From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id BB589C016E for ; Sat, 20 Jun 2020 08:54:18 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id B45DD203C3 for ; Sat, 20 Jun 2020 08:54:18 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjsVRQV5VWqf for ; Sat, 20 Jun 2020 08:54:15 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ot1-f43.google.com (mail-ot1-f43.google.com [209.85.210.43]) by silver.osuosl.org (Postfix) with ESMTPS id C6FD9207EF for ; Sat, 20 Jun 2020 08:54:15 +0000 (UTC) Received: by mail-ot1-f43.google.com with SMTP id n6so9199599otl.0 for ; Sat, 20 Jun 2020 01:54:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=acinq-fr.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6girSHmLja6xDNrUsnbs/3btlt85cEWk4uzv4074n6M=; b=qSa91oyupwa4UM5H23duumK8/UAlkEKXRH59KtK3gQPv0Ed55aiOb7c+JYlysVrMB/ labFKj1Ur2oT9n7ykkOF9ilj2NoYOch01KgUlyXyd4JmZmsYaFD88TdE3mTivu62jmLd Q7PJJirTuiuGGuPzz9Q8SBTJSdyzWXk3bhQ2K++k11U6cUq0f+u6LR7yj9Cdo/lM8g5n X7mQJd3GXqFt7nV8DLdyk9XnMRpgpF/DBFI5aL8C2hr8OwmZS1ajJttth4CMPOHdbvbk PP9vosDj5/xGL1o+s4LkgEoDs4vzQHch5yJ5QwjT1opZf1sKl8URtIlSbtKogf9aOU/s oSog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6girSHmLja6xDNrUsnbs/3btlt85cEWk4uzv4074n6M=; b=jF6oBb0KaEWaTkjI8EWj7UT7VBbgcVeomvew5Qs3II+4fxIQOXCDPmbrA4MqM4DAU1 YlrtG78oGOdvSyWBsQSedg3spskUr/f3+AvUw8x97A/rXahMIcwqu/MMnd3EfqKqeRxZ gRycPUkNReELQZwTVMJ+6/iDIKRZrTVY6Wb8uE7wfJI9qrSbUYu4tC2Pw2A9Dxza2uTV g1NrtkoJPv1c3n70cVqax3Lrg2ElDOMny/fbQARm2fQmZEibb1un9zEhmyK34l3VMoqU cou9I8RqMmLHMwoFhFsUdR0ZgXLLLURhtWqRmCBv4w2fJdWpLH4s6EXDRamMg8VodaPp YQSg== X-Gm-Message-State: AOAM531G5cCPwQ9ESuNNDxwaIzz/I2mYcFA9QLhMSsyp1fu4x29eOhYl /DAgTafcI5iHHTx4vLyapG5TCqCIPm9YgyczTKAgE5wmYeM= X-Google-Smtp-Source: ABdhPJwwoQQ1M6l64vqLeF1OECuJdzG8nF/MVbf96qqc4FntGk5mmmxEcWSHPhtKDyepOd3R6Ra4ZrXeyavpSJr54m8= X-Received: by 2002:a9d:2ae3:: with SMTP id e90mr6434324otb.261.1592643254841; Sat, 20 Jun 2020 01:54:14 -0700 (PDT) MIME-Version: 1.0 References: <67334082-5ABA-45C7-9C09-FF19B119C80D@mattcorallo.com> <62P_3wvv8z7AVCdKPfh-bs30-LliHkx9GI9Og3wqIK6hadIG0d6MJJm077zac1erpPUy31FqgZjkAjEl9AQtrOCg4XA5cxozBb7-OIbbgvE=@protonmail.com> <4c4f3a06-0078-ef6a-7b06-7484f0f9edf1@mattcorallo.com> <20200619195846.fclw4ilngvbbf2kk@ganymede> <20200619205220.fshbr7pbijaerbf2@ganymede> In-Reply-To: <20200619205220.fshbr7pbijaerbf2@ganymede> From: Bastien TEINTURIER Date: Sat, 20 Jun 2020 10:54:03 +0200 Message-ID: To: "David A. Harding" Content-Type: multipart/alternative; boundary="00000000000075847305a8802785" X-Mailman-Approved-At: Sat, 20 Jun 2020 09:11:19 +0000 Cc: Bitcoin Protocol Discussion , lightning-dev Subject: Re: [bitcoin-dev] [Lightning-dev] RBF Pinning with Counterparties and Competing Interest X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jun 2020 08:54:18 -0000 --00000000000075847305a8802785 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello Dave and list, Thanks for your quick answers! The attacker would be broadcasting the latest > state, so the honest counterparty would only need to send one blind > child. > Exactly, if the attacker submits an outdated transaction he would be shooting himself in the foot, as we could claim the revocation paths when seeing the transaction in a block and get all the channel funds (since the attacker's outputs will be CSV-locked). The only way your Bitcoin peer will relay your blind child > is if it already has the parent transaction. > That's an excellent point that I missed in the blind CPFP carve-out trick! I think this makes the blind CPFP carve-out quite hard in practice (even using getdata - thanks for detailing that option)... In the worst case scenario where most miners' mempools contain the attacker's tx and the rest of the network's mempools contains the honest participant's tx, I think there isn't much we can do. We're simply missing information, so it looks like the only good solution is to avoid being in that situation by having a foot in miners' mempools. Do you think it's unreasonable to expect at least some LN nodes to also invest in running nodes in mining pools, ensuring that they learn about attackers' txs and can potentially share discovered preimages with the network off-chain (by gossiping preimages found in the mempool over LN)? I think that these recent attacks show that we need (at least some) off-chain nodes to be somewhat heavily invested in on-chain operations (layers can't be fully decoupled with the current security assumptions - maybe Eltoo will help change that in the future?). Thank you for your time! Bastien Le ven. 19 juin 2020 =C3=A0 22:53, David A. Harding a =C3= =A9crit : > On Fri, Jun 19, 2020 at 03:58:46PM -0400, David A. Harding via bitcoin-de= v > wrote: > > I think you're assuming here that the attacker broadcast a particular > > state. > > Whoops, I managed to confuse myself despite looking at Bastien's > excellent explainer. The attacker would be broadcasting the latest > state, so the honest counterparty would only need to send one blind > child. However, the blind child will only be relayed by a Bitcoin peer > if the peer also has the parent transaction (the latest state) and, if > it has the parent transaction, you should be able to just getdata('tx', > $txid) that transaction from the peer without CPFPing anything. That > will give you the preimage and so you can immediately resolve the HTLC > with the upstream channel. > > Revising my conclusion from the previous post: > > I think the strongman argument for the attack would be that the attacker > will be able to perform a targeted relay of the low-feerate > preimage-containing transaction to just miners---everyone else on the > network will receive the honest user's higher-feerate expired-timelock > transaction. Unless the honest user happens to have a connection to a > miner's node, the user will neither be able to CPFP fee bump nor use > getdata to retrieve the preimage. > > Sorry for the confusion. > > -Dave > --00000000000075847305a8802785 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hello Dave and list,

