📅 Original date posted:2018-04-06
📝 Original message:
ZmnSCPxj via Lightning-dev <lightning-dev at lists.linuxfoundation.org>
writes:
> In a retaliation construction, if a party misbehaves, the other party gets the entire amount they are working on together, as disincentive for any party to cheat.
>
> That works for the two-party case A and B. If A cheats, B gets money.
>
> How do you extend that to the three-party case A B C? If A cheats, what happens?
>
> Suppose the correct current state is A=2, B=99, C=3. Suppose A cheats
> and attempts to publish A=102, B=1, C=1. C detects it because B is
> asleep at that time. Does C get to claim the money that A claimed for
> itself, basically 101+1 and thus 102? But the correct state has
> almost all of the money assigned to B instead. Obviously that is
> unjust. Instead C should get to claim only 3 from A (its 3 in the
> final state) in addition to its 1 in the published state, and should
> give the 99 to B. So now B also needs another retaliatory
> construction for the case "A cheated first and C found out and and
> also cheated me", and a separate construction for "A cheated but C was
> honest". And that is separate construction for the case "C cheated
> first and A found out and also cheated me" and a separate construction
> for "C cheated but A was honest".
>
> As should be obvious, it does not scale well with number of
> participants on a single offchain "purse"; it quickly becomes complex
> fast.
The need to identify the misbehaving party and punish just that one
party could be addressed by having pre-committed retaliation
transactions. However this results in a large number of pre-committed
transactions that need to be carried around just for the case that
someone really misbehaves. In addition colluding parties may be able to
punish each other when an cheat attempt seems doomed to fail, which
reduces the cost of the attack. This could also be partially fixed by
pre-committing retaliation transactions that split the misbehaving
party's funds. Overall a very unsatisfactory solution.
> Retaliatory constructions however have the major advantage of not
> imposing limits on the number of updates that are allowed to the
> offchain "purse". Prior to Rusty shachains it was thought to require
> storage linear in the number of updates (which could be pruned once
> the channel/"purse" is brought onchain), but Rusty shachains also
> require O(1) storage on number of updates. Thus retaliatory
> constructions are used for channels.
>
> Note that channel factories, to my understanding, can have the Duplex
> construction near the root of the initial onchain anchor transaction,
> but be terminated in Poon-Dryja retaliatory channels, so that a good
> part of the current LN technology has a good chance of working even
> after channel factories are implemented. This strikes me as a good
> balance: restructuring channels is expected to be much rarer compared
> to updating them normally for normal usage, so each construction plays
> its own strengths: the Decker-Wattenhofer construction which imposes a
> limit on the number of updates, but has no limit on number of
> participants, is used for the rarer. massive "channel restructuring"
> operations, while the Poon-Dryja construction which imposes a
> practical limit on number of particiapnts, but has no limit on number
> of updates, is used for "day-to-day" normal operation.
That's not as bad a tradeoff as people usually interpret, the DMC
construction has parameters that allow tweaking the number of
invalidations, and with parameters similar to LN we can have 1.4 billion
updates. Which is years of operation without need to
re-anchor. In addition penaltyless invalidation has a number of
advantages, for example it doesn't have the state asymmetry inherent in
LN and there is no toxic state information that, when leaked, results in
your funds being claimed through a retaliation. This happened to me btw
last month when I accidentally restored a wallet from backup and
attempted to reconnect.
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:49:44
in reply to nevent1q…jccp
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:49:44Event JSON
{
"id": "649e3548834df8e85300c4cea0da73d1b77cd0f756b00deb42bc68ef202795e1",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686314984,
"kind": 1,
"tags": [
[
"e",
"324bb376a5989cc57735d95d15e241c13cf790cdb1ceb25efbf9b75937c90f61",
"",
"root"
],
[
"e",
"03f9242706ca380b8bb01c6e51123c333b23f376a7fef2582c86648fa58604dc",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2018-04-06\n📝 Original message:\nZmnSCPxj via Lightning-dev \u003clightning-dev at lists.linuxfoundation.org\u003e\nwrites:\n\u003e In a retaliation construction, if a party misbehaves, the other party gets the entire amount they are working on together, as disincentive for any party to cheat.\n\u003e\n\u003e That works for the two-party case A and B. If A cheats, B gets money.\n\u003e\n\u003e How do you extend that to the three-party case A B C? If A cheats, what happens?\n\u003e\n\u003e Suppose the correct current state is A=2, B=99, C=3. Suppose A cheats\n\u003e and attempts to publish A=102, B=1, C=1. C detects it because B is\n\u003e asleep at that time. Does C get to claim the money that A claimed for\n\u003e itself, basically 101+1 and thus 102? But the correct state has\n\u003e almost all of the money assigned to B instead. Obviously that is\n\u003e unjust. Instead C should get to claim only 3 from A (its 3 in the\n\u003e final state) in addition to its 1 in the published state, and should\n\u003e give the 99 to B. So now B also needs another retaliatory\n\u003e construction for the case \"A cheated first and C found out and and\n\u003e also cheated me\", and a separate construction for \"A cheated but C was\n\u003e honest\". And that is separate construction for the case \"C cheated\n\u003e first and A found out and also cheated me\" and a separate construction\n\u003e for \"C cheated but A was honest\".\n\u003e\n\u003e As should be obvious, it does not scale well with number of\n\u003e participants on a single offchain \"purse\"; it quickly becomes complex\n\u003e fast.\n\nThe need to identify the misbehaving party and punish just that one\nparty could be addressed by having pre-committed retaliation\ntransactions. However this results in a large number of pre-committed\ntransactions that need to be carried around just for the case that\nsomeone really misbehaves. In addition colluding parties may be able to\npunish each other when an cheat attempt seems doomed to fail, which\nreduces the cost of the attack. This could also be partially fixed by\npre-committing retaliation transactions that split the misbehaving\nparty's funds. Overall a very unsatisfactory solution.\n\n\u003e Retaliatory constructions however have the major advantage of not\n\u003e imposing limits on the number of updates that are allowed to the\n\u003e offchain \"purse\". Prior to Rusty shachains it was thought to require\n\u003e storage linear in the number of updates (which could be pruned once\n\u003e the channel/\"purse\" is brought onchain), but Rusty shachains also\n\u003e require O(1) storage on number of updates. Thus retaliatory\n\u003e constructions are used for channels.\n\u003e\n\u003e Note that channel factories, to my understanding, can have the Duplex\n\u003e construction near the root of the initial onchain anchor transaction,\n\u003e but be terminated in Poon-Dryja retaliatory channels, so that a good\n\u003e part of the current LN technology has a good chance of working even\n\u003e after channel factories are implemented. This strikes me as a good\n\u003e balance: restructuring channels is expected to be much rarer compared\n\u003e to updating them normally for normal usage, so each construction plays\n\u003e its own strengths: the Decker-Wattenhofer construction which imposes a\n\u003e limit on the number of updates, but has no limit on number of\n\u003e participants, is used for the rarer. massive \"channel restructuring\"\n\u003e operations, while the Poon-Dryja construction which imposes a\n\u003e practical limit on number of particiapnts, but has no limit on number\n\u003e of updates, is used for \"day-to-day\" normal operation.\n\nThat's not as bad a tradeoff as people usually interpret, the DMC\nconstruction has parameters that allow tweaking the number of\ninvalidations, and with parameters similar to LN we can have 1.4 billion\nupdates. Which is years of operation without need to\nre-anchor. In addition penaltyless invalidation has a number of\nadvantages, for example it doesn't have the state asymmetry inherent in\nLN and there is no toxic state information that, when leaked, results in\nyour funds being claimed through a retaliation. This happened to me btw\nlast month when I accidentally restored a wallet from backup and\nattempted to reconnect.\n\nCheers,\nChristian",
"sig": "161edc4711832ec4cbdefaf68c8ca869f1dddf8be6af1170a9f34fb48ecaf94f6d7cb9f447cc6f660976a8c5f011fb76d5272b990aa822b80c9f626feac1c2b1"
}