From aj at erisian.com.au Mon Aug 24 10:06:25 2015
From: aj at erisian.com.au (Anthony Towns)
Date: Mon, 24 Aug 2015 12:06:25 +0200
Subject: [Lightning-dev] Loop attack with onion routing..
In-Reply-To: <87k2sljyci.fsf@rustcorp.com.au>
References: <874mjujyqe.fsf@rustcorp.com.au> <87k2sljyci.fsf@rustcorp.com.au>
Message-ID:

On 24 August 2015 at 02:59, Rusty Russell wrote:

> Anthony Towns writes:
> > On 20 August 2015 at 07:49, Rusty Russell wrote:
> >> I think in this case we need to peel the onion[1]:
>
> I changed my mind by the way. You don't need to peel the onion, you
> just need the commit transaction + htlc transactions tied to the closure
> (and you can see the HTLC is yours, by the R value).

(I'm counting anything that reveals multiple forward steps in the chain as unpeeling the onion)

> > Case 2: Carol misbehaves by pretending Dave was misbehaving, when he
> > wasn't.
> > * Carol closes the channel with Dave before accepting Dave's resolution
> >   of the HTLC, passing the info to Bob as before.
> > * Since he's not cheating, Dave claims the HTLC output on the
> >   blockchain.
> > * Bob sees the HTLC output Carol was pointing at has been spent in a
> >   timely fashion, indicating Carol is cheating.
> > * Bob claims funds from Alice in a timely fashion, so does not have to
> >   justify being a cheat himself.
> > * Bob closes the channel with Carol since she's being weird.
> > That seems like it works as expected to me?
>
> No, that doesn't work: Bob can't tell if Dave really sent it to Carol or
> not.

Dave didn't send anything to Carol; he resolved the transaction on the blockchain. Bob can tell this, because Carol pointed Bob at the exact transaction that Dave spent, and the fact that Dave spent it reveals R and the time at which Dave spent it (either included in the blockchain or with 0-confirmations) indicates that Dave wasn't very delayed.

> But Alice doesn't care: she just knows that someone paid 2 txfees
> in apology money for the delay.

I'm not sure where the apology money comes from? Why would Bob or Carol pay Alice when Alice was the one who chose to route via Dave? Why would Dave pay if his channel's getting closed anyway?

The bad one:

> 2) Dave starts the HTLC process, but then times out (doesn't resolve
> HTLC in 20*11 seconds, and doesn't send back a blame
> packet from Emma, either).
> In the latter case, Carol dumps the commit tx to the blockchain, and the
> screwed-up HTLC (and any other casualty HTLCs in progress, sorry). She
> can include this commit tx + htlc txs in the blame packet back to Bob;
> there's no reason to name Dave AFAICT[1].

The HTLC txn provides Dave's public key id though (assuming you un-P2SH it, which you need to to prove that it corresponds with the R you expect), which is the only name for Dave that matters, isn't it?

Cheers,
aj

--
Anthony Towns
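
Bob's decision in Case 2 and in the timeout case, sketched as an added example; it is not part of the original message or of any Lightning implementation. The `Blame` and `Spend` structures, the verdict names, and the use of SHA-256 to tie R to the HTLC are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Blame:
    """What Carol hands back to Bob (hypothetical structure)."""
    htlc_outpoint: str   # HTLC output of the commit tx Carol published
    payment_hash: bytes  # hash that Bob's own HTLC with Carol is locked to
    deadline: int        # latest time Dave was allowed to resolve (unix seconds)

@dataclass
class Spend:
    """How Bob observed that output being spent (0-conf or in a block)."""
    preimage: bytes      # R value revealed by the spending transaction
    first_seen: int      # when Bob first saw the spend

def judge(blame: Blame, spend: Optional[Spend], now: int) -> Tuple[str, Optional[bytes]]:
    """Return (verdict, R). Whenever R is returned, Bob can claim from Alice."""
    if spend is None:
        # Nothing has spent the HTLC output Carol pointed at.
        if now <= blame.deadline:
            return ("wait", None)
        return ("dave_timed_out", None)        # the timeout case
    if hashlib.sha256(spend.preimage).digest() != blame.payment_hash:
        return ("invalid_evidence", None)      # not the HTLC Bob is part of
    if spend.first_seen <= blame.deadline:
        return ("carol_cheating", spend.preimage)  # Case 2: Dave resolved on time
    return ("dave_delayed", spend.preimage)

# Constructed sample data (not taken from any real transaction).
SAMPLE_R = b"constructed-preimage-for-example"
SAMPLE_BLAME = Blame(
    htlc_outpoint="<commit-txid-placeholder>:1",
    payment_hash=hashlib.sha256(SAMPLE_R).digest(),
    deadline=1_440_410_000,
)

if __name__ == "__main__":
    on_time = Spend(SAMPLE_R, SAMPLE_BLAME.deadline - 60)
    print(judge(SAMPLE_BLAME, on_time, SAMPLE_BLAME.deadline + 10))
    print(judge(SAMPLE_BLAME, None, SAMPLE_BLAME.deadline + 10))
```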