Bitcoin Optech Newsletter #129: 2020 Year-in-Review Special Bitcoin Optech

199 Views

This special edition of the Optech Newsletter summarizes notable developments in Bitcoin during all of 2020. It’s the sequel to our summaries from 2018 and 2019.

As we’ve done in our previous annual summaries, we must prefix what
you’re about to read with an apology. Many more people worked on both
maintaining and improving Bitcoin’s technology than we could possibly
ever write about. Their fundamental research, code review, bug fixes,
test writing, administrative work, and other thankless activities may
not be described here—but it is not unacknowledged. If you contributed
to Bitcoin in 2020, please accept our deepest thanks.

Contents

January

Several developers began working on a specification for using Discreet Log Contracts (DLCs) between different
software. DLCs are a contract protocol where two or more parties agree
to exchange money dependent on the outcome of a certain event as
determined by an oracle (or several oracles). After the event happens,
the oracle publishes a commitment to the outcome of the event
that the winning party can use to claim
their funds. The oracle doesn’t need to know the terms of the contract
(or even that there is a contract). The contract can be made
indistinguishable from many other Bitcoin transactions or it can be
executed within an LN channel. This makes DLCs more private and
efficient than other known oracle-based contract methods, and it’s
arguably more secure as an oracle that commits to a false
result generates clear evidence of fraud. By the end of the year,
there would be four compatible implementations of DLCs, an
application for offering and accepting
DLC-based peer-to-peer derivatives, and several users reporting that they’d used DLCs in transactions on mainnet.

February

Five years after the first public presentation about LN, several early protocol decisions meant to be temporary were
revisited. The most immediate change was the February update to the LN specification that allowed users to opt out of the
maximum channel and payment value limits enacted
in 2016.

Another early decision that saw reconsideration was keeping the protocol
simple by opening all channels with a single funder. This minimizes
protocol complexity but prevents channel funders from receiving any
payments until they’ve spent some of their funds—a position that
creates barriers to merchants joining LN. One proposal to eliminate
this problem is dual-funded channels where both the channel opener and
their counterparty commit some amount of funds to the channel.
Lisa Neigut has developed a protocol for dual funding, but
(as expected) it’s complex. In February, she started a
discussion about an incremental
improvement over the existing single-funder standard that would allow
interactive construction of the funding transaction. Instead of the
current case where one party proposes a channel open and the other party
either accepts it or rejects it, the nodes belonging to the two parties
could exchange information about their preferences and negotiate opening
a channel that they would both find desirable.

New progress was also made on the often-discussed plans to allow
rendez-vous routing for LN, which was labeled a priority during the
2018 LN specification meeting. A new method for achieving
equivalent privacy was described by Bastien
Teinturier in February based on a previous privacy enhancement he had
proposed. This new method, called blinded paths, was later
implemented as an experimental feature in C-Lightning.

March

One method hardware wallets could use to steal bitcoins from their users is by
leaking information about the wallet’s private keys via the transaction
signatures it creates. In March, Stepan Snigirev,
Pieter Wuille, and several others discussed
possible solutions to this problem for both Bitcoin’s current ECDSA
signature system and the proposed schnorr signature system.

2020 summary
Taproot, tapscript, and schnorr signatures

Nearly every month of 2020 saw some notable development related to the
proposed taproot soft fork (BIP341) which also adds
support for schnorr signatures (BIP340)
and tapscript (BIP342). Together, these
improvements will allow users of single-signature scripts,
multisignature scripts, and complex contracts to all use
identical-appearing commitments that enhance their privacy and the
fungibility of all bitcoins. Spenders will enjoy lower fees and the
ability to resolve many multisig scripts and complex contracts with the
same efficiency, low fees, and large anonymity set as single-sig users.
Taproot and schnorr also lay the groundwork for future potential
upgrades that may improve efficiency, privacy, and fungibility further,
such as signature aggregation, SIGHASH_ANYPREVOUT, and scripting language changes.

This special section concentrates the summaries about those developments
into a single narrative that we hope will be easier to follow than
describing each event separately in the month it occurred.

January started with a discussion of soft fork activation mechanisms,
with Matt Corallo proposing a careful and patient
approach to addressing disagreements between different sets of
stakeholders. Other developers focused on the BIP8 proposal to be
able to quickly bypass the type of procedural problem that delayed
segwit activation in 2016 and 2017. The discussion about what precise
activation mechanism to use would continue all year, in a dedicated IRC
channel and elsewhere, with there being both a
developer survey about mechanism design and a
survey of miners about their support for
taproot.

February saw the first of several updates during the year to the
algorithms used to derive public keys and signatures in the BIP340
specification of schnorr signatures. Most of
these changes were small optimizations discovered from
experience implementing and testing the
proposal in libsecp256k1 and its experimental fork
libsecp256k1-zkp. Also in February, Lloyd Fournier
extended Andrew Poelstra’s previous
security proof for taproot.

In March, Bitcoin Core carefully changed its consensus
code—without introducing a fork—to remove an inefficiency in the
parsing of OP_IF and related flow control opcodes. Currently, the
inefficiency can’t be exploited to cause problems, but the extended
capabilities proposed for tapscript would have made it possible for an
attacker to use the inefficiency to create blocks that could take a
large amount of computation to verify.

Although much of the public attention on taproot focuses on its change
to Bitcoin’s consensus rules, taproot won’t be a positive contribution unless
wallet developers can use it safely. In April, and throughout the year,
several updates to BIP340 changed the recommendations for
how developers should generate public keys
and the signature nonce. The changes are probably only directly
interesting to cryptographers, but the history of Bitcoin has many
examples of people losing money because a wallet developer didn’t fully
understand the cryptographic protocol they implemented. Hopefully, the
recommendations from experienced cryptographers in BIP340 will help
avoid some of those types of problems in the future.

In May, there was renewed discussion about
the blinded ownership attack that makes it
dangerous to automatically sign transactions with a hardware wallet.
Ideally, hardware wallets could provide a mode where they’d automatically
sign transactions guaranteed to increase the wallet’s balance, such as
maker coinjoins and LN splices. Unfortunately, it’s
only safe to sign a transaction if you know for sure which inputs are
yours—otherwise an attacker can get you to sign a transaction that
looks like it only has one of your inputs, then get you to sign a
different version of the same transaction that also looks like it only
has one of your inputs (a different input than the first version), and
finally combine the signatures for the two different inputs into the
actual transaction that pays your money to the attacker. This
isn’t normally a risk because most people today only use hardware
wallets to sign transactions where they own 100% of the inputs, but for
coinjoins, LN splices, and other protocols, it’s expected that other users
may partly or fully control some of the inputs. It was proposed that
taproot provide an additional way to commit to inputs that can be used
in conjunction with data provided in a PSBT to ensure a
hardware wallet will only generate a valid signature when it has enough
data to identify all of its inputs. This proposal was later
accepted into BIP341.

Illustration of using a fake coinjoin to trick a hardware wallet into losing funds

In July, another discussion resumed about a previously known problem—the
bech32 address format being less effective than
expected at preventing users from sending money to unspendable
addresses. This doesn’t practically affect current bech32 address
users, but it could be an issue for planned taproot addresses where the
addition or removal of a small number of characters could lead to the
loss of funds. Last year it was proposed to simply extend the
protection current segwit v0 addresses have to segwit v1 (taproot)
addresses, but that would reduce the flexibility of future upgrades.
This year, after more research and debate, there seemed to be
agreement among developers that taproot and future segwit-based script
upgrades should use a new address format that’s a slight tweak on the
original BIP173 bech32 addresses. The new format will resolve the
deficiency and provide some other nice properties.

In September, the code implementing schnorr signature verification and
single-party signing functions from BIP340 was merged into libsecp256k1 and soon became part of Bitcoin
Core. This allowed the subsequent October merge of the verification code for taproot, schnorr, and tapscript.
The code consists of about 700 lines of consensus-related changes (500
excluding comments and whitespace) and 2,100 lines of tests. Over 30
people directly reviewed this PR and related changes, and many others
participated in developing and reviewing the underlying research, the
BIPs, the related code in libsecp256k1, and other parts of the system.
The new soft fork rules are currently only used in signet and Bitcoin Core’s
private test mode (“regtest”); they need to be activated before they can
be used on Bitcoin’s mainnet.

Many of the contributors to taproot spent the remainder of the year
focusing on the 0.21.0 release of Bitcoin Core with the intention that a
subsequent minor release, possibly 0.21.1, will contain code that can
begin enforcement of taproot’s rules when an appropriate activation
signal is received.

April

The payjoin protocol based on the 2018 Pay-to-EndPoint
proposal received a major boost in April when a version of
it was added to the BTCPay self-hosted payment
processing system. Payjoin provides a convenient way for users to
increase their privacy and the privacy of other users on the network by
creating transactions that undermine the assumption that the same person
owns all of the inputs in a transaction. The BTCPay version of payjoin
would soon be specified as BIP78 and support for
it was added to other programs.

One widely desired improvement to LN is switching the payment security
mechanism from Hash Time Locked Contracts (HTLCs) to Point
Time Locked Contracts (PTLCs) that improve the privacy of
spenders and receivers against a variety of surveillance methods. One
complication is that the ideal multiparty PTLC construction is
challenging to implement using Bitcoin’s existing ECDSA signature
scheme (although it’d be easier with schnorr signatures). Early in the year, Lloyd Fournier circulated a
paper analyzing signature adaptors by disentangling their core locking and information exchange
properties from their use of multiparty signatures, describing an easy
way to use plain Bitcoin Script-based multisig instead. During an April
hackathon, several developers produced a rough
implementation of this protocol for a fork of the popular libsecp256k1
library. Later, in September, Fourier would further advance the
practicality of PTLCs without needing to wait for changes to Bitcoin by
proposing a different way to construct LN commitment transactions. In December, he would
propose two new ways to improve the robustness
of LN backups, again offering practical solutions to user problems
through the clever use of cryptography.

April also saw Ethan Kosakovsky post a proposal
to the Bitcoin-Dev mailing list for using one BIP32 Hierarchical
Deterministic (HD) keychain to create seeds for child HD keychains that
can be used in different contexts. This may address the problem that
many wallets don’t implement the ability to import extended private keys
(xprvs)—they only allow importing either an HD seed or some precursor
data that is transformed into the seed (e.g. BIP39 or SLIP39 seed
words). The proposal allows a user with multiple wallets to backup all
of them using just the super-keychain’s seed. This proposal would
later become BIP85 and would be implemented in
recent versions of the ColdCard hardware wallet.

Two announcements about vaults were made in April. Vaults
are a type of contract known as a covenant that produces a warning
when someone is trying to spend the covenant’s funds, giving
the covenant’s owner time to block a spend they didn’t authorize. Bryan Bishop announced a prototype
vault based on his proposal
from last year. Kevin Loaec and Antoine Poinsot announced their own
project, Revault, that focuses
on using the vault model to store funds shared between multiple users
with multisig security. Jeremy Rubin also announced a new high level
programming language designed for building stateful
smart contracts with the proposed OP_CHECKTEMPLATEVERIFY opcode, which could make it easier to create and
manage vaults.

May

The Bitcoin Core project merged several PRs in May and the following
months that improved transaction origin privacy, both
for users of the Bitcoin Core wallet and for users of other systems.
Bitcoin Core #18038 began tracking whether at
least one peer had accepted a locally-generated transaction, allowing
the wallet to significantly reduce the frequency Bitcoin Core used to
rebroadcast its own transactions and making it harder for surveillance
nodes to identify which node originated the transaction. PRs
#18861 and #19109 were
able to block a type of active scanning by
surveillance nodes by only replying to requests for
a transaction from peers the node told about the transaction, further
reducing the ability of third parties to determine which node first
broadcast a transaction. PRs #14582 and
#19743 allow the wallet to automatically
try to eliminate address reuse links when it wouldn’t cost the user any extra fees (or, alternatively,
allowing the user to specify the maximum extra they’re willing to spend
in order to eliminate such links).

Late May and early June saw two significant developments in coinswaps.
Coinswap is a trustless protocol that allows two or more users to create
transactions that look like regular payments but which actually swap
their coins with each other. This improves the privacy of not just the
coinswap users but all Bitcoin users, as anything that looks like a
payment could have instead been a coinswap.

  • Succinct Atomic Swaps (SAS): Ruben Somsen wrote a post and created
    a video describing a procedure for a trustless exchange
    of coins using only two transactions. The protocol has several
    advantages over earlier coinswap designs: it requires less block space, it
    saves on transaction fees, it only requires consensus-enforced
    timelocks on one of the chains in a cross-chain swap, and it doesn’t
    depend on any new security assumptions or Bitcoin consensus changes.
    If taproot is adopted, swaps can be made even more privately and
    efficiently.

  • Coinswap implementation: Chris Belcher posted
    a design for a full-featured coinswap implementation. His initial
    post     included the history of the coinswap idea,
    suggested ways the multisig conditions needed for coinswap could be
    disguised as more common transaction types, proposed using a market
    for liquidity (like JoinMarket already does), described splitting and
    routing techniques to reduce privacy losses from amount correlation or
    spying participants, suggested combining coinswap with payjoin, and discussed some of the backend requirements for the
    system. Additionally, he compared coinswap to other privacy
    techniques such as using LN, coinjoin, payjoin, and
    payswap. The proposal received a significant amount of expert discussion and a number of
    suggestions were integrated into the protocol. By December, Belcher’s
    prototype software was creating coinswaps on
    testnet that demonstrated their strong lack of linkability.

Since Bitcoin’s early days, one of the challenges of developing
lightweight clients with SPV security has been finding a way for the
client to download transactions affecting its wallet without giving the
third party server providing the transactions the ability to track the
wallet’s receiving and spending history. An initial attempt at this was
BIP37-style bloom filters, but
the way wallets used them ended up providing only minimal privacy and created denial of service risks for the full nodes that served them. An anonymous developer
posted to the Bitcoin-Dev mailing list in May 2016 suggesting an
alternative construction of a single bloom filter per block
that all wallets could use. The idea was quickly refined, implemented, and specified,
becoming the BIP157 and BIP158 specifications of compact block
filters. This can significantly improve
the privacy of lightweight clients, although it does increase their
bandwidth, CPU, and memory requirements compared to current popular
methods. For full nodes, it reduces the DoS risk to that of a simple
bandwidth exhaustion attack, which nodes can already address with
bandwidth throttling options. Although merged on the server side in
btcd in 2018 and proposed for Bitcoin Core around the same
time, 2020 saw the P2P part of the protocol merged piecewise into Bitcoin Core in May through
August, culminating with the ability for a node
operator to opt in to creating and serving compact block filters by
enabling just two configuration options.

2020 summary
Major releases of popular infrastructure projects

  • LND 0.9.0-beta released in January improved the access control list
    mechanism (“macaroons”), added support for receiving multipath
    payments    , added the ability to send
    additional data in an encrypted onion message, and allowed requesting
    channel close outputs pay a specified address (e.g. your hardware
    wallet).

  • LND 0.10.0-beta released in May added support for sending
    multipath payments, allowed funding channels using an external wallet
    via PSBTs, and began supporting the creation of invoices
    larger than 0.043 BTC.

  • Eclair 0.4 released in May added compatibility with the
    latest version of Bitcoin Core and deprecated the Eclair Node GUI
    (referring users to instead to Phoenix or Eclair Mobile).

  • Bitcoin Core 0.20.0 released in June began defaulting to bech32
    addresses for RPC users, allowed configuring RPC permissions for
    different users and applications, and added some basic support for
    generating PSBTs in the GUI.

  • C-Lightning 0.9.0 released in August provided an updated pay
    command and an RPC for sending messages over LN.

  • LND 0.11.0-beta released in August allowed accepting large
    channels    .

June

June was an especially active month for the discovery and discussion of
vulnerabilities, although many problems were discovered earlier or fully
disclosed later. The notable vulnerabilities included:

  • Overpayment attack on multi-input segwit transactions:
    in June, Trezor announced Saleem Rashid had discovered a weakness in
    segwit’s ability to prevent fee overpayment attacks. Fee overpayment
    attacks are a well known weakness in Bitcoin’s original transaction
    format where signatures don’t commit to the value of an input,
    allowing an attacker to trick a dedicated signing device (such as a
    hardware wallet) into spending more money than expected. Segwit tried
    to eliminate this issue by having each signature commit to the amount
    of the input it spent. However, Rashid re-discovered a problem
    previously discovered and reported by Gregory Sanders in 2017 where a specially
    constructed transaction with at least two inputs can get around this
    limitation if the user can be tricked into signing two or more
    seemingly identical variations of the same transaction. Several
    developers felt this was a minor issue—if you can get a user to sign
    twice, you can get them to pay the receiver twice, which also loses
    their money. Despite that, several hardware wallet manufacturers
    released new firmware that implemented the same protection for segwit
    transactions that they’ve successfully used to prevent fee
    overpayments in legacy transactions. In some cases, such as in the
    ColdCard wallet, this security improvement was implemented
    non-disruptively. In other hardware wallets, the implementation broke
    support with existing workflows, forcing updates to the BIP174
    specification of PSBT and software such as Electrum, Bitcoin Core, and
    HWI.

    Fee overpayment attack illustration

  • LN payment atomicity attack: as LN developers
    worked to implement the anchor outputs
    protocol to eliminate risks related to rapid rises in transaction
    feerates, one of the key contributors to that protocol—Matt
    Corallo—discovered it would enable a new vulnerability. A malicious
    counterparty could attempt to settle an LN payment (HTLC) using a low feerate and a transaction pinning technique that prevents the transaction or a fee
    bump of it from being confirmed quickly. The delayed confirmation
    causes the HTLC’s timeout to expire, allowing the attacker to steal
    back funds they paid to the honest counterparty. Several solutions
    were proposed, from changes to the LN
    protocol, to third-party markets, to soft fork consensus
    changes    , but no solution has yet gained any
    significant traction.

  • Fast LN eclipse attacks: although Bitcoin
    protocol experts from Satoshi Nakamoto to present have been aware that
    a node isolated from any honest peer can be deceived into accepting
    unspendable bitcoins, a category of problems sometimes called eclipse
    attacks    , Gleb Naumenko and Antoine Riard
    published a paper in June showing that eclipse attacks could steal
    from LN nodes in as little as two hours—although it would take
    longer to steal from LN nodes that were connected to their own full
    verification nodes.
    The authors suggest the implementation of more methods for avoiding
    eclipse attacks, which did see several positive developments in the
    Bitcoin Core project this year.

  • LN fee ransom: René Pickhardt publicly
    disclosed a vulnerability to the Lightning-Dev mailing list that he
    had previously privately reported to LN implementation maintainers
    almost a year earlier. A malicious channel counterparty can initiate
    up to 483 payments (HTLCs) in an LN channel and then close the
    channel, producing an onchain transaction whose size is about 2% of an
    entire block and which needs to have its transaction fee paid by the
    honest node. Simple mitigations for this attack were implemented in
    several LN nodes and the use of anchor outputs
    is also expected to help, but no comprehensive solution has yet been
    proposed.

  • Concern about HTLC mining incentives: two
    papers about out-of-band HTLC bribes were discussed in late June and
    early July. HTLCs are contracts used to secure LN
    payments, cross-chain atomic swaps, and several other trustless
    exchange protocols. They work by giving a receiving user a period of
    time where they have the exclusive ability to claim a payment by
    releasing a secret data string; after the time expires, the spending
    user can take back the payment. The papers examined the risk that
    the spending user could bribe miners to release the secret data but
    not confirm the transaction containing it, allowing the timelock to
    expire so that the spender would get their money back but still learn
    the secret. Developer ZmnSCPxj reminded the researchers of a
    well known mechanism that should prevent such problems, a mechanism he
    helped implement in C-Lightning. Although the idea
    works in theory, using it will cost users money, so research into
    better solutions is still encouraged.

  • Inventory out-of-memory Denial-of-Service attack (InvDoS):
    an attack originally discovered in 2018 that affected the Bcoin and
    Bitcoin Core full nodes, which was responsibly disclosed
    and fixed at that time, was reevaluated in June 2020 and found to also
    apply to the Btcd full node. An attacker could flood a victim’s node
    with an excessive number of new transaction announcements (inv
    messages), each containing nearly the maximum allowed number of
    transaction hashes. When too many of these announcements were queued,
    the victim’s node would run out of memory and crash. After Btcd fixed
    the problem and users were given time to upgrade, the vulnerability
    was publicly disclosed.

June also had some good news, with a team of researchers working on the
Wasabi coinjoin implementation announcing a protocol
named WabiSabi that should allow
trustless server-coordinated coinjoins with arbitrary output values.
This makes it easier to use coordinated coinjoins to send payments,
either between participants in the coinjoin or to non-participants.
Wasabi developers worked on implementing the protocol during the
remainder of the year.

