📅 Original date posted:2016-03-14
📝 Original message:
Mats Jerratsch <mats at blockchain.com> writes:
>> If A sends many HTLCs through B, B can simply plot what the timeouts
>> are and know that A is likely originating the HTLCs rather than relaying
>> them for someone else.
>
> Hm, right. If all payments that come from A have a timeout larger than
> some minimum value X, he is generating all of them and is just trying to
> randomize those. However, if he creates a payment with an initial refund
> value lower than X, the payment might not succeed, because the
> intermediate nodes deducted too much.
>
> However, if we take into account that the amount of nodes in the route
> is not a constant, and only known to the sender, this adds another
> degree of freedom to choose the initial value.
Good point. But we still lose on the receiving side; if you ever see a
small timeout you know the next hop is the final one.
I imagine we'll be spending some time getting more sophisticated with
our value cloaking as attacks emerge, but I'm happy to start with
something reasonable.
>>> However, I am inclined to use those timestamps in the onion object, as
>>> the described attackvector still exists.
>>
>> Doesn't including timestamps in the onion provide explicit information
>> on the number of previous hops though?
>
> Not if they are randomized. The initial sender will choose a good
> starting value (see above), and deduct MIN_TIMEOUT * MIN_OVERLAY *
> RANDOM from it. Actually it doesn't provide any additional data, as that
> is the very same mechanism the intermediate hops come to that value.
OK, let me get the proposal straight:
1. Each node will publish its MIN_TIMEOUT (along
with its other info as per Option 2 in
http://lists.linuxfoundation.org/pipermail/lightning-dev/2015-October/000262.html )
2. The payer sums the MIN_TIMEOUT to the payee, adds some random value
(keeping it under the max value allowed by protocol) to give the
initial HTLC timeout.
3. The payer puts the 'expected_timeout' in each layer of the onion, by
subtracting the last hops' MIN_TIMEOUT from the initial timeout.
eg. Say maximum allowed timeout is 20 * 12 hours, and route is:
A (12 hours) -> B (6 hours) -> C (6 hours) -> D (4 hours)
Initial timeout has to be at least 12 + 6 + 6 + 4 == 28 hours, plus
some padding for transmission delays, say 29 hours.
It picks a random timeout between 29 and 240 hours, say now+100 hours,
and onion looks like:
[ A: now+100 [ B: now+88 [ C: now+82 [ D: now+76 ] ] ] ]
Have I missed anything?
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:45:49
in reply to nevent1q…y6c9
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:45:49Event JSON
{
"id": "763dd7dbd19a615a4a46017dc57ddcfa646ff137128923efc017dfaa954d571f",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314749,
"kind": 1,
"tags": [
[
"e",
"5272205def020e3c5aab3c5851dc225814c5007aed79816e637c6362b3942e81",
"",
"root"
],
[
"e",
"ec56684fba82542c6a02e4adcdfbdc5e18b057bf9dd730df890c6a12eb79cbf9",
"",
"reply"
],
[
"p",
"b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528"
]
],
"content": "📅 Original date posted:2016-03-14\n📝 Original message:\nMats Jerratsch \u003cmats at blockchain.com\u003e writes:\n\u003e\u003e If A sends many HTLCs through B, B can simply plot what the timeouts\n\u003e\u003e are and know that A is likely originating the HTLCs rather than relaying\n\u003e\u003e them for someone else.\n\u003e\n\u003e Hm, right. If all payments that come from A have a timeout larger than\n\u003e some minimum value X, he is generating all of them and is just trying to\n\u003e randomize those. However, if he creates a payment with an initial refund\n\u003e value lower than X, the payment might not succeed, because the\n\u003e intermediate nodes deducted too much.\n\u003e\n\u003e However, if we take into account that the amount of nodes in the route\n\u003e is not a constant, and only known to the sender, this adds another\n\u003e degree of freedom to choose the initial value.\n\nGood point. But we still lose on the receiving side; if you ever see a\nsmall timeout you know the next hop is the final one.\n\nI imagine we'll be spending some time getting more sophisticated with\nour value cloaking as attacks emerge, but I'm happy to start with\nsomething reasonable.\n\n\u003e\u003e\u003e However, I am inclined to use those timestamps in the onion object, as\n\u003e\u003e\u003e the described attackvector still exists.\n\u003e\u003e \n\u003e\u003e Doesn't including timestamps in the onion provide explicit information\n\u003e\u003e on the number of previous hops though?\n\u003e\n\u003e Not if they are randomized. The initial sender will choose a good\n\u003e starting value (see above), and deduct MIN_TIMEOUT * MIN_OVERLAY *\n\u003e RANDOM from it. Actually it doesn't provide any additional data, as that\n\u003e is the very same mechanism the intermediate hops come to that value.\n\nOK, let me get the proposal straight:\n\n1. Each node will publish its MIN_TIMEOUT (along\n with its other info as per Option 2 in\n http://lists.linuxfoundation.org/pipermail/lightning-dev/2015-October/000262.html )\n\n2. The payer sums the MIN_TIMEOUT to the payee, adds some random value\n (keeping it under the max value allowed by protocol) to give the\n initial HTLC timeout.\n\n3. The payer puts the 'expected_timeout' in each layer of the onion, by\n subtracting the last hops' MIN_TIMEOUT from the initial timeout.\n\neg. Say maximum allowed timeout is 20 * 12 hours, and route is:\n\n A (12 hours) -\u003e B (6 hours) -\u003e C (6 hours) -\u003e D (4 hours)\n\n Initial timeout has to be at least 12 + 6 + 6 + 4 == 28 hours, plus\n some padding for transmission delays, say 29 hours.\n\n It picks a random timeout between 29 and 240 hours, say now+100 hours,\n and onion looks like:\n\n [ A: now+100 [ B: now+88 [ C: now+82 [ D: now+76 ] ] ] ]\n\nHave I missed anything?\n\nRusty.",
"sig": "d161516a59433571381941ec180fe9a17074b44e754539e6abb1b8e92f89d4b2794e2b4b15d4b60158789afe28179cd75c3ab86fe675133e3593fdb07c90f007"
}