-
Notifications
You must be signed in to change notification settings - Fork 890
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add plugin hook for penalty transactions on revocation #3422
Comments
Pedantic: Still needs an encrypted channel between the mobile wallet and the home device, so --- Otherwise looks OK. |
This looks great from our side. Thanks for making the effort to ease the interaction with watchtowers 😄 |
Right, I was mainly concerned about the payload, and less about transport. Will rephrase in OP 👍 |
A question regarding the hook and Are you planning on allowing In the new iteration of BOLT13 we'll be proposing user authentication with the tower via signed messages, that, tentatively, could be done using the node private key or an ephemeral key. We were thinking on using the same approach as There are a couple of caveats we can foresee with this though (and therefore my question):
|
@sr-gi If the key is ephemeral, presumably you generated it from some randomly-selected privkey, in which case you can just use Why does the watchtower need a signature created by anybody else? I suggest using blinded bearer signatures, either the original RSA ones or the nice new EC ones from privacypas. That way the watchtower only sees its own signatures (which it generated via blind-signing), and the node can keep its anonymity. I.e. the watchtower operates as a Chaumian bank, issues tokens (i.e. leases on the watchtower service) in exchange for money (or even just somebody begging free tokens if you want to make your watchtower a free service), then later when somebody claims a token, provides the service that it promised to offer in exchange for the token. The tokens are blinded signatures. Have the node contact the watchtower over a new Tor circuit on each sending of watching data (i.e. |
@cdecker how about exposing the One possibility for a low-overhead watchtower would be for the watchtower to be SPV. Most SPV interfaces are designed to look for transactions that pay to/from a specific address/ So what could be done would be:
The resulting address plus encrypted blob does not leak information to the watchtower: all commitment tx output addresses are generated directly or indirectly using Then, when the address is found onchain or on mempool, the watchtower can find the txid of the transaction that actually pays to that address (using normal Electrum/Neutrino queries), and tries to AEAD-decrypt the encrypted blob using the transaction ID as the key. If decryption fails then the transaction that paid to that address is not the commitment transaction. If decryption succeeds then the watchtower is now in possession of the penalty transaction. The above scheme requires that the |
@ZmnSCPxj I discussed this with Christian and Rusty and completely forgot to get back here to comment. We were thinking on something similar, by using tweaks over the node private key. The main reasons why we where thinking on this over blinded tokens was to:
With the tweak approach the user should be able to only keep around a tweak:tower_id pair. Regarding update/deletion, the user may need to update some of the appointments for ones with higher fees, specially in the short future since no CPFP approach has been set for penalty transactions. On the other hand, appointment deletion once the channel is closed should be an option so space can be freed. Finally, bulk deletion can be performed if appointments from the same channel are linked on the tower side. This can be achieved, in a privacy preserving way, by using We're also thinking on the Tor approach to establish the connection between the user and the tower, since otherwise the tower will know the EDIT: Thinking this trough though all of it should be possible with blinded tokens instead of signatures, as long as the token can be reused over a time period. It seems a bit overkill though, what are the benefits you see on it over a signing + EC recover? |
It would require exposing an API at I mildly prefer keeping the
Bearer tokens, if intercepted, can then be used by third parties who have acquired a copy of the token. They are equivalent to a symmetric key; you only get good security properties if it is a one-time password. You could try to get around this by using an encrypted tunnel with the watchtower, or by using a challenge-response protocol somehow (which might not exist for the bearer token you might want to use).
This still correlates all activity on a channel, which in combination with other metadata may still allow a tower (or anyone who hacks it) to figure out which channel it is and then leak all the timings of that channel with 100% accuracy. For example, a hacker who gets read access to the tower data can try routing through a channel it suspects is protected by the tower; if it is able to identify that a What you could do would be to use this novel cryptographic construct I invented, the recognition code ("Recognition code 927, I am a potato"). This is nothing more than having a secret scalar, and signing that scalar with itself (i.e. it is both the message that is hashed and signed, and the signing key), with the resulting signature as the recognition code. If you know the secret scalar, you can recognize the recognition code by checking if it is a valid signature for the secret scalar times G, with the message as the hash of the secret scalar. The intent is not to prove to third parties that you signed; it is to prove to yourself that you signed, in case you forgot something. If you use an apparently-random |
Would it make any difference if it's an ephemeral key instead of a derived key? The goal of making it derived was to reduce the overhead, but having a different set of keys to use with towers will also do.
The issue with this is that if you cannot identify request from the same user you cannot even give a service beyond storing data. Updates, deletion and requests (to prove that the data is being kept on the tower side for instance) should only be allowed to the user who sent the data, otherwise we'd open the door to many type of attacks on the tower. This seems to complicate the protocol quite a bit IMHO.
True, but this should be similar to what a routing node connected to the target is already getting, at an arguably lower cost. A routing node having a channel with the victim with enough liquidity and no fees may be getting all payments not going to direct channels of the target, the total amount going out of the target (which defines a higher bound on the payment amount) and even knowing which of them fail or not. A tower following the tab approach only knows the amount of traffic that is routed trough a blinded channel. Anyway, the |
Then you would not need to request You could have the plugin hold its own key.
Then use the token to register a lifetime of one watched transaction: insert-delete of a single registered commitment transaction. At insertion you present the token and a (hash of a) pubkey. At deletion you present a signature with that pubkey. In between insertion and deletion, if the specified commitment transaction appears, the watchtower can auto-delete the entry by itself. When the client opens a channel, and then the channel is updated (and the old commitment tx is revoked) the client gets an unused token and registers the old commitment tx plus a pubkey it can derive from its client privkey plus the commitmentt tx. At each update it does the same: get an unused token (possibly paying to the watchtower for new tokens if it runs low on tokens) and registers it with a pubkey derived from its privkey plus commitment tx. Once the channel is closed, it deletes all the registered old commitments.
You are thinking in single channels. But a node using a watchtower is likely to use the same watchtower on all channels (unless you are proposing to only use one channel per watchtower). The peer gets the same inforrmation, but only for the very specific channel the target node has with it. On the other hand, a hacker getting read-only access to the watchtower you are using can now probe every channel you have once, learn the I mean --- even small leaks are big leaks when correlated with other data. So you make an effort to reduce the amount of data you can leak each time. |
There are a number of designs for watchtowers based on encrypting the penalty
transaction and shipping it to a semi-trusted third-party. In order to
facilitate the implementation of watchtowers it'd be good to generate penalty
transactions for each commitment upon receiving the revocation and deliver it
to a plugin that takes care of the communication with the actual
watchtower. We'd do so without encrypting the information, however we'd give
the plugin enough information to perform the encryption itself. This maximizes
the flexibility of the watchtower scheme, and even allows for self-hosted
watchtowers that do not require encryption at all. For example it is possible
to run a personal watchtower node at home and a mobile wallet that just pushes
penalty transactions to the personal watchtower.
The main difficulty is in generating the penalty transaction, since that is
currently done only in
onchaind
, and we'd need to generate them for eachcommitment, either in
lightnignd
orchanneld
now.Plugin interface
A hook is likely the best option since it allows us to synchronously call the
watchtower plugin which can make sure the bundle has been delivered at
whatever watchtower backend it is talking to before allowing
lightningd
tocontinue running. A notification on the other hand could lead to a bundle
being dropped, which could lead to a cheat attempt for which the watchtower
doesn't have a matching penalty.
The hook payload would consist of the following fields:
Steps
common/
The text was updated successfully, but these errors were encountered: