Good morning list,
I started considering, what a trustless, blinded WatchTower for eltoo channels
would look like. Unfortunately, I cannot derive a good one yet, sorry.
My basis, is the same "encrypted blob" we use for Poon-Dryja channels.
Now an issue is that update transactions in Decker-Russell-Osuntokun channels
have no txid that can be used as key for the encrypted blob.
One thing we can use is the trigger transaction, which has a stable txid since
its sole input is an ordinary 2-of-2 that is signed with normal `SIGHASH_ALL`.
However, this has the drawback that each update of a single channel will
generate a `(txid[:16], blob)` pair that has the same `txid[:16]` key, letting
the WatchTower correlate the timing and number of updates of each of your
channels. Compare to the case where a Poon-Dryja uses the same encoding: the
WatchTower knows each `(txid[:16], blob)` pair is *some* update to *one* of
your channels, but cannot know if any two pairs you submit are for the same
channel or two different channels. Indeed even if a theft attempt occurs the
WatchTower can only know that some `txid[:16]` belongs to a particular channel,
but not whether the other `txid[:16]` you published to it are to the same
channel, or another channel you happen to be interested in.
It seems desirable to at least retain the property that the WatchTower cannot
correlate our updates to our channels.
Another property that the Poon-Dryja encrypted-blob has is that we can
distribute our updates for a single channel to two or more WatchTowers, to
improve our privacy slightly (if we can somehow identify that two different
WatchTowers are not somehow comparing notes; but simple use of Tor and similar
can obscure that the same node is the source of communications). It also seems
desirable to retain this property, but under Decker-Russell-Osuntokun channels,
when a new update is made, every WatchTower who is watching should be informed
of that update (since only the latest update transaction is valid). Under
Poon-Dryja, if I have watching service contracts from several WatchTowers, when
I get another revocation, I can distribute the revocation data to a subset of
all my serving WatchTowers; under Decker-Russell-Osuntokun I would have to
contact all of them to give the latest update transaction.
So let me propose my half-baked idea for encrypted-blob, slightly-blinded
1. We observe that for each update transaction, the signatures are malleable
(sign malleability, also one signature is from the attacker and the attacker
can pick a new R), but the message they are signing (a copy of the transaction
that has been modified in particular ways) is not.
2. We observe that under SegWit the txid is simply an unusual form of the hash
of the message (transaction) that is getting signed under a `SIGHASH_ALL`
signature. Thus if `txid[:16]` is acceptable as a key, then `hash[:16]` of the
message signed in the update transactions should also be acceptable.
3. Thus we generalize our WatchTowers pairs to `(hash[:16], blob)`, where
`hash` is the message that is signed in the witness program, not just the
4. The same framework can be used for Poon-Dryja and Decker-Russell-Osuntokun
WatchTowers. Under Poon-Dryja the `hash` is the reverse of the `txid` (or
rather, the `txid` is properly the reverse of the hash) being watched for.
5. The main loop of the WatchTower (which can watch either Poon-Dryja or
Decker-Russell-Osuntokun channels) is now something like: When a block comes
in, verify each transaction. If during signature validation, we match the hash
of the message being signed to a watched blob `hash[:16]`, we decrypt the blob
and proceed to justice depending on the type of the decrypted blob.
6. Notice an important point: the same WatchTower, if it supported both
Poon-Dryja and Decker-Russell-Osuntokun channels, would not know if a
`(hash[:16], blob)` pair even belongs to a Poon-Dryja or a
Decker-Russell-Osuntokun channel, unless a theft attempt was made! This is
important as it lets us retain high anonymity sets while transitioning the
network from Poon-Dryja to Decker-Russell-Osuntokun.
7. We handle Poon-Dryja channel blobs as with current Poon-Dryja techniques
that I ahd Connor described last month.
8. For Decker-Russell-Osuntokun channels, the blob would contain: state number
(`nLockTime`), `Au` and `Bu` pubkeys, the basepoints for `As,i` and `Bs,i`, and
the corresponding signatures for the update transaction, the corresponding
settlement transaction, and the settlement details (how much value each side,
HTLCs in flight, CSV-delta, etc) as well as how the WatchTower bounty gets paid
9. The blob does not contain the latest channel update! Instead, the
WatchTower would iterate the state number repeatedly, and generate each
possible future update transaction (without signatures). This is because the
message commits to constant data, an `nLockTime` we are iterating, a satoshi
amount that is the same since update transactions pay no fees from the funding
transaction, and a P2WSH that is derivable completely from `Au`, `Bu`, `As,i`
and `Bs,i` basepoints, the current `nLockTime`, and the CSV-delta setting.
This yields new messages that are hashed and compared to other `hash[:16]` the
WatchTower has. If it matches another one, the WatchTower knows that at least
one future update transaction exists: the WatchTower simply iterates until it
finds the last channel update or reaches the maximum state number.
10. When the WatchTower finds the last channel update for the channel, and it
is different from the message that triggered us, then it knows that the current
published update transaction is not the latest, it knows the latest update, and
it can now publish the latest update transaction and eventually its
corresponding settlement transaction, in order to provide justice.
The above retains the decorrelation property (the WatchTower, given two
`(hash[:16], blob)` pairs, cannot know if the two pairs refer to the same
channel, or different channels), but only up to a theft attempt. If a theft
attempt occurs, then the WatchTower can now correlate the blobs (it might have
kept records of when the blobs were given to it, and the decrypted blobs
certainly give it history of how much money was allocated to both sides of the
channel at that time) to a specific channel; hopefully theft attempts are rare
enough that this is an acceptable amount of lost privacy. If a node is served
by many WatchTowers, it might elect to not give all updates to a single
WatchTower (to reduce the privacy leakage in case of a theft attempt), so the
WatchTower should also be prepared in that its latest known update might not
actually be the latest.
it also requires quite a bit of grinding on the WatchTower, as it has to
generate a large number (possibly up to a billion) of possible future update
Lightning-dev mailing list