Update messaging and serialization

[Tibo-lg]

This PR is a proposal to update the update the serialization to make it more efficient, concise and upgradable. The current message format specifies hard coded type prefixes for embedded type that don't require them, making it a maintenance burden and inefficient. It also lacks any extensibility or upgradability mechanism.

Changes include:

• Add protocol version to offer_dlc
• Add tlv streams to wire messages
• Define three types of subtypes and specific serialization format for each of them (and update type definitions accordingly)

I hesitated to move the wire message definitions to Messaging.md as previously discussed but to keep the diff small I didn't.

[benthecarman]

maybe we should define a advertisement message now and just use that as an initial message in current setups so we don't have to define a new offer_dlc_vx once we have this.

[Tibo-lg]

let me know if I misunderstand you, but I feel having an advertisement message would not remove the need to have a prrotocol version field (if that's what you're proposing?). Nodes could potentially support multiple protocol version so announcing it in the offer message still seem necessary to me.

[benthecarman]

I am confused why we are removing these types

[Tibo-lg]

Before we used type tags in two cases:

• for types that are embedded in others. In this case I couldn't see any use of the tag since if you know exactly what you want to parse a tag doesn't bring anything (happy to be corrected if I missed something).
• for cases where there are multiple version of a field (this case). I couldn't see any reason to use type numbers that are assigned by LN for wire messages, as this is both less efficient and a waste of them AFAICT (again happy to be corrected if I'm wrong).

[nkohen]

do we not want to support the "it's okay to be odd" design here?

[Tibo-lg]

My thinking was that the odd/even requirements in LN are used for extensibility, and to determine whether a TLV or message is part of the base protocol or part of a higher layer (application specific) protocol. The way sibling types are defined, there is no case where they should be ignored, so I didn't see a good reason to use the odd/even requirements. If I am missing something and you have in mind a use case for it I'm happy to change.

[ariard]

Instead of envisioning sibling type, we could define an even type for a field, servicing as reference and any future, alternative field as an odd one ?

[Tibo-lg]

@ariard sorry I completely missed your comments. I don't really get what you mean here though, the point of sibling type is not for extensibility or upgradeability but just for cases where within a data structures, a field can have different types.

[nkohen]

no bigsize length requirement?

[Tibo-lg]

This follows somehow from the previous point. The length requirement is useful for parsing unknown types or things that should be ignored, but I couldn't think of how it would be useful here (again happy to change it if there is a good reason).

[Christewart]

Aren't you assuming everything is a static size then? An example of something that has non deterministic size is ECDSA signatures. IIRC they can very anywhere in between 68 - 72 bytes in size. If you don't explicitly encode the size, you can't parse the message if i understand this correctly.

[Tibo-lg]

In general for fields that have variable length we have length prefixes in the type definition itself, like your example of ECDSA signature

[nkohen]

I'm not sure I understand, are these simple sub-types then? If so I don't get the point of a simple sub-type with a version number, wouldn't it make more sense to have a sibling sub-type with just one version?

[Tibo-lg]

You're right updated

[nkohen]

seems a little redundant to have both of these

[nkohen]

I personally think the offer should signal the features it supports and requires which are two separate things, and then have a field in the accept with the feature set to be used, so for example you could have an offer that had a new feature enabled but not required where the accepter can choose whether or not to use it.

[Tibo-lg]

I personally see these two fields as providing different information.
protocol_version indicates which language I speak, and enables the receiver to determine whether they will be able to understand the content of the messages that are exchanged. Ideally in the future nodes should advertise which version of the protocol they support so that other peers will know how to communicate with them.
contract_flags are used to signal features as you mention.
Does that make sense?

[ariard]

In a Lightning/DLC world, I'm not sure if the protocol_version is making sense as new protocol subset can be introduced as new messages types and the question of whom to talk to is already solved with the feature bits space ?
I agree with the necessity of a contract_flags, see my other point mentioning the LN discussion on channel_type.

[Tibo-lg]

For me contract_flags ad protocol_version are two separate things. The protocol version is for breaking changes in the protocol specifications and enabling nodes to see whether they are compatible with a version or not. Contract flags is for a given protocol version whether a node supports a feature or not.
I guess we could use contract version for both but it doesn't feel optimal to me.
Happy to discuss though, I don't have that strong of an opinion about how things should be, just that it's practical to have some sort of upgradeability mechanism.

[nkohen]

nit: I think this is backwards, should be [`bigsize`:`protocol_version`]

[Tibo-lg]

Thanks fixed

[nkohen]

I take it none of offer_tlvs, accept_tlvs or sign_tlvs have any currently existing fields correct?

[Tibo-lg]

correct

[nkohen]

I'm not sure I understand the necessity for this requirement?

[nkohen]

Especially seeing as simple sub-types can presumably have optional fields?

[Tibo-lg]

You're right removed.

[nkohen]

Is this now a 0x00 for every absent optional field or for every empty group of consecutive fields or?

[Tibo-lg]

As discussed replaced the type identifier with a single byte indicating absence/presence of an optional field.

[ariard]

After reading this proposal, I'm leaning towards the LN-way for upgradeability/nesting.

If the message is flow is different, introduce a new message type. If the message flow is the same and we're extending message semantic, add a TLV field.

If we want nested data struct, I think we can achieve it the way onions (BOLT4) are done, versioning and new namespaces at each nesting entry ?

[ariard]

Browsing through the BOLTs again, tlv_stream are extensions to already defined messages, allowing to add optional fields in a backward compatible-way ?

Throughout the protocol, a TLV (Type-Length-Value) format is used to allow for the backwards-compatible addition of new fields to existing message types.

IIUC your proposal correctly it defines the content of any of our DLC messages as a TLV namespace itself ? Not sure if it's achieving it's purpose of bandwidth-saving as the type/length components of a tlv_record are redundant information for mandatory fields ?

[Tibo-lg]

My point was to have tlv_stream for the exact same purpose as LN, so maybe the way I've written things is confusing?

[ariard]

Instead of envisioning sibling type, we could define an even type for a field, servicing as reference and any future, alternative field as an odd one ?

[ariard]

Can you give an example of "plain sub-type" ? I'm not sure I'm following on the replacement part...

[Tibo-lg]

Added an example. I think the naming is probably not great. But basically the point is that before we had type prefixes for fields that were neither optional or sibling.

[ariard]

Maybe we should wait for the channel_type discussion to settle on the LN-side and piggy-back there, defining new DLC features as-yet-another-channel ?

See lightning/bolts#880 and this week LN meeting : https://gnusha.org/lightning-dev/2021-07-05.log

[Tibo-lg]

Can you clarify what you would like to do here?

[Christewart]

is there any precedent for this in other deployed cryptocurrency protocols? Could you reference some resources you used for this if so?

It seems like this isn't just a problem with our protocol, but every cryptocurrency protocol that has versioning.

[Christewart]

Oh sorry, this is a TODO nevermind.

[Tibo-lg]

I think having a protocol version is really common in any kind of protocol. It's for example used in the bitcoin p2p protocol: https://en.bitcoin.it/wiki/Protocol_documentation#version

[Christewart]

it would be nice to have a list of known protocol_versions. My understanding is the first one is introduced in this PRs test vectors. It would be nice to have it listed somewhere in this doc

[benthecarman]

why not start at 0?

[matthewjablack]

+1 Looks like #171 starts with 0

[matthewjablack]

I'm confused about the purpose of the TLV here

Should there be a separate TLV and message format?

Currently OracleAnnouncementV0 and OracleAttestmentV0 are both TLVs (at least they're both implemented as TLVs in bitcoin-s and node-dlc)

(Also looks like TLV is not specified in #171 https://github.com/discreetlogcontracts/dlcspecs/pull/171/files#diff-b8a9c2888fe05c198758fbe393798cd0802b578f7eb07dbf82cc2c90616f97c3R402 )

[benthecarman]

+1 if nothing else is changing about the announcements I don't see the reasoning of changing the type

[Tibo-lg]

Sorry I confused myself. I think they should be wire messages as they can be broadcast directly (please see updated version). I guess we could define two formats but for the sake of simplicity I would personally prefer keeping a single one.

+1 if nothing else is changing about the announcements I don't see the reasoning of changing the type

I was thinking since we are going to have breaking changes on these anyway we might as well make it so that the wire message types follow each others (I left an open space for the close dlc. Though now thinking about it I wonder if close dlc should actually have an odd type number 🤔

[matthewjablack]

Sorry I confused myself. I think they should be wire messages as they can be broadcast directly (please see updated version). I guess we could define two formats but for the sake of simplicity I would personally prefer keeping a single one.

+1 for having one format for sake of simplicity. Keeping it as a wire message makes sense to me

Though now thinking about it I wonder if close dlc should actually have an odd type number 🤔

What would be the rationale for this? I'm guessing because it's optional?

[Tibo-lg]

What would be the rationale for this? I'm guessing because it's optional?

Yes exactly, that's at least the semantics specified in BOLT 1: https://github.com/lightningnetwork/lightning-rfc/blob/master/01-messaging.md#lightning-message-format

[matthewjablack]

I noticed that in the latest version of #163 OracleAnnouncement, OracleEvent, EnumEventDescriptor and DigitDecompositionEventDescriptor are all wire messages

This makes sense for OracleAnnouncement, since it's likely announcements and attestments would be communicated over the transport layer. However, shouldn't the wire messages inside OracleAnnouncement actually be a TLVs since it's unlikely for them to be communicated over the transport layer.

