📅 Original date posted:2015-11-24
📝 Original message:
Mats Jerratsch <matsjj at gmail.com> writes:
> While working on the payment layer and messing around with timeouts /
> timeframes for CSV and CLTV, I noticed a few things...
>
> (1)
> It is indeed not possible for HTLCs to have a long revocation time and
> a short refund time. And it makes sense the way we designed the
> scripts and the commit transaction. As it's a single output, we either
> can prevent the other side from doing ANYTHING for the revocation
> timeout T1, or the other party is able to claim the complete output
> without any encumbering... In long chains of multiple hops, I might
> need R to settle the payment normally, while you still wait out the
> revocation timeout before you can reveal R...
Right.
This isn't immediately obvious, so let's unpack this a bit:
Because any to-self output needs to have an additional relative
revocation delay, A's HTLC output would look like:
For A if HTLC times out + revocation relative timeout, OR
For B with HTLC R value, OR
For B with revocation hash.
A needs to handle the case where B spends after the HTLC timeout, but
before the revocation relative timeout, so its inter-hop HTLC timeout
delta has to be > revocation timeout.
(Aside: can we reduce the HTLC timeout there so that it takes into account
the relative timeout? I'd have to think harder about all the other
scripts, too, but it seems reasonable on the surface?).
> (2)
> As revocation-time and refund time are equal, we have some problematic
> race conditions, where both parties can technically claim the payment,
> depending on propagation time of the transaction. Further, if you
> claim the payment that I was actually entitled to per refund, I may be
> out of luck getting my money back on the next hop...
Yeah, don't do this.
> (3)
> As the absolute CLTV timeout has to increase with each hop, it can
> give us insight about our position within the route, even with onion
> routing. It is possible to have the sender add some delay, but this
> just increases the (already long) total refund time.
This was my plan.
> I played with the numbers back and forth, but I don't really see any
> way out of this problem. Anything below one day might be dangerous
> already for DDoS attacks, with 20 hops we might end up with 30-40 days
> for a refund though...
It's not about DoS, really. The revocation time has to be long enough
so you're certain to spot someone cheating. And we've established that
the HTLC inter-hop-delta should be >> revocation time.
If your node is online and robust, 3 hours should be sufficient for
revocation time (remember, you can jack up fees if you need to). 12
hours will give you plenty of time to take your claim transactions and
inject them into the bitcoin network via carrier pidgeon or whatever you
need to get around any DDoS.
Still, let's assume everyone uses 1 day for revocation time, and 2 days
for HTLC timeout delta, and we have 20 hops.
The original HTLC (NODE 0 -> NODE 1) times out in 40 days. The last
HTLC (NODE 19 -> NODE 20) times out in 2 days, and that one falls to the
blockchain. NODE 19 takes 3 days to get a refund. Then it can
immediately close the incoming HTLC from NODE18 (why wait for a timeout?
It no longer has outstanding liabilities or any reason to believe it
will get the R value), etc.
So, worst case is 3 days unless there are multiple hop failures?
> If we go back to the original design, we are able to separate
> 'claiming-a-payment-using-R' and 'revoke-an-output' into two layers
> and such, we can enforce revealing R within a separate timeframe than
> the revocation timeframe. To do this, we need either SIGHASH_NOINPUT
> or SW, as we can't construct the transaction on top of the 'reveal-R'
> transaction without knowing R currently. Short refund timeouts would
> also mitigate the problems of (3)
>
> I would really love to stick with the current design, as not having to
> keep another set of signatures makes everything easier ...
Agreed.
What do you think about reducing the OP_CHECKLOCKTIMEVERIFY argument if
it's followed by the revocation delay?
Thanks!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:45:14
in reply to nevent1q…x2rq
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:45:14Event JSON
{
"id": "2d8cbfac5d7996a59df8b38cbb413e301305c27f12c8ef6972188053f3293dfe",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314714,
"kind": 1,
"tags": [
[
"e",
"736dfb86ab78326fcc1e394bf47470bcf73f1ab13d3a1b7b50e205d771436d9e",
"",
"root"
],
[
"e",
"f3373ecaaa8e6c61e727e846667a581274a56e0784839788f077704b0ace8b90",
"",
"reply"
],
[
"p",
"b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528"
]
],
"content": "📅 Original date posted:2015-11-24\n📝 Original message:\nMats Jerratsch \u003cmatsjj at gmail.com\u003e writes:\n\u003e While working on the payment layer and messing around with timeouts /\n\u003e timeframes for CSV and CLTV, I noticed a few things...\n\u003e\n\u003e (1)\n\u003e It is indeed not possible for HTLCs to have a long revocation time and\n\u003e a short refund time. And it makes sense the way we designed the\n\u003e scripts and the commit transaction. As it's a single output, we either\n\u003e can prevent the other side from doing ANYTHING for the revocation\n\u003e timeout T1, or the other party is able to claim the complete output\n\u003e without any encumbering... In long chains of multiple hops, I might\n\u003e need R to settle the payment normally, while you still wait out the\n\u003e revocation timeout before you can reveal R...\n\nRight.\n\nThis isn't immediately obvious, so let's unpack this a bit:\n\nBecause any to-self output needs to have an additional relative\nrevocation delay, A's HTLC output would look like:\n\n For A if HTLC times out + revocation relative timeout, OR\n For B with HTLC R value, OR\n For B with revocation hash.\n\nA needs to handle the case where B spends after the HTLC timeout, but\nbefore the revocation relative timeout, so its inter-hop HTLC timeout\ndelta has to be \u003e revocation timeout.\n\n(Aside: can we reduce the HTLC timeout there so that it takes into account\nthe relative timeout? I'd have to think harder about all the other\nscripts, too, but it seems reasonable on the surface?).\n\n\u003e (2)\n\u003e As revocation-time and refund time are equal, we have some problematic\n\u003e race conditions, where both parties can technically claim the payment,\n\u003e depending on propagation time of the transaction. Further, if you\n\u003e claim the payment that I was actually entitled to per refund, I may be\n\u003e out of luck getting my money back on the next hop...\n\nYeah, don't do this.\n\n\u003e (3)\n\u003e As the absolute CLTV timeout has to increase with each hop, it can\n\u003e give us insight about our position within the route, even with onion\n\u003e routing. It is possible to have the sender add some delay, but this\n\u003e just increases the (already long) total refund time.\n\nThis was my plan.\n\n\u003e I played with the numbers back and forth, but I don't really see any\n\u003e way out of this problem. Anything below one day might be dangerous\n\u003e already for DDoS attacks, with 20 hops we might end up with 30-40 days\n\u003e for a refund though...\n\nIt's not about DoS, really. The revocation time has to be long enough\nso you're certain to spot someone cheating. And we've established that\nthe HTLC inter-hop-delta should be \u003e\u003e revocation time.\n\nIf your node is online and robust, 3 hours should be sufficient for\nrevocation time (remember, you can jack up fees if you need to). 12\nhours will give you plenty of time to take your claim transactions and\ninject them into the bitcoin network via carrier pidgeon or whatever you\nneed to get around any DDoS.\n\nStill, let's assume everyone uses 1 day for revocation time, and 2 days\nfor HTLC timeout delta, and we have 20 hops.\n\nThe original HTLC (NODE 0 -\u003e NODE 1) times out in 40 days. The last\nHTLC (NODE 19 -\u003e NODE 20) times out in 2 days, and that one falls to the\nblockchain. NODE 19 takes 3 days to get a refund. Then it can\nimmediately close the incoming HTLC from NODE18 (why wait for a timeout?\nIt no longer has outstanding liabilities or any reason to believe it\nwill get the R value), etc.\n\nSo, worst case is 3 days unless there are multiple hop failures?\n\n\u003e If we go back to the original design, we are able to separate\n\u003e 'claiming-a-payment-using-R' and 'revoke-an-output' into two layers\n\u003e and such, we can enforce revealing R within a separate timeframe than\n\u003e the revocation timeframe. To do this, we need either SIGHASH_NOINPUT\n\u003e or SW, as we can't construct the transaction on top of the 'reveal-R'\n\u003e transaction without knowing R currently. Short refund timeouts would\n\u003e also mitigate the problems of (3)\n\u003e\n\u003e I would really love to stick with the current design, as not having to\n\u003e keep another set of signatures makes everything easier ...\n\nAgreed. \n\nWhat do you think about reducing the OP_CHECKLOCKTIMEVERIFY argument if\nit's followed by the revocation delay?\n\nThanks!\nRusty.",
"sig": "757cc64f8d8abc27b73873e4e2836f04dfdd21eb3ea74695a3eb01778c8c97ab7bdadc82bc95916e04d0306b68a1cb80280dc3170a0927bd0ec43f9ddee63f2d"
}