Alejandro Ranchal Pedrosa [ARCHIVE] on Nostr: 📅 Original date posted:2019-04-15 📝 Original message: Hi all, This is the ...
📅 Original date posted:2019-04-15
📝 Original message:
Hi all,
This is the second of three related different emails on the topic,
through which I will explain what, to my understanding, is the state of
the construction of channel factories.
Knowing what a stale factory situation is, let's have a look at the only
off-chain proposal that claims to solve this situation: the splice-out
mechanism [1]. I will explain why this mechanism can be easily attacked
in what we call the Broken Factory attack [2].
Suppose a factory created between Alice, Bob, Carol and Dave, with
channels F_{AC}, F_{AB}, F_{BC} and F_{CD} (F for "funding"), for instance:
Alice Bob Carol Dave
\ \ / /
\ \ / /
\ | | /
H_{ABCD}
|
A^0_{ABCD}
/ | | \
/ | | \
/ | | \
F_{AC} F_{AB} F_{BC} F_{CD}
/ | | |
R^1_{AC} R^1_{AB} R^1_{BC} R^1_{CD}
Where H_{ABCD} and A^0_{ABCD} refer to the Hook and Allocation
transactions of the factory, the equivalents of the Funding and
Refunding transactions of channels, respectively.
Suppose now that Dave, meaning that they cannot update the channel
factory. If they wanted to perform a factory-level update, the
splice-out mechanism should let them do that by redirecting outputs of
the channels of the factory a new factory (sort of creating a factory
within the factory):
Alice Bob Carol Dave
\ \ / /
\ \ / /
\ | | /
H_{ABCD}
|
A^0_{ABCD}
/ | | \
/ | | \
/ | | \
F_{AC} F_{AB} F_{BC} F_{CD}
/ | | |
R^1_{AC} #R^1_{AB}# R^1_{BC} R^1_{CD}
\ | |
\ | /
\ | /
*H_{ABC}*
And within this new Hook, Alice Bob and Carol can reorder the funds in
new channels as they lack. However, notice that the new Hook (marked
with "*") takes the outputs of 2-party off-chain channels. Suppose now
that, after creating the new hook, Alice and Bob pay in this new factory
to Carol, through some new channels they created. Carol believes the
splice-out mechanism works and so accepts these off-chain payments.
Right after, Alice and Bob can update their former channel state (marked
with "#" in the above image) and invalidate the state R^1_{AB}, making
it older than a new state R^2_{AB}. This invalidates one of the inputs
of the new Hook H_{ABC}, invalidating the transaction and the whole new
factory. Therefore, Alice and Bob have stolen from Carol. This is what
we call a Broken Factory, and which proves that the splice-out mechanism
is not possible, at least without a race condition.
--
Alejandro Ranchal-Pedrosa
[1]: Scalable Funding of Bitcoin MicropaymentChannel Networks
[2]: Scalable Lightning Factories for Bitcoin
📝 Original message:
Hi all,
This is the second of three related different emails on the topic,
through which I will explain what, to my understanding, is the state of
the construction of channel factories.
Knowing what a stale factory situation is, let's have a look at the only
off-chain proposal that claims to solve this situation: the splice-out
mechanism [1]. I will explain why this mechanism can be easily attacked
in what we call the Broken Factory attack [2].
Suppose a factory created between Alice, Bob, Carol and Dave, with
channels F_{AC}, F_{AB}, F_{BC} and F_{CD} (F for "funding"), for instance:
Alice Bob Carol Dave
\ \ / /
\ \ / /
\ | | /
H_{ABCD}
|
A^0_{ABCD}
/ | | \
/ | | \
/ | | \
F_{AC} F_{AB} F_{BC} F_{CD}
/ | | |
R^1_{AC} R^1_{AB} R^1_{BC} R^1_{CD}
Where H_{ABCD} and A^0_{ABCD} refer to the Hook and Allocation
transactions of the factory, the equivalents of the Funding and
Refunding transactions of channels, respectively.
Suppose now that Dave, meaning that they cannot update the channel
factory. If they wanted to perform a factory-level update, the
splice-out mechanism should let them do that by redirecting outputs of
the channels of the factory a new factory (sort of creating a factory
within the factory):
Alice Bob Carol Dave
\ \ / /
\ \ / /
\ | | /
H_{ABCD}
|
A^0_{ABCD}
/ | | \
/ | | \
/ | | \
F_{AC} F_{AB} F_{BC} F_{CD}
/ | | |
R^1_{AC} #R^1_{AB}# R^1_{BC} R^1_{CD}
\ | |
\ | /
\ | /
*H_{ABC}*
And within this new Hook, Alice Bob and Carol can reorder the funds in
new channels as they lack. However, notice that the new Hook (marked
with "*") takes the outputs of 2-party off-chain channels. Suppose now
that, after creating the new hook, Alice and Bob pay in this new factory
to Carol, through some new channels they created. Carol believes the
splice-out mechanism works and so accepts these off-chain payments.
Right after, Alice and Bob can update their former channel state (marked
with "#" in the above image) and invalidate the state R^1_{AB}, making
it older than a new state R^2_{AB}. This invalidates one of the inputs
of the new Hook H_{ABC}, invalidating the transaction and the whole new
factory. Therefore, Alice and Bob have stolen from Carol. This is what
we call a Broken Factory, and which proves that the splice-out mechanism
is not possible, at least without a race condition.
--
Alejandro Ranchal-Pedrosa
[1]: Scalable Funding of Bitcoin MicropaymentChannel Networks
[2]: Scalable Lightning Factories for Bitcoin