Thanks for your qu= ick answers!

The attacker would be broadcasting the latest
state, so the hone= st counterparty would only need to send one blind
child.

Exactly, if the attacker submits an=C2=A0outdated tran= saction he would be shooting himself in the foot,
as we could cla= im the revocation paths when seeing the transaction in a block and get all = the
channel funds (since the attacker's outputs will be CSV-l= ocked).

The only way your Bitcoin peer will relay your blind child
is if it a= lready has the parent transaction.

That= 's an excellent point that I missed in the blind CPFP carve-out trick! = I think this makes the
blind CPFP carve-out quite hard in practic= e (even using getdata - thanks for detailing that option)...

=
In the worst case scenario where most miners' mempools conta= in the attacker's tx and the rest of
the network's mempoo= ls contains the honest participant's tx, I think there isn't much w= e can do.
We're simply missing information, so it looks like = the only good solution is to avoid being in that
situation by hav= ing a foot in miners' mempools. Do you think it's unreasonable to e= xpect at least
some LN nodes to also invest in running nodes in m= ining pools, ensuring that they learn about
attackers' txs an= d can potentially share discovered preimages with the network off-chain (by=
gossiping preimages found in the mempool over LN)? I think that = these recent attacks show that
we need (at least some) off-chain = nodes to be somewhat heavily invested in on-chain operations
(lay= ers can't be fully decoupled with the current security assumptions - ma= ybe Eltoo will help
change that in the future?).

Thank you for your time!
Bastien



Le=C2=A0ven. 19 juin 2020 =C3=A0=C2=A022:53, David A. Harding &= lt;dave@dtrt.org> a =C3=A9crit=C2= =A0:
On Fri, Jun= 19, 2020 at 03:58:46PM -0400, David A. Harding via bitcoin-dev wrote:
> I think you're assuming here that the attacker broadcast a particu= lar
> state.=C2=A0

Whoops, I managed to confuse myself despite looking at Bastien's
excellent explainer.=C2=A0 The attacker would be broadcasting the latest state, so the honest counterparty would only need to send one blind
child.=C2=A0 However, the blind child will only be relayed by a Bitcoin pee= r
if the peer also has the parent transaction (the latest state) and, if
it has the parent transaction, you should be able to just getdata('tx&#= 39;,
$txid) that transaction from the peer without CPFPing anything.=C2=A0 That<= br> will give you the preimage and so you can immediately resolve the HTLC
with the upstream channel.

Revising my conclusion from the previous post:

I think the strongman argument for the attack would be that the attacker will be able to perform a targeted relay of the low-feerate
preimage-containing transaction to just miners---everyone else on the
network will receive the honest user's higher-feerate expired-timelock<= br> transaction.=C2=A0 Unless the honest user happens to have a connection to a=
miner's node, the user will neither be able to CPFP fee bump nor use getdata to retrieve the preimage.

Sorry for the confusion.

-Dave
--00000000000075847305a8802785--