Specify Client-Side Oracle Validation #120
Conversation
| * MUST fetch oracle pubkey. | ||
| * MUST fetch any oracle pubkey available. | ||
| * MUST persist its keyring across restart/shutdown. | ||
|
|
There was a problem hiding this comment.
Should we also recommend a encrypted & authenticated channel so they have less of chance of being man-in-the-middle'd
There was a problem hiding this comment.
Also should we add recommendations of where to obtain the oracle's keys? ie directly from oracle vs oracle explorer
There was a problem hiding this comment.
Yes I think rn we don't have specific communication protocols for oracle discovery, you might have
- a DNS seed (e.g BOLT 10) relying on trusting DNS servers
- a manual copy-paste from few oracle repositories (e.g 1ml.com)
- a oracle existence gossips network (e.g BOLT 7) with some attributes filtered by user preferences
- a hardcoded initial list provided by DLC client vendors
- ....
Even if you answer "What's a good oracle to me ?", you still have to find the list of such "good" oracles without them being hidden or unknown from you, or if you have some central repo avoiding this one becoming a bait ?
Should we also recommend a encrypted & authenticated channel so they have less of chance of being man-in-the-middle'd
First, how do you ensure that the pubkey you're opening a E&A transport with is really owned by the entity you expect to talk with ?
There was a problem hiding this comment.
Should we also recommend a encrypted & authenticated channel so they have less of chance of being man-in-the-middle'd
I don't see the point of an authenticated channel to receive oracle information if the oracle announcements (and attestations) are themselves authenticated.
Also should we add recommendations of where to obtain the oracle's keys? ie directly from oracle vs oracle explorer
I think it's up to the users who they trust more, and I don't really see a technical rational for choosing one over the other? (and thus I don't think we should recommend anything, at least at this stage).
There was a problem hiding this comment.
I don't see the point of an authenticated channel to receive oracle information if the oracle > announcements (and attestations) are themselves authenticated.
It might be good to heartbeat your connections with a oracle to detect any kind of oracle censorship attempt. Wouldn't achieve its effect with unauthenticated channel. Though such heartbeat might not be great to preserve your privacy toward the oracle, trade-off...
I think it's up to the users who they trust more, and I don't really see a technical rational for choosing one over the other? (and thus I don't think we should recommend anything, at least at this stage).
Once we have lazyness/fraud proofs we might have some kind of scoring and selection engine? But overall agree too early for now..
There was a problem hiding this comment.
It might be good to heartbeat your connections with a oracle to detect any kind of oracle censorship attempt. Wouldn't achieve its effect with unauthenticated channel. Though such heartbeat might not be great to preserve your privacy toward the oracle, trade-off...
Yeah not great for privacy, and I don't really see a big upside. If you get censored there is not much you can do I think? And if there is something you can do, you should be able to do it even if you detect it only at maturation time if you setup a long enough refund time lock.
Once we have lazyness/fraud proofs we might have some kind of scoring and selection engine? But overall agree too early for now..
Yes we might. But still I personally feel it will be up to the users which scoring or selection engine they'd want to chose, or if they just trust an oracle more than those. I think what I'm saying is that such considerations might not have their place in the specifications.
There was a problem hiding this comment.
If you get censored there is not much you can do I think? And if there is something you can do, you should be able to do it even if you detect it only at maturation time if you setup a long enough refund time lock.
First we should dissociate oracle censorship from bitcoin p2p censorship. They may overlap or not. Secondly, you might have redundant communication channels, only enabled in case of emergency (including worst-case scenario sending a mail to a human operator to get involved). And if it's a tx-relay censorship, it might be hard to dissociate from a congestioned mempool...
That said, no a worry to address those issues now.
Oracle-Validation.md
Outdated
| Authenticating oracle event prevents time-value DoS where a DLC is entered relying on a known honest oracle which doesn't have committed to the DLC event signing. | ||
|
|
||
|
|
||
| TODO: sybil attack where honest connections to Olivia are censored until `refund_tx` is valid ? |
There was a problem hiding this comment.
What aspect of this is a sybill attack?
There was a problem hiding this comment.
Depends if oracle discovery is happening through any kind of p2p mechanisms. If you learn oracle through a DNS record and the server cache is poisoned do you consider this as a sybil attack ? But yes better to call this oracle censorship, which is beyond the scope of this PR.
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
4b533e3 to
cebf2df
Compare
|
Finally updated this PR, incorporating new I think this comment merits its own meeting discussion, how do we make oracle discovery accessible is a really good question. |
Oracle-Validation.md
Outdated
| Authenticating the `oracle_attestation` against a previously accepted announcement prevent CPU DoS | ||
| against a DLC client feeded with expensive-to-validate messages. | ||
|
|
||
| TODO: `oracle_attestation` should be signed against `oracle_public_key` to prevent forging of invalid `oracle_attestation` by an attacker ? |
There was a problem hiding this comment.
Not sure what this means? Aren't oracle_attestations unforgeable?
There was a problem hiding this comment.
Olivia announces event_id=XYZ with pubkey.Olivia. It's committed by Alice and Bob in their DLC. Mallory, a malicious oracle is connected to Alice for an unrelated event_id=ABC. XYZ is a public event announcement, so Mallory might guess that Alice consumes this oracle.
When event XYZ maturity comes, Mallory feeds Alice with an attestation {event_id=XYZ, oracle_public_key=Olivia, sigs=invalid}. Is there a risk of triggering Alice to severe her connection for faulty sigs or return a specific error to Mallory leaking event_id=XYZ usage ?
There was a problem hiding this comment.
In the sense that only Olivia can create a valid attestation under her announcement -- yes this is a requirement generally. Any invalid attestation should just be ignored. I don't think there is a need to sign the attestation.
There was a problem hiding this comment.
Just ignoring is a good behavior, otherwise it might be exploited in weird ways. Will add a "if invalid, MUST ignore". I believe CPU DoS can't really be avoided...
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
cebf2df to
f335dc1
Compare
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
f335dc1 to
d0f377c
Compare
|
Updated at d0f377c, requiring to ignore invalid Ready for a new round of reviews. |
| other oracles actually consumed by this DLC client. Accepting unrequested _valid_ `oracle_attestation` | ||
| and broadcasting a CET transaction on the p2p network are observable behaviors revealing DLC presenve | ||
| for the corresponding event and oracle. |
There was a problem hiding this comment.
I don't really follow this part. Do you mean an unrequested oracle_attestation but for which you actually have a DLC? In that case I'm not sure how we could propagate attestation in a P2P setting.
There was a problem hiding this comment.
It's all depend of we propagate messages in this p2p settings.
If it's something similar to tx-relay on the base layer, you do have an inventory-getdata-tx messages sequence. If the inventory is already known by receiver you won't emit a getdata to save on bandwidth/CPU.
If it's something like Lightning gossips, without any announcement, effectively this requirement would be a blocker to process attestations.
So yeah I agree, I think that's a small mitigation against DoS assuming our p2p network fits the first model. Likely to early as a reasoning 😅
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
d0f377c to
80b1cd5
Compare
|
@nkohen Let me know what needs to get done on this PR. I think Lloyd is okay to land it and integrate expected changes around attestation/announcement keys later. |
Oracle-Validation.md
Outdated
|
|
||
| Rejecting announcement for which the `oracle_public_key` hasn't been accepted by client oracle | ||
| selection policy and announcement hasn't been authenticated prevent usage of lazy or malicious | ||
| oracles. Authenticating event also prevent entering in a DLC position for which the event won't |
There was a problem hiding this comment.
what is a lazy oracle and how is it different to a malicious oracle?
There was a problem hiding this comment.
I think a malicious oracle might be qualified by an equivocation proof. A lazy would be one faulting to commit to a yet-to-be-designed-and-proposed-on-the-ml-publication space :)
Note, I made the same point during my fraud point review that we should have better security definitions of notions like equivocation, invalidity, falseness and maybe lazyness. See #152
Dropping for now we can revise later.
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
80b1cd5 to
a8cac0c
Compare
|
ping @nkohen :) |
| # `oracle_announcement` Authentication | ||
|
|
||
| [`oracle_announcement`](https://github.com/discreetlogcontracts/dlcspecs/blob/master/Oracle.md#oracle-announcements) | ||
| authentication happens at `offer_dlc` reception, thus verifying binding between an event and an |
There was a problem hiding this comment.
Isn't it also authenticated before offer_dlc construction?
There was a problem hiding this comment.
IIUC your question, your suggesting that a DLC client could pre-authenticated events as soon as they're publicly announced by an oracle but before they're proposed as a contract by a counterparty ?
I think so, added a MAY likewise :
"MAY pre-validate oracle_event signature against the oracle_public_key at the time of its publication"
Beyond the really slight perf improvement, it might also avoid to fetch oracle_public_key on offer_dlc reception, that way preserve receiver anonymity towards the oracle.
| A node: | ||
| - SHOULD NOT fetch `oracle_public_key` if it's already a member of client oracle keyring | ||
| - if `oracle_public_key` has not been accepted by client oracle selection policy: | ||
| - MUST reject the `offer_dlc` |
There was a problem hiding this comment.
is this really a MUST and not a SHOULD? Above you say "SHOULD fetch any oracle_public_key ..."
There was a problem hiding this comment.
Above is a SHOULD NOT ?
If you already know the oracle_public_key, avoid to fetch it again to preserve anonymity towards the oracle.
If you don't know the oracle_public_key, fetch it to authenticate the oracle_announcement.
If this oracle_public_key has been blacklisted by your oracle selection policy, keep it as part of you keyring, otherwise you won't be able to reject offending offer_dlc.
If this oracle_public_key has been accepted by your oracle, accept the proposed offer_dlc.
Do you have another flow in mind ? Note, you might have a size issue on your keyring, but for now let's shrug about tricky DoS.
That's a good remark, clarified with new requirements.
| selection policy and announcement hasn't been authenticated prevent usage of malicious oracles. | ||
| Authenticating the event also prevents entering in a DLC position where the oracle never intends | ||
| to make the attestation, and thus losing the timevalue of the collateral. | ||
|
|
There was a problem hiding this comment.
probably also worth mentioning that valid announcements are required in generating fraud proofs in the case of fraud later on.
ariard
force-pushed
the
2020-12-oracle-validation
branch
from
a8cac0c to
3f181f7
Compare
|
Thanks for the review, updated at 3f181f7 to address Nadav comments. |
A really raw WIP, I still need clarification on
oracle_info/oracle_announcementformats. Also if we scope censorship-resistance of oracle-client communications.