Michael Folkson [ARCHIVE] on Nostr: 📅 Original date posted:2023-05-10 🗒️ Summary of this message: Reputation data ...
📅 Original date posted:2023-05-10
🗒️ Summary of this message: Reputation data can assist in making probabilistic judgments about future behavior, but it cannot guarantee security. It is not a protocol or P2P gossiping issue, and there may be competing reputation data providers and services.
📝 Original message:
>From my perspective it really comes down to whether you want security *guarantees* or data to assist you in making probabilistic judgments about future behavior. Reputation data or reputation systems will never give you guarantees for the reasons Christian explains. But reputation data is better than nothing and depending on the quality and granularity of the data could be considerably better than nothing. In the most basic case of deciding on a potential channel counterparty I would much rather choose a counterparty who has demonstrated competence and reliability over a number of years than a channel counterparty who has just joined the network and who I know nothing about. Similarly a Lightning node that hasn't carried a jamming attack for multiple years despite having the opportunity to is a much better bet than a Lightning node of which I know nothing.
Now where it sits on the software stack assuming a user opts into such a reputation "service" (plugin maybe or more likely an API) is I think what in essence this discussion is about. As I've already stated previously and which I agree with Christian on is that it isn't/shouldn't be a protocol or a P2P gossiping issue. In the same way as we have multiple Lightning explorers (1ML, Amboss etc) that aren't part of the Lightning protocol or part of the "core" of a Lightning node you can expect there would be competing reputation data providers and services. Also many users for privacy and/or other reasons won't be interested in using or participating in (to the extent they can opt out if the data is public) a reputation service.
So yeah I think I'm somewhere in between Christian's and Antoine's perspectives here. I do think there are interesting projects, services or even businesses in this area of reputation but it isn't a protocol/P2P gossiping issue or a "core" of a Lightning node issue.
Thanks
Michael
[0]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003766.html
--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
------- Original Message -------
On Wednesday, May 10th, 2023 at 12:57, Christian Decker <decker.christian at gmail.com> wrote:
> Hi Antoine,
>
> this is an intrinsic issue with reputation systems, and the main
> reason I'm sceptical w.r.t. their usefulness in lightning.
> Fundamentally any reputation system bases their expectations for the
> future on experiences they made in the past, and they are thus always
> susceptible to sudden behavioral changes (going rogue from a prior
> clean record) and whitewashing attacks (switching identity, abusing
> any builtin bootstrapping method for new users to gain a good or
> neutral reputation before turning rogue repeatedly).
>
> This gets compounded as soon as we start gossiping about reputations,
> since now our decisions are no longer based just on information we can
> witness ourselves, or at least verify its correctness, and as such an
> attacker can most likely "earn" a positive reputation in some other
> part of the world, and then turn around and attack the nodes that
> trusted the reputation shared from those other parts.
>
> I'd be very interested in how many repeat interactions nodes get from
> individual senders, since that also tells us how much use we can get
> out of local-only reputation based systems, and I wouldn't be
> surprised if, for large routing nodes, we have sufficient data for
> them to make an informed decision, while the edges may be more
> vulnerable, but they'd also be used by way fewer senders, and the
> impact of an attack would also be proportionally smaller.
>
> Cheers,
> Christian
>
> On Mon, May 8, 2023 at 10:26 PM Antoine Riard antoine.riard at gmail.com wrote:
>
> > Hi *,
> >
> > > Our suggestion is to start simple with a binary endorsement field. As
> > > we learn more, we will be better equipped to understand whether a
> > > more expressive value is required.
> >
> > I think the HTLC endorsement scheme as proposed is still suffering from a vulnerability as local reputation can be built up during periods of low routing fees, endorsement gained and then abused during periods of high routing fees. Therefore, it sounds to me this scheme should aim for some reputational transitivity between incoming traffic and outgoing traffic. Namely, the acquisition cost of the local reputation should be equal to the max timevalue damage that one can inflict on a routing node channel accessible from its local counterparty granting this high-level of reputation.
> >
> > I don't know if this can be fixed by ensuring permanent link-level "gossip" where counterparties along a payment path expose their reputation heuristics to guarantee this transitivity, or it's a fundamental issue with a point-to-point approach like HTLC endorsement.
> >
> > Opened an issue on the repository to converge on a threat model:
> > https://github.com/ClaraShk/LNJamming/pull/13
> >
> > I still think building data gathering infrastructure for Lightning is valuable as ultimately any jamming mitigation will have to adapt its upfront fees or reputation acquisition cost in function of HTLC traffic and market forces.
> >
> > Looking forward to giving an update on Staking Credentials [0], an end-to-end approach to mitigate channel jamming.
> >
> > Best,
> > Antoine
> >
> > [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html
> >
> > Le dim. 30 avr. 2023 à 03:57, Carla Kirk-Cohen kirkcohenc at gmail.com a écrit :
> >
> > > Hi list,
> > >
> > > Some updates on channel jamming!
> > >
> > > # Next Call
> > > - Monday 01 May @ 15:00 UTC
> > > - https://meet.jit.si/UnjammingLN
> > > - Agenda: https://github.com/ClaraShk/LNJamming/issues/12
> > >
> > > # Data Gathering
> > > During these weekly calls, we've come to agreement that we would like
> > > to gather data about the use of HTLC endorsement and local reputation
> > > tracking for jamming mitigation. A reminder of the full scheme is
> > > included at the end of this email, and covered more verbosely in [1].
> > >
> > > We have a few goals in mind:
> > > - Observe the effect of endorsement in the steady state with
> > > logging-only implementation.
> > > - Gather real-world data for use in future simulation work.
> > > - Experiment with different algorithms for tracking local reputation.
> > >
> > > The minimal changes required to add HTLC endorsement are outlined in [2].
> > > Our suggestion is to start simple with a binary endorsement field. As
> > > we learn more, we will be better equipped to understand whether a
> > > more expressive value is required.
> > >
> > > With this infrastructure in place, we can start to experiment with
> > > various local reputation schemes and data gathering, possibly even
> > > externally to LN implementations in projects like circuitbreaker [3].
> > > We'd be interested to hear whether there's any appetite to deploy using
> > > an experimental TLV value?
> > >
> > > # Reputation Scheme
> > > - Each node locally tracks the reputation of its direct neighbors.
> > > - Each node allocates, per its risk tolerance:
> > > - A number of slots reserved for endorsed HTLCs from high reputation
> > > peers.
> > > - A portion of liquidity reserved for endorsed HTLCs from high
> > > reputation peers.
> > > - Forwarding of HTLCs:
> > > - If a HTLC is endorsed by a high reputation peer, it is forwarded
> > > as usual with endorsed = 1.
> > > - Otherwise, it is forwarded with endorsed = 0 if there are slots and
> > > liquidity available for unknown HTLCs.
> > >
> > > Endorsement and reputation are proposed as the first step in a two part
> > > scheme for mitigating channel jamming:
> > > - Reputation for slow jams which are easily detected as misbehavior.
> > > - Unconditional fees for quick jams that are difficult to detect, as
> > > they can always fall under a target threshold.
> > >
> > > Looking forward to discussing further in the upcoming call!
> > >
> > > Best,
> > > Carla and Clara
> > >
> > > [1] https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343
> > > [2] https://github.com/lightning/bolts/pull/1071
> > > [3] https://github.com/lightningequipment/circuitbreaker
> > > _______________________________________________
> > > Lightning-dev mailing list
> > > Lightning-dev at lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
> >
> > _______________________________________________
> > Lightning-dev mailing list
> > Lightning-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
🗒️ Summary of this message: Reputation data can assist in making probabilistic judgments about future behavior, but it cannot guarantee security. It is not a protocol or P2P gossiping issue, and there may be competing reputation data providers and services.
📝 Original message:
>From my perspective it really comes down to whether you want security *guarantees* or data to assist you in making probabilistic judgments about future behavior. Reputation data or reputation systems will never give you guarantees for the reasons Christian explains. But reputation data is better than nothing and depending on the quality and granularity of the data could be considerably better than nothing. In the most basic case of deciding on a potential channel counterparty I would much rather choose a counterparty who has demonstrated competence and reliability over a number of years than a channel counterparty who has just joined the network and who I know nothing about. Similarly a Lightning node that hasn't carried a jamming attack for multiple years despite having the opportunity to is a much better bet than a Lightning node of which I know nothing.
Now where it sits on the software stack assuming a user opts into such a reputation "service" (plugin maybe or more likely an API) is I think what in essence this discussion is about. As I've already stated previously and which I agree with Christian on is that it isn't/shouldn't be a protocol or a P2P gossiping issue. In the same way as we have multiple Lightning explorers (1ML, Amboss etc) that aren't part of the Lightning protocol or part of the "core" of a Lightning node you can expect there would be competing reputation data providers and services. Also many users for privacy and/or other reasons won't be interested in using or participating in (to the extent they can opt out if the data is public) a reputation service.
So yeah I think I'm somewhere in between Christian's and Antoine's perspectives here. I do think there are interesting projects, services or even businesses in this area of reputation but it isn't a protocol/P2P gossiping issue or a "core" of a Lightning node issue.
Thanks
Michael
[0]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003766.html
--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
------- Original Message -------
On Wednesday, May 10th, 2023 at 12:57, Christian Decker <decker.christian at gmail.com> wrote:
> Hi Antoine,
>
> this is an intrinsic issue with reputation systems, and the main
> reason I'm sceptical w.r.t. their usefulness in lightning.
> Fundamentally any reputation system bases their expectations for the
> future on experiences they made in the past, and they are thus always
> susceptible to sudden behavioral changes (going rogue from a prior
> clean record) and whitewashing attacks (switching identity, abusing
> any builtin bootstrapping method for new users to gain a good or
> neutral reputation before turning rogue repeatedly).
>
> This gets compounded as soon as we start gossiping about reputations,
> since now our decisions are no longer based just on information we can
> witness ourselves, or at least verify its correctness, and as such an
> attacker can most likely "earn" a positive reputation in some other
> part of the world, and then turn around and attack the nodes that
> trusted the reputation shared from those other parts.
>
> I'd be very interested in how many repeat interactions nodes get from
> individual senders, since that also tells us how much use we can get
> out of local-only reputation based systems, and I wouldn't be
> surprised if, for large routing nodes, we have sufficient data for
> them to make an informed decision, while the edges may be more
> vulnerable, but they'd also be used by way fewer senders, and the
> impact of an attack would also be proportionally smaller.
>
> Cheers,
> Christian
>
> On Mon, May 8, 2023 at 10:26 PM Antoine Riard antoine.riard at gmail.com wrote:
>
> > Hi *,
> >
> > > Our suggestion is to start simple with a binary endorsement field. As
> > > we learn more, we will be better equipped to understand whether a
> > > more expressive value is required.
> >
> > I think the HTLC endorsement scheme as proposed is still suffering from a vulnerability as local reputation can be built up during periods of low routing fees, endorsement gained and then abused during periods of high routing fees. Therefore, it sounds to me this scheme should aim for some reputational transitivity between incoming traffic and outgoing traffic. Namely, the acquisition cost of the local reputation should be equal to the max timevalue damage that one can inflict on a routing node channel accessible from its local counterparty granting this high-level of reputation.
> >
> > I don't know if this can be fixed by ensuring permanent link-level "gossip" where counterparties along a payment path expose their reputation heuristics to guarantee this transitivity, or it's a fundamental issue with a point-to-point approach like HTLC endorsement.
> >
> > Opened an issue on the repository to converge on a threat model:
> > https://github.com/ClaraShk/LNJamming/pull/13
> >
> > I still think building data gathering infrastructure for Lightning is valuable as ultimately any jamming mitigation will have to adapt its upfront fees or reputation acquisition cost in function of HTLC traffic and market forces.
> >
> > Looking forward to giving an update on Staking Credentials [0], an end-to-end approach to mitigate channel jamming.
> >
> > Best,
> > Antoine
> >
> > [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-November/003754.html
> >
> > Le dim. 30 avr. 2023 à 03:57, Carla Kirk-Cohen kirkcohenc at gmail.com a écrit :
> >
> > > Hi list,
> > >
> > > Some updates on channel jamming!
> > >
> > > # Next Call
> > > - Monday 01 May @ 15:00 UTC
> > > - https://meet.jit.si/UnjammingLN
> > > - Agenda: https://github.com/ClaraShk/LNJamming/issues/12
> > >
> > > # Data Gathering
> > > During these weekly calls, we've come to agreement that we would like
> > > to gather data about the use of HTLC endorsement and local reputation
> > > tracking for jamming mitigation. A reminder of the full scheme is
> > > included at the end of this email, and covered more verbosely in [1].
> > >
> > > We have a few goals in mind:
> > > - Observe the effect of endorsement in the steady state with
> > > logging-only implementation.
> > > - Gather real-world data for use in future simulation work.
> > > - Experiment with different algorithms for tracking local reputation.
> > >
> > > The minimal changes required to add HTLC endorsement are outlined in [2].
> > > Our suggestion is to start simple with a binary endorsement field. As
> > > we learn more, we will be better equipped to understand whether a
> > > more expressive value is required.
> > >
> > > With this infrastructure in place, we can start to experiment with
> > > various local reputation schemes and data gathering, possibly even
> > > externally to LN implementations in projects like circuitbreaker [3].
> > > We'd be interested to hear whether there's any appetite to deploy using
> > > an experimental TLV value?
> > >
> > > # Reputation Scheme
> > > - Each node locally tracks the reputation of its direct neighbors.
> > > - Each node allocates, per its risk tolerance:
> > > - A number of slots reserved for endorsed HTLCs from high reputation
> > > peers.
> > > - A portion of liquidity reserved for endorsed HTLCs from high
> > > reputation peers.
> > > - Forwarding of HTLCs:
> > > - If a HTLC is endorsed by a high reputation peer, it is forwarded
> > > as usual with endorsed = 1.
> > > - Otherwise, it is forwarded with endorsed = 0 if there are slots and
> > > liquidity available for unknown HTLCs.
> > >
> > > Endorsement and reputation are proposed as the first step in a two part
> > > scheme for mitigating channel jamming:
> > > - Reputation for slow jams which are easily detected as misbehavior.
> > > - Unconditional fees for quick jams that are difficult to detect, as
> > > they can always fall under a target threshold.
> > >
> > > Looking forward to discussing further in the upcoming call!
> > >
> > > Best,
> > > Carla and Clara
> > >
> > > [1] https://gist.github.com/carlaKC/be820bb638624253f3ae7b39dbd0e343
> > > [2] https://github.com/lightning/bolts/pull/1071
> > > [3] https://github.com/lightningequipment/circuitbreaker
> > > _______________________________________________
> > > Lightning-dev mailing list
> > > Lightning-dev at lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
> >
> > _______________________________________________
> > Lightning-dev mailing list
> > Lightning-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev