ð
Original date posted:2020-12-14
ð Original message:
On Mon, Dec 14, 2020 at 04:31:23PM +1100, Lloyd Fournier wrote:
> To be clear: The goal is to offer a cooperative settlement transaction up
> front to the (possibly) recovering party -- *not a commitment transaction*.
Ah, what BOLT0 calls a "mutual close". That makes a lot more sense and
makes the protocol even cooler than I thought. Thanks for clarifying!
> The idea I'm working with in revocable signature based channels [1] is
> to make the node lose its static secret key if it posts a revoked
> commitment tx. This means they could lose ALL funds from ALL their
> channels with ALL their peers if they ever broadcast a single revoked
> commitment transaction. This would be a very bad thing to happen while
> you're trying to recover funds.
Yikes! A very bad thing indeed. I'll have to re-read about witness
asymmetric channels; I don't think I realized that was a consequence of
using them.
> What is the story with option_static_remotekey? I am interested to know how
> the negotiation of that option has a security issue but I don't see how it
> could.
Whoops, I got myself confused. I meant option_data_loss_protect, which
LND calls "static channel backups". I just git greped the bolts for
"static" and copied the first plausible seeming result. :facepalm:
On Mon, Dec 14, 2020 at 12:08:27AM -0800, Ariel Lorenzo-Luaces wrote:
> I don't think it's so clear that any party refusing to go go first can
> be assumed to have lost data.
Oh, I agree, it's definitely not clear. I just said they could "be
*suspected* of having lost data".
On Mon, Dec 14, 2020 at 12:08:27AM -0800, Ariel Lorenzo-Luaces wrote:
> If the rule is that the party receiving the connection is the one that
> must send the oblivious signatures then a party that has both lost
> data and is receiving a connection can just ignore the connection
> request.
>
> There is plausible denyability because knowingly not answering a
> request can't be distinguished from just having connection issues or
> distinguished from a machine is just turned off.
In many cases, the network does behave differently in different
cases:
$ nmap -p 80 dtrt.org ## online and port available
80/tcp open http
$ nmap -p 80 newmail.dtrt.org ## online but no service listening
80/tcp closed http
$ nmap -p 22 10.0.0.1 ## online but connection refused
22/tcp filtered ssh
$ nmap -p 80 10.0.0.200 ## not online
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Moreover, there's the case where Bob tries to open a connection with
Mallory, but Mallory immediately turns around and tries to open a
connection with Bob. In that case, Bob's unavailability might look
suspicious (although it could just be NAT or something else innocuous).
However, beyond IP network activity, there's potentially a lot of
evidence a dishonest counterparty can gather about a
recently-reconnected node to evaluate the probability that it suffered a
data loss. Perhaps most persuasive would be seeing what happened to
that node's other channels. Were they all closed? Did the node fail to
promptly broadcast a transaction with preimages trying to claim any
pending HTLCs (which can be especially strong evidence if the dishonest
counterparty was along the routing path for any of those HTLCs and so
knows that the preimage was disclosed).
The reason option_data_loss_protects works in theory is that the only
way attacker Mallory can test her hypothesis that victim Bob lost data
is by Mallory broadcasting an old state that Bob, if he didn't actually
lose data, can use to penalize Mallory in a way that may profit Bob. In
an ideal world, for every victim node that actually lost data there'd be
several honeypot nodes that faked losing data in order to profit from
dishonest counterparties. Unfortunately, I doubt that's the case, for
two reasons:
1. You can only operate a data loss honeypot by causing a channel to
be closed onchain, which is going to waste someone's fees.
2. A dishonest node may only try broadcasting an old state when their
channel balance is low, near the minimum allowed by the channel
reserve. The guidelines for channel reserve amounts were chosen
(I believe) under the assumption that Mallory can be highly
confident that Bob has the latest state, so the reserve is just
the bare amount needed to prevent some annoying griefing. The
reserve is probably not large enough to compensate for the work and
fee-paying costs of operating data loss honeypots.
That said, most nodes seem to be honest and hopefully the nodes playing
with high-value channels are using some sort of live replication, so I
don't think there have been any issues so far.
-Dave
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201214/9ee971e1/attachment.sig>;
David A. Harding [ARCHIVE] /
npub16dâŠx4wrd
2023-06-09 15:01:44
in reply to nevent1qâŠcmjr
Author Public Key
npub16dt55fpq3a8r6zpphd9xngxr46zzqs75gna9cj5vf8pknyv2d7equx4wrdPublished at
2023-06-09 15:01:44Event JSON
{
"id": "0d39be34c79dc787415877184eda40c65a29517e3ebb8d9e0917efd406c5f144",
"pubkey": "d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2",
"created_at": 1686315704,
"kind": 1,
"tags": [
[
"e",
"e21c86dc6da7e4e7f2c2f49c2f0de867759b86836147a2e16bdbd8dc076c9c48",
"",
"root"
],
[
"e",
"82f0cb2ef9d936906e3dc9ac292e83191914ec73a23cec7026bf724f18ac7719",
"",
"reply"
],
[
"p",
"b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e"
]
],
"content": "ð
Original date posted:2020-12-14\nð Original message:\nOn Mon, Dec 14, 2020 at 04:31:23PM +1100, Lloyd Fournier wrote:\n\u003e To be clear: The goal is to offer a cooperative settlement transaction up\n\u003e front to the (possibly) recovering party -- *not a commitment transaction*.\n\nAh, what BOLT0 calls a \"mutual close\". That makes a lot more sense and\nmakes the protocol even cooler than I thought. Thanks for clarifying!\n\n\u003e The idea I'm working with in revocable signature based channels [1] is\n\u003e to make the node lose its static secret key if it posts a revoked\n\u003e commitment tx. This means they could lose ALL funds from ALL their\n\u003e channels with ALL their peers if they ever broadcast a single revoked\n\u003e commitment transaction. This would be a very bad thing to happen while\n\u003e you're trying to recover funds.\n\nYikes! A very bad thing indeed. I'll have to re-read about witness\nasymmetric channels; I don't think I realized that was a consequence of\nusing them.\n\n\u003e What is the story with option_static_remotekey? I am interested to know how\n\u003e the negotiation of that option has a security issue but I don't see how it\n\u003e could.\n\nWhoops, I got myself confused. I meant option_data_loss_protect, which\nLND calls \"static channel backups\". I just git greped the bolts for\n\"static\" and copied the first plausible seeming result. :facepalm:\n\nOn Mon, Dec 14, 2020 at 12:08:27AM -0800, Ariel Lorenzo-Luaces wrote:\n\u003e I don't think it's so clear that any party refusing to go go first can\n\u003e be assumed to have lost data.\n\nOh, I agree, it's definitely not clear. I just said they could \"be\n*suspected* of having lost data\". \n\nOn Mon, Dec 14, 2020 at 12:08:27AM -0800, Ariel Lorenzo-Luaces wrote:\n\u003e If the rule is that the party receiving the connection is the one that\n\u003e must send the oblivious signatures then a party that has both lost\n\u003e data and is receiving a connection can just ignore the connection\n\u003e request.\n\u003e \n\u003e There is plausible denyability because knowingly not answering a\n\u003e request can't be distinguished from just having connection issues or\n\u003e distinguished from a machine is just turned off.\n\nIn many cases, the network does behave differently in different\ncases:\n\n $ nmap -p 80 dtrt.org ## online and port available\n 80/tcp open http\n\n $ nmap -p 80 newmail.dtrt.org ## online but no service listening\n 80/tcp closed http\n\n $ nmap -p 22 10.0.0.1 ## online but connection refused\n 22/tcp filtered ssh\n\n $ nmap -p 80 10.0.0.200 ## not online\n Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn\n\nMoreover, there's the case where Bob tries to open a connection with\nMallory, but Mallory immediately turns around and tries to open a\nconnection with Bob. In that case, Bob's unavailability might look\nsuspicious (although it could just be NAT or something else innocuous).\n\nHowever, beyond IP network activity, there's potentially a lot of\nevidence a dishonest counterparty can gather about a\nrecently-reconnected node to evaluate the probability that it suffered a\ndata loss. Perhaps most persuasive would be seeing what happened to\nthat node's other channels. Were they all closed? Did the node fail to\npromptly broadcast a transaction with preimages trying to claim any\npending HTLCs (which can be especially strong evidence if the dishonest\ncounterparty was along the routing path for any of those HTLCs and so\nknows that the preimage was disclosed). \n\nThe reason option_data_loss_protects works in theory is that the only\nway attacker Mallory can test her hypothesis that victim Bob lost data\nis by Mallory broadcasting an old state that Bob, if he didn't actually\nlose data, can use to penalize Mallory in a way that may profit Bob. In\nan ideal world, for every victim node that actually lost data there'd be\nseveral honeypot nodes that faked losing data in order to profit from\ndishonest counterparties. Unfortunately, I doubt that's the case, for\ntwo reasons:\n\n 1. You can only operate a data loss honeypot by causing a channel to\n be closed onchain, which is going to waste someone's fees.\n\n 2. A dishonest node may only try broadcasting an old state when their\n channel balance is low, near the minimum allowed by the channel\n reserve. The guidelines for channel reserve amounts were chosen\n (I believe) under the assumption that Mallory can be highly\n confident that Bob has the latest state, so the reserve is just\n the bare amount needed to prevent some annoying griefing. The\n reserve is probably not large enough to compensate for the work and\n fee-paying costs of operating data loss honeypots.\n\nThat said, most nodes seem to be honest and hopefully the nodes playing\nwith high-value channels are using some sort of live replication, so I\ndon't think there have been any issues so far.\n\n-Dave\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 833 bytes\nDesc: not available\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201214/9ee971e1/attachment.sig\u003e",
"sig": "ddf97d06915f450a31c5f84f064eb8504bea76fe834dec36427e2b04c255e0c3279f73634b3ae6a1aea5d8d5229d018da751f792c0a5fc69fbb4b3455e4d5e12"
}