From: Olaoluwa Osuntokun <laolu32@gmail.com>
To: Jim Posen <jim.posen@gmail.com>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts
Date: Mon, 07 May 2018 23:26:05 +0000 [thread overview]
Message-ID: <CAO3Pvs8mf-X4T7fJOgZ9L8uSS3vKhZyvJ1SxL=gbk6b96QuMow@mail.gmail.com> (raw)
In-Reply-To: <CADZtCSgHmyYbumDw6bwfYpoqc9b-0JmHM5-22=Y1FXNDiTghrA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 7668 bytes --]
Hi Jimpo,
You're correct that the introduction of symmetric state now re-introduces
the
dependency between the CSV value of the commitment, and the HTLC timeouts.
It's
worth nothing that this issue existed in an earlier version of the BOLT
spec,
this was pointed out by Mats in the past: [1][2]. The dependency meant that
if
we wanted to allow very long CSV time outs (like 1 month +), then this would
have the adverse effect of increasing the total CLTV timeout along the
entire
route. As a result, we moved to the 2-stage HTLC scheme which is now
implemented and deployed as a part of BOLT 1.0. It may be the case that in
the
mid to near future, most implementations aren't concerned about long time
locks
due to the existence of robust and reliable private outsourcers.
As a side effect of the way the symmetric state changes the strategy around
breach attempts, we may see more breach attempts (and therefore update
transactions) on the chain since attempting to cheat w/ vanilla symmetric
state
is now "costless" (worst case we just use the latest state, best case I can
commit the state better for me. This is in stark contrast to
punishment/slashing based approaches where a failed breach attempt results
in
the cheating party losing all their funds.
However, with a commitment protocol that uses symmetric state. The 2-stage
HTLC
scheme doesn't actually apply. Observe that with Lighting's current
asymmetric
state commitment protocol, the "clock" starts ticking as soon as the
commitment
hits the chain, and we follow the "if an output pays to me, it must be
delayed
as I may be attempting a breach". With symmetric state this no longer
applies,
the clock instead starts "officially" ticking after the latest update
transaction has hit the chain, and there are no further challenges. As a
result
of this, the commitment transaction itself doesn't need to have any CSV
delays
within the Script branches of the outputs it creates. Instead, each of those
outputs can be immediately be spent as the challenge period has already
elapsed,
and from the PoV of the chain, this is now the "correct" commitment. Due to
this, the HTLC outputs would now be symmetric themselves, and look very much
like an HTLC output that one would use in a vanilla on-chain cross-chain
atomic
swap.
[1]:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000182.html
[2]:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-November/000339.html
On Tue, May 1, 2018 at 6:15 PM Jim Posen via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> OK, I see what you are saying. You are effectively suggesting pipelining
> the broadcasts of the update transactions. I think this introduces a
> problem that a node in the circuit that withholds the preimage for too long
> can force all upstream channels to be closed, at only the expense of their
> one upstream channel being closed. I believe such an attack could
> significantly disrupt the network.
>
> Let me elaborate on the way I'm thinking about this:
>
> So say I'm a routing node with an upstream HTLC with CLTV = X. I need to
> ensure that if I learn the preimage, that I have time to broadcast and
> confirm an HTLC-success transaction before height X. We'll call this number
> of blocks D_success. So if I know the preimage, let's say X - D_success is
> the latest height that I can safely broadcast the HTLC-success transaction,
> assuming the settlement transaction is already final (ie. the update
> transaction is confirmed and the CSV delay has passed). So now I also need
> to know when to close the channel with the update transaction. I'll assume
> it will take at most D_update blocks from the time I broadcast the update
> transaction for it to be mined. So unless the downstream HTLC is already
> failed, I should always close the upstream channel at height X - D_success
> - CSV_update - D_update.
