Add anti-probing penalty to `ProbabilisticScorer` #1555

tnull · 2022-06-21T14:37:51Z

Currently, channel balances may be rather easily discovered through probing. This however poses a privacy risk, since the analysis of balance changes over adjacent channels could in the worst case empower an adversary to mount an end-to-end deanonymization attack, i.e., track who payed whom.

The penalty added here is applied so we prefer nodes with a smaller htlc_maximum_msat, which makes balance discovery attacks harder to execute. As this improves privacy network-wide, we treat such nodes preferentially and hence create an incentive to restrict htlc_maximum_msat.

Closes #1515

tnull · 2022-06-21T14:38:59Z

Currently figuring out how to make a test happen, therefore still in draft mode.

lightning/src/routing/scoring.rs

codecov-commenter · 2022-06-21T14:57:30Z

Codecov Report

Merging #1555 (800ccec) into main (79e2af9) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1555      +/-   ##
==========================================
- Coverage   91.04%   91.03%   -0.01%     
==========================================
  Files          80       80              
  Lines       44072    44101      +29     
  Branches    44072    44101      +29     
==========================================
+ Hits        40125    40148      +23     
- Misses       3947     3953       +6

Impacted Files	Coverage Δ
lightning/src/routing/gossip.rs	`91.94% <100.00%> (+<0.01%)`	⬆️
lightning/src/routing/scoring.rs	`96.80% <100.00%> (+0.10%)`	⬆️
lightning/src/chain/onchaintx.rs	`93.98% <0.00%> (-0.93%)`	⬇️
lightning/src/ln/functional_tests.rs	`97.19% <0.00%> (-0.03%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 79e2af9...800ccec. Read the comment docs.

lightning/src/routing/gossip.rs

TheBlueMatt · 2022-06-21T18:08:53Z

lightning/src/routing/scoring.rs

+
+		let network_graph = self.network_graph.read_only();
+		let mut anti_probing_penalty_msat = 0;
+		if let Some(chan) = network_graph.channels().get(&short_channel_id) {


We shouldn't do a lookup here, we should instead shove the relevant info into EffectiveCapacity so we can read it via the usage.

Hmpf, I agree that the lookup (especially on every invocation) is unfortunate. I now went this way with d19827e, but I'm not really happy about breaking the so far pretty clean interface of EffectiveCapacity. At lest we will soon be able to remove the Option<> around htlc_maximum_msat and probably Unknown.

lightning/src/routing/scoring.rs

TheBlueMatt

Basically LGTM

TheBlueMatt · 2022-06-24T16:06:30Z

Looks like this needs rebase after #1550. Feel free to squash when you do so.

tnull · 2022-06-24T16:41:33Z

Squashed and rebased.

TheBlueMatt

Makes #1519 all the more important.

lightning/src/routing/scoring.rs

Currently, channel balances may be rather easily discovered through probing. This however poses a privacy risk, since the analysis of balance changes over adjacent channels could in the worst case empower an adversary to mount an end-to-end deanonymization attack, i.e., track who payed whom. The penalty added here is applied so we prefer nodes with a smaller `htlc_maximum_msat`, which makes balance discovery attacks harder to execute. As this improves privacy network-wide, we treat such nodes preferentially and hence create an incentive to restrict `htlc_maximum_msat`.

tnull marked this pull request as draft June 21, 2022 14:38

tnull commented Jun 21, 2022

View reviewed changes