Explicitly allow funding_locked early, and include scid.

[rustyrussell]

This lets you add your brand new channel to routehints, and also sanity check the peer in case of chain splits.

[t-bast]

Concept ACK, I like the fact that it's really simple and minimal: the gist of this PR is that turbo channels are simply about ignoring accept_channel.minimum_depth. Any node can send funding_locked whenever they want, and the receiver decides whether to trust it at that point or wait for confirmations before sending theirs. No need for a feature bit or explicit negotiation, which is nice.
@pm47 curious to have your feedback on that, I think it should be easy to migrate Phoenix to this mechanism.

[t-bast]

nit:

Suggested change

	For this reason, a convincing fake number can be use; when the real
	For this reason, a convincing fake number can be used; when the real

[t-bast]

nit: indent should be the same as the previous line

[Roasbeef]

So the idea here is to leave the derivation of this value up to both sides? Some implementations of zero conf channels I've seen in the wild, prescribe a schema (like using some bits from the pending chan ID which is selected by the funder as is anyway) so both sides can use the same value until things are confirmed on-chain, and a "real" scid is generated.

[Roasbeef]

On the other hand, the freedom allowed here to implementations is attractive, since one side is effectively just telling the other "I'm referring to that channel using this value until it confirms". The other direction can use another value as long as the receiver remembers that value (and doesn't even need to write it to disk?) when it sees it in an onion payload.

[t-bast]

Is this necessary? It feels like nodes should instead watch confirmations on the funding tx to figure out the real short_channel_id by themselves instead of trusting anything their peer gives them? But it's true that it doesn't hurt to send it as an FYI...

btw, nit:

Suggested change

	- SHOULD re-transmit `funding_locked` if the `short_channel_id` for this chanel has changed.
	- SHOULD re-transmit `funding_locked` if the `short_channel_id` for this channel has changed.

[Roasbeef]

Yeah I think this is one of those things where it doesn't hurt, this way nodes explicitly ensure that they're using teh same scid value as otherwise the channel may not be able to be routed over.

[TheBlueMatt]

We should probably specify the semantics here, though - like, that both SCIDs remain active forever?

[t-bast]

Remove?

[Kixunil]

Things that are unclear to me:

• Is this actually backwards compatible? Is there any implementation that will do something strange if the peer sends funding_locked immediately?
• If my understanding is correct, a node that wants to spend push_amount needs to send funding_locked before doing so. Is it possible to somehow disable receiving/routing until the transaction confirms without being penalized?

[t-bast]

Is this actually backwards compatible?

Yes, this is fully backwards-compatible.

When you receive funding_locked, even if it looks like it's too early, you can't know for sure, because it may be your own view of the blockchain that's late. So you simply store this message for later and wait to see for yourself that minimum_depth blocks have been found before sending your own funding_locked. What this PR changes is that you can decide to accept their early funding_locked and sends yours early as well if there is some trust between you and your peer.

Is it possible to somehow disable receiving/routing until the transaction confirms without being penalized?

If you want to disable payments in both directions, just don't send your funding_locked before enough confirmations have happened.

If you want to disable in only one direction, you can simply refuse to forward by failing htlcs just after they've been added. However you cannot prevent htlcs from being added to the commit tx (unless you force-close), but I don't think it creates an attack vector if you don't forward (but I could be wrong, this deserves a deeper investigation if that's something you plan on implementing).

[Kixunil]

I don't think it creates an attack vector if you don't forward

I believe you're right, it's still money of the funder. The biggest potential issue I see is being penalized by some quality-measuring algorithms. Could we have some "please don't forward yet" flag, so that such algorithms could take it into account? I think it could be translated to marking the channel as offline.

[t-bast]

Could we have some "please don't forward yet" flag, so that such algorithms could take it into account?

This opens up a big can of worms, I would personally like to avoid it. You can't enforce it anyway (you can't prevent your peer from sending you an htlc), apart from force-closing your channel, so why bother?

