jim Posen, Bitcoin Protocol Discussion Olaoluwa Osuntokun via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> writes: > Hi Jimpo, > > You're correct that the introduction of symmetric state now > re-introduces the dependency between the CSV value of the commitment, > and the HTLC timeouts. It's worth nothing that this issue existed in > an earlier version of the BOLT spec, this was pointed out by Mats in > the past: [1][2]. The dependency meant that if we wanted to allow very > long CSV time outs (like 1 month +), then this would have the adverse > effect of increasing the total CLTV timeout along the entire route. As > a result, we moved to the 2-stage HTLC scheme which is now implemented > and deployed as a part of BOLT 1.0. It may be the case that in the mid > to near future, most implementations aren't concerned about long time > locks due to the existence of robust and reliable private > outsourcers. It's worth mentioning that the requirement for extremely large CLTV deltas would already create incredibly long CLTV deltas between the endpoints, since the endpoint delta accumulates along the path. This is true for LN-Penalty as well as eltoo. eltoo's requirement to settle before the HTLCs touch the blockchain adds a stage in which need to start on-chain settlement to ensure the HTLC hits the chain before its CLTV expires. We can imagine this as a separate timewindow, that does not accumulate across multiple hops (settlement ordering is not an issue, CLTV resolution is). My hope is that indeed with the simpler watch-towers we can reduce both the CLTV deltas as well as the settlement timeouts for eltoo, so that they become negligible. > As a side effect of the way the symmetric state changes the strategy > around breach attempts, we may see more breach attempts (and therefore > update transactions) on the chain since attempting to cheat w/ vanilla > symmetric state is now "costless" (worst case we just use the latest > state, best case I can commit the state better for me. This is in > stark contrast to punishment/slashing based approaches where a failed > breach attempt results in the cheating party losing all their funds. Not exactly costless, since the breaching party will have to pay the on-chain fees, and we may be able to reintroduce the reserve in order to add an additional punishment on top of the simple update mechanism (selectively introducing asymmetry). > However, with a commitment protocol that uses symmetric state. The > 2-stage HTLC scheme doesn't actually apply. Observe that with > Lighting's current asymmetric state commitment protocol, the "clock" > starts ticking as soon as the commitment hits the chain, and we follow > the "if an output pays to me, it must be delayed as I may be > attempting a breach". With symmetric state this no longer applies, the > clock instead starts "officially" ticking after the latest update > transaction has hit the chain, and there are no further challenges. As > a result of this, the commitment transaction itself doesn't need to > have any CSV delays within the Script branches of the outputs it > creates. Instead, each of those outputs can be immediately be spent as > the challenge period has already elapsed, and from the PoV of the > chain, this is now the "correct" commitment. Due to this, the HTLC > outputs would now be symmetric themselves, and look very much like an > HTLC output that one would use in a vanilla on-chain cross-chain > atomic swap. In addition to this it is worth pointing out that the old/replaced HTLCs have no way of ever touching the blockchain, so we can throw away a whole heap of data about these HTLCs, that we would have to carry around indefinitely if this were not the case. The same reason the HTLCs start ticking when a settlement touches the chain in LN-penalty is also the reason we need to carry all that data around. eltoo can be said to contain the two stage HTLC commit we added on top of LN-penalty. Cheers, Christian ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-04-30 15:41 [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts Christian Decker 2018-04-30 23:00 ` Jim Posen @ 2018-05-01 