lightning-dev

HTLC output aggregation as a mitigation for tx recycling, jamming, and on-chain efficiency (covenants)

HTLC output aggregation as a mitigation for tx recycling, jamming, and on-chain efficiency (covenants)

Original Postby Antoine Riard

Posted on: November 21, 2023 02:39 UTC

The correspondence from Antoine addresses several technical concerns and suggestions related to the Lightning Network (LN) and its transaction processes.

The email begins with a description of a transaction recycling attack that exploits the changes made to Hash Time-Locked Contracts (HTLCs) in anchor channel types, which now allow additional inputs to increase fees without invalidating the signature. This vulnerability does not exist for legacy channels because fees were drawn directly from HTLC outputs and agreed upon by both parties.

Antoine also considers the advantages of aggregating HTLC outputs, such as reducing the need for fee-bumping reserves. However, there is concern over the remaining malleability that could potentially allow a counterparty to inflate miner's fees at the expense of the HTLC value. To mitigate this, Antoine suggests segregating HTLC claims into two separate outputs and using covenants to manage aggregated claims based on witness and chain state conditions.

The limitations imposed by the protocol limit of 483 are discussed in the context of long-term payment throughput for LN. Antoine explores the potential use of sliding windows to manage claim periods for HTLCs, but this introduces the necessity for off-chain consensus regarding feerate thresholds among routing nodes.

Further exploration is made into Point Time-Locked Contracts (PTLCs), where aggregate curve points might be utilized to maintain near-constant size for offered HTLCs. Antoine expresses interest in how covenant mechanisms could apply to withdrawal phases in payment pools, involving many participants and non-competing transactions.

The email touches on the complexity and potential risks associated with activating multiple covenants simultaneously in Bitcoin's conservative system, alluding to the possibility of 'malicious' Layer 2 contracts with unresolved game-theory implications. Antoine refers to past discussions around CoinSwap's Transaction Withholding Attack and the need for an efficiency simulation framework to compare different covenant constructions and their performance trade-offs.

Finally, Antoine raises a question about whether advanced cryptosystems, based on assumptions other than the Discrete Logarithm (DL) problem, could significantly scale LN payment throughput by decoupling the number of off-chain payments from the on-chain witness size needed to claim them, without compromising security.

These topics suggest a deep dive into the intricate balance between innovation and security within the evolving landscape of Bitcoin and Layer 2 solutions like the Lightning Network. Antoine's insights reflect ongoing discussions and developments aimed at enhancing the scalability and robustness of cryptocurrency transactions.