Imagine that there is A -> B -> C -> D where the B -> C channel is a turbo channel where C advertised "please don't send through B -> C, still confirming, I don't trust this direction yet", but B receives an htlc that should be forwarded to C. If B decides to fail it, he gets penalized by such quality-measuring algorithms. So he'd rather forward it and see C fail it, so that it's C that gets penalized.

I'd really like to avoid these games of trying to make nice to quality-measuring algorithms (which are probably inherently buggy because they depend on heuristics that can prove wrong in practice).

[Kixunil]

Would it make sense to gossip it as disabled but still forward? It'd work similarly to a private channel for the time being. Or maybe not signing announcement is enough?

[Roasbeef]

So this scid can be made up? Is the expectation that once it has a stable ID, it's sent each time on reconnection to allow both sides to synchronize?

[TheBlueMatt]

Maybe name it something like short_channel_id_alias to make the semantics more clear? Presumably the SCID here would be something that the counterparty knows to forward to, so the user could also put it in invoices, etc?

[Roasbeef]

So the idea here is to leave the derivation of this value up to both sides? Some implementations of zero conf channels I've seen in the wild, prescribe a schema (like using some bits from the pending chan ID which is selected by the funder as is anyway) so both sides can use the same value until things are confirmed on-chain, and a "real" scid is generated.

[Roasbeef]

Yeah I think this is one of those things where it doesn't hurt, this way nodes explicitly ensure that they're using teh same scid value as otherwise the channel may not be able to be routed over.

[Roasbeef]

I think this needs a feature bit, as it would allow nodes that want to actively open these zero conf channels to seek out other peers that want to accept them.

[Roasbeef]

Also it's possible some nodes treat the early sending of funding locked as a protocol-level error?

[t-bast]

Also it's possible some nodes treat the early sending of funding locked as a protocol-level error?

That would be very surprising, you can't be sure that a funding_locked is early, when you think it's early it may be in fact your view of the blockchain that's late. Considering this a protocol error would be a mistake, when you simply need to wait for your view of the blockchain to catch up and send your own funding_locked

[t-bast]

I think this needs a feature bit, as it would allow nodes that want to actively open these zero conf channels to seek out other peers that want to accept them.

I'm really hesitant on that one. At first I agreed with you (and we've defined a feature bit for that in Phoenix). But the issue is that it's not actually binding. If Alice advertises that she accepts 0-conf, you open a channel to her, but then in fact she doesn't send her funding_locked early, you'll feel a bit cheated.

But I wouldn't hold a grudge against Alice: it's dangerous for her to accept 0-conf from any random node that comes up, so we can't expect her to universally do 0-conf...she would probably do 0-conf based on a set of heuristics (is she funder or fundee? what channel type is this? is this channel part of a service she benefits from, such as opening on-the-fly for a fee?).

[TheBlueMatt]

I'm pretty dubious of this as a general-purpose extension. I'm not sure that, in practice, you'd ever really use this by going out and finding public nodes that accept 0conf payments, its more of an extension for nodes to use when communicating with their wallet vendor's or their own node, ie manually configured.

[ariard]

I think this proposal would benefit from a feature bit. I can see in the future situation where you're seeking instant inbound liquidity because the missed economic opportunity will cost you higher than the loss multiplied by the odds of double-spend event realization. If one has to probe-and-engage-in-opening %X of the network to see who is willingly to zero-conf you're moving away from the instant effect.

Further, w.r.t to the unsafety of 0-conf, I still think trust won't be binary, one might rely on other heuristics to decide if it's a "random" node or not, e.g already-opened channels, reputation scoring, pre-paid tokens, ...

[Roasbeef]

I'm really hesitant on that one. At first I agreed with you (and we've defined a feature bit for that in Phoenix). But the issue is that it's not actually binding.

So the idea here is to use it along-side the new explicit chan funding feature. We can even make the feature bits dependent on it as well. This way a node can preferentially reject zero conf funding attempts w/ nodes for w/e reason (isn't their wallet provider, etc, etc).

[TheBlueMatt]

well. This way a node can preferentially reject zero conf funding attempts w/ nodes for w/e reason (isn't their wallet provider, etc, etc).

Why would you do that?

I can see in the future situation where you're seeking instant inbound liquidity because the missed economic opportunity will cost you higher than the loss multiplied by the odds of double-spend event realization. If one has to probe-and-engage-in-opening %X of the network to see who is willingly to zero-conf you're moving away from the instant effect.

Wouldn't this still imply a separate negotiation mechanism? If you want liquidity you'll probably engage one of the two liquidity negotiation markets that exist now. Advertising the bit is explicitly advertising "I am vulnerable to some funds-stealing attacks, please come and get it".

All that said, I think there's room for a feature bit that implies support, but not use, of the new TLV. If we expand the utility here beyond just zero conf to include SCID aliases that can be useful to advertise. Of course then the feature bit would be useless for the purpose of finding peers that will offer you unsafe forwarding features.

[t-bast]

So the idea here is to use it along-side the new explicit chan funding feature.

Unfortunately even having a channel_type for this doesn't solve the issue, it would still be non-binding.
Even if your peer says ok to a 0-conf channel_type, they may decide to wait for confirmations anyway and you can't do anything about it (apart from avoiding this node in the future).

This matches what Matt says in All that said, I think there's room for a feature bit that implies support, but not use, of the new TLV. . There is some value in advertising "I may do 0-conf for you" with a feature bit, but there's a big red flag that there's no guarantee and peers shouldn't expect it to always be 0-conf.

[Roasbeef]

Even if your peer says ok to a 0-conf channel_type, they may decide to wait for confirmations anyway and you can't do anything about it (apart from avoiding this node in the future).

Ah yeah totally makes sense, up to them if they send it or not, but either side can sort of initiate it first, letting the other side decide if they wish to cooperate in zero conf land or not. Agreed re a bit for support but not compelling usage of given the way things are specified as is.

[Roasbeef]

On the other hand, the freedom allowed here to implementations is attractive, since one side is effectively just telling the other "I'm referring to that channel using this value until it confirms". The other direction can use another value as long as the receiver remembers that value (and doesn't even need to write it to disk?) when it sees it in an onion payload.

[TheBlueMatt]

There should be some restrictions on SCID here if its not real - I think we'll want to avoid accidentally conflicting if we can. IIRC some folks have been using random numbers below the segwit activation height, which seems reasonable, its something like 58 bits which isn't infinite, but probably enough entropy to not worry about it, but that means this should say you MUST set it to a random value or something.

[rustyrussell]

On the one hand, you get to set it, if you break it you get to keep both pieces. "I will refer to this channel as X" and then you open a real channel X and you don't know which one to fwd payments to.

But that may not be obvious, so I'll add some advice.

[TheBlueMatt]

Hmm, I suppose they aren't used in gossip messages so its maybe ok that they collide? It does feel awkward that we'll let them collide in the spec just because colliding namespaces feel wrong, but I don't see any obvious issues since you can argue its just a local namespace that happens to overlap with a separate global one.

[ariard]

If you want to disable in only one direction, you can simply refuse to forward by failing htlcs just after they've been added. However you cannot prevent htlcs from being added to the commit tx (unless you force-close), but I don't think it creates an attack vector if you don't forward (but I could be wrong, this deserves a deeper investigation if that's something you plan on implementing).

If you're the 0-conf fundee and starts with a push_amount balance, I think it's always safe to send payment though unsafe to receive/forward some. Receiving, in the sense of "releasing the preimage as final payee", as we already discussed few times, the preimage knowledge might have a corresponding virtual or real-world value.

Note, I think even adding HTLCs to your fundee's commitment transaction might be unsafe/DoSy in the anchor output model, where it might trigger you to lock up more fee-bumping liquidity.

[TheBlueMatt]

Started implementing this on the LDK side. A few things need clarification, I think. In the reestablish flow should probably drop the "MUST NOT retransmit funding_locked" in case of reconnection after some commitment messages have been exchanged. In general, I think we should allow nodes to send new SCID aliases any time they want, allowing rotating SCID aliases as the counterparty sees fit (though they MUST store all previous SCID aliases they've provided and accept them for inbound routing forever).

Semantics around the contents of the fucking_locked after a few commitments have been exchanged are also somewhat confusing. I guess we can always say "always send the first per commitment point again and again", because I'm not sure how else you'd do it without race conditions that are hard to resolve. Presumably we can also just say that if commitments have been exchanged the values must be ignored.

[pm47]

@pm47 curious to have your feedback on that, I think it should be easy to migrate Phoenix to this mechanism.

It's pretty close to what we have in Phoenix (we send funding_locked immediately for zero-conf channels), so migration should be fairly easy I think. In Phoenix we pick a random scid until the funding tx is confirmed, but it doesn't really matter because in the routing hints of invoices we use a separate virtual scid that identifies the node, not a particular channel, and that's what we use for routing.

[Roasbeef]

In practice, how do y'all plan to handle colliding scid from different peers? So I have peers A and B, we're doing zero conf channel funding, but then they both send the same fake scid to use to identify their channel in the invoice/onion, etc.

Using the pubkey based routing (#814) addresses this AFAICT since those values are unlikely to collide. With pubkey based routing, you also don't need to worry about the scid at all, and can just use the same peer pubkey value and also eventually update it, plus you don't have such a small address space that you need to worry about collisions.

The other advantage of the pubkey approach is that you don't need to to handle the logic of "switching over" to using the "real" scid once the channel is eventually (or maybe it never is really?) confirmed.

Otherwise it seems you'd need to sort of interactively reject a colliding scid and force the peer to reconnect again to present you with a "valid" value?

[rustyrussell]

If you want to disable in only one direction, you can simply refuse to forward by failing htlcs just after they've been added. However you cannot prevent htlcs from being added to the commit tx (unless you force-close), but I don't think it creates an attack vector if you don't forward (but I could be wrong, this deserves a deeper investigation if that's something you plan on implementing).

If you're the 0-conf fundee and starts with a push_amount balance, I think it's always safe to send payment though unsafe to receive/forward some. Receiving, in the sense of "releasing the preimage as final payee", as we already discussed few times, the preimage knowledge might have a corresponding virtual or real-world value.

Yes, if you push me money it's always safe for me to spend it. But I decided this corner case was not worth explicitly supporting TBH, and most people seem more interested in "oh, I bought a channel off bitrefill, sure I trust it".

[rustyrussell]

In practice, how do y'all plan to handle colliding scid from different peers? So I have peers A and B, we're doing zero conf channel funding, but then they both send the same fake scid to use to identify their channel in the invoice/onion, etc.

Who cares? If Bob and Carol both refer to their Alice channels as X, no problem. Alice only needs to know what Bob uses so she can write routehints.

Using the pubkey based routing (#814) addresses this AFAICT since those values are unlikely to collide. With pubkey based routing, you also don't need to worry about the scid at all, and can just use the same peer pubkey value and also eventually update it, plus you don't have such a small address space that you need to worry about collisions.

The other advantage of the pubkey approach is that you don't need to to handle the logic of "switching over" to using the "real" scid once the channel is eventually (or maybe it never is really?) confirmed.

Otherwise it seems you'd need to sort of interactively reject a colliding scid and force the peer to reconnect again to present you with a "valid" value?

I believe you're overthinking?

(Aside: I've been idly considering a scheme where we get rid of all scids, and require nodes to prove control of some UTXO, then announce channels, say 1 channel per 10,000sat rounded up or something. This weakens anti-spam, but also greatly reduces chain-to-lightning linkage.

