Anchor-outputs (1/3): Refactoring chain backend to extract PackageTemplate

[ariard]

This is 1/3 of anchor ouput implementation

I invite reviewers to only Concept ACK/Approach ACK until I open the complete serie of patchset to see if implementation makes sense.

Rational

Anchor ouptut proposal is a spec move towards introducing dynamic fee-setting for LN transactions. Actually, feerate is selected by channel opener through update_fee and must be adapted to follow network-wise mempool increases/decreases. This model is broken with regards to quick fee spikes, adversial counterparty exploiting mempool policy rules or update_fee in itself introducing funny attack vectors (Flood & Loot among others).

Anchor output modifies commitment transaction format by introducing a special per-party output for adjusting feerate through CPFP. Note, without base layer changes this is still insecure and can only be relied for favorable mempool congestion in case of intentional unilateral closure.

Implementing anchor output consists in both onchain changes to support CPFP logic and offchain ones to dynamically add this new anchor output. This CPFP logic and the further onchain backend will likely get more complex in the future both by security and fee efficiency (like "aggressive" aggregation, cross-commitment CPFP, don't-go-onchain-if-your-HTLC-is-non-economic, don't-bump-more-than-HTLC-in-danger, ...). So this PR envision this by removing code complexity from OnchainTxHandler to some new interface OnchainRequest/PackageTemplate mimicking "packets".

Motivations behind OnchainRequest/PackageTemplate is to provide a generic interface for OnchainTxHandler without this component being aware of actual transaction type processed. It's nice to introduce later pre-signed justice transactions for watchtowers or anchor output garbage-collecting transactions.

Interface holds high-level methods like package_weight or package_amounts. Concretely it kills the monster OnchainTxHandler::generate_claim_tx to get it ready for CPFP support. Current interface is an enum, we may want to switch to trait object but it comes with trade-offs in Rust (thoughts ?)

PR scope

This PR SHOULD NOT introduce any behavior change.

Overview of PR:

• move InputDescriptors in new onchain_utils
• replace InputDescriptors by PackageTemplate, switching from per-input claim to holistic package make it easier to compute weight, which is less footgunish
• replace ClaimTxBumpMaterial/ClaimRequest by a unique structure, easing aggregatiion
• extract fee computing utilitties from `OnchainTxHandler

[arik-so]

This method needs comments, because package_split is not descriptive.

[arik-so]

Same as package_split.

[arik-so]

you keep accessing the first outpoint, so I'd just put it in a variable for easier legibility

[devrandom]

Here are my initial thoughts on this PR

[devrandom]

There's a lot of matching going on in the implementation code below. Maybe it will be cleaner to have this be a hierarchy of types rather than an enum?

[ariard]

Good point, I think we can aggregate MalleableJusticeTx/CounterpartyHTLCTx on a lot of cases. Though I'm holding this on the discussion to switch to dynamic trait objects instead of an enum pseudo-interface.

[TheBlueMatt]

Dynamic traits kinda seems like cheating here, can we not convert the trait variants to enum variants and place structs that each implement some PackageTemplateVariant trait for the inner structs instead? That would keep runtime cost the same but allow similar code cleanup.

[devrandom]

this creates a circular dependency between this class and OnChainTxHandler. Perhaps extract an interface from OnChainTxHandler to break this cycle? actually this seems to be a pre-existing issue.

[ariard]

Yes in the future I think we can just pass key_signer as we're just interested with signer for construction and signing. Maybe we can remove entirely signer from OnchainTxHandler and just give it to PackageTemplate constructor ?

Note, you still have get_fully_signed_htlc_tx/get_fully_signed_holder_tx blocking to remove the passing of OnchainTxHandler, it's a leftover from the past which is my bad. OnchainTxHandler shouldn't have any commitment transaction state directly exposed and it should be wrapped inside package. I started to do this move while writing this PR but it was already a big refactor...

[devrandom]

yeah, sounds like a good topic for a separate PR

[devrandom]

isn't this 1000/750 = 33% or did I miss something?

[ariard]

I think you're right :

• (feerate=1000) * (weight=100) / (weight_denominator=1000) = 100
• (feerate=1000) * (weight=100) / (weight_denominator=750) = 133

So good catch! I need to update tests so not marking at resolved yet. If you have a better idea on the % heuristic lmk it's quite arbitrary rn :)

[devrandom]

well, to be obvious, this has to be high enough so it tracks feerate spikes within the expiration time, especially when there's an attack on the mempool. if I understand the code correctly, a bump happens on every block, right?

so, the desired bump % is dependent on the expiration time in blocks and the ratio of the spike to original feerate. one issue is if the original feerate was very low, let's say because the network was quiet. then perhaps we can get a very high spike ratio.

for example, with a 100x spike height and 144 block expiration, the bump should be around 3.2%. we could handle much higher spikes with a 10% increase - up to a (1.1 ^ 144) = 900000 feerate increase over 144 blocks.

we should have this in a const with some documentation on the const justifying the value based on assumptions on maximum spike height and minimum expiration time.

[ariard]

Bump happens accordingly to OnchainTxHandler::get_height_timer, if expiration is coming in next 3 blocks, bumps at every block.

What do you qualify as spike height here ? The original height at which the transaction is broadcast for first time ? Ideally you want the fee-bump to be exponential, save on fees if timelock is far away, be ready to burn as funds at stake when the expiration is really near.

Agree on documenting our assumptions.

[devrandom]

apologies, missed this reply. I should have said "spike factor" - which I meant as the ratio of the feerate when we start to try to publish and the feerate at the peak of the spike.

I agree that the bumps should be exponential (and they are in your code, right?).

But my assumption about the bump frequency was incorrect. Looking at get_height_timer, if we have 144 blocks, we bump 9 times every 15 blocks, then twice every 3 blocks then another 3 times, for a total of 14 or so. I might be slightly off. so 1.25 ^ 14 = 22.

I'm not sure that's actually enough to be safe, since we do stand to lose the funds in the worst case. I think a factor of 100 would be better.

[ariard]

Thanks for review @devrandom, updated with at least the minor fixed.

I think before to go further with this PR review there is a discussion between using enum as a pseudo-interface or moving to trait objects. The downside with trait objects (experimented a bit for offchain generic output in #619) is you need a Box and a memory over-head. It might be okay for onchain stuff which isn't a hot path.

Note, I see this PR as a real blocker to work further on third-party watchtower support, future PackageTemplate should be DelegatedJusticeTx/HolderDLCTx. Once we resolve the code design point above, I would be glad to land this PR as soon as we can.

[devrandom]

Regarding efficiency - I usually don't try to optimize this early in a project's lifetime. This especially applies to crypto code, where sign/encrypt/verify operations are usually the bulk of the CPU load.

[ariard]

Updated at de93efc.

Currently, this is the main area where I'm curious of feedback. If we prefer trait objects, I'll need to re-work this PR, so first I would like to settle on trait objecs or enum as a abstract package interface.

I think before to go further with this PR review there is a discussion between using enum as a pseudo-interface or moving to trait objects. The downside with trait objects (experimented a bit for offchain generic output in #619) is you need a Box and a memory over-head. It might be okay for onchain stuff which isn't a hot path.

[TheBlueMatt]

Overall looks like a good refactor. Have a couple of API questions.

[TheBlueMatt]

Can you expand the doc comments and add docs on each variant describing these in t a bit more detail? Does this datastructure restrict the possible things we can claim in one transaction (ie can we claim CounterpartyHTLCTx outputs in the same transaction as MalleableJusticeTx outputs, or do we always punish revoked counterpaty HTLC transactions via a MalleableJusticeTx PackageTemplate)? More docs would help here.

[TheBlueMatt]

Dynamic traits kinda seems like cheating here, can we not convert the trait variants to enum variants and place structs that each implement some PackageTemplateVariant trait for the inner structs instead? That would keep runtime cost the same but allow similar code cleanup.

[TheBlueMatt]

Same here, shouldn't this be a function on PackageTemplate?

[ariard]

Yeah, I'll should study if I can merge OnchainRequest with PackageTemplate, now that I've isolated outpoints and their solving materials in PackageSolvingData. Maybe, the original reason is to facilitate aggregation/fragmentation at block connect/disconnect.

