š
Original date posted:2023-08-30
šļø Summary of this message: Proposal for symmetric peer backups in resumable channels. Issue: if Alice loses state, Bob may disconnect. Solution: Alice writes Bob's state commitment on-chain to prevent forgetting.
š Original message:
Regarding your proposal to make peer backups symmetric, with a first
message that commits to the current state, and then a second message
that reveals the state: I think it could work, but I see the following
issue:
If Alice reveals that she has lost her state, Bob might be tempted to
disconnect, because he expects that Alice will forget his already sent
state commitment. For example this would happen if the user is frustrated
and uninstalls/re-installs the app, or if she decides to try from another
device because the first device "failed" to restore her wallet). Thus,
Bob could try to send a different commitment the next time.
A possible way to prevent that: Alice could, if Bob does not reveal his
state, write Bob's state commitment on-chain, in an OP_RETURN. That way,
Bob cannot expect her to have forgotten his state commitment.
Thomas
On 17.08.23 20:43, SomberNight wrote:
>
> Symmetric resumable channels
> ----------------------------
>
> Alice and Bob could have a channel where they both provide state backups
> to each other. Regarding who goes first in channel_reestablish, we need
> an extra preliminary round where both Alice and Bob commit to what they
> will send in channel_reestablish:
>
> Round 1:
> 1. Alice sends hashA = hash(bobs_backup, nonceA)
> 2. Bob sends hashB = hash(alices_backup, nonceB)
>
> Alice persists hashB to disk upon receiving it, and enforces that even
> if there is a disconnection, Bob cannot arbitrarily send a different
> commitment next time. (if the channel gets reestablished fully and
> Alice sends a new backup to Bob, the stored hashB can be cleared)
>
> Round 2:
> 3. Alice sends channel_reestablish containing bobs_backup, and nonceA
> 4. Bob sends channel_reestablish containing alices_backup, and nonceB
>
> Alice checks that the commitment received from Bob in round1 matches
> what was received in round2.
>
> Regarding the opening post OP_CHECKSIGFROMSTACK on-chain enforcement,
> that can be made symmetric as well! The channel funding output script
> needs one taproot branch each for both Alice and Bob lying. The protocol
> needs to be tweaked a bit so as to allow a party to legitimately admit
> having lost state and commit to the hash of that in round1, and then
> reveal they lost state in round2 (e.g. send null data). In which case
> the other party would not be able to use the fraud proof taproot branch.
>
> Though note that user-error and manual copying/restoring of DBs could
> lead to catastrophic failure with the on-chain enforcement:
> if you restore an old db and launch your client, the client won't know
> it is running an old state and happily participate in the two round
> dance, giving a fraud proof to the counterparty in the process.
>
> Regards,
> ghost43
Thomas Voegtlin [ARCHIVE] /
npub10fā¦7ej47
2023-09-07 11:17:26
in reply to nevent1qā¦8ehh
Author Public Key
npub10f96gqrsu4qpygfgvuvzce47aavjvql703egfde0l2hua8dzpszs67ej47Published at
2023-09-07 11:17:26Event JSON
{
"id": "df1edbea8e7944c5b0efd4e927a2ce8582996499f6ddf49baf62c5067e78ac10",
"pubkey": "7a4ba40070e54012212867182c66beef592603fe7c7284b72ffaafce9da20c05",
"created_at": 1694085446,
"kind": 1,
"tags": [
[
"e",
"a326d465876144c0b60f5186966248e965bd554a8674674b5753301c75bbe219",
"",
"root"
],
[
"e",
"904cacc1911b0731cb513635b219f2dd4adca506ca3bd1a1fa2fb211d7d1cb32",
"",
"reply"
],
[
"p",
"7a4ba40070e54012212867182c66beef592603fe7c7284b72ffaafce9da20c05"
]
],
"content": "š
Original date posted:2023-08-30\nšļø Summary of this message: Proposal for symmetric peer backups in resumable channels. Issue: if Alice loses state, Bob may disconnect. Solution: Alice writes Bob's state commitment on-chain to prevent forgetting.\nš Original message:\nRegarding your proposal to make peer backups symmetric, with a first\nmessage that commits to the current state, and then a second message\nthat reveals the state: I think it could work, but I see the following\nissue:\n\nIf Alice reveals that she has lost her state, Bob might be tempted to\ndisconnect, because he expects that Alice will forget his already sent\nstate commitment. For example this would happen if the user is frustrated\nand uninstalls/re-installs the app, or if she decides to try from another\ndevice because the first device \"failed\" to restore her wallet). Thus,\nBob could try to send a different commitment the next time.\n\nA possible way to prevent that: Alice could, if Bob does not reveal his\nstate, write Bob's state commitment on-chain, in an OP_RETURN. That way,\nBob cannot expect her to have forgotten his state commitment.\n\nThomas\n\n\n\n\nOn 17.08.23 20:43, SomberNight wrote:\n\u003e \n\u003e Symmetric resumable channels\n\u003e ----------------------------\n\u003e \n\u003e Alice and Bob could have a channel where they both provide state backups\n\u003e to each other. Regarding who goes first in channel_reestablish, we need\n\u003e an extra preliminary round where both Alice and Bob commit to what they\n\u003e will send in channel_reestablish:\n\u003e \n\u003e Round 1:\n\u003e 1. Alice sends hashA = hash(bobs_backup, nonceA)\n\u003e 2. Bob sends hashB = hash(alices_backup, nonceB)\n\u003e \n\u003e Alice persists hashB to disk upon receiving it, and enforces that even\n\u003e if there is a disconnection, Bob cannot arbitrarily send a different\n\u003e commitment next time. (if the channel gets reestablished fully and\n\u003e Alice sends a new backup to Bob, the stored hashB can be cleared)\n\u003e \n\u003e Round 2:\n\u003e 3. Alice sends channel_reestablish containing bobs_backup, and nonceA\n\u003e 4. Bob sends channel_reestablish containing alices_backup, and nonceB\n\u003e \n\u003e Alice checks that the commitment received from Bob in round1 matches\n\u003e what was received in round2.\n\u003e \n\u003e Regarding the opening post OP_CHECKSIGFROMSTACK on-chain enforcement,\n\u003e that can be made symmetric as well! The channel funding output script\n\u003e needs one taproot branch each for both Alice and Bob lying. The protocol\n\u003e needs to be tweaked a bit so as to allow a party to legitimately admit\n\u003e having lost state and commit to the hash of that in round1, and then\n\u003e reveal they lost state in round2 (e.g. send null data). In which case\n\u003e the other party would not be able to use the fraud proof taproot branch.\n\u003e \n\u003e Though note that user-error and manual copying/restoring of DBs could\n\u003e lead to catastrophic failure with the on-chain enforcement:\n\u003e if you restore an old db and launch your client, the client won't know\n\u003e it is running an old state and happily participate in the two round\n\u003e dance, giving a fraud proof to the counterparty in the process.\n\u003e \n\u003e Regards,\n\u003e ghost43",
"sig": "363091309c8babfeb564fdb0fa3f162999c377f4ee72b1d059a735957e45910ade82e206dd760c9bb731c78bcda002839cf9a15ae13f1fbb1c2649457dd1b13f"
}