This scheme has other problems (what if you spend your node utxo? how do we identify channels for channel_update?), but if someone wants something to think about...

[Kixunil]

this corner case

This corner case was the original motivation for Turbo channels and has a nice property of strictly improving zeroconf security in trades (buy a channel from ATM). Other implementations, while not strictly wrong, reduce security by introducing a TTP.
History moved towards TTP even in cases where it'd be (theoretically) possible to avoid them and I suspect it was precisely because of lack of spec and thus lack of implementation (exactly one wallet supporting it). The question is if we want to continue disincentivizing security in this case.

There's another edge case: if I buy from ATM which opens turbo channel with additional liquidity and then I buy again before the initial channel confirms I should be able to reuse the channel without loss of security but I imagine it'd be quite annoying to implement.

prove control of some UTXO

Yes please!!!!!

[rustyrussell]

this corner case

This corner case was the original motivation for Turbo channels and has a nice property of strictly improving zeroconf security in trades (buy a channel from ATM). Other implementations, while not strictly wrong, reduce security by introducing a TTP.
History moved towards TTP even in cases where it'd be (theoretically) possible to avoid them and I suspect it was precisely because of lack of spec and thus lack of implementation (exactly one wallet supporting it). The question is if we want to continue disincentivizing security in this case.

Yes, nobody cared enough to propose a spec change for Turbo Channels, which is disturbing.

Note that you can still implement this, but it's not clear it's a spec issue? If you offer me free money, I can take it: this provides a mechanism to do so.

[rustyrussell]

Started implementing this on the LDK side. A few things need clarification, I think. In the reestablish flow should probably drop the "MUST NOT retransmit funding_locked" in case of reconnection after some commitment messages have been exchanged. In general, I think we should allow nodes to send new SCID aliases any time they want, allowing rotating SCID aliases as the counterparty sees fit (though they MUST store all previous SCID aliases they've provided and accept them for inbound routing forever).

Semantics around the contents of the fucking_locked after a few commitments have been exchanged are also somewhat confusing. I guess we can always say "always send the first per commitment point again and again", because I'm not sure how else you'd do it without race conditions that are hard to resolve. Presumably we can also just say that if commitments have been exchanged the values must be ignored.

I think the alias should last until you send announcement_signatures, if any. I don't think rolling multiple aliases should be explicitly supported.

[rustyrussell]

OK, I've created an alternate proposal, in PR #910

That one:

1. recommends everyone send funding_locked early.
2. provides at least one alias for the scid (even if it gets a real one later).
3. supports the push-msat no-trust case as well.

vs. This one:

1. Only recommends this for the trust case.
2. Only allows a single alias, and only for that case.

It changed enough that I made a new PR.

[Kixunil]

nobody cared enough to propose a spec change

See #565 This PR (and #910) should actually say closes #565

it's not clear it's a spec issue

Actually, I just realized it should be enough as-is:

• The channel won't get announced until transaction actually confirms (or never)
• Not announced channel can not be routed-through by outsiders
• Unless the wallet of receiver creates an invoice nobody will attempt to send sats

There's just one little case: the directly connected peer could attempt to route-out. It could help adding a bit to inform the peer to not do that or the wallets implementing this could simply avoid to send through actually unconfirmed channels.

[Kixunil]

recommends everyone send funding_locked early.

Did you mean to say everyone who believes they won't be a victim of theft?

[Roasbeef]

@rustyrussell

I believe you're overthinking?

Am I? Put simply: if two peers send the same scid, then I don't know how to route payments to those channels as the identifier they'll put in their hop hints and the onion will collide.

Who cares? If Bob and Carol both refer to their Alice channels as X, no problem. Alice only needs to know what Bob uses so she can write routehints.

What does Alice do when an onion that wants to route to channel X arrives? Does she send the HTLC to Bob or Carol?