📅 Original date posted:2018-04-17
📝 Original message:
Hi ZmnSCPxj,
> I understand. For myself, I will also wait for comment from other
c-lightning
> developers: this seems to require a bit of surgery on our code I think
> (currently construction of justice transactions is done in a separate
process,
> and we always generate a justice transaction that claims all claimable
outputs
> of the revoked commitment transaction), and we might decide to defer this
> feature for later (leaking revocation basepoint secret is easy and
requires
> maybe a few dozen sloc, but that requires a trusted WatchTower).
Certainly, it will require changes to ours as well. Would also love to hear
what the
other implementations think of such a proposal. As of now, we detect if the
commitment outputs have been spent, and if so, attempt to spend an
aggregate of
the commitment outputs and second-level outputs conditioned on which are
reported as spent. To realize this fully, we would need to also detect the
case
in which the second-level txns have already been spent, and then forgo
sweeping
them entirely (on the assumption that it has already been done by a
watchtower).
> Ah, I thought you wanted to impose some kind of contract on
> HTLC-timeout/HTLC-success to enforce this behavior, you are referring to a
> technique that the attacker might attempt to use if we use only a single
> justice transaction that claims all HTLC outputs.
Precisely, if the attacker knows that we can only sweep a particular sets of
outputs when batched, they can choose other sets that the watchtower can't
act
on. Spending them independently seems to resolve this.
-Conner
On Tue, Apr 17, 2018 at 8:02 AM ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:
> Good morning Conner,
>
> > I understand. It would be good to know what you have, and perhaps
> consider
> > planning a new BOLT document for such.
> Yes, that is the ultimate goal. I think it might be a little to soon to
> have a
> full-on BOLT spec. There are still some implementation details that we
> would
> like to address before formalizing everything. I am working to have
> something
> written up in the short-term documenting the approach[es] that ends up
> being
> solidified. Hopefully that can get some eyes during development, and
> perhaps
> serve as working document/rough draft.
>
>
> I understand. For myself, I will also wait for comment from other
> c-lightning developers: this seems to require a bit of surgery on our code
> I think (currently construction of justice transactions is done in a
> separate process, and we always generate a justice transaction that claims
> all claimable outputs of the revoked commitment transaction), and we might
> decide to defer this feature for later (leaking revocation basepoint secret
> is easy and requires maybe a few dozen sloc, but that requires a trusted
> WatchTower).
>
> > Sorry, I seem confused this idea. Can you give example for commitment
> with 2x
> > HTLC?
>
> Sure thing! The confirmation of second level HTLC txns can be separated by
> arbitrary delays. This is particularly true if the CLTVs have already
> expired,
> offering an attacker total control over when the txns appear on the
> network. One
> way this can happen is if the attacker iteratively broadcasts a single
> second-level txn, waits for confirmation and CSV to expire, then repeat
> with
> another second-level txn.
>
> Since the CSVs begin ticking as soon as they are included in the chain,
> the
> attacker could try to sweep each one immediately after its CSV expires.
> If the
> watchtower doesn't have the ability to sweep outputs independently, it
> would
> have no way to intercept this behavior, and prevent the breacher from
> sweeping
> individual HTLCs sequentially.
>
> Ah, I thought you wanted to impose some kind of contract on
> HTLC-timeout/HTLC-success to enforce this behavior, you are referring to a
> technique that the attacker might attempt to use if we use only a single
> justice transaction that claims all HTLC outputs.
>
>
> > 5. 0 or 1 or 2 signatures for the main outputs. These sign a single
> > transaction that claims only the main outputs.
>
> Yes, it seems necessary to separate the commitment outpoints from the HTLC
> outpoints in case the commitment txn is broadcasted before the CLTVs
> expire.
> You could try to batch these with the HTLCs, but then we get back into
> exponential territory.
>
> Agreed.
>
> > Is that approximately what is needed? Have I missed anything?
>
> Nope, I think your understanding is on point. IMO this seems to be a
> reasonable
> compromise of the tradeoffs at hand, and definitely something that could
> serve
> as an initial iteration due to its simplicity. In the future, there are definitely
> ways
> to improve on this on make it even more efficient! Though having a
> solid/workable v0 is important if it is to be deployed. I enjoy hearing
> your
> thoughts on this, thank you for your responses!
>
> Thank you for this confirmation.
