📅 Original date posted:2015-07-25
📝 Original message:
On Fri, Jul 24, 2015 at 03:38:28PM -0700, Joseph Poon wrote:
> If we're presuming everyone uses OP_CSV in the long-term, you can
> overload nLockTime with values below current unixtime as a
> filter/counter. It should be enough bits of entropy no matter the size
> (even in the billions of transactions in a single channel) Since both
> parties are signing the nLockTime value, it's safe to use that as an
> identifier in the Commitment Transaction.
Oh, that's clever! You can use the range between 500M and $NOW, which
gives you 937,798,763 values at the time of writing, so about a billion
updates per channel. If that wasn't enough, you could divide your actual
n by 10, 100, 1000 etc, and just have to search through an additional 10,
100, 1000 hashes to work out which value to use when claiming cheating.
On Fri, Jul 24, 2015 at 04:24:49PM -0700, Joseph Poon wrote:
> Ah sorry, that only solves the Commitment Transactions, not the HTLC
> outputs. It's also not possible to use the pubkeys as identifiers, as
> Rusty said, P2SH would be used.
>
> While it's possible to only check only recent blocks before the
> Commitment Transaction for the search space (e.g. 3 days worth), since
> you know when the Commitment Transaction was broadcast, the search space
> limitation sort of breaks down if you permit long-dated HTLCs.
I don't think it matters how long the HTLC was; maybe they're way old
and all expired, but were payments to you. Say the current channel is:
12 -> Cheater
88 -> You
and the old transaction that Cheater just pushed to the blockchain was:
55 -> Cheater
3 -> You
10 -> You & R1 | Cheater & Timeout1
20 -> You & R2 | Cheater & Timeout2
12 -> You & R3 | Cheater & Timeout3
To get at least your 88 owed, you need all but the last transaction, so
you need to be able to workout #R1 and #R2 and Timeout1 and Timeout2, no
matter how long ago they were.
> For now, I think a reasonable stop-gap solution would be to have some
> small storage of prior commitment transactions. For every commitment,
> and each HTLC output, store the timeout and the original Commitment
> Transaction height when the HTLC was first made.
I don't think you want to multiply each HTLC output by every commitment
it's stored in -- if the TIMEOUT is on the order of a day, and the
channel is updated just once a second that's a x86,400 blowout in
storage, so almost 5 orders of magnitude.
But if everytime you see a new HTLC output (ie, R4, Timeout4), you could
store those values and use the nLockTime trick to store the height of
your HTLC storage. Then you just have to search back down from R4 to
find the other HTLCs in the txn, ie R3, R2 and R1, which is just a
matter of pulling out the values R, Timeout, dropping them into payment
script templates, and checking if they match.
You could also store your commitment count to still limit the searching
you have to do there. If you make the rule:
- nLockTime will increment everytime we introduce a new HTLC
- nLockTime will increment everytime there's been N commitment updates
since the last time nLockTime incremented
and you store:
- 47b commitment index
- 1b am I being paid?
- 80b R
- 16b timeout
each time. If it's a new HTLC you store the info for that, if it's just
a commitment bump, you store the active HTLC that's furthest from the
top of the stack, or all 0s. That's 18 bytes per HTLC or n commitments.
If you spend a year doing 100 new HTLC/s that's 57GB for HTLCs and
if you set n to be 100k hashes to search through (so half a minute's
work on Rusty's laptop), and assume 1000 commitments/s in a worst case
distribution, that's just an extra 5MB.
You might have to increment by ~0.25 each time instead to last a year
without nLockTime surpassing current Unix time; I don't think that causes
much problem though -- you have maybe 4x as many commitment hashes to
check, and up to an extra 3 HTLCs to check and skip. Reduce n by 4 to
compensate, and that's an extra 20MB instead of 5MB.
~60GB after a year is about 30*12 = 360 GB-months of data, which is
about $12 on Amazon S3. That seems reasonably plausible, even at scale,
doesn't it?
