📅 Original date posted:2021-04-27
📝 Original message:
Lloyd Fournier <lloyd.fourn at gmail.com> writes:
> Hey Rusty,
>
> Thoughts on each point below.
>
> On Fri, 23 Apr 2021 at 14:29, Rusty Russell <rusty at rustcorp.com.au> wrote:
>
>> OK, I'm now leaning *against* this method.
>>
>> 1. It removes the ability to update a channel without access to the node's
>> secret key. At the moment the node secret key is only needed for
>> gossip and to DH to set up a new peer connection. c-lightning does
>> not use this for now (we keep the per-channel keys in the HSM too),
>> but it would be a perfectly acceptable tradeoff not to do this.
>>
>
> Don't you also need the node secret key for onion routing? i.e. every time
> you update your channel to forward a payment.
You need to ECDH with the node_id privkey, yes (as you do to establish
peer comms). But in the c-lightning model, that's part of central
routing, not the subdaemon which deals with a single channel. You can
still shutdown a channel without knowing the node's private key.
> I am not familiar with lightning HSM designs and security goals but to me
> it doesn't sound like much of a cost to keep the key on the HSM and to
> include doing channel updates as well seeing as it's already doing so much
> work. If it is desirable to have different keys for DH and channel updates
> then a simple solution is to have two static public keys -- one for each
> task.
The main concern is that access to one channel's keys doesn't give you
any access to the other channels' keys. I don't think there's a way
around that in any "I can derive another nodes' keys" model.
>>From my perspective it is worth making the necessary sacrifices to include
> this feature. For me and many people, lost data without backups is the
> biggest risk to my funds in lightning. Certainly much more threatening than
> whether certain keys are on a HSM or not. Anecdotally I've heard stories
> like "I put my lnd on autopilot and then lost my disk died -- all my funds
> are gone!?" more than once.
Fair, but more reliable backups solve this better IMHO. (Roasbeef told
us that Electrum uses OP_RETURN to tag opens, which also works).
> 2. It doesn't get rid of temporary_channel_id, since we don't know
>> the generation_number until both sides have sent it. We have a
>> workaround for this already in dual-funding anyway.
>>
>
> Why did you decide to send this rather than just look up in your own
> database what "generation" should be? I think that it's easy to make sure
> that you and the other node are on the same page about this number without
> communicating it. If someone is opening a channel with data that appears to
> be invlaid because they are using the wrong generation then sending an
> error back indicating what you are up to should be sufficient to recover?
If you ever lose that information, you can never open a channel again?
Or you simply believe them and retry if they offer a higher generation?
>> 3. Because we need a generation counter, it's not quite as easily
>> scannable as you'd hope (the "gap" problem).
>>
>
> This doesn't seem to be a big issue. You are trying to recover your funds
> after all so you can afford to scan over very large gaps i.e. leave the
> node on for days. I mean my Bitcoin wallet manages to handle this so why
> wouldn't it work here?
Well, bitcoin core famously didn't do this at all (had a key pool) and
people lost funds. Deterministic key generation is better, but it's
still making gross assumptions, usually undocumented, on how many keys
you can hand out before you *have* to use one.
It's sometimes shocking how unpolished Bitcoin infrastructure is. But
it's stuff like this that so many exchanges offer fixed deposit
addresses :(
> I wonder if it is even necessary to bump the
> generation until a funding tx is confirmed -- I can't think of a good
> reason why you would want to open two channels to the same node at the same
> time (why not put all your funds into the same funding).
Well, I'd agree with you of course, but other implementations do allow
it. If you don't allow it, you don't need a temporary_channel_id at
all.
But that still only prevents gaps if you scan the TXO set, not the UTXO
set. And it doesn't help with unannounced peers or peers which are no
longer in the public graph. You want backups :)
>> I think the "encrypted blob served by peers", even in a very naive way,
>> offers another way to do this, though it requires the assumption that at
>> least one peer is honest.
>
> I see encrypted backups as complementary. With this scheme you can at least
> find a peer that you've had a channel with. From the encrypted backup you
> left with them you can then find others and check against them.
I see encrypted backups as a more-likely-to-be-implemented solution
though. Because they're useful to send to places other than peers, and
they can also contain HTLC information if you want.
And after that, I don't think the remaining problem is sufficient to
engineer salvage solutions for.
But we can revisit if I'm wrong!
