<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <updated>2023-06-09T12:11:22Z</updated>
  <generator>https://njump.me</generator>

  <title>Nostr notes by Christian Decker [ARCHIVE]</title>
  <author>
    <name>Christian Decker [ARCHIVE]</name>
  </author>
  <link rel="self" type="application/atom+xml" href="https://njump.me/npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuyn.rss" />
  <link href="https://njump.me/npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuyn" />
  <id>https://njump.me/npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuyn</id>
  <icon></icon>
  <logo></logo>




  <entry>
    <id>https://njump.me/nevent1qqs0d367q6uz9mycpnvd5rrcy945nkmh7vh9xz6spmsdgvavv5ptehqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wtas33u</id>
    
      <title type="html">📅 Original date posted:2023-09-08 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs0d367q6uz9mycpnvd5rrcy945nkmh7vh9xz6spmsdgvavv5ptehqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wtas33u" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqszk97l9qlcps4vpxhjjhvfe6xmg6ta3f3gg4hkdmvucpz7uryh5js0p396a&#39;&gt;nevent1q…396a&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-09-08&lt;br/&gt;🗒️ Summary of this message: A proposal suggests using runes managed by a hardware wallet to authenticate RPC calls, preventing compromised clients from making unauthorized calls.&lt;br/&gt;📝 Original message:&lt;br/&gt;Very interesting proposal, though as Will points out we could implement the&lt;br/&gt;same using runes: have the rune be managed by the hardware wallet, and&lt;br/&gt;commit the rune used to authenticate the RPC call commit to the call&amp;#39;s&lt;br/&gt;payload. That way a potentially compromised client cannot authenticate&lt;br/&gt;arbitrary calls, since the hardware wallet is required to associate a rune&lt;br/&gt;with it, giving it a chance for review.&lt;br/&gt;&lt;br/&gt;This is similar to how authentication of RPC calls works in greenlight,&lt;br/&gt;where the node host is not trusted, and we need to pass the authenticated&lt;br/&gt;commands forward to the signer for verification before processing any&lt;br/&gt;signature request from the node. We chose to authenticate the payload&lt;br/&gt;rather than the transport (which is what partonnere does) because it&lt;br/&gt;removes the need for a direct connection, and adds flexibility to how we&lt;br/&gt;can deliver the commands. Functionally they are very similar however.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Thu, Sep 7, 2023, 15:06 Bastien TEINTURIER &amp;lt;bastien at acinq.fr&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Hi William,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; What is wrong with runes/macaroons for validating and authenticating&lt;br/&gt;&amp;gt; &amp;gt; commands?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Runes/macaroons don&amp;#39;t provide any protection if the machine you are&lt;br/&gt;&amp;gt; issuing the RPCs from is compromised. The attacker can change the&lt;br/&gt;&amp;gt; parameters of your RPC call and your lightning node will still gladly&lt;br/&gt;&amp;gt; execute it.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; I can&amp;#39;t imagine validating every RPC request with a hardware&lt;br/&gt;&amp;gt; &amp;gt; device and trusted display, unless you have some specific use case in&lt;br/&gt;&amp;gt; &amp;gt; mind.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think that this is because you have the wrong idea of which RPCs&lt;br/&gt;&amp;gt; this is supposed to protect. This is useful for the RPCs that actually&lt;br/&gt;&amp;gt; involve paying something (channel open, channel close, pay invoice).&lt;br/&gt;&amp;gt; This isn&amp;#39;t useful for &amp;#34;read&amp;#34; RPCs (listing channels).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Making an on-chain operation or paying an invoice is something that is&lt;br/&gt;&amp;gt; infrequent enough for the vast majority of nodes that it makes sense&lt;br/&gt;&amp;gt; to validate it manually. Also, this is fully configurable: you can&lt;br/&gt;&amp;gt; choose which RPCs you want to protect that way and which RPCs you want&lt;br/&gt;&amp;gt; to keep open.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thanks,&lt;br/&gt;&amp;gt; Bastien&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Le mer. 6 sept. 2023 à 17:42, William Casarin &amp;lt;jb55 at jb55.com&amp;gt; a écrit :&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; On Wed, Sep 06, 2023 at 03:32:50AM &#43;0200, Bastien TEINTURIER wrote:&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;Hey Zman,&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;I saw the announcement about the commando plugin, and it was actually&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;one of the reasons I wanted to write up what I had in mind, because&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;while commando also uses a lightning connection to send commands to a&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;lightning node, it was missing what in my opinion is the most important&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;part: having all of Bolt 8 handled by the HSM and validating commands&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;using a trusted display.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; What is wrong with runes/macaroons for validating and authenticating&lt;br/&gt;&amp;gt; &amp;gt; commands? I can&amp;#39;t imagine validating every RPC request with a hardware&lt;br/&gt;&amp;gt; &amp;gt; device and trusted display, unless you have some specific use case in&lt;br/&gt;&amp;gt; &amp;gt; mind.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt;         Will&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230908/57a116fe/attachment-0001.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230908/57a116fe/attachment-0001.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-09-12T08:59:58Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsr6pytufulls9q28xddmk4zh0gsa5q36k966zpnc2e8yjkgqdhp8qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn0qg8v</id>
    
      <title type="html">📅 Original date posted:2023-05-20 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsr6pytufulls9q28xddmk4zh0gsa5q36k966zpnc2e8yjkgqdhp8qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn0qg8v" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs23r6x7zyum0qn53rzpyydzln7xkvm4rlj7dn27k5ka76mtp6yhmcedkdja&#39;&gt;nevent1q…kdja&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-20&lt;br/&gt;🗒️ Summary of this message: The author is interested in the number of repeat interactions nodes receive from individual senders to determine the effectiveness of local-only reputation systems. However, they realize they were mixing two different proposals and apologize for the confusion. Nodes that forward fewer HTLCs may have difficulty building a good reputation with active routing nodes, but during an attack, small and low activity nodes can still interact with similar nodes to build a good reputation.&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;gt; &amp;gt; I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;&amp;gt; individual senders, since that also tells us how much use we can get&lt;br/&gt;&amp;gt; out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;&amp;gt; surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;&amp;gt; them to make an informed decision, while the edges may be more&lt;br/&gt;&amp;gt; vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;&amp;gt; impact of an attack would also be proportionally smaller.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m unclear on what you mean by “individual senders” here? In our&lt;br/&gt;&amp;gt; scheme, nodes only track local reputation for their direct peers so&lt;br/&gt;&amp;gt; what matters is their history with all HTLCs a peer has forwarded to&lt;br/&gt;&amp;gt; them (not whether they come from repeat senders).&lt;br/&gt;&lt;br/&gt;Apologies, upon rethinking this I realized I had been mixing two different&lt;br/&gt;proposals in my mind. The criticism of sender-based reputation does&lt;br/&gt;not apply if all we do is track our immediate neighbors. Sorry for the&lt;br/&gt;confusion.&lt;br/&gt;&lt;br/&gt;&amp;gt; It’s true that nodes that forward fewer HTLCs are less likely to be&lt;br/&gt;&amp;gt; able to build a good reputation with very active routing nodes. In the&lt;br/&gt;&amp;gt; regular operation of the network, this should have low to no impact on&lt;br/&gt;&amp;gt; their activity - they don’t require much from their peers anyway.&lt;br/&gt;&amp;gt; During an attack, small and low activity nodes will temporarily be in&lt;br/&gt;&amp;gt; competition for large routing nodes’ scarce liquidity and slots, but&lt;br/&gt;&amp;gt; will still be able to interact with similar nodes where they have&lt;br/&gt;&amp;gt; better chances of building a good reputation.&lt;br/&gt;&lt;br/&gt;That matches my own interpretation very well, thanks.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-19T17:42:28Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsfrmjj40rdagw672408u39fawyl3f8f9nwylewwpk7l5ms50etzlczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w3vlzdp</id>
    
      <title type="html">📅 Original date posted:2023-05-10 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsfrmjj40rdagw672408u39fawyl3f8f9nwylewwpk7l5ms50etzlczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w3vlzdp" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsp87sm0a0kd5a74x46nhmqgzxctl9za96cm3atrn80gha525w867se262vd&#39;&gt;nevent1q…62vd&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-10&lt;br/&gt;🗒️ Summary of this message: Reputation systems in Lightning Network are susceptible to sudden behavioral changes and whitewashing attacks, making them less useful. Local-only reputation systems may work for large routing nodes, but edges are more vulnerable.&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Antoine,&lt;br/&gt;&lt;br/&gt;this is an intrinsic issue with reputation systems, and the main&lt;br/&gt;reason I&amp;#39;m sceptical w.r.t. their usefulness in lightning.&lt;br/&gt;Fundamentally any reputation system bases their expectations for the&lt;br/&gt;future on experiences they made in the past, and they are thus always&lt;br/&gt;susceptible to sudden behavioral changes (going rogue from a prior&lt;br/&gt;clean record) and whitewashing attacks (switching identity, abusing&lt;br/&gt;any builtin bootstrapping method for new users to gain a good or&lt;br/&gt;neutral reputation before turning rogue repeatedly).&lt;br/&gt;&lt;br/&gt;This gets compounded as soon as we start gossiping about reputations,&lt;br/&gt;since now our decisions are no longer based just on information we can&lt;br/&gt;witness ourselves, or at least verify its correctness, and as such an&lt;br/&gt;attacker can most likely &amp;#34;earn&amp;#34; a positive reputation in some other&lt;br/&gt;part of the world, and then turn around and attack the nodes that&lt;br/&gt;trusted the reputation shared from those other parts.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;individual senders, since that also tells us how much use we can get&lt;br/&gt;out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;them to make an informed decision, while the edges may be more&lt;br/&gt;vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;impact of an attack would also be proportionally smaller.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Mon, May 8, 2023 at 10:26 PM Antoine Riard &amp;lt;antoine.riard at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Hi *,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt; &amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt; &amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think the HTLC endorsement scheme as proposed is still suffering from a vulnerability as local reputation can be built up during periods of low routing fees, endorsement gained and then abused during periods of high routing fees. Therefore, it sounds to me this scheme should aim for some reputational transitivity between incoming traffic and outgoing traffic. Namely, the acquisition cost of the local reputation should be equal to the max timevalue damage that one can inflict on a routing node channel accessible from its local counterparty granting this high-level of reputation.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t know if this can be fixed by ensuring permanent link-level &amp;#34;gossip&amp;#34; where counterparties along a payment path expose their reputation heuristics to guarantee this transitivity, or it&amp;#39;s a fundamental issue with a point-to-point approach like HTLC endorsement.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Opened an issue on the repository to converge on a threat model:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/pull/13&#34;&gt;https://github.com/ClaraShk/LNJamming/pull/13&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I still think building data gathering infrastructure for Lightning is valuable as ultimately any jamming mitigation will have to adapt its upfront fees or reputation acquisition cost in function of HTLC traffic and market forces.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Looking forward to giving an update on Staking Credentials [0], an end-to-end approach to mitigate channel jamming.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Best,&lt;br/&gt;&amp;gt; Antoine&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [0] &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Le dim. 30 avr. 2023 à 03:57, Carla Kirk-Cohen &amp;lt;kirkcohenc at gmail.com&amp;gt; a écrit :&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hi list,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Some updates on channel jamming!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Next Call&lt;br/&gt;&amp;gt;&amp;gt; - Monday 01 May @ 15:00 UTC&lt;br/&gt;&amp;gt;&amp;gt; - &lt;a href=&#34;https://meet.jit.si/UnjammingLN&#34;&gt;https://meet.jit.si/UnjammingLN&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; - Agenda: &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/issues/12&#34;&gt;https://github.com/ClaraShk/LNJamming/issues/12&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Data Gathering&lt;br/&gt;&amp;gt;&amp;gt; During these weekly calls, we&amp;#39;ve come to agreement that we would like&lt;br/&gt;&amp;gt;&amp;gt; to gather data about the use of HTLC endorsement and local reputation&lt;br/&gt;&amp;gt;&amp;gt; tracking for jamming mitigation. A reminder of the full scheme is&lt;br/&gt;&amp;gt;&amp;gt; included at the end of this email, and covered more verbosely in [1].&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; We have a few goals in mind:&lt;br/&gt;&amp;gt;&amp;gt; - Observe the effect of endorsement in the steady state with&lt;br/&gt;&amp;gt;&amp;gt;   logging-only implementation.&lt;br/&gt;&amp;gt;&amp;gt; - Gather real-world data for use in future simulation work.&lt;br/&gt;&amp;gt;&amp;gt; - Experiment with different algorithms for tracking local reputation.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The minimal changes required to add HTLC endorsement are outlined in [2].&lt;br/&gt;&amp;gt;&amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt;&amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt;&amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; With this infrastructure in place, we can start to experiment with&lt;br/&gt;&amp;gt;&amp;gt; various local reputation schemes and data gathering, possibly even&lt;br/&gt;&amp;gt;&amp;gt; externally to LN implementations in projects like circuitbreaker [3].&lt;br/&gt;&amp;gt;&amp;gt; We&amp;#39;d be interested to hear whether there&amp;#39;s any appetite to deploy using&lt;br/&gt;&amp;gt;&amp;gt; an experimental TLV value?&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Reputation Scheme&lt;br/&gt;&amp;gt;&amp;gt; - Each node locally tracks the reputation of its direct neighbors.&lt;br/&gt;&amp;gt;&amp;gt; - Each node allocates, per its risk tolerance:&lt;br/&gt;&amp;gt;&amp;gt;   - A number of slots reserved for endorsed HTLCs from high reputation&lt;br/&gt;&amp;gt;&amp;gt;     peers.&lt;br/&gt;&amp;gt;&amp;gt;   - A portion of liquidity reserved for endorsed HTLCs from high&lt;br/&gt;&amp;gt;&amp;gt;     reputation peers.&lt;br/&gt;&amp;gt;&amp;gt; - Forwarding of HTLCs:&lt;br/&gt;&amp;gt;&amp;gt;   - If a HTLC is endorsed by a high reputation peer, it is forwarded&lt;br/&gt;&amp;gt;&amp;gt;     as usual with endorsed = 1.&lt;br/&gt;&amp;gt;&amp;gt;   - Otherwise, it is forwarded with endorsed = 0 if there are slots and&lt;br/&gt;&amp;gt;&amp;gt;     liquidity available for unknown HTLCs.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Endorsement and reputation are proposed as the first step in a two part&lt;br/&gt;&amp;gt;&amp;gt; scheme for mitigating channel jamming:&lt;br/&gt;&amp;gt;&amp;gt; - Reputation for slow jams which are easily detected as misbehavior.&lt;br/&gt;&amp;gt;&amp;gt; - Unconditional fees for quick jams that are difficult to detect, as&lt;br/&gt;&amp;gt;&amp;gt;   they can always fall under a target threshold.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Looking forward to discussing further in the upcoming call!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Best,&lt;br/&gt;&amp;gt;&amp;gt; Carla and Clara&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; [1] &lt;a href=&#34;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&#34;&gt;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [2] &lt;a href=&#34;https://github.com/lightning/bolts/pull/1071&#34;&gt;https://github.com/lightning/bolts/pull/1071&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [3] &lt;a href=&#34;https://github.com/lightningequipment/circuitbreaker&#34;&gt;https://github.com/lightningequipment/circuitbreaker&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-19T17:42:22Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsw9h2ulq3ydadca0hvf4j7epupa0t0zr79c6pzp8gr8ktd3qm43fgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wl445n5</id>
    
      <title type="html">📅 Original date posted:2023-05-20 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsw9h2ulq3ydadca0hvf4j7epupa0t0zr79c6pzp8gr8ktd3qm43fgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wl445n5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs98enndnv4d3e497gxqd6cxdlw0wuptcar9p8jm8qpmfgtxpcgf8cpajdk9&#39;&gt;nevent1q…jdk9&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-20&lt;br/&gt;🗒️ Summary of this message: The author is interested in the number of repeat interactions nodes receive from individual senders to determine the effectiveness of local-only reputation systems. However, they realize they were mixing two different proposals and apologize for the confusion. Nodes that forward fewer HTLCs may have difficulty building a good reputation with active routing nodes, but during an attack, they can still interact with similar nodes to build a good reputation.&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;gt; &amp;gt; I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;&amp;gt; individual senders, since that also tells us how much use we can get&lt;br/&gt;&amp;gt; out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;&amp;gt; surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;&amp;gt; them to make an informed decision, while the edges may be more&lt;br/&gt;&amp;gt; vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;&amp;gt; impact of an attack would also be proportionally smaller.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m unclear on what you mean by “individual senders” here? In our&lt;br/&gt;&amp;gt; scheme, nodes only track local reputation for their direct peers so&lt;br/&gt;&amp;gt; what matters is their history with all HTLCs a peer has forwarded to&lt;br/&gt;&amp;gt; them (not whether they come from repeat senders).&lt;br/&gt;&lt;br/&gt;Apologies, upon rethinking this I realized I had been mixing two different&lt;br/&gt;proposals in my mind. The criticism of sender-based reputation does&lt;br/&gt;not apply if all we do is track our immediate neighbors. Sorry for the&lt;br/&gt;confusion.&lt;br/&gt;&lt;br/&gt;&amp;gt; It’s true that nodes that forward fewer HTLCs are less likely to be&lt;br/&gt;&amp;gt; able to build a good reputation with very active routing nodes. In the&lt;br/&gt;&amp;gt; regular operation of the network, this should have low to no impact on&lt;br/&gt;&amp;gt; their activity - they don’t require much from their peers anyway.&lt;br/&gt;&amp;gt; During an attack, small and low activity nodes will temporarily be in&lt;br/&gt;&amp;gt; competition for large routing nodes’ scarce liquidity and slots, but&lt;br/&gt;&amp;gt; will still be able to interact with similar nodes where they have&lt;br/&gt;&amp;gt; better chances of building a good reputation.&lt;br/&gt;&lt;br/&gt;That matches my own interpretation very well, thanks.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:13:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9wc2fxm232yrnkseh2u93gla4lnm7qs5jv3lgrtv3wk0ku2geyvgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9waurxam</id>
    
      <title type="html">📅 Original date posted:2023-05-10 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9wc2fxm232yrnkseh2u93gla4lnm7qs5jv3lgrtv3wk0ku2geyvgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9waurxam" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs874vvqsscq3f86fjf7qtczzgl4rzp3dfw354s3f22dev4y4kzfqgmm5rrq&#39;&gt;nevent1q…5rrq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-10&lt;br/&gt;🗒️ Summary of this message: Reputation systems in Lightning are susceptible to sudden behavioral changes and whitewashing attacks, making their usefulness questionable. Local-only reputation systems may work for large routing nodes, but edges may be more vulnerable.&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Antoine,&lt;br/&gt;&lt;br/&gt;this is an intrinsic issue with reputation systems, and the main&lt;br/&gt;reason I&amp;#39;m sceptical w.r.t. their usefulness in lightning.&lt;br/&gt;Fundamentally any reputation system bases their expectations for the&lt;br/&gt;future on experiences they made in the past, and they are thus always&lt;br/&gt;susceptible to sudden behavioral changes (going rogue from a prior&lt;br/&gt;clean record) and whitewashing attacks (switching identity, abusing&lt;br/&gt;any builtin bootstrapping method for new users to gain a good or&lt;br/&gt;neutral reputation before turning rogue repeatedly).&lt;br/&gt;&lt;br/&gt;This gets compounded as soon as we start gossiping about reputations,&lt;br/&gt;since now our decisions are no longer based just on information we can&lt;br/&gt;witness ourselves, or at least verify its correctness, and as such an&lt;br/&gt;attacker can most likely &amp;#34;earn&amp;#34; a positive reputation in some other&lt;br/&gt;part of the world, and then turn around and attack the nodes that&lt;br/&gt;trusted the reputation shared from those other parts.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;individual senders, since that also tells us how much use we can get&lt;br/&gt;out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;them to make an informed decision, while the edges may be more&lt;br/&gt;vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;impact of an attack would also be proportionally smaller.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Mon, May 8, 2023 at 10:26 PM Antoine Riard &amp;lt;antoine.riard at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Hi *,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt; &amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt; &amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think the HTLC endorsement scheme as proposed is still suffering from a vulnerability as local reputation can be built up during periods of low routing fees, endorsement gained and then abused during periods of high routing fees. Therefore, it sounds to me this scheme should aim for some reputational transitivity between incoming traffic and outgoing traffic. Namely, the acquisition cost of the local reputation should be equal to the max timevalue damage that one can inflict on a routing node channel accessible from its local counterparty granting this high-level of reputation.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t know if this can be fixed by ensuring permanent link-level &amp;#34;gossip&amp;#34; where counterparties along a payment path expose their reputation heuristics to guarantee this transitivity, or it&amp;#39;s a fundamental issue with a point-to-point approach like HTLC endorsement.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Opened an issue on the repository to converge on a threat model:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/pull/13&#34;&gt;https://github.com/ClaraShk/LNJamming/pull/13&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I still think building data gathering infrastructure for Lightning is valuable as ultimately any jamming mitigation will have to adapt its upfront fees or reputation acquisition cost in function of HTLC traffic and market forces.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Looking forward to giving an update on Staking Credentials [0], an end-to-end approach to mitigate channel jamming.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Best,&lt;br/&gt;&amp;gt; Antoine&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [0] &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Le dim. 30 avr. 2023 à 03:57, Carla Kirk-Cohen &amp;lt;kirkcohenc at gmail.com&amp;gt; a écrit :&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hi list,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Some updates on channel jamming!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Next Call&lt;br/&gt;&amp;gt;&amp;gt; - Monday 01 May @ 15:00 UTC&lt;br/&gt;&amp;gt;&amp;gt; - &lt;a href=&#34;https://meet.jit.si/UnjammingLN&#34;&gt;https://meet.jit.si/UnjammingLN&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; - Agenda: &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/issues/12&#34;&gt;https://github.com/ClaraShk/LNJamming/issues/12&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Data Gathering&lt;br/&gt;&amp;gt;&amp;gt; During these weekly calls, we&amp;#39;ve come to agreement that we would like&lt;br/&gt;&amp;gt;&amp;gt; to gather data about the use of HTLC endorsement and local reputation&lt;br/&gt;&amp;gt;&amp;gt; tracking for jamming mitigation. A reminder of the full scheme is&lt;br/&gt;&amp;gt;&amp;gt; included at the end of this email, and covered more verbosely in [1].&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; We have a few goals in mind:&lt;br/&gt;&amp;gt;&amp;gt; - Observe the effect of endorsement in the steady state with&lt;br/&gt;&amp;gt;&amp;gt;   logging-only implementation.&lt;br/&gt;&amp;gt;&amp;gt; - Gather real-world data for use in future simulation work.&lt;br/&gt;&amp;gt;&amp;gt; - Experiment with different algorithms for tracking local reputation.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The minimal changes required to add HTLC endorsement are outlined in [2].&lt;br/&gt;&amp;gt;&amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt;&amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt;&amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; With this infrastructure in place, we can start to experiment with&lt;br/&gt;&amp;gt;&amp;gt; various local reputation schemes and data gathering, possibly even&lt;br/&gt;&amp;gt;&amp;gt; externally to LN implementations in projects like circuitbreaker [3].&lt;br/&gt;&amp;gt;&amp;gt; We&amp;#39;d be interested to hear whether there&amp;#39;s any appetite to deploy using&lt;br/&gt;&amp;gt;&amp;gt; an experimental TLV value?&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Reputation Scheme&lt;br/&gt;&amp;gt;&amp;gt; - Each node locally tracks the reputation of its direct neighbors.&lt;br/&gt;&amp;gt;&amp;gt; - Each node allocates, per its risk tolerance:&lt;br/&gt;&amp;gt;&amp;gt;   - A number of slots reserved for endorsed HTLCs from high reputation&lt;br/&gt;&amp;gt;&amp;gt;     peers.&lt;br/&gt;&amp;gt;&amp;gt;   - A portion of liquidity reserved for endorsed HTLCs from high&lt;br/&gt;&amp;gt;&amp;gt;     reputation peers.&lt;br/&gt;&amp;gt;&amp;gt; - Forwarding of HTLCs:&lt;br/&gt;&amp;gt;&amp;gt;   - If a HTLC is endorsed by a high reputation peer, it is forwarded&lt;br/&gt;&amp;gt;&amp;gt;     as usual with endorsed = 1.&lt;br/&gt;&amp;gt;&amp;gt;   - Otherwise, it is forwarded with endorsed = 0 if there are slots and&lt;br/&gt;&amp;gt;&amp;gt;     liquidity available for unknown HTLCs.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Endorsement and reputation are proposed as the first step in a two part&lt;br/&gt;&amp;gt;&amp;gt; scheme for mitigating channel jamming:&lt;br/&gt;&amp;gt;&amp;gt; - Reputation for slow jams which are easily detected as misbehavior.&lt;br/&gt;&amp;gt;&amp;gt; - Unconditional fees for quick jams that are difficult to detect, as&lt;br/&gt;&amp;gt;&amp;gt;   they can always fall under a target threshold.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Looking forward to discussing further in the upcoming call!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Best,&lt;br/&gt;&amp;gt;&amp;gt; Carla and Clara&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; [1] &lt;a href=&#34;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&#34;&gt;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [2] &lt;a href=&#34;https://github.com/lightning/bolts/pull/1071&#34;&gt;https://github.com/lightning/bolts/pull/1071&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [3] &lt;a href=&#34;https://github.com/lightningequipment/circuitbreaker&#34;&gt;https://github.com/lightningequipment/circuitbreaker&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:13:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsd3ues2y8yue5wr45dg0k79px2534r6m7mnc7jkmnju4tuv2ue3pqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w52c5zx</id>
    
      <title type="html">📅 Original date posted:2023-02-13 🗒️ Summary of this ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsd3ues2y8yue5wr45dg0k79px2534r6m7mnc7jkmnju4tuv2ue3pqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w52c5zx" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs875k87wauy78vaq84fc4384mghrlwx5j08q2p74f0jyu4auz6e7g9dvtht&#39;&gt;nevent1q…vtht&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-02-13&lt;br/&gt;🗒️ Summary of this message: Reputation systems are difficult to get right and easy to exploit. There are three types: first-hand experience, inferred experience, and hearsay. Repeat interactions are rare, and local knowledge gets out of date. Penalizing nodes is not the goal; optimizing the payment process is.&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Matt,&lt;br/&gt;Hi Joost,&lt;br/&gt;&lt;br/&gt;let me chime in here, since we seem to be slowly reinventing all the&lt;br/&gt;research on reputation systems that is already out there. First of all&lt;br/&gt;let me say that I am personally not a fan of reputation systems in&lt;br/&gt;general, just to get my own biases out of the way, now on to the why :-)&lt;br/&gt;&lt;br/&gt;Reputation systems are great when they work, but they are horrible to&lt;br/&gt;get right, and certainly the patchworky approach we see being proposed&lt;br/&gt;today will end up with a system that is easy to exploit and hard to&lt;br/&gt;understand. The last time I encountered this kind of scenario was during&lt;br/&gt;my work on Bittorrent, where the often theorized tit-for-tat approach&lt;br/&gt;failed spectacularly, and leeching (i.e., not contributing to other&lt;br/&gt;people&amp;#39;s download) is rampant even today (BT only works because a few&lt;br/&gt;don&amp;#39;t care about their upload bandwidth).&lt;br/&gt;&lt;br/&gt;First of all let&amp;#39;s see what types of reputation system exist (and yes,&lt;br/&gt;this is my very informal categorization):&lt;br/&gt;&lt;br/&gt; - First hand experience&lt;br/&gt; - Inferred experience&lt;br/&gt; - Hearsay&lt;br/&gt;&lt;br/&gt;The first two are likely the setup we all are comfortable with: we ourselves&lt;br/&gt;experienced something, and make some decisions based on that&lt;br/&gt;experience. This is probably what we&amp;#39;re all doing at the moment: we&lt;br/&gt;attempt a payment, it fails, we back off for a bit from that channel&lt;br/&gt;being used again. This requires either being able to witness the issue&lt;br/&gt;directly (local peer) or infer from unforgeable error messages (the&lt;br/&gt;failing node returns an error, and it can&amp;#39;t point the finger at someone&lt;br/&gt;else). Notice that this also includes some transitive constructions,&lt;br/&gt;such as the backpressure mechanism we were discussing for ariard&amp;#39;s&lt;br/&gt;credentials proposal.&lt;br/&gt;&lt;br/&gt;Ideally we&amp;#39;d only rely on the first two to make decisions, but here&amp;#39;s&lt;br/&gt;exactly the issue we ran into with Bittorrent: repeat interactions are&lt;br/&gt;too rare. In addition, our local knowledge gets out of date the longer&lt;br/&gt;we wait, and a previously failing channel may now be good again, and&lt;br/&gt;vice-versa. For us to have sufficient knowledge to make good decisions&lt;br/&gt;we need to repeatedly interact with the same nodes in the network, and&lt;br/&gt;since end-users will be very unlikely to do that, we might end up in a&lt;br/&gt;situation were we instinctively fall back to the hearsay method, either&lt;br/&gt;by sharing our local reputation with peers and then somehow combine that&lt;br/&gt;with our own view. To the best of my knowledge such a system has never&lt;br/&gt;been built successfully, and all attempts have ended in a system that&lt;br/&gt;was either way too simple or is gameable by rational players.&lt;br/&gt;&lt;br/&gt;I also object to the wording of penalizing nodes that haven&amp;#39;t been as&lt;br/&gt;reliable in the past. It&amp;#39;s not penalizing them if, based on our local&lt;br/&gt;information, we decide to route over other nodes for a bit. Our goal is&lt;br/&gt;optimize the payment process, chosing the best possible routes, not&lt;br/&gt;making a judgement on the honesty or reliability of a node. When talking&lt;br/&gt;about penalizing we see node operators starting to play stupid games to&lt;br/&gt;avoid that perceived penalty, when in reality they should do their best&lt;br/&gt;to route as many payments successfully as possible (the negative fees&lt;br/&gt;for direct peers &amp;#34;exhausting&amp;#34; a balanced flow is one such example of&lt;br/&gt;premature optimization in that direction imho).&lt;br/&gt;&lt;br/&gt;So I guess what I&amp;#39;m saying is that we need to get away from this&lt;br/&gt;patchwork mode of building the protocol, and have a much clearer model&lt;br/&gt;for a) what we want to achieve, b) how much untrustworthy information we&lt;br/&gt;want to rely on, and c) how we protect (and possibly prove security)&lt;br/&gt;against manipulation by rational players. For the last question we at&lt;br/&gt;least have one nice feature (for now), namely that the identities are&lt;br/&gt;semi-permanent, and so white-washing attacks at least are not free.&lt;br/&gt;&lt;br/&gt;And after all this rambling, let&amp;#39;s get back to the topic at hand: I&lt;br/&gt;don&amp;#39;t think enshrining the differences of availability in the protocol,&lt;br/&gt;thus creating two classes of nodes, is a desirable&lt;br/&gt;feature. Communicating up-front that I intend to be reliable does&lt;br/&gt;nothing, and penalizing after the fact isn&amp;#39;t worth much due to the&lt;br/&gt;repeat interactions issue. It&amp;#39;d be even worse if now we had to rely on a&lt;br/&gt;third party to aggregate and track the reliability, in order to get&lt;br/&gt;enough repeat interactions to build a good model of their liquidity,&lt;br/&gt;since we&amp;#39;re now back in the hearsay world, and the third party can feed&lt;br/&gt;us wrong information to maximize their profits.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Matt Corallo &amp;lt;lf-lists at mattcorallo.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi Joost,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m not sure I agree that lightning is “capital efficient” (or even close to it), but more generally I don’t see why this needs a signal.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If nodes start aggressively preferring routes through nodes that reliably route payments (which I believe lnd already does, in effect, to some large extent), they should do so by measurement, not signaling.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In practice, many channels on the network are “high availability” today, but only in one direction (I.e. they aren’t regularly spliced/rebalanced and are regularly unbalanced). A node strongly preferring a high payment success rate *should* prefer such a channel, but in your scheme would not.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This ignores the myriad of “at what threshold do you signal HA” issues, which likely make such a signal DOA, anyway.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Finally, I’m very dismayed at this direction in thinking on how ln should work - nodes should be measuring the network and routing over paths that it thinks are reliable for what it wants, *robustly over an unreliable network*. We should absolutely not be expecting the lightning network to be built out of high reliability nodes, that creates strong centralization pressure. To truly meet a “high availability” threshold, realistically, you’d need to be able to JIT 0conf splice-in, which would drive lightning to actually being a credit network.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; With reasonable volume, lightning today is very reliable and relatively fast, with few retries required. I don’t think we need to change anything to fix it. :)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Matt&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; On Feb 13, 2023, at 06:46, Joost Jager &amp;lt;joost.jager at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; ﻿&lt;br/&gt;&amp;gt;&amp;gt; Hi,&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; For a long time I&amp;#39;ve held the expectation that eventually payers on the lightning network will become very strict about node performance. That they will require a routing node to operate flawlessly or else apply a hefty penalty such as completely avoiding the node for an extended period of time - multiple weeks. The consequence of this is that routing nodes would need to manage their liquidity meticulously because every failure potentially has a large impact on future routing revenue.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; I think movement in this direction is important to guarantee competitiveness with centralised payment systems and their (at least theoretical) ability to process a payment in the blink of an eye. A lightning wallet trying multiple paths to find one that works doesn&amp;#39;t help with this.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; A common argument against strict penalisation is that it would lead to less efficient use of capital. Routing nodes would need to maintain pools of liquidity to guarantee successes all the time. My opinion on this is that lightning is already enormously capital efficient at scale and that it is worth sacrificing a slight part of that efficiency to also achieve the lowest possible latency.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; This brings me to the actual subject of this post. Assuming strict penalisation is good, it may still not be ideal to flip the switch from one day to the other. Routing nodes may not offer the required level of service yet, causing senders to end up with no nodes to choose from.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; One option is to gradually increase the strength of the penalties, so that routing nodes are given time to adapt to the new standards. This does require everyone to move along and leaves no space for cheap routing nodes with less leeway in terms of liquidity.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Therefore I am proposing another way to go about it: extend the `channel_update` field `channel_flags` with a new bit that the sender can use to signal `highly_available`. &lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; It&amp;#39;s then up to payers to decide how to interpret this flag. One way could be to prefer `highly_available` channels during pathfinding. But if the routing node then returns a failure, a much stronger than normal penalty will be applied. For routing nodes this creates an opportunity to attract more traffic by marking some channels as `highly_available`, but it also comes with the responsibility to deliver.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Without shadow channels, it is impossible to guarantee liquidity up to the channel capacity. It might make sense for senders to only assume high availability for amounts up to `htlc_maximum_msat`.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; A variation on this scheme that requires no extension of `channel_update` is to signal availability implicitly through routing fees. So the more expensive a channel is, the stronger the penalty that is applied on failure will be. It seems less ideal though, because it could disincentivize cheap but reliable channels on high traffic links.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; The effort required to implement some form of a `highly_available` flag seem limited and it may help to get payment success rates up. Interested to hear your thoughts.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Joost&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:12:39Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs09ck97hcp0gyrehtdslx35fh4n046jr4fsyva7vxpu3ly3leyqwqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpe6a93</id>
    
      <title type="html">📅 Original date posted:2023-05-20 📝 Original message: &amp;gt; ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs09ck97hcp0gyrehtdslx35fh4n046jr4fsyva7vxpu3ly3leyqwqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpe6a93" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqswlsykydfpsnlf5nsgc79lkz0ynm5jrd2qdzpstde5lmu33zct6yg5s5zf7&#39;&gt;nevent1q…5zf7&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-20&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;gt; &amp;gt; I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;&amp;gt; individual senders, since that also tells us how much use we can get&lt;br/&gt;&amp;gt; out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;&amp;gt; surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;&amp;gt; them to make an informed decision, while the edges may be more&lt;br/&gt;&amp;gt; vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;&amp;gt; impact of an attack would also be proportionally smaller.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m unclear on what you mean by “individual senders” here? In our&lt;br/&gt;&amp;gt; scheme, nodes only track local reputation for their direct peers so&lt;br/&gt;&amp;gt; what matters is their history with all HTLCs a peer has forwarded to&lt;br/&gt;&amp;gt; them (not whether they come from repeat senders).&lt;br/&gt;&lt;br/&gt;Apologies, upon rethinking this I realized I had been mixing two different&lt;br/&gt;proposals in my mind. The criticism of sender-based reputation does&lt;br/&gt;not apply if all we do is track our immediate neighbors. Sorry for the&lt;br/&gt;confusion.&lt;br/&gt;&lt;br/&gt;&amp;gt; It’s true that nodes that forward fewer HTLCs are less likely to be&lt;br/&gt;&amp;gt; able to build a good reputation with very active routing nodes. In the&lt;br/&gt;&amp;gt; regular operation of the network, this should have low to no impact on&lt;br/&gt;&amp;gt; their activity - they don’t require much from their peers anyway.&lt;br/&gt;&amp;gt; During an attack, small and low activity nodes will temporarily be in&lt;br/&gt;&amp;gt; competition for large routing nodes’ scarce liquidity and slots, but&lt;br/&gt;&amp;gt; will still be able to interact with similar nodes where they have&lt;br/&gt;&amp;gt; better chances of building a good reputation.&lt;br/&gt;&lt;br/&gt;That matches my own interpretation very well, thanks.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:08:52Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsx4k82zlcvppstdddcu26t8gjdvgt6eakhu753y049j9wat24zfvgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ww9mj5q</id>
    
      <title type="html">📅 Original date posted:2023-05-10 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsx4k82zlcvppstdddcu26t8gjdvgt6eakhu753y049j9wat24zfvgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ww9mj5q" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs9lynxry55jgqar00y5jz9r6vdt4q5nye79m74awcuddaeng7yj3gu9czxn&#39;&gt;nevent1q…czxn&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-05-10&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Antoine,&lt;br/&gt;&lt;br/&gt;this is an intrinsic issue with reputation systems, and the main&lt;br/&gt;reason I&amp;#39;m sceptical w.r.t. their usefulness in lightning.&lt;br/&gt;Fundamentally any reputation system bases their expectations for the&lt;br/&gt;future on experiences they made in the past, and they are thus always&lt;br/&gt;susceptible to sudden behavioral changes (going rogue from a prior&lt;br/&gt;clean record) and whitewashing attacks (switching identity, abusing&lt;br/&gt;any builtin bootstrapping method for new users to gain a good or&lt;br/&gt;neutral reputation before turning rogue repeatedly).&lt;br/&gt;&lt;br/&gt;This gets compounded as soon as we start gossiping about reputations,&lt;br/&gt;since now our decisions are no longer based just on information we can&lt;br/&gt;witness ourselves, or at least verify its correctness, and as such an&lt;br/&gt;attacker can most likely &amp;#34;earn&amp;#34; a positive reputation in some other&lt;br/&gt;part of the world, and then turn around and attack the nodes that&lt;br/&gt;trusted the reputation shared from those other parts.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d be very interested in how many repeat interactions nodes get from&lt;br/&gt;individual senders, since that also tells us how much use we can get&lt;br/&gt;out of local-only reputation based systems, and I wouldn&amp;#39;t be&lt;br/&gt;surprised if, for large routing nodes, we have sufficient data for&lt;br/&gt;them to make an informed decision, while the edges may be more&lt;br/&gt;vulnerable, but they&amp;#39;d also be used by way fewer senders, and the&lt;br/&gt;impact of an attack would also be proportionally smaller.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Mon, May 8, 2023 at 10:26 PM Antoine Riard &amp;lt;antoine.riard at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Hi *,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt; &amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt; &amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think the HTLC endorsement scheme as proposed is still suffering from a vulnerability as local reputation can be built up during periods of low routing fees, endorsement gained and then abused during periods of high routing fees. Therefore, it sounds to me this scheme should aim for some reputational transitivity between incoming traffic and outgoing traffic. Namely, the acquisition cost of the local reputation should be equal to the max timevalue damage that one can inflict on a routing node channel accessible from its local counterparty granting this high-level of reputation.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t know if this can be fixed by ensuring permanent link-level &amp;#34;gossip&amp;#34; where counterparties along a payment path expose their reputation heuristics to guarantee this transitivity, or it&amp;#39;s a fundamental issue with a point-to-point approach like HTLC endorsement.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Opened an issue on the repository to converge on a threat model:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/pull/13&#34;&gt;https://github.com/ClaraShk/LNJamming/pull/13&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I still think building data gathering infrastructure for Lightning is valuable as ultimately any jamming mitigation will have to adapt its upfront fees or reputation acquisition cost in function of HTLC traffic and market forces.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Looking forward to giving an update on Staking Credentials [0], an end-to-end approach to mitigate channel jamming.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Best,&lt;br/&gt;&amp;gt; Antoine&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [0] &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Le dim. 30 avr. 2023 à 03:57, Carla Kirk-Cohen &amp;lt;kirkcohenc at gmail.com&amp;gt; a écrit :&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hi list,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Some updates on channel jamming!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Next Call&lt;br/&gt;&amp;gt;&amp;gt; - Monday 01 May @ 15:00 UTC&lt;br/&gt;&amp;gt;&amp;gt; - &lt;a href=&#34;https://meet.jit.si/UnjammingLN&#34;&gt;https://meet.jit.si/UnjammingLN&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; - Agenda: &lt;a href=&#34;https://github.com/ClaraShk/LNJamming/issues/12&#34;&gt;https://github.com/ClaraShk/LNJamming/issues/12&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Data Gathering&lt;br/&gt;&amp;gt;&amp;gt; During these weekly calls, we&amp;#39;ve come to agreement that we would like&lt;br/&gt;&amp;gt;&amp;gt; to gather data about the use of HTLC endorsement and local reputation&lt;br/&gt;&amp;gt;&amp;gt; tracking for jamming mitigation. A reminder of the full scheme is&lt;br/&gt;&amp;gt;&amp;gt; included at the end of this email, and covered more verbosely in [1].&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; We have a few goals in mind:&lt;br/&gt;&amp;gt;&amp;gt; - Observe the effect of endorsement in the steady state with&lt;br/&gt;&amp;gt;&amp;gt;   logging-only implementation.&lt;br/&gt;&amp;gt;&amp;gt; - Gather real-world data for use in future simulation work.&lt;br/&gt;&amp;gt;&amp;gt; - Experiment with different algorithms for tracking local reputation.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The minimal changes required to add HTLC endorsement are outlined in [2].&lt;br/&gt;&amp;gt;&amp;gt; Our suggestion is to start simple with a binary endorsement field. As&lt;br/&gt;&amp;gt;&amp;gt; we learn more, we will be better equipped to understand whether a&lt;br/&gt;&amp;gt;&amp;gt; more expressive value is required.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; With this infrastructure in place, we can start to experiment with&lt;br/&gt;&amp;gt;&amp;gt; various local reputation schemes and data gathering, possibly even&lt;br/&gt;&amp;gt;&amp;gt; externally to LN implementations in projects like circuitbreaker [3].&lt;br/&gt;&amp;gt;&amp;gt; We&amp;#39;d be interested to hear whether there&amp;#39;s any appetite to deploy using&lt;br/&gt;&amp;gt;&amp;gt; an experimental TLV value?&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; # Reputation Scheme&lt;br/&gt;&amp;gt;&amp;gt; - Each node locally tracks the reputation of its direct neighbors.&lt;br/&gt;&amp;gt;&amp;gt; - Each node allocates, per its risk tolerance:&lt;br/&gt;&amp;gt;&amp;gt;   - A number of slots reserved for endorsed HTLCs from high reputation&lt;br/&gt;&amp;gt;&amp;gt;     peers.&lt;br/&gt;&amp;gt;&amp;gt;   - A portion of liquidity reserved for endorsed HTLCs from high&lt;br/&gt;&amp;gt;&amp;gt;     reputation peers.&lt;br/&gt;&amp;gt;&amp;gt; - Forwarding of HTLCs:&lt;br/&gt;&amp;gt;&amp;gt;   - If a HTLC is endorsed by a high reputation peer, it is forwarded&lt;br/&gt;&amp;gt;&amp;gt;     as usual with endorsed = 1.&lt;br/&gt;&amp;gt;&amp;gt;   - Otherwise, it is forwarded with endorsed = 0 if there are slots and&lt;br/&gt;&amp;gt;&amp;gt;     liquidity available for unknown HTLCs.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Endorsement and reputation are proposed as the first step in a two part&lt;br/&gt;&amp;gt;&amp;gt; scheme for mitigating channel jamming:&lt;br/&gt;&amp;gt;&amp;gt; - Reputation for slow jams which are easily detected as misbehavior.&lt;br/&gt;&amp;gt;&amp;gt; - Unconditional fees for quick jams that are difficult to detect, as&lt;br/&gt;&amp;gt;&amp;gt;   they can always fall under a target threshold.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Looking forward to discussing further in the upcoming call!&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Best,&lt;br/&gt;&amp;gt;&amp;gt; Carla and Clara&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; [1] &lt;a href=&#34;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&#34;&gt;https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [2] &lt;a href=&#34;https://github.com/lightning/bolts/pull/1071&#34;&gt;https://github.com/lightning/bolts/pull/1071&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; [3] &lt;a href=&#34;https://github.com/lightningequipment/circuitbreaker&#34;&gt;https://github.com/lightningequipment/circuitbreaker&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:08:48Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqswzrq9kqewdz3d27yyve4d9hty8prnx2rexey9enp9sm94hue4gfczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5q5fgg</id>
    
      <title type="html">📅 Original date posted:2023-02-13 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqswzrq9kqewdz3d27yyve4d9hty8prnx2rexey9enp9sm94hue4gfczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5q5fgg" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdvz2s7m8e49zqdzl09ukeem9ppds2h8gkqxxt9myngfzwhug0lrqs0yj0g&#39;&gt;nevent1q…yj0g&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2023-02-13&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Matt,&lt;br/&gt;Hi Joost,&lt;br/&gt;&lt;br/&gt;let me chime in here, since we seem to be slowly reinventing all the&lt;br/&gt;research on reputation systems that is already out there. First of all&lt;br/&gt;let me say that I am personally not a fan of reputation systems in&lt;br/&gt;general, just to get my own biases out of the way, now on to the why :-)&lt;br/&gt;&lt;br/&gt;Reputation systems are great when they work, but they are horrible to&lt;br/&gt;get right, and certainly the patchworky approach we see being proposed&lt;br/&gt;today will end up with a system that is easy to exploit and hard to&lt;br/&gt;understand. The last time I encountered this kind of scenario was during&lt;br/&gt;my work on Bittorrent, where the often theorized tit-for-tat approach&lt;br/&gt;failed spectacularly, and leeching (i.e., not contributing to other&lt;br/&gt;people&amp;#39;s download) is rampant even today (BT only works because a few&lt;br/&gt;don&amp;#39;t care about their upload bandwidth).&lt;br/&gt;&lt;br/&gt;First of all let&amp;#39;s see what types of reputation system exist (and yes,&lt;br/&gt;this is my very informal categorization):&lt;br/&gt;&lt;br/&gt; - First hand experience&lt;br/&gt; - Inferred experience&lt;br/&gt; - Hearsay&lt;br/&gt;&lt;br/&gt;The first two are likely the setup we all are comfortable with: we ourselves&lt;br/&gt;experienced something, and make some decisions based on that&lt;br/&gt;experience. This is probably what we&amp;#39;re all doing at the moment: we&lt;br/&gt;attempt a payment, it fails, we back off for a bit from that channel&lt;br/&gt;being used again. This requires either being able to witness the issue&lt;br/&gt;directly (local peer) or infer from unforgeable error messages (the&lt;br/&gt;failing node returns an error, and it can&amp;#39;t point the finger at someone&lt;br/&gt;else). Notice that this also includes some transitive constructions,&lt;br/&gt;such as the backpressure mechanism we were discussing for ariard&amp;#39;s&lt;br/&gt;credentials proposal.&lt;br/&gt;&lt;br/&gt;Ideally we&amp;#39;d only rely on the first two to make decisions, but here&amp;#39;s&lt;br/&gt;exactly the issue we ran into with Bittorrent: repeat interactions are&lt;br/&gt;too rare. In addition, our local knowledge gets out of date the longer&lt;br/&gt;we wait, and a previously failing channel may now be good again, and&lt;br/&gt;vice-versa. For us to have sufficient knowledge to make good decisions&lt;br/&gt;we need to repeatedly interact with the same nodes in the network, and&lt;br/&gt;since end-users will be very unlikely to do that, we might end up in a&lt;br/&gt;situation were we instinctively fall back to the hearsay method, either&lt;br/&gt;by sharing our local reputation with peers and then somehow combine that&lt;br/&gt;with our own view. To the best of my knowledge such a system has never&lt;br/&gt;been built successfully, and all attempts have ended in a system that&lt;br/&gt;was either way too simple or is gameable by rational players.&lt;br/&gt;&lt;br/&gt;I also object to the wording of penalizing nodes that haven&amp;#39;t been as&lt;br/&gt;reliable in the past. It&amp;#39;s not penalizing them if, based on our local&lt;br/&gt;information, we decide to route over other nodes for a bit. Our goal is&lt;br/&gt;optimize the payment process, chosing the best possible routes, not&lt;br/&gt;making a judgement on the honesty or reliability of a node. When talking&lt;br/&gt;about penalizing we see node operators starting to play stupid games to&lt;br/&gt;avoid that perceived penalty, when in reality they should do their best&lt;br/&gt;to route as many payments successfully as possible (the negative fees&lt;br/&gt;for direct peers &amp;#34;exhausting&amp;#34; a balanced flow is one such example of&lt;br/&gt;premature optimization in that direction imho).&lt;br/&gt;&lt;br/&gt;So I guess what I&amp;#39;m saying is that we need to get away from this&lt;br/&gt;patchwork mode of building the protocol, and have a much clearer model&lt;br/&gt;for a) what we want to achieve, b) how much untrustworthy information we&lt;br/&gt;want to rely on, and c) how we protect (and possibly prove security)&lt;br/&gt;against manipulation by rational players. For the last question we at&lt;br/&gt;least have one nice feature (for now), namely that the identities are&lt;br/&gt;semi-permanent, and so white-washing attacks at least are not free.&lt;br/&gt;&lt;br/&gt;And after all this rambling, let&amp;#39;s get back to the topic at hand: I&lt;br/&gt;don&amp;#39;t think enshrining the differences of availability in the protocol,&lt;br/&gt;thus creating two classes of nodes, is a desirable&lt;br/&gt;feature. Communicating up-front that I intend to be reliable does&lt;br/&gt;nothing, and penalizing after the fact isn&amp;#39;t worth much due to the&lt;br/&gt;repeat interactions issue. It&amp;#39;d be even worse if now we had to rely on a&lt;br/&gt;third party to aggregate and track the reliability, in order to get&lt;br/&gt;enough repeat interactions to build a good model of their liquidity,&lt;br/&gt;since we&amp;#39;re now back in the hearsay world, and the third party can feed&lt;br/&gt;us wrong information to maximize their profits.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Matt Corallo &amp;lt;lf-lists at mattcorallo.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi Joost,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m not sure I agree that lightning is “capital efficient” (or even close to it), but more generally I don’t see why this needs a signal.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If nodes start aggressively preferring routes through nodes that reliably route payments (which I believe lnd already does, in effect, to some large extent), they should do so by measurement, not signaling.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In practice, many channels on the network are “high availability” today, but only in one direction (I.e. they aren’t regularly spliced/rebalanced and are regularly unbalanced). A node strongly preferring a high payment success rate *should* prefer such a channel, but in your scheme would not.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This ignores the myriad of “at what threshold do you signal HA” issues, which likely make such a signal DOA, anyway.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Finally, I’m very dismayed at this direction in thinking on how ln should work - nodes should be measuring the network and routing over paths that it thinks are reliable for what it wants, *robustly over an unreliable network*. We should absolutely not be expecting the lightning network to be built out of high reliability nodes, that creates strong centralization pressure. To truly meet a “high availability” threshold, realistically, you’d need to be able to JIT 0conf splice-in, which would drive lightning to actually being a credit network.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; With reasonable volume, lightning today is very reliable and relatively fast, with few retries required. I don’t think we need to change anything to fix it. :)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Matt&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; On Feb 13, 2023, at 06:46, Joost Jager &amp;lt;joost.jager at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; ﻿&lt;br/&gt;&amp;gt;&amp;gt; Hi,&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; For a long time I&amp;#39;ve held the expectation that eventually payers on the lightning network will become very strict about node performance. That they will require a routing node to operate flawlessly or else apply a hefty penalty such as completely avoiding the node for an extended period of time - multiple weeks. The consequence of this is that routing nodes would need to manage their liquidity meticulously because every failure potentially has a large impact on future routing revenue.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; I think movement in this direction is important to guarantee competitiveness with centralised payment systems and their (at least theoretical) ability to process a payment in the blink of an eye. A lightning wallet trying multiple paths to find one that works doesn&amp;#39;t help with this.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; A common argument against strict penalisation is that it would lead to less efficient use of capital. Routing nodes would need to maintain pools of liquidity to guarantee successes all the time. My opinion on this is that lightning is already enormously capital efficient at scale and that it is worth sacrificing a slight part of that efficiency to also achieve the lowest possible latency.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; This brings me to the actual subject of this post. Assuming strict penalisation is good, it may still not be ideal to flip the switch from one day to the other. Routing nodes may not offer the required level of service yet, causing senders to end up with no nodes to choose from.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; One option is to gradually increase the strength of the penalties, so that routing nodes are given time to adapt to the new standards. This does require everyone to move along and leaves no space for cheap routing nodes with less leeway in terms of liquidity.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Therefore I am proposing another way to go about it: extend the `channel_update` field `channel_flags` with a new bit that the sender can use to signal `highly_available`. &lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; It&amp;#39;s then up to payers to decide how to interpret this flag. One way could be to prefer `highly_available` channels during pathfinding. But if the routing node then returns a failure, a much stronger than normal penalty will be applied. For routing nodes this creates an opportunity to attract more traffic by marking some channels as `highly_available`, but it also comes with the responsibility to deliver.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Without shadow channels, it is impossible to guarantee liquidity up to the channel capacity. It might make sense for senders to only assume high availability for amounts up to `htlc_maximum_msat`.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; A variation on this scheme that requires no extension of `channel_update` is to signal availability implicitly through routing fees. So the more expensive a channel is, the stronger the penalty that is applied on failure will be. It seems less ideal though, because it could disincentivize cheap but reliable channels on high traffic links.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; The effort required to implement some form of a `highly_available` flag seem limited and it may help to get payment success rates up. Interested to hear your thoughts.&lt;br/&gt;&amp;gt;&amp;gt; &lt;br/&gt;&amp;gt;&amp;gt; Joost&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:08:04Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsrh3myk7d0k09l56cegpu76qlujx7tntwcehrvtxfwpsr6ya28hsqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9weq6d5k</id>
    
      <title type="html">📅 Original date posted:2022-06-30 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsrh3myk7d0k09l56cegpu76qlujx7tntwcehrvtxfwpsr6ya28hsqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9weq6d5k" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsps3lqkqytp643qdyv0qwmpzu0rfcn7ykjpmysr3xz7h3geh47gngced4mu&#39;&gt;nevent1q…d4mu&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2022-06-30&lt;br/&gt;📝 Original message:&lt;br/&gt;Thanks Bastien for writing up the proposal, it is simple but effective I&lt;br/&gt;think.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; One issue I see w/ the first category is that a single party can flood the&lt;br/&gt;&amp;gt;&amp;gt; network and cause nodes to trigger their rate limits, which then affects&lt;br/&gt;&amp;gt;&amp;gt; the&lt;br/&gt;&amp;gt;&amp;gt; usability of the onion messages for all other well-behaving parties.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But that&amp;#39;s exactly what this proposal addresses? That single party can&lt;br/&gt;&amp;gt; only flood for a very small amount of time before being rate-limited for&lt;br/&gt;&amp;gt; a while, so it cannot disrupt other parties that much (to be properly&lt;br/&gt;&amp;gt; quantified by research, but it seems quite intuitive).&lt;br/&gt;&lt;br/&gt;Indeed, it creates a tiny bubble (1-2 hops) in which an attacker can&lt;br/&gt;indeed trigger the rate-limiter, but beyond which its messages simply&lt;br/&gt;get dropped. In this respect it is very similar to the staggered&lt;br/&gt;gossip, in which a node may send updates at an arbitrary rate, but since&lt;br/&gt;each node will locally buffer these changes and aggregate them, the&lt;br/&gt;effective rate that is forwarded/broadcast is such that it doesn&amp;#39;t&lt;br/&gt;overwhelm the network (parametrization and network size apart ^^).&lt;br/&gt;&lt;br/&gt;This is also an argument for not allowing onion messages over&lt;br/&gt;non-channel connections, since otherwise an attacker could arbitrarily&lt;br/&gt;extend their bubble to encompass every channel in the network, and can&lt;br/&gt;sybil its way to covering the entire network (depending on rate limiter,&lt;br/&gt;and their parameters and timing the attacker bubble may extend to more&lt;br/&gt;than a single hop).&lt;br/&gt;&lt;br/&gt;Going back a step it is also questionable whether non-channel OM&lt;br/&gt;forwarding is usable at all, since nodes usually do not know about the&lt;br/&gt;existence of these connections at all (not gossiped). I&amp;#39;d therefore not&lt;br/&gt;allow non-channel forwarding at all, with the small exception of some&lt;br/&gt;local applications, where local knowledge is required, but in that case&lt;br/&gt;the OM should signal this clearly to the forwarding node as well or rely&lt;br/&gt;on direct messaging with the peer (pre-channel negotiation, etc).&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; W.r.t this topic, one event that imo is worth pointing out is that a very&lt;br/&gt;&amp;gt;&amp;gt; popular onion routing system, Tor, has been facing a severe DDoS attack&lt;br/&gt;&amp;gt;&amp;gt; that&lt;br/&gt;&amp;gt;&amp;gt; has lasted weeks, and isn&amp;#39;t yet fully resolved [2].&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t think we can compare lightning to Tor, the only common design&lt;br/&gt;&amp;gt; is that there is onion encryption, but the networking parts are very&lt;br/&gt;&amp;gt; different (and the attack vectors on Tor are mostly on components that&lt;br/&gt;&amp;gt; don&amp;#39;t exist in lightning).&lt;br/&gt;&lt;br/&gt;Indeed, a major difference if we insist on there being a channel is that&lt;br/&gt;it is no longer easy to sybil the network, and there are no ways to just&lt;br/&gt;connect to a node and send it data (which is pretty much the Tor circuit&lt;br/&gt;construction). So we can rely on the topology of the network to keep an&lt;br/&gt;attacker constrained in its local region of the network, and extending&lt;br/&gt;the attacker&amp;#39;s reach would require opening channel, i.e., wouldn&amp;#39;t be&lt;br/&gt;free.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:06:28Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsqu8pqezqw5vpu32kh6smakjct47wjuefft6atcamqeqhtatde5jszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxs73h4</id>
    
      <title type="html">📅 Original date posted:2022-06-29 📝 Original message: Matt ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsqu8pqezqw5vpu32kh6smakjct47wjuefft6atcamqeqhtatde5jszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxs73h4" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2x42ccrkdkxncwgh3hy373g2d5nkg7enrztcdnyy62fx7ywvh6wqsjgl5g&#39;&gt;nevent1q…gl5g&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2022-06-29&lt;br/&gt;📝 Original message:&lt;br/&gt;Matt Corallo &amp;lt;lf-lists at mattcorallo.com&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; On 6/28/22 9:05 AM, Christian Decker wrote:&lt;br/&gt;&amp;gt;&amp;gt; It is worth mentioning here that the LN protocol is generally not very&lt;br/&gt;&amp;gt;&amp;gt; latency sensitive, and from my experience can easily handle very slow&lt;br/&gt;&amp;gt;&amp;gt; signers (3-5 seconds delay) without causing too many issues, aside from&lt;br/&gt;&amp;gt;&amp;gt; slower forwards in case we are talking about a routing node. I&amp;#39;d expect&lt;br/&gt;&amp;gt;&amp;gt; routing node signers to be well below the 1 second mark, even when&lt;br/&gt;&amp;gt;&amp;gt; implementing more complex signer logic, including MuSig2 or nested&lt;br/&gt;&amp;gt;&amp;gt; FROST.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In general, and especially for &amp;#34;edge nodes&amp;#34;, yes, but if forwarding nodes start taking a full second &lt;br/&gt;&amp;gt; to forward a payment, we probably need to start aggressively avoiding any such nodes - while I&amp;#39;d &lt;br/&gt;&amp;gt; love for all forwarding nodes to take 30 seconds to forward to improve privacy, users ideally expect &lt;br/&gt;&amp;gt; payments to complete in 100ms, with multiple payment retries in between.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This obviously probably isn&amp;#39;t ever going to happen in lightning, but getting 95th percentile &lt;br/&gt;&amp;gt; payments down to one second is probably a good goal, something that requires never having to retry &lt;br/&gt;&amp;gt; payments and also having forwarding nodes not take more than, say, 150ms.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Of course I don&amp;#39;t think we should ever introduce a timeout on the peer level - if your peer went &lt;br/&gt;&amp;gt; away for a second and isn&amp;#39;t responding quickly to channel updates it doesn&amp;#39;t merit closing a &lt;br/&gt;&amp;gt; channel, but its something we will eventually want to handle in route selection if it becomes more &lt;br/&gt;&amp;gt; of an issue going forward.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Matt&lt;br/&gt;&lt;br/&gt;Absolutely agreed, and I wasn&amp;#39;t trying to say that latency is not a&lt;br/&gt;concern, I was merely pointing out that the protocol as is, is very&lt;br/&gt;latency-tolerant. That doesn&amp;#39;t mean that routers shouldn&amp;#39;t strive to be&lt;br/&gt;as fast as possible, but I think the MuSig schemes, executed over local&lt;br/&gt;links, is unlikely to be problematic when considering overall network&lt;br/&gt;latency that we have anyway.&lt;br/&gt;&lt;br/&gt;For edge nodes it&amp;#39;s rather nice to have relaxed timings, given that they&lt;br/&gt;might be on slow or flaky connections, but routers are a completely&lt;br/&gt;different category.&lt;br/&gt;&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:06:16Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsg8ndg7hzh2nkxmkl8p4h74h45x9wv5pkgvjwa5sqt66p7dkdpl6gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wky39n5</id>
    
      <title type="html">📅 Original date posted:2022-06-28 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsg8ndg7hzh2nkxmkl8p4h74h45x9wv5pkgvjwa5sqt66p7dkdpl6gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wky39n5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspx9vna264h5p4jakgm94s98vwvgr4hntae0qdjxnmspnjn04egvshauzvy&#39;&gt;nevent1q…uzvy&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2022-06-28&lt;br/&gt;📝 Original message:&lt;br/&gt;Olaoluwa Osuntokun &amp;lt;laolu32 at gmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; Rene Pickhardt brought up the issue of latency with regards to&lt;br/&gt;&amp;gt;&amp;gt; nested/recursive MuSig2 (or nested FROST for threshold) on Bitcoin&lt;br/&gt;&amp;gt;&amp;gt; StackExchange&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Not explicitly, but that strikes me as more of an implementation level&lt;br/&gt;&amp;gt; concern. As an example, today more nodes are starting to use replicated&lt;br/&gt;&amp;gt; database backends instead of a local ed embedded database. Using such a&lt;br/&gt;&amp;gt; database means that _network latency_ is now also a factor, as committing&lt;br/&gt;&amp;gt; new states requires round trips between the DBMS that&amp;#39;ll increase the&lt;br/&gt;&amp;gt; perceived latency of payments in practice. The benefit ofc is better support&lt;br/&gt;&amp;gt; for backups/replication.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think in the multi-signature setting for LN, system designers will also&lt;br/&gt;&amp;gt; need to factor in the added latency due to adding more signers into the mix.&lt;br/&gt;&amp;gt; Also any system that starts to break up the logical portions of a node&lt;br/&gt;&amp;gt; (signing, hosting, etc -- like Blockstream&amp;#39;s Greenlight project), will need&lt;br/&gt;&amp;gt; to wrangle with this as well (such is the nature of distributed systems).&lt;br/&gt;&lt;br/&gt;It is worth mentioning here that the LN protocol is generally not very&lt;br/&gt;latency sensitive, and from my experience can easily handle very slow&lt;br/&gt;signers (3-5 seconds delay) without causing too many issues, aside from&lt;br/&gt;slower forwards in case we are talking about a routing node. I&amp;#39;d expect&lt;br/&gt;routing node signers to be well below the 1 second mark, even when&lt;br/&gt;implementing more complex signer logic, including MuSig2 or nested&lt;br/&gt;FROST.&lt;br/&gt;&lt;br/&gt;In particular remember that the LN protocol implements a batch&lt;br/&gt;mechanism, with changes applied to the commitment transaction as a&lt;br/&gt;batch. Not every change requires a commitment and thus a signature. This&lt;br/&gt;means that while a slow signer may have an impact on payment latency, it&lt;br/&gt;should generally not have an impact on throughput on the routing nodes.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:06:15Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqszwu290kjvdqd0xmw0zqfx5awf8xl8zk4mp6lec66jenpgp7g59rgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfajrnf</id>
    
