š
Original date posted:2015-10-19
š Original message:
All of your assumptions have the premise though, that choosing a
'good' vs a 'bad' guy is pure probability, like picking the right ball
out of a bag. There are other systematic attacks though, where an
attacker can trick you into his network for practically zero costs,
especially if there is no other solution in place (like checking the
blockchain for all of the networks anchors).
Think about an attacker who is able to MITM your internet connection,
like the hotspot you connect to at a Cafe (or your ISP if hijacked).
They can build locally a gigantic network, all pointing to the same
node. You can't tell, and they don't have to necessarily just block
your payments. (see above)
I am mainly concerned over those. Especially since there is not really
anything we can do about dishonest nodes joining our network, but it's
encouraging to see your math. Since everything security-wise so far
stands only with knowing pubkeys of nodes actually connected to the
network, this should be the first thing to tackle. (that is, making it
expensive to attack it this way)
Only nuisance is that it requires either SPV or full node to check the
anchor, but I kinda like the idea of having all (or a good amount) of
lightning nodes be full bitcoin nodes as well.
cheers
Mats Jerratsch
2015-10-19 3:41 GMT+02:00 Anthony Towns <aj at erisian.com.au>:
> On Sun, Oct 18, 2015 at 01:25:29PM +0200, Mats Jerratsch wrote:
>> > It only works if you actually setup a channel, though -- so you have to
>> > lock some money into the channel for however many confirmations until
>> > the channel activates, before you can test, plus the OP_CSV delay if
>> > the test fails.
>> And there's the catch. If an attacker achieves nodes opening up
>> channels with him, he already succeeded in vandalism.
>
> I'm not sure this is true? Supposing there are V vandals on the system,
> compared to T total nodes, so V/T is your probability of selecting a
> vandal. Then, to join the lightning network, you open up N channels
> with randomly chosen nodes at $1 each, committing $N in total, and
> (if they're all run by vandals and have to get closed) spending about
> 2*N*2c (so 4%?) in fees. If there are 1000 nodes (ie, lots), then the
> probability of finding at least one good node is about 1-(V/T)^N. If you
> want a probability of 99% of getting a good node on your first try, then:
>
> V/T = 10%: N = 2
> V/T = 20%: N = 3
> V/T = 30%: N = 4
> V/T = 40%: N = 6
> V/T = 50%: N = 7
> V/T = 60%: N = 9
> V/T = 70%: N = 13
> V/T = 80%: N = 21
> V/T = 90%: N = 43
> V/T = 95%: N = 86
> V/T = 99%: N = 368
>
> So with 90% of nodes being hostile, that'd be getting expensive, but
> not completely implausible. If 40%-plus of the network is legit, though,
> just trying out 10 random nodes seems like it works fine, and only locks
> up $10 for a couple of days and costs about 40c in bitcoin fees...
>
> Also, if you've got to run 2.5 times as many vandal nodes as there are
> legitimate nodes for people to even really be bothered, I don't think
> you'll see many vandals in the first place...
>
> (Once you've got a node that actually works, you can expand your channel
> from $1 to $10 or $100, and/or open additional channels, and at that point
> (afaics) you're set.)
>
> That's only necessary if you don't know anyone with a lightning account
> already, though. Since anyone can forward for you, you could start with
> someone you trust in real life -- eg, a friend, a bank, a government,
> etc. If Rusty tells me he'll route my payments (as long as they're made
> between 10am and 3pm Adelaide time on a weekday, maybe) then I can open
> a $5 channel with him, and use that to send 1 satoshi payments to test
> connectivity. So, if I'm wondering whether BOBSBANK is reliable, I work
> out a route:
>
> aj -> rusty -> a -> b -> c -> BOBSBANK -> x -> y -> z -> rusty -> aj
>
> apply it as an onion so it can't get short-circuited, and see if it gets
> back to me, at a cost of maybe 10% of a satoshi (10 hops at 1% each)...
> If it does, BOBSBANK is connected and functional, and I can try opening a
> channel. If it doesn't, I can try a different route to BOBSBANK, or try
> someone else entirely.
>
>> Furthermore, an
>> attacker can always play by the rules and forward all payments up to
>> one point where he stops.
>
> (For example, he could happily route payments on $1 channels, but refuse
> to do likewise when the channel capacity was upped to $10)
>
> In the general case though, does that even count as an attack? Isn't
> that just like a web site going down or being put behind a paywall? ie,
> annoying, but completely legitimate? I mean, if someone downloads the
> lightning software to try it out, runs it for a while, then decides it's
> no fun and stops, they'll be "playing by the rules up to one point where
> they stop"; but they're not trying to "attack" the system.
>
> Coping with unreliability is definitely important, but running a node that
> works sometimes but is deliberately unreliable is a lot more effort than
> running a node that claims to work, but never does. It's also more work
> (and less profitable) than just running a node that actually work...
>
>> And even worse, if everyone connect to his
>> nodes, he can relay all payments, but he is able to distinctively
>> identify payee and payers, even with onion routing.
>
> That's a different attack isn't it? To get everyone to connect to your
> nodes, you'd have to be running the majority of nodes -- ie, there's
> 5000 different organisations running lightning nodes, but 4999 of them
> run one or two nodes each, but one of them runs 100,000 nodes.
>
> But if it were cheap enough for one org to run 100k nodes, why wouldn't
> the others treat it as an arms race and end up running, say, 20-50
> nodes each? They'd have an economic incentive to do so, in that it
> increases their odds of collecting fees... At that point the attacker's
> already reduced to 28%-50% of nodes. ie, I think that's likely to be
> self-correcting?
>
> But! An arms race in nodes-per-person would probably cause a scaling
> problem for the network (depending on how routing actually works), and
> you'd have to address that by creating some cost to run (or at least
> register?) a node/channel. But if they're all legitimate nodes, I think
> that's just a scaling problem, rather than vandalism per se.
>
> (An additional but: even if spamming the list of nodes doesn't work as
> an effective attack, if you can spam the list of *channels* with valid
> looking edges that won't actually route payments successfully, you can
> screw over the network pretty well)
>
> Cheers,
> aj
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
Mats Jerratsch [ARCHIVE] /
npub1hzā¦q5x8w
2023-06-09 12:44:49
in reply to nevent1qā¦l74h
Author Public Key
npub1hz386xq4qszumlx5fsxa3kuxpaf8qvfrqqjg8zdl2l892hrcg55q6q5x8wPublished at
2023-06-09 12:44:49Event JSON
{
"id": "ac0e4b5eee3bff3817d5594bb36bff69f54f88ccffbd8ba967f8bebfdcbaf528",
"pubkey": "b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528",
"created_at": 1686314689,
"kind": 1,
"tags": [
[
"e",
"a852f7164f575698e067e8fc679f5003dd9087247fc7ef7f6067ab966288eef1",
"",
"root"
],
[
"e",
"4ae5ebda4c4e87697cc519afd57c4b295babb73c081508e8ba964ce1bed87c80",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "š
Original date posted:2015-10-19\nš Original message:\nAll of your assumptions have the premise though, that choosing a\n'good' vs a 'bad' guy is pure probability, like picking the right ball\nout of a bag. There are other systematic attacks though, where an\nattacker can trick you into his network for practically zero costs,\nespecially if there is no other solution in place (like checking the\nblockchain for all of the networks anchors).\n\nThink about an attacker who is able to MITM your internet connection,\nlike the hotspot you connect to at a Cafe (or your ISP if hijacked).\nThey can build locally a gigantic network, all pointing to the same\nnode. You can't tell, and they don't have to necessarily just block\nyour payments. (see above)\n\nI am mainly concerned over those. Especially since there is not really\nanything we can do about dishonest nodes joining our network, but it's\nencouraging to see your math. Since everything security-wise so far\nstands only with knowing pubkeys of nodes actually connected to the\nnetwork, this should be the first thing to tackle. (that is, making it\nexpensive to attack it this way)\n\nOnly nuisance is that it requires either SPV or full node to check the\nanchor, but I kinda like the idea of having all (or a good amount) of\nlightning nodes be full bitcoin nodes as well.\n\ncheers\nMats Jerratsch\n\n\n\n2015-10-19 3:41 GMT+02:00 Anthony Towns \u003caj at erisian.com.au\u003e:\n\u003e On Sun, Oct 18, 2015 at 01:25:29PM +0200, Mats Jerratsch wrote:\n\u003e\u003e \u003e It only works if you actually setup a channel, though -- so you have to\n\u003e\u003e \u003e lock some money into the channel for however many confirmations until\n\u003e\u003e \u003e the channel activates, before you can test, plus the OP_CSV delay if\n\u003e\u003e \u003e the test fails.\n\u003e\u003e And there's the catch. If an attacker achieves nodes opening up\n\u003e\u003e channels with him, he already succeeded in vandalism.\n\u003e\n\u003e I'm not sure this is true? Supposing there are V vandals on the system,\n\u003e compared to T total nodes, so V/T is your probability of selecting a\n\u003e vandal. Then, to join the lightning network, you open up N channels\n\u003e with randomly chosen nodes at $1 each, committing $N in total, and\n\u003e (if they're all run by vandals and have to get closed) spending about\n\u003e 2*N*2c (so 4%?) in fees. If there are 1000 nodes (ie, lots), then the\n\u003e probability of finding at least one good node is about 1-(V/T)^N. If you\n\u003e want a probability of 99% of getting a good node on your first try, then:\n\u003e\n\u003e V/T = 10%: N = 2\n\u003e V/T = 20%: N = 3\n\u003e V/T = 30%: N = 4\n\u003e V/T = 40%: N = 6\n\u003e V/T = 50%: N = 7\n\u003e V/T = 60%: N = 9\n\u003e V/T = 70%: N = 13\n\u003e V/T = 80%: N = 21\n\u003e V/T = 90%: N = 43\n\u003e V/T = 95%: N = 86\n\u003e V/T = 99%: N = 368\n\u003e\n\u003e So with 90% of nodes being hostile, that'd be getting expensive, but\n\u003e not completely implausible. If 40%-plus of the network is legit, though,\n\u003e just trying out 10 random nodes seems like it works fine, and only locks\n\u003e up $10 for a couple of days and costs about 40c in bitcoin fees...\n\u003e\n\u003e Also, if you've got to run 2.5 times as many vandal nodes as there are\n\u003e legitimate nodes for people to even really be bothered, I don't think\n\u003e you'll see many vandals in the first place...\n\u003e\n\u003e (Once you've got a node that actually works, you can expand your channel\n\u003e from $1 to $10 or $100, and/or open additional channels, and at that point\n\u003e (afaics) you're set.)\n\u003e\n\u003e That's only necessary if you don't know anyone with a lightning account\n\u003e already, though. Since anyone can forward for you, you could start with\n\u003e someone you trust in real life -- eg, a friend, a bank, a government,\n\u003e etc. If Rusty tells me he'll route my payments (as long as they're made\n\u003e between 10am and 3pm Adelaide time on a weekday, maybe) then I can open\n\u003e a $5 channel with him, and use that to send 1 satoshi payments to test\n\u003e connectivity. So, if I'm wondering whether BOBSBANK is reliable, I work\n\u003e out a route:\n\u003e\n\u003e aj -\u003e rusty -\u003e a -\u003e b -\u003e c -\u003e BOBSBANK -\u003e x -\u003e y -\u003e z -\u003e rusty -\u003e aj\n\u003e\n\u003e apply it as an onion so it can't get short-circuited, and see if it gets\n\u003e back to me, at a cost of maybe 10% of a satoshi (10 hops at 1% each)...\n\u003e If it does, BOBSBANK is connected and functional, and I can try opening a\n\u003e channel. If it doesn't, I can try a different route to BOBSBANK, or try\n\u003e someone else entirely.\n\u003e\n\u003e\u003e Furthermore, an\n\u003e\u003e attacker can always play by the rules and forward all payments up to\n\u003e\u003e one point where he stops.\n\u003e\n\u003e (For example, he could happily route payments on $1 channels, but refuse\n\u003e to do likewise when the channel capacity was upped to $10)\n\u003e\n\u003e In the general case though, does that even count as an attack? Isn't\n\u003e that just like a web site going down or being put behind a paywall? ie,\n\u003e annoying, but completely legitimate? I mean, if someone downloads the\n\u003e lightning software to try it out, runs it for a while, then decides it's\n\u003e no fun and stops, they'll be \"playing by the rules up to one point where\n\u003e they stop\"; but they're not trying to \"attack\" the system.\n\u003e\n\u003e Coping with unreliability is definitely important, but running a node that\n\u003e works sometimes but is deliberately unreliable is a lot more effort than\n\u003e running a node that claims to work, but never does. It's also more work\n\u003e (and less profitable) than just running a node that actually work...\n\u003e\n\u003e\u003e And even worse, if everyone connect to his\n\u003e\u003e nodes, he can relay all payments, but he is able to distinctively\n\u003e\u003e identify payee and payers, even with onion routing.\n\u003e\n\u003e That's a different attack isn't it? To get everyone to connect to your\n\u003e nodes, you'd have to be running the majority of nodes -- ie, there's\n\u003e 5000 different organisations running lightning nodes, but 4999 of them\n\u003e run one or two nodes each, but one of them runs 100,000 nodes.\n\u003e\n\u003e But if it were cheap enough for one org to run 100k nodes, why wouldn't\n\u003e the others treat it as an arms race and end up running, say, 20-50\n\u003e nodes each? They'd have an economic incentive to do so, in that it\n\u003e increases their odds of collecting fees... At that point the attacker's\n\u003e already reduced to 28%-50% of nodes. ie, I think that's likely to be\n\u003e self-correcting?\n\u003e\n\u003e But! An arms race in nodes-per-person would probably cause a scaling\n\u003e problem for the network (depending on how routing actually works), and\n\u003e you'd have to address that by creating some cost to run (or at least\n\u003e register?) a node/channel. But if they're all legitimate nodes, I think\n\u003e that's just a scaling problem, rather than vandalism per se.\n\u003e\n\u003e (An additional but: even if spamming the list of nodes doesn't work as\n\u003e an effective attack, if you can spam the list of *channels* with valid\n\u003e looking edges that won't actually route payments successfully, you can\n\u003e screw over the network pretty well)\n\u003e\n\u003e Cheers,\n\u003e aj\n\u003e\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev",
"sig": "f9954ab460b1df10d33428b90d7eff7aae0398408c0f0e74b88545081ab1349decc21025357b3bcb8fe244910b6a9209920b92a82c53f72285c281cfcef2c119"
}