5:07 ` ZmnSCPxj 2018-05-01 11:38 ` Christian Decker [not found] ` <20180619115618.ppycfvdh76rdagfo@email> 2 siblings, 1 reply; 14+ messages in thread From: ZmnSCPxj @ 2018-05-01 5:07 UTC (permalink / raw) To: Christian Decker; +Cc: bitcoin-dev, lightning-dev Good morning Christian, This is very interesting indeed! I have started skimming through the paper. I am uncertain if the below text is correct? > Throughout this paper we will use the terms *input script* to refer to `witnessProgram` and `scriptPubKey`, and *output script* to refer to the `witness` or `scriptSig`. Figure 2 contains to what looks to me like a `witnessProgram`, `scriptPubKey`, or `redeemScript` but refers to it as an "output script": > OP_IF > 10 OP_CSV > 2 As Bs 2 OP_CHECKMULTISIGVERIFY > OP_ELSE > 2 Au Bu 2 OP_CHECKMULTISIGVERIFY > OP_ENDIF > > Figure 2: The output script used by the on-chain update transactions. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts 2018-05-01 5:07 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj @ 2018-05-01 11:38 ` Christian Decker 0 siblings, 0 replies; 14+ messages in thread From: Christian Decker @ 2018-05-01 11:38 UTC (permalink / raw) To: ZmnSCPxj; +Cc: bitcoin-dev, lightning-dev ZmnSCPxj <ZmnSCPxj@protonmail.com> writes: > Good morning Christian, > > This is very interesting indeed! > > I have started skimming through the paper. > > I am uncertain if the below text is correct? > >> Throughout this paper we will use the terms *input script* to refer to `witnessProgram` and `scriptPubKey`, and *output script* to refer to the `witness` or `scriptSig`. > > Figure 2 contains to what looks to me like a `witnessProgram`, `scriptPubKey`, or `redeemScript` but refers to it as an "output script": > >> OP_IF >> 10 OP_CSV >> 2 As Bs 2 OP_CHECKMULTISIGVERIFY >> OP_ELSE >> 2 Au Bu 2 OP_CHECKMULTISIGVERIFY >> OP_ENDIF >> >> Figure 2: The output script used by the on-chain update transactions. > > Regards, > ZmnSCPxj Darn last minute changes! Yes, you are right, I seem to have flipped the two definitions. I'll fix that up and push a new version. ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <20180619115618.ppycfvdh76rdagfo@email>]
[parent not found: <87tvpy96lz.fsf@gmail.com>]
[parent not found: <20180619180251.j4l3zvxfmwi5mwlb@email>]
[parent not found: <20180620153150.4mdash2sj7r2aiwo@email>]
* Re: [bitcoin-dev] [Lightning-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts [not found] ` <20180620153150.4mdash2sj7r2aiwo@email> @ 2018-06-22 0:32 ` Rusty Russell 0 siblings, 0 replies; 14+ messages in thread From: Rusty Russell @ 2018-06-22 0:32 UTC (permalink / raw) To: David A. Harding, Christian Decker Cc: Bitcoin Protocol Discussion, lightning-dev "David A. Harding" <dave@dtrt.org> writes: > On Tue, Jun 19, 2018 at 02:02:51PM -0400, David A. Harding wrote: >> Anyone can rewrite a SIGHASH_NOINPUT input's outpoint, but the actual >> transaction containing the settlement is expected to have (at least) two >> inputs, with the second one originating the fees. That second input's >> signature is (I assume) using SIGHASH_ALL to commit to all outpoints in >> the transaction, so it can't be arbitrarily rewritten by a third-party >> to apply to a different state outpoint > > I realized that the fee-paying input could possibly be signed with > SIGHASH_ALL|SIGHASH_ANYONECANPAY to allow anyone to arbitrarily > rewrite the other input signed with SIGHASH_NOINPUT. However, this > reminded me of the well-known DoS against transactions signed with > SIGHASH_ANYONECANPAY[1], which seems to apply generally against > SIGHASH_NOINPUT as well and may allow theft from HTLCs. Yes, RBF Rule #3 again :( It makes RBF unusable in adversarial conditions, and it's not miner incentive-compatible. The only mitigations I have been able to come up with are: 1. Reduce the RBF grouping depth to 2, not 10. This doesn't help here though, since you can still have ~infinite fan-out of txs (create 1000 outputs, spend each with a 400ksipa tx). 