      <title type="html">📅 Original date posted:2022-01-19 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqszwu290kjvdqd0xmw0zqfx5awf8xl8zk4mp6lec66jenpgp7g59rgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfajrnf" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs946aypd30tm4jp4kkthks6qvfjpp0pstet0jhydrqn9wwtfcpras56mjh6&#39;&gt;nevent1q…mjh6&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2022-01-19&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Will,&lt;br/&gt;&lt;br/&gt;&amp;gt; I noticed you are doing RPC stuff... I&amp;#39;m looking to do RPC over&lt;br/&gt;&amp;gt; lightning itself. I started a C library called lnsocket[1], scrounged&lt;br/&gt;&amp;gt; from clightning parts, so that I can send messages from iOS to control&lt;br/&gt;&amp;gt; my lightning node.&lt;br/&gt;&lt;br/&gt;Sounds interesting, and similar to commando&amp;#39;s goals. Rusty also has a&lt;br/&gt;summer of bitcoin project attempting to expose a websocket directly to&lt;br/&gt;browsers in order to provide another way to communicate with your node,&lt;br/&gt;and of course there&amp;#39;s commando.&lt;br/&gt;&lt;br/&gt;&amp;gt; I&amp;#39;ve got to the point with lnsocket where I can send TLVs to my node,&lt;br/&gt;&amp;gt; and now I&amp;#39;m starting to think about what format the RPC commands should&lt;br/&gt;&amp;gt; be.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I noticed the commando c-lightning plugin just uses the JSON-RPC&lt;br/&gt;&amp;gt; payload, but perhaps something more compact and rpc-friendly like grpc&lt;br/&gt;&amp;gt; would be better... which is why this cln-grpc PR peaked my curiosity.&lt;br/&gt;&lt;br/&gt;Yep, JSON-RPC is rather bad with binary data, and doesn&amp;#39;t have any&lt;br/&gt;concept of streaming. I personally like grpc because it ticks a lot of&lt;br/&gt;boxes: secure transport over TLS, mutual authentication via mTLS,&lt;br/&gt;possibility to add metadata to calls (technically prohibited by the&lt;br/&gt;JSON-RPC spec) which can help us use macaroons/runes in future,&lt;br/&gt;streaming support and compact binary format.&lt;br/&gt;&lt;br/&gt;Having an IDL to describe the interface is also rather nice, even though&lt;br/&gt;for cln-grpc we actually generate that from the JSON-RPC schemas, so&lt;br/&gt;it&amp;#39;s a bit less expressive than .proto files.&lt;br/&gt;&lt;br/&gt;&amp;gt; I think the end goal of an RPC bolt would be super powerful, so that&lt;br/&gt;&amp;gt; lnsocket could talk to any lightning node, but that could be further&lt;br/&gt;&amp;gt; down the line. Choosing the right data format seemed like an important&lt;br/&gt;&amp;gt; step in that direction. Would love to hear your thoughts on this!&lt;br/&gt;&lt;br/&gt;I agree. Exchanging the transport layer underneath grpc doesn&amp;#39;t change&lt;br/&gt;semantics, but does unlock a number of potential use-cases. I think&lt;br/&gt;either the JSON-RPC or grpc can serve as a basis for a common RPC&lt;br/&gt;definition that can have any number of bindings, since we generate&lt;br/&gt;conversion code to/from JSON-RPC and grpc we can transparently map them&lt;br/&gt;back and forth.&lt;br/&gt;&lt;br/&gt;&amp;gt; I&amp;#39;ve cc&amp;#39;d clightning/lightning-dev as well to see if anyone else is&lt;br/&gt;&amp;gt; working on this or thinking about this stuff right now.&lt;br/&gt;&lt;br/&gt;Definitely open to suggestions, comments and criticism: the cln-grpc [1]&lt;br/&gt;crate is rather new, and will see a number of rebases and fixups, but&lt;br/&gt;should be reviewable as is. The cln-plugin [2] crate is a bit less&lt;br/&gt;well-fleshed-out, but has the core functionality needed for&lt;br/&gt;cln-grpc-plugin which was the goal of this first exploration. The&lt;br/&gt;cln-rpc [4] crate is also missing many RPC commands, but that&amp;#39;s just&lt;br/&gt;grunt work that I plan to tackle separately :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/5011&#34;&gt;https://github.com/ElementsProject/lightning/pull/5011&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/5012&#34;&gt;https://github.com/ElementsProject/lightning/pull/5012&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/5013&#34;&gt;https://github.com/ElementsProject/lightning/pull/5013&lt;/a&gt;&lt;br/&gt;[4] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/5010&#34;&gt;https://github.com/ElementsProject/lightning/pull/5010&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:05:03Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs99w0jy2t0fn6a2uv6s2hs4ttv8jtmp8f0ywqytu3dqk93j3mh5pczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrw04r6</id>
    
      <title type="html">📅 Original date posted:2021-12-17 📝 Original message: I was ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs99w0jy2t0fn6a2uv6s2hs4ttv8jtmp8f0ywqytu3dqk93j3mh5pczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrw04r6" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqst2qgy4hhycyjrewxwuc3j3nq5rs92qfdmpawhhz528qd23lyv9xcnvyykq&#39;&gt;nevent1q…yykq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-12-17&lt;br/&gt;📝 Original message:&lt;br/&gt;I was looking into the docs [1] and stumbled over `createinvoice` which&lt;br/&gt;does almost what you need. However it requires the preimage, and stores the&lt;br/&gt;invoice in the database which you don&amp;#39;t want.&lt;br/&gt;&lt;br/&gt;However if you have access to the `hsm_secret` you could sign in the plugin&lt;br/&gt;itself, completely sidestepping `lightningd`. Once you have that it should&lt;br/&gt;be a couple of days work to get a PoC plugin for the coordination and&lt;br/&gt;testing. From there it depends on how much polish you want to apply and&lt;br/&gt;what other systems you want to embed it into.&lt;br/&gt;&lt;br/&gt;Each recipient will have to run the plugin otherwise they&amp;#39;d not understand&lt;br/&gt;how to handle the payment, and creating an invoice requires a bit more work&lt;br/&gt;(each payee needs to coordinate to be part of the Rendez-vous), but from&lt;br/&gt;the senders point of view it&amp;#39;s all seamless.&lt;br/&gt;&lt;br/&gt;As for whether this is better suited for the protocol itself: could be,&lt;br/&gt;probably not though. We let everybody experiment and then formalize and&lt;br/&gt;standardize the best ideas from the community, so it may make its way into&lt;br/&gt;the spec, but would need to be implemented, tested and popular enough to&lt;br/&gt;warrant everybody having to implement yet another feature. In this case&lt;br/&gt;it&amp;#39;s more for a bLiP, which are less formal and better match the fact that&lt;br/&gt;only a small part of the network needs to implement it (only payees need to&lt;br/&gt;coordinate and forward, senders and everybody else doesn&amp;#39;t care).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://lightning.readthedocs.io/lightning-createinvoice.7.html&#34;&gt;https://lightning.readthedocs.io/lightning-createinvoice.7.html&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;On Fri, 17 Dec 2021, 11:22 Ronan McGovern, &amp;lt;Ronan at trelis.com&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Hi ZmnSCPxj,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So, are you saying there needs to be a new command &amp;#34;signfakeinvoice&amp;#34; at&lt;br/&gt;&amp;gt; the protocol level?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If that was there, how much work/hours would it be to build the poor man&amp;#39;s&lt;br/&gt;&amp;gt; rendez-vous at the application level?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If the above were to be implemented, when the payer pays the invoice, it&amp;#39;s&lt;br/&gt;&amp;gt; then automatically split and sent to two (or more) recipients?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Lastly, would it make more sense to have split payments at the protocol&lt;br/&gt;&amp;gt; level?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thanks, Ronan&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Thu, Dec 16, 2021 at 11:44 PM ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Good morning William,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Has anyone coded up a &amp;#39;Poor man&amp;#39;s rendez-vous&amp;#39; demo yet? How hard would&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; it be, could it be done with a clightning plugin perhaps?&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Probably not *yet*; it needs each intermediate payee (i.e. the one that&lt;br/&gt;&amp;gt;&amp;gt; is not the last one) to sign an invoice for which it does not know the&lt;br/&gt;&amp;gt;&amp;gt; preimage.&lt;br/&gt;&amp;gt;&amp;gt; Maybe call such a command `signfakeinvoice`.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; However, if a command to do the above is implemented (it would have to&lt;br/&gt;&amp;gt;&amp;gt; generate and sign the invoice, but not insert it into the database at all),&lt;br/&gt;&amp;gt;&amp;gt; then intermediate payees can use `htlc_accepted` hook for the &amp;#34;rendez-vous&amp;#34;.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; So to generate the invoice:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; * Arrange the payees in some agreed fixed order.&lt;br/&gt;&amp;gt;&amp;gt; * Last payee generates a normal invoice.&lt;br/&gt;&amp;gt;&amp;gt; * From last payee to second, each one:&lt;br/&gt;&amp;gt;&amp;gt;   * Passes its invoice to the previous payee.&lt;br/&gt;&amp;gt;&amp;gt;   * The previous payee then creates its own signed invoice with&lt;br/&gt;&amp;gt;&amp;gt; `signfakeinvoice` to itself, adding its payout plus a fee budget, as well&lt;br/&gt;&amp;gt;&amp;gt; as adding its own delay budget.&lt;br/&gt;&amp;gt;&amp;gt;   * The previous payee plugin stores the next-payee invoice and the&lt;br/&gt;&amp;gt;&amp;gt; details of its own invoice to db, such as by `datastore` command.&lt;br/&gt;&amp;gt;&amp;gt; * The first payee sends the sender the invoice.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; On payment:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; * The sender sends the payment to the first hop.&lt;br/&gt;&amp;gt;&amp;gt; * From first payee to second-to-last:&lt;br/&gt;&amp;gt;&amp;gt;   * Triggers `htlc_accepted` hook, and plugin checks if the incoming&lt;br/&gt;&amp;gt;&amp;gt; payment has a hash that is in this scheme stored in the database.&lt;br/&gt;&amp;gt;&amp;gt;   * The plugin gathers `htlc_accepted` hook invocations until they sum up&lt;br/&gt;&amp;gt;&amp;gt; to the expected amount (this handles multipath between payees).&lt;br/&gt;&amp;gt;&amp;gt;   * The plugin marks that it has gathered all `htlc_accepted` hooks for&lt;br/&gt;&amp;gt;&amp;gt; that hash in durable storage a.k.a. `datastore` (this handles a race&lt;br/&gt;&amp;gt;&amp;gt; condition where the plugin is able to respond to some `htlc_accepted`&lt;br/&gt;&amp;gt;&amp;gt; hooks, but the node is restarted before all of them were able to be&lt;br/&gt;&amp;gt;&amp;gt; recorded by C-Lightning in its own database --- this makes the plugin skip&lt;br/&gt;&amp;gt;&amp;gt; the &amp;#34;gathering&amp;#34; step above, once it has already gathered them all before).&lt;br/&gt;&amp;gt;&amp;gt;   * The plugin checks if there is already an outgoing payment for that&lt;br/&gt;&amp;gt;&amp;gt; hash (this handles the case where our node gets restarted in the meantime&lt;br/&gt;&amp;gt;&amp;gt; --- C-Lightning will reissue `htlc_accepted` on startup)&lt;br/&gt;&amp;gt;&amp;gt;     * If the outgoing payment exists and is pending, wait for it to&lt;br/&gt;&amp;gt;&amp;gt; resolve to either success or failure.&lt;br/&gt;&amp;gt;&amp;gt;     * If the outgoing payment exists and succeeded, resolve all the&lt;br/&gt;&amp;gt;&amp;gt; gathered `htlc_accepted` hooks.&lt;br/&gt;&amp;gt;&amp;gt;     * If the outgoing payment exists and failed, fail all the gathered&lt;br/&gt;&amp;gt;&amp;gt; `htlc_accepted` hooks.&lt;br/&gt;&amp;gt;&amp;gt;     * Otherwise, perform a `pay`, giving `maxfeepercent` and `maxdelay`&lt;br/&gt;&amp;gt;&amp;gt; based on its fee budget and delay budget.&lt;br/&gt;&amp;gt;&amp;gt;       When the `pay` succeeds or fails, propagate it to the gathered&lt;br/&gt;&amp;gt;&amp;gt; `htlc_accepted` hooks.&lt;br/&gt;&amp;gt;&amp;gt; * The last payee just receives a normal payment using the normal&lt;br/&gt;&amp;gt;&amp;gt; invoice-receive scheme.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20211217/ad84b53b/attachment-0001.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20211217/ad84b53b/attachment-0001.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T13:04:51Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs2tkd5k50ltj6kevxmmrsc8a8ar4xecv4y0df0kak57f564txkfkqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wefkfm6</id>
    
      <title type="html">📅 Original date posted:2021-12-16 📝 Original message: This ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs2tkd5k50ltj6kevxmmrsc8a8ar4xecv4y0df0kak57f564txkfkqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wefkfm6" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs0gtrqw53rp43pjxewwp42kspqdantv2v0j4fa7y0zafcpvutdxmsj8pfau&#39;&gt;nevent1q…pfau&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-12-16&lt;br/&gt;📝 Original message:&lt;br/&gt;This is quite a common request, and we&amp;#39;ve used a solution I like to call&lt;br/&gt;the &amp;#34;Poor man&amp;#39;s rendez-vous&amp;#34;. It basically routes a payment through all&lt;br/&gt;the parties that are to be paid, with the last one accepting the payment&lt;br/&gt;for all participants.&lt;br/&gt;&lt;br/&gt;The payment is atomic, once the circuit is set up no participant can&lt;br/&gt;cheat the others and it&amp;#39;s seamless from the payer&amp;#39;s perspective.&lt;br/&gt;&lt;br/&gt;Let&amp;#39;s say user `A` wants to pay `B` and `C` atomically. `B` gets 10ksat&lt;br/&gt;and `C` gets 90ksat out of a total of 100ksat:&lt;br/&gt;&lt;br/&gt; 1) `C` creates an invoice with payment hash `H` for 90ksat and sends it&lt;br/&gt;    to `B`&lt;br/&gt; 2) `B` creates an invoice with payment hash `H` (same as the first&lt;br/&gt;    invoice, but `B` doesn&amp;#39;t know the preimage) for 100ksat (maybe plus&lt;br/&gt;    a tiny bit for routing fees between `B` and `C`).&lt;br/&gt; 3) `A` receives an invoice which appears to be from `B` for the&lt;br/&gt;    expected total of 100ksat.&lt;br/&gt; 4) `A` proceeds to pay the invoice to `B` like normal&lt;br/&gt; 5) `B` receives the incoming payment, but doesn&amp;#39;t have the preimage for&lt;br/&gt;    `H`, so they must forward to `C` if they want to receive their&lt;br/&gt;    share. `B` then proceeds to pay the 90ksat invoice from `C`, which&lt;br/&gt;    reveals the preimage to them, and they can turn around and claim&lt;br/&gt;    the incoming `100ksat` (covering both `B` and `C` share)&lt;br/&gt;&lt;br/&gt;It&amp;#39;s a poor man&amp;#39;s version because it requires creating two invoices and&lt;br/&gt;`B` sees two payments (100ksat incoming, 90ksat outgoing), but the&lt;br/&gt;overall outcome is the desired one: either both parties get paid or&lt;br/&gt;noone gets paid. This can trivially be extended to any number of parties&lt;br/&gt;(with reduced success probability), and will remain atomic. It also&lt;br/&gt;doesn&amp;#39;t require any changes on the sender side, and only minimal setup&lt;br/&gt;between the payees. The crux here is that we somehow need to ensure `H`&lt;br/&gt;is always the same along the entire chain of payments, but with a good&lt;br/&gt;coordination protocol that should be feasible.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Ronan McGovern &amp;lt;Ronan at trelis.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi folks, I&amp;#39;m Ronan - based in Dublin and building Trelis.com (simple&lt;br/&gt;&amp;gt; payment links to accept Lightning).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I&amp;#39;m wondering if there is a way to create an invoice that splits the&lt;br/&gt;&amp;gt; payment to two lightning addresses?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If not, what would be required to develop this?&lt;br/&gt;&amp;gt; * A protocol change?&lt;br/&gt;&amp;gt; * Could it be built with the current protocol (I see an app on LN Bits to&lt;br/&gt;&amp;gt; split but it doesn&amp;#39;t seem to work).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Many thanks, Ronan&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Ronan McGovern&lt;br/&gt;&amp;gt; www.Trelis.com&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:04:50Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsdzs8338yey0kd8nr444zykmcs3maz69045e0sjgn88eqw9q2525qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wuf540v</id>
    
      <title type="html">📅 Original date posted:2021-11-23 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsdzs8338yey0kd8nr444zykmcs3maz69045e0sjgn88eqw9q2525qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wuf540v" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsd75hmhw0fdjx329mkjvltdnu7f26u2wlc4gctsv94k9mnvj2g3aglx39lp&#39;&gt;nevent1q…39lp&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-11-23&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt; Are you proposing as well to provide the hardware and Internet&lt;br/&gt;&amp;gt; connection for these boxes?&lt;br/&gt;&lt;br/&gt;Having implemented and operated the lightning integration testing&lt;br/&gt;framework [1,2] in the past this is something near and dear to my&lt;br/&gt;heart. However I have since become convinced that this kind of&lt;br/&gt;artificial setup is unlikely to catch any but the most egregious issues,&lt;br/&gt;given their different usage pattern. Much like the bitcoin testnet is&lt;br/&gt;not representative of what happens on the mainnet, I don&amp;#39;t think a&lt;br/&gt;separate network would be able to reproduce all the issues that occur on&lt;br/&gt;the lightning mainnet.&lt;br/&gt;&lt;br/&gt;I agree with ZmnSCPxj that testing on the mainnet is much more likely to&lt;br/&gt;catch more involved issues, and therefore a solid process with release&lt;br/&gt;candidates and nightly builds, in combination with lnprototest [3] to test&lt;br/&gt;the nodes for spec adherence in isolation is the way to go.&lt;br/&gt;&lt;br/&gt;&amp;gt; I know of one person at least who runs a node that tracks the&lt;br/&gt;&amp;gt; C-Lightning master (I think they do a nightly build?), and I run a&lt;br/&gt;&amp;gt; node that I update every release of C-Lightning (and runs CLBOSS as&lt;br/&gt;&amp;gt; well).  I do not know the actual implementations of what they connect&lt;br/&gt;&amp;gt; to, but LND is very popular on the network and LNBIG is known to be an&lt;br/&gt;&amp;gt; LND shop, and LNBIG is so pervasive that nearly every long-lived&lt;br/&gt;&amp;gt; forwarding node has at least one channel with *some* LNBIG node.  I&lt;br/&gt;&amp;gt; consider this &amp;#34;good enough&amp;#34; in practice to catch interop bugs, but&lt;br/&gt;&amp;gt; some interop bugs are deeper than just direct node-to-node&lt;br/&gt;&amp;gt; communications.  For example, we had bugs in our interop with LND&lt;br/&gt;&amp;gt; `keysend` before, by my memory.&lt;br/&gt;&lt;br/&gt;We should differentiate between spec compliance, and compatibility of&lt;br/&gt;extensions. `keysend` wasn&amp;#39;t and still isn&amp;#39;t specd which resulted in us&lt;br/&gt;having to reverse engineer the logic from the first experimental&lt;br/&gt;implementation, and I did get some details wrong. For example I expected&lt;br/&gt;nodes to explicitly opt-into keysend via featurebit 55, but they just&lt;br/&gt;yolo it...&lt;br/&gt;&lt;br/&gt;As these primitives become more widespread and more users rely on them,&lt;br/&gt;I think it is paramount that we actually spec them out (something that&lt;br/&gt;the new bLIP process should cover), but until we do there is no way of&lt;br/&gt;saying what&amp;#39;s correct and what isn&amp;#39;t.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/cdecker/lightning-integration&#34;&gt;https://github.com/cdecker/lightning-integration&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://cdecker.github.io/lightning-integration/&#34;&gt;https://cdecker.github.io/lightning-integration/&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://github.com/rustyrussell/lnprototest&#34;&gt;https://github.com/rustyrussell/lnprototest&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:04:30Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsqccfcpxj8pr63m23a874gu033ynlu9c5pxxh2fdy8syky8e3wwkczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5zme7c</id>
    
      <title type="html">📅 Original date posted:2021-07-20 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsqccfcpxj8pr63m23a874gu033ynlu9c5pxxh2fdy8syky8e3wwkczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5zme7c" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs8zyedlpa6vm358awxqg9s2jpenr7nhap0fdv42xczj0ru8wdu97cn07vff&#39;&gt;nevent1q…7vff&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-07-20&lt;br/&gt;📝 Original message:&lt;br/&gt;We&amp;#39;d likely be using an HMAC to ensure the integrity of the data returned&lt;br/&gt;by peers, so we&amp;#39;d only have to guard against them returning an older&lt;br/&gt;version, which in eltoo. Furthermore by retrieving the blobs on reconnect&lt;br/&gt;regardless of whether we need them or not we can verify that peers are&lt;br/&gt;behaving correctly, since they shouldn&amp;#39;t be able to distinguish whether&lt;br/&gt;we&amp;#39;re just checking or actually need the data. In addition we can store the&lt;br/&gt;same data with multiple peers, ensuring that as long as one node is&lt;br/&gt;behaving we&amp;#39;re good.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Thu, 15 Jul 2021, 12:28 Martin Habovštiak &amp;lt;martin.habovstiak at gmail.com&amp;gt;&lt;br/&gt;wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; What would happen in 2) if the node has data but the peer returned an&lt;br/&gt;&amp;gt; incorrect state?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Wed, Jul 14, 2021, 20:13 Christian Decker &amp;lt;decker.christian at gmail.com&amp;gt;&lt;br/&gt;&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Not quite sure if this issue is unique to eltoo tbh. While in LN-penalty&lt;br/&gt;&amp;gt;&amp;gt; loss-of-state equates to loss-of-funds, in eltoo this is reduced to&lt;br/&gt;&amp;gt;&amp;gt; impact only funds that are in a PTLC at the time of the loss-of-state.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; We have a couple of options here, that don&amp;#39;t touch the blockchain, and&lt;br/&gt;&amp;gt;&amp;gt; are therefore rather lightweight:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;  1) Do nothing and keep the incentive to keep up to date backups. It&lt;br/&gt;&amp;gt;&amp;gt;  still is a reduction in risk w.r.t. LN-penalty, since this is just an&lt;br/&gt;&amp;gt;&amp;gt;  append only log of secrets, and old secrets don&amp;#39;t harm you like&lt;br/&gt;&amp;gt;&amp;gt;  attempting to close with an old commitment would.&lt;br/&gt;&amp;gt;&amp;gt;  2) Use the peer-storage idea, where we deposit an encrypted bundle with&lt;br/&gt;&amp;gt;&amp;gt;  our peers, and which we expect the peers to return. by hiding the fact&lt;br/&gt;&amp;gt;&amp;gt;  that we forgot some state, until the data has been exchanged we can&lt;br/&gt;&amp;gt;&amp;gt;  ensure that peers always return the latest snapshot of whatever we gave&lt;br/&gt;&amp;gt;&amp;gt;  them.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The latter is the encrypted-blob idea that Rusty has been proposing for&lt;br/&gt;&amp;gt;&amp;gt; a while now.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt;&amp;gt; Christian&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Hello world,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Suppose you have some payments going from Alice to Bob to Carol with&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; eltoo channels. Bob&amp;#39;s lightning node crashes, and he recovers from an&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; old backup, and Alice and Carol end up dropping newer channel states&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; onto the blockchain.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Suppose the timeout for the payments is a few hours away, while the&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; channels have specified a week long CSV delay to rectify any problems&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; on-chain.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Then I think that that means that:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  1) Carol will reveal the point preimages on-chain via adaptor&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     signatures, but Bob won&amp;#39;t be able to decode those adaptor signatures&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     because those signatures will need to change for each state&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  2) Even if Bob knows the point preimages, he won&amp;#39;t be able to&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     claim the PTLC payments on-chain, for the same reason: he needs&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     newer adaptor signatures that he&amp;#39;ll have lost with the state update&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  3) For any payments that timeout, Carol doesn&amp;#39;t have any particular&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     incentive to make it easy for Bob to claim the refund, and Bob won&amp;#39;t&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     have the adaptor signatures for the latest state to do so&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  4) But Alice will be able to claim refunds easily. This is working how&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     it&amp;#39;s meant to, at least!&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; I think you could fix (3) by giving Carol (who does have all the adaptor&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; signatures for the latest state) the ability to steal funds that are&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; meant to have been refunded, provided she gives Bob the option of&lt;br/&gt;&amp;gt;&amp;gt; claiming&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; them first.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; However fixing (1) and (2) aren&amp;#39;t really going against Alice or Carol&amp;#39;s&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; interests, so maybe you can just ask: Carol loses nothing by allowing&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Bob to claim funds from Alice; and Alice has already indicated that&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; knowing P is worth more to her than the PTLC&amp;#39;s funds -- otherwise she&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; wouldn&amp;#39;t have forwarded the PTLC to Bob in the first place.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Likewise, everyone&amp;#39;s probably incentivised to negotiate cooperative&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; closes instead of going on-chain -- better privacy, less fees, and less&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; delay before the funds can be used elsewhere.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; FWIW, I think a similar flaw exists even in the original eltoo spec --&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Alice could simply decline to publish the settlement transaction until&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; the timeout has been reached, preventing Bob from revealing the HTLC&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; preimage before Alice can claim the refund.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; So I think that adds up to:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  a) Nodes should share state on reconnection; if you find a node that&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     doesn&amp;#39;t do this, close the channel and put the node on your enemies&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     list. If you disagree on what the current state is, share your most&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     recent state, and if the other guy&amp;#39;s state is more recent, and all&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     the signatures verify, update your state to match theirs.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  b) Always negotiate a mutual/cooperative close if possible, to avoid&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     actually using the eltoo protocol on-chain.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  c) If you want to allow continuing the channel after restoring an old&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     state from backup, set the channel state index based on the real&lt;br/&gt;&amp;gt;&amp;gt; time,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     eg (real_time-start_time)*(max_updates_per_second). That way your&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     first update after a restore from backup will ensure that any old&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     states that your channel partner may not have told you about are&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     invalidated.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  d) Accept that if you lose connectivity to a channel partner, you will&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     have to pay any PTLCs that were going to them, and won&amp;#39;t be able&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     to claim the PTLCs that were funding them. Perhaps limit the total&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     value of inbound PTLCs for forwarding that you&amp;#39;re willing to accept&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;     at any one itme?&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Also, layered commitments seem like they make channel factories&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; complicated too. Nobody came up with a way to avoid layered commitments&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; while I wasn&amp;#39;t watching did they?&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Cheers,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; aj&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20210720/29630c09/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20210720/29630c09/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T13:03:10Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9aqzg6vhq0rcz23ld9lfdzp204js4cugdyphmzh2kwtjzazqdm4gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wd9z84f</id>
    
      <title type="html">📅 Original date posted:2021-07-14 📝 Original message: Not ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9aqzg6vhq0rcz23ld9lfdzp204js4cugdyphmzh2kwtjzazqdm4gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wd9z84f" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsz4vgsca0636fm5azrznzz7hx9775ea0uv4pnzqwpu9aj9xr3hepgemwh8t&#39;&gt;nevent1q…wh8t&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-07-14&lt;br/&gt;📝 Original message:&lt;br/&gt;Not quite sure if this issue is unique to eltoo tbh. While in LN-penalty&lt;br/&gt;loss-of-state equates to loss-of-funds, in eltoo this is reduced to&lt;br/&gt;impact only funds that are in a PTLC at the time of the loss-of-state.&lt;br/&gt;&lt;br/&gt;We have a couple of options here, that don&amp;#39;t touch the blockchain, and&lt;br/&gt;are therefore rather lightweight:&lt;br/&gt;&lt;br/&gt; 1) Do nothing and keep the incentive to keep up to date backups. It&lt;br/&gt; still is a reduction in risk w.r.t. LN-penalty, since this is just an&lt;br/&gt; append only log of secrets, and old secrets don&amp;#39;t harm you like&lt;br/&gt; attempting to close with an old commitment would.&lt;br/&gt; 2) Use the peer-storage idea, where we deposit an encrypted bundle with&lt;br/&gt; our peers, and which we expect the peers to return. by hiding the fact&lt;br/&gt; that we forgot some state, until the data has been exchanged we can&lt;br/&gt; ensure that peers always return the latest snapshot of whatever we gave&lt;br/&gt; them.&lt;br/&gt;&lt;br/&gt;The latter is the encrypted-blob idea that Rusty has been proposing for&lt;br/&gt;a while now.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt; Hello world,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose you have some payments going from Alice to Bob to Carol with&lt;br/&gt;&amp;gt; eltoo channels. Bob&amp;#39;s lightning node crashes, and he recovers from an&lt;br/&gt;&amp;gt; old backup, and Alice and Carol end up dropping newer channel states&lt;br/&gt;&amp;gt; onto the blockchain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose the timeout for the payments is a few hours away, while the&lt;br/&gt;&amp;gt; channels have specified a week long CSV delay to rectify any problems&lt;br/&gt;&amp;gt; on-chain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Then I think that that means that:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  1) Carol will reveal the point preimages on-chain via adaptor&lt;br/&gt;&amp;gt;     signatures, but Bob won&amp;#39;t be able to decode those adaptor signatures&lt;br/&gt;&amp;gt;     because those signatures will need to change for each state&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  2) Even if Bob knows the point preimages, he won&amp;#39;t be able to&lt;br/&gt;&amp;gt;     claim the PTLC payments on-chain, for the same reason: he needs&lt;br/&gt;&amp;gt;     newer adaptor signatures that he&amp;#39;ll have lost with the state update&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  3) For any payments that timeout, Carol doesn&amp;#39;t have any particular&lt;br/&gt;&amp;gt;     incentive to make it easy for Bob to claim the refund, and Bob won&amp;#39;t&lt;br/&gt;&amp;gt;     have the adaptor signatures for the latest state to do so&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  4) But Alice will be able to claim refunds easily. This is working how&lt;br/&gt;&amp;gt;     it&amp;#39;s meant to, at least!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think you could fix (3) by giving Carol (who does have all the adaptor&lt;br/&gt;&amp;gt; signatures for the latest state) the ability to steal funds that are&lt;br/&gt;&amp;gt; meant to have been refunded, provided she gives Bob the option of claiming&lt;br/&gt;&amp;gt; them first.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However fixing (1) and (2) aren&amp;#39;t really going against Alice or Carol&amp;#39;s&lt;br/&gt;&amp;gt; interests, so maybe you can just ask: Carol loses nothing by allowing&lt;br/&gt;&amp;gt; Bob to claim funds from Alice; and Alice has already indicated that&lt;br/&gt;&amp;gt; knowing P is worth more to her than the PTLC&amp;#39;s funds -- otherwise she&lt;br/&gt;&amp;gt; wouldn&amp;#39;t have forwarded the PTLC to Bob in the first place.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Likewise, everyone&amp;#39;s probably incentivised to negotiate cooperative&lt;br/&gt;&amp;gt; closes instead of going on-chain -- better privacy, less fees, and less&lt;br/&gt;&amp;gt; delay before the funds can be used elsewhere.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; FWIW, I think a similar flaw exists even in the original eltoo spec --&lt;br/&gt;&amp;gt; Alice could simply decline to publish the settlement transaction until&lt;br/&gt;&amp;gt; the timeout has been reached, preventing Bob from revealing the HTLC&lt;br/&gt;&amp;gt; preimage before Alice can claim the refund.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So I think that adds up to:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  a) Nodes should share state on reconnection; if you find a node that&lt;br/&gt;&amp;gt;     doesn&amp;#39;t do this, close the channel and put the node on your enemies&lt;br/&gt;&amp;gt;     list. If you disagree on what the current state is, share your most&lt;br/&gt;&amp;gt;     recent state, and if the other guy&amp;#39;s state is more recent, and all&lt;br/&gt;&amp;gt;     the signatures verify, update your state to match theirs.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  b) Always negotiate a mutual/cooperative close if possible, to avoid&lt;br/&gt;&amp;gt;     actually using the eltoo protocol on-chain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  c) If you want to allow continuing the channel after restoring an old&lt;br/&gt;&amp;gt;     state from backup, set the channel state index based on the real time,&lt;br/&gt;&amp;gt;     eg (real_time-start_time)*(max_updates_per_second). That way your&lt;br/&gt;&amp;gt;     first update after a restore from backup will ensure that any old&lt;br/&gt;&amp;gt;     states that your channel partner may not have told you about are&lt;br/&gt;&amp;gt;     invalidated.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  d) Accept that if you lose connectivity to a channel partner, you will&lt;br/&gt;&amp;gt;     have to pay any PTLCs that were going to them, and won&amp;#39;t be able&lt;br/&gt;&amp;gt;     to claim the PTLCs that were funding them. Perhaps limit the total&lt;br/&gt;&amp;gt;     value of inbound PTLCs for forwarding that you&amp;#39;re willing to accept&lt;br/&gt;&amp;gt;     at any one itme?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Also, layered commitments seem like they make channel factories&lt;br/&gt;&amp;gt; complicated too. Nobody came up with a way to avoid layered commitments&lt;br/&gt;&amp;gt; while I wasn&amp;#39;t watching did they?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; aj&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:03:09Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsxjtnd8au7qnkyx0p0s8c6a2qqdqzlrnhyqhzuls2gtqf7gd7pk5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7dexfd</id>
    
      <title type="html">📅 Original date posted:2021-03-15 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsxjtnd8au7qnkyx0p0s8c6a2qqdqzlrnhyqhzuls2gtqf7gd7pk5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7dexfd" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs0cu42yfasqyqv8d2n7mrh0m0qp9qyjhld76xqwsh58q9x96d40msek45rt&#39;&gt;nevent1q…45rt&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-03-15&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi All,&lt;br/&gt;&lt;br/&gt;I just finished writing a (very) rough draft of the Funding Timeout&lt;br/&gt;Recovery proposal (a.k.a. &amp;#34;So long, and thanks for all the sigs&amp;#34;). You&lt;br/&gt;can find the full proposal here [1].&lt;br/&gt;&lt;br/&gt;The proposal details how the fundee can assist the funder quickly&lt;br/&gt;recover a botched funding. This is an alternative to using the&lt;br/&gt;pre-signed commitment transaction, which likely overestimates the&lt;br/&gt;feerate, and also locks the funder&amp;#39;s funds with a timeout since it is a&lt;br/&gt;unilateral close.&lt;br/&gt;&lt;br/&gt;The trick is to have the fundee sign a blank check with the&lt;br/&gt;funding_privkey, used to setup the 2-of-2, and using `sighash_none` to&lt;br/&gt;make the signature independent from the outputs. The funder can then use&lt;br/&gt;that signature to create a close transaction however she wants,&lt;br/&gt;including adjustable feerates, and any desired outputs.&lt;br/&gt;&lt;br/&gt;In addition it also includes a recovery mechanism for malleated funding&lt;br/&gt;transactions, which can happen from time to time, if there are&lt;br/&gt;non-segwit inputs, or if the funding transaction is edited externally to&lt;br/&gt;the lightning node prior to broadcasting it. This extension is however&lt;br/&gt;optional.&lt;br/&gt;&lt;br/&gt;There are a couple of open questions at the bottom, and I would be very&lt;br/&gt;interested in everyone&amp;#39;s opinion on the safety. I think we&amp;#39;re ok due to&lt;br/&gt;the funding_privkey = channel mapping, but I&amp;#39;m open to further analysis.&lt;br/&gt;&lt;br/&gt;Since this is rather short-notice for today&amp;#39;s spec meeting I&amp;#39;ll probably&lt;br/&gt;add it to the agenda for next time instead, to give everybody time to&lt;br/&gt;familiarize themselves with the proposal, before delving into details&lt;br/&gt;:-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/pull/854&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/pull/854&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:02:09Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9dzyddd30px2g9es8dkersmg89mm8xfrvfgj69wj826t5gs35j2szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wzj5c0x</id>
    
      <title type="html">📅 Original date posted:2021-02-27 📝 Original message: &amp;gt; ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9dzyddd30px2g9es8dkersmg89mm8xfrvfgj69wj826t5gs35j2szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wzj5c0x" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs9ejc3e69u0dvaq9uhey3ejnuq0qcpwsfm2mtytnqg8r0veh62pxcg70a8k&#39;&gt;nevent1q…0a8k&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-02-27&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;gt; The `!(a &amp;amp;&amp;amp; b &amp;amp;&amp;amp; ...)` can be converted to a reversal of the payment.&lt;br/&gt;&amp;gt; The individual `!BUYER` is just the buyer choosing not to claim the&lt;br/&gt;&amp;gt; seller-&amp;gt;buyer direction, and the individual `!ESCROW` is just the&lt;br/&gt;&amp;gt; escrow choosing not to reveal its temporary scalar for this payment.&lt;br/&gt;&amp;gt; And any products (i.e. `&amp;amp;&amp;amp;`) are trivially implemented in PTLCs as&lt;br/&gt;&amp;gt; trivial scalar and point addition.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So it may actually be possible to express *any* Boolean logic, by the&lt;br/&gt;&amp;gt; use of reversal payments and &amp;#34;option not to release scalar&amp;#34;, both of&lt;br/&gt;&amp;gt; which implement the NOT gate needed for the above.  Boolean logic is a&lt;br/&gt;&amp;gt; fairly powerful, non-Turing-complete, and consistent programming&lt;br/&gt;&amp;gt; language, and if we can actually implement any kind of Boolean logic&lt;br/&gt;&amp;gt; with a set of payments in various directions and Barrier Escrows we&lt;br/&gt;&amp;gt; can enable some fairly complex use-cases..&lt;br/&gt;&lt;br/&gt;This got me thinking about my first year logic course and functional&lt;br/&gt;completeness [1], and it it trivial to prove that any boolean logic can&lt;br/&gt;be expressed by this construction. We can trivially build a functionally&lt;br/&gt;complete set by just constructing a NAND, a NOR, or {AND, NOT}, all of&lt;br/&gt;which you&amp;#39;ve already done in your prior mails.&lt;br/&gt;&lt;br/&gt;The resulting expressions may not be particularly nice, and result in a&lt;br/&gt;multitude of payments going back and forth between the participants to&lt;br/&gt;represent that logic, but it is possible. So the problem should now&lt;br/&gt;simply be reduced to finding a minimal representation for a given&lt;br/&gt;expression, which then minimizes the funds committed to a particular&lt;br/&gt;instance of the expression.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://en.wikipedia.org/wiki/Functional_completeness&#34;&gt;https://en.wikipedia.org/wiki/Functional_completeness&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:02:02Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsfyfpuqmxr8kr3x7y9p2fsmkrfhzzujsx3uhrkspwu4amwre705yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wyk9gpj</id>
    
      <title type="html">📅 Original date posted:2020-10-26 📝 Original message: Rusty ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsfyfpuqmxr8kr3x7y9p2fsmkrfhzzujsx3uhrkspwu4amwre705yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wyk9gpj" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstqxk90faavpts47uajnmeapqlxnlg5lavmuvwhfp7dprjxtefsmsz2ufrr&#39;&gt;nevent1q…ufrr&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-10-26&lt;br/&gt;📝 Original message:&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; This is in stark contrast to the leader-based approach, where both&lt;br/&gt;&amp;gt;&amp;gt; parties can just keep queuing updates without silent times to&lt;br/&gt;&amp;gt;&amp;gt; transferring the token from one end to the other.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; You&amp;#39;ve swayed me, but it needs new wire msgs to indicate &amp;#34;these are&lt;br/&gt;&amp;gt; your proposals I&amp;#39;m reflecting to you&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; OTOH they don&amp;#39;t need to carry data, so we can probably just have:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; update_htlcs_ack:&lt;br/&gt;&amp;gt;    * [`channel_id`:`channel_id`]&lt;br/&gt;&amp;gt;    * [`u16`:`num_added`]&lt;br/&gt;&amp;gt;    * [`num_added*u64`:`added`]&lt;br/&gt;&amp;gt;    * [`u16`:`num_removed`]&lt;br/&gt;&amp;gt;    * [`num_removed*u64`:`removed`]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; update_fee can stay the same.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thoughts?&lt;br/&gt;&lt;br/&gt;So this would pretty much be a batch-ack, sent after a whole series of&lt;br/&gt;changes were proposed to the leader, and referenced by their `htlc_id`,&lt;br/&gt;correct? This is one optimization step further than what I was thinking,&lt;br/&gt;but it can work. My proposal would have been to either reflect the whole&lt;br/&gt;message (nodes need to remember proposals they&amp;#39;ve sent anyway in case of&lt;br/&gt;disconnects, so matching incoming changes with the pending ones should&lt;br/&gt;not be too hard), or send back individual acks, containing the hash of&lt;br/&gt;the message if we want to safe on bytes transferred. Alternatively we&lt;br/&gt;could also use reference the change by its htlc_id.&lt;br/&gt;&lt;br/&gt;The latter however means that we are now tightly binding the&lt;br/&gt;linearization protocol (in which order should the changes be applied)&lt;br/&gt;with the internals of these changes (namely we look into the change, and&lt;br/&gt;reference the htlc_id). My goal ultimately is introduce a better&lt;br/&gt;layering between the change proposal/commitment scheme, and the&lt;br/&gt;semantics of the the individual changes (&amp;#34;which order&amp;#34; vs. &amp;#34;what&amp;#34;).&lt;br/&gt;&lt;br/&gt;I wonder what the performance increase of the batching would be compared&lt;br/&gt;to just acking each update individually. My expectation would be that in&lt;br/&gt;most cases we&amp;#39;d be acking a batch of size 1 :-)&lt;br/&gt;&lt;br/&gt;Personally I think just reflecting the changes as a whole, interleaving&lt;br/&gt;my updates with yours is likely the simplest protocol, with the least&lt;br/&gt;implied state that can get out of sync, and cause nodes to drift apart&lt;br/&gt;like we had a number of times (&amp;#34;bad signature&amp;#34; anyone ^^). And looking&lt;br/&gt;(much much) further it is also a feasible protocol for multiparty&lt;br/&gt;channels with eltoo or similar constructions, where the leader&lt;br/&gt;reflecting my own changes back to me is more of a special case than the&lt;br/&gt;norm.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:01:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsqmqrvjdcu6hcvqvdmfud36m2tmtdr7rc38hwkf9yqczsd46u8p9qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjzneh8</id>
    
      <title type="html">📅 Original date posted:2020-10-15 📝 Original message: &amp;gt; ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsqmqrvjdcu6hcvqvdmfud36m2tmtdr7rc38hwkf9yqczsd46u8p9qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjzneh8" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspjcw3qrcmg8245duuntxwspswsmmw4v3unqvpvmml95xr0vq0yhgnzu3rj&#39;&gt;nevent1q…u3rj&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-10-15&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;gt; And you don&amp;#39;t get the benefit of the turn-taking approach, which is that&lt;br/&gt;&amp;gt; you can have a known state for fee changes.  Even if you change it to&lt;br/&gt;&amp;gt; have opener always the leader, it still has to handle the case where&lt;br/&gt;&amp;gt; incoming changes are not allowed under the new fee regime (and similar&lt;br/&gt;&amp;gt; issues for other dynamic updates).&lt;br/&gt;&lt;br/&gt;Good point, I hadn&amp;#39;t considered that a change from one side might become&lt;br/&gt;invalid due to a change from the other side. I think however this can only&lt;br/&gt;affect changes that result in other changes no longer being applicable,&lt;br/&gt;e.g., changing the number of HTLCs you&amp;#39;ll allow on a channel making the&lt;br/&gt;HTLC we just added and whose update_add is still in flight invalid.&lt;br/&gt;&lt;br/&gt;I don&amp;#39;t think fee changes are impacted here, since the non-leader only&lt;br/&gt;applies the change to its commitment once it gets back its own change.&lt;br/&gt;The leader will have inserted your update_add into its stream after the&lt;br/&gt;fee update, and so you&amp;#39;ll first apply the fee update, and then use the&lt;br/&gt;correct fee to add the HTLC to your commitment, resulting in the same&lt;br/&gt;state.&lt;br/&gt;&lt;br/&gt;The remaining edgecases where changes can become invalid if they are in&lt;br/&gt;flight, can be addressed by bouncing the change through the non-leader,&lt;br/&gt;telling him that &amp;#34;hey, I&amp;#39;d like to propose this change, if you&amp;#39;re good&lt;br/&gt;with it send it back to me and I&amp;#39;ll add it to my stream&amp;#34;. This can be&lt;br/&gt;seen as draining the queue of in-flight changes, however the non-leader&lt;br/&gt;may pipeline its own changes after it and take the updated parameters&lt;br/&gt;into consideration. Think of it as a two-phase commit, alerting the peer&lt;br/&gt;with a proposal, before committing it by adding it to the stream. It&lt;br/&gt;adds latency (about 1/2RTT over the token-passing approach since we can&lt;br/&gt;emulate it with the token-passing approach) but these synchronization&lt;br/&gt;points are rare and not on the critical path when forwarding payments.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; The downside is that we add a constant overhead to one side&amp;#39;s&lt;br/&gt;&amp;gt;&amp;gt; operations, but since we pipeline changes, and are mostly synchronous&lt;br/&gt;&amp;gt;&amp;gt; during the signing of the commitment tx today anyway, this comes out to&lt;br/&gt;&amp;gt;&amp;gt; 1 RTT for each commitment.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yeah, it adds 1RTT to every hop on the network, vs my proposal which&lt;br/&gt;&amp;gt; adds just over 1/2 RTT on average.&lt;br/&gt;&lt;br/&gt;Doesn&amp;#39;t that assume a change of turns while the HTLC was in-flight?&lt;br/&gt;Adding and resolving an HTLC requires one change coming from either side&lt;br/&gt;of the channel, implying that a turn change must have been performed,&lt;br/&gt;which itself takes 1 RTT. Thus to add an remove an HTLC we add at least&lt;br/&gt;1RTT for each hop.&lt;br/&gt;&lt;br/&gt;With the leader-based approach, we add 1RTT latency to the updates from&lt;br/&gt;one side, but the other never has to wait for the token, resulting in&lt;br/&gt;1/2RTT per direction as well, since messages are well-balanced.&lt;br/&gt;&lt;br/&gt;&amp;gt; Yes, but it alternates because that&amp;#39;s optimal for a non-busy channel&lt;br/&gt;&amp;gt; (since it&amp;#39;s usually &amp;#34;Alice adds htlc, Bob completes the htlc&amp;#34;).&lt;br/&gt;&lt;br/&gt;What&amp;#39;s bothering me more about the turn-based approach is that while the&lt;br/&gt;token is in flight, neither endpoint can make any progress, since the&lt;br/&gt;one reliquishing the token promised not to say anything and the other&lt;br/&gt;one hasn&amp;#39;t gotten the token yet. This might result in rather a lot of&lt;br/&gt;dead-air if both sides have a constant stream of changes to add. So we&amp;#39;d&lt;br/&gt;likely have to add a timeout to defer giving up the token, to counter&lt;br/&gt;dead-air, further adding delay to the changes from the other end, and&lt;br/&gt;adding yet another parameter.&lt;br/&gt;&lt;br/&gt;This is in stark contrast to the leader-based approach, where both&lt;br/&gt;parties can just keep queuing updates without silent times to&lt;br/&gt;transferring the token from one end to the other.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:01:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs80r3w4sx5zq7da8yj2hs3zltney2zyglqgqx3n3tddkm8de0qquqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wx75xaq</id>
    
      <title type="html">📅 Original date posted:2020-10-13 📝 Original message: I ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs80r3w4sx5zq7da8yj2hs3zltney2zyglqgqx3n3tddkm8de0qquqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wx75xaq" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsd0nrrx6v0uv2mretq2mjeky48lxtsmetyzdwdgd9kxthmtzz2wmcdp8zxu&#39;&gt;nevent1q…8zxu&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-10-13&lt;br/&gt;📝 Original message:&lt;br/&gt;I wonder if we should just go the tried-and-tested leader-based&lt;br/&gt;mechanism:&lt;br/&gt;&lt;br/&gt; 1. The node with the lexicographically lower node_id is determined to&lt;br/&gt;    be the leader.&lt;br/&gt; 2. The leader receives proposals for changes from itself and the peer&lt;br/&gt;    and orders them into a logical sequence of changes&lt;br/&gt; 3. The leader applies the changes locally and streams them to the peer.&lt;br/&gt; 4. Either node can initiate a commitment by proposing a `flush` change.&lt;br/&gt; 5. Upon receiving a `flush` the nodes compute the commitment&lt;br/&gt;    transaction and exchange signatures.&lt;br/&gt;&lt;br/&gt;This is similar to your proposal, but does away with turn changes (it&amp;#39;s&lt;br/&gt;always the leader&amp;#39;s turn), and therefore reduces the state we need to&lt;br/&gt;keep track of (and re-negotiate on reconnect).&lt;br/&gt;&lt;br/&gt;The downside is that we add a constant overhead to one side&amp;#39;s&lt;br/&gt;operations, but since we pipeline changes, and are mostly synchronous&lt;br/&gt;during the signing of the commitment tx today anyway, this comes out to&lt;br/&gt;1 RTT for each commitment.&lt;br/&gt;&lt;br/&gt;On the other hand a token-passing approach (which I think is what you&lt;br/&gt;propose) require a synchronous token handover whenever a the direction&lt;br/&gt;of the updates changes. This is assuming I didn&amp;#39;t misunderstand the turn&lt;br/&gt;mechanics of your proposal :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi all,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;         Our HTLC state machine is optimal, but complex[1]; the Lightning&lt;br/&gt;&amp;gt; Labs team recently did some excellent work finding another place the spec&lt;br/&gt;&amp;gt; is insufficient[2].  Also, the suggestion for more dynamic changes makes it&lt;br/&gt;&amp;gt; more difficult, usually requiring forced quiescence.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The following protocol returns to my earlier thoughts, with cost of&lt;br/&gt;&amp;gt; latency in some cases.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1. The protocol is half-duplex, with each side taking turns; opener first.&lt;br/&gt;&amp;gt; 2. It&amp;#39;s still the same form, but it&amp;#39;s always one-direction so both sides&lt;br/&gt;&amp;gt;    stay in sync.&lt;br/&gt;&amp;gt;         update&#43;-&amp;gt; commitsig-&amp;gt; &amp;lt;-revocation &amp;lt;-commitsig revocation-&amp;gt;&lt;br/&gt;&amp;gt; 3. A new message pair &amp;#34;turn_request&amp;#34; and &amp;#34;turn_reply&amp;#34; let you request&lt;br/&gt;&amp;gt;    when it&amp;#39;s not your turn.&lt;br/&gt;&amp;gt; 4. If you get an update in reply to your turn_request, you lost the race&lt;br/&gt;&amp;gt;    and have to defer your own updates until after peer is finished.&lt;br/&gt;&amp;gt; 5. On reconnect, you send two flags: send-in-progress (if you have&lt;br/&gt;&amp;gt;    sent the initial commitsig but not the final revocation) and&lt;br/&gt;&amp;gt;    receive-in-progress (if you have received the initial commitsig&lt;br/&gt;&amp;gt;    not not received the final revocation).  If either is set,&lt;br/&gt;&amp;gt;    the sender (as indicated by the flags) retransmits the entire&lt;br/&gt;&amp;gt;    sequence.&lt;br/&gt;&amp;gt;    Otherwise, (arbitrarily) opener goes first again.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Pros:&lt;br/&gt;&amp;gt; 1. Way simpler.  There is only ever one pair of commitment txs for any&lt;br/&gt;&amp;gt;    given commitment index.&lt;br/&gt;&amp;gt; 2. Fee changes are now deterministic.  No worrying about the case where&lt;br/&gt;&amp;gt;    the peer&amp;#39;s changes are also in flight.&lt;br/&gt;&amp;gt; 3. Dynamic changes can probably happen more simply, since we always&lt;br/&gt;&amp;gt;    negotiate both sides at once.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cons:&lt;br/&gt;&amp;gt; 1. If it&amp;#39;s not your turn, it adds 1 RTT latency.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Unchanged:&lt;br/&gt;&amp;gt; 1. Database accesses are unchanged; you need to commit when you send or&lt;br/&gt;&amp;gt;    receive a commitsig.&lt;br/&gt;&amp;gt; 2. You can use the same state machine as before, but one day (when&lt;br/&gt;&amp;gt;    this would be compulsory) you&amp;#39;ll be able signficantly simplify;&lt;br/&gt;&amp;gt;    you&amp;#39;ll need to record the index at which HTLCs were changed&lt;br/&gt;&amp;gt;    (added/removed) in case peer wants you to rexmit though.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Rusty.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [1] This is my fault; I was persuaded early on that optimality was more&lt;br/&gt;&amp;gt;     important than simplicity in a classic nerd-snipe.&lt;br/&gt;&amp;gt; [2] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/issues/794&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/issues/794&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:01:20Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs8yelkch097mzc0j8sdy52ntsacaqvaz44h7cqmae3l8m7kmxph4czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2leq52</id>
    
      <title type="html">📅 Original date posted:2020-10-13 📝 Original message: Joost ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs8yelkch097mzc0j8sdy52ntsacaqvaz44h7cqmae3l8m7kmxph4czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2leq52" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsyql74lfggef2gc5r7p0qq3akwgstz7ds3kn7elsnzq9nyrhmap2ga32tx8&#39;&gt;nevent1q…2tx8&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-10-13&lt;br/&gt;📝 Original message:&lt;br/&gt;Joost Jager &amp;lt;joost.jager at gmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; The LOW-REP node being out of pocket is the clue here: if one party&lt;br/&gt;&amp;gt;&amp;gt; loses funds, even a tiny bit, another party gains some funds. In this&lt;br/&gt;&amp;gt;&amp;gt; case the HIGH-REP node collaborating with the ATTACKER can extract some&lt;br/&gt;&amp;gt;&amp;gt; funds from the intermediate node, allowing them to dime their way to all&lt;br/&gt;&amp;gt;&amp;gt; of LOW-REP&amp;#39;s funds. If an attack results in even a tiny loss for an&lt;br/&gt;&amp;gt;&amp;gt; intermediary and can be repeated, the intermediary&amp;#39;s funds can be&lt;br/&gt;&amp;gt;&amp;gt; syphoned by an attacker.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The assumption is that HIGH-REP nodes won&amp;#39;t do this :) LOW-REP will see all&lt;br/&gt;&amp;gt; those failed payments and small losses and start to realize that something&lt;br/&gt;&amp;gt; strange is happening. I know the proposal isn&amp;#39;t fully trustless, but I&lt;br/&gt;&amp;gt; think it can work in practice.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Another attack that is a spin on ZmnSCPxj&amp;#39;s waiting to backpropagate the&lt;br/&gt;&amp;gt;&amp;gt; preimage is even worse:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;  - Attacker node `A` charging hold fees receives HTLC from victim `V`&lt;br/&gt;&amp;gt;&amp;gt;  - `A` does not forward the HTLC, but starts charging hold fees&lt;br/&gt;&amp;gt;&amp;gt;  - Just before the timeout for the HTLC would force us to settle onchain&lt;br/&gt;&amp;gt;&amp;gt;    `A` just removes the HTLC without forwarding it or he can try to&lt;br/&gt;&amp;gt;&amp;gt;    forward at the last moment, potentially blaming someone else for its&lt;br/&gt;&amp;gt;&amp;gt;    failure to complete&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; This results in `A` extracting the maximum hold fee from `V`, without&lt;br/&gt;&amp;gt;&amp;gt; the downstream hold fees cutting into their profits. By forwarding as&lt;br/&gt;&amp;gt;&amp;gt; late as possible `A` can cause a downstream failure and look innocent,&lt;br/&gt;&amp;gt;&amp;gt; and the overall payment has the worst possible outcome: we waited an&lt;br/&gt;&amp;gt;&amp;gt; eternity for what turns out to be a failed attempt.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The idea is that an attacker node is untrusted and won&amp;#39;t be able to charge&lt;br/&gt;&amp;gt; hold fees.&lt;br/&gt;&lt;br/&gt;The attacker controls both the sender and the HIGH-REP node. The sender&lt;br/&gt;doesn&amp;#39;t need to be trusted, it just initiates a payment that is used to&lt;br/&gt;extract hold fees from a forwarding node. The HIGH-REP node doesn&amp;#39;t&lt;br/&gt;lose reputation because from what we can witness externally the payment&lt;br/&gt;failed somewhere downstream. It does require an attacker to have a hold&lt;br/&gt;fee charging HIGH-REP node, yes, but he is not jeopardizing its&lt;br/&gt;reputation by having it fail downstream.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:01:12Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsd4cl0whw68h6ul042ytf4tyrs89ad56gh3nuw95xxrm86fmzf2tqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpfs6yn</id>
    
      <title type="html">📅 Original date posted:2020-10-13 📝 Original message: I ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsd4cl0whw68h6ul042ytf4tyrs89ad56gh3nuw95xxrm86fmzf2tqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpfs6yn" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsgvca9le5s74m9zslv478jm7q7ujdq8q3pzdadtu9hkpz37v9dnjqrtev8p&#39;&gt;nevent1q…ev8p&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-10-13&lt;br/&gt;📝 Original message:&lt;br/&gt;I think the mechanism can indeed create interesting dynamics, but not in&lt;br/&gt;a good sense :-)&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; I can still establish channels to various low-reputation nodes, and&lt;br/&gt;&amp;gt;&amp;gt; then use them to grief a high-reputation node.  Not only do I get to&lt;br/&gt;&amp;gt;&amp;gt; jam up the high-reputation channels, as a bonus I get the&lt;br/&gt;&amp;gt;&amp;gt; low-reputation nodes to pay for it!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So you&amp;#39;re saying:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ATTACKER --(no hold fee)--&amp;gt; LOW-REP --(hold fee)--&amp;gt; HIGH-REP&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If I were LOW-REP, I&amp;#39;d still charge an unknown node a hold fee. I&lt;br/&gt;&amp;gt; would only waive the hold fee for high-reputation nodes. In that case,&lt;br/&gt;&amp;gt; the attacker is still paying for the attack. I may be forced to take a&lt;br/&gt;&amp;gt; small loss on the difference, but at least the larger part of the pain&lt;br/&gt;&amp;gt; is felt by the attacker. The assumption is that this is sufficient&lt;br/&gt;&amp;gt; enough to deter the attacker from even trying.&lt;br/&gt;&lt;br/&gt;The LOW-REP node being out of pocket is the clue here: if one party&lt;br/&gt;loses funds, even a tiny bit, another party gains some funds. In this&lt;br/&gt;case the HIGH-REP node collaborating with the ATTACKER can extract some&lt;br/&gt;funds from the intermediate node, allowing them to dime their way to all&lt;br/&gt;of LOW-REP&amp;#39;s funds. If an attack results in even a tiny loss for an&lt;br/&gt;intermediary and can be repeated, the intermediary&amp;#39;s funds can be&lt;br/&gt;syphoned by an attacker.&lt;br/&gt;&lt;br/&gt;Another attack that is a spin on ZmnSCPxj&amp;#39;s waiting to backpropagate the&lt;br/&gt;preimage is even worse:&lt;br/&gt;&lt;br/&gt; - Attacker node `A` charging hold fees receives HTLC from victim `V`&lt;br/&gt; - `A` does not forward the HTLC, but starts charging hold fees&lt;br/&gt; - Just before the timeout for the HTLC would force us to settle onchain&lt;br/&gt;   `A` just removes the HTLC without forwarding it or he can try to&lt;br/&gt;   forward at the last moment, potentially blaming someone else for its&lt;br/&gt;   failure to complete&lt;br/&gt;&lt;br/&gt;This results in `A` extracting the maximum hold fee from `V`, without&lt;br/&gt;the downstream hold fees cutting into their profits. By forwarding as&lt;br/&gt;late as possible `A` can cause a downstream failure and look innocent,&lt;br/&gt;and the overall payment has the worst possible outcome: we waited an&lt;br/&gt;eternity for what turns out to be a failed attempt.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T13:01:11Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsqer9th3vzzdp24adn0pq008a2swj829rd0x852e2xc47pne8mypgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wktpyjc</id>
    
      <title type="html">📅 Original date posted:2020-09-22 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsqer9th3vzzdp24adn0pq008a2swj829rd0x852e2xc47pne8mypgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wktpyjc" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstec0dqrcsw0y0lcsy9wrz00zx2luw5vawxpux2dd4hgmv4nzq7pqzlxpvz&#39;&gt;nevent1q…xpvz&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-09-22&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; I am almost certain that a Smart Contract Unchained Escrowed&lt;br/&gt;&amp;gt; Decker-Russell-Osuntokun channel factory can merge the watchtower and&lt;br/&gt;&amp;gt; escrow functionality as well, using the above basic sketch, with&lt;br/&gt;&amp;gt; additional overlay network to allow for federated escrows.  The issue&lt;br/&gt;&amp;gt; is really the increased complexity of the `(halftxid, encrypted_blob)`&lt;br/&gt;&amp;gt; scheme with Decker-Russell-Osuntokun.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; (To my knowledge, Decker-Russell-Osuntokun only simplifies watchtowers&lt;br/&gt;&amp;gt; if the watchtower knows the funding outpoint, which is information we&lt;br/&gt;&amp;gt; should really prefer the watchtower to not know unless an attack&lt;br/&gt;&amp;gt; occurs; with an unknown-funding-outpoint, `(halftxid, encrypted_blob)`&lt;br/&gt;&amp;gt; scheme, Decker-Russell-Osuntokun is actually more complicated, since&lt;br/&gt;&amp;gt; hiding the funding outpoint prevents having a simple key for the&lt;br/&gt;&amp;gt; watchtower to replace.)&lt;br/&gt;&lt;br/&gt;Just a minor comment on this: for eltoo the watchtower does not need to&lt;br/&gt;know the funding outpoint, instead any information that&amp;#39;d allow a&lt;br/&gt;watchtower to collate (encrypted) updates would be sufficient for it to&lt;br/&gt;be able to discard earlier ones. I&amp;#39;m thinking in particular about the&lt;br/&gt;session-based collation that the lnd watchtower protocol uses can be one&lt;br/&gt;such collation key. Alternatively we can still use the Poon-Dryja style&lt;br/&gt;encryption with the trigger transaction hash (which admittedly isn&amp;#39;t&lt;br/&gt;very prominently described in the eltoo paper) as the encryption&lt;br/&gt;key. That transaction being the first step towards closing a channel&lt;br/&gt;unilaterally forces any cheating party to reveal the decryption key for&lt;br/&gt;the update txs that&amp;#39;ll override its actions.&lt;br/&gt;&lt;br/&gt;Furthermore, while encrypting all the reactions with the same encryption&lt;br/&gt;key may appear to leak information, it is only the update transaction&lt;br/&gt;that is passed to the watchtower, not the actual state (direct outputs&lt;br/&gt;and HTLCs) which is attached to the settlement transaction, kept by the&lt;br/&gt;endpoint. So all the watchtower gets from decrypting all prior update&lt;br/&gt;transactions is a set of semantically identical 1-input-1-output update&lt;br/&gt;transactions from which it can at most learn how many updates were&lt;br/&gt;performed. This last leak can also be addressed by simply randomizing&lt;br/&gt;the increment step for state numbers and not passing every state update&lt;br/&gt;to the watchtower (since the watchtower will only ever need the last one&lt;br/&gt;we can coalesce multiple updates and flush them to the watchtower after&lt;br/&gt;some time).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;[1]: &lt;a href=&#34;https://github.com/lightningnetwork/lnd/blob/master/docs/watchtower.md&#34;&gt;https://github.com/lightningnetwork/lnd/blob/master/docs/watchtower.md&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:00:50Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsg04dxald273ffst2wknesxpv80tg9rtxjczq5zwpraw378hca56qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6zu2j5</id>
    
      <title type="html">📅 Original date posted:2020-09-01 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsg04dxald273ffst2wknesxpv80tg9rtxjczq5zwpraw378hca56qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6zu2j5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqst8tmx64vhr3vgmypr38fzktgvdxktl3faptyuzg7nkf6wzsehudqrxvxtz&#39;&gt;nevent1q…vxtz&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-09-01&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Nadav,&lt;br/&gt;&lt;br/&gt;thanks for writing up this proposal. I think I can add a bit of details,&lt;br/&gt;which might simplify the proposal.&lt;br/&gt;&lt;br/&gt;## Ordering of updates&lt;br/&gt;&lt;br/&gt;The way we ensure that an update tx (as the commitment txs are called in&lt;br/&gt;the paper) can be attached only to prior updates is done by comparing&lt;br/&gt;the state-number committed to in the prevout script with the current&lt;br/&gt;timelock through CLTV. This functionality exists today already, and does&lt;br/&gt;not have to be implemented by the Escrow at all: it can just sign off on&lt;br/&gt;any update transaction and the monotonicity of the sequence of updates&lt;br/&gt;is guaranteed through the script.&lt;br/&gt;&lt;br/&gt;This should simplify the escrow considerably and allow us to disclose&lt;br/&gt;less to it.&lt;br/&gt;&lt;br/&gt;## Emulating `sighash_anyprevout`&lt;br/&gt;&lt;br/&gt;We can emulate `sighash_anyprevout` and variants today already, if we&lt;br/&gt;know all the transactions we&amp;#39;d eventually want to bind to at the time we&lt;br/&gt;create the transaction that&amp;#39;d use `anyprevout`: simply iterate through&lt;br/&gt;all the transactions it might bind to, update the transaction we&amp;#39;re&lt;br/&gt;signing with the prevout details of that potential binding, and sign&lt;br/&gt;it. There are two downsides to this, namely processing overhead to&lt;br/&gt;generate `n` signatures for `n` potential bindings, and communication&lt;br/&gt;overhead, since we&amp;#39;re now exchanging `n` signatures, instead of a single&lt;br/&gt;`anyprevout` signature, but it can work.&lt;br/&gt;&lt;br/&gt;I think with the escrow we can defer the creation of the signature to&lt;br/&gt;the time we need it, and externalize the anyprevout logic: at each&lt;br/&gt;update all parties sign a statement that they are ok with state&lt;br/&gt;`k`. Should one party become unresponsive, or broadcast an intermediate&lt;br/&gt;TX k&amp;#39;&amp;lt;k, the other party can take the statement to the escrow, which&lt;br/&gt;verifies the signature of the misbehaving party and co-signs the state&lt;br/&gt;`k`, basically taking on the role of the misbehaving party.&lt;br/&gt;&lt;br/&gt;Notice that the &amp;#34;statement&amp;#34; above could just be the update TX bound to&lt;br/&gt;the funding outpoint, meaning that in the happy case we&amp;#39;d just be able&lt;br/&gt;to use that to collaboratively close the contract, otherwise we use the&lt;br/&gt;escrow to rebind the update to whatever happened inbetween.&lt;br/&gt;&lt;br/&gt;## Escrow collusion&lt;br/&gt;&lt;br/&gt;While not particularly familiar with SCU, I think the escrow might need&lt;br/&gt;to be ultimately trusted, since giving it the ability to act as&lt;br/&gt;co-signer in lieu of a subset of participants, or even sole signature&lt;br/&gt;authority could lead to collusion between the escrow and the remainder&lt;br/&gt;of the contract participants, but I&amp;#39;m happy to be corrected here.&lt;br/&gt;&lt;br/&gt;We had similar considerations while working on the original channel&lt;br/&gt;factories paper, where we tried to come up with a scheme that&amp;#39;d allow a&lt;br/&gt;subset of participants to split out an inactive participant in order to&lt;br/&gt;recover from what would otherwise be a deadlock. We decided to drop that&lt;br/&gt;possibility due to the complexity involved and the potential for serious&lt;br/&gt;damage if participants collude.&lt;br/&gt;&lt;br/&gt;## Fees&lt;br/&gt;&lt;br/&gt;The way we handle fees in eltoo is simply sign the update txs with&lt;br/&gt;sighash_single, allowing us to attach fees at a later point in&lt;br/&gt;time. This is also what we&amp;#39;re trying to do with the LN spec at the&lt;br/&gt;moment by externalizing the fees with the anchor outputs proposal.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Overall I really like the idea of using an escrow to optimize the my&lt;br/&gt;&amp;#34;just sign all variants&amp;#34; workaround, let&amp;#39;s see where it takes us :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Nadav Kohen &amp;lt;nadav at suredbits.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi all,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; # Simulating Eltoo / ANYPREVOUT Factories Using SCU Escrows&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In this write-up I hope to convince you that it is possible to create some&lt;br/&gt;&amp;gt; weak version of Eltoo channels and channel factories today without&lt;br/&gt;&amp;gt; SIGHASH_ANYPREVOUT (although the version using this sighash is clearly&lt;br/&gt;&amp;gt; superior) using ZmnSCPxj&amp;#39;s proposal Smart Contracts Unchained (SCU) which&lt;br/&gt;&amp;gt; Ben Carman has cleverly given the name SCUE&amp;#39;d Eltoo.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ## Introduction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Eltoo / ANYPREVOUT&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Eltoo is a proposal for a new (and generally improved) way of doing&lt;br/&gt;&amp;gt; Lightning channels which also allows for multi-party channels (and channel&lt;br/&gt;&amp;gt; factories). I am by no means fluent in the going&amp;#39;s on of eltoo and&lt;br/&gt;&amp;gt; anyprevout so I will link &lt;a href=&#34;https://blockstream.com/eltoo.pdf&#34;&gt;https://blockstream.com/eltoo.pdf&lt;/a&gt; and&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://bitcoinops.org/en/topics/sighash_noinput/&#34;&gt;https://bitcoinops.org/en/topics/sighash_noinput/&lt;/a&gt;. My understanding is that&lt;br/&gt;&amp;gt; at a high level, rather than using a penalty mechanism to update channel&lt;br/&gt;&amp;gt; states, sighash_anyprevout is used to make any old commitment transaction&lt;br/&gt;&amp;gt; spendable by any newer commitment transaction so that old revoked states&lt;br/&gt;&amp;gt; can be updated on-chain instead of relying on a punishment mechanism.&lt;br/&gt;&amp;gt; Benefits of this scheme include but are not limited to easier watchtower&lt;br/&gt;&amp;gt; implementations, static partial backups, and multi-party channels.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Smart Contracts Unchained (SCU)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I strongly recommend the reader read this write up by ZmnSCPxj before&lt;br/&gt;&amp;gt; continuing &lt;a href=&#34;https://zmnscpxj.github.io/bitcoin/unchained.html&#34;&gt;https://zmnscpxj.github.io/bitcoin/unchained.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; At a high level the idea is to use a participant-chosen &amp;#34;federation&amp;#34; of&lt;br/&gt;&amp;gt; &amp;#34;escrows&amp;#34; which can be thought of as virtual machines which understand&lt;br/&gt;&amp;gt; contracts written in some language and which enforce said contracts by&lt;br/&gt;&amp;gt; giving users signatures of transactions that are produced by these&lt;br/&gt;&amp;gt; contracts. A general goal of SCU is to be trust-minimizing and as private&lt;br/&gt;&amp;gt; as possible. For example, escrows should not be able to see that they are&lt;br/&gt;&amp;gt; being used if there are no disputes, among other considerations that can be&lt;br/&gt;&amp;gt; made to make SCU Escrows as oblivious as possible (discussed further below).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ## Proposal (Un-Optimized)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; At a high level, this proposal is to replace the use of ANYPREVOUT with a&lt;br/&gt;&amp;gt; federation of SCU Escrows which will enforce state updates by only&lt;br/&gt;&amp;gt; generating signatures to spend older states with newer ones.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I will work in the general context of multi-party channels but all of this&lt;br/&gt;&amp;gt; works just as well in two-party (Lightning) channels.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Say that we have N parties who wish to enter into a multi-party channel&lt;br/&gt;&amp;gt; (aka channel factory). Each participant has a public key P_i and together&lt;br/&gt;&amp;gt; they do a distributed key generation (DKG) of some kind to reach some&lt;br/&gt;&amp;gt; shared secret x (for example, each party contributes a commitment to a&lt;br/&gt;&amp;gt; random number and then that random number, MuSig style, and the sum of&lt;br/&gt;&amp;gt; these random numbers constitutes the shared secret). This x will be used to&lt;br/&gt;&amp;gt; derive a sequence of (shared) key pairs (x_k, X_k) (for example this can be&lt;br/&gt;&amp;gt; done by having x_k = PRNG(x, k)).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let State(k) be some agreed upon commitment of the channel state at update&lt;br/&gt;&amp;gt; k (for example, HMAC(k, kth State Tx outputs)). State(0) is a commitment to&lt;br/&gt;&amp;gt; 0 and the initial channel balances.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let Delta be some CSV timelock.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For the sake of simplicity, let us consider the case where only a single&lt;br/&gt;&amp;gt; SCU escrow is used which has public key E, but note that all of the&lt;br/&gt;&amp;gt; following can be extended to a threshold scheme of escrows. E_k will be&lt;br/&gt;&amp;gt; used to denote some tweak of E by State(k) similar to the tweak described&lt;br/&gt;&amp;gt; in SCU.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Transactions&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### Funding Transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Like all such schemes, the funding transaction is some transaction&lt;br/&gt;&amp;gt; containing an N-of-N multi-signature output with keys P_1, ..., P_N called&lt;br/&gt;&amp;gt; the funding output.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### Commitment Transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The commitment transaction spends the funding output and has a single&lt;br/&gt;&amp;gt; output which has two spending conditions: Either E_k and X_k sign OR all N&lt;br/&gt;&amp;gt; parties sign cooperatively after Delta.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### State Transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The state transaction spends the commitment transaction via the cooperative&lt;br/&gt;&amp;gt; branch and has (potentially many) outputs representing the current channel&lt;br/&gt;&amp;gt; state. For example there will be an output for each solvent participant in&lt;br/&gt;&amp;gt; this channel, as well as an output for ever contract living on this channel&lt;br/&gt;&amp;gt; (for instance, other smaller channels).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### Commitment Update Transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let k2 be some state where k2 &amp;gt; k.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The commitment update transaction spends either a commitment transaction&amp;#39;s&lt;br/&gt;&amp;gt; non-cooperative branch (E_k and X_k) or another commitment update&lt;br/&gt;&amp;gt; transaction&amp;#39;s non-time-locked branch, and has a single output which has two&lt;br/&gt;&amp;gt; spending conditions: Either E_k2 and X_k2 sign OR E_k2&amp;#39; and X_k2&amp;#39; sign&lt;br/&gt;&amp;gt; after Delta where those are tweaked keys in some way (to avoid signatures&lt;br/&gt;&amp;gt; generated for one case being used in the other).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### State Update Transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The state update transaction spends the commitment update transaction via&lt;br/&gt;&amp;gt; the time-locked branch and has outputs equal to those on the (k2)th state&lt;br/&gt;&amp;gt; transaction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Update Mechanism&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The update mechanism here is the same as would be expected for a&lt;br/&gt;&amp;gt; multi-party payment channel but with the added step that all parties must&lt;br/&gt;&amp;gt; sign the commitment State(k) before they sign State Transaction k.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Settlement&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### Cooperative (Normal Close)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As you might expect, cooperative closure is where a transaction is&lt;br/&gt;&amp;gt; cooperatively constructed which directly spends the on-chain funding UTXO&lt;br/&gt;&amp;gt; and outputs the current State Transaction&amp;#39;s outputs.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; #### Non-Cooperative (Force Close)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In any case where not all parties are able or willing to sign a cooperative&lt;br/&gt;&amp;gt; closing transaction, any party can broadcast the most recent commitment&lt;br/&gt;&amp;gt; transaction, which can then be spent by anyone broadcasting the most recent&lt;br/&gt;&amp;gt; state transaction after Delta.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If, at any time, any party broadcasts an old commitment transaction k &amp;lt; c,&lt;br/&gt;&amp;gt; any other party has until Delta to correct this mistake/attack. They do so&lt;br/&gt;&amp;gt; by going to the SCU Escrow and presenting all signatures of State(k) and of&lt;br/&gt;&amp;gt; State(c) which the Escrow verifies as well as verifying that k &amp;lt; c. Should&lt;br/&gt;&amp;gt; all of these things check out, the Escrow can construct a Commitment Update&lt;br/&gt;&amp;gt; Transaction (for (k, k2) = (k, c)) and the corresponding State Update&lt;br/&gt;&amp;gt; Transaction and sign both of these transactions using E. These signatures&lt;br/&gt;&amp;gt; (along with signatures from the shared keys X_k and X_c) can be used to&lt;br/&gt;&amp;gt; broadcast the commitment update transaction, and after Delta, the state&lt;br/&gt;&amp;gt; update transaction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If a commitment update transaction is broadcast for an old state c &amp;lt; c&amp;#39;,&lt;br/&gt;&amp;gt; then any party has until Delta to correct this mistake/attack. They do so&lt;br/&gt;&amp;gt; by following the same exact steps as in the previous paragraph but with k&lt;br/&gt;&amp;gt; &amp;lt;- c and c &amp;lt;- c&amp;#39; and where the Commitment Update Transaction spends the&lt;br/&gt;&amp;gt; previous Commitment Update Transaction instead of a Commitment Transaction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In this way any channel participant can unilaterally update the on-chain&lt;br/&gt;&amp;gt; commitment transaction until the most recent state is reached after which&lt;br/&gt;&amp;gt; Delta will pass and a State Update Transaction with the current state will&lt;br/&gt;&amp;gt; be valid to broadcast.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ## Optimizations and Open Details&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Multiple Escrows&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The above can be done with some user-chosen federation with some threshold&lt;br/&gt;&amp;gt; by replacing E above with a threshold condition using many escrow public&lt;br/&gt;&amp;gt; keys. Doing so with as large and diverse a federation as possible is&lt;br/&gt;&amp;gt; strongly encouraged as it reduces the likelihood that the federation will&lt;br/&gt;&amp;gt; be bribed to spend the non-time-locked branch of the commitment transaction&lt;br/&gt;&amp;gt; along with some channel participant directly. I believe it should&lt;br/&gt;&amp;gt; (hopefully) be possible to make such an attack traceable (i.e. provide&lt;br/&gt;&amp;gt; proof that this happened in an illegal way) so that attacked parties can&lt;br/&gt;&amp;gt; prove that Escrows have been malicious.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Taproot&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As is mentioned in SCU, the escrow scheme is made much better (especially&lt;br/&gt;&amp;gt; in the multi-escrow case) by Taproot and the above scheme using SCU is&lt;br/&gt;&amp;gt; improved even further as all outputs are bi-conditional and these two&lt;br/&gt;&amp;gt; conditions can be separated into different merkle branches to increase&lt;br/&gt;&amp;gt; privacy and fungibility.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### What is given to the Escrow? (aka Blinding / ZKP)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In the above proposal, virtually all information about the channel, as well&lt;br/&gt;&amp;gt; as how to find it on chain, is given to the escrow(s). This is really bad,&lt;br/&gt;&amp;gt; and luckily it is avoidable! In principal we want Escrows to do nothing but&lt;br/&gt;&amp;gt; (potentially many) random looking simple computations on random looking&lt;br/&gt;&amp;gt; inputs to generate random looking outputs. The algorithm given the the&lt;br/&gt;&amp;gt; Escrow is currently:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Inputs =&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * output to spend (either a commitment output or a commitment update output)&lt;br/&gt;&amp;gt; * State(k) corresponding to that output&lt;br/&gt;&amp;gt; * signatures of State(k)&lt;br/&gt;&amp;gt; * State(c) with c &amp;gt; k&lt;br/&gt;&amp;gt; * signatures of State(c)&lt;br/&gt;&amp;gt; * N public keys&lt;br/&gt;&amp;gt; * Relevant shared public keys&lt;br/&gt;&amp;gt; * Delta&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Output = If any signature is invalid or c &amp;lt;= k, FAIL. Otherwise, generate a&lt;br/&gt;&amp;gt; digital signature using E with some tweak (as a function of inputs) and of&lt;br/&gt;&amp;gt; some hash (as a function of inputs).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As such, I will first note that the verification part of this algorithm&amp;#39;s&lt;br/&gt;&amp;gt; execution is linear time and so there must be a way to do it in Zero&lt;br/&gt;&amp;gt; Knowledge. Specifically I believe this should be &amp;#34;as simple as&amp;#34; blinding&lt;br/&gt;&amp;gt; all state inputs with random tweaks and blinding signatures of these states&lt;br/&gt;&amp;gt; in the corresponding way (this may require that the signatures given by all&lt;br/&gt;&amp;gt; parties during updates actually be altered in some way to make this work).&lt;br/&gt;&amp;gt; Furthermore I think it should be possible (at least in theory it seems&lt;br/&gt;&amp;gt; plausible to me) that all inputs can be hidden/blinded/tweaked and the&lt;br/&gt;&amp;gt; Escrow performs some computations on these random looking inputs resulting&lt;br/&gt;&amp;gt; in either a FAIL, or in further random looking computation using E (likely&lt;br/&gt;&amp;gt; requiring some ZKP inputs proving that the calling party has followed some&lt;br/&gt;&amp;gt; set of rules) to generate a blinded signature which can then be unblinded&lt;br/&gt;&amp;gt; by the caller to receive a valid digital signature usable to enforce the&lt;br/&gt;&amp;gt; above proposal.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Please note that I do not have these details worked out in any meaningful&lt;br/&gt;&amp;gt; way (and probably won&amp;#39;t be able to do so, would love if someone more apt in&lt;br/&gt;&amp;gt; this area would give this some thought!), but also that while this vastly&lt;br/&gt;&amp;gt; improves the privacy and security of this scheme, it isn&amp;#39;t strictly&lt;br/&gt;&amp;gt; speaking a necessary optimization if you are willing to place more trust&lt;br/&gt;&amp;gt; and be less private with Escrows.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### Fees&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I have given no thought to transaction fees in the above and I&amp;#39;m sure there&lt;br/&gt;&amp;gt; are a bunch of ways to do them wrong but I&amp;#39;m hoping that it is possible to&lt;br/&gt;&amp;gt; add anchor outputs or whatever other alterations need to occur to allow fee&lt;br/&gt;&amp;gt; considerations to work out.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I hope people find this proposal interesting! In theory it could be&lt;br/&gt;&amp;gt; implemented on today&amp;#39;s Bitcoin (though I will not have time to work on this&lt;br/&gt;&amp;gt; in the foreseeable future, but would be happy to help anyone who would want&lt;br/&gt;&amp;gt; to try to do this)!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Best,&lt;br/&gt;&amp;gt; Nadav&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:00:49Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsf4qc86ex837585dh99h7k0slrqm756yp7wejy3t0wwp9eszqk7fczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w07gkeu</id>
    
      <title type="html">📅 Original date posted:2020-07-29 📝 Original message: It ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsf4qc86ex837585dh99h7k0slrqm756yp7wejy3t0wwp9eszqk7fczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w07gkeu" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstd08zn3j8dcr53wpmlfa7wcdgte6mzugv58wm533azgdz2t494pqqs6286&#39;&gt;nevent1q…6286&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-07-29&lt;br/&gt;📝 Original message:&lt;br/&gt;It might be worth mentioning here that the wormhole attack can also just&lt;br/&gt;be considered a more efficient way of routing a payment over fewer hops,&lt;br/&gt;freeing funds in channels that have been skipped by failing them even&lt;br/&gt;though the overall payment has not been completed.&lt;br/&gt;&lt;br/&gt;This is why I hesitate to even call it an attack in the first place: if&lt;br/&gt;the skipped hops free the HTLCs, which the skipping entity that controls&lt;br/&gt;both endpoints of the shortcut is encouraged to in order to free its own&lt;br/&gt;reserved funds, we are increasing the efficiency of the network.&lt;br/&gt;&lt;br/&gt;As ZmnSCPxj correctly points out this requires the attacker to be able&lt;br/&gt;to collate HTLCs, which goes away with PTLCs. However even today we&amp;#39;re&lt;br/&gt;not worse off by nodes exploiting this.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&amp;gt; Good morning Ankit,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I believe what you describe is a specific form of what is called the Wormhole attack.&lt;br/&gt;&amp;gt; In the general form, the Wormhole attack has two forwarding nodes in a path that are coordinating with each other, and they can &amp;#34;teleport&amp;#34; the preimage from one to the other, skipping intermediate forwarding nodes.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The case you describe is the specific case where one of the nodes performing this attack on a path is the payee itself.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; What is stolen here is not the payment amount, but the fees that the &amp;#34;skipped&amp;#34; forwarding nodes should have earned for honestly forwarding.&lt;br/&gt;&amp;gt; On the other hand, in that case, it is simply a form of the griefing attack: C and E are able to  cause D to lock its funds into HTLCs without earning fees, but C and E can mount that attack at any time regardless of A or B anyway, so it is not an additional attack surface on D.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; At a high level, this attack is not a concern.&lt;br/&gt;&amp;gt; As long as A is able to acquire the preimage, it has proof of payment, and it is immaterial *how* A managed to get the preimage, as Rene describes.&lt;br/&gt;&amp;gt; Even if E claims that it did not deliberately give the preimage and that it was hacked by C, then it is C who is liable, in which case C and E, being a cooperating team, have gained nothing at all (and just made C angry at E for throwing C under the bus).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Basically, the preimage *is* the proof.&lt;br/&gt;&amp;gt; There are only two things you need to do:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Ensure that invoices are signed by E (meaning E agreed to perform some service if the preimage is revealed by anyone).&lt;br/&gt;&amp;gt;   BOLT11 already requires this.&lt;br/&gt;&amp;gt; * Ensure that invoices indicate *who exactly* is going to get the service or product.&lt;br/&gt;&amp;gt;   Since the preimage is learned by every intermediate hop, it cannot be a bearer certificate, so it must indicate specifically that the beneficiary of the product or service will be A.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; With the above, A can be sure that paying in exchange for getting the preimage, is a binding contract on the service indicated by the invoice.&lt;br/&gt;&amp;gt; The preimage and the invoice (that has a signature from E), are sufficient to show that E has an obligation to provide a service or product to A.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The wormhole attack (which steals fees from D) is fixed by using PTLCs and blinding factors.&lt;br/&gt;&amp;gt; E learns the total of all blinding factors, and knows the final scalar, but does not know the blinding factor delta from C to E, and thus cannot give C any information on how to claim the funds.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hey Ankit, &lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The lightning network sees the possession of a preimage as a proof of payment. And I believe everyone agrees that a court should rule in favor of A forcing E to deliver the good or reimburse A. The reason is that possession of the preimage matching the signed payment hash from E is a much stronger evidence of A actually having paid than E claiming to not have received anything. &lt;br/&gt;&amp;gt;&amp;gt; This is also due to the fact that guessing the preimage can practically be considered impossible (though there is a tiny likelihood) &lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; If E breaches the protocol by giving the preimage to C (for free) instead of claiming the money from D (and thus settling the Htlc) it will be considered E&amp;#39;s problem, that E did not get reimbursed but just gave out the preimage for free. (actually E&amp;#39;s so called &amp;#34;partner in crime&amp;#34; did get reimbursed). Even if D would testify that E never settled the Htlc one would wonder why E never settled the incoming htlc as they should only have created a payment hash for which they know the preimage. Since A can actually provide one it is again unlikely if E for example claims they just used a random hash for which they didn&amp;#39;t know the preimage because they wanted to just see if A has enough liquidity. &lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; With kind regards Rene&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Ankit Gangwal &amp;lt;A.Gangwal at tudelft.nl&amp;gt; schrieb am Fr., 17. Juli 2020, 08:43:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Consider A wants to send some funds to E.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; They don’t have a direct payment channel among them. So, they use a following path A-B-C-D-E. A is the sender of payment and E is final recipient.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; E sends the hash of a secret r to A, A passes on the hash to B, B to C, C to D, and D to E.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; E discloses the secret to C (a partner in crime with E) and E do not respond to D. C gives the secret to B (settling the HTLC between them). Then, B gives the secret to A (settling the HTLC between them).&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; A sent (and lost) the money, as E denies receiving the money (and the promised service/good).&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; How the lightening network sees this? Out of their control?&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; --&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; A_G&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;  &lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:00:36Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgxkr3x750gycyhphns39hsrs8ate4qhtawgddmu9zyn66avhh6aczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfeewed</id>
    
      <title type="html">📅 Original date posted:2020-05-23 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgxkr3x750gycyhphns39hsrs8ate4qhtawgddmu9zyn66avhh6aczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfeewed" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqswmyyj94xskj6frzswxtu5lyfvv4vatlwl4lkjxlrv7u25hq95kqqu78k0k&#39;&gt;nevent1q…8k0k&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-05-23&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear Fellow Bolters,&lt;br/&gt;&lt;br/&gt;the next Lightning Network specification meeting will be this Monday at&lt;br/&gt;20:00 UTC [1]. The current agenda [2] is still a bit light on issues and&lt;br/&gt;PRs, which gives us some time to spend on longer term goals, and&lt;br/&gt;extended discussions. If there are issues that need to be discussed&lt;br/&gt;feel free to add them to the agenda (comment and I&amp;#39;ll add them to the&lt;br/&gt;list), otherwise it&amp;#39;d be good to read up on the longer term topics in&lt;br/&gt;the agenda.&lt;br/&gt;&lt;br/&gt;The current agenda looks like this at the moment:&lt;br/&gt;&lt;br/&gt;```markdown&lt;br/&gt;# Pull Request Review&lt;br/&gt; - Update BOLT 3 transaction test vectors to use static_remotekey #758&lt;br/&gt;&lt;br/&gt;# Long Term Updates&lt;br/&gt; - Trampoline routing #654 (@t-bast)&lt;br/&gt; - Mempool tx pinning attack (@ariard @TheBlueMatt)&lt;br/&gt; - Anchor outputs #688 (@joostjager)&lt;br/&gt; - Blinded paths #765 (@t-bast)&lt;br/&gt;&lt;br/&gt;# Backlog&lt;br/&gt;The following are topics that we should discuss at some point, so if we&lt;br/&gt;have time to discuss them great, otherwise they slip to the next&lt;br/&gt;meeting.&lt;br/&gt;&lt;br/&gt; - Upfront payments / DoS protection&lt;br/&gt; - Hornet (@cfromknecht)&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;See you all on Monday, and have a great weekend ^^&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://www.timeanddate.com/worldclock/converter.html?iso=20200525T200000&amp;amp;p1=195&amp;amp;p2=268&amp;amp;p3=179&amp;amp;p4=224&amp;amp;p5=248&amp;amp;p6=5&#34;&gt;https://www.timeanddate.com/worldclock/converter.html?iso=20200525T200000&amp;amp;p1=195&amp;amp;p2=268&amp;amp;p3=179&amp;amp;p4=224&amp;amp;p5=248&amp;amp;p6=5&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/issues/775&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/issues/775&lt;/a&gt;
    </content>
    <updated>2023-06-09T13:00:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvrvtwzag2kvtw69s4t5fsk00hzvc59kzzsar3y9fx44yuk2ycy3czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w05ea3x</id>
    
      <title type="html">📅 Original date posted:2020-02-28 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvrvtwzag2kvtw69s4t5fsk00hzvc59kzzsar3y9fx44yuk2ycy3czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w05ea3x" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs9euz2kmva7nmw8qfsq4t28dmux3phx6vh7lw5vzmqy5vchye7ynszz2esd&#39;&gt;nevent1q…2esd&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-02-28&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear Protocol Devs,&lt;br/&gt;&lt;br/&gt;start you text-editors, the next meeting is this Monday (2020/03/02),&lt;br/&gt;and to facilitate review and meeting preparations we have prepared a&lt;br/&gt;short agenda [1], this time brought to you by @t-bast, because I almost&lt;br/&gt;forgot :-)&lt;br/&gt;&lt;br/&gt;Below is a snapshot of the current agenda. Should there be any pull&lt;br/&gt;request, issue or topic missing, please reply either here, or on the&lt;br/&gt;issue on Github and we will add it if necessary.&lt;br/&gt;&lt;br/&gt;```markdown&lt;br/&gt;The meeting will take place on Monday 2020/03/02 on IRC [#lightning-dev](irc://chat.freenode.net/lightning-dev). It is open to the public.&lt;br/&gt;&lt;br/&gt;## Pull Request Review&lt;br/&gt;- [ ] Reply channel range simplification #737&lt;br/&gt;   - Adds details to the spec which were interpreted differently by the implementations.&lt;br/&gt;- [ ] BOLT11 additional and negative tests #736&lt;br/&gt;- [ ] Stuck channels: #740 and #750&lt;br/&gt;- [ ] Wumbo advisory for scaling confirmations: #746 &lt;br/&gt;- [ ] Quick follow-up on Gitbook #738 &lt;br/&gt;&lt;br/&gt;## Long Term Updates&lt;br/&gt;- [ ] Current status of the trampoline routing proposal (@t-bast)&lt;br/&gt;- [ ] Protocol testing framework (@rustyrussell). See the `tools/` and `tests/events` directories in [lightning-rfc-protocol-test](&lt;a href=&#34;https://github.com/ElementsProject/lightning-rfc-protocol-test&#34;&gt;https://github.com/ElementsProject/lightning-rfc-protocol-test&lt;/a&gt;) for details.&lt;br/&gt;- [ ] Rendez-vous (@cdecker and @t-bast)&lt;br/&gt;- [ ] How can we improve the gossip (`gossip_queries_ex`)? (@sstone )&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;In particular the rendez-vous routing and the trampoline routing&lt;br/&gt;proposals are slowly taking shape, so make sure to catch up on the&lt;br/&gt;discussions [2,3].&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/issues/744&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/issues/744&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://gist.github.com/t-bast/ab42a7f52eb2e73105557957c8359601&#34;&gt;https://gist.github.com/t-bast/ab42a7f52eb2e73105557957c8359601&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002565.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002565.html&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:59:07Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsp26738klc07ar0nl22e5slky46zy7rf0efh3p6dd7xu7kzs3xhcqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ws4tpxr</id>
    
      <title type="html">📅 Original date posted:2020-03-02 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsp26738klc07ar0nl22e5slky46zy7rf0efh3p6dd7xu7kzs3xhcqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ws4tpxr" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsfkeazgzgvunevq9haz3n4d9p6zkv6n835v94lz7e954rgl0jmfvqy9s6km&#39;&gt;nevent1q…s6km&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-03-02&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Bastien,&lt;br/&gt;&lt;br/&gt;thanks for verifying my proposal, and I do share your concerns regarding&lt;br/&gt;privacy leaks (how many hops are encoded in the onion) and success ratio&lt;br/&gt;if a payment is based on a fixed (partial) path.&lt;br/&gt;&lt;br/&gt;&amp;gt; I believe this makes it quite usable in Bolt 11 invoices, without blowing up&lt;br/&gt;&amp;gt; the size of the QR code (but more experimentation is needed on that).&lt;br/&gt;&lt;br/&gt;It becomes a tradeoff of how small you want your onion to be, and how&lt;br/&gt;many hops the partial onion can have. For longer partial onions we&amp;#39;re&lt;br/&gt;getting close to the current full onion size, but I expect most partial&lt;br/&gt;onion to be close to the network diameter of ~6 (excluding degerenate&lt;br/&gt;chains). So the example below with 5 hops seemed realistic, and dropping&lt;br/&gt;the legacy format in favor of TLVs we can get a couple of bytes back as&lt;br/&gt;well.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; As an example such an onion, with 5 legacy hops (65 byte each) results&lt;br/&gt;&amp;gt;&amp;gt; in a 325 &#43; 66 bytes onion, and we save 975 bytes.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; While having flexibility when choosing the length of the prefill&lt;br/&gt;&amp;gt; stream feels nice, wouldn&amp;#39;t it be safer to impose a fixed size to&lt;br/&gt;&amp;gt; avoid any kind of heuristic at `RV` to try to guess how many hops&lt;br/&gt;&amp;gt; there are between him and the recipient?&lt;br/&gt;&lt;br/&gt;I&amp;#39;m currently just using the maximum size, which is an obvious privacy&lt;br/&gt;leak, but I&amp;#39;m also planning on exposing the size to be prefilled, and&lt;br/&gt;hence cropped out when compressing, when generating. Ideally we&amp;#39;d have a&lt;br/&gt;couple of presets, i.e., 1/4, 2/4, 3/4, and adhere to them, randomizing&lt;br/&gt;which one we pick.&lt;br/&gt;&lt;br/&gt;Having smaller partial onions would enable my stretch goal of being able&lt;br/&gt;to chain multiple partial onions, though that might be a useless&lt;br/&gt;achievement to unlock xD&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Compute a shared secret using a random ephemeral private key and&lt;br/&gt;&amp;gt;&amp;gt; `RV`s public key, and then generate a prefill-key&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; While implementing, I felt that the part about the shared secret used&lt;br/&gt;&amp;gt; to generate the prefill stream is a bit blurry (your proposal on&lt;br/&gt;&amp;gt; Github doesn&amp;#39;t phrase it the same way). I think it&amp;#39;s important to&lt;br/&gt;&amp;gt; stress that this secret is derived from both `ephkey` and `RV`&amp;#39;s&lt;br/&gt;&amp;gt; private key, so that `RV&#43;1` can&amp;#39;t compute the same stream.&lt;br/&gt;&lt;br/&gt;I noticed the same while implementing the decompress stage, which&lt;br/&gt;requires the node ID from `RV` during generation, and performs ECDH &#43;&lt;br/&gt;HKDF with the `RV` node private and the ephemeral key in the *next*&lt;br/&gt;onion, i.e., the one extracted from the payload itself. This is&lt;br/&gt;necessary since the ephemeral key on the incoming onion, which delivered&lt;br/&gt;the partial onion in its payload is not controlled by the partial onion&lt;br/&gt;creator, while the one in the partial onion is.&lt;br/&gt;&lt;br/&gt;This means that the ephemeral key in the partial onion is used twice:&lt;br/&gt;&lt;br/&gt; - Once by `RV` to generate the obfuscation stream to fill in the gap&lt;br/&gt; - As part of the reconstructed onion, processed by `RV&#43;1` to decode the&lt;br/&gt;   onion.&lt;br/&gt;&lt;br/&gt;I&amp;#39;m convinced this is secure and doesn&amp;#39;t leak information since&lt;br/&gt;otherwise transporting the ephemeral key publicly would be insecure&lt;br/&gt;(`RV&#43;1` can&amp;#39;t generate the obfuscation secret used to fill in the gap&lt;br/&gt;without access to `RV`s private key), and the ephemeral key is only&lt;br/&gt;transmitted in cleartext once (from `RV` to `RV&#43;1`), otherwise it is&lt;br/&gt;hidden in the outer onion.&lt;br/&gt;&lt;br/&gt;&amp;gt; Another thing that may be worth mentioning is error forwarding. Since&lt;br/&gt;&amp;gt; the recipient generated the onion, `RV` won&amp;#39;t have the shared secrets&lt;br/&gt;&amp;gt; (that&amp;#39;s by design). So it&amp;#39;s expected that payment errors won&amp;#39;t be&lt;br/&gt;&amp;gt; readable by `RV`, but it&amp;#39;s probably a good idea if `RV` returns an&lt;br/&gt;&amp;gt; indication to the sender that the payment failed *after* the&lt;br/&gt;&amp;gt; rendezvous point.&lt;br/&gt;&lt;br/&gt;Indeed, this is pretty much by design, since otherwise the sender could&lt;br/&gt;provoke errors, e.g., consuming all of `RV`s outgoing capacity with&lt;br/&gt;probes to get back temporary channel failure errors for the channel that&lt;br/&gt;was encoded in the partial onion, and then do that iteratively until we&lt;br/&gt;have identified the real destination which we weren&amp;#39;t supposed to learn.&lt;br/&gt;&lt;br/&gt;So any error beyond `RV` should be treated by the sender as &amp;#34;rendez-vous&lt;br/&gt;failed, discard partial onion&amp;#34;.&lt;br/&gt;&lt;br/&gt;&amp;gt; An important side-note is that your proposal is really quick and&lt;br/&gt;&amp;gt; simple to implement from the existing Sphinx code. I have made ASCII&lt;br/&gt;&amp;gt; diagrams of the scheme (see [1]).  This may help readers visualize it&lt;br/&gt;&amp;gt; more easily.&lt;br/&gt;&lt;br/&gt;I quickly skimmed the drawings and they&amp;#39;re very nice to understand how&lt;br/&gt;regions overlap, that was my main problem with the whole sphinx&lt;br/&gt;construction, so thanks for taking the time :&#43;1:&lt;br/&gt;&lt;br/&gt;&amp;gt; It still has the issue that each hop&amp;#39;s amount/cltv is fixed at invoice&lt;br/&gt;&amp;gt; generation time by the recipient. That means MPP cannot be used, and&lt;br/&gt;&amp;gt; if any channel along the path updates their fee the partial onion&lt;br/&gt;&amp;gt; becomes invalid (unless you overpay the fees).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Trampoline should be able to address that since it provides more&lt;br/&gt;&amp;gt; freedom to each trampoline node to find an efficient way to forward to&lt;br/&gt;&amp;gt; the next trampoline.  It&amp;#39;s not yet obvious to me how I can mix these&lt;br/&gt;&amp;gt; two proposals to make it work though.  I&amp;#39;ll spend more time&lt;br/&gt;&amp;gt; experimenting with that.&lt;br/&gt;&lt;br/&gt;True, I think rendez-vous routing have some use-cases, but routing in&lt;br/&gt;the public network seems a bit brittle. It is definitely not MPP&lt;br/&gt;compliant since the sphinx constructions says that each shared secret&lt;br/&gt;should be blacklisted after use, and if we were to use the partial onion&lt;br/&gt;on multiple path we&amp;#39;d be bound to use the same shared secret for the&lt;br/&gt;subpaths contained in the partial onion.&lt;br/&gt;&lt;br/&gt;I&amp;#39;ve been mostly thinking about systems in which you can guarantee&lt;br/&gt;stability, e.g., in a subnetwork controlled by the recipient, but to&lt;br/&gt;hide any internal routing decisions. That&amp;#39;d be similar to a supercharged&lt;br/&gt;routing hint basically, without revealing the internal structure.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:59:07Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsryv9hfzra53fkmzdlagef2dy2h2fafdwx8wxxvtcrf8h6fuwg40gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wv8psgk</id>
    
      <title type="html">📅 Original date posted:2020-02-24 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsryv9hfzra53fkmzdlagef2dy2h2fafdwx8wxxvtcrf8h6fuwg40gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wv8psgk" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspxw8kd6ylx7nf7sankwq4wrq9dwedf94uwf80pjkhrjhl4qss05qgkat53&#39;&gt;nevent1q…at53&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-02-24&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Bastien,&lt;br/&gt;&lt;br/&gt;seems you were a bit quicker than I was with my writeup of my&lt;br/&gt;proposal. I came up with a scheme that allows us to drop a large part of&lt;br/&gt;the partial onion, so that it can indeed fit into an outer onion, and&lt;br/&gt;the rendez-vous node RV can re-construct the original packet from the&lt;br/&gt;included data [1].&lt;br/&gt;&lt;br/&gt;The construction comes down to initializing the part of the routing info&lt;br/&gt;string that is not going to be used, in such a way that the incremental&lt;br/&gt;unwrappings at the nodes in the partial onion cancels out. Like you&lt;br/&gt;mentioned in your mail it comes down extending the filler generation to&lt;br/&gt;also cover the unused part and then applying all the encryption streams&lt;br/&gt;xored to the unused space. By doing this we get the middle part of the&lt;br/&gt;onion consisting of only 0x00 bytes.&lt;br/&gt;&lt;br/&gt;I then decided to apply an additional ChaCha20 stream to this prefill,&lt;br/&gt;such that the onion will not consist of mostly 0x00 bytes which would be&lt;br/&gt;a dead giveaway to `RV&#43;1` that `RV` was a rendez-vous node.&lt;br/&gt;&lt;br/&gt;The process for the partial onion creator boils down to:&lt;br/&gt;&lt;br/&gt; - Compute a path from `RV` of its choice to recipient `R`.&lt;br/&gt; - Compute a shared secret using a random ephemeral private key and&lt;br/&gt;  `RV`s public key, and then generate a prefill-key&lt;br/&gt; - Compute the prefill by combining the correct substrings of the&lt;br/&gt;   encryption streams for the nodes along the path, then add the&lt;br/&gt;   ChaCha20 stream keyed with the prefill-key.&lt;br/&gt; - Wrap the onion, including payloads for each of the nodes along path&lt;br/&gt;   `RV` to `R`&lt;br/&gt; - Trim out the unused space, which now will match the obfuscation&lt;br/&gt;   stream generated with the prefill-key&lt;br/&gt;&lt;br/&gt;As an example such an onion, with 5 legacy hops (65 byte each) results&lt;br/&gt;in a 325 &#43; 66 bytes onion, and we save 975 bytes. See [2] for an example&lt;br/&gt;of how this looks like.&lt;br/&gt;&lt;br/&gt;The sender `S` then just does the following:&lt;br/&gt;&lt;br/&gt; - Compute a route from `S` to `RV`&lt;br/&gt; - Build an onion with the route, specifying the trimmed partial onion&lt;br/&gt;   as payload, along with the usual parameters, for `RV`&lt;br/&gt; - Initiate payment with the constructed onion&lt;br/&gt;&lt;br/&gt;Upon receiving an incoming HTLC with a partial onion the rendez-vous&lt;br/&gt;node `RV` then just does the following:&lt;br/&gt;&lt;br/&gt; - Verify all parameters as usual&lt;br/&gt; - Extract the partial onion&lt;br/&gt; - Use the ephemeral key from the partial onion to generate the shared&lt;br/&gt;   secret and the prefill key&lt;br/&gt; - Generate the prefill stream and insert it in the correct place,&lt;br/&gt;   before the HMAC. This reconstitutes the original routing packet&lt;br/&gt; - Swap out the original onion with the reconstituted onion and forward.&lt;br/&gt;&lt;br/&gt;My writeup [1] is an early draft, but I wanted to get it out early to&lt;br/&gt;give the discussion a basis to work off. I&amp;#39;ll revisit it a couple of&lt;br/&gt;times before opening a PR, but feel free to shout at me if I have&lt;br/&gt;forgotten to consider something :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/blob/rendez-vous/proposals/0001-rendez-vous.md&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/blob/rendez-vous/proposals/0001-rendez-vous.md&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://gist.github.com/cdecker/ec06452bc470749d9f6d2de73651c5fd&#34;&gt;https://gist.github.com/cdecker/ec06452bc470749d9f6d2de73651c5fd&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Bastien TEINTURIER via Lightning-dev&lt;br/&gt;&amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; After exploring decoys [1], which is a cheap way of doing route blinding,&lt;br/&gt;&amp;gt; I&amp;#39;m turning back to exploring rendezvous.&lt;br/&gt;&amp;gt; The previous mails on the mailing list mentioned that there was a&lt;br/&gt;&amp;gt; technicality&lt;br/&gt;&amp;gt; to make the HMACs check out, but didn&amp;#39;t provide a lot of details.&lt;br/&gt;&amp;gt; The issue is that the filler generation needs to take into account some hops&lt;br/&gt;&amp;gt; that will be added *later*, by the payer.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However it is quite easy to work-around, with a few space trade-offs.&lt;br/&gt;&amp;gt; Let&amp;#39;s consider a typical rendezvous setup, where Alice wants to be paid via&lt;br/&gt;&amp;gt; rendezvous Bob, and Carol wants to pay that invoice:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Carol -&amp;gt; ... -&amp;gt; Bob -&amp;gt; ... -&amp;gt; Alice&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If Alice knows how many bytes Carol is going to use for her part of the&lt;br/&gt;&amp;gt; onion&lt;br/&gt;&amp;gt; payloads, Alice can easily take them into account when generating her&lt;br/&gt;&amp;gt; filler by&lt;br/&gt;&amp;gt; pre-pending the same amount of `0` bytes. It seems reasonable to impose a&lt;br/&gt;&amp;gt; fixed&lt;br/&gt;&amp;gt; number of onion bytes for each side of the rendezvous (650 each?) so Alice&lt;br/&gt;&amp;gt; would&lt;br/&gt;&amp;gt; know that amount.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; When Carol completes the onion with her part of the route, she simply needs&lt;br/&gt;&amp;gt; to&lt;br/&gt;&amp;gt; generate filler data for her part of the route following the normal Sphinx&lt;br/&gt;&amp;gt; protocol&lt;br/&gt;&amp;gt; and apply it to the onion she found in the invoice.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But the tricky part is that she needs to give Bob a way of generating the&lt;br/&gt;&amp;gt; same&lt;br/&gt;&amp;gt; filler data to unapply it. Then all HMACs correctly check out.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I see two ways of doing that:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Carol simply sends that filler (650 bytes), probably via a TLV in&lt;br/&gt;&amp;gt; `update_add_htlc`.&lt;br/&gt;&amp;gt; This means every intermediate hop needs to forward that, which is painful&lt;br/&gt;&amp;gt; and&lt;br/&gt;&amp;gt; potentially leaking too much data.&lt;br/&gt;&amp;gt; * Carol provides Bob with the rho keys used to generate her filler, and the&lt;br/&gt;&amp;gt; length&lt;br/&gt;&amp;gt; used by each hop. This leaks to Bob an upper bound on the number of hops&lt;br/&gt;&amp;gt; and the&lt;br/&gt;&amp;gt; number of bytes sent to each hop.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Since shift-and-xor kind of crypto is hard to read as equations, but very&lt;br/&gt;&amp;gt; easy to&lt;br/&gt;&amp;gt; read as diagrams, I spent a bit of time doing beautiful ASCII art [2].&lt;br/&gt;&amp;gt; Don&amp;#39;t hesitate&lt;br/&gt;&amp;gt; to have a look at it to find more details about how that works. You can&lt;br/&gt;&amp;gt; also print&lt;br/&gt;&amp;gt; that on t-shirts to look fancy at conferences. I also have some sample code&lt;br/&gt;&amp;gt; working&lt;br/&gt;&amp;gt; in eclair [3] for those who can read Scala without getting headaches.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Are there other tricks we can use to reconcile both sides of the onion at&lt;br/&gt;&amp;gt; Bob&amp;#39;s?&lt;br/&gt;&amp;gt; Maybe cdecker (or someone else) has an ace up his sleeve for me there? :)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; One important thing to note is that rendezvous on normal onions will be&lt;br/&gt;&amp;gt; costly to&lt;br/&gt;&amp;gt; integrate into invoices: it takes 1366 bytes to include one onion, and if&lt;br/&gt;&amp;gt; we want&lt;br/&gt;&amp;gt; to handle route failures or let the sender use multi-part, we will need to&lt;br/&gt;&amp;gt; have a&lt;br/&gt;&amp;gt; handful of pre-encrypted onions in the invoice (hence a few kB, which may&lt;br/&gt;&amp;gt; not be&lt;br/&gt;&amp;gt; practical for QR codes).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But I did mention before that doing rendezvous on the trampoline onion&lt;br/&gt;&amp;gt; could have&lt;br/&gt;&amp;gt; better properties [4]. When doing that, having Carol transmit her filler&lt;br/&gt;&amp;gt; data only&lt;br/&gt;&amp;gt; to Bob, via the outer onion payload becomes practical and doesn&amp;#39;t leak&lt;br/&gt;&amp;gt; information.&lt;br/&gt;&amp;gt; Multi-part would work with a single trampoline onion in the invoice (~500&lt;br/&gt;&amp;gt; bytes),&lt;br/&gt;&amp;gt; because nodes can do MPP between trampoline nodes thanks to the&lt;br/&gt;&amp;gt; onion-in-onion&lt;br/&gt;&amp;gt; construction. We simply need to decide the size of the trampoline onion to&lt;br/&gt;&amp;gt; allow&lt;br/&gt;&amp;gt; each side of the rendezvous to be able to insert a number of hops we&amp;#39;re&lt;br/&gt;&amp;gt; comfortable&lt;br/&gt;&amp;gt; with. You can find more details in the &amp;#34;Rendezvous on a trampoline&amp;#34; section&lt;br/&gt;&amp;gt; of [2].&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I&amp;#39;m really interested in other approaches to making rendezvous work with&lt;br/&gt;&amp;gt; the HMACs&lt;br/&gt;&amp;gt; correctly checking out. If people on this list have drafts, intuitions or&lt;br/&gt;&amp;gt; random&lt;br/&gt;&amp;gt; thoughts about possible constructions, please share them, I&amp;#39;d be happy to&lt;br/&gt;&amp;gt; dive into&lt;br/&gt;&amp;gt; them to explore alternatives to the one I found, hoping we can make this&lt;br/&gt;&amp;gt; work and&lt;br/&gt;&amp;gt; provide this feature to our users in the near future.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; A small side-note on Hornet. Hornet does offer many features that I believe&lt;br/&gt;&amp;gt; we will&lt;br/&gt;&amp;gt; want in Lightning in the future. It may seem that doing a custom rendezvous&lt;br/&gt;&amp;gt; scheme&lt;br/&gt;&amp;gt; is a waste of time since we&amp;#39;ll ditch it once/if we implement Hornet. While&lt;br/&gt;&amp;gt; that is&lt;br/&gt;&amp;gt; true in the long run, I believe that if we&amp;#39;re able to find a rendezvous&lt;br/&gt;&amp;gt; scheme that&lt;br/&gt;&amp;gt; isn&amp;#39;t too much work to implement, it makes sense to have something&lt;br/&gt;&amp;gt; available soon-ish.&lt;br/&gt;&amp;gt; Hornet will likely be a longer-term effort that we won&amp;#39;t get as soon as&lt;br/&gt;&amp;gt; we&amp;#39;d like&lt;br/&gt;&amp;gt; (especially since it will probably require a network-wide update). But who&lt;br/&gt;&amp;gt; knows, maybe&lt;br/&gt;&amp;gt; we may see that we are trying to create many features that are already&lt;br/&gt;&amp;gt; built into Hornet&lt;br/&gt;&amp;gt; (rendezvous, directed message support, etc) and will decide to implement&lt;br/&gt;&amp;gt; Hornet sooner&lt;br/&gt;&amp;gt; than expected?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Bastien&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [1]&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002435.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002435.html&lt;/a&gt;&lt;br/&gt;&amp;gt; [2] &lt;a href=&#34;https://gist.github.com/t-bast/ab42a7f52eb2e73105557957c8359601&#34;&gt;https://gist.github.com/t-bast/ab42a7f52eb2e73105557957c8359601&lt;/a&gt;&lt;br/&gt;&amp;gt; [3] &lt;a href=&#34;https://github.com/ACINQ/eclair/tree/sphinx-rendezvous&#34;&gt;https://github.com/ACINQ/eclair/tree/sphinx-rendezvous&lt;/a&gt;&lt;br/&gt;&amp;gt; [4]&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002237.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002237.html&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:59:04Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9s9lqk2z04njry2e7jh7re39r73v62sad53flfpffq2gaj8q9tyszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5mgzz4</id>
    
      <title type="html">📅 Original date posted:2020-02-21 📝 Original message: Rusty ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9s9lqk2z04njry2e7jh7re39r73v62sad53flfpffq2gaj8q9tyszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5mgzz4" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs84qtssgcxf0x3r6rfl4r998hlspz760lvcc36pkcfcplydvp3lvqjydftn&#39;&gt;nevent1q…dftn&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-02-21&lt;br/&gt;📝 Original message:&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Would it not be better to create a circular path?  By this I mean,&lt;br/&gt;&amp;gt;&amp;gt; Alice constructs an onion that overall creates a path from herself to&lt;br/&gt;&amp;gt;&amp;gt; Bob and back, ensuring different nodes on the forward and return&lt;br/&gt;&amp;gt;&amp;gt; directions.  The onion hop at Bob reveals that Bob is the chosen&lt;br/&gt;&amp;gt;&amp;gt; conversation partner, and Bob forwards its reply via the onion return&lt;br/&gt;&amp;gt;&amp;gt; path (that Alice prepared herself to get back to her via another&lt;br/&gt;&amp;gt;&amp;gt; path).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I like it!  The lack of &amp;#34;reply&amp;#34; function eliminates all storage&lt;br/&gt;&amp;gt; requirements for the intermediaries.  Unfortunately it&amp;#39;s not currently&lt;br/&gt;&amp;gt; possible to fit the reply onion inside the existing onion, but I know&lt;br/&gt;&amp;gt; Christian has a rabbit in his hat for this?&lt;br/&gt;&lt;br/&gt;I think circular payment really means an onion that is&lt;br/&gt;&lt;br/&gt;&amp;gt; A -&amp;gt; ... -&amp;gt; B -&amp;gt; ... -&amp;gt; A&lt;br/&gt;&lt;br/&gt;and not a reply onion inside of a forward onion.&lt;br/&gt;&lt;br/&gt;The problem with the circular path is that the &amp;#34;recipient&amp;#34; cannot add&lt;br/&gt;any reply without invalidating the HMACs on the return leg of the&lt;br/&gt;onion. The onion is fully predetermined by the sender, any malleability&lt;br/&gt;introduced in order to allow the recipient to reply poses a threat to&lt;br/&gt;the integrity of the onion routing, e.g., it opens us up to probing by&lt;br/&gt;fiddling with parts of the onion until the attacker identifies the&lt;br/&gt;location the recipient is supposed to put his reply into.&lt;br/&gt;&lt;br/&gt;As Rusty mentioned I have a construction of the onion routing packet&lt;br/&gt;that allows us to compress it in such a way that it fits inside of the&lt;br/&gt;payload itself. I&amp;#39;ll write up a complete proposal over the coming days,&lt;br/&gt;but the basic idea is to initialize the unused part of the onion in such&lt;br/&gt;a way that it cancels out the layers of encryption and the fully wrapped&lt;br/&gt;onion consists of all `0x00` bytes. These can then be removed resulting&lt;br/&gt;in a compressed onion, and the sender can simply add the padding 0x00&lt;br/&gt;bytes back to get the original, fully HMACd onion, and then send it like&lt;br/&gt;normal (there is an obfuscation step to hide the `0x00` bytes from the&lt;br/&gt;next hop, but more on this in the full rendez-vous proposal later).&lt;br/&gt;&lt;br/&gt;This rendez-vous construction is a bit more involved since we want to&lt;br/&gt;fit an onion into another onion of the same size. If we design a&lt;br/&gt;completely new messaging system, requiring end-to-end communication, it&lt;br/&gt;might be worth re-introducing the end-to-end payload which we removed in&lt;br/&gt;the routing onion. It&amp;#39;s a simply, variable or fixed length, payload,&lt;br/&gt;that is onion-decrypted at each hop and its contents are revealed to the&lt;br/&gt;destination (this is how onion routing usually works). Since that&lt;br/&gt;payload doesn&amp;#39;t have to adhere to the constraints of the routing onions&lt;br/&gt;(multiple payloads, one for each hop, and no special larger payload&lt;br/&gt;destined for the final recipient) this is both simpler, and would allow&lt;br/&gt;us to store a full, unmodified, return-onion in the end-to-end payload.&lt;br/&gt;&lt;br/&gt;Another advantage is that the end-to-end payload is not covered by the&lt;br/&gt;HMACs in the header, meaning that the recipient can construct a reply&lt;br/&gt;without having to modify (and invalidate) the routing onion. I guess&lt;br/&gt;this is going back to the roots of the Sphinx paper :-)&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Might be worth a consideration, as it seems to me like it&amp;#39;d be simpler&lt;br/&gt;:-) The downside of course is that we&amp;#39;d end up with two different onion&lt;br/&gt;constructions for different use-cases.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; After Alice receives the first message from Bob the circular&lt;br/&gt;&amp;gt;&amp;gt; &amp;#34;circuit&amp;#34; is established and they can continue to communicate using&lt;br/&gt;&amp;gt;&amp;gt; the same circuit: timing attacks are now &amp;#34;impossible&amp;#34; since Alice and&lt;br/&gt;&amp;gt;&amp;gt; Bob can be anywhere along the circle, even if two of the nodes in the&lt;br/&gt;&amp;gt;&amp;gt; circuit are surveillors cooperating with each other, the timing&lt;br/&gt;&amp;gt;&amp;gt; information they get is the distance between the surveillor nodes.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Of course, if a node in the circular path drops the circuit is&lt;br/&gt;&amp;gt;&amp;gt; disrupted, so any higher-level protocols on top of that should&lt;br/&gt;&amp;gt;&amp;gt; probably be willing to resume the conversation on another circular&lt;br/&gt;&amp;gt;&amp;gt; circuit.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My immediate purpose for this is for &amp;#34;offers&amp;#34; which cause a invoice&lt;br/&gt;&amp;gt; request, followed by an invoice reply.  This will probably be reused&lt;br/&gt;&amp;gt; once for the payment itself.  2 uses is not sufficient to justify&lt;br/&gt;&amp;gt; setting up a circuit, AFAICT.&lt;br/&gt;&lt;br/&gt;I know someone who is itching to implement hornet for these use-cases&lt;br/&gt;;-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:59:02Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsptjfg0tqwz5ftxwp7f7x5ed74twv6eyuq8u4q9atmr8w7gmsaefczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wtqdp59</id>
    
      <title type="html">📅 Original date posted:2020-02-14 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsptjfg0tqwz5ftxwp7f7x5ed74twv6eyuq8u4q9atmr8w7gmsaefczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wtqdp59" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsf60x3h4k5ndmt8ntz75xr5pqp7skzy3tyg438rc90e2etlxt9ghqftgc2x&#39;&gt;nevent1q…gc2x&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-02-14&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear Fellow Protocol Devs,&lt;br/&gt;&lt;br/&gt;the next meeting is this Monday (2020/02/17), and to facilitate review&lt;br/&gt;and meeting preparations we have prepared a short agenda [1].&lt;br/&gt;&lt;br/&gt;The open topic discussions during the last two iterations have been very&lt;br/&gt;interesting, albeit a bit long, so this time we decided to limit&lt;br/&gt;ourselves to just two topics, and track other topics of interest in a&lt;br/&gt;backlog section. If there is time we can start discussing entries from&lt;br/&gt;the backlog section, however it is likely better to concentrate well on&lt;br/&gt;a few topics rather than touching many briefly. Let me know if you&lt;br/&gt;agree, and of course any other feedback is more than welcome.&lt;br/&gt;&lt;br/&gt;The agenda is not yet final, so if there are topics people are eager to&lt;br/&gt;discuss please let me know either on GH or reply to this mail :-)&lt;br/&gt;&lt;br/&gt;So far the agenda looks as follows:&lt;br/&gt;&lt;br/&gt;```markdown&lt;br/&gt;The meeting will take place on Monday 2020/02/17 on IRC [#lightning-dev](irc://chat.freenode.net/lightning-dev). It is open to the public.&lt;br/&gt;&lt;br/&gt;## Pull Request Review&lt;br/&gt;- [ ] A home for BOLT #738&lt;br/&gt;- [ ] Reply channel range simplification #737&lt;br/&gt;- [ ] BOLT11 additional and negative tests #736&lt;br/&gt;- [ ] Avoid stuck channels after fee increase #740&lt;br/&gt;&lt;br/&gt;## Long Term Updates&lt;br/&gt;- [ ] Protocol testing framework (@rustyrussell). See the `tools/` and `tests/events` directories in [lightning-rfc-protocol-test](&lt;a href=&#34;https://github.com/ElementsProject/lightning-rfc-protocol-test&#34;&gt;https://github.com/ElementsProject/lightning-rfc-protocol-test&lt;/a&gt;) for details.&lt;br/&gt;- [ ] Poor man&amp;#39;s rendez-vous routing (@t-bast). See [mail by t-bast](&lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002519.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-February/002519.html&lt;/a&gt;) and [gist](&lt;a href=&#34;https://gist.github.com/t-bast/9972bfe9523bb18395bdedb8dc691faf&#34;&gt;https://gist.github.com/t-bast/9972bfe9523bb18395bdedb8dc691faf&lt;/a&gt;) for details. (Since this is a fresh proposal still in everybody&amp;#39;s mind this moved up the list to minimize loss of context).&lt;br/&gt;&lt;br/&gt;## Backlog&lt;br/&gt;The following are topics that we should discuss at some point, so if we have time to discuss them great, otherwise they slip to the next meeting.&lt;br/&gt;&lt;br/&gt;- [ ] Current status of the trampoline routing proposal (@t-bast)&lt;br/&gt;- [ ] How can we improve the gossip (gossip_queries_ex)? (@sstone )&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;Looking forward to Monday&amp;#39;s meeting :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/issues/735&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/issues/735&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:58:54Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsx96clenhdmxjukg78s6u2xj0mpzw3673swpwrusr9tmd2x9fygdczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wr7yhth</id>
    
      <title type="html">📅 Original date posted:2020-02-04 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsx96clenhdmxjukg78s6u2xj0mpzw3673swpwrusr9tmd2x9fygdczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wr7yhth" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsgeasej7pn8ytnpdnamryc07en2xl9yenzlxs3q8q9hevl2cph6ygvlwjxy&#39;&gt;nevent1q…wjxy&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-02-04&lt;br/&gt;📝 Original message:&lt;br/&gt;darosior via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi Pavol,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; 1) Is c-lightning going to support Sphinx or other form of&lt;br/&gt;&amp;gt;&amp;gt; spontaneous payments?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think cdecker is working on integrating keysend to his noise plugin&lt;br/&gt;&amp;gt; (&lt;a href=&#34;https://github.com/lightningd/plugins/pull/68&#34;&gt;https://github.com/lightningd/plugins/pull/68&lt;/a&gt;).&lt;br/&gt;&lt;br/&gt;The keysend functionality is implemented in the noise plugin and I am&lt;br/&gt;planning to pull the keysend part out of the plugin, since that part is&lt;br/&gt;really trivial to implement (`htlc_accepted` hook that checkes the&lt;br/&gt;payment_hash against the preimage in the onion, then tell `lightningd`&lt;br/&gt;to resolve directly).&lt;br/&gt;&lt;br/&gt;As a side note: Sphinx-send is a terrible misnomer, since sphinx is the&lt;br/&gt;name of our onion construction, keysend is the proper name to use in&lt;br/&gt;this case.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; 2) Can a lightning node (such as lnd or c-lightning) send a push&lt;br/&gt;&amp;gt;&amp;gt; notification (e.g. to a webhook) when it receives or routes a&lt;br/&gt;&amp;gt;&amp;gt; payment? If yes, is this notification cryptographically signed (for&lt;br/&gt;&amp;gt;&amp;gt; example with the node&amp;#39;s private key)? Is this documented somewhere?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; C-lightning sends notifications (and hooks, but it doesn&amp;#39;t seem to be&lt;br/&gt;&amp;gt; your usecase here) for typical events such as &amp;#34;I received an HTLC&lt;br/&gt;&amp;gt; !&amp;#34;. You can make a plugin which registers to these lightningd&lt;br/&gt;&amp;gt; notifications sends encrypted push notifs. Doc here&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lightning.readthedocs.io/PLUGINS.html#event-notifications&#34;&gt;https://lightning.readthedocs.io/PLUGINS.html#event-notifications&lt;/a&gt; :-).&lt;br/&gt;&lt;br/&gt;You can have a plugin subscribe to HTLC related events (such as&lt;br/&gt;`forward_event` [1], or `invoice_payment` [2], to get notified about&lt;br/&gt;forwardings or invoices being paid. What you do with that notification&lt;br/&gt;then is up to you. It could queue the event in kafka, call out to a&lt;br/&gt;webhook, or log a message with a log management system. You can&lt;br/&gt;arbitrarily transform the event in the plugin, including issuing calls&lt;br/&gt;to `signmessage` which will create a signature for the event message,&lt;br/&gt;thus allowing you to prove authenticity of the message. You&amp;#39;d most&lt;br/&gt;likely need to canonicalize the message before signing, since JSON is&lt;br/&gt;not the best format for canonical serialization, i.e., decoding and&lt;br/&gt;re-encoding can result in subtle changes, which could then fail&lt;br/&gt;signature verification, but that should not be a major issue.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:58:30Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs93aww2eya09y8e2cf7s9r20s8zcm0673qk69j2wrdhruv5ts55xqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wl25vfl</id>
    
      <title type="html">📅 Original date posted:2020-01-31 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs93aww2eya09y8e2cf7s9r20s8zcm0673qk69j2wrdhruv5ts55xqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wl25vfl" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstv5xwejy222am8glyg5yvnqrfmecy9spkcensexrm0phg9mlpqns6uaay7&#39;&gt;nevent1q…aay7&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-01-31&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear Fellow Protocol Devs,&lt;br/&gt;&lt;br/&gt;the next meeting is this Monday (2020/02/03), and to facilitate review&lt;br/&gt;and meeting preparations we have prepared a short agenda [1].&lt;br/&gt;&lt;br/&gt;We switched over to a Github issue to prepare the agenda, since we&lt;br/&gt;already heavily rely on the infrastructure for all of our other&lt;br/&gt;tasks. Since this requires a bit of curation to keep the top post&lt;br/&gt;updated I am curating the list based on feedback on the issue and in&lt;br/&gt;other places. If you think that there is an open issue, open pull&lt;br/&gt;request, or other topic that should be discussed next Monday please let&lt;br/&gt;me know and I&amp;#39;ll amend accordingly. Please let me know as soon as&lt;br/&gt;possible to give other devs a chance to catch up prior to the meeting.&lt;br/&gt;&lt;br/&gt;The current agenda looks like this:&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;```markdown&lt;br/&gt;# Pull Request Review&lt;br/&gt;- [ ] Single-option large channel proposal #596&lt;br/&gt;- [ ] BOLT 7: be more aggressive about sending our own gossip. #684&lt;br/&gt;- [ ] Bolt 1: Specify that extensions to existing messages must use TLV #714 (@t-bast)&lt;br/&gt; - Gossip channel queries&lt;br/&gt;   - [ ] BOLT7: reply_channel_range parameter #560&lt;br/&gt;   - [ ] BOLT 7: clarify how to decode empty arrays #729&lt;br/&gt;   - [ ] BOLT 7: clarify how to encode multiple `reply_channel_range` messages #730&lt;br/&gt;&lt;br/&gt;# Long Term Updates&lt;br/&gt;- [ ] Current status of the trampoline routing proposal (@t-bast)&lt;br/&gt;&lt;br/&gt;# Research&lt;br/&gt;- [ ] How can we improve the gossip (`gossip_queries_ex`)? (@t-bast)&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;Looking forward to Monday,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/issues/731&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/issues/731&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:58:29Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9xz2le38sqjf9g4k2jtl4xm0ss0k6h3m3uvgqjvk8tw27t84navgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wu8kfgr</id>
    
      <title type="html">📅 Original date posted:2020-01-29 📝 Original message: Matt ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9xz2le38sqjf9g4k2jtl4xm0ss0k6h3m3uvgqjvk8tw27t84navgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wu8kfgr" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsvvez57h4aqpnrx6mdzrfh75stj5s95eh6pjmnhacmxt54tjacs4gepezfy&#39;&gt;nevent1q…ezfy&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-01-29&lt;br/&gt;📝 Original message:&lt;br/&gt;Matt Corallo &amp;lt;lf-lists at mattcorallo.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Right, but there are approaches that are not as susceptible - an&lt;br/&gt;&amp;gt; obvious, albeit somewhat naive, approach would be to define a fixed and&lt;br/&gt;&amp;gt; proportional max fee, and pick a random (with some privacy properties eg&lt;br/&gt;&amp;gt; biasing towards old or good-reputation nodes, routing across nodes&lt;br/&gt;&amp;gt; hosted on different ISPs/Tor/across continents, etc) route that pays no&lt;br/&gt;&amp;gt; more than those fees unless no such route is available. You could&lt;br/&gt;&amp;gt; imagine hard-coding such fees to &amp;#34;fees that are generally available on&lt;br/&gt;&amp;gt; the network as observed in the real world&amp;#34;.&lt;br/&gt;&lt;br/&gt;This is sort of what we do already in c-lightning, namely we set up a&lt;br/&gt;fee budget of 0.5% and then select a random route within this&lt;br/&gt;constraint. On top we also fuzz the amount and other parameters within&lt;br/&gt;this range and similar ones in order to obfuscate the distance to the&lt;br/&gt;recipient, i.e., slightly overpaying the recipient, but simulating a&lt;br/&gt;shadow route.&lt;br/&gt;&lt;br/&gt;So while not fixed in the network, we built our own fuzzing on top of&lt;br/&gt;the real fees. The rationaly behind this is that users will simply not&lt;br/&gt;care to optimize down to the satoshi, and the resulting randomization&lt;br/&gt;helps privcay. We don&amp;#39;t have real numbers but recent research results&lt;br/&gt;show that attempting to squeeze the very last bit of fees out has a&lt;br/&gt;detrimental effect on sender-receiver-privcay (surprise...).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:58:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsyrzdm6c3hfwvvad3veltg6pmjcvvc7ufhx8ps3xv6rq5khwar7gczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wzvf70u</id>
    
      <title type="html">📅 Original date posted:2020-01-17 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsyrzdm6c3hfwvvad3veltg6pmjcvvc7ufhx8ps3xv6rq5khwar7gczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wzvf70u" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsfuvsaz0tedsxa92mtalg8pjnug47wl9hzey7qwcfecs8a0lnu7kg92vxmr&#39;&gt;nevent1q…vxmr&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2020-01-17&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear Fellow Protocol Devs,&lt;br/&gt;&lt;br/&gt;our next meeting is this Monday (2020/01/20) and I thought I&amp;#39;d try to&lt;br/&gt;follow up on my new years resolution to add some more structure to the&lt;br/&gt;spec meetings. I drafted an agenda for Monday [1], hoping to give&lt;br/&gt;everybody a couple of days before the meeting to get up to speed with&lt;br/&gt;the open Issues and Pull Requests that are going to be discussed. My&lt;br/&gt;hope is that this speeds up the actual process of agreeing or discarding&lt;br/&gt;individual proposals, and keep the short time we can meet as productive&lt;br/&gt;as possible.&lt;br/&gt;&lt;br/&gt;I kept the list of Issues and PRs short on purpose, to allow a good&lt;br/&gt;discussion, and reduce the ACK / NACK slog to a minimum. In addition I&lt;br/&gt;added a couple of items for longer term discussions.&lt;br/&gt;&lt;br/&gt;This week @niftynei and @t-bast have agreed to give a short status&lt;br/&gt;update on the dual-funding and the trampoline proposals respectively. I&lt;br/&gt;think we could add a discussion of research results to future meetings,&lt;br/&gt;to balance both short-term and long-term goals.&lt;br/&gt;&lt;br/&gt;The document is a tentative agenda, so if there&amp;#39;s something missing that&lt;br/&gt;should be discussed, or you think is urgent, please let me know as a&lt;br/&gt;comment in the document or here. However keep in mind that issues or PRs&lt;br/&gt;on the agenda should be actionable (not require more than ~5 minutes of&lt;br/&gt;discussion) :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://paper.dropbox.com/doc/Lightning-Spec-Meeting-20200120--AskYSrKxdj_MThuRPYLTRRhYAQ-SA160p27VepiVZcnbKcZE&#34;&gt;https://paper.dropbox.com/doc/Lightning-Spec-Meeting-20200120--AskYSrKxdj_MThuRPYLTRRhYAQ-SA160p27VepiVZcnbKcZE&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:58:10Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgc93atstxd9gjpz839y2zmhmsn8sl34dhagdas8n7r0ezwm5jqkgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5g7kqk</id>
    
      <title type="html">📅 Original date posted:2019-12-04 📝 Original message: (I ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgc93atstxd9gjpz839y2zmhmsn8sl34dhagdas8n7r0ezwm5jqkgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5g7kqk" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsptuztfew8wlhacv98sgpquvzcdgmm4c8q3rdnex5lwxcaqj6vjnqq6t4xx&#39;&gt;nevent1q…t4xx&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-12-04&lt;br/&gt;📝 Original message:&lt;br/&gt;(I wrote this a couple of days ago but forgot to send it, sorry for that)&lt;br/&gt;&lt;br/&gt;Hi Conner,&lt;br/&gt;&lt;br/&gt;thanks for looking into this. I hadn&amp;#39;t really thought too much about&lt;br/&gt;watchtowers while writing the paper, so there might definitely be things&lt;br/&gt;I hadn&amp;#39;t considered. I fail to see where the watchtower needs to&lt;br/&gt;generate the witness script if he&amp;#39;s given the update transaction and the&lt;br/&gt;matching settlement transaction (see deployment option 2 below).&lt;br/&gt;&lt;br/&gt;There are a couple of deployment options for watchtowers, from simple&lt;br/&gt;forward ratchetting to fully settling watchtowers. As you correctly&lt;br/&gt;point out if the watchtower just ratchets forward the state, all it&lt;br/&gt;needs is the latest update transaction that is bindable to any prior&lt;br/&gt;update transaction and therefore the per-channel state is a single&lt;br/&gt;update transaction. The channel operator would then come back at a later&lt;br/&gt;time, when the watchtower has ratchetted forward and prevented any cheat&lt;br/&gt;attempt by the counterparty and just release the latest settlement tx.&lt;br/&gt;&lt;br/&gt;This is the model I had in mind when writing since it has constant&lt;br/&gt;per-channel state on the watchtower independent of the number of updates&lt;br/&gt;and of the size of the state (HTLCs, simple outputs, ...)  attached to&lt;br/&gt;that settlement. This is safe since the operator knows when it has to&lt;br/&gt;check back in at the latest in order to settle HTLCs built on top since&lt;br/&gt;they have absolute locktimes (this is not true if we start building&lt;br/&gt;relative locktime things on top of eltoo channels, but let&amp;#39;s keep it&lt;br/&gt;simple for now).&lt;br/&gt;&lt;br/&gt;The second deployment option is to give the watchtower the settlement&lt;br/&gt;transaction along with the update transaction. The settlement&lt;br/&gt;transaction is fully signed and uses noinput/anyprevout to bind to the&lt;br/&gt;update, so the bundle of update and settlement transactions is&lt;br/&gt;broadcastable right away, no need to produce any scripts or&lt;br/&gt;signatures. This ensures that we at least drop the correct state&lt;br/&gt;on-chain, but comes at the cost of the watchtower learning intermediate&lt;br/&gt;states, or at least the size of the state (number of outputs) if we&lt;br/&gt;encrypt it.&lt;br/&gt;&lt;br/&gt;A third deployment option would be to allow the watchtower the ability&lt;br/&gt;to further settle things we built on top of the base eltoo contract,&lt;br/&gt;such as HTLCs, but at that point we are leaking a lot of information,&lt;br/&gt;watchtowers become very complex and we lose the flexibility of having&lt;br/&gt;clear layering.  If we are aiming for this third option indeed the&lt;br/&gt;watchtower would also need the ability to bind the HTLC settlement or&lt;br/&gt;whatever we build on top of eltoo, which implies they&amp;#39;d also use&lt;br/&gt;noinput/anyprevout, but that&amp;#39;s hardly an issue, as long as the binding&lt;br/&gt;is unique.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Conner Fromknecht &amp;lt;conner at lightning.engineering&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi all,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I recently revisited the eltoo paper and noticed some things related&lt;br/&gt;&amp;gt; watchtowers that might affect channel construction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Due to NOINPUT, any update transaction _can_ spend from any other, so&lt;br/&gt;&amp;gt; in theory the tower only needs the most recent update txn to resolve&lt;br/&gt;&amp;gt; any dispute.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In order to spend, however, the tower must also produce a witness&lt;br/&gt;&amp;gt; script which when hashed matches the witness program of the input. To&lt;br/&gt;&amp;gt; ensure settlement txns can only spend from exactly one update txn,&lt;br/&gt;&amp;gt; each update txn uses unique keys for the settlement clause, meaning&lt;br/&gt;&amp;gt; that each state has a _unique_ witness program.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Naively then a tower could store settlement keys for all states,&lt;br/&gt;&amp;gt; permitting it to reconstruct arbitrary witness scripts for any given&lt;br/&gt;&amp;gt; sequence of confirmed update txns.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So far, the only work around I’ve come up with to avoid this is to&lt;br/&gt;&amp;gt; give the tower an extended parent pubkey for each party, and then&lt;br/&gt;&amp;gt; derive non-hardened settlement keys on demand given the state numbers&lt;br/&gt;&amp;gt; that get confirmed. It&amp;#39;s not the most satisfactory solution though,&lt;br/&gt;&amp;gt; since leaking one hot settlement key now compromises all sibling&lt;br/&gt;&amp;gt; settlement keys.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Spending the unique witness programs is mentioned somewhat in section&lt;br/&gt;&amp;gt; 4.1.4, which refers to deriving keys via state numbers, but to me it&lt;br/&gt;&amp;gt; reads mostly from the PoV of the counterparties and not a third-party&lt;br/&gt;&amp;gt; service. Is requiring non-hardened keys a known consequence of the&lt;br/&gt;&amp;gt; construction? Are there any alternative approaches folks are aware of?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Conner&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:57:34Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsta5frd7xkad5fy90zr69mx7dfrm28eap9p0jrcyyp3tu729zp3yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9snm99</id>
    
      <title type="html">📅 Original date posted:2019-12-04 📝 Original message: That ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsta5frd7xkad5fy90zr69mx7dfrm28eap9p0jrcyyp3tu729zp3yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9snm99" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqst6penj20uh9448ghjez89gnm83wzyg7vtpufw9h6etv4pzs00z9g6z54ed&#39;&gt;nevent1q…54ed&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-12-04&lt;br/&gt;📝 Original message:&lt;br/&gt;That is correct, the chain of noinput/anyprevout transactions is broken&lt;br/&gt;as soon as the signers are online and can interactively bind and sign&lt;br/&gt;without noinput/anyprevout.&lt;br/&gt;&lt;br/&gt;Conner Fromknecht &amp;lt;conner at lightning.engineering&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good evening,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; I didn&amp;#39;t think this was the design.  The update transaction can spend any&lt;br/&gt;&amp;gt; prior, with a fixed script, due to NOINPUT.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; From my reading of the final construction, each update transaction has a&lt;br/&gt;&amp;gt; unique script to bind settlement transactions to exactly one update.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; My understanding is that this is not logically possible?&lt;br/&gt;&amp;gt; The update transaction has no fixed txid until it commits to a particular&lt;br/&gt;&amp;gt; output-to-be-spent, which is either the funding/kickoff txout, or a&lt;br/&gt;&amp;gt; lower-`nLockTime` update transaction output.&lt;br/&gt;&amp;gt;&amp;gt; Thus a settlement transaction *must* use `NOINPUT` as well, as it has no&lt;br/&gt;&amp;gt; txid it can spend, if it is constrained to spend a particular update&lt;br/&gt;&amp;gt; transaction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This is also my understanding. Any presigned descendants of a NOINPUT txn&lt;br/&gt;&amp;gt; must also use NOINPUT as well. This chain must continue until a signer is&lt;br/&gt;&amp;gt; online to bind a txn to a confirmed input. The unique settlement keys thus&lt;br/&gt;&amp;gt; prevent rebinding of settlement txns since NOINPUT with a shared script&lt;br/&gt;&amp;gt; would be too liberal.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Conner&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Mon, Dec 2, 2019 at 18:55 ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Good morning Rusty,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; Hi all,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; I recently revisited the eltoo paper and noticed some things related&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; watchtowers that might affect channel construction.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; Due to NOINPUT, any update transaction can spend from any other, so&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; in theory the tower only needs the most recent update txn to resolve&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; any dispute.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; In order to spend, however, the tower must also produce a witness&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; script which when hashed matches the witness program of the input. To&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; ensure settlement txns can only spend from exactly one update txn,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; each update txn uses unique keys for the settlement clause, meaning&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; that each state has a unique witness program.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; I didn&amp;#39;t think this was the design. The update transaction can spend&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; any prior, with a fixed script, due to NOINPUT.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; The settlement transaction does not use NOINPUT, and thus can only&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; spend the matching update.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; My understanding is that this is not logically possible?&lt;br/&gt;&amp;gt;&amp;gt; The update transaction has no fixed txid until it commits to a particular&lt;br/&gt;&amp;gt;&amp;gt; output-to-be-spent, which is either the funding/kickoff txout, or a&lt;br/&gt;&amp;gt;&amp;gt; lower-`nLockTime` update transaction output.&lt;br/&gt;&amp;gt;&amp;gt; Thus a settlement transaction *must* use `NOINPUT` as well, as it has no&lt;br/&gt;&amp;gt;&amp;gt; txid it can spend, if it is constrained to spend a particular update&lt;br/&gt;&amp;gt;&amp;gt; transaction.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Unless I misunderstand how update transactions work, or what settlement&lt;br/&gt;&amp;gt;&amp;gt; transactions are.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt; -- &lt;br/&gt;&amp;gt; —Sent from my Spaceship&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:57:33Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsqg9ncc6k9zdrx7ya978pxy879rnmxwm8mtrnd0u3gaz2jgya0sqszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wts77l7</id>
    
      <title type="html">📅 Original date posted:2019-12-04 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsqg9ncc6k9zdrx7ya978pxy879rnmxwm8mtrnd0u3gaz2jgya0sqszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wts77l7" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstqzxgwuu8pfnqmq5lzue0t66e6pfs79rhlhdcq4tymgg4wslrt0qw7argw&#39;&gt;nevent1q…argw&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-12-04&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&amp;gt; Good morning Rusty,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; ZmnSCPxj ZmnSCPxj at protonmail.com writes:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Good morning Rusty,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Hi all,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; I recently revisited the eltoo paper and noticed some things related&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; watchtowers that might affect channel construction.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Due to NOINPUT, any update transaction can spend from any other, so&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; in theory the tower only needs the most recent update txn to resolve&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; any dispute.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; In order to spend, however, the tower must also produce a witness&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; script which when hashed matches the witness program of the input. To&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; ensure settlement txns can only spend from exactly one update txn,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; each update txn uses unique keys for the settlement clause, meaning&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; that each state has a unique witness program.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; I didn&amp;#39;t think this was the design. The update transaction can spend&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; any prior, with a fixed script, due to NOINPUT.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; The settlement transaction does not use NOINPUT, and thus can only&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; &amp;gt; spend the matching update.&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; My understanding is that this is not logically possible?&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; You&amp;#39;re right, no wonder I missed this problem :(&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; OK, so we need to change the key(s) every time. Can we tweak it based&lt;br/&gt;&amp;gt;&amp;gt; on something the watchtower will know, i.e. something in the update tx&lt;br/&gt;&amp;gt;&amp;gt; itself? Obviously not the output, as that would create a circular&lt;br/&gt;&amp;gt;&amp;gt; dependency. Is there some taproot thing we can use to insert some&lt;br/&gt;&amp;gt;&amp;gt; noise in the input?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; You could always add a taproot branch with a `OP_RETURN &amp;lt;randomness&amp;gt;` tapscript, which can never be used (thus has no effect on the overall security), but can inject randomness to the outer taproot key.&lt;br/&gt;&amp;gt; This *is* secure, since bip-schnorr indicates that `e` is `h(R | P | m)`, with `P` being the pubkey itself, so that should be enough.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Or why not BIP32 derivation?&lt;br/&gt;&amp;gt; This should be just as secure.&lt;br/&gt;&lt;br/&gt;I still fail to see the issue, update_tx and settlement_tx are&lt;br/&gt;self-contained, and there is no need to recover the prevout scriptPubKey&lt;br/&gt;or any value therein. Are we talking about things built on top of eltoo?&lt;br/&gt;&lt;br/&gt;If that&amp;#39;s the case, we need to use noinput/anyprevout anyway, so why not&lt;br/&gt;just replicate the same logic and ship them bound correctly to the&lt;br/&gt;watchtower?&lt;br/&gt;&lt;br/&gt;I&amp;#39;d also argue that it&amp;#39;s not a watchtower&amp;#39;s job to finalize the entire&lt;br/&gt;off-chain contract. It&amp;#39;s main job is to watch the blockchain and react&lt;br/&gt;should anything trigger it, while anything we build on top likely has&lt;br/&gt;absolute locktimes (HTLCs have absolute timeouts), so it the client that&lt;br/&gt;knows when it has to check back in and settle anything that happened.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:57:33Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsrukgakxhfp9e53td9az4s8kuu7qcsu089u0jwnn6zq2y8we3adrqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wydh4et</id>
    
      <title type="html">📅 Original date posted:2019-10-03 📝 Original message: Chris ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsrukgakxhfp9e53td9az4s8kuu7qcsu089u0jwnn6zq2y8we3adrqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wydh4et" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsr0nren7yuj0787exp2jyyxtq2sgaytaaekh6xavjlgjk7um8gujqeu20dc&#39;&gt;nevent1q…20dc&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-03&lt;br/&gt;📝 Original message:&lt;br/&gt;Chris Stewart &amp;lt;chris at suredbits.com&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; I don&amp;#39;t find too compelling the potential problem of a &amp;#39;bad wallet&lt;br/&gt;&amp;gt; designer&amp;#39;, whether lazy or dogmatic, misusing noinput. I think there are&lt;br/&gt;&amp;gt; simpler ways to cut corners and there will always be plenty of good wallet&lt;br/&gt;&amp;gt; options people can choose.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In my original post, the business that I am talking about don&amp;#39;t use &amp;#34;off&lt;br/&gt;&amp;gt; the shelf&amp;#34; wallet options. It isn&amp;#39;t a &amp;#34;let&amp;#39;s switch from wallet A to wallet&lt;br/&gt;&amp;gt; B&amp;#34; kind of situation. Usually this involves design from ground up with&lt;br/&gt;&amp;gt; security considerations that businesses of scale need to consider (signing&lt;br/&gt;&amp;gt; procedures and key handling being the most important!).&lt;br/&gt;&lt;br/&gt;In this case I&amp;#39;d hope that the custom wallet designers/developers are&lt;br/&gt;well-versed in the issues they might encounter when implementing their&lt;br/&gt;wallet. This is especially true if they decide to opt into using some&lt;br/&gt;lesser known sighash flags, such as noinput, that come with huge warning&lt;br/&gt;signs (I forgot to mention that renaming noinput to noinput_dangerous is&lt;br/&gt;also still on the table).&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt;Because scripts signed with no_input signatures are only really exchanged&lt;br/&gt;&amp;gt; and used for off-chain negotiations, very few should ever appear on chain.&lt;br/&gt;&amp;gt; Those that do should represent non-cooperative situations that involve&lt;br/&gt;&amp;gt; signing parties who know not to reuse or share scripts with these public&lt;br/&gt;&amp;gt; keys again. No third party has any reason to spend value to a&lt;br/&gt;&amp;gt; multisignature script they don&amp;#39;t control, whether or not a no_input&lt;br/&gt;&amp;gt; signature exists for it.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Just because some one is your friend today, doesn&amp;#39;t mean they aren&amp;#39;t&lt;br/&gt;&amp;gt; necessarily your adversary tomorrow. I don&amp;#39;t think a signature being&lt;br/&gt;&amp;gt; onchain really matters, as you have to give it to your counterparty&lt;br/&gt;&amp;gt; regardless. How do you know your counterparty won&amp;#39;t replay that&lt;br/&gt;&amp;gt; SIGHASH_NOINPUT signature later? Offchain protocols shouldn&amp;#39;t rely on&lt;br/&gt;&amp;gt; &amp;#34;good-will&amp;#34; for their counter parties for security.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;As I mentioned before, I don&amp;#39;t think the lazy wallet designer advantage is&lt;br/&gt;&amp;gt; enough to justify the downsides of chaperone signatures. One additional&lt;br/&gt;&amp;gt; downside is the additional code complexity required to flag whether or not&lt;br/&gt;&amp;gt; a chaperone output is included. By comparison, the code changes for&lt;br/&gt;&amp;gt; creating a no_input digest that skips the prevout and prevscript parts of a&lt;br/&gt;&amp;gt; tx is much less intrusive and easier to maintain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;I want to second this. The most expensive part of wallet design is&lt;br/&gt;&amp;gt; engineering time. Writing code that uses a new sighash or a custom&lt;br/&gt;&amp;gt; script with a OP_CODE is a very large barrier to use. How many wallets&lt;br/&gt;&amp;gt; support multisig or RBF? How much BTC has been stolen over the entire&lt;br/&gt;&amp;gt; history of Bitcoin because of sighash SIGHASH_NONE or SIGHASH_SINGLE&lt;br/&gt;&amp;gt; vs ECDSA nonce reuse&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I actually think lazy wallet designer is a really compelling reason to fix&lt;br/&gt;&amp;gt; footguns in the bitcoin protocol. Mt Gox is allegedly a product of lazy&lt;br/&gt;&amp;gt; wallet design. Now we have non-malleable transactions in the form of segwit&lt;br/&gt;&amp;gt; (yay!) that prevent this exploit. We can wish that the Mt Gox wallet&lt;br/&gt;&amp;gt; designers were more aware of bitcoin protocol vulnerabilities, but at the&lt;br/&gt;&amp;gt; end of the day the best thing to do was offering an alternative that&lt;br/&gt;&amp;gt; circumvents the vulnerability all together.&lt;br/&gt;&lt;br/&gt;It&amp;#39;s worth pointing out that the transaction malleability issue and the&lt;br/&gt;introduction of a new sighash flag are fundamentally different: a wallet&lt;br/&gt;developer has to take active measures to guard against transaction&lt;br/&gt;malleability since it was present even for the most minimal&lt;br/&gt;implementation, whereas with sighash flags the developers have to&lt;br/&gt;actively add support for it. Where transaction malleability you just had&lt;br/&gt;to know that it might be an issue, with noinput you actively have to do&lt;br/&gt;work yo expose yourself to it.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d argue that you have to have a very compelling reason to opt into&lt;br/&gt;supporting noinput, and that&amp;#39;s usually because you want to support a&lt;br/&gt;more complex protocol such as an off-chain contract anyway, at which&lt;br/&gt;point I&amp;#39;d hope you know about the tradeoffs of various sighash flags :-)&lt;br/&gt;&lt;br/&gt;&amp;gt; Ethan made a great point about SIGHASH_NONE or SIGHASH_SINGLE -- which have&lt;br/&gt;&amp;gt; virtually no use AFAIK -- vs the ECDSA nonce reuse which is used in nearly&lt;br/&gt;&amp;gt; every transaction. The feature -- ECDSA in this case -- was managed to be&lt;br/&gt;&amp;gt; done wrong by wallet developers causing fund loss. Unfortunately we can&amp;#39;t&lt;br/&gt;&amp;gt; protect against this type of bug in the protocol.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If things aren&amp;#39;t used -- such as SIGHASH_NONE or SIGHASH_SINGLE -- it&lt;br/&gt;&amp;gt; doesn&amp;#39;t matter if they are secure or insecure. I&amp;#39;m hopefully that offchain&lt;br/&gt;&amp;gt; protocols will achieve wide adoption, and I would hate to see money lost&lt;br/&gt;&amp;gt; because of this. Even though they aren&amp;#39;t used, in my OP I do advocate for&lt;br/&gt;&amp;gt; fixing these.&lt;br/&gt;&lt;br/&gt;I do share the feeling that we better make a commonly used sighash flag&lt;br/&gt;as useable and safe as possible, but it&amp;#39;s rather unrealistic to have a&lt;br/&gt;developer that is able to implement a complex off-chain system, but&lt;br/&gt;fails to understand the importance of using the correct sighash flags in&lt;br/&gt;their wallet. That being said, I think this concern would be addressed&lt;br/&gt;by any form of explicit opt-in on the output side (whether hidden or&lt;br/&gt;not), right?&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:25Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsza54vxj5eep5wagm60y8zmgtp3x52rc47k355p8ypz3954tx7xqszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wf68uuf</id>
    
      <title type="html">📅 Original date posted:2019-10-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsza54vxj5eep5wagm60y8zmgtp3x52rc47k355p8ypz3954tx7xqszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wf68uuf" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs8xyknwau3y9l6x6t6l7svh4gkrusvkxmg74nnntvmv57zlpy4r9c567asz&#39;&gt;nevent1q…7asz&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-03&lt;br/&gt;📝 Original message:&lt;br/&gt;Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; On Mon, Sep 30, 2019 at 03:23:56PM &#43;0200, Christian Decker via bitcoin-dev wrote:&lt;br/&gt;&amp;gt;&amp;gt; With the recently renewed interest in eltoo, a proof-of-concept implementation&lt;br/&gt;&amp;gt;&amp;gt; [1], and the discussions regarding clean abstractions for off-chain protocols&lt;br/&gt;&amp;gt;&amp;gt; [2,3], I thought it might be time to revisit the `sighash_noinput` proposal&lt;br/&gt;&amp;gt;&amp;gt; (BIP-118 [4]), and AJ&amp;#39;s `bip-anyprevout` proposal [5].&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Hey Christian, thanks for the write up!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; ## Open questions&lt;br/&gt;&amp;gt;&amp;gt; The questions that remain to be addressed are the following:&lt;br/&gt;&amp;gt;&amp;gt; 1.  General agreement on the usefulness of noinput / anyprevoutanyscript /&lt;br/&gt;&amp;gt;&amp;gt;     anyprevout[?]&lt;br/&gt;&amp;gt;&amp;gt; 2.  Is there strong support or opposition to the chaperone signatures[?]&lt;br/&gt;&amp;gt;&amp;gt; 3.  The same for output tagging / explicit opt-in[?]&lt;br/&gt;&amp;gt;&amp;gt; 4.  Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the&lt;br/&gt;&amp;gt;&amp;gt;     confusion and make for simpler discussions in the end.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think there&amp;#39;s an important open question you missed from this list:&lt;br/&gt;&amp;gt; (1.5) do we really understand what the dangers of noinput/anyprevout-style&lt;br/&gt;&amp;gt; constructions actually are?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My impression on the first 3.5 q&amp;#39;s is: (1) yes, (1.5) not really,&lt;br/&gt;&amp;gt; (2) weak opposition for requiring chaperone sigs, (3) mixed (weak)&lt;br/&gt;&amp;gt; support/opposition for output tagging.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My thinking at the moment (subject to change!) is:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  * anyprevout signatures make the address you&amp;#39;re signing for less safe,&lt;br/&gt;&amp;gt;    which may cause you to lose funds when additional coins are sent to&lt;br/&gt;&amp;gt;    the same address; this can be avoided if handled with care (or if you&lt;br/&gt;&amp;gt;    don&amp;#39;t care about losing funds in the event of address reuse)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  * being able to guarantee that an address can never be signed for with&lt;br/&gt;&amp;gt;    an anyprevout signature is therefore valuable; so having it be opt-in&lt;br/&gt;&amp;gt;    at the tapscript level, rather than a sighash flag available for&lt;br/&gt;&amp;gt;    key-path spends is valuable (I call this &amp;#34;opt-in&amp;#34;, but it&amp;#39;s hidden&lt;br/&gt;&amp;gt;    until use via taproot rather than &amp;#34;explicit&amp;#34; as output tagging&lt;br/&gt;&amp;gt;    would be)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  * receiving funds spent via an anyprevout signature does not involve any&lt;br/&gt;&amp;gt;    qualitatively new double-spending/malleability risks.&lt;br/&gt;&amp;gt;    &lt;br/&gt;&amp;gt;    (eltoo is unavoidably malleable if there are multiple update&lt;br/&gt;&amp;gt;    transactions (and chaperone signatures aren&amp;#39;t used or are used with&lt;br/&gt;&amp;gt;    well known keys), but while it is better to avoid this where possible,&lt;br/&gt;&amp;gt;    it&amp;#39;s something that&amp;#39;s already easily dealt with simply by waiting&lt;br/&gt;&amp;gt;    for confirmations, and whether a transaction is malleable is always&lt;br/&gt;&amp;gt;    under the control of the sender not the receiver)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  * as such, output tagging is also unnecessary, and there is also no&lt;br/&gt;&amp;gt;    need for users to mark anyprevout spends as &amp;#34;tainted&amp;#34; in order to&lt;br/&gt;&amp;gt;    wait for more confirmations than normal before considering those funds&lt;br/&gt;&amp;gt;    &amp;#34;safe&amp;#34;&lt;br/&gt;&lt;br/&gt;Excellent points, I had missed the hidden nature of the opt-in via&lt;br/&gt;pubkey prefix while reading your proposal. I&amp;#39;m starting to like that&lt;br/&gt;option more and more. In that case we&amp;#39;d only ever be revealing that we&lt;br/&gt;opted into anyprevout when we&amp;#39;re revealing the entire script anyway, at&lt;br/&gt;which point all fungibility concerns go out the window anyway.&lt;br/&gt;&lt;br/&gt;Would this scheme be extendable to opt into all sighash flags the&lt;br/&gt;outpoint would like to allow (e.g., adding opt-in for sighash_none and&lt;br/&gt;sighash_anyonecanpay as well)? That way the pubkey prefix could act as a&lt;br/&gt;mask for the sighash flags and fail verification if they don&amp;#39;t match.&lt;br/&gt;&lt;br/&gt;&amp;gt; I think it might be good to have a public testnet (based on Richard Myers&lt;br/&gt;&amp;gt; et al&amp;#39;s signet2 work?) where we have some fake exchanges/merchants/etc&lt;br/&gt;&amp;gt; and scheduled reorgs, and demo every weird noinput/anyprevout case anyone&lt;br/&gt;&amp;gt; can think of, and just work out if we need any extra code/tagging/whatever&lt;br/&gt;&amp;gt; to keep those fake exchanges/merchants from losing money (and write up&lt;br/&gt;&amp;gt; the weird cases we&amp;#39;ve found in a wiki or a paper so people can easily&lt;br/&gt;&amp;gt; tell if we missed something obvious).&lt;br/&gt;&lt;br/&gt;That&amp;#39;d be great, however even that will not ensure that every possible&lt;br/&gt;corner case is handled and from experience it seems that people are&lt;br/&gt;unwilling to invest a lot of time testing on a network unless their&lt;br/&gt;money is on the line. That&amp;#39;s not to say that we shouldn&amp;#39;t try, we&lt;br/&gt;absolutely should, I&amp;#39;m just not sure it alone is enough to dispell all&lt;br/&gt;remaining doubts :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:22Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgrmarl9me6cc42azmkx2zgg2jat6expfkd56k7lf6p39q7dkv5qgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wwgm48n</id>
    
      <title type="html">📅 Original date posted:2019-10-01 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgrmarl9me6cc42azmkx2zgg2jat6expfkd56k7lf6p39q7dkv5qgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wwgm48n" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsx3rv6de8n3xe5mdnt0kql7p5545njrpzreym2ncgr3tupwe4jj4gqk29l0&#39;&gt;nevent1q…29l0&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-01&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; To elucidate further ---&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose rather than `SIGHASH_NOINPUT`, we created a new opcode,&lt;br/&gt;&amp;gt; `OP_CHECKSIG_WITHOUT_INPUT`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This new opcode ignores any `SIGHASH` flags, if present, on a&lt;br/&gt;&amp;gt; signature, but instead hashes the current transaction without the&lt;br/&gt;&amp;gt; input references, then checks that hash to the signature.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This is equivalent to `SIGHASH_NOINPUT`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yet as an opcode, it would be possible to embed in a Taproot script.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For example, a Decker-Russell-Osuntokun would have an internal Taproot&lt;br/&gt;&amp;gt; point be a 2-of-2, then have a script `OP_1&lt;br/&gt;&amp;gt; OP_CHECKSIG_WITHOUT_INPUT`.  Unilateral closes would expose the hidden&lt;br/&gt;&amp;gt; script, but cooperative closes would use the 2-of-2 directly.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Of note, is that any special SCRIPT would already be supportable by Taproot.&lt;br/&gt;&amp;gt; This includes SCRIPTs that may potentially lose funds for the user.&lt;br/&gt;&amp;gt; Yet such SCRIPTs are already targetable by a Taproot address.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If we are so concerned about `SIGHASH_NOINPUT` abuse, why are we not&lt;br/&gt;&amp;gt; so concerned about Taproot abuse?&lt;br/&gt;&lt;br/&gt;That would certainly be another possibility, which I have not explored&lt;br/&gt;in detail so far. Due to the similarity between the various signature&lt;br/&gt;checking op-codes it felt that it should be a sighash flag, and it&lt;br/&gt;neatly slotted into the already existing flags. If we go for a separate&lt;br/&gt;opcode we might end up reinventing the wheel, and to be honest I feared&lt;br/&gt;that proposing a new opcode would get us into bikeshedding territory&lt;br/&gt;(which I apparently failed to avoid with the sighash flag anyway...).&lt;br/&gt;&lt;br/&gt;The advantage would be that with the sighash flag the spender is in&lt;br/&gt;charge of specifying the flags, whereas with an opcode the output&lt;br/&gt;dictates the signature verification modalities. The downside is the&lt;br/&gt;increased design space.&lt;br/&gt;&lt;br/&gt;What do others think? Would this be an acceptable opt-in mechanism that&lt;br/&gt;addresses the main concerns?&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:20Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsx3rv6de8n3xe5mdnt0kql7p5545njrpzreym2ncgr3tupwe4jj4gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4vtmaf</id>
    
      <title type="html">📅 Original date posted:2019-10-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsx3rv6de8n3xe5mdnt0kql7p5545njrpzreym2ncgr3tupwe4jj4gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4vtmaf" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdksul853a2sfmy5p2l79x86nrsvyevdusym6wvk0sc44fpzluplqqmhfvj&#39;&gt;nevent1q…hfvj&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-03&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; That is very much how I was planning to implement it anyway, using a&lt;br/&gt;&amp;gt;&amp;gt; trigger transaction to separate timeout start and the actual&lt;br/&gt;&amp;gt;&amp;gt; update/settlement pairs (cfr. eltoo paper Section 4.2). So for eltoo&lt;br/&gt;&amp;gt;&amp;gt; there shouldn&amp;#39;t be an issue here :-)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My understanding is that a trigger transaction is not in fact&lt;br/&gt;&amp;gt; necessary for Decker-Russell-Osuntokun: any update transaction could&lt;br/&gt;&amp;gt; spend the funding transaction output directly, and thereby start the&lt;br/&gt;&amp;gt; relative timelock.  At least, if we could arrange the funding&lt;br/&gt;&amp;gt; transaction output to be spendable directly using `SIGHASH_NOINPUT` or&lt;br/&gt;&amp;gt; variants thereof.&lt;br/&gt;&lt;br/&gt;This is the case in which we don&amp;#39;t have a pre-signed settlement&lt;br/&gt;transaction (or in this case refund transaction) that uses a relative&lt;br/&gt;timelock. In order to have a refund transaction we would need to have&lt;br/&gt;the first update and settlement pair be signed before funding (otherwise&lt;br/&gt;the funder isn&amp;#39;t sure she is getting her funds back). Since that first&lt;br/&gt;update and settlement pair do not need to be rebound (they can only ever&lt;br/&gt;be bound to the funding transaction) they can be signed without&lt;br/&gt;noinput/anyprevoutanyscript. If we use output tagging we would mandate&lt;br/&gt;that this first update must be published, so that the funding output is&lt;br/&gt;indistinguishable from a normal output, and the first update switches&lt;br/&gt;from non-noinput/anyprevoutanyscript to enabling it. Collaborative&lt;br/&gt;closes are still indistinguishable, unilateral closes require the&lt;br/&gt;switch, but then would be identifiable anyway.&lt;br/&gt;&lt;br/&gt;The one downside I can see is that we now mandate that unilateral closes&lt;br/&gt;also publish the first update, which is a bit annoying.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; While I do agree that we should keep outputs as unidentifiable as&lt;br/&gt;&amp;gt;&amp;gt; possible, I am starting to question whether that is possible for&lt;br/&gt;&amp;gt;&amp;gt; off-chain payment networks since we are gossiping about the existence of&lt;br/&gt;&amp;gt;&amp;gt; channels and binding them to outpoints to prove their existence anyway.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Lightning supports unpublished channels, so we do not gossip some outpoints even though they are in fact channels underneath.&lt;br/&gt;&amp;gt;   * I confess the existence of unpublished channels in the spec fails to summon any reaction other than incredulity from me, but they exist nonetheless, my incredulity notwithstanding.&lt;br/&gt;&lt;br/&gt;That is true, we do however selectively tell others about the channel&amp;#39;s&lt;br/&gt;existence (in invoices, our peers, ...) so I wouldn&amp;#39;t consider that to&lt;br/&gt;be the most secret information :-)&lt;br/&gt;&lt;br/&gt;As for why they exist: nodes need to have the option of not announcing&lt;br/&gt;their channels to reduce the noise in the network with channels that are&lt;br/&gt;unlikely to be useable in order to forward payments. If every node were&lt;br/&gt;to announce their channels we&amp;#39;d have a much larger routing table, mostly&lt;br/&gt;consisting of unusable channels going to leafs in the&lt;br/&gt;network. Furthermore, the sheer threat that there might be unannounced&lt;br/&gt;channels adds uncertainty for attackers trying to profile nodes: &amp;#34;I see&lt;br/&gt;only my channel with my peer, but he might have unannounced channels, so&lt;br/&gt;I can&amp;#39;t really tell whether the payment I forwarded to it is destined&lt;br/&gt;for it or one of its unannounced peers&amp;#34;.&lt;br/&gt;&lt;br/&gt;&amp;gt; * Historical channels that have been cooperatively closed are no longer normally gossiped, so the fact that they used to be channels is no longer widely broadcast, and may eventually be forgotten by most or all of the network.&lt;br/&gt;&amp;gt;   * This means anyone who wants to record the historical use of Lightning will have to retain the information themselves, rather than delegating it to fullnodes everywhere.&lt;br/&gt;&lt;br/&gt;Good point, it requires storing the ephemeral data from gossip, that&amp;#39;s&lt;br/&gt;not all that hard, but I agree that it puts up a small barrier for&lt;br/&gt;newcomers.
    </content>
    <updated>2023-06-09T12:56:20Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsf5034ke43v9fepjnfgfxw089lw6l27cevpyz3tyvqdq2hc96ntfqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxy0xjc</id>
    
      <title type="html">📅 Original date posted:2019-10-01 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsf5034ke43v9fepjnfgfxw089lw6l27cevpyz3tyvqdq2hc96ntfqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxy0xjc" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspzv9uh4mqydwcqndhy5wh02lzu2lsvphdusz8e7laqmmp54h863shsnx2z&#39;&gt;nevent1q…nx2z&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-01&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; I rather strongly oppose output tagging.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The entire point of for example Taproot was to reduce the variability&lt;br/&gt;&amp;gt; of how outputs look like, so that unspent Taproot outputs look exactly&lt;br/&gt;&amp;gt; like other unspent Taproot outputs regardless of the SCRIPT (or lack&lt;br/&gt;&amp;gt; of SCRIPT) used to protect the outputs.  That is the reason why we&lt;br/&gt;&amp;gt; would prefer to not support P2SH-wrapped Taproot even though&lt;br/&gt;&amp;gt; P2SH-wrapping was intended to cover all future uses of SegWit,&lt;br/&gt;&amp;gt; including SegWit v1 that Taproot will eventually get.&lt;br/&gt;&lt;br/&gt;That is a bit reductive if you ask me. Taproot brings a number of&lt;br/&gt;improvements such as the reduction of on-chain footprint in the&lt;br/&gt;collaborative spend case, the hiding of complex logic in that case, and&lt;br/&gt;yes, the uniformity of UTXOs that you mentioned. I do agree that it&amp;#39;d be&lt;br/&gt;to make everything look identical to the outside observer, but saying&lt;br/&gt;that separating outputs into two coarse-grained domains is equivalent to&lt;br/&gt;throwing the baby out with the bath-water :-)&lt;br/&gt;&lt;br/&gt;That being said, I should clarify that I would prefer not having to make&lt;br/&gt;special accomodations on top of the raw sighash_noinput proposal, for&lt;br/&gt;some perceived, but abstract danger that someone might shoot themselves&lt;br/&gt;in the foot. I think we&amp;#39;re all old enough not to need too much&lt;br/&gt;handholding :-)&lt;br/&gt;&lt;br/&gt;Output tagging is my second choice, since it minimizes the need for&lt;br/&gt;people to get creative to work around other proposals, and minimizes the&lt;br/&gt;on-chain footprint, and finally chaperone signatures are my least&lt;br/&gt;preferred option due to its heavy-handed nature and the increased cost.&lt;br/&gt;&lt;br/&gt;&amp;gt; Indeed, if it is output tagging that gets into Bitcoin base layer, I&lt;br/&gt;&amp;gt; would strongly suggest the below for all Decker-Russell-Osuntokun&lt;br/&gt;&amp;gt; implementations:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * A standard MuSig 2-of-2 bip-schnorr SegWit v1 Funding Transaction Output, confirmed onchain&lt;br/&gt;&amp;gt; * A &amp;#34;translator transaction&amp;#34; spending the above and paying out to a SegWit v16 output-tagged output, kept offchain.&lt;br/&gt;&amp;gt; * Decker-Russell-Osuntokun update transaction, signed with `SIGHASH_NOINPUT` spending the translator transaction output.&lt;br/&gt;&amp;gt; * Decker-Russell-Osuntokun state transaction, signed with `SIGHASH_NOINPUT` spending the update transaction output.&lt;br/&gt;&lt;br/&gt;That is very much how I was planning to implement it anyway, using a&lt;br/&gt;trigger transaction to separate timeout start and the actual&lt;br/&gt;update/settlement pairs (cfr. eltoo paper Section 4.2). So for eltoo&lt;br/&gt;there shouldn&amp;#39;t be an issue here :-)&lt;br/&gt;&lt;br/&gt;&amp;gt; The point regarding use of a commonly-known privkey to work around&lt;br/&gt;&amp;gt; chaperone signatures is appropriate to the above, incidentally.  In&lt;br/&gt;&amp;gt; short: this is a workaround, plain and simple, and one wonders the&lt;br/&gt;&amp;gt; point of adding *either* chaperones *or* output tagging if we will, in&lt;br/&gt;&amp;gt; practice, just work around them anyway.&lt;br/&gt;&lt;br/&gt;Exactly, why introduce the extra burden of chaperone signatures or&lt;br/&gt;output tagging if we&amp;#39;re just going to sidestep it?&lt;br/&gt;&lt;br/&gt;&amp;gt; Again, the *more* important point is that special blockchain&lt;br/&gt;&amp;gt; constructions should only be used in the &amp;#34;bad&amp;#34; unilateral close case.&lt;br/&gt;&amp;gt; In the cooperative case, we want to use simple plain&lt;br/&gt;&amp;gt; bip-schnorr-signed outputs getting spent to further bip-schnor/Taproot&lt;br/&gt;&amp;gt; SegWit v1 addresses, to increase the anonymity set of all uses of&lt;br/&gt;&amp;gt; Decker-Russell-Osuntokun and other applications that might use&lt;br/&gt;&amp;gt; `SIGHASH_NOINPUT` in some edge case (but which resolve down to simple&lt;br/&gt;&amp;gt; bip-schnorr-signed n-of-n cases when the protocol is completed&lt;br/&gt;&amp;gt; successfully by all participants).&lt;br/&gt;&lt;br/&gt;While I do agree that we should keep outputs as unidentifiable as&lt;br/&gt;possible, I am starting to question whether that is possible for&lt;br/&gt;off-chain payment networks since we are gossiping about the existence of&lt;br/&gt;channels and binding them to outpoints to prove their existence anyway.&lt;br/&gt;&lt;br/&gt;Not the strongest argument I know, but there&amp;#39;s little point in talking&lt;br/&gt;ideal cases when we need to weaken that later again. &lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Open questions&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; ---------------&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The questions that remain to be addressed are the following:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; 1.  General agreement on the usefulness of noinput / anyprevoutanyscript /&lt;br/&gt;&amp;gt;&amp;gt;     anyprevout. While at the CoreDev meeting I think everybody agreed that&lt;br/&gt;&amp;gt;&amp;gt;     these proposals a useful, also beyond eltoo, not everybody could be&lt;br/&gt;&amp;gt;&amp;gt;     there. I&amp;#39;d therefore like to elicit some feedback from the wider community.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I strongly agree that `NOINPUT` is useful, and I was not able to attend CoreDev (at least, not with any human fleshbot already known to you --- I checked).&lt;br/&gt;&lt;br/&gt;Great, good to know that I&amp;#39;m not shouting into the void, and that I&amp;#39;m&lt;br/&gt;not just that crazy guy trying to get his hairbrained scheme to work :-)&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; 2.  Is there strong support or opposition to the chaperone signatures&lt;br/&gt;&amp;gt;&amp;gt;     introduced in anyprevout / anyprevoutanyscript? I think it&amp;#39;d be best to&lt;br/&gt;&amp;gt;&amp;gt;     formulate a concrete set of pros and contras, rather than talk about&lt;br/&gt;&amp;gt;&amp;gt;     abstract dangers or advantages.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; No opposition, we will just work around this by publishing a common&lt;br/&gt;&amp;gt; known private key to use for all chaperone signatures, since all the&lt;br/&gt;&amp;gt; important security is in the `NOINPUT` signature anyway.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; 3.  The same for output tagging / explicit opt-in. What are the advantages and&lt;br/&gt;&amp;gt;&amp;gt;     disadvantages?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Strongly oppose, see above about my argument.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; 4.  Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the&lt;br/&gt;&amp;gt;&amp;gt;     confusion and make for simpler discussions in the end.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Ambivalent, mildly support.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; 5.  Anything I forgot to mention :-)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cats are very interesting creatures, and are irrelevant to `SIGHASH_NOINPUT` discussion, but are extremely cute nonetheless.&lt;br/&gt;&lt;br/&gt;Definitely agreed :&#43;1:
    </content>
    <updated>2023-06-09T12:56:19Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvzye4dkzsmrjlkg4lewu89h7y43z437mahmf63zl9trsz8ku0ufszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wuu4j6l</id>
    
      <title type="html">📅 Original date posted:2019-10-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvzye4dkzsmrjlkg4lewu89h7y43z437mahmf63zl9trsz8ku0ufszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wuu4j6l" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs0mmt2a55s52fjvcwt47x75sd42pur5qszpwgk20j7vk24ufl22jgvhpg3j&#39;&gt;nevent1q…pg3j&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-03&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via bitcoin-dev &amp;lt;bitcoin-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning lists,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let me summarize concerns brought up:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Chris concern, is that an ordinary UTXO that is not allocated for `SIGHASH_NOINPUT` use, is inadvertently spent using `SIGHASH_NOINPUT`.&lt;br/&gt;&amp;gt; * My concern, is that unless a UTXO allocated for `SIGHASH_NOINPUT` use, is *indeed* used with SIGHASH_NOINPUT`, it should look exactly the same as any other SegWit v1 output.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I propose the below instead:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Do ***NOT*** allocate SegWit v16 for `SIGHASH_NOINPUT`.&lt;br/&gt;&amp;gt; * Instead, allocate SegWit v1 Tapscript v16 for `SIGHASH_NOINPUT`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Then, on usage:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Exchange hoards can be protected by simple MuSig bip-schnorr SegWit v1 outputs, or a NUMS Taproot internal point with a MAST branch Tapscript v0 `OP_CHECKSIG_ADD` sequence.&lt;br/&gt;&amp;gt; * Decker-Russell-Osuntokun constructions are backed by a n-of-n MuSig Taproot internal point, with a MAST branch containing a Tapscript v16 with `OP_1 OP_CHECKSIG`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This solves both concerns:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Ordinary UTXOs not allocated for `SIGHASH_NOINPUT` use simply do not commit to any Taproot that has a Tapscript v16 branch, and thus `SIGHASH_NOINPUT` is unuseable to claim it.&lt;br/&gt;&amp;gt; * If a UTXO used for an offchain protocol ends up in a cooperative-resolution state, nobody has to know that a Tapscript v16 branch existed that could have used `SIGHASH_NOINPUT`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Again, my objection to output tagging is that it is **publicly visible** as soon as the funding transaction is confirmed onchain that this is a special output used for a Decker-Russell-Osuntokun construction, greatly damaging privacy.&lt;br/&gt;&amp;gt; But if this fact is kept secret *unless* the very specific case of unilateral uncooperative enforcement, then it is quite fine with me.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Would this alternate proposal hold better muster?&lt;br/&gt;&lt;br/&gt;Intriguing idea, this would be an invisible tagging, since the opt-in to&lt;br/&gt;noinput and friends is hidden inside the committed script, which only&lt;br/&gt;gets revealed whenever we actually need it.&lt;br/&gt;&lt;br/&gt;For eltoo this would mean that the funding output would be invisibly&lt;br/&gt;tagged, and the cooperative close would use the taproot pubkey, while&lt;br/&gt;the uncooperative close, which would require noinput opt-in, reveals the&lt;br/&gt;script, proving prior opt-in, and provides a matching signature.&lt;br/&gt;&lt;br/&gt;If I&amp;#39;m not mistaken this would require AJ&amp;#39;s alternative pubkey encoding&lt;br/&gt;(0x01 or 0x00 prefixed pubkey) to make the opt-in visible, correct?
    </content>
    <updated>2023-06-09T12:56:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqspzv9uh4mqydwcqndhy5wh02lzu2lsvphdusz8e7laqmmp54h863szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrk927a</id>
    
      <title type="html">📅 Original date posted:2019-10-03 📝 Original message: Chris ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqspzv9uh4mqydwcqndhy5wh02lzu2lsvphdusz8e7laqmmp54h863szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrk927a" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsvzye4dkzsmrjlkg4lewu89h7y43z437mahmf63zl9trsz8ku0ufsmvgxz2&#39;&gt;nevent1q…gxz2&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-10-03&lt;br/&gt;📝 Original message:&lt;br/&gt;Chris Stewart &amp;lt;chris at suredbits.com&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; I do have some concerns about SIGHASH_NOINPUT, mainly that it does&lt;br/&gt;&amp;gt; introduce another footgun into the bitcoin protocol with address reuse.&lt;br/&gt;&amp;gt; It&amp;#39;s common practice for bitcoin businesses to re-use addresses. Many&lt;br/&gt;&amp;gt; exchanges [1] reuse addresses for cold storage with very large sums of&lt;br/&gt;&amp;gt; money that is stored in these addreses.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It is my understanding with this part of BIP118&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;Using NOINPUT the input containing the signature no longer references a&lt;br/&gt;&amp;gt; specific output. Any participant can take a transaction and rewrite it by&lt;br/&gt;&amp;gt; changing the hash reference to the previous output, without invalidating&lt;br/&gt;&amp;gt; the signatures. This allows transactions to be bound to any output that&lt;br/&gt;&amp;gt; matches the value committed to in the witness and whose witnessProgram,&lt;br/&gt;&amp;gt; combined with the spending transaction&amp;#39;s witness returns true.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; if an exchange were to once produce a digital signature from that cold&lt;br/&gt;&amp;gt; storage address with a SIGHASH_NOINPUT signature, that signature can be&lt;br/&gt;&amp;gt; replayed again and again on the blockchain until their wallet is drained.&lt;br/&gt;&amp;gt; This might be able to mitigated since the signatures commit to outputs,&lt;br/&gt;&amp;gt; which may be small in value for the transaction that SIGHASH_NOINPUT was&lt;br/&gt;&amp;gt; used. This means that an exchange could move coins from the address with a&lt;br/&gt;&amp;gt; larger transaction that spends money to a new output (and presumably pays a&lt;br/&gt;&amp;gt; higher fee than the smaller transactions).&lt;br/&gt;&lt;br/&gt;Thanks for sharing your concerns Chris, I do agree that noinput and&lt;br/&gt;friends are a very sharp knife that needs to be treated carefully, but&lt;br/&gt;ultimately it&amp;#39;s exactly its sharpness that makes it useful :-)&lt;br/&gt;&lt;br/&gt;&amp;gt; ### Why does this matter?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It seems that SIGHASH_NOINPUT will be an extremely useful tool for offchain&lt;br/&gt;&amp;gt; protocols like Lightning. This gives us the building blocks for enforcing&lt;br/&gt;&amp;gt; specific offchain states to end up onchain [2].&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Since this tool is useful, we can presume that it will be integrated into&lt;br/&gt;&amp;gt; the signing path of large economic entities in bitcoin -- namely exchanges.&lt;br/&gt;&amp;gt; Many exchanges have specific signing procedures for transactions that are&lt;br/&gt;&amp;gt; leaving an exchange that is custom software. Now -- presuming wide adoption&lt;br/&gt;&amp;gt; of off chain protocols -- they will need to have a _second unique signing&lt;br/&gt;&amp;gt; path that uses SIGHASH_NOINPUT_.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It is imperative that this second signing path -- which uses&lt;br/&gt;&amp;gt; SIGHASH_NOINPUT -- does NOT get mixed up with the first signing path that&lt;br/&gt;&amp;gt; controls an exchanges onchain funds. If this were to happen, fund lost&lt;br/&gt;&amp;gt; could occur if the exchange is reusing address, which seems to be common&lt;br/&gt;&amp;gt; practice.&lt;br/&gt;&lt;br/&gt;Totally agreed, and as you point out, BIP118 is careful to mandate&lt;br/&gt;separate private keys be used for off-chain contracts and that the&lt;br/&gt;off-chain contract never be mixed with the remainder of your funds. The&lt;br/&gt;way eltoo uses noinput we selectively open us up to replay attacks&lt;br/&gt;(because that&amp;#39;s what the update mechanism is after all) by controlling&lt;br/&gt;the way the transactions can be replayed very carefully, and any other&lt;br/&gt;use of noinput would need to make sure to have the same guarantees.&lt;br/&gt;However, once we have separated the two domains, we can simply use a&lt;br/&gt;separate (hardened) derivation path from a seed key, and never mix them&lt;br/&gt;afterwards. We never exchange any private keys, so even leaking info&lt;br/&gt;across derived keys is not an issue here.&lt;br/&gt;&lt;br/&gt;&amp;gt; This is stated here in BIP118:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;This also means that particular care has to be taken in order to avoid&lt;br/&gt;&amp;gt; unintentionally enabling this rebinding mechanism. NOINPUT MUST NOT be&lt;br/&gt;&amp;gt; used, unless it is explicitly needed for the application, e.g., it MUST NOT&lt;br/&gt;&amp;gt; be a default signing flag in a wallet implementation. Rebinding is only&lt;br/&gt;&amp;gt; possible when the outputs the transaction may bind to all use the same&lt;br/&gt;&amp;gt; public keys. Any public key that is used in a NOINPUT signature MUST only&lt;br/&gt;&amp;gt; be used for outputs that the input may bind to, and they MUST NOT be used&lt;br/&gt;&amp;gt; for transactions that the input may not bind to. For example an application&lt;br/&gt;&amp;gt; SHOULD generate a new key-pair for the application instance using NOINPUT&lt;br/&gt;&amp;gt; signatures and MUST NOT reuse them afterwards.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This means we need to encourage onchain hot wallet signing procedures to be&lt;br/&gt;&amp;gt; kept separate from offchain hot wallet signing procedures, which introduces&lt;br/&gt;&amp;gt; more complexity for key management (two keychains).&lt;br/&gt;&lt;br/&gt;This is already the case: off-chain systems always require access to the&lt;br/&gt;signing key in real-time in order to be useful. If any state change is&lt;br/&gt;performed in a channel, even just adjusting fees or receiving a payment,&lt;br/&gt;requires the signature from the key associated with the channel. With&lt;br/&gt;high security on-chain systems on the other hand you should never have a&lt;br/&gt;hot key that automatically signs off on transfers without human&lt;br/&gt;intervention. So I find it unlikely that mandating the on-chain keys to&lt;br/&gt;be kept separate from off-chain keys is any harder than what should be&lt;br/&gt;done with the current systems.&lt;br/&gt;&lt;br/&gt;&amp;gt; One (of the few) upsides of the current Lightning penalty mechanism is that&lt;br/&gt;&amp;gt; fund loss can be contained to balance of the channel. You cannot do&lt;br/&gt;&amp;gt; something in the current protocol that will effect your funds outside of&lt;br/&gt;&amp;gt; that channel. With SIGHASH_NOINPUT, that property changes.&lt;br/&gt;&lt;br/&gt;Good point, but if the key hygiene is maintained as detailed in BIP118,&lt;br/&gt;i.e., off-chain keys must be kept separate from on-chain keys, and that&lt;br/&gt;each off-chain contract instance uses a separate set of keys, that&lt;br/&gt;property is maintained.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsrctz6lfjxa7lq42nud0vdlcyk74rr9j3upfg46klp68tq556ue6gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2ffa7l</id>
    
      <title type="html">📅 Original date posted:2019-09-30 📝 Original message: With ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsrctz6lfjxa7lq42nud0vdlcyk74rr9j3upfg46klp68tq556ue6gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2ffa7l" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs99rpshu5pgd0n7fw5ve7gevx934ansx6k3vfl2ecrt5kmt03kaxgq5ta8f&#39;&gt;nevent1q…ta8f&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-30&lt;br/&gt;📝 Original message:&lt;br/&gt;With the recently renewed interest in eltoo, a proof-of-concept implementation&lt;br/&gt;[1], and the discussions regarding clean abstractions for off-chain protocols&lt;br/&gt;[2,3], I thought it might be time to revisit the `sighash_noinput` proposal&lt;br/&gt;(BIP-118 [4]), and AJ&amp;#39;s `bip-anyprevout` proposal [5].&lt;br/&gt;&lt;br/&gt;(sorry for the long e-mail. I wanted to give enough context and describe the&lt;br/&gt;various tradeoffs so people don&amp;#39;t have to stitch them together from memory. If&lt;br/&gt;you&amp;#39;re impatient there are a couple of open questions at the bottom)&lt;br/&gt;&lt;br/&gt;Both proposals are ways to allow rebinding of transactions to new outputs, by&lt;br/&gt;adding a sighash flag that excludes the output when signing. This allows the&lt;br/&gt;transaction to be bound to any output, without needing a new signature, as&lt;br/&gt;long as output script and input script are compatible, e.g., the signature&lt;br/&gt;matches the public key specified in the output.&lt;br/&gt;&lt;br/&gt;BIP-118 is limited to explaining the details of signature verification, and&lt;br/&gt;omits anything related to deployment and dependency on other proposals. This&lt;br/&gt;was done in order not to depend on bip-taproot which is also in draft-phase&lt;br/&gt;currently, and to allow deployment alongside the next version of segwit&lt;br/&gt;script. `bip-anyprevout` builds on top of BIP-118, adding integration with&lt;br/&gt;`bip-taproot`, chaperone signatures, limits the use of the sighash flag to&lt;br/&gt;script path spends, as well as a new pubkey serialization which uses the first&lt;br/&gt;byte to signal opt-in.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d like to stress that both proposals are complementary and not competing,&lt;br/&gt;which is something that I&amp;#39;ve heard a couple of times.&lt;br/&gt;&lt;br/&gt;There remain a couple of unclear points which I hope we can address in the&lt;br/&gt;coming days, to get this thing moving again, and hopefully get a new tool in&lt;br/&gt;our toolbox soon(ish).&lt;br/&gt;&lt;br/&gt;In the following I will quote a couple of things that were discussed during&lt;br/&gt;the CoreDev meeting earlier this year, but not everybody could join, and it is&lt;br/&gt;important that we engage the wider community, to get a better picture, and I&lt;br/&gt;think not everybody is up-to-date about the current state.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;## Dangers of `sighash_noinput`&lt;br/&gt;&lt;br/&gt;An argument I have heard against noinput is that it is slightly less complex&lt;br/&gt;or compute intensive than `sighash_all` signatures, which may encourage wallet&lt;br/&gt;creators to only implement the noinput variant, and use it indiscrimi-&lt;br/&gt;nately. This is certainly a good argument, and indeed we have seen at least&lt;br/&gt;one developer proposing to use noinput for all transactions to discourage&lt;br/&gt;address reuse.&lt;br/&gt;&lt;br/&gt;This was also mentioned at CoreDev [6]:&lt;br/&gt;&lt;br/&gt;&amp;gt; When [...] said he wanted to write a wallet that only used SIGHASH\_NOINPUT,&lt;br/&gt;&amp;gt; that was pause for concern. Some people might want to use SIGHASH\_NOINPUT as a&lt;br/&gt;&amp;gt; way to cheapen or reduce the complexity of making a wallet&lt;br/&gt;&amp;gt; implementation. SIGHASH\_NOINPUT is from a purely procedural point of view&lt;br/&gt;&amp;gt; easier than doing a SIGHASH\_ALL, that&amp;#39;s all I&amp;#39;m saying. So you&amp;#39;re hashing&lt;br/&gt;&amp;gt; less. It&amp;#39;s way faster. That concern has been brought to my attention and it&amp;#39;s&lt;br/&gt;&amp;gt; something I can see. Do we want to avoid people being stupid and shooting&lt;br/&gt;&amp;gt; themselves and their customers in the foot? Or do we treat this as a special&lt;br/&gt;&amp;gt; case where you mark we&amp;#39;re aware of how it should be used and we just try to&lt;br/&gt;&amp;gt; get that awareness out?&lt;br/&gt;&lt;br/&gt;Another issue that is sometimes brought up is that an external user may&lt;br/&gt;attempt to send funds to a script that was really part of a higher-level&lt;br/&gt;protocol. This leads to those funds becoming inaccessible unless you gather&lt;br/&gt;all the participants and sign off on those funds. I don&amp;#39;t believe this is&lt;br/&gt;anything new, and if users really want to shoot themselves in the foot and&lt;br/&gt;send funds to random addresses they fish out of a blockexplorer there&amp;#39;s little&lt;br/&gt;we can do. What we could do is make the scripts used internally in our&lt;br/&gt;protocols unaddressable (see output tagging below), removing this issue&lt;br/&gt;altogether.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;## Chaperone signatures&lt;br/&gt;&lt;br/&gt;Chaperone signatures are signatures that ensure that there is no third-party&lt;br/&gt;malleability of transactions. The idea is to have an additional signature,&lt;br/&gt;that doesn&amp;#39;t use noinput, or any of its variants, and therefore needs to be&lt;br/&gt;authored by one of the pubkeys in the output script, i.e., one or more of the&lt;br/&gt;participants of the contract the transaction belongs to. Concretely in eltoo&lt;br/&gt;we&amp;#39;d be using a shared key known to all participants in the eltoo instance, so&lt;br/&gt;any participant can sign an update to rebind it to the desired output.&lt;br/&gt;&lt;br/&gt;Chaperone signatures have a number of downsides however:&lt;br/&gt;&lt;br/&gt;-   Additional size: both the public key and the signature actually need to be&lt;br/&gt;    stored along with the real noinput signature, resulting in transfer,&lt;br/&gt;    computational and storage overhead. We can&amp;#39;t reuse the same pubkey from the&lt;br/&gt;    noinput signature since that&amp;#39;d require access to the matching privkey which&lt;br/&gt;    is what we want to get rid of using noinput in the first place.&lt;br/&gt;-   Protocols can still simply use a globally known privkey, voiding the&lt;br/&gt;    benefit of chaperone signatures, since third-parties can sign again. I&lt;br/&gt;    argue that third-party malleability is a subset of first-party&lt;br/&gt;    malleability, and we should protect against first-party malleability first&lt;br/&gt;    and foremost. My counterparty has the incentive to trick me, a third-party&lt;br/&gt;    may not.&lt;br/&gt;&lt;br/&gt;On the plus side chaperone signatures certainly address the lazy-wallet-dev&lt;br/&gt;scenario, and as AJ points out in [bip-anyprevout] we get back the same&lt;br/&gt;security guarantees as we had without noinput.&lt;br/&gt;&lt;br/&gt;&amp;gt;From what I remember and the transcript (thanks Kanzure for your awesome work&lt;br/&gt;by the way), there was no strong support for chaperone signatures during the&lt;br/&gt;meeting [6], but feedback from people that were not present is needed:&lt;br/&gt;&lt;br/&gt;&amp;gt; if everyone who wanted to use NOINPUT was convinced there was a problem, then&lt;br/&gt;&amp;gt; they would pick the right thing, but clearly people aren&amp;#39;t. It&amp;#39;s not a&lt;br/&gt;&amp;gt; foot-gun defense mechanism because it&amp;#39;s easily bypassed, and it&amp;#39;s easier to&lt;br/&gt;&amp;gt; bypass it than to use it. Whereas for tagged outputs, it&amp;#39;s that if you want&lt;br/&gt;&amp;gt; any NOINPUT then you must tag.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;## Output tagging&lt;br/&gt;&lt;br/&gt;One proposal that I found rather fascinating during the discussion in&lt;br/&gt;Amsterdam was that we could achieve the same disincentive to use on&lt;br/&gt;non-smart-contract cases by simply making the output scripts&lt;br/&gt;unaddressable. This can be done by specifying a version of taproot outputs for&lt;br/&gt;which the bech32 addressing scheme simply doesn&amp;#39;t have a representation [6]:&lt;br/&gt;&lt;br/&gt;&amp;gt; The tagged outputs idea is that we don&amp;#39;t have NOINPUT ANYPREVOUT supported for&lt;br/&gt;&amp;gt; taproot v1 outputs, instead we have a segwit version 16 v16 that supports&lt;br/&gt;&amp;gt; taproot. The reason for v16 is that we redefine bech32 to not cover&lt;br/&gt;&amp;gt; v16. There&amp;#39;s no addresses for this type of output. If you&amp;#39;re an exchange and&lt;br/&gt;&amp;gt; receive a bech32 address, you declare it invalid. You make it less user&lt;br/&gt;&amp;gt; friendly here; and there shouldn&amp;#39;t be an address anyway. You might want to see&lt;br/&gt;&amp;gt; it on a block explorer, but you don&amp;#39;t want to pass it around to anyone.&lt;br/&gt;&lt;br/&gt;We don&amp;#39;t need addresses in our contract constructions because we deal directly&lt;br/&gt;with the scripts. This would also have the desired effect of no allowing&lt;br/&gt;generic wallets to send to these addresses, or users accidentally sending&lt;br/&gt;funds to what was supposed to be a one-off script used internally in the&lt;br/&gt;off-chain contract.&lt;br/&gt;&lt;br/&gt;Notice that this idea was already used by Russell O&amp;#39;Connor when performing a&lt;br/&gt;transaction on elements using his new scripting language simplicity&lt;br/&gt;[7]:&lt;br/&gt;&lt;br/&gt;&amp;gt; For this experimental development, we created an improper segwit version,&lt;br/&gt;&amp;gt; &amp;#34;version 31&amp;#34; for Simplicity addresses. The payload of this segwit version 31&lt;br/&gt;&amp;gt; address contains a commitment Merkle root of a Simplicity program to control&lt;br/&gt;&amp;gt; the UTXO.&lt;br/&gt;&lt;br/&gt;The concern with output tagging is that it hurts fungibility, marking outputs&lt;br/&gt;used in a contract as such and making them identifiable. But maybe it would be&lt;br/&gt;a good idea to create two domains anyway: one for user-addressable&lt;br/&gt;destinations which users can use with their general purpose wallets, and one&lt;br/&gt;domain for contracts, which users cannot send to directly.&lt;br/&gt;&lt;br/&gt;This also came up during the CoreDev meeting [ams-coredev]:&lt;br/&gt;&lt;br/&gt;&amp;gt; these sort of NOINPUT signatures are only things that are within some&lt;br/&gt;&amp;gt; application or within some protocol that gets negotiated between participants,&lt;br/&gt;&amp;gt; but they don&amp;#39;t cross-independent domains where you see a wallet or a protocol&lt;br/&gt;&amp;gt; as a kind of domain. You can&amp;#39;t tell the difference, is this an address I can&lt;br/&gt;&amp;gt; give to someone else or not? It&amp;#39;s all scripts, no real addresses. There are&lt;br/&gt;&amp;gt; types of outputs that are completely insecure unconditionally; there are&lt;br/&gt;&amp;gt; things that are protected and I can give to anyone, you don&amp;#39;t want to reuse&lt;br/&gt;&amp;gt; it, but there&amp;#39;s no security issue from doing so. This is an additional class&lt;br/&gt;&amp;gt; that is secure perfectly but only when used in the right way.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;## Open questions&lt;br/&gt;&lt;br/&gt;The questions that remain to be addressed are the following:&lt;br/&gt;&lt;br/&gt;1.  General agreement on the usefulness of noinput / anyprevoutanyscript /&lt;br/&gt;    anyprevout. While at the CoreDev meeting I think everybody agreed that&lt;br/&gt;    these proposals a useful, also beyond eltoo, not everybody could be&lt;br/&gt;    there. I&amp;#39;d therefore like to elicit some feedback from the wider community.&lt;br/&gt;2.  Is there strong support or opposition to the chaperone signatures&lt;br/&gt;    introduced in anyprevout / anyprevoutanyscript? I think it&amp;#39;d be best to&lt;br/&gt;    formulate a concrete set of pros and contras, rather than talk about&lt;br/&gt;    abstract dangers or advantages.&lt;br/&gt;3.  The same for output tagging / explicit opt-in. What are the advantages and&lt;br/&gt;    disadvantages?&lt;br/&gt;4.  Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the&lt;br/&gt;    confusion and make for simpler discussions in the end.&lt;br/&gt;5.  Anything I forgot to mention :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &amp;lt;&lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002131.html&amp;gt&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002131.html&amp;gt&lt;/a&gt;;&lt;br/&gt;[2] &amp;lt;&lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017285.html&amp;gt&#34;&gt;https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017285.html&amp;gt&lt;/a&gt;;&lt;br/&gt;[3] &amp;lt;&lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-August/001383.html&amp;gt&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-August/001383.html&amp;gt&lt;/a&gt;;&lt;br/&gt;[4] &amp;lt;&lt;a href=&#34;https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki&amp;gt&#34;&gt;https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki&amp;gt&lt;/a&gt;;&lt;br/&gt;[5] &amp;lt;&lt;a href=&#34;https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-anyprevout.mediawiki&amp;gt&#34;&gt;https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-anyprevout.mediawiki&amp;gt&lt;/a&gt;;&lt;br/&gt;[6] &amp;lt;&lt;a href=&#34;http://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2019-06-06-noinput-etc/&amp;gt&#34;&gt;http://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2019-06-06-noinput-etc/&amp;gt&lt;/a&gt;;&lt;br/&gt;[7] &amp;lt;&lt;a href=&#34;https://lists.ozlabs.org/pipermail/simplicity/2019/000018.html&amp;gt&#34;&gt;https://lists.ozlabs.org/pipermail/simplicity/2019/000018.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:56:15Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsw85k7hlqjkn4jqwja2pwe4x5svc023c3tlh7kedt7qqjsyt84sgszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w385xft</id>
    
      <title type="html">📅 Original date posted:2019-09-19 📝 Original message: I ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsw85k7hlqjkn4jqwja2pwe4x5svc023c3tlh7kedt7qqjsyt84sgszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w385xft" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspxd6qdddxl9s8ayz4tvjxvys3nupdd0ucaw638pyhaf5kz5ydtxcrgaczr&#39;&gt;nevent1q…aczr&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-19&lt;br/&gt;📝 Original message:&lt;br/&gt;I don&amp;#39;t think this paints an accurate picture, both when it comes to&lt;br/&gt;watchtowers for LN-penalty as well as for eltoo:&lt;br/&gt;&lt;br/&gt;Technically the storage requirement for the shachain is also O(log(n))&lt;br/&gt;and not O(1) due to the fact that we effectively have a cut through the&lt;br/&gt;height of the tree, along which we have to keep the inner nodes until we&lt;br/&gt;get the parent node which then allows us to infer the children. Given&lt;br/&gt;that we use a constant size for that tree, it is not really relevant&lt;br/&gt;but I thought it might be worth pointing this out. The shachain is&lt;br/&gt;currently limited to 2^48 updates, which is way beyond what we can hope&lt;br/&gt;to achieve on a single channel, so I agree with you that this limit is&lt;br/&gt;not important at all currently.&lt;br/&gt;&lt;br/&gt;Even with shachain the storage requirements for the nodes (not the&lt;br/&gt;watchtowers) are far from being constant either: since any old state,&lt;br/&gt;including anything that we built on top of it (HTLCs), so we need to&lt;br/&gt;keep information around to react to those as well (preimages that cannot&lt;br/&gt;be subsumed in a shachain since the HTLC preimage is chosen by many&lt;br/&gt;remote senders).&lt;br/&gt;&lt;br/&gt;When it comes to eltoo, just reusing the same watchtower protocol that&lt;br/&gt;we designed for LN-penalty, with unidentified blobs, randomly inserted&lt;br/&gt;by anyone, and encrypted with the commitment transaction is likely too&lt;br/&gt;simplistic, and results in the O(n) requirement you mentioned. My&lt;br/&gt;proposal would be to establish an authenticated session with a&lt;br/&gt;watchtower, e.g., by signing all encrypted updates using a session key,&lt;br/&gt;and the watchtower only replacing updates that match the session. An&lt;br/&gt;attacker could not replace my updates I stashed with the watchtower&lt;br/&gt;since it cannot hijack my session. This means that the watchtower can be&lt;br/&gt;certain that it can discard old states, but still have the correct&lt;br/&gt;reaction stashed when it needs it.&lt;br/&gt;&lt;br/&gt;Notice that this is already what the lnd watchtower protocol pretty much&lt;br/&gt;does, and it is likely that we&amp;#39;d like a session anyway in order to pay&lt;br/&gt;the watchtower for its service. I think it&amp;#39;s unrealistic to expect&lt;br/&gt;altruistic watchtowers storing encrypted blobs for some random people&lt;br/&gt;out there in eternity, without getting compensation for it. To hide the&lt;br/&gt;activity and timing of our channels we could simply open multiple&lt;br/&gt;sessions with the watchtower, or spread them across multiple watchtowers.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;I&amp;#39;d even go further and just add the channel outpoint (or should I call&lt;br/&gt;it &amp;#34;contract outpoint&amp;#34;?) to the update in cleartext so that the&lt;br/&gt;watchtower can prune states for closed channels. We can still spread the&lt;br/&gt;states across multiple watchtowers to hide update rate and timing. So&lt;br/&gt;this effectively gets us to a O(1) storage space for watchtowers in&lt;br/&gt;eltoo.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I was reading through the transcript of recent talk: &lt;a href=&#34;https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/&#34;&gt;https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In section &amp;#34;Revocations and SIGHASH_NOINPUT&amp;#34;:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; There&amp;#39;s another issue in lightning, which is the revocation transactions. There are basically, every time you do a state update, there&amp;#39;s an extra transactions that both parties need to hold forever. If you&amp;#39;re doing watchtowers, then the watchtowers need to keep all this evergrowing state.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; ...&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; using SIGHASH_NOINPUT ... You have state to keep around, but it&amp;#39;s just one transaction and it scales with O(1) instead of O(n).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I thought I would just like to point out a few things:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Rusty created shachain so that we can store the O(n) transactions in O(1) space (though with large constant) and O(log n) time to extract in case of breach (and breach is expected to be a rare operation).&lt;br/&gt;&amp;gt;   (Rusty can correct me if I am incorrect in the performance of this shachain construct).&lt;br/&gt;&amp;gt;   * For the most part we can ignore (I think) the storage of revocation keys at this point in LN development.&lt;br/&gt;&amp;gt;   * There is a limit to the number of updates possible, but my understanding is that this is so large as to be impractical for users to reach even with long-lifetime channels.&lt;br/&gt;&amp;gt; * Admittedly, watchtowers with Poon-Dryja revocation mechanism need to store O(n) transactions.&lt;br/&gt;&amp;gt;   This is because shachain stores keys, and we do not want watchtowers to possess revocation keys, only pre-built signatures to revocation transactions that pay a partial fee to the watchtower (else the watchtower could sign a revocation transaction paying only to itself without giving the client any money at all).&lt;br/&gt;&amp;gt;   But!&lt;br/&gt;&amp;gt;   * Watchtowers, even with Decker-Russell-Osuntokun, still need to store *all* O(n) transactions it receives for a channel.&lt;br/&gt;&amp;gt;     This is needed to protect against &amp;#34;poisoned blob&amp;#34; attacks, where an attacker creates an encrypted blob that is just random data and feeds it into the watchtower.&lt;br/&gt;&amp;gt;     See:&lt;br/&gt;&amp;gt;       * &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html&lt;/a&gt;&lt;br/&gt;&amp;gt;       * &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001267.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001267.html&lt;/a&gt;&lt;br/&gt;&amp;gt;   * Of note is that even Decker-Russell-Osuntokun watchtowers either need to identify their clients so that attackers cannot spoof the clients (meaning clients trust the watchtower with their financial information!) or have to store all encrypted blobs related to a channel (meaning O(n) data is still stored by the watchtower for each channel, despite the other advantages of Decker-Russell-Osuntokun).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I do not know if work has been done on watchtowers to allow them to have O(1) storage of channel state, without leaking channel activity to the watchtower.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; That is, even for Decker-Russell-Osuntokun I think it is better to make an effort to keep channel activity from being correlated by the watchtower, and this will require O(n) storage at the watchtower where n is number of updates in channel.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think the main advantage of Decker-Russell-Osuntokun (and thus the `SIGHASH_NOINPUT` it requires) is the possibility of having multiparticipant offchain updateable cryptocurrency systems, not the storage advantages.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:56:11Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqswr9n00xgu8vnrhx5wvhaap0nxmf7a05q0axy9jlu6pxqnef7c3rgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqtrjzl</id>
    
      <title type="html">📅 Original date posted:2019-09-19 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqswr9n00xgu8vnrhx5wvhaap0nxmf7a05q0axy9jlu6pxqnef7c3rgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqtrjzl" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstnhxh8wzn9dx27mu3j87cm7neu6fk8g2cmcnfafhdtlxmnkf08mcvfwx3r&#39;&gt;nevent1q…wx3r&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-19&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; Not necessarily. If we have an escape hatch in the scripts that allows&lt;br/&gt;&amp;gt;&amp;gt; to spend any output attached to the settlement transaction by n-1&lt;br/&gt;&amp;gt;&amp;gt; participants we could reclaim these into a new open right away.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This would have to be very very carefully designed.&lt;br/&gt;&amp;gt; The entire point of requiring an n-of-n signature is:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * By using an n-of-n signatory where *you* are a signer, you are completely immune to Sybil attacks: even if everybody other than *you* in the signatory set is secretly just one entity, this is no different from doing a 2-of-2 bog-standard boring sleepy Zzzzzz Poon-Dryja Lightning Network channel.&lt;br/&gt;&amp;gt;   * Any m-of-n signatory where strictly m &amp;lt; n allows anybody with the ability to run m nodes to outright steal money from you.&lt;br/&gt;&amp;gt;     * As processing power is cheap nowadays, there is no m that can be considered safe.&lt;br/&gt;&amp;gt;       Your alternative is to fall back on proof-of-work, but that just means going onchain, so you might as well just do things onchain.&lt;br/&gt;&amp;gt;   * This is why 2-of-2 channels work so well, it&amp;#39;s the minimum useable construction and any multiparty construction, when Sybilled, devolves to a 2-of-2 channel.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So the n-1 participants would have to be very very very carefully limited in what they can do.&lt;br/&gt;&amp;gt; And if the only &amp;#34;right&amp;#34; the n-1 participants can do is to force the nth participant to claim its funds onchain, then that is implementable with a transaction doing just that, which is pre-signed by the nth participant and given to participants 1..n-1.&lt;br/&gt;&lt;br/&gt;Just to be clear, I do *not* want to support uncooperative splice-outs.&lt;br/&gt;This is due to their need to either pre-sign a splice-out of the party&lt;br/&gt;like I explained further down, or it requires encumbering whatever we&lt;br/&gt;build on top in order to do a fast-reopen.&lt;br/&gt;&lt;br/&gt;But I do think there is value in exploring what the options are :-)&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Notice that we are negotiating whether or not to apply generic&lt;br/&gt;&amp;gt;&amp;gt; transactions to a shared state. This also means that there is no direct&lt;br/&gt;&amp;gt;&amp;gt; relationship between the ownership of an output and the ID signing off&lt;br/&gt;&amp;gt;&amp;gt; on a change.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The privacy guarantees are identical to Bitcoin on-chain, with the one&lt;br/&gt;&amp;gt;&amp;gt; caveat that we may identify the proposing participant, but we can defend&lt;br/&gt;&amp;gt;&amp;gt; against this by mixing as you propose.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yes, but if we later combine this with allowing multiilateral kick-out&lt;br/&gt;&amp;gt; of a member that is unresponsive (i.e. we splice out the outputs it&lt;br/&gt;&amp;gt; has at least partial ownership of, and keep only those that are owned&lt;br/&gt;&amp;gt; only by the remaining members), then each member would have to&lt;br/&gt;&amp;gt; honestly claim which UTXOs it is interested in keeping after it is&lt;br/&gt;&amp;gt; kicked out of the membership set, defeating this point entirely.  I&lt;br/&gt;&amp;gt; believe this is roughly what you propose in the next point, and&lt;br/&gt;&amp;gt; roughly what you would want with the &amp;#34;n-1 participants&amp;#34; earlier.&lt;br/&gt;&lt;br/&gt;That is indeed the issue I explained further down:&lt;br/&gt;&lt;br/&gt;&amp;gt; It also adds the complexity of having to identify which participant is&lt;br/&gt;&amp;gt; the co-owner of an output, otherwise I can claim ownership of an&lt;br/&gt;&amp;gt; unrelated output and force that to move on-chain by including it in my&lt;br/&gt;&amp;gt; fallback and then becoming unresponsive (added rounds of communication&lt;br/&gt;&amp;gt; can help here, but are cumbersome).&lt;br/&gt;&lt;br/&gt;Claiming ownership would then involve providing a valid input script&lt;br/&gt;(disregarding any timelocks) that could spend the output under some&lt;br/&gt;condition. Others would have to verify this proof-of-ownership before&lt;br/&gt;accepting the node&amp;#39;s self-splice-out before accepting it.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt;     It may be a bit much added complexity for a small complexity to be&lt;br/&gt;&amp;gt;&amp;gt;     honest, hopefully this won&amp;#39;t be needed too often :-)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Statement makes no sense, unless you meant to say &amp;#34;It may be a bit&lt;br/&gt;&amp;gt; much complexity for a small benefit&amp;#34; or similar?&lt;br/&gt;&lt;br/&gt;Indeed, that was a weird sentence :-) I did mean that it is a lot of&lt;br/&gt;complexity for very little benefit :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:06Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs8l6yv8x4xnz6pq2vfjcvt56u2402kamwxczyau4n3c9femq6w7yqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wup2nr7</id>
    
      <title type="html">📅 Original date posted:2019-09-18 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs8l6yv8x4xnz6pq2vfjcvt56u2402kamwxczyau4n3c9femq6w7yqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wup2nr7" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs0s2pl6fheevy25ywshcn9n28qrgukhnrp895l7m7tcxzdf88qqfqzvxkjs&#39;&gt;nevent1q…xkjs&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-18&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; cooperative close:&lt;br/&gt;&amp;gt;&amp;gt; * when all parties mutually agree to close the channel&lt;br/&gt;&amp;gt;&amp;gt; * close the channel with a layer one transaction which finalizes the outputs from the most recent channel output state&lt;br/&gt;&amp;gt;&amp;gt; * should be optimized for privacy and low on-chain fees&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Of note is that a close of an update mechanism does not require the&lt;br/&gt;&amp;gt; close of any hosted update mechanisms, or more prosaically, &amp;#34;close of&lt;br/&gt;&amp;gt; channel factory does not require close of hosted channels&amp;#34;.  This is&lt;br/&gt;&amp;gt; true for both unilateral and cooperative closes.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Of course, the most likely reason you want to unilaterally close an&lt;br/&gt;&amp;gt; outer mechanism is if you have some contract in some deeply-nested&lt;br/&gt;&amp;gt; mechanism that will absolute-locktime expire &amp;#34;soon&amp;#34;, in which case you&lt;br/&gt;&amp;gt; have to close everything that hosts it.  But for example if a channel&lt;br/&gt;&amp;gt; factory has channels A B C and only A has an HTLC that will expire&lt;br/&gt;&amp;gt; soon, while the factory and A have to close, B and C can continue&lt;br/&gt;&amp;gt; operation, even almost as if nothing happened to A.&lt;br/&gt;&lt;br/&gt;Indeed this is something that I think we already mentioned back in the&lt;br/&gt;duplex micropayment channel days, though it was a bit hidden and only&lt;br/&gt;mentioned HTLCs (though the principle carries over for other structures&lt;br/&gt;built on the raw update mechanism):&lt;br/&gt;&lt;br/&gt;&amp;gt; The process simply involves one party creating the teardown&lt;br/&gt;&amp;gt; transaction, both parties signing it and committing it to the&lt;br/&gt;&amp;gt; blockchain. HTLC outputs which have not been removed by agreement can&lt;br/&gt;&amp;gt; be copied over to the summary transaction such that the same timelocks&lt;br/&gt;&amp;gt; and resolution rules apply.&lt;br/&gt;&lt;br/&gt;Notice that in the case of eltoo the settlement transaction is already&lt;br/&gt;the same as the teardown transaction in DMC.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; membership change (ZmnSCPxj ritual):&lt;br/&gt;&amp;gt;&amp;gt; * when channel parties want to leave or add new members to the channel&lt;br/&gt;&amp;gt;&amp;gt; * close and reopen a new channel via something like a channel splicing transaction to the layer one blockchain&lt;br/&gt;&amp;gt;&amp;gt; * should be optimized for privacy and low on-chain fees paid for by parties entering and leaving the channel&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Assuming you mean that any owned funds will eventually have to be&lt;br/&gt;&amp;gt; claimed onchain, I suppose this is doable as splice-out.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But note that currently we have some issues with splice-in.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As far as I can tell (perhaps Lisa Neigut can correct me, I believe&lt;br/&gt;&amp;gt; she is working on this), splice-in has the below tradeoffs:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Option 1: splice-in is async (other updates can continue after all participants have sent the needed signatures for the splice-in).&lt;br/&gt;&amp;gt;     Drawback is that spliced-in funds need to be placed in a temporary&lt;br/&gt;&amp;gt;     n-of-n, meaning at least one additional tx.&lt;br/&gt;&lt;br/&gt;Indeed this is the first proposal I had back at the Milan spec meeting,&lt;br/&gt;and you are right that it requires stashing the funds in a temporary&lt;br/&gt;co-owned output to make sure the transition once we splice in is&lt;br/&gt;atomic. Batching could help here, if we have 3 participants joining they&lt;br/&gt;can coordinate to set the funds aside together and then splice-in at the&lt;br/&gt;same time. The downside is the added on-chain transaction, and the fact&lt;br/&gt;that the funds are not operational until they reach the required depth&lt;br/&gt;(I don&amp;#39;t think we can avoid this with the current security guarantees&lt;br/&gt;provided by Bitcoin). Notice that there is still some uncertainty&lt;br/&gt;regarding the confirmation of the splice-in even though the funds were&lt;br/&gt;stashed ahead of time, and we may end up in a state where we assumed&lt;br/&gt;that the splice-in will succeed, but the fees we attached turn out to be&lt;br/&gt;too low. In this case we built a sandcastle that collapses due to our&lt;br/&gt;foundation being washed away, and we&amp;#39;d have to go back and agree on&lt;br/&gt;re-splicing with corrected fees (which a malicious participant might&lt;br/&gt;sabotage) or hope the splice eventually confirms.&lt;br/&gt;&lt;br/&gt;&amp;gt; 2.  Option 2: splice-in is efficient (only the splice-in tx appears onchain).&lt;br/&gt;&amp;gt;     Drawback is that subsequent updates can only occur after the splice-in tx is deeply confirmed.&lt;br/&gt;&amp;gt;     * This can be mitigated somewhat by maintaining a pre-splice-in&lt;br/&gt;&amp;gt;     and post-splice-in mechanism, until the splice-in tx is deeply&lt;br/&gt;&amp;gt;     confirmed, after which the pre-splice-in version is discarded.&lt;br/&gt;&amp;gt;       Updates need to be done on *both* mechanisms until then, and any&lt;br/&gt;&amp;gt;     introduced money is &amp;#34;unuseable&amp;#34; anyway until the splice-in tx&lt;br/&gt;&amp;gt;     confirms deeply since it would not exist in the pre-splice-in&lt;br/&gt;&amp;gt;     mechanism yet.&lt;br/&gt;&lt;br/&gt;This is the more complex variant we discussed during the last&lt;br/&gt;face-to-face in Australia, and it seemed to me that people were mostly&lt;br/&gt;in favor of doing it this way. It adds complexity since we maintain&lt;br/&gt;multiple variants (making it almost un-implementable in LN-penalty),&lt;br/&gt;however the reduced footprint, and the uncertainty regarding&lt;br/&gt;confirmations in the first solution are strong arguments in favor of&lt;br/&gt;this option.&lt;br/&gt;&lt;br/&gt;&amp;gt; But perhaps a more interesting thing (and more in keeping with my&lt;br/&gt;&amp;gt; sentiment &amp;#34;a future where most people do not typically have&lt;br/&gt;&amp;gt; single-signer ownership of coins onchain&amp;#34;) would be to transfer funds&lt;br/&gt;&amp;gt; from one multiparticipant offchain mechanism to another&lt;br/&gt;&amp;gt; multiparticipant offchain, by publishing a single transaction onchain.&lt;br/&gt;&amp;gt; It may be doable via some extension of my proposed ritual for changing&lt;br/&gt;&amp;gt; membership set.&lt;br/&gt;&lt;br/&gt;Aside from a bit more coordination I don&amp;#39;t see any roadblocks to do&lt;br/&gt;this, and it&amp;#39;d be an awesome improvement. It even allows sub-dust&lt;br/&gt;transfers between channels, as long as the total funds in the channel&lt;br/&gt;remain above dust :-)&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; uncooperative membership change:&lt;br/&gt;&amp;gt;&amp;gt; * a subset of channel parties might want to cooperatively sign a channel splicing transaction to &amp;#39;splice out&amp;#39; uncooperative parties&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I believe this is currently considered unsafe.&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-April/001975.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-April/001975.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Unless you refer to another mechanism...?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I believe this will end up requiring deep confirmation of the&lt;br/&gt;&amp;gt; uncooperative close followed by a new mechanism open.&lt;br/&gt;&lt;br/&gt;Not necessarily. If we have an escape hatch in the scripts that allows&lt;br/&gt;to spend any output attached to the settlement transaction by n-1&lt;br/&gt;participants we could reclaim these into a new open right away. The&lt;br/&gt;footprint would be 1 unilateral close, n outputs for participants, m&lt;br/&gt;outputs for contracts built on top, and 1 open transaction that&lt;br/&gt;recollects all outputs in which the non-responding participant is not a&lt;br/&gt;co-signer. The main advantage is that we can avoid downtime.&lt;br/&gt;&lt;br/&gt;Just spit-balling here, since it&amp;#39;d leak some of the update logic back&lt;br/&gt;into the contracts built on top of the update mechanism, which for me is&lt;br/&gt;enough to discard this idea again.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; mining, mining reward and difficulty adjustment&lt;br/&gt;&amp;gt;&amp;gt; * no equivalent concept for multi-party channels&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Fees for each update.  Consider how HTLC routing in Lightning&lt;br/&gt;&amp;gt; implicitly pays forwarding nodes to cooperate with the forwarding.  I&lt;br/&gt;&amp;gt; imagine most nodes in a multiparticipant offchain system will want to&lt;br/&gt;&amp;gt; be paid for cooperation, even if just a nominal sub-satoshi amount.&lt;br/&gt;&lt;br/&gt;If we allow generic contracts on top of the base update mechanism it&amp;#39;ll&lt;br/&gt;be rather difficult to identify the beneficiary of an update, so it&amp;#39;s&lt;br/&gt;hard to know who should pay a fee. I&amp;#39;d rather argue that cooperating is&lt;br/&gt;in the interest of all participants since they&amp;#39;d eventually want to&lt;br/&gt;create an update of their own, and there is no upside to become&lt;br/&gt;unresponsive.&lt;br/&gt;&lt;br/&gt;Notice that the fees we leverage in LN are because we expose our funds&lt;br/&gt;to the risk of not being available by allocating them to an HTLC, not&lt;br/&gt;for the updates themselves. Since in the forwarding scenario we&amp;#39;re only&lt;br/&gt;exposing the funds of the forwarding nodes to this risk it&amp;#39;s only&lt;br/&gt;natural that they&amp;#39;d be the ones leveraging a fee, not the other&lt;br/&gt;participants that simply sign off on the change.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; privacy:&lt;br/&gt;&amp;gt;&amp;gt; * disassociate a particular update from signer(s)&lt;br/&gt;&amp;gt;&amp;gt; * disassociate IP address of signers from signature&lt;br/&gt;&amp;gt;&amp;gt; * using SIGHASH_ALL for cooperative closes&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I suppose Tor can be used to disassociate IP address from signers if&lt;br/&gt;&amp;gt; everyone is from a hidden service.  However, we need to include some&lt;br/&gt;&amp;gt; kind of mix mechanism to allow individual signers to disassociate&lt;br/&gt;&amp;gt; their ownership of funds from their identity as signers.  Though such&lt;br/&gt;&amp;gt; mechanisms already exist as theoretical constructs, so &amp;#34;just needs&lt;br/&gt;&amp;gt; implementing&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But then again: if you own funds in the mechanism, you *should* be a&lt;br/&gt;&amp;gt; signer (else you are trusting a federation).  So a basic fact here is&lt;br/&gt;&amp;gt; that if you are a participant in some offchain mechanism, you are&lt;br/&gt;&amp;gt; likely (approaching 100% probability) to own money in it.&lt;br/&gt;&lt;br/&gt;Notice that we are negotiating whether or not to apply generic&lt;br/&gt;transactions to a shared state. This also means that there is no direct&lt;br/&gt;relationship between the ownership of an output and the ID signing off&lt;br/&gt;on a change.&lt;br/&gt;&lt;br/&gt;The privacy guarantees are identical to Bitcoin on-chain, with the one&lt;br/&gt;caveat that we may identify the proposing participant, but we can defend&lt;br/&gt;against this by mixing as you propose.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; liveness:&lt;br/&gt;&amp;gt;&amp;gt; * if signers know they will be offline, can they pre-sign updates that just commit their own outputs, rather then splice out?&lt;br/&gt;&amp;gt;&amp;gt; * contingent tap-leafs to splice out non-responsive signers&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It might be possible to create a new mechanism-within-mechanism layer,&lt;br/&gt;&amp;gt; if a signer knows they will be offline.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For example, suppose entities A, B, and C have an offchain update&lt;br/&gt;&amp;gt; mechanism, which we shall call a &amp;#34;factory&amp;#34;.  Suppose this factory&lt;br/&gt;&amp;gt; contains an A-B channel, a B-C channel, a A-C channel, and some funds&lt;br/&gt;&amp;gt; owned by B only.  Then suppose A knows he or she will be offline for&lt;br/&gt;&amp;gt; some time.  Before A goes offline, they can move from this UTXO set:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * A-B channel&lt;br/&gt;&amp;gt; * B-C channel&lt;br/&gt;&amp;gt; * A-C channel&lt;br/&gt;&amp;gt; * B funds&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; To this UTXO set:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * A-B channel&lt;br/&gt;&amp;gt; * A-C channel&lt;br/&gt;&amp;gt; * B-C offchain update mechanism (sub-factory), which itself has its own UTXO set:&lt;br/&gt;&amp;gt;   * B-C channel&lt;br/&gt;&amp;gt;   * B funds&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This allows B and C to manage the B-C channels and B funds without&lt;br/&gt;&amp;gt; cooperation of A.  Then, later, when A returns online, the B-C&lt;br/&gt;&amp;gt; offchain update mechanism is collapsed back to the parent A-B-C&lt;br/&gt;&amp;gt; offchain update mechanism.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This assumes A knows it will be offline (which it might do for&lt;br/&gt;&amp;gt; e.g. regular maintenance, or software updates).&lt;br/&gt;&lt;br/&gt;We could theoretically play this game, having each participant create&lt;br/&gt;two updates with the same state-number at each update:&lt;br/&gt;&lt;br/&gt; 1) A normal one that just keeps them in the contract&lt;br/&gt; 2) A fallback splice all outputs they own (direct ones, HTLCs, ...) and&lt;br/&gt;    putting the rest back into a channel without them.&lt;br/&gt;&lt;br/&gt;In case of one user becoming inactive the others can sign the splice,&lt;br/&gt;dropping the inactive participant and continue like nothing&lt;br/&gt;happened. The worst case scenario is that the normal update gets&lt;br/&gt;broadcast and confirmed instead, which means we are back to the&lt;br/&gt;unilateral close that we&amp;#39;d have to do anyway without this mechanism.&lt;br/&gt;&lt;br/&gt;Notice however that this only works if participants drop off one by one,&lt;br/&gt;otherwise we get a combinatorial explosion for the fallback cases where&lt;br/&gt;each combination of inactive participants needs to splice themselves&lt;br/&gt;out. It also adds the complexity of having to identify which participant&lt;br/&gt;is the co-owner of an output, otherwise I can claim ownership of an&lt;br/&gt;unrelated output and force that to move on-chain by including it in my&lt;br/&gt;fallback and then becoming unresponsive (added rounds of communication&lt;br/&gt;can help here, but are cumbersome).&lt;br/&gt;&lt;br/&gt;It may be a bit much added complexity for a small complexity to be&lt;br/&gt;honest, hopefully this won&amp;#39;t be needed too often :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:05Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs2xa2evqrz7eq8q32e4el3altjc602wxk6ga3ad7d3z3hr6vzmnqczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5wh0qs</id>
    
      <title type="html">📅 Original date posted:2019-09-06 📝 Original message: With ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs2xa2evqrz7eq8q32e4el3altjc602wxk6ga3ad7d3z3hr6vzmnqczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5wh0qs" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdf9w94405m47zm5skwdqmat3tpnnsr2y4r0k7sm0nlv65mdjf9ysw5ckjg&#39;&gt;nevent1q…ckjg&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-06&lt;br/&gt;📝 Original message:&lt;br/&gt;With the recently published proof-of-concept of eltoo on signet by&lt;br/&gt;Richard, I thought it might a good time to share some thoughts on ho I&lt;br/&gt;think we can build this system. I think there are a few properties of&lt;br/&gt;eltoo that allow us to build a nicely layered protocol stack, which&lt;br/&gt;improves flexibility and simplifies the reasoning about their relative&lt;br/&gt;security.&lt;br/&gt;&lt;br/&gt;Since I don&amp;#39;t like huge e-mails myself and I&amp;#39;m about to write one,&lt;br/&gt;here&amp;#39;s a quick TL;DR:&lt;br/&gt;&lt;br/&gt;&amp;gt; Using the clean separation of protocol layers provided by eltoo we can&lt;br/&gt;&amp;gt; reconcile many on-chain and off-chain concepts, and simplify the&lt;br/&gt;&amp;gt; reasoning to build more complex functionality beyond simple&lt;br/&gt;&amp;gt; HTLCs. Bitcoin transactions are a natural fit to represent proposed&lt;br/&gt;&amp;gt; off-chain state-changes while they are being negotiated.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;### Clean separation of protocol layers&lt;br/&gt;&lt;br/&gt;One of te big advantages of eltoo over other off-chain update mechanisms&lt;br/&gt;is that it provides strong guarantees regarding the state that will&lt;br/&gt;eventually end up confirmed on-chain. If parties in an eltoo off-chain&lt;br/&gt;contract agree on an update, we can be certain (within eltoo&amp;#39;s security&lt;br/&gt;assumptions) that this is the state that will eventually confirm&lt;br/&gt;on-chain, if no newer states are agreed.&lt;br/&gt;&lt;br/&gt;In particular it means that we are guaranteed no earlier state can leak&lt;br/&gt;onto the chain, keeping anything we build on top of the update layer&lt;br/&gt;unencumbered since it doesn&amp;#39;t have to deal with this case.&lt;br/&gt;&lt;br/&gt;This is in stark contrast to the penalty update mechanism, where&lt;br/&gt;old/revoked states can leak on-chain, resulting in anything built on top&lt;br/&gt;of the penalty mechanism having to deal with that eventuality. For&lt;br/&gt;example if we look at HTLCs as specified [1] we see that it needs an&lt;br/&gt;additional revokation path for the case the commitment transaction that&lt;br/&gt;created this HTLC output is confirmed:&lt;br/&gt;&lt;br/&gt;```btcscript&lt;br/&gt;# To remote node with revocation key&lt;br/&gt;OP_DUP OP_HASH160 &amp;lt;RIPEMD160(SHA256(revocationpubkey))&amp;gt; OP_EQUAL&lt;br/&gt;OP_IF&lt;br/&gt;    OP_CHECKSIG&lt;br/&gt;OP_ELSE&lt;br/&gt;    &amp;lt;remote_htlcpubkey&amp;gt; OP_SWAP OP_SIZE 32 OP_EQUAL&lt;br/&gt;    OP_IF&lt;br/&gt;        # To local node via HTLC-success transaction.&lt;br/&gt;        OP_HASH160 &amp;lt;RIPEMD160(payment_hash)&amp;gt; OP_EQUALVERIFY&lt;br/&gt;        2 OP_SWAP &amp;lt;local_htlcpubkey&amp;gt; 2 OP_CHECKMULTISIG&lt;br/&gt;    OP_ELSE&lt;br/&gt;        # To remote node after timeout.&lt;br/&gt;        OP_DROP &amp;lt;cltv_expiry&amp;gt; OP_CHECKLOCKTIMEVERIFY OP_DROP&lt;br/&gt;        OP_CHECKSIG&lt;br/&gt;    OP_ENDIF&lt;br/&gt;OP_ENDIF&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;The update mechanism bleeding into the other layers is rather cumbersome&lt;br/&gt;if you ask me, and complicates the reasoning about security. Having to&lt;br/&gt;thread the penalty through outputs created by the off-chain contract may&lt;br/&gt;also not work if we deal with more than 2 parties, since penalties&lt;br/&gt;always steal all the funds, regardless of whether the output belonged to&lt;br/&gt;the cheater or not (see asymmetry vs symmetry argument from the paper&lt;br/&gt;[2]).&lt;br/&gt;&lt;br/&gt;With the clean separation we get from eltoo we can concentrate on&lt;br/&gt;building the output scripts we&amp;#39;d like to have without having to thread&lt;br/&gt;penalties through them. This reduces the complexity and our on-chain&lt;br/&gt;footprint.&lt;br/&gt;&lt;br/&gt;The update layer now exposes only two very simple operations:&lt;br/&gt;`add_output` and `remove_output` (this should sound very familiar :-p).&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;### Ownership and atomic update model&lt;br/&gt;&lt;br/&gt;Now that we have a solid update layer, which ensures that agreed upon&lt;br/&gt;states will eventually be reflected on-chain, we can turn our attention&lt;br/&gt;to the next layer up: the negotiation layer. Each output in our&lt;br/&gt;agreed-upon state needs to be assigned one or more owners. The owners&lt;br/&gt;are the participants that need to sign off on removal of an output and&lt;br/&gt;the creation of new outputs which redistribute the funds contained in&lt;br/&gt;the removed outputs to newly created outputs.&lt;br/&gt;&lt;br/&gt;In addition we need to ensure that multiple `remove_output` and&lt;br/&gt;`add_output` are guaranteed to be applied atomically. By creating a&lt;br/&gt;datastructure that lists a number of operations that are to either be&lt;br/&gt;applied to the current state or discarded, we can have arbitrary complex&lt;br/&gt;changes of ownership, and the newly created outputs can have arbitrary&lt;br/&gt;scripts.&lt;br/&gt;&lt;br/&gt;If all of this sounds familiar that&amp;#39;s because this is exactly the UTXO&lt;br/&gt;model and the transaction structure we have in Bitcoin. We&lt;br/&gt;collaboratively manage funds bound to some outputs (UTXO) and can change&lt;br/&gt;their ownership and allocation over time (transactions).&lt;br/&gt;&lt;br/&gt;This means that a subset of the participants in an off-chain contract&lt;br/&gt;can negotiate among themselves how to redistribute funds, join and split&lt;br/&gt;them in an arbitrary fashion, without the rest of the contract being&lt;br/&gt;involved. The end result is a valid Bitcoin transaction that spends some&lt;br/&gt;outputs of the current state, and is signed by the owners. The&lt;br/&gt;transaction can then be presented to the entire group, and applied to&lt;br/&gt;the state. Applying the transaction flattens multiple transactions built&lt;br/&gt;on top of the current state into a new state (similar to transaction&lt;br/&gt;cut-through in mimblewimble).&lt;br/&gt;&lt;br/&gt;Using transactions as a means to represent off-chain negotiations, and&lt;br/&gt;then applying them to the off-chain state via cut-through has a number&lt;br/&gt;of advantages over similar schemes:&lt;br/&gt;&lt;br/&gt;- Even if we failed to update the off-chain state, the transactions&lt;br/&gt;  building on top of it are valid transactions, so once we tear down&lt;br/&gt;  the channel, our negotiated new state can still be reached by&lt;br/&gt;  broadcasting the transaction after settlement (this is basically&lt;br/&gt;  what the channel factory paper [3] was using).&lt;br/&gt;    &lt;br/&gt;- We can reuse a lot of tools that we have already built for on-chain&lt;br/&gt;  transactions, including things like miniscript and hardware wallets,&lt;br/&gt;  without explicitly requiring them in our own specification. The&lt;br/&gt;  Bitcoin object model is our interface here.&lt;br/&gt;&lt;br/&gt;- It allows for experimentation even inside a running eltoo instance. If&lt;br/&gt;  you can find another participant that supports a fancy new protocol,&lt;br/&gt;  you can use that protocol even though some of the other participants&lt;br/&gt;  may not know anything about it. As long as you can understand the&lt;br/&gt;  Bitcoin transaction model you can participate in a multi-party&lt;br/&gt;  channel.&lt;br/&gt;&lt;br/&gt;I think this reconciliation between the off-chain model and the on-chain&lt;br/&gt;model, with many concepts cleanly mapping from one context to another&lt;br/&gt;(state outputs = UTXO, off-chain update = on-chain transactions,&lt;br/&gt;cut-through = confirmation, operation batching = block creation) is&lt;br/&gt;rather nice :-)&lt;br/&gt;&lt;br/&gt;That should be enough rambling on my side. I&amp;#39;m interested in what others&lt;br/&gt;think about this. Is it completely off, does it make no sense at all, or&lt;br/&gt;is this something we should be looking into going forward?&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/blob/master/03-transactions.md#received-htlc-outputs&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/blob/master/03-transactions.md#received-htlc-outputs&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://blockstream.com/eltoo.pdf&#34;&gt;https://blockstream.com/eltoo.pdf&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://tik-old.ee.ethz.ch/file/a20a865ce40d40c8f942cf206a7cba96/Scalable%5FFunding%5FOf%5FBlockchain%5FMicropayment%5FNetworks.pdf&#34;&gt;https://tik-old.ee.ethz.ch/file/a20a865ce40d40c8f942cf206a7cba96/Scalable%5FFunding%5FOf%5FBlockchain%5FMicropayment%5FNetworks.pdf&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:56:02Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsxpuwe84wj3m798yvw2jaajzjflympw6dyltdmyh6qmqz4aupmqwczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wahgze5</id>
    
      <title type="html">📅 Original date posted:2019-09-18 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsxpuwe84wj3m798yvw2jaajzjflympw6dyltdmyh6qmqz4aupmqwczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wahgze5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2y0g24x243qjta5mljgkvhfdrw37qyhykpfmr2lgv3r6ux0a9vfqa25uaa&#39;&gt;nevent1q…5uaa&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-18&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt;&amp;gt; But it is perfectly fine to use ***zero*** routing fees, I think.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Briefly: if a channel has too much liquidity on your side, passively&lt;br/&gt;&amp;gt; rebalance by broadcasting a `channel_update` with 0 routing fees.&lt;br/&gt;&amp;gt; This helps JIT-Routing of nearby nodes as it allows cheaper rebalances&lt;br/&gt;&amp;gt; to support.&lt;br/&gt;&lt;br/&gt;This falls a bit outside of the scope of `channel_update`s if you ask&lt;br/&gt;me. `channel_update`s are meant to communicate coarse grained&lt;br/&gt;information about the channel to the rest of the network. They are not&lt;br/&gt;meant to communicate in a local group of nodes. I&amp;#39;d rather have a&lt;br/&gt;`local_channel_update` that has a small TTL counted down on each hop to&lt;br/&gt;limit its spread for this kind of communication. That local update can&lt;br/&gt;then also bypass the rate-limiting.&lt;br/&gt;&lt;br/&gt;&amp;gt; Of course, it is still desirable to rate-limit such updates.&lt;br/&gt;&amp;gt; So we can do the below policy:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Maintain a &amp;#34;latest broadcast is zero&amp;#34; flag.&lt;br/&gt;&amp;gt; 2.  If the channel has been &amp;gt;=75% in your favor for more than 10 minutes (or whatever configuration you want), and the &amp;#34;latest broadcast is zero&amp;#34; flag is cleared, set it and broadcast a 0-fee `channel_update` and set your feerate to 0.&lt;br/&gt;&amp;gt; 3.  If the channel has been &amp;lt;75% in your favor, set your feerate to non-zero, but do not broadcast (meaning &amp;#34;latest broadcast is zero&amp;#34; flag does not change).&lt;br/&gt;&amp;gt; 4.  If the channel has been &amp;lt;75% in your favor for more than 10 minutes, and the &amp;#34;latest broadcast is zero&amp;#34; flag is set, clear it and broacast your normal `channel_update`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However this will probably still lead to more than a burst of 4 `channel_update`s per day.&lt;br/&gt;&lt;br/&gt;This is way more logic to add to an already complex set of rules. I&amp;#39;d&lt;br/&gt;prefer having separate negotiation logic for the scenarios you&lt;br/&gt;propose. `channel_update`s are coarse-grained on purpose and a really&lt;br/&gt;large hammer that is not well-suited for tiny adjustments like&lt;br/&gt;rebalancing. This is also the reason why I advocated for active&lt;br/&gt;rebalancing over indirect signalling through negative fees. Notice that&lt;br/&gt;you can still allow zero-fee forwarding by using local updates as offers&lt;br/&gt;and then referencing the offer in the onion, without telling the wider&lt;br/&gt;world about the balances in your channel, and without having to deal&lt;br/&gt;with someone using that zero-fee much later than you needed it.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:56:00Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs8uezu3cl6a96fng73ng4gzvwjp70z00rhswk9dtk2kj6kwyj9v0szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6zwln5</id>
    
      <title type="html">📅 Original date posted:2019-07-14 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs8uezu3cl6a96fng73ng4gzvwjp70z00rhswk9dtk2kj6kwyj9v0szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6zwln5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqszwpxnky098e99up7re8esk3zkqvdq376exze4ueeqqfnv2xwamxg6490ke&#39;&gt;nevent1q…90ke&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-07-14&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning Atoine,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thank you for your proposal.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Eltoo has been criticized to lower the cost for a malicious party to&lt;br/&gt;&amp;gt;&amp;gt; test your monitoring of the chain. If we&amp;#39;re able to reintroduce some&lt;br/&gt;&amp;gt;&amp;gt; form of punishment without breaking transaction symmetry that would be great.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The primary advantage of Decker-Russell-Osuntokun is that it&lt;br/&gt;&amp;gt; eliminates &amp;#34;toxic waste&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; By this we mean, older version of your channel database are &amp;#34;toxic&amp;#34; in&lt;br/&gt;&amp;gt; that you, ***or someone who wants to attack you***, can use it&lt;br/&gt;&amp;gt; (accidentally in your case, deliberately in the attacker case), and&lt;br/&gt;&amp;gt; then you will lose all funds in the channel.&lt;br/&gt;&lt;br/&gt;I&amp;#39;m pretty sure at this point that the toxic-waste problem is inherent&lt;br/&gt;to punishment schemes, and anything we build on top of it would&lt;br/&gt;reintroduce asymmetry, undoing a lot of the benefits that we gained with&lt;br/&gt;eltoo. Then again, I personally don&amp;#39;t think that punishments are such a&lt;br/&gt;great idea in the first place (having been inadvertently punished myself&lt;br/&gt;due to botched backups and similar things).&lt;br/&gt;&lt;br/&gt;&amp;gt; Note that access to your channel database, without necessarily&lt;br/&gt;&amp;gt; accessing your node private keys, is often easier.  For example,&lt;br/&gt;&amp;gt; C-Lightning stores channel data into an SQLITE database and exposes&lt;br/&gt;&amp;gt; every transaction it makes to a `db_hook` that plugins can use to&lt;br/&gt;&amp;gt; replicate the database elsewhere.  If you were to use an&lt;br/&gt;&amp;gt; insufficiently secured plugin to replicate your database, an attacker&lt;br/&gt;&amp;gt; might be able to access your channel data, replicate your database,&lt;br/&gt;&amp;gt; and use an older version to frame you for theft and make you lose all&lt;br/&gt;&amp;gt; your channel funds.&lt;br/&gt;&lt;br/&gt;Just a minor correction here: your own commitment transactions are not&lt;br/&gt;being signed until we want to release them. Therefore having access to&lt;br/&gt;your DB doesn&amp;#39;t give an attacker the ability to frame the user with an&lt;br/&gt;old version, since that&amp;#39;d still require access to the keys to add our&lt;br/&gt;own signature. Even a simple signing component that keeps a high-water&lt;br/&gt;mark for the latest state and refuses to sign an older one would be&lt;br/&gt;sufficient to guard against involuntary cheating.&lt;br/&gt;&lt;br/&gt;Nevertheless, there are quite a few damaging things an attacker can do&lt;br/&gt;if he get hold of your DB, just not this one :-)&lt;br/&gt;&lt;br/&gt;&amp;gt; Thus, Decker-Russell-Osuntokun removes the punitive consideration so&lt;br/&gt;&amp;gt; that you being framed for theft does not lose all your funds, it&lt;br/&gt;&amp;gt; merely closes your channels.&lt;br/&gt;&lt;br/&gt;Which is also not free: you are still paying on-chain fees for your&lt;br/&gt;failed attempt to enforce an older state, and you still don&amp;#39;t get the&lt;br/&gt;desired effect, since the counterparty just overrides your attempt,&lt;br/&gt;without returning your fees.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:55:29Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqszk87h53xqgqawz2sq43gv0u04yn6a0uxp4mah67cc8960xue55pqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w08jxdr</id>
    
      <title type="html">📅 Original date posted:2019-06-28 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqszk87h53xqgqawz2sq43gv0u04yn6a0uxp4mah67cc8960xue55pqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w08jxdr" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs034qgcssg6pvnsw80crx98nxvycnm7d04p78r805prm4r450lnssf00m40&#39;&gt;nevent1q…0m40&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-06-28&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Ugam,&lt;br/&gt;&lt;br/&gt;I just wanted to quickly note that the current proposal [1] (implemented&lt;br/&gt;here [2]) is to give up on the fixed 65 byte frames altogether and allow&lt;br/&gt;variable payloads (reclaiming what previously was padding in the hop&lt;br/&gt;payloads). Given the low diameter of the network, this gives us a lot of&lt;br/&gt;freedom to put additional payloads in the onion :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/pull/619&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/pull/619&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/2689&#34;&gt;https://github.com/ElementsProject/lightning/pull/2689&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;On Tue, Jun 25, 2019 at 1:07 PM Ugam Kamat &amp;lt;ugamkamat1 at gmail.com&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Hey guys,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I’m kind of new to this mailing list, so let me know if this has been&lt;br/&gt;&amp;gt; proposed previously. While reading Olaoluwa Osuntokun’s Spontaneous&lt;br/&gt;&amp;gt; Payment proposal, I came up with the idea of simultaneous payments to&lt;br/&gt;&amp;gt; multiple parties using the same partial route. In other words, say Alice,&lt;br/&gt;&amp;gt; Bob, Charlie, Dave and Eric have channel opened with one another, and say&lt;br/&gt;&amp;gt; Dave also has channel with Frank who has channel with Grace. Now, Alice is&lt;br/&gt;&amp;gt; at a restaurant and wants to pay the bill amount to Eric (the restaurant&lt;br/&gt;&amp;gt; owner) and a tip to Grace (who was her waiter). In the current scenario,&lt;br/&gt;&amp;gt; Alice would have to send two payments A-&amp;gt;B-&amp;gt;C-&amp;gt;D-&amp;gt;E and A-&amp;gt;B-&amp;gt;C-&amp;gt;D-&amp;gt;F-&amp;gt;G.&lt;br/&gt;&amp;gt; However, if we repurpose the onion blob&lt;br/&gt;&amp;gt; &amp;lt;&lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/2363&amp;gt&#34;&gt;https://github.com/ElementsProject/lightning/pull/2363&amp;gt&lt;/a&gt;; in the same way&lt;br/&gt;&amp;gt; as is needed for Spontaneous Payments, we can create a scenario where there&lt;br/&gt;&amp;gt; is no path duplication. Dave would split the payments, one to Eric and&lt;br/&gt;&amp;gt; other going to Grace through Frank. The preimage PM used in commitments&lt;br/&gt;&amp;gt; A-&amp;gt;B, B-&amp;gt;C and C-&amp;gt;D will be a function of pre-images P1 of D-&amp;gt;E and P2 of&lt;br/&gt;&amp;gt; D-&amp;gt;F and F-&amp;gt;G such that PM = f(P1, P2).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; *Proposal can be implemented by repurposing the onion in similar fashion&lt;br/&gt;&amp;gt; as Spontaneous Payments with slight modification*&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This proposal works in similar fashion to Spontaneous Payment proposal, by&lt;br/&gt;&amp;gt; packing in additional data in the unused hops. For B and C the onion blob&lt;br/&gt;&amp;gt; will be identical to other lightning payments. When D parses the onion, the&lt;br/&gt;&amp;gt; 4 MSB of the realm will tell D how much data can be extracted. This data&lt;br/&gt;&amp;gt; will encode the hashes of the pre-images that would be used for commitment&lt;br/&gt;&amp;gt; transaction towards Eric and other towards Frank.  For simplicity and&lt;br/&gt;&amp;gt; privacy, I propose using 2 onion blobs for the data. So the payload can be&lt;br/&gt;&amp;gt; 64 &#43; 33 bytes = 97 bytes. The first byte would indicate how many hashes are&lt;br/&gt;&amp;gt; packed, so we have 96 bytes for the payload, meaning we can pack a maximum&lt;br/&gt;&amp;gt; of 3 hashes for 3 route payments from D. Now D will split the onion (18&lt;br/&gt;&amp;gt; hops as it has used the first two for bifurcation data) into number of&lt;br/&gt;&amp;gt; routes. In the above case it will be 9 hops each. Now these two onions are&lt;br/&gt;&amp;gt; similar to other lightning payments. The first hop tells D the&lt;br/&gt;&amp;gt; short-channel id, amount to forward, CLTV and the padding. Since, the&lt;br/&gt;&amp;gt; preimage is 32 bytes, we can pack that in one single hop that is received&lt;br/&gt;&amp;gt; by the final party. This leaves the remaining 7 hops can be used for&lt;br/&gt;&amp;gt; routing. Below figure depicts the onion split in terms of how A will create&lt;br/&gt;&amp;gt; it. D will add the filler to make each onion have 20 hops. Onion data is&lt;br/&gt;&amp;gt; encoded in the same order in which the payment hashes are packed in the&lt;br/&gt;&amp;gt; bifurcation data for D.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; *Calculating the preimages*&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Eric and Grace will parse the onion and use the pre-images for settlement.&lt;br/&gt;&amp;gt; Let P1 represent the pre-images of D-&amp;gt;E and P2 of D-&amp;gt;F and F-&amp;gt;G. When the&lt;br/&gt;&amp;gt; pre-images arrive at node D, it will combine them such that PM = f(P1, P2).&lt;br/&gt;&amp;gt; The easiest way for both A and D to calculate that will be PM = SHA256(P1&lt;br/&gt;&amp;gt; || P2 || ss_d). Where || represents concatenation and ss_d is the shared&lt;br/&gt;&amp;gt; secret created using the ephemeral public key of sender (the one generated&lt;br/&gt;&amp;gt; by Alice) and private key of Dave. The need for using shared secret is to&lt;br/&gt;&amp;gt; prevent the vulnerability where one channel operator who has nodes across&lt;br/&gt;&amp;gt; both branches can use them to calculate the PM. Using shared secret also&lt;br/&gt;&amp;gt; ensures that it is in fact D that has parsed them together.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; *Advantages of this proposal:*&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    - Commitment transactions between A &amp;amp; B, B &amp;amp; C, and C &amp;amp; D now carry&lt;br/&gt;&amp;gt;    only one HTLC instead of two&lt;br/&gt;&amp;gt;       - This means lower fees in case of on-chain settlement&lt;br/&gt;&amp;gt;       - Lower routing fees for Alice as Bob and Charlie would not get to&lt;br/&gt;&amp;gt;       charge for two routings&lt;br/&gt;&amp;gt;       - Since 483 is the max limit of the htlcs nodes can accepts,&lt;br/&gt;&amp;gt;       preventing duplication will allow more number of htlcs in flight.&lt;br/&gt;&amp;gt;    - If each payment of Eric and Grace is below the htlc min B or C&lt;br/&gt;&amp;gt;    accepts, but together if it is higher, this route is now usable&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; *Some thoughts on if this proposal can be misused?*&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    - The probability of transaction failures increases as now the&lt;br/&gt;&amp;gt;    transaction is dependent on 2/3 branches&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; *Deployment*&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Not all nodes need to support this feature. For example, B, C, E, F,  and&lt;br/&gt;&amp;gt; G does not even know that the payment arrived through branching. The nodes&lt;br/&gt;&amp;gt; that can handle branching of payments can signal that using global features.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Ugam&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190628/6b06c3d0/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190628/6b06c3d0/attachment.html&amp;gt&lt;/a&gt;;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;A non-text attachment was scrubbed...&lt;br/&gt;Name: image002.png&lt;br/&gt;Type: image/png&lt;br/&gt;Size: 7836 bytes&lt;br/&gt;Desc: not available&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190628/6b06c3d0/attachment.png&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190628/6b06c3d0/attachment.png&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:55:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgs2sz7xmtjzv3f433g75s8hc60a5n36vnar3skagqlqr758psmwszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wv6pgus</id>
    
      <title type="html">📅 Original date posted:2019-05-20 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgs2sz7xmtjzv3f433g75s8hc60a5n36vnar3skagqlqr758psmwszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wv6pgus" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2jzul2f84j9ldft4ymud9xeaqea9fl5q5tpx4jlu0qvuunn4pl2qhqjkkv&#39;&gt;nevent1q…jkkv&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-05-20&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Can you expand on that? Why do we need to &amp;#34;make use of the&lt;br/&gt;&amp;gt;&amp;gt; collaborative path&amp;#34; (maybe it&amp;#39;s unclear to me what you mean by&lt;br/&gt;&amp;gt;&amp;gt; collaborative path here)?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The collaborative path is the use of the taproot-tweaked public key to&lt;br/&gt;&amp;gt; sign, without revealing any scripts.  The bip-taproot proposal&lt;br/&gt;&amp;gt; specifically disallows all `SIGHASH` that is not the current set of&lt;br/&gt;&amp;gt; valid `SIGHASH` flags when using this path, and thus does not include&lt;br/&gt;&amp;gt; `SIGHASH_NOINPUT`/`SIGHASH_ANYPREVOUT`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; New `SIGHASH` types *are* allowed in bip-tapscript (i.e. when signing&lt;br/&gt;&amp;gt; for a `OP_CHECKSIG` variant inside a taproot script), and this is&lt;br/&gt;&amp;gt; where the proposal of aj builds upon.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For myself, I do not see any point in using the collaborative path&lt;br/&gt;&amp;gt; unless we are cooperatively closing anyway.  And once we are&lt;br/&gt;&amp;gt; cooperatively closing, we can agree to spend the funding txo without&lt;br/&gt;&amp;gt; requiring that `SIGHASH_ANYPREVOUT` be used (since we already have&lt;br/&gt;&amp;gt; fallbacks in case of cooperation failure, i.e. the existing&lt;br/&gt;&amp;gt; update/settlement txes).  So again I do not see this to be an issue.&lt;br/&gt;&amp;gt; (I could be wrong)&lt;br/&gt;&lt;br/&gt;You are correct. I forgot that the updates, besides being signed by both&lt;br/&gt;parties, also need to enforce the correct ordering through the CLTV&lt;br/&gt;opcode which cannot be part of the key path (thanks AJ for the correct&lt;br/&gt;name). Hence only collaborative closes can use the key path, which means&lt;br/&gt;we sadly don&amp;#39;t gain much from using taproot in the update-settlement&lt;br/&gt;structure, i.e., the unilateral case is always visible on-chain.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:55:02Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsz29jt7ynlqxusksez4h4vd2vqlx7m83f5dma07pssplq3k5x73dgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wkh6ksq</id>
    
