Re: [Lightning-dev] A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight.
Good morning Bastien, > * it's impossible for a node to prove that it did *not* receive a message: > you can prove knowledge, > but proving lack of knowledge is much harder (impossible?) Yes, it is impossible. If there could exist a proof-of-lack-of-knowledge, then even if I personally knew some fact, I could simply run a virtual machine that knows everything I know *except* for that piece of knowledge, and generate the proof-of-lack-of-knowledge there. This leads to a contradiction, as I myself *actually* know the fact, but I can present the proof-of-lack-of-knowledge by pretending to be somebody ignorant. Regards, ZmnSCPxj (I definitely do not know that I am an AI) ___ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
Re: [Lightning-dev] A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight.
Good morning, I agree, this onion message trick could let us work around this kind of cheating attempt. However, it becomes quite a complex protocol, and it's likely that the more we progress towards specifying it, the more subtle issues we will find that will require making it even more complex. I'm more hopeful that we'll find channel jamming mitigations that work for both fast spam and slow spam, and will remove the need for this protocol (which doesn't protect against fast spam, only against slow spam). `D` can present to `B` its own `revoke_and_ack` in the above mentioned > onion message reply. > A few high-level notes on why I think this is still harder than it looks: * even if `D` shows B its `revoke_and_ack`, it doesn't prove that D sent it to C * it's impossible for a node to prove that it did *not* receive a message: you can prove knowledge, but proving lack of knowledge is much harder (impossible?) Cheers, Bastien Le jeu. 16 déc. 2021 à 01:50, lightning developer < lightning-develo...@protonmail.com> a écrit : > Good Morning Bastien, > > I believe there is another limitation that you're not mentioning: it's > easy for a malicious node to blame an honest node. I'm afraid this is a > serious limitation of the proposal. > > > Thank you very much for your review and comments. I have just updated the > proposal on github with a section "Security Considerations" that is > equivalent to what I will send in this mail as I believe that the "serious > limitation" that you pointed out can be resolved with the help of onion > messages similar to what I tried to communicate in the already existing > "Extensions" section. BTW before I sent my initial mail I was thinking > exactly about the example that you mentioned! I elected to not include it > to keep the text concise and short. Of course I might have back then and > still a mistake in my thinking and in that case I apologize for asking you > to review the proposal and my rebuttal. > > If we have a payment: A -> B -> C -> D and C is malicious. > C can forward the payment to D, and even wait for D to correctly settle it > (with `update_fulfill_htlc` or `update_fail_htlc`), but then withhold that > message instead of forwarding it to B. Then C blames D, everyone agrees > that > D is bad node that must be avoided. Later, C unblocks the `update_*_htlc` > and everyone thinks that D hodled the HTLC for a long time, which is bad. > > > The above issue can be addressed by `B` verifying the proof it received > from `C`. This can be done by presenting the proof to `D` via an onion > message along a different node than `C`. If `D` cannot refute the proof by > presenting a newer state to `B` then `B` knows that `D` was indeed > dishonest. Otherwise `D` and `B` have discovered that `C` was misbehaving > and tried to frame `D`. > > `B` indicates to `D` that it is allowed to ask such verification question > by include the received proof from `C`. Note that `B` could never own such > proof if `C` has not communicated with `B`. Of course if `C` has never > talked to `B` in the first place `B` would have send a > `TEMPORARY_CHANNEL_FAILURE` and if `C` stopped during the update of the > statemachine to communicate to `B` then `B` can blame `C` via the above > mechanism and `A` can verify the claim it received from `B`. > > Also `B` cannot just send garbage to `D` and try to frame `C` because as > soon as `B` would frame `C` the upstream node `A` would talk to `C` and > recognize that it was `B` who was dishonest. > > Going back to the situation assuming that `C` and `D` have indeed already > successfully resolved the HTLC then the node `D` could in the reply to `B` > even securely include the preimage allowing `B` to reclaim the funds from > `A` and settle the HTLC in the A->B channel. Only the HTLC in the B->C > channel would be locked which doesn't have to bother `B` as `B` expects > that `C` is pulling / settling the HTLC anyway. Only `C` would have the > disadvantage as it is not pulling its liquidity as soon as it can. > > So far - besides a rather complicated flow of information - I do not see > why the principles of my suggestion would not be possible to work at any > other point of the channel state machine. So when queried by `B` the node > `D` could always replay with the latest state it has in the C->D channel > indicating to `B` that `C` was dishonest. > > Of course we could ask now what is if `B` is also malicious? In this case > `B` could propagate the `blame_channel` back but `A` could again use the > onion trick to verify and discover that `B` and `C` are not following the > protocol. > > > Apart from this, I think the blame proof isn't that easy to build. > It cannot simply use `commitment_signed`, because HTLCs are relayed only > once the previous commitment has been revoked (through `revoke_and_ack`). > So the proof should contain data from `commitment_signed` and a proof that > the previous commitment was revoked (and that it was indeed the
Re: [Lightning-dev] A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight.
Good Morning Bastien, > I believe there is another limitation that you're not mentioning: it's > easy for a malicious node to blame an honest node. I'm afraid this is a > serious limitation of the proposal. Thank you very much for your review and comments. I have just updated the proposal on github with a section "Security Considerations" that is equivalent to what I will send in this mail as I believe that the "serious limitation" that you pointed out can be resolved with the help of onion messages similar to what I tried to communicate in the already existing "Extensions" section. BTW before I sent my initial mail I was thinking exactly about the example that you mentioned! I elected to not include it to keep the text concise and short. Of course I might have back then and still a mistake in my thinking and in that case I apologize for asking you to review the proposal and my rebuttal. > If we have a payment: A -> B -> C -> D and C is malicious. > C can forward the payment to D, and even wait for D to correctly settle it > (with `update_fulfill_htlc` or `update_fail_htlc`), but then withhold that > message instead of forwarding it to B. Then C blames D, everyone agrees that > D is bad node that must be avoided. Later, C unblocks the `update_*_htlc` > and everyone thinks that D hodled the HTLC for a long time, which is bad. The above issue can be addressed by `B` verifying the proof it received from `C`. This can be done by presenting the proof to `D` via an onion message along a different node than `C`. If `D` cannot refute the proof by presenting a newer state to `B` then `B` knows that `D` was indeed dishonest. Otherwise `D` and `B` have discovered that `C` was misbehaving and tried to frame `D`. `B` indicates to `D` that it is allowed to ask such verification question by include the received proof from `C`. Note that `B` could never own such proof if `C` has not communicated with `B`. Of course if `C` has never talked to `B` in the first place `B` would have send a `TEMPORARY_CHANNEL_FAILURE` and if `C` stopped during the update of the statemachine to communicate to `B` then `B` can blame `C` via the above mechanism and `A` can verify the claim it received from `B`. Also `B` cannot just send garbage to `D` and try to frame `C` because as soon as `B` would frame `C` the upstream node `A` would talk to `C` and recognize that it was `B` who was dishonest. Going back to the situation assuming that `C` and `D` have indeed already successfully resolved the HTLC then the node `D` could in the reply to `B` even securely include the preimage allowing `B` to reclaim the funds from `A` and settle the HTLC in the A->B channel. Only the HTLC in the B->C channel would be locked which doesn't have to bother `B` as `B` expects that `C` is pulling / settling the HTLC anyway. Only `C` would have the disadvantage as it is not pulling its liquidity as soon as it can. So far - besides a rather complicated flow of information - I do not see why the principles of my suggestion would not be possible to work at any other point of the channel state machine. So when queried by `B` the node `D` could always replay with the latest state it has in the C->D channel indicating to `B` that `C` was dishonest. Of course we could ask now what is if `B` is also malicious? In this case `B` could propagate the `blame_channel` back but `A` could again use the onion trick to verify and discover that `B` and `C` are not following the protocol. > Apart from this, I think the blame proof isn't that easy to build. > It cannot simply use `commitment_signed`, because HTLCs are relayed only > once the previous commitment has been revoked (through `revoke_and_ack`). > So the proof should contain data from `commitment_signed` and a proof that > the previous commitment was revoked (and that it was indeed the previous > commitment) which is likely very hard to do securely without disclosing > too much about your channel. I agree the details for the construction of the blame proofs might be more tricky than in my naive and high level description. Never the less I think they should be possible to construct. I didn't work them out on purpose yet given the current state of the proposal to make it easy to understand and discuss the concept without getting distracted by details at this stage. I think the details of the blame proofs and the communication flow can be worked out if we believe that such a mechanism is an overall improvement for the protocol. Also on a side note: I chose `commitment_signed `as the example as this would be sufficient to see that the `HTLC` was being processed. If `D` does not send `revoke_and_ack` D cannot forward / settle the HTLC and will be the malicious node and it is fair for `C` to blame `D`. If on the other hand `C` does not move the state forward by not sending `revoke_and_ack` and preventing `D` from relaying the HTLC the node `D` can present to `B` its own
Re: [Lightning-dev] A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight.
Good morning, Thanks for looking into this! I believe there is another limitation that you're not mentioning: it's easy for a malicious node to blame an honest node. I'm afraid this is a serious limitation of the proposal. If we have a payment: A -> B -> C -> D and C is malicious. C can forward the payment to D, and even wait for D to correctly settle it (with `update_fulfill_htlc` or `update_fail_htlc`), but then withhold that message instead of forwarding it to B. Then C blames D, everyone agrees that D is bad node that must be avoided. Later, C unblocks the `update_*_htlc` and everyone thinks that D hodled the HTLC for a long time, which is bad. Apart from this, I think the blame proof isn't that easy to build. It cannot simply use `commitment_signed`, because HTLCs are relayed only once the previous commitment has been revoked (through `revoke_and_ack`). So the proof should contain data from `commitment_signed` and a proof that the previous commitment was revoked (and that it was indeed the previous commitment) which is likely very hard to do securely without disclosing too much about your channel. Cheers, Bastien Le mer. 15 déc. 2021 à 02:08, lightning developer via Lightning-dev < lightning-dev@lists.linuxfoundation.org> a écrit : > Good morning list, > > I have just published a proposal to address (but unfortunately not solve) > the old issue of HTLC spam via onions: > https://github.com/lightning-developer/lightning-network-documents/blob/main/A%20blame%20ascribing%20protocol%20to%20mitigate%20HTLC%20spam.md > > The proposal picks up the early idea by Rusty, AJ and others to ascribe > blame to a malicious actor but hopefully in a cheaper way than providing > proof of a channel close by making use of a new lightning message > `blame_channel` in combination with the proposed onion messages. I guess > similar ideas and follow ups are already community knowledge (for example > the local reputation tracking by Jim Posen at: > https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001232.html) > However I had the feeling that the current write up might provide some > additional value to the community. > > The proposal also ensures that blame can be ascribed quickly by requiring > a reply from the downstream onion that is proportional to the `cltv delta` > at the hop. In this way a sending node will quickly know that a (and more > importantly which) downstream channel is not working properly. > > I will be delighted to read your feedback, thoughts and criticism. For > your convenience and archiving I also copied the raw markdown file of the > proposal to the end of this Mail. > > Sincerely Lighting Developer > > > - Begin Proposal -- > > # A blame ascribing protocol towards ensuring time limitation of stuck > HTLCs in flight. > > I was reviewing the [HOLD fee proposal by Joost]( > https://github.com/lightning/bolts/pull/843) and the [excellent summary > of known mitigation techniques by t-bast]( > https://github.com/t-bast/lightning-docs/blob/master/spam-prevention.md) > when I revisited the very [first idea to mitigate HTLC spam via onions]( > https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-August/000135.html) > that was discussed back in 2015 by Rusty, AJ and a few others. At that time > the idea was to ascribe blame to a malicious actor by triggering a force > close and proofing ones own honesty by providing the force close > transaction. I think there is a lot of merit to the idea of ascribing blame > and I think it might be possible with the help of [onion messages]( > https://github.com/lightning/bolts/pull/759) without the necessity to > trigger full force closes. > > As I am not entirely sure if this suggestion is a reasonable improvement > (it certainly does not resolve all the issues we have) I did not spec out > the details and message formats and fields but only described the high > level idea. I hope this is sufficient to discuss the principles and get the > feedback from you if you consider this to be of use and if you think we > should work on the details. > > Idea / Obervation: > = > The key idea is to set a fixed time in seconds (the `reply_interval`) > after successfully negotiating an HTLC until when a node requires a > resultion or reply from its peer to which it previously has forwarded a > downstream onion. If the HTLC is not resolved and no reply was sent the > downstream peer is considered to be acting maliciously. > > The amount in seconds can be proportional to the `cltv_delta` of that hop. > To me the arbitrary choice of translating 10 blocks of `cltv_delta` to `1` > second of expected reply time seems reasonable for now but could be chosen > differently as long as the entire network (or at least every node included > to the payment attempt) agrees upon the same conversion rate from > `cltv_delta` to expected response time from downstream nodes. > > There are three cases for the reply: > > The Good reply case (HTLC
[Lightning-dev] A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight.
