New BitDevs

2023-07-31

Announcements

Please join us for our next Socratic Seminar. A special thank you to our sponsors CardCoins, Chaincode Labs and Wolf NYC for food, refreshments and event space.

If you can't make it to the main event please join us at PUBKEY around 9:30PM. Learn about this awesome new establishment here.

Presentation

Adam Jonas: BitcoinSearch.xyz

Mailing Lists, Meetings and Bitcoin Optech

Mailing Lists

bitcoin-dev

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

lightning-dev

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.

On the experiment of the Bitcoin Contracting Primitives WG and marking this community process "up for grabs"

The text after the asterisk discusses the author's update on the community process to specify covenants in Bitcoin. The author introduced the idea last year to address issues in consensus development changes and lack of a "codified checklist" for consensus changes. The post highlights the various initiatives undertaken by different individuals and groups, such as the Bitcoin Contracting Primitives WG and the bitcoin-inquisition fork. The author acknowledges that they have been busy with Lightning-side and other Bitcoin projects, and due to the amount of work required in ensuring a secure and reliable Lightning Network, they have decided to allocate their time and energy towards that goal. The author encourages others to continue working on covenant changes proposals and expresses the importance of preserving and assessing consensus changes proposals. They open up the possibility of others taking over the maintenance and nurturing of the Bitcoin Contracting Primitives WG and collaborating with Optech for covenants workshops. The post concludes with the author being open to offers and resources to work full-time on consensus changes.

The author of the text is summarizing their experiment with a new community process for specifying covenants in the Bitcoin space. They discuss the goals of the process, which include building a framework to evaluate covenant proposals and opening consensus changes to a wider range of developers. They mention complementary initiatives that have been undertaken by others during the same period. The author acknowledges that they have not been able to dedicate much time to the project recently due to their work on the Lightning Network. They express their belief that the development of the Lightning Network is more critical for the survival of Bitcoin and explain their decision to focus their time and energy on it. They encourage others to continue working on covenant changes proposals and suggest that small incremental changes can have a significant impact. The author also calls for more technical historians and archivists to assess and preserve consensus change proposals. They invite individuals who are interested in maintaining and nurturing the Bitcoin Contracting Primitives WG to reach out. They note that they have been approached by organizations interested in supporting consensus changes in the Bitcoin space.

Blinded 2-party Musig2

The text describes the implementation of a version of 2-of-2 Schnorr Musig2 for statechains. In this implementation, the server (party 1) is fully "blinded," meaning it holds a private key necessary for generating an aggregate signature but does not learn the aggregate public key, aggregate signature, or the message being signed. The security of the blinded statechains relies on the server being trusted to report the number of partial signatures generated, rather than enforcing rules on what it has signed. The 2-of-2 musig2 protocol involves generating private and public keys for both parties, aggregating the public keys, generating nonces, and computing challenges and signatures. In the case of blinding for party 1, key aggregation and nonce aggregation are performed by party 2, while the computation of the challenge and the final signature involves a communication between parties. The text requests comments and feedback on the implementation.

The text discusses the implementation of a cryptographic protocol called 2-of-2 Schnorr Musig2 for a system called statechains. In this system, a server is "blinded" in a way that it can generate a private key and aggregate signatures without knowing the aggregate public key, the aggregate signature, or the message being signed. The security of the system relies on the server reporting the number of partial signatures it has generated and verifying the full set of signatures on the client side. The protocol involves generating private and public keys, aggregating them, and signing messages using nonces. In the case of blinding for the server, it is suggested that key and nonce aggregation are performed by the other party to prevent the server from learning the full public key and final signature. The text seeks comments and highlights any potential issues. In simpler terms, the text talks about a way to make a server perform certain cryptographic operations without knowing important information. It involves generating private and public keys, combining them, and signing messages. The text suggests a method to prevent the server from learning certain pieces of information by having another party handle some calculations. The author is asking for feedback and pointing out any problems.

