📅 Original date posted:2023-05-10
🗒️ Summary of this message: The Lightning Network's reputation system is susceptible to sudden behavioral changes and whitewashing attacks, but fees can put a price on having a good reputation. Nodes do not gossip about peer reputation, and data collection will inform future decisions.
📝 Original message:
Hi Christian,
Thanks for your comments! We will discuss this further in the upcoming call
on the 15th, would be great to see you there!
> this is an intrinsic issue with reputation systems, and the main
> reason I'm sceptical w.r.t. their usefulness in lightning.
> Fundamentally any reputation system bases their expectations for the
> future on experiences they made in the past, and they are thus always
> susceptible to sudden behavioral changes (going rogue from a prior
> clean record) and whitewashing attacks (switching identity, abusing
> any builtin bootstrapping method for new users to gain a good or
> neutral reputation before turning rogue repeatedly).
>
In the Lightning Network, fees are a native way to put a price on having a
good reputation (see details here [0]). In the design that we suggest, the
reputation gained today cannot be used in the distant future, and funds
need to be invested continuously to keep a good reputation. Good reputation
is also a function of the general environment, and so if there is a fee
spike, reputation will change. It is true that nodes can go rogue, but this
is why we aim for the price of a good reputation to be similar to the
amount of damage they can create.
> This gets compounded as soon as we start gossiping about reputations,
> since now our decisions are no longer based just on information we can
> witness ourselves, or at least verify its correctness, and as such an
> attacker can most likely "earn" a positive reputation in some other
> part of the world, and then turn around and attack the nodes that
> trusted the reputation shared from those other parts.
>
Notice that we are not gossiping about our peer's reputation. The only
thing that a node communicates to its neighbor is whether they see an HTLC
as endorsed or just neutral, that is, should this HTLC be granted access to
all of the resources or just the restricted part.
> I'd be very interested in how many repeat interactions nodes get from
> individual senders, since that also tells us how much use we can get
> out of local-only reputation based systems, and I wouldn't be
> surprised if, for large routing nodes, we have sufficient data for
> them to make an informed decision, while the edges may be more
> vulnerable, but they'd also be used by way fewer senders, and the
> impact of an attack would also be proportionally smaller.
>
This is something we hope to learn once we'll start collecting data from
our brave volunteers :)
Cheers,
Clara
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230510/e8f3be68/attachment-0001.html>