Nostr notes by Nadav Kohen [ARCHIVE]

📅 Original date posted:2020-04-23 📝 Original message: Hi ...

2023-06-09T12:59:53Z

In reply to nevent1q…twsk
_________________________

📅 Original date posted:2020-04-23
📝 Original message:
Hi Laolu,

Thanks for the response :)

I agree that some more framing probably would have been good to have in my
update.

First, I want to clarify that my intention is not to implement a PTLC-based
lightning network on top of ECDSA adaptor signatures, as I do believe that
using Schnorr will be superior, but rather I wish to get some PoC sandbox
with which to start implementing and testing out the long list of currently
theoretical proposals surrounding PTLCs, most of which are implementation
agnostic (to a degree anyway). I think it would be super beneficial to have
more fleshed out with respect to what some challenges of a Payment Point LN
are going to be than we understand now, before Schnorr is implemented and
it is time to commit to some PTLC scheme for real.

Second, I agree that I've probably understated somewhat the changes that
will be needed in most implementations as I was mostly thinking about what
would need to change in the BOLTs, which does actually seem relatively
minimal (although as you mention, these minimal changes to the BOLTs do
trigger large changes in many implementations). Also, good point on how
BOLT 11 (invoicing) will have to be altered as well, must've slipped my
mind.

Best,
Nadav

On Wed, Apr 22, 2020 at 8:17 PM Olaoluwa Osuntokun <laolu32 at gmail.com>
wrote:

> Hi Nadav,
>
> Thanks for the updates! Super cool to see this concept continue to evolve
> and integrate new technologies as they pop up.
>
> > I believe this would only require a few changes to existing nodes:
>
> Rather than a "few changes", this would to date be the largest
> network-level
> update undertaken to the Lightning Network thus far. In the past, we rolled
> out the new onion blob format (which enables changes like this), but none
> of
> the intermediate nodes actually need to modify their behavior. New payment
> types like MPP+AMP only needed the _end points_ to update making this an
> end-to-end update that has been rolled out so far in a de-synchronized
> manner.
>
> Re-phrasing deploying this requires changes to: the core channel state
> machine (the protocol we use to make commitment updates), HTLC scripts,
> on-chain HTLC handling and resolution, path finding algorithms (to only see
> out the new PTLC-enabled nodes), invoice changes and onion blob processing.
> I'd caution against underestimating how long all of this will take in
> practice, and the degree of synchronization required to pull it all off
> properly.
>
> For a few years now the question we've all been pondering is: do we wait
> for
> scnhorr to roll out multi-hop locks, or just use the latest ECDSA based
> technique? As dual deployment is compatible (we can make the onion blobs
> for
> both types the same), a path has always existed to first roll out with the
> latest ECDSA based technique then follow up later to roll out the schnorr
> version as well. However there's also a risk here as depending on how
> quickly things can be rolled out, schnorr may become available
> mid-development, which would possibly cause us to reconsider the ECDSA path
> and have the network purely use scnhorr to make things nice and uniform.
>
> Zooming out for a bit, the solution space of "how channels can look post
> scriptless-scripts + taproot" is rather large [1], and the addition of this
> new technique allows for an even larger set of deployment possibilities.
> This latest ECDSA variant is much simpler than the prior ones (which had a
> few rounds of more involved ZKPs), but since it still uses OP_CMS, it can't
> be used to modify the funding output.
>
> [1]:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-December/002375.html
>
> -- Laolu
>
>
> On Wed, Apr 22, 2020 at 8:13 AM Nadav Kohen <nadav at suredbits.com> wrote:
>
>> Hello all,
>>
>> I'd like to give an update on the current state of thinking and coding
>> surrounding replacing Hash-TimeLock Contracts (HTLCs) with Point-TimeLock
>> Contracts (PTLCs) (aka Payment Hashes -> Payment Points) in hopes of
>> sparking interest, discussion, development, etc.
>>
>>
>> We Want Payment Points!
>> -----------------------
>>
>> Using point-locks (in PTLCs) instead of hash-locks (in HTLCs) for
>> lightning payments is an all around improvement. HTLCs require the use of
>> the same hash across payment routes (barring fancy ZKPs which are inferior
>> to PTLCs) while PTLCs allow for payment de-correlation along routes. For an
>> introduction to the topic, see
>> https://suredbits.com/payment-points-part-1/.
>>
>> In addition to improving privacy in this way and protecting against
>> wormhole attacks, PTLC-based lightning channels open the door to a large
>> variety of interesting applications that cannot be accomplished with HTLCs:
>>
>> Stuckless (retry-able) Payments with proof of payment (
>> https://suredbits.com/payment-points-part-2-stuckless-payments/)
>>
>> Escrow contracts over Lightning (
>> https://suredbits.com/payment-points-part-3-escrow-contracts/)
>>
>> High/DLOG AMP (
>> https://docs.google.com/presentation/d/15l4h2_zEY4zXC6n1NqsImcjgA0fovl_lkgkKu1O3QT0/edit#slide=id.g64c15419e7_0_40
>> )
>>
>> Stuckless + AMP (an improvement on Boomerang) (
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002239.html
>> )
>>
>> Pay-for-signature (
>> https://suredbits.com/payment-points-part-4-selling-signatures/)
>>
>> Pay-for-commitment (
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002166.html
>> )
>>
>> Monotonic access structures on payment completion (
>> https://suredbits.com/payment-points-monotone-access-structures/)
>>
>> Ideal Barrier Escrow Implementation (
>> https://suredbits.com/payment-points-implementing-barrier-escrows/)
>>
>> And allowing for Barrier Escrows, we can even have
>>
>> Atomic multi-payment setup (
>> https://suredbits.com/payment-points-and-barrier-escrows/)
>>
>> Lightning Discreet Log Contract (
>> https://suredbits.com/discreet-log-contracts-on-lightning-network/)
>>
>> Atomic multi-payment update (
>> https://suredbits.com/updating-and-transferring-lightning-payments/)
>>
>> Lightning Discreet Log Contract Novation/Transfer (
>> https://suredbits.com/transferring-lightning-dlcs/)
>>
>> There are likely even more things that can be done with Payment Points so
>> make sure to respond if I've missed any known ones.
>>
>>
>> How Do We Get Payment Points?
>> -----------------------------
>>
>> Eventually, once we have Taproot, we can use 2p-Schnorr adaptor
>> signatures in Lightning channels. For a detailed thread by ZmnSCPxj, see
>> here
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-December/002375.html
>>
>> In the meantime, Lloyd has written about a way to do 1p-ECDSA adaptor
>> sigs (https://github.com/LLFourn/one-time-VES) which can be paired with
>> OP_CHECKMULTISIG to allows us to execute PTLCs on Bitcoin today!
>>
>> Nickler has implemented this in a branch of secp256k1 (
>> https://github.com/jonasnick/secp256k1/pull/14) and I have implemented
>> it in Bouncy Castle in Bitcoin-S with some testing against this branch (
>> https://github.com/nkohen/bitcoin-s-core/tree/bouncy-adaptor). Do note
>> that as nickler states on his PR, "IT IS EXTREMELY DANGEROUS AND RECKLESS
>> TO USE THIS MODULE IN PRODUCTION. DON'T!"
>>
>> A demo of an on-chain PTLC I executed using nickler's implementation on
>> the backend + bitcoin-s can be seen here https://youtu.be/w9o4v7Idjno
>>
>> And waxwing did a lovely write-up about the crypto itself
>> https://joinmarket.me/blog/blog/schnorrless-scriptless-scripts/
>>
>> I would be very interested in having a fork of (at least) one lightning
>> implementation (or Rust Lightning) to be a proof of concept ECDSA-PTLC node
>> with which we can test and play with the plethora of PTLC-based proposals
>> above.
>>
>> I believe this would only require a few changes to existing nodes:
>>
>> 1) update_add_ptlc will have a 32 byte x-coordinate (of a point) rather
>> than a 32 byte hash. Additionally the onion's hop_data will contain a 32
>> byte scalar tweak for each hop. As per [link multi-hop locks]. The last
>> hop_data will instead include a 32 byte scalar equal to the sum of all
>> tweaks.
>>
>> 2) commitment_signed will have 162 byte adaptor ptlc_signatures rather
>> than valid (71/72 byte) ECDSA signatures on PTLC-success transactions.
>>
>> 3) The in-flight outputs on the commitment transaction itself become a
>> little simpler as we no longer need to explicitly check the payment
>> pre-image against a hash. Instead, delete all instances of "OP_HASH160
>> <RIPEMD160(payment_hash)> OP_EQUALVERIFY" in the scripts (leaving the rest
>> the same) and require no pre-image in the witness, only a valid signature.
>> The pre-image check is implicitly enforced by the <remoteptlc_sig> witness
>> since only an adaptor signature was provided by remote so that the payment
>> pre-image is required to create the valid signature (from which the
>> pre-image can be then deduced by comparing adaptor and valid signatures).
>>
>> If I've missed any other changes that need to happen, do respond with
>> them!
>>
>> I hope that as a community we can work towards having a PTLC-based
>> Lightning Network that is safe and stable as soon as possible, and so I
>> encourage further thinking, development and expirementation with PTLCs now
>> so that when Taproot is finally at our disposal we can cleanly start moving
>> towards a more ideal Lightning :)
>>
>> Best,
>> Nadav
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20200423/a75c29ad/attachment-0001.html>;

📅 Original date posted:2020-04-02 📝 Original message: Good ...

2023-06-09T12:59:23Z

In reply to nevent1q…ll4m
_________________________

📅 Original date posted:2020-04-02
📝 Original message:
Good morning ZmnSCPxj,

> The consideration is that much of the cost of a channel is with the setup
and teardown --- E could always just reopen the CE channel again later.
> Thus, the cost that E bears in setting up EE and tearing down EE would be
still similar to the cost of losing CE and reestablishing it again.
> Further, any amount it places in the EE channel would be an amount it
could have been using as liquidity on Lightning, but which it cannot use
for forwarding (because it is a channel to nowhere).
> Ultimately, proof-of-closure is an economic mechanism, not an
information-theoretic one.

Okay, I see what you mean now but I'm still a bit worried due to the
following: although it is true that the same nominal penalty is incurred,
the real economic value for the attacker in channel E-E' is significantly
less than that in A-E, which can be used for routing. As such, a rich
attacker who wishes to crowd out their competition might occasionally open
channels with themselves equal to the value needed to lock up a
competitor's channels, then do such a payment to themselves (with a high
"hard" locktime) and close their temporary channel, but still hold their
competitor's funds hostage, and still have enough liquidity in the channels
they didn't have to close in order to facilitate all routing that was done
by their competitor. Furthermore this route (for self-payment) could attack
multiple competitors at the same time (likely leaving some funds to all but
the least liquid competitor).

I could be missing something, but it seems to me like the proposal to close
channels after a soft timeout unless non-cooperation can be proven upstream
adds a cost to the attacker of two on-chain transactions, which they can
immediately revoke (as they know both pieces to the revocation priv key),
but still allows very long lock-ups of other's funds (with a 10x multiplier
if they choose a long route). I do think that this is certainly an
improvement on what we have now but I'm not sure it properly punishes the
attacker in its current form.

> Since this is a proof-of-***closure***, this is indeed an actual closing
of the channel.

Ah I see, I was misunderstanding a couple things, but I get it now, makes
sense :)

Best,
Nadav

On Wed, Apr 1, 2020 at 7:43 PM ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:

> Good morning Nadav,
>
>
> > Love the idea! I have a couple questions though:
> >
> > I'm not convinced that "Purely Falsified Proof-Of-Closure" aren't
> effective. Consider a similar network to the one you described where we
> have channels A - B - C and A - E - C but where we add a "fake" channel E -
> E'. Now if the attacker sets up a payment from E to E' using the route E -
> C - B - A - E - E', then the attacker can successfully lock up all of B's
> channels (as is desirable to get rid of competition) and also generate a
> false proof of closure for the E - E' channel. Even if this false proof
> (which is a commitment tx) ends up being published on chain, E has lost no
> ability to route and has successfully made B unable to route between A and
> C. If my understanding of the proposal is correct, and it may not be, then
> the punishment for grieving payments is the threat of closing channels that
> would benefit from the grieving attack. But adding a new channel on the end
> to be closed seems to invalidate this punishment?
>
> The consideration is that much of the cost of a channel is with the setup
> and teardown --- E could always just reopen the CE channel again later.
> Thus, the cost that E bears in setting up EE and tearing down EE would be
> still similar to the cost of losing CE and reestablishing it again.
> Further, any amount it places in the EE channel would be an amount it
> could have been using as liquidity on Lightning, but which it cannot use
> for forwarding (because it is a channel to nowhere).
> Ultimately, proof-of-closure is an economic mechanism, not an
> information-theoretic one.
>
> So the mere existence of EE, to be later sacrificed, is enough punishment
> on E.
> I think.
>
> >
> > A second question I have is if you think that it would be advisable to
> use up-front payments (pay for attempt, not just success) on payments with
> abnormally high soft timeouts? If all this works, this combination seems to
> be a way to enable hodl invoices under the proof of closure proposal.
>
> Possibly, though this increases the complexity of the proposal even more.
>
> >I just thought of a potentially more serious problem, at least for
> Poon-Dryja channels, isn't it true that giving a proof of closure is
> equivalent to actually closing the channel since once other parties have
> copies of the fully signed commitment transaction, it cannot be safely
> revoked since other parties now have the ability to publish an old state? I
> might be missing something but this seems like a big problem.
>
> Since this is a proof-of-***closure***, this is indeed an actual closing
> of the channel.
> It would not be proof-of-closure if the channel was not being closed, but
> proof-of-something-else.
>
> What is desired is simply that C can plausibly say "I punished somebody
> else by closing on them, please do not punish me for punishing them".
>
> Regards,
> ZmnSCPxj
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20200402/b6b6749a/attachment.html>;

📅 Original date posted:2020-04-01 📝 Original message: Hi ...

2023-06-09T12:59:21Z

In reply to nevent1q…zgku
_________________________

📅 Original date posted:2020-04-01
📝 Original message:
Hi ZmnSCPxj and list,

Love the idea! I have a couple questions though:

I'm not convinced that "Purely Falsified Proof-Of-Closure" aren't
effective. Consider a similar network to the one you described where we
have channels A - B - C and A - E - C but where we add a "fake" channel E -
E'. Now if the attacker sets up a payment from E to E' using the route E -
C - B - A - E - E', then the attacker can successfully lock up all of B's
channels (as is desirable to get rid of competition) and also generate a
false proof of closure for the E - E' channel. Even if this false proof
(which is a commitment tx) ends up being published on chain, E has lost no
ability to route and has successfully made B unable to route between A and
C. If my understanding of the proposal is correct, and it may not be, then
the punishment for grieving payments is the threat of closing channels that
would benefit from the grieving attack. But adding a new channel on the end
to be closed seems to invalidate this punishment?

A second question I have is if you think that it would be advisable to use
up-front payments (pay for attempt, not just success) on payments with
abnormally high soft timeouts? If all this works, this combination seems to
be a way to enable hodl invoices under the proof of closure proposal.

Best,
Nadav

On Wed, Apr 1, 2020 at 1:19 AM ZmnSCPxj via Lightning-dev <
lightning-dev at lists.linuxfoundation.org> wrote:

> Introduction
> ============
>
> Given the fact that contracts on offchain protocols need to be enforceable
> onchain as well, timelocks involved in multi-hop payments are measured in
> blocks.
> This is because the blockchain can only (third-party-verifiably) enforce
> timeouts in units of entire blocks.
> This leads to very long timeouts for payment delivery, thus multi-hop
> offchain payment attempts can be, deliberately or accidentally, be in a
> "pending" state up to the very large timeouts involved.
>
> Deliberately setting up a multi-hop payment such that it will be in a
> "pending" state for long periods of time is colloquially known as a
> "griefing attack".
> In this article, we assess various proposed solutions to mitigate the
> effects of griefing attacks, and propose a particular solution,
> proof-of-closure, as well, that requires significant changes to the update
> state machine.
>
> Digression: Why Grief?
> ======================
>
> Before embarking on our investigation for solutions to the griefing
> problem, we should first wonder if griefing is, in fact, a problem.
>
> This brings up the question of: why would anybody grief at all?
>
> Humans, like cats and other less-sapient pieces of walking meat, often
> find enjoyment in causing the suffering of others for no immediate direct
> gain to themselves, as a public demonstration of dominance over those they
> make suffer (aka "shits and giggles", which, if executed correctly, can
> lead to eventual direct gains to themselves or their progeny or relatives
> or allies, but such details are often outside the ken of the very beings
> who execute such survival strategies: brains are pieces of meat that have
> been hacked to act as action-reaction engines, but are not sophisticated
> enough to execute as pure rationality engines at all times).
> Fortunately, in the Bitcoin world, only purely rational beings of pure
> selfishness can exist in the long run, thus we can neglect such motivations
> as mere noise.
>
> First, let us investigate *how* griefing attacks can be performed.
>
> * An intermediate node in a multi-hop attempt can delay forwarding or
> failing an incoming HTLC.
> * A final node in a payment attempt can delay claiming an incoming HTLC.
>
> Let us consider a purely rational intermediate node of pure selfishness:
>
> * If it forwards as soon as possible, it can earn fees, and also speed up
> the release of the HTLC-locked funds so that they can reuse those funds as
> liquidity for further payment attempts.
> * Thus, delaying an HTLC is not selfishly-rational for an intermediate
> node.
>
> Thus, for an intermediate node, it seems there is no selfishly-rational
> motivation to execute a griefing attack on an arbitrary payment attempt.
> We can then conclude that an intermediate that delays a payment would do
> so, not of its own rational self-interest, but as an accident, such as an
> unforeseen connectivity or power failure.
>
> However, things are different when we consider a non-arbitrary payment.
> Suppose a node were to make a payment attempt to itself, and deliberately
> delay claiming this self-payment.
> This lets any single node, *who happens to own large liquidity*, to lock
> up the liquidity of other nodes.
>
> The motivation to lock up the liquidity of other nodes is to *eliminate
> competition*.
> Suppose we have a network as below:
>
> A -- B -- C
> \ /
> \ /
> \ /
> E
>
> When A and C want to transact with one another, they may choose to route
> via either B or E.
> B and E are therefore competitors in the business of forwarding payments.
>
> But suppose E has much larger channels AE and CE than the channels of AB
> and CB.
> For example, suppose E has 100mBTC perfectly-balanced channels while B has
> only 10mBTC perfectly-balanced channels, as all things should be in
> simplified models of reality.
> E can then "take out the competition" by making a 5mBTC self-payment along
> E->A->B->C->E and a 5mBTC self-payment along E->C->B->A->E, then refusing
> to claim the payment, tying up all the liquidity of the channels of B.
> By doing so, it can ensure that A and C will always fail to pay via B,
> even if they wish to transact in amounts less than 5mBTC.
> E thereby eliminates B as a competitor.
>
> This demonstrates that griefing attacks will be motivated, such that such
> attacks will be performed by payers and payees *against intermediate nodes*.
> Intermediate nodes have no motivation to attack payers and payees (those
> are their potential customers in the business of forwarding payments, and
> attacking potential customers is bad business: such attacking intermediate
> nodes will be removed economically in the long run).
> However, payers and payees can become motivated to attack intermediate
> nodes, if the "payer" and "payee" are actually competitor intermediate
> nodes.
>
> (We can observe that this is always a possibility even outside of
> Lightning: a service or product provider has no incentive to attack its
> customers ("the customer is always right"), but have an incentive to
> *pretend* to be a customer of a competitor and attack them.)
>
> We will keep this fact in mind: active griefing attacks are attacks *on*
> intermediate nodes, not *by* intermediate nodes, because there is no
> economic incentive for intermediate nodes to attack their customers.
>
> Previous Proposed Solutions
> ===========================
>
> Time-Spent Reporting
> --------------------
>
> At each channel along the route, the time spent by a node to handle its
> forwarding is recorded, and reported upstream in the route.
>
> Unfortunately, this solution protects payers from intermediate nodes and
> payees: it does not protect intermediate nodes from colluding payers and
> payees.
> Even if an intermediate node knows that a particular node is consistently
> slow via a previous time-spent report, it will not be able, with our
> current onion routing, determine if an onion packet it just received will
> or will not go through the known-slow node.
> Thus, an intermediate node would not be able to defend against distant
> payees that, with a colluding payer, will not claim a particular payment.
>
> As we have established, an active griefing atttack will never be
> deliberately performed by a selfishly-rational intermediate node.
> Thus, this solution protects against the wrong thing: it protects payers
> against slow/unreliable intermediate nodes, it does not protect
> intermediate nodes against malicious payer/payee collusions.
> It protects only against intermediate nodes that inadvertently go offline
> during forwarding, but such nodes will inevitably lose out on the
> forwarding market anyway, and will disappear in the long run.
>
> Up-Front Payment
> ----------------
>
> Payers pay for an attempt, not just the successful completion of an
> attempt.
>
> A variation on this is that the payer (or payee) continuously pays as long
> as the payment is pending.
> Further variations include paying by other means, such as just locking
> funds or paying with proof-of-work.
>
> While it certainly erects economic barriers against payer/payee collusions
> attacking intermediate nodes, it *also* erects economic barriers against
> normal, non-malicious payments.
>
> We can consider that economic barriers against non-malicious, low-value,
> high-frequency payments ("micropayments") may be enough that such payments
> become infeasible if we impose up-front payment for mere attempts.
> Thus, while this solution is certainly something we can consider, we must
> be reluctant to use it due to its up-front, strict-evaluation behavior.
>
> Proof-Of-Closure
> ================
>
> Observing the above, we want the properties for a "good" solution to
> griefing attacks to be:
>
> * It should protect intermediate nodes against payer/payee collusions.
> * It should only come into play upon detection of an attack.
>
> We now present proof-of-closure, which (we hope) has the above properties.
>
> We can consider instead a softer timeout, distinct from the HTLC
> block-based timeout.
> This softer timeout is measurable in fractions of a second, e.g. units of
> 0.1 seconds.
>
> Each node on the network advertises, in addition to a block-based
> `cltv_delta`, a `timeout_delta` in units of 0.1 seconds.
> Further, each invoice contains, in addition to a block-based `final_cltv`,
> a `final_timeout` in units of 0.1 seconds.
>
> Thus, there are two timeouts:
>
> * The current "hard" block-based timeout that is enforceable onchain.
> * A new "soft" sidereal-time-based timeout that is not onchain enforceable.
>
> The soft timeout, as mentioned, is not enforceable onchain.
> Instead, enforcement of the soft timeout *is* the act of putting the
> channel state onchain.
>
> Now, for the current "hard" block-based timeout, we already have a
> reaction.
> If the HTLC "hard" timeout is approaching:
>
> * Drop the channel onchain and enforce the hard timeout onchain to reclaim
> the funds in the HTLCs.
> * Wait for the onchain action to be deeply resolved (either timelock or
> hashlock branch is confirmed deeply) and report the result (success or
> fail) upstream.
>
> What happens if the "soft" timeout is violated?
>
> * Drop the channel onchain.
> * Report the channel closure upstream.
>
> The "hard" timeout is cancelled in any of these two conditions:
>
> * A success is reported via `update_fulfill_htlc`, OR,
> * A failure is reported via `update_fail_htlc` AND the HTLC is irrevocably
> removed from the latest commitments/state(s) of the channel.
>
> The "soft" timeout is cancelled in any of these three conditions, the
> first two of which are the same as above:
>
> * A success is reported via `update_fulfill_htlc`, OR,
> * A failure is reported via `update_fail_htlc` AND the HTLC is irrevocably
> removed from the latest commitments/state(s) of the channel, OR
> * A channel closure is reported.
>
> Let us fill this in more detail.
>
> Suppose we have a payment route A->B->C->E.
>
> Both the "hard" block timeouts and the "soft" second timeouts decrement
> monotonically at each hop.
> Thus, the payee E has the shortest "hard" and "soft" timeouts (as normal).
>
> * Suppose E then delays claiming the payment and violates the "soft"
> timeout.
> * C then drops the CE channel onchain.
> * C reports, before its own timeout (slightly larger than the timeout
> imposed on E), the closing of the channel CE, to B.
> * B validates this report, and if valid, propagates the report to A.
> * A validates this report, and if valid, accepts that the payment will be
> "stuck" for up to the hard timeout it imposed on B.
>
> C has to report back to B in order to prevent B from closing the BC
> channel, and B has to report back to A in order to prevent A from closing
> the AB channel.
> The decrementing seconds-unit timeouts are needed for each hop, for the
> same reason that decrementing block-unit timeouts are needed.
>
> Since E is motivated to attack intermediate nodes because it wants to
> redirect payment forwards through itself rather than its competitotrs,
> having one of its channels closed (which prevents it from being used for
> forwarding) is directly opposed to its end goal of getting more money,
> thus, we can believe the action of closing a channel involved in a griefing
> attack is sufficient disincentive.
>
> The major drawback is that enforcement of the soft timeout *is* a channel
> closure, which is generally a negative for the network.
> This is not a remote attack vector, since a node can only trigger this
> closure if it is able to stall the fulfillment or failure of an HTLC on a
> channel, which generally means the node triggering this closure can only do
> so for its own channels (or it is able to, via a separate mechanism,
> remotely crash a different node).
>
> Proving Channel Closes
> ----------------------
>
> What C *really* needs to prove is that:
>
> * It is *willing* to close a channel due to a violation of the soft
> timeout.
> * The channel it is willing to close was, in fact, involved in the same
> payment attempt.
>
> With the above, B can believe that C was innocent of wrongdoing, because:
>
> * C would only be wiling to close a channel in case of a protocol
> violation, in this case, a violation of the soft timeout.
> * The channel it closed was closed because of this payment attempt, and
> not because of another payment attempt, or some other unrelated channel
> being unilaterally closed.
>
> First, what C needs to prove is *NOT*, in fact, actual channel closure: it
> needs to prove a *willingness* to close a channel.
> Thus, it does not require the channel to actually be *closed* yet, i.e. it
> does not have to wait for onchain activity that the channel closure is in a
> mempool and is confirmed deeply onchain etc etc.
>
> Thus, to prove a *willingness to close* rather than an actual close, C can
> provide the unilateral close of the channel CE.
> The act of unilaterally closing a channel is the publication of the
> transaction(s) making up the unilateral close.
> Thus, if C is *willing* to close the channel, it is willing to publish the
> transaction(s) involved, and thus, providing the unilateral close to B and
> further upstream, shows a willingness to close the channel.
>
> B then validates the provided proof-of-closure by checking that the
> unilateral close transaction is either onchain, in the mempool, or that it
> spends a TXO that is not currently spent by another transaction.
> In the case the unilateral close transaction is not confirmed and in the
> mempool, B can speed up its propagation on the Bitcoin layer by putting it
> in its own mempool as well --- after all, C is willing to close the channel
> to exonerate itself and punish the actual culprit, and B putting the
> unilateral close in its own mempool can only help C in what it is willing
> to do.
>
> Secondly, C needs to prove that the channel it is willing to close
> involves the payment attempt, and is not some other channel closure that it
> is attempting to use to fulfill its own soft timeout.
> Since the unilateral close transaction *is* the proof-of-closure, B (and
> A) can inspect the transaction outputs and see (with some additional data
> from C) that one of the outputs is to an HTLC that matches the payment hash.
>
> Thus, B (and A) can believe that the proof-of-closure proves that whoever
> is presenting it is free of wrongdoing, as whoever is actually causing the
> delay has been punished (by someone being willing to close a channel with
> the culprit), and that the proof-of-closure commits to this particular
> payment attempt and no other (because it commits to a particular payment
> hash).
>
> Further, if CE is closed by E dropping it onchain rather than C, C will
> still be able to fulfill its own soft timeout by taking the closing
> transaction from E, which should still contain the HTLC.
> Indeed, neither A nor B will particularly care (nor need to know) who
> dropped the channel onchain, or (for A) that the channel participants are C
> and E.
>
> Update State Shenanigans
> ------------------------
>
> Bitcoin update mechanisms are complicated things, and it may be possible
> for an attacking payee E to fool around with the update state machine to
> make it difficult for C to report a willingness to close CE.
>
> In particular, I quote here the relevant passages from `lightning-rfc`,
> `02-peer-protocol.md`, which is an implementation of the Poon-Dryja update
> mechanism:
>
> > Thus each update traverses through the following states:
> >
> > 1. pending on the receiver
> > 2. in the receiver's latest commitment transaction
> > 3. ... and the receiver's previous commitment transaction has been
> revoked,
> > and the update is pending on the sender
> > 4. ... and in the sender's latest commitment transaction
> > 5. ... and the sender's previous commitment transaction has been revoked
>
> The payee E is the "receiver" in this context.
>
> In this case, once the update has reached step 2, then E has a commitment
> transaction that it can put onchain, that contains an HTLC it can claim.
> From this step onward, C cannot send a failure (i.e. it cannot send back
> an `update_fail_htlc`) back to B, because E could drop its latest
> commitment onchain and claim the HTLC onchain.
>
> However, until step 4, C does not have a unilateral close containing the
> HTLC, and thus cannot provide a proof-of-closure that contains an HTLC that
> refers to the payment.
>
> Thus, between steps 2 to 4, C cannot safely respond to its own soft
> timeout.
> C cannot respond with a failure, as E could then drop its latest
> commitment transaction onchain and claim the payment from C, and extract
> money from C that way.
> C also cannot respond with a proof-of-closure, as it does not have a
> transaction that it can use to provide this proof.
>
> The best that C can do would be to impose an even shorter timeout between
> steps 2 and 4 above, and to drop its current commitment transaction (which
> does not contain the HTLC yet and thus does not constitute a valid
> proof-of-closure) onchain.
> In between the time it drops the commitment transaction and its own
> incoming soft timeout, there is a chance, however small, that this
> transaction will be confirmed, and the channel will (with high probability)
> settle in a state where the HTLC is not instantiated, thus C can safely
> fail its incoming HTLC (not show a proof-of-closure, since that is not
> possible for C to do) without risk of loss, just prior to its own soft
> timeout.
>
> Of course, C is still at risk here: E could collude with miners via a
> side-channel fee offer to confirm its commitment transaction with the HTLC
> present, and ensure that C is liable for the HTLC value.
>
> With Decker-Russell-Osuntokun, we can remove this risk by requiring a
> ritual as follows:
>
> 1. C requests exclusive access to update their single shared state.
> * This can be done via a variety of sub-protocols, including a fair coin
> toss in case of near-simultaneous requests for exclusive locks on both
> sides.
> 2. C provides the details of the new HTLC to E.
> 3. C and E generate the new state transaction and exchange signatures for
> it.
> 4. C and E generate (without signing) the new update transaction.
> 5. E provides the signature (or share of signature, if MuSig) for the new
> update transaction to C.
> 6. C provides the signature for the new update transaction to E, which
> releases the exclusive lock on the shared state atomically with the
> finalization of the new update transaction.
>
> Prior to step 5, C can simply fail the incoming HTLC from B in case its
> own soft timeout is near.
> Even if E performs step 5 after C has already failed the incoming HTLC
> from B, C can simply not perform step 6 and drop the channel onchain with
> the previous update and state transactions.
>
> With Poon-Dryja, we will have to rearrange the order in which we perform
> things, effectively adding an extra communications turnaround between the
> participants.
> Specifically, the order would have to be revised to:
>
> > 1. pending on the sender
> > 2. in the sender's latest commitment transaction
> > 3. ... and the sender's previous commitment transaction has been revoked,
> > and the update is pending on the receiver
> > 4. ... and in the receiver's latest commitment transaction
> > 5. ... and the receiver's previous commitment transaction has been
> revoked
>
> This allows the sender (C in our context) to provide a proof-of-closure
> after step 2, and before step 2, C can safely return a failure with
> `update_fail_htlc` (and refuse to proceed beyond step 2, thus ensuring it
> can still use the previous commitment that still has no HTLC).
>
> Of course, this change will require redesigning the update state machine,
> increasing the number of communication turnarounds, and creating a subtle
> incompatbility when transitioning a payment from a hop that knows only the
> old update state machine to a hop that knows the new update state machine.
>
> Purely Falsified Proof-Of-Closure
> ---------------------------------
>
> Of course, the attacking node E might want to create a false
> proof-of-closure.
> E can do this by simulating a Lightning channel: lock an amount of funds
> in a 2-of-2 (where E controls both keys), then spend it in a set of
> transactions mimicking the unilateral close.
>
> We observe, however, that the overhead of simulating a Lightning channel
> is the same as the overhead of actually creating and closing a Lightning
> channel.
> Since the punishment of proof-of-closure is to force attackers to have
> their channels closed, we can consider that this simulation of a channel
> open and close is sufficient as well.
>
> Future-Proofing
> ---------------
>
> This sketch of proof-of-closure can be used for any update mechanism:
>
> * With Poon-Dryja, C can use its own commitment transaction as the
> proof-of-closure.
> * With Decker-Wattenhofer, C can give all the offchain transactions up to
> the last stage in the multi-stage decrementing-`nSequence` mechanism.
> * With Deckker-Russell-Osuntokun, C can give the latest update and state
> trnsaction.
>
> Basically, we expect that for now, and in the future, any update mechanism
> worth consideration will have a concept of "unilateral close" where a
> channel can be dropped onchain, using data that only one of the channel
> participants holds.
>
> Such a unilateral close will be a sequence of one or more valid
> transactions, terminating in a transaction containing an HTLC-like contract
> in one of its outputs.
>
> Thus, to validate the unilateral close, it is only required to validate
> all the transactions contained in the proof-of-closure, and see that the
> last transaction has an HTLC output.
>
> The limitations are thus:
>
> * The acceptable forms of HTLC would need to be agreed-upon by the entire
> network.
> * Implementations would need to be able to assess, in a
> Bitcoin-consensus-compatible way, whether a transaction is valid or not.
>
> Payment Decorrelation and Payment Points
> ----------------------------------------
>
> Of course, having a single payment hash for the entire payment attempt is
> a privacy loss, which we intend to fix in the near future by using payment
> points, and adding a blinding scalar at each hop, aka. payment
> decorrelation.
>
> Thus, in the future, there will not be any HTLC, but instead a PTLC.
> Further, the payment point at each hop will be changed at each hop, in
> order to prevent decorrelation.
>
> Thus, C needs to provide proofs:
>
> * That an apparent singlesig on the unilateral close output is in fact a
> PTLC.
> C needs to provide:
> * A target point P.
> * A partial signature that would spend that singlesig for a particular
> sighash.
> * An adaptor signature which, with knowledge of the completed signature,
> adaptor signature, and sighash message, would have revealed the scalar
> behind P.
> * That the PTLC belongs to the same payment attempt as what B offered to C.
> C needs to provide:
> * The C-only blinding factor that is the difference between the payment
> point of the B-to-C PTLC and the C-to-E PTLC on the unilateral close.
>
> Then, when B needs to propagate the proof-of-closure back to A, B simply
> adds its own blinding factor to the reported blinding factor, in order to
> convince A that this is the same payment attempt.
>
> As we have brought up privacy, we observe that, when this mechanism
> triggers, there is a mild privacy loss, in that intermediate nodes now know
> some channel closure that is related to this payment, and can thus
> determine the exact path that the payment attempt went through, at least
> until the channel being closed.
> However, proof-of-closure is only propagated in case of violation of the
> soft timeout, so for normal non-malicious payments, proof-of-closure does
> not cause any privacy loss.
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20200401/082a44f1/attachment-0001.html>;

📅 Original date posted:2020-04-01 📝 Original message: I ...

2023-06-09T12:59:21Z

In reply to nevent1q…thst
_________________________

📅 Original date posted:2020-04-01
📝 Original message:
I just thought of a potentially more serious problem, at least for
Poon-Dryja channels, isn't it true that giving a proof of closure is
equivalent to actually closing the channel since once other parties have
copies of the fully signed commitment transaction, it cannot be safely
revoked since other parties now have the ability to publish an old state? I
might be missing something but this seems like a big problem.

Best,
Nadav

On Wed, Apr 1, 2020 at 1:07 PM Nadav Kohen <nadav at suredbits.com> wrote:

> Hi ZmnSCPxj and list,
>
> Love the idea! I have a couple questions though:
>
> I'm not convinced that "Purely Falsified Proof-Of-Closure" aren't
> effective. Consider a similar network to the one you described where we
> have channels A - B - C and A - E - C but where we add a "fake" channel E -
> E'. Now if the attacker sets up a payment from E to E' using the route E -
> C - B - A - E - E', then the attacker can successfully lock up all of B's
> channels (as is desirable to get rid of competition) and also generate a
> false proof of closure for the E - E' channel. Even if this false proof
> (which is a commitment tx) ends up being published on chain, E has lost no
> ability to route and has successfully made B unable to route between A and
> C. If my understanding of the proposal is correct, and it may not be, then
> the punishment for grieving payments is the threat of closing channels that
> would benefit from the grieving attack. But adding a new channel on the end
> to be closed seems to invalidate this punishment?
>
> A second question I have is if you think that it would be advisable to use
> up-front payments (pay for attempt, not just success) on payments with
> abnormally high soft timeouts? If all this works, this combination seems to
> be a way to enable hodl invoices under the proof of closure proposal.
>
> Best,
> Nadav
>
> On Wed, Apr 1, 2020 at 1:19 AM ZmnSCPxj via Lightning-dev <
> lightning-dev at lists.linuxfoundation.org> wrote:
>
>> Introduction
>> ============
>>
>> Given the fact that contracts on offchain protocols need to be
>> enforceable onchain as well, timelocks involved in multi-hop payments are
>> measured in blocks.
>> This is because the blockchain can only (third-party-verifiably) enforce
>> timeouts in units of entire blocks.
>> This leads to very long timeouts for payment delivery, thus multi-hop
>> offchain payment attempts can be, deliberately or accidentally, be in a
>> "pending" state up to the very large timeouts involved.
>>
>> Deliberately setting up a multi-hop payment such that it will be in a
>> "pending" state for long periods of time is colloquially known as a
>> "griefing attack".
>> In this article, we assess various proposed solutions to mitigate the
>> effects of griefing attacks, and propose a particular solution,
>> proof-of-closure, as well, that requires significant changes to the update
>> state machine.
>>
>> Digression: Why Grief?
>> ======================
>>
>> Before embarking on our investigation for solutions to the griefing
>> problem, we should first wonder if griefing is, in fact, a problem.
>>
>> This brings up the question of: why would anybody grief at all?
>>
>> Humans, like cats and other less-sapient pieces of walking meat, often
>> find enjoyment in causing the suffering of others for no immediate direct
>> gain to themselves, as a public demonstration of dominance over those they
>> make suffer (aka "shits and giggles", which, if executed correctly, can
>> lead to eventual direct gains to themselves or their progeny or relatives
>> or allies, but such details are often outside the ken of the very beings
>> who execute such survival strategies: brains are pieces of meat that have
>> been hacked to act as action-reaction engines, but are not sophisticated
>> enough to execute as pure rationality engines at all times).
>> Fortunately, in the Bitcoin world, only purely rational beings of pure
>> selfishness can exist in the long run, thus we can neglect such motivations
>> as mere noise.
>>
>> First, let us investigate *how* griefing attacks can be performed.
>>
>> * An intermediate node in a multi-hop attempt can delay forwarding or
>> failing an incoming HTLC.
>> * A final node in a payment attempt can delay claiming an incoming HTLC.
>>
>> Let us consider a purely rational intermediate node of pure selfishness:
>>
>> * If it forwards as soon as possible, it can earn fees, and also speed up
>> the release of the HTLC-locked funds so that they can reuse those funds as
>> liquidity for further payment attempts.
>> * Thus, delaying an HTLC is not selfishly-rational for an intermediate
>> node.
>>
>> Thus, for an intermediate node, it seems there is no selfishly-rational
>> motivation to execute a griefing attack on an arbitrary payment attempt.
>> We can then conclude that an intermediate that delays a payment would do
>> so, not of its own rational self-interest, but as an accident, such as an
>> unforeseen connectivity or power failure.
>>
>> However, things are different when we consider a non-arbitrary payment.
>> Suppose a node were to make a payment attempt to itself, and deliberately
>> delay claiming this self-payment.
>> This lets any single node, *who happens to own large liquidity*, to lock
>> up the liquidity of other nodes.
>>
>> The motivation to lock up the liquidity of other nodes is to *eliminate
>> competition*.
>> Suppose we have a network as below:
>>
>> A -- B -- C
>> \ /
>> \ /
>> \ /
>> E
>>
>> When A and C want to transact with one another, they may choose to route
>> via either B or E.
>> B and E are therefore competitors in the business of forwarding payments.
>>
>> But suppose E has much larger channels AE and CE than the channels of AB
>> and CB.
>> For example, suppose E has 100mBTC perfectly-balanced channels while B
>> has only 10mBTC perfectly-balanced channels, as all things should be in
>> simplified models of reality.
>> E can then "take out the competition" by making a 5mBTC self-payment
>> along E->A->B->C->E and a 5mBTC self-payment along E->C->B->A->E, then
>> refusing to claim the payment, tying up all the liquidity of the channels
>> of B.
>> By doing so, it can ensure that A and C will always fail to pay via B,
>> even if they wish to transact in amounts less than 5mBTC.
>> E thereby eliminates B as a competitor.
>>
>> This demonstrates that griefing attacks will be motivated, such that such
>> attacks will be performed by payers and payees *against intermediate nodes*.
>> Intermediate nodes have no motivation to attack payers and payees (those
>> are their potential customers in the business of forwarding payments, and
>> attacking potential customers is bad business: such attacking intermediate
>> nodes will be removed economically in the long run).
>> However, payers and payees can become motivated to attack intermediate
>> nodes, if the "payer" and "payee" are actually competitor intermediate
>> nodes.
>>
>> (We can observe that this is always a possibility even outside of
>> Lightning: a service or product provider has no incentive to attack its
>> customers ("the customer is always right"), but have an incentive to
>> *pretend* to be a customer of a competitor and attack them.)
>>
>> We will keep this fact in mind: active griefing attacks are attacks *on*
>> intermediate nodes, not *by* intermediate nodes, because there is no
>> economic incentive for intermediate nodes to attack their customers.
>>
>> Previous Proposed Solutions
>> ===========================
>>
>> Time-Spent Reporting
>> --------------------
>>
>> At each channel along the route, the time spent by a node to handle its
>> forwarding is recorded, and reported upstream in the route.
>>
>> Unfortunately, this solution protects payers from intermediate nodes and
>> payees: it does not protect intermediate nodes from colluding payers and
>> payees.
>> Even if an intermediate node knows that a particular node is consistently
>> slow via a previous time-spent report, it will not be able, with our
>> current onion routing, determine if an onion packet it just received will
>> or will not go through the known-slow node.
>> Thus, an intermediate node would not be able to defend against distant
>> payees that, with a colluding payer, will not claim a particular payment.
>>
>> As we have established, an active griefing atttack will never be
>> deliberately performed by a selfishly-rational intermediate node.
>> Thus, this solution protects against the wrong thing: it protects payers
>> against slow/unreliable intermediate nodes, it does not protect
>> intermediate nodes against malicious payer/payee collusions.
>> It protects only against intermediate nodes that inadvertently go offline
>> during forwarding, but such nodes will inevitably lose out on the
>> forwarding market anyway, and will disappear in the long run.
>>
>> Up-Front Payment
>> ----------------
>>
>> Payers pay for an attempt, not just the successful completion of an
>> attempt.
>>
>> A variation on this is that the payer (or payee) continuously pays as
>> long as the payment is pending.
>> Further variations include paying by other means, such as just locking
>> funds or paying with proof-of-work.
>>
>> While it certainly erects economic barriers against payer/payee
>> collusions attacking intermediate nodes, it *also* erects economic barriers
>> against normal, non-malicious payments.
>>
>> We can consider that economic barriers against non-malicious, low-value,
>> high-frequency payments ("micropayments") may be enough that such payments
>> become infeasible if we impose up-front payment for mere attempts.
>> Thus, while this solution is certainly something we can consider, we must
>> be reluctant to use it due to its up-front, strict-evaluation behavior.
>>
>> Proof-Of-Closure
>> ================
>>
>> Observing the above, we want the properties for a "good" solution to
>> griefing attacks to be:
>>
>> * It should protect intermediate nodes against payer/payee collusions.
>> * It should only come into play upon detection of an attack.
>>
>> We now present proof-of-closure, which (we hope) has the above properties.
>>
>> We can consider instead a softer timeout, distinct from the HTLC
>> block-based timeout.
>> This softer timeout is measurable in fractions of a second, e.g. units of
>> 0.1 seconds.
>>
>> Each node on the network advertises, in addition to a block-based
>> `cltv_delta`, a `timeout_delta` in units of 0.1 seconds.
>> Further, each invoice contains, in addition to a block-based
>> `final_cltv`, a `final_timeout` in units of 0.1 seconds.
>>
>> Thus, there are two timeouts:
>>
>> * The current "hard" block-based timeout that is enforceable onchain.
>> * A new "soft" sidereal-time-based timeout that is not onchain
>> enforceable.
>>
>> The soft timeout, as mentioned, is not enforceable onchain.
>> Instead, enforcement of the soft timeout *is* the act of putting the
>> channel state onchain.
>>
>> Now, for the current "hard" block-based timeout, we already have a
>> reaction.
>> If the HTLC "hard" timeout is approaching:
>>
>> * Drop the channel onchain and enforce the hard timeout onchain to
>> reclaim the funds in the HTLCs.
>> * Wait for the onchain action to be deeply resolved (either timelock or
>> hashlock branch is confirmed deeply) and report the result (success or
>> fail) upstream.
>>
>> What happens if the "soft" timeout is violated?
>>
>> * Drop the channel onchain.
>> * Report the channel closure upstream.
>>
>> The "hard" timeout is cancelled in any of these two conditions:
>>
>> * A success is reported via `update_fulfill_htlc`, OR,
>> * A failure is reported via `update_fail_htlc` AND the HTLC is
>> irrevocably removed from the latest commitments/state(s) of the channel.
>>
>> The "soft" timeout is cancelled in any of these three conditions, the
>> first two of which are the same as above:
>>
>> * A success is reported via `update_fulfill_htlc`, OR,
>> * A failure is reported via `update_fail_htlc` AND the HTLC is
>> irrevocably removed from the latest commitments/state(s) of the channel, OR
>> * A channel closure is reported.
>>
>> Let us fill this in more detail.
>>
>> Suppose we have a payment route A->B->C->E.
>>
>> Both the "hard" block timeouts and the "soft" second timeouts decrement
>> monotonically at each hop.
>> Thus, the payee E has the shortest "hard" and "soft" timeouts (as normal).
>>
>> * Suppose E then delays claiming the payment and violates the "soft"
>> timeout.
>> * C then drops the CE channel onchain.
>> * C reports, before its own timeout (slightly larger than the timeout
>> imposed on E), the closing of the channel CE, to B.
>> * B validates this report, and if valid, propagates the report to A.
>> * A validates this report, and if valid, accepts that the payment will be
>> "stuck" for up to the hard timeout it imposed on B.
>>
>> C has to report back to B in order to prevent B from closing the BC
>> channel, and B has to report back to A in order to prevent A from closing
>> the AB channel.
>> The decrementing seconds-unit timeouts are needed for each hop, for the
>> same reason that decrementing block-unit timeouts are needed.
>>
>> Since E is motivated to attack intermediate nodes because it wants to
>> redirect payment forwards through itself rather than its competitotrs,
>> having one of its channels closed (which prevents it from being used for
>> forwarding) is directly opposed to its end goal of getting more money,
>> thus, we can believe the action of closing a channel involved in a griefing
>> attack is sufficient disincentive.
>>
>> The major drawback is that enforcement of the soft timeout *is* a channel
>> closure, which is generally a negative for the network.
>> This is not a remote attack vector, since a node can only trigger this
>> closure if it is able to stall the fulfillment or failure of an HTLC on a
>> channel, which generally means the node triggering this closure can only do
>> so for its own channels (or it is able to, via a separate mechanism,
>> remotely crash a different node).
>>
>> Proving Channel Closes
>> ----------------------
>>
>> What C *really* needs to prove is that:
>>
>> * It is *willing* to close a channel due to a violation of the soft
>> timeout.
>> * The channel it is willing to close was, in fact, involved in the same
>> payment attempt.
>>
>> With the above, B can believe that C was innocent of wrongdoing, because:
>>
>> * C would only be wiling to close a channel in case of a protocol
>> violation, in this case, a violation of the soft timeout.
>> * The channel it closed was closed because of this payment attempt, and
>> not because of another payment attempt, or some other unrelated channel
>> being unilaterally closed.
>>
>> First, what C needs to prove is *NOT*, in fact, actual channel closure:
>> it needs to prove a *willingness* to close a channel.
>> Thus, it does not require the channel to actually be *closed* yet, i.e.
>> it does not have to wait for onchain activity that the channel closure is
>> in a mempool and is confirmed deeply onchain etc etc.
>>
>> Thus, to prove a *willingness to close* rather than an actual close, C
>> can provide the unilateral close of the channel CE.
>> The act of unilaterally closing a channel is the publication of the
>> transaction(s) making up the unilateral close.
>> Thus, if C is *willing* to close the channel, it is willing to publish
>> the transaction(s) involved, and thus, providing the unilateral close to B
>> and further upstream, shows a willingness to close the channel.
>>
>> B then validates the provided proof-of-closure by checking that the
>> unilateral close transaction is either onchain, in the mempool, or that it
>> spends a TXO that is not currently spent by another transaction.
>> In the case the unilateral close transaction is not confirmed and in the
>> mempool, B can speed up its propagation on the Bitcoin layer by putting it
>> in its own mempool as well --- after all, C is willing to close the channel
>> to exonerate itself and punish the actual culprit, and B putting the
>> unilateral close in its own mempool can only help C in what it is willing
>> to do.
>>
>> Secondly, C needs to prove that the channel it is willing to close
>> involves the payment attempt, and is not some other channel closure that it
>> is attempting to use to fulfill its own soft timeout.
>> Since the unilateral close transaction *is* the proof-of-closure, B (and
>> A) can inspect the transaction outputs and see (with some additional data
>> from C) that one of the outputs is to an HTLC that matches the payment hash.
>>
>> Thus, B (and A) can believe that the proof-of-closure proves that whoever
>> is presenting it is free of wrongdoing, as whoever is actually causing the
>> delay has been punished (by someone being willing to close a channel with
>> the culprit), and that the proof-of-closure commits to this particular
>> payment attempt and no other (because it commits to a particular payment
>> hash).
>>
>> Further, if CE is closed by E dropping it onchain rather than C, C will
>> still be able to fulfill its own soft timeout by taking the closing
>> transaction from E, which should still contain the HTLC.
>> Indeed, neither A nor B will particularly care (nor need to know) who
>> dropped the channel onchain, or (for A) that the channel participants are C
>> and E.
>>
>> Update State Shenanigans
>> ------------------------
>>
>> Bitcoin update mechanisms are complicated things, and it may be possible
>> for an attacking payee E to fool around with the update state machine to
>> make it difficult for C to report a willingness to close CE.
>>
>> In particular, I quote here the relevant passages from `lightning-rfc`,
>> `02-peer-protocol.md`, which is an implementation of the Poon-Dryja update
>> mechanism:
>>
>> > Thus each update traverses through the following states:
>> >
>> > 1. pending on the receiver
>> > 2. in the receiver's latest commitment transaction
>> > 3. ... and the receiver's previous commitment transaction has been
>> revoked,
>> > and the update is pending on the sender
>> > 4. ... and in the sender's latest commitment transaction
>> > 5. ... and the sender's previous commitment transaction has been revoked
>>
>> The payee E is the "receiver" in this context.
>>
>> In this case, once the update has reached step 2, then E has a commitment
>> transaction that it can put onchain, that contains an HTLC it can claim.
>> From this step onward, C cannot send a failure (i.e. it cannot send back
>> an `update_fail_htlc`) back to B, because E could drop its latest
>> commitment onchain and claim the HTLC onchain.
>>
>> However, until step 4, C does not have a unilateral close containing the
>> HTLC, and thus cannot provide a proof-of-closure that contains an HTLC that
>> refers to the payment.
>>
>> Thus, between steps 2 to 4, C cannot safely respond to its own soft
>> timeout.
>> C cannot respond with a failure, as E could then drop its latest
>> commitment transaction onchain and claim the payment from C, and extract
>> money from C that way.
>> C also cannot respond with a proof-of-closure, as it does not have a
>> transaction that it can use to provide this proof.
>>
>> The best that C can do would be to impose an even shorter timeout between
>> steps 2 and 4 above, and to drop its current commitment transaction (which
>> does not contain the HTLC yet and thus does not constitute a valid
>> proof-of-closure) onchain.
>> In between the time it drops the commitment transaction and its own
>> incoming soft timeout, there is a chance, however small, that this
>> transaction will be confirmed, and the channel will (with high probability)
>> settle in a state where the HTLC is not instantiated, thus C can safely
>> fail its incoming HTLC (not show a proof-of-closure, since that is not
>> possible for C to do) without risk of loss, just prior to its own soft
>> timeout.
>>
>> Of course, C is still at risk here: E could collude with miners via a
>> side-channel fee offer to confirm its commitment transaction with the HTLC
>> present, and ensure that C is liable for the HTLC value.
>>
>> With Decker-Russell-Osuntokun, we can remove this risk by requiring a
>> ritual as follows:
>>
>> 1. C requests exclusive access to update their single shared state.
>> * This can be done via a variety of sub-protocols, including a fair
>> coin toss in case of near-simultaneous requests for exclusive locks on both
>> sides.
>> 2. C provides the details of the new HTLC to E.
>> 3. C and E generate the new state transaction and exchange signatures
>> for it.
>> 4. C and E generate (without signing) the new update transaction.
>> 5. E provides the signature (or share of signature, if MuSig) for the
>> new update transaction to C.
>> 6. C provides the signature for the new update transaction to E, which
>> releases the exclusive lock on the shared state atomically with the
>> finalization of the new update transaction.
>>
>> Prior to step 5, C can simply fail the incoming HTLC from B in case its
>> own soft timeout is near.
>> Even if E performs step 5 after C has already failed the incoming HTLC
>> from B, C can simply not perform step 6 and drop the channel onchain with
>> the previous update and state transactions.
>>
>> With Poon-Dryja, we will have to rearrange the order in which we perform
>> things, effectively adding an extra communications turnaround between the
>> participants.
>> Specifically, the order would have to be revised to:
>>
>> > 1. pending on the sender
>> > 2. in the sender's latest commitment transaction
>> > 3. ... and the sender's previous commitment transaction has been
>> revoked,
>> > and the update is pending on the receiver
>> > 4. ... and in the receiver's latest commitment transaction
>> > 5. ... and the receiver's previous commitment transaction has been
>> revoked
>>
>> This allows the sender (C in our context) to provide a proof-of-closure
>> after step 2, and before step 2, C can safely return a failure with
>> `update_fail_htlc` (and refuse to proceed beyond step 2, thus ensuring it
>> can still use the previous commitment that still has no HTLC).
>>
>> Of course, this change will require redesigning the update state machine,
>> increasing the number of communication turnarounds, and creating a subtle
>> incompatbility when transitioning a payment from a hop that knows only the
>> old update state machine to a hop that knows the new update state machine.
>>
>> Purely Falsified Proof-Of-Closure
>> ---------------------------------
>>
>> Of course, the attacking node E might want to create a false
>> proof-of-closure.
>> E can do this by simulating a Lightning channel: lock an amount of funds
>> in a 2-of-2 (where E controls both keys), then spend it in a set of
>> transactions mimicking the unilateral close.
>>
>> We observe, however, that the overhead of simulating a Lightning channel
>> is the same as the overhead of actually creating and closing a Lightning
>> channel.
>> Since the punishment of proof-of-closure is to force attackers to have
>> their channels closed, we can consider that this simulation of a channel
>> open and close is sufficient as well.
>>
>> Future-Proofing
>> ---------------
>>
>> This sketch of proof-of-closure can be used for any update mechanism:
>>
>> * With Poon-Dryja, C can use its own commitment transaction as the
>> proof-of-closure.
>> * With Decker-Wattenhofer, C can give all the offchain transactions up to
>> the last stage in the multi-stage decrementing-`nSequence` mechanism.
>> * With Deckker-Russell-Osuntokun, C can give the latest update and state
>> trnsaction.
>>
>> Basically, we expect that for now, and in the future, any update
>> mechanism worth consideration will have a concept of "unilateral close"
>> where a channel can be dropped onchain, using data that only one of the
>> channel participants holds.
>>
>> Such a unilateral close will be a sequence of one or more valid
>> transactions, terminating in a transaction containing an HTLC-like contract
>> in one of its outputs.
>>
>> Thus, to validate the unilateral close, it is only required to validate
>> all the transactions contained in the proof-of-closure, and see that the
>> last transaction has an HTLC output.
>>
>> The limitations are thus:
>>
>> * The acceptable forms of HTLC would need to be agreed-upon by the entire
>> network.
>> * Implementations would need to be able to assess, in a
>> Bitcoin-consensus-compatible way, whether a transaction is valid or not.
>>
>> Payment Decorrelation and Payment Points
>> ----------------------------------------
>>
>> Of course, having a single payment hash for the entire payment attempt is
>> a privacy loss, which we intend to fix in the near future by using payment
>> points, and adding a blinding scalar at each hop, aka. payment
>> decorrelation.
>>
>> Thus, in the future, there will not be any HTLC, but instead a PTLC.
>> Further, the payment point at each hop will be changed at each hop, in
>> order to prevent decorrelation.
>>
>> Thus, C needs to provide proofs:
>>
>> * That an apparent singlesig on the unilateral close output is in fact a
>> PTLC.
>> C needs to provide:
>> * A target point P.
>> * A partial signature that would spend that singlesig for a particular
>> sighash.
>> * An adaptor signature which, with knowledge of the completed
>> signature, adaptor signature, and sighash message, would have revealed the
>> scalar behind P.
>> * That the PTLC belongs to the same payment attempt as what B offered to
>> C.
>> C needs to provide:
>> * The C-only blinding factor that is the difference between the payment
>> point of the B-to-C PTLC and the C-to-E PTLC on the unilateral close.
>>
>> Then, when B needs to propagate the proof-of-closure back to A, B simply
>> adds its own blinding factor to the reported blinding factor, in order to
>> convince A that this is the same payment attempt.
>>
>> As we have brought up privacy, we observe that, when this mechanism
>> triggers, there is a mild privacy loss, in that intermediate nodes now know
>> some channel closure that is related to this payment, and can thus
>> determine the exact path that the payment attempt went through, at least
>> until the channel being closed.
>> However, proof-of-closure is only propagated in case of violation of the
>> soft timeout, so for normal non-malicious payments, proof-of-closure does
>> not cause any privacy loss.
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20200401/068762fe/attachment-0001.html>;

📅 Original date posted:2019-07-17 📝 Original message: Hi ...

2023-06-09T12:55:38Z

In reply to nevent1q…pcrk
_________________________

📅 Original date posted:2019-07-17
📝 Original message:
Hi Lloyd,

Glad you like it :) And to address your concern, I think that although
certainly it is possible for oracles to sell options contracts, it is also
possible to have a more decentralized setup with normal DLC oracles (that
can be used for all kinds of things as all they do is schnorr sign messages
with pre-commited R values), and then have the CETs be 3-of-3 multisig
outputs. In this way the oracle is still not learning about the contract,
just like normal DLCs.

Best,
Nadav

On Wed, Jul 17, 2019 at 11:23 AM Lloyd Fournier <lloyd.fourn at gmail.com>
wrote:

> Hi Nadav,
>
> This is cool idea. I always imagined oracles would either give their DLC
> signatures away for free or work via a subscription model.
>
> The downside to this proposal is that the seller of the signature knows
> which signature they're selling and therefore learns what kind of contract
> the buyer must be involved in.
>
> LL
>
>
> On Thu, Jul 18, 2019 at 1:37 AM Nadav Kohen <nadav at suredbits.com> wrote:
>
>> Hi All,
>>
>> I recently posted a proposal here for a scheme through which a trusted
>> data provider can utilize the Lightning Network to privately sell data
>> where data is received atomically with purchase.
>>
>> I've more recently been thinking about situations where a party, that is
>> *not* trusted, is attempting to sell its signature to a known message. One
>> example of a situation where this would be useful is if someone is trying
>> to offer a DLC-like Option contract where they are essentially
>> collateralizing themselves in a funding transaction and then selling their
>> signatures to Contract Execution Transactions (CETs). In this example, we
>> must ensure that the buyer of the signatures pays if and only if they
>> receive valid signatures for the CETs which are known.
>>
>> I believe that this is achievable in a relatively straightforward way if
>> we were to use ZmnSCPxj's proposed payment points with scalars (as opposed
>> to payment hashes with pre-images). The (Schnorr) signature seller could
>> give the buyer their one-time public key, `R = k*G`, through which the
>> buyer could compute the payment point whose scalar is the seller's
>> signature: `sig*G = R + h(m, R)*A` where `A` is the seller's public key.
>> Using this value as the payment point, the buyer could be assured that they
>> pay if and only if they receive `sig` from the seller, where `sig` is the
>> desired valid signature of `m`!
>>
>> Best,
>> Nadav
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190717/3c637967/attachment.html>;

📅 Original date posted:2019-07-17 📝 Original message: Hi ...

2023-06-09T12:55:37Z

In reply to nevent1q…0zuu
_________________________

📅 Original date posted:2019-07-17
📝 Original message:
Hi All,

I recently posted a proposal here for a scheme through which a trusted data
provider can utilize the Lightning Network to privately sell data where
data is received atomically with purchase.

I've more recently been thinking about situations where a party, that is
*not* trusted, is attempting to sell its signature to a known message. One
example of a situation where this would be useful is if someone is trying
to offer a DLC-like Option contract where they are essentially
collateralizing themselves in a funding transaction and then selling their
signatures to Contract Execution Transactions (CETs). In this example, we
must ensure that the buyer of the signatures pays if and only if they
receive valid signatures for the CETs which are known.

I believe that this is achievable in a relatively straightforward way if we
were to use ZmnSCPxj's proposed payment points with scalars (as opposed to
payment hashes with pre-images). The (Schnorr) signature seller could give
the buyer their one-time public key, `R = k*G`, through which the buyer
could compute the payment point whose scalar is the seller's signature:
`sig*G = R + h(m, R)*A` where `A` is the seller's public key. Using this
value as the payment point, the buyer could be assured that they pay if and
only if they receive `sig` from the seller, where `sig` is the desired
valid signature of `m`!

Best,
Nadav
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190717/95c848fb/attachment.html>;