📅 Original date posted:2020-12-16
📝 Original message:
Hey Z,
On Tue, Dec 15, 2020 at 9:21 PM ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:
>
> Good morning LL,
>
>
> > - What do you do if the channel state has HTLCs in flight? I don't know -- I guess you can just put them onto the settlement tx? That way it's possible the payment could still go through. Alternatively you could just gift the money to the party offering the recovery settlement.
>
> Gifting the money is not a good option --- we allow HTLCs to be almost as high as the total channel value minus fees and reserve.
> Thus all the claimable value could potentially be in an outgoing HTLC.
> Worse, if our node is a forwarding node, it would be easy for a third party to arrange to have our funds in various HTLCs.
Hopefully this recovery system is used by people whose channels are in
a HTLC free state 99.9999% of the time (and hopefully hardware
failures do not somehow coincide with HTLCs!).
As a user, it would be cool to be able to just lock up all my Bitcoin
into channels with well-established lightning nodes. That way if fees
go ballistic I can still move money around cheaply.
One of the main concerns for this pattern of user behaviour is the
recovery story I think. The first line of defence for routing nodes
(people who are taking their role in LN seriously) has to be redundant
data storage.
This would be a poor last-resort solution for routing nodes.
> Using static-key channels (i.e. channel keys are our node keys) allows us to recover even the outgoing channel with outgoing HTLC that has been forgotten by the outgoing peer.
Right. I think this doesn't work with PTLCs though.
> Using static-key channels does have slightly weaker privacy:
>
> * Published nodes reveal all their channels with other published nodes on the blockchain.
> * While it is true that published nodes already reveal their channels with published nodes, they are currently only revealed on the LN gossip network, which is not archived; historical channels that are now closed are not informed to current surveillors.
> * On the other hand, all it takes is one "LN wayback machine" to record all LN gossip, which are self-attesting and include a signature from the node.
> * Unpublished nodes risk revealing their channels with published nodes via the blockchain.
> * Invoices created by unpublished nodes currently reveal their public key.
> Payers can then uncover all the channels of that node.
I don't think so? You need to know the private key of the node to
discover its channels! The points actually used in the channels would
be randomized with shared secret from Diffie-Hellman so are unlinkable
to the public keys of the two nodes under decisional Diffie-Hellman
assumption.
There is more minor but still real concern of "deniability" of
unpublished closed channels if a large node operator later becomes
corrupted or coerced by a malicious actor. Since the node operator
still knows their secret key (obviously) they can still do a scan
(same as you would do in recovery) on the whole chain and find any
past channels they had with any nodes. A mitigation of this problem
would be for users who want unpublished channels to turn the
use-node-key-as-channel-key feature off for their keys in the channel
so they would still be able to do a backup-free channel scan but the
well-established node would lose the ability to do so. This means that
after the channel is closed there would be no way for the large node
to find the channel again assuming they honestly delete the data.
Cheers,
LL
Lloyd Fournier [ARCHIVE] /
npub1kh…y05yp
2023-06-09 13:01:45
in reply to nevent1q…pw7l
Author Public Key
npub1khlhcuz0jrjwa0ayznq2q9agg4zvxfvx5x7jljrvwnpfzngrcf0q7y05ypPublished at
2023-06-09 13:01:45Event JSON
{
"id": "381be9fb49750672ab516b943e45eb29157218a87bdb375db286b2259e9043e1",
"pubkey": "b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e",
"created_at": 1686315705,
"kind": 1,
"tags": [
[
"e",
"e21c86dc6da7e4e7f2c2f49c2f0de867759b86836147a2e16bdbd8dc076c9c48",
"",
"root"
],
[
"e",
"bf8fec92c348cde086d2822c90b7fa611e6a6bcb6d19c263ae63f9f0524c4c44",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2020-12-16\n📝 Original message:\nHey Z,\n\nOn Tue, Dec 15, 2020 at 9:21 PM ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e wrote:\n\u003e\n\u003e Good morning LL,\n\u003e\n\u003e\n\u003e \u003e - What do you do if the channel state has HTLCs in flight? I don't know -- I guess you can just put them onto the settlement tx? That way it's possible the payment could still go through. Alternatively you could just gift the money to the party offering the recovery settlement.\n\u003e\n\u003e Gifting the money is not a good option --- we allow HTLCs to be almost as high as the total channel value minus fees and reserve.\n\u003e Thus all the claimable value could potentially be in an outgoing HTLC.\n\u003e Worse, if our node is a forwarding node, it would be easy for a third party to arrange to have our funds in various HTLCs.\n\nHopefully this recovery system is used by people whose channels are in\na HTLC free state 99.9999% of the time (and hopefully hardware\nfailures do not somehow coincide with HTLCs!).\nAs a user, it would be cool to be able to just lock up all my Bitcoin\ninto channels with well-established lightning nodes. That way if fees\ngo ballistic I can still move money around cheaply.\nOne of the main concerns for this pattern of user behaviour is the\nrecovery story I think. The first line of defence for routing nodes\n(people who are taking their role in LN seriously) has to be redundant\ndata storage.\nThis would be a poor last-resort solution for routing nodes.\n\n\u003e Using static-key channels (i.e. channel keys are our node keys) allows us to recover even the outgoing channel with outgoing HTLC that has been forgotten by the outgoing peer.\n\nRight. I think this doesn't work with PTLCs though.\n\n\u003e Using static-key channels does have slightly weaker privacy:\n\u003e\n\u003e * Published nodes reveal all their channels with other published nodes on the blockchain.\n\u003e * While it is true that published nodes already reveal their channels with published nodes, they are currently only revealed on the LN gossip network, which is not archived; historical channels that are now closed are not informed to current surveillors.\n\u003e * On the other hand, all it takes is one \"LN wayback machine\" to record all LN gossip, which are self-attesting and include a signature from the node.\n\u003e * Unpublished nodes risk revealing their channels with published nodes via the blockchain.\n\u003e * Invoices created by unpublished nodes currently reveal their public key.\n\u003e Payers can then uncover all the channels of that node.\n\nI don't think so? You need to know the private key of the node to\ndiscover its channels! The points actually used in the channels would\nbe randomized with shared secret from Diffie-Hellman so are unlinkable\nto the public keys of the two nodes under decisional Diffie-Hellman\nassumption.\n\nThere is more minor but still real concern of \"deniability\" of\nunpublished closed channels if a large node operator later becomes\ncorrupted or coerced by a malicious actor. Since the node operator\nstill knows their secret key (obviously) they can still do a scan\n(same as you would do in recovery) on the whole chain and find any\npast channels they had with any nodes. A mitigation of this problem\nwould be for users who want unpublished channels to turn the\nuse-node-key-as-channel-key feature off for their keys in the channel\nso they would still be able to do a backup-free channel scan but the\nwell-established node would lose the ability to do so. This means that\nafter the channel is closed there would be no way for the large node\nto find the channel again assuming they honestly delete the data.\n\nCheers,\n\nLL",
"sig": "c4e7cab91c07b1396c43c711efbfe4393aa61a16f7a125e1b640aaea51c677675dc9f09a352aa2a6ff61469039c027920cfeeef4e90a045fbd8e8eedb2efc8ea"
}