[Lightning-dev] Griefing-Penalty: A proposal for mitigating Griefing Attack

Subhra Mazumdar subhra.mazumdar1993 at gmail.com
Wed May 20 04:12:52 UTC 2020


Hi,

     We went through the discussion of Griefing Attack
<https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/002608.html>
and after a thorough analysis, we realized that the attack cannot be
prevented as the adversary doesn’t suffer any loss of funds.

We propose an efficient countermeasure for the attack, known as
Griefing-Penalty. Our proposed strategy works for any timelock based
payment protocol. The penalty compensates for the loss incurred by the
intermediaries, affected by griefing attack. You will find the paper
Griefing-Penalty:
Countermeasure for Griefing Attack in Bitcoin-compatible PCNs
<https://arxiv.org/abs/2005.09327> on arXiv. We look forward to hearing
from the community on the feasibility of the approach and whether it can be
implemented or not.

Our Contribution to the paper:

• We propose a countermeasure for mitigating griefing attack in
Bitcoin-compatible PCNs, known as Griefing-Penalty. It punishes the griefer
by forcing it to pay compensation to all the parties whose funds got locked
for a certain time period as a result of the attack.

• The loss of funds incurred upon mounting griefing-attack is proportional
to the collateral cost of each channel involved in routing the payment.

• To illustrate the benefit of the proposed countermeasure, we propose a
new payment protocol, called as HTLC-GP or Hashed Timelock Contract with
Griefing-Penalty.

• We provide a security analysis which proves that our protocol is
privacy-preserving as well as mitigates loss due to griefing attack by
compensating the honest nodes

We will briefly summarize the problem and our contribution through an
example.

The problem of Griefing Attack explained briefly

Consider the situation where A wants to transfer 1 msat to C. It figures
out a path connecting it to C, in the form A->B->C. A establishes an HTLC
with B, locking 1 msat in the contract having expiration time of say 2
days. B after receiving the incoming contract, forms a contract with C,
locking 1 msat in the contract with locktime of 1 day.

A------------------------->B---------------------->C

HTLC(1msat, 2 day)     HTLC(1msat, 1 day)

Now if C griefs, funds of A and B remain locked as they cannot resolve
HTLC. After an elapsed time of 1 day, the fund gets unlocked and B gets
back 1 msat. Similarly, B cancels contract with A after 1 day, A unlocks 1
msat. The problem with this construction is that C doesn’t lose anything.

Griefing-Penalty: a strategy to penalize the adversary

Hence we have come up with the following idea:

1) An off-chain contract established between 2 parties requires both the
parties to lock funds – one party locking the amount that is to be
forwarded and the other party locking the fund which can be claimed as a
penalty, if this party griefs.

2) The penalty locked is proportional to the product of the amount being
forwarded and the expiration time of the contract. All the parties affected
by griefing must get compensation since their liquidity is tied up for a
certain period of time.

Considering the example used for demonstrating griefing attack. We modify
the contract and term it as HTLC-GP (Hashed Timelock Contract with Griefing
Penalty). We assume a rate of penalty, say 0.01 per hour, for calculating
the penalty the party has to lock in order to accept an off-chain contract
request.

A forwards the term of the contract to B, requesting B to lock
0.01*1*48=0.48 msat as a penalty. A locks 1 msat in the contract, so the
total amount locked in the contract is 1.48 msat. In the same way, B
forwards the term of the contract to C, requesting C to lock 0.01*1*24=0.24
msat as a penalty. B locks 1 msat in the contract, so the total amount
locked in the contract is 1.24 msat. If the payment is not resolved within
1 day, all the parties who have forwarded the contract will claim the
penalty locked in the contract.

A-------------------------------------->B-------------------------------->C

HTLC-GP(1.48 msat, 2 days)       HTLC-GP(1.24 msat,1 day)

If C releases the preimage before the expiration of locktime, it will claim
the full amount locked in the contract, i.e. 1.24 msat. Similarly, B claims
1.48 msat from the contract established with A.

Suppose C griefs. After an elapse of 1 day, B claims 1.24 msat from the
contract. C loses 0.24 msat. When B cancels contract with A, it will settle
by paying 1.48 msat to A. But then B loses an additional 0.24 msat. This is
not desired as B was not involved in mounting the attack. As per the
objective, even B should earn a remuneration as it got affected by griefing.

Hence, B should have asked C to lock funds in the contract which can be
used for compensating both B and A. So C must lock 0.48 msat + 0.24 msat =
0.72 msat. So if C griefs, now it loses 0.72 msat (proportional to the
collateral cost of the path). B pays 0.48 msat to A, keeping 0.24 msat with
itself as compensation.

A-------------------------------------->B-------------------------------->C

HTLC-GP(1.48 msat, 2 days)       HTLC-GP(1.72 msat,1 day)



A------------------------------------->B-------------------------------->C
(griefs)

(A gain 0.48 msat)      (B gain 0.24 msat)              (C loses 0.72 msat)


-- 
Yours sincerely,
Subhra Mazumdar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20200520/c67d82af/attachment-0001.html>


More information about the Lightning-dev mailing list