Computing Blinding Factors in a PTLC and Trampoline World

The passage explains a method for computing blinding factors in a privacy-preserving protocol. In this method, the ultimate receiver has a secret 'r' and gives the ultimate sender the point 'R = r * G'. When the ultimate sender wants to send a payment to the ultimate receiver directly, it selects a random scalar 'e' and constructs an onion with 'e' decryptable by the ultimate receiver. The ultimate sender offers a payment with the point 'e * G + R', and the ultimate receiver can claim it by revealing 'e + r'. When there is an intermediate node, the ultimate sender needs to generate two scalars 'c' and 'd' such that 'c + d = e'. The onion is encrypted with 'e' for the ultimate receiver and 'd' for the intermediate node. Each non-Trampoline intermediate node adds its per-hop blinding factor to the input point and sends it to the next hop. This process allows the ultimate receiver to receive payments from both direct or indirect routes without knowing which one it came from. In the case of a Trampoline node, the ultimate sender selects 'c' and 'd' and creates an onion with 'e' for the ultimate receiver, 'd' for the intermediate node (Carol), and the next Trampoline node. Carol decrypts the onion, finds a route to the ultimate receiver, selects 'a' and 'b' such that 'a + b = d', and creates another onion for the next hop. This process continues until the payment reaches the ultimate receiver. Overall, this method ensures privacy and allows each node to claim its incoming payment without revealing any sensitive information.

The text explains a mathematical demonstration regarding the computation of blinding factors in a specific way. It involves several nodes, including intermediate and trampoline nodes, as well as the ultimate receiver and sender. The goal is to ensure that non-Trampoline nodes only need to know one blinding factor, the receiver only needs to know one blinding factor, and trampoline nodes can provide blinding factors without non-Trampoline nodes being aware that they are on a trampoline route. In the demonstration, the ultimate receiver has a secret value 'r' and gives the ultimate sender a point 'R', which is equal to 'r' multiplied by another point 'G'. If the sender and receiver are directly connected, the sender chooses a random scalar 'e', known as the error blinding factor, and constructs an onion that can be decrypted by the receiver. The sender also offers a PTLC (Payment-Time Lock Contract) with a specific point. The receiver can claim the PTLC by revealing 'e + r'. If there is an intermediate node, such as Carol, the sender needs to generate two scalars, 'c' and 'd', where 'c + d = e'. The sender encrypts the onion with 'e' meant for the receiver and the ciphertext, as well as 'd' encrypted for Carol. The sender then sends the PTLC to Carol, who adds the appropriate factor and forwards it. In the case of a Trampoline node, the sender does not provide the detailed route from Carol to the next Trampoline hop. Instead, the ultimate receiver is the final Trampoline hop after Carol, but Carol is not aware of this. The sender selects 'e', 'c', and 'd', and creates a Trampoline-level onion encrypted for the receiver and Carol. Carol decrypts the onion, gets 'd', and searches for a route to the ultimate receiver. Carol selects more factors and creates a different onion for the next hop, Alice. Finally, the PTLC is sent to Alice and then to the ultimate receiver. In all cases, the receiver cannot differentiate whether it received the message from a Trampoline, a non-Trampoline intermediate, or directly. Every node along the route has enough information to claim its incoming PTLC, but only the ultimate sender knows 'c', allowing it to recover 'r'.

Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!

LNbits, a team of researchers, recently discovered an exploit that allows attackers to create fake balances by manipulating how invoices are processed. They have released a patch to fix this exploit and are urging users to update their systems. The attack involves inserting a payment hash from one payment into another, creating a malicious invoice that tricks the backend into thinking it is a legitimate payment. This type of exploit could potentially affect other Lightning applications, such as custodial wallets and payment processors. The critical part of the attack is that payment hashes do not commit to payment details, only the preimage. To mitigate this, backends should use unique "checking id's" for internal payments or additional checks on invoice details. This incident highlights the sophistication of attackers and reminds developers to be cautious when assuming the security of payment hashes. From now on, the researchers suggest referring to payment hashes as "preimage" hashes.

The text explains an exploit that was discovered in a software called LNbits that could allow an attacker to create fake balances. They fixed the issue in the latest version of the software and encourage users to update. The attack involved manipulating payment invoices to trick the system into treating a different payment as if it was another. The critical part was that the system assumed that the payment hash committed to specific payment details, but it actually only committed to a preimage. The text suggests that developers should use unique "checking ids" for internal payments or implement additional checks to avoid such exploits in the future. The author also points out the sophistication of attackers in the Lightning Network ecosystem and emphasizes the need to understand the true nature of payment hashes.

An Open Source Framework to Collect Lightning Network Metrics

The author of the text is sharing one of their side projects that involves collecting data on the lightning network. They explain that the purpose of this project is to monitor the evolution of the network, evaluate possible solution proposals such as channel jamming, and support university research that lacks access to real data. They aim to define and collect information that can be shared among people to evaluate ideas and proposals. They provide links to a more detailed idea, an experimental explorer, and a public Graphql API. The author concludes by expressing hope that this project will be useful to someone.