>
> Regards,
> ZmnSCPxj
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180417/466f490f/attachment-0001.html>;
Conner Fromknecht [ARCHIVE] /
npub1za…uua2a
2023-06-09 12:50:11
in reply to nevent1q…puxl
Author Public Key
npub1za0a9afyj7um5feva0d5xmhfsah3zxm252hna2duq0numa952frqvuua2aPublished at
2023-06-09 12:50:11Event JSON
{
"id": "f540bcf773a9f020cf3003b3821da3de0875a6bff7f40c4a488821425738be67",
"pubkey": "175fd2f52497b9ba272cebdb436ee9876f111b6aa2af3ea9bc03e7cdf4b45246",
"created_at": 1686315011,
"kind": 1,
"tags": [
[
"e",
"6dd96ef1f5459831b29122e2c31121736b8e8107366862ff1c3ad1cf0ba80839",
"",
"root"
],
[
"e",
"73b70afb1429a1a3f7afe5b12536c833ee76e8245aa6b91521b17e0da36e06f7",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2018-04-17\n📝 Original message:\nHi ZmnSCPxj,\n\n\u003e I understand. For myself, I will also wait for comment from other\nc-lightning\n\u003e developers: this seems to require a bit of surgery on our code I think\n\u003e (currently construction of justice transactions is done in a separate\nprocess,\n\u003e and we always generate a justice transaction that claims all claimable\noutputs\n\u003e of the revoked commitment transaction), and we might decide to defer this\n\u003e feature for later (leaking revocation basepoint secret is easy and\nrequires\n\u003e maybe a few dozen sloc, but that requires a trusted WatchTower).\n\nCertainly, it will require changes to ours as well. Would also love to hear\nwhat the\nother implementations think of such a proposal. As of now, we detect if the\ncommitment outputs have been spent, and if so, attempt to spend an\naggregate of\nthe commitment outputs and second-level outputs conditioned on which are\nreported as spent. To realize this fully, we would need to also detect the\ncase\nin which the second-level txns have already been spent, and then forgo\nsweeping\nthem entirely (on the assumption that it has already been done by a\nwatchtower).\n\n\u003e Ah, I thought you wanted to impose some kind of contract on\n\u003e HTLC-timeout/HTLC-success to enforce this behavior, you are referring to a\n\u003e technique that the attacker might attempt to use if we use only a single\n\u003e justice transaction that claims all HTLC outputs.\n\nPrecisely, if the attacker knows that we can only sweep a particular sets of\noutputs when batched, they can choose other sets that the watchtower can't\nact\non. Spending them independently seems to resolve this.\n\n-Conner\n\n\nOn Tue, Apr 17, 2018 at 8:02 AM ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e wrote:\n\n\u003e Good morning Conner,\n\u003e\n\u003e \u003e I understand. It would be good to know what you have, and perhaps\n\u003e consider\n\u003e \u003e planning a new BOLT document for such.\n\u003e Yes, that is the ultimate goal. I think it might be a little to soon to\n\u003e have a\n\u003e full-on BOLT spec. There are still some implementation details that we\n\u003e would\n\u003e like to address before formalizing everything. I am working to have\n\u003e something\n\u003e written up in the short-term documenting the approach[es] that ends up\n\u003e being\n\u003e solidified. Hopefully that can get some eyes during development, and\n\u003e perhaps\n\u003e serve as working document/rough draft.\n\u003e\n\u003e\n\u003e I understand. For myself, I will also wait for comment from other\n\u003e c-lightning developers: this seems to require a bit of surgery on our code\n\u003e I think (currently construction of justice transactions is done in a\n\u003e separate process, and we always generate a justice transaction that claims\n\u003e all claimable outputs of the revoked commitment transaction), and we might\n\u003e decide to defer this feature for later (leaking revocation basepoint secret\n\u003e is easy and requires maybe a few dozen sloc, but that requires a trusted\n\u003e WatchTower).\n\u003e\n\u003e \u003e Sorry, I seem confused this idea. Can you give example for commitment\n\u003e with 2x\n\u003e \u003e HTLC?\n\u003e\n\u003e Sure thing! The confirmation of second level HTLC txns can be separated by\n\u003e arbitrary delays. This is particularly true if the CLTVs have already\n\u003e expired,\n\u003e offering an attacker total control over when the txns appear on the\n\u003e network. One\n\u003e way this can happen is if the attacker iteratively broadcasts a single\n\u003e second-level txn, waits for confirmation and CSV to expire, then repeat\n\u003e with\n\u003e another second-level txn.\n\u003e\n\u003e Since the CSVs begin ticking as soon as they are included in the chain,\n\u003e the\n\u003e attacker could try to sweep each one immediately after its CSV expires.\n\u003e If the\n\u003e watchtower doesn't have the ability to sweep outputs independently, it\n\u003e would\n\u003e have no way to intercept this behavior, and prevent the breacher from\n\u003e sweeping\n\u003e individual HTLCs sequentially.\n\u003e\n\u003e Ah, I thought you wanted to impose some kind of contract on\n\u003e HTLC-timeout/HTLC-success to enforce this behavior, you are referring to a\n\u003e technique that the attacker might attempt to use if we use only a single\n\u003e justice transaction that claims all HTLC outputs.\n\u003e\n\u003e\n\u003e \u003e 5. 0 or 1 or 2 signatures for the main outputs. These sign a single\n\u003e \u003e transaction that claims only the main outputs.\n\u003e\n\u003e Yes, it seems necessary to separate the commitment outpoints from the HTLC\n\u003e outpoints in case the commitment txn is broadcasted before the CLTVs\n\u003e expire.\n\u003e You could try to batch these with the HTLCs, but then we get back into\n\u003e exponential territory.\n\u003e\n\u003e Agreed.\n\u003e\n\u003e \u003e Is that approximately what is needed? Have I missed anything?\n\u003e\n\u003e Nope, I think your understanding is on point. IMO this seems to be a\n\u003e reasonable\n\u003e compromise of the tradeoffs at hand, and definitely something that could\n\u003e serve\n\u003e as an initial iteration due to its simplicity. In the future, there are definitely\n\u003e ways\n\u003e to improve on this on make it even more efficient! Though having a\n\u003e solid/workable v0 is important if it is to be deployed. I enjoy hearing\n\u003e your\n\u003e thoughts on this, thank you for your responses!\n\u003e\n\u003e Thank you for this confirmation.\n\u003e\n\u003e Regards,\n\u003e ZmnSCPxj\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180417/466f490f/attachment-0001.html\u003e",
"sig": "c42badeb009e9a8ee063f98bc9c843ac49cd211d15f577fff748b55212412ff6123025c522ec5de4ad9f69503e996f261c0a55f3e026db595c4a8dcfad5b3fb6"
}