(If you need an extra 4B per HTLC to avoid relying on OP_CTV/OP_CSV;
that's ~23% more space; so say $15 over the course of a year)
> That should be enough
> information to work with (you can work backwards if you know which
> Commitment Transaction the HTLC was first created) and amounts to 48
> bits (6 bytes) of storage per HTLC output per fully expired Commitment
> Transaction. I generally dislike OP_RETURN as a solution, but it's
> possible.
Hmm, I'm not sure OP_RETURN actually works well enough for avoiding
local storage of HTLC specs -- more than one OP_RETURN is non-standard :(
(Of course the scripts behind the P2SH hashes are non-standard too)
> Thanks for bringing this up, I haven't really properly considered this!
Glad it's novel :)
On Fri, Jul 24, 2015 at 05:38:25PM -0700, Joseph Poon wrote:
> Oh, I forgot it's necessary to store the hash of the R value. That'll
> make it much bigger. 26-bytes or so.
> Also, if OP_RETURN is viewed as acceptable, then you should be able to
> fit 3 outputs per OP_RETURN metadata output.
Yeah; 80 bytes works much better than 40 bytes.
> 32-bits is used for the Commitment Transaction. For even the most
> high-volume node, 10 commitments per second results in 300 million
> Commitment Transactions. This identifies in which Commitment Transaction
> the HTLC was created. By knowing the Commitment Transaction, you'll know
> the revocation preimage, so after the revocation information has been
> exchanged, you only need to know which Commitment Transaction the HTLC
> was originally formed, since the revocation information was originally
> *generated* using a merkle tree derived from the Commitment Transaction
> as an index.
I don't think this is useful if you've got OP_CTV and OP_CSV? If your
script is:
Pay: (Alice & R & DELAY) | (Bob & TIMEOUT) | (Bob & REVOCATION)
then the REVOCATION has to be updated with each commitment update, or
else Bob would be able to claim it immediately after the next commitment
update. So you only need to know the txn's commitment id, which you
work out from nLockTime anyway.
Otherwise, Alice, Bob, and DELAY are channel parameters; leaving just
R and TIMEOUT which fit in 22 bytes. So you can fit ~3.6 R&TIMEOUTs in
a single OP_RETURN (so 3.6 in 1, 7.2 in 2, exactly 40 in 11).
I'm not sure how the key management works for when you don't have OP_CTV
or OP_CSV. I guess if the the key set used for HTLC #N is calculable given
any secret M>N (but not M<=N), and you always reveal secret MIN(current
active HTLC ids), then you just need to record the HTLC's index. You
could again allow for a small search though; you only have to calculate
the public key and hash the transaction against the calculated keys so
searching should still be somewhat cheap. So yeah, I think that makes
sense?
BTW, 10 commitments per second (per channel) doesn't sound /that/ high
volume :) Pay per megabyte for an end user at 100Mb/s is already
around that at least at peak times, eg.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:43:44
in reply to nevent1q…gpyj
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:43:44Event JSON
{
"id": "43ffd963e77fab6edc2a598fd60f52a5485767f7ce200a77657f5272e24f8975",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686314624,
"kind": 1,
"tags": [
[
"e",
"70bc73032209813d1efbd8c41b490ea29a02fc5941bbed8bed53cf49c33f8564",
"",
"root"
],
[
"e",
"2addbe284fe0b8a78720e7da2929990bbc8666671ec490bcf25a571934e51fbf",
"",
"reply"
],
[
"p",
"ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211"
]
],
"content": "📅 Original date posted:2015-07-25\n📝 Original message:\nOn Fri, Jul 24, 2015 at 03:38:28PM -0700, Joseph Poon wrote:\n\u003e If we're presuming everyone uses OP_CSV in the long-term, you can\n\u003e overload nLockTime with values below current unixtime as a\n\u003e filter/counter. It should be enough bits of entropy no matter the size\n\u003e (even in the billions of transactions in a single channel) Since both\n\u003e parties are signing the nLockTime value, it's safe to use that as an\n\u003e identifier in the Commitment Transaction.\n\nOh, that's clever! You can use the range between 500M and $NOW, which\ngives you 937,798,763 values at the time of writing, so about a billion\nupdates per channel. If that wasn't enough, you could divide your actual\nn by 10, 100, 1000 etc, and just have to search through an additional 10,\n100, 1000 hashes to work out which value to use when claiming cheating.\n\nOn Fri, Jul 24, 2015 at 04:24:49PM -0700, Joseph Poon wrote:\n\u003e Ah sorry, that only solves the Commitment Transactions, not the HTLC\n\u003e outputs. It's also not possible to use the pubkeys as identifiers, as\n\u003e Rusty said, P2SH would be used.\n\u003e \n\u003e While it's possible to only check only recent blocks before the\n\u003e Commitment Transaction for the search space (e.g. 3 days worth), since\n\u003e you know when the Commitment Transaction was broadcast, the search space\n\u003e limitation sort of breaks down if you permit long-dated HTLCs.\n\nI don't think it matters how long the HTLC was; maybe they're way old\nand all expired, but were payments to you. Say the current channel is:\n\n 12 -\u003e Cheater\n 88 -\u003e You\n\nand the old transaction that Cheater just pushed to the blockchain was:\n\n 55 -\u003e Cheater\n 3 -\u003e You\n 10 -\u003e You \u0026 R1 | Cheater \u0026 Timeout1\n 20 -\u003e You \u0026 R2 | Cheater \u0026 Timeout2\n 12 -\u003e You \u0026 R3 | Cheater \u0026 Timeout3\n\nTo get at least your 88 owed, you need all but the last transaction, so\nyou need to be able to workout #R1 and #R2 and Timeout1 and Timeout2, no\nmatter how long ago they were.\n\n\u003e For now, I think a reasonable stop-gap solution would be to have some\n\u003e small storage of prior commitment transactions. For every commitment,\n\u003e and each HTLC output, store the timeout and the original Commitment\n\u003e Transaction height when the HTLC was first made.\n\nI don't think you want to multiply each HTLC output by every commitment\nit's stored in -- if the TIMEOUT is on the order of a day, and the\nchannel is updated just once a second that's a x86,400 blowout in\nstorage, so almost 5 orders of magnitude.\n\nBut if everytime you see a new HTLC output (ie, R4, Timeout4), you could\nstore those values and use the nLockTime trick to store the height of\nyour HTLC storage. Then you just have to search back down from R4 to\nfind the other HTLCs in the txn, ie R3, R2 and R1, which is just a\nmatter of pulling out the values R, Timeout, dropping them into payment\nscript templates, and checking if they match.\n\nYou could also store your commitment count to still limit the searching\nyou have to do there. If you make the rule:\n\n - nLockTime will increment everytime we introduce a new HTLC\n - nLockTime will increment everytime there's been N commitment updates\n since the last time nLockTime incremented\n\nand you store:\n\n - 47b commitment index\n - 1b am I being paid?\n - 80b R\n - 16b timeout\n\neach time. If it's a new HTLC you store the info for that, if it's just\na commitment bump, you store the active HTLC that's furthest from the\ntop of the stack, or all 0s. That's 18 bytes per HTLC or n commitments.\nIf you spend a year doing 100 new HTLC/s that's 57GB for HTLCs and\nif you set n to be 100k hashes to search through (so half a minute's\nwork on Rusty's laptop), and assume 1000 commitments/s in a worst case\ndistribution, that's just an extra 5MB.\n\nYou might have to increment by ~0.25 each time instead to last a year\nwithout nLockTime surpassing current Unix time; I don't think that causes\nmuch problem though -- you have maybe 4x as many commitment hashes to\ncheck, and up to an extra 3 HTLCs to check and skip. Reduce n by 4 to\ncompensate, and that's an extra 20MB instead of 5MB.\n\n~60GB after a year is about 30*12 = 360 GB-months of data, which is\nabout $12 on Amazon S3. That seems reasonably plausible, even at scale,\ndoesn't it?\n\n(If you need an extra 4B per HTLC to avoid relying on OP_CTV/OP_CSV;\nthat's ~23% more space; so say $15 over the course of a year)\n\n\u003e That should be enough\n\u003e information to work with (you can work backwards if you know which\n\u003e Commitment Transaction the HTLC was first created) and amounts to 48\n\u003e bits (6 bytes) of storage per HTLC output per fully expired Commitment\n\u003e Transaction. I generally dislike OP_RETURN as a solution, but it's\n\u003e possible.\n\nHmm, I'm not sure OP_RETURN actually works well enough for avoiding\nlocal storage of HTLC specs -- more than one OP_RETURN is non-standard :(\n\n(Of course the scripts behind the P2SH hashes are non-standard too)\n\n\u003e Thanks for bringing this up, I haven't really properly considered this!\n\nGlad it's novel :)\n\nOn Fri, Jul 24, 2015 at 05:38:25PM -0700, Joseph Poon wrote:\n\u003e Oh, I forgot it's necessary to store the hash of the R value. That'll\n\u003e make it much bigger. 26-bytes or so.\n\u003e Also, if OP_RETURN is viewed as acceptable, then you should be able to\n\u003e fit 3 outputs per OP_RETURN metadata output.\n\nYeah; 80 bytes works much better than 40 bytes.\n\n\u003e 32-bits is used for the Commitment Transaction. For even the most\n\u003e high-volume node, 10 commitments per second results in 300 million\n\u003e Commitment Transactions. This identifies in which Commitment Transaction\n\u003e the HTLC was created. By knowing the Commitment Transaction, you'll know\n\u003e the revocation preimage, so after the revocation information has been\n\u003e exchanged, you only need to know which Commitment Transaction the HTLC\n\u003e was originally formed, since the revocation information was originally\n\u003e *generated* using a merkle tree derived from the Commitment Transaction\n\u003e as an index.\n\nI don't think this is useful if you've got OP_CTV and OP_CSV? If your\nscript is:\n\n Pay: (Alice \u0026 R \u0026 DELAY) | (Bob \u0026 TIMEOUT) | (Bob \u0026 REVOCATION)\n\nthen the REVOCATION has to be updated with each commitment update, or\nelse Bob would be able to claim it immediately after the next commitment\nupdate. So you only need to know the txn's commitment id, which you\nwork out from nLockTime anyway.\n\nOtherwise, Alice, Bob, and DELAY are channel parameters; leaving just\nR and TIMEOUT which fit in 22 bytes. So you can fit ~3.6 R\u0026TIMEOUTs in\na single OP_RETURN (so 3.6 in 1, 7.2 in 2, exactly 40 in 11).\n\nI'm not sure how the key management works for when you don't have OP_CTV\nor OP_CSV. I guess if the the key set used for HTLC #N is calculable given\nany secret M\u003eN (but not M\u003c=N), and you always reveal secret MIN(current\nactive HTLC ids), then you just need to record the HTLC's index. You\ncould again allow for a small search though; you only have to calculate\nthe public key and hash the transaction against the calculated keys so\nsearching should still be somewhat cheap. So yeah, I think that makes\nsense?\n\nBTW, 10 commitments per second (per channel) doesn't sound /that/ high\nvolume :) Pay per megabyte for an end user at 100Mb/s is already\naround that at least at peak times, eg.\n\nCheers,\naj",
"sig": "738feb0bc65dae81d483aca212e98c86208b7a57d6b9a93995dad97629662a49968332d61876b23ee2867ae5b3b737b42afe9caaf013b847bb5116c5ddce0698"
}