Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2020-02-13 📝 Original message: ZmnSCPxj via ...
📅 Original date posted:2020-02-13
📝 Original message:
ZmnSCPxj via Lightning-dev <lightning-dev at lists.linuxfoundation.org> writes:
> Good morning niftynei,
>
>
>> Rusty had some suggestions about how to improve the protocol messages for this, namely adding a serial_id to the inputs and outputs, which can then be reused for deletions.
>>
>> The serial id can then also be used as the ordering heuristic for transaction inputs during construction (replacing current usage of BIP69). Inputs can be shared amongst peers by flipping the bottom bit of the serial_id before relaying them to another peer (as your own).
>
> What happens if the initiator deliberately provides serial IDs 0x1, 0x3, .... while the acceptor naively provides serial IDs from `/dev/urandom`?
This is a feature, and one you might need to use if you have some
SIGHASH_SINGLE or other weirdness for one input.
> Then the balance of probability is that the initiator inputs and outputs are sorted before the acceptor.
> Now, this is probably not an issue, since the initiator and acceptor both know which inputs and outputs are theirs and not theirs, so they could just reveal this information to anyone, so an actor providing such lousy serial IDs is just hurting its own privacy relative to blockchain analysts, so probably will not happen in practice.
>
> My initial reaction was to propose adding a secret-sharing round where the resulting key is XORed to each serial ID before sorting by the XORed serial ID, but this might be too overweight, and again the initiator is only hurting its own privacy, and the two participants already know whose money is whose anyway....
>> > - nLocktime is always set to 0x00000000
>>
>> - If a blockheight to be used as nLocktime is communicated in the initiation step, is set to blockheight-6; otherwise set to zero-
>
> I am unsure what is the purpose of this minus 6.
>
> If you fear blockheight disagreements, this is probably a good time to introduce block headers.
> So for example if the acceptor thinks the initiator blockheight is too high, it could challenge the initiator to give block headers from its known blockheight to the initiator blockheight.
> If the acceptor thinks the initiator blockheight is too low, it could provide block headers itself as proof.
> This could be limited so that gross differences in blockheight are outright rejected by the acceptor (it could `error` the temporary channel ID rather than accept it).
Yes, I would just have the initiator specify nLocktime directly, just
like feerate. If you don't like it, don't contribute to the tx
construction.
> This is SPV, but neither side is actually making or accepting a payment *yet*, just synchronizing clocks, so maybe not as bad as normal SPV.
>
> Massive chain reorgs cannot reduce blockheight, only increase it (else
> the reorg attempt fails in the first place)
This is not quite true, due to difficulty adjustments. It's true in
practice, however, and not relevant since you'd just have to wait one
more block.
>> - Serial ids should be chosen at random
>> - For multiparty constructions, the initiator MUST flip the bottom bit of any received inputs before relaying them to a peer.
>>
>> - Collisions of serial ids between peers is a protocol error
>
> I suppose we should define collision to mean "equal in all bits except the lowest bit".
No, literally equal. i.e. you can only make this error by clashing with
yourself.
Cheers,
Rusty.
Published at
2023-06-09 12:58:40Event JSON
{
"id": "1ac2f1fe03b8dc6322ffbc87972ad1a7d0cced151722c8e15697dd134cb68c15",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315520,
"kind": 1,
"tags": [
[
"e",
"c218110e24b04f0c1c5d2dd6e63487b0dca619f1f570c991ff7f4dc7c65213bd",
"",
"root"
],
[
"e",
"da1a82cbc3c2cfc7cc1de8c911a09d01140d00c86f99d8483fe2763896f4da45",
"",
"reply"
],
[
"p",
"804770eb58d163d63f0f996fd6bebabe1b8c582a5dd544cf61bba0bc5335720a"
]
],
"content": "📅 Original date posted:2020-02-13\n📝 Original message:\nZmnSCPxj via Lightning-dev \u003clightning-dev at lists.linuxfoundation.org\u003e writes:\n\u003e Good morning niftynei,\n\u003e\n\u003e\n\u003e\u003e Rusty had some suggestions about how to improve the protocol messages for this, namely adding a serial_id to the inputs and outputs, which can then be reused for deletions. \n\u003e\u003e\n\u003e\u003e The serial id can then also be used as the ordering heuristic for transaction inputs during construction (replacing current usage of BIP69). Inputs can be shared amongst peers by flipping the bottom bit of the serial_id before relaying them to another peer (as your own).\n\u003e\n\u003e What happens if the initiator deliberately provides serial IDs 0x1, 0x3, .... while the acceptor naively provides serial IDs from `/dev/urandom`?\n\nThis is a feature, and one you might need to use if you have some\nSIGHASH_SINGLE or other weirdness for one input.\n\n\u003e Then the balance of probability is that the initiator inputs and outputs are sorted before the acceptor.\n\u003e Now, this is probably not an issue, since the initiator and acceptor both know which inputs and outputs are theirs and not theirs, so they could just reveal this information to anyone, so an actor providing such lousy serial IDs is just hurting its own privacy relative to blockchain analysts, so probably will not happen in practice.\n\u003e\n\u003e My initial reaction was to propose adding a secret-sharing round where the resulting key is XORed to each serial ID before sorting by the XORed serial ID, but this might be too overweight, and again the initiator is only hurting its own privacy, and the two participants already know whose money is whose anyway....\n\n\u003e\u003e \u003e - nLocktime is always set to 0x00000000\n\u003e\u003e\n\u003e\u003e - If a blockheight to be used as nLocktime is communicated in the initiation step, is set to blockheight-6; otherwise set to zero-\n\u003e\n\u003e I am unsure what is the purpose of this minus 6.\n\u003e\n\u003e If you fear blockheight disagreements, this is probably a good time to introduce block headers.\n\u003e So for example if the acceptor thinks the initiator blockheight is too high, it could challenge the initiator to give block headers from its known blockheight to the initiator blockheight.\n\u003e If the acceptor thinks the initiator blockheight is too low, it could provide block headers itself as proof.\n\u003e This could be limited so that gross differences in blockheight are outright rejected by the acceptor (it could `error` the temporary channel ID rather than accept it).\n\nYes, I would just have the initiator specify nLocktime directly, just\nlike feerate. If you don't like it, don't contribute to the tx\nconstruction.\n\n\u003e This is SPV, but neither side is actually making or accepting a payment *yet*, just synchronizing clocks, so maybe not as bad as normal SPV.\n\u003e\n\u003e Massive chain reorgs cannot reduce blockheight, only increase it (else\n\u003e the reorg attempt fails in the first place)\n\nThis is not quite true, due to difficulty adjustments. It's true in\npractice, however, and not relevant since you'd just have to wait one\nmore block.\n\n\u003e\u003e - Serial ids should be chosen at random\n\u003e\u003e - For multiparty constructions, the initiator MUST flip the bottom bit of any received inputs before relaying them to a peer.\n\u003e\u003e\n\u003e\u003e - Collisions of serial ids between peers is a protocol error\n\u003e\n\u003e I suppose we should define collision to mean \"equal in all bits except the lowest bit\".\n\nNo, literally equal. i.e. you can only make this error by clashing with\nyourself.\n\nCheers,\nRusty.",
"sig": "1e0d9bfd053fb9a5ec96e63c9c5bfaddf80290c8336d3f5152d8355f32855d319f7b8a9a8955eaba6e2f197961c14469eee848a7330346dc79c87786984bf83f"
}