[TheBlueMatt]

Regarding efficiency - I usually don't try to optimize this early in a project's lifetime. This especially applies to crypto code, where sign/encrypt/verify operations are usually the bulk of the CPU load.

This I agree with for CPU operations, but memory allocation operations are more tricky. My personal experience on Core made me very, very scared of too much allocation, its very easy to have a program that ends up with 3x RSS as is required from memory fragmentation and other overhead, and not really have an easy way to fix it - trying to reduce memory allocations after the fact can be a very challenging rebase, doubly so because there aren't any good tools for debugging or profiling these issues.

[devrandom]

Why is "counterparty HTLC tx" malleable, but "holder HTLC tx" not? is the term "HTLC tx" used differently in the two cases?

[ariard]

Holder HTLC tx only become malleable with anchor changes introduced in other branches of this patchset :)
Though they're only malleable under SIGHASH_SINGLE. Claiming transactions on counterparty HTLC outputs have always been malleable beyond witness satisfaction (i.e settup nLocktime correctly) ?

[ariard]

Okay pushed a refactored version of the refactor at 8b27973. It gets rides of code duplication by encapsulating outputs special solving data in a new PackageSolvingData. Still needs heavily documentation but will do once we agree on onchain_utils's structs.

Also, another point I did like with trait objects compare to enum was the ability to easily support other package/outputs types without this new logic being in-tree. Though, we can do it with enum to, e.g add CounterpartyPTLCOutput in PackageSolvingData that we can gate on #[cfg(feature = "ptlc")]

[ariard]

Rebased at 238dd96. Working on API documentation and test coverage.

[TheBlueMatt]

Note that a number of tests fail, and a few appear to hang.

[TheBlueMatt]

I assume these weren't meant to slip in :)

[ariard]

Removed, they're markers for the remaining patchset. For height values passed they don't matter as we can't yet bump them.

[TheBlueMatt]

rustc doesn't like this - even though the whole module is only pub(crate) the fact that this includes a pub(crate) thing makes it sad. We can just make this pub(crate) instead.

[TheBlueMatt]

Its a little confusing that a RevokedOutput could have type OfferedHTLC/ReceivedHTLC. Can we split out the type here or assert that the type is a Revoked... one in build (it looks like the non-revoked types are really just used for get_witnesses_weight).

[ariard]

So I dried-up InputDescriptors and instead I'm using new named constants. It turns out InputDescriptors and the associated helper get_witnesses_weight don't serve a real purpose. At detection, spend weights can be marked as static, we won't touch them anymore until transaction generation.

[TheBlueMatt]

Can you add a comment describing why its ok that these are 0 here, or what the calling preconditions are for this function?

[ariard]

Added a comment, values should change with the remaining anchor patchset, introducing fee-bumping of holder outputs spending packages.

[codecov]

Codecov Report

Merging #642 (499d84c) into master (f8450a7) will decrease coverage by 0.02%.
The diff coverage is 85.87%.

❗ Current head 499d84c differs from pull request most recent head 0065308. Consider uploading reports for the commit 0065308 to get more accurate results

@@            Coverage Diff             @@
##           master     #642      +/-   ##
==========================================
- Coverage   90.42%   90.40%   -0.03%     
==========================================
  Files          59       59              
  Lines       30173    30299     +126     
==========================================
+ Hits        27285    27392     +107     
- Misses       2888     2907      +19     

Impacted Files	Coverage Δ
lightning/src/util/enforcing_trait_impls.rs	90.38% <ø> (ø)
lightning/src/routing/router.rs	96.05% <50.00%> (-0.12%)	⬇️
lightning/src/util/ser_macros.rs	91.11% <62.06%> (-5.63%)	⬇️
lightning/src/ln/channel.rs	88.24% <81.81%> (-0.06%)	⬇️
lightning/src/ln/functional_test_utils.rs	94.90% <88.88%> (-0.17%)	⬇️
lightning/src/ln/channelmanager.rs	83.19% <95.83%> (+0.13%)	⬆️
lightning/src/ln/functional_tests.rs	97.02% <97.43%> (-0.05%)	⬇️
lightning/src/chain/channelmonitor.rs	91.21% <100.00%> (+0.05%)	⬆️
lightning/src/chain/keysinterface.rs	94.96% <100.00%> (+0.04%)	⬆️
lightning/src/ln/msgs.rs	88.20% <100.00%> (-0.02%)	⬇️
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f8450a7...0065308. Read the comment docs.

