[Lightning-dev] Trustless Watchtowers

Conner Fromknecht conner at lightning.engineering
Wed Nov 14 00:28:38 UTC 2018


Quick correction:

> Thus, the cost to perform the attack would be many orders of
> magnitude greater than the cost to back up one channel.

This was written assuming the attacker was trying to upload multiple encrypted
blobs for the same txid, which seems like an unlikely attack vector if the tower
inherently defends against it. If instead they are just trying to fill
up the tower, the cost
is linear in the amount of blobs they send.

--Conner
On Tue, Nov 13, 2018 at 4:12 PM Conner Fromknecht
<conner at lightning.engineering> wrote:
>
> Hi ZmnSCPxj,
>
> I haven't yet gotten around to writing up everything documenting in the working
> watchtower design. However, I think we are nearing that phase where things seem
> mostly solidified and would welcome feedback before attempting to formalize it.
> Expect some follow up posts on the ML :)
>
> > From my bare knowledge of go, it seems data structures and messages so far,
> > without actual logic, but please inform me if I am incorrect.
>
> Much of the server side has been implemented, which accepts encrypted blobs from
> watchtower clients and stores them. The functionality related to scanning blocks
> and publishing justice txns has also been implemented, but has not been merged
> yet. The big remaining task is to integrate the client such that it properly
> backs up states after receiving revocations from the remote peer.
>
> > Note however that watchtowers would require to keep all encrypted blobs that
> > are keyed to the same partial txid.  I.e. watchtowers need to store the pair
> > in a set with the set looking at the entire txid+blob as the identity of the
> > object.  Otherwise it would be possible, if your watchtower is identified by
> > your counterparty, for the counterparty to give the commitment transaction's
> > txid with a randomly-generated blob to your watchtower before it gives the
> > revocation key to you.
> >
> > I have described the above problem before here:
> > https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html
> > with an unsatisfactory solution.
>
> Indeed, this was great observation! The tower can't be sure which client is
> uploading the "real" blob either. In light of that, the chosen design uses a
> two level bucketing structure that maps:
>
>   <txid[:16]> -> client_pubkey1 : encrypted_blob1
>                     -> client_pubkey2 : encrypted_blob2
>
> ensuring that different client's can't overwrite each other. Further, the tower
> will only store one blob for a given txid per client. Upon decryption, the tower
> would learn that only one of this a valid update (and possibly delete state for
> the offender).
>
> > However, this remains your counterparty best avenue of attack, is to simply
> > spam your watchtower until it runs out of resources and crashes.
>
> The client pubkeys described above are tied to what we've been referring to as a
> session. In order for a client to facilitate the attack described above, they
> would have to pay the tower for multiple sessions tied to different ephemeral
> session keys.
>
> A session grants the client the ability to store up to N blobs, where N would be
> several thousand. Thus, the cost to perform the attack would be many orders of
> magnitude greater than the cost to back up one channel. In the private tower
> case, there isn't necessarily payment, though it's more or less assumed that one
> wouldn't DOS their own tower.
>
> In practice, the tower should only ever accept sessions if it can be certain it
> has the appropriate disk-space to facilitate them, so I don't think
> there is much
> risk in the node crashing due to this. Someone could still pay to fill
> up my tower,
> but the tower would be compensated appropriately. The tower could also raise
> it's price point if it detects such behavior.
>
> > And if the watchtower identifies the user, then this leaks the privacy of the
> > user to the watchtower, and what would then be the point of encrypted blob?
>
> I believe the same session-based, encrypted-blob approach would work eltoo
> towers as well, if the concern is primarily about the channel partner presuming
> the valid blob. The general design should be readily able to serve
> eltoo clients,
> with some slight modifications to breach detection and justice txn construction.
>
> My greater concern with the update-and-replace model is that it leaks timing
> information about a particular channel to the tower, since the tower must know
> which prior state needs replacing. So even though it is possible to make eltoo
> towers constant-space per channel, IMO we're better off storing all prior
> encrypted blobs to maintain adequate privacy. On private towers, perhaps this
> privacy/space tradeoff may acceptable, but not sure if the tradeoff makes sense
> on public towers.
>
> Cheers,
> Conner
>
> On Mon, Nov 12, 2018 at 1:18 AM ZmnSCPxj via Lightning-dev
> <lightning-dev at lists.linuxfoundation.org> wrote:
> >
> > Good morning list,
> >
> > We were not able to discuss this topic much at recent summit, but I noticed that lnd has some code related to watchtowers already.  From my bare knowledge of go, it seems data structures and messages so far, without actual logic, but please inform me if I am incorrect.
> >
> > I assume much of the watchtowers code and design in lnd is by Conner, simply because, he discussed this on this list earlier this year.
> >
> > I have seen recently, some paper about paying watchtowers by actually simulating breaches.  You would give a watchtower some txid+blob pair, then send that txid and see if the watchtower claims it.  If it does, then you have evidence of liveness and correct behavior, and have also paid for and incentivized the watchtower to operate correctly.
> >
> > Note however that watchtowers would require to keep all encrypted blobs that are keyed to the same partial txid.  I.e. watchtowers need to store the pair in a set with the set looking at the entire txid+blob as the identity of the object.  Otherwise it would be possible, if your watchtower is identified by your counterparty, for the counterparty to give the commitment transaction's txid with a randomly-generated blob to your watchtower before it gives the revocation key to you.  However, this remains your counterparty best avenue of attack, is to simply spam your watchtower until it runs out of resources and crashes.
> >
> > I have described the above problem before here: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001203.html with an unsatisfactory solution.
> >
> > --
> >
> > I have also been thinking about watchtowers compatible with Decker-Russell-Osuntokun channels.
> >
> > As I understand, in a separate thread, laolu is promoting that Decker-Russell-Osuntokun channels can simply "update" the blob side of a txid-blob entry, with the txid being the kickoff/trigger transaction.  As I point out, unless the watchtower identifies the user somehow, this is unsafe; if I can identify your watchtower, then after you update it but before I attack, I can "update" the blob side with a randomly-generated, invalid blob.  And if the watchtower identifies the user, then this leaks the privacy of the user to the watchtower, and what would then be the point of encrypted blob? https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-May/001264.html
> >
> > I am curious what Conner and the other lnd developers are planning for these issues?  You seem to be the first movers into this, and I cannot read go well enough to decipher what plans you have.
> >
> > Regards,
> > ZmnSCPxj
> >
> >
> >
> > _______________________________________________
> > Lightning-dev mailing list
> > Lightning-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


More information about the Lightning-dev mailing list