[c-lightning] Policy signer PoC

Devrandom c1.devrandom at niftybox.net
Mon Dec 16 11:35:26 AEDT 2019

Thank you for the responses!  See inline:

On Sun, Dec 15, 2019 at 11:14 PM ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:

> Good morning devrandom,
> > Agreed on all points.  Would you agree that there is no risk that
> composable musig (or musig composed with threshold sig) is impossible for
> some reason?  i.e. we are just searching for the most convenient protocol
> and we have some candidates?
> In http://www.erisian.com.au/taproot-bip-review/log-2019-11-22.html
> nickler offhandedly mentions "definitely something we want to support in
> libsecp-zkp" with regards to my proposed multi-`R` proposal for composable
> MuSig, so it seems this is likely to at least be supported in base
> libraries.
> The multi-`R` proposal simply has the drawback that you are leaking how
> many signers you actually have for your node, when in principle the other
> side of the channel should not have to know this information.
> Closing that privacy leak is theoretically possible if we have some
> commitment scheme on points that is homomorphic to addition of points but
> *not* homomorphic to negation of points.
> It is not clear if the attack on ElGamal (which allows negation of points)
> is something that can actually be promoted into a "real" attack, but the
> existence of that negation does seem to complicate proving that using
> ElGamal commitments is secure, at least as I understand from private
> communications with at least one MuSig paper author.
> So there is a reasonable chance that multi-`R` gets into Lightning, as it
> is a trivial extension of the MuSig protocol, but it is not clear if
> "better" commitment schemes for the first phase of MuSig is possible.

Got it, thank you.

> > - The backup should be per-channel, so that an update of the backup on a
> channel state change is O(1)
> This is not quite what C-lightning supports currently; we have a single
> `db_write` hook that includes all database updates for all channels, with
> no easy way (other than writing an SQL parser yourself) to determine which
> channel is being updated.

Got it, perhaps it can be modified later on.

> > - The signer should have its own signed backup in case the node is
> compromised.  There will probably be a need to reconcile the state of the
> node and the signer - i.e. the last state change should be replayed if
> necessary.
> It seems to me that the signer could be stateless?

Unfortunately, not having a tamper proof persistent store for the signer
opens up some attacks.  For example, if you can make the signer believe
that the last transaction didn't happen, you can have it counter-sign a
revoked transaction, losing all funds in the channel.  So the signer's
store must be persistent and resistant to rollback.


> > - It seems that the communication channel between the node and the
> signer should already be encrypted and authenticated for privacy.
> Therefore the only encryption needed is for the backup at rest.  In that
> case, I would have the hsmd process encrypt internally - the node doesn't
> have to worry about it.
> Assuming the signing hardware is not too far from the node physically, it
> seems to me that it is the hardware on which the node software is running
> that is easiest to exploit (in which case the node software credentials may
> already be compromised), but in any case an additional encryption and
> authentication seems fine to me.

Let's consider the node backup and the signer backup separately.

Node backup:

Once the secrets are externalized to a separate signer, the node backup
needs encryption only for privacy.  An attacker can't steal funds just by
accessing that backup.

In any case, the integrity of the backup should also be ensured, otherwise
the node may not function correctly (a DoS vector).  That can be done via a
separate mechanism, e.g. a signature or a MAC.

Signer backup:

Separately, there will be a backup of the signer, which needs both
confidentiality *and* a high level of integrity (no rollback).

Once we have Eltoo, broadcasting an old state is not catastrophic anymore,
since we can further spend that with a later state stored elsewhere.  So
the integrity requirements will be somewhat reduced.  For example, if you
have multiple backups, only one of them needs to be current and it's safe
for all of them to try to broadcast.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/c-lightning/attachments/20191216/9db33dd4/attachment.htm>

More information about the c-lightning mailing list