On Wed, Jul 1, 2020 at 6:58 PM ZmnSCPxj <zmnsc...@protonmail.com> wrote:

> And your paper posits that if a miner is weak, its best strategy is to > take the myopic strategy and include the currently-valid Alice transaction. > Yes. The proof is quite trivial and follows from the definition of weak: if the myopic miner's hashpower percentage is p_i, and it's lower than f/b, that means that f > b*p_i. By including the currently-valid Alice transaction, the myopic miner could make f, which is higher than their expected gain, which is b*p_i. The myopic miner has a p_i chance of mining the first block when Bob's transaction becomes valid, and it's most likely to stay valid for just 1 block, as every miner would want that immediately when it gets valid. This is where we disagree with the MAD-HTLC paper. They assume that there are not any miners with sub-1% hashrate around. We find that there are many such miners, and with channel_reserve_satoshi set to 1% of the channel value, Alice can bump her fees to at least 1% of the channel value without worry (because she will get Bob's channel_reserve_satoshi's for herself if Bob is cheating by releasing a previous commitment TXN). We additionally also show that when strong miners know that weak miners are around, some of their strategies get dominated as well, and they will be forced to include Alice's transaction as well. This, if there is just one *known* weak miner, things are good for Alice. As an FYI, in our paper Alice is the cheater and Bob is the victim. There were reasons to "reverse the convention", so to speak - but that's for another day :-) > > Thus, if Alice even *matches* Bob, it seems to me that this ratio f / b is > 1.0 implying a miner can only be powerful if it has already 51%-attacked > Bitcoin (which tends to invalidate all our security assumptions of > higher-layer protocols anyway, since a 51% attacker can censor anything > with impunity). > We assume that Bob will bribe with the entire channel value - because he has received commensurate goods and services off-chain. So, Alice will find it difficult to match Bob's bribe, but she doesn't have to. > > Of course, Bob can offer up to the entire fund amount, for free, to miners > as a bribe, without loss to Bob. > Yes. Precisely. > > For more realistic scenarios where no miner has 100% hashrate, then Alice > can make all miners weak by being willing to pay up to 50% of the fund as > fee, as a miner that achieves greater than 50% hashrate share would already > effectively pwnzored Bitcoin and gained UNLIMITED POWAH anyway. > But she doesn't have to go as far as 50%. Just 1% seems quite reasonable, given a reasonable timelock. We have a closed form solution for the timelock T as well. In Lightning's case, with 1% channel_reserve_satoshis around, we arrive at T = 316, which is much longer than the current default of 144. > > So it looks to me that scorched-earth is a possible mitigation against > this attack. > I don't follow this. We show that a reasonable value of fees and timelock are enough to avoid the attack. Why scorch the earth?

_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev