📅 Original date posted:2023-08-17
🗒️ Summary of this message: Mobile wallet providers are unlikely to cheat because the mobile wallet can check for any attempts and the provider risks reputation loss. A peer backup solution could be implemented by any node, allowing users to store backups with them. The reputation argument may not hold up for random nodes, but for hardcoded nodes like ACINQ, it is sufficient. The idea of symmetric resumable channels is also proposed.
📝 Original message:
Hi Bastien,
> I don't think this is an attack wallet providers can reasonably attempt.
> The mobile wallet can check at every connection that the provider isn't
> trying to cheat, and the provider doesn't have any way of knowing when
> the mobile wallet has lost data: it would thus be a very risky move to
> try to cheat, because it is very unlikely to succeed and will result in
> reputation loss for the provider.
It would be nice to have a peer backup solution that can be provided by
~any node, and reasonably used without trust by ~any node [0]. To be more
precise (and practical), imagine providing the backup "service" by
default if you run a public forwarding node. E.g. if Alice runs eclair
on their server and have some public channels, the default config of
eclair could result in Alice signalling the "backup-provider" feature
bit. Then, if Bob uses a phone-wallet, and opens to Alice (chosen by Bob
arbitrarily), Bob could store their backups with her.
Note that the "reputation loss" argument does not hold up that well if
you let Bob connect to arbitrary nodes. Something stronger, such as
actual confiscation of funds via Thomas' idea seems more applicable.
Afterall, what does a random node have to lose if they tried to replay
an old backup? You said in another email Phoenix atm simply ignores the
stale backup. I wonder, does the client happily keep using the channel
after a reconnect? If so, what is there to lose by attempting to replay
old states? Random nodes don't really have an easy concept of
reputation.
Obviously the ACINQ node is not random - being hardcoded in your case
it is anything but. Of course, in the case of an LSP/wallet combo
such as Phoenix, the reputation argument is sufficient, I agree.
-----
[0]: I think the whole backup provicer idea could be made symmetric.
I had previously thought that it is inherently asymmetric but after
some more thought I think I was wrong:
Symmetric resumable channels
----------------------------
Alice and Bob could have a channel where they both provide state backups
to each other. Regarding who goes first in channel_reestablish, we need
an extra preliminary round where both Alice and Bob commit to what they
will send in channel_reestablish:
Round 1:
1. Alice sends hashA = hash(bobs_backup, nonceA)
2. Bob sends hashB = hash(alices_backup, nonceB)
Alice persists hashB to disk upon receiving it, and enforces that even
if there is a disconnection, Bob cannot arbitrarily send a different
commitment next time. (if the channel gets reestablished fully and
Alice sends a new backup to Bob, the stored hashB can be cleared)
Round 2:
3. Alice sends channel_reestablish containing bobs_backup, and nonceA
4. Bob sends channel_reestablish containing alices_backup, and nonceB
Alice checks that the commitment received from Bob in round1 matches
what was received in round2.
Regarding the opening post OP_CHECKSIGFROMSTACK on-chain enforcement,
that can be made symmetric as well! The channel funding output script
needs one taproot branch each for both Alice and Bob lying. The protocol
needs to be tweaked a bit so as to allow a party to legitimately admit
having lost state and commit to the hash of that in round1, and then
reveal they lost state in round2 (e.g. send null data). In which case
the other party would not be able to use the fraud proof taproot branch.
Though note that user-error and manual copying/restoring of DBs could
lead to catastrophic failure with the on-chain enforcement:
if you restore an old db and launch your client, the client won't know
it is running an old state and happily participate in the two round
dance, giving a fraud proof to the counterparty in the process.
