đź“… Original date posted:2023-07-20
🗒️ Summary of this message: The sender thanks the Wolf team for organizing the LN Summit and hopes they become the YC of Bitcoin. Technical observations on package relay and minimum relay fees are discussed.
đź“ť Original message:
Hi Clara,
Thanks for the transcript notes.
I think few technical observations are missing, adding them in-texto to
avoid confusions.
I'm sharing the thanks to the Wolf team for the hard work they have put in
organizing the LN Summit since the announcement at the end of January. I've
been impressed by seeing so young a commercial entity catching up with FOSS
neutrality and decentralization standards in matters of development. I hope
they will have a long future in the Bitcoin space, and wishing them to be
the YC of Bitcoin, bridging the hacker scene with builders, without losing
the ethos.
Looking forward to next year's LN Summit, with a multi-stakeholder approach
to transfer operational how-tos across generations of devs. That type of
moment where every dev is taking time to listen to each other is very
unique, and an experience to carry forward.
Now the technical bullet points
> - The current proposal for package relay is ancestor package relay:
> - One child can have up to 24 ancestors.
> - Right now, we only score mempool transactions by ancestry anyway, so
there isn’t much point in other types of packages.
> - For base package relay, commitment transactions will still need to have
the minimum relay fee.
> - No batch bumping is allowed, because it can open up pinning attacks.
> - With one anchor, we can package RBF.
Current state of nversion=3 allows the minimum relay fee exemption:
https://github.com/bitcoin/bitcoin/pull/25038/files#diff-8fe49384f6ab8be91802eb5d0f528fa521e301440b76508f6911d0dd2ae2cebfR108
And there is a confusion with current state of package relay code:
https://github.com/bitcoin/bitcoin/pull/27742#discussion_r1264309536
There are other type of transaction-relay jamming attacks than "pure
pinnings" that prevent to do batch bumping that were discussed during the
development of mempool package acceptance:
https://github.com/bitcoin/bitcoin/pull/22674#issuecomment-900352202
> - Once we have package relay, it will be easier to get things into the
mempool.
> - Once we have V3 transactions, we can drop minimum relay fees because we
are restricted to one child pays for one parent transaction:
On the reasonable assumption that default parameters of package relay does
not introduce tx-relay peers bandwidth blowup, or at the very least
proportion ar kept with regards to traffic submitted to
DEFAULT_MIN_RELAY_TX_FEE.
> - The size of these transactions is limited.
> - You can’t arbitrarily attach junk to pin them.
> - If we want to get rid of 330 sat anchors, we will need ephemeral
anchors:
> - If there is an OP_TRUE output, it can be any value including zero.
> - It must be spent by a child in the same package.
> - Only one child can spend the anchor (because it’s one output).
> - The parent must be zero fee because we never want it in a block on its
own, or relayed without the child.
> - If the child is evicted, we really want the parent to be evicted as
well (there are some odd edge cases at the bottom of the mempool, so zero
ensures that we’ll definitely be evicted).
The parent *might* still have pre-signed fee as it's drawn up from the
funding input liquidity, which might makes sense to save on spending
external on-chain inputs, especially for mobile.
See corresponding years-long issue on the BOLT repository on drawback of
anchor output fee-bumping reserves.
> - The bigger change is with HLTCs:
> - With SIGHASH_ANYONECANPAY, your counterparty can inflate the size of
your transaction - eg: HTLC success, anyone can attack junk.
> - How much do we want to change here?
> - So, we can get to zero fee commitment transactions and one (ephemeral)
anchor per transaction.
> - With zero fee commitments, where do we put trimmed HTLCs?
> - You can just drop it in an OP_TRUE, and reasonably expect the miner
to take it.
> - In a commitment with to_self and to_remote and an ephemeral anchor that
must be spent, you can drop the 1 block CSV in the transaction that does
not have a revocation path (ie, you can drop it for to_remote).
> - Any spend of this transaction must spend the one anchor in the same
block.
> - No other output is eligible to have a tx attached to it, so we don’t
need the delay anymore.
The 1 block CSV might be kept as a way to make the chain of transactions
"discrete" on the transaction-relay network, to avoid interference with
block-based filters.
Throwing trimmed HTLCs under an OP_TRUE, without timelocks protection opens
the door to miner harvesting attacks, see
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002569.html
> - Theoretically, your counterparty could get hold of your signed
local copy, but then you can just RBF.
> - Since these will be V3 transactions, the size of the child must be
small so you can’t pin it.
> - Both parties can RBF the child spending the ephemeral anchor.
> - This isn’t specifically tailored to lightning, it’s a more general
concept.
> - Child transactions of V3 are implicitly RBF, so we won’t have to worry
about it not being replaceable (no inheritance bug).
> - In general, when we’re changing the mempool policy we want to make the
minimal relaxation that allows the best improvement.
Still the issue of V3 transactions being used to conduct double-spend on
zero-conf infrastructure, if they don't upgrade their software before V3 is
widely deployed (a lightweight mempoolfullrbf=true)
> - We need “top of block” mempool / cluster mempool:
> - The mempool can have clusters of transactions (parents/children
arranged in various topologies) and the whole mempool could even be a
single cluster (think a trellis of parents and > children “zigzagging”).
> - The mining algorithm will pick one “vertical” using ancestor fee rate.
> - There are some situations where you add a single transaction and it
would completely change the order in which our current selection picks
things.
> - Cluster mempool groups transactions into “clusters” that make this
easier to sort and reason about.
> - It can be expensive (which introduces a risk of denial of service),
but if we have limits on cluster sizes then we can limit this.
Nota bene - Cluster mempool as a concept as not yet being evaluated for its
impact on mining block template construction, neither Lightning liquidity
management algorithms, nor the changes in DoS performance of usual tx-relay
peers.
See https://github.com/bitcoin/bitcoin/issues/27677, probably gonna need
the same level of scrutiny than a consensus change.
> - This is the only way to get package RBF.
> - How far along is all of this?
> - BIP331: the P2P part that allows different package types is moving
along and implementation is happening. This is done in a way that would
allow us to add different types of
> packages in future if we need them.
> - There are some improvements being made to core’s orphan pool,
because we need to make sure that peers can’t knock orphans out of your
pool that you may later need to
> retrieve as package ancestors.
> - We reserve some spots with tokens, and if you have a token we keep
some space for you.
> - V3 transactions: implemented on top of package relay, since they don’t
really make sense without it. This is an opt-in regime where you make
things easier to RBF.
> - Ephemeral Anchors: on top of package relay and V3.
> - Cluster Mempool: This is further out, but there’s been some progress.
Right now people are working on the linearization algorithm.
> - If these changes don’t suit lightning’s use case, now is the time to
speak because it’s all being worked on.
State of the discussion is what part of the lightning flows are granted
basic pinning protection under package relay and nVersion=3:
https://github.com/bitcoin/bitcoin/issues/27463
> - In what way does it not fit LN, as it’s currently designed?
> - With the V3 paradigm, to stop all pinning vectors, HTLC transactions
will need to get anchors and you will have to drop ANYONECANPAY (to use
anchors instead).
> - Could we fix this with additional restrictions on V3 (or a V4)?
> - You could do something where V4 means that you can have no ancestors
and no descendants (in the mempool).
> - V3 restricts the child, you could also restrict the parent further.
> - You could have a heuristic on the number of inputs and outputs, but
anyone can pay or add inputs.
> - You could commit to the whole thing being some size by setting a
series of bits in sequence to mark maximum size but that would involve
running script (which is annoying).
> - The history of V3 was to allow a parent of any size because
commitment transactions can be any size.
> - What about keeping HTLCs the way they are today?
> - A lot of other things are less pineapple, maybe that’s ok? It’s a step
forward.
> - The long term solution is to change relay policy to top of mempool. We
shouldn’t be doing things until the long term solution is clear, and we
shouldn’t change the protocol in a way
> that doesn’t fit with the long term.
Current V3 paradigm and package relay, won't stop all pinning vectors, as
you have advanced pinnings due to the distributed nature of network
mempools, see
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-June/002758.html
> - We already do a lot of arbitrary things, if we were starting from day
one we wouldn’t do HTLCs with anchors (it’s too much bloat), and being
unable to RBF is more bloat because you > overpay.
> - If the remote commitment is broadcast, you can spen the HTLC with V2.
You can’t add a V3 child (it won’t get in the mempool).
> - If you want to be consistent, even when it’s the remote commit you
need a presigned transaction, we should just use it as designed today.
> - What is the “top of mempool” assumption?
> - If large transactions are at the top of your mempool, you (a miner)
want transactions with higher fee rates to increase your total revenue.
> - Today, you can’t really easily answer or reason about these questions.
> - We want to accept transactions in our mempool in a denial of service
resistant way that will strictly increase our miner fees.
> - If a transaction is at the top of your mempool, you may be more
willing to accept a replacement fee. If it’s way down in the mempool, you
would probably replace more slowly.
> - It’s conceivable that we could get here, but it’s years off.
> - Once we have this, pinning only happens with large transactions at
the bottom of the mempool. If you just slow roll these transactions, you
can just relay what you’ve got.
> - If somebody comes and replaces the bottom with something small
that’ll be mined in the next two blocks, you clearly want to accept that.
> - Does cluster mempool fix rule 3?
> - No but they help.
> - Today when you get a transaction you don’t know which block it’s going
in - we don’t have a preference ordering.
> - Miners don’t make blocks as they go - with cluster mempool you can
make very fast block templates.
Defining "top of mempool" is function of the source of informations and
configuration settings, and block template construction strategy of a
miner, see
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019846.html
> - When talking about relay, you can ignore block making and just get a
very good estimate.
> - The question is: when do we jump?
> - Wail until V3? Package Relay?
> - Package relay will help. You still negotiate fees but they don’t
matter as much.
> - We’d like to kill upate fee and have a magic number for fees, can we
do that when we get package relay?
> - Package relay is the hard part, V3 should be relatively easier after
that.
> - When we get V3 we can drop to zero fee.
> - Is there a future where miners don’t care about policy at all?
> - Say, the block that I’m mining has V3 transactions. They’re just
maximizing fees so they’ll accept anything out of band, ignoring these new
policy rules.
In a world of limited computing resources, miners will always have to care
about policy, at the very least as a question of transaction ordering
acceptance.
> - Accelerators are already starting to emerge today - how are they doing
it?
> - We’re carving out a small space in which mempool rules work, and it’s
okay to work around it.
> - If a miner mines it, great - that’s what we want. The problem is not
getting mined (ie pinning).
> - Figuring this out is not simple:
> - Today there are times where we accept replacements when we should
reject them and times where we reject replacements when we should accept
them.
> - There can be situations where miners will mine things that aren’t
incentive compatible (ie, not the best block template).
> - What if somebody pays out of band not to mine?
Game of out-of-band payments to not mine LN transactions are already
considered, see
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021395.html
> - Ephemeral anchors are interesting, they never enter the UTXO set - if
the child gets evicted, you get evicted.
> - The first transaction being zero is optimal, want to be sure it’ll be
evicted (there are some mempool quirks).
> - It must be zero fee so that it will be evicted.
> - Should we add trimmed HTLCs to the ephemeral anchor?
> - We don’t want to get above min relay fee because then we could hang
around in the mempool.
> - The eltoo implementation currently does this.
> - You can’t keep things in OP_TRUE because they’ll be taken.
> - You can also just put it in fees as before.
> - More on cluster mempools:
> - It can be used for block selection, but it’s currently focused on
mempool selection.
> - You can simulate template selection with it.
> - When you’re mining, you have to pick from an ancestor downwards.
> - First we lineralize the transactions to flatten the structure
intelligently (by topology and fee rate).
> - Then we figure out the best ordering of this flat structure.
> - Each chunk in a cluster is less than 75 transactions, and a cluster
has chunks of transactions.
> - If you woul include a transaction with the ancestor, it goes in the
same chunk. Otherwise it goes in the next chunk.
> - Miners select the highest fee rate chunks, lower fee rate ones can
safely be evicted.
> - For replacement, you can just check replacement for a single cluster,
rechunk it and then resort the chunks.
> - It must beat the fee rate of the chunks to get in.
> - You can check how much it beats the chunk by, whether it would go
in the next block(s) and then decide.
> - Chunk ordering takes into account transaction size, beyond 25
transactions we just do ancestor set feerate.
With clustering comes the issues of "horizontal" package limits, which is
not the way of checking package validity than Lightning transaction
broadcast backend are currently architectured.
> - One of the limits is going away, one is sticking around. We still have
sibling eviction issues.
> - Is one of the issues with chunks is that they’re limited by
transaction weight, 101 kilo-v-bytes, which is the maximum package size?
> - We should be okay, these limits are higher than present.
> - You can bound chunk size pretty easily.
> - If we get chunk fee rate replacement then you can do batch fee bumping
(eg, a bunch of ephemeral anchors that are all batched together).
> - Are there long term policy implications for privacy for ephemeral
anchors?
> - You’re essentially opting into transaction sponsors?
> - If everyone uses V3 eventually there’s no issue.
> - For right now, it would be nice if V3 is only for unilateral closes.
> - It’s also useful in a custodial wallet setting, where you have one
team creating on chain transactions and the other attaching fees. This is a
common accounting headache. People can also non-interactively fee bump.
In a world where each V3 policy has its own package limits tailored to
deter pinnings, and those limits are designed in the function of the
use-case flow, it is hard to expect uniform deployment of the latest set of
policy rules.
> ### Taproot
> - Spec is still in draft right now, and the code is a bit ahead of the
test vectors.
> - The biggest change that has been made is around anchors, which become
more complicated with taproot:
> - The revocation path on to_local takes the script path, so now we need
to reveal data for the anchor.
> - The downside is that revocation is more expensive - 32 more bytes in
the control block.
> - The to_remote has a NUMS point, previously we just had multisig keys:
> - If you’re doing a rescan, you won’t know those keys.
> - Now you just need to know the NUMS point and you can always rescan.
> - The NUMS point itself is pretty verifiable, you just start with a
string and hash it.
> - It is constant, you just use it randomized with your key.
> - The internal pubkey is constant on to_remote.
LN wallets might have to support "cold" storage of both old BOLT3 secret
and the new taproot ones, as long as you have pre-taproot channels opened
with your counterparties, that might not happen for a while for economic
reasons, and deal with the differentiated sizes of the witness due to the
usage of tapscript vs witness script.
> - Co-op close [broke into several different discussions]:
> - The idea here is to remove negotiation, since we’ve had disagreement
issues in the past.
> - In this version, the initiator just accepts the fee.
> - Do we want negotiation?
> - In the past we’ve had bugs with fee rate estimates that won’t
budge.
> - Why don’t we just pick our fees and send two sets of signatures?
> - This would no longer be symmetric.
> - What if nobody wants to close first? We’d need to work through the
game theory.
> - The person who wants their funds has an incentive.
Fee responsibility assigned on the "first-announcer" can lead to
game-theory stale.
> - Why is RBF so hard for co-op close?
> - Closing should be marked as RBF, there’s no reason not to.
> - Just pick your fee rate, pay it and then come back and RBF if you’d
like. You can bump/broadcast as much as you like.
> - If we’re going to have something like that where we iterate, why
don’t we just do the simple version where we pick a fee and sign?
> - If you have to pay the whole fee, you have less incentive to sign.
> - Why is this linked to taproot work?
> - It needs to change anyway, and we need to add nonces.
> - What about, whoever wants to close sends a fee rate (paying the fees)
and the responder just sends a signature?
> - If you don’t have enough balance, you can’t close. But why do you
care anyway, you have no funds?
Closing old or inactive channels has an impact if you have a limited number
of peers with opened channels slots.
> - For taproot/musig2 we need nonces:
> - Today we store the commitment signature from the remote party. We
don’t need to store our own signature - we can sign at time of broadcast.
> - To be able to sign you need the verification nonce - you could
remember it, or you could use a counter:
> - Counter based:
> - We re-use shachain and then just use it to generate nonces.
> - Start with a seed, derive from that, use it to generate nonces.
> - This way you don’t need to remember state, since it can always be
generated from what you already have.
> - Why is this safe?
> - We never re-use nonces.
> - The remote party never sees your partial signature.
> - The message always stays the same (the dangerous re-use case is
using the same nonce for different messages).
> - If we used the same nonce for different messages we could leak our
key.
> - You can combine the sighash + nonce to make it unique - this also
binds more.
> - Remote party will only see the full signature on chain, never your
partial one.
> - Each party has sign and verify nonces, 4 total.
> - Co-op close only has 2 because it’s symmetric.
(I don't know when mailing list post max size will be reached)
Counter-based nonces versus stateful memorization of them from a user
perspective depends on the hardware capabilities you have access to.
The taproot schnorr flow could be transparent from the underlying signature
scheme (FROST, musig2, TAPS in the future maybe).
> ### Gossip V1.5 vs V2
> - How much do we care about script binding?
> - It it’s loose, it can be any script - you can advertise any UTXO.
> - You revel less information, just providing a full signature with the
full taproot public key.
> - If it’s tight, you have to provide two keys and then use the BIP 86
tweak to check that it’s a 2-of-2 multisig.
> - Should we fully bind to the script, or just allow any taproot output?
> - Don’t see why we’d want additional overhead.
> - Any taproot output can be a channel - let people experiment.
> - We shouldn’t have cared in the first place, so it doesn’t matter what
it’s bound to.
> - It’s just there for anti-DOS, just need to prove that you can sign.
> - Let every taproot output be a lightning channel, amen.
The script binding gone matters in terms of DoS protection in a future
where different types of channels might not have the same "routing
reliability" value in scoring algorithms (e.g size of the satisfying
witness being a function of the off-chain fees in case of probabilistic
force-close).
At scale, peered by the script gossips authentication can be needed to
avoid asymmetries in channel value being exploited in routing.
> - We’re going to decouple:
> - You still need a UTXO but it doesn’t matter what it looks like.
> - This also allows other channel types in future.
> - We send:
> - UTXO: unspent and in the UTXO set
> - Two node pubkeys
> - One signature
> - How much do we care about amount binding?
> - Today it is exact.
> - People use it for capacity graphs.
> - Graph go up.
> - We can watch the chain for spends when we know which UTXO to watch
per-channel.
> - Is there an impact on pathfinding if we over-advertize?
> - We use capacity to pathfind.
> - What’s the worst case if people lie? We don’t use them.
> - If we’ve already agreed that this can be a UTXO that isn’t a channel,
then it shouldn’t matter.
Over-advertize comes as bandwidth drain on the network, and therefore
reduces the ability of low-performance clients to be first-class citizens
of the Lightning routing network, a downside in privacy.
> - If you allow value magnification, we can use a single UTXO to claim for
multiple channels. Even in the most naive version (say 5x), you’re only
revealing 20% of your UTXOs.
> - How much leverage can we allow? The only limit is denial of service.
> - There’s the potential for a market for UTXOs.
> - There’s a privacy trade-off:
> - If you one-to-one map them, then there’s no privacy gain.
> - Do we know that you get substantial privacy?
> - Even if you have two UTXOs and two channels, those UTXOs are now not
linked (because you can just use the first one to advertise).
> - This is only assuming that somebody implements it/ infrastructure is
built out.
> - People could create more elaborate things over time, even if
implementations do the “dumb” way.
Privacy of a UTXO in gossip can be abstracted from the attributes one wish
to reveal, see
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021686.html
> - Gossip 1.5 (ie, with amount binding) fits in the current flow, V2 (ie,
without amount binding) has a very different scope.
> - It’s a big step, and you don’t truly know until you implement it.
> - What about things like: a very large node and a very small node, whose
announced UTXO do you use?
> - We decided not to put UTXOs in node announcement, so we’d put it in
channel announcement:
> - Sometimes there’s a UTXO, sometimes there isn’t.
> - You look at a node’s previous channels to see if they still have
“quota”.
> - If you don’t have “quota” left, you have to include a signature TLV.
> - With the goal of publicly announcing taproot channels, 1.5 gets us
there and is a much smaller code change.
Native announcement bandwidth/rate-limit based "quota" might not reflect
what the end consumer of the gossip is interested for privacy, efficient
paths, payment reliability, etc.
> - We’ve talked alot about capacity for pathfinding, but we haven’t really
touched on control valves like max HTLC:
> - Currently we don’t use these valves to tune our pathfinding, people
don’t use it.
> - If we get better here, we won’t need capacity.
> - This value is already < 50% anyway.
> - If we don’t un-bind amounts now, when will we do it?
Channel policy parameters could be dynamic during channel lifetime to
enable more fine-grained liquidity adjustment, without compromising
security risks due to things like "flood&loot".
> - It’s always a lower priority and everyone is busy.
> - If we allow overcommitting by some factor now, it’s not unrealistic
that it will allow some degree of privacy.
> - Between these features, we have opened the door to leasing UTXOs:
> - Before we do more over-commitment, let’s see if anybody uses it?
> - We add channel capacity to the channel announcement with a feature bit:
> - If we turn the feature off, we are on-to-one mapped.
> - But a node can’t use the upgraded version until everyone is upgraded?
> - Our current “get everyone upgraded” cycle is 18 months (or a CVE).
The Lightning development community as a whole together apologizes for the
current state of Lightning implementations and has never considered
safety-critical CVEs as a "trojan horse" to harmonize gossips and other
minor features across the ecosystem.
> - If you’re upgrading to 2x multiplier, nobody on 1x will accept that
gossip.
