From aj at erisian.com.au  Fri Oct 16 23:01:42 2015
From: aj at erisian.com.au (Anthony Towns)
Date: Sat, 17 Oct 2015 09:01:42 +1000
Subject: [Lightning-dev] Preventing MITM - Providing new nodes with real
 pubkeys
In-Reply-To: <CAE8CtV=uH9PG1Tb3e9Kh2CmnNXGVBBaEokocZuv0bjiD-TQm1w@mail.gmail.com>
References: <CAE8CtV=uH9PG1Tb3e9Kh2CmnNXGVBBaEokocZuv0bjiD-TQm1w@mail.gmail.com>
Message-ID: <20151016230141.GA22262@navy>

On Fri, Oct 16, 2015 at 02:22:25PM +0100, Mats Jerratsch wrote:
> [...] an attacker could trick it into a fake network, [...]

How do you tell the difference between the "real" network and a "fake"
one? (ie, what does a Turing test for the lightning network look like?)

I think there's two things:

 1) you can figure out a route to people you want to pay (and
    vice-versa)

 2) payments on those routes actually go through

Even better, you can test this! Get a couple of merchant ids you find
interesting, and pay 1 satoshi to each of them, setting the R value as
the (double) SHA256 of the decrypted onion message. [0]

If you spent 1 satoshi to each of 10 merchants every day for a year to
verify connectivity, that'd still only amount to about $0.01 USD total
at current exchange rates, so it seems pretty affordable. [1]

It only works if you actually setup a channel, though -- so you have to
lock some money into the channel for however many confirmations until
the channel activates, before you can test, plus the OP_CSV delay if
the test fails.

But I think that would let people trustlessly avoid "fake" lightning
networks, even with a sybil-esque attack; no extra infrastructure needed.

Cheers,
aj

[0] If you're already on the lightning network, and you're establishing
    a new channel as backup, you can just pay yourself 1 satoshi to verify
    connectivity. If you have friends on lightning, you could pay them
    1 satoshi to verify connectivity rather than a random merchant too.

[1] Hmm, does forwarding 1 satoshi (2.6 10,000ths of a cent) make
    sense, or would the CPU cycles cost more than the fees you'd make?
    How much does it cost to forward a transaction? In python on my
    laptop, I get about 1000 ECDH operations per second in python, and
    290k AES ops over a 3kB onion per second, and about 77k SHA256 ops
    per second. So just counting elliptic ops, forwarding a transaction
    requires three ops: an ECDH on the onion message, and an ECDSA on
    the commitment transaction to add the HTLC, and another sometime
    later to remove it.  So say 1/350th of a CPU-second. My linode costs
    3c/hour and seems to be about half as fast on the SHA256 test, but
    gives me two CPUs which evens it out. So so 3/60/60/350 cents is
    about the cost of forwarding a single transaction, which is about
    2.4e-8 dollars, which is currently about 9.1e-11 bitcoin, which
    is 0.0091 satoshi. Conveniently lightning balances are denominated
    in millisatoshi, so as long as yours increases by 9 or 10, you're
    doing fine. 10 millisatoshi is 1% of 1 satoshi, so that seems like
    the right order of magnitude.