Bob can cheat #6
Alice has a choice to sign the HTLC fallback tx if she didn't get the data, and in that case she will get her money back. Bob can "appeal" this by confirming that he has held the data for Alice. Bob does this by providing a "preimage" to the secret hashed by Alice. This secret is composed at setup time by Alice, and she uses her newly-derived public key both for the funding transaction output and for the deterministic definition of some small portion of the source data. This portion is double-hashed to a 160-bit hash and included in the HTLC fallback tx by Alice as a hash lock. Later, when Bob wants to prove that he still has the data available, he sees the published HTLC transaction, extracts Alice's public key and uses it to get the same deterministic piece of the source data as Alice. Bob computes a single hash on the data, which gives him a preimage to unlock the hash lock from the HTLC transaction output before Alice spends it (Alice's branch is timelocked). The only case for possible cheating here is Alice not needing the data anymore and avoiding paying the full amount for the storage. However, this can be a part of Bob's business risk and may be covered by some insurance + Alice's reputation & taken into account by Bob at setup time.
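The hash-lock mechanism described in the comment above, as an added example that is not part of the original thread or the project's code. The hash functions (SHA-256 for the preimage, SHA-1 as a stand-in 160-bit hash), the 32-byte chunk size, the offset derivation and all names are assumptions; the key and data are constructed sample values.

```python
import hashlib
import hmac

CHUNK_LEN = 32  # assumed size of the challenged portion, in bytes


def chunk_offset(alice_pubkey: bytes, data_len: int) -> int:
    """Derive the offset of the challenged portion from Alice's public key."""
    if data_len < CHUNK_LEN:
        raise ValueError("data shorter than one chunk")
    seed = hashlib.sha256(b"chunk-select" + alice_pubkey).digest()
    return int.from_bytes(seed, "big") % (data_len - CHUNK_LEN + 1)


def preimage(alice_pubkey: bytes, data: bytes) -> bytes:
    """Single hash of the selected portion: what Bob reveals on-chain."""
    off = chunk_offset(alice_pubkey, len(data))
    return hashlib.sha256(data[off:off + CHUNK_LEN]).digest()


def hash_lock(pre: bytes) -> bytes:
    """Second hash, 160 bits: what Alice puts in the HTLC fallback tx."""
    return hashlib.sha1(pre).digest()  # assumed stand-in for the 160-bit hash


def bob_can_unlock(lock: bytes, alice_pubkey: bytes, bob_copy: bytes) -> bool:
    """True if Bob's stored copy yields a preimage matching the hash lock."""
    try:
        candidate = preimage(alice_pubkey, bob_copy)
    except ValueError:
        return False
    return hmac.compare_digest(hash_lock(candidate), lock)


# Constructed sample values, not taken from the thread.
ALICE_PUBKEY = bytes.fromhex("02" + "11" * 32)   # placeholder 33-byte key
SOURCE_DATA = bytes(range(256)) * 16             # 4096 bytes of sample data
LOCK = hash_lock(preimage(ALICE_PUBKEY, SOURCE_DATA))  # computed by Alice at setup

if __name__ == "__main__":
    print("lock:", LOCK.hex())
    print("Bob kept the data:     ", bob_can_unlock(LOCK, ALICE_PUBKEY, SOURCE_DATA))
    print("Bob discarded the data:", bob_can_unlock(LOCK, ALICE_PUBKEY, bytes(4096)))
```
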
I think this was a very clever solution.
It is not clear if the solution will work unless you also show a sequence diagram, and inform in more detail just which things you are referring to as key 1, key 2, and key 3.
Bob just waits. Either the funding tx-CSV times out - he just takes the money. So Alice IS FORCED to publish the pre-signed HTLC settlement tx. Then Bob just takes the money by publishing the decryption key. But he never sent Alice the data.
This scheme still works in cases where the message is just the key. But that's nothing new.