đ
Original date posted:2019-07-24
đ Original message:
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-------- Forwarded Message --------
Subject: Re: [Lightning-dev] Paper: A Composable Security Treatment of
the Lightning Network
Date: Thu, 18 Jul 2019 17:47:20 +0100
From: Orfeas Stefanos Thyfronitis Litos <o.thyfronitis at ed.ac.uk>
To: Lloyd Fournier <lloyd.fourn at gmail.com>
Hi Lloyd,
> Thanks for formally modelling lightning
Thanks for the constructive questions.
> I found F_PayNet to be rather difficult to follow
I completely agree. F_PayNet is too complex for anyone's liking. Long
story short, this was the result of:
* staying in the UC model (easier said than done)
* building on top of G_Ledger (with all its complexity)
* the modelling of the entire LN as a single functionality (minimizing
abstraction leak)
* not depending on the `clock` functionality (thus not obstructing
G_Ledger and other protocols that use it)
* possibly many other reasons (such as me being a noob dev)
FWIW, it's still much simpler than the real-world protocol Pi_LN (e.g.
half its length).
I'm currently exploring alternative models where e.g. there's one
functionality per channel. It may make things more modular, but may also
expose more gory details to the "user" of the functionality (i.e. the
cryptographer who builds on top of those channels).
> "F_PayNet checks that for each payment the charged party was one of
> the following: (a) the one that initiated the payment, (b) a malicious
> party or (c) an honest party that is negligent"
>
> Why not assume that (b) never happens because a malicious party never
> wants to lose the funds from a party they've corrupted[?]
In security proofs we usually let the Adversary be any polynomial
machine. In particular, this includes the case where the Adversary does
silly things, such as not fulfilling HTLCs. Sure, it's not a rational
thing to do, but rationality is of interest in a game-theoretic
analysis. (BTW, LN is a fine example of a protocol that requires both a
cryptographic and a game-theoretic analysis, each of which could uncover
different flaws.)
We could restrict the adversary to always fulfilling the HTLCs it can,
but that would immediately exile us from UC territory.
> [Why not assume] (c) never happens because honest parties follow the
> protocol and check each ledger update for malicious channel closes?
If activated at the correct moment and with the correct command, honest
parties indeed check the ledger. However, parties are activated by the
Environment (another polynomial machine), which may simply refuse to
activate them in time. This is why honest parties may end up being
negligent.
We could tie the advancement of the protocol to the clock functionality
to avoid the above, but that would bring a big degree of coupling of LN
with other protocols that use the clock. E.g. G_Ledger could stall
because the Environment decided not to let some LN parties advance,
which is very counterintuitive.
> I am not convinced that the ideal and real worlds aren't easily
> distinguishable from each other by an Environment that just looks at
> the transactions in the blockchain (G_ledger).
Good point, it's not explained well enough in the main body, we should
update the description (pp. 10-11). We indeed take care to have the
exact same transactions end up on-chain in both worlds (otherwise the
proof of security wouldn't work). F_PayNet checks at several moments
that the ledger really contains the txs that would be there in the real
world. The trick is that instead of having F_PayNet prepare all
necessary transactions itself (i.e. "speak LN"), it forces the Simulator
to do it by halting (and thus allowing the Environment to distinguish)
in case it doesn't find the txs.
> I don't understand this "receipt" mechanism.
The receipt is to let the environment know which channels were
successfully opened/closed and which payments were made. Importantly, it
doesn't contain any keys. As such, it is unrelated to the keypair that
can spend Alice's coins (the coins that Alice has before opening any
channel).
> In the ideal world, the ideal functionality should be the one with the
> private key signing the funding transaction directly
In the real world, Alice's key is created by the protocol instance when
she receives REGISTER (Fig. 19, line 9), whereas in the ideal world,
this key is created by the Simulator when it receives REGISTER from
F_PayNet (Fig. 40, line 5). It's a bit counterintuitive on first
thought, but F_PayNet shouldn't be managing private keys or doing
signatures. It should just ensure that Alice's public key contains the
promised coins upon channel closing.
Note that our approach is different from that mentioned by Andrew
Miller. Since we ensure that on-chain txs are the same in both worlds,
we don't need to hide the ledger contents from the Environment.
Let me know if I left anything unclear, or if you have further
observations/corrections/questions.
Best,
Orfeas
Orfeas Stefanos Thyfronitis Litos [ARCHIVE] /
npub1h9âŚ9dv32
2023-06-09 12:55:40
in reply to nevent1qâŚszwf
Author Public Key
npub1h9v94vzhwug6qdxzldyy8vfg4vyxhftwqhalec5vjwr8hfx0fnzst9dv32Published at
2023-06-09 12:55:40Event JSON
{
"id": "09bd27ddaee4de0f1ccc2c2945fa44d636a8ba10a3808d356bbf4595fe2e9a45",
"pubkey": "b9585ab0577711a034c2fb4843b128ab086ba56e05fbfce28c93867ba4cf4cc5",
"created_at": 1686315340,
"kind": 1,
"tags": [
[
"e",
"ffb7b8d32ef0075ea0a2bf9995066d033cfcc3dcd01c0e8dd2edf4d1a884a682",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "đ
Original date posted:2019-07-24\nđ Original message:\n-- \nThe University of Edinburgh is a charitable body, registered in\nScotland, with registration number SC005336.\n\n\n-------- Forwarded Message --------\nSubject: Re: [Lightning-dev] Paper: A Composable Security Treatment of\nthe Lightning Network\nDate: Thu, 18 Jul 2019 17:47:20 +0100\nFrom: Orfeas Stefanos Thyfronitis Litos \u003co.thyfronitis at ed.ac.uk\u003e\nTo: Lloyd Fournier \u003clloyd.fourn at gmail.com\u003e\n\nHi Lloyd,\n\n\u003e Thanks for formally modelling lightning\n\nThanks for the constructive questions.\n\n\u003e I found F_PayNet to be rather difficult to follow\n\nI completely agree. F_PayNet is too complex for anyone's liking. Long\nstory short, this was the result of:\n* staying in the UC model (easier said than done)\n* building on top of G_Ledger (with all its complexity)\n* the modelling of the entire LN as a single functionality (minimizing\nabstraction leak)\n* not depending on the `clock` functionality (thus not obstructing\nG_Ledger and other protocols that use it)\n* possibly many other reasons (such as me being a noob dev)\n\nFWIW, it's still much simpler than the real-world protocol Pi_LN (e.g.\nhalf its length).\n\nI'm currently exploring alternative models where e.g. there's one\nfunctionality per channel. It may make things more modular, but may also\nexpose more gory details to the \"user\" of the functionality (i.e. the\ncryptographer who builds on top of those channels).\n\n\u003e \"F_PayNet checks that for each payment the charged party was one of\n\u003e the following: (a) the one that initiated the payment, (b) a malicious\n\u003e party or (c) an honest party that is negligent\"\n\u003e\n\u003e Why not assume that (b) never happens because a malicious party never\n\u003e wants to lose the funds from a party they've corrupted[?]\n\nIn security proofs we usually let the Adversary be any polynomial\nmachine. In particular, this includes the case where the Adversary does\nsilly things, such as not fulfilling HTLCs. Sure, it's not a rational\nthing to do, but rationality is of interest in a game-theoretic\nanalysis. (BTW, LN is a fine example of a protocol that requires both a\ncryptographic and a game-theoretic analysis, each of which could uncover\ndifferent flaws.)\n\nWe could restrict the adversary to always fulfilling the HTLCs it can,\nbut that would immediately exile us from UC territory.\n\n\u003e [Why not assume] (c) never happens because honest parties follow the\n\u003e protocol and check each ledger update for malicious channel closes?\n\nIf activated at the correct moment and with the correct command, honest\nparties indeed check the ledger. However, parties are activated by the\nEnvironment (another polynomial machine), which may simply refuse to\nactivate them in time. This is why honest parties may end up being\nnegligent.\n\nWe could tie the advancement of the protocol to the clock functionality\nto avoid the above, but that would bring a big degree of coupling of LN\nwith other protocols that use the clock. E.g. G_Ledger could stall\nbecause the Environment decided not to let some LN parties advance,\nwhich is very counterintuitive.\n\n\u003e I am not convinced that the ideal and real worlds aren't easily\n\u003e distinguishable from each other by an Environment that just looks at\n\u003e the transactions in the blockchain (G_ledger).\n\nGood point, it's not explained well enough in the main body, we should\nupdate the description (pp. 10-11). We indeed take care to have the\nexact same transactions end up on-chain in both worlds (otherwise the\nproof of security wouldn't work). F_PayNet checks at several moments\nthat the ledger really contains the txs that would be there in the real\nworld. The trick is that instead of having F_PayNet prepare all\nnecessary transactions itself (i.e. \"speak LN\"), it forces the Simulator\nto do it by halting (and thus allowing the Environment to distinguish)\nin case it doesn't find the txs.\n\n\u003e I don't understand this \"receipt\" mechanism.\n\nThe receipt is to let the environment know which channels were\nsuccessfully opened/closed and which payments were made. Importantly, it\ndoesn't contain any keys. As such, it is unrelated to the keypair that\ncan spend Alice's coins (the coins that Alice has before opening any\nchannel).\n\n\u003e In the ideal world, the ideal functionality should be the one with the\n\u003e private key signing the funding transaction directly\n\nIn the real world, Alice's key is created by the protocol instance when\nshe receives REGISTER (Fig. 19, line 9), whereas in the ideal world,\nthis key is created by the Simulator when it receives REGISTER from\nF_PayNet (Fig. 40, line 5). It's a bit counterintuitive on first\nthought, but F_PayNet shouldn't be managing private keys or doing\nsignatures. It should just ensure that Alice's public key contains the\npromised coins upon channel closing.\n\nNote that our approach is different from that mentioned by Andrew\nMiller. Since we ensure that on-chain txs are the same in both worlds,\nwe don't need to hide the ledger contents from the Environment.\n\nLet me know if I left anything unclear, or if you have further\nobservations/corrections/questions.\n\nBest,\nOrfeas",
"sig": "61fefae7428544c6184e8d9c851c7bf612fb60438eb05d48ee87caeac6c9b2bc31ae4c67aaade38a81ef0a8b74402c85f9b7371db2cf95a542c31d46544a424a"
}