{"type":"rich","version":"1.0","title":"Anthony Towns [ARCHIVE] wrote","author_name":"Anthony Towns [ARCHIVE] (npub17r…x9l2h)","author_url":"https://yabu.me/npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2h","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2019-11-06\n📝 Original message:\nOn Wed, Nov 06, 2019 at 10:43:23AM +1030, Rusty Russell wrote:\n\u003e \u003e\u003e Rusty prepares a nonce, AAAAA and hashes it 25 times = ZZZZZ.\n\u003e \u003e\u003e ZmnSCPxj prepares the onion, but adds extra fields (see below).  \n\u003e \u003e It would have made more sense to me for Alice (Zmn) to generate\n\u003e \u003e the nonce, hash it, and prepare the onion, so that the nonce is\n\u003e \u003e revealed to Dave (Rusty) if/when the message ever actually reaches its\n\u003e \u003e destination. Otherwise Rusty has to send AAAAA to Zmn already so that\n\u003e \u003e Zmn can prepare the onion?\n\u003e The entire point is to pay *up-front*, though, to prevent spam.\n\nHmm, I'm not sure I see the point of paying upfront but not\nunconditionally -- you already commit the funds as part of the HTLC,\nand if you're refunding some of them, you kind-of have to keep them\nreserved or you risk finalising the HTLC causing a failure because you\ndon't have enough msats spare to do the refund?\n\nIf you refund on routing failure, why wouldn't a spammer just add a fake\n\"Ezekiel\" at the end of the route after Dave, so that the HTLCs always\nfail and all the fees are returned?\n\n\u003e Bob/ZmnSCPxj doesn't prepare anything in the onion.  They get handed the\n\u003e last hash directly: Alice is saying \"I'll pay you 50msat for each\n\u003e preimage you can give me leading to this hash\".\n\nSo my example was Alice paying Dave via Bob and Carol (so Alice/Bob,\nBob/Carol, Carol/Dave being the individual channels).\n\nWhat you wrote to Zmn says \"Rusty decrypts the onion, reads the prepay\nfield: it says 14, LLLL.\" but Alice doesn't know anything other than\nZZZZ so can't put LLLL in the onion?\n\nAre you using Hornet so that every intermediary can communicate a nonce\nback to the source of the route? If not, \"Rusty\" generating the nonce\nseems like you're informing Rusty that you're actually the origin of the\nHTLC, and not just innocently forwarding it along; if so, it seems like\nyou have independent nonces at each step, rather than\nAAAA/BBBB/LLLL/ZZZZ in a direct chain.\n\n\u003e \u003e I'm not sure why lucky hashing should result in a discount?\n\u003e Because the PoW adds noise to the amounts, otherwise the path length is\n\u003e trivially exposed, esp in the failure case.  It's weak protection\n\u003e though.\n\nWith a linear/exponential relationship you just get \"half the time it's\n1 unit, 25% of the time it's 2 units, 12% of the time it's 3 units\", so\nI don't think that's adding much noise?\n\n\u003e \u003e You've only got two nonce choices -- the initial AAAA and the depth\n\u003e \u003e that you tell Bob and Carol to hash to as steps in the route;\n\u003e No, the sphinx construction allows for grinding, that was my intent\n\u003e here.  The prepay hashes are independent.\n\nOh, because you're also xoring with the onion packet, right, I see.\n\n\u003e \u003e I think you could just make the scheme be:\n\u003e \u003e   Alice sends HTLC(k,v) + 1250 msat to Bob\n\u003e \u003e   Bob unwraps the onion and forwards HTLC(k,v) + 500 msat to Carol\n\u003e \u003e   Carol unwraps the onion and forwards HTLC(k,v) + 250 msat to Dave\n\u003e \u003e   Dave redeems the HTLC, claims an extra 300 msat and refunds 200 msat to Carol\n\nThe math here doesn't add up. Let's assume I meant:\n\n  Bob keeps 500 sat, forwards 750 sat\n  Carol keeps 250 sat, forwards 500 sat\n  Dave keeps 300 sat, refunds 200 sat\n\n\u003e \u003e   Carol redeems the HTLC and refunds 200 msat to Bob\n\u003e \u003e   Bob redeems the HTLC and refunds 200 msat to Alice\n\u003e \u003e\n\u003e \u003e If there's a failure, Alice loses the 1250 msat, and someone in the\n\u003e \u003e path steals the funds.\n\u003e This example confuses me.\n\nWell, that makes us even at least? :)\n\n\u003e So, you're charging 250msat per hop?  Why is Bob taking 750?  Does Carol\n\u003e now know Dave is the last hop?\n\nNo, Alice is choosing to pay 500, 250 and 300 msat to Bob, Carol and\nDave respectively, as part of setting up the onion, and picks those\nnumbers via some magic algo trading off privacy and cost.\n\n\u003e Does Alice lose everything on any routing failure?\n\nThat was my thought yeah; it seems weird to pay upfront but expect a\nrefund on failure -- the HTLC funds are already committed upfront and\nrefunded on failure.\n\n\u003e If so, that is strong incentive for Alice to reduce path-length privacy\n\u003e by keeping payments minimal, which I was really trying to avoid.\n\nAssuming v is much larger than 1250msat, and 1250 msat is much lower than\nthe cost to Bob of losing the channel with Alice, I don't think that's\na problem. 1250msat pays for 125kB of bandwdith under your assumptions\nI think?\n\n\u003e \u003e Does that miss anything that all the hashing achieves?\n\u003e It does nothing if Carol is the one who can't route.\n\nIf Carol can't route, then ideally she just refunds all the money and\neveryone's happy.\n\nIf Carol tries to steal, then she can keep 750 msat instead of 250 msat.\nThis doesn't give any way for Bob to prove Carol cheated on him though;\nbut Bob could just refund the 1250 msat and write the 750 msat off as a\nloss of dealing with cheaters like Carol.\n\nCheers,\naj"}