Nostr notes by Orfeas Stefanos Thyfronitis Litos [ARCHIVE]

📅 Original date posted:2019-11-22 📝 Original message: Good ...

2023-06-09T12:57:10Z

In reply to nevent1q…zg7u
_________________________

📅 Original date posted:2019-11-22
📝 Original message:
Good morning ZmnSCPxj,

> requiring a fee is equivalent to requiring proof-of-work, incentive-wise.

Not necessarily, given that
1) there is a finite bitcoin supply but an eventually infinite PoW
supply (relevant in the unlikely case fees are burned)
2) sats are transferrable, whereas PoW isn't (relevant in the case fees
are paid)

On the other hand, there exists this paper with the fancy name that
claims using PoW for spam prevention in the context of email (the
original context in which PoW was discovered) is ineffective due to the
high per-message PoW required to beat spam [0]. Therefore we have to see
whether this paper applies to LN as well before going down that road.

Spam prevention in an unauthenticated system is much more complex than
it seems at first, because it boils down to avoiding the Sybil attack,
(one of) the most difficult problem(s) in such systems. A (traditional)
reputation system in essence enables authentication (eww), per-message
PoW might be too expensive, and per-message fees seem to have incentives
issues and are kind of misaligned with LN's aims.

Maybe I've missed something, but what makes spam in LN a bigger problem
than it is in every other p2p network out there? Why won't traditional
bad activity thresholds do the job?

I don't think spam is something that will be completely wiped out, only
contained. LN should provide for many orthogonal spam prevention
measures (local tunable activity thresholds, gossipable reputation
systems (eww), per-message fees, per-message PoW) with sensible defaults
to allow users to experiment and choose what is best for them, but that
may lead to unacceptable protocol and UI complexity. What a tradeoff...

Best,
Orfeas

[0] https://www.cl.cam.ac.uk/~rnc1/proofwork.pdf

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

📅 Original date posted:2019-11-26 📝 Original message: Hello ...

2023-06-09T12:57:10Z

In reply to nevent1q…d9jn
_________________________

📅 Original date posted:2019-11-26
📝 Original message:
Hello ZmnSCPxj,

> This can be made "the same" by any of the following methods:
>
> * Burning the up-front fees.

This would impose a hard maximum of 21 * 10^6 * 10^8 global lifetime hops, and a much lower practical one. PoW OTOH doesn't impose such limits. Hence different dynamics.

> * Locking the up-front fees for a time, then reverting them to the original sender.

This means that I can burst-spam today, wait until unlock, repeat. If the PoW scheme somehow enforces fresh PoWs (e.g. by needing (nonce || recent block hash) as proof), I can't do this attack.

> Fees and PoW are equivalent.

If by "equivalent" you mean "a drop-in replacement", then I hope the subtle differences above and the previous discussion show that this is not the case. If by "equivalent" you mean (a formal version of) "for any scheme that uses PoWs, there exists a fee-based scheme with the same incentives and large-scale dynamics", then that's a very strong claim of which I would love to see a proof (and a formal statement).

This is not to say that I believe PoWs are the solution to spam, just that they warrant separate investigation from fees.

Best,
Orfeas

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

📅 Original date posted:2019-11-25 📝 Original message: Hi ...

2023-06-09T12:57:09Z

In reply to nevent1q…ljcd
_________________________

📅 Original date posted:2019-11-25
📝 Original message:
Hi ZmnSCPxj,

>>> requiring a fee is equivalent to requiring proof-of-work, incentive-wise.
>>
>> Not necessarily, given that
>> 1) there is a finite bitcoin supply but an eventually infinite PoW
>> supply (relevant in the unlikely case fees are burned)
>> 2) sats are transferrable, whereas PoW isn't (relevant in the case fees
>> are paid)
>
> Not actually.
> Again, let me point out that PoW can be *bought*, that is precisely what Bitcoin blockchain layer does.
> And the blockchain layer PoW is bought with two things: fees and subsidies (inflation).
> Thus PoW, being purchaseable, is incentive-wise equivalent to paying somebody to spend electricity (possibly with efficiencies at scale).
> Just cut the middleman.

I wasn't clear enough, sorry for that. I agree that in general PoW can
be bought. However if I understand this particular PoW proposal
correctly, a brand-new PoW has to be created for each intermediary.
These PoWs cannot be reused by the intermediary for later payments (or
for anything else).

I will now show that there exist spam-prevention schemes that differ
only on whether the payer gives sats or PoWs to intermediaries, such
that economically rational agents are incentivized to cheat in the case
of sats but not so in the case of PoWs. This proves that fees are *not*
equivalent to PoWs incentive-wise.

In our model, an intermediary can follow one of three possible
strategies (we make the assumption that other strategies are strictly
dominated by one of the three). Each strategy results in different
resource utilization and proceeds from fees.
(A) do nothing. This results in resources_A = 0 and sats_A = 0
(B) play honestly. resources_B < 0 (negative because they constitute
an operating cost) and sats_B = anti_spam_fee + routing_fee
(C) mount a plausibly deniable attack. Here resources_C < 0 and sats_C
= anti_spam_fee.
We assume that resources_C > resources_B + routing_fee (1).

In case intermediaries receive PoWs as an anti-spam measure, it is
anti_spam_fee = 0 which means that resources_C + sats_C < 0 =
resources_A + sats_A, therefore strategy C is strictly dominated by A.
(The fact that A also strictly dominates B is an interesting
observation, but beside the point for the argument made.)

OTOH, in the case of anti-spam sats, it is anti_spam_fee > 0. Therefore
we have resources_C + sats_C > resources_B + sats_B (using (1)) and for
a big enough anti_spam_fee, it is resources_C + sats_C > 0, therefore
strategy C strictly dominates both A and B.

In other words, by just changing whether we use anti-spam PoWs or fees,
we change the economically rational behavior.

I apologize for the previous ambiguity and I hope this has made my
argument clearer.

Best,
Orfeas

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

📅 Original date posted:2019-07-10 📝 Original message: Hi ...

2023-06-09T12:55:26Z

In reply to nevent1q…edfg
_________________________

📅 Original date posted:2019-07-10
📝 Original message:
Hi all,

The promise for fast, scalable, user-friendly and trustless use of
bitcoin that the Lightning Network offers motivated us to author a paper
where we formalize LN in the cryptographic framework of Universal
Composition and prove its security. It can be found here:
https://eprint.iacr.org/2019/778

We believe that a formal proof of security was needed to specify the
exact operating parameters that safeguard the funds and transactions of
users against arbitrary attackers, to abstract, modularize and validate
the underlying cryptography that is used in LN, to incorporate LN in the
body of cryptographic protocols that have been abstracted within the
Universal Composition framework (and thus can be safely composed and run
in parallel) and to increase the trust of the wider community to LN. We
view this work as a small contribution to the amazing effort that the
Lightning community has expended both on the theoretical and the
practical front throughout the last years.

The paper is authored by my PhD supervisor Prof. Aggelos Kiayias and me.
Any feedback will be greatly appreciated.

Best regards,
Orfeas Stefanos Thyfronitis Litos

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.