Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2019-11-22 📝 Original message: Bastien TEINTURIER ...
📅 Original date posted:2019-11-22
📝 Original message:
Bastien TEINTURIER <bastien at acinq.fr> writes:
> I think there's another alternative than upfront payments to prevent spam,
> which is maybe less
> controversial (but potentially less effective as well - to be investigated).
>
> Why not adapt what has been done with email spam and PoW/merkle puzzles?
If we can't come up with an untracable scheme, this is what we'll have
to do (i.e. remove the sats component).
Unfortunately botnets are really good at generating these. That was
always the hashcash flaw (which is why it was never actually used).
Using a dynamic level is possible, too, so it gets harder in case we're
being spam attacked.
Cheers,
Rusty.
> The high-level idea would be that the sender must solve a small PoW puzzle *for
> each intermediate *
> *node *and communicate the solution in the onion.
> There are many ways we could do that (a new field in each intermediate hop,
> grinding an HMAC
> prefix, etc) so before going into specifics I only wanted to submit the
> high-level idea.
> What's neat with this is that it's simple, doesn't leak any privacy, and
> avoids having to create a
> node reputation system.
>
> We fight spam by forcing the sender to use some resources (instead of sats).
> Maybe this idea has already been proposed and broken, if that's the case
> I'd love to see the
> discussion if someone can surface it.
>
>
> Cheers,
> Bastien
>
> Le lun. 11 nov. 2019 à 00:32, Rusty Russell <rusty at rustcorp.com.au> a
> écrit :
>
>> Anthony Towns <aj at erisian.com.au> writes:
>> > On Fri, Nov 08, 2019 at 01:08:04PM +1030, Rusty Russell wrote:
>> >> Anthony Towns <aj at erisian.com.au> writes:
>> >> [ Snip summary, which is correct ]
>> >
>> > Huzzah!
>> >
>> > This correlates all the hops in a payment when the route reaches its end
>> > (due to the final preimage getting propogated back for everyone to
>> justify
>> > the funds they claim). Maybe solvable by converting from hashes to ECC
>> > as the trapdoor function?
>>
>> I hadn't thought of this, but yes, once we've eliminated the trivial
>> preimage correlation w/scriptless scripts it'd be a shame to reintroduce
>> it here.
>>
>> We need an accumulator with some strange properties though:
>>
>> 1. Alice provides tokens and a base accumulator.
>> 2. Bob et. al can add these tokens to the accumulator.
>> 3. They can tell if invalid tokens have been added to the accumulator.
>> 4. They can tell how many tokens (alt: each token has a value and they
>> can tell the value sum) have been added.
>> 5. They can't tell what tokens have been added (unless they know all
>> the tokens, which is trivial).
>>
>> Any ideas?
>>
>> > The refund amount propogating back also reveals the path, probably.
>> > Could that be obfusticated by somehow paying each intermediate node
>> > both as the funds go out and come back, so the refund decreases on the
>> > way back?
>> >
>> > Oh, can we make the amounts work like the onion, where it stays constant?
>> > So:
>> >
>> > Alice wants to pay Dave via Bob, Carol. Bob gets 700 msat, Carol gets
>> > 400 msat, Dave gets 300 msat, and Alice gets 100 msat refunded.
>> >
>> > Success:
>> > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0)
>> > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0)
>> > Carol forwards 1500 msat to Dave (-1500, 0, 0, +1500)
>> > Dave refunds 1200 msat to Carol (-1500, 0, +1200, +300)
>> > Carol refunds 800 msat to Bob (-1500, +800, +400, +300)
>> > Bob refunds 100 msat to Alice (-1400, +700, +400, +300)
>>
>> Or, on success, upfront payment is fully refunded or not refunded at all
>> (since they get paid by normal fees)? Either way, no data leak for that
>> case.
>>
>> > Clean routing failure at Carol/Dave:
>> > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0)
>> > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0)
>> > Carol says Dave's not talking
>> > Carol refunds 1100 msat to Bob (-1500, +1100, +400, 0)
>> > Bob refunds 400 msat to Alice (-1100, +700, +400, 0)
>> >
>> > I think that breaks the correlation pretty well, so you just need a
>> > decent way of obscuring path length?
>>
>> I don't see how this breaks correlation?
>>
>> > In the uncooperative routing failure case, I wonder if using an ECC
>> > trapdoor and perhaps scriptless scripts, you could make it so Carol
>> > doesn't even get an updated state without revealing the preimage...
>>
>> I'm not sure. We can make it so Carol has Bob's preimage(s), etc, so
>> that the node which fails doesn't get paid. I initially thought this
>> would just make people pair up (fake) nodes, but it's probably not worth
>> it since their path would be less-selected in that case.
>>
>> Cheers,
>> Rusty.
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>
📝 Original message:
Bastien TEINTURIER <bastien at acinq.fr> writes:
> I think there's another alternative than upfront payments to prevent spam,
> which is maybe less
> controversial (but potentially less effective as well - to be investigated).
>
> Why not adapt what has been done with email spam and PoW/merkle puzzles?
If we can't come up with an untracable scheme, this is what we'll have
to do (i.e. remove the sats component).
Unfortunately botnets are really good at generating these. That was
always the hashcash flaw (which is why it was never actually used).
Using a dynamic level is possible, too, so it gets harder in case we're
being spam attacked.
Cheers,
Rusty.
> The high-level idea would be that the sender must solve a small PoW puzzle *for
> each intermediate *
> *node *and communicate the solution in the onion.
> There are many ways we could do that (a new field in each intermediate hop,
> grinding an HMAC
> prefix, etc) so before going into specifics I only wanted to submit the
> high-level idea.
> What's neat with this is that it's simple, doesn't leak any privacy, and
> avoids having to create a
> node reputation system.
>
> We fight spam by forcing the sender to use some resources (instead of sats).
> Maybe this idea has already been proposed and broken, if that's the case
> I'd love to see the
> discussion if someone can surface it.
>
>
> Cheers,
> Bastien
>
> Le lun. 11 nov. 2019 à 00:32, Rusty Russell <rusty at rustcorp.com.au> a
> écrit :
>
>> Anthony Towns <aj at erisian.com.au> writes:
>> > On Fri, Nov 08, 2019 at 01:08:04PM +1030, Rusty Russell wrote:
>> >> Anthony Towns <aj at erisian.com.au> writes:
>> >> [ Snip summary, which is correct ]
>> >
>> > Huzzah!
>> >
>> > This correlates all the hops in a payment when the route reaches its end
>> > (due to the final preimage getting propogated back for everyone to
>> justify
>> > the funds they claim). Maybe solvable by converting from hashes to ECC
>> > as the trapdoor function?
>>
>> I hadn't thought of this, but yes, once we've eliminated the trivial
>> preimage correlation w/scriptless scripts it'd be a shame to reintroduce
>> it here.
>>
>> We need an accumulator with some strange properties though:
>>
>> 1. Alice provides tokens and a base accumulator.
>> 2. Bob et. al can add these tokens to the accumulator.
>> 3. They can tell if invalid tokens have been added to the accumulator.
>> 4. They can tell how many tokens (alt: each token has a value and they
>> can tell the value sum) have been added.
>> 5. They can't tell what tokens have been added (unless they know all
>> the tokens, which is trivial).
>>
>> Any ideas?
>>
>> > The refund amount propogating back also reveals the path, probably.
>> > Could that be obfusticated by somehow paying each intermediate node
>> > both as the funds go out and come back, so the refund decreases on the
>> > way back?
>> >
>> > Oh, can we make the amounts work like the onion, where it stays constant?
>> > So:
>> >
>> > Alice wants to pay Dave via Bob, Carol. Bob gets 700 msat, Carol gets
>> > 400 msat, Dave gets 300 msat, and Alice gets 100 msat refunded.
>> >
>> > Success:
>> > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0)
>> > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0)
>> > Carol forwards 1500 msat to Dave (-1500, 0, 0, +1500)
>> > Dave refunds 1200 msat to Carol (-1500, 0, +1200, +300)
>> > Carol refunds 800 msat to Bob (-1500, +800, +400, +300)
>> > Bob refunds 100 msat to Alice (-1400, +700, +400, +300)
>>
>> Or, on success, upfront payment is fully refunded or not refunded at all
>> (since they get paid by normal fees)? Either way, no data leak for that
>> case.
>>
>> > Clean routing failure at Carol/Dave:
>> > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0)
>> > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0)
>> > Carol says Dave's not talking
>> > Carol refunds 1100 msat to Bob (-1500, +1100, +400, 0)
>> > Bob refunds 400 msat to Alice (-1100, +700, +400, 0)
>> >
>> > I think that breaks the correlation pretty well, so you just need a
>> > decent way of obscuring path length?
>>
>> I don't see how this breaks correlation?
>>
>> > In the uncooperative routing failure case, I wonder if using an ECC
>> > trapdoor and perhaps scriptless scripts, you could make it so Carol
>> > doesn't even get an updated state without revealing the preimage...
>>
>> I'm not sure. We can make it so Carol has Bob's preimage(s), etc, so
>> that the node which fails doesn't get paid. I initially thought this
>> would just make people pair up (fake) nodes, but it's probably not worth
>> it since their path would be less-selected in that case.
>>
>> Cheers,
>> Rusty.
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>