Hi ZmnSCPxj,
I suppose some variant of that proposal might mitigate the attack, but
it would trigger a race condition between the valid state of the
sub-factory and the new state of the channel.
Also, as you said, Alice and Bob might be interested in stealing anyways
from Carol, regardless of losing the race, if the stolen funds are more.
Best,
Alejandro.
On 17/04/2019 13:45, ZmnSCPxj wrote:
Good morning Alejandro, and list,
I am uncertain if this would completely solve it, but Discrete Log Contracts
has a mechanism by which an Oracle is enforced to reveal its private key, if it
publishes multiple signatures signing different messages for a particular
sampling.
It seems like a way to ensure, that a public key is used only once.
Can this mechanism be somehow used, so that if Alice and Bob sign an alternate
transaction spending the A,B output (thus invalidating the sub-factory
transaction), they also reveal to Carol the private key?
Carol can then punish this behavior by burning the A,B output and sending it
all as fees to miners.
However, it may be insufficient.
If the A,B channel is very small in capacity, Alice and Bob may be willing to
sacrifice it in exchange for stealing larger amounts from Carol.
Regards,
ZmnSCPxj
--
Alejandro Ranchal Pedrosa
_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
