{"type":"rich","version":"1.0","title":"Lloyd Fournier [ARCHIVE] wrote","author_name":"Lloyd Fournier [ARCHIVE] (npub1kh…y05yp)","author_url":"https://yabu.me/npub1khlhcuz0jrjwa0ayznq2q9agg4zvxfvx5x7jljrvwnpfzngrcf0q7y05yp","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2020-12-15\n📝 Original message:\n\u003e It seems difficult to recommend YOLO commitment transactions becoming\nthe standard way to recover funds. It could be preferable to the current\nsystem but even that is up for debate I guess.\n\u003e I feel like I can recommend oblivious settlements because (i) it's covert\n(like YOLO commitments txs unlike current system) and (ii) it's  \"what you\nsee is what you get\" -- you are guaranteed to recover the funds that you\nare presented with once you finally trigger the recovery\n\nOff list Dave correctly pointed out to me that this wasn't a very clear\npicture of the situation.\nAfter some thought, I came up with these claims that I think I can make\nstrongly:\n\n1. Before you reveal that you are doing recovery you are guaranteed to have\na tx in hand that:\n     i. You can broadcast first\n     ii. You can choose the fee to be as high as you like\n     iii. Is not replaceable.\n2. If the malicious party is *not* willing to risk broadcasting a revoked\ntx then you are guaranteed to recover the face value of the transaction(s)\nyou have in hand.\n3. An honest party is never at risk of broadcasting a revoked commitment tx.\n4. You never have to reveal that you were doing a recovery i.e. the channel\ncan continue (strictly preferable to 1)\n\nCurrent system has: 3\nOblivious mutual close has: 1,2,3\nYOLO commitments has: 1,5\n\nSo I think the question of YOLO commitments vs oblivious mutual close is\nwhether paying the price of losing (2,3) is worth the upgrade from (1) to\n(5).\nThe concern with (1) is that once you broadcast to the network the\nobliviously transferred \"mutual close\" transaction, the malicious party\nthen has a hint that you have lost data and they can try and broadcast a\nfavourable revoked transaction.\nThis should be very hard since in (1) you broadcast first, can choose as\nlarge a fee as you like and the tx does not signal replaceability whereas\nthe revoked tx *will* signal replaceability.\nI'm also personally trying to avoid losing (3) because to keep [1]\napplicable.\n\nAs a side note: in YOLO commitment transactions you have to recover some\nadditional metadata from the other party -- in particular the compressed\nrevocation keys that you *should* know otherwise the channel cannot\ncontinue to operate. So a signature on the compressed revocation keys must\nbe given to the other party before you lose data and returned to you when\nyou are given the commitment transaction upon reconnection.\nThis should be easy enough to do though.\n\n[1]\nhttps://github.com/LLFourn/witness-asymmetric-channel#scorched-earth-punishments\n\nOn Tue, Dec 15, 2020 at 12:13 AM David A. Harding \u003cdave at dtrt.org\u003e wrote:\n\n\u003e \u003e The idea I'm working with in revocable signature based channels [1] is\n\u003e \u003e to make the node lose its static secret key if it posts a revoked\n\u003e \u003e commitment tx. This means they could lose ALL funds from ALL their\n\u003e \u003e channels with ALL their peers if they ever broadcast a single revoked\n\u003e \u003e commitment transaction. This would be a very bad thing to happen while\n\u003e \u003e you're trying to recover funds.\n\u003e\n\u003e Yikes!  A very bad thing indeed.  I'll have to re-read about witness\n\u003e asymmetric channels; I don't think I realized that was a consequence of\n\u003e using them.\n\u003e\n\nIt's an optional feature -- see link[1] above where I just added an\nexplanation of it.\nI actually see no reason why you couldn't apply revocable signatures to\ntransaction asymmetric channels (LN as it is today) you just have to\noverhaul the revocation mechanism.\n\nIn general I agree with your points that side-channels may be effective\ntools to reveal whether a node has had data loss or not.\nI think in both YOLO commitments and oblivious mutual close it is easy\nenough to simulate data-loss up to a point to try and catch malicious peers\nusing side channels.\nAt least you don't have to ask the peer to broadcast a tx to find out!\n\nCheers,\n\nLL\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201215/7b1e9210/attachment.html\u003e"}