ZmnSCPxj [ARCHIVE] on Nostr: 📅 Original date posted:2019-01-05 📝 Original message: Good morning David, What ...
📅 Original date posted:2019-01-05
📝 Original message:
Good morning David,
What happens if the exchange node only sends its preimage towards the payer and not towards the payee?
If the payer and payee do not coordinate, then it becomes possible for the exchange node to take the funds without the payee gaining the ability to claim the payment.
This might be used by a node to take proofs of payment without paying, by simulating the payer and exchange nodes.
This may be important if the proof of payment is valuable, such as, the mentioned offline Lightning vending machines, or if the preimage is the decryption key for valuable data (e.g. ransomware; now the ransomware author may find it is scammed off their potential earnings).
Regards,
ZmnSCPxj
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 5, 2019 5:05 AM, David A. Harding <dave at dtrt.org> wrote:
> On Thu, Dec 27, 2018 at 05:43:51AM +0000, ZmnSCPxj via Lightning-dev wrote:
>
> > We can try to mitigate this, but the solutions below all have significant drawbacks.
>
> An alternative is to give the person making the exchange the ability to
> cancel the payment if they think the exchange rate has changed
> unfavorably for them. I think you could do that by adding an extra
> hashlock to the HTLC that's controlled by the exchanger. For example,
> here's what we'd expect a cross-asset path to look like:
>
> Alice Bob Charlie Dan Eliza
> 1.3 mBTC -> 1.3 mBTC -> 1.2 mBTC
>
> 1.2 mWJT -> 1.1 mWJT -> 1.0 mWJT
>
>
> Instead of Alice's node just locally constructing this path and trying
> to pay it like normal, she first sends a special probe to Charlie
> requesting a new hash for which only he knows the preimage. With this
> hash plus the hash Alice received from Eliza, Alice sends a payment that
> requires both hashlocks be unlocked before anyone can claim the payment.
>
> 1. When this payment reaches the exchanger, Charlie, he checks that the
> payment includes a hashlock he controls before routing the payment on to
> a different asset.
>
> 2. When the payment reaches receiver Eliza's node, she releases her
> PreImage (PI0) back along the path.
>
> 3. When Eliza's preimage reaches exchanger Charlie's node, he releases
> his preimage (PI1) in both directions along the path and continues
> forwarding PI0 backwards. Eventually everyone receives both preimages
> through the usual offchain or onchain mechanisms.
>
> Alice Bob Charlie Dan Eliza
> PI0 <- PI0 <- PI0 <- PI0 <- PI0 (start here)
> PI1 <- PI1 <- PI1 -> PI1 -> PI1
>
>
> However, if the exchange rate changes too much for Charlie's comfort
> before both preimages have been released, Charlie can unilaterally
> decide to cancel the payment by simply not releasing his preimage.
>
> Note that by making the payment contingent on the approval of the
> exchanger, the ability to create an underhanded call option is
> transferred to the exchanger. However, this may be less concerning
> because the exchanger can only keep this option open by refusing to
> immediately claim the routing fees.
>
> For example, our exchanger Charlie is being offered 0.1 mBTC to route
> the payment (a made up number). If he can route 100 such payments in a
> day (another made up number), he can earn 10.0 mBTC from routing. By
> comparison, if he delays a payment of 1.2 mBTC, he'd need to expect the
> exchange rate to change by an order of magnitude within a day to earn
> the same amount. In ZmnSCPxj's terminology, the option is now no longer
> free because Charlie must decide between potential routing income and
> potential option income. Whether or not exchangers play the option game
> will therefore likely be based on the amount of honest routing income
> they can earn relative to the exchange rate volatility (and also on how
> good nodes get at tracking reliable routes).
>
> This idea certainly complicates the current protocol (both routing and
> transaction construction), but maybe there are simplifications
> available.
>
> -Dave
📝 Original message:
Good morning David,
What happens if the exchange node only sends its preimage towards the payer and not towards the payee?
If the payer and payee do not coordinate, then it becomes possible for the exchange node to take the funds without the payee gaining the ability to claim the payment.
This might be used by a node to take proofs of payment without paying, by simulating the payer and exchange nodes.
This may be important if the proof of payment is valuable, such as, the mentioned offline Lightning vending machines, or if the preimage is the decryption key for valuable data (e.g. ransomware; now the ransomware author may find it is scammed off their potential earnings).
Regards,
ZmnSCPxj
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 5, 2019 5:05 AM, David A. Harding <dave at dtrt.org> wrote:
> On Thu, Dec 27, 2018 at 05:43:51AM +0000, ZmnSCPxj via Lightning-dev wrote:
>
> > We can try to mitigate this, but the solutions below all have significant drawbacks.
>
> An alternative is to give the person making the exchange the ability to
> cancel the payment if they think the exchange rate has changed
> unfavorably for them. I think you could do that by adding an extra
> hashlock to the HTLC that's controlled by the exchanger. For example,
> here's what we'd expect a cross-asset path to look like:
>
> Alice Bob Charlie Dan Eliza
> 1.3 mBTC -> 1.3 mBTC -> 1.2 mBTC
>
> 1.2 mWJT -> 1.1 mWJT -> 1.0 mWJT
>
>
> Instead of Alice's node just locally constructing this path and trying
> to pay it like normal, she first sends a special probe to Charlie
> requesting a new hash for which only he knows the preimage. With this
> hash plus the hash Alice received from Eliza, Alice sends a payment that
> requires both hashlocks be unlocked before anyone can claim the payment.
>
> 1. When this payment reaches the exchanger, Charlie, he checks that the
> payment includes a hashlock he controls before routing the payment on to
> a different asset.
>
> 2. When the payment reaches receiver Eliza's node, she releases her
> PreImage (PI0) back along the path.
>
> 3. When Eliza's preimage reaches exchanger Charlie's node, he releases
> his preimage (PI1) in both directions along the path and continues
> forwarding PI0 backwards. Eventually everyone receives both preimages
> through the usual offchain or onchain mechanisms.
>
> Alice Bob Charlie Dan Eliza
> PI0 <- PI0 <- PI0 <- PI0 <- PI0 (start here)
> PI1 <- PI1 <- PI1 -> PI1 -> PI1
>
>
> However, if the exchange rate changes too much for Charlie's comfort
> before both preimages have been released, Charlie can unilaterally
> decide to cancel the payment by simply not releasing his preimage.
>
> Note that by making the payment contingent on the approval of the
> exchanger, the ability to create an underhanded call option is
> transferred to the exchanger. However, this may be less concerning
> because the exchanger can only keep this option open by refusing to
> immediately claim the routing fees.
>
> For example, our exchanger Charlie is being offered 0.1 mBTC to route
> the payment (a made up number). If he can route 100 such payments in a
> day (another made up number), he can earn 10.0 mBTC from routing. By
> comparison, if he delays a payment of 1.2 mBTC, he'd need to expect the
> exchange rate to change by an order of magnitude within a day to earn
> the same amount. In ZmnSCPxj's terminology, the option is now no longer
> free because Charlie must decide between potential routing income and
> potential option income. Whether or not exchangers play the option game
> will therefore likely be based on the amount of honest routing income
> they can earn relative to the exchange rate volatility (and also on how
> good nodes get at tracking reliable routes).
>
> This idea certainly complicates the current protocol (both routing and
> transaction construction), but maybe there are simplifications
> available.
>
> -Dave