Regards,
ghost43
SomberNight [ARCHIVE] /
npub1r3…f8xs3
2023-08-21 09:48:48
in reply to nevent1q…dj00
Author Public Key
npub1r3wz0qhmtp77ddyvm98wpy4zsta0k5ash8ejndqjp6s8epnx5plq2f8xs3Published at
2023-08-21 09:48:48Event JSON
{
"id": "719acde7e8a840235516d59cdaf885cad5549e6fb69a9599f4feb670e49ac053",
"pubkey": "1c5c2782fb587de6b48cd94ee092a282fafb53b0b9f329b4120ea07c8666a07e",
"created_at": 1692611328,
"kind": 1,
"tags": [
[
"e",
"a326d465876144c0b60f5186966248e965bd554a8674674b5753301c75bbe219",
"",
"root"
],
[
"e",
"614da26cca8b06a89b28239e24b3ce2f466c0658783402e474ee440b3a5d6de3",
"",
"reply"
],
[
"p",
"f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb"
]
],
"content": "📅 Original date posted:2023-08-17\n🗒️ Summary of this message: Mobile wallet providers are unlikely to cheat because the mobile wallet can check for any attempts and the provider risks reputation loss. A peer backup solution could be implemented by any node, allowing users to store backups with them. The reputation argument may not hold up for random nodes, but for hardcoded nodes like ACINQ, it is sufficient. The idea of symmetric resumable channels is also proposed.\n📝 Original message:\nHi Bastien,\n\n\u003e I don't think this is an attack wallet providers can reasonably attempt.\n\u003e The mobile wallet can check at every connection that the provider isn't\n\u003e trying to cheat, and the provider doesn't have any way of knowing when\n\u003e the mobile wallet has lost data: it would thus be a very risky move to\n\u003e try to cheat, because it is very unlikely to succeed and will result in\n\u003e reputation loss for the provider.\n\nIt would be nice to have a peer backup solution that can be provided by\n~any node, and reasonably used without trust by ~any node [0]. To be more\nprecise (and practical), imagine providing the backup \"service\" by\ndefault if you run a public forwarding node. E.g. if Alice runs eclair\non their server and have some public channels, the default config of\neclair could result in Alice signalling the \"backup-provider\" feature\nbit. Then, if Bob uses a phone-wallet, and opens to Alice (chosen by Bob\narbitrarily), Bob could store their backups with her.\n\nNote that the \"reputation loss\" argument does not hold up that well if\nyou let Bob connect to arbitrary nodes. Something stronger, such as\nactual confiscation of funds via Thomas' idea seems more applicable.\nAfterall, what does a random node have to lose if they tried to replay\nan old backup? You said in another email Phoenix atm simply ignores the\nstale backup. I wonder, does the client happily keep using the channel\nafter a reconnect? If so, what is there to lose by attempting to replay\nold states? Random nodes don't really have an easy concept of\nreputation.\n\nObviously the ACINQ node is not random - being hardcoded in your case\nit is anything but. Of course, in the case of an LSP/wallet combo\nsuch as Phoenix, the reputation argument is sufficient, I agree.\n\n-----\n\n[0]: I think the whole backup provicer idea could be made symmetric.\nI had previously thought that it is inherently asymmetric but after\nsome more thought I think I was wrong:\n\nSymmetric resumable channels\n----------------------------\n\nAlice and Bob could have a channel where they both provide state backups\nto each other. Regarding who goes first in channel_reestablish, we need\nan extra preliminary round where both Alice and Bob commit to what they\nwill send in channel_reestablish:\n\nRound 1:\n1. Alice sends hashA = hash(bobs_backup, nonceA)\n2. Bob sends hashB = hash(alices_backup, nonceB)\n\nAlice persists hashB to disk upon receiving it, and enforces that even\nif there is a disconnection, Bob cannot arbitrarily send a different\ncommitment next time. (if the channel gets reestablished fully and\nAlice sends a new backup to Bob, the stored hashB can be cleared)\n\nRound 2:\n3. Alice sends channel_reestablish containing bobs_backup, and nonceA\n4. Bob sends channel_reestablish containing alices_backup, and nonceB\n\nAlice checks that the commitment received from Bob in round1 matches\nwhat was received in round2.\n\nRegarding the opening post OP_CHECKSIGFROMSTACK on-chain enforcement,\nthat can be made symmetric as well! The channel funding output script\nneeds one taproot branch each for both Alice and Bob lying. The protocol\nneeds to be tweaked a bit so as to allow a party to legitimately admit\nhaving lost state and commit to the hash of that in round1, and then\nreveal they lost state in round2 (e.g. send null data). In which case\nthe other party would not be able to use the fraud proof taproot branch.\n\nThough note that user-error and manual copying/restoring of DBs could\nlead to catastrophic failure with the on-chain enforcement:\nif you restore an old db and launch your client, the client won't know\nit is running an old state and happily participate in the two round\ndance, giving a fraud proof to the counterparty in the process.\n\nRegards,\nghost43",
"sig": "cab828bebf56661672e6924dd8123def39ea260eba3965ea3e6e1d0f584b3c58977755161649decf95f5570564f725beb2f7182f091a071d6202556e76d30483"
}