📅 Original date posted:2019-07-14
📝 Original message:
ZmnSCPxj via Lightning-dev <lightning-dev at lists.linuxfoundation.org>
writes:
> Good morning Atoine,
>
> Thank you for your proposal.
>
>> Eltoo has been criticized to lower the cost for a malicious party to
>> test your monitoring of the chain. If we're able to reintroduce some
>> form of punishment without breaking transaction symmetry that would be great.
>
> The primary advantage of Decker-Russell-Osuntokun is that it
> eliminates "toxic waste".
>
> By this we mean, older version of your channel database are "toxic" in
> that you, ***or someone who wants to attack you***, can use it
> (accidentally in your case, deliberately in the attacker case), and
> then you will lose all funds in the channel.
I'm pretty sure at this point that the toxic-waste problem is inherent
to punishment schemes, and anything we build on top of it would
reintroduce asymmetry, undoing a lot of the benefits that we gained with
eltoo. Then again, I personally don't think that punishments are such a
great idea in the first place (having been inadvertently punished myself
due to botched backups and similar things).
> Note that access to your channel database, without necessarily
> accessing your node private keys, is often easier. For example,
> C-Lightning stores channel data into an SQLITE database and exposes
> every transaction it makes to a `db_hook` that plugins can use to
> replicate the database elsewhere. If you were to use an
> insufficiently secured plugin to replicate your database, an attacker
> might be able to access your channel data, replicate your database,
> and use an older version to frame you for theft and make you lose all
> your channel funds.
Just a minor correction here: your own commitment transactions are not
being signed until we want to release them. Therefore having access to
your DB doesn't give an attacker the ability to frame the user with an
old version, since that'd still require access to the keys to add our
own signature. Even a simple signing component that keeps a high-water
mark for the latest state and refuses to sign an older one would be
sufficient to guard against involuntary cheating.
Nevertheless, there are quite a few damaging things an attacker can do
if he get hold of your DB, just not this one :-)
> Thus, Decker-Russell-Osuntokun removes the punitive consideration so
> that you being framed for theft does not lose all your funds, it
> merely closes your channels.
Which is also not free: you are still paying on-chain fees for your
failed attempt to enforce an older state, and you still don't get the
desired effect, since the counterparty just overrides your attempt,
without returning your fees.
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:55:29
in reply to nevent1q…90ke
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:55:29Event JSON
{
"id": "7e645c8e3fae97499a3d19a2a8131d20f9e27bc7783ac56aecab4b567124563e",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315329,
"kind": 1,
"tags": [
[
"e",
"0c6f5a572f8660ab445ee10254633c334833ca4bc6c0ad610801761d6b900d9c",
"",
"root"
],
[
"e",
"2704d3b11e53e4a5e07c3c9f30b4456031a08fb5930b35e67200266c519ddd99",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2019-07-14\n📝 Original message:\nZmnSCPxj via Lightning-dev \u003clightning-dev at lists.linuxfoundation.org\u003e\nwrites:\n\n\u003e Good morning Atoine,\n\u003e\n\u003e Thank you for your proposal.\n\u003e\n\u003e\u003e Eltoo has been criticized to lower the cost for a malicious party to\n\u003e\u003e test your monitoring of the chain. If we're able to reintroduce some\n\u003e\u003e form of punishment without breaking transaction symmetry that would be great.\n\u003e\n\u003e The primary advantage of Decker-Russell-Osuntokun is that it\n\u003e eliminates \"toxic waste\".\n\u003e\n\u003e By this we mean, older version of your channel database are \"toxic\" in\n\u003e that you, ***or someone who wants to attack you***, can use it\n\u003e (accidentally in your case, deliberately in the attacker case), and\n\u003e then you will lose all funds in the channel.\n\nI'm pretty sure at this point that the toxic-waste problem is inherent\nto punishment schemes, and anything we build on top of it would\nreintroduce asymmetry, undoing a lot of the benefits that we gained with\neltoo. Then again, I personally don't think that punishments are such a\ngreat idea in the first place (having been inadvertently punished myself\ndue to botched backups and similar things).\n\n\u003e Note that access to your channel database, without necessarily\n\u003e accessing your node private keys, is often easier. For example,\n\u003e C-Lightning stores channel data into an SQLITE database and exposes\n\u003e every transaction it makes to a `db_hook` that plugins can use to\n\u003e replicate the database elsewhere. If you were to use an\n\u003e insufficiently secured plugin to replicate your database, an attacker\n\u003e might be able to access your channel data, replicate your database,\n\u003e and use an older version to frame you for theft and make you lose all\n\u003e your channel funds.\n\nJust a minor correction here: your own commitment transactions are not\nbeing signed until we want to release them. Therefore having access to\nyour DB doesn't give an attacker the ability to frame the user with an\nold version, since that'd still require access to the keys to add our\nown signature. Even a simple signing component that keeps a high-water\nmark for the latest state and refuses to sign an older one would be\nsufficient to guard against involuntary cheating.\n\nNevertheless, there are quite a few damaging things an attacker can do\nif he get hold of your DB, just not this one :-)\n\n\u003e Thus, Decker-Russell-Osuntokun removes the punitive consideration so\n\u003e that you being framed for theft does not lose all your funds, it\n\u003e merely closes your channels.\n\nWhich is also not free: you are still paying on-chain fees for your\nfailed attempt to enforce an older state, and you still don't get the\ndesired effect, since the counterparty just overrides your attempt,\nwithout returning your fees.\n\nCheers,\nChristian",
"sig": "fdde7605addd31e9a2d7db4a486c39b2ab7d1eaaff2614bc9317c289dc6632e1d797a63d4bc374e23bf6d564335fb7141fc8cf21248f8bd11de5535974643ce4"
}