The author of the text is sharing a side project where they are researching and collecting data on the lightning network. They want to understand how the network is evolving, test proposed solutions, and support university research without access to real data. They have a detailed idea explained in [1] and an experimental explorer available at [2], as well as a public Graphql API at [3]. They hope that this information will be helpful to someone.

option_simple_close for "unfailable" closing

The text after the asterisk discusses the "closing_complete" and "closing_sig" messages in the close protocol of the Lightning Network. These messages are used to negotiate the closing of a channel. Once the shutdown process is complete and the channel is empty of HTLCs, each peer states the fee it is willing to pay, and the other side simply signs the transaction with that fee. The sender of the "closing_complete" message, also known as "the closer," sets the fee it will pay and indicates whether it wants to include its own output. If it includes its own output, it provides two valid signatures for different transaction scenarios. The receiver of the "closing_complete" message, also known as "the closee," verifies the signatures and selects one to respond to. The sender of the "closing_sig" message then sets the appropriate values and sends it back. These messages allow for re-negotiation if a new "shutdown" message is received. The close protocol aims to avoid failure scenarios caused by fee disagreement and offers flexibility for each side to decide whether to include its output.

This GitHub pull request introduces a new protocol for closing a channel in the Lightning Network. The protocol allows for a smooth and secure process of closing a channel, with each side being able to indicate whether they want to omit their own output. The protocol is designed to be compatible with the upcoming "taproot" technology. The process involves two stages: the closing initiation, in which a "shutdown" message is sent, and the closing negotiation, in which the fee for the closing transaction is determined and signatures are exchanged. The protocol also includes specifications for the closing transaction and fee calculation. The new protocol aims to avoid failure scenarios caused by fee disagreements.

LN Summit 2023 Notes

The text after the asterisk discusses various topics related to the Lightning Network specification. The first topic is about the Package Relay proposal, which allows for more efficient transaction relay in the network. It provides details on the proposed changes and improvements, including the use of anchors and zero-fee commitments. The second topic is about Taproot, a proposed upgrade to the Bitcoin protocol. It highlights changes related to anchors and the revocation path on to_local, as well as the use of NUMS points and simplified closure negotiations. The third topic is about Gossip, the protocol used for information dissemination in the Lightning Network. It discusses the idea of script binding and the flexibility of allowing any taproot output to be a Lightning channel. It also touches on the concept of amount binding and its impact on pathfinding. The fourth topic is about reputation and its role in mitigating channel jamming attacks. It explains the concept of resource bucketing, which limits the number of slots and amount of liquidity that nodes without good reputation can access. It also introduces the idea of endorsement to propagate a signal indicating the expected honesty of a transaction. The fifth topic is about the Simplified Commitments proposal, which simplifies the state machine of the Lightning Network. It suggests turn-taking between peers to make it easier to debug and understand the state machine. The sixth topic is about the process of creating a meta specification for the Lightning Network. It discusses the idea of versioning the specification to make it more modular and manageable. It also explores the possibility of using extensions to add new features without complicating the main specification. The final topic is about asynchronous payments and trampoline routing. It explains the concept of trampoline routing, where light nodes can send payments through a series of intermediaries without needing to know the full network topology. It also discusses the use of blinded payments for enhanced privacy in trampoline routing. Overall, the text covers a range of proposals and improvements for the Lightning Network specification, addressing issues such as transaction relay, channel jamming attacks, reputation management, and routing efficiency.

The text discusses several topics related to Lightning Network, a protocol for fast and low-cost Bitcoin transactions. The first part focuses on package relay and the concept of package RBF (Replace By Fee). It also mentions the implementation of V3 transactions and ephemeral anchors. The second part discusses Taproot, a proposed upgrade to Bitcoin that improves privacy and script execution. The third part introduces the concept of PTLCs (Probabilistic Time-Locked Contracts) and different methods for addressing redundant overpayment. The fourth part explores different approaches for mitigating channel jamming, including monetary fees, reputation systems, and scarce resources. The fifth part suggests simplifying the Lightning Network's state machine and introducing a turn-based protocol. The sixth part proposes the idea of versioning and modularizing the Lightning Network specification to make it more readable and easier to implement. The final part briefly mentions asynchronous payments and trampoline routing.