From aj at erisian.com.au Fri Aug 21 14:29:08 2015 From: aj at erisian.com.au (Anthony Towns) Date: Fri, 21 Aug 2015 16:29:08 +0200 Subject: [Lightning-dev] Loop attack with onion routing.. In-Reply-To: <874mjujyqe.fsf@rustcorp.com.au> References: <874mjujyqe.fsf@rustcorp.com.au> Message-ID: On 20 August 2015 at 07:49, Rusty Russell wrote: > I think in this case we need to peel the onion[1]: ?Okay, so how might this actually work? Alice sends a payment to Emma, via Bob, Carol and Dave. Case 1: Dave misbehaves by taking a few minutes rather than a few seconds to talk to Emma. * Carol decides that's unacceptable and asks Dave for an excuse. Dave cannot provide one. Carol closes the channel (unilaterally, or with Dave's grudging cooperation) * At this point Bob believes Carol has taken too long too, so he asks Carol for an excuses. Carol says its Dave's fault, and points to the transaction closing the Carol/Dave channel as evidence; Bob knows that Dave was cheating because the HTLC is still present in that transaction (Carol reveals the P2SH script if necessary); Bob knows that Dave was who Carol was forwarding to, because Carol provides a verifiable decryption of the onion routing message Bob passed on to Carol. * Bob likewise passes this back on to Alice as the explanation of why it's taking so long. Case 2: Carol misbehaves by pretending Dave was misbehaving, when he wasn't. ?* Carol closes the channel with Dave before accepting Dave's resolution of the HTLC, passing the info to Bob as before. ? * ?Since he's not cheating, Dave claims the HTLC output on the blockchain. * Bob sees the HTLC output Carol was pointing at has been spent in a timely fashion, indicating Carol is cheating. * Bob claims funds from Alice in a timely fashion, so does not have to justify being a cheat himself. * Bob closes the channel with Carol since she's being weird. ?That seems like it works as expected to me?? ?But this reveals the chain of payees all the way back to the root. If you were routing a payment from Joe Commie -> Bank of America -> Deutsche Bank -> Central Bank of Cuba -> Cuba Communist Party then you might find that a network hiccup in Cuba might cause BoA to realise you're sending money to Cuba, and be forced to cease their relationship with you. This potentially gets worse if you're not actually trying to send money to some forbidden organisation, but you just happened to randomly choose a route that looks suspicious to hide your payments to Ashley Madison or your donation in support of traditional marriage. But if that's okay, and you don't mind BoA (or someone snooping on BoA's traffic) knowing who you're sending money too, why do onion routing in the first place? Cheers, aj -- Anthony Towns -------------- next part -------------- An HTML attachment was scrubbed... URL: