Good morning Subhra, > There may be other issues as well with the overall setup, please wait, I > am considering as well what would happen if we correctly establish the > contracts from S to R.
Unfortunately the Mitigating Reverse-Griefing contract reintroduces griefing. First, let us simplify the setup to S -> F -> R. In the griefing attack of today the setup would be: * S->F has the contract, funded by S only: * If F can reveal x such that h = h(x) for a known h, F can claim the fund. * After 2 days, S can recover the fund. * F->R has the contract, funded by F only: * If R can reveal x such that h = h(x) for a known h, R can claim the fund. * After 1 day, F can recover the fund. Then, 1 Planck interval before the 1-day limit, R cancels the HTLC by doing some form of `update_fail_htlc` to F. This causes F to not earn any funds, even though it had its funds locked for 1 day minus 1 Planck interval; thus in practice, R can lock the funds of F for a little less than the time limit imposed. With the Mitigating Reverse Griefing technique, the setup would be: * S->F has the contract, funded by S and F: * If F can reveal x such that h = h(x) for a known h, F can claim the fund. * If F can reveal r such that y = h(r) for a known y, S and F can recover their original contributions to the fund. * After 2 days, S can claim the fund. * F->R has the contract, funded by F and R: * If R can reveal x such that h = h(x) for a known h, R can claim the fund. * If R can reveal r such that y = h(r) for a known y, F and R can recover their original contributions to the fund. * After 1 day, F can claim the fund. Then, 1 Planck interval before the 1-day limit, R uses the second clause to cancel the entire payment. This is exactly the same result as with the current griefing attack: F is induced to lock its funds for 1 day minus 1 Planck interval, but is never compensated for it. It is immaterial whether the mechanism used is `update_fail_htlc` or some other mechanism. So not only does Mitigating Reverse-Griefing just replace reverse-griefing with the attack described in my previous post, which I am now calling backflip-reverse-griefing (because calling it "reverse-reverse-griefing" would be ***SO BORING AND OBVIOUS***), it also returns the original griefing attack. I think it is a principle of protocol design that, in general, protecting against one attack could open you up to the opposite of that attack. It is helpful to remember that the original griefing attack is basically a withholding attack, wherein a participant does not respond after a particular step in the protocol. By adding more steps, you simply add more places where a participant can stop responding after some step in the protocol, and thus add even more attack surface. Regards, ZmnSCPxj _______________________________________________ Lightning-dev mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
