Published on: 2021-02-03T06:33:44+00:00
In an email thread, Rusty Russell asked if a heuristic from a paper is less true after Taproot. The response was that the heuristic is not affected by Taproot. However, Taproot will be useful for keeping private channels private against a certain method. The core idea of this method involves funding public channels and using the change to fund another public channel. By doing so, it is possible to identify the owner of the node that funded both channels. A variant of this method involves using the output of a cooperative close of the first channel to fund the second channel. This allows for identification of the node that funded the first channel as well as the owner of the other UTXO from the close of the first channel. The point of this method is to associate UTXOs with a node ID and any descendant UTXOs, making UTXO probing useless.The article discusses the idea of using PoDLE to protect against parallel attacks. The author argues that immediate broadcast of signaling TX is a bad idea since it leaks the UTXO associated with the signaling TX is creating a channel and suggests lazy broadcast signaling TXs as a good way to protect against sequential attacks but are weak against parallel attacks. The article further explains the steps involved in implementing the PoDLE protocol. It also suggests alternative ways of dealing with UTXO probing outside the protocol such as maintaining a shared UTXO blacklist. While the author's bias is towards doing nothing and keeping things simple, he acknowledges that taproot will change the game for private channels but won't do much for public channels. Additionally, the article provides links to research on how effective chainalysis techniques are at associating funding UTXOs to nodes for the most common usage patterns. The article concludes by stating that adding PoDLE could be done later with a feature bit and not currently necessary.Lloyd Fournier proposes changing PoDLE to give it an advantage in parallel attacks. The weakness of the lightning proposal is that the h2 point is not broadcast immediately, instead, participants wait for a failure before broadcasting. Participants should broadcast h2 as soon as they agree to create a transaction with the initiator. If at any time during the transaction creation protocol, they receive the same h2 from someone else, they cancel and don't reveal their UTXOs. They wait about 10 seconds after broadcasting before revealing any UTXOs. However, there are several downsides to this scheme, such as everyone knowing what the participant is doing since they see the signalling tx and Bitcoind doesn't tell if it encounters a conflicting tx from a peer, so we'd probably need to gossip this via lightning instead. Also, if tx fees are low, the signalling tx might be mined. Despite the downsides, it has better protection against parallel attacks than others.In an email exchange between Lloyd Fournier and Rusty Russell, the issue of proving ownership of inputs when using a signaling transaction was discussed. The practical problem with a signaling transaction is that it's difficult to tell if it's conflicting, as Mallory uses a single UTXO to probe for everyone’s UTXO at once. Poor Bob wants to both wait 60 seconds to see if a conflicting transaction ends up in his mempool and broadcast it ASAP to signal to others. He wants to do both of these before revealing his own UTXOs. Lloyd Fournier pointed out that this is a problem with all three schemes he mentioned. There will always be a need to wait for things to be gossiped in some way to catch attempts at parallel sessions. If parallel sessions are legal, then you shouldn't try and catch them; but if they're legal, there will always be an effective dual funding UTXO discovery attack by using one UTXO to hit many targets. The real question is whether it's even worth trying to stop sequential attacks if parallel attacks are unstoppable. PoDLE might have an advantage in parallel attacks if the scheme was changed a bit. A weakness of the lightning proposal compared to the joinmarket idea is that the h2 point is not broadcast immediately, rather you wait for failure and then broadcast it. Instead, a peer should broadcast h2 as soon as they have agreed to create a transaction with the initiator. If at any time during the tx creation protocol they receive the same h2 from someone else, they cancel and don't reveal their UTXOs. Note that here you don't have to randomly select the time you wait. Since this scheme is effective, it would also break the "middleman" idea unless Alice funds with two UTXOs or there is some way for all parties involved in the funding to distinguish gossiped h2s from their funding session from others.In a discussion between Lloyd Fournier, Rusty, and Zman, they considered the idea of doing one signaling transaction out of a group of inputs.
Updated on: 2023-07-31T23:21:37.681062+00:00