📅 Original date posted:2015-09-23
📝 Original message:
Mats Jerratsch <matsjj at gmail.com> writes:
>> On Mon, Sep 21, 2015 at 11:46:13AM +0930, Rusty Russell wrote:
>>> We regularly choose a dozen "beacon" nodes at random (using proximity to
>>> the SHA of latest block hash or something). Everyone propagates the
>>> cheapest route to & from those nodes (which is pretty efficient, similar
>>> to your scheme).
>
> I don't know, using the beacon kind of technique does seem a little
> bit cumbersome and you really have to think about a lot of possible
> attacks that might render the whole network unusable, because all
> beacons are maliciously sabotaging the network..
Indeed. Random selection helps, here, but analysis will be interesting.
>> If you do know the entire graph, you don't need to give away any
>> information about who you want to pay prior to sending the transaction.
>> Knowing the graph is potentially interesting for commercial and academic
>> reasons beyond wanting privacy. (Knowing the fees others charge helps you
>> work out what fees you should charge; but just querying your neighbours'
>> routes is probably sufficient to work that out too)
>
> I initially thought about going with a Node Directory. That is, a
> central server collecting the routing data that could be sent there by
> choice. We can work out with signature and if both nodes submit the
> route towards the other node, whether this is indeed correct. But as
> this isn't too much data in the first place, I am very much in favour
> of just using some gossip-protocol.
Short term I'm thinking we'll have an IRC channel (a-la early bitcoin)
and everyone will advertise their channels there. This is design for
the next, more ambitious phase.
> Furthermore, we can also include
> some byte for a reputation / web-of-trust system. It is completely
> optional, if you are able to figure out how to route the payment
> across your nodes you are not forced to use this system, and I don't
> think it will have severe privacy problems.
I think reputation systems will become an overlay, if the basic system
proves vulnerable. It's nicer if we don't have to though, as reputation
is both hard to encode in normal behaviour, and deeply centralizing.
> Payer and payee can further work out a rendezvous node. The payee will
> send the encrypted routing data from that node on to himself and the
> payer can build the rest of the routing from his viewpoint.
Yes, like R hash and destination node, you'd send some
routes-from-nodes for one or more rendezvous.
The advantage of this system is that it's less revealing, even if you
have to ask how to get to those.
> Having this data distributed really allows for making payments without
> leaving too many visible traces on the network.
>
> I would also spread data about how much can be spent and received with
> this route and fees for receiving and spending. Again, this data can
> be very vague and does not need to reflect the real world. You can say
> you support payments up to 10k satoshis, even though the channel has
> 5BTC in it.
My basic model for fees is base + percentage. AJ has been thinking
harder about exactly how a node would set these...
> Is there any plan how we handle connections currently? I am thinking
> about sending the current IP address with this update, such that nodes
> can connect to each other after one broke down again, and it would
> further support dynamic IPs as well. Could be possible to extend this
> to hidden service notation, although this would need some more bytes
> to store.
So, I'm assuming the basic network comms is organized along channel
lines; you have to communicate to the other end of the channel anyway,
so that makes sense.
This doesn't solve "how do I connect to the network" or "how do I start
a channel with this particular node", though. For that, I've floated
the idea of reusing the bittorrent DHT, which has extensions to allow
just this.
> The protocol on my side does look like this currently:
>
> General beacon for our node
> - pubkey [32]
> - timestamp [4]
> - IP/connectionDetails [8+...]
> - signature [70]
Yep, makes sense. Pubkey is usually 33 bytes, BTW.
You can squeze some more bytes out of you want:
1) Signature should be 64 bytes (never DER encode).
2) Pubkey can be hashed bitcoin-address style, and recovered from sig.
> Routing information
> - pubkey_from_us [32]
> - pubkey_from_you [32]
> - fee_sending [4]
> - max_sending [4]
> - current_reputation [1]
> - timestamp [4]
> - signature [70]
If we're using protobufs, they're extensible, so you can add reputation
later if we need it.
You also want two signatures, I think: one from each side. Though it
makes sense to have a separate teardown message which only needs one
sig.
> These two would be spread as one message.
> This allows to keep two separate databases, and be able to bootstrap
> new nodes with this information, while we do not have to store old
> beacon data.
> As reputation will be stored for quite some time, we should really
> save them with separate signatures. (This will make it more difficult
> / costly to share the complete database with new nodes, and we need to
> store old data (reputation should be stored for some time) to validate
> the signatures.
Unclear what reputation means, here?
> I was calculating with two updates a day, but only 100k nodes. Each
> node would make a connection to around 10 other nodes, resulting in
> 114+10*147 = 1.5kB per update. Each node would only use around 3kb/s
> up/down and would do around 3 signature verifications per second in
> idle mode, while allowing everyone a full copy of the routing. Making
> sure messages spread efficiently is another problem, as we have so
> many tiny messages. Storing the hashes you received in a bloom table
> and asking other peers if they want to receive it as well does work,
> but just the hashes of all messages do add up already..
>
> In the end, the nodes themselves don't really need the routing
> information, we just need a way to transport the information to the
> clients that make payments. Nodes will just stupidly obey the orders
> given in the blob of data they'll receive.
BTW I've not been separating nodes and clients in my head-design. Of
course, some nodes might not ever generate payments, and some nodes
might never route others' payments, but it increases privacy vastly if
they *can*, so I'm trying to think about them that way.
> This design opens up for some DDoS attacks, as we don't want other
> nodes to just spam information all day long that would be relayed
> through the complete network. Furthermore, one attacker can just
> emulate a complete network that is vouching for him, and he can use
> those 'nodes' to push spam through the network as well. This does
> screw a little bit with the reputation system, but I think it would be
> possible to detect a cluster of nodes that is only connected to the
> rest of the network through that one attacker (some graph theory I
> guess). Furthermore, we can check nodes by pinging them randomly, and
> dropping any reputation if we cannot reach them.
Yes, reputation is hard.
What do you think about the idea of using the anchor transactions in the
blockchain as a map of the network? You could use an OP_RETURN to stash
two pubkeysx, that is the two node IDs.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:44:34
in reply to nevent1q…dn2h
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:44:34Event JSON
{
"id": "5bf796e8ab533281793390f9ea8826fe992e966791b1958d9802e9c40b86f3e6",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314674,
"kind": 1,
"tags": [
[
"e",
"d508e26ae44d949f7c534399c4b1e4f82df043bc5ea4ea4a1d4d81571bfaec45",
"",
"root"
],
[
"e",
"230e1f84b561c968bd56dfef0890c6b790b7c1f189c240203f49c4086da794f4",
"",
"reply"
],
[
"p",
"b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528"
]
],
"content": "📅 Original date posted:2015-09-23\n📝 Original message:\nMats Jerratsch \u003cmatsjj at gmail.com\u003e writes:\n\u003e\u003e On Mon, Sep 21, 2015 at 11:46:13AM +0930, Rusty Russell wrote:\n\u003e\u003e\u003e We regularly choose a dozen \"beacon\" nodes at random (using proximity to\n\u003e\u003e\u003e the SHA of latest block hash or something). Everyone propagates the\n\u003e\u003e\u003e cheapest route to \u0026 from those nodes (which is pretty efficient, similar\n\u003e\u003e\u003e to your scheme).\n\u003e\n\u003e I don't know, using the beacon kind of technique does seem a little\n\u003e bit cumbersome and you really have to think about a lot of possible\n\u003e attacks that might render the whole network unusable, because all\n\u003e beacons are maliciously sabotaging the network..\n\nIndeed. Random selection helps, here, but analysis will be interesting.\n\n\u003e\u003e If you do know the entire graph, you don't need to give away any\n\u003e\u003e information about who you want to pay prior to sending the transaction.\n\u003e\u003e Knowing the graph is potentially interesting for commercial and academic\n\u003e\u003e reasons beyond wanting privacy. (Knowing the fees others charge helps you\n\u003e\u003e work out what fees you should charge; but just querying your neighbours'\n\u003e\u003e routes is probably sufficient to work that out too)\n\u003e\n\u003e I initially thought about going with a Node Directory. That is, a\n\u003e central server collecting the routing data that could be sent there by\n\u003e choice. We can work out with signature and if both nodes submit the\n\u003e route towards the other node, whether this is indeed correct. But as\n\u003e this isn't too much data in the first place, I am very much in favour\n\u003e of just using some gossip-protocol.\n\nShort term I'm thinking we'll have an IRC channel (a-la early bitcoin)\nand everyone will advertise their channels there. This is design for\nthe next, more ambitious phase.\n\n\u003e Furthermore, we can also include\n\u003e some byte for a reputation / web-of-trust system. It is completely\n\u003e optional, if you are able to figure out how to route the payment\n\u003e across your nodes you are not forced to use this system, and I don't\n\u003e think it will have severe privacy problems.\n\nI think reputation systems will become an overlay, if the basic system\nproves vulnerable. It's nicer