Good morning all,

It seems to me the below two worlds are possible:

1.  Symmetric delays.
1.1.  I can attack passively: I force a condition where most funds are in the 
other side (e.g. forwarding to another node I control, or exchanging BTC for 
material goods), then stop forwarding payments and generally being a pest.  The 
other side closes unilaterally in frustration (locking its funds) and I get 
penalized by having my (smaller, in my case) amount locked for some blocks.
1.2.  I can attack actively: I force a condition where most funds are in the 
other side, then unilaterally close the channel (locking my counterparty 
funds).  I get penalized by having my smaller amount locked for some blocks.

2.  Asymmetric delays.
2.1.  I can attack passively: I force a condition where most funds are in the 
other side (e.g. forwarding to another node I control, or exchanging BTC for 
material goods), then stop forwarding payments and generally being a pest.  The 
other side closes unilaterally in frustration (locking its funds) and I do not 
get penalized.

It seems to me that adding an entire new attack vector in order to only 
*mitigate* (not eliminate!) another attack vector is not a good enough 
trade-off.  In particular the new attack seems *easier* to perform.  The 
current attack where I annoy the other side until it closes has the risk that 
the other side may have a high tolerance for annoyance, and decide not to close 
the channel unilaterally anyway.  But in a symmetric-delay world, I do not have 
to wait for the other side to get annoyed: I just trigger the lockup period 
immediately in the active attack.

--

> For example, in the case where the side unilaterally closing the channel has 
> zero balance, the other side gets no delay and symmetry as measured by (coins 
> locked) * (duration of lock) equals zero on both sides. When the side closing 
> the channel has at least 50% of the balance, both sides must wait the full 
> delay. Thoughts?

So on channel setup where I am the funder to a 1BTC  channel I make to Daniel:

* Daniel holds a commitment transaction with: ZmnSCPxj=1BTC+no delay, 
Daniel=0BTC+no delay
* I hold a commitment transaction with: ZmnSCPxj=1BTC+no delay, Daniel=0BTC+no 
delay

In order to make the symmetry "(coins locked) * (duration of lock)" equal on 
both sides of the commitment transaction (after all, Daniel has 0 BTC, so the 
product 0BTC * anything is 0, so I should not be penalized with a delay on my 
output of the commitment transaction).

Then I send 0.99BTC to Daniel for 0.99BTC of Daniel products.

Then I publish my original, revoked, commitment transaction with 
ZmnSCPxj=1BTC+no delay, Danel=0BTC+no delay

Since there is no delay involved in my branch, I can get the money immediately 
without Daniel being able to revoke it.  So I get 1.0BTC and 0.99BTC worth of 
Daniel products.

Regards,
ZmnSCPxj
_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

Reply via email to