Good morning list, I have just published a proposal to address (but unfortunately not solve) the old issue of HTLC spam via onions: https://github.com/lightning-developer/lightning-network-documents/blob/main/A%20blame%20ascribing%20protocol%20to%20mitigate%20HTLC%20spam.md The proposal picks up the early idea by Rusty, AJ and others to ascribe blame to a malicious actor but hopefully in a cheaper way than providing proof of a channel close by making use of a new lightning message `blame_channel` in combination with the proposed onion messages. I guess similar ideas and follow ups are already community knowledge (for example the local reputation tracking by Jim Posen at: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001232.html) However I had the feeling that the current write up might provide some additional value to the community. The proposal also ensures that blame can be ascribed quickly by requiring a reply from the downstream onion that is proportional to the `cltv delta` at the hop. In this way a sending node will quickly know that a (and more importantly which) downstream channel is not working properly. I will be delighted to read your feedback, thoughts and criticism. For your convenience and archiving I also copied the raw markdown file of the proposal to the end of this Mail. Sincerely Lighting Developer - Begin Proposal -- # A blame ascribing protocol towards ensuring time limitation of stuck HTLCs in flight. I was reviewing the [HOLD fee proposal by Joost](https://github.com/lightning/bolts/pull/843) and the [excellent summary of known mitigation techniques by t-bast](https://github.com/t-bast/lightning-docs/blob/master/spam-prevention.md) when I revisited the very [first idea to mitigate HTLC spam via onions](https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-August/000135.html) that was discussed back in 2015 by Rusty, AJ and a few others. At that time the idea was to ascribe blame to a malicious actor by triggering a force close and proofing ones own honesty by providing the force close transaction. I think there is a lot of merit to the idea of ascribing blame and I think it might be possible with the help of [onion messages](https://github.com/lightning/bolts/pull/759) without the necessity to trigger full force closes. As I am not entirely sure if this suggestion is a reasonable improvement (it certainly does not resolve all the issues we have) I did not spec out the details and message formats and fields but only described the high level idea. I hope this is sufficient to discuss the principles and get the feedback from you if you consider this to be of use and if you think we should work on the details. Idea / Obervation: = The key idea is to set a fixed time in seconds (the `reply_interval`) after successfully negotiating an HTLC until when a node requires a resultion or reply from its peer to which it previously has forwarded a downstream onion. If the HTLC is not resolved and no reply was sent the downstream peer is considered to be acting maliciously. The amount in seconds can be proportional to the `cltv_delta` of that hop. To me the arbitrary choice of translating 10 blocks of `cltv_delta` to `1` second of expected reply time seems reasonable for now but could be chosen differently as long as the entire network (or at least every node included to the payment attempt) agrees upon the same conversion rate from `cltv_delta` to expected response time from downstream nodes. There are three cases for the reply: The Good reply case (HTLC resolution): == The good case is if the payment will succesfully settle or fail within the `reply_interval`. Thus the reply comes in the form of either an `update_fulfill_htlc` or an `update_fail_htlc`. In any case the HTLC will be removed quickly and the reply can propagate back to the upstream peers. The bad reply case: === If a node `N` is not able to send one of those two `update_` messages because the HTLC was not resolved from the downstream channels it MUST send back a new message called `blame_channel`. The `blame_channel` includes a proof that `N` has previously successfully set up the HTLC with the next peer. This may for example be done by including the `commitment_signed` message that the node has received from the next peer as this commits to this (and potentially other) HTLCs. (Alternatively one could extract the relevant `htlc_signature` or adopt `commitment_signed` to include a signature to the `payment_hash` that can be verified with the node's pubkey) The propagated bad reply case: A node might have received an `blame_channel` message from a downstream channel and can propagate this back. To disallow spoofing, nodes might always have to extend the message with their own signature. (I have not thought about this extensively yet). This will
