rich1.0Rusty Russell [ARCHIVE] (npub1zw…hkhpx)https://yabu.me/npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxnjumphttps://yabu.me📅 Original date posted:2019-11-10 📝 Original message: Anthony Towns <aj at erisian.com.au> writes: > On Fri, Nov 08, 2019 at 01:08:04PM +1030, Rusty Russell wrote: >> Anthony Towns <aj at erisian.com.au> writes: >> [ Snip summary, which is correct ] > > Huzzah! > > This correlates all the hops in a payment when the route reaches its end > (due to the final preimage getting propogated back for everyone to justify > the funds they claim). Maybe solvable by converting from hashes to ECC > as the trapdoor function? I hadn't thought of this, but yes, once we've eliminated the trivial preimage correlation w/scriptless scripts it'd be a shame to reintroduce it here. We need an accumulator with some strange properties though: 1. Alice provides tokens and a base accumulator. 2. Bob et. al can add these tokens to the accumulator. 3. They can tell if invalid tokens have been added to the accumulator. 4. They can tell how many tokens (alt: each token has a value and they can tell the value sum) have been added. 5. They can't tell what tokens have been added (unless they know all the tokens, which is trivial). Any ideas? > The refund amount propogating back also reveals the path, probably. > Could that be obfusticated by somehow paying each intermediate node > both as the funds go out and come back, so the refund decreases on the > way back? > > Oh, can we make the amounts work like the onion, where it stays constant? > So: > > Alice wants to pay Dave via Bob, Carol. Bob gets 700 msat, Carol gets > 400 msat, Dave gets 300 msat, and Alice gets 100 msat refunded. > > Success: > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0) > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0) > Carol forwards 1500 msat to Dave (-1500, 0, 0, +1500) > Dave refunds 1200 msat to Carol (-1500, 0, +1200, +300) > Carol refunds 800 msat to Bob (-1500, +800, +400, +300) > Bob refunds 100 msat to Alice (-1400, +700, +400, +300) Or, on success, upfront payment is fully refunded or not refunded at all (since they get paid by normal fees)? Either way, no data leak for that case. > Clean routing failure at Carol/Dave: > Alice forwards 1500 msat to Bob (-1500, +1500, 0, 0) > Bob forwards 1500 msat to Carol (-1500, 0, +1500, 0) > Carol says Dave's not talking > Carol refunds 1100 msat to Bob (-1500, +1100, +400, 0) > Bob refunds 400 msat to Alice (-1100, +700, +400, 0) > > I think that breaks the correlation pretty well, so you just need a > decent way of obscuring path length? I don't see how this breaks correlation? > In the uncooperative routing failure case, I wonder if using an ECC > trapdoor and perhaps scriptless scripts, you could make it so Carol > doesn't even get an updated state without revealing the preimage... I'm not sure. We can make it so Carol has Bob's preimage(s), etc, so that the node which fails doesn't get paid. I initially thought this would just make people pair up (fake) nodes, but it's probably not worth it since their path would be less-selected in that case. Cheers, Rusty.