> - People will not pay for privacy (via lost revenue of people not
seeing their gossip).
People *might* pay for privacy when their services operations and the
competitive advantage is dependent on it.
> - This is additive to defeating chain analysis.
> - Private UTXO management is already complicated, we don’t know the
ideal that we’re working towards.
> - What about if we just set it to 2 today?
> - Is 2 qualitatively better than 1 (without script binding) today?
> - Will a marketplace magically emerge if we allow over-commitment?
> - We don’t know the implications of setting a global multiplier for
routing or denial of service, and we don’t have a clear view of what
privacy would look like (other than “some” improvement).
> - We agree that adding a multiplier doesn’t break the network.
> - People with a lower value will see a subnet when we upgrade.
> - We’re going to go with gossip “1.75”:
> - Bind to amount but not script.
> - We include a TLV cut out that paves the way to overcommitment.
The data scope of the gossip (and future cryptosystems to cipher them) has
an impact on low-bandwidth and performance-constrained mobile clients.
> - There are a few paths we could take to get multi-sig for one channel
party:
> - Script: just do it on the script level for the UTXO, but it’s heavy
handed.
> - FROSTy: you end up having to do a bunch of things around fault
tolerance which require a more intense setup. You also may not want the
shachain to be known by all of the parties > in the setup (we have an ugly
solution for this, we think).
> - Recursive musig:
> - Context: you have one key in the party, but you actually want it to be
multiple keys under the hood. You don’t want any single party to know the
revocation secrets, so you have to each have a part and combine them
> - Ugliest solution: just create distinct values and store them.
> - Less ugly solution uses multiple shachains:
> - Right now we have a shachan, and we reveal two leaves of it.
> - You have 8 shachains, and you XOR them all together.
> - Why do we need 8? That’ll serve a 5-of-7.
> - Maybe we need 21? 5 choose 7, we’re not sure.
> - How does this work with K-of-N?
> - Each party has a piece, and you can always combine them in
different combinations (of K pieces) to get to the secret you’re using.
Sharding of the revocation secret across multiple device signers requires a
consistent consensus algorithm if fault-tolerance is a design property.
> ### PTLCs
> - We can do PTLCs in two ways:
> - Regular musig
> - Adaptor signatures
> - Do they work with trampoline as defined today?
> - The sender picks all the blinding factors today, so it’s fine.
> - There’s a paper called: splitting locally while routing
interdimensionally:
> - You can let intermediate nodes do splitting because they know all the
local values.
> - Then can generate new blinding factors and split out to the next node.
> - Adaptor signatures could possibly be combined for PTLCs that get fanned
out then combined.
> - There are a few options for redundant overpayment (ie, “stuckless”
payments):
> - Boomerang:
> - Preimages are coefficients of a polynomial, and you commit to the
polynomial itself.
> - If you have a degree P polynomial and you take P+1 shares, then you
can claim in the other direction.
> - Quite complex.
> - You have to agree on the number of splits in advance.
> - Spear:
> - H2TLC: there are two payment hashes per-HTLC, one if from the sender
and one is from the invoice.
> - When you send a payment, the sender only reveals the right number of
sender preimages.
> - This also gives us HTLC acknowledgement, which is nice.
> - You can concurrently split, and then spray and pray.
> - Interaction is required to get preimages.
> - Do we want to add redundant overpayment with PTLCs?
> - We’ll introduce a communication requirement.
> - Do we need to decide that before we do PTLCs?
> - Can we go for the simplest possible option first and then add it?
> - For spear, yes - the intermediate nodes don’t know that it’s two
hashes.
> - We could build them out without thinking about overpayment, and then
mix in a sender secret so that we can claim a subset.
> - We’ll have more round trips, but you also have the ability to ACK HTLCs
that have arrived.
> - Spray and pray uses the same about as you would with our current “send
/ wait / send”, it’s just concurrently not serially.
> - Is it a problem that HLTCs that aren’t settled don’t pay fees?
> - You’re paying the fastest routes.
> - Even if it’s random, you still get a constant factor of what we should
have gotten otherwise.
> - It makes sense to use onion messages if it’s available to us.
> - Are we getting payment acknowledgement? Seems so!
Scripteable PTLCs based on the structure of the elliptic can be advanced by
verifiable encryption, and other cryptosystems, see
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002213.html
Cancellable PTLCs are coming with trade-off in term of interactivity or
default of the point contributing participant.
> ### Hybrid Approach to Channel Jamming
> - We’ve been talking about jamming for 8 years, back and forth on the
mailing list.
> - We’d like to find a way to move forward so that we can get something
done.
> - Generally when we think about jamming, there are three “classes” of
mitigations:
> - Monetary: unconditional fees, implemented in various ways.
> - Reputation: locally assessed (global is terrible)
> - Scarce Resources: POW, stake, tokens.
> - The problem is that none of these solutions work in isolation.
> - Monetary: the cost that will deter an attacker is unreasonable for an
honest user, and the cost that is reasonable for an honest user is too low
for an attacker.
> - Reputation: any system needs to define some threshold that is
considered good behavior, and an attacker can aim to fall just under it.
Eg: if you need a payment to resolve in 1 minute, you can fall just under
that bar.
> - Scarce resources: like with monetary, pricing doesn’t work out.
> - Paper: proof of work doesn’t work for email spam, as an example.
> - Since scarce resources can be purchased, they could be considered a
subset of monetary.
> - There is no silver bullet for jamming mitigation.
This is a good resume of the state of the discussions, It should be noted,
the Tor project is aiming to solve the DoS issues in a peer-to-peer network
like LN with proof-of-work.
Mainstain Internet has been working on Privacy Pass, of which some jamming
mitigation flavors are inspired.
If the Lightning development community solve the jamming issue, a Turing
Award could be recognized as whole (or maybe a Nobel Prize in economics).
> - Combination of unconditional fees and reputation:
> - Good behavior grants access to more resources, bad behavior loses it.
> - If you want to fall just below that threshold, we close the gap with
unconditional fees.
> - Looking a these three classes implemented in isolation, are there any
unresolved questions that people have - “what about this”?
> - Doesn’t POW get you around the cold start problem in reputation where
if you want to put money in to quickly bootstrap you can?
> - Since POW can be rented, it’s essentially a monetary solution - just
extra steps.
BIP154 has been proposed early on and discarded for its drain on mobile
clients batteries.
> - We run into the same pricing issues.
> - Why these combinations?
> - Since scarce resources are essentially monetary, we think that
unconditional fees are the simplest possible monetary solution.
> - Unconditional Fees:
> - As a sender, you’re building a route and losing money if it doesn’t go
through?
> - Yes, but they only need to be trivially small compared to success
case fee budgets.
> - You can also eventually succeed so long as you retry enough, even if
failure rates are very high.
> - How do you know that these fees will be small? The market could decide
otherwise.
Static unconditional fees is a limited tool in a world where rational
economic actors are pricing their liquidity in function of demand.
> - Routing nodes still need to be competitive. If you put an
unconditional fee of 100x the success case, senders will choose to not send
through you because you have no incentive to forward.
> - We could also add an in-protocol limit or sender-side advisory.
> - With unconditional fees, a fast jamming attack is very clearly paid for.
> - Reputation:
> - The easiest way to jam somebody today is to send a bunch of HTLCs
through them and hold them for two weeks. We’re focusing on reputation to
begin with, because in this case we > can quite easily identify that people
are doing something wrong (at the extremes).
> - If you have a reputation score that blows up on failed attempts,
doesn’t that fix it without upfront fees?
The local reputation score of the failed attempts entity might be in a
situation of informational asymmetries, therefore provoking a damage
superior to the reputation acquisition cost.
> - We have to allow some natural rate of failure in the network.
> - An attacker can still aim to fall just below that failure threshold
and go through multiple channels to attack an individual channel.
> - THere isn’t any way to set a bar that an attacker can’t fall just
beneath.
> - Isn’t this the same for reputation? We have a suggestion for
reputation but all of them fail because they can be gamed below the bar.
> - If reputation matches the regular operation of nodes on the network,
you will naturally build reputation up over time.
> - If we do not match reputation accumulation to what normal nodes do,
then an attacker can take some other action to get more reputation than the
rest of the network. We don’t want attackers to be able to get ahead of
regular nodes.
> - Let’s say you get one point for success and one for failure, a
normal node will always have bad reputation. An attacker could then send 1
say payments all day long, pay a fee for it > and gain reputation.
> - Can you define jamming? Is it stuck HTLCs or a lot of 1 sat HTLCS
spamming up your DB?
Jamming is an economic notion, as such relying on the subjectivism of node
appreciation of local ressources.
> - Jamming is holding HTLCs to or streaming constant failed HTLCs to
prevent a channel from operating.
> - This can be achieved with slots or liquidity.
> - Does the system still work if users are playing with reputation?
> - In the steady state, it doesn’t really matter whether a node has a
good reputation or not.
> - If users start to set reputation in a way that doesn’t reflect normal
operation of the network, it will only affect their ability to route when
under attack.
> - Isn’t reputation monetary as well, as you can buy a whole node?
> - There is a connection, and yes in the extreme case you can buy an
entire identity.
> - Even if you do this, the resource bucketing doesn’t give you a “golden
ticket” to consume all slots/liquidity with good reputation, so you’re
still limited in what you can do.
> - Can we learn anything from research elsewhere / the way things are done
on the internet?
> - A lot of our confidence that these solutions don’t work in isolation
is based on previous work looking at spam on the internet.
> - Lightning is also unique because it is a monetary network - we have
money built in, so we have different tools to use.
Spamming and DoS are not solved on the Internet and one of the reason we're
relying on chain of X.509 certificates for modern data communication.
> - To me, it seems like if the scarce resource that we’re trying to
allocate is HTLC slots and upfront fees you can pay me upfront fees for the
worst case (say two weeks) and then if it settles if 5 seconds you give it
back?
> - The dream solution is to only pay for the amount of time that a HTLC
is held in flight.
> - The problem here is that there’s no way to prove time when things go
wrong, and any solution without a universal clock will fall back on
cooperation which breaks down in the case of > an attack.
There is a universal clock in Bitcoin called the chain height advances.
> - No honest user will be willing to pay the price for the worst case,
which gets us back to the pricing issue.
> - There’s also an incentives issue when the “rent” we pay for these two
weeks worst case is more than the forwarding fee, so a router may be
incentivized to just hang on to that amount and bank it.
> - We’ve talked about forwards and backwards fees extensively on the
mailing list:
> - They’re not large enough to be enforceable, so somebody always has
to give the money back off chain.
> - This means that we rely on cooperation for this refund.
> - The complexity of this type of system is very high, and we start to
open up new “non-cooperation” concerns - can we be attacked using this
mechanism itself?
> - Doesn’t an attacker need to be directly connected to you to steal in
the non-cooperative case?
> - At the end of the day, somebody ends up getting robbed when we can’t
pull the money from the source (attacker).
> - Does everybody feel resolved on the statement that we need to take this
hybrid approach to clamp down on jamming? Are there any “what about
solution X” questions left for anyone? Nothing came up.
Hybrid approach sounds the best technical compromise in a world where pure
monetary strategy (i.e pay 100% of worst-liquidity valuation all the time)
is reducing the economic openess of Lightning marginal users.
> Do any of these assumptions change with trampoline? Don’t think it’s
related.
Yes, one will have to price on the HTLC carrying risk in the trampoline
offering service.
> - Your reputation is at stake when you endorse, when do you decide to
endorse my own payments?
> - You do the things you were already doing to figure out a good route.
Paths that you think have good liquidity, and have had success with in the
past.
> - What about redundant overpayment, some of your HTLCs are bound to fail?
> - Provided that they fail fast, it shouldn’t be a problem.
> - Is it possible that the case where general slots are perpetually filled
by attackers becomes the steady state? And we can’t tell the difference
between a regular user and attacker.
> - This is where unconditional fees come in, if somebody wants to
perpetually fill up the general bucket they have to pay for it.
> - Is there anything we’d like to see that will help us have move
confidence here?
> - What do you think is missing from the information presented?
> - We can simulate the steady state / create synthetic data, but can’t
simulate every attack. Would like to spend more time thinking through the
ways this could possibly be abused.
> - Would it help to run this on signet? Or scaling lightning?
> - Its a little easier to produce various profiles of activity on
regtest[.
Generally resource bucketing can be designed with insights from modern
internet protocol in term of TCP congestion control and other scarce
network resource (e.g DNS records). Do not reinvent the wheel.
> - What NACK says is: I’ve ignored all of your updates and I’m
progressing to the next commitment.
If resource bucketing or link-level liquidity management starts to be
involved, one can mask behind "NACK" to halt the channel progress, without
the reputation downgrade. Layer violation issue.
> - How confident are we that we can pull things out? Only things that are
brand new will be easy to do this with.
> - Keeping context in your head is hard, and jumping between documents
breaks up thought.
> - Should we fully copy the current document and copy it?
In a world where users might be slow to upgrade to the latest channel
features, including when they have clear privacy or security advantages for
economic reasons (on-chain fees), old documentation maintenance is
reasonable, and as such doc versioning is better.
> - For small things, we can just throw out the old stuff.
> - If it were possible to modularize and have working groups, that would
be great but it seems like we’d tread on each other’s toes.
IETF has been doing WG for decades, this obviously comes with trade-off to
avoid broken protocols and modules in all sense, though probably the only
socially scalable process to move forward. Interface between WG will come
with time.
> ### Async Payments/ Trampoline
> - Blinded payments are a nice improvement for trampoline because you
don’t know where the recipient is.
> - The high level idea is:
> - Light nodes only see a small part of the network that they are close
to.
> - Recipients only give a few trampolines in the network that they can be
reached via.
> - In the onion for the first trampoline, there will be an onion for the
second trampoline.
> - You just need to give a trampoline a blinded path and they can do the
rest.
> - If you only have one trampoline, they can probably make a good guess
where the payment came from (it’s in the reachable neighborhood).
> - Is there a new sync mode for trampoline gossip?
> - We’d now need radius-based gossip rather than block based.
> - The trust version is just getting this from a LSP.
> - In cold bootstrap, you’re probably going to open a channel so you ask
them for gossip.
> - Can you split MPP over trampoline? Yes.
> - Routing nodes can learn more about the network because they make their
own attempts.
Onion bandwidth cost ain't gonna be free.
Best,
Antoine
Le jeu. 20 juil. 2023 Ă 01:09, Carla Kirk-Cohen <kirkcohenc at gmail.com> a
Ă©crit :
> Hi List,
>
> At the end of June we got together in NYC for the annual specification
> meeting. This time around we made an attempt at taking transcript-style
> notes which are available here:
> https://docs.google.com/document/d/1MZhAH82YLEXWz4bTnSQcdTQ03FpH4JpukK9Pm7V02bk/edit?usp=sharing
> .
> To decrease our dependence on my google drive I've also included the
> full set of notes at the end of this email (no promises about the
> formatting however).
>
> We made a semi-successful attempt at recording larger group topics, so
> these notes roughly follow the structure of the discussions that we had
> at the summit (rather than being a summary). Speakers are not
> attributed, and any mistakes are my own.
>
> Thanks to everyone who traveled far, Wolf for hosting us in style in
> NYC and to Michael Levin for helping out with notes <3
>
> # LN Summit - NYC 2023
>
> ## Day One
>
> ### Package Relay
> - The current proposal for package relay is ancestor package relay:
> - One child can have up to 24 ancestors.
> - Right now, we only score mempool transactions by ancestry anyway, so
> there isn’t much point in other types of packages.
> - For base package relay, commitment transactions will still need to have
> the minimum relay fee.
> - No batch bumping is allowed, because it can open up pinning attacks.
> - With one anchor, we can package RBF.
> - Once we have package relay, it will be easier to get things into the
> mempool.
> - Once we have V3 transactions, we can drop minimum relay fees because we
> are restricted to one child pays for one parent transaction:
> - The size of these transactions is limited.
> - You can’t arbitrarily attach junk to pin them.
> - If we want to get rid of 330 sat anchors, we will need ephemeral
> anchors:
> - If there is an OP_TRUE output, it can be any value including zero.
> - It must be spent by a child in the same package.
> - Only one child can spend the anchor (because it’s one output).
> - The parent must be zero fee because we never want it in a block on its
> own, or relayed without the child.
> - If the child is evicted, we really want the parent to be evicted as
> well (there are some odd edge cases at the bottom of the mempool, so zero
> ensures that we’ll definitely be evicted).
> - The bigger change is with HLTCs:
> - With SIGHASH_ANYONECANPAY, your counterparty can inflate the size of
> your transaction - eg: HTLC success, anyone can attack junk.
> - How much do we want to change here?
> - So, we can get to zero fee commitment transactions and one (ephemeral)
> anchor per transaction.
> - With zero fee commitments, where do we put trimmed HTLCs?
> - You can just drop it in an OP_TRUE, and reasonably expect the miner
> to take it.
> - In a commitment with to_self and to_remote and an ephemeral anchor that
> must be spent, you can drop the 1 block CSV in the transaction that does
> not have a revocation path (ie, you can drop it for to_remote).
> - Any spend of this transaction must spend the one anchor in the same
> block.
> - No other output is eligible to have a tx attached to it, so we don’t
> need the delay anymore.
> - Theoretically, your counterparty could get hold of your signed
> local copy, but then you can just RBF.
> - Since these will be V3 transactions, the size of the child must be small
> so you can’t pin it.
> - Both parties can RBF the child spending the ephemeral anchor.
> - This isn’t specifically tailored to lightning, it’s a more general
> concept.
> - Child transactions of V3 are implicitly RBF, so we won’t have to worry
> about it not being replaceable (no inheritance bug).
> - In general, when we’re changing the mempool policy we want to make the
> minimal relaxation that allows the best improvement.
> - We need “top of block” mempool / cluster mempool:
> - The mempool can have clusters of transactions (parents/children
> arranged in various topologies) and the whole mempool could even be a
> single cluster (think a trellis of parents and children “zigzagging”).
> - The mining algorithm will pick one “vertical” using ancestor fee rate.
> - There are some situations where you add a single transaction and it
> would completely change the order in which our current selection picks
> things.
> - Cluster mempool groups transactions into “clusters” that make this
> easier to sort and reason about.
> - It can be expensive (which introduces a risk of denial of service),
> but if we have limits on cluster sizes then we can limit this.
> - This is the only way to get package RBF.
> - How far along is all of this?
> - BIP331: the P2P part that allows different package types is moving
> along and implementation is happening. This is done in a way that would
> allow us to add different types of packages in future if we need them.
> - There are some improvements being made to core’s orphan pool,
> because we need to make sure that peers can’t knock orphans out of your
> pool that you may later need to retrieve as package ancestors.
> - We reserve some spots with tokens, and if you have a token we keep
> some space for you.
> - V3 transactions: implemented on top of package relay, since they don’t
> really make sense without it. This is an opt-in regime where you make
> things easier to RBF.
> - Ephemeral Anchors: on top of package relay and V3.
> - Cluster Mempool: This is further out, but there’s been some progress.
> Right now people are working on the linearization algorithm.
> - If these changes don’t suit lightning’s use case, now is the time to
> speak because it’s all being worked on.
> - In what way does it not fit LN, as it’s currently designed?
> - With the V3 paradigm, to stop all pinning vectors, HTLC
> transactions will need to get anchors and you will have to drop
> ANYONECANPAY (to use anchors instead).
> - Could we fix this with additional restrictions on V3 (or a V4)?
> - You could do something where V4 means that you can have no
> ancestors and no descendants (in the mempool).
> - V3 restricts the child, you could also restrict the parent further.
> - You could have a heuristic on the number of inputs and outputs, but
> anyone can pay or add inputs.
> - You could commit to the whole thing being some size by setting a
> series of bits in sequence to mark maximum size but that would involve
> running script (which is annoying).
> - The history of V3 was to allow a parent of any size because
> commitment transactions can be any size.
> - What about keeping HTLCs the way they are today?
> - A lot of other things are less pineapple, maybe that’s ok? It’s a step
> forward.
> - The long term solution is to change relay policy to top of mempool. We
> shouldn’t be doing things until the long term solution is clear, and we
> shouldn’t change the protocol in a way that doesn’t fit with the long term.
> - We already do a lot of arbitrary things, if we were starting from day
> one we wouldn’t do HTLCs with anchors (it’s too much bloat), and being
> unable to RBF is more bloat because you overpay.
> - If the remote commitment is broadcast, you can spen the HTLC with V2.
> You can’t add a V3 child (it won’t get in the mempool).
> - If you want to be consistent, even when it’s the remote commit you
> need a presigned transaction, we should just use it as designed today.
> - What is the “top of mempool” assumption?
> - If large transactions are at the top of your mempool, you (a miner)
> want transactions with higher fee rates to increase your total revenue.
> - Today, you can’t really easily answer or reason about these questions.
> - We want to accept transactions in our mempool in a denial of service
> resistant way that will strictly increase our miner fees.
> - If a transaction is at the top of your mempool, you may be more
> willing to accept a replacement fee. If it’s way down in the mempool, you
> would probably replace more slowly.
> - It’s conceivable that we could get here, but it’s years off.
> - Once we have this, pinning only happens with large transactions at
> the bottom of the mempool. If you just slow roll these transactions, you
> can just relay what you’ve got.
> - If somebody comes and replaces the bottom with something small
> that’ll be mined in the next two blocks, you clearly want to accept that.
> - Does cluster mempool fix rule 3?
> - No but they help.
