📅 Original date posted:2020-12-15
📝 Original message:
> It seems difficult to recommend YOLO commitment transactions becoming
the standard way to recover funds. It could be preferable to the current
system but even that is up for debate I guess.
> I feel like I can recommend oblivious settlements because (i) it's covert
(like YOLO commitments txs unlike current system) and (ii) it's "what you
see is what you get" -- you are guaranteed to recover the funds that you
are presented with once you finally trigger the recovery
Off list Dave correctly pointed out to me that this wasn't a very clear
picture of the situation.
After some thought, I came up with these claims that I think I can make
strongly:
1. Before you reveal that you are doing recovery you are guaranteed to have
a tx in hand that:
i. You can broadcast first
ii. You can choose the fee to be as high as you like
iii. Is not replaceable.
2. If the malicious party is *not* willing to risk broadcasting a revoked
tx then you are guaranteed to recover the face value of the transaction(s)
you have in hand.
3. An honest party is never at risk of broadcasting a revoked commitment tx.
4. You never have to reveal that you were doing a recovery i.e. the channel
can continue (strictly preferable to 1)
Current system has: 3
Oblivious mutual close has: 1,2,3
YOLO commitments has: 1,5
So I think the question of YOLO commitments vs oblivious mutual close is
whether paying the price of losing (2,3) is worth the upgrade from (1) to
(5).
The concern with (1) is that once you broadcast to the network the
obliviously transferred "mutual close" transaction, the malicious party
then has a hint that you have lost data and they can try and broadcast a
favourable revoked transaction.
This should be very hard since in (1) you broadcast first, can choose as
large a fee as you like and the tx does not signal replaceability whereas
the revoked tx *will* signal replaceability.
I'm also personally trying to avoid losing (3) because to keep [1]
applicable.
As a side note: in YOLO commitment transactions you have to recover some
additional metadata from the other party -- in particular the compressed
revocation keys that you *should* know otherwise the channel cannot
continue to operate. So a signature on the compressed revocation keys must
be given to the other party before you lose data and returned to you when
you are given the commitment transaction upon reconnection.
This should be easy enough to do though.
[1]
https://github.com/LLFourn/witness-asymmetric-channel#scorched-earth-punishments
On Tue, Dec 15, 2020 at 12:13 AM David A. Harding <dave at dtrt.org> wrote:
> > The idea I'm working with in revocable signature based channels [1] is
> > to make the node lose its static secret key if it posts a revoked
> > commitment tx. This means they could lose ALL funds from ALL their
> > channels with ALL their peers if they ever broadcast a single revoked
> > commitment transaction. This would be a very bad thing to happen while
> > you're trying to recover funds.
>
> Yikes! A very bad thing indeed. I'll have to re-read about witness
> asymmetric channels; I don't think I realized that was a consequence of
> using them.
>
It's an optional feature -- see link[1] above where I just added an
explanation of it.
I actually see no reason why you couldn't apply revocable signatures to
transaction asymmetric channels (LN as it is today) you just have to
overhaul the revocation mechanism.
In general I agree with your points that side-channels may be effective
tools to reveal whether a node has had data loss or not.
I think in both YOLO commitments and oblivious mutual close it is easy
enough to simulate data-loss up to a point to try and catch malicious peers
using side channels.
At least you don't have to ask the peer to broadcast a tx to find out!
Cheers,
LL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201215/7b1e9210/attachment.html>;
Lloyd Fournier [ARCHIVE] /
npub1kh…y05yp
2023-06-09 13:01:44
in reply to nevent1q…r5ln
Author Public Key
npub1khlhcuz0jrjwa0ayznq2q9agg4zvxfvx5x7jljrvwnpfzngrcf0q7y05ypPublished at
2023-06-09 13:01:44Event JSON
{
"id": "e3393ea861cf0ddd054cee918733de36308572a554bb3fff88950491f3e9f833",
"pubkey": "b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e",
"created_at": 1686315704,
"kind": 1,
"tags": [
[
"e",
"e21c86dc6da7e4e7f2c2f49c2f0de867759b86836147a2e16bdbd8dc076c9c48",
"",
"root"
],
[
"e",
"0d39be34c79dc787415877184eda40c65a29517e3ebb8d9e0917efd406c5f144",
"",
"reply"
],
[
"p",
"d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2"
]
],
"content": "📅 Original date posted:2020-12-15\n📝 Original message:\n\u003e It seems difficult to recommend YOLO commitment transactions becoming\nthe standard way to recover funds. It could be preferable to the current\nsystem but even that is up for debate I guess.\n\u003e I feel like I can recommend oblivious settlements because (i) it's covert\n(like YOLO commitments txs unlike current system) and (ii) it's \"what you\nsee is what you get\" -- you are guaranteed to recover the funds that you\nare presented with once you finally trigger the recovery\n\nOff list Dave correctly pointed out to me that this wasn't a very clear\npicture of the situation.\nAfter some thought, I came up with these claims that I think I can make\nstrongly:\n\n1. Before you reveal that you are doing recovery you are guaranteed to have\na tx in hand that:\n i. You can broadcast first\n ii. You can choose the fee to be as high as you like\n iii. Is not replaceable.\n2. If the malicious party is *not* willing to risk broadcasting a revoked\ntx then you are guaranteed to recover the face value of the transaction(s)\nyou have in hand.\n3. An honest party is never at risk of broadcasting a revoked commitment tx.\n4. You never have to reveal that you were doing a recovery i.e. the channel\ncan continue (strictly preferable to 1)\n\nCurrent system has: 3\nOblivious mutual close has: 1,2,3\nYOLO commitments has: 1,5\n\nSo I think the question of YOLO commitments vs oblivious mutual close is\nwhether paying the price of losing (2,3) is worth the upgrade from (1) to\n(5).\nThe concern with (1) is that once you broadcast to the network the\nobliviously transferred \"mutual close\" transaction, the malicious party\nthen has a hint that you have lost data and they can try and broadcast a\nfavourable revoked transaction.\nThis should be very hard since in (1) you broadcast first, can choose as\nlarge a fee as you like and the tx does not signal replaceability whereas\nthe revoked tx *will* signal replaceability.\nI'm also personally trying to avoid losing (3) because to keep [1]\napplicable.\n\nAs a side note: in YOLO commitment transactions you have to recover some\nadditional metadata from the other party -- in particular the compressed\nrevocation keys that you *should* know otherwise the channel cannot\ncontinue to operate. So a signature on the compressed revocation keys must\nbe given to the other party before you lose data and returned to you when\nyou are given the commitment transaction upon reconnection.\nThis should be easy enough to do though.\n\n[1]\nhttps://github.com/LLFourn/witness-asymmetric-channel#scorched-earth-punishments\n\nOn Tue, Dec 15, 2020 at 12:13 AM David A. Harding \u003cdave at dtrt.org\u003e wrote:\n\n\u003e \u003e The idea I'm working with in revocable signature based channels [1] is\n\u003e \u003e to make the node lose its static secret key if it posts a revoked\n\u003e \u003e commitment tx. This means they could lose ALL funds from ALL their\n\u003e \u003e channels with ALL their peers if they ever broadcast a single revoked\n\u003e \u003e commitment transaction. This would be a very bad thing to happen while\n\u003e \u003e you're trying to recover funds.\n\u003e\n\u003e Yikes! A very bad thing indeed. I'll have to re-read about witness\n\u003e asymmetric channels; I don't think I realized that was a consequence of\n\u003e using them.\n\u003e\n\nIt's an optional feature -- see link[1] above where I just added an\nexplanation of it.\nI actually see no reason why you couldn't apply revocable signatures to\ntransaction asymmetric channels (LN as it is today) you just have to\noverhaul the revocation mechanism.\n\nIn general I agree with your points that side-channels may be effective\ntools to reveal whether a node has had data loss or not.\nI think in both YOLO commitments and oblivious mutual close it is easy\nenough to simulate data-loss up to a point to try and catch malicious peers\nusing side channels.\nAt least you don't have to ask the peer to broadcast a tx to find out!\n\nCheers,\n\nLL\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201215/7b1e9210/attachment.html\u003e",
"sig": "8f97d505f9528e78ae34332b5892df5eb5508480fa31862671a1f3ff15eb7ded8b174b1329bcc42d37ba800ab1fcdb96a24f3174706ee2d45200c92cf8c78634"
}