From thomasv at electrum.org Thu Aug 17 09:36:58 2023 From: thomasv at electrum.org (Thomas Voegtlin) Date: Thu, 17 Aug 2023 11:36:58 +0200 Subject: [Lightning-dev] Backing up channel state with counterparties In-Reply-To: References: <0f84f9be-b68e-47db-46b6-3230e4509811@electrum.org> Message-ID: <503072e3-aa26-fefa-9e8f-a214e8cd7737@electrum.org> Hello Peter, I have to disagree with both your reasoning and the numerical values you are proposing. Let us first look at the equations: > Suppose that Alice goes a few days without connecting to Bob 10 > times per year, and this particular connection attempt is an example > of that 10/year event. Suppose that Alice has a 1% chance of data > loss per year that **requires her to use Bob's channel state backup**, > and suppose that with 100% certainty, in the event of data loss Alice > would take a few days to attempt recovery. That means that this > particular connection event represents a 1% / 10 = 0.1% probability > event, and P_d = 0.1% In this paragraph, you are expressing the joint probability that Alice has lost her data AND that she is displaying a certain behaviour visible to Bob (staying disconnected for a few days). First, let me clarify the "per year" issue. Since you are trying to compute the probability of data loss at a particular connection event, the terms used in your equation must be the probability P(loss) of data loss *at that connection*, and the probability P(behaviour) of having been offline for several days *at that connection*. It may be possible to express P(loss) and P(behaviour) from the probabilities *per year*, but that would requires assumptions about the frequency of connections, and the duration of the process. For example, once data is lost, it remains lost forever. Since units of time do not show up in your equations, I will assume that you simply meant probabilities at connection: P(loss) = 0.01 and P(behaviour) = 0.1 To compute the joint probability that Alice has lost data and that she is displaying that behaviour, you used as a product, as if those were independent events: P(loss AND behaviour) = P(loss) * P(behaviour) Unfortunately, those events are not independent. If the behaviour of Alice is caused by the loss, then P(loss AND behaviour) is certainly not equal to P(loss) * P(behaviour), but considerably closer to P(loss). Anyway, the joint probability P(loss AND behaviour) is not the relevant quantity here. Indeed, when you wrote: > Bob can profit if V_f * P_d > V_h, you were implying that P_d is the same as the one you computed above, using that multiplication. This is wrong. If we want to compute whether Bob can profit, we need to look at what the probability of data loss given the information available to Bob. In other words, P_d should be the the conditional probability that Alice has lost her state, given the information available to Bob: P(loss|behaviour): Bob can profit if V_f * P(loss|behaviour) > V_h This can be expressed using the Bayes theorem: P(loss|behaviour) = P(behaviour|loss) * P(loss) / P(behaviour) In practice, the posterior probability that Alice has lost her state will be higher if she behaves as if she has lost it. Your assumption "suppose that with 100% certainty, in the event of data loss Alice would take a few days to attempt recovery" should be translated as P(behaviour|loss) = 1. With the numerical values from above (P(loss) = 0.01, P(behaviour) = 0.1), we arrive at P(loss|behaviour) = 0.1, which is 100 times higher than your estimate. Second, regarding the numerical values: I do not wish to argue over the numerical value of the probability of data loss per year. However, I want to point out that the probability of users connecting without having their data becomes considerably higher if restoring your channels from seed becomes a feature. If users are told that they can restore their state from seed, then they are going to use that feature. For example, some Electrum users decide to uninstall and reinstall their wallet app from their device whenever they cross a border. So, the relevant question is, how frequently do users restore their wallet from seed, and not how frequently they have actually lost data. Finally, note that the "behaviour" encompasses all the information available to Bob, not only the fact that Alice has been offline for a few day. There might be other channels that can be exploited by an attacker to gain information about Alice. If Alice's wallet uses Electrum servers, then whoever operates the server will be able to infer whether Alice has been restoring from seed or not. Not only Electrum, uses Electrum servers, but a whole range of mobile wallets do, including Phoenix.