From aj at erisian.com.au Mon Oct 19 01:41:00 2015 From: aj at erisian.com.au (Anthony Towns) Date: Mon, 19 Oct 2015 11:41:00 +1000 Subject: [Lightning-dev] Preventing MITM - Providing new nodes with real pubkeys In-Reply-To: References: <20151016230141.GA22262@navy> Message-ID: <20151019014100.GA19146@navy> On Sun, Oct 18, 2015 at 01:25:29PM +0200, Mats Jerratsch wrote: > > It only works if you actually setup a channel, though -- so you have to > > lock some money into the channel for however many confirmations until > > the channel activates, before you can test, plus the OP_CSV delay if > > the test fails. > And there's the catch. If an attacker achieves nodes opening up > channels with him, he already succeeded in vandalism. I'm not sure this is true? Supposing there are V vandals on the system, compared to T total nodes, so V/T is your probability of selecting a vandal. Then, to join the lightning network, you open up N channels with randomly chosen nodes at $1 each, committing $N in total, and (if they're all run by vandals and have to get closed) spending about 2*N*2c (so 4%?) in fees. If there are 1000 nodes (ie, lots), then the probability of finding at least one good node is about 1-(V/T)^N. If you want a probability of 99% of getting a good node on your first try, then: V/T = 10%: N = 2 V/T = 20%: N = 3 V/T = 30%: N = 4 V/T = 40%: N = 6 V/T = 50%: N = 7 V/T = 60%: N = 9 V/T = 70%: N = 13 V/T = 80%: N = 21 V/T = 90%: N = 43 V/T = 95%: N = 86 V/T = 99%: N = 368 So with 90% of nodes being hostile, that'd be getting expensive, but not completely implausible. If 40%-plus of the network is legit, though, just trying out 10 random nodes seems like it works fine, and only locks up $10 for a couple of days and costs about 40c in bitcoin fees... Also, if you've got to run 2.5 times as many vandal nodes as there are legitimate nodes for people to even really be bothered, I don't think you'll see many vandals in the first place... (Once you've got a node that actually works, you can expand your channel from $1 to $10 or $100, and/or open additional channels, and at that point (afaics) you're set.) That's only necessary if you don't know anyone with a lightning account already, though. Since anyone can forward for you, you could start with someone you trust in real life -- eg, a friend, a bank, a government, etc. If Rusty tells me he'll route my payments (as long as they're made between 10am and 3pm Adelaide time on a weekday, maybe) then I can open a $5 channel with him, and use that to send 1 satoshi payments to test connectivity. So, if I'm wondering whether BOBSBANK is reliable, I work out a route: aj -> rusty -> a -> b -> c -> BOBSBANK -> x -> y -> z -> rusty -> aj apply it as an onion so it can't get short-circuited, and see if it gets back to me, at a cost of maybe 10% of a satoshi (10 hops at 1% each)... If it does, BOBSBANK is connected and functional, and I can try opening a channel. If it doesn't, I can try a different route to BOBSBANK, or try someone else entirely. > Furthermore, an > attacker can always play by the rules and forward all payments up to > one point where he stops. (For example, he could happily route payments on $1 channels, but refuse to do likewise when the channel capacity was upped to $10) In the general case though, does that even count as an attack? Isn't that just like a web site going down or being put behind a paywall? ie, annoying, but completely legitimate? I mean, if someone downloads the lightning software to try it out, runs it for a while, then decides it's no fun and stops, they'll be "playing by the rules up to one point where they stop"; but they're not trying to "attack" the system. Coping with unreliability is definitely important, but running a node that works sometimes but is deliberately unreliable is a lot more effort than running a node that claims to work, but never does. It's also more work (and less profitable) than just running a node that actually work... > And even worse, if everyone connect to his > nodes, he can relay all payments, but he is able to distinctively > identify payee and payers, even with onion routing. That's a different attack isn't it? To get everyone to connect to your nodes, you'd have to be running the majority of nodes -- ie, there's 5000 different organisations running lightning nodes, but 4999 of them run one or two nodes each, but one of them runs 100,000 nodes. But if it were cheap enough for one org to run 100k nodes, why wouldn't the others treat it as an arms race and end up running, say, 20-50 nodes each? They'd have an economic incentive to do so, in that it increases their odds of collecting fees... At that point the attacker's already reduced to 28%-50% of nodes. ie, I think that's likely to be self-correcting? But! An arms race in nodes-per-person would probably cause a scaling problem for the network (depending on how routing actually works), and you'd have to address that by creating some cost to run (or at least register?) a node/channel. But if they're all legitimate nodes, I think that's just a scaling problem, rather than vandalism per se. (An additional but: even if spamming the list of nodes doesn't work as an effective attack, if you can spam the list of *channels* with valid looking edges that won't actually route payments successfully, you can screw over the network pretty well) Cheers, aj