Re: [Lightning-dev] [DRAFT] BOLT 13(?): WatchTower protocol

2019-11-28 Thread Antoine Riard 
Thanks for working on this, a bunch of interesting ideas!

I think it could be noted in the motivation, that's having an interoperable
watchtower protocol is really cool, because every watchtower you add is
a liveness reliability increase (modulo privacy loss), specially if these
watchtowers are from different implementations in case of a vuln affecting
breach
monitoring code of your LN node.

Some generic remarks, you should define another TCP port than the LN one of
9735
because this is client-server relationship and you want to avoid leak of
p2p
messages to your watchtower.

Messages should also use the TLV format, will remove a lot *_len field and
each
QoS could be a tlv_record in `appointment`.

For the init protocol, I was considering the following scheme.


init
-->

version
<--
   Alice Bob
payment protocol
--->
 ...

appointment hiring
--->
 ...

appointment firing
--->

The `init` message would contain a method to establish a secure connection
between client and server. Watchtower shouldn't learn LN pubkey of client
as it may be a conflict of interest and be leveraged to build more
sophisticated
attacks. So client should implement identity contingement properly and use
the `init` message to start a Noise session or something like BIP324.

After secure connection establishement, `version` would be the reply with
a features field, wider than only QoS like also the payment protocol
supported,
and maybe an invoice for the payment protocol preferred. In a future,
features may
extend beyond channel watching, like timing out client HTLC or
synchronization
server for multi-party channels...

Client would then execute the one or multiple steps of the payment protocol.
This one may be complex, i.e include parameters negotiation like update
rate-limiting, feerate for encrypted blob, storage throttling after time X,
...
I do think this kind of parameters belong there compare to
`appointment_hiring`,
as they may cover watching operations of one or more channels and secondly
they
are DoS protections, and payment scheme and DoS are going to be really tied
in watchtowers protocol.

Then `appointment_hiring` with QoS and their parameters, is there reasons
for
not having them being stable for the lifetime of client-server interaction ?

Finally, some `appointment_firing` to let the client cut its subscription
and
authorize the server to clean storage.


> * `start_block` is further than one block behind the current chain tip.
> * `start_block` is further than one block ahead the current chain tip.

Is a 3 block window enough if the client is a mobile which a lot of latency
and weak
processing compare to a watchtower's competitive full-node ? I think it's
only
a block issuance edge case but maybe could be easier if client set
start_block to
current_seen_block_height+6 and server would reject if height already past..

> minimum_viable_transaction_size and maximum_viable_transaction_size refer
to the minimum/maximum size required to create a valid transaction.

Couldn't these limits be implictly MAX_STANDARD_TX_WEIGHT and
MAX_STANDARD_TX_NONWITNESS_SIZE, current mempool policy limits ?

Also, nothing is specified on disconnection/reconnection, you want to be
sure than
watchtower as ACK every justice tx sent as every one of them maybe
critical. A client
doesn't want to assume is channel is covered and finally not due to its
network
connection being rotten.


> * MUST set `dispute_delta` to the CLTV value specified in the
> `commitment_transaction`.

What's a dispute delta ? You mean the justice-CSV locktime encumbering
outputs ?
Given this one is fixed at channel opening, it should be fixed also for the
channel
hiring lifetime. And server should announce a min_dispute_delta at QoS
`accountability`
announcement.

> * MUST set `transaction_size` to the size of the serialized
> `justice_transaction`, in bytes.

I would remove the transaction size, given that all outputs are
standardized in LN, that would
be a leak on how much payment traffic is going through the client without
any channel breach.

> * MUST set `transaction_fee` to the fee set in the `justice_transaction`,
> in satoshis.

Generally, the idea to provide justice tx with pre-signed fees to a
watchtower and expect
this one to do is job reliably somewhere in the future seem a weak
assumption... Every watchtower
following this protocol should handle dynamic fees, that's should be a
basic service not even
a QoS. It may through CPFP (but won't be reliable until package relay( or
RBF'ing the justice
tx through usage of SIGHASH_ANYONECANPAY, no need interactivity with the
user at broadcast,
but you m

Re: [Lightning-dev] Proof-of-work vs fees

2019-11-28 Thread Orfeas Stefanos Thyfronitis Litos 
Hi ZmnSCPxj,

>>> -   Locking the up-front fees for a time, then reverting them to the 
>>> original sender.
>>
>> This means that I can burst-spam today, wait until unlock, repeat. If the 
>> PoW scheme somehow enforces fresh PoWs (e.g. by needing (nonce || recent 
>> block hash) as proof), I can't do this attack.
> 
> But in order for PoW to actively limit spam, the PoW target must be high 
> enough that you can burst-spam today, wait until you get your *next* 
> passes-the-threshold PoW, repeat.
> The difference is that PoW has more variance, but that variance itself can 
> limit non-spam usage (in much the same way that too high an up-front locktime 
> would also limit non-spam usage).

We wouldn't be able to burst-spam with PoW if it was (nonce || recent block 
hash || recipient public key). Including the pubkey there makes sense anyway.

We can further concatenate some kind of `secret_to_get_fees` in the PoW so that 
P the payer can't outsource the PoW calculation to some service S without P 
trusting that S won't steal the fee. I.e. P can't buy the PoW.
 
> Money represents the allocation of available energy (by the simple mechanism 
> of purchasing energy using money; the invisible hand is really the mechanism 
> which directs energy towards the production of goods that are demanded), and 
> PoW is a proof that somebody allocated available energy for the production of 
> the PoW.

I think I understand now the root of our disagreement, please correct me if I'm 
wrong.
You are saying that PoWs, being a scarce resource, have a market value. In 
other words, we can engineer PoW in a way that it can be bought for money.
I'm saying that PoW and fees are not blindly interchangeable as an anti-spam 
measure for LN. (Heck, even the various versions of PoW we devised in this 
thread are not interchangeable!) I'm further saying that we don't know whether 
every PoW-based scheme can be transformed to an equivalent fee-based scheme.

In this sense, I believe we are both right.

The argument "there is a market price for PoW, therefore PoW and fees are 
equivalent, therefore we can use fees and PoW interchangeably for LN anti-spam" 
is not correct though. Just s/PoW/sneakers and the reason will become obvious. 
(This substitution is OK because neither sneakers nor PoWs can be converted 
back to abstract energy and reused to produce different goods, only exchanged 
for other manufactured goods or money.)

Best,
Orfeas

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev