📅 Original date posted:2020-02-24
📝 Original message:
Anthony Towns <aj at erisian.com.au> writes:
> On Fri, Feb 21, 2020 at 12:35:20PM +1030, Rusty Russell wrote:
>> And if there is a grace period, I can just gum up the network with lots
>> of slow-but-not-slow-enough HTLCs.
>
> Well, it reduces the "gum up the network for <timeout> blocks" to "gum
> up the network for <grace period> seconds", which seems like a pretty
> big win. I think if you had 20 hops each with a 1 minute grace period,
> and each channel had a max_accepted_htlcs of 30, you'd need 25 HTLCs per
> second to block 1000 channels (so 2.7% of the 36k channels 1ml reports),
> so at the very least, successfully performing this attack would be
> demonstrating lightning's solved bitcoin's transactions-per-second
> limitation?
But the comparison here is not with the current state, but with the
"best previous proposal we have", which is:
1. Charge an up-front fee for accepting any HTLC.
2. Will hang-up after grace period unless you either prove a channel
close, or gain another grace period by decrypting onion.
(There was is an obvious extension to this, where you pay another HTLC
first which covers the (larger) up-front fee for the "I know the next
HTLC is going to take a long time").
That proposal is simpler, and covers this case quite nicely.
> at which point the best B can do is unilaterally close the B/C channel
> with their pre-HTLC commitment, but they still have to wait for that to
> confirm before they can safely cancel the HTLC with A, and that will
> likely take more than whatever the grace period is, so B will be losing
> money on holding fees.
>
> Whereas:
>
> A->B: here's a HTLC, locked in
>
> B->C: HTLC proposal
> C->B: sure: updated commitment with HTLC locked in
> B->C: great, corresponding updated commitment, plus revocation
> C->B: revocation
>
> means that if C goes silent before B receives a new commitment, B can
> cancel the HTLC with A with no risk (B can publish the old commitment
> still even if the new arrives later, and C can only publish the pre-HTLC
> commitment), and if C goes silent after B receives the new commitment, B
> can drop the new commitment to the blockchain and pay A's fees out of it.
Interesting; this adds a trip, but not in latency (since C can still
count on the HTLC being locked in at step 3).
I don't see how it helps B though? It still ends up paying A, and C
doesn't pay anything?
It forces a liveness check of C, but TBH I dread rewriting the state
machine for this when we can just ping like we do now.
>> There's an old proposal to fast-fail HTLCs: Bob sends an new message "I
>> would fail this HTLC once it's committed, here's the error"
>
> Yeah, you could do "B->C: proposal, C->B: no way!" instead of "sure" to
> fast fail the above too.
>
> And I think something like that's necessary (at least with my view of how
> this "keep the HTLC open" payment would work), otherwise B could send C a
> "1 microsecond grace period, rate of 3e11 msat/minute, HTLC for 100 sat,
> timeout of 2016 blocks" and if C couldn't reject it immediately would
> owe B 50c per millisecond it took to cancel.
Well, surely grace period (and penalty rate) are either fixed in the
protocol or negotiated up-front, not per-HTLC.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:58:58
in reply to nevent1q…vhj0
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:58:58Event JSON
{
"id": "469009bc890d00e154274dac2186d554c4da06e0aa7504d2b59c3c121bd363c1",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315538,
"kind": 1,
"tags": [
[
"e",
"45cf63b0d2d71c68e5ad79035b26c58f0d0a7f08c912c1e3fb49d13bc9edb573",
"",
"root"
],
[
"e",
"bc9d6c2bccd422d192e957c9bd1c5e0eb9704df896c38d778363c6c4e9d653f6",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2020-02-24\n📝 Original message:\nAnthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e On Fri, Feb 21, 2020 at 12:35:20PM +1030, Rusty Russell wrote:\n\u003e\u003e And if there is a grace period, I can just gum up the network with lots\n\u003e\u003e of slow-but-not-slow-enough HTLCs.\n\u003e\n\u003e Well, it reduces the \"gum up the network for \u003ctimeout\u003e blocks\" to \"gum\n\u003e up the network for \u003cgrace period\u003e seconds\", which seems like a pretty\n\u003e big win. I think if you had 20 hops each with a 1 minute grace period,\n\u003e and each channel had a max_accepted_htlcs of 30, you'd need 25 HTLCs per\n\u003e second to block 1000 channels (so 2.7% of the 36k channels 1ml reports),\n\u003e so at the very least, successfully performing this attack would be\n\u003e demonstrating lightning's solved bitcoin's transactions-per-second\n\u003e limitation?\n\nBut the comparison here is not with the current state, but with the\n\"best previous proposal we have\", which is:\n\n1. Charge an up-front fee for accepting any HTLC.\n2. Will hang-up after grace period unless you either prove a channel\n close, or gain another grace period by decrypting onion.\n\n(There was is an obvious extension to this, where you pay another HTLC\nfirst which covers the (larger) up-front fee for the \"I know the next\nHTLC is going to take a long time\").\n\nThat proposal is simpler, and covers this case quite nicely.\n\n\u003e at which point the best B can do is unilaterally close the B/C channel\n\u003e with their pre-HTLC commitment, but they still have to wait for that to\n\u003e confirm before they can safely cancel the HTLC with A, and that will\n\u003e likely take more than whatever the grace period is, so B will be losing\n\u003e money on holding fees.\n\u003e\n\u003e Whereas:\n\u003e\n\u003e A-\u003eB: here's a HTLC, locked in\n\u003e\n\u003e B-\u003eC: HTLC proposal\n\u003e C-\u003eB: sure: updated commitment with HTLC locked in\n\u003e B-\u003eC: great, corresponding updated commitment, plus revocation\n\u003e C-\u003eB: revocation\n\u003e\n\u003e means that if C goes silent before B receives a new commitment, B can\n\u003e cancel the HTLC with A with no risk (B can publish the old commitment\n\u003e still even if the new arrives later, and C can only publish the pre-HTLC\n\u003e commitment), and if C goes silent after B receives the new commitment, B\n\u003e can drop the new commitment to the blockchain and pay A's fees out of it.\n\nInteresting; this adds a trip, but not in latency (since C can still\ncount on the HTLC being locked in at step 3).\n\nI don't see how it helps B though? It still ends up paying A, and C\ndoesn't pay anything?\n\nIt forces a liveness check of C, but TBH I dread rewriting the state\nmachine for this when we can just ping like we do now.\n\n\u003e\u003e There's an old proposal to fast-fail HTLCs: Bob sends an new message \"I\n\u003e\u003e would fail this HTLC once it's committed, here's the error\" \n\u003e\n\u003e Yeah, you could do \"B-\u003eC: proposal, C-\u003eB: no way!\" instead of \"sure\" to\n\u003e fast fail the above too. \n\u003e\n\u003e And I think something like that's necessary (at least with my view of how\n\u003e this \"keep the HTLC open\" payment would work), otherwise B could send C a\n\u003e \"1 microsecond grace period, rate of 3e11 msat/minute, HTLC for 100 sat,\n\u003e timeout of 2016 blocks\" and if C couldn't reject it immediately would\n\u003e owe B 50c per millisecond it took to cancel.\n\nWell, surely grace period (and penalty rate) are either fixed in the\nprotocol or negotiated up-front, not per-HTLC.\n\nCheers,\nRusty.",
"sig": "bb7a4ff545bd224c8abaaaff6ca5e3b0640bc8c7f955142bd11c36bf972db902e072703813665ebe65d8a74831f949ac4336c11cfbec8dcaf855b0ad79efc37c"
}