2. Revert #3 to a simple "greater feerate" rule, but delay propagation proportional to tx weight, say 60 seconds (fuzzed) for a 400 ksipa tx. That reduces your ability to spam the network (you can always connect directly to nodes and waste their time and bandwidth, but you can do that pretty much today). Frankly, I'd also like a similar mechanism to not reject low-fee txs (above 250 satoshi per ksipa) but simply not propagate them. Drop them after 60 seconds if there's no CPFP to increase their effective feerate. That would allow us to use CPFP on lightning commitment txs today, without having to guess what fees will be sometime in the future. Cheers, Rusty. > ## DoS against Eltoo settlements > > Alice and Mallory have a channel with some state updates. Alice tries > to initiate a cooperate close, but Mallory stalls and instead broadcasts > the trigger transaction and the first state (state 0). Notably, the > first state is bundled into a very large vsize transaction with a low > feerate. State 1 is added to another very large low-feerate > transaction, as are states 2 through 9. > > Alice could in theory RBF the state 0 transaction, but per BIP125 rule > #3, she needs to pay an absolute fee greater than all the transactions > being replaced (not just a higher feerate). That could cost a lot. > Alice could also create a transaction that binds the final state to the > state 9 transaction and attempt CPFP, but increasing the feerate for the > transaction ancestor group to a satisfactory degree would cost the same > amount as RBF. > > So Alice is stuck waiting for states 0-9 to confirm before the final > state can be confirmed. During recent periods of full mempools on > default nodes, the waiting time for 10 nBTC/vbyte transactions has been > more than two weeks. > > ## HTLC theft > > If Mallory is able to introduce significant settlement delays, HTLC > security is compromised. For example, imagine this route: > > Mallory <-> Alice <-> Bob > > Mallory orders a widget from Bob and pays via LN by sending 1 BTC to > Alice hashlocked and timelocked, which Alice forwards to Bob also > hashlocked and timelocked. Mallory releases the preimage to Bob, who > claims the funds from Alice and ships the widget, giving Alice the > preimage. > > At this point, Mallory broadcasts the transactions described in the > preceding section. > > If the low feerate of states 0-9 prevent them from confirming before the > timeout, Mallory can create a transaction containing a dishonest final > state that executes the refund branch. Like before, she can bury this > in an ancestor transaction chain that would be cost prohibitive for Alice > to RBF. > > Considered independently, this is a very expensive attack for Mallory, > and so perhaps impractical. But Mallory can join forces with someone > already creating large low-feerate consolidation transactions. Better > yet, from Mallory's perspective, she can execute the attack against > hundreds of channels at once (creating long chains of ancestor > transactions that are large in aggregate rather than individually > large), using the aggregate size of all the victims' channels against > each of the individual victims. > > Thanks, > > -Dave > > [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2014-August/006438.html > _______________________________________________ > Lightning-dev mailing list > Lightning-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2018-06-22 0:32 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-04-30 15:41 [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts Christian Decker 2018-04-30 23:00 ` Jim Posen 2018-05-01 5:01 ` ZmnSCPxj 2018-05-01 11:36 ` Christian Decker 2018-05-01 15:50 ` Jim Posen 2018-05-01 16:29 ` Christian Decker 2018-05-01 17:07 ` Jim Posen 2018-05-01 17:31 ` Christian Decker 2018-05-02 1:15 ` Jim Posen 2018-05-07 23:26 ` Olaoluwa Osuntokun 2018-05-10 13:57 ` Christian Decker 2018-05-01 5:07 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj 2018-05-01 11:38 ` Christian Decker [not found] ` <20180619115618.ppycfvdh76rdagfo@email> [not found] ` <87tvpy96lz.fsf@gmail.com> [not found] ` <20180619180251.j4l3zvxfmwi5mwlb@email> [not found] ` <20180620153150.4mdash2sj7r2aiwo@email> 2018-06-22 0:32 ` Rusty Russell
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox