[Lightning-dev] Recovering protocol with watchtowers

Margherita Favaretto s170065 at student.dtu.dk
Tue Nov 13 20:30:20 UTC 2018

Hello ZmnSCPxj,
thanks for your e-mail and your feedback, I'll answer your questions in the following points.

In case of a breach while node A is offline, can the Watchtowers do anything?
In my solution, the function of backup is not destinated to substitute the first function of the watchtower, that is monitoring the status channel, but instead, the backup option can be considered as a sort of additional feature.
I haven't merged the two functions yet, but the idea is to collaborate to have watchtowers which can have the function of monitor the channel, so defend A when it is offline, but also the function of backup when A loses the data of past commitments (e.g. software doesn't work properly). So, I'd like to highlight that the two functions are independent.
The reason because I'm using a watchtower is just because I need a full node online 24h, that can guarantee the service.
In my solution, the payment channels are created ad-hoc for the backup mechanism, and in the commitment transaction between the node A and the Watchtower has to be added a new field that contains the current nonce-time and payload.

How does this scheme protect the privacy of a node?
This scheme protects the privacy of the node because the payload contained the information of status channel and nonce-time are encrypted on the public key of A. So the watchtowers cannot decrypt the payload and modify it (e.g. with a higher nonce value as you wrote) since just A has the own private key.

If you refer that another node can personify A and send the payload to a watchtower, this is not possible since the payload has to contain the channel_id between A and the specific watchtower, and this information is not known by the other node of the network. So, A can discover a malicious activity because that channel_id is not correct.

As I've written in the previous point, my work is independence from the function of monitoring the channel when node A is offline, so my project doesn't use the blob data.

I hope to get the question, otherwise, could you explain a little bit more the point, please?

Please note also, that you cannot make a single channel with multiple peers; [...]
As regarding the channel, If A has three watchtowers, it has to have three distinct payment channels. Every watchtower is independence from the others.

If you have any opinions/feedback/suggestions, please do not hesitate to write to me.  : -)

Kind regards,

Da: ZmnSCPxj <ZmnSCPxj at protonmail.com>
Inviato: marted¨¬ 13 novembre 2018 00:33:41
A: Margherita Favaretto
Cc: lightning-dev at lists.linuxfoundation.org
Oggetto: Re: [Lightning-dev] Recovering protocol with watchtowers

Good morning Margherita,

How does this scheme protect privacy of node?
I would at least suggest that the pubkey used be different from the node normal pubkey.

If I find out the pubkey of A, can I spoof A and give a higher nonce value with a blob containing random data (which is indistinguishable from a properly-implemented ciphertext) to the watchtowers of A?  Presumably part of the protocol will require that any updates be signed using the key of A, otherwise I can easily corrupt the data being backed up for A.

In case of a breach while node A is offline, can the Watchtowers do anything?
Please note, that main purpose of Watchtowers is to handle breaches while client is offline, not backup.
It would be pointless for Watchtower to exist if it can only provide data while A is online.
The best time to attack A is when A is unable to defend itself.
Please refer to https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001196.html for information on what we consider the best design for watchtowers so far.

Please note also, that you cannot make a single channel with multiple peers; you must make a channel for each peer.
(well it is theoretically possible, with eltoo, to make multi-party channel. but it requires all members to be online at every update, such that if a single party is offline, the channel is unuseable; having multiple 2-party channels with each peer is far better since if one of your peers drops, you can use the channels with other peers)


©\©\©\©\©\©\©\ Original Message ©\©\©\©\©\©\©\
On Tuesday, November 13, 2018 2:59 AM, Margherita Favaretto <s170065 at student.dtu.dk> wrote:

Hello, dev-lightning community,
I¡¯m writing to you to share an update of my Thesis project (previous object e-mail: Recovering protocol for Lightning network 11/01/2018).
I warn you that this message is quite long, but I hope that could be interesting for you, and then it would be great receiving your opinions. :-)

The problem that I'm focusing on is the recovering mechanism of false positive in the Lightning network, that it is possible to re-define as how it is possible to have a solution of backup in the network in case of false positive nodes, with a particular attention to privacy and security.
First of all, compared to the solution proposed in the previous e-mail, I've decided not to use the other connected nodes as the back-up of recent status, but using Watchtowers. In fact, the problem of using a normal node is that it might be offline, and so it could not guarantee the service of backup.
In my design, I consider a watchtower simply as a full node that is online 24h, but I have not considered the mechanism of monitoring status channel (maybe we can overlap the two functions later).