      <title type="html">📅 Original date posted:2019-05-15 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsz29jt7ynlqxusksez4h4vd2vqlx7m83f5dma07pssplq3k5x73dgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wkh6ksq" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs8d22zdhunsuquz6rkyazgjj2pswknqws5df53frdc0um69pfhdwcvyhax3&#39;&gt;nevent1q…hax3&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-05-15&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Bastien,&lt;br/&gt;&lt;br/&gt;thanks for investigating.&lt;br/&gt;&lt;br/&gt;&amp;gt; I have been digging into Anthony Towns&amp;#39; anyprevout BIP&lt;br/&gt;&amp;gt; &amp;lt;&lt;a href=&#34;https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-anyprevout.mediawiki&amp;gt&#34;&gt;https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-anyprevout.mediawiki&amp;gt&lt;/a&gt;;&lt;br/&gt;&amp;gt; proposal&lt;br/&gt;&amp;gt; to verify that it has everything we need for Eltoo&lt;br/&gt;&amp;gt; &amp;lt;&lt;a href=&#34;https://blockstream.com/eltoo.pdf&amp;gt&#34;&gt;https://blockstream.com/eltoo.pdf&amp;gt&lt;/a&gt;;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The separation between anyprevout and anyprevoutanyscript is very handy&lt;br/&gt;&amp;gt; (compared to the previous noinput proposal).&lt;br/&gt;&amp;gt; Unless I&amp;#39;m missing something, it would simplify the funding tx (to a simple&lt;br/&gt;&amp;gt; multisig without cltv/csv) and remove the need for the trigger tx.&lt;br/&gt;&lt;br/&gt;I think it makes sense for us to consider both variants, one committing&lt;br/&gt;to the script and the other not committing to the script, but I think it&lt;br/&gt;applies rather to the `update_tx` &amp;lt;-&amp;gt; `settlement_tx` link and less to&lt;br/&gt;the `funding_tx` &amp;lt;-&amp;gt; `update_tx` link and `update_tx` &amp;lt;-&amp;gt; `update_tx`&lt;br/&gt;link. The reason is that the `settlement_tx` needs to be limited to be&lt;br/&gt;bindable only to the matching `update_tx` (`anyprevout`), while&lt;br/&gt;`update_tx` need to be bindable to the `funding_tx` as well as any prior&lt;br/&gt;`update_tx` which differ in the script by at least the state number&lt;br/&gt;(hence `anyprevoutanyscript`).&lt;br/&gt;&lt;br/&gt;Like AJ pointed out in another thread, the use of an explicit trigger&lt;br/&gt;transaction is not really needed since any `update_tx` can act as a&lt;br/&gt;trigger transaction (i.e., start the relative timeouts to tick). This&lt;br/&gt;was an oversight of mine, which may have contributed more confusion than&lt;br/&gt;necessary :-)&lt;br/&gt;&lt;br/&gt;The `funding_tx` itself doesn&amp;#39;t need any form of timeout, in fact&lt;br/&gt;collaborative spending/closing without a timeout should always be&lt;br/&gt;possible. The `settlement_tx`s can have a BIP68-style relative timelock,&lt;br/&gt;which also saves us a few bytes.&lt;br/&gt;&lt;br/&gt;&amp;gt; The more tricky part to integrate is the chaperone signature.&lt;br/&gt;&amp;gt; If I understand it correctly (which I&amp;#39;m not guaranteeing), we would need to&lt;br/&gt;&amp;gt; modify the update transactions to something like:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; OP_IF&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     10 OP_CSV&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     1 A(s,i) B(s,i) 2 OP_CHECKMULTISIGVERIFY          &amp;lt;- public keys&amp;#39; first&lt;br/&gt;&amp;gt;&amp;gt; byte in this line is 0x02 or 0x03&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     2 A(s,i) B(s,i) 2 OP_CHECKMULTISIGVERIFY          &amp;lt;- public keys&amp;#39; first&lt;br/&gt;&amp;gt;&amp;gt; byte in this line is 0x00 or 0x01&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; OP_ELSE&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     &amp;lt;S(i) &#43; 1&amp;gt; OP_CLTV&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     1 A(u) B(u) 2  OP_CHECKMULTISIGVERIFY          &amp;lt;- public keys&amp;#39; first&lt;br/&gt;&amp;gt;&amp;gt; byte in this line is 0x02 or 0x03&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     2 A(u) B(u) 2  OP_CHECKMULTISIGVERIFY          &amp;lt;- public keys&amp;#39; first&lt;br/&gt;&amp;gt;&amp;gt; byte in this line is 0x00 or 0x01&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; OP_END&lt;br/&gt;&lt;br/&gt;We could collapse those 1-of-2 multisigs into a single-sig if we just&lt;br/&gt;collaboratively create a shared private key that is specific to the&lt;br/&gt;instance of the protocol upon setup. That minimizes the extra space&lt;br/&gt;needed.&lt;br/&gt;&lt;br/&gt;Something that I notived talking to Jonas Nick is that we might have&lt;br/&gt;some interaction between the taproot and noinput (or any of its aliases&lt;br/&gt;:D). Specifically we can&amp;#39;t make make use of the collaborative path where&lt;br/&gt;we override an `update_tx` with a newer one in taproot as far as I can&lt;br/&gt;see, since the `update_tx` needs to be signed with noinput (for&lt;br/&gt;rebindability) but there is no way for us to specify the chaperone key&lt;br/&gt;since we&amp;#39;re not revealing the committed script.&lt;br/&gt;&lt;br/&gt;&amp;gt; (I ommitted the tapscript changes, ie moving to OP_CHECKSIGADD, to&lt;br/&gt;&amp;gt; highlight only the chaperone changes)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; When updating the channel, Alice and Bob would exchange their&lt;br/&gt;&amp;gt; anyprevoutanyscript signatures (for the 2-of-2 multisig).&lt;br/&gt;&amp;gt; The chaperone signature can be provided by either Alice or Bob at&lt;br/&gt;&amp;gt; transaction broadcast time (so that it commits to a specific input&lt;br/&gt;&amp;gt; transaction).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It seems to me that using the same key for both signatures (the chaperone&lt;br/&gt;&amp;gt; one and the anyprevoutanyscript one) is safe here, but if someone knows&lt;br/&gt;&amp;gt; better I&amp;#39;m interested.&lt;br/&gt;&amp;gt; If that&amp;#39;s unsafe, we simply need to introduce another key-pair (chaperone&lt;br/&gt;&amp;gt; key).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Is that how you guys understand it too? Do you have other ideas on how to&lt;br/&gt;&amp;gt; comply with the need for a chaperone signature?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Note that as Anthony said himself, the BIP isn&amp;#39;t final and we don&amp;#39;t know&lt;br/&gt;&amp;gt; yet if chaperone signatures will eventually be needed, but I think it&amp;#39;s&lt;br/&gt;&amp;gt; useful to make sure that Eltoo could support it.&lt;br/&gt;&lt;br/&gt;I quite like the chaperone idea, however it doesn&amp;#39;t really play nice&lt;br/&gt;with taproot collaborative spends that require anyprevout /&lt;br/&gt;anyprevoutanyscript / noinput, which would make our transactions stand&lt;br/&gt;out quite a bit. Then again this is only the case for the unhappy,&lt;br/&gt;unilateral close, path of the protocol, which (hopfully) should happen&lt;br/&gt;rarely.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:54:59Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvkf6w0kkfqa3hkk5556x63s43k380auklrelcl832tukx9lh0uhczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4at86q</id>
    
      <title type="html">📅 Original date posted:2019-04-04 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvkf6w0kkfqa3hkk5556x63s43k380auklrelcl832tukx9lh0uhczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4at86q" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsq7qastfuwe4yx3z7ah3hcpf8sac7q6lasmrg0zdeezze3tzxfjlcsddx47&#39;&gt;nevent1q…dx47&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-04-04&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi ZmnSCPzj,&lt;br/&gt;&lt;br/&gt;I think we should not try to recover from a node not finding the next&lt;br/&gt;hop in the trampoline, and rather expect trampolines to have reasonable&lt;br/&gt;uptime (required anyway) and have an up to date routing table (that&amp;#39;s&lt;br/&gt;what we&amp;#39;re paying them for after all).&lt;br/&gt;&lt;br/&gt;So I&amp;#39;d rather propose reusing the existing onion construction as is and&lt;br/&gt;expect the trampolines to fail a payment if they can&amp;#39;t find the next&lt;br/&gt;hop.&lt;br/&gt;&lt;br/&gt;Let&amp;#39;s take the following route for example (upper case letters represent&lt;br/&gt;trampolines):&lt;br/&gt;&lt;br/&gt;```&lt;br/&gt;a -&amp;gt; b -&amp;gt; c -&amp;gt; D -&amp;gt; e -&amp;gt; f -&amp;gt; G -&amp;gt; h -&amp;gt; i -&amp;gt; j&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;With `a` being the sender, and `j` being the recipient. `D` and `G` are&lt;br/&gt;trampolines. The sender `a` selects trampolines `D` and `G` at random&lt;br/&gt;from their partial (possibly outdated) routing table. It creates the&lt;br/&gt;inner onion using those two trampolines. It then computes a route to `D`&lt;br/&gt;(`a -&amp;gt; b -&amp;gt; c -&amp;gt; D`). The `hop_payload` for `D` is a TLV payload that&lt;br/&gt;has a single key `t` (assuming `t` is assigned in the TLV spec) that&lt;br/&gt;contains the inner onion. It then initiates the payment using this&lt;br/&gt;nested onion (`a -&amp;gt; b -&amp;gt; c -&amp;gt; D` &#43; trampoline payload for `D`).&lt;br/&gt;&lt;br/&gt;Upon receiving the onion `D` decrypts the outer onion to find the TLV&lt;br/&gt;payload containing the `t` entry, which indicates that it should act as&lt;br/&gt;a trampoline. It then decodes the inner trampoline onion and finds the&lt;br/&gt;`node_id` of `G`. `D` then computes the outer onion to the next&lt;br/&gt;trampoline `D -&amp;gt; e -&amp;gt; f -&amp;gt; G`, and adds the trampoline payload for `G`&lt;br/&gt;(the inner trampoline onion we just decoded).&lt;br/&gt;&lt;br/&gt;Upon receiving the onion `G` processes the onion like normal, finding&lt;br/&gt;again an inner trampoline onion and decrypting it. Since `j` did not&lt;br/&gt;indicate that it understands the trampoline protocol, `G` is instructed&lt;br/&gt;to downgrade the onion into a normal non-trampoline onion (don&amp;#39;t include&lt;br/&gt;a trampoline, rather include the raw payload for `j`). It then computes&lt;br/&gt;the route to `j`, and it creates a normal outer base routing onion `G -&amp;gt;&lt;br/&gt;h -&amp;gt; i -&amp;gt; j`, which completes the protocol.&lt;br/&gt;&lt;br/&gt;Like mentioned above the entire job of trampolines is to provide base&lt;br/&gt;routing capability, and we should not make special provisions for myopic&lt;br/&gt;trampoline nodes, since routing is their entire reason for existence :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Could this be implemented by replacing only the front of the trampoline-level onion?&lt;br/&gt;&amp;gt;&amp;gt; (presumably with some adjustment of how the HMAC is computed for the new trampoline layer)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I am trying to design a trampoline-level onion that would allow replacement of the first hop of the onion.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Below is what I came up with.&lt;br/&gt;&amp;gt; As I am neither a cryptographer nor a mathematician, I am unable to consider, whether this may have some problem in security.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now the &amp;#34;normal&amp;#34; onion, the first hop is encrypted to the recipient.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I propose that for the &amp;#34;inner&amp;#34; trampoline-level onion, the first hop be sent &amp;#34;in the clear&amp;#34;.&lt;br/&gt;&amp;gt; I think this is still secure, as the &amp;#34;inner&amp;#34; trampoline-level onion will still be wrapped by the outer link-level onion, which would still encrypt it.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; When a node receives a trampoline-level onion, it checks if it is the first hop.&lt;br/&gt;&amp;gt; If it is, then it decrypts the rest of the onion and tries to route to the next trampoline-level node.&lt;br/&gt;&amp;gt; If not, then it is being delegated to, to find the trampoline.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If the node cannot find the front of the trampoline-level onion, then it can route it to another node that it suspects is more likely to know the destination (such as the mechanisms in discussion in the &amp;#34;Routemap Scaling&amp;#34; thread).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let me provide a concrete example.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Payer Z creates a trampoline-level onion C-&amp;gt;D-&amp;gt;E:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; C | Z | encrypt(Z * C, D | encrypt(Z * D, E))&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Then Z routes to link-level onion A-&amp;gt;B-&amp;gt;C, with the payload to C being the above trampoline-level onion:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; encrypt(Z * A, &amp;#34;link level&amp;#34; | B | encrypt(Z * B, &amp;#34;link level&amp;#34; | C | encrypt(Z * C, &amp;#34;trampoline level&amp;#34; | C | Z | encrypt(Z * C, D | encrypt(Z * D, E)))))&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Upon reaching C, it sees it is given a trampoline-level onion, and if C is unable to find D in its local map, it can delegate it to some other node.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For example, if C thinks its neighbor M knows D, it can create:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; encrypt(C * M, &amp;#34;link level&amp;#34; | M | encrypt(C * M, &amp;#34;trampoline level&amp;#34; | D | Z | encrypt(Z * D, E)))&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; M finds that it is not the first hop in the trampoline-level onion.&lt;br/&gt;&amp;gt; So M finds a route to D, for example via M-&amp;gt;N-&amp;gt;D, and gives:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; encrypt(M * N, &amp;#34;link level&amp;#34; | D | encrypt(M * D, &amp;#34;trampoline level&amp;#34; | D | Z | encrypt(Z * D, E)))&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Is this workable?&lt;br/&gt;&amp;gt; Note that it seems to encounter the same problem as Rendezvous Routing.&lt;br/&gt;&amp;gt; I assume it is possible to do this somehow (else how would hidden services in Tor work?), but the details, I am uncertain of.&lt;br/&gt;&amp;gt; I only play a cryptographer on Internet.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj
    </content>
    <updated>2023-06-09T12:54:49Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgzkt3l3at8ey5ut4q2kcpr32ny299cq045ndnntj4lvv4k68y36qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wg57nxk</id>
    
      <title type="html">📅 Original date posted:2019-04-03 📝 Original message: On ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgzkt3l3at8ey5ut4q2kcpr32ny299cq045ndnntj4lvv4k68y36qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wg57nxk" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsfvu9mtjxpamp3gtvzw846mghyjwl9euc7c9pkk5e85kmg34n2l2shslk68&#39;&gt;nevent1q…lk68&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-04-03&lt;br/&gt;📝 Original message:&lt;br/&gt;On Wed, 3 Apr 2019, 05:42 ZmnSCPxj via Lightning-dev &amp;lt;&lt;br/&gt;lightning-dev at lists.linuxfoundation.org&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning Pierre and list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt;     There is another unrelated issue: because trampoline nodes don&amp;#39;t know&lt;br/&gt;&amp;gt; &amp;gt;     anything about what happened before they received the onion, they may&lt;br/&gt;&amp;gt; &amp;gt;     unintentionnaly create overlapping routes. So we can&amp;#39;t simply use the&lt;br/&gt;&amp;gt; &amp;gt;     payment_hash as we currently do, we would have to use something a bit&lt;br/&gt;&amp;gt; &amp;gt;     more elaborate.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Just to be clear, the issue is for example with a network like:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     A ------- B -------- C&lt;br/&gt;&amp;gt;              / \&lt;br/&gt;&amp;gt;             /   \&lt;br/&gt;&amp;gt;            /     \&lt;br/&gt;&amp;gt;           /       \&lt;br/&gt;&amp;gt;          D ------- E&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Then, A creates an inner trampoline onion &amp;#34;E-&amp;gt;C&amp;#34;, and an outer onion&lt;br/&gt;&amp;gt; &amp;#34;A-&amp;gt;B-&amp;gt;E&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; E, on receiving the inner trampoline onion &amp;#34;E-&amp;gt;C&amp;#34;, finds that E-&amp;gt;B&lt;br/&gt;&amp;gt; direction is low capacity, so routes over the outer onion &amp;#34;E-&amp;gt;D-&amp;gt;B-&amp;gt;C&amp;#34; with&lt;br/&gt;&amp;gt; inner trampoline onion &amp;#34;C&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This creates an overall route A-&amp;gt;B-&amp;gt;E-&amp;gt;D-&amp;gt;B-&amp;gt;C.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; When the B-&amp;gt;C HTLC is resolved, B can instead claim the A-&amp;gt;B HTLC and just&lt;br/&gt;&amp;gt; fail the D-&amp;gt;B HTLC, thereby removing D and E from the route and claiming&lt;br/&gt;&amp;gt; their fees, even though they participated in the route.&lt;br/&gt;&amp;gt;&lt;br/&gt;&lt;br/&gt;This is not an issue. Like we discussed for the multi-part payments the&lt;br/&gt;HTLCs still resolve correctly, though node B might chose to short circuit&lt;br/&gt;the payment it&amp;#39;ll also clear the HTLCs through E And D (by failing them&lt;br/&gt;instead of settling them) but the overall payment remains atomic and&lt;br/&gt;end-to-end secure. The skipped nodes (which may include the trampoline) may&lt;br/&gt;lose a bit of fees, but that is not in any way different than a failed&lt;br/&gt;payment attempt that is being retried from the sender :-)&lt;br/&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190403/326187f0/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190403/326187f0/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:54:47Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsy8n8snqv39elet6h0quc8ma9awdrxelkjhn0axv9s7mfprgclu2szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfekp7w</id>
    
      <title type="html">📅 Original date posted:2019-04-01 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsy8n8snqv39elet6h0quc8ma9awdrxelkjhn0axv9s7mfprgclu2szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wfekp7w" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsglgvakfp8ujdgqlqd68ukk8204x9vkzp9k9xt4cnzrz68lqstzxcdwe49c&#39;&gt;nevent1q…e49c&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-04-01&lt;br/&gt;📝 Original message:&lt;br/&gt;Thanks Pierre for this awesome proposal, I think we&amp;#39;re onto something&lt;br/&gt;here. I&amp;#39;ll add a bit more color to the proposal, since I&amp;#39;ve been&lt;br/&gt;thinking about it all weekend :-)&lt;br/&gt;&lt;br/&gt;There are two ways we can use this:&lt;br/&gt;&lt;br/&gt; - A simple variant in which we just tell a single trampoline what the&lt;br/&gt;   intended recipient is (just a pubkey, and an amount) and it&amp;#39;ll find a&lt;br/&gt;   route.&lt;br/&gt; - A complex variant in which a trampoline is given a next hop, and a&lt;br/&gt;   smaller onion to pass along to the next hop. The trampoline doesn&amp;#39;t&lt;br/&gt;   learn the intended recipient, but can still route it.&lt;br/&gt;&lt;br/&gt;# Simple Variant&lt;br/&gt;&lt;br/&gt;As the name implies it is pretty trivial to implement: the sender&lt;br/&gt;computes a route to some trampoline node `t` it knows in its 2- or&lt;br/&gt;3-neightborhood and creates an onion that describes this route. The&lt;br/&gt;payload for the trampoline node `t` then contains two parameters:&lt;br/&gt;`receiver` and `amount`. The trampoline node `t` then computes a route&lt;br/&gt;from itself to the `receiver` and creates a new onion (the old onion&lt;br/&gt;terminates at the trampoline node). Since the trampoline node generates&lt;br/&gt;a new route, it also generates the shared secrets, HMACs and everything&lt;br/&gt;else to match (no problem with matching HMACs like in the case of&lt;br/&gt;rendezvous routing).&lt;br/&gt;&lt;br/&gt;The receiver doesn&amp;#39;t learn anything about this being a trampoline&lt;br/&gt;payment (it doesn&amp;#39;t even have to implement it itself), and resolution of&lt;br/&gt;the HTLC happens like normal (with the extra caveat that the trampoline&lt;br/&gt;needs to associate the upstream incoming HTLC with the resolution of the&lt;br/&gt;downstream HTLC, but we do that anyway now).&lt;br/&gt;&lt;br/&gt;# Multi-trampoline routing&lt;br/&gt;&lt;br/&gt;The more complex proposal involves nesting a smaller onion into the&lt;br/&gt;outer routing onion. For this the sender generates a small onion of, for&lt;br/&gt;example, 10 hops whose length is only 650 bytes instead of the 20 hops&lt;br/&gt;for the outer routing onion. The hops in the inner/smaller onion do not&lt;br/&gt;have to be adjacent to each other, i.e., they can be picked randomly&lt;br/&gt;from the set of known nodes and there doesn&amp;#39;t need to be a channel&lt;br/&gt;between two consecutive hops, unlike in the outer/routing onion. The&lt;br/&gt;hops in the smaller onion are called trampolines `t_1` to `t_10`.&lt;br/&gt;&lt;br/&gt;The construction of the smaller onion can be identical to the&lt;br/&gt;construction of the routing onion, just needs its size adjusted. The&lt;br/&gt;sender then picks a random trampoline node `t_0` in its known&lt;br/&gt;neighborhood and generates a routing onion containing the smaller onion&lt;br/&gt;as payload to `t_0` and signaling data (final recipient, amount, inner&lt;br/&gt;onion). Upon receiving an incoming payment with trampoline instructions&lt;br/&gt;a trampoline `t_i` unwraps the inner onion, which yields the next&lt;br/&gt;trampoline `t_{i&#43;1}` node_id. The trampoline then finds a route to&lt;br/&gt;`t_{i&#43;1}`, serializing the inner onion (which was unwrapped and is now&lt;br/&gt;destined for `t_{i&#43;1}`) and creating the outer routing onion with that&lt;br/&gt;as the payload. Notice that, like in the simple variant, `t_i` generates&lt;br/&gt;a new outer onion, which means we don&amp;#39;t have any issues with shared&lt;br/&gt;secrets and HMACs like in rendezvous routing. Resolution is also&lt;br/&gt;identical to above.&lt;br/&gt;&lt;br/&gt;This construction reuses all the onion primitives we already have, and&lt;br/&gt;it allows us to bounce a payment through multiple trampolines without&lt;br/&gt;them learning their position in this nested path. The sender does&lt;br/&gt;not have to have a total view of the network topology, just have a&lt;br/&gt;reasonable chance that two consecutive trampolines can find a route to&lt;br/&gt;each other, i.e., don&amp;#39;t use mobile phone as trampolines :-)&lt;br/&gt;&lt;br/&gt;# Tradeoffs everywhere&lt;br/&gt;&lt;br/&gt;## Longer Routes&lt;br/&gt;&lt;br/&gt;One potential downside is that by introducing this two-level nesting of&lt;br/&gt;an outer routing onion and an inner trampoline onion, we increase the&lt;br/&gt;maximum length of a route to `num_outer_hops * num_inner_hops`, given&lt;br/&gt;that each layer of the inner onion may initiate a new `num_outer_hops`&lt;br/&gt;outer route. For the example above (which is also the worst case) we&lt;br/&gt;have a 10 inner hops, and 9 outer hops (due to the signalling overhead),&lt;br/&gt;which results in a maximum route length of 90 hops. This may result in&lt;br/&gt;more funds being used to route a payment, but it may also increase&lt;br/&gt;chances of the payment succeeding.&lt;br/&gt;&lt;br/&gt;## Comparison with TCP/IP &#43; Tor&lt;br/&gt;&lt;br/&gt;This proposal also brings us a lot closer to the structure of Tor on the&lt;br/&gt;public network, in which the nodes that are part of a circuit do not&lt;br/&gt;have to be direct neighboors in the network topology since end-to-end&lt;br/&gt;reachability is guaranteed by a base routing layer (TCP/IP) whereas&lt;br/&gt;sender/receiver obfuscation is tackled at a higher layer (Tor).&lt;br/&gt;&lt;br/&gt;In our case the outer onion serves as the base routing layer that is&lt;br/&gt;used for point-to-point communication, but unlike TCP/IP is also&lt;br/&gt;encrypted and routed anonymously, while the inner onion takes care of&lt;br/&gt;end-to-end reachability, also in encrypted fashion.&lt;br/&gt;&lt;br/&gt;## In-network retrial&lt;br/&gt;&lt;br/&gt;&amp;gt;From the comparison with TCP/IP and Tor might have hinted at this, but&lt;br/&gt;since the outer onion is created from scratch at each trampoline, a&lt;br/&gt;trampoline may actually retry a payment multiple times if an attempt&lt;br/&gt;failed, reducing the burden on the sender, and increasing chances of the&lt;br/&gt;payment succeeding.&lt;br/&gt;&lt;br/&gt;# Conclusion&lt;br/&gt;&lt;br/&gt;Overall I&amp;#39;m really excited about this proposal. It decreases the need&lt;br/&gt;for a complete network view at the endpoints, may delegate some of the&lt;br/&gt;burden of finding routes to in-network trampolines, may increase the&lt;br/&gt;successrate of our payments, and increases the total length of a&lt;br/&gt;possible route (may be a negative as well).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Pierre &amp;lt;pm&#43;lists at acinq.fr&amp;gt; writes:&lt;br/&gt;&amp;gt; Hello List,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think we can use the upcoming &amp;#34;Multi-frame sphinx onion format&amp;#34; [1]&lt;br/&gt;&amp;gt; to trustlessly outsource the computation of payment routes.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; A sends a payment to an intermediate node N, and in the onion payload,&lt;br/&gt;&amp;gt; A provides the actual destination D of the payment and the amount. N&lt;br/&gt;&amp;gt; then has to find a route to D and make a payment himself. Of course D&lt;br/&gt;&amp;gt; may be yet another intermediate node, and so on. The fact that we can&lt;br/&gt;&amp;gt; make several &amp;#34;trampoline hops&amp;#34; preserves the privacy characteristics&lt;br/&gt;&amp;gt; that we already have.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Intermediate nodes have an incentive to cooperate because they are&lt;br/&gt;&amp;gt; part of the route and will earn fees. As a nice side effect, it also&lt;br/&gt;&amp;gt; creates an incentive for &amp;#34;routing nodes&amp;#34; to participate in the gossip,&lt;br/&gt;&amp;gt; which they are lacking currently.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This could significantly lessen the load on (lite) sending nodes both&lt;br/&gt;&amp;gt; on the memory/bandwidth side (they would only need to know a smallish&lt;br/&gt;&amp;gt; neighborhood) and on the cpu side (intermediate nodes would run the&lt;br/&gt;&amp;gt; actual route computation).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As Christian pointed out, one downside is that fee computation would&lt;br/&gt;&amp;gt; have to be pessimistic (he also came up with the name trampoline!).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Pierre-Marie&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [1] &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-February/001875.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-February/001875.html&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:54:47Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsr6mve0xzsm5gpx4jvlh4rquzqkq06r2pnznfrchkexwulgskktagzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqyfjr7</id>
    
      <title type="html">📅 Original date posted:2019-03-14 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsr6mve0xzsm5gpx4jvlh4rquzqkq06r2pnznfrchkexwulgskktagzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqyfjr7" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsznecmp4nfzxln0q5z86grk9ts8eed3kecjll2lc0ta8u6j2mjngq2r3gc4&#39;&gt;nevent1q…3gc4&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-03-14&lt;br/&gt;📝 Original message:&lt;br/&gt;Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt; I&amp;#39;m thinking of tagged outputs as &amp;#34;taproot plus&amp;#34; (ie, plus noinput),&lt;br/&gt;&amp;gt; so if you used a tagged output, you could do everything normal taproot&lt;br/&gt;&amp;gt; address could, but also do noinput sigs for them.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So you might have:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    funding tx -&amp;gt; cooperative claim&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    funding tx -&amp;gt; update 3 [TAGGED] -&amp;gt; settlement 3 -&amp;gt; claim&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    funding tx -&amp;gt; update 3 [TAGGED] -&amp;gt; &lt;br/&gt;&amp;gt;                  update 4 [TAGGED,NOINPUT] -&amp;gt; &lt;br/&gt;&amp;gt; 		 settlement 4 [TAGGED,NOINPUT] -&amp;gt; &lt;br/&gt;&amp;gt; 		 claim [NOINPUT]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In the cooperative case, no output tagging needed.&lt;br/&gt;&lt;br/&gt;I might be missing something here, but how do you bind update 3 to the&lt;br/&gt;funding tx output, when that output is not tagged? Do we keep each&lt;br/&gt;update in multiple separate states, one bound to the funding tx output&lt;br/&gt;and another signed with noinput? If that&amp;#39;s the case we just doubled our&lt;br/&gt;storage and communication requirements for very little gain. An&lt;br/&gt;alternative is to add a trigger transaction that needs to be published&lt;br/&gt;in a unilateral case, but that&amp;#39;d increase our on-chain footprint.
    </content>
    <updated>2023-06-09T12:54:28Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs0ljqy89wxl480hvuu8a2a8l3d0re0zsds0kq9yyse9qr66xl2kkgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wakzj0t</id>
    
      <title type="html">📅 Original date posted:2019-02-24 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs0ljqy89wxl480hvuu8a2a8l3d0re0zsds0kq9yyse9qr66xl2kkgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wakzj0t" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsfu4j5kdg3qnxg05gkak04wdls7zvvdtkmrh8dzj2yv546l0grk2gn3ht5c&#39;&gt;nevent1q…ht5c&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-02-24&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Good morning Christian, Rusty, and list,&lt;br/&gt;&amp;gt; You can take this a step further and make the realm 0 byte into a&lt;br/&gt;&amp;gt; special type &amp;#34;0&amp;#34; which has a fixed length of 1299 bytes, with the&lt;br/&gt;&amp;gt; length never encoded for this special type.  It would then define the&lt;br/&gt;&amp;gt; next 1299 bytes as the &amp;#34;V&amp;#34;, having the format of 64 bytes of the&lt;br/&gt;&amp;gt; current hop format (short channel ID, amount, CLTV, 12-byte padding,&lt;br/&gt;&amp;gt; HMAC), plus 19*65 bytes as the encrypted form of the next hop data.&lt;br/&gt;&amp;gt; This lets us reclaim even the realm byte, removing its overhead by&lt;br/&gt;&amp;gt; re-encoding it as the type in a TLV system, and with the special&lt;br/&gt;&amp;gt; exception of dropping the &amp;#34;L&amp;#34; for the type 0 (== current realm 0)&lt;br/&gt;&amp;gt; case.&lt;br/&gt;&lt;br/&gt;I disagree that this would be any clearer than the current proposal&lt;br/&gt;since we completely lose the separation of payload encoding vs. onion&lt;br/&gt;encoding. Let&amp;#39;s not mix the concepts of payload and transport onion,&lt;br/&gt;please.&lt;br/&gt;&lt;br/&gt;&amp;gt; In short, drop the concept of 65-byte &amp;#34;frames&amp;#34;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; We could have another special length-not-encoded type 255, which&lt;br/&gt;&amp;gt; declares the next 32 bytes as HMAC and the rest of the onion packet as&lt;br/&gt;&amp;gt; the data for the next hop.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The above is not a particularly serious proposal.&lt;br/&gt;&lt;br/&gt;You had me worried for a second there :-)
    </content>
    <updated>2023-06-09T12:54:19Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgdnrq6z0wm48e09fel35yyxsm2cvka55cgwvls56jp2t7qlmge5szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ww5av9x</id>
    
      <title type="html">📅 Original date posted:2019-02-22 📝 Original message: Rusty ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgdnrq6z0wm48e09fel35yyxsm2cvka55cgwvls56jp2t7qlmge5szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9ww5av9x" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqszey8pmvgwgt9sshv0uj56w5cetq2hecmcur33unk6ggk2wvdk5qqy0l9c4&#39;&gt;nevent1q…l9c4&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-02-22&lt;br/&gt;📝 Original message:&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt; There are two ways to add TLV to the onion:&lt;br/&gt;&amp;gt; 1. Leave the existing fields and put TLV in the padding:&lt;br/&gt;&amp;gt;    * [`8`:`short_channel_id`]&lt;br/&gt;&amp;gt;    * [`8`:`amt_to_forward`]&lt;br/&gt;&amp;gt;    * [`4`:`outgoing_cltv_value`]&lt;br/&gt;&amp;gt;    * [`12`:`padding`]&lt;br/&gt;&amp;gt; 2. Replace existing fields with TLV (eg. 2=short_channel_id,&lt;br/&gt;&amp;gt;    4=amt_to_forward, 6=outgoing_cltv_value) and use realm &amp;gt; 0&lt;br/&gt;&amp;gt;    to flag the new TLV format.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The length turns out about the same for intermediary hops, since:&lt;br/&gt;&amp;gt; TLV of short_channel_id =&amp;gt; 10 bytes&lt;br/&gt;&amp;gt; TLV of amt_to_forward =&amp;gt; probably 5-6 bytes.&lt;br/&gt;&amp;gt; TLV of outgoing_cltv_value =&amp;gt; probably 3-4 bytes.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For final hop, we don&amp;#39;t use short_channel_id, so we save significantly&lt;br/&gt;&amp;gt; there.  That&amp;#39;s also where many proposals to add information go (eg. a&lt;br/&gt;&amp;gt; special &amp;#34;app-level&amp;#34; value), so it sways me in the direction of making&lt;br/&gt;&amp;gt; TLV take the entire room.&lt;br/&gt;&lt;br/&gt;I&amp;#39;d definitely vote for making the entire payload a TLV (option 2) since&lt;br/&gt;that allows us to completely redefine the payload. I don&amp;#39;t think the&lt;br/&gt;overhead argument really applies since we&amp;#39;re currently wasting 12 bytes&lt;br/&gt;of payload anyway, and with option 2 we still fit the current payload in&lt;br/&gt;a single frame.&lt;br/&gt;&lt;br/&gt;There is however a third option, namely make the entire payload a&lt;br/&gt;TLV-set and then use the old payload format (`short_channel_id`,&lt;br/&gt;`amt_to_forward`, `outgoing_ctlv_value`) as a single TLV-value with 20&lt;br/&gt;bytes of size. That means we have only 2 bytes of overhead compared to&lt;br/&gt;the old v0 format (4 byte less than option 2), and can drop it if we&lt;br/&gt;require some other payload that doesn&amp;#39;t adhere to this format.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:54:19Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsdh82vegpxwjgh8gs3dnpztr559ap5jejm4vvlr4g78qrdmjy8wlgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9lyp3j</id>
    
      <title type="html">📅 Original date posted:2019-02-18 📝 Original message: Heya ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsdh82vegpxwjgh8gs3dnpztr559ap5jejm4vvlr4g78qrdmjy8wlgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9lyp3j" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsxrh99qpj6ddsaw59u0244zazeqptdnpc03wfsec4w02mywpcklucf7z8l9&#39;&gt;nevent1q…z8l9&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-02-18&lt;br/&gt;📝 Original message:&lt;br/&gt;Heya everybody,&lt;br/&gt;&lt;br/&gt;during the spec meeting in Adelaide we decided that we&amp;#39;d like to extend&lt;br/&gt;our current onion-routing capabilities with a couple of new features,&lt;br/&gt;such as rendez-vous routing, spontaneous payments, multi-part payments,&lt;br/&gt;etc. These features rely on two changes to the current onion format:&lt;br/&gt;bigger per-hop payloads (in the form of multi-frame payloads) and a more&lt;br/&gt;modern encoding (given by the TLV encoding).&lt;br/&gt;&lt;br/&gt;In the following I will explain my proposal on how to extend the per-hop&lt;br/&gt;payload from the current 65 bytes (which include realm and HMAC) to&lt;br/&gt;multiples.&lt;br/&gt;&lt;br/&gt;Until now we had a 1-to-1 relationship between a 65 byte segment of&lt;br/&gt;payload and a hop in the route. Since this is no longer the case, I&lt;br/&gt;propose we call the 65 byte segment a frame, to differentiate it from a&lt;br/&gt;hop in the route, hence the name multi-frame onion. The creation and&lt;br/&gt;decoding process doesn&amp;#39;t really change at all, only some of the&lt;br/&gt;parameters.&lt;br/&gt;&lt;br/&gt;When constructing the onion, the sender currently always right-shifts by&lt;br/&gt;a single 65 byte frame, serializes the payload, and encrypts using the&lt;br/&gt;ChaCha20 stream. In parallel it also generates the fillers (basically 0s&lt;br/&gt;that get appended and encrypted by the processing nodes, in order to get&lt;br/&gt;matching HMACs), these are also shifted by a single 65 byte frame on&lt;br/&gt;each hop. The change in the generation comes in the form of variable&lt;br/&gt;shifts for both the payload serialization and filler generation,&lt;br/&gt;depending on the payload size. So if the payload fits into 32 bytes&lt;br/&gt;nothing changes, if the payload is bigger, we just use additional frames&lt;br/&gt;until it fits. The payload is padded with 0s, the HMAC remains as the&lt;br/&gt;last 32 bytes of the payload, and the realm stays at the first&lt;br/&gt;byte. This gives us&lt;br/&gt;&lt;br/&gt;&amp;gt; payload_size = num_frames * 65 byte - 1 byte (realm) - 32 bytes (hmac)&lt;br/&gt;&lt;br/&gt;The realm byte encodes both the payload format as well as how many&lt;br/&gt;additional frames were used to encode the payload. The MSB 4 bits encode&lt;br/&gt;the number of frames used, while the 4 LSB bits encode the realm/payload&lt;br/&gt;format.&lt;br/&gt;&lt;br/&gt;The decoding of an onion packet pretty much stays the same, the&lt;br/&gt;receiving node generates the shared secret, then generates the ChaCha20&lt;br/&gt;stream, and decrypts the packet (and additional padding that matches the&lt;br/&gt;filler the sender generated for HMACs). It can then read the realm byte,&lt;br/&gt;and knows how many frames to read, and how many frames it needs to left-&lt;br/&gt;shift in order to derive the next onion.&lt;br/&gt;&lt;br/&gt;This is a competing proposal with the proposal by roasbeef on the&lt;br/&gt;lightning-onion repo [1], but I think it is superior in a number of&lt;br/&gt;ways. The major advantage of this proposal is that the payload is in one&lt;br/&gt;contiguous memory region after the decryption, avoiding re-assembly of&lt;br/&gt;multiple parts and allowing zero-copy processing of the data. It also&lt;br/&gt;avoids multiple decryption steps, and does not waste space on multiple,&lt;br/&gt;useless, HMACs. I also believe that this proposal is simpler than [1],&lt;br/&gt;since it doesn&amp;#39;t require re-assembly, and creates a clear distinction&lt;br/&gt;between payload units and hops.&lt;br/&gt;&lt;br/&gt;To show that this proposal actually works, and is rather simple, I went&lt;br/&gt;ahead and implemented it for c-lightning [2] and lnd [3] (sorry ACINQ,&lt;br/&gt;my scala is not sufficient to implement if for eclair). Most of the code&lt;br/&gt;changes are preparation for variable size payloads alongside the legacy&lt;br/&gt;v0 payloads we used so far, the relevant commits that actually change&lt;br/&gt;the generation of the onion are [4] and [5] for c-lightning and lnd&lt;br/&gt;respectively.&lt;br/&gt;&lt;br/&gt;I&amp;#39;m hoping that this proposal proves to be useful, and that you agree&lt;br/&gt;about the advantages I outlined above. I&amp;#39;d also like to mention that,&lt;br/&gt;while this is working, I&amp;#39;m open to suggestions :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-onion/pull/31&#34;&gt;https://github.com/lightningnetwork/lightning-onion/pull/31&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/2363&#34;&gt;https://github.com/ElementsProject/lightning/pull/2363&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-onion/pull/33&#34;&gt;https://github.com/lightningnetwork/lightning-onion/pull/33&lt;/a&gt;&lt;br/&gt;[4] &lt;a href=&#34;https://github.com/ElementsProject/lightning/pull/2363/commits/aac29daeeb5965ae407b9588cd599f38291c0c1f&#34;&gt;https://github.com/ElementsProject/lightning/pull/2363/commits/aac29daeeb5965ae407b9588cd599f38291c0c1f&lt;/a&gt;&lt;br/&gt;[5] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-onion/pull/33/commits/216c09c257d1a342c27c1e85ef6653559ef39314&#34;&gt;https://github.com/lightningnetwork/lightning-onion/pull/33/commits/216c09c257d1a342c27c1e85ef6653559ef39314&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:54:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs0k7da9pye3cxj0pakuwjcrp9sclz4s74d2r6n6ytps0777pq8jnqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7ppx52</id>
    
      <title type="html">📅 Original date posted:2019-02-08 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs0k7da9pye3cxj0pakuwjcrp9sclz4s74d2r6n6ytps0777pq8jnqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7ppx52" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs0gxs4jt9676funpr84hgr87qgeu8kp7g808gjddkkwap48l25xygxzhshc&#39;&gt;nevent1q…hshc&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-02-08&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Laolu,&lt;br/&gt;&lt;br/&gt;thanks for bringing this up. I think committing to more data might be&lt;br/&gt;nice, but I have some reservations re signaling in the onion packet&lt;br/&gt;version. But let&amp;#39;s start at the top:&lt;br/&gt;&lt;br/&gt;&amp;gt; However, since the CLTV isn&amp;#39;t also authenticated, then it&amp;#39;s possible&lt;br/&gt;&amp;gt; to attempt to inject a new HTLC with a fresher CLTV. If the node isn&amp;#39;t&lt;br/&gt;&amp;gt; keeping around all pre-images, then they might forward this since it&lt;br/&gt;&amp;gt; passes the regular expiry tests. If we instead extend the associated&lt;br/&gt;&amp;gt; data payload to cover the CLTV as well, then this binds the adversary&lt;br/&gt;&amp;gt; to using the same CLTV details.&lt;br/&gt;&lt;br/&gt;The CLTV is actually committed to indirectly through the outgoing CLTV&lt;br/&gt;value in the onion payload itself (both for intermediate hops and final&lt;br/&gt;hops). For intermediate hops we will refuse any forward that has a CLTV&lt;br/&gt;value for the next leg that is not far enough in the future based on the&lt;br/&gt;incoming CLTV value. Notice that the values we commit to are not deltas,&lt;br/&gt;but absolute values. This means that a node needs to keep a cache of&lt;br/&gt;shared secrets used until the `outgoing_cltv_value` from the onion dips&lt;br/&gt;below `incoming_cltv_value - cltv_expiry_delta`). Any replay attempt&lt;br/&gt;after that will result in the first hop (adjacent to the attacker) to&lt;br/&gt;reject the HTLC with an `incorrect_cltv_expiry` error.&lt;br/&gt;&lt;br/&gt;That being said I&amp;#39;m happy to add more information to the AD, but it may&lt;br/&gt;need to be rolled out differently from what you describe.&lt;br/&gt;&lt;br/&gt;&amp;gt; If this were to be deployed, then we can do it by using a new packet version&lt;br/&gt;&amp;gt; in the Sphinx packet. Nodes that come across this new version (signalled by&lt;br/&gt;&amp;gt; a global feature bit) would then know to include the extra information in&lt;br/&gt;&amp;gt; the AD for their MAC check.&lt;br/&gt;&lt;br/&gt;This will not really work if the route contains any node that does not&lt;br/&gt;understand the new version of the packet. The node prior to the&lt;br/&gt;non-upgraded node would have to downgrade the packet version from v1 to&lt;br/&gt;v0 understood by the non-upgraded node, which could be done via an&lt;br/&gt;instruction in the per-hop payload itself, but the non-upgraded node&lt;br/&gt;would not have any way of learning that it needs to upgrade the packet&lt;br/&gt;version to v1 again. This means we can use v1 up to the first node that&lt;br/&gt;doesn&amp;#39;t understand v1 and have a permanent downgrade for the rest of the&lt;br/&gt;route.&lt;br/&gt;&lt;br/&gt;We might get away with signalling this in the payload itself, but that&lt;br/&gt;inverts the processing of the onion into parse and interpret the payload&lt;br/&gt;before checking the HMAC, which I can already hear cryptographers groan&lt;br/&gt;about :-)&lt;br/&gt;&lt;br/&gt;&amp;gt; While we&amp;#39;re at it, we should also actually *commit* to the packet&lt;br/&gt;&amp;gt; version. Right now nodes can swap out the version to anything they&lt;br/&gt;&amp;gt; want, potentially causing another node to reject the packet.  This&lt;br/&gt;&amp;gt; should also be added to the AD to ensure the packet can&amp;#39;t be modified&lt;br/&gt;&amp;gt; without another node detecting it.&lt;br/&gt;&lt;br/&gt;I don&amp;#39;t think this is really useful. If a node wants to cause us to&lt;br/&gt;reject a packet it can just tamper with anything in the payload and&lt;br/&gt;we&amp;#39;ll fail with an HMAC failure. The version really is just a hint as to&lt;br/&gt;how we should process the packet, and if tampered with it&amp;#39;ll just cause&lt;br/&gt;us to reject, similarly to when the attacker modifies the ephemeral key.&lt;br/&gt;&lt;br/&gt;&amp;gt; Longer term, we may end up with _all_ payment details in the Sphinx packet.&lt;br/&gt;&lt;br/&gt;Agreed, we can also just use the serialized HTLC output, since that is&lt;br/&gt;the on-chain representation of the payment, and therefore has to include&lt;br/&gt;all relevant details :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:54:13Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsg27ycpe8s606trndf4eztkzdv4xjukdgc6vksm8p3u7qr8kkh4rqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wc0cjv7</id>
    
      <title type="html">📅 Original date posted:2019-01-08 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsg27ycpe8s606trndf4eztkzdv4xjukdgc6vksm8p3u7qr8kkh4rqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wc0cjv7" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsvrfpael44sa6nw6puuexf2dxjpkawuv3qqw3487tturm9ruzrhzcr3v8rg&#39;&gt;nevent1q…v8rg&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-01-08&lt;br/&gt;📝 Original message:&lt;br/&gt;Fabrice Drouin &amp;lt;fabrice.drouin at acinq.fr&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; I think there may even be a simpler case where not replacing updates&lt;br/&gt;&amp;gt; will result in nodes not knowing that a channel has been re-enabled:&lt;br/&gt;&amp;gt; suppose you got 3 updates U1, U2, U3 for the same channel, U2 disables&lt;br/&gt;&amp;gt; it, U3 enables it again and is the same as U1. If you discard it and&lt;br/&gt;&amp;gt; just keep U1, and your peer has U2, how will you tell them that the&lt;br/&gt;&amp;gt; channel has been enabled again ? Unless &amp;#34;discard&amp;#34; here means keep the&lt;br/&gt;&amp;gt; update but don&amp;#39;t broadcast it ?&lt;br/&gt;&lt;br/&gt;Excellent point, that&amp;#39;s a simpler example of how it could break down.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; I think all the bolted on things are pretty much overkill at this point,&lt;br/&gt;&amp;gt;&amp;gt; it is unlikely that we will get any consistency in our views of the&lt;br/&gt;&amp;gt;&amp;gt; routing table, but that&amp;#39;s actually not needed to route, and we should&lt;br/&gt;&amp;gt;&amp;gt; consider this a best effort gossip protocol anyway. If the routing&lt;br/&gt;&amp;gt;&amp;gt; protocol is too chatty, we should make efforts towards local policies at&lt;br/&gt;&amp;gt;&amp;gt; the senders of the update to reduce the number of flapping updates, not&lt;br/&gt;&amp;gt;&amp;gt; build in-network deduplications. Maybe something like &amp;#34;eager-disable&amp;#34;&lt;br/&gt;&amp;gt;&amp;gt; and &amp;#34;lazy-enable&amp;#34; is what we should go for, in which disables are sent&lt;br/&gt;&amp;gt;&amp;gt; right away, and enables are put on an exponential backoff timeout (after&lt;br/&gt;&amp;gt;&amp;gt; all what use are flappy nodes for routing?).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yes there are probably heuristics that would help reducing gossip&lt;br/&gt;&amp;gt; traffic, and I see your point but I was thinking about doing the&lt;br/&gt;&amp;gt; opposite: &amp;#34;eager-enable&amp;#34; and &amp;#34;lazy-disable&amp;#34;, because from a sender&amp;#39;s&lt;br/&gt;&amp;gt; p.o.v trying to use a disabled channel is better than ignoring an&lt;br/&gt;&amp;gt; enabled channel.&lt;br/&gt;&lt;br/&gt;That depends on what you are trying to optimize. Your solution keeps&lt;br/&gt;more channels in enabled mode, potentially increasing failures due to&lt;br/&gt;channels being unavailable. I was approaching it from the other side,&lt;br/&gt;since failures are on the critical path in the payment flow, they&amp;#39;d&lt;br/&gt;result in longer delays and many more retries, which I think is annoying&lt;br/&gt;too. It probably depends on the network structure, i.e., if the fanout&lt;br/&gt;from the endpoints is large, missing some channels shouldn&amp;#39;t be a&lt;br/&gt;problem, in which case the many failures delaying your payment weighs&lt;br/&gt;more than not finding a route (eager-disable &amp;amp; lazy-enable). If on the&lt;br/&gt;other hand we are really relying on a huge number of flaky connections&lt;br/&gt;then eager-enable &amp;amp; lazy-disable might get lucky and get the payment&lt;br/&gt;through. I&amp;#39;m hoping the network will have the latter structure, because&lt;br/&gt;we&amp;#39;d have really unpredictable behavior anyway.&lt;br/&gt;&lt;br/&gt;We&amp;#39;ll probably gain more insight once we start probing the network. My&lt;br/&gt;expectation is that today&amp;#39;s network is a baseline, whose resiliency and&lt;br/&gt;redundancy will improve over time, hopefully swinging in favor of&lt;br/&gt;trading off the speed gains over bare routability.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:53:52Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs0jm570dyu5jm44cc4ymg0cpy42pnff0gjvmn8sudxfxmlpdjj9uqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsjy4yu</id>
    
      <title type="html">📅 Original date posted:2019-01-08 📝 Original message: Rusty ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs0jm570dyu5jm44cc4ymg0cpy42pnff0gjvmn8sudxfxmlpdjj9uqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsjy4yu" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsqhcxpusns4sz6njxvatqj9em2zu3acxc9pvt9gj0m0cs09lhu99su4kq7s&#39;&gt;nevent1q…kq7s&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-01-08&lt;br/&gt;📝 Original message:&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; But only 18 000 pairs of channel updates carry actual fee and/or HTLC&lt;br/&gt;&amp;gt;&amp;gt; value change. 85% of the time, we just queried information that we&lt;br/&gt;&amp;gt;&amp;gt; already had!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Note that this can happen in two legitimate cases:&lt;br/&gt;&amp;gt; 1. The weekly refresh of channel_update.&lt;br/&gt;&amp;gt; 2. A node updated too fast (A-&amp;gt;B-&amp;gt;A) and the -&amp;gt;A update caught up with the&lt;br/&gt;&amp;gt;    -&amp;gt;B update.&lt;br/&gt;&amp;gt;  &lt;br/&gt;&amp;gt; Fortunately, this seems fairly easy to handle: discard the newer&lt;br/&gt;&amp;gt; duplicate (unless &amp;gt; 1 week old).  For future more advanced&lt;br/&gt;&amp;gt; reconstruction schemes (eg. INV or minisketch), we could remember the&lt;br/&gt;&amp;gt; latest timestamp of the duplicate, so we can avoid requesting it again.&lt;br/&gt;&lt;br/&gt;Unfortunately this assumes that you have a single update partner, and&lt;br/&gt;still results in flaps, and might even result in a stuck state for some&lt;br/&gt;channels.&lt;br/&gt;&lt;br/&gt;Assume that we have a network in which a node D receives the updates&lt;br/&gt;from a node A through two or more separate paths:&lt;br/&gt;&lt;br/&gt;A --- B --- D&lt;br/&gt; \--- C ---/&lt;br/&gt;&lt;br/&gt;And let&amp;#39;s assume that some channel of A (c_A) is flapping (not the ones&lt;br/&gt;to B and C). A will send out two updates, one disables and the other one&lt;br/&gt;re-enables c_A, otherwise they are identical (timestamp and signature&lt;br/&gt;are different as well of course). The flush interval in B is sufficient&lt;br/&gt;to see both updates before flushing, hence both updates get dropped and&lt;br/&gt;nothing apparently changed (D doesn&amp;#39;t get told about anything from&lt;br/&gt;B). The flush interval of C triggers after getting the re-enable, and D&lt;br/&gt;gets the disabling update, followed by the enabling update once C&amp;#39;s&lt;br/&gt;flush interval triggers again. Worse if the connection A-C gets severed&lt;br/&gt;between the updates, now C and D learned that the channel is disabled&lt;br/&gt;and will not get the re-enabling update since B has dropped that one&lt;br/&gt;altogether. If B now gets told by D about the disable, it&amp;#39;ll also go&lt;br/&gt;&amp;#34;ok, I&amp;#39;ll disable it as well&amp;#34;, leaving the entire network believing that&lt;br/&gt;the channel is disabled.&lt;br/&gt;&lt;br/&gt;This is really hard to debug, since A has sent a re-enabling&lt;br/&gt;channel_update, but everybody is stuck in the old state.&lt;br/&gt;&lt;br/&gt;At least locally updating timestamp and signature for identical updates&lt;br/&gt;and then not broadcasting if they were the only changes would at least&lt;br/&gt;prevent the last issue of overriding a dropped state with an earlier&lt;br/&gt;one, but it&amp;#39;d still leave C and D in an inconsistent state until we have&lt;br/&gt;some sort of passive sync that compares routing tables and fixes these&lt;br/&gt;issues.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; Adding a basic checksum (4 bytes for example) that covers fees and&lt;br/&gt;&amp;gt;&amp;gt; HTLC min/max value to our channel range queries would be a significant&lt;br/&gt;&amp;gt;&amp;gt; improvement and I will add this the open BOLT 1.1 proposal to extend&lt;br/&gt;&amp;gt;&amp;gt; queries with timestamps.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; I also think that such a checksum could also be used&lt;br/&gt;&amp;gt;&amp;gt; - in “inventory” based gossip messages&lt;br/&gt;&amp;gt;&amp;gt; - in set reconciliation schemes: we could reconcile [channel id |&lt;br/&gt;&amp;gt;&amp;gt; timestamp | checksum] first&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think this is overkill?&lt;br/&gt;&lt;br/&gt;I think all the bolted on things are pretty much overkill at this point,&lt;br/&gt;it is unlikely that we will get any consistency in our views of the&lt;br/&gt;routing table, but that&amp;#39;s actually not needed to route, and we should&lt;br/&gt;consider this a best effort gossip protocol anyway. If the routing&lt;br/&gt;protocol is too chatty, we should make efforts towards local policies at&lt;br/&gt;the senders of the update to reduce the number of flapping updates, not&lt;br/&gt;build in-network deduplications. Maybe something like &amp;#34;eager-disable&amp;#34;&lt;br/&gt;and &amp;#34;lazy-enable&amp;#34; is what we should go for, in which disables are sent&lt;br/&gt;right away, and enables are put on an exponential backoff timeout (after&lt;br/&gt;all what use are flappy nodes for routing?).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:53:51Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs2qgkf77xrfsss3rx5nlj9csd69e5k3x54nfv8zayrvt56t3r5tfgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2pvxjm</id>
    
      <title type="html">📅 Original date posted:2019-01-02 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs2qgkf77xrfsss3rx5nlj9csd69e5k3x54nfv8zayrvt56t3r5tfgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2pvxjm" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdwxjeuqa9s30cjpe04dw9lqv65sxd36e9j5hte9vg0ekcx3m6xcg4m2fv5&#39;&gt;nevent1q…2fv5&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-01-02&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Fabrice,&lt;br/&gt;&lt;br/&gt;happy new year to you too :-)&lt;br/&gt;&lt;br/&gt;Thanks for taking the time to collect that information. It&amp;#39;s very much&lt;br/&gt;in line with what we were expecting in that most of the updates come&lt;br/&gt;from flapping channels. Your second observation that some updates only&lt;br/&gt;change the timestamp is likely due to the staggered broadcast merging&lt;br/&gt;multiple updates, e.g., one disabling and one enabling the channel, that&lt;br/&gt;are sent very close to each other. This is the very reason we introduced&lt;br/&gt;the staggering back in the days, as it limits the maximum rate of&lt;br/&gt;updates a single node may produce for each of its channels.&lt;br/&gt;&lt;br/&gt;In the second case we can probably get away with not forwarding the&lt;br/&gt;update, but updating the timestamp and signature for the old&lt;br/&gt;`channel_update` locally, so that we don&amp;#39;t then flap back to an older&lt;br/&gt;one should we get that in a roundabout way. That&amp;#39;s purely a local&lt;br/&gt;decision and does not warrant a spec change imho.&lt;br/&gt;&lt;br/&gt;For the ones that flap with a period that is long enough for the&lt;br/&gt;disabling and enabling updates being flushed, we are presented with a&lt;br/&gt;tradeoff. IIRC we (c-lightning) currently hold back disabling&lt;br/&gt;`channel_update`s until someone actually attempts to use the channel at&lt;br/&gt;which point we fail the HTLC and send out the stashed `channel_update`&lt;br/&gt;thus reducing the publicly visible flapping. For the enabling we can&amp;#39;t&lt;br/&gt;do that, but we could think about a local policy on how much to delay a&lt;br/&gt;`channel_update` depending on the past stability of that peer. Again&lt;br/&gt;this is local policy and doesn&amp;#39;t warrant a spec change.&lt;br/&gt;&lt;br/&gt;I think we should probably try out some policies related to when to send&lt;br/&gt;`channel_update`s and how to hide redundant updates, and then we can see&lt;br/&gt;which ones work best :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Fabrice Drouin &amp;lt;fabrice.drouin at acinq.fr&amp;gt; writes:&lt;br/&gt;&amp;gt; Hello All, and Happy New Year!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; To understand why there is a steady stream of channel updates, even&lt;br/&gt;&amp;gt; when fee parameters don&amp;#39;t seem to actually change, I made hourly&lt;br/&gt;&amp;gt; backups of the routing table of one of our nodes, and compared these&lt;br/&gt;&amp;gt; routing tables to see what exactly was being modified.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It turns out that:&lt;br/&gt;&amp;gt; - there are a lot of disable/enable/disable etc…. updates which are&lt;br/&gt;&amp;gt; just sent when a channel is disabled then enabled again (when nodes go&lt;br/&gt;&amp;gt; offline for example ?). This can happen&lt;br/&gt;&amp;gt; there are also a lot of updates that don’t change anything (just a new&lt;br/&gt;&amp;gt; timestamp and signatures but otherwise same info), up to several times&lt;br/&gt;&amp;gt; a day for the same channel id&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In both cases we end up syncing info that we already have.&lt;br/&gt;&amp;gt; I don’t know yet how best to use this when syncing routing tables, but&lt;br/&gt;&amp;gt; I thought it was worth sharing anyway. A basic checksum that does not&lt;br/&gt;&amp;gt; cover all fields, but only fees and HTLC min/max values could probably&lt;br/&gt;&amp;gt; be used to improve routing table sync ?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Fabrice&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:53:50Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgzn20zltntfjlmp6xh8gr3hc045f2nwjqd02kg5sfstya4syky7gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7jsy5t</id>
    
      <title type="html">📅 Original date posted:2018-12-06 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgzn20zltntfjlmp6xh8gr3hc045f2nwjqd02kg5sfstya4syky7gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w7jsy5t" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdf7g62ylpljz35jmg6w22dfnurawqq0qvnz38u4suq6a7at34xksfzjf82&#39;&gt;nevent1q…jf82&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-12-06&lt;br/&gt;📝 Original message:&lt;br/&gt;Corné Plooy &amp;lt;corne at bitonic.nl&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; The total_decorrelation_secrets serves as the payer-generated shared&lt;br/&gt;&amp;gt;&amp;gt; secret between payer and payee.  B cannot learn this, and thus cannot&lt;br/&gt;&amp;gt;&amp;gt; fake its own secret.  Even if it instead offers ((I &#43; K[A]) &#43; k[z] *&lt;br/&gt;&amp;gt;&amp;gt; G) for a new secret k[z], it cannot know how to change&lt;br/&gt;&amp;gt;&amp;gt; total_decorrelation_secrets from k[a] &#43; k[b] to k[a] &#43; k[z] instead.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt; The way things are now, the ephemeral key generation and the payment&lt;br/&gt;&amp;gt; hash/preimage generation are completely unrelated. This is what allows&lt;br/&gt;&amp;gt; an attacker to use the same payment hash, and use his own ephemeral key&lt;br/&gt;&amp;gt; pair to create a new onion packet around it.&lt;br/&gt;&lt;br/&gt;That is correct, one is generated by the recipient (secret and preimage)&lt;br/&gt;and the other one is generated by the sender (ephemeral key). Mixing the&lt;br/&gt;two seems very unwise, since the sender has very little control over&lt;br/&gt;what the effective ephemeral key that is going to be used for the last&lt;br/&gt;hop. This is the same issue that we have with rendez-vous routing, i.e.,&lt;br/&gt;that if we require the ephemeral key to be something specific at a given&lt;br/&gt;node we&amp;#39;d be breaking the hardness assumption of for the ephemeral key&lt;br/&gt;rotation.&lt;br/&gt;&lt;br/&gt;&amp;gt; Primarily, path decorrelation replaces the payment hash/preimage part.&lt;br/&gt;&amp;gt; Maybe I still don&amp;#39;t understand something, but if that&amp;#39;s the only thing&lt;br/&gt;&amp;gt; (without changing the ephemeral key / onion shared secret generation),&lt;br/&gt;&amp;gt; attacking the direct neighbor should still work; in your case, B would&lt;br/&gt;&amp;gt; still offer ((I &#43; K[A]) &#43; K[B]) to C, with an onion packet B created&lt;br/&gt;&amp;gt; himself. I&amp;#39;m not familiar enough with the path correlation to understand&lt;br/&gt;&amp;gt; what happens after step 6, but for C it looks the same, so she should do&lt;br/&gt;&amp;gt; the same.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I do see that, if you couple the &amp;#34;H&amp;#34;TLC payment secret generation to the&lt;br/&gt;&amp;gt; onion shared secret generation, you can make the attack impossible. Do I&lt;br/&gt;&amp;gt; understand correctly that this is the idea? After all, C still needs to&lt;br/&gt;&amp;gt; receive k somehow; my crypto math isn&amp;#39;t that good, but my intuitive&lt;br/&gt;&amp;gt; guess is that i &#43; k is the secret that allows C to claim funds locked in&lt;br/&gt;&amp;gt; ((I &#43; K[A]) &#43; K[B]) =? (i &#43; (k[a] &#43; k[b])) * G. If k is submitted from A&lt;br/&gt;&amp;gt; to C through some mechanism that replaces the current ephemeral key&lt;br/&gt;&amp;gt; system, then I understand what you&amp;#39;re at.&lt;br/&gt;&lt;br/&gt;I can&amp;#39;t quite follow where we would be mixing in the ephemeral key here,&lt;br/&gt;could you elaborate on that?&lt;br/&gt;&lt;br/&gt;&amp;gt; Assuming this is the case, it&amp;#39;s pretty neat. I do wonder how it&lt;br/&gt;&amp;gt; interacts with rendezvous routing. If the sender and receiver each&lt;br/&gt;&amp;gt; create the k[..] values for their own part of the route, can the&lt;br/&gt;&amp;gt; receiver-generated onion packet still use points of the form ((I &#43; K[A])&lt;br/&gt;&amp;gt; &#43; K[B]), including K[..] values related to the sender side? I need to&lt;br/&gt;&amp;gt; dig deeper into this path decorrelation idea.&lt;br/&gt;&lt;br/&gt;Since we have very little control over what ephemeral key will actually&lt;br/&gt;be presented to the last hop if we have a multi-hop route, we can&amp;#39;t&lt;br/&gt;really hide any information in the ephemeral key itself. What we could&lt;br/&gt;do is change the way the last hop generates the shared secret from it,&lt;br/&gt;i.e., have a last hop mode and a forwarding hop mode, and mix in the&lt;br/&gt;payment secret somehow, but I can&amp;#39;t think of a good way to do that, and&lt;br/&gt;it seems contorted. Let&amp;#39;s just have the sender prove knowledge of the&lt;br/&gt;original invoice by adding a TLV field with a shared secret from the&lt;br/&gt;invoice instead.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:53:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsxcdw0k8dz96vjn2prfdsm44wv807pdh2g8rg09mseh2kw9sra98czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wavv9mc</id>
    
      <title type="html">📅 Original date posted:2018-12-05 📝 Original message: Rusty ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsxcdw0k8dz96vjn2prfdsm44wv807pdh2g8rg09mseh2kw9sra98czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wavv9mc" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspxaajw83ayye6avx4a9rwdsdpmp7655jr2xtdy6tx3hjfchgwggqajccaq&#39;&gt;nevent1q…ccaq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-12-05&lt;br/&gt;📝 Original message:&lt;br/&gt;Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; The shared secret doesn&amp;#39;t need to be very large: the number of attempts&lt;br/&gt;&amp;gt;&amp;gt; per second (to guess the shared secret) is limited by network latency,&lt;br/&gt;&amp;gt;&amp;gt; bandwidth and maybe some artificial rate limiting. If an attacker can do&lt;br/&gt;&amp;gt;&amp;gt; 100 attempts per second, then a 32-bit shared secret will take (on&lt;br/&gt;&amp;gt;&amp;gt; average) 2^31 / (100*3600*24) = 248 days to crack, for a single guess of&lt;br/&gt;&amp;gt;&amp;gt; which node is the final node. In the mean time, people will have noticed&lt;br/&gt;&amp;gt;&amp;gt; the ongoing attack and will have taken countermeasures. Besides, the&lt;br/&gt;&amp;gt;&amp;gt; transaction lock time will likely have expired in the mean time as well.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; We could really just use the last 4 bytes of the signature, AFAICT.&lt;br/&gt;&lt;br/&gt;A stupid idea came to mind that would allow us to use no more space in&lt;br/&gt;the onion at all: store the secret from the invoice in the HMAC&lt;br/&gt;field. That would complicate the final hop checking on the recipient to&lt;br/&gt;either being all 0x00, or some known secret (could also use a partial&lt;br/&gt;HMAC so we can reduce the number of lookups we need to do). Another&lt;br/&gt;option is that we could XOR it with some other field as well. The&lt;br/&gt;recipient already signaled that it supports this by including a secret&lt;br/&gt;in the invoice in the first place anyway, so no need for a lockstep&lt;br/&gt;upgrade either.&lt;br/&gt;&lt;br/&gt;Just putting it out there, I&amp;#39;m still unsure if I like it at all, since&lt;br/&gt;it mixes field purposes, but it is an option if we decide this is a&lt;br/&gt;serious issue.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:53:21Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsp9r8wshwdxpq6d3uk3582urqd97p5vn6r3ul4g47p8uczvp54d5gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjrgcn9</id>
    
      <title type="html">📅 Original date posted:2018-12-04 📝 Original message: Which ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsp9r8wshwdxpq6d3uk3582urqd97p5vn6r3ul4g47p8uczvp54d5gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjrgcn9" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsd50skuav3cqwpmjgw6m77mv9k4lu4ctw00qx7ctktnt5n47vkt9s0hc4pl&#39;&gt;nevent1q…c4pl&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-12-04&lt;br/&gt;📝 Original message:&lt;br/&gt;Which brings us back to the initial proposal that just signals the&lt;br/&gt;awareness of a temporary underpayment with the single &amp;#34;more is coming&amp;#34;-bit.&lt;br/&gt;&lt;br/&gt;On Sun, Dec 2, 2018 at 11:49 PM Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; &amp;gt; But what if 2 of those paths fail?&lt;br/&gt;&amp;gt; &amp;gt; It would be better to merge them into a single payment along the&lt;br/&gt;&amp;gt; expensive 4th path.&lt;br/&gt;&amp;gt; &amp;gt; However, the remaining succeeding path has already given `numpaths`=3.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Using `numpaths` overcommits to what you will do in the future, and is&lt;br/&gt;&amp;gt; unnecessary anyway.&lt;br/&gt;&amp;gt; &amp;gt; The payee is interested in the total value, not the details of the split.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Excellent point.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thanks,&lt;br/&gt;&amp;gt; Rusty.&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181204/de818531/attachment-0001.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181204/de818531/attachment-0001.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:53:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqstjmkue0gfxcsyjlzlga7kx0yrlmevhqr8uanumkjpeudk0vermkszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9demlz</id>
    
      <title type="html">📅 Original date posted:2018-11-29 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqstjmkue0gfxcsyjlzlga7kx0yrlmevhqr8uanumkjpeudk0vermkszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9demlz" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsz3dpwulc59men97gwhq8vj680pqf3qrau79hnve23328k0m3f96c3c4kxq&#39;&gt;nevent1q…4kxq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-29&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Corne,&lt;br/&gt;&lt;br/&gt;the HMACs are necessary in order to make sure that a hop cannot modify&lt;br/&gt;the packet before forwarding, and the next node not detecting that&lt;br/&gt;modification.&lt;br/&gt;&lt;br/&gt;One potential attack that could facilitate is that an attacker could&lt;br/&gt;learn the path length by messing with different per-hop payloads: set&lt;br/&gt;n=0 the attacker flips bits in the nth per-hop payload, and forwards&lt;br/&gt;it. If the next node doesn&amp;#39;t return an error it was the final recipient,&lt;br/&gt;if if returns an error, increment n and flip bits in the (n&#43;1)th per-hop&lt;br/&gt;payload, until no error is returned. Congratulation you just learned the&lt;br/&gt;path length after you. The same can probably be done with the error&lt;br/&gt;packet, meaning you can learn the exact position in the route. Add to&lt;br/&gt;that the information you already know about the network (cltv_deltas,&lt;br/&gt;amounts, fees, ...) and you can probably detect sender and recipient.&lt;br/&gt;&lt;br/&gt;Adding HMACs solves this by ensuring that the next hop will return an&lt;br/&gt;error if anything was changed, i.e., removing the leak about which node&lt;br/&gt;would have failed the route.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Corné Plooy via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Is there a reason why we have HMACs in Sphinx? What could go wrong if we&lt;br/&gt;&amp;gt; didn&amp;#39;t?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; A receiving node doesn&amp;#39;t know anyway what the origin node is; I don&amp;#39;t&lt;br/&gt;&amp;gt; see any attack mode where an attacker wouldn&amp;#39;t be able to generate a&lt;br/&gt;&amp;gt; valid HMAC.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; A receiving node only knows which peer sent it a Sphinx packet;&lt;br/&gt;&amp;gt; verification that this peer really sent this Sphinx packet is (I think)&lt;br/&gt;&amp;gt; already done on a lower protocol layer.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; AFAICS, The only real use case of the HMAC value is the special case of&lt;br/&gt;&amp;gt; a 0-valued HMAC, indicating the end of the route. But that&amp;#39;s just silly:&lt;br/&gt;&amp;gt; it&amp;#39;s essentially a boolean, not any kind of cryptographic verification.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; CJP&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:53:14Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs8kvd35v2cea977eydvuvw8dw55ch30zmglkcxtf3d8m4q0uu6fsqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w633z9g</id>
    
      <title type="html">📅 Original date posted:2018-11-18 📝 Original message: I ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs8kvd35v2cea977eydvuvw8dw55ch30zmglkcxtf3d8m4q0uu6fsqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w633z9g" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsgmxd7sn2tncjq5x2rx3jxamxflpfhs0lnuj30y09mtxec05dm40sjrhyyw&#39;&gt;nevent1q…hyyw&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-18&lt;br/&gt;📝 Original message:&lt;br/&gt;I finally got around to amending my initial (broken) proposal for the&lt;br/&gt;rendez-vous protocol using the ephemeral key switch at the rendez-vous&lt;br/&gt;point. I&amp;#39;d like to try and keep a live document that describes the&lt;br/&gt;entire proposal in the Wiki to make it easier for people to get an&lt;br/&gt;overall view of the proposal, instead of having to stitch it together&lt;br/&gt;from the ML posts. You can find the proposal here [1]. It makes heavy&lt;br/&gt;use of the description in the onion routing bolt [2].&lt;br/&gt;&lt;br/&gt;The initial proposal was to have the rendez-vous node `RV` swap in an&lt;br/&gt;ephemeral key `ek_rv` instead of generating it from `ss_k` derived from&lt;br/&gt;ECDH(`ek_{k-1}`, node_id), because that allows the recipient `R` to&lt;br/&gt;generate the second half of the route by selecting that `ek_rv`.&lt;br/&gt;&lt;br/&gt;The problem I mentioned in other mails arises from the fact that when&lt;br/&gt;`RV` decrypts its payload to learn about its routing instructions and&lt;br/&gt;learn about `ek_rv`, it was also encrypting the filler bytes appended to&lt;br/&gt;the end. The decryption is done via XOR with a ChaCha20 bytestream whose&lt;br/&gt;key is generated from `ss_k`, which is unknown to `R` (depends on the&lt;br/&gt;ephemeal key selected by the sender and the intermediate hops). This is&lt;br/&gt;important since `R` needs to know the exact contents of the packet&lt;br/&gt;including the filler to compute valid HMACs.&lt;br/&gt;&lt;br/&gt;The fix is relatively simple, and just adds a virtual hop at `RV`. I&amp;#39;ll&lt;br/&gt;describe the actions of `RV` here instead of the packet building since&lt;br/&gt;this way is easier to follow:&lt;br/&gt;&lt;br/&gt; - `RV` derives `ss_k` from `ek_k` which was given to it by the previous&lt;br/&gt;   hop, appends the `0x00`-vector to shift in when stripping its per-hop&lt;br/&gt;   payload (may need more than 65 bytes now since we shift more than one&lt;br/&gt;   per-hop field now), generates the ChaCha20 stream using `ss_k` and&lt;br/&gt;   XORs the packet with the stream.&lt;br/&gt; - `RV` reads its per-hop payload notices that an ephemeral key switch&lt;br/&gt;   is desired and reads `ek_rv` from the per-hop payload. It overwrites&lt;br/&gt;   the, now encrypted, filler vector with `0x00`-bytes again (to&lt;br/&gt;   recreate a well-known state that `R` can use when generating its&lt;br/&gt;   partial onion).&lt;br/&gt; - It then derives a new secret key `ss_rv` from `ek_rv` and its node&lt;br/&gt;   ID. `ss_rv` is then used to generate a new ChaCha20 stream which will&lt;br/&gt;   encrypt the packet again (obfuscating the filler) and it&amp;#39;ll be used&lt;br/&gt;   to generate a new ephemeral key `ek_{rv&#43;1}` which will be passed on&lt;br/&gt;   to the next hop.&lt;br/&gt;&lt;br/&gt;At this point the normal operation continues as usual. IMHO the proposal&lt;br/&gt;is clean and backwards compatible, but I&amp;#39;m open for suggestions. There&lt;br/&gt;are a number of variants for this protocol, but I chose this one for its&lt;br/&gt;symmetry with the existing scheme. I&amp;#39;ll list a few alternatives here:&lt;br/&gt;&lt;br/&gt; - `ek_{rv&#43;1}` == `ek_rv`: it is not really required to generate a new&lt;br/&gt;   ephemeral key for the next hop, we could just reuse it. The reason&lt;br/&gt;   the switch is done in normal Sphinx is to avoid correlating hops, but&lt;br/&gt;   `ek_rv` is not really seen on the wire in cleartext right now so we&lt;br/&gt;   could just reuse it. I prefer not to simply because of symmetry.&lt;br/&gt; - Overwrite the filler with `0x00`-bytes and don&amp;#39;t obfuscate it. This&lt;br/&gt;   is the simple initial proposal, but it leaks the fact that `RV` is a&lt;br/&gt;   rendez-vous node to the next hop.&lt;br/&gt;&lt;br/&gt;Please let me know if I missed something, I&amp;#39;ll try to implement this&lt;br/&gt;soon and see if something unexpected jumps at me :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/wiki/Rendez-vous-mechanism-on-top-of-Sphinx&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/wiki/Rendez-vous-mechanism-on-top-of-Sphinx&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/blob/master/04-onion-routing.md#shared-secret&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/blob/master/04-onion-routing.md#shared-secret&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:52:58Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs0qef3xz55f7nu2jvz0q4q4gatg7l782skkwkx7y62kzzrvgrk9rqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9u9l88</id>
    
      <title type="html">📅 Original date posted:2018-11-15 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs0qef3xz55f7nu2jvz0q4q4gatg7l782skkwkx7y62kzzrvgrk9rqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w9u9l88" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsqeldqcqf88rmvxd7c662qm9smjajvysa0ql0xnllukxy9huucq2c3u6zrg&#39;&gt;nevent1q…6zrg&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-15&lt;br/&gt;📝 Original message:&lt;br/&gt;Conner Fromknecht &amp;lt;conner at lightning.engineering&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; For a sequence of `type,len,value`, the `type`s must be in ascending order&lt;br/&gt;&amp;gt;&amp;gt; -- not explicitly accepted or rejected.  It would be easier to check&lt;br/&gt;&amp;gt;&amp;gt; uniqueness &amp;gt; (the previous rule we accepted) here for a naive parser (keep&lt;br/&gt;&amp;gt;&amp;gt; track of some &amp;#34;minimum allowed type&amp;#34; that initializes at zero, check current&lt;br/&gt;&amp;gt;&amp;gt; type &amp;gt;= this, update to current type &#43; 1) if `type`s are in ascending order.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yep ascending makes sense to me, for the reasons you stated.&lt;br/&gt;&lt;br/&gt;Definitely a good idea, especially because it results in a canonical&lt;br/&gt;serialization format, which is important to ensure signatures over&lt;br/&gt;messages can be verified even when reserializing parsed messages.
    </content>
    <updated>2023-06-09T12:52:54Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsdfz4stxvk8atz0qrt2fslr63cfwvmjnhsejr9s8wyscpzr2jr0qczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6ayfkd</id>
    
      <title type="html">📅 Original date posted:2018-11-15 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsdfz4stxvk8atz0qrt2fslr63cfwvmjnhsejr9s8wyscpzr2jr0qczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6ayfkd" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2t3re6xwqdwhmantqqp22x7fmzq5detpuj90ax9709p280lzc6zc4tnpq0&#39;&gt;nevent1q…npq0&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-15&lt;br/&gt;📝 Original message:&lt;br/&gt;I&amp;#39;m not sure this is an improvement at all over just allowing a single&lt;br/&gt;merge-point, i.e., the destination. You see as long as we don&amp;#39;t attempt&lt;br/&gt;intermediate merges the routes are independent and failures of one HTLC&lt;br/&gt;do not impact any other parts. Take for example the network below:&lt;br/&gt;&lt;br/&gt;  --------&lt;br/&gt; /        \&lt;br/&gt;A----B-----C-----D&lt;br/&gt;\               /&lt;br/&gt; -------E-------&lt;br/&gt;&lt;br/&gt;For simplicity let&amp;#39;s assume unit capacities on all channels except C-D&lt;br/&gt;and a total payment of 2 from A to D.&lt;br/&gt;&lt;br/&gt;If we use C as a merge point for the two partial payments A-C-D and&lt;br/&gt;A-B-C-D, then C can only forward if both partial payment succeed, i.e.,&lt;br/&gt;if for example A-C fails then we&amp;#39;ll need to tear down the HTLCs for both&lt;br/&gt;paths because it&amp;#39;ll no longer be possible to find an alternative route&lt;br/&gt;to fulfill the forwarding of 2 over C-D.&lt;br/&gt;&lt;br/&gt;If however we have two independent routes A-B-C-D and A-C-D, then A-C-D&lt;br/&gt;can fail independently and we can recover by attempting A-E-D, no need&lt;br/&gt;to touch A-B-C-D at all.&lt;br/&gt;&lt;br/&gt;Overall it seems we get very little benefit (we save some HTLC setups&lt;br/&gt;and teardown) for a lot of added complexity. In the above case we would&lt;br/&gt;have saved on a single C-D HTLC, and the cost of doing so is many times&lt;br/&gt;larger (2 HTLCs needed to be torn down because we could no longer pass&lt;br/&gt;enough capacity to C in order for it to reach the forward threshold).&lt;br/&gt;&lt;br/&gt;Let&amp;#39;s please stick with the simple mechanism of having the recipient be&lt;br/&gt;the only merge point.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I propose the below to support Base AMP.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The below would allow arbitrary merges of paths, but not arbitrary splits.  I am uncertain about the safety of arbitrary splits.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ### The `multipath_merge_per_hop` type (`option_base_amp`)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This indicates that payment has been split by the sender using Base AMP, and that the receiver should wait for the total intended payment before forwarding or claiming the payment.&lt;br/&gt;&amp;gt; In case the receiving node is not the last node in the path, then succeeding hops MUST be the same across all splits.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1. type: 1 (`termination_per_hop`)&lt;br/&gt;&amp;gt; 2. data:&lt;br/&gt;&amp;gt;   * [`8` : `short_channel_id`]&lt;br/&gt;&amp;gt;   * [`8` : `amt_to_forward`]&lt;br/&gt;&amp;gt;   * [`4` : `outgoing_cltv_value`]&lt;br/&gt;&amp;gt;   * [`8` : `intended_total_payment`]&lt;br/&gt;&amp;gt;   * [`4` : `zeros`]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The contents of this hop will be the same across all paths of the Base AMP.&lt;br/&gt;&amp;gt; The `payment_hash` of the incoming HTLCs will also be the same across all paths of the Base AMP.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; `intended_total_payment` is the total amount of money that this node should expect to receive in all incoming paths to the same `payment_hash`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This may be the last hop of a payment onion, in which case the `HMAC` for this hop will be `0` (the same rule as for `per_hop_type` 0).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The receiver:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * MUST impose a reasonable timeout for waiting to receive all component paths, and fail all incoming HTLC offers for the `payment_hash`  if they have not totalled equal to `intended_total_payment`.&lt;br/&gt;&amp;gt; * MUST NOT forward (if an intermediate node) or claim (if the final node) unless it has received a total greater or equal to `intended_total_payment` in all incoming HTLCs for the same `payment_hash`.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The sender:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * MUST use the same `payment_hash` for all paths of a single multipath payment.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:52:43Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvf02xmq2wch6z3p8fsema0w0q06nyghvf30ha8ntjuzdywc9y5rszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn4t2sc</id>
    
      <title type="html">📅 Original date posted:2018-11-13 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvf02xmq2wch6z3p8fsema0w0q06nyghvf30ha8ntjuzdywc9y5rszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn4t2sc" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsgx6eayf8wr00l5dtwq8g9895f9hxzkjxvlejsf7g0nm5984lk88gx808w5&#39;&gt;nevent1q…08w5&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-13&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi ZmnSCPxj,&lt;br/&gt;&lt;br/&gt;like I mentioned in the other mailing thread we have a minor&lt;br/&gt;complication in order get rendez-vous working.&lt;br/&gt;&lt;br/&gt;If I&amp;#39;m not mistaken it&amp;#39;ll not be possible for us to have spontaneous&lt;br/&gt;ephemeral key switches while forwarding a payment. Specifically either&lt;br/&gt;the sender or the recipient have to know the switchover points in their&lt;br/&gt;respective parts of the onion. Otherwise it&amp;#39;ll not be possible to cover&lt;br/&gt;the padding in the HMAC, for the same reason that we couldn&amp;#39;t meet up&lt;br/&gt;with the same ephemeral key at the rendez-vous point.&lt;br/&gt;&lt;br/&gt;Sorry about not noticing this before.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Although, packet switching was part of the agenda, we decided, that we would defer this to some later version of BOLT spec.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Interestingly, some sort of packet switching becomes possible, due to the below features we did not defer:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Multi-hop onion packets (i.e. s/realm/packettype/)&lt;br/&gt;&amp;gt; 2.  Identify &amp;#34;next&amp;#34; by node-id instead of short-channel-id (actually, we solved this by &amp;#34;short-channel-id is not binding&amp;#34; and next hop is identified by short-channel-id still).&lt;br/&gt;&amp;gt; 3.  Onion ephemeral key switching (required by rendez-vous routing).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; -----------&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose we define the below packettype (notice below type number is even, but I am uncertain how &amp;#34;is OK to be odd&amp;#34;, is appropriate for this):&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; packettype 0: same as current realm 0&lt;br/&gt;&amp;gt; packettype 2: ephemeral key switch (use ephemeral key in succeeding 65-byte packet)&lt;br/&gt;&amp;gt; packettype 4: identify next node by node-id on succeeding 65-byte packet&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose I were to receive a packettype 0 in an onion.  It identifies a short-channel-id.  Now suppose this particular channel has no capacity.  As I showed in thread &amp;#34; Link-level payment splitting via intermediary rendezvous nodes&amp;#34; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001547.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001547.html&lt;/a&gt;, it is possible, that I can route it via some other route *composed of multiple channels*, by using packettype 4 at the end of this route to connect it to the rest of the onion I receive.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However, in this case, in effect, the short-channel-id simply identifies the &amp;#34;next&amp;#34; node along this route.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Suppose we also identify a new packettype (packettype 4)) where he &amp;#34;next&amp;#34; node is identified by its node-id.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Let us make the below scenarios.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Suppose the node-id so identified, I have a channel with this node.  And suppose this channel has capacity.  I can send the payment directly to that node.  This is no different from today.&lt;br/&gt;&amp;gt; 2.  Suppose the node-id so identified, I have a channel with this node.  But this channel has not capacity.  However, I can look for alternate route.  And by using rendez-vous feature &amp;#34;switch ephemeral key&amp;#34; I can generate a route that is multiple hops, in order to reach the identified node-id, and connect the rest of the onion to this.  This case is same as if the node is identified by short-channel-id.&lt;br/&gt;&amp;gt; 3.  Suppose the node-id so identified, I have not a channel with this node.  However, I can again look for alternate route.  Again, by using &amp;#34;switch ephemeral key&amp;#34; feature, I can generate a route that is multiple hops, in order to reach the identified node-id, and again connect the rest of the onion to this.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now, the case 3 above, can build up packet switching.  I might have a routemap that contains the destination node-id and have an accurate route through the network, and identify the path directly to the next node.  If not, I could guess/use statistics that one of my peers is likely to know how to route to that node, and also forward a packettype 4 to the same node-id to my peer.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This particular packet switching, also allows some uncertainty about the destination.  For instance, even if I wish to pay CJP, actually I make an onion with packettype 4 Rene, packettype 4 CJP. packettype 0 HMAC=0.  Then I send the above onion (appropriately layered-encrypted) to my direct peer cdecker, who attempts to make an effort to route to Rene.  When Rene receives it, it sees packettype 4 CJP, and then makes an effort to route to CJP, who sees packettype 0 HMAC=0 meaning CJP is the recipient.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Further, this is yet another use of the siwtch-ephemeral-key packettype.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thus:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  It allows packet switching&lt;br/&gt;&amp;gt; 2.  It increases anonymity set of rendez-vous routing. Node that sees packettype 2 (switch ephemeral key) does not know, if it is sending to a packet-switched or link-level payment rerouting, or if it is the rendes-vous for a deniable payment.&lt;br/&gt;&amp;gt; 3.  Mapless Lightning nodes (&lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001552.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001552.html&lt;/a&gt;) could ask a peer to be their pathfinding provider, with some amount of uncertinaty (it is possible that somebody else sent a packettype 4 to me, and I selected you as peer who might know the destination; also, the destination specified may not be the final destination, and I might also be someone who received a packettype 2 and switched keys before forwarding the packettype 4 to you).&lt;br/&gt;&amp;gt; 4.  It justifies multiple features (support for packettype 2 and packettype 4) having a single feature bit, again making it difficult to justify discriminating nodes with this feature bit enabled.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:52:28Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsw4r99z7crwu7vr57v86x7hjej75kam8ckpu0qkzgvyf3lmt0gh5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wnsrqd8</id>
    
      <title type="html">📅 Original date posted:2018-11-15 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsw4r99z7crwu7vr57v86x7hjej75kam8ckpu0qkzgvyf3lmt0gh5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wnsrqd8" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs8uxy3shj0nqc7ew8wfzmgm4nmyr6a4vqkedyapc6dqkdd68v30xgwh20rq&#39;&gt;nevent1q…20rq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-15&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; The construction we came up with allows multiple rendezvous nodes,&lt;br/&gt;&amp;gt; unlike the HORNET construction that is inherently only a single&lt;br/&gt;&amp;gt; rendezvous node.  Perhaps the extra flexibility comes with some&lt;br/&gt;&amp;gt; security degradation?&lt;br/&gt;&lt;br/&gt;I don&amp;#39;t think this is the case. If I remember correctly (Conner please&lt;br/&gt;correct me if I&amp;#39;m wrong here), then the Hornet rendez-vous construction&lt;br/&gt;relied on a Sphinx packet from the RV to R, wrapped in a Sphinx packet&lt;br/&gt;from S to RV. This was possible because of the variable sized payload.&lt;br/&gt;It would be possible to do that a number of times, with the downside&lt;br/&gt;that the packet would be bigger and bigger since we are wrapping full&lt;br/&gt;Sphinx packets.&lt;br/&gt;&lt;br/&gt;Our construction with the ephemeral key switch at the rendez-vous point&lt;br/&gt;is identical to that construction, except that we have the ephemeral key&lt;br/&gt;at the RV hidden inside the routing information (per-hop payload) and&lt;br/&gt;the remainder of the route in what would otherwise be padding. The&lt;br/&gt;constructions are IMHO no different except for the location we store the&lt;br/&gt;forward information that the RV will have to unpack (per-hop payload&lt;br/&gt;instead of nested sphinx packets).&lt;br/&gt;&lt;br/&gt;The only difficulty that I pointed out comes from the fact that the HMAC&lt;br/&gt;verification can&amp;#39;t work if we can&amp;#39;t generate a specify shared secret at&lt;br/&gt;the RV, which to me sounds like an intrinsic property of the way we use&lt;br/&gt;one-way functions to derive those.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:52:27Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsywhwae6w45w2nxvfe5hwglcu0f0mcpxd5yp4gnk00ljpw2wf6r7szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5fj3ku</id>
    
      <title type="html">📅 Original date posted:2018-11-14 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsywhwae6w45w2nxvfe5hwglcu0f0mcpxd5yp4gnk00ljpw2wf6r7szypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w5fj3ku" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsvtjkzy2ul0erh5m04wtvtkuwgludtnv7pat43p4cdzj38j0hm6actta9k7&#39;&gt;nevent1q…a9k7&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-14&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Conner,&lt;br/&gt;&lt;br/&gt;thanks for the pointers, looking forward to reading up on the&lt;br/&gt;wrap resistance. I don&amp;#39;t quite follow if you&amp;#39;re against the&lt;br/&gt;re-wrapping for spontaneous re-routing, or the entire rendez-vous&lt;br/&gt;construction we came up with in Australia. If it&amp;#39;s the latter, do&lt;br/&gt;you have an alternative construction that we might look at?&lt;br/&gt;Hornet requires the onion-in-onion initial sphinx setup IIRC&lt;br/&gt;which is pretty much what we came up with here (with the&lt;br/&gt;exception that we manage to have the second onion be hidden in&lt;br/&gt;the first one&amp;#39;s header instead of the payload).&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Tue, Nov 13, 2018 at 9:21 PM Conner Fromknecht&lt;br/&gt;&amp;lt;conner at lightning.engineering&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning all,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Taking a step back—even if key switching can be done mathematically, it&lt;br/&gt;&amp;gt; seems&lt;br/&gt;&amp;gt; dubious that we would want to introduce re-routing or rendezvous routing&lt;br/&gt;&amp;gt; in this&lt;br/&gt;&amp;gt; manner. If the example provided _could_ be done, it would directly violate&lt;br/&gt;&amp;gt; the&lt;br/&gt;&amp;gt; wrap-resistance property of the ideal onion routing scheme defined in [1].&lt;br/&gt;&amp;gt; This&lt;br/&gt;&amp;gt; property is proven for Sphinx in section 4.3 of [2]. Schemes like HORNET&lt;br/&gt;&amp;gt; [3]&lt;br/&gt;&amp;gt; support rendezvous routing and are formally proven in this model. Seems&lt;br/&gt;&amp;gt; this&lt;br/&gt;&amp;gt; would be the obvious path forward, given that we&amp;#39;ve already done a&lt;br/&gt;&amp;gt; considerable&lt;br/&gt;&amp;gt; amount of work towards implementing HORNET via Sphinx.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Conner&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [1] A Formal Treatment of Onion Routing:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://www.iacr.org/cryptodb/archive/2005/CRYPTO/1091/1091.pdf&#34;&gt;https://www.iacr.org/cryptodb/archive/2005/CRYPTO/1091/1091.pdf&lt;/a&gt;&lt;br/&gt;&amp;gt; [2] Sphinx: &lt;a href=&#34;https://cypherpunks.ca/~iang/pubs/Sphinx_Oakland09.pdf&#34;&gt;https://cypherpunks.ca/~iang/pubs/Sphinx_Oakland09.pdf&lt;/a&gt;&lt;br/&gt;&amp;gt; [3] HORNET: &lt;a href=&#34;https://arxiv.org/pdf/1507.05724.pdf&#34;&gt;https://arxiv.org/pdf/1507.05724.pdf&lt;/a&gt;&lt;br/&gt;&amp;gt; On Mon, Nov 12, 2018 at 8:47 PM ZmnSCPxj via Lightning-dev&lt;br/&gt;&amp;gt; &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; wrote:&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Good morning Christian,&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; I am nowhere near a mathematician, thus, cannot countercheck your&lt;br/&gt;&amp;gt; expertise here (and cannot give a counterproposal thusly).&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; But I want to point out the below scenarios:&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; 1.  C is the payer.  He is in contact with an unknown payee (who in&lt;br/&gt;&amp;gt; reality is E).  E provides the onion-wrapped route D-&amp;gt;E with ephemeral key&lt;br/&gt;&amp;gt; and other data necessary, as well as informing C that D is the rendez-vous&lt;br/&gt;&amp;gt; point.  Then C creates a route from itself to D (via channel C-&amp;gt;D or via&lt;br/&gt;&amp;gt; C-&amp;gt;A-&amp;gt;D).&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; 2.  B is the payer.  He knows the entire route B-&amp;gt;C-&amp;gt;D-&amp;gt;E and knows that&lt;br/&gt;&amp;gt; payee is C.  Unfortunately the C&amp;lt;-&amp;gt;D channel is low capacity or down or etc&lt;br/&gt;&amp;gt; etc.  At C, B has provided the onion-wrapped route D-&amp;gt;E with ephemeral key&lt;br/&gt;&amp;gt; and other data necessary, as well as informing to C that D is the next&lt;br/&gt;&amp;gt; node.  Then C either pays via C-&amp;gt;D or via C-&amp;gt;A-&amp;gt;D.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Even if there is an off-by-one error in our thinking about rendez-vous&lt;br/&gt;&amp;gt; nodes, could it not be compensated also by an off-by-one in the link-level&lt;br/&gt;&amp;gt; payment splitting via intermediary rendez-vous node?&lt;br/&gt;&amp;gt; &amp;gt; In short, D is the one that switches keys instead of A.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; The operation of processing a hop would be:&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; 1.  Unwrap the onion with current ephemeral key.&lt;br/&gt;&amp;gt; &amp;gt; 2.  Dispatch based on realm byte.&lt;br/&gt;&amp;gt; &amp;gt; 2.1.  If realm byte 0:&lt;br/&gt;&amp;gt; &amp;gt; 2.1.1.  Normal routing behavior, extract HMAC, etc etc&lt;br/&gt;&amp;gt; &amp;gt; 2.2.  If realm byte 2 &amp;#34;switch ephemeral keys&amp;#34;:&lt;br/&gt;&amp;gt; &amp;gt; 2.2.1.  Set current ephemeral key to bytes 1 -&amp;gt; 32 of packet.&lt;br/&gt;&amp;gt; &amp;gt; 2.2.2.  Shift onion by one hop packet.&lt;br/&gt;&amp;gt; &amp;gt; 2.2.3.  Goto 1.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Would that not work?&lt;br/&gt;&amp;gt; &amp;gt; (I am being naive here, as I am not a mathist and I did not understand&lt;br/&gt;&amp;gt; half what you wrote, sorry)&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Then at C, we have the onion from D-&amp;gt;E, we also know the next ephemeral&lt;br/&gt;&amp;gt; key to use (we can derive it since we would pass it to D anyway).&lt;br/&gt;&amp;gt; &amp;gt; It rightshifts the onion by one, storing the next ephemeral key to the&lt;br/&gt;&amp;gt; new hop it just allocated.&lt;br/&gt;&amp;gt; &amp;gt; Then it encrypts the onion using a new ephemeral key that it will use to&lt;br/&gt;&amp;gt; generate the D&amp;lt;-A&amp;lt;-C part of the onion.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Regards,&lt;br/&gt;&amp;gt; &amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Sent with ProtonMail Secure Email.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐&lt;br/&gt;&amp;gt; &amp;gt; On Tuesday, November 13, 2018 11:45 AM, Christian Decker &amp;lt;&lt;br/&gt;&amp;gt; decker.christian at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; Great proposal ZmnSCPxj, but I think I need to raise a small issue with&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; it. While writing up the proposal for rendez-vous I came across a&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; problem with the mechanism I described during the spec meeting: the&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; padding at the rendez-vous point would usually zero-padded and then&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; encrypted in one go with the shared secret that was generated from the&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; previous ephemeral key (i.e., the one before the switch). That&lt;br/&gt;&amp;gt; ephemeral&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; key is not known to the recipient (barring additional rounds of&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; communication) so the recipient would be unable to compute the correct&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; MACs. There are a number of solutions to this, basically setting the&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; padding to something that the recipient could know when generating its&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; half onion.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; My current favorite goes like this:&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; 1.  Rendez-vous RV receives an onion, performs ECDH like normal to get&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     the shared secret, decrypts its payload, simultaneously encrypts&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     the padding.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; 2.  It extracts its per-hop payload and shifts the entire packet over&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     (shift its payload out and the newly generated padding in)&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; 3.  It then notices that it should perform an ephemeral key switch, now&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     deviating from the normal protocol (which would just be to generate&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     the new ephemeral key, serialize and forward)&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     3.1. It zero-fills the padding that it just added (so we are in a&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     state that the recipient knew when generating its partial onion&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     3.2 It performs ECDH with the switched in ephemeral key to get a&lt;br/&gt;&amp;gt; new&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     shared secret that which is then used to unwrap one additional&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     layer of encryption, and most importantly encrypt the padding so&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     the next hop doesn&amp;#39;t see the zero-filled padding.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     3.3 Only then will it generate the new ephemeral key for the next&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     hop, based on the switched in ephemeral key and the newly&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     generated shared secret, serialize the packet and forward it.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     This has the advantage of reusing all the existing machinery but&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     assembling it a bit differently, by adding a little detour when&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     generating the next onion. It involves one additional ECDH at the&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     rendez-vous, one ChaCha20 encryption and one scalar multiplication&lt;br/&gt;&amp;gt; to&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     generate the next ephemeral keys. It does not need more space than&lt;br/&gt;&amp;gt; the&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     single ephemeral key in the per-hop payload.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     And now for the reason that I write this as a reply to your post:&lt;br/&gt;&amp;gt; with&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     this scheme it is not possible for C to find an ephemeral key that&lt;br/&gt;&amp;gt; would&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     end up identical to the one that D would require to decrypt the&lt;br/&gt;&amp;gt; onion&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     correctly. This would not be an issue if D is informed about this&lt;br/&gt;&amp;gt; split&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     and would basically accept whatever it gets, but that kind of&lt;br/&gt;&amp;gt; defeats&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     the transparency that you were going for with your proposal.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     I&amp;#39;m open for other proposals but I currently can&amp;#39;t think of a way&lt;br/&gt;&amp;gt; to&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     make sure that a) the recipient can deterministically generate the&lt;br/&gt;&amp;gt; same&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     padding that RV will generate, and b) hide the fact that RV was&lt;br/&gt;&amp;gt; indeed a&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     rendez-vous point (e.g., by leaving the padding be a well known&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     constant).&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     Sorry for this problem, I had a mental off-by-one at the meeting&lt;br/&gt;&amp;gt; that I&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     hadn&amp;#39;t considered, the solution should work, but it makes this&lt;br/&gt;&amp;gt; kind of&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     things a bit harder.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     Cheers,&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     Christian&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;     ZmnSCPxj via Lightning-dev lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; writes:&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Good morning list,&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; As was discussed directly in summit, we accept link-lvel payment&lt;br/&gt;&amp;gt; splitting (scid is not binding), and provisionally accept rendez-vous&lt;br/&gt;&amp;gt; routing.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; It strikes me, that even if your node has only a single channel to&lt;br/&gt;&amp;gt; the next node (c-lightning), it is possible, to still perform link-level&lt;br/&gt;&amp;gt; payment splitting/re-routing.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; For instance, consider this below graph:&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;       E&amp;lt;---D---&amp;gt;C&amp;lt;---B&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;            ^  /&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;            | /&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;            |L&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;            A&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; In the above, B requests a route from B-&amp;gt;C-&amp;gt;D-&amp;gt;E.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; However, C cannot send to D, since the channel direction is&lt;br/&gt;&amp;gt; saturated in favor of D.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Alternately, C can route to D via A instead. It holds the&lt;br/&gt;&amp;gt; (encrypted) route from D to E. It can take that sub-route and treat it as a&lt;br/&gt;&amp;gt; partial route-to-payee under rendez-vous routing, as long as node A&lt;br/&gt;&amp;gt; supports rendez-vous routing.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; This can allow re-routing or payment splitting over multiple hops.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Even though C does not know the number of remaining hops between D&lt;br/&gt;&amp;gt; and the destination, its alternative is to earn nothing anyway as its only&lt;br/&gt;&amp;gt; alternative is to fail the routing. At least with this, there is a chance&lt;br/&gt;&amp;gt; it can succeed to send the payment to the final destination.&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Regards,&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &amp;gt; &amp;gt; &amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; &amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; &amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181114/0fcb41a8/attachment-0001.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181114/0fcb41a8/attachment-0001.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:52:25Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsq87v3mx6purr0k0vpv885az82f8ezvnjpq2z6ce7gz7x3km3394qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsl5cnh</id>
    
      <title type="html">📅 Original date posted:2018-11-13 📝 Original message: Great ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsq87v3mx6purr0k0vpv885az82f8ezvnjpq2z6ce7gz7x3km3394qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsl5cnh" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsqujmadj0y6wca23vy2hslt3lf57uah6yext67u5wvus4wma6ctvqasecxq&#39;&gt;nevent1q…ecxq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-13&lt;br/&gt;📝 Original message:&lt;br/&gt;Great proposal ZmnSCPxj, but I think I need to raise a small issue with&lt;br/&gt;it. While writing up the proposal for rendez-vous I came across a&lt;br/&gt;problem with the mechanism I described during the spec meeting: the&lt;br/&gt;padding at the rendez-vous point would usually zero-padded and then&lt;br/&gt;encrypted in one go with the shared secret that was generated from the&lt;br/&gt;previous ephemeral key (i.e., the one before the switch). That ephemeral&lt;br/&gt;key is not known to the recipient (barring additional rounds of&lt;br/&gt;communication) so the recipient would be unable to compute the correct&lt;br/&gt;MACs. There are a number of solutions to this, basically setting the&lt;br/&gt;padding to something that the recipient could know when generating its&lt;br/&gt;half onion.&lt;br/&gt;&lt;br/&gt;My current favorite goes like this:&lt;br/&gt;&lt;br/&gt; 1. Rendez-vous RV receives an onion, performs ECDH like normal to get&lt;br/&gt;    the shared secret, decrypts its payload, simultaneously encrypts&lt;br/&gt;    the padding.&lt;br/&gt; 2. It extracts its per-hop payload and shifts the entire packet over&lt;br/&gt;    (shift its payload out and the newly generated padding in)&lt;br/&gt; 3. It then notices that it should perform an ephemeral key switch, now&lt;br/&gt;    deviating from the normal protocol (which would just be to generate&lt;br/&gt;    the new ephemeral key, serialize and forward)&lt;br/&gt;    3.1. It zero-fills the padding that it just added (so we are in a&lt;br/&gt;         state that the recipient knew when generating its partial onion&lt;br/&gt;    3.2 It performs ECDH with the switched in ephemeral key to get a new&lt;br/&gt;        shared secret that which is then used to unwrap one additional&lt;br/&gt;        layer of encryption, and most importantly encrypt the padding so&lt;br/&gt;        the next hop doesn&amp;#39;t see the zero-filled padding.&lt;br/&gt;    3.3 Only then will it generate the new ephemeral key for the next&lt;br/&gt;        hop, based on the switched in ephemeral key and the newly&lt;br/&gt;        generated shared secret, serialize the packet and forward it.&lt;br/&gt;&lt;br/&gt;This has the advantage of reusing all the existing machinery but&lt;br/&gt;assembling it a bit differently, by adding a little detour when&lt;br/&gt;generating the next onion. It involves one additional ECDH at the&lt;br/&gt;rendez-vous, one ChaCha20 encryption and one scalar multiplication to&lt;br/&gt;generate the next ephemeral keys. It does not need more space than the&lt;br/&gt;single ephemeral key in the per-hop payload.&lt;br/&gt;&lt;br/&gt;And now for the reason that I write this as a reply to your post: with&lt;br/&gt;this scheme it is not possible for C to find an ephemeral key that would&lt;br/&gt;end up identical to the one that D would require to decrypt the onion&lt;br/&gt;correctly. This would not be an issue if D is informed about this split&lt;br/&gt;and would basically accept whatever it gets, but that kind of defeats&lt;br/&gt;the transparency that you were going for with your proposal.&lt;br/&gt;&lt;br/&gt;I&amp;#39;m open for other proposals but I currently can&amp;#39;t think of a way to&lt;br/&gt;make sure that a) the recipient can deterministically generate the same&lt;br/&gt;padding that RV will generate, and b) hide the fact that RV was indeed a&lt;br/&gt;rendez-vous point (e.g., by leaving the padding be a well known&lt;br/&gt;constant).&lt;br/&gt;&lt;br/&gt;Sorry for this problem, I had a mental off-by-one at the meeting that I&lt;br/&gt;hadn&amp;#39;t considered, the solution should work, but it makes this kind of&lt;br/&gt;things a bit harder.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;   &lt;br/&gt;&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; As was discussed directly in summit, we accept link-lvel payment splitting (scid is not binding), and provisionally accept rendez-vous routing.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It strikes me, that even if your node has only a single channel to the next node (c-lightning), it is possible, to still perform link-level payment splitting/re-routing.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For instance, consider this below graph:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;       E&amp;lt;---D---&amp;gt;C&amp;lt;---B&lt;br/&gt;&amp;gt;            ^  /&lt;br/&gt;&amp;gt;            | /&lt;br/&gt;&amp;gt;            |L&lt;br/&gt;&amp;gt;            A&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In the above, B requests a route from B-&amp;gt;C-&amp;gt;D-&amp;gt;E.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However, C cannot send to D, since the channel direction is saturated in favor of D.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Alternately, C can route to D via A instead.  It holds the (encrypted) route from D to E.  It can take that sub-route and treat it as a partial route-to-payee under rendez-vous routing, as long as node A supports rendez-vous routing.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This can allow re-routing or payment splitting over multiple hops.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Even though C does not know the number of remaining hops between D and the destination, its alternative is to earn nothing anyway as its only alternative is to fail the routing.  At least with this, there is a chance it can succeed to send the payment to the final destination.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:52:24Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs03l9qzc8wss50s4l8vvgxgwc4az4fv98m8mkc4cersag0dtte67gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w36r5lh</id>
    
      <title type="html">📅 Original date posted:2018-11-08 📝 Original message: Would ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs03l9qzc8wss50s4l8vvgxgwc4az4fv98m8mkc4cersag0dtte67gzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w36r5lh" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs9w4gn8lda7rwzajgdgjnjctfwrmm90m724d3k0gd6hh749dzl6uqdqzxum&#39;&gt;nevent1q…zxum&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-08&lt;br/&gt;📝 Original message:&lt;br/&gt;Would it be possible to query a command line program or a JSON-RPC call to&lt;br/&gt;get the secret? In that case we could add it to the `listpeers` output.&lt;br/&gt;&lt;br/&gt;On Wed, Nov 7, 2018 at 6:43 AM tock203 &amp;lt;tomokio203 at gmail.com&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; We implemented the latter scheme. lightning-dissector already supports key&lt;br/&gt;&amp;gt; rotation.&lt;br/&gt;&amp;gt; FYI, here&amp;#39;s the key log file format lightning-dissector currently&lt;br/&gt;&amp;gt; implements.&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://github.com/nayutaco/lightning-dissector/blob/master/CONTRIBUTING.md#by-dumping-key-log-file&#34;&gt;https://github.com/nayutaco/lightning-dissector/blob/master/CONTRIBUTING.md#by-dumping-key-log-file&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Whenever key rotation happens(nonce==0), lightning node software write&lt;br/&gt;&amp;gt; 16byteMAC &amp;amp; key of &amp;#34;first BOLT packet&amp;#34;.&lt;br/&gt;&amp;gt; When you read .pcap starts with a message whose nonce is not 0, the&lt;br/&gt;&amp;gt; messages can not be decrypted until the next key rotation.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The current design is as described above. Because it is a provisional&lt;br/&gt;&amp;gt; specification, any opinion is welcome.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 2018年11月6日(火) 16:08 Olaoluwa Osuntokun &amp;lt;laolu32 at gmail.com&amp;gt;:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hi tomokio,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; This is so dope! We&amp;#39;ve long discussed creating canned protocol&lt;br/&gt;&amp;gt;&amp;gt; transcripts for&lt;br/&gt;&amp;gt;&amp;gt; other implementations to assert their responses again, and I think this&lt;br/&gt;&amp;gt;&amp;gt; is a&lt;br/&gt;&amp;gt;&amp;gt; great first step towards that.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Our proposal:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Every implementation has compile option which enable output key&lt;br/&gt;&amp;gt;&amp;gt; information&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; file.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; So is this request to add an option which will write out the _plaintext_&lt;br/&gt;&amp;gt;&amp;gt; messages to disk, or an option that writes out the final derived&lt;br/&gt;&amp;gt;&amp;gt; read/write&lt;br/&gt;&amp;gt;&amp;gt; secrets to disk? For the latter path, it the tools that read these&lt;br/&gt;&amp;gt;&amp;gt; transcripts&lt;br/&gt;&amp;gt;&amp;gt; would need to be aware of key rotations, so they&amp;#39;d  be able to continue to&lt;br/&gt;&amp;gt;&amp;gt; decrypt the transact pt post rotation.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; -- Laolu&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; On Sat, Oct 27, 2018 at 2:37 AM &amp;lt;tomokio203 at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Hello lightning network developers.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Nayuta team is developing Wireshark plug-in for Lightning Network(BOLT)&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; protocol.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://github.com/nayutaco/lightning-dissector&#34;&gt;https://github.com/nayutaco/lightning-dissector&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; It’s alpha version, but it can decode some BOLT message.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Currently, this software works for Nayuta’s implementation(ptarmigan)&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; and Éclair.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; When ptarmigan is compiled with some option, it write out key&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; information file. This Wireshark plug-in decode packet using that file.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; When you use Éclair, this software parse log file.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Through our development experience, interoperability test is time&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; consuming task.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; If people can see communication log of BOLT message on same format&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; (.pcap), it will be useful for interoperability test.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Our proposal:&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Every implementation has compile option which enable output key&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; information file.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; We are glad if this project is useful for lightning network eco-system.&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181108/d7736bc9/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181108/d7736bc9/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:52:15Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9jz0syrx6ww3klqq8hjw0fgtq4ctdv39ekdn5s432tvgrm9u2fxgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxy3g0e</id>
    
      <title type="html">📅 Original date posted:2018-11-07 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9jz0syrx6ww3klqq8hjw0fgtq4ctdv39ekdn5s432tvgrm9u2fxgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxy3g0e" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsrtu55ahvssfvr7gljd36wnuywde5t6wl324m9nfxuyxy904wu95c3zlm64&#39;&gt;nevent1q…lm64&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-11-07&lt;br/&gt;📝 Original message:&lt;br/&gt;Olaoluwa Osuntokun &amp;lt;laolu32 at gmail.com&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; However personally I do not really see the need to create multiple&lt;br/&gt;&amp;gt; channels&lt;br/&gt;&amp;gt;&amp;gt; to a single peer, or increase the capacity with a specific peer (via&lt;br/&gt;&amp;gt; splice&lt;br/&gt;&amp;gt;&amp;gt; or dual-funding).  As Christian says in the other mail, this&lt;br/&gt;&amp;gt; consideration,&lt;br/&gt;&amp;gt;&amp;gt; is that it becomes less a network and more of some channels to specific&lt;br/&gt;&amp;gt; big&lt;br/&gt;&amp;gt;&amp;gt; businesses you transact with regularly.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I made no reference to any &amp;#34;big businesses&amp;#34;, only the utility that arises&lt;br/&gt;&amp;gt; when one has multiple channels to a given peer. Consider an easier example:&lt;br/&gt;&amp;gt; given the max channel size, I can only ever send 0.16 or so BTC to that&lt;br/&gt;&amp;gt; peer. If I have two channels, then I can send 0.32 and so on. Consider the&lt;br/&gt;&amp;gt; case post AMP where we maintain the current limit of the number of in flight&lt;br/&gt;&amp;gt; HTLCs. If AMP causes most HTLCs to generally be in flight within the&lt;br/&gt;&amp;gt; network, then all of a sudden, this &amp;#34;queue&amp;#34; size (outstanding HTLCS in a&lt;br/&gt;&amp;gt; commitment) becomes more scarce (assume a global MTU of say 100k sat for&lt;br/&gt;&amp;gt; simplicity). This may then promote nodes to open additional channels to&lt;br/&gt;&amp;gt; other nodes (1&#43;) in order to accommodate the increased HTLC bandwidth load&lt;br/&gt;&amp;gt; due to the sharded multi-path payments.&lt;br/&gt;&lt;br/&gt;I think I see the issue now, thanks for explaining. However I get the&lt;br/&gt;feeling that this is a rather roundabout way of increasing the&lt;br/&gt;limitations that you negotiated with your peer (max HTLC in flight, max&lt;br/&gt;channel capacity, ...), so wouldn&amp;#39;t those same limits also apply across&lt;br/&gt;all channels that you have with that peer? Isn&amp;#39;t the real solution here&lt;br/&gt;to lift those limitations?&lt;br/&gt;&lt;br/&gt;&amp;gt; Independent on bolstering the bandwidth capabilities of your links to other&lt;br/&gt;&amp;gt; nodes, you would still want to maintain a diverse set of channels for fault&lt;br/&gt;&amp;gt; tolerance, path diversity, and redundancy reasons.&lt;br/&gt;&lt;br/&gt;Absolutely agree, and it was probably my mistake for assuming that you&lt;br/&gt;would go for the one peer only approach as a direct result of increasing&lt;br/&gt;bandwidth to one peer.
    </content>
    <updated>2023-06-09T12:52:12Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqswsrjr05m83jmrm4987nxy4h6vdkkmaua6ujunlj6ezeywm3n8sjqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9whj3ujc</id>
    
      <title type="html">📅 Original date posted:2018-10-13 📝 Original message: Great ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqswsrjr05m83jmrm4987nxy4h6vdkkmaua6ujunlj6ezeywm3n8sjqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9whj3ujc" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqswqd6hljzwylwwl2dauz06t68tettpufjcmdq4uqe52gnrlqg876sly589n&#39;&gt;nevent1q…589n&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-10-13&lt;br/&gt;📝 Original message:&lt;br/&gt;Great find ZmnSCPxj, we can also have an adaptive scheme here, in which we&lt;br/&gt;start with a single update transaction, and then at ~90% of the available&lt;br/&gt;range we add a second. This is starting to look a bit like the DMC&lt;br/&gt;invalidation tree :-)&lt;br/&gt;But realistically speaking I don&amp;#39;t think 1B updates is going to be&lt;br/&gt;exhausted any time soon, but the adaptive strategy gets the best of&lt;br/&gt;both worlds.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;On Fri, Oct 12, 2018 at 5:21 AM ZmnSCPxj &amp;lt;ZmnSCPxj at protonmail.com&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Another way would be to always have two update transactions, effectively&lt;br/&gt;&amp;gt; creating a larger overall counter:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [anchor] -&amp;gt; [update highbits] -&amp;gt; [update lobits] -&amp;gt; [settlement]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; We normally update [update lobits] until it saturates.  If lobits&lt;br/&gt;&amp;gt; saturates we increment [update highbits] and reset [update lobits] to the&lt;br/&gt;&amp;gt; lowest valid value.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This will provide a single counter with 10^18 possible updates, which&lt;br/&gt;&amp;gt; should be enough for a while even without reanchoring.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Sent with ProtonMail &amp;lt;&lt;a href=&#34;https://protonmail.com&amp;gt&#34;&gt;https://protonmail.com&amp;gt&lt;/a&gt;; Secure Email.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐&lt;br/&gt;&amp;gt; On Friday, October 12, 2018 1:37 AM, Christian Decker &amp;lt;&lt;br/&gt;&amp;gt; decker.christian at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thanks Anthony for pointing this out, I was not aware we could&lt;br/&gt;&amp;gt; roll keypairs to reset the state numbers.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I basically thought that 1billion updates is more than I would&lt;br/&gt;&amp;gt; ever do, since with splice-in / splice-out operations we&amp;#39;d be&lt;br/&gt;&amp;gt; re-anchoring on-chain on a regular basis anyway.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Wed, Oct 10, 2018 at 10:25 AM Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; On Mon, Apr 30, 2018 at 05:41:38PM &#43;0200, Christian Decker wrote:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; eltoo is a drop-in replacement for the penalty based invalidation&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; mechanism that is used today in the Lightning specification. [...]&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Maybe this is obvious, but in case it&amp;#39;s not, re: the locktime-based&lt;br/&gt;&amp;gt;&amp;gt; sequencing in eltoo:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;  &amp;#34;any number above 0.500 billion is interpreted as a UNIX timestamp, and&lt;br/&gt;&amp;gt;&amp;gt;   with a current timestamp of ~1.5 billion, that leaves about 1 billion&lt;br/&gt;&amp;gt;&amp;gt;   numbers that are interpreted as being in the past&amp;#34;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; I think if you had a more than a 1B updates to your channel (50 updates&lt;br/&gt;&amp;gt;&amp;gt; per second for 4 months?) I think you could reset the locktime by rolling&lt;br/&gt;&amp;gt;&amp;gt; over to use new update keys. When unilaterally closing you&amp;#39;d need to&lt;br/&gt;&amp;gt;&amp;gt; use an extra transaction on-chain to do that roll-over, but you&amp;#39;d save&lt;br/&gt;&amp;gt;&amp;gt; a transaction if you did a cooperative close.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; ie, rather than:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;   [funding] -&amp;gt; [coop close / re-fund] -&amp;gt; [update 23M] -&amp;gt; [HTLCs etc]&lt;br/&gt;&amp;gt;&amp;gt; or&lt;br/&gt;&amp;gt;&amp;gt;   [funding] -&amp;gt; [coop close / re-fund] -&amp;gt; [coop close]&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; you could have:&lt;br/&gt;&amp;gt;&amp;gt;   [funding] -&amp;gt; [update 1B] -&amp;gt; [update 23,310,561 with key2] -&amp;gt; [HTLCs]&lt;br/&gt;&amp;gt;&amp;gt; or&lt;br/&gt;&amp;gt;&amp;gt;   [funding] -&amp;gt; [coop close]&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; You could repeat this when you get another 1B updates, making unilateral&lt;br/&gt;&amp;gt;&amp;gt; closes more painful, but keeping cooperative closes cheap.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt;&amp;gt; aj&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181013/92190e1e/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181013/92190e1e/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:51:48Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsgnqvv0cwy03k099y0ltlaht9kv4mm6jkyu7xkr7jtjazmfuatj5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrwpwad</id>
    
      <title type="html">📅 Original date posted:2018-10-11 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsgnqvv0cwy03k099y0ltlaht9kv4mm6jkyu7xkr7jtjazmfuatj5qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wrwpwad" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsvylkjmz64x9peg9ltyanx9vgujxh5n2jrvprljqvjuu09ammgtjq2nuhdl&#39;&gt;nevent1q…uhdl&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-10-11&lt;br/&gt;📝 Original message:&lt;br/&gt;Thanks Anthony for pointing this out, I was not aware we could&lt;br/&gt;roll keypairs to reset the state numbers.&lt;br/&gt;&lt;br/&gt;I basically thought that 1billion updates is more than I would&lt;br/&gt;ever do, since with splice-in / splice-out operations we&amp;#39;d be&lt;br/&gt;re-anchoring on-chain on a regular basis anyway.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;On Wed, Oct 10, 2018 at 10:25 AM Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; On Mon, Apr 30, 2018 at 05:41:38PM &#43;0200, Christian Decker wrote:&lt;br/&gt;&amp;gt; &amp;gt; eltoo is a drop-in replacement for the penalty based invalidation&lt;br/&gt;&amp;gt; &amp;gt; mechanism that is used today in the Lightning specification. [...]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Maybe this is obvious, but in case it&amp;#39;s not, re: the locktime-based&lt;br/&gt;&amp;gt; sequencing in eltoo:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;  &amp;#34;any number above 0.500 billion is interpreted as a UNIX timestamp, and&lt;br/&gt;&amp;gt;   with a current timestamp of ~1.5 billion, that leaves about 1 billion&lt;br/&gt;&amp;gt;   numbers that are interpreted as being in the past&amp;#34;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think if you had a more than a 1B updates to your channel (50 updates&lt;br/&gt;&amp;gt; per second for 4 months?) I think you could reset the locktime by rolling&lt;br/&gt;&amp;gt; over to use new update keys. When unilaterally closing you&amp;#39;d need to&lt;br/&gt;&amp;gt; use an extra transaction on-chain to do that roll-over, but you&amp;#39;d save&lt;br/&gt;&amp;gt; a transaction if you did a cooperative close.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; ie, rather than:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;   [funding] -&amp;gt; [coop close / re-fund] -&amp;gt; [update 23M] -&amp;gt; [HTLCs etc]&lt;br/&gt;&amp;gt; or&lt;br/&gt;&amp;gt;   [funding] -&amp;gt; [coop close / re-fund] -&amp;gt; [coop close]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; you could have:&lt;br/&gt;&amp;gt;   [funding] -&amp;gt; [update 1B] -&amp;gt; [update 23,310,561 with key2] -&amp;gt; [HTLCs]&lt;br/&gt;&amp;gt; or&lt;br/&gt;&amp;gt;   [funding] -&amp;gt; [coop close]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; You could repeat this when you get another 1B updates, making unilateral&lt;br/&gt;&amp;gt; closes more painful, but keeping cooperative closes cheap.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; aj&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181011/c03ad2ea/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181011/c03ad2ea/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:51:48Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9384frqhwp5qwdnuxy48yj974hdjtkaqh9n46mdem65uktyled2czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsjydzh</id>
    
      <title type="html">📅 Original date posted:2018-10-16 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9384frqhwp5qwdnuxy48yj974hdjtkaqh9n46mdem65uktyled2czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wsjydzh" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstqxurc883z4jzgrm4hs0ktjvpy2ttzx9dxdjxx4mp3q57v7vep2gex3q4j&#39;&gt;nevent1q…3q4j&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-10-16&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; One thing that I think we should lift from the multiple funding output&lt;br/&gt;&amp;gt;&amp;gt; approach is the &amp;#34;pre seating of inputs&amp;#34;. This is cool as it would allow&lt;br/&gt;&amp;gt;&amp;gt; clients to generate addresses, that others could deposit to, and then have&lt;br/&gt;&amp;gt;&amp;gt; be spliced directly into the channel. Public derivation can be used, along&lt;br/&gt;&amp;gt;&amp;gt; with a script template to do it non-interactively, with the clients picking&lt;br/&gt;&amp;gt;&amp;gt; up these deposits, and initiating a splice in as needed.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I am uncertain what this means in particular, but let me try to&lt;br/&gt;&amp;gt; restate what you are talking about in other terms:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Each channel has two public-key-derivation paths (BIP32) to create onchain addresses.  One for each side of the channel.&lt;br/&gt;&amp;gt; 2.  When somebody sends to one of the onchain addresses in the path, their client detects this.&lt;br/&gt;&amp;gt; 3.  The client initiates a splice-in automatically from this UTXO paying to that address into the channel.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It seems to me naively that the above can be done by the client&lt;br/&gt;&amp;gt; software without any modifications to the Lightning Network BOLT&lt;br/&gt;&amp;gt; protocol, as long as the BOLT protocol is capable of supporting *some*&lt;br/&gt;&amp;gt; splice-in operation, i.e. it seems to be something that a client&lt;br/&gt;&amp;gt; software can implement as a feature without requiring a BOLT change.&lt;br/&gt;&amp;gt; Or is my above restatement different from what you are talking about?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; How about this restatement?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Each channel has two public-key-derivation paths (BIP32) to create onchain addresses.  One for each side of the channel.&lt;br/&gt;&amp;gt; 2.  The base of the above is actually a combined private-public keypair of both sides (e.g. created via MuSig or some other protocol).  Thus the addresses require cooperation of both parties to spend.&lt;br/&gt;&amp;gt; 3.  When somebody sends to one of the onchain addresses in the path, their client detects this.&lt;br/&gt;&amp;gt; 4.  The client updates the current transaction state, such that the new commit transaction has two inputs ( the original channel transaction and the new UTXO).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The above seems unsafe without trust in the other peer, as, the other&lt;br/&gt;&amp;gt; peer can simply refuse to create the new commit transaction.  Since&lt;br/&gt;&amp;gt; the address requires both parties to spend, the money cannot be spent&lt;br/&gt;&amp;gt; and there is no backoff transaction that can be used.  But maybe you&lt;br/&gt;&amp;gt; can describe some mechanism to ensure this, if this is what is meant&lt;br/&gt;&amp;gt; instead?&lt;br/&gt;&lt;br/&gt;This could easily be solved by making the destination address a Taproot&lt;br/&gt;address, which by default is just a 2-of-2, but in the uncooperative&lt;br/&gt;case it can reveal the script it commits to, which is just a timelocked&lt;br/&gt;refund that requires a single-sig. The only problem with this is that&lt;br/&gt;the refund would be non-interactive, and so the entirety of the funds,&lt;br/&gt;that may be from a third-party, need to be claimed by one endpoint,&lt;br/&gt;i.e., there is no splitting the funds in case of an uncollaborative&lt;br/&gt;refund. Not sure how important that is though, since I don&amp;#39;t think&lt;br/&gt;third-party funds will come from unrelated parties, e.g., most of these&lt;br/&gt;funds will come from an on-chain wallet that is under the control of&lt;br/&gt;either parties so the refund should go back to that party anyway.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:51:47Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9a0232kfpvtel790f47yqkulm7zzwlezj3p35q5u23w7led59xeczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqt836t</id>
    
      <title type="html">📅 Original date posted:2018-10-15 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9a0232kfpvtel790f47yqkulm7zzwlezj3p35q5u23w7led59xeczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wqt836t" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsxlwtuq286u6t7azcds3rwmuwh3ec90lhqyhggsldhfy44rsua2tqns9ev7&#39;&gt;nevent1q…9ev7&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-10-15&lt;br/&gt;📝 Original message:&lt;br/&gt;Olaoluwa Osuntokun &amp;lt;laolu32 at gmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Splicing isn&amp;#39;t a substitute for allowing multiple channels. Multiple&lt;br/&gt;&amp;gt; channels allow nodes to:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;   * create distinct channels with distinct acceptance policies.&lt;br/&gt;&amp;gt;   * create a mix of public and non-advertised channels with a node.&lt;br/&gt;&amp;gt;   * be able to send more than the (current) max HTLC amount&lt;br/&gt;&amp;gt;     using various flavors of AMP.&lt;br/&gt;&amp;gt;   * get past the (current) max channel size value&lt;br/&gt;&amp;gt;   * allow a link to carry more HTLCs (due to the current super low max HTLC&lt;br/&gt;&amp;gt;     values) given the additional HTLC pressure that&lt;br/&gt;&amp;gt;     AMP may produce (alternative is a commitment fan out)&lt;br/&gt;&lt;br/&gt;While these are all good points, I think they are equally well served if&lt;br/&gt;by creating channels to other peers. This has the added benefit of&lt;br/&gt;reducing the node&amp;#39;s reliance on a single peer. In fact it seems we are&lt;br/&gt;currently encouraging users to have a small number of fat channels that&lt;br/&gt;are manually maintained (dual-funding, splicing, multiple channels per&lt;br/&gt;peer), rather than making the default to create a diverse set of&lt;br/&gt;channels that allow indirectly routed payments.&lt;br/&gt;&lt;br/&gt;Instead of obsessing about that one peer and hoping that that peer is&lt;br/&gt;online when we need it, we should make routed payments a first-class&lt;br/&gt;citizen. If we can route correctly and with confidence we can stop&lt;br/&gt;worrying about that one peer and our connectivity to it. On the other&lt;br/&gt;hand, if routing doesn&amp;#39;t work, and people have to worry about that one&lt;br/&gt;channel that connects them directly to the destination, then we&amp;#39;re not&lt;br/&gt;much of a network, but rather a set of disjoint channels.&lt;br/&gt;&lt;br/&gt;Ultimately users should stop caring about individual channels or peer&lt;br/&gt;relationships, and multipath routing gets us a long way there. I&amp;#39;d&lt;br/&gt;really like to have a wallet that&amp;#39;ll just manage channels in the&lt;br/&gt;background and not expose those details to the users which just want to&lt;br/&gt;send and receive payments, and we can start that now by de-emphasizing&lt;br/&gt;the importance of the peer selection.&lt;br/&gt;&lt;br/&gt;Regards,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:51:45Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvnz8tjn47z35c9kzvh9v5dd9u33q0qg5z0rvsqretts97ky8za9czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wp8ep9e</id>
    
      <title type="html">📅 Original date posted:2018-10-11 📝 Original message: On ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvnz8tjn47z35c9kzvh9v5dd9u33q0qg5z0rvsqretts97ky8za9czypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wp8ep9e" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2t7tf78gqr0cu2llany3duy6umkpj2cltmrnn6rs3r6q9vrr5lhcr5gev9&#39;&gt;nevent1q…gev9&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-10-11&lt;br/&gt;📝 Original message:&lt;br/&gt;On Thu, Oct 11, 2018 at 3:40 AM Rusty Russell &amp;lt;rusty at rustcorp.com.au&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; &amp;gt; * Once we have enough confirmations we merge the channels (either&lt;br/&gt;&amp;gt; &amp;gt; automatically or with the next channel update). A new commitment tx is&lt;br/&gt;&amp;gt; &amp;gt; being created which now spends each output of each of the two funding tx&lt;br/&gt;&amp;gt; &amp;gt; and assigns the channel balance to the channel partners accordingly to&lt;br/&gt;&amp;gt; the&lt;br/&gt;&amp;gt; &amp;gt; two independent channels. The old commitment txs are being invalidated.&lt;br/&gt;&amp;gt; &amp;gt; * The disadvantage is that while splicing is not completed and if the&lt;br/&gt;&amp;gt; &amp;gt; funder of the splicing tx is trying to publish an old commitment tx the&lt;br/&gt;&amp;gt; &amp;gt; node will only be punished by sending all the funds of the first funding&lt;br/&gt;&amp;gt; tx&lt;br/&gt;&amp;gt; &amp;gt; to the partner as the special commitment tx of the 2nd output has no&lt;br/&gt;&amp;gt; newer&lt;br/&gt;&amp;gt; &amp;gt; state yet.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Yes, this is the alternative method; produce a parallel funding tx&lt;br/&gt;&amp;gt; (which only needs to support a single revocation, or could even be done&lt;br/&gt;&amp;gt; by a long timeout) and then join them when it reaches the agreed depth.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It has some elegance; particularly because one side doesn&amp;#39;t have to do&lt;br/&gt;&amp;gt; any validation or store anything until it&amp;#39;s about to splice in.  You get&lt;br/&gt;&amp;gt; asked for a key and signature, you produce a new one, and sign whatever&lt;br/&gt;&amp;gt; tx they want.  They hand you back the tx and the key you used once it&amp;#39;s&lt;br/&gt;&amp;gt; buried far enough, and you check the tx is indeed buried and the output&lt;br/&gt;&amp;gt; is the script you&amp;#39;re expecting, then you flip the commitment tx.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But I chose chose not to do this because every transaction commitment&lt;br/&gt;&amp;gt; forever will require 2 signatures, and doesn&amp;#39;t allow us to forget old&lt;br/&gt;&amp;gt; revocation information.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; And it has some strange side-effects: onchain this looks like two&lt;br/&gt;&amp;gt; channels; do we gossip about both?  We have to figure the limit on&lt;br/&gt;&amp;gt; splice-in to make sure the commitment tx stays under 400kSipa.&lt;br/&gt;&amp;gt;&lt;br/&gt;&lt;br/&gt;This is a lot closer to my original proposal for splicing, and I&lt;br/&gt;still like it a lot more since the transition from old to new&lt;br/&gt;channel is bascially atomic (not having to update state on both&lt;br/&gt;pre-splice and post-splice version). The new funds will remain&lt;br/&gt;unavailable for the same time, and since we allow only one&lt;br/&gt;concurrent splice in your proposal we don&amp;#39;t even lose any&lt;br/&gt;additional time regarding the splice-outs.&lt;br/&gt;&lt;br/&gt;So pulling the splice_add_input and splice_add_output up to&lt;br/&gt;signal the intent of adding funds to a splice. Splice_all_added&lt;br/&gt;is then used to start moving the funds to a pre-allocated 2-of-2&lt;br/&gt;output where the funds can mature. Once the funds are&lt;br/&gt;matured (e.g., 6 confirmations) we can start the transition: both&lt;br/&gt;parties claim the funding output, and the pre-allocated funds, to&lt;br/&gt;create a new funding tx which is immediately broadcast, and we&lt;br/&gt;flip over to the new channel state. No need to keep parallel&lt;br/&gt;state and then disambiguating which one it was.&lt;br/&gt;&lt;br/&gt;The downsides of this is that we now have 2 on-chain&lt;br/&gt;transactions (pre-allocation and re-open), and splice-outs are no&lt;br/&gt;longer immediate if we have a splice-in in the changeset as well.&lt;br/&gt;The latter can be remediatet with one more reanchor that just&lt;br/&gt;considers splice-ins that were proposed.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; I believe splicing out is even safer:&lt;br/&gt;&amp;gt; &amp;gt; * One just creates a spent of the funding tx which has two outputs. One&lt;br/&gt;&amp;gt; &amp;gt; output goes to the recipient of the splice out operation and the second&lt;br/&gt;&amp;gt; &amp;gt; output acts as a new funding transaction for the newly spliced channel.&lt;br/&gt;&amp;gt; &amp;gt; Once signatures for the new commitment transaction are exchanged&lt;br/&gt;&amp;gt; (basically&lt;br/&gt;&amp;gt; &amp;gt; following the protocol to open a channel) the splicing operation can be&lt;br/&gt;&amp;gt; &amp;gt; broadcasted.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; * The old channel MUST NOT be used anymore but the new channel can be&lt;br/&gt;&amp;gt; &amp;gt; operational right away without blockchain confirmation. In case someone&lt;br/&gt;&amp;gt; &amp;gt; tries to publish an old state of the old channel it will be a double&lt;br/&gt;&amp;gt; spent&lt;br/&gt;&amp;gt; &amp;gt; of the splicing operation and in the worst case will be punished and the&lt;br/&gt;&amp;gt; &amp;gt; splicing was not successful.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt;  if one publishes an old state of the new&lt;br/&gt;&amp;gt; &amp;gt; channel everything will just work as normal even if the funding tx is not&lt;br/&gt;&amp;gt; &amp;gt; yet mined. It could only be replaced with an old state of the previous&lt;br/&gt;&amp;gt; &amp;gt; channel (which as we saw is not a larger risk than the usual operation&lt;br/&gt;&amp;gt; of a&lt;br/&gt;&amp;gt; &amp;gt; lightning node)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Right, you&amp;#39;re relying on CPFP pushing through the splice-out tx if it&lt;br/&gt;&amp;gt; gets stuck.  This requires that we check carefully for standardness and&lt;br/&gt;&amp;gt; other constraints which might prevent this; for example, we can&amp;#39;t allow&lt;br/&gt;&amp;gt; more than 20 (?) of these in a row without being sufficiently buried&lt;br/&gt;&amp;gt; since I think that&amp;#39;s where CPFP calculations top out.&lt;br/&gt;&amp;gt;&lt;br/&gt;&lt;br/&gt;We shouldn&amp;#39;t allow more than one pending splice operation anyway, as&lt;br/&gt;stated in your proposal initially. We are already critically reliant on our&lt;br/&gt;transaction being confirmed on-chain, so I don&amp;#39;t see this as much of an&lt;br/&gt;added issue.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&amp;gt; &amp;gt; As mentioned maybe you had this workflow already in your mind but I don&amp;#39;t&lt;br/&gt;&amp;gt; &amp;gt; see why we need to send around all the messages twice with my workflow.&lt;br/&gt;&amp;gt; We&lt;br/&gt;&amp;gt; &amp;gt; only need to maintain double state but only until it is fair / safe to do&lt;br/&gt;&amp;gt; &amp;gt; so. I would also believe that with my approach it should be possible (but&lt;br/&gt;&amp;gt; &amp;gt; not really necessary) to have multiple splicing operations in parallel.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The extra sigs are only needed in transition, though; once splicing is&lt;br/&gt;&amp;gt; over the channel looks exactly like a newly created one, which is nice.&lt;br/&gt;&amp;gt;&lt;br/&gt;&lt;br/&gt;I&amp;#39;m less worried about the bandwidth overhead, rather the&lt;br/&gt;parallel state updates are error prone and there might be&lt;br/&gt;corner-cases that we simply don&amp;#39;t see right now. Having parallel&lt;br/&gt;state-updates just for the sake of saving some on-chain&lt;br/&gt;fees (fees that we&amp;#39;d spend in purely on-chain cases anyway) has a&lt;br/&gt;direct impact on the channel state machine.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&amp;gt; &amp;gt; One other question: What happens to the short_channel_id of a channel to&lt;br/&gt;&amp;gt; &amp;gt; which founds have been spliced in?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In the parallel splice world, they look like two channels.  In my&lt;br/&gt;&amp;gt; proposal it looks like a new channel, with a channel_update to make sure&lt;br/&gt;&amp;gt; modern nodes know that the transition is happening.&lt;br/&gt;&amp;gt;&lt;br/&gt;&lt;br/&gt;With the pre-allocation the final effect is the same, we&amp;#39;ve just&lt;br/&gt;pulled some of the waiting time above the re-anchoring and added&lt;br/&gt;one more TX.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;This is one of the cases where a simpler solution (relatively&lt;br/&gt;speaking ^^) is to be preferred imho, allowing for future&lt;br/&gt;iterations.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181011/f7fa9632/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181011/f7fa9632/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:51:37Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsfmh4emh4y3wzcghf37vc6uglph4n7h0mjqre2nes349chxd2zgwczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wupkn8r</id>
    
      <title type="html">📅 Original date posted:2018-09-20 📝 Original message: That ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsfmh4emh4y3wzcghf37vc6uglph4n7h0mjqre2nes349chxd2zgwczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wupkn8r" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsffs93u67u3pv69m99jxrtg5jhy47vv47kalder4jmemgpmkdupccc8clt2&#39;&gt;nevent1q…clt2&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-09-20&lt;br/&gt;📝 Original message:&lt;br/&gt;That might not be so desirable, since it leaks the current channel&lt;br/&gt;capacity to the user. Depending on how fine grained the amount in the&lt;br/&gt;invoice is and how the user can control it, he could do a binary search&lt;br/&gt;over capacities and very reliably tell how much capacity you have and&lt;br/&gt;track it over time. That is still the case for a single channel, but if&lt;br/&gt;you always chose the same channel it reduces how much info is leaked.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Johan Torås Halseth &amp;lt;johanth at gmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Any reason not to include _all_ (up to a limit) incoming channels with&lt;br/&gt;&amp;gt; sufficient capacity?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt; Johan&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Thu, Sep 20, 2018 at 4:12 AM Rusty Russell &amp;lt;rusty at blockstream.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Hi all,&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;         I&amp;#39;m considering a change to c-lightning, where `invoice` would&lt;br/&gt;&amp;gt;&amp;gt; automatically append an &amp;#39;r&amp;#39; field for a channel which has sufficient&lt;br/&gt;&amp;gt;&amp;gt; *incoming* capacity for the amount (using a weighted probability across&lt;br/&gt;&amp;gt;&amp;gt; our peers).&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt;          This isn&amp;#39;t quite what &amp;#39;r&amp;#39; was for, but it would be a useful&lt;br/&gt;&amp;gt;&amp;gt; hint for payment routing and also potentially for establishing an&lt;br/&gt;&amp;gt;&amp;gt; initial channel.  This is an issue for the Blockstream Store which&lt;br/&gt;&amp;gt;&amp;gt; deliberately doesn&amp;#39;t advertize an address any more to avoid&lt;br/&gt;&amp;gt;&amp;gt; centralization.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Thoughts welcome!&lt;br/&gt;&amp;gt;&amp;gt; Rusty.&lt;br/&gt;&amp;gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:31Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsxpxfshurz54r8ngw68vqwc3xctc7jjvkjen8q2cdll3l8gct4dcgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6w4kyt</id>
    
      <title type="html">📅 Original date posted:2018-08-27 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsxpxfshurz54r8ngw68vqwc3xctc7jjvkjen8q2cdll3l8gct4dcgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w6w4kyt" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsw5ppwgc34ld0xnq3f4ppk8aq9zxf58yd4uwgzn75hy4mlvva2ergmpeq3d&#39;&gt;nevent1q…eq3d&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-08-27&lt;br/&gt;📝 Original message:&lt;br/&gt;Corné Plooy via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt;&amp;gt; Aside from that, spontaneous payments is amongst the most request feature&lt;br/&gt;&amp;gt;&amp;gt; request I get from users and developers.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; A while ago I realized that spontaneous payments (without proof of&lt;br/&gt;&amp;gt; payment, mostly for donations only) can be realized quite easily if the&lt;br/&gt;&amp;gt; payer generates the preimage and hash, and includes the preimage in the&lt;br/&gt;&amp;gt; sphinx message to the payee node. If the payee node recognizes the&lt;br/&gt;&amp;gt; sphinx message format, it can use the preimage to claim the payment.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; CJP&lt;br/&gt;&lt;br/&gt;You mean like we describe in the Brainstorming wiki [1]? We definitely&lt;br/&gt;need to make the Wiki more prominent :-)&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/lightningnetwork/lightning-rfc/wiki/Brainstorming#passing-a-transfer-secret-in-the-onion&#34;&gt;https://github.com/lightningnetwork/lightning-rfc/wiki/Brainstorming#passing-a-transfer-secret-in-the-onion&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:23Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsyz3dmhgplhxdexa6v7n23mzmhvm2j0egescf47wfk9ydwzfp9jqqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wt0u46k</id>
    
      <title type="html">📅 Original date posted:2018-08-30 📝 Original message: Just ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsyz3dmhgplhxdexa6v7n23mzmhvm2j0egescf47wfk9ydwzfp9jqqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wt0u46k" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsqg40h6c9jtke9delwfvk26hk2a4jcp8ntx7ldm9e2t54sfuwxy9s6kh7n9&#39;&gt;nevent1q…h7n9&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-08-30&lt;br/&gt;📝 Original message:&lt;br/&gt;Just a quick followup on this: yes, I am indeed a member of the W3C Web&lt;br/&gt;Payments Working Group, though not a very active one. I am following the&lt;br/&gt;discussion as best I can, and try to figure out what changes and special&lt;br/&gt;considerations, if any, are needed for both Bitcoin and Lightning to&lt;br/&gt;work correctly, when the spec is finalized and deployed.&lt;br/&gt;&lt;br/&gt;As it stands today the spec should be Bitcoin and Lightning compatible,&lt;br/&gt;with the following considerations:&lt;br/&gt;&lt;br/&gt; - A special Payment Method ID [1] must be assigned to Bitcoin and&lt;br/&gt;   Lightning since we cannot rely on a centralized URL to act as a&lt;br/&gt;   payment method for these decentralized networks. Currently only the&lt;br/&gt;   `basic-card` identifier has been assigned, but we can apply for one&lt;br/&gt;   eventually;&lt;br/&gt; - As far as I see a local handler can be specified as Payment Handler&lt;br/&gt;   [2] allowing us to have a Bitcoin or Lightning daemon running locally&lt;br/&gt;   that is invoked for payment requests;&lt;br/&gt; - The Payment Request API [3] even mentions XBT as a supported&lt;br/&gt;   currency, in addition to ISO4217 codes, so if a vendor publishes a&lt;br/&gt;   Bitcoin amount and a matching Payment Method, we should be able to&lt;br/&gt;   perform the payment;&lt;br/&gt; - Since we require special handling for Bitcoin and Lightning&lt;br/&gt;   w.r.t. the Payment Method, the Payment Method Manifest [4] doesn&amp;#39;t&lt;br/&gt;   apply to us.&lt;br/&gt;&lt;br/&gt;So all in all, we should be able to get Bitcoin and Lightning working&lt;br/&gt;with the spec without any major roadblocks. Notice that this is based&lt;br/&gt;solely on my current understanding of the spec, and I&amp;#39;d love for others&lt;br/&gt;to chime in and point out anything that I might have missed.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://www.w3.org/TR/payment-method-id/&#34;&gt;https://www.w3.org/TR/payment-method-id/&lt;/a&gt;&lt;br/&gt;[2] &lt;a href=&#34;https://www.w3.org/TR/payment-handler/&#34;&gt;https://www.w3.org/TR/payment-handler/&lt;/a&gt;&lt;br/&gt;[3] &lt;a href=&#34;https://www.w3.org/TR/payment-request/&#34;&gt;https://www.w3.org/TR/payment-request/&lt;/a&gt;&lt;br/&gt;[4] &lt;a href=&#34;https://www.w3.org/TR/payment-method-manifest/&#34;&gt;https://www.w3.org/TR/payment-method-manifest/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;René Pickhardt via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Hey lightning devs,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I was wondering if any of the companies here are members of W3C  and if&lt;br/&gt;&amp;gt; anyone here could be member of the W3C Web Payments Working Group (c.f.:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://www.w3.org/Payments/WG/&#34;&gt;https://www.w3.org/Payments/WG/&lt;/a&gt; )? According to this mail&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-March.txt&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-March.txt&lt;/a&gt;&lt;br/&gt;&amp;gt; Christian Decker is a member. Which I think would be awesome!&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; They have just released their candidate recommendation for a payment API&lt;br/&gt;&amp;gt; at: &lt;a href=&#34;https://www.w3.org/TR/payment-request/&#34;&gt;https://www.w3.org/TR/payment-request/&lt;/a&gt; According to their site the&lt;br/&gt;&amp;gt; proposed recommendation will be published not earlier than October 31st&lt;br/&gt;&amp;gt; 2018. They are currently looking for feedback in their github repository&lt;br/&gt;&amp;gt; at: &lt;a href=&#34;https://github.com/w3c/payment-request/&#34;&gt;https://github.com/w3c/payment-request/&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I can see that they have bitcoin somewhat on their mind. But I guess it&lt;br/&gt;&amp;gt; would be even cooler if we could make sure that lightning payments will&lt;br/&gt;&amp;gt; also be compatible with their recommendation.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Christian - if you really are a member -  could you give us an update on&lt;br/&gt;&amp;gt; that work? How relevant is it for us?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; best Rene&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; -- &lt;br/&gt;&amp;gt; &lt;a href=&#34;https://www.rene-pickhardt.de&#34;&gt;https://www.rene-pickhardt.de&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Skype: rene.pickhardt&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; mobile: &#43;49 (0)176 5762 3618&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:22Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsylpnq4q8na2lj5cd6xj560lcsx9dr4rhavylmvv9pngdq4aa5u9qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpwhru9</id>
    
      <title type="html">📅 Original date posted:2018-08-01 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsylpnq4q8na2lj5cd6xj560lcsx9dr4rhavylmvv9pngdq4aa5u9qzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpwhru9" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqszy3kmf5p6m353gadtfphk72dltf3u94sce47tecqyu6agsvljpuqfa5zuy&#39;&gt;nevent1q…5zuy&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-08-01&lt;br/&gt;📝 Original message:&lt;br/&gt;Thanks for the excellent writeup ZmnSCPxj, I just have a minor issue&lt;br/&gt;with your characterization that LN-penalty is to be preferred.&lt;br/&gt;&lt;br/&gt;My issue is with the fact that CLTV-branches and nLocktimed spending&lt;br/&gt;transactions also need to be guarded with a further `OP_CSV` condition,&lt;br/&gt;since they may leak on-chain, and be immediately valid. This is the&lt;br/&gt;reason why we introduced the two stage HTLC resolution, with the first&lt;br/&gt;stage acting as the `OP_CSV` guard, and keeping the second stage clean.&lt;br/&gt;&lt;br/&gt;I think therefore the construction of the contract ought to be this:&lt;br/&gt;&lt;br/&gt;[/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt; [signA signB, (revoke) || (CSV &amp;amp;&amp;amp; A &amp;amp;&amp;amp; B &amp;amp;&amp;amp; C)] -&amp;gt; [signA signB witnessCbyA, revoke || A] /* held by A */&lt;br/&gt;[/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt; [signA signB, (revoke) || (CSV &amp;amp;&amp;amp; A &amp;amp;&amp;amp; B &amp;amp;&amp;amp; C)] -&amp;gt; [signA signB witnessCbyB, revoke || B] /* held by B */&lt;br/&gt;&lt;br/&gt;Namely the CSV belongs in the output script, not the input script (which&lt;br/&gt;is under the control of the spending party). Notice that I might have&lt;br/&gt;misgroked your syntax :-) If C now contains a CLTV-branch whose timeout&lt;br/&gt;expires before we attempt the on-chain mediation, suddenly both branches&lt;br/&gt;become valid and we have a race.&lt;br/&gt;&lt;br/&gt;Take this for example:&lt;br/&gt;&lt;br/&gt;```&lt;br/&gt;OP_IF&lt;br/&gt;  x OP_CLTV&lt;br/&gt;  &amp;lt;checksigs&amp;gt;&lt;br/&gt;OP_ELSE&lt;br/&gt;  &amp;lt;checksigs&amp;gt;&lt;br/&gt;OP_END&lt;br/&gt;```&lt;br/&gt;&lt;br/&gt;If we wait until block x was found, we attempt to cheat by publishing&lt;br/&gt;this state, and suddenly both prepared reaction transactions are valid,&lt;br/&gt;resulting in a race. This is simply due to the fact that transactions&lt;br/&gt;can leak. To fix this we&amp;#39;d have to encumber the OP_IF branch with an&lt;br/&gt;additional CSV. So it&amp;#39;s not really like we can just add an OR-clause to&lt;br/&gt;an arbitrary contract and we&amp;#39;re safe, we actually have to weave it into&lt;br/&gt;the logic, or create a second stage that just disambiguates the cheat&lt;br/&gt;and the non-cheat unilateral case.&lt;br/&gt;&lt;br/&gt;With eltoo this sort of weaving falls away, since we guarantee that the&lt;br/&gt;old state can never leak on-chain. If we squint at it we can see that&lt;br/&gt;we have effectively pushed down the second stage into the on-chain state&lt;br/&gt;resolution, allowing us to keep the contracts clean.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Recently, somebody on the IRC channel, asked regarding smart contracts&lt;br/&gt;&amp;gt; being transported via LN.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Indeed, this is theoretically possible, provided the &amp;#34;smart contract&amp;#34;&lt;br/&gt;&amp;gt; is implementable as a Bitcoin SCRIPT.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Afterwards, I opined that, for transportation of *arbitrary*&lt;br/&gt;&amp;gt; contracts, Poon-Dryja is superior to either Decker-Wattenhofer or&lt;br/&gt;&amp;gt; Decker-Osuntokun-Russell.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So, first, my other opinions:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  The only smart contract you really want to transport is HTLC (or&lt;br/&gt;&amp;gt; equivalent in scriptless script).  There really is no point in&lt;br/&gt;&amp;gt; transporting any other contract on LN.  HTLCs can even be used to&lt;br/&gt;&amp;gt; implement (nontransferable) swap options, and can be composed (at the&lt;br/&gt;&amp;gt; cost of increasing CLTV limits on backoff) to create multi-step swaps.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 2.  Decker-Osuntokun-Russell &amp;#34;eltoo&amp;#34; is far superior to Poon-Dryja&lt;br/&gt;&amp;gt; &amp;#34;LN-penalty&amp;#34; in everything else, except transportation of *arbitrary*&lt;br/&gt;&amp;gt; contracts.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now, ultimately any Bitcoin SCRIPT may be expressed as a Boolean&lt;br/&gt;&amp;gt; computation whether or not the contract has been fulfilled by the&lt;br/&gt;&amp;gt; transaction that attempts to claim it.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So I introduce, an arbitrary contract C, ostensibly to be transported&lt;br/&gt;&amp;gt; over LN.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; And I introduce our transactions, as so: [scriptSig, redeemScript] -&amp;gt;&lt;br/&gt;&amp;gt; redeeming transaction&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; To transport C over a channel between nodes A and B, under Poon-Dryja,&lt;br/&gt;&amp;gt; we first have a channel anchoring transaction onchain:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now suppose the entire output is to be put into a contract C. Under&lt;br/&gt;&amp;gt; Poon-Dryja, we create the below symmetrical series of transactions,&lt;br/&gt;&amp;gt; with only the anchoring transaction existing onchain:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt; [signA signB, (revoke) || (A &amp;amp;&amp;amp; B &amp;amp;&amp;amp; C)] -&amp;gt;&lt;br/&gt;&amp;gt; [signA signB witnessCbyA, revoke || (A &amp;amp;&amp;amp; CSV)] /* held by A */&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt; [signA signB, (revoke) || (A &amp;amp;&amp;amp; B &amp;amp;&amp;amp; C)] -&amp;gt;&lt;br/&gt;&amp;gt; [signA signB witnessCbyB, revoke || (B &amp;amp;&amp;amp; CSV)] /* held by B */&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Where (revoke) is the revocation key, whose derivation requires both A&lt;br/&gt;&amp;gt; and B, and whose half is kept secret by the A (resp. B) until they&lt;br/&gt;&amp;gt; both agree to revoke the old state.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Of note is that the only additional condition added to C is (A &amp;amp;&amp;amp; B),&lt;br/&gt;&amp;gt; which makes sense since the contract is between nodes A and B (and&lt;br/&gt;&amp;gt; which would be implicitly required by the funding transaction anyway).&lt;br/&gt;&amp;gt; The (revoke) || does not affect the enforcement of C if the revocation&lt;br/&gt;&amp;gt; key is not yet revealed; once the revocation key is revealed, that&lt;br/&gt;&amp;gt; revokes the entire sequence of transactions (which is why (revoke) ||&lt;br/&gt;&amp;gt; appears in both the second and third transactions above).  In&lt;br/&gt;&amp;gt; particular, the CSV-encumberance does not affect claiming of C; it&lt;br/&gt;&amp;gt; encumbers the claiming of the money, but does not interact with C&lt;br/&gt;&amp;gt; itself.  Thus, any CLTV conditions in C will not be interefered with&lt;br/&gt;&amp;gt; by the CSV-encumberance on the *next* transaction.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Note also that only signA and signB for the final transaction needs to&lt;br/&gt;&amp;gt; be shared; the witnessC can presumably be fulfilled by each side&lt;br/&gt;&amp;gt; themselves automatically.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On the other hand, under Decker-Osuntokun-Russell eltoo, the&lt;br/&gt;&amp;gt; transaction series is:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; [/*arbitrary*/, A &amp;amp;&amp;amp; B] -&amp;gt; [signA signB, (CSV &amp;amp;&amp;amp; A &amp;amp;&amp;amp; B) || (CLTV &amp;amp;&amp;amp; A&lt;br/&gt;&amp;gt; &amp;amp;&amp;amp; B)] -&amp;gt; [nSequence signA signB, C]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now the above is massively simpler with no additional SCRIPT that&lt;br/&gt;&amp;gt; needs to be written, around the transported contract C --- but the CSV&lt;br/&gt;&amp;gt; in the second transaction, is now potentially interfering with the&lt;br/&gt;&amp;gt; operation of the contract C, as the final transaction cannot be&lt;br/&gt;&amp;gt; enforced onchain until the CSV has been satisfied.  This is in&lt;br/&gt;&amp;gt; contrast with the Poon-Dryja case, where the contract C appears&lt;br/&gt;&amp;gt; immediately on the second transaction in the sequence, and can be&lt;br/&gt;&amp;gt; enforced, as soon as it appears onchain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; (In eltoo, the (CTLV &amp;amp;&amp;amp; A &amp;amp;&amp;amp; B) branch of the intermediate contract is&lt;br/&gt;&amp;gt; the &amp;#34;update&amp;#34; path, and the CLTV required is always a past Unix Epoch&lt;br/&gt;&amp;gt; time, so this CLTV cannot interfere with the contract C).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The above consideration, is why I suppose that, *for arbitrary&lt;br/&gt;&amp;gt; contracts*, Poon-Dryja is superior.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Simply, the conclusion is that Decker-Osuntokun-Russell channels&lt;br/&gt;&amp;gt; require a CSV that may interfere with the contract C if C is&lt;br/&gt;&amp;gt; time-sensitive (i.e. has a CLTV or CSV itself), whereas Poon-Dryja&lt;br/&gt;&amp;gt; requires CSV only for revocability, and the CSV cannot prevent the&lt;br/&gt;&amp;gt; enforcement of time-sensitive C.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Indeed, as I pointed out, even when transporting HTLCs,&lt;br/&gt;&amp;gt; Decker-Osuntokun-Russell will require consideration of the CSV on top&lt;br/&gt;&amp;gt; of the CLTV-deltas imposed by intermediary nodes, with weights&lt;br/&gt;&amp;gt; complicated by the fact that CLTV-deltas are summed together but the&lt;br/&gt;&amp;gt; highest CSV is added to the CLTV total, which does not mix well with&lt;br/&gt;&amp;gt; typical route-finding algorithms (most of which assume a simple&lt;br/&gt;&amp;gt; summing of costs, which CLTV-deltas use but CSVs on&lt;br/&gt;&amp;gt; Decker-Osuntokun-Russell do not since highest is used).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In almost all other ways, Poon-Dryja is inferior:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; 1.  Does not use nLockTime in a sufficiently clever way.  2.&lt;br/&gt;&amp;gt; Dangerous &amp;#34;toxic waste&amp;#34; (old revoked transactions) which (1) you&lt;br/&gt;&amp;gt; should not recover from your backups and (2) you should not let your&lt;br/&gt;&amp;gt; worst enemy find, because they can publish those onchain and make you&lt;br/&gt;&amp;gt; LOSE MONEY.  3.  Symmetrical chains of transactions, different for&lt;br/&gt;&amp;gt; both parties, instead of a single chain.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In addition, arbitrary contracts are not really particularly useful.&lt;br/&gt;&amp;gt; HTLCs seem to me an important building block for digital value&lt;br/&gt;&amp;gt; transfers, and they (and their equivalents under scriptless) are&lt;br/&gt;&amp;gt; sufficient for most practical transfers.  Thus, moving forward,&lt;br/&gt;&amp;gt; Decker-Osuntokun-Russell remains a superior technology over&lt;br/&gt;&amp;gt; Poon-Dryja.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards, ZmnSCPxj _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:18Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsx4t8v2ggdlurmnm2fde0ywcwywqqmhqur484mrkcp8lklvtpw8wgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjllsx5</id>
    
      <title type="html">📅 Original date posted:2018-07-29 📝 Original message: Hi ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsx4t8v2ggdlurmnm2fde0ywcwywqqmhqur484mrkcp8lklvtpw8wgzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wjllsx5" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstaxka3ftt0e2507amt66vyqpf0zw3kdkv630n39tsrugfnv2zq9qzrt597&#39;&gt;nevent1q…t597&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-07-29&lt;br/&gt;📝 Original message:&lt;br/&gt;Hi Alex,&lt;br/&gt;&lt;br/&gt;could you elaborate what you mean by measuring lightning nodes? For&lt;br/&gt;example are you interested in the network topology, or monitoring a&lt;br/&gt;single node?  Or maybe you are interested in the successrate of payments&lt;br/&gt;performed on the network? There are a lot of things one can&lt;br/&gt;monitor/measure :-)&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;Alex Evanovic &amp;lt;alex.evanovic.151 at gmail.com&amp;gt; writes:&lt;br/&gt;&amp;gt; Hi all,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Hope you are well.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Can you please suggest how can I measure lightning nodes, in its current&lt;br/&gt;&amp;gt; state?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Best,&lt;br/&gt;&amp;gt; Alex&lt;br/&gt;&amp;gt; ᐧ&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:16Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsdldrvf4y6gmy5cjn3r30amk9tgk7pa93qhjtltdnaznhp8lvn8yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn3qra4</id>
    
      <title type="html">📅 Original date posted:2018-07-29 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsdldrvf4y6gmy5cjn3r30amk9tgk7pa93qhjtltdnaznhp8lvn8yszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wn3qra4" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsxxkwed08eqt0nn82fxuk4hzedyjr5a4hwwmvfzj0dzy0vnd9u5cqjkkaxq&#39;&gt;nevent1q…kaxq&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-07-29&lt;br/&gt;📝 Original message:&lt;br/&gt;Robert Olsson &amp;lt;robban at robtex.com&amp;gt; writes:&lt;br/&gt;&amp;gt; I think however it would be much better and flexible to append a max to&lt;br/&gt;&amp;gt; channel_update. We already have htlc_minimum_msat there and could add&lt;br/&gt;&amp;gt; htlc_maximum_msat to show capacity (minus fees)&lt;br/&gt;&amp;gt; Like this:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    1. type: 258 (channel_update)&lt;br/&gt;&amp;gt;    2. data:&lt;br/&gt;&amp;gt;       - [64:signature]&lt;br/&gt;&amp;gt;       - [32:chain_hash]&lt;br/&gt;&amp;gt;       - [8:short_channel_id]&lt;br/&gt;&amp;gt;       - [4:timestamp]&lt;br/&gt;&amp;gt;       - [2:flags]&lt;br/&gt;&amp;gt;       - [2:cltv_expiry_delta]&lt;br/&gt;&amp;gt;       - [8:htlc_minimum_msat]&lt;br/&gt;&amp;gt;       - [4:fee_base_msat]&lt;br/&gt;&amp;gt;       - [4:fee_proportional_millionths]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;       - [8:htlc_maximum_msat]&lt;br/&gt;&lt;br/&gt;This isn&amp;#39;t about maximum HTLC value, rather Артём is talking about&lt;br/&gt;adding the total channel capacity to the channel_announcement. That is a&lt;br/&gt;perfectly reasonable idea, as it allows us to safe an on-chain lookup&lt;br/&gt;(incidentally that is the main reason we started tracking an internal&lt;br/&gt;UTXO set so we can stop asking bitcoind for full blocks just to check a&lt;br/&gt;channel&amp;#39;s capacity).&lt;br/&gt;&lt;br/&gt;The channel&amp;#39;s capacity is also fixed for the existence of that channel&lt;br/&gt;(splice-in and splice-out will result in new short channel IDs), so the&lt;br/&gt;announcement is exactly the right place to put this.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:51:15Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs8c54qr3wntxszv76r7skhpv7dcs25mghlmpm0djg9820hpc60cnczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4hqd95</id>
    
      <title type="html">📅 Original date posted:2018-07-29 📝 Original message: They ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs8c54qr3wntxszv76r7skhpv7dcs25mghlmpm0djg9820hpc60cnczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w4hqd95" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstmv4fjt04e8yyc8663snchyl64lq2k8hd6g3m85vgzy578hgxdmgktdnxa&#39;&gt;nevent1q…dnxa&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-07-29&lt;br/&gt;📝 Original message:&lt;br/&gt;They are orthogonal, I agree, but we should judge their merits&lt;br/&gt;independently, and not batch the discussions out of convenience.&lt;br/&gt;In the case of the htlc_maximum_msat I think it will not be&lt;br/&gt;controversial, but it should get its own proposal and discussion.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;On Sun, Jul 29, 2018 at 4:17 PM Robert Olsson &amp;lt;robban at robtex.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Christian,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Ok, it definitely makes sense to include the exact fixed capacity in channel_announcement for the reason you mentioned, and more.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However, can we do both while we are at it? The ideas are not mutually exclusive, and for successful routing, i think the channel_update-approach is much more of a boost.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; Robert&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Sun, Jul 29, 2018 at 4:59 PM, Christian Decker &amp;lt;decker.christian at gmail.com&amp;gt; wrote:&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Robert Olsson &amp;lt;robban at robtex.com&amp;gt; writes:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; I think however it would be much better and flexible to append a max to&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; channel_update. We already have htlc_minimum_msat there and could add&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; htlc_maximum_msat to show capacity (minus fees)&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; Like this:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;    1. type: 258 (channel_update)&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;    2. data:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [64:signature]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [32:chain_hash]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [8:short_channel_id]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [4:timestamp]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [2:flags]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [2:cltv_expiry_delta]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [8:htlc_minimum_msat]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [4:fee_base_msat]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [4:fee_proportional_millionths]&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt;       - [8:htlc_maximum_msat]&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; This isn&amp;#39;t about maximum HTLC value, rather Артём is talking about&lt;br/&gt;&amp;gt;&amp;gt; adding the total channel capacity to the channel_announcement. That is a&lt;br/&gt;&amp;gt;&amp;gt; perfectly reasonable idea, as it allows us to safe an on-chain lookup&lt;br/&gt;&amp;gt;&amp;gt; (incidentally that is the main reason we started tracking an internal&lt;br/&gt;&amp;gt;&amp;gt; UTXO set so we can stop asking bitcoind for full blocks just to check a&lt;br/&gt;&amp;gt;&amp;gt; channel&amp;#39;s capacity).&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; The channel&amp;#39;s capacity is also fixed for the existence of that channel&lt;br/&gt;&amp;gt;&amp;gt; (splice-in and splice-out will result in new short channel IDs), so the&lt;br/&gt;&amp;gt;&amp;gt; announcement is exactly the right place to put this.&lt;br/&gt;&amp;gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; Cheers,&lt;br/&gt;&amp;gt;&amp;gt; Christian&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; Lightning-dev mailing list&lt;br/&gt;&amp;gt; Lightning-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:51:15Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsv807ay8pe2mahrpqzt4yd9frrwnecavlsrlfn7fzer03hmhk83hszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2rakj0</id>
    
      <title type="html">📅 Original date posted:2018-07-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsv807ay8pe2mahrpqzt4yd9frrwnecavlsrlfn7fzer03hmhk83hszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9w2rakj0" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsz7d3m8tlwd6l2n0v0qh9g4lfvuxyrelx4nggrsw9cr7st2jhe7ngndfm4q&#39;&gt;nevent1q…fm4q&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-07-03&lt;br/&gt;📝 Original message:&lt;br/&gt;Gregory Maxwell &amp;lt;greg at xiph.org&amp;gt; writes:&lt;br/&gt;&amp;gt; I know it seems kind of silly, but I think it&amp;#39;s somewhat important&lt;br/&gt;&amp;gt; that the formal name of this flag is something like&lt;br/&gt;&amp;gt; &amp;#34;SIGHASH_REPLAY_VULNERABLE&amp;#34; or likewise or at least&lt;br/&gt;&amp;gt; &amp;#34;SIGHASH_WEAK_REPLAYABLE&amp;#34;. This is because noinput is materially&lt;br/&gt;&amp;gt; insecure for traditional applications where a third party might pay to&lt;br/&gt;&amp;gt; an address a second time, and should only be used in special protocols&lt;br/&gt;&amp;gt; which make that kind of mistake unlikely.   Otherwise, I&amp;#39;m worried&lt;br/&gt;&amp;gt; that wallets might start using this sighash because it simplifies&lt;br/&gt;&amp;gt; handling malleability without realizing that when a third party reuses&lt;br/&gt;&amp;gt; a script pubkey, completely outside of control of the wallet that uses&lt;br/&gt;&amp;gt; the flag, funds will be lost as soon as a troublemaker shows up (but&lt;br/&gt;&amp;gt; not, sadly, in testing).  This sort of risk is magnified because the&lt;br/&gt;&amp;gt; third party address reuser has no way to know that this sighash flag&lt;br/&gt;&amp;gt; has (or will) be used with a particular scriptpubkey.&lt;br/&gt;&lt;br/&gt;Absolutely agree that we should be signaling the danger of using noinput&lt;br/&gt;as clearly as possible to developers, and I&amp;#39;m more than happy to adopt&lt;br/&gt;the _unsafe suffix suggested by jb55. I think using non-sighash_all&lt;br/&gt;sighashes is always a huge danger, as you have correctly pointed out, so&lt;br/&gt;maybe we should be marking all of them as being unsafe, or make sure to&lt;br/&gt;communicate that danger on a higher level (docs).
    </content>
    <updated>2023-06-09T12:51:07Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs9xpshydwfdnvgjtxk0hmj3vpkyuwkx546tplm5hkmtvkscpc3ysszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpalusm</id>
    
      <title type="html">📅 Original date posted:2018-07-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs9xpshydwfdnvgjtxk0hmj3vpkyuwkx546tplm5hkmtvkscpc3ysszypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wpalusm" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsq45rupm7n9th7j4de7myeqywqh5ccsssjfxhdx0ssckefu2dghaqjj9kg3&#39;&gt;nevent1q…9kg3&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-07-03&lt;br/&gt;📝 Original message:&lt;br/&gt;ZmnSCPxj via Lightning-dev &amp;lt;lightning-dev at lists.linuxfoundation.org&amp;gt;&lt;br/&gt;writes:&lt;br/&gt;&amp;gt; For myself, I think, for old nodes, it should just appear as a&lt;br/&gt;&amp;gt; &amp;#34;normal&amp;#34; close followed by a &amp;#34;normal&amp;#34; open.&lt;br/&gt;&lt;br/&gt;That&amp;#39;s exactly what they should look like, since the channel is being&lt;br/&gt;closed with the existing protocol and opened (possibly with a slightly&lt;br/&gt;different value).&lt;br/&gt;&lt;br/&gt;&amp;gt; So, instead, maybe a new `channel_announce_reopen` which informs&lt;br/&gt;&amp;gt; everyone that an old scid will eventually become a new scid, and that&lt;br/&gt;&amp;gt; the nodes involved will still consider routes via the old scid to be&lt;br/&gt;&amp;gt; valid regardless.&lt;br/&gt;&lt;br/&gt;I thought of it more as a new alias for the old channel, so that the&lt;br/&gt;update in the network view is just switching names after the announce&lt;br/&gt;depth is reached.&lt;br/&gt;&lt;br/&gt;&amp;gt; Then an ordinary `channel_announce` once the announce depth of the new&lt;br/&gt;&amp;gt; scid is reached.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; From point of view of old nodes, the channel is closed for some&lt;br/&gt;&amp;gt; blocks, but a new channel between the two nodes is then announced.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; From point of view of new nodes, the channel is referred to using the&lt;br/&gt;&amp;gt; previous scid, until an ordinary `channel_announce` is received, and&lt;br/&gt;&amp;gt; then the channel is referred to using the new scid.&lt;br/&gt;&lt;br/&gt;The message announcing the reopen or the alias should probably preceed&lt;br/&gt;the actual close, otherwise nodes may prune the channel from their view&lt;br/&gt;upon seeing the close. The message then simply has the effect of saying&lt;br/&gt;&amp;#34;ignore the close, let it linger for 6 more blocks before really&lt;br/&gt;removing from your network view&amp;#34;.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&amp;gt; For myself, I think splice is less priority than AMP. But I prefer an&lt;br/&gt;&amp;gt; AMP which retains proper ZKCP (i.e. receipt of preimage at payer&lt;br/&gt;&amp;gt; implies receipt of payment at payee, to facilitate trustless&lt;br/&gt;&amp;gt; on-to-offchain and off-to-onchain bridges).&lt;br/&gt;&lt;br/&gt;Agreed, multipath routing is a priority, but I think splicing is just as&lt;br/&gt;much a key piece to a better UX, since it allows to ignore differences&lt;br/&gt;between on-chain and off-chain funds, showing just a single balance for&lt;br/&gt;all use-cases.&lt;br/&gt;&lt;br/&gt;&amp;gt; With AMP, size of channels is less important, and many small channels&lt;br/&gt;&amp;gt; will work almost as well as a few large channels.&lt;br/&gt;&lt;br/&gt;Well, capacities are still very much important, and if there is a&lt;br/&gt;smaller min-cut separating source and destination than the total amount&lt;br/&gt;of the payment, then the payment will still fail. We now simply no&lt;br/&gt;longer require a single channel with sufficient capacity to exist.
    </content>
    <updated>2023-06-09T12:51:03Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqspxr847a38uk7kqgwp4d2r9y2kcudzm9czts3v90za82nu3y6n2dqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wntsuhn</id>
    
      <title type="html">📅 Original date posted:2018-06-19 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqspxr847a38uk7kqgwp4d2r9y2kcudzm9czts3v90za82nu3y6n2dqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wntsuhn" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsyfxfnv0tc5h3shgp87fyc780h3aqfwd9gfu7cgdhp2h75yv7ay2snuj04e&#39;&gt;nevent1q…j04e&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-06-19&lt;br/&gt;📝 Original message:&lt;br/&gt;&amp;#34;David A. Harding&amp;#34; &amp;lt;dave at dtrt.org&amp;gt; writes:&lt;br/&gt;&amp;gt; I finished a re-read of y&amp;#39;alls excellent paper describing Eltoo, and&lt;br/&gt;&amp;gt; there was something that confused me:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;&amp;gt; If the update transaction represents the last agreed upon state it can&lt;br/&gt;&amp;gt;&amp;gt; use relatively low fees being certain that it will not be replaced. &lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t understand why this is &amp;#34;certain&amp;#34;?  State_2 can&amp;#39;t replace State_3&lt;br/&gt;&amp;gt; on the block chain (ignoring reorgs) because S_2&amp;#39;s nLockTime of n&#43;2&lt;br/&gt;&amp;gt; doesn&amp;#39;t satisify S_3&amp;#39;s CLTV-enforced minimum state number/locktime of&lt;br/&gt;&amp;gt; n&#43;4.  But in the mempool this constraint doesn&amp;#39;t hold: if S_3 is in the&lt;br/&gt;&amp;gt; mempool, S_2 can simply pay more fees than S_3 for RBF replacement.&lt;br/&gt;&lt;br/&gt;That is true, we can&amp;#39;t prevent S_2 to make it into the blockchain, but&lt;br/&gt;we can make sure it doesn&amp;#39;t have any effect (aside from wasting some&lt;br/&gt;fees), by simply binding S_3 to it immediately afterwards. So if S_3 is&lt;br/&gt;the last agreed upon state, we can bind it to the funding output or any&lt;br/&gt;intermediate ones, i.e., when an intermediate update makes it into the&lt;br/&gt;blockchain. Eventually S_3, bound to some prior update output and&lt;br/&gt;ideally directly to the funding output, will make it into the blockchain&lt;br/&gt;at which point the game is over. Intermediate updates may have leaked&lt;br/&gt;into the blockchain, but did not unlock the intermediate settlement path&lt;br/&gt;and the blockchain was paid with the fees attached to the intermediate&lt;br/&gt;updates.&lt;br/&gt;&lt;br/&gt;&amp;gt; A mempool replacement of S_3 with S_2 also invalidates the transaction&lt;br/&gt;&amp;gt; containing S_3 until one of the participants rewrites it from binding to&lt;br/&gt;&amp;gt; State_1&amp;#39;s outpoint to binding to S_2&amp;#39;s outpoint.&lt;br/&gt;&lt;br/&gt;It should be noted that anyone can perform the rewriting, and it&amp;#39;s easy&lt;br/&gt;to do so, by just following the funding output and knowing the final&lt;br/&gt;update.&lt;br/&gt;&lt;br/&gt;&amp;gt; Unless I&amp;#39;m misunderstanding, this could perhaps be clarified to make&lt;br/&gt;&amp;gt; clear that, even in the case of a cooperative close, monitoring for old&lt;br/&gt;&amp;gt; states needs to continue until the final state has whatever number of&lt;br/&gt;&amp;gt; confirmations a participant deems sufficient to make it immutable.&lt;br/&gt;&lt;br/&gt;Good point, we did not mention that finality has to be ensured, and that&lt;br/&gt;in a case of a reorg that unconfirms the update we might have to perform&lt;br/&gt;additional rewrites. This is similar to LN-penalty where we actually&lt;br/&gt;need to make sure that the penalty transaction is final and doesn&amp;#39;t get&lt;br/&gt;reorged out.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:50:53Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsywrhj36gknvgt8a0xfvznnu3rwdfl3gez4raru3dm9tpjapmdtcqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wc2w0yh</id>
    
      <title type="html">📅 Original date posted:2018-05-15 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsywrhj36gknvgt8a0xfvznnu3rwdfl3gez4raru3dm9tpjapmdtcqzypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wc2w0yh" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqstjlqx2yw9nl5ltzwd9n45l3ujelzylkz7jewl4slwp3e527hppqsxh3d3v&#39;&gt;nevent1q…3d3v&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-05-15&lt;br/&gt;📝 Original message:&lt;br/&gt;Anthony Towns &amp;lt;aj at erisian.com.au&amp;gt; writes:&lt;br/&gt;&lt;br/&gt;&amp;gt; On Thu, May 10, 2018 at 08:34:58AM &#43;0930, Rusty Russell wrote:&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; The big concern I have with _NOINPUT is that it has a huge failure&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; case: if you use the same key for multiple inputs and sign one of them&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; with _NOINPUT, you&amp;#39;ve spent all of them. The current proposal kind-of&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; limits the potential damage by still committing to the prevout amount,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; but it still seems a big risk for all the people that reuse addresses,&lt;br/&gt;&amp;gt;&amp;gt; &amp;gt; which seems to be just about everyone.&lt;br/&gt;&amp;gt;&amp;gt; If I can convince you to sign with SIGHASH_NONE, it&amp;#39;s already a problem&lt;br/&gt;&amp;gt;&amp;gt; today.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; So, I don&amp;#39;t find that very compelling: &amp;#34;there&amp;#39;s already a way to lose&lt;br/&gt;&amp;gt; your money, so it&amp;#39;s fine to add other ways to lose your money&amp;#34;. And&lt;br/&gt;&amp;gt; again, I think NOINPUT is worse here, because a SIGHASH_NONE signature&lt;br/&gt;&amp;gt; only lets others take the coin you&amp;#39;re trying to spend, messing up when&lt;br/&gt;&amp;gt; using NOINPUT can cause you to lose other coins as well (with caveats).&lt;br/&gt;&lt;br/&gt;`SIGHASH_NOINPUT` is a rather powerful tool, but has to be used&lt;br/&gt;responsibly, which is why we always mention that it shouldn&amp;#39;t be used&lt;br/&gt;lightly. Then again all sighash flags can be dangerous if not well&lt;br/&gt;understood. Think for example `SIGHASH_SINGLE` with it&amp;#39;s pitfall when&lt;br/&gt;the input has no matching output, or the already mentioned SIGHASH_NONE.&lt;br/&gt;&lt;br/&gt;&amp;gt;From a technical, and risk, point of view I don&amp;#39;t think there is much&lt;br/&gt;difference between a new opcode or a new sighash flag, with the&lt;br/&gt;activation being the one exception. I personally believe that a segwit&lt;br/&gt;script bump has cleaner semantics than soft-forking in a new opcode&lt;br/&gt;(which has 90% overlap with the existing checksig and checkmultisig&lt;br/&gt;opcodes).&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; [...]&lt;br/&gt;&amp;gt;&amp;gt; In a world where SIGHASH_NONE didn&amp;#39;t exist, this might be an argument :)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I could see either dropping support for SIGHASH_NONE for segwit&lt;br/&gt;&amp;gt; v1 addresses, or possibly limiting SIGHASH_NONE in a similar way to&lt;br/&gt;&amp;gt; limiting SIGHASH_NOINPUT. Has anyone dug through the blockchain to see&lt;br/&gt;&amp;gt; if SIGHASH_NONE is actually used/useful?&lt;br/&gt;&lt;br/&gt;That&amp;#39;s a good point, I&amp;#39;ll try looking for it once I get back to my full&lt;br/&gt;node :-) And yes, `SIGHASH_NONE` should also come with all the warning&lt;br/&gt;signs about not using it without a very good reason.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; That was also suggested by Mark Friedenbach, but I think we&amp;#39;ll end up&lt;br/&gt;&amp;gt;&amp;gt; with more &amp;#34;magic key&amp;#34; a-la Schnorr/taproot/graftroot and less script in&lt;br/&gt;&amp;gt;&amp;gt; future.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Taproot and graftroot aren&amp;#39;t &amp;#34;less script&amp;#34; at all -- if anything they&amp;#39;re&lt;br/&gt;&amp;gt; the opposite in that suddenly every address can have a script path.&lt;br/&gt;&amp;gt; I think NOINPUT has pretty much the same tradeoffs as taproot/graftroot&lt;br/&gt;&amp;gt; scripts: in the normal case for both you just use a SIGHASH_ALL&lt;br/&gt;&amp;gt; signature to spend your funds; in the abnormal case for NOINPUT, you use&lt;br/&gt;&amp;gt; a SIGHASH_NOINPUT (multi)sig for unilateral eltoo closes or watchtower&lt;br/&gt;&amp;gt; penalties, in the abnormal case for taproot/graftroot you use a script.&lt;br/&gt;&lt;br/&gt;That&amp;#39;s true for today&amp;#39;s uses of `SIGHASH_NOINPUT` and others, but there&lt;br/&gt;might be other uses that we don&amp;#39;t know about in which noinput isn&amp;#39;t just&lt;br/&gt;used for the contingency, handwavy I know. That&amp;#39;s probably not the case&lt;br/&gt;for graftroot/taproot, but I&amp;#39;m happy to be corrected on that one.&lt;br/&gt;&lt;br/&gt;Still, these opcodes and hash flags being mainly used for contingencies,&lt;br/&gt;doesn&amp;#39;t remove the need for these contingency options to be enforced&lt;br/&gt;on-chain.&lt;br/&gt;&lt;br/&gt;&amp;gt;&amp;gt; That means we&amp;#39;d actually want a different Segwit version for&lt;br/&gt;&amp;gt;&amp;gt; &amp;#34;NOINPUT-can-be-used&amp;#34;, which seems super ugly.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; That&amp;#39;s backwards. If you introduce a new opcode, you can use the existing&lt;br/&gt;&amp;gt; segwit version, rather than needing segwit v1. You certainly don&amp;#39;t need&lt;br/&gt;&amp;gt; v1 segwit for regular coins and v2 segwit for NOINPUT coins, if that&amp;#39;s&lt;br/&gt;&amp;gt; where you were going?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; For segwit v0, that would mean your addresses for a key &amp;#34;X&amp;#34;, might be:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    [pubkey]  X    &lt;br/&gt;&amp;gt;     - not usable with NOINPUT&lt;br/&gt;&amp;gt;    [script]  2 X Y 2 CHECKMULTISIG&lt;br/&gt;&amp;gt;     - not usable with NOINPUT&lt;br/&gt;&amp;gt;    [script]  2 X Y 2 CHECKMULTISIG_1USE_VERIFY&lt;br/&gt;&amp;gt;     - usable with NOINPUT (or SIGHASH_ALL)&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; CHECKMULTISIG_1USE_VERIFY being soft-forked in by replacing an OP_NOP,&lt;br/&gt;&amp;gt; of course. Any output spendable via a NOINPUT signature would then have&lt;br/&gt;&amp;gt; had to have been deliberately created as being spendable by NOINPUT.&lt;br/&gt;&lt;br/&gt;The main reason I went for the sighash flag instead of an opcode is that&lt;br/&gt;it has clean semantics, allows for it to be bundled with a number of&lt;br/&gt;other upgrades, and doesn&amp;#39;t use up NOP-codes, which I was lectured&lt;br/&gt;for my normalized tx BIP (BIP140) is a rare resource that should be used&lt;br/&gt;sparingly. The `SIGHASH_NOINPUT` proposal is minimal, since it enhances&lt;br/&gt;4 existing opcodes. If we were to do that with new opcodes we&amp;#39;d either&lt;br/&gt;want a multisig and a singlesig variant, potentially with a verify&lt;br/&gt;variant each. That&amp;#39;s a lot of opcodes.&lt;br/&gt;&lt;br/&gt;The proposal being minimal should also help against everybody trying to&lt;br/&gt;get their favorite feature added, and hopefully streamline the&lt;br/&gt;discussion.&lt;br/&gt;&lt;br/&gt;&amp;gt; For a new segwit version with taproot that likewise includes an opcode,&lt;br/&gt;&amp;gt; that might be:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;    [taproot]  X&lt;br/&gt;&amp;gt;     - not usable with NOINPUT&lt;br/&gt;&amp;gt;    [taproot]  X or: X CHECKSIG_1USE&lt;br/&gt;&amp;gt;     - usable with NOINPUT&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; If you had two UTXOs (with the same value), then if you construct&lt;br/&gt;&amp;gt; a taproot witness script for the latter address it will look like:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt;     X [X CHECKSIG_1USE] [sig_X_NOINPUT]&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; and that signature can&amp;#39;t be used for addresses that were just intending&lt;br/&gt;&amp;gt; to pay to X, because the NOINPUT sig/sighash simply isn&amp;#39;t supported&lt;br/&gt;&amp;gt; without a taproot path that includes the CHECKSIG_1USE opcode.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; In essence, with the above construction there&amp;#39;s two sorts of addresses&lt;br/&gt;&amp;gt; you generate from a public key X: addresses where you spend each coin&lt;br/&gt;&amp;gt; individually, and different addresses where you spend the wallet of&lt;br/&gt;&amp;gt; coins with that public key (and value) at once; and that remains the&lt;br/&gt;&amp;gt; same even if you use a single key for both.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I think it&amp;#39;s slightly more reasonable to worry about signing with NOINPUT&lt;br/&gt;&amp;gt; compared to signing with SIGHASH_NONE: you could pretty reasonably setup&lt;br/&gt;&amp;gt; your (light) bitcoin wallet to not be able to sign (or verify) with&lt;br/&gt;&amp;gt; SIGHASH_NONE ever; but if you want to use lightning v2, it seems pretty&lt;br/&gt;&amp;gt; likely your wallet will be signing things with SIGHASH_NOINPUT. From&lt;br/&gt;&amp;gt; there, it&amp;#39;s a matter of having a bug or a mistake cause you to&lt;br/&gt;&amp;gt; cross-contaminate keys into your lightning subsystem, and not be&lt;br/&gt;&amp;gt; sufficiently protected by other measures (eg, muSig versus checkmultisig).&lt;br/&gt;&lt;br/&gt;I think the same can be addressed by simply having the wallet use a&lt;br/&gt;different derivation path for keys that it is willing to sign with&lt;br/&gt;NOINPUT. I sort of dislike having a direct dependency on taproot, i.e.,&lt;br/&gt;allowing noinput only in taproot scripts, since that isn&amp;#39;t a done deal&lt;br/&gt;either. Without that direct dependency, having the noinput path and the&lt;br/&gt;sighash_all path be differentiated in the script leaks the details&lt;br/&gt;on-chain, bloating the UTXO set, and leaking details about our contract.&lt;br/&gt;&lt;br/&gt;Also isn&amp;#39;t the same issue true for a separate opcode?&lt;br/&gt;&lt;br/&gt;&amp;gt; (For me the Debian ssh key generation bug from a decade ago is sufficient&lt;br/&gt;&amp;gt; evidence that people you&amp;#39;d think are smart and competent do make really&lt;br/&gt;&amp;gt; stupid mistakes in real life; so defense in depth here makes sense even&lt;br/&gt;&amp;gt; though you&amp;#39;d have to do really stupid things to get a benefit from it)&lt;br/&gt;&lt;br/&gt;Totally agree, however one could argue that increased code complexity&lt;br/&gt;is a major contributor to security issues, and I&amp;#39;m still convinced that&lt;br/&gt;the hashflag is the simplest and cleanest approach to getting this&lt;br/&gt;feature implemented.&lt;br/&gt;&lt;br/&gt;That being said, I think the soft-forked opcode is also a good option,&lt;br/&gt;if we can get agreement on the details in a reasonable amount of time.&lt;br/&gt;&lt;br/&gt;&amp;gt; The other benefit of a separate opcode is support can be soft-forked in&lt;br/&gt;&amp;gt; independently of a new segwit version (either earlier or later).&lt;br/&gt;&lt;br/&gt;That can both be a positive as well as a negative, since a bundle of&lt;br/&gt;complementing features likely is easier to get reviewed and activated.&lt;br/&gt;&lt;br/&gt;&amp;gt; I don&amp;#39;t think the code has to be much more complicated with a separate&lt;br/&gt;&amp;gt; opcode; passing an extra flag to TransactionSignatureChecker::CheckSig()&lt;br/&gt;&amp;gt; is probably close to enough. Some sort of flag remains needed anyway&lt;br/&gt;&amp;gt; since v0 and pre-segwit signatures won&amp;#39;t support NOINPUT.&lt;br/&gt;&lt;br/&gt;That&amp;#39;s moving the fanout for sighash_all vs sighash_none from the opcode&lt;br/&gt;up to the interpreter, right.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian
    </content>
    <updated>2023-06-09T12:50:37Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsfzr0yp04w9ape20sf5eaduyu5vme9gyx8uxt7c54ceyfr83f07yczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9weql67a</id>
    
      <title type="html">📅 Original date posted:2018-05-07 📝 Original message: Given ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsfzr0yp04w9ape20sf5eaduyu5vme9gyx8uxt7c54ceyfr83f07yczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9weql67a" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsxy352t6kred9sl8qug5ncjh8favjr5dtlgp9ywlmv0378q9r822s69h7sg&#39;&gt;nevent1q…h7sg&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-05-07&lt;br/&gt;📝 Original message:&lt;br/&gt;Given the general enthusiasm, and lack of major criticism, for the&lt;br/&gt;`SIGHASH_NOINPUT` proposal, I&amp;#39;d like to formally ask the BBEs (benevolent&lt;br/&gt;BIP editors) to be assigned a BIP number. I have hacked together a&lt;br/&gt;simple implementation of the hashing implementation in Bitcoin Core [1]&lt;br/&gt;though I think it&amp;#39;s unlikely to sail through review, and given the lack&lt;br/&gt;of ground-work on witness V1 scripts, I can&amp;#39;t really test it now, and&lt;br/&gt;only the second commit is part of the implementation itself.&lt;br/&gt;&lt;br/&gt;One issue that was raised off list was that some fork coins have used&lt;br/&gt;sighash 0x40 as FORKID. This does not conflict with this proposal since&lt;br/&gt;the proposal only applies to segwit transactions, which the fork coins&lt;br/&gt;have explicitly disabled :-)&lt;br/&gt;&lt;br/&gt;I&amp;#39;m looking forward to discussing how to we can move forward to&lt;br/&gt;implementing this proposal, and how we can combine multiple proposals&lt;br/&gt;into the next soft-fork.&lt;br/&gt;&lt;br/&gt;Cheers,&lt;br/&gt;Christian&lt;br/&gt;&lt;br/&gt;[1] &lt;a href=&#34;https://github.com/cdecker/bitcoin/tree/noinput&#34;&gt;https://github.com/cdecker/bitcoin/tree/noinput&lt;/a&gt;
    </content>
    <updated>2023-06-09T12:50:35Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsrns0uj9cqu0s80a4chsyjrzc5c2h7v5704mtdtvemt9xuslj2sfczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxjxuhz</id>
    
      <title type="html">📅 Original date posted:2018-05-03 📝 Original message: ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsrns0uj9cqu0s80a4chsyjrzc5c2h7v5704mtdtvemt9xuslj2sfczypev6spn9mrc9hg20a36evp78dha47ndjx73kcf9ek9hz9aphwq9wxjxuhz" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsg7ehx38kkqg8tt3aspehev898vszzc66avq82wqpezwvxhaf69wq8mj9ut&#39;&gt;nevent1q…j9ut&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2018-05-03&lt;br/&gt;📝 Original message:&lt;br/&gt;Carsten Otto &amp;lt;carsten.otto at andrena.de&amp;gt; writes:&lt;br/&gt;&amp;gt; the paper is a bit confusing regarding the setup transaction, as it is&lt;br/&gt;&amp;gt; not described formally. There also seems to be a mixup of &amp;#34;setup&lt;br/&gt;&amp;gt; transaction&amp;#34; and &amp;#34;funding transaction&amp;#34;, also named T_{u,0} without&lt;br/&gt;&amp;gt; showing it in the diagrams.&lt;br/&gt;&lt;br/&gt;The setup transaction is simply a transaction that spends some funds and&lt;br/&gt;creates a single output, which has the script from Figure 2, but since&lt;br/&gt;that would be a forward reference, I decided to handwave and call it a&lt;br/&gt;multisig. A simple fix would be to change the setup phase bullet point&lt;br/&gt;at the beginning of section 3, would that be sufficient?&lt;br/&gt;&lt;br/&gt;&amp;gt; In 3.1 the funding transaction is described as funding &amp;#34;to a multisig&lt;br/&gt;&amp;gt; address&amp;#34;. In the description of trigger transactions the change is&lt;br/&gt;&amp;gt; described as &amp;#34;The output from the setup transaction is changed into a&lt;br/&gt;&amp;gt; simple 2-of-2 multisig output&amp;#34; - which it already is?&lt;br/&gt;&lt;br/&gt;If instead of calling it a multisig we call it a multiparty output and&lt;br/&gt;reference the script in Figure 2, that&amp;#39;d be addressed as well.&lt;br/&gt;&lt;br/&gt;&amp;gt; As far as I understand the situation, the trigger transaction is needed&lt;br/&gt;&amp;gt; because the broadcasted initial/funding/setup transaction includes an&lt;br/&gt;&amp;gt; OP_CLV, which then starts the timer and could lead to premature&lt;br/&gt;&amp;gt; settlement. Removing OP_CLV (and having in a transaction that is only&lt;br/&gt;&amp;gt; published later when it is needed), i.e. by changing it to a simple&lt;br/&gt;&amp;gt; multisig output, seems to solve this issue.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Could you (Christian?) explain how the &amp;#34;setup transaction&amp;#34; is supposed&lt;br/&gt;&amp;gt; to look like without the changes described in section 4.2?&lt;br/&gt;&lt;br/&gt;Well, it has arbitrary inputs, and a single output with the script from&lt;br/&gt;Figure 2, in the non-trigger case, and in the trigger case it&amp;#39;d be just&lt;br/&gt;a `2 A B 2 OP_CMSV`.
    </content>
    <updated>2023-06-09T12:50:21Z</updated>
  </entry>

</feed>