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 13:02:17
in reply to nevent1q…u63k
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 13:02:17Event JSON
{
"id": "06242941a490af300ca41b9467a4178484c87a6cd1a435da9640fc4acbdb363c",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315737,
"kind": 1,
"tags": [
[
"e",
"9eb4c7be3b2b54415d1ca222464abf2f2c946db286a895ee30cb6529f9bcf7b5",
"",
"root"
],
[
"e",
"296a7e3c39244945d7ff1fe4f7d5ad82677aa1020f6550a4698857c102aae407",
"",
"reply"
],
[
"p",
"b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e"
]
],
"content": "📅 Original date posted:2021-04-27\n📝 Original message:\nLloyd Fournier \u003clloyd.fourn at gmail.com\u003e writes:\n\u003e Hey Rusty,\n\u003e\n\u003e Thoughts on each point below.\n\u003e\n\u003e On Fri, 23 Apr 2021 at 14:29, Rusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\u003e\n\u003e\u003e OK, I'm now leaning *against* this method.\n\u003e\u003e\n\u003e\u003e 1. It removes the ability to update a channel without access to the node's\n\u003e\u003e secret key. At the moment the node secret key is only needed for\n\u003e\u003e gossip and to DH to set up a new peer connection. c-lightning does\n\u003e\u003e not use this for now (we keep the per-channel keys in the HSM too),\n\u003e\u003e but it would be a perfectly acceptable tradeoff not to do this.\n\u003e\u003e\n\u003e\n\u003e Don't you also need the node secret key for onion routing? i.e. every time\n\u003e you update your channel to forward a payment.\n\nYou need to ECDH with the node_id privkey, yes (as you do to establish\npeer comms). But in the c-lightning model, that's part of central\nrouting, not the subdaemon which deals with a single channel. You can\nstill shutdown a channel without knowing the node's private key.\n\n\u003e I am not familiar with lightning HSM designs and security goals but to me\n\u003e it doesn't sound like much of a cost to keep the key on the HSM and to\n\u003e include doing channel updates as well seeing as it's already doing so much\n\u003e work. If it is desirable to have different keys for DH and channel updates\n\u003e then a simple solution is to have two static public keys -- one for each\n\u003e task.\n\nThe main concern is that access to one channel's keys doesn't give you\nany access to the other channels' keys. I don't think there's a way\naround that in any \"I can derive another nodes' keys\" model.\n\n\u003e\u003eFrom my perspective it is worth making the necessary sacrifices to include\n\u003e this feature. For me and many people, lost data without backups is the\n\u003e biggest risk to my funds in lightning. Certainly much more threatening than\n\u003e whether certain keys are on a HSM or not. Anecdotally I've heard stories\n\u003e like \"I put my lnd on autopilot and then lost my disk died -- all my funds\n\u003e are gone!?\" more than once.\n\nFair, but more reliable backups solve this better IMHO. (Roasbeef told\nus that Electrum uses OP_RETURN to tag opens, which also works).\n\n\u003e 2. It doesn't get rid of temporary_channel_id, since we don't know\n\u003e\u003e the generation_number until both sides have sent it. We have a\n\u003e\u003e workaround for this already in dual-funding anyway.\n\u003e\u003e\n\u003e\n\u003e Why did you decide to send this rather than just look up in your own\n\u003e database what \"generation\" should be? I think that it's easy to make sure\n\u003e that you and the other node are on the same page about this number without\n\u003e communicating it. If someone is opening a channel with data that appears to\n\u003e be invlaid because they are using the wrong generation then sending an\n\u003e error back indicating what you are up to should be sufficient to recover?\n\nIf you ever lose that information, you can never open a channel again?\nOr you simply believe them and retry if they offer a higher generation?\n\n\u003e\u003e 3. Because we need a generation counter, it's not quite as easily\n\u003e\u003e scannable as you'd hope (the \"gap\" problem).\n\u003e\u003e\n\u003e\n\u003e This doesn't seem to be a big issue. You are trying to recover your funds\n\u003e after all so you can afford to scan over very large gaps i.e. leave the\n\u003e node on for days. I mean my Bitcoin wallet manages to handle this so why\n\u003e wouldn't it work here?\n\nWell, bitcoin core famously didn't do this at all (had a key pool) and\npeople lost funds. Deterministic key generation is better, but it's\nstill making gross assumptions, usually undocumented, on how many keys\nyou can hand out before you *have* to use one.\n\nIt's sometimes shocking how unpolished Bitcoin infrastructure is. But\nit's stuff like this that so many exchanges offer fixed deposit\naddresses :(\n\n\u003e I wonder if it is even necessary to bump the\n\u003e generation until a funding tx is confirmed -- I can't think of a good\n\u003e reason why you would want to open two channels to the same node at the same\n\u003e time (why not put all your funds into the same funding).\n\nWell, I'd agree with you of course, but other implementations do allow\nit. If you don't allow it, you don't need a temporary_channel_id at\nall.\n\nBut that still only prevents gaps if you scan the TXO set, not the UTXO\nset. And it doesn't help with unannounced peers or peers which are no\nlonger in the public graph. You want backups :)\n\n\u003e\u003e I think the \"encrypted blob served by peers\", even in a very naive way,\n\u003e\u003e offers another way to do this, though it requires the assumption that at\n\u003e\u003e least one peer is honest.\n\u003e\n\u003e I see encrypted backups as complementary. With this scheme you can at least\n\u003e find a peer that you've had a channel with. From the encrypted backup you\n\u003e left with them you can then find others and check against them.\n\nI see encrypted backups as a more-likely-to-be-implemented solution\nthough. Because they're useful to send to places other than peers, and\nthey can also contain HTLC information if you want.\n\nAnd after that, I don't think the remaining problem is sufficient to\nengineer salvage solutions for.\n\nBut we can revisit if I'm wrong!\n\nCheers,\nRusty.",
"sig": "a0aa3e86e9c43e110439307a843ca7ea767f35b4138535275f6d05924e2f847dc01a5e3a907b334171e02a86bb5d54d6cafcd9b2ceb800863eacf52812b8ccc0"
}