đź“… Original date posted:2023-07-26
🗒️ Summary of this message: Carla thanks everyone for their participation in the meeting and acknowledges Wolf for hosting in NYC and Michael Levin for providing notes.
đź“ť Original message:
On Wed, Jul 19, 2023 at 09:56:11AM -0400, Carla Kirk-Cohen wrote:
> Thanks to everyone who traveled far, Wolf for hosting us in style in
> NYC and to Michael Levin for helping out with notes <3
Thanks for the notes!
Couple of comments:
> - What is the “top of mempool” assumption?
FWIW, I think this makes much more sense if you think about this as a
few related, but separate goals:
* transactors want their proposed txs to go to miners
* pools/miners want to see the most profitable txs asap
* node operators want to support bitcoin users/businesses
* node operators also want to avoid wasting too much bandwidth/cpu/etc
relaying txs that aren't going to be mined, both their own and that
of other nodes'
* people who care about decentralisation want miners to get near-optimal
tx selection with a default bitcoind setup, so there's no secret
sauce or moats that could encourage a mining monopoly to develop
Special casing lightning unilateral closes [0] probably wouldn't be
horrible. It's obviously good for the first three goals. As far as the
fourth, if it was lightning nodes doing the relaying, they could limit
each unilateral close to one rbf attempt (based on to_local/to_remote
outputs changing). And for the fifth, provided unilateral closes remain
rare, the special config isn't likely to cause much of a profit difference
between big pools and small ones (and maybe that's only a short term
issue, and a more general solution will be found and implemented, where
stuff that would be in the next block gets relayed much more aggressively,
even if it replaces a lot of transactions).
[0] eg, by having lightning nodes relay the txs even when bitcoind
doesn't relay them, and having some miners run special configurations
to pull those txs in.
> - Is there a future where miners don’t care about policy at all?
Thinking about the different goals above seems like it gives a clear
answer to this: as far as mining goes, no there's no need to care
about policy restricitions -- policy is just there to meet other goals:
making it possible to run a node without wasting bandwidth, and to help
decentralisation by letting miners just buy hardware and deploy it,
without needing to do a bunch of protocol level trade secret/black magic
stuff in order to be competitive.
> - It must be zero fee so that it will be evicted.
The point of making a tx with ephemeral outputs be zero fee is to
prevent it from being mined in non-attack scenarios, which in turn avoids
generating a dust utxo. (An attacking miner can just create arbitrary
dust utxos already, of course)
> - Should we add trimmed HTLCs to the ephemeral anchor?
> - You can’t keep things in OP_TRUE because they’ll be taken.
> - You can also just put it in fees as before.
The only way value in an OP_TRUE output can be taken is by confirming
the parent tx that created the OP_TRUE output, exactly the same as if
the value had been spent to fees instead.
Putting the value to fees directly would violate the "tx must be zero
fee if it creates ephemeral outputs" constraint above.
> ### Hybrid Approach to Channel Jamming
> - Generally when we think about jamming, there are three “classes” of
> mitigations:
> - Monetary: unconditional fees, implemented in various ways.
> - The problem is that none of these solutions work in isolation.
> - Monetary: the cost that will deter an attacker is unreasonable for an
> honest user, and the cost that is reasonable for an honest user is too low
> for an attacker.
A different way of thinking about the monetary approach is in terms of
scaling rather than deterrance: that is, try to make the cost that the
attacker pays sufficient to scale up your node/the network so that you
continue to have excess capacity to serve regular users.
In that case, if people are suddenly routing their netflix data and
nostr photo libraries over lightning onion packets, that's fine: you
make them pay amazon ec2 prices plus 50% for the resources they use,
and when they do , you deploy more servers. ie, turn your attackers and
spammers into a profit centre.
I've had an email about this sitting in my drafts for a few years now,
but I think this could work something like:
- message spam (ie, onion traffic costs): when you send a message
to a peer, pay for its bandwidth and compute. Perhaps something
like 20c/GB is reasonable, which is something like 1msat per onion
packet, so perhaps 20msat per onion packet if you're forwarding it
over 20 hops.
- liquidity DoS prevention: if you're in receipt of a HTLC/PTLC and
aren't cancelling or confirming it, you pay your peer a fee for
holding their funds. (if you're forwarding the HTLC, then whoever you
forwarded to pays you a slightly higher fee, while they hold your
funds) Something like 1ppm per hour matches a 1% pa return, so if
you're an LSP holding on to a $20 payment waiting for the recipient to
come online and claim it, then you might be paying out $0.0004 per hour
(1.4sat) in order for 20 intermediate hops to each be making 20%
pa interest on their held up funds.
- actual payment incentives: eg, a $20 payment paying 0.05% fees
(phoenix's minimum) costs $0.01 (33sat). Obviously you want this
number to be a lot higher than all the DoS prevention fees.
If you get too much message spam, you fire up more amazon compute
and take maybe 10c/GB in profit; if all your liquidity gets used up,
congrats you've just gotten 20%+ APY on your bitcoin without third party
risk and you can either reinvest your profits or increase your fees; and
all of those numbers are just noise compared to actual payment traffic,
which is 30x or 1500x more profitable.
> - How do you know that these fees will be small? The market could decide
> otherwise.
If the liquidity or message fees on the network are high it's easy to
spin up new lightning nodes at slightly lower fees and steal all that
traffic while still being hugely profitable.
> - The problem here is that there’s no way to prove time when things go
> wrong, and any solution without a universal clock will fall back on
> cooperation which breaks down in the case of an attack.
The amounts here are all very low, so I don't think you really need much
more precision than "hourly". I think you could even do it "per block"
and convert "1% pa" as actually "0.2 parts per million per block", since
the only thing time is relevant for is turning liquidity DoS into an APY
figure. Presumably that needs some tweaking to deal with the possibility
of reorgs or stale blocks.
> - No honest user will be willing to pay the price for the worst case,
> which gets us back to the pricing issue.
> - There’s also an incentives issue when the “rent” we pay for these two
> weeks worst case is more than the forwarding fee, so a router may be
> incentivized to just hang on to that amount and bank it.
I think the worst case for that scenario is if you have a route
A1 -> A2 -> .. -> A19 -> B -> A20
then B closes the {B,A20} channel and at the end of the timeout A20 claims
the funds. At that point B will have paid liquidity fees to A1..A19 for
the full two week period, but will have only received a fixed payout
from A20 due to the channel close.
At 10% APY, with a $1000 payment, B will have paid ~$73 to A (7.3%). If
the close channel transaction costs, say, $5, then either you end up with
B wanting to close the channel early in non-attack scenarios (they collect
$73 from A20, but only pay perhaps 4c back to A1..A19, and perhaps $6 to
open and close the channel), or you end up with A holding up the funds
and leaching off B (B only collects, say, $20 from A20, but then A20
claims the funds after two weeks so is either up $75 if B didn't claim
the funds from A19, or is up $53 after B paid liquidity fees for 2 weeks).
_But_ I think this is an unreasonable scenario: the only reason for B to
forward a HTLC with a 2 week expiry is if they're early in the route,
but the only reason to accept a large liquidity fee is if they're late
in the route. So I think you can solve that by only forwarding a payment
if the liquidity fee rate multiplied by the expiry is below a cap, eg:
A19 -> B : wants 36ppm per block; cap/ppm = 500/36 = 13.8
B -> A20 : expiry is in 13 blocks; wants 38ppm per block
(2ppm per block ~= 10% APY)
For comparison, at the start of the chain, things look like:
A2 -> A3 : wants 2ppm per block; cap/ppm = 500/2 = 250
A3 -> A4 : expiry is in 250 blocks; wants 4ppm per block
In each case, the commitment tx would look like:
$1000 HTLC paying Y refunding to X
$0.50 liquidity fee bonus to X's balance (500ppm cap)
> - They’re not large enough to be enforceable, so somebody always has
> to give the money back off chain.
If the cap is 500ppm per block, then the liquidity fees for a 2000sat
payment ($0.60) are redeemable onchain.
> - Does everybody feel resolved on the statement that we need to take this
> hybrid approach to clamp down on jamming? Are there any “what about
> solution X” questions left for anyone? Nothing came up.
(Actually implementing the above is obviously a tonne of work --
in particular it requires every node in the route to support paying
liquidity fees eg -- assuming it doesn't turn out to be impossible, so
please don't take any of the above as an objection to using reputation
to reduce DoS vectors)
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-07-27 00:22:34
in reply to nevent1q…jdfe
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hSeen on
wss://nos.lolPublished at
2023-07-27 00:22:34Event JSON
{
"id": "d8201b35fe66a3fbf9ec70ac4d7792cd4552c5ea48d9c1813188493276bf9904",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1690417354,
"kind": 1,
"tags": [
[
"e",
"1cdf4a8e54532f1c567c10cf126833af2883f9215f610331d425a625611c883f",
"",
"root"
],
[
"e",
"d660195b9d821f935a8b3ef679beb6a11b1d34c74af6cd2b6cd9ffcbc36bb134",
"",
"reply"
],
[
"p",
"6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551"
]
],
"content": "📅 Original date posted:2023-07-26\n🗒️ Summary of this message: Carla thanks everyone for their participation in the meeting and acknowledges Wolf for hosting in NYC and Michael Levin for providing notes.\n📝 Original message:\nOn Wed, Jul 19, 2023 at 09:56:11AM -0400, Carla Kirk-Cohen wrote:\n\u003e Thanks to everyone who traveled far, Wolf for hosting us in style in\n\u003e NYC and to Michael Levin for helping out with notes \u003c3\n\nThanks for the notes!\n\nCouple of comments:\n\n\u003e - What is the “top of mempool” assumption?\n\nFWIW, I think this makes much more sense if you think about this as a\nfew related, but separate goals:\n\n * transactors want their proposed txs to go to miners\n * pools/miners want to see the most profitable txs asap\n * node operators want to support bitcoin users/businesses\n * node operators also want to avoid wasting too much bandwidth/cpu/etc\n relaying txs that aren't going to be mined, both their own and that\n of other nodes'\n * people who care about decentralisation want miners to get near-optimal\n tx selection with a default bitcoind setup, so there's no secret\n sauce or moats that could encourage a mining monopoly to develop\n\nSpecial casing lightning unilateral closes [0] probably wouldn't be\nhorrible. It's obviously good for the first three goals. As far as the\nfourth, if it was lightning nodes doing the relaying, they could limit\neach unilateral close to one rbf attempt (based on to_local/to_remote\noutputs changing). And for the fifth, provided unilateral closes remain\nrare, the special config isn't likely to cause much of a profit difference\nbetween big pools and small ones (and maybe that's only a short term\nissue, and a more general solution will be found and implemented, where\nstuff that would be in the next block gets relayed much more aggressively,\neven if it replaces a lot of transactions).\n\n[0] eg, by having lightning nodes relay the txs even when bitcoind\n doesn't relay them, and having some miners run special configurations\n to pull those txs in.\n\n\u003e - Is there a future where miners don’t care about policy at all?\n\nThinking about the different goals above seems like it gives a clear\nanswer to this: as far as mining goes, no there's no need to care\nabout policy restricitions -- policy is just there to meet other goals:\nmaking it possible to run a node without wasting bandwidth, and to help\ndecentralisation by letting miners just buy hardware and deploy it,\nwithout needing to do a bunch of protocol level trade secret/black magic\nstuff in order to be competitive.\n\n\u003e - It must be zero fee so that it will be evicted.\n\nThe point of making a tx with ephemeral outputs be zero fee is to\nprevent it from being mined in non-attack scenarios, which in turn avoids\ngenerating a dust utxo. (An attacking miner can just create arbitrary\ndust utxos already, of course)\n\n\u003e - Should we add trimmed HTLCs to the ephemeral anchor?\n\u003e - You can’t keep things in OP_TRUE because they’ll be taken.\n\u003e - You can also just put it in fees as before.\n\nThe only way value in an OP_TRUE output can be taken is by confirming\nthe parent tx that created the OP_TRUE output, exactly the same as if\nthe value had been spent to fees instead.\n\nPutting the value to fees directly would violate the \"tx must be zero\nfee if it creates ephemeral outputs\" constraint above.\n\n\u003e ### Hybrid Approach to Channel Jamming\n\u003e - Generally when we think about jamming, there are three “classes” of\n\u003e mitigations:\n\u003e - Monetary: unconditional fees, implemented in various ways.\n\u003e - The problem is that none of these solutions work in isolation.\n\u003e - Monetary: the cost that will deter an attacker is unreasonable for an\n\u003e honest user, and the cost that is reasonable for an honest user is too low\n\u003e for an attacker.\n\nA different way of thinking about the monetary approach is in terms of\nscaling rather than deterrance: that is, try to make the cost that the\nattacker pays sufficient to scale up your node/the network so that you\ncontinue to have excess capacity to serve regular users.\n\nIn that case, if people are suddenly routing their netflix data and\nnostr photo libraries over lightning onion packets, that's fine: you\nmake them pay amazon ec2 prices plus 50% for the resources they use,\nand when they do , you deploy more servers. ie, turn your attackers and\nspammers into a profit centre.\n\nI've had an email about this sitting in my drafts for a few years now,\nbut I think this could work something like:\n\n - message spam (ie, onion traffic costs): when you send a message\n to a peer, pay for its bandwidth and compute. Perhaps something\n like 20c/GB is reasonable, which is something like 1msat per onion\n packet, so perhaps 20msat per onion packet if you're forwarding it\n over 20 hops.\n\n - liquidity DoS prevention: if you're in receipt of a HTLC/PTLC and\n aren't cancelling or confirming it, you pay your peer a fee for\n holding their funds. (if you're forwarding the HTLC, then whoever you\n forwarded to pays you a slightly higher fee, while they hold your\n funds) Something like 1ppm per hour matches a 1% pa return, so if\n you're an LSP holding on to a $20 payment waiting for the recipient to\n come online and claim it, then you might be paying out $0.0004 per hour\n (1.4sat) in order for 20 intermediate hops to each be making 20%\n pa interest on their held up funds.\n\n - actual payment incentives: eg, a $20 payment paying 0.05% fees\n (phoenix's minimum) costs $0.01 (33sat). Obviously you want this\n number to be a lot higher than all the DoS prevention fees.\n\nIf you get too much message spam, you fire up more amazon compute\nand take maybe 10c/GB in profit; if all your liquidity gets used up,\ncongrats you've just gotten 20%+ APY on your bitcoin without third party\nrisk and you can either reinvest your profits or increase your fees; and\nall of those numbers are just noise compared to actual payment traffic,\nwhich is 30x or 1500x more profitable.\n\n\u003e - How do you know that these fees will be small? The market could decide\n\u003e otherwise.\n\nIf the liquidity or message fees on the network are high it's easy to\nspin up new lightning nodes at slightly lower fees and steal all that\ntraffic while still being hugely profitable.\n\n\u003e - The problem here is that there’s no way to prove time when things go\n\u003e wrong, and any solution without a universal clock will fall back on\n\u003e cooperation which breaks down in the case of an attack.\n\nThe amounts here are all very low, so I don't think you really need much\nmore precision than \"hourly\". I think you could even do it \"per block\"\nand convert \"1% pa\" as actually \"0.2 parts per million per block\", since\nthe only thing time is relevant for is turning liquidity DoS into an APY\nfigure. Presumably that needs some tweaking to deal with the possibility\nof reorgs or stale blocks.\n\n\u003e - No honest user will be willing to pay the price for the worst case,\n\u003e which gets us back to the pricing issue.\n\u003e - There’s also an incentives issue when the “rent” we pay for these two\n\u003e weeks worst case is more than the forwarding fee, so a router may be\n\u003e incentivized to just hang on to that amount and bank it.\n\nI think the worst case for that scenario is if you have a route \n\n A1 -\u003e A2 -\u003e .. -\u003e A19 -\u003e B -\u003e A20\n\nthen B closes the {B,A20} channel and at the end of the timeout A20 claims\nthe funds. At that point B will have paid liquidity fees to A1..A19 for\nthe full two week period, but will have only received a fixed payout\nfrom A20 due to the channel close.\n\nAt 10% APY, with a $1000 payment, B will have paid ~$73 to A (7.3%). If\nthe close channel transaction costs, say, $5, then either you end up with\nB wanting to close the channel early in non-attack scenarios (they collect\n$73 from A20, but only pay perhaps 4c back to A1..A19, and perhaps $6 to\nopen and close the channel), or you end up with A holding up the funds\nand leaching off B (B only collects, say, $20 from A20, but then A20\nclaims the funds after two weeks so is either up $75 if B didn't claim\nthe funds from A19, or is up $53 after B paid liquidity fees for 2 weeks).\n\n_But_ I think this is an unreasonable scenario: the only reason for B to\nforward a HTLC with a 2 week expiry is if they're early in the route,\nbut the only reason to accept a large liquidity fee is if they're late\nin the route. So I think you can solve that by only forwarding a payment\nif the liquidity fee rate multiplied by the expiry is below a cap, eg:\n\n A19 -\u003e B : wants 36ppm per block; cap/ppm = 500/36 = 13.8\n B -\u003e A20 : expiry is in 13 blocks; wants 38ppm per block\n\n(2ppm per block ~= 10% APY)\n\nFor comparison, at the start of the chain, things look like:\n\n A2 -\u003e A3 : wants 2ppm per block; cap/ppm = 500/2 = 250\n A3 -\u003e A4 : expiry is in 250 blocks; wants 4ppm per block\n\nIn each case, the commitment tx would look like:\n\n $1000 HTLC paying Y refunding to X\n $0.50 liquidity fee bonus to X's balance (500ppm cap)\n\n\u003e - They’re not large enough to be enforceable, so somebody always has\n\u003e to give the money back off chain.\n\nIf the cap is 500ppm per block, then the liquidity fees for a 2000sat\npayment ($0.60) are redeemable onchain.\n\n\u003e - Does everybody feel resolved on the statement that we need to take this\n\u003e hybrid approach to clamp down on jamming? Are there any “what about\n\u003e solution X” questions left for anyone? Nothing came up.\n\n(Actually implementing the above is obviously a tonne of work --\nin particular it requires every node in the route to support paying\nliquidity fees eg -- assuming it doesn't turn out to be impossible, so\nplease don't take any of the above as an objection to using reputation\nto reduce DoS vectors)\n\nCheers,\naj",
"sig": "2f96659f1efe55fd898a0a1629a538f8e54703b0c3511854f8eee9343a0dba1ab14ae5464535f421a9a451f245169549b045d06e10985e34129f82d82d998ee4"
}