July

July saw the merge of the BIP339 specification for wtxid
transaction announcements. Nodes have historically announced the
availability of new unconfirmed transactions for relay using the
transaction’s hash-based identifier (txid), but when the proposed segwit
code was being reviewed in 2016, Peter Todd discovered that a malicious node could get other nodes on the network to
ignore an innocent user’s transaction by invalidating witness data in the transaction
that is not part of its txid. A quick
fix was implemented at the time, but it had some
minor downsides and developers knew that the best solution—despite its
complexities—was to announce new transactions using their
witness txid (wtxid). Within a month of BIP339 being added to the BIPs
repository, wtxid announcements were merged into Bitcoin
Core. Although seemingly a minor concern without any obvious effect on
users, wtxid announcements simplify the development of
hoped-for upgrades, such as package relay.

August

After over a year of development, including multiple feedback-driven changes, the last
major revision to the BIP325 specification of
signet was merged in early August. Signet is a protocol
that allows developers to create public test networks and also the name
of the primary public signet. Unlike Bitcoin’s existing public test
network (testnet), signet blocks must be signed by a trusted party.
This prevents vandalism and other problems that occur because testnet
uses Bitcoin’s economic-based consensus convergence mechanism (proof of
work) even though testnet coins have no value. The ability to
optionally enable signet was finally added to Bitcoin Core
in September.

Almost two years after Matt Corallo first proposed the CPFP carve-out mechanism, the LN
specification was updated to allow the creation of
anchor outputs that use carve outs for security.
Anchor outputs allow a multiparty transaction to be fee bumped even if
one of the parties attempts to use a transaction pinning attack to prevent fee bumps. The ability to fee
bump transactions even under adversarial conditions allows LN nodes to
accept offchain transactions without worrying about feerates increasing in
the future. If it later becomes necessary to broadcast that offchain
transaction, the node can choose an appropriate feerate for it at
broadcast time. This simplifies the LN protocol and improves several
aspects of its security.

2020 summary
Bitcoin Optech

In Optech’s third year, 10 new member companies joined, we
held a taproot workshop in London,
published 51 weekly newsletters, added 20 new pages to
our topics index, added several new wallets and services to our
compatibility index, and published several contributed blog
posts about Bitcoin scaling technology.

September

In a 2011 forum post, early Bitcoin contributor Hal Finney
described a method by Gallant, Lambert, and Vanstone (GLV) to reduce the
number of expensive computations needed to verify Bitcoin transaction
signatures. Finney wrote a proof-of-concept implementation, which he
claimed sped up signature verification by around 25%. Unfortunately,
the algorithm was encumbered by U.S. Patent 7,110,538 and so
neither Finney’s implementation nor a later implementation by Pieter
Wuille was distributed to users. On September 25th, that patent
expired. Within a month, the code was merged into Bitcoin Core. For users with the default settings, the speed
improvement will be most apparent during the final part of syncing a new
node or when verifying blocks after a node has been offline for a while.
Finney died in 2014, but we remain grateful for his two decades of work
on making cryptographic technology widely accessible.

Square announced the formation of the Cryptocurrency Open Patent Alliance (COPA) to
coordinate the pooling of patents related to cryptocurrency technology.
Members allow anyone to use their patents freely and, in exchange,
receive the ability to use patents in the pool in defense against patent
aggressors. As of this writing, the alliance had 18 members: ARK.io, Bithyve, Blockchain Commons, Blockstack,
Blockstream, Carnes Validadas, Cloudeya Ltd., Coinbase, Foundation
Devices, Horizontal Systems, Kraken, Mercury Cash, Protocol Labs,
Request Network, SatoshiLabs, Square, Transparent Systems, and
VerifyChain.

October

October saw a significant increase in discussion among LN developers
about solving the jamming problem first described in 2015, as well
as related problems. An LN node can route a payment to itself across a
path of 20 or more hops. This allows an attacker with 1 BTC to
temporarily lock up 20 BTC or more belonging to other users. After
several hours of locking other users’ money, the attacker can cancel the
payment and receive a complete refund on their fees, making the attack
essentially free. A related problem is an attacker sending 483 small
payments through a series of channels, where 483 is the maximum number
of pending payments a channel may contain. In this case, an attacker
with two channels, each with 483 slots, can jam over 10,000 honest
connection slots—again without paying any fees. A variety of possible solutions were discussed, including forward upfront
fees paid from the spender to each node along the path, backwards
upfront fees paid from each payment hop to
the previous hop, a combination of both forward
and backwards fees, nested incremental routing, and fidelity bonds. Unfortunately,
none of the methods discussed received widespread acceptance and so the
problem remains unsolved.