>
> Now we'll look at the downstream HTLC with CLTV = Y. In order to minimize
> the safe delta between the upstream and downstream CLTVs, I will want to
> broadcast and confirm an HTLC-timeout transaction as soon after height Y as
> possible. So assuming that the downstream settlement transaction is final
> at height Y and it takes at most D_timeout blocks for the HTLC timeout
> transaction to confirm once it is final assuming no double spends, then Y +
> D_timeout is very latest I might learn the payment preimage from the
> downstream channel on-chain. So I should be safe as long as X - D_success >
> Y + D_timeout. This assumes that the update transaction for the downstream
> channel is already mined and the CSV has passed. However, we know from
> above that I had to close the upstream channel at time X - D_success -
> CSV_update - D_update, which may very well be before Y. So if the
> downstream hop waits until just before Y to publish the preimage, they can
> force me to close my upstream channel. This applies transitively for
> further upstream hops, assuming a large enough CSV value.
>
> Granted, upstream hops can watch the blockchain for preimage reveals in
> other closings transaction and perhaps fulfill off-chain if there is
> sufficient time. This would not be possible with payment decorrelation
> through scriptless scripts or the like.
>
> Does that logic sound right to you?
>
> On Tue, May 1, 2018 at 10:31 AM, Christian Decker <
> decker.christian@gmail.com> wrote:
>
>> Jim Posen <jim.posen@gmail.com> writes:
>> > I'm still not following why this doesn't accumulate.
>> >
>> > In the example route, let's look at it from the point of view of C. C
>> sees
>> > the following regardless of whether D or E or someone behind E is the
>> last
>> > hop in the route:
>> >
>> > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D
>> >
>> > So D is not required to reveal the preimage before time X, and in the
>> case
>> > of an on-chain settle, C needs to be able to redeem the HTLC output
>> through
>> > the timeout clause before time X + delta. C can't redeem the HTLC (with
>> > sufficient confirmations) at least until the settlement transaction is
>> > confirmed. So it seems to me that regardless of the overall route and
>> the
>> > maximum CSV on it, the delta for the C hop has to be greater than the
>> CSV
>> > delay on the update transaction. And that this must be true at every hop
>> > for the same reason.
>>
>> That'd be a purely reactionary behavior, i.e., chosing the delta in such
>> a way that I can both settle the channel and have enough time to react
>> to turn around and reveal the preimage. So with the assumptions we had
>> before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of
>> 288 on each hop, yes. That's basically the case in which each channel
>> reacts serially.
>>
>> You can trivially parallelize these closures by looking ahead and
>> noticing that each hop really just cares about its own closure deadline,
>> i.e., each node just cares to close 288 blocks before the CLTV expires,
>> not that its delta w.r.t. to the downstream channel is that far in the
>> future. So all we care about is that once we are due to give the
>> upstream hop the preimage we've already closed the downstream channel
>> and can now read the HTLC preimage from that channel.
>>
>> The CSV timeout isn't part of the delta on each hop, but we need to
>> implement the deadline computation as:
>>
>> ```
>> CLTV - CLTV delta - CSV
>> ```
>>
>> instead of LN-penaltiy's
>>
>> ```
>> CLTV - CLTV delta
>> ```
>>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 9418 bytes --]
next prev parent reply other threads:[~2018-05-07 23:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-30 15:41 [bitcoin-dev] eltoo: A Simplified update Mechanism for Lightning and Off-Chain Contracts Christian Decker
2018-04-30 23:00 ` Jim Posen
2018-05-01 5:01 ` ZmnSCPxj
2018-05-01 11:36 ` Christian Decker
2018-05-01 15:50 ` Jim Posen
2018-05-01 16:29 ` Christian Decker
2018-05-01 17:07 ` Jim Posen
2018-05-01 17:31 ` Christian Decker
2018-05-02 1:15 ` Jim Posen
2018-05-07 23:26 ` Olaoluwa Osuntokun [this message]
2018-05-10 13:57 ` Christian Decker
2018-05-01 5:07 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2018-05-01 11:38 ` Christian Decker
[not found] ` <20180619115618.ppycfvdh76rdagfo@email>
[not found] ` <87tvpy96lz.fsf@gmail.com>
[not found] ` <20180619180251.j4l3zvxfmwi5mwlb@email>
[not found] ` <20180620153150.4mdash2sj7r2aiwo@email>
2018-06-22 0:32 ` Rusty Russell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAO3Pvs8mf-X4T7fJOgZ9L8uSS3vKhZyvJ1SxL=gbk6b96QuMow@mail.gmail.com' \
--to=laolu32@gmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=jim.posen@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox