[Lightning-dev] Trustless Watchtowers

Conner Fromknecht conner at lightning.engineering
Wed Nov 14 00:12:05 UTC 2018 

Hi ZmnSCPxj,

I haven't yet gotten around to writing up everything documenting in the working
watchtower design. However, I think we are nearing that phase where things seem
mostly solidified and would welcome feedback before attempting to formalize it.
Expect some follow up posts on the ML :)

> From my bare knowledge of go, it seems data structures and messages so far,
> without actual logic, but please inform me if I am incorrect.

Much of the server side has been implemented, which accepts encrypted blobs from
watchtower clients and stores them. The functionality related to scanning blocks
and publishing justice txns has also been implemented, but has not been merged
yet. The big remaining task is to integrate the client such that it properly
backs up states after receiving revocations from the remote peer.

> Note however that watchtowers would require to keep all encrypted blobs that
> are keyed to the same partial txid.  I.e. watchtowers need to store the pair
> in a set with the set looking at the entire txid+blob as the identity of the
> object.  Otherwise it would be possible, if your watchtower is identified by
> your counterparty, for the counterparty to give the commitment transaction's
> txid with a randomly-generated blob to your watchtower before it gives the
> revocation key to you.
>
> I have described the above problem before here:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html
> with an unsatisfactory solution.

Indeed, this was great observation! The tower can't be sure which client is
uploading the "real" blob either. In light of that, the chosen design uses a
two level bucketing structure that maps:

  <txid[:16]> -> client_pubkey1 : encrypted_blob1
                    -> client_pubkey2 : encrypted_blob2

ensuring that different client's can't overwrite each other. Further, the tower
will only store one blob for a given txid per client. Upon decryption, the tower
would learn that only one of this a valid update (and possibly delete state for
the offender).

> However, this remains your counterparty best avenue of attack, is to simply
> spam your watchtower until it runs out of resources and crashes.

The client pubkeys described above are tied to what we've been referring to as a
session. In order for a client to facilitate the attack described above, they
would have to pay the tower for multiple sessions tied to different ephemeral
session keys.

A session grants the client the ability to store up to N blobs, where N would be
several thousand. Thus, the cost to perform the attack would be many orders of
magnitude greater than the cost to back up one channel. In the private tower
case, there isn't necessarily payment, though it's more or less assumed that one
wouldn't DOS their own tower.

In practice, the tower should only ever accept sessions if it can be certain it
has the appropriate disk-space to facilitate them, so I don't think
there is much
risk in the node crashing due to this. Someone could still pay to fill
up my tower,
but the tower would be compensated appropriately. The tower could also raise
it's price point if it detects such behavior.

> And if the watchtower identifies the user, then this leaks the privacy of the
> user to the watchtower, and what would then be the point of encrypted blob?

I believe the same session-based, encrypted-blob approach would work eltoo
towers as well, if the concern is primarily about the channel partner presuming
the valid blob. The general design should be readily able to serve
eltoo clients,
with some slight modifications to breach detection and justice txn construction.

My greater concern with the update-and-replace model is that it leaks timing
information about a particular channel to the tower, since the tower must know
which prior state needs replacing. So even though it is possible to make eltoo
towers constant-space per channel, IMO we're better off storing all prior
encrypted blobs to maintain adequate privacy. On private towers, perhaps this
privacy/space tradeoff may acceptable, but not sure if the tradeoff makes sense
on public towers.

Cheers,
Conner

On Mon, Nov 12, 2018 at 1:18 AM ZmnSCPxj via Lightning-dev
<lightning-dev at lists.linuxfoundation.org> wrote:
>
> Good morning list,
>
> We were not able to discuss this topic much at recent summit, but I noticed that lnd has some code related to watchtowers already.  From my bare knowledge of go, it seems data structures and messages so far, without actual logic, but please inform me if I am incorrect.
>
> I assume much of the watchtowers code and design in lnd is by Conner, simply because, he discussed this on this list earlier this year.
>
> I have seen recently, some paper about paying watchtowers by actually simulating breaches.  You would give a watchtower some txid+blob pair, then send that txid and see if the watchtower claims it.  If it does, then you have evidence of liveness and correct behavior, and have also paid for and incentivized the watchtower to operate correctly.
>
> Note however that watchtowers would require to keep all encrypted blobs that are keyed to the same partial txid.  I.e. watchtowers need to store the pair in a set with the set looking at the entire txid+blob as the identity of the object.  Otherwise it would be possible, if your watchtower is identified by your counterparty, for the counterparty to give the commitment transaction's txid with a randomly-generated blob to your watchtower before it gives the revocation key to you.  However, this remains your counterparty best avenue of attack, is to simply spam your watchtower until it runs out of resources and crashes.
>
> I have described the above problem before here: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html with an unsatisfactory solution.
>
> --
>
> I have also been thinking about watchtowers compatible with Decker-Russell-Osuntokun channels.
>
> As I understand, in a separate thread, laolu is promoting that Decker-Russell-Osuntokun channels can simply "update" the blob side of a txid-blob entry, with the txid being the kickoff/trigger transaction.  As I point out, unless the watchtower identifies the user somehow, this is unsafe; if I can identify your watchtower, then after you update it but before I attack, I can "update" the blob side with a randomly-generated, invalid blob.  And if the watchtower identifies the user, then this leaks the privacy of the user to the watchtower, and what would then be the point of encrypted blob? https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001264.html
>
> I am curious what Conner and the other lnd developers are planning for these issues?  You seem to be the first movers into this, and I cannot read go well enough to decipher what plans you have.
>
> Regards,
> ZmnSCPxj
>
>
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

More information about the Lightning-dev mailing list