📅 Original date posted:2018-05-09
📝 Original message:
Jim Posen <jim.posen at gmail.com> writes:
> There are two directions of solutions I have heard: 1) protocol support for
> decrypting the onion route if the HTLC is kept in-flight for too long 2)
> requiring fees even if the payment fails as a cost to the attacker 3) some
> sort of reputation system for nodes.
>
> Option 1 I'm afraid may be quite complex. Say this mechanism kicks in and
> all nodes in the circuit deobfuscate the route and are able to see the
> delays at each hop. The outcome we hope for is that there is one node
> clearly to blame and the prior hop in the route fails all channels with
> them. However, the attacker can of course control multiple successive hops
> in the route, one that looks innocent in front of one that looks guilty,
> then keep the channel alive and try again. So then all nodes need to keep a
> record of the full circuits and iteratively shift blame up the chain if bad
> HTLCs keep going through those channels.
You missed the vital detail: that you must prove channel closure if you
can't unpeel the onion further. That *will* hit an unresponsive party
with a penalty.[1]
> Option 2 is also problematic because it only protects against the case
> where the sender is colluding with the receiver, and not where a routing
> node is opportunistically delaying payments. This would, however, likely be
> successful against nodes being annoying and sending tons of payments with
> randomly generated payment hashes in order to "ping" a circuit.
The models we tried in Milan all created an incentive to fail payments,
which is a non-starter.
> Option 3 has become my preferred solution. The idea is that that for each
> node that one has channels with, it only forwards payments through them if
> they have a good history, otherwise it fails the payment. Notably, we
> ignore whether the downstream hop is directly responsible for delaying a
> payment or whether they are simply willing to forward to another node that
> is intentionally delaying -- both should be considered bad behavior. In my
> opinion, this type of solution fits best into the Lightning model of
> independent, linked channels where each node has private contracts with its
> direct peers. It also is the simplest in the context of onion routing
> because if you are offered an HTLC to route, the only decision you can make
> is whether to forward it or fail it based on the amount, previous hop, and
> next hop. When I refer to "reputation" hereafter, I do not mean a global
> reputation that is gossiped about -- just a local view of a peer's history.
This seems like we'd need some serious evaluation to show that this
works, because the risks are very high.
I can destroy your node's reputation by routing crap through you; even
if it costs me marginaly more reputation than it does you, that just
means that the largest players can force failure upon smaller players,
centralizing the network. And I think trying to ensure that it costs me
more reputation than the sum of downstream reputation loss leaks too
much information
If the system doesn't work perfectly, it creates incentive to
de-anonymize payments so you can determine which are likely to fail, and
also means nodes are safest not forwarding payments, lest they ruin
their reputatation. But nodes which don't forward have much less
privacy.
But I agree, all solutions I've seen to this problem are bad in
different ways.
Cheers,
Rusty.
[1] Proving that you've committed to a particular HTLC in a channel is
difficult, because of dust HTLCs[2] and partially-committed ones[3].
[2] We could have an OP_RETURN output which was a merkle tree of trimmed
HTLCs to cover the dust case.
[3] You committed to an HTLC but the peer didn't respond; you have no
proof. So you also need to present a merkle tree of uncommitted
HTLCs (limited, say, to 16) otherwise you can create 1M HTLCs, then
claim they were all in that one channel close.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:50:24
in reply to nevent1q…s9k3
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:50:24Event JSON
{
"id": "1f61e282ada84771ff71dea4c52dbc7258924f166f7327639868c5b778b0d2a5",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315024,
"kind": 1,
"tags": [
[
"e",
"ec647d42dc739e5a708f79cd6e7400519e655a3f7062723c1ca708888c19c0eb",
"",
"root"
],
[
"e",
"8d77a6680343c25c3169f9cc4a72776babe3dfdbe5f3e580adda3be6838093e6",
"",
"reply"
],
[
"p",
"9e2723f47c6c16d3093735bd6acdc8b0dd1b91c78216f7001bdd2f7562b69ed1"
]
],
"content": "📅 Original date posted:2018-05-09\n📝 Original message:\nJim Posen \u003cjim.posen at gmail.com\u003e writes:\n\u003e There are two directions of solutions I have heard: 1) protocol support for\n\u003e decrypting the onion route if the HTLC is kept in-flight for too long 2)\n\u003e requiring fees even if the payment fails as a cost to the attacker 3) some\n\u003e sort of reputation system for nodes.\n\u003e\n\u003e Option 1 I'm afraid may be quite complex. Say this mechanism kicks in and\n\u003e all nodes in the circuit deobfuscate the route and are able to see the\n\u003e delays at each hop. The outcome we hope for is that there is one node\n\u003e clearly to blame and the prior hop in the route fails all channels with\n\u003e them. However, the attacker can of course control multiple successive hops\n\u003e in the route, one that looks innocent in front of one that looks guilty,\n\u003e then keep the channel alive and try again. So then all nodes need to keep a\n\u003e record of the full circuits and iteratively shift blame up the chain if bad\n\u003e HTLCs keep going through those channels.\n\nYou missed the vital detail: that you must prove channel closure if you\ncan't unpeel the onion further. That *will* hit an unresponsive party\nwith a penalty.[1]\n\n\u003e Option 2 is also problematic because it only protects against the case\n\u003e where the sender is colluding with the receiver, and not where a routing\n\u003e node is opportunistically delaying payments. This would, however, likely be\n\u003e successful against nodes being annoying and sending tons of payments with\n\u003e randomly generated payment hashes in order to \"ping\" a circuit.\n\nThe models we tried in Milan all created an incentive to fail payments,\nwhich is a non-starter.\n\n\u003e Option 3 has become my preferred solution. The idea is that that for each\n\u003e node that one has channels with, it only forwards payments through them if\n\u003e they have a good history, otherwise it fails the payment. Notably, we\n\u003e ignore whether the downstream hop is directly responsible for delaying a\n\u003e payment or whether they are simply willing to forward to another node that\n\u003e is intentionally delaying -- both should be considered bad behavior. In my\n\u003e opinion, this type of solution fits best into the Lightning model of\n\u003e independent, linked channels where each node has private contracts with its\n\u003e direct peers. It also is the simplest in the context of onion routing\n\u003e because if you are offered an HTLC to route, the only decision you can make\n\u003e is whether to forward it or fail it based on the amount, previous hop, and\n\u003e next hop. When I refer to \"reputation\" hereafter, I do not mean a global\n\u003e reputation that is gossiped about -- just a local view of a peer's history.\n\nThis seems like we'd need some serious evaluation to show that this\nworks, because the risks are very high.\n\nI can destroy your node's reputation by routing crap through you; even\nif it costs me marginaly more reputation than it does you, that just\nmeans that the largest players can force failure upon smaller players,\ncentralizing the network. And I think trying to ensure that it costs me\nmore reputation than the sum of downstream reputation loss leaks too\nmuch information\n\nIf the system doesn't work perfectly, it creates incentive to\nde-anonymize payments so you can determine which are likely to fail, and\nalso means nodes are safest not forwarding payments, lest they ruin\ntheir reputatation. But nodes which don't forward have much less\nprivacy.\n\nBut I agree, all solutions I've seen to this problem are bad in\ndifferent ways.\n\nCheers,\nRusty.\n\n[1] Proving that you've committed to a particular HTLC in a channel is\n difficult, because of dust HTLCs[2] and partially-committed ones[3].\n\n[2] We could have an OP_RETURN output which was a merkle tree of trimmed\n HTLCs to cover the dust case.\n\n[3] You committed to an HTLC but the peer didn't respond; you have no\n proof. So you also need to present a merkle tree of uncommitted\n HTLCs (limited, say, to 16) otherwise you can create 1M HTLCs, then\n claim they were all in that one channel close.",
"sig": "0a8cafee09d14fe8f81227f74f1df873eb364f3c4b101d5d932bf50ab57565a6d01ba959d2d3b350183d29e5425a2b4eb98b459a8822b88661919e1ba94b7637"
}