What is Nostr?
Antoine Riard [ARCHIVE] /
npub1vjz…x8dd
2023-06-09 13:05:28
in reply to nevent1q…fjd6

Antoine Riard [ARCHIVE] on Nostr: 📅 Original date posted:2022-03-07 📝 Original message: Hi Eugene, > Since the ...

📅 Original date posted:2022-03-07
📝 Original message:
Hi Eugene,

> Since the remote party gives them a signature, after the timeout, the
offering party can
claim with the remote's signature + preimage, but can only spend with the
HTLC-timeout transaction because of SIGHASH_ALL.

I've not exercised the witness against our test framework though the
description sounds to me correct.

The offering counterparty spends the offered HTLC output with a
HTLC-timeout transaction where the witness is <<remote_sig>
<payment_preimage>>. SIGHASH_ALL is not committing to the spent Script
branch intended to be used. As you raised, it doesn't alleviate the
offering counterparty to respect the CLTV delay and as such the offered
HTLC timespan cannot be shortened. The implication I can think of, in case
of competing HTLC race, once the absolute timelock is expired, the offering
counterparty is able to compete against the receiving one with a more
feerate-efficient witness. However, from a receiving counterparty safety
viewpoint, if you're already suffering a contest, it means your HTLC-claim
on your own local commitment transaction inbound HTLC output has been
inefficient, and your fee-bumping strategy is to blame.

If we think the issue is relevant, I believe splitting the Script branches
in two tapleaves and having bip342 signature digest committing to the
tapleaf_hash solves it.

Antoine

Le lun. 7 mars 2022 à 15:27, Eugene Siegel <elzeigel at gmail.com> a écrit :

> I'm not sure if this is known, but I'm pretty sure it's benign and so I
> thought I'd share since I found it interesting and maybe someone else will
> too. I'm not sure if this is already known either.
>
>
> https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs
> Offered HTLCs have three claim paths: the revocation case, the offerer
> claiming through the HTLC-timeout transaction, and the receiver claiming
> via their sig + preimage. The offering party can claim via the HTLC-timeout
> case on their commitment transaction with their signature and the remote's
> signature (SIGHASH_ALL) after the cltv_expiry timeout. Since the remote
> party gives them a signature, after the timeout, the offering party can
> claim with the remote's signature + preimage, but can only spend with the
> HTLC-timeout transaction because of SIGHASH_ALL. This assumes that the
> remote party doesn't claim it first. I can't think of any cases where the
> offering party would know the preimage AND want to force close, so that's
> why I think it's benign. It does make the witness smaller. The same trick
> isn't possible with the Received HTLC's due to OP_CHECKLOCKTIMEVERIFY.
>
> Eugene (Crypt-iQ on github)
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20220307/b55f369a/attachment.html>;
Author Public Key
npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8dd