📅 Original date posted:2015-10-16
📝 Original message:
Mats Jerratsch <matsjj at gmail.com> writes:
> So being done with encryption and authentication, the next layer for
> me now is to figure out how exactly nodes will broadcast their
> existence and open channels and everything.
Hi Mats,
Thanks for bringing this on-list!
> (2)
> As long as the malleability issue has not been fixed, the blockchain
> can only used with additional techniques to obtain a map of the
> channels from it. As the anchor transactions are P2SH, we need to
> expose the script, such that others are able to verify we at least
> have an anchor tx on the blockchain (associated with costs after all).
This makes some sense (though the anchor transactions don't need to be
P2SH, it's nicer for bitcoin's UTXO if they are).
> For the current form it would be enough to have
> SecretAHash || KeyB' || KeyB || KeyA || TxID || SignatureB (L=231B)
> with KeyB being the node pubkey (lots of key reusage...)
> or
> SecretAHash || KeyB' || KeyB || KeyA || TxID || nodePubKey ||
> SignatureB (L=264B) with KeyB as a channel key that does not need to
> be equal with the nodePubKey.
Yes, I think avoiding key reuse is good. So, to be clear, the anchor TX
output looks like:
P2SH (2 KEYA KEYB 2 OP_CHECKMULTISIG)
To prove we control KEYA, we simply need to sign something with it (our
nodePubKey):
KEYA NODE-PUBKEY TXID SIGNATURE
I think we can do slightly better with Schnorr signatures (which you can
simply do multisig by addition, if I understand correctly) where both
parties cooperate to form:
KEYA KEYB NODE-PUBKEYA NODE-PUBKEYB TXID DUAL-SIGNATURE
That's 33+33+33+33+32+64 = 228 bytes per channel.
Later on, we can send SPV proofs for TXID.
> This is information everyone should store in case a new node joins a
> network, similar to the blockchain. New nodes can then check against
> the blockchain, whether this data is actually present there. An
> attacker can fake a complete network together with lots of
> transactions on the blockchain, but the incentive is low (vandalism)
> and the costs are high. For 100k nodes and 10 open channels per node,
> this adds up to 220MB. Not too bad, considering full nodes are highly
> incentivised to run full bitcoin nodes as well, it is actually rather
> negligible. This information is pretty static, however we want
> everyone to have a decently consistent view of the network, so we
> would probably do some rebroadcast of that every few days, just to
> ensure everyone knows about it.
Also, once a node is live, I'm not sure how much of the map it will need
to keep. It might be able to prune distant parts of the map randomly,
and get it back from the rest of the network if needed? Requires more
thought, though.
> As I'm implementing broadcast messages anyways for other purposes (see
> other ML post), I tent to like (2) the most, it is the most expensive
> to attack as well I think.
I agree. Least on-chain spam.
Thanks!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:44:47
in reply to nevent1q…mmlf
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:44:47Event JSON
{
"id": "25d2b9c4972bb4a16ce3a272fde5c35d9ca183ae47b260c0ba60ddb9aabeb2a3",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314687,
"kind": 1,
"tags": [
[
"e",
"a852f7164f575698e067e8fc679f5003dd9087247fc7ef7f6067ab966288eef1",
"",
"root"
],
[
"e",
"eb614f9eaf2fdf6e3dbea33aecfd27dbccaed8a6d74c0cc93103aad8aaa821f2",
"",
"reply"
],
[
"p",
"b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528"
]
],
"content": "📅 Original date posted:2015-10-16\n📝 Original message:\nMats Jerratsch \u003cmatsjj at gmail.com\u003e writes:\n\u003e So being done with encryption and authentication, the next layer for\n\u003e me now is to figure out how exactly nodes will broadcast their\n\u003e existence and open channels and everything.\n\nHi Mats,\n\n Thanks for bringing this on-list!\n\n\u003e (2)\n\u003e As long as the malleability issue has not been fixed, the blockchain\n\u003e can only used with additional techniques to obtain a map of the\n\u003e channels from it. As the anchor transactions are P2SH, we need to\n\u003e expose the script, such that others are able to verify we at least\n\u003e have an anchor tx on the blockchain (associated with costs after all).\n\nThis makes some sense (though the anchor transactions don't need to be\nP2SH, it's nicer for bitcoin's UTXO if they are).\n\n\u003e For the current form it would be enough to have\n\u003e SecretAHash || KeyB' || KeyB || KeyA || TxID || SignatureB (L=231B)\n\u003e with KeyB being the node pubkey (lots of key reusage...)\n\u003e or\n\u003e SecretAHash || KeyB' || KeyB || KeyA || TxID || nodePubKey ||\n\u003e SignatureB (L=264B) with KeyB as a channel key that does not need to\n\u003e be equal with the nodePubKey.\n\nYes, I think avoiding key reuse is good. So, to be clear, the anchor TX\noutput looks like:\n\n P2SH (2 KEYA KEYB 2 OP_CHECKMULTISIG)\n\nTo prove we control KEYA, we simply need to sign something with it (our\nnodePubKey):\n\n KEYA NODE-PUBKEY TXID SIGNATURE\n\nI think we can do slightly better with Schnorr signatures (which you can\nsimply do multisig by addition, if I understand correctly) where both\nparties cooperate to form:\n\n KEYA KEYB NODE-PUBKEYA NODE-PUBKEYB TXID DUAL-SIGNATURE\n\nThat's 33+33+33+33+32+64 = 228 bytes per channel.\n\nLater on, we can send SPV proofs for TXID.\n\n\u003e This is information everyone should store in case a new node joins a\n\u003e network, similar to the blockchain. New nodes can then check against\n\u003e the blockchain, whether this data is actually present there. An\n\u003e attacker can fake a complete network together with lots of\n\u003e transactions on the blockchain, but the incentive is low (vandalism)\n\u003e and the costs are high. For 100k nodes and 10 open channels per node,\n\u003e this adds up to 220MB. Not too bad, considering full nodes are highly\n\u003e incentivised to run full bitcoin nodes as well, it is actually rather\n\u003e negligible. This information is pretty static, however we want\n\u003e everyone to have a decently consistent view of the network, so we\n\u003e would probably do some rebroadcast of that every few days, just to\n\u003e ensure everyone knows about it.\n\nAlso, once a node is live, I'm not sure how much of the map it will need\nto keep. It might be able to prune distant parts of the map randomly,\nand get it back from the rest of the network if needed? Requires more\nthought, though.\n\n\u003e As I'm implementing broadcast messages anyways for other purposes (see\n\u003e other ML post), I tent to like (2) the most, it is the most expensive\n\u003e to attack as well I think.\n\nI agree. Least on-chain spam.\n\nThanks!\nRusty.",
"sig": "14aef24c2d244cc2980dc733bc0cf5f8331f5930bad54a70c54bc07f09af88c98d949703e74add843d39e1d35a03e1f2e40575c3dab35c19e790296ee5a4311a"
}