[TheBlueMatt]

This is great, but I think we can simplify the logic a bunch more and pull more out of channelmonitor. It may be that some of it makes more sense in a followup, but probably it could go in here.

[TheBlueMatt]

In the previous commit (while moving this block) you change it from to_holder to to_local, and then change it back here.

[ariard]

Right, corrected in "Add onchain_utils"

[TheBlueMatt]

nit here and below: can we implement this with impl_writeable!()?

[ariard]

Yep good idea, done.

[TheBlueMatt]

style nit: If we're reading this in-order we can also put the Readable::read calls inside the struct creation below.

[TheBlueMatt]

If this is unused can we at least have a debug_assert!(false) instead of returning a bogus value?

[ariard]

Amount is exercised in generate_claim_tx so added a debug_assert(amt == 0) otherwise added for weight.

[TheBlueMatt]

This feels like even more of a layer violation than the original InputDescriptors enum. I think my original complaint about it was more about how its confusing to have two separate enums (and that you can have a non-Revoked InputDescriptor inside of a RevokedOutput which is obviously nonsensical). Instead, can we make RevokedOutput at least contain an enum so that the htlc field isn't an option and we don't need to store a weight passed in from another layer and can calculate it locally?

[ariard]

Addressed with new RevokedHTLCOutput and corresponding constructor

[TheBlueMatt]

Similarly - can we simplify this further and push more logic down into onchain_utils? eg even having channelmonitor aware of what types of outputs are and are not Malleable seems like split logic - ideally ChannelMonitor can only know about the transactions its looking at and then tell onchain_utils or onchaintx which of a given enum an output is and let it handle the rest (maybe with different constructors depending on the types out outputs being spent instead of one big constructor?).

[ariard]

Good call, this one is super straightforward to address. Instead of splitting constructor, I did embed malleability assignment based on output type. channelmonitor is now blind w.r.t to package malleability

[jkczyz]

Mostly nits on chain_utils. Can take a closer look at later commits tonight.

[jkczyz]

Code mostly looks good. Comments are primarily around doc confusion and code organization.

[jkczyz]

It's unclear what outpoints are being consumed from this context. Seems to be talking about a call site. Likewise throughout.

[ariard]

Yes, reword a bit, let me know if it's clearer.

[jkczyz]

Why move this to onchain_utils if it is only used here? I think we should avoid "utils" modules as they tend to collect unrelated code.

[ariard]

Right, made it part of the package interface as it's belonging to it. We don't have an other data struct with a height timer through the rest of chain/

[jkczyz]

Looking at how this is used, it doesn't really seem necessary. You can instead have a method on PackageSolvingData that takes another PackageSolvingData and returns whether they are compatible. No need to introduce the term "category" which isn't defined. This would also eliminate the redundancy between OutputCategory and PackageSolvingData.

[jkczyz]

BTW, such comparison can be accomplished for complex enum types like PackageSolvingData using std::mem::discriminant.

https://doc.rust-lang.org/std/mem/fn.discriminant.html

[ariard]

Okay finally dropped OutputCategory/OutputType! And leverage usage of std::mem::discriminant. There is still a bunch of special logic in output_type_eq to handle the forced-equality for revoked outputs.

[jkczyz]

If these variants only differ by one field but are considered "equal", would it be simpler to make that particular field an enum and collapse these two variants into one variant rather than repeat the six other fields across each?

[ariard]

I was anticipating future implementation of disaggregation-after-timelock to solve this transaction pinning : lightning/bolts#803. If this mitigation is implemented they won't be considered "equal" anymore.

[jkczyz]

Looks good! Thanks for addressing everything.

[TheBlueMatt]

Looks good. Anything else can come in a followup.