[Lightning-dev] Recovering protocol with watchtowers

ZmnSCPxj ZmnSCPxj at protonmail.com
Tue Nov 13 23:08:40 UTC 2018


Good morning Margherita,

> In case of a breach while node A is offline, can the Watchtowers do anything?
> In my solution, the function of backup is not destinated to substitute the first function of the watchtower, that is monitoring the status channel, but instead, the backup option can be considered as a sort of additional feature.

Watchtowers being designed currently are keyed to a txid, whose appearance onchain triggers the watchtower behavior.
Your scheme is keyed on a node public key.
There is an immediate incompatibility here.

The reason why txid is used, is to protect privacy of the node.
The watchtower has no identifying information, and cannot have identifying information.
The txid is for a transaction that is not broadcast (except in a breach attempt), so the watchtower cannot identify the node using it at all.
This can be important, since a hack of the watchtower might give the hackers the ability to find nodes that could be vulnerable and possibly targetable for attack.

Distributed backup may be better implemented using standard techniques such as DHT.

> How does this scheme protect the privacy of a node?
> This scheme protects the privacy of the node because the payload contained the information of status channel and nonce-time are encrypted on the public key of A. So the watchtowers cannot decrypt the payload and modify it (e.g. with a higher nonce value as you wrote) since just A has the own private key.
>
> If you refer that another node can personify A and send the payload to a watchtower, this is not possible since the payload has to contain the channel_id between A and the specific watchtower, and this information is not known by the other node of the network. So, A can discover a malicious activity because that channel_id is not correct.

It is indeed possible, and the `channel_id` is immaterial.
All an attacker has to do is corrupt the backup data, not replace it with data that is favorable to it.
With corrupted backup data, the operation of A is doomed and irrecoverable, especially if private keys or even just derivation paths are part of the backed-up data.

> Please note also, that you cannot make a single channel with multiple peers; [...]
> As regarding the channel, If A has three watchtowers, it has to have three distinct payment channels. Every watchtower is independence from the others.

Then why is the watchtower keyed to the node?  Should it not be keyed to something that is distinct for each payment channel?

Regards,
ZmnSCPxj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20181113/ba45ff55/attachment-0001.html>


More information about the Lightning-dev mailing list