An example is that in the near future, the main e-commerce organizations may offer a new service of "Watchtower- Recovery", that the nodes can purchase to back up their commitments data. This means that the user can leverage a payment channel with the watchtower offering the service.

This feature strongly suggests using more than one watchtower, to mitigate the risk that a single watchtower is attacked and all data inside are deleted.

In my solution, I define two new concepts:
- nonce-time Tn, as the current value of nonce-time (sequential integer number that defines the order   of the backups)
- payload P, that consists of
  1.a zip of all status channels of a node A at a specific time T1
  2. the nonce time corresponds to the time T1 of the status contained in the zip
  3. channel_id of the channel with A
This payload is encrypted by the public key of the node A, so the watchtowers cannot know the status channel of A. -> {zip(T1), T1, channel_id} pk(A)

The idea is not sent all data to all watchtowers, but just send the actual nonce-time and the actual payload to one of the watchtower, and just send the new nonce-time to the others. Therefore, we can split the data into different watchtowers, without sending the payload after each transaction to all of them.

To explain the design, let's consider Alice, which has a channel (with Eltoo protocol) with Bob, Charlie, Diana, and three watchtowers W0, W1 and W2. Everytime that Alice is online, she is connected to the three watchtowers.

How to send data to the watchtowers

Alice and Bob change their status channel. So, Alice sends the new status to the watchtowers W0 and shares the current nonce-time with W1 and W2. When Alice sends her information to the three watchtowers, these memorize the node, current nonce-time, payload:

W0: A T0 P0
W1: A T0   -
W2: A T0   -

Alice and Charlie change the status of their channel. So, Alice sends the new status to W1 and sends the new nonce-time to the others, which substitute the previous current nonce-time in the information of A:

W0: A T1 P0
W1: A T1 P1
W2: A T1  -

Alice and Diana change the status of their channel. So, Alice sends the new status to W2 and sends the new nonce-time to the others:

W0: A T2 P0
W1: A T2 P1
W2: A T2 P2

Alice and Charlie change again the status of the channel. So, Alice sends the new status to W1 and upgrade the nonce in the others:
W0: A T3 P3
W1: A T3 P1
W2: A T3 P2

How to request back up to the watchtowers

When Alice needs to have the backup of all her data, she has to ask all her watchtowers the information connected to her node. For example, taking the last example above:

W0 sends {A, T3, P3} to A
W1 sends {A, T3, P1} to A
W2 sends {A, T3, P2} to A

Alice analyzes the information sent by W2, she notices that the payload contains the nonce T2, whereas the new nonce-time is T3. Then, she notices that the payload sent by W1 corresponds to T1, but the nonce is T3. When Alice analyzes the information sent by W0, she can analyze that the Payload corresponds to T3, that is also the last nonce-time. So Alice knows her last status.


Since all the watchtowers store the current time-nonce and the payload is encrypted with the public key of A, we can mitigate the following risks:
- a watchtower sends an older payload instead of the last one. The payload has to contain the current time-nonce to be considered the last one, each payload with a nonce time older are not considered.
- if the watchtower W0 with the last payload P3, sends P0 and you know that the current nonce time is T3, it is possible to discover the malicious activity. If W1 has the payload P1, the W2 has the payload P2 and the current nonce-time is T3, I could conclude that W0 contains P3 and is cheating.
-If one of the watchtowers, W3 decides to change the nonce-time, for example from T3 to T5 and send to A T5 with the payload. Alice can think that the actual time-nonce is T5, but no one of the watchtowers contains a payload corresponding to the state T5. This sort of misbehaviour is solved from the majority, e.g. if 2/3 nodes confirm that the actual nonce-time is T3, Alice considers this last nonce-time as the last one and not T5. The attack can happen just If the 51% of the watchtower agree to cheat and send to Alice another nonce-time.


Every time that the node A requests data to the watchtower for the backup, she sends it a small fee through the Lightning channel. This money encourages the watchtowers to guarantee the service every time.

This one is a simple draft of my design, If you have any feedback/suggestions, please do not hesitate to contact me, even a short feedback would be very helpful! :-)
In more details, I'd like to know does it make sense to overlap the concept of watchtower with the mechanism of backup?

Thank you very much in advance,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181113/6170eec2/attachment-0001.html>

More information about the Lightning-dev mailing list