Illustration of LN liquidity and HTLC jamming attacks

Two money-stealing attacks against LND that were discovered and reported
by Antoine Riard in April were fully disclosed in October. In one case, LND could be tricked into
accepting invalid data; in the other case, it could be tricked into
disclosing secret data. Thanks to Riard’s responsible disclosure and
the LND team’s response, we are unaware of any users who lost funds.
The LN specification was updated for both problems to help new implementations avoid them.

Over five years after the introduction of the initial segwit proposal,
and three years after its activation, there remains no universal way to
create and verify plain text messages signed using the keys that
correspond to a P2WPKH or P2SH-P2WPKH address. The problem exists more
generically as well: there’s no widely supported way to handle messages
for P2SH, P2WSH, and P2SH-P2WSH addresses either—nor a forward
compatible way that will work for taproot addresses. The BIP322
proposal for a generic signmessage function
is an attempt to fix all of these issues, but it’s failed to gain much
traction. This year saw an additional request for feedback from its champion, a simplification, and (in October) a nearly complete
replacement of its core mechanism.
The new mechanism makes message
signing potentially compatible with a large amount of existing software
and hardware wallets, as well as the PSBT data format, by
allowing the signing of virtual transactions that look like real
transactions but which can be safely signed because they aren’t valid
according to Bitcoin’s consensus rules. Hopefully, this improvement will
allow generic signmessage to start to receive adoption.

Jonas Nick, Tim Ruffing, and Yannick Seurin published
the MuSig2 paper in October describing a new variant of the
MuSig signature scheme with a two round signing protocol
and no need for a zero-knowledge proof. What’s more, the first round
(nonce exchange) can be done at key setup time with a non-interactive
signing variant that could be particularly useful for cold storage and
offchain contract protocols such as LN.

Also in October, Bitcoin Core became the first project to
merge an implementation of the version 2 addr
message. The addr message advertises the network
addresses of potential peers, allowing full nodes to discover new peers
without any centralized coordination. The original Bitcoin addr
message was designed to hold 128-bit IPv6 addresses, which also allowed
it to contain encoded IPv4 addresses and version 2 Tor onion addresses.
After almost 15 years in production, the Tor project deprecated version
2 onion services and will stop supporting them in July 2021. Newer
version 3 onion addresses are 256 bits, so they’re not usable with the
original addr messages. The BIP155 upgrade of the addr message
provides more capacity for Tor addresses and also makes it possible to use
other anonymity networks that require larger addresses.

November

As mentioned in the February section, one challenge faced in the current
LN network is that users and merchants need channels with incoming
capacity in order to receive funds over LN. A fully
decentralized solution to that problem could be the dual-funded channels
described earlier. However, in November, Lightning Labs took a
different track and announced a new Lightning
Pool marketplace for buying incoming LN channels. Some existing node
operators already provide incoming channels, either for free or as a
paid service, but Lightning Pool may be able to use its centrally
coordinated marketplace to make this service more standardized and
competitive. It’s possible this could also be upgraded to work with
dual funded channels when they become available.

December

Last year, Rusty Russell published a first draft of a proposed
specification for LN offers, the ability for a spending
node to request an invoice from a receiving node over the onion-routed
LN network. Although the existing BOLT11 provides an invoice
protocol, it doesn’t allow for any protocol-level negotiation between
the spender and receiver nodes. Offers would make it possible for the
nodes to communicate additional information and automate payment steps
that currently require manual intervention or additional tools. For
example, offers could allow LN nodes to manage recurring payments or
donations by having a spender node request a new invoice each month from
a receiver node. In December 2020, the first in a series of commits by
Russell to C-Lightning for implementing offers was merged.

Conclusion

One of the things we love about summarizing the past year’s events is
that every bit of progress is fully realized. The summary above does
not contain promises about what Bitcoin will do in the future—it lists
only actual accomplishments achieved in the past 12 months. Bitcoin
contributors have a lot to be proud of in 2020. We can’t wait to see
what they have in store for us in 2021.

The Optech newsletter will return to its regular Wednesday publication
schedule on January 6th.

—Source link—

What do you think?

0 points
Upvote Downvote

Kaiko 2020 Year in Review Kaiko Data – Medium

Announcing our first Bitcoin Core developer grants The Coinbase Blog – Medium