📅 Original date posted:2021-06-13
📝 Original message:
Hi Z,
Thanks again for getting to the bottom of this. I think we are on the same
page except for one clarification:
On Tue, 8 Jun 2021 at 12:37, ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:
> Thus, in our model, we have the property that Bob can always recover all
> signatures sent by Alice, even if Carol is corrupted by Alice --- we model
> the signature-deletion attack as impossible, by assumption.
> (This is a strengthening of security assumptions, thus a weakening of the
> security of the scheme --- if Bob does not take the above mitigations, Bob
> ***is*** vulnerable to a signature-deletion attack and might have ***all***
> funds in hostage).
>
Only where ***all*** refers to the funds in the fast forward -- funds
consolidated into the channel balance are not at risk (modulo enforcing
correct state on chain).
I think it should be easy to get a stream of signatures so they can't be
deleted. The user "Bob" is creating and sending the invoices so they can
always demand and save the signatures from "Carol the Cashier" that
correspond to each payment so the "deletion attack" will be thwarted.
LL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20210613/fdeacd68/attachment.html>