[Tibo-lg]

The reason was that it was decided not to touch any oracle related message in this PR so that no update to oracle software is required for now, and then make all oracle related changes as part of #167 at once.

[Tibo-lg]

Fixed the sibling type numbers which where not consistent with the latest update.

[Tibo-lg]

Noticed that we were sometimes using BigSize and sometimes u16 for collection prefixes. Consolidated it to use BigSize everywhere as for the CetSignatures type it is probably safer than having a restriction on size.

[Christewart]

I believe u16:num_funding_inputs is a bigsize in the test vectors (specifically enum_single_oracle_test.json)

[Tibo-lg]

Thanks I had forgotten to update it, fixed.

[Christewart]

I think this is a bigsize now, at least according to the enum_single_oracle_test.json

[Tibo-lg]

Yes thanks fixed.

[Christewart]

bigsize here too i think https://github.com/discreetlogcontracts/dlcspecs/pull/163/files#diff-e0f5b925f91a1c09c6daf26f9a7d28816cb9ff9f08863faca719b7ee0a1cc065R188

[Tibo-lg]

Sorry not sure which field you're referring to in this comment?

[Christewart]

num_funding_inputs

[Tibo-lg]

Thanks!

[Tibo-lg]

• Switched protocol version from BigSize to u32 as I find it cleaner.

• Fixed the missing protocol version in the test vectors.

[Christewart]

I think this needs to be updated as I don't believe its a TLV in the #163 test vectors?

[Tibo-lg]

Thanks! Fixed everything in that file, as well as the RoundingIntervals that was also not updated.

[Christewart]

@Tibo-lg Is this consistent with your implementation?

[Christewart]

Addressed in 70032e3

[Christewart]

I think there is another bug here, I believe this is prefixed by a bigsize in your implementation @Tibo-lg rather than a u16.

[Tibo-lg]

Yes in that case I should have updated the spec to be consistent with other collection prefixes. Updated now.

[Christewart]

to make this change we need to either

1. Add a version to the top of the accept_dlc_tlv_v0
2. revert this back to u16

The reason this is needed is to preserve backwards compatability with the previous version of the spec. This is how i've implemented the backwards compatible parse currently

    //parser for `offer_tlv`
    val fundingInputs = {
      if (protocolVersionOpt.isEmpty) {
        //means we are working with the old version of the spec
        iter.takeU16PrefixedList(() => iter.take(FundingInputV0TLV))
      } else {
        //means we are using version 1 of the spec
        iter.takeBigSizePrefixedList(() => iter.take(FundingInputV0TLV))
      }
    }

parser for the accept_tlv that is an attempt at backwards compatibility

      //accept_tlv
      //
      //we don't have a version # here so we don't know what version we are trying to parse?
      //I suspect this code in the try block will not always cause an exception
      //so this is truely a guess.
      try {
        iter.takeU16PrefixedList(() => iter.take(FundingInputV0TLV))
      } catch {
        case scala.util.control.NonFatal(_) =>
          iter.takeBigSizePrefixedList(() => iter.take(FundingInputV0TLV))
      }

The crux of the issue is that if funding inputs are prefixed with a u16 as required in the old version of the spec, a bigsize can be mistake as a u16. bigsize is required by the new version of the spec, which gives us ambiguity in the parser.

[Tibo-lg]

I don't mind adding a version at the top of the message, but can't you just keep the version from the offer message?

[Christewart]

That doesn't work for a few reasons

1. Its a layer violation to require a database read just to parse a tlv correctly.
2. You cannot guarantee you will parse the accept_tlv since you don't know which serialization format it uses to obtain information to make the database read. I guess you might be able to parse the first 32 bytes (tempContractId) to parse just the 32 bytes, make the database read, and then determine which format the offer had, but this is very cumbersome.

Lets keep the messages -- at the binary serialization level -- context free so that you can parse the offer, accept, and sign tlvs independent of one another.

[Tibo-lg]

Added a protocol_version field to the accept message and updated the test vectors. I wonder if it wouldn't be better to also add one to the sign message, what do you think?

[Christewart]

I wonder if it wouldn't be better to also add one to the sign message, what do you think?

I think its probably a good idea. AFAIK, the sign_tlv does not have the same sort of ambiguity (funding_inputs) that offer,accept have so it isn't strictly necessary now, but it seems prudent to future proof a bit.

[Tibo-lg]

it seems prudent to future proof a bit.

Yeah I feel like that too. Updated docs and test vectors accordingly.

[Christewart]

So this PR on bitcoin-s passes all test vectors in this PR:

I believe we have achieved the 2 impl requirement, which means we may want to merge this? 👀 👀

bitcoin-s/bitcoin-s#3859

[Christewart]

As discussed at the June meeting, we have 2 implementations now so merging this.