> - Today when you get a transaction you don’t know which block it’s going
> in - we don’t have a preference ordering.
> - Miners don’t make blocks as they go - with cluster mempool you can
> make very fast block templates.
> - When talking about relay, you can ignore block making and just get a
> very good estimate.
> - The question is: when do we jump?
> - Wail until V3? Package Relay?
> - Package relay will help. You still negotiate fees but they don’t
> matter as much.
> - We’d like to kill upate fee and have a magic number for fees, can
> we do that when we get package relay?
> - Package relay is the hard part, V3 should be relatively easier
> after that.
> - When we get V3 we can drop to zero fee.
> - Is there a future where miners don’t care about policy at all?
> - Say, the block that I’m mining has V3 transactions. They’re just
> maximizing fees so they’ll accept anything out of band, ignoring these new
> policy rules.
> - Accelerators are already starting to emerge today - how are they doing
> it?
> - We’re carving out a small space in which mempool rules work, and it’s
> okay to work around it.
> - If a miner mines it, great - that’s what we want. The problem is not
> getting mined (ie pinning).
> - Figuring this out is not simple:
> - Today there are times where we accept replacements when we should
> reject them and times where we reject replacements when we should accept
> them.
> - There can be situations where miners will mine things that aren’t
> incentive compatible (ie, not the best block template).
> - What if somebody pays out of band not to mine?
> - Ephemeral anchors are interesting, they never enter the UTXO set - if
> the child gets evicted, you get evicted.
> - The first transaction being zero is optimal, want to be sure it’ll be
> evicted (there are some mempool quirks).
> - It must be zero fee so that it will be evicted.
> - Should we add trimmed HTLCs to the ephemeral anchor?
> - We don’t want to get above min relay fee because then we could hang
> around in the mempool.
> - The eltoo implementation currently does this.
> - You can’t keep things in OP_TRUE because they’ll be taken.
> - You can also just put it in fees as before.
> - More on cluster mempools:
> - It can be used for block selection, but it’s currently focused on
> mempool selection.
> - You can simulate template selection with it.
> - When you’re mining, you have to pick from an ancestor downwards.
> - First we lineralize the transactions to flatten the structure
> intelligently (by topology and fee rate).
> - Then we figure out the best ordering of this flat structure.
> - Each chunk in a cluster is less than 75 transactions, and a cluster
> has chunks of transactions.
> - If you woul include a transaction with the ancestor, it goes in the
> same chunk. Otherwise it goes in the next chunk.
> - Miners select the highest fee rate chunks, lower fee rate ones can
> safely be evicted.
> - For replacement, you can just check replacement for a single cluster,
> rechunk it and then resort the chunks.
> - It must beat the fee rate of the chunks to get in.
> - You can check how much it beats the chunk by, whether it would go
> in the next block(s) and then decide.
> - Chunk ordering takes into account transaction size, beyond 25
> transactions we just do ancestor set feerate.
> - One of the limits is going away, one is sticking around. We still have
> sibling eviction issues.
> - Is one of the issues with chunks is that they’re limited by
> transaction weight, 101 kilo-v-bytes, which is the maximum package size?
> - We should be okay, these limits are higher than present.
> - You can bound chunk size pretty easily.
> - If we get chunk fee rate replacement then you can do batch fee bumping
> (eg, a bunch of ephemeral anchors that are all batched together).
> - Are there long term policy implications for privacy for ephemeral
> anchors?
> - You’re essentially opting into transaction sponsors?
> - If everyone uses V3 eventually there’s no issue.
> - For right now, it would be nice if V3 is only for unilateral closes.
> - It’s also useful in a custodial wallet setting, where you have one
> team creating on chain transactions and the other attaching fees. This is a
> common accounting headache. People can also non-interactively fee bump.
>
> ### Taproot
> - Spec is still in draft right now, and the code is a bit ahead of the
> test vectors.
> - The biggest change that has been made is around anchors, which become
> more complicated with taproot:
> - The revocation path on to_local takes the script path, so now we need
> to reveal data for the anchor.
> - The downside is that revocation is more expensive - 32 more bytes in
> the control block.
> - The to_remote has a NUMS point, previously we just had multisig keys:
> - If you’re doing a rescan, you won’t know those keys.
> - Now you just need to know the NUMS point and you can always rescan.
> - The NUMS point itself is pretty verifiable, you just start with a
> string and hash it.
> - It is constant, you just use it randomized with your key.
> - The internal pubkey is constant on to_remote.
> - Co-op close [broke into several different discussions]:
> - The idea here is to remove negotiation, since we’ve had disagreement
> issues in the past.
> - In this version, the initiator just accepts the fee.
> - Do we want negotiation?
> - In the past we’ve had bugs with fee rate estimates that won’t
> budge.
> - Why don’t we just pick our fees and send two sets of signatures?
> - This would no longer be symmetric.
> - What if nobody wants to close first? We’d need to work through the
> game theory.
> - The person who wants their funds has an incentive.
> - Why is RBF so hard for co-op close?
> - Closing should be marked as RBF, there’s no reason not to.
> - Just pick your fee rate, pay it and then come back and RBF if you’d
> like. You can bump/broadcast as much as you like.
> - If we’re going to have something like that where we iterate, why
> don’t we just do the simple version where we pick a fee and sign?
> - If you have to pay the whole fee, you have less incentive to sign.
> - Why is this linked to taproot work?
> - It needs to change anyway, and we need to add nonces.
> - What about, whoever wants to close sends a fee rate (paying the fees)
> and the responder just sends a signature?
> - If you don’t have enough balance, you can’t close. But why do you
> care anyway, you have no funds?
> - We can do this as many times as we want.
> - Shutdown is still useful to clear the air on the channel.
> - When you reconnect, you start a new interaction completely.
> - TL;DR:
> - Shutdown message stays.
> - You send a signature with a fee rate.
> - The remote party signs it.
> - If they disagree, you do it again.
> - It’s all RBF-able.
> - You must retransmit shutdown, and you must respond with a shutdown.
> - You can send nonces at any time:
> - In revoke and ack.
> - On channel re-establish.
> - For taproot/musig2 we need nonces:
> - Today we store the commitment signature from the remote party. We
> don’t need to store our own signature - we can sign at time of broadcast.
> - To be able to sign you need the verification nonce - you could
> remember it, or you could use a counter:
> - Counter based:
> - We re-use shachain and then just use it to generate nonces.
> - Start with a seed, derive from that, use it to generate nonces.
> - This way you don’t need to remember state, since it can always be
> generated from what you already have.
> - Why is this safe?
> - We never re-use nonces.
> - The remote party never sees your partial signature.
> - The message always stays the same (the dangerous re-use case is
> using the same nonce for different messages).
> - If we used the same nonce for different messages we could leak our
> key.
> - You can combine the sighash + nonce to make it unique - this also
> binds more.
> - Remote party will only see the full signature on chain, never your
> partial one.
> - Each party has sign and verify nonces, 4 total.
> - Co-op close only has 2 because it’s symmetric.
>
> ### Gossip V1.5 vs V2
> - How much do we care about script binding?
> - It it’s loose, it can be any script - you can advertise any UTXO.
> - You revel less information, just providing a full signature with the
> full taproot public key.
> - If it’s tight, you have to provide two keys and then use the BIP 86
> tweak to check that it’s a 2-of-2 multisig.
> - Should we fully bind to the script, or just allow any taproot output?
> - Don’t see why we’d want additional overhead.
> - Any taproot output can be a channel - let people experiment.
> - We shouldn’t have cared in the first place, so it doesn’t matter what
> it’s bound to.
> - It’s just there for anti-DOS, just need to prove that you can sign.
> - Let every taproot output be a lightning channel, amen.
> - We’re going to decouple:
> - You still need a UTXO but it doesn’t matter what it looks like.
> - This also allows other channel types in future.
> - We send:
> - UTXO: unspent and in the UTXO set
> - Two node pubkeys
> - One signature
> - How much do we care about amount binding?
> - Today it is exact.
> - People use it for capacity graphs.
> - Graph go up.
> - We can watch the chain for spends when we know which UTXO to watch
> per-channel.
> - Is there an impact on pathfinding if we over-advertize?
> - We use capacity to pathfind.
> - What’s the worst case if people lie? We don’t use them.
> - If we’ve already agreed that this can be a UTXO that isn’t a channel,
> then it shouldn’t matter.
> - If you allow value magnification, we can use a single UTXO to claim
> for multiple channels. Even in the most naive version (say 5x), you’re only
> revealing 20% of your UTXOs.
> - How much leverage can we allow? The only limit is denial of service.
> - There’s the potential for a market for UTXOs.
> - There’s a privacy trade-off:
> - If you one-to-one map them, then there’s no privacy gain.
> - Do we know that you get substantial privacy?
> - Even if you have two UTXOs and two channels, those UTXOs are now
> not linked (because you can just use the first one to advertise).
> - This is only assuming that somebody implements it/ infrastructure
> is built out.
> - People could create more elaborate things over time, even if
> implementations do the “dumb” way.
> - Gossip 1.5 (ie, with amount binding) fits in the current flow, V2 (ie,
> without amount binding) has a very different scope.
> - It’s a big step, and you don’t truly know until you implement it.
> - What about things like: a very large node and a very small node, whose
> announced UTXO do you use?
> - We decided not to put UTXOs in node announcement, so we’d put it in
> channel announcement:
> - Sometimes there’s a UTXO, sometimes there isn’t.
> - You look at a node’s previous channels to see if they still have
> “quota”.
> - If you don’t have “quota” left, you have to include a signature TLV.
> - With the goal of publicly announcing taproot channels, 1.5 gets us there
> and is a much smaller code change.
> - We’ve talked alot about capacity for pathfinding, but we haven’t really
> touched on control valves like max HTLC:
> - Currently we don’t use these valves to tune our pathfinding, people
> don’t use it.
> - If we get better here, we won’t need capacity.
> - This value is already < 50% anyway.
> - If we don’t un-bind amounts now, when will we do it?
> - It’s always a lower priority and everyone is busy.
> - If we allow overcommitting by some factor now, it’s not unrealistic
> that it will allow some degree of privacy.
> - Between these features, we have opened the door to leasing UTXOs:
> - Before we do more over-commitment, let’s see if anybody uses it?
> - We add channel capacity to the channel announcement with a feature bit:
> - If we turn the feature off, we are on-to-one mapped.
> - But a node can’t use the upgraded version until everyone is upgraded?
> - Our current “get everyone upgraded” cycle is 18 months (or a CVE).
> - If you’re upgrading to 2x multiplier, nobody on 1x will accept that
> gossip.
> - People will not pay for privacy (via lost revenue of people not
> seeing their gossip).
> - This is additive to defeating chain analysis.
> - Private UTXO management is already complicated, we don’t know the
> ideal that we’re working towards.
> - What about if we just set it to 2 today?
> - Is 2 qualitatively better than 1 (without script binding) today?
> - Will a marketplace magically emerge if we allow over-commitment?
> - We don’t know the implications of setting a global multiplier for
> routing or denial of service, and we don’t have a clear view of what
> privacy would look like (other than “some” improvement).
> - We agree that adding a multiplier doesn’t break the network.
> - People with a lower value will see a subnet when we upgrade.
> - We’re going to go with gossip “1.75”:
> - Bind to amount but not script.
> - We include a TLV cut out that paves the way to overcommitment.
>
> ### Multi-Sig Channel Parties
> - There are a few paths we could take to get multi-sig for one channel
> party:
> - Script: just do it on the script level for the UTXO, but it’s heavy
> handed.
> - FROSTy: you end up having to do a bunch of things around fault
> tolerance which require a more intense setup. You also may not want the
> shachain to be known by all of the parties in the setup (we have an ugly
> solution for this, we think).
> - Recursive musig:
> - Context: you have one key in the party, but you actually want it to be
> multiple keys under the hood. You don’t want any single party to know the
> revocation secrets, so you have to each have a part and combine them.
> - Ugliest solution: just create distinct values and store them.
> - Less ugly solution uses multiple shachains:
> - Right now we have a shachan, and we reveal two leaves of it.
> - You have 8 shachains, and you XOR them all together.
> - Why do we need 8? That’ll serve a 5-of-7.
> - Maybe we need 21? 5 choose 7, we’re not sure.
> - How does this work with K-of-N?
> - Each party has a piece, and you can always combine them in
> different combinations (of K pieces) to get to the secret you’re using.
>
> ### PTLCs
> - We can do PTLCs in two ways:
> - Regular musig
> - Adaptor signatures
> - Do they work with trampoline as defined today?
> - The sender picks all the blinding factors today, so it’s fine.
> - There’s a paper called: splitting locally while routing
> interdimensionally:
> - You can let intermediate nodes do splitting because they know all the
> local values.
> - Then can generate new blinding factors and split out to the next node.
> - Adaptor signatures could possibly be combined for PTLCs that get
> fanned out then combined.
> - There are a few options for redundant overpayment (ie, “stuckless”
> payments):
> - Boomerang:
> - Preimages are coefficients of a polynomial, and you commit to the
> polynomial itself.
> - If you have a degree P polynomial and you take P+1 shares, then you
> can claim in the other direction.
> - Quite complex.
> - You have to agree on the number of splits in advance.
> - Spear:
> - H2TLC: there are two payment hashes per-HTLC, one if from the
> sender and one is from the invoice.
> - When you send a payment, the sender only reveals the right number
> of sender preimages.
> - This also gives us HTLC acknowledgement, which is nice.
> - You can concurrently split, and then spray and pray.
> - Interaction is required to get preimages.
> - Do we want to add redundant overpayment with PTLCs?
> - We’ll introduce a communication requirement.
> - Do we need to decide that before we do PTLCs?
> - Can we go for the simplest possible option first and then add it?
> - For spear, yes - the intermediate nodes don’t know that it’s two
> hashes.
> - We could build them out without thinking about overpayment, and
> then mix in a sender secret so that we can claim a subset.
> - We’ll have more round trips, but you also have the ability to ACK
> HTLCs that have arrived.
> - Spray and pray uses the same about as you would with our current “send
> / wait / send”, it’s just concurrently not serially.
> - Is it a problem that HLTCs that aren’t settled don’t pay fees?
> - You’re paying the fastest routes.
> - Even if it’s random, you still get a constant factor of what we should
> have gotten otherwise.
> - It makes sense to use onion messages if it’s available to us.
> - Are we getting payment acknowledgement? Seems so!
>
> ## Day Two
>
> ### Hybrid Approach to Channel Jamming
> - We’ve been talking about jamming for 8 years, back and forth on the
> mailing list.
> - We’d like to find a way to move forward so that we can get something
> done.
> - Generally when we think about jamming, there are three “classes” of
> mitigations:
> - Monetary: unconditional fees, implemented in various ways.
> - Reputation: locally assessed (global is terrible)
> - Scarce Resources: POW, stake, tokens.
> - The problem is that none of these solutions work in isolation.
> - Monetary: the cost that will deter an attacker is unreasonable for an
> honest user, and the cost that is reasonable for an honest user is too low
> for an attacker.
> - Reputation: any system needs to define some threshold that is
> considered good behavior, and an attacker can aim to fall just under it.
> Eg: if you need a payment to resolve in 1 minute, you can fall just under
> that bar.
> - Scarce resources: like with monetary, pricing doesn’t work out.
> - Paper: proof of work doesn’t work for email spam, as an example.
> - Since scarce resources can be purchased, they could be considered a
> subset of monetary.
> - There is no silver bullet for jamming mitigation.
> - Combination of unconditional fees and reputation:
> - Good behavior grants access to more resources, bad behavior loses it.
> - If you want to fall just below that threshold, we close the gap with
> unconditional fees.
> - Looking a these three classes implemented in isolation, are there any
> unresolved questions that people have - “what about this”?
> - Doesn’t POW get you around the cold start problem in reputation where
> if you want to put money in to quickly bootstrap you can?
> - Since POW can be rented, it’s essentially a monetary solution -
> just extra steps.
> - We run into the same pricing issues.
> - Why these combinations?
> - Since scarce resources are essentially monetary, we think that
> unconditional fees are the simplest possible monetary solution.
> - Unconditional Fees:
> - As a sender, you’re building a route and losing money if it doesn’t go
> through?
> - Yes, but they only need to be trivially small compared to success
> case fee budgets.
> - You can also eventually succeed so long as you retry enough, even
> if failure rates are very high.
> - How do you know that these fees will be small? The market could decide
> otherwise.
> - Routing nodes still need to be competitive. If you put an
> unconditional fee of 100x the success case, senders will choose to not send
> through you because you have no incentive to forward.
> - We could also add an in-protocol limit or sender-side advisory.
> - With unconditional fees, a fast jamming attack is very clearly paid
> for.
> - Reputation:
> - The easiest way to jam somebody today is to send a bunch of HTLCs
> through them and hold them for two weeks. We’re focusing on reputation to
> begin with, because in this case we can quite easily identify that people
> are doing something wrong (at the extremes).
> - If you have a reputation score that blows up on failed attempts,
> doesn’t that fix it without upfront fees?
> - We have to allow some natural rate of failure in the network.
> - An attacker can still aim to fall just below that failure threshold
> and go through multiple channels to attack an individual channel.
> - THere isn’t any way to set a bar that an attacker can’t fall just
> beneath.
> - Isn’t this the same for reputation? We have a suggestion for
> reputation but all of them fail because they can be gamed below the bar.
> - If reputation matches the regular operation of nodes on the network,
> you will naturally build reputation up over time.
> - If we do not match reputation accumulation to what normal nodes do,
> then an attacker can take some other action to get more reputation than the
> rest of the network. We don’t want attackers to be able to get ahead of
> regular nodes.
> - Let’s say you get one point for success and one for failure, a
> normal node will always have bad reputation. An attacker could then send 1
> say payments all day long, pay a fee for it and gain reputation.
> - Can you define jamming? Is it stuck HTLCs or a lot of 1 sat HTLCS
> spamming up your DB?
> - Jamming is holding HTLCs to or streaming constant failed HTLCs to
> prevent a channel from operating.
> - This can be achieved with slots or liquidity.
> - Does the system still work if users are playing with reputation?
> - In the steady state, it doesn’t really matter whether a node has a
> good reputation or not.
> - If users start to set reputation in a way that doesn’t reflect normal
> operation of the network, it will only affect their ability to route when
> under attack.
> - Isn’t reputation monetary as well, as you can buy a whole node?
> - There is a connection, and yes in the extreme case you can buy an
> entire identity.
> - Even if you do this, the resource bucketing doesn’t give you a “golden
> ticket” to consume all slots/liquidity with good reputation, so you’re
> still limited in what you can do.
> - Can we learn anything from research elsewhere / the way things are done
> on the internet?
> - A lot of our confidence that these solutions don’t work in isolation
> is based on previous work looking at spam on the internet.
> - Lightning is also unique because it is a monetary network - we have
> money built in, so we have different tools to use.
> - To me, it seems like if the scarce resource that we’re trying to
> allocate is HTLC slots and upfront fees you can pay me upfront fees for the
> worst case (say two weeks) and then if it settles if 5 seconds you give it
> back?
> - The dream solution is to only pay for the amount of time that a HTLC
> is held in flight.
> - The problem here is that there’s no way to prove time when things go
> wrong, and any solution without a universal clock will fall back on
> cooperation which breaks down in the case of an attack.
> - No honest user will be willing to pay the price for the worst case,
> which gets us back to the pricing issue.
> - There’s also an incentives issue when the “rent” we pay for these two
> weeks worst case is more than the forwarding fee, so a router may be
> incentivized to just hang on to that amount and bank it.
> - We’ve talked about forwards and backwards fees extensively on the
> mailing list:
> - They’re not large enough to be enforceable, so somebody always has
> to give the money back off chain.
> - This means that we rely on cooperation for this refund.
> - The complexity of this type of system is very high, and we start to
> open up new “non-cooperation” concerns - can we be attacked using this
> mechanism itself?
> - Doesn’t an attacker need to be directly connected to you to steal
> in the non-cooperative case?
> - At the end of the day, somebody ends up getting robbed when we
> can’t pull the money from the source (attacker).
> - Does everybody feel resolved on the statement that we need to take this
> hybrid approach to clamp down on jamming? Are there any “what about
> solution X” questions left for anyone? Nothing came up.
>
> ### Reputation for Channel Jamming
> - Resource bucketing allows us to limit the number of slots and amount of
> liquidity that are available for nodes that do not have good reputation.
> - No reputation system is perfect, and we will always have nodes that
> have low-to-no activity, or are new to the network that we can’t form
> reputation scores for.
> - It would be a terrible outcome for lightning to just drop these HTLCs,
> so we reserve some portion of resources for them.
> - We have two buckets: protected and general (split 50/50 for the purposes
> of explanation, but we’ll find more intelligent numbers with further
> research):
> - In the normal operation of the network, it doesn’t matter if you get
> into the protected slots. When everyone is using the network as usual,
> things clear out quickly so the general bucket won’t fill up.
> - When the network comes under attack, an attacker will fill up slots
> and liquidity in the general bucket. When this happens, only nodes with
> good reputation will be able to use the protected slots, other HTLCs will
> be dropped.
> - During an attack, nodes that don’t have a good reputation will
> experience lower quality of service - we’ll gradually degrade.
> - What do you mean by the steady state?
> - Nobody is doing anything malicious, payments are clearing out as usual
> - not sitting on the channel using all 483 slots.
