{"type":"rich","version":"1.0","title":"Rusty Russell [ARCHIVE] wrote","author_name":"Rusty Russell [ARCHIVE] (npub1zw…hkhpx)","author_url":"https://yabu.me/npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpx","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2019-11-05\n📝 Original message:\nAnthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e On Tue, Nov 05, 2019 at 07:56:45PM +1030, Rusty Russell wrote:\n\u003e\u003e Sure: for simplicity I'm sending a 0-value HTLC.\n\u003e\u003e ZmnSCPxj has balance 10000msat in channel with Rusty, who has 1000msat\n\u003e\u003e in the channel with YAIjbOJa.\n\u003e\n\u003e Alice, Bob and Carol sure seem simpler than Zmn YAI and Rusty...\n\nAgreed, I should not have directly answered the q.\n\n\u003e\u003e Rusty prepares a nonce, AAAAA and hashes it 25 times = ZZZZZ.\n\u003e\u003e ZmnSCPxj prepares the onion, but adds extra fields (see below).  \n\u003e\n\u003e It would have made more sense to me for Alice (Zmn) to generate\n\u003e the nonce, hash it, and prepare the onion, so that the nonce is\n\u003e revealed to Dave (Rusty) if/when the message ever actually reaches its\n\u003e destination. Otherwise Rusty has to send AAAAA to Zmn already so that\n\u003e Zmn can prepare the onion?\n\nThe entire point is to pay *up-front*, though, to prevent spam.\n\nBob/ZmnSCPxj doesn't prepare anything in the onion.  They get handed the\nlast hash directly: Alice is saying \"I'll pay you 50msat for each\npreimage you can give me leading to this hash\".\n\n\u003e\u003e He then\n\u003e\u003e sends the HTLC to Rusty, but also sends ZZZZZ, and 25x50 msat (ie. those\n\u003e\u003e fields are in the update_add_htlc msg).  His balance with Rusty is now\n\u003e\u003e 8750msat (ie. 25x50 to Rusty).\n\u003e\u003e \n\u003e\u003e Rusty decrypts the onion, reads the prepay field: it says 14, LLLLL.\n\u003e\u003e Rusty checks: the hash of the onion \u0026 block (or something) does indeed\n\u003e\u003e have the top 8 bits clear, so the cost is in fact 16 - 8/2 == 14.  He\n\u003e\u003e then hashes LLLLL 14 times, and yes, it's ZZZZZ as ZmnSCPxj said it\n\u003e\u003e should be.\n\u003e\n\u003e I'm not sure why lucky hashing should result in a discount?\n\nBecause the PoW adds noise to the amounts, otherwise the path length is\ntrivially exposed, esp in the failure case.  It's weak protection\nthough.\n\n\u003e You're giving a linear discount for exponentially more luck in hashing\n\u003e which also seems odd.\n\nBecause you really want some actual payment, not just PoW.  Botnets are\nreally good at PoW, less good at sending msats.  And the PoW is hard to\ncalibrate (I guessed: real numbers will be necessary)/\n\n\u003e You've only got two nonce choices -- the initial AAAA and the depth\n\u003e that you tell Bob and Carol to hash to as steps in the route;\n\nNo, the sphinx construction allows for grinding, that was my intent\nhere.  The prepay hashes are independent.\n\n\u003e I think you could just make the scheme be:\n\u003e\n\u003e   Alice sends HTLC(k,v) + 1250 msat to Bob\n\u003e   Bob unwraps the onion and forwards HTLC(k,v) + 500 msat to Carol\n\u003e   Carol unwraps the onion and forwards HTLC(k,v) + 250 msat to Dave\n\u003e   Dave redeems the HTLC, claims an extra 300 msat and refunds 200 msat to Carol\n\u003e   Carol redeems the HTLC and refunds 200 msat to Bob\n\u003e   Bob redeems the HTLC and refunds 200 msat to Alice\n\u003e\n\u003e If there's a failure, Alice loses the 1250 msat, and someone in the\n\u003e path steals the funds.\n\nThis example confuses me.\n\nSo, you're charging 250msat per hop?  Why is Bob taking 750?  Does Carol\nnow know Dave is the last hop?\n\nDoes Alice lose everything on any routing failure?\n\nIf so, that is strong incentive for Alice to reduce path-length privacy\nby keeping payments minimal, which I was really trying to avoid.\n\n\u003e You could make the accountable by having Alice\n\u003e also provide \"Hash(AAAA, refund=200)\" to everyone, encoding AAAA in the\n\u003e onion to Dave, and then each hop reveals AAAA and refunds 200msat to\n\u003e demonstrate their honesty.\n\u003e\n\u003e Does that miss anything that all the hashing achieves?\n\nIt does nothing if Carol is the one who can't route.\n\n\u003e I think the idea here is that you're paying tiny amounts for the\n\u003e bandwidth, which when it's successful does in fact pay for the bandwidth;\n\u003e and when it's unsuccessful results in a channel closure, which makes it\n\u003e unprofitable to cheat the system, but doesn't change the economics of\n\u003e lightning much overall because channel closures can happen anytime anyway.\n\nNot at all.  You can still fail to route, and still get paid.  You can't\nsteal *more* money without channel closure though.\n\n\u003e I think that approach makes sense.\n\u003e\n\u003e Cheers,\n\u003e aj\n\nCheers,\nRusty."}