📅 Original date posted:2022-03-15
📝 Original message:
I'm not familiar with miniscript besides that it's a subset of script - how
would it help avoiding an unintended path being taken?
On Fri, Mar 11, 2022 at 8:47 AM darosior <darosior at protonmail.com> wrote:
> Also, using Miniscript (whether in Segwit v0 or v1) would prevent this
> kind of surprises. And many potential others. :-)
>
>
> I'll post something soon about how we could integrate Miniscript in
> Lightning.
> -------- Original Message --------
> On Mar 10, 2022, 2:55 PM, Eugene Siegel < elzeigel at gmail.com> wrote:
>
>
> Yes I think bip342 should solve it. Maybe splitting up all conditionals
> into leaves is a good idea for taproot lightning
>
> On Mon, Mar 7, 2022 at 5:46 PM Antoine Riard <antoine.riard at gmail.com>
> wrote:
>
>> Hi Eugene,
>>
>> > Since the remote party gives them a signature, after the timeout, the
>> offering party can
>> claim with the remote's signature + preimage, but can only spend with the
>> HTLC-timeout transaction because of SIGHASH_ALL.
>>
>> I've not exercised the witness against our test framework though the
>> description sounds to me correct.
>>
>> The offering counterparty spends the offered HTLC output with a
>> HTLC-timeout transaction where the witness is <<remote_sig>
>> <payment_preimage>>. SIGHASH_ALL is not committing to the spent Script
>> branch intended to be used. As you raised, it doesn't alleviate the
>> offering counterparty to respect the CLTV delay and as such the offered
>> HTLC timespan cannot be shortened. The implication I can think of, in case
>> of competing HTLC race, once the absolute timelock is expired, the offering
>> counterparty is able to compete against the receiving one with a more
>> feerate-efficient witness. However, from a receiving counterparty safety
>> viewpoint, if you're already suffering a contest, it means your HTLC-claim
>> on your own local commitment transaction inbound HTLC output has been
>> inefficient, and your fee-bumping strategy is to blame.
>>
>> If we think the issue is relevant, I believe splitting the Script
>> branches in two tapleaves and having bip342 signature digest committing to
>> the tapleaf_hash solves it.
>>
>> Antoine
>>
>> Le lun. 7 mars 2022 à 15:27, Eugene Siegel <elzeigel at gmail.com> a écrit :
>>
>>> I'm not sure if this is known, but I'm pretty sure it's benign and so I
>>> thought I'd share since I found it interesting and maybe someone else will
>>> too. I'm not sure if this is already known either.
>>>
>>>
>>> https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs
>>> Offered HTLCs have three claim paths: the revocation case, the offerer
>>> claiming through the HTLC-timeout transaction, and the receiver claiming
>>> via their sig + preimage. The offering party can claim via the HTLC-timeout
>>> case on their commitment transaction with their signature and the remote's
>>> signature (SIGHASH_ALL) after the cltv_expiry timeout. Since the remote
>>> party gives them a signature, after the timeout, the offering party can
>>> claim with the remote's signature + preimage, but can only spend with the
>>> HTLC-timeout transaction because of SIGHASH_ALL. This assumes that the
>>> remote party doesn't claim it first. I can't think of any cases where the
>>> offering party would know the preimage AND want to force close, so that's
>>> why I think it's benign. It does make the witness smaller. The same trick
>>> isn't possible with the Received HTLC's due to OP_CHECKLOCKTIMEVERIFY.
>>>
>>> Eugene (Crypt-iQ on github)
>>> _______________________________________________
>>> Lightning-dev mailing list
>>> Lightning-dev at lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20220315/f3f7ac11/attachment.html>;
Eugene Siegel [ARCHIVE] /
npub139…mvj0j
2023-06-09 13:05:29
in reply to nevent1q…54jl
Author Public Key
npub139lamalg6mww4czepk75anugudczcglp8p9ej9kafmkvgxyk4uus7mvj0jPublished at
2023-06-09 13:05:29Event JSON
{
"id": "77b6aecf0462aeb93d8dee7cee7ff213ca284efaa207531e0bec79770aa9c74e",
"pubkey": "897fddf7e8d6dceae0590dbd4ecf88e3702c23e1384b9916dd4eecc41896af39",
"created_at": 1686315929,
"kind": 1,
"tags": [
[
"e",
"0e07698145199f16ce6d2ffcc9b8f0c33028caf6726f5d0ccfd2b96707290d52",
"",
"root"
],
[
"e",
"7debc15becf9d980a5e0427671d871834f1800ad877aca77fe7a4f947214c715",
"",
"reply"
],
[
"p",
"0c8af5293ea8c40f3686f22669674e0c116a8e92467163929d736aa891b7ece2"
]
],
"content": "📅 Original date posted:2022-03-15\n📝 Original message:\nI'm not familiar with miniscript besides that it's a subset of script - how\nwould it help avoiding an unintended path being taken?\n\nOn Fri, Mar 11, 2022 at 8:47 AM darosior \u003cdarosior at protonmail.com\u003e wrote:\n\n\u003e Also, using Miniscript (whether in Segwit v0 or v1) would prevent this\n\u003e kind of surprises. And many potential others. :-)\n\u003e\n\u003e\n\u003e I'll post something soon about how we could integrate Miniscript in\n\u003e Lightning.\n\u003e -------- Original Message --------\n\u003e On Mar 10, 2022, 2:55 PM, Eugene Siegel \u003c elzeigel at gmail.com\u003e wrote:\n\u003e\n\u003e\n\u003e Yes I think bip342 should solve it. Maybe splitting up all conditionals\n\u003e into leaves is a good idea for taproot lightning\n\u003e\n\u003e On Mon, Mar 7, 2022 at 5:46 PM Antoine Riard \u003cantoine.riard at gmail.com\u003e\n\u003e wrote:\n\u003e\n\u003e\u003e Hi Eugene,\n\u003e\u003e\n\u003e\u003e \u003e Since the remote party gives them a signature, after the timeout, the\n\u003e\u003e offering party can\n\u003e\u003e claim with the remote's signature + preimage, but can only spend with the\n\u003e\u003e HTLC-timeout transaction because of SIGHASH_ALL.\n\u003e\u003e\n\u003e\u003e I've not exercised the witness against our test framework though the\n\u003e\u003e description sounds to me correct.\n\u003e\u003e\n\u003e\u003e The offering counterparty spends the offered HTLC output with a\n\u003e\u003e HTLC-timeout transaction where the witness is \u003c\u003cremote_sig\u003e\n\u003e\u003e \u003cpayment_preimage\u003e\u003e. SIGHASH_ALL is not committing to the spent Script\n\u003e\u003e branch intended to be used. As you raised, it doesn't alleviate the\n\u003e\u003e offering counterparty to respect the CLTV delay and as such the offered\n\u003e\u003e HTLC timespan cannot be shortened. The implication I can think of, in case\n\u003e\u003e of competing HTLC race, once the absolute timelock is expired, the offering\n\u003e\u003e counterparty is able to compete against the receiving one with a more\n\u003e\u003e feerate-efficient witness. However, from a receiving counterparty safety\n\u003e\u003e viewpoint, if you're already suffering a contest, it means your HTLC-claim\n\u003e\u003e on your own local commitment transaction inbound HTLC output has been\n\u003e\u003e inefficient, and your fee-bumping strategy is to blame.\n\u003e\u003e\n\u003e\u003e If we think the issue is relevant, I believe splitting the Script\n\u003e\u003e branches in two tapleaves and having bip342 signature digest committing to\n\u003e\u003e the tapleaf_hash solves it.\n\u003e\u003e\n\u003e\u003e Antoine\n\u003e\u003e\n\u003e\u003e Le lun. 7 mars 2022 à 15:27, Eugene Siegel \u003celzeigel at gmail.com\u003e a écrit :\n\u003e\u003e\n\u003e\u003e\u003e I'm not sure if this is known, but I'm pretty sure it's benign and so I\n\u003e\u003e\u003e thought I'd share since I found it interesting and maybe someone else will\n\u003e\u003e\u003e too. I'm not sure if this is already known either.\n\u003e\u003e\u003e\n\u003e\u003e\u003e\n\u003e\u003e\u003e https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs\n\u003e\u003e\u003e Offered HTLCs have three claim paths: the revocation case, the offerer\n\u003e\u003e\u003e claiming through the HTLC-timeout transaction, and the receiver claiming\n\u003e\u003e\u003e via their sig + preimage. The offering party can claim via the HTLC-timeout\n\u003e\u003e\u003e case on their commitment transaction with their signature and the remote's\n\u003e\u003e\u003e signature (SIGHASH_ALL) after the cltv_expiry timeout. Since the remote\n\u003e\u003e\u003e party gives them a signature, after the timeout, the offering party can\n\u003e\u003e\u003e claim with the remote's signature + preimage, but can only spend with the\n\u003e\u003e\u003e HTLC-timeout transaction because of SIGHASH_ALL. This assumes that the\n\u003e\u003e\u003e remote party doesn't claim it first. I can't think of any cases where the\n\u003e\u003e\u003e offering party would know the preimage AND want to force close, so that's\n\u003e\u003e\u003e why I think it's benign. It does make the witness smaller. The same trick\n\u003e\u003e\u003e isn't possible with the Received HTLC's due to OP_CHECKLOCKTIMEVERIFY.\n\u003e\u003e\u003e\n\u003e\u003e\u003e Eugene (Crypt-iQ on github)\n\u003e\u003e\u003e _______________________________________________\n\u003e\u003e\u003e Lightning-dev mailing list\n\u003e\u003e\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev\n\u003e\u003e\u003e\n\u003e\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20220315/f3f7ac11/attachment.html\u003e",
"sig": "c8a64a24686fea1b56af949de50c9cafd4a5a401992f230e02a75f6000ffed099313df3458dd0d6915da7af86dbb8b26c10afc7e9807fc2eb0da53de625e1283"
}