> - We decide which bucket the HTLC goes into using two signals:
> - Reputation: whether the upstream node had good reputation with our
> local node.
> - Endorsement: whether the upstream node has indicated that the HTLC is
> expected to be honest (0 if uncertain, 1 if expected to be honest).
> - If reputation && endorsement, then we’ll allow the HTLC into protected
> slots and forward the HTLC on with endorsed=1.
> - We need reputation to add a local viewpoint to this endorsement signal
> - otherwise we can just trivially be jammed if we just copy what the
> incoming peer said.
> - We need endorsement to be able to propagate this signal over multiple
> hops - once it drops, it’s dropped for good.
> - There’s a privacy questions for when senders set endorsed:
> - You can flip a coin or set the endorsed field for your payments at
> the same proportion as you endorse forwards.
> - We think about reputation in terms of the maximum amount of damage that
> can be done by abusing it:
> - Longest CLTV that we allow in the future from current height 2016
> blocks (~2 weeks): this it the longest that we can be slow jammed.
> - Total route length ~27 hops: this is the largest amplifying factor an
> attacker can have.
> - We use the two week period to calculate the node’s total routing
> revenue, this is what we have to lose if we are jammed.
> - We then look at a longer period, 10x the two week period to see what the
> peer has forwarded us over that longer period.
> - If they have forwarded us more over that longer period than what we have
> to loose in the shorter period, then they have good reputation.
> - This is the damage that is observable to us - there are values outside
> of the protocol that are also affected by jamming:
> - Business reliability, joy of running a node, etc
> - We contend that these values are inherently unmeasurable to protocol
> devs:
> - End users can’t easily put a value on them.
> - If we try to approximate them, users will likely just run the
> defaults.
> - One of the simplest attacks we can expect is an “about turn” where an
> attacker behaves perfectly and then attacks:
> - So, once you have good reputation we can’t just give you full access
> to protected slots.
> - We want to reward behavior that we consider to be honest, so we consider
> “effective” HTLC fees - the fee value that a HTLC has given us relative to
> how long it took to resolve:
> - Resolution period: the amount of time that a HTLC can reasonably take
> to resolve - based on MPP timeout / 1 minute.
> - We calculate opportunity cost for every minute after the first
> “allowed” minute as the fees that we could have earned with that
> liquidity/slot.
> - Reputation is only negatively affected if you endorsed the HTLC.
> - If you did not endorse, then you only gain reputation for fast success
> (allowing bootstrapping).
> - When do I get access to protected slots?
> - When you get good reputation, you can use protected slots for your
> endorsed HTLCs but there is a cap on the number of in flight HLTCs that are
> allowed.
> - We treat every HLTC as if it will resolve with the worst possible
> outcome, and temporarily dock reputation until it resolves:
> - In the good case, it resolves quickly and you get your next HLTC
> endorsed.
> - In the bad case, you don’t get any more HTLCs endorsed and you
> reputation remains docked once it resolves (slowly).
> - Wouldn’t a decaying average be easier to implement, rather than a
> sliding window?
> - If you’re going to use large windows, then a day here or there doesn’t
> matter so much.
> - Have you thought about how to make this more visible to node operators?
> - In the steady state we don’t expect this to have any impact on routing
> operations, so they’ll only need a high level view.
> - Can you elaborate on slots vs liquidity for these buckets?
> - Since we have a proportional fee for HTLCs, this indirectly represents
> liquidity: larger HTLCs will have larger fees so will be more “expensive”
> to get endorsed.
> - Where do we go from here?
> - We would like to dry run with an experimental endorsement field, and
> ask volunteers to gather data for us.
> - Are there any objections to an experimental TLV?
> - No.
> - We could also test multiple endorsement signals / algorithms in
> parallel.
> - In your simulations, have you looked at the ability to segment off
> attacks as they happen? To see how quickly an attacker's reputation drops
> off, and that you have a protected path?
> - Not yet, but plan to.
> - Do any of these assumptions change with trampoline? Don’t think it’s
> related.
> - Your reputation is at stake when you endorse, when do you decide to
> endorse my own payments?
> - You do the things you were already doing to figure out a good route.
> Paths that you think have good liquidity, and have had success with in the
> past.
> - What about redundant overpayment, some of your HTLCs are bound to fail?
> - Provided that they fail fast, it shouldn’t be a problem.
> - Is it possible that the case where general slots are perpetually filled
> by attackers becomes the steady state? And we can’t tell the difference
> between a regular user and attacker.
> - This is where unconditional fees come in, if somebody wants to
> perpetually fill up the general bucket they have to pay for it.
> - Is there anything we’d like to see that will help us have move
> confidence here?
> - What do you think is missing from the information presented?
> - We can simulate the steady state / create synthetic data, but can’t
> simulate every attack. Would like to spend more time thinking through the
> ways this could possibly be abused.
> - Would it help to run this on signet? Or scaling lightning?
> - Its a little easier to produce various profiles of activity on
> regtest[.
>
> ### Simplified Commitments
> - Simplified commitments makes our state machine easier to think about.
> - Advertise option_simplified_commitment: once both peers upgrade, we
> can just use it.
> - Simplify our state machine before we make any more changes to it.
> - Right now Alice and Bob can have changes in flight at the same time:
> - Impossible to debug, though technically optimal.
> - Everyone is afraid of touching the state machine.
> - We can simplify this by introducing turn taking:
> - First turn is taken by the lower pubkey.
> - Alice: update / commit.
> - Bob: revoke and ack.
> - If alice wants to go when it’s bob’s turn, she can just send a
> message.
> - Bob can ignore it, or yield and accept it.
> - This has been implemented in CLN for LNSymmetry
> - It’s less code to not have the ignore message, but for real performance
> we’ll want it. Don’t want to suck up all of that latency.
> - The easiest way is to re-establish is to upgrade on re-establish.
> - If it wasn’t somebody’s turn, you can just do lowest pubkey.
> - If it was somebody’s turn, you can just resume it.
> - We could also add REVOKE and NACK:
> - Right now we have no way to refuse updates.
> - Why do we want a NACK?
> - You currently have to express to the other side what they can put
> in your channel because you can’t handle it if they give you something you
> don't’ like (eg, a HTLC below min_htlc).
> - You can likely force a break by trying to send things that aren't
> allowed, which is a robustness issue.
> - We just force close when we get things we don’t allow.
> - Could possibly trigger force closes.
> - There’s an older proposal called fastball where you send a HTLC and
> advise that you’re going to fail it.
> - If Alice gets it, she can reply with UNADD.
> - If you don’t get it in time,you just go through the regular cycle.
> - When you get commitment signed, you could NACK it. This could mean
> you’re failing the whole commitment, or just a few HTLCs.
> - You can’t fail a HTLC when you’ve sent commitment signed, so you need
> a new cycle to clear it out.
> - What NACK says is: I’ve ignored all of your updates and I’m
> progressing to the next commitment.
> - Revoke and NACK is followed by commitment signed where you clear out all
> the bad HTLCs, ending that set of updates.
> - You have to NACk and then wait for another commitment signature, signing
> for the same revocation number.
> - Bob never has to hold a HTLC that he doesn't want from Alice on his
> commitment.
> - This is bad for latency, good for robustness.
> - Alice can send whatever she wants, and Bob has a way to reject it.
> - There are a whole lot of protocol violations that Alice can force a
> force close with, now they can be NACKed.
> - This is good news for remote signers where policy has been violate
> because we have cases where policy has been violated and our only way right
> now is the close the channel.
> - You still want Alice to know Bob’s limits so that you can avoid endless
> invalid HTLCs.
> - Simplified commitment allows us to do things more easily in the protocol.
> - When we specced this all out, we didn’t foresee that update fee would
> be so complicated, with this we know update fee will be correct.
> - If we don’t do this, we have to change update fee?
> - Sender of the HTLC adds fee.
> - Or fixed fee.
> - Even if we have zero fees, don’t we still have HTLC dust problems?
> - You can have a bit on update add that says the HTLC is dust.
> - You can’t be totally fee agnostic because you have to be able to
> understand when to trim HLTCs.
> - Even update fee aside, shouldn’t things just be simpler?
> - Would a turn based protocol have implications for musig nonces?
> - If you’re taking a turn, it’s a session.
> - You’d need to have different nonces for different sessions.
> - We should probably do this before we make another major change, it
> simplifies things.
> - Upgrade on re-establish is pretty neat because you can just tell them
> what type you’d like.
> - This worked very well for CLN getting rid of static remote.
> - What about parameter exchange?
> - There’s a version of splice that allows you to add new inputs and
> outputs.
> - Splice no splice which means that you can only make a new commitment
> transaction, no on-chain work.
> - Seems like you can get something like dynamic commitments with this,
> and it’s a subset of splicing.
>
> ## Day Three
>
> ### Meta Spec Process
> - Do we want to re-evaluate the concept of a “living document”?
> - It’s only going to get longer.
> - As we continue to update, we have two options:
> - Remove old text and replace entirely.
> - Do an extension and then one day replace.
> - If implementing from scratch, what would you want to use?
> - Nobody is currently doing this.
> - By the time they finished, everything would have move.
> - The protocol isn’t actually that modular:
> - Except for untouched BOLT-08, which can be read in isolation.
> - Other things have tentacles.
> - We should endeavor for things to be as modular as possible.
> - Back in Adelaide we have a version with a set of features.
> - We have not re-visited that discussion.
> - Is it possible for us to come up with versions and hold ourselves
> accountable to them?
> - If we’re going to start having different ideas of what lightning looks
> like, versioning helps.
> - Versioning is not tied one-to-one to the protocol:
> - Features make it less clean because you have a grab bag of features
> on top of any “base” version we decide on.
> - Does a version imply that we’re implementing in lock step?
> - If we do extraction, remove and cleanup, we could say that we’re on
> version X with features A/B/C.
> - How confident are we that we can pull things out? Only things that are
> brand new will be easy to do this with.
> - Keeping context in your head is hard, and jumping between documents
> breaks up thought.
> - Should we fully copy the current document and copy it?
> - Not everything is a rewrite, some things are optional.
> - What’s our design goal?
> - To be able to more easily speak about compatibility.
> - To have a readable document for implementation.
> - A single living document works when we were all making a unified push,
> now it makes less sense:
> - You can’t be compliant “by commit” because things are implemented in
> different orders.
> - We can’t fix that with extensions, they’re hard to keep up to date?
> - RFCs work like this, they have replacement ones.
> - BOLT 9 can act as a control bolt because it defines features.
> - Extensions seem helpful:
> - Can contain more rationale.
> - You can have spaghetti and ravioli code, these could be raviolo
> extensions.
> - If everything is an extension BOLT with minimal references, we avoid
> the if-else-ey structure we have right now.
> - For small things, we can just throw out the old stuff.
> - If it were possible to modularize and have working groups, that would be
> great but it seems like we’d tread on each other’s toes.
> - We must avoid scenarios like vfmanprint:
> - The return value says “vfprintf returns -1 on error”
> - The next sentence says “this was true until version 2”
> - But nobody reads the next sentence.
> - Cleanup PRs won’t be looked at, and need to be maintained as new stuff
> gets in.
> - Eg: legacy onion - we just looked at network use and removed when it was
> unused:
> - Rip out how you generate them.
> - Rip out how you handle them.
> - One of the issues with deleting old text is that existing software that
> delete the old text is annoying when you run into interop issues on the old
> spec version.
> - If there are real things to deal with on the network, we must keep
> them.
> - We must reference old commits so that people at least know what was
> there and can do git archeology to find out what it used to be.
> - We can remove some things today!
> - Static remote
> - Non-zero fee anchors
> - ANYSEGWIT is default (/compulsory)
> - Payment secrets / basic MPP.
> - Should we have regular cleanups?
> - Even if we do, they need review.
> - For now, let’s do wholesale replacement to avoid cleanup.
> - The proposals folder is nice to know what’s touched by what changes.
> - Rationale sections need improvement: sometimes they’re detailed,
> sometimes vague.
> - Once a feature becomes compulsory on the network we can possibly ignore
> it.
> - What about things that are neither bolts nor blips - like inbound fees?
> - Why does it need to be merged anywhere?
> - If it’s an implementation experiment, we can merge it once we’re
> convinced it works.
> - If we reach a stage where we all agree it should be universally done,
> then it should be a bolt.
> - This is a BLIP to BOLT path.
> - Communication:
> - We’re not really using IRC anymore - bring it back!
> - We need a canonical medium, recommit to lightning-dev.
>
> ### Async Payments/ Trampoline
> - Blinded payments are a nice improvement for trampoline because you don’t
> know where the recipient is.
> - The high level idea is:
> - Light nodes only see a small part of the network that they are close
> to.
> - Recipients only give a few trampolines in the network that they can be
> reached via.
> - In the onion for the first trampoline, there will be an onion for the
> second trampoline.
> - You just need to give a trampoline a blinded path and they can do the
> rest.
> - If you only have one trampoline, they can probably make a good guess
> where the payment came from (it’s in the reachable neighborhood).
> - Is there a new sync mode for trampoline gossip?
> - We’d now need radius-based gossip rather than block based.
> - The trust version is just getting this from a LSP.
> - In cold bootstrap, you’re probably going to open a channel so you ask
> them for gossip.
> - Can you split MPP over trampoline? Yes.
> - Routing nodes can learn more about the network because they make their
> own attempts.
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230720/bb6138a8/attachment-0001.html>;
Antoine Riard [ARCHIVE] /
npub1vj…4x8dd
2023-07-24 11:29:47
in reply to nevent1q…s23d
Author Public Key
npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8ddSeen on
wss://relay.noswhere.comPublished at
2023-07-24 11:29:47Event JSON
{
"id": "7347b67077681ae28618cc8203a151e46646c35a35713011440b916e1856addd",
"pubkey": "6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551",
"created_at": 1690198187,
"kind": 1,
"tags": [
[
"e",
"1cdf4a8e54532f1c567c10cf126833af2883f9215f610331d425a625611c883f",
"",
"root"
],
[
"e",
"15f1978cdc535ef0636af235a9009af7ccbe03fe7f2f7b59a4171632fe3b8469",
"",
"reply"
],
[
"p",
"f1b886d687b6df3d9f2de1f8aca780d98495c57be15528ac987a7b5419b62eec"
]
],
"content": "📅 Original date posted:2023-07-20\n🗒️ Summary of this message: The sender thanks the Wolf team for organizing the LN Summit and hopes they become the YC of Bitcoin. Technical observations on package relay and minimum relay fees are discussed.\n📝 Original message:\nHi Clara,\n\nThanks for the transcript notes.\n\nI think few technical observations are missing, adding them in-texto to\navoid confusions.\n\nI'm sharing the thanks to the Wolf team for the hard work they have put in\norganizing the LN Summit since the announcement at the end of January. I've\nbeen impressed by seeing so young a commercial entity catching up with FOSS\nneutrality and decentralization standards in matters of development. I hope\nthey will have a long future in the Bitcoin space, and wishing them to be\nthe YC of Bitcoin, bridging the hacker scene with builders, without losing\nthe ethos.\n\nLooking forward to next year's LN Summit, with a multi-stakeholder approach\nto transfer operational how-tos across generations of devs. That type of\nmoment where every dev is taking time to listen to each other is very\nunique, and an experience to carry forward.\n\nNow the technical bullet points\n\n\u003e - The current proposal for package relay is ancestor package relay:\n\u003e - One child can have up to 24 ancestors.\n\u003e - Right now, we only score mempool transactions by ancestry anyway, so\nthere isn’t much point in other types of packages.\n\u003e - For base package relay, commitment transactions will still need to have\nthe minimum relay fee.\n\u003e - No batch bumping is allowed, because it can open up pinning attacks.\n\u003e - With one anchor, we can package RBF.\n\nCurrent state of nversion=3 allows the minimum relay fee exemption:\nhttps://github.com/bitcoin/bitcoin/pull/25038/files#diff-8fe49384f6ab8be91802eb5d0f528fa521e301440b76508f6911d0dd2ae2cebfR108\nAnd there is a confusion with current state of package relay code:\nhttps://github.com/bitcoin/bitcoin/pull/27742#discussion_r1264309536\n\nThere are other type of transaction-relay jamming attacks than \"pure\npinnings\" that prevent to do batch bumping that were discussed during the\ndevelopment of mempool package acceptance:\nhttps://github.com/bitcoin/bitcoin/pull/22674#issuecomment-900352202\n\n\u003e - Once we have package relay, it will be easier to get things into the\nmempool.\n\u003e - Once we have V3 transactions, we can drop minimum relay fees because we\nare restricted to one child pays for one parent transaction:\n\nOn the reasonable assumption that default parameters of package relay does\nnot introduce tx-relay peers bandwidth blowup, or at the very least\nproportion ar kept with regards to traffic submitted to\nDEFAULT_MIN_RELAY_TX_FEE.\n\n\u003e - The size of these transactions is limited.\n\u003e - You can’t arbitrarily attach junk to pin them.\n\u003e - If we want to get rid of 330 sat anchors, we will need ephemeral\nanchors:\n\u003e - If there is an OP_TRUE output, it can be any value including zero.\n\u003e - It must be spent by a child in the same package.\n\u003e - Only one child can spend the anchor (because it’s one output).\n\u003e - The parent must be zero fee because we never want it in a block on its\nown, or relayed without the child.\n\u003e - If the child is evicted, we really want the parent to be evicted as\nwell (there are some odd edge cases at the bottom of the mempool, so zero\nensures that we’ll definitely be evicted).\n\nThe parent *might* still have pre-signed fee as it's drawn up from the\nfunding input liquidity, which might makes sense to save on spending\nexternal on-chain inputs, especially for mobile.\nSee corresponding years-long issue on the BOLT repository on drawback of\nanchor output fee-bumping reserves.\n\n\u003e - The bigger change is with HLTCs:\n\u003e - With SIGHASH_ANYONECANPAY, your counterparty can inflate the size of\nyour transaction - eg: HTLC success, anyone can attack junk.\n\u003e - How much do we want to change here?\n\u003e - So, we can get to zero fee commitment transactions and one (ephemeral)\nanchor per transaction.\n\u003e - With zero fee commitments, where do we put trimmed HTLCs?\n\u003e - You can just drop it in an OP_TRUE, and reasonably expect the miner\nto take it.\n\u003e - In a commitment with to_self and to_remote and an ephemeral anchor that\nmust be spent, you can drop the 1 block CSV in the transaction that does\nnot have a revocation path (ie, you can drop it for to_remote).\n\u003e - Any spend of this transaction must spend the one anchor in the same\nblock.\n\u003e - No other output is eligible to have a tx attached to it, so we don’t\nneed the delay anymore.\n\nThe 1 block CSV might be kept as a way to make the chain of transactions\n\"discrete\" on the transaction-relay network, to avoid interference with\nblock-based filters.\n\nThrowing trimmed HTLCs under an OP_TRUE, without timelocks protection opens\nthe door to miner harvesting attacks, see\nhttps://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002569.html\n\n\u003e - Theoretically, your counterparty could get hold of your signed\nlocal copy, but then you can just RBF.\n\u003e - Since these will be V3 transactions, the size of the child must be\nsmall so you can’t pin it.\n\u003e - Both parties can RBF the child spending the ephemeral anchor.\n\u003e - This isn’t specifically tailored to lightning, it’s a more general\nconcept.\n\u003e - Child transactions of V3 are implicitly RBF, so we won’t have to worry\nabout it not being replaceable (no inheritance bug).\n\u003e - In general, when we’re changing the mempool policy we want to make the\nminimal relaxation that allows the best improvement.\n\nStill the issue of V3 transactions being used to conduct double-spend on\nzero-conf infrastructure, if they don't upgrade their software before V3 is\nwidely deployed (a lightweight mempoolfullrbf=true)\n\n\u003e - We need “top of block” mempool / cluster mempool:\n\u003e - The mempool can have clusters of transactions (parents/children\narranged in various topologies) and the whole mempool could even be a\nsingle cluster (think a trellis of parents and \u003e children “zigzagging”).\n\u003e - The mining algorithm will pick one “vertical” using ancestor fee rate.\n\u003e - There are some situations where you add a single transaction and it\nwould completely change the order in which our current selection picks\nthings.\n\u003e - Cluster mempool groups transactions into “clusters” that make this\neasier to sort and reason about.\n\u003e - It can be expensive (which introduces a risk of denial of service),\nbut if we have limits on cluster sizes then we can limit this.\n\nNota bene - Cluster mempool as a concept as not yet being evaluated for its\nimpact on mining block template construction, neither Lightning liquidity\nmanagement algorithms, nor the changes in DoS performance of usual tx-relay\npeers.\n\nSee https://github.com/bitcoin/bitcoin/issues/27677, probably gonna need\nthe same level of scrutiny than a consensus change.\n\n\u003e - This is the only way to get package RBF.\n\u003e - How far along is all of this?\n\u003e - BIP331: the P2P part that allows different package types is moving\nalong and implementation is happening. This is done in a way that would\nallow us to add different types of\n\u003e packages in future if we need them.\n\u003e - There are some improvements being made to core’s orphan pool,\nbecause we need to make sure that peers can’t knock orphans out of your\npool that you may later need to\n\u003e retrieve as package ancestors.\n\u003e - We reserve some spots with tokens, and if you have a token we keep\nsome space for you.\n\u003e - V3 transactions: implemented on top of package relay, since they don’t\nreally make sense without it. This is an opt-in regime where you make\nthings easier to RBF.\n\u003e - Ephemeral Anchors: on top of package relay and V3.\n\u003e - Cluster Mempool: This is further out, but there’s been some progress.\nRight now people are working on the linearization algorithm.\n\u003e - If these changes don’t suit lightning’s use case, now is the time to\nspeak because it’s all being worked on.\n\nState of the discussion is what part of the lightning flows are granted\nbasic pinning protection under package relay and nVersion=3:\nhttps://github.com/bitcoin/bitcoin/issues/27463\n\n\u003e - In what way does it not fit LN, as it’s currently designed?\n\u003e - With the V3 paradigm, to stop all pinning vectors, HTLC transactions\nwill need to get anchors and you will have to drop ANYONECANPAY (to use\nanchors instead).\n\u003e - Could we fix this with additional restrictions on V3 (or a V4)?\n\u003e - You could do something where V4 means that you can have no ancestors\nand no descendants (in the mempool).\n\u003e - V3 restricts the child, you could also restrict the parent further.\n\u003e - You could have a heuristic on the number of inputs and outputs, but\nanyone can pay or add inputs.\n\u003e - You could commit to the whole thing being some size by setting a\nseries of bits in sequence to mark maximum size but that would involve\nrunning script (which is annoying).\n\u003e - The history of V3 was to allow a parent of any size because\ncommitment transactions can be any size.\n\u003e - What about keeping HTLCs the way they are today?\n\u003e - A lot of other things are less pineapple, maybe that’s ok? It’s a step\nforward.\n\u003e - The long term solution is to change relay policy to top of mempool. We\nshouldn’t be doing things until the long term solution is clear, and we\nshouldn’t change the protocol in a way\n\u003e that doesn’t fit with the long term.\n\nCurrent V3 paradigm and package relay, won't stop all pinning vectors, as\nyou have advanced pinnings due to the distributed nature of network\nmempools, see\nhttps://lists.linuxfoundation.org/pipermail/lightning-dev/2020-June/002758.html\n\n\u003e - We already do a lot of arbitrary things, if we were starting from day\none we wouldn’t do HTLCs with anchors (it’s too much bloat), and being\nunable to RBF is more bloat because you \u003e overpay.\n\u003e - If the remote commitment is broadcast, you can spen the HTLC with V2.\nYou can’t add a V3 child (it won’t get in the mempool).\n\u003e - If you want to be consistent, even when it’s the remote commit you\nneed a presigned transaction, we should just use it as designed today.\n\u003e - What is the “top of mempool” assumption?\n\u003e - If large transactions are at the top of your mempool, you (a miner)\nwant transactions with higher fee rates to increase your total revenue.\n\u003e - Today, you can’t really easily answer or reason about these questions.\n\u003e - We want to accept transactions in our mempool in a denial of service\nresistant way that will strictly increase our miner fees.\n\u003e - If a transaction is at the top of your mempool, you may be more\nwilling to accept a replacement fee. If it’s way down in the mempool, you\nwould probably replace more slowly.\n\u003e - It’s conceivable that we could get here, but it’s years off.\n\u003e - Once we have this, pinning only happens with large transactions at\nthe bottom of the mempool. If you just slow roll these transactions, you\ncan just relay what you’ve got.\n\u003e - If somebody comes and replaces the bottom with something small\nthat’ll be mined in the next two blocks, you clearly want to accept that.\n\u003e - Does cluster mempool fix rule 3?\n\u003e - No but they help.\n\u003e - Today when you get a transaction you don’t know which block it’s going\nin - we don’t have a preference ordering.\n\u003e - Miners don’t make blocks as they go - with cluster mempool you can\nmake very fast block templates.\n\nDefining \"top of mempool\" is function of the source of informations and\nconfiguration settings, and block template construction strategy of a\nminer, see\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019846.html\n\n\u003e - When talking about relay, you can ignore block making and just get a\nvery good estimate.\n\u003e - The question is: when do we jump?\n\u003e - Wail until V3? Package Relay?\n\u003e - Package relay will help. You still negotiate fees but they don’t\nmatter as much.\n\u003e - We’d like to kill upate fee and have a magic number for fees, can we\ndo that when we get package relay?\n\u003e - Package relay is the hard part, V3 should be relatively easier after\nthat.\n\u003e - When we get V3 we can drop to zero fee.\n\u003e - Is there a future where miners don’t care about policy at all?\n\u003e - Say, the block that I’m mining has V3 transactions. They’re just\nmaximizing fees so they’ll accept anything out of band, ignoring these new\npolicy rules.\n\nIn a world of limited computing resources, miners will always have to care\nabout policy, at the very least as a question of transaction ordering\nacceptance.\n\n\u003e - Accelerators are already starting to emerge today - how are they doing\nit?\n\u003e - We’re carving out a small space in which mempool rules work, and it’s\nokay to work around it.\n\u003e - If a miner mines it, great - that’s what we want. The problem is not\ngetting mined (ie pinning).\n\u003e - Figuring this out is not simple:\n\u003e - Today there are times where we accept replacements when we should\nreject them and times where we reject replacements when we should accept\nthem.\n\u003e - There can be situations where miners will mine things that aren’t\nincentive compatible (ie, not the best block template).\n\u003e - What if somebody pays out of band not to mine?\n\nGame of out-of-band payments to not mine LN transactions are already\nconsidered, see\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021395.html\n\n\u003e - Ephemeral anchors are interesting, they never enter the UTXO set - if\nthe child gets evicted, you get evicted.\n\u003e - The first transaction being zero is optimal, want to be sure it’ll be\nevicted (there are some mempool quirks).\n\u003e - It must be zero fee so that it will be evicted.\n\u003e - Should we add trimmed HTLCs to the ephemeral anchor?\n\u003e - We don’t want to get above min relay fee because then we could hang\naround in the mempool.\n\u003e - The eltoo implementation currently does this.\n\u003e - You can’t keep things in OP_TRUE because they’ll be taken.\n\u003e - You can also just put it in fees as before.\n\u003e - More on cluster mempools:\n\u003e - It can be used for block selection, but it’s currently focused on\nmempool selection.\n\u003e - You can simulate template selection with it.\n\u003e - When you’re mining, you have to pick from an ancestor downwards.\n\u003e - First we lineralize the transactions to flatten the structure\nintelligently (by topology and fee rate).\n\u003e - Then we figure out the best ordering of this flat structure.\n\u003e - Each chunk in a cluster is less than 75 transactions, and a cluster\nhas chunks of transactions.\n\u003e - If you woul include a transaction with the ancestor, it goes in the\nsame chunk. Otherwise it goes in the next chunk.\n\u003e - Miners select the highest fee rate chunks, lower fee rate ones can\nsafely be evicted.\n\u003e - For replacement, you can just check replacement for a single cluster,\nrechunk it and then resort the chunks.\n\u003e - It must beat the fee rate of the chunks to get in.\n\u003e - You can check how much it beats the chunk by, whether it would go\nin the next block(s) and then decide.\n\u003e - Chunk ordering takes into account transaction size, beyond 25\ntransactions we just do ancestor set feerate.\n\nWith clustering comes the issues of \"horizontal\" package limits, which is\nnot the way of checking package validity than Lightning transaction\nbroadcast backend are currently architectured.\n\n\u003e - One of the limits is going away, one is sticking around. We still have\nsibling eviction issues.\n\u003e - Is one of the issues with chunks is that they’re limited by\ntransaction weight, 101 kilo-v-bytes, which is the maximum package size?\n\u003e - We should be okay, these limits are higher than present.\n\u003e - You can bound chunk size pretty easily.\n\u003e - If we get chunk fee rate replacement then you can do batch fee bumping\n(eg, a bunch of ephemeral anchors that are all batched together).\n\u003e - Are there long term policy implications for privacy for ephemeral\nanchors?\n\u003e - You’re essentially opting into transaction sponsors?\n\u003e - If everyone uses V3 eventually there’s no issue.\n\u003e - For right now, it would be nice if V3 is only for unilateral closes.\n\u003e - It’s also useful in a custodial wallet setting, where you have one\nteam creating on chain transactions and the other attaching fees. This is a\ncommon accounting headache. People can also non-interactively fee bump.\n\nIn a world where each V3 policy has its own package limits tailored to\ndeter pinnings, and those limits are designed in the function of the\nuse-case flow, it is hard to expect uniform deployment of the latest set of\npolicy rules.\n\n\u003e ### Taproot\n\u003e - Spec is still in draft right now, and the code is a bit ahead of the\ntest vectors.\n\u003e - The biggest change that has been made is around anchors, which become\nmore complicated with taproot:\n\u003e - The revocation path on to_local takes the script path, so now we need\nto reveal data for the anchor.\n\u003e - The downside is that revocation is more expensive - 32 more bytes in\nthe control block.\n\u003e - The to_remote has a NUMS point, previously we just had multisig keys:\n\u003e - If you’re doing a rescan, you won’t know those keys.\n\u003e - Now you just need to know the NUMS point and you can always rescan.\n\u003e - The NUMS point itself is pretty verifiable, you just start with a\nstring and hash it.\n\u003e - It is constant, you just use it randomized with your key.\n\u003e - The internal pubkey is constant on to_remote.\n\nLN wallets might have to support \"cold\" storage of both old BOLT3 secret\nand the new taproot ones, as long as you have pre-taproot channels opened\nwith your counterparties, that might not happen for a while for economic\nreasons, and deal with the differentiated sizes of the witness due to the\nusage of tapscript vs witness script.\n\n\u003e - Co-op close [broke into several different discussions]:\n\u003e - The idea here is to remove negotiation, since we’ve had disagreement\nissues in the past.\n\u003e - In this version, the initiator just accepts the fee.\n\u003e - Do we want negotiation?\n\u003e - In the past we’ve had bugs with fee rate estimates that won’t\nbudge.\n\u003e - Why don’t we just pick our fees and send two sets of signatures?\n\u003e - This would no longer be symmetric.\n\u003e - What if nobody wants to close first? We’d need to work through the\ngame theory.\n\u003e - The person who wants their funds has an incentive.\n\nFee responsibility assigned on the \"first-announcer\" can lead to\ngame-theory stale.\n\n\u003e - Why is RBF so hard for co-op close?\n\u003e - Closing should be marked as RBF, there’s no reason not to.\n\u003e - Just pick your fee rate, pay it and then come back and RBF if you’d\nlike. You can bump/broadcast as much as you like.\n\u003e - If we’re going to have something like that where we iterate, why\ndon’t we just do the simple version where we pick a fee and sign?\n\u003e - If you have to pay the whole fee, you have less incentive to sign.\n\u003e - Why is this linked to taproot work?\n\u003e - It needs to change anyway, and we need to add nonces.\n\u003e - What about, whoever wants to close sends a fee rate (paying the fees)\nand the responder just sends a signature?\n \u003e - If you don’t have enough balance, you can’t close. But why do you\ncare anyway, you have no funds?\n\nClosing old or inactive channels has an impact if you have a limited number\nof peers with opened channels slots.\n\n\u003e - For taproot/musig2 we need nonces:\n\u003e - Today we store the commitment signature from the remote party. We\ndon’t need to store our own signature - we can sign at time of broadcast.\n\u003e - To be able to sign you need the verification nonce - you could\nremember it, or you could use a counter:\n\u003e - Counter based:\n\u003e - We re-use shachain and then just use it to generate nonces.\n\u003e - Start with a seed, derive from that, use it to generate nonces.\n\u003e - This way you don’t need to remember state, since it can always be\ngenerated from what you already have.\n\u003e - Why is this safe?\n\u003e - We never re-use nonces.\n\u003e - The remote party never sees your partial signature.\n\u003e - The message always stays the same (the dangerous re-use case is\nusing the same nonce for different messages).\n\u003e - If we used the same nonce for different messages we could leak our\nkey.\n\u003e - You can combine the sighash + nonce to make it unique - this also\nbinds more.\n\u003e - Remote party will only see the full signature on chain, never your\npartial one.\n\u003e - Each party has sign and verify nonces, 4 total.\n\u003e - Co-op close only has 2 because it’s symmetric.\n\n(I don't know when mailing list post max size will be reached)\n\nCounter-based nonces versus stateful memorization of them from a user\nperspective depends on the hardware capabilities you have access to.\n\nThe taproot schnorr flow could be transparent from the underlying signature\nscheme (FROST, musig2, TAPS in the future maybe).\n\n\u003e ### Gossip V1.5 vs V2\n\u003e - How much do we care about script binding?\n\u003e - It it’s loose, it can be any script - you can advertise any UTXO.\n\u003e - You revel less information, just providing a full signature with the\nfull taproot public key.\n\u003e - If it’s tight, you have to provide two keys and then use the BIP 86\ntweak to check that it’s a 2-of-2 multisig.\n\u003e - Should we fully bind to the script, or just allow any taproot output?\n\u003e - Don’t see why we’d want additional overhead.\n\u003e - Any taproot output can be a channel - let people experiment.\n\u003e - We shouldn’t have cared in the first place, so it doesn’t matter what\nit’s bound to.\n\u003e - It’s just there for anti-DOS, just need to prove that you can sign.\n\u003e - Let every taproot output be a lightning channel, amen.\n\nThe script binding gone matters in terms of DoS protection in a future\nwhere different types of channels might not have the same \"routing\nreliability\" value in scoring algorithms (e.g size of the satisfying\nwitness being a function of the off-chain fees in case of probabilistic\nforce-close).\n\nAt scale, peered by the script gossips authentication can be needed to\navoid asymmetries in channel value being exploited in routing.\n\n\u003e - We’re going to decouple:\n\u003e - You still need a UTXO but it doesn’t matter what it looks like.\n\u003e - This also allows other channel types in future.\n\u003e - We send:\n\u003e - UTXO: unspent and in the UTXO set\n\u003e - Two node pubkeys\n\u003e - One signature\n\u003e - How much do we care about amount binding?\n\u003e - Today it is exact.\n\u003e - People use it for capacity graphs.\n\u003e - Graph go up.\n\u003e - We can watch the chain for spends when we know which UTXO to watch\nper-channel.\n\u003e - Is there an impact on pathfinding if we over-advertize?\n\u003e - We use capacity to pathfind.\n\u003e - What’s the worst case if people lie? We don’t use them.\n\u003e - If we’ve already agreed that this can be a UTXO that isn’t a channel,\nthen it shouldn’t matter.\n\nOver-advertize comes as bandwidth drain on the network, and therefore\nreduces the ability of low-performance clients to be first-class citizens\nof the Lightning routing network, a downside in privacy.\n\n\u003e - If you allow value magnification, we can use a single UTXO to claim for\nmultiple channels. Even in the most naive version (say 5x), you’re only\nrevealing 20% of your UTXOs.\n\u003e - How much leverage can we allow? The only limit is denial of service.\n\u003e - There’s the potential for a market for UTXOs.\n\u003e - There’s a privacy trade-off:\n\u003e - If you one-to-one map them, then there’s no privacy gain.\n\u003e - Do we know that you get substantial privacy?\n\u003e - Even if you have two UTXOs and two channels, those UTXOs are now not\nlinked (because you can just use the first one to advertise).\n\u003e - This is only assuming that somebody implements it/ infrastructure is\nbuilt out.\n\u003e - People could create more elaborate things over time, even if\nimplementations do the “dumb” way.\n\nPrivacy of a UTXO in gossip can be abstracted from the attributes one wish\nto reveal, see\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021686.html\n\n\u003e - Gossip 1.5 (ie, with amount binding) fits in the current flow, V2 (ie,\nwithout amount binding) has a very different scope.\n\u003e - It’s a big step, and you don’t truly know until you implement it.\n\u003e - What about things like: a very large node and a very small node, whose\nannounced UTXO do you use?\n\u003e - We decided not to put UTXOs in node announcement, so we’d put it in\nchannel announcement:\n\u003e - Sometimes there’s a UTXO, sometimes there isn’t.\n\u003e - You look at a node’s previous channels to see if they still have\n“quota”.\n\u003e - If you don’t have “quota” left, you have to include a signature TLV.\n\u003e - With the goal of publicly announcing taproot channels, 1.5 gets us\nthere and is a much smaller code change.\n\nNative announcement bandwidth/rate-limit based \"quota\" might not reflect\nwhat the end consumer of the gossip is interested for privacy, efficient\npaths, payment reliability, etc.\n\n\u003e - We’ve talked alot about capacity for pathfinding, but we haven’t really\ntouched on control valves like max HTLC:\n\u003e - Currently we don’t use these valves to tune our pathfinding, people\ndon’t use it.\n\u003e - If we get better here, we won’t need capacity.\n\u003e - This value is already \u003c 50% anyway.\n\u003e - If we don’t un-bind amounts now, when will we do it?\n\nChannel policy parameters could be dynamic during channel lifetime to\nenable more fine-grained liquidity adjustment, without compromising\nsecurity risks due to things like \"flood\u0026loot\".\n\n\u003e - It’s always a lower priority and everyone is busy.\n\u003e - If we allow overcommitting by some factor now, it’s not unrealistic\nthat it will allow some degree of privacy.\n\u003e - Between these features, we have opened the door to leasing UTXOs:\n\u003e - Before we do more over-commitment, let’s see if anybody uses it?\n\u003e - We add channel capacity to the channel announcement with a feature bit:\n\u003e - If we turn the feature off, we are on-to-one mapped.\n\u003e - But a node can’t use the upgraded version until everyone is upgraded?\n\u003e - Our current “get everyone upgraded” cycle is 18 months (or a CVE).\n\nThe Lightning development community as a whole together apologizes for the\ncurrent state of Lightning implementations and has never considered\nsafety-critical CVEs as a \"trojan horse\" to harmonize gossips and other\nminor features across the ecosystem.\n\n\u003e - If you’re upgrading to 2x multiplier, nobody on 1x will accept that\ngossip.\n\u003e - People will not pay for privacy (via lost revenue of people not\nseeing their gossip).\n\nPeople *might* pay for privacy when their services operations and the\ncompetitive advantage is dependent on it.\n\n\u003e - This is additive to defeating chain analysis.\n\u003e - Private UTXO management is already complicated, we don’t know the\nideal that we’re working towards.\n\u003e - What about if we just set it to 2 today?\n\u003e - Is 2 qualitatively better than 1 (without script binding) today?\n\u003e - Will a marketplace magically emerge if we allow over-commitment?\n\u003e - We don’t know the implications of setting a global multiplier for\nrouting or denial of service, and we don’t have a clear view of what\nprivacy would look like (other than “some” improvement).\n\u003e - We agree that adding a multiplier doesn’t break the network.\n\u003e - People with a lower value will see a subnet when we upgrade.\n\u003e - We’re going to go with gossip “1.75”:\n\u003e - Bind to amount but not script.\n\u003e - We include a TLV cut out that paves the way to overcommitment.\n\nThe data scope of the gossip (and future cryptosystems to cipher them) has\nan impact on low-bandwidth and performance-constrained mobile clients.\n\n\u003e - There are a few paths we could take to get multi-sig for one channel\nparty:\n\u003e - Script: just do it on the script level for the UTXO, but it’s heavy\nhanded.\n\u003e - FROSTy: you end up having to do a bunch of things around fault\ntolerance which require a more intense setup. You also may not want the\nshachain to be known by all of the parties \u003e in the setup (we have an ugly\nsolution for this, we think).\n\u003e - Recursive musig:\n\u003e - Context: you have one key in the party, but you actually want it to be\nmultiple keys under the hood. You don’t want any single party to know the\nrevocation secrets, so you have to each have a part and combine them\n\u003e - Ugliest solution: just create distinct values and store them.\n\u003e - Less ugly solution uses multiple shachains:\n\u003e - Right now we have a shachan, and we reveal two leaves of it.\n\u003e - You have 8 shachains, and you XOR them all together.\n\u003e - Why do we need 8? That’ll serve a 5-of-7.\n\u003e - Maybe we need 21? 5 choose 7, we’re not sure.\n\u003e - How does this work with K-of-N?\n\u003e - Each party has a piece, and you can always combine them in\ndifferent combinations (of K pieces) to get to the secret you’re using.\n\nSharding of the revocation secret across multiple device signers requires a\nconsistent consensus algorithm if fault-tolerance is a design property.\n\n\u003e ### PTLCs\n\u003e - We can do PTLCs in two ways:\n\u003e - Regular musig\n\u003e - Adaptor signatures\n\u003e - Do they work with trampoline as defined today?\n\u003e - The sender picks all the blinding factors today, so it’s fine.\n\u003e - There’s a paper called: splitting locally while routing\ninterdimensionally:\n\u003e - You can let intermediate nodes do splitting because they know all the\nlocal values.\n\u003e - Then can generate new blinding factors and split out to the next node.\n\u003e - Adaptor signatures could possibly be combined for PTLCs that get fanned\nout then combined.\n\u003e - There are a few options for redundant overpayment (ie, “stuckless”\npayments):\n\u003e - Boomerang:\n\u003e - Preimages are coefficients of a polynomial, and you commit to the\npolynomial itself.\n\u003e - If you have a degree P polynomial and you take P+1 shares, then you\ncan claim in the other direction.\n\u003e - Quite complex.\n\u003e - You have to agree on the number of splits in advance.\n\u003e - Spear:\n\u003e - H2TLC: there are two payment hashes per-HTLC, one if from the sender\nand one is from the invoice.\n \u003e - When you send a payment, the sender only reveals the right number of\nsender preimages.\n\u003e - This also gives us HTLC acknowledgement, which is nice.\n\u003e - You can concurrently split, and then spray and pray.\n\u003e - Interaction is required to get preimages.\n\u003e - Do we want to add redundant overpayment with PTLCs?\n\u003e - We’ll introduce a communication requirement.\n\u003e - Do we need to decide that before we do PTLCs?\n\u003e - Can we go for the simplest possible option first and then add it?\n\u003e - For spear, yes - the intermediate nodes don’t know that it’s two\nhashes.\n\u003e - We could build them out without thinking about overpayment, and then\nmix in a sender secret so that we can claim a subset.\n\u003e - We’ll have more round trips, but you also have the ability to ACK HTLCs\nthat have arrived.\n\u003e - Spray and pray uses the same about as you would with our current “send\n/ wait / send”, it’s just concurrently not serially.\n\u003e - Is it a problem that HLTCs that aren’t settled don’t pay fees?\n\u003e - You’re paying the fastest routes.\n\u003e - Even if it’s random, you still get a constant factor of what we should\nhave gotten otherwise.\n\u003e - It makes sense to use onion messages if it’s available to us.\n\u003e - Are we getting payment acknowledgement? Seems so!\n\nScripteable PTLCs based on the structure of the elliptic can be advanced by\nverifiable encryption, and other cryptosystems, see\nhttps://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002213.html\n\nCancellable PTLCs are coming with trade-off in term of interactivity or\ndefault of the point contributing participant.\n\n\u003e ### Hybrid Approach to Channel Jamming\n\u003e - We’ve been talking about jamming for 8 years, back and forth on the\nmailing list.\n\u003e - We’d like to find a way to move forward so that we can get something\ndone.\n\u003e - Generally when we think about jamming, there are three “classes” of\nmitigations:\n\u003e - Monetary: unconditional fees, implemented in various ways.\n\u003e - Reputation: locally assessed (global is terrible)\n\u003e - Scarce Resources: POW, stake, tokens.\n\u003e - The problem is that none of these solutions work in isolation.\n\u003e - Monetary: the cost that will deter an attacker is unreasonable for an\nhonest user, and the cost that is reasonable for an honest user is too low\nfor an attacker.\n\u003e - Reputation: any system needs to define some threshold that is\nconsidered good behavior, and an attacker can aim to fall just under it.\nEg: if you need a payment to resolve in 1 minute, you can fall just under\nthat bar.\n\u003e - Scarce resources: like with monetary, pricing doesn’t work out.\n\u003e - Paper: proof of work doesn’t work for email spam, as an example.\n\u003e - Since scarce resources can be purchased, they could be considered a\nsubset of monetary.\n\u003e - There is no silver bullet for jamming mitigation.\n\nThis is a good resume of the state of the discussions, It should be noted,\nthe Tor project is aiming to solve the DoS issues in a peer-to-peer network\nlike LN with proof-of-work.\n\nMainstain Internet has been working on Privacy Pass, of which some jamming\nmitigation flavors are inspired.\n\nIf the Lightning development community solve the jamming issue, a Turing\nAward could be recognized as whole (or maybe a Nobel Prize in economics).\n\n\u003e - Combination of unconditional fees and reputation:\n\u003e - Good behavior grants access to more resources, bad behavior loses it.\n\u003e - If you want to fall just below that threshold, we close the gap with\nunconditional fees.\n\u003e - Looking a these three classes implemented in isolation, are there any\nunresolved questions that people have - “what about this”?\n\u003e - Doesn’t POW get you around the cold start problem in reputation where\nif you want to put money in to quickly bootstrap you can?\n\u003e - Since POW can be rented, it’s essentially a monetary solution - just\nextra steps.\n\nBIP154 has been proposed early on and discarded for its drain on mobile\nclients batteries.\n\n\u003e - We run into the same pricing issues.\n\u003e - Why these combinations?\n\u003e - Since scarce resources are essentially monetary, we think that\nunconditional fees are the simplest possible monetary solution.\n\u003e - Unconditional Fees:\n\u003e - As a sender, you’re building a route and losing money if it doesn’t go\nthrough?\n\u003e - Yes, but they only need to be trivially small compared to success\ncase fee budgets.\n\u003e - You can also eventually succeed so long as you retry enough, even if\nfailure rates are very high.\n\u003e - How do you know that these fees will be small? The market could decide\notherwise.\n\nStatic unconditional fees is a limited tool in a world where rational\neconomic actors are pricing their liquidity in function of demand.\n\n\u003e - Routing nodes still need to be competitive. If you put an\nunconditional fee of 100x the success case, senders will choose to not send\nthrough you because you have no incentive to forward.\n\u003e - We could also add an in-protocol limit or sender-side advisory.\n\u003e - With unconditional fees, a fast jamming attack is very clearly paid for.\n\u003e - Reputation:\n\u003e - The easiest way to jam somebody today is to send a bunch of HTLCs\nthrough them and hold them for two weeks. We’re focusing on reputation to\nbegin with, because in this case we \u003e can quite easily identify that people\nare doing something wrong (at the extremes).\n\u003e - If you have a reputation score that blows up on failed attempts,\ndoesn’t that fix it without upfront fees?\n\nThe local reputation score of the failed attempts entity might be in a\nsituation of informational asymmetries, therefore provoking a damage\nsuperior to the reputation acquisition cost.\n\n\u003e - We have to allow some natural rate of failure in the network.\n\u003e - An attacker can still aim to fall just below that failure threshold\nand go through multiple channels to attack an individual channel.\n\u003e - THere isn’t any way to set a bar that an attacker can’t fall just\nbeneath.\n\u003e - Isn’t this the same for reputation? We have a suggestion for\nreputation but all of them fail because they can be gamed below the bar.\n\u003e - If reputation matches the regular operation of nodes on the network,\nyou will naturally build reputation up over time.\n\u003e - If we do not match reputation accumulation to what normal nodes do,\nthen an attacker can take some other action to get more reputation than the\nrest of the network. We don’t want attackers to be able to get ahead of\nregular nodes.\n\u003e - Let’s say you get one point for success and one for failure, a\nnormal node will always have bad reputation. An attacker could then send 1\nsay payments all day long, pay a fee for it \u003e and gain reputation.\n\u003e - Can you define jamming? Is it stuck HTLCs or a lot of 1 sat HTLCS\nspamming up your DB?\n\nJamming is an economic notion, as such relying on the subjectivism of node\nappreciation of local ressources.\n\n\u003e - Jamming is holding HTLCs to or streaming constant failed HTLCs to\nprevent a channel from operating.\n\u003e - This can be achieved with slots or liquidity.\n\u003e - Does the system still work if users are playing with reputation?\n\u003e - In the steady state, it doesn’t really matter whether a node has a\ngood reputation or not.\n\u003e - If users start to set reputation in a way that doesn’t reflect normal\noperation of the network, it will only affect their ability to route when\nunder attack.\n\u003e - Isn’t reputation monetary as well, as you can buy a whole node?\n\u003e - There is a connection, and yes in the extreme case you can buy an\nentire identity.\n\u003e - Even if you do this, the resource bucketing doesn’t give you a “golden\nticket” to consume all slots/liquidity with good reputation, so you’re\nstill limited in what you can do.\n\u003e - Can we learn anything from research elsewhere / the way things are done\non the internet?\n\u003e - A lot of our confidence that these solutions don’t work in isolation\nis based on previous work looking at spam on the internet.\n\u003e - Lightning is also unique because it is a monetary network - we have\nmoney built in, so we have different tools to use.\n\nSpamming and DoS are not solved on the Internet and one of the reason we're\nrelying on chain of X.509 certificates for modern data communication.\n\n\u003e - To me, it seems like if the scarce resource that we’re trying to\nallocate is HTLC slots and upfront fees you can pay me upfront fees for the\nworst case (say two weeks) and then if it settles if 5 seconds you give it\nback?\n\u003e - The dream solution is to only pay for the amount of time that a HTLC\nis held in flight.\n\u003e - The problem here is that there’s no way to prove time when things go\nwrong, and any solution without a universal clock will fall back on\ncooperation which breaks down in the case of \u003e an attack.\n\nThere is a universal clock in Bitcoin called the chain height advances.\n\n\u003e - No honest user will be willing to pay the price for the worst case,\nwhich gets us back to the pricing issue.\n\u003e - There’s also an incentives issue when the “rent” we pay for these two\nweeks worst case is more than the forwarding fee, so a router may be\nincentivized to just hang on to that amount and bank it.\n\u003e - We’ve talked about forwards and backwards fees extensively on the\nmailing list:\n\u003e - They’re not large enough to be enforceable, so somebody always has\nto give the money back off chain.\n\u003e - This means that we rely on cooperation for this refund.\n\u003e - The complexity of this type of system is very high, and we start to\nopen up new “non-cooperation” concerns - can we be attacked using this\nmechanism itself?\n\u003e - Doesn’t an attacker need to be directly connected to you to steal in\nthe non-cooperative case?\n\u003e - At the end of the day, somebody ends up getting robbed when we can’t\npull the money from the source (attacker).\n\u003e - Does everybody feel resolved on the statement that we need to take this\nhybrid approach to clamp down on jamming? Are there any “what about\nsolution X” questions left for anyone? Nothing came up.\n\nHybrid approach sounds the best technical compromise in a world where pure\nmonetary strategy (i.e pay 100% of worst-liquidity valuation all the time)\nis reducing the economic openess of Lightning marginal users.\n\n\u003e Do any of these assumptions change with trampoline? Don’t think it’s\nrelated.\n\nYes, one will have to price on the HTLC carrying risk in the trampoline\noffering service.\n\n\u003e - Your reputation is at stake when you endorse, when do you decide to\nendorse my own payments?\n\u003e - You do the things you were already doing to figure out a good route.\nPaths that you think have good liquidity, and have had success with in the\npast.\n\u003e - What about redundant overpayment, some of your HTLCs are bound to fail?\n\u003e - Provided that they fail fast, it shouldn’t be a problem.\n\u003e - Is it possible that the case where general slots are perpetually filled\nby attackers becomes the steady state? And we can’t tell the difference\nbetween a regular user and attacker.\n\u003e - This is where unconditional fees come in, if somebody wants to\nperpetually fill up the general bucket they have to pay for it.\n\u003e - Is there anything we’d like to see that will help us have move\nconfidence here?\n\u003e - What do you think is missing from the information presented?\n\u003e - We can simulate the steady state / create synthetic data, but can’t\nsimulate every attack. Would like to spend more time thinking through the\nways this could possibly be abused.\n\u003e - Would it help to run this on signet? Or scaling lightning?\n\u003e - Its a little easier to produce various profiles of activity on\nregtest[.\n\nGenerally resource bucketing can be designed with insights from modern\ninternet protocol in term of TCP congestion control and other scarce\nnetwork resource (e.g DNS records). Do not reinvent the wheel.\n\n\u003e - What NACK says is: I’ve ignored all of your updates and I’m\nprogressing to the next commitment.\n\nIf resource bucketing or link-level liquidity management starts to be\ninvolved, one can mask behind \"NACK\" to halt the channel progress, without\nthe reputation downgrade. Layer violation issue.\n\n\u003e - How confident are we that we can pull things out? Only things that are\nbrand new will be easy to do this with.\n\u003e - Keeping context in your head is hard, and jumping between documents\nbreaks up thought.\n\u003e - Should we fully copy the current document and copy it?\n\nIn a world where users might be slow to upgrade to the latest channel\nfeatures, including when they have clear privacy or security advantages for\neconomic reasons (on-chain fees), old documentation maintenance is\nreasonable, and as such doc versioning is better.\n\n\u003e - For small things, we can just throw out the old stuff.\n\u003e - If it were possible to modularize and have working groups, that would\nbe great but it seems like we’d tread on each other’s toes.\n\nIETF has been doing WG for decades, this obviously comes with trade-off to\navoid broken protocols and modules in all sense, though probably the only\nsocially scalable process to move forward. Interface between WG will come\nwith time.\n\n\u003e ### Async Payments/ Trampoline\n\u003e - Blinded payments are a nice improvement for trampoline because you\ndon’t know where the recipient is.\n\u003e - The high level idea is:\n\u003e - Light nodes only see a small part of the network that they are close\nto.\n\u003e - Recipients only give a few trampolines in the network that they can be\nreached via.\n\u003e - In the onion for the first trampoline, there will be an onion for the\nsecond trampoline.\n\u003e - You just need to give a trampoline a blinded path and they can do the\nrest.\n\u003e - If you only have one trampoline, they can probably make a good guess\nwhere the payment came from (it’s in the reachable neighborhood).\n\u003e - Is there a new sync mode for trampoline gossip?\n\u003e - We’d now need radius-based gossip rather than block based.\n\u003e - The trust version is just getting this from a LSP.\n\u003e - In cold bootstrap, you’re probably going to open a channel so you ask\nthem for gossip.\n\u003e - Can you split MPP over trampoline? Yes.\n\u003e - Routing nodes can learn more about the network because they make their\nown attempts.\n\nOnion bandwidth cost ain't gonna be free.\n\nBest,\nAntoine\n\nLe jeu. 20 juil. 2023 à 01:09, Carla Kirk-Cohen \u003ckirkcohenc at gmail.com\u003e a\nécrit :\n\n\u003e Hi List,\n\u003e\n\u003e At the end of June we got together in NYC for the annual specification\n\u003e meeting. This time around we made an attempt at taking transcript-style\n\u003e notes which are available here:\n\u003e https://docs.google.com/document/d/1MZhAH82YLEXWz4bTnSQcdTQ03FpH4JpukK9Pm7V02bk/edit?usp=sharing\n\u003e .\n\u003e To decrease our dependence on my google drive I've also included the\n\u003e full set of notes at the end of this email (no promises about the\n\u003e formatting however).\n\u003e\n\u003e We made a semi-successful attempt at recording larger group topics, so\n\u003e these notes roughly follow the structure of the discussions that we had\n\u003e at the summit (rather than being a summary). Speakers are not\n\u003e attributed, and any mistakes are my own.\n\u003e\n\u003e Thanks to everyone who traveled far, Wolf for hosting us in style in\n\u003e NYC and to Michael Levin for helping out with notes \u003c3\n\u003e\n\u003e # LN Summit - NYC 2023\n\u003e\n\u003e ## Day One\n\u003e\n\u003e ### Package Relay\n\u003e - The current proposal for package relay is ancestor package relay:\n\u003e - One child can have up to 24 ancestors.\n\u003e - Right now, we only score mempool transactions by ancestry anyway, so\n\u003e there isn’t much point in other types of packages.\n\u003e - For base package relay, commitment transactions will still need to have\n\u003e the minimum relay fee.\n\u003e - No batch bumping is allowed, because it can open up pinning attacks.\n\u003e - With one anchor, we can package RBF.\n\u003e - Once we have package relay, it will be easier to get things into the\n\u003e mempool.\n\u003e - Once we have V3 transactions, we can drop minimum relay fees because we\n\u003e are restricted to one child pays for one parent transaction:\n\u003e - The size of these transactions is limited.\n\u003e - You can’t arbitrarily attach junk to pin them.\n\u003e - If we want to get rid of 330 sat anchors, we will need ephemeral\n\u003e anchors:\n\u003e - If there is an OP_TRUE output, it can be any value including zero.\n\u003e - It must be spent by a child in the same package.\n\u003e - Only one child can spend the anchor (because it’s one output).\n\u003e - The parent must be zero fee because we never want it in a block on its\n\u003e own, or relayed without the child.\n\u003e - If the child is evicted, we really want the parent to be evicted as\n\u003e well (there are some odd edge cases at the bottom of the mempool, so zero\n\u003e ensures that we’ll definitely be evicted).\n\u003e - The bigger change is with HLTCs:\n\u003e - With SIGHASH_ANYONECANPAY, your counterparty can inflate the size of\n\u003e your transaction - eg: HTLC success, anyone can attack junk.\n\u003e - How much do we want to change here?\n\u003e - So, we can get to zero fee commitment transactions and one (ephemeral)\n\u003e anchor per transaction.\n\u003e - With zero fee commitments, where do we put trimmed HTLCs?\n\u003e - You can just drop it in an OP_TRUE, and reasonably expect the miner\n\u003e to take it.\n\u003e - In a commitment with to_self and to_remote and an ephemeral anchor that\n\u003e must be spent, you can drop the 1 block CSV in the transaction that does\n\u003e not have a revocation path (ie, you can drop it for to_remote).\n\u003e - Any spend of this transaction must spend the one anchor in the same\n\u003e block.\n\u003e - No other output is eligible to have a tx attached to it, so we don’t\n\u003e need the delay anymore.\n\u003e - Theoretically, your counterparty could get hold of your signed\n\u003e local copy, but then you can just RBF.\n\u003e - Since these will be V3 transactions, the size of the child must be small\n\u003e so you can’t pin it.\n\u003e - Both parties can RBF the child spending the ephemeral anchor.\n\u003e - This isn’t specifically tailored to lightning, it’s a more general\n\u003e concept.\n\u003e - Child transactions of V3 are implicitly RBF, so we won’t have to worry\n\u003e about it not being replaceable (no inheritance bug).\n\u003e - In general, when we’re changing the mempool policy we want to make the\n\u003e minimal relaxation that allows the best improvement.\n\u003e - We need “top of block” mempool / cluster mempool:\n\u003e - The mempool can have clusters of transactions (parents/children\n\u003e arranged in various topologies) and the whole mempool could even be a\n\u003e single cluster (think a trellis of parents and children “zigzagging”).\n\u003e - The mining algorithm will pick one “vertical” using ancestor fee rate.\n\u003e - There are some situations where you add a single transaction and it\n\u003e would completely change the order in which our current selection picks\n\u003e things.\n\u003e - Cluster mempool groups transactions into “clusters” that make this\n\u003e easier to sort and reason about.\n\u003e - It can be expensive (which introduces a risk of denial of service),\n\u003e but if we have limits on cluster sizes then we can limit this.\n\u003e - This is the only way to get package RBF.\n\u003e - How far along is all of this?\n\u003e - BIP331: the P2P part that allows different package types is moving\n\u003e along and implementation is happening. This is done in a way that would\n\u003e allow us to add different types of packages in future if we need them.\n\u003e - There are some improvements being made to core’s orphan pool,\n\u003e because we need to make sure that peers can’t knock orphans out of your\n\u003e pool that you may later need to retrieve as package ancestors.\n\u003e - We reserve some spots with tokens, and if you have a token we keep\n\u003e some space for you.\n\u003e - V3 transactions: implemented on top of package relay, since they don’t\n\u003e really make sense without it. This is an opt-in regime where you make\n\u003e things easier to RBF.\n\u003e - Ephemeral Anchors: on top of package relay and V3.\n\u003e - Cluster Mempool: This is further out, but there’s been some progress.\n\u003e Right now people are working on the linearization algorithm.\n\u003e - If these changes don’t suit lightning’s use case, now is the time to\n\u003e speak because it’s all being worked on.\n\u003e - In what way does it not fit LN, as it’s currently designed?\n\u003e - With the V3 paradigm, to stop all pinning vectors, HTLC\n\u003e transactions will need to get anchors and you will have to drop\n\u003e ANYONECANPAY (to use anchors instead).\n\u003e - Could we fix this with additional restrictions on V3 (or a V4)?\n\u003e - You could do something where V4 means that you can have no\n\u003e ancestors and no descendants (in the mempool).\n\u003e - V3 restricts the child, you could also restrict the parent further.\n\u003e - You could have a heuristic on the number of inputs and outputs, but\n\u003e anyone can pay or add inputs.\n\u003e - You could commit to the whole thing being some size by setting a\n\u003e series of bits in sequence to mark maximum size but that would involve\n\u003e running script (which is annoying).\n\u003e - The history of V3 was to allow a parent of any size because\n\u003e commitment transactions can be any size.\n\u003e - What about keeping HTLCs the way they are today?\n\u003e - A lot of other things are less pineapple, maybe that’s ok? It’s a step\n\u003e forward.\n\u003e - The long term solution is to change relay policy to top of mempool. We\n\u003e shouldn’t be doing things until the long term solution is clear, and we\n\u003e shouldn’t change the protocol in a way that doesn’t fit with the long term.\n\u003e - We already do a lot of arbitrary things, if we were starting from day\n\u003e one we wouldn’t do HTLCs with anchors (it’s too much bloat), and being\n\u003e unable to RBF is more bloat because you overpay.\n\u003e - If the remote commitment is broadcast, you can spen the HTLC with V2.\n\u003e You can’t add a V3 child (it won’t get in the mempool).\n\u003e - If you want to be consistent, even when it’s the remote commit you\n\u003e need a presigned transaction, we should just use it as designed today.\n\u003e - What is the “top of mempool” assumption?\n\u003e - If large transactions are at the top of your mempool, you (a miner)\n\u003e want transactions with higher fee rates to increase your total revenue.\n\u003e - Today, you can’t really easily answer or reason about these questions.\n\u003e - We want to accept transactions in our mempool in a denial of service\n\u003e resistant way that will strictly increase our miner fees.\n\u003e - If a transaction is at the top of your mempool, you may be more\n\u003e willing to accept a replacement fee. If it’s way down in the mempool, you\n\u003e would probably replace more slowly.\n\u003e - It’s conceivable that we could get here, but it’s years off.\n\u003e - Once we have this, pinning only happens with large transactions at\n\u003e the bottom of the mempool. If you just slow roll these transactions, you\n\u003e can just relay what you’ve got.\n\u003e - If somebody comes and replaces the bottom with something small\n\u003e that’ll be mined in the next two blocks, you clearly want to accept that.\n\u003e - Does cluster mempool fix rule 3?\n\u003e - No but they help.\n\u003e - Today when you get a transaction you don’t know which block it’s going\n\u003e in - we don’t have a preference ordering.\n\u003e - Miners don’t make blocks as they go - with cluster mempool you can\n\u003e make very fast block templates.\n\u003e - When talking about relay, you can ignore block making and just get a\n\u003e very good estimate.\n\u003e - The question is: when do we jump?\n\u003e - Wail until V3? Package Relay?\n\u003e - Package relay will help. You still negotiate fees but they don’t\n\u003e matter as much.\n\u003e - We’d like to kill upate fee and have a magic number for fees, can\n\u003e we do that when we get package relay?\n\u003e - Package relay is the hard part, V3 should be relatively easier\n\u003e after that.\n\u003e - When we get V3 we can drop to zero fee.\n\u003e - Is there a future where miners don’t care about policy at all?\n\u003e - Say, the block that I’m mining has V3 transactions. They’re just\n\u003e maximizing fees so they’ll accept anything out of band, ignoring these new\n\u003e policy rules.\n\u003e - Accelerators are already starting to emerge today - how are they doing\n\u003e it?\n\u003e - We’re carving out a small space in which mempool rules work, and it’s\n\u003e okay to work around it.\n\u003e - If a miner mines it, great - that’s what we want. The problem is not\n\u003e getting mined (ie pinning).\n\u003e - Figuring this out is not simple:\n\u003e - Today there are times where we accept replacements when we should\n\u003e reject them and times where we reject replacements when we should accept\n\u003e them.\n\u003e - There can be situations where miners will mine things that aren’t\n\u003e incentive compatible (ie, not the best block template).\n\u003e - What if somebody pays out of band not to mine?\n\u003e - Ephemeral anchors are interesting, they never enter the UTXO set - if\n\u003e the child gets evicted, you get evicted.\n\u003e - The first transaction being zero is optimal, want to be sure it’ll be\n\u003e evicted (there are some mempool quirks).\n\u003e - It must be zero fee so that it will be evicted.\n\u003e - Should we add trimmed HTLCs to the ephemeral anchor?\n\u003e - We don’t want to get above min relay fee because then we could hang\n\u003e around in the mempool.\n\u003e - The eltoo implementation currently does this.\n\u003e - You can’t keep things in OP_TRUE because they’ll be taken.\n\u003e - You can also just put it in fees as before.\n\u003e - More on cluster mempools:\n\u003e - It can be used for block selection, but it’s currently focused on\n\u003e mempool selection.\n\u003e - You can simulate template selection with it.\n\u003e - When you’re mining, you have to pick from an ancestor downwards.\n\u003e - First we lineralize the transactions to flatten the structure\n\u003e intelligently (by topology and fee rate).\n\u003e - Then we figure out the best ordering of this flat structure.\n\u003e - Each chunk in a cluster is less than 75 transactions, and a cluster\n\u003e has chunks of transactions.\n\u003e - If you woul include a transaction with the ancestor, it goes in the\n\u003e same chunk. Otherwise it goes in the next chunk.\n\u003e - Miners select the highest fee rate chunks, lower fee rate ones can\n\u003e safely be evicted.\n\u003e - For replacement, you can just check replacement for a single cluster,\n\u003e rechunk it and then resort the chunks.\n\u003e - It must beat the fee rate of the chunks to get in.\n\u003e - You can check how much it beats the chunk by, whether it would go\n\u003e in the next block(s) and then decide.\n\u003e - Chunk ordering takes into account transaction size, beyond 25\n\u003e transactions we just do ancestor set feerate.\n\u003e - One of the limits is going away, one is sticking around. We still have\n\u003e sibling eviction issues.\n\u003e - Is one of the issues with chunks is that they’re limited by\n\u003e transaction weight, 101 kilo-v-bytes, which is the maximum package size?\n\u003e - We should be okay, these limits are higher than present.\n\u003e - You can bound chunk size pretty easily.\n\u003e - If we get chunk fee rate replacement then you can do batch fee bumping\n\u003e (eg, a bunch of ephemeral anchors that are all batched together).\n\u003e - Are there long term policy implications for privacy for ephemeral\n\u003e anchors?\n\u003e - You’re essentially opting into transaction sponsors?\n\u003e - If everyone uses V3 eventually there’s no issue.\n\u003e - For right now, it would be nice if V3 is only for unilateral closes.\n\u003e - It’s also useful in a custodial wallet setting, where you have one\n\u003e team creating on chain transactions and the other attaching fees. This is a\n\u003e common accounting headache. People can also non-interactively fee bump.\n\u003e\n\u003e ### Taproot\n\u003e - Spec is still in draft right now, and the code is a bit ahead of the\n\u003e test vectors.\n\u003e - The biggest change that has been made is around anchors, which become\n\u003e more complicated with taproot:\n\u003e - The revocation path on to_local takes the script path, so now we need\n\u003e to reveal data for the anchor.\n\u003e - The downside is that revocation is more expensive - 32 more bytes in\n\u003e the control block.\n\u003e - The to_remote has a NUMS point, previously we just had multisig keys:\n\u003e - If you’re doing a rescan, you won’t know those keys.\n\u003e - Now you just need to know the NUMS point and you can always rescan.\n\u003e - The NUMS point itself is pretty verifiable, you just start with a\n\u003e string and hash it.\n\u003e - It is constant, you just use it randomized with your key.\n\u003e - The internal pubkey is constant on to_remote.\n\u003e - Co-op close [broke into several different discussions]:\n\u003e - The idea here is to remove negotiation, since we’ve had disagreement\n\u003e issues in the past.\n\u003e - In this version, the initiator just accepts the fee.\n\u003e - Do we want negotiation?\n\u003e - In the past we’ve had bugs with fee rate estimates that won’t\n\u003e budge.\n\u003e - Why don’t we just pick our fees and send two sets of signatures?\n\u003e - This would no longer be symmetric.\n\u003e - What if nobody wants to close first? We’d need to work through the\n\u003e game theory.\n\u003e - The person who wants their funds has an incentive.\n\u003e - Why is RBF so hard for co-op close?\n\u003e - Closing should be marked as RBF, there’s no reason not to.\n\u003e - Just pick your fee rate, pay it and then come back and RBF if you’d\n\u003e like. You can bump/broadcast as much as you like.\n\u003e - If we’re going to have something like that where we iterate, why\n\u003e don’t we just do the simple version where we pick a fee and sign?\n\u003e - If you have to pay the whole fee, you have less incentive to sign.\n\u003e - Why is this linked to taproot work?\n\u003e - It needs to change anyway, and we need to add nonces.\n\u003e - What about, whoever wants to close sends a fee rate (paying the fees)\n\u003e and the responder just sends a signature?\n\u003e - If you don’t have enough balance, you can’t close. But why do you\n\u003e care anyway, you have no funds?\n\u003e - We can do this as many times as we want.\n\u003e - Shutdown is still useful to clear the air on the channel.\n\u003e - When you reconnect, you start a new interaction completely.\n\u003e - TL;DR:\n\u003e - Shutdown message stays.\n\u003e - You send a signature with a fee rate.\n\u003e - The remote party signs it.\n\u003e - If they disagree, you do it again.\n\u003e - It’s all RBF-able.\n\u003e - You must retransmit shutdown, and you must respond with a shutdown.\n\u003e - You can send nonces at any time:\n\u003e - In revoke and ack.\n\u003e - On channel re-establish.\n\u003e - For taproot/musig2 we need nonces:\n\u003e - Today we store the commitment signature from the remote party. We\n\u003e don’t need to store our own signature - we can sign at time of broadcast.\n\u003e - To be able to sign you need the verification nonce - you could\n\u003e remember it, or you could use a counter:\n\u003e - Counter based:\n\u003e - We re-use shachain and then just use it to generate nonces.\n\u003e - Start with a seed, derive from that, use it to generate nonces.\n\u003e - This way you don’t need to remember state, since it can always be\n\u003e generated from what you already have.\n\u003e - Why is this safe?\n\u003e - We never re-use nonces.\n\u003e - The remote party never sees your partial signature.\n\u003e - The message always stays the same (the dangerous re-use case is\n\u003e using the same nonce for different messages).\n\u003e - If we used the same nonce for different messages we could leak our\n\u003e key.\n\u003e - You can combine the sighash + nonce to make it unique - this also\n\u003e binds more.\n\u003e - Remote party will only see the full signature on chain, never your\n\u003e partial one.\n\u003e - Each party has sign and verify nonces, 4 total.\n\u003e - Co-op close only has 2 because it’s symmetric.\n\u003e\n\u003e ### Gossip V1.5 vs V2\n\u003e - How much do we care about script binding?\n\u003e - It it’s loose, it can be any script - you can advertise any UTXO.\n\u003e - You revel less information, just providing a full signature with the\n\u003e full taproot public key.\n\u003e - If it’s tight, you have to provide two keys and then use the BIP 86\n\u003e tweak to check that it’s a 2-of-2 multisig.\n\u003e - Should we fully bind to the script, or just allow any taproot output?\n\u003e - Don’t see why we’d want additional overhead.\n\u003e - Any taproot output can be a channel - let people experiment.\n\u003e - We shouldn’t have cared in the first place, so it doesn’t matter what\n\u003e it’s bound to.\n\u003e - It’s just there for anti-DOS, just need to prove that you can sign.\n\u003e - Let every taproot output be a lightning channel, amen.\n\u003e - We’re going to decouple:\n\u003e - You still need a UTXO but it doesn’t matter what it looks like.\n\u003e - This also allows other channel types in future.\n\u003e - We send:\n\u003e - UTXO: unspent and in the UTXO set\n\u003e - Two node pubkeys\n\u003e - One signature\n\u003e - How much do we care about amount binding?\n\u003e - Today it is exact.\n\u003e - People use it for capacity graphs.\n\u003e - Graph go up.\n\u003e - We can watch the chain for spends when we know which UTXO to watch\n\u003e per-channel.\n\u003e - Is there an impact on pathfinding if we over-advertize?\n\u003e - We use capacity to pathfind.\n\u003e - What’s the worst case if people lie? We don’t use them.\n\u003e - If we’ve already agreed that this can be a UTXO that isn’t a channel,\n\u003e then it shouldn’t matter.\n\u003e - If you allow value magnification, we can use a single UTXO to claim\n\u003e for multiple channels. Even in the most naive version (say 5x), you’re only\n\u003e revealing 20% of your UTXOs.\n\u003e - How much leverage can we allow? The only limit is denial of service.\n\u003e - There’s the potential for a market for UTXOs.\n\u003e - There’s a privacy trade-off:\n\u003e - If you one-to-one map them, then there’s no privacy gain.\n\u003e - Do we know that you get substantial privacy?\n\u003e - Even if you have two UTXOs and two channels, those UTXOs are now\n\u003e not linked (because you can just use the first one to advertise).\n\u003e - This is only assuming that somebody implements it/ infrastructure\n\u003e is built out.\n\u003e - People could create more elaborate things over time, even if\n\u003e implementations do the “dumb” way.\n\u003e - Gossip 1.5 (ie, with amount binding) fits in the current flow, V2 (ie,\n\u003e without amount binding) has a very different scope.\n\u003e - It’s a big step, and you don’t truly know until you implement it.\n\u003e - What about things like: a very large node and a very small node, whose\n\u003e announced UTXO do you use?\n\u003e - We decided not to put UTXOs in node announcement, so we’d put it in\n\u003e channel announcement:\n\u003e - Sometimes there’s a UTXO, sometimes there isn’t.\n\u003e - You look at a node’s previous channels to see if they still have\n\u003e “quota”.\n\u003e - If you don’t have “quota” left, you have to include a signature TLV.\n\u003e - With the goal of publicly announcing taproot channels, 1.5 gets us there\n\u003e and is a much smaller code change.\n\u003e - We’ve talked alot about capacity for pathfinding, but we haven’t really\n\u003e touched on control valves like max HTLC:\n\u003e - Currently we don’t use these valves to tune our pathfinding, people\n\u003e don’t use it.\n\u003e - If we get better here, we won’t need capacity.\n\u003e - This value is already \u003c 50% anyway.\n\u003e - If we don’t un-bind amounts now, when will we do it?\n\u003e - It’s always a lower priority and everyone is busy.\n\u003e - If we allow overcommitting by some factor now, it’s not unrealistic\n\u003e that it will allow some degree of privacy.\n\u003e - Between these features, we have opened the door to leasing UTXOs:\n\u003e - Before we do more over-commitment, let’s see if anybody uses it?\n\u003e - We add channel capacity to the channel announcement with a feature bit:\n\u003e - If we turn the feature off, we are on-to-one mapped.\n\u003e - But a node can’t use the upgraded version until everyone is upgraded?\n\u003e - Our current “get everyone upgraded” cycle is 18 months (or a CVE).\n\u003e - If you’re upgrading to 2x multiplier, nobody on 1x will accept that\n\u003e gossip.\n\u003e - People will not pay for privacy (via lost revenue of people not\n\u003e seeing their gossip).\n\u003e - This is additive to defeating chain analysis.\n\u003e - Private UTXO management is already complicated, we don’t know the\n\u003e ideal that we’re working towards.\n\u003e - What about if we just set it to 2 today?\n\u003e - Is 2 qualitatively better than 1 (without script binding) today?\n\u003e - Will a marketplace magically emerge if we allow over-commitment?\n\u003e - We don’t know the implications of setting a global multiplier for\n\u003e routing or denial of service, and we don’t have a clear view of what\n\u003e privacy would look like (other than “some” improvement).\n\u003e - We agree that adding a multiplier doesn’t break the network.\n\u003e - People with a lower value will see a subnet when we upgrade.\n\u003e - We’re going to go with gossip “1.75”:\n\u003e - Bind to amount but not script.\n\u003e - We include a TLV cut out that paves the way to overcommitment.\n\u003e\n\u003e ### Multi-Sig Channel Parties\n\u003e - There are a few paths we could take to get multi-sig for one channel\n\u003e party:\n\u003e - Script: just do it on the script level for the UTXO, but it’s heavy\n\u003e handed.\n\u003e - FROSTy: you end up having to do a bunch of things around fault\n\u003e tolerance which require a more intense setup. You also may not want the\n\u003e shachain to be known by all of the parties in the setup (we have an ugly\n\u003e solution for this, we think).\n\u003e - Recursive musig:\n\u003e - Context: you have one key in the party, but you actually want it to be\n\u003e multiple keys under the hood. You don’t want any single party to know the\n\u003e revocation secrets, so you have to each have a part and combine them.\n\u003e - Ugliest solution: just create distinct values and store them.\n\u003e - Less ugly solution uses multiple shachains:\n\u003e - Right now we have a shachan, and we reveal two leaves of it.\n\u003e - You have 8 shachains, and you XOR them all together.\n\u003e - Why do we need 8? That’ll serve a 5-of-7.\n\u003e - Maybe we need 21? 5 choose 7, we’re not sure.\n\u003e - How does this work with K-of-N?\n\u003e - Each party has a piece, and you can always combine them in\n\u003e different combinations (of K pieces) to get to the secret you’re using.\n\u003e\n\u003e ### PTLCs\n\u003e - We can do PTLCs in two ways:\n\u003e - Regular musig\n\u003e - Adaptor signatures\n\u003e - Do they work with trampoline as defined today?\n\u003e - The sender picks all the blinding factors today, so it’s fine.\n\u003e - There’s a paper called: splitting locally while routing\n\u003e interdimensionally:\n\u003e - You can let intermediate nodes do splitting because they know all the\n\u003e local values.\n\u003e - Then can generate new blinding factors and split out to the next node.\n\u003e - Adaptor signatures could possibly be combined for PTLCs that get\n\u003e fanned out then combined.\n\u003e - There are a few options for redundant overpayment (ie, “stuckless”\n\u003e payments):\n\u003e - Boomerang:\n\u003e - Preimages are coefficients of a polynomial, and you commit to the\n\u003e polynomial itself.\n\u003e - If you have a degree P polynomial and you take P+1 shares, then you\n\u003e can claim in the other direction.\n\u003e - Quite complex.\n\u003e - You have to agree on the number of splits in advance.\n\u003e - Spear:\n\u003e - H2TLC: there are two payment hashes per-HTLC, one if from the\n\u003e sender and one is from the invoice.\n\u003e - When you send a payment, the sender only reveals the right number\n\u003e of sender preimages.\n\u003e - This also gives us HTLC acknowledgement, which is nice.\n\u003e - You can concurrently split, and then spray and pray.\n\u003e - Interaction is required to get preimages.\n\u003e - Do we want to add redundant overpayment with PTLCs?\n\u003e - We’ll introduce a communication requirement.\n\u003e - Do we need to decide that before we do PTLCs?\n\u003e - Can we go for the simplest possible option first and then add it?\n\u003e - For spear, yes - the intermediate nodes don’t know that it’s two\n\u003e hashes.\n\u003e - We could build them out without thinking about overpayment, and\n\u003e then mix in a sender secret so that we can claim a subset.\n\u003e - We’ll have more round trips, but you also have the ability to ACK\n\u003e HTLCs that have arrived.\n\u003e - Spray and pray uses the same about as you would with our current “send\n\u003e / wait / send”, it’s just concurrently not serially.\n\u003e - Is it a problem that HLTCs that aren’t settled don’t pay fees?\n\u003e - You’re paying the fastest routes.\n\u003e - Even if it’s random, you still get a constant factor of what we should\n\u003e have gotten otherwise.\n\u003e - It makes sense to use onion messages if it’s available to us.\n\u003e - Are we getting payment acknowledgement? Seems so!\n\u003e\n\u003e ## Day Two\n\u003e\n\u003e ### Hybrid Approach to Channel Jamming\n\u003e - We’ve been talking about jamming for 8 years, back and forth on the\n\u003e mailing list.\n\u003e - We’d like to find a way to move forward so that we can get something\n\u003e done.\n\u003e - Generally when we think about jamming, there are three “classes” of\n\u003e mitigations:\n\u003e - Monetary: unconditional fees, implemented in various ways.\n\u003e - Reputation: locally assessed (global is terrible)\n\u003e - Scarce Resources: POW, stake, tokens.\n\u003e - The problem is that none of these solutions work in isolation.\n\u003e - Monetary: the cost that will deter an attacker is unreasonable for an\n\u003e honest user, and the cost that is reasonable for an honest user is too low\n\u003e for an attacker.\n\u003e - Reputation: any system needs to define some threshold that is\n\u003e considered good behavior, and an attacker can aim to fall just under it.\n\u003e Eg: if you need a payment to resolve in 1 minute, you can fall just under\n\u003e that bar.\n\u003e - Scarce resources: like with monetary, pricing doesn’t work out.\n\u003e - Paper: proof of work doesn’t work for email spam, as an example.\n\u003e - Since scarce resources can be purchased, they could be considered a\n\u003e subset of monetary.\n\u003e - There is no silver bullet for jamming mitigation.\n\u003e - Combination of unconditional fees and reputation:\n\u003e - Good behavior grants access to more resources, bad behavior loses it.\n\u003e - If you want to fall just below that threshold, we close the gap with\n\u003e unconditional fees.\n\u003e - Looking a these three classes implemented in isolation, are there any\n\u003e unresolved questions that people have - “what about this”?\n\u003e - Doesn’t POW get you around the cold start problem in reputation where\n\u003e if you want to put money in to quickly bootstrap you can?\n\u003e - Since POW can be rented, it’s essentially a monetary solution -\n\u003e just extra steps.\n\u003e - We run into the same pricing issues.\n\u003e - Why these combinations?\n\u003e - Since scarce resources are essentially monetary, we think that\n\u003e unconditional fees are the simplest possible monetary solution.\n\u003e - Unconditional Fees:\n\u003e - As a sender, you’re building a route and losing money if it doesn’t go\n\u003e through?\n\u003e - Yes, but they only need to be trivially small compared to success\n\u003e case fee budgets.\n\u003e - You can also eventually succeed so long as you retry enough, even\n\u003e if failure rates are very high.\n\u003e - How do you know that these fees will be small? The market could decide\n\u003e otherwise.\n\u003e - Routing nodes still need to be competitive. If you put an\n\u003e unconditional fee of 100x the success case, senders will choose to not send\n\u003e through you because you have no incentive to forward.\n\u003e - We could also add an in-protocol limit or sender-side advisory.\n\u003e - With unconditional fees, a fast jamming attack is very clearly paid\n\u003e for.\n\u003e - Reputation:\n\u003e - The easiest way to jam somebody today is to send a bunch of HTLCs\n\u003e through them and hold them for two weeks. We’re focusing on reputation to\n\u003e begin with, because in this case we can quite easily identify that people\n\u003e are doing something wrong (at the extremes).\n\u003e - If you have a reputation score that blows up on failed attempts,\n\u003e doesn’t that fix it without upfront fees?\n\u003e - We have to allow some natural rate of failure in the network.\n\u003e - An attacker can still aim to fall just below that failure threshold\n\u003e and go through multiple channels to attack an individual channel.\n\u003e - THere isn’t any way to set a bar that an attacker can’t fall just\n\u003e beneath.\n\u003e - Isn’t this the same for reputation? We have a suggestion for\n\u003e reputation but all of them fail because they can be gamed below the bar.\n\u003e - If reputation matches the regular operation of nodes on the network,\n\u003e you will naturally build reputation up over time.\n\u003e - If we do not match reputation accumulation to what normal nodes do,\n\u003e then an attacker can take some other action to get more reputation than the\n\u003e rest of the network. We don’t want attackers to be able to get ahead of\n\u003e regular nodes.\n\u003e - Let’s say you get one point for success and one for failure, a\n\u003e normal node will always have bad reputation. An attacker could then send 1\n\u003e say payments all day long, pay a fee for it and gain reputation.\n\u003e - Can you define jamming? Is it stuck HTLCs or a lot of 1 sat HTLCS\n\u003e spamming up your DB?\n\u003e - Jamming is holding HTLCs to or streaming constant failed HTLCs to\n\u003e prevent a channel from operating.\n\u003e - This can be achieved with slots or liquidity.\n\u003e - Does the system still work if users are playing with reputation?\n\u003e - In the steady state, it doesn’t really matter whether a node has a\n\u003e good reputation or not.\n\u003e - If users start to set reputation in a way that doesn’t reflect normal\n\u003e operation of the network, it will only affect their ability to route when\n\u003e under attack.\n\u003e - Isn’t reputation monetary as well, as you can buy a whole node?\n\u003e - There is a connection, and yes in the extreme case you can buy an\n\u003e entire identity.\n\u003e - Even if you do this, the resource bucketing doesn’t give you a “golden\n\u003e ticket” to consume all slots/liquidity with good reputation, so you’re\n\u003e still limited in what you can do.\n\u003e - Can we learn anything from research elsewhere / the way things are done\n\u003e on the internet?\n\u003e - A lot of our confidence that these solutions don’t work in isolation\n\u003e is based on previous work looking at spam on the internet.\n\u003e - Lightning is also unique because it is a monetary network - we have\n\u003e money built in, so we have different tools to use.\n\u003e - To me, it seems like if the scarce resource that we’re trying to\n\u003e allocate is HTLC slots and upfront fees you can pay me upfront fees for the\n\u003e worst case (say two weeks) and then if it settles if 5 seconds you give it\n\u003e back?\n\u003e - The dream solution is to only pay for the amount of time that a HTLC\n\u003e is held in flight.\n\u003e - The problem here is that there’s no way to prove time when things go\n\u003e wrong, and any solution without a universal clock will fall back on\n\u003e cooperation which breaks down in the case of an attack.\n\u003e - No honest user will be willing to pay the price for the worst case,\n\u003e which gets us back to the pricing issue.\n\u003e - There’s also an incentives issue when the “rent” we pay for these two\n\u003e weeks worst case is more than the forwarding fee, so a router may be\n\u003e incentivized to just hang on to that amount and bank it.\n\u003e - We’ve talked about forwards and backwards fees extensively on the\n\u003e mailing list:\n\u003e - They’re not large enough to be enforceable, so somebody always has\n\u003e to give the money back off chain.\n\u003e - This means that we rely on cooperation for this refund.\n\u003e - The complexity of this type of system is very high, and we start to\n\u003e open up new “non-cooperation” concerns - can we be attacked using this\n\u003e mechanism itself?\n\u003e - Doesn’t an attacker need to be directly connected to you to steal\n\u003e in the non-cooperative case?\n\u003e - At the end of the day, somebody ends up getting robbed when we\n\u003e can’t pull the money from the source (attacker).\n\u003e - Does everybody feel resolved on the statement that we need to take this\n\u003e hybrid approach to clamp down on jamming? Are there any “what about\n\u003e solution X” questions left for anyone? Nothing came up.\n\u003e\n\u003e ### Reputation for Channel Jamming\n\u003e - Resource bucketing allows us to limit the number of slots and amount of\n\u003e liquidity that are available for nodes that do not have good reputation.\n\u003e - No reputation system is perfect, and we will always have nodes that\n\u003e have low-to-no activity, or are new to the network that we can’t form\n\u003e reputation scores for.\n\u003e - It would be a terrible outcome for lightning to just drop these HTLCs,\n\u003e so we reserve some portion of resources for them.\n\u003e - We have two buckets: protected and general (split 50/50 for the purposes\n\u003e of explanation, but we’ll find more intelligent numbers with further\n\u003e research):\n\u003e - In the normal operation of the network, it doesn’t matter if you get\n\u003e into the protected slots. When everyone is using the network as usual,\n\u003e things clear out quickly so the general bucket won’t fill up.\n\u003e - When the network comes under attack, an attacker will fill up slots\n\u003e and liquidity in the general bucket. When this happens, only nodes with\n\u003e good reputation will be able to use the protected slots, other HTLCs will\n\u003e be dropped.\n\u003e - During an attack, nodes that don’t have a good reputation will\n\u003e experience lower quality of service - we’ll gradually degrade.\n\u003e - What do you mean by the steady state?\n\u003e - Nobody is doing anything malicious, payments are clearing out as usual\n\u003e - not sitting on the channel using all 483 slots.\n\u003e - We decide which bucket the HTLC goes into using two signals:\n\u003e - Reputation: whether the upstream node had good reputation with our\n\u003e local node.\n\u003e - Endorsement: whether the upstream node has indicated that the HTLC is\n\u003e expected to be honest (0 if uncertain, 1 if expected to be honest).\n\u003e - If reputation \u0026\u0026 endorsement, then we’ll allow the HTLC into protected\n\u003e slots and forward the HTLC on with endorsed=1.\n\u003e - We need reputation to add a local viewpoint to this endorsement signal\n\u003e - otherwise we can just trivially be jammed if we just copy what the\n\u003e incoming peer said.\n\u003e - We need endorsement to be able to propagate this signal over multiple\n\u003e hops - once it drops, it’s dropped for good.\n\u003e - There’s a privacy questions for when senders set endorsed:\n\u003e - You can flip a coin or set the endorsed field for your payments at\n\u003e the same proportion as you endorse forwards.\n\u003e - We think about reputation in terms of the maximum amount of damage that\n\u003e can be done by abusing it:\n\u003e - Longest CLTV that we allow in the future from current height 2016\n\u003e blocks (~2 weeks): this it the longest that we can be slow jammed.\n\u003e - Total route length ~27 hops: this is the largest amplifying factor an\n\u003e attacker can have.\n\u003e - We use the two week period to calculate the node’s total routing\n\u003e revenue, this is what we have to lose if we are jammed.\n\u003e - We then look at a longer period, 10x the two week period to see what the\n\u003e peer has forwarded us over that longer period.\n\u003e - If they have forwarded us more over that longer period than what we have\n\u003e to loose in the shorter period, then they have good reputation.\n\u003e - This is the damage that is observable to us - there are values outside\n\u003e of the protocol that are also affected by jamming:\n\u003e - Business reliability, joy of running a node, etc\n\u003e - We contend that these values are inherently unmeasurable to protocol\n\u003e devs:\n\u003e - End users can’t easily put a value on them.\n\u003e - If we try to approximate them, users will likely just run the\n\u003e defaults.\n\u003e - One of the simplest attacks we can expect is an “about turn” where an\n\u003e attacker behaves perfectly and then attacks:\n\u003e - So, once you have good reputation we can’t just give you full access\n\u003e to protected slots.\n\u003e - We want to reward behavior that we consider to be honest, so we consider\n\u003e “effective” HTLC fees - the fee value that a HTLC has given us relative to\n\u003e how long it took to resolve:\n\u003e - Resolution period: the amount of time that a HTLC can reasonably take\n\u003e to resolve - based on MPP timeout / 1 minute.\n\u003e - We calculate opportunity cost for every minute after the first\n\u003e “allowed” minute as the fees that we could have earned with that\n\u003e liquidity/slot.\n\u003e - Reputation is only negatively affected if you endorsed the HTLC.\n\u003e - If you did not endorse, then you only gain reputation for fast success\n\u003e (allowing bootstrapping).\n\u003e - When do I get access to protected slots?\n\u003e - When you get good reputation, you can use protected slots for your\n\u003e endorsed HTLCs but there is a cap on the number of in flight HLTCs that are\n\u003e allowed.\n\u003e - We treat every HLTC as if it will resolve with the worst possible\n\u003e outcome, and temporarily dock reputation until it resolves:\n\u003e - In the good case, it resolves quickly and you get your next HLTC\n\u003e endorsed.\n\u003e - In the bad case, you don’t get any more HTLCs endorsed and you\n\u003e reputation remains docked once it resolves (slowly).\n\u003e - Wouldn’t a decaying average be easier to implement, rather than a\n\u003e sliding window?\n\u003e - If you’re going to use large windows, then a day here or there doesn’t\n\u003e matter so much.\n\u003e - Have you thought about how to make this more visible to node operators?\n\u003e - In the steady state we don’t expect this to have any impact on routing\n\u003e operations, so they’ll only need a high level view.\n\u003e - Can you elaborate on slots vs liquidity for these buckets?\n\u003e - Since we have a proportional fee for HTLCs, this indirectly represents\n\u003e liquidity: larger HTLCs will have larger fees so will be more “expensive”\n\u003e to get endorsed.\n\u003e - Where do we go from here?\n\u003e - We would like to dry run with an experimental endorsement field, and\n\u003e ask volunteers to gather data for us.\n\u003e - Are there any objections to an experimental TLV?\n\u003e - No.\n\u003e - We could also test multiple endorsement signals / algorithms in\n\u003e parallel.\n\u003e - In your simulations, have you looked at the ability to segment off\n\u003e attacks as they happen? To see how quickly an attacker's reputation drops\n\u003e off, and that you have a protected path?\n\u003e - Not yet, but plan to.\n\u003e - Do any of these assumptions change with trampoline? Don’t think it’s\n\u003e related.\n\u003e - Your reputation is at stake when you endorse, when do you decide to\n\u003e endorse my own payments?\n\u003e - You do the things you were already doing to figure out a good route.\n\u003e Paths that you think have good liquidity, and have had success with in the\n\u003e past.\n\u003e - What about redundant overpayment, some of your HTLCs are bound to fail?\n\u003e - Provided that they fail fast, it shouldn’t be a problem.\n\u003e - Is it possible that the case where general slots are perpetually filled\n\u003e by attackers becomes the steady state? And we can’t tell the difference\n\u003e between a regular user and attacker.\n\u003e - This is where unconditional fees come in, if somebody wants to\n\u003e perpetually fill up the general bucket they have to pay for it.\n\u003e - Is there anything we’d like to see that will help us have move\n\u003e confidence here?\n\u003e - What do you think is missing from the information presented?\n\u003e - We can simulate the steady state / create synthetic data, but can’t\n\u003e simulate every attack. Would like to spend more time thinking through the\n\u003e ways this could possibly be abused.\n\u003e - Would it help to run this on signet? Or scaling lightning?\n\u003e - Its a little easier to produce various profiles of activity on\n\u003e regtest[.\n\u003e\n\u003e ### Simplified Commitments\n\u003e - Simplified commitments makes our state machine easier to think about.\n\u003e - Advertise option_simplified_commitment: once both peers upgrade, we\n\u003e can just use it.\n\u003e - Simplify our state machine before we make any more changes to it.\n\u003e - Right now Alice and Bob can have changes in flight at the same time:\n\u003e - Impossible to debug, though technically optimal.\n\u003e - Everyone is afraid of touching the state machine.\n\u003e - We can simplify this by introducing turn taking:\n\u003e - First turn is taken by the lower pubkey.\n\u003e - Alice: update / commit.\n\u003e - Bob: revoke and ack.\n\u003e - If alice wants to go when it’s bob’s turn, she can just send a\n\u003e message.\n\u003e - Bob can ignore it, or yield and accept it.\n\u003e - This has been implemented in CLN for LNSymmetry\n\u003e - It’s less code to not have the ignore message, but for real performance\n\u003e we’ll want it. Don’t want to suck up all of that latency.\n\u003e - The easiest way is to re-establish is to upgrade on re-establish.\n\u003e - If it wasn’t somebody’s turn, you can just do lowest pubkey.\n\u003e - If it was somebody’s turn, you can just resume it.\n\u003e - We could also add REVOKE and NACK:\n\u003e - Right now we have no way to refuse updates.\n\u003e - Why do we want a NACK?\n\u003e - You currently have to express to the other side what they can put\n\u003e in your channel because you can’t handle it if they give you something you\n\u003e don't’ like (eg, a HTLC below min_htlc).\n\u003e - You can likely force a break by trying to send things that aren't\n\u003e allowed, which is a robustness issue.\n\u003e - We just force close when we get things we don’t allow.\n\u003e - Could possibly trigger force closes.\n\u003e - There’s an older proposal called fastball where you send a HTLC and\n\u003e advise that you’re going to fail it.\n\u003e - If Alice gets it, she can reply with UNADD.\n\u003e - If you don’t get it in time,you just go through the regular cycle.\n\u003e - When you get commitment signed, you could NACK it. This could mean\n\u003e you’re failing the whole commitment, or just a few HTLCs.\n\u003e - You can’t fail a HTLC when you’ve sent commitment signed, so you need\n\u003e a new cycle to clear it out.\n\u003e - What NACK says is: I’ve ignored all of your updates and I’m\n\u003e progressing to the next commitment.\n\u003e - Revoke and NACK is followed by commitment signed where you clear out all\n\u003e the bad HTLCs, ending that set of updates.\n\u003e - You have to NACk and then wait for another commitment signature, signing\n\u003e for the same revocation number.\n\u003e - Bob never has to hold a HTLC that he doesn't want from Alice on his\n\u003e commitment.\n\u003e - This is bad for latency, good for robustness.\n\u003e - Alice can send whatever she wants, and Bob has a way to reject it.\n\u003e - There are a whole lot of protocol violations that Alice can force a\n\u003e force close with, now they can be NACKed.\n\u003e - This is good news for remote signers where policy has been violate\n\u003e because we have cases where policy has been violated and our only way right\n\u003e now is the close the channel.\n\u003e - You still want Alice to know Bob’s limits so that you can avoid endless\n\u003e invalid HTLCs.\n\u003e - Simplified commitment allows us to do things more easily in the protocol.\n\u003e - When we specced this all out, we didn’t foresee that update fee would\n\u003e be so complicated, with this we know update fee will be correct.\n\u003e - If we don’t do this, we have to change update fee?\n\u003e - Sender of the HTLC adds fee.\n\u003e - Or fixed fee.\n\u003e - Even if we have zero fees, don’t we still have HTLC dust problems?\n\u003e - You can have a bit on update add that says the HTLC is dust.\n\u003e - You can’t be totally fee agnostic because you have to be able to\n\u003e understand when to trim HLTCs.\n\u003e - Even update fee aside, shouldn’t things just be simpler?\n\u003e - Would a turn based protocol have implications for musig nonces?\n\u003e - If you’re taking a turn, it’s a session.\n\u003e - You’d need to have different nonces for different sessions.\n\u003e - We should probably do this before we make another major change, it\n\u003e simplifies things.\n\u003e - Upgrade on re-establish is pretty neat because you can just tell them\n\u003e what type you’d like.\n\u003e - This worked very well for CLN getting rid of static remote.\n\u003e - What about parameter exchange?\n\u003e - There’s a version of splice that allows you to add new inputs and\n\u003e outputs.\n\u003e - Splice no splice which means that you can only make a new commitment\n\u003e transaction, no on-chain work.\n\u003e - Seems like you can get something like dynamic commitments with this,\n\u003e and it’s a subset of splicing.\n\u003e\n\u003e ## Day Three\n\u003e\n\u003e ### Meta Spec Process\n\u003e - Do we want to re-evaluate the concept of a “living document”?\n\u003e - It’s only going to get longer.\n\u003e - As we continue to update, we have two options:\n\u003e - Remove old text and replace entirely.\n\u003e - Do an extension and then one day replace.\n\u003e - If implementing from scratch, what would you want to use?\n\u003e - Nobody is currently doing this.\n\u003e - By the time they finished, everything would have move.\n\u003e - The protocol isn’t actually that modular:\n\u003e - Except for untouched BOLT-08, which can be read in isolation.\n\u003e - Other things have tentacles.\n\u003e - We should endeavor for things to be as modular as possible.\n\u003e - Back in Adelaide we have a version with a set of features.\n\u003e - We have not re-visited that discussion.\n\u003e - Is it possible for us to come up with versions and hold ourselves\n\u003e accountable to them?\n\u003e - If we’re going to start having different ideas of what lightning looks\n\u003e like, versioning helps.\n\u003e - Versioning is not tied one-to-one to the protocol:\n\u003e - Features make it less clean because you have a grab bag of features\n\u003e on top of any “base” version we decide on.\n\u003e - Does a version imply that we’re implementing in lock step?\n\u003e - If we do extraction, remove and cleanup, we could say that we’re on\n\u003e version X with features A/B/C.\n\u003e - How confident are we that we can pull things out? Only things that are\n\u003e brand new will be easy to do this with.\n\u003e - Keeping context in your head is hard, and jumping between documents\n\u003e breaks up thought.\n\u003e - Should we fully copy the current document and copy it?\n\u003e - Not everything is a rewrite, some things are optional.\n\u003e - What’s our design goal?\n\u003e - To be able to more easily speak about compatibility.\n\u003e - To have a readable document for implementation.\n\u003e - A single living document works when we were all making a unified push,\n\u003e now it makes less sense:\n\u003e - You can’t be compliant “by commit” because things are implemented in\n\u003e different orders.\n\u003e - We can’t fix that with extensions, they’re hard to keep up to date?\n\u003e - RFCs work like this, they have replacement ones.\n\u003e - BOLT 9 can act as a control bolt because it defines features.\n\u003e - Extensions seem helpful:\n\u003e - Can contain more rationale.\n\u003e - You can have spaghetti and ravioli code, these could be raviolo\n\u003e extensions.\n\u003e - If everything is an extension BOLT with minimal references, we avoid\n\u003e the if-else-ey structure we have right now.\n\u003e - For small things, we can just throw out the old stuff.\n\u003e - If it were possible to modularize and have working groups, that would be\n\u003e great but it seems like we’d tread on each other’s toes.\n\u003e - We must avoid scenarios like vfmanprint:\n\u003e - The return value says “vfprintf returns -1 on error”\n\u003e - The next sentence says “this was true until version 2”\n\u003e - But nobody reads the next sentence.\n\u003e - Cleanup PRs won’t be looked at, and need to be maintained as new stuff\n\u003e gets in.\n\u003e - Eg: legacy onion - we just looked at network use and removed when it was\n\u003e unused:\n\u003e - Rip out how you generate them.\n\u003e - Rip out how you handle them.\n\u003e - One of the issues with deleting old text is that existing software that\n\u003e delete the old text is annoying when you run into interop issues on the old\n\u003e spec version.\n\u003e - If there are real things to deal with on the network, we must keep\n\u003e them.\n\u003e - We must reference old commits so that people at least know what was\n\u003e there and can do git archeology to find out what it used to be.\n\u003e - We can remove some things today!\n\u003e - Static remote\n\u003e - Non-zero fee anchors\n\u003e - ANYSEGWIT is default (/compulsory)\n\u003e - Payment secrets / basic MPP.\n\u003e - Should we have regular cleanups?\n\u003e - Even if we do, they need review.\n\u003e - For now, let’s do wholesale replacement to avoid cleanup.\n\u003e - The proposals folder is nice to know what’s touched by what changes.\n\u003e - Rationale sections need improvement: sometimes they’re detailed,\n\u003e sometimes vague.\n\u003e - Once a feature becomes compulsory on the network we can possibly ignore\n\u003e it.\n\u003e - What about things that are neither bolts nor blips - like inbound fees?\n\u003e - Why does it need to be merged anywhere?\n\u003e - If it’s an implementation experiment, we can merge it once we’re\n\u003e convinced it works.\n\u003e - If we reach a stage where we all agree it should be universally done,\n\u003e then it should be a bolt.\n\u003e - This is a BLIP to BOLT path.\n\u003e - Communication:\n\u003e - We’re not really using IRC anymore - bring it back!\n\u003e - We need a canonical medium, recommit to lightning-dev.\n\u003e\n\u003e ### Async Payments/ Trampoline\n\u003e - Blinded payments are a nice improvement for trampoline because you don’t\n\u003e know where the recipient is.\n\u003e - The high level idea is:\n\u003e - Light nodes only see a small part of the network that they are close\n\u003e to.\n\u003e - Recipients only give a few trampolines in the network that they can be\n\u003e reached via.\n\u003e - In the onion for the first trampoline, there will be an onion for the\n\u003e second trampoline.\n\u003e - You just need to give a trampoline a blinded path and they can do the\n\u003e rest.\n\u003e - If you only have one trampoline, they can probably make a good guess\n\u003e where the payment came from (it’s in the reachable neighborhood).\n\u003e - Is there a new sync mode for trampoline gossip?\n\u003e - We’d now need radius-based gossip rather than block based.\n\u003e - The trust version is just getting this from a LSP.\n\u003e - In cold bootstrap, you’re probably going to open a channel so you ask\n\u003e them for gossip.\n\u003e - Can you split MPP over trampoline? Yes.\n\u003e - Routing nodes can learn more about the network because they make their\n\u003e own attempts.\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230720/bb6138a8/attachment-0001.html\u003e",
"sig": "24a40c3e7253c98a7e3f66d6bb18006de3c5b0778c268e47f58a1ad545c7e80143cc6878073857e6aa22b9e45f8ada219f7110757475a16548f6b0e4daf31343"
}