Pages:
Author

Topic: [Lightning] Eltoo - Convince me that it is safe enough! - page 2. (Read 581 times)

legendary
Activity: 3430
Merit: 3080
The old-state attack would work if you get cut-off from all internet past the timeout, but that's no different than with HTLC lightning.
The difference however is that in HTLC lightning if the victim closes successfully, the scammer gets punished, in eltoo he only loses transaction fees. This is the incentive problem I mean, the scammer can even try flooding blocks with transactions himself to prevent the victims from closing successfully.

One dis-incentive I can imagine is that in the case of the attack being successful, and e.g. there are 3000 from 10000 closing transactions from victims which didn't make it into the blocks before the timeout, it is likely that these 3000 will be those with the least profit for the scammer, because victims with a high level of damage would be willing to pay higher transaction fees. This would be valid both for HTLC-Lightning and Eltoo. But is this enough?

I think we might be forgetting why the penalty exists in Poon-Dryja lightning in the first place


If penalty did not exist in the current lightning protocol, a simple griefing attack would be:

  • 1. Alice and Mallory have a channel
  • 2. Mallory closes with an old state
  • 3. Alice closes with newest state to ovverride
  • 4. Malloy closes with the exact same old state
  • 5. Repeat until no-one is willing to spend yet more money in onchain fees

eltoo's sequence numbers make the above attack impossible. The penalty branch in the Poon-Dryja lightning protocol was the only way to stop that attack, I don't think it's meant as a way of stopping the "Mallory closed with an old state and DDOSed my connection all over the world until her old-state channel-close reached timeout" attack, which is what you seem to be thinking

(correct me if I'm wrong)
copper member
Activity: 821
Merit: 1992
Pawns are the soul of chess
Quote
I don't understand exactly what you mean ... In my last post I meant "flooding" the blocks with "normal" spam transactions between the wallets of the attacker, to ensure that there is a low amount of space left for closing transactions. (Maybe "flooding" isn't the correct term).
Oh, I thought you assume that there are two parties involved: the honest node and the attacker. But if there are two nodes controlled by the attacker, then in Eltoo only the latest transaction will remain in the mempool, all previous transactions with lower sequence numbers will be discarded.

Because sequence numbers are 32-bit numbers, that can be abused to exhaust nodes from bandwidth, but I guess that you will have to pay more on-chain fees for replacements. Currently, RBF is designed in a way that every replacement transaction has to cover the cost of itself and the cost of the replaced transaction. As long as you broadcast a single transaction, you have no reason to worry. But if you broadcast hundreds of such transactions, then you will pay for each of your replacement, while other people sending single transaction won't have to.

Quote
Is it possible that this penalty transaction, in Eltoo, uses funds which are locked in the LN channel?
As long as the closing transaction is on the mempool level, there is no need for any penalty transaction, you can just broadcast the latest channel state and it will be confirmed instead, because of higher sequence number. However, if some old transaction will reach at least one confirmation, then you need to take that coins somehow. Uncooperative close in LN is protected by CLTV, then you can get attacker's coins directly without any timeout, the same can be used in Eltoo. But I can also imagine a system where you will have that coins locked in some lightning channel instead.

Quote
Unfortunately my knowledge about Sighash_Anyprevout/Noinput isn't that deep ...
The concept is quite simple: SIGHASH_ANYPREVOUT means you can use any previous transaction input you want, because that part of the transaction is not signed. That means you can create some closing channel transaction and it will be valid all the time. But that's too much flexibility, because you want to limit it somehow to allow invalidating that transaction later. To do that, you can for example use decreased timelocks, but it seems there is something designed just for that: sequence numbers. If there will be mempool rules discarding lower sequence numbers, you can start from zero, increment it, and transaction with the highest sequence number will be confirmed.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
You get it right, but it is the same situation as closing LN channel with old transaction state today. If you can reach one confirmation for some old channel state in LN today, you can steal money from people. That attack can be used in LN and in Eltoo.
Thanks! OK so far I have got it right, but now to the interesting part:

In LN, that problem is solved by creating a penalty transaction that takes all coins from the cheating party. In LN you need one penalty transaction for each old channel state. In Eltoo you will need only one transaction that can be used as a penalty for any previous N transactions, up to some sequence number or something like that, in this way you can discard previous penalty transactions and store only the latest one.
Is it possible that this penalty transaction, in Eltoo, uses funds which are locked in the LN channel? I had understood in the Eltoo description that the way a penalty could be enforced would be with additional funds (see the last part of my OP). If it would be possible to use the same funds locked in the multisig contract for a penalty (via Sighash_Anyprevout maybe?), like in the current LN protocol (Poon-Dryja channels) then this would be the definitive answer I'm waiting for in this thread Smiley Unfortunately my knowledge about Sighash_Anyprevout/Noinput isn't that deep ...

If someone knows some additional links about eltoo/penalty mechanisms, I would be grateful for them to be posted here Smiley  (it's not so easy to find material about these topics with search engines)

Edit: Just found this proposal on the Lightning-devel mailing list, I'll see if I'll be able to understand it Smiley

Quote
I guess that if you flood blocks with transactions, then you have to constuct that transactions somehow. And for that, you have to for example move coins inside Eltoo, paying some second layer fees for each transaction.
I don't understand exactly what you mean ... In my last post I meant "flooding" the blocks with "normal" spam transactions between the wallets of the attacker, to ensure that there is a low amount of space left for closing transactions. (Maybe "flooding" isn't the correct term).
Quote
So I guess that if nodes will be cheated by flooding, then fees will rise, maybe first-layer fees or second-layer fees.
Yes, the attacker obviously would have to ensure that his attack still is profitable even with high fees. So he would only generate additional spam/flood transactions in the blocks if the fee level is still too low (or the blocks not full enough) and a too high percentage of the closing transactions are successful.
copper member
Activity: 821
Merit: 1992
Pawns are the soul of chess
Quote
Thanks. I understand however that if the scammer manages to confirm his "old-state closing" transaction on-chain and the victim doesn't close the channel before the timeod, either because the victim is offline or because the blocks are full and they didn't get space for their own channel update, then the attack could be performed. Or am I understanding something wrong?
You get it right, but it is the same situation as closing LN channel with old transaction state today. If you can reach one confirmation for some old channel state in LN today, you can steal money from people. That attack can be used in LN and in Eltoo. The same is for dust amounts: they are passed as transaction fees and if something goes wrong, then the miner can collect that coins, because no additional output is created for them.

In LN, that problem is solved by creating a penalty transaction that takes all coins from the cheating party. In LN you need one penalty transaction for each old channel state. In Eltoo you will need only one transaction that can be used as a penalty for any previous N transactions, up to some sequence number or something like that, in this way you can discard previous penalty transactions and store only the latest one.

Quote
This is the incentive problem I mean, the scammer can even try flooding blocks with transactions himself to prevent the victims from closing successfully.
I guess that if you flood blocks with transactions, then you have to constuct that transactions somehow. And for that, you have to for example move coins inside Eltoo, paying some second layer fees for each transaction. So I guess that if nodes will be cheated by flooding, then fees will rise, maybe first-layer fees or second-layer fees. Now you can lose all of your coins as a punishment, I expect that if second layers like Eltoo will grow, then that will be reduced to half of your coins, fee-based fraction of your coins or something similar to make attacking unprofitable.

Quote
But is this enough?
Yes, I think fees will solve that issue, because fees are needed as an incentive and as a protection from flooding. The more flooding will be there, the more fees will be added to each transaction by nodes. So, if some nodes will be scammed by that kind of attack, then I expect that node operators will rise their routing fees, making that attacks less profitable. I can imagine a system where there is no constant fee rate, but where it depends on how well your node behaves and how many transactions you make.

For example: in Phoenix wallet you have some fees set at 0.1%. That means for each 0.01 BTC (one million satoshi) you have to pay one thousand satoshi in fees. So, when you move 1 BTC, it means you have to pay 100k satoshis in fees. On the other hand, you could transfer that amount on-chain and pay for example 500 satoshi when mempool is almost empty, no matter how big that amount will be. So, I guess that different layers will be used for different purposes, you won't have one layer fitting all use cases. The same with LN and Eltoo, I expect some people will prefer taking all coins as a punishment, some people will prefer taking only the smallest allowed fraction of coins as a punishment, and the free market will set that point somewhere in between.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
each state/update PTLC has a update sequence number, using any old states to channel-close are rejected by validating nodes if a close tx with a newer state has already been confirmed in a block. Because the sequence number is lower for the older state. Higher state numbers override lower state numbers.

Conversely, if a scammer tries to initiate a channel-close with an old state, it's perfectly valid on-chain to override that with another tx that redistributes funds according to the newest state, because the sequence number of newer states are higher.
Thanks. I understand however that if the scammer manages to confirm his "old-state closing" transaction on-chain and the victim doesn't close the channel before the timeout, either because the victim is offline or because the blocks are full and they didn't get space for their own channel update, then the attack could be performed. Or am I understanding something wrong?

The old-state attack would work if you get cut-off from all internet past the timeout, but that's no different than with HTLC lightning.
The difference however is that in HTLC lightning if the victim closes successfully, the scammer gets punished, in eltoo he only loses transaction fees. This is the incentive problem I mean, the scammer can even try flooding blocks with transactions himself to prevent the victims from closing successfully.

One dis-incentive I can imagine is that in the case of the attack being successful, and e.g. there are 3000 from 10000 closing transactions from victims which didn't make it into the blocks before the timeout, it is likely that these 3000 will be those with the least profit for the scammer, because victims with a high level of damage would be willing to pay higher transaction fees. This would be valid both for HTLC-Lightning and Eltoo. But is this enough?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
According to my understanding, I don't think the Eltoo spec allows for broadcasting intermediate state anyway because the proposed SIGHASH_NOINPUT flag would (in their words) "bind a transaction input to any output with a matching script" which eliminates the need to broadcast the intermediate transactions.

Or maybe they still are broadcasted but it says they can't be confirmed because a transaction with a newer state (and thus sequence number) was already broadcasted (?). But I like the idea of not broadcasting any intermediate transactions in the first place, instead only doing so for non-cooperation. So they all get broadcasted sequentially. I have the feeling that this is what Eltoo does too.
legendary
Activity: 3430
Merit: 3080
My doubt is now principally that this could lead to an incentive problem: it would give all scammers the incentive to open LN channels and "simply try" to close channels with old states, as there is no punishment they would only lose transaction fees.


each state/update PTLC has a update sequence number, using any old states to channel-close are rejected by validating nodes if a close tx with a newer state has already been confirmed in a block. Because the sequence number is lower for the older state. Higher state numbers override lower state numbers.

Conversely, if a scammer tries to initiate a channel-close with an old state, it's perfectly valid on-chain to override that with another tx that redistributes funds according to the newest state, because the sequence number of newer states are higher.

The scammer spends their own anchor outputs as fees to close with an old state in the latter case, a small but real disincentive to try.

Maybe there are real attacks, perhaps with very busy channels the sequence number might be susceptible to overflow? Didn't check the specifics (and I don't think any actual code exists yet anyway). The old-state attack would work if you get cut-off from all internet past the timeout, but that's no different than with HTLC lightning.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
Many Lightning supporters seem to have high hopes on Eltoo. Eltoo is basically a new way how the channels in Lightning could be updated. There is a description on the Blockstream website. It would make things like channel factories (Lightning channels for more than two people, which would improve scaling even more) much easier. Eltoo is currently not possible because it needs a softfork on Bitcoin to work (Sighash_Anyprevout).

I haven't found any thread about eltoo in this forum, and I have a doubt I haven't received a convincing answer so far.

Basically, one of the changes which Eltoo proposes is to eliminate the "punishment" for nodes which behave in an uncooperative way. When you close a channel in standard Lightning ("LN-Penalty") because the other party has broadcast an old state of the channel, you can claim the entirety of the channel balance for you. This is an important incentive to avoid misbehaviour in LN.

In Eltoo, in contrast, you can also close channels, but in this case the last "commonly agreed" state of the channel is broadcast. This means that there is no punishment at all.

My doubt is now principally that this could lead to an incentive problem: it would give all scammers the incentive to open LN channels and "simply try" to close channels with old states, as there is no punishment they would only lose transaction fees.

In the Eltoo whitepaper they acknowledge this problem; they propose a mechanism based on an additional security deposit, but this would make the whole system more inefficient as -- from my level of understanding -- for the same level of "punishment" one would have to lock two times the amount in the Lightning channel than with LN-penalty. For example, if I have an 0.01 BTC LN channel, I need to lock 0.01 more to ensure that in the worst case (I'm losing ~0,01 BTC because of the other party closing the channel in a wrong state) the punishment is at least as high as the profit the scammer could get.

So my question is: Is my description of the problem right or am I missing something? Are there ideas or even finished mechanisms to avoid this incentive problem, and which is the "incentive model" of these ideas? I would really like to embrace Eltoo, but I still have doubts about its safety on a massive scale, above all regarding flooding attacks.

Thanks in advance for all serious answers Smiley

(Self-moderation note: I know where this discussion could lead, so I will delete any posts which question LN in its entirety because it's off topic here. Eltoo criticism is allowed, but I am, as I wrote, more interested in the "other side".)
Pages:
Jump to: