{"type":"rich","version":"1.0","title":"ZmnSCPxj [ARCHIVE] wrote","author_name":"ZmnSCPxj [ARCHIVE] (npub1g5…3ms3l)","author_url":"https://yabu.me/npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3l","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2019-11-22\n📝 Original message:\nGood morning Bastien,\n\n\u003e I think there's another alternative than upfront payments to prevent spam, which is maybe less \n\u003e controversial (but potentially less effective as well - to be investigated).\n\u003e\n\u003e Why not adapt what has been done with email spam and PoW/merkle puzzles?\n\u003e The high-level idea would be that the sender must solve a small PoW puzzle for each intermediate \n\u003e node and communicate the solution in the onion.\n\u003e There are many ways we could do that (a new field in each intermediate hop, grinding an HMAC \n\u003e prefix, etc) so before going into specifics I only wanted to submit the high-level idea.\n\u003e What's neat with this is that it's simple, doesn't leak any privacy, and avoids having to create a\n\u003e node reputation system.\n\u003e\n\u003e We fight spam by forcing the sender to use some resources (instead of sats).\n\u003e Maybe this idea has already been proposed and broken, if that's the case I'd love to see the\n\u003e discussion if someone can surface it.\n\nThis imposes a cost that varies depending on how specialized your hardware is at generating proof-of-work.\n\nAt a certain point-of-view, one can argue that directly paying with millisatoshis for each hop (whether it fails to forward or not) has the same cost on the sender (replace the consumption of energy to compute proof-of-work with a payment or burning of funds instead), and at least does not prejudice against sender hardware that is not specialized at generating proof-of-work.\n\nThus I would argue that, given we already have a system that bases an economic token on top of proof-of-work, every use of proof-of-work today (other than to power Bitcoin itself, as Bitcoin cannot support itself) can instead be done by using Bitcoins to impose this economic cost.\n\nAll economic costs resolve to energy (economic tokens represent \"right-to-consume-energy\", by the simple technique of purchasing energy), thus requiring a fee is equivalent to requiring proof-of-work, incentive-wise.\nThe drawback is that proof-of-work is cheaper for specialized hardware (as well as specialized setups for getting more energy at cheaper costs).\n\nAs hardware specialization for the specific Lightning-Network-proof-of-work arises, we will find that to practically limit spam, intermediate nodes will have to increase and increase the threshold for accepting proof-of-work, as spammers are going to switch to the more-specialized hardware.\nThis leads to certain kinds of hardware (older mobile phones, older workstations, etc.) being unable to practically use the Lightning Network due to the increased proof-of-work threshold.\nEventually, services will arise where datacenters of specialized hardware are rented out to Lighning Network nodes for a fee in exchange for a proof-of-work to be used on a route --- datacenters that may very well end up becoming kingmakers capable of allowing or suppressing certain economic activities.\nThis ends up being indirect and loses a good amount of privacy.\nIt is better to simply impose *some* cost on the sender that it pays directly, than to use a mechanism that inherently leads to specialization.\n\nRegards,\nZmnSCPxj\n\n\u003e\n\u003e Cheers,\n\u003e Bastien\n\u003e\n\u003e Le lun. 11 nov. 2019 à 00:32, Rusty Russell \u003crusty at rustcorp.com.au\u003e a écrit :\n\u003e\n\u003e \u003e Anthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e \u003e \u003e On Fri, Nov 08, 2019 at 01:08:04PM +1030, Rusty Russell wrote:\n\u003e \u003e \u003e\u003e Anthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e \u003e \u003e\u003e [ Snip summary, which is correct ]\n\u003e \u003e \u003e\n\u003e \u003e \u003e Huzzah!\n\u003e \u003e \u003e\n\u003e \u003e \u003e This correlates all the hops in a payment when the route reaches its end\n\u003e \u003e \u003e (due to the final preimage getting propogated back for everyone to justify\n\u003e \u003e \u003e the funds they claim). Maybe solvable by converting from hashes to ECC\n\u003e \u003e \u003e as the trapdoor function?\n\u003e \u003e\n\u003e \u003e I hadn't thought of this, but yes, once we've eliminated the trivial\n\u003e \u003e preimage correlation w/scriptless scripts it'd be a shame to reintroduce\n\u003e \u003e it here.\n\u003e \u003e\n\u003e \u003e We need an accumulator with some strange properties though:\n\u003e \u003e\n\u003e \u003e 1. Alice provides tokens and a base accumulator.\n\u003e \u003e 2. Bob et. al can add these tokens to the accumulator.\n\u003e \u003e 3. They can tell if invalid tokens have been added to the accumulator.\n\u003e \u003e 4. They can tell how many tokens (alt: each token has a value and they\n\u003e \u003e    can tell the value sum) have been added.\n\u003e \u003e 5. They can't tell what tokens have been added (unless they know all\n\u003e \u003e    the tokens, which is trivial).\n\u003e \u003e\n\u003e \u003e Any ideas?\n\u003e \u003e\n\u003e \u003e \u003e The refund amount propogating back also reveals the path, probably.\n\u003e \u003e \u003e Could that be obfusticated by somehow paying each intermediate node\n\u003e \u003e \u003e both as the funds go out and come back, so the refund decreases on the\n\u003e \u003e \u003e way back?\n\u003e \u003e \u003e\n\u003e \u003e \u003e Oh, can we make the amounts work like the onion, where it stays constant?\n\u003e \u003e \u003e So:\n\u003e \u003e \u003e\n\u003e \u003e \u003e   Alice wants to pay Dave via Bob, Carol. Bob gets 700 msat, Carol gets\n\u003e \u003e \u003e   400 msat, Dave gets 300 msat, and Alice gets 100 msat refunded.\n\u003e \u003e \u003e\n\u003e \u003e \u003e   Success:\n\u003e \u003e \u003e     Alice forwards 1500 msat to Bob   (-1500, +1500, 0, 0)\n\u003e \u003e \u003e     Bob forwards 1500 msat to Carol   (-1500, 0, +1500, 0)\n\u003e \u003e \u003e     Carol forwards 1500 msat to Dave  (-1500, 0, 0, +1500)\n\u003e \u003e \u003e     Dave refunds 1200 msat to Carol   (-1500, 0, +1200, +300)\n\u003e \u003e \u003e     Carol refunds 800 msat to Bob     (-1500, +800, +400, +300)\n\u003e \u003e \u003e     Bob refunds 100 msat to Alice     (-1400, +700, +400, +300)\n\u003e \u003e\n\u003e \u003e Or, on success, upfront payment is fully refunded or not refunded at all\n\u003e \u003e (since they get paid by normal fees)?  Either way, no data leak for that\n\u003e \u003e case.\n\u003e \u003e\n\u003e \u003e \u003e   Clean routing failure at Carol/Dave:\n\u003e \u003e \u003e     Alice forwards 1500 msat to Bob   (-1500, +1500, 0, 0)\n\u003e \u003e \u003e     Bob forwards 1500 msat to Carol   (-1500, 0, +1500, 0)\n\u003e \u003e \u003e     Carol says Dave's not talking\n\u003e \u003e \u003e     Carol refunds 1100 msat to Bob    (-1500, +1100, +400, 0)\n\u003e \u003e \u003e     Bob refunds 400 msat to Alice     (-1100, +700, +400, 0)\n\u003e \u003e \u003e\n\u003e \u003e \u003e I think that breaks the correlation pretty well, so you just need a\n\u003e \u003e \u003e decent way of obscuring path length?\n\u003e \u003e\n\u003e \u003e I don't see how this breaks correlation?\n\u003e \u003e\n\u003e \u003e \u003e In the uncooperative routing failure case, I wonder if using an ECC\n\u003e \u003e \u003e trapdoor and perhaps scriptless scripts, you could make it so Carol\n\u003e \u003e \u003e doesn't even get an updated state without revealing the preimage...\n\u003e \u003e\n\u003e \u003e I'm not sure.  We can make it so Carol has Bob's preimage(s), etc, so\n\u003e \u003e that the node which fails doesn't get paid.  I initially thought this\n\u003e \u003e would just make people pair up (fake) nodes, but it's probably not worth\n\u003e \u003e it since their path would be less-selected in that case.\n\u003e \u003e\n\u003e \u003e Cheers,\n\u003e \u003e Rusty.\n\u003e \u003e _______________________________________________\n\u003e \u003e Lightning-dev mailing list\n\u003e \u003e Lightning-dev at lists.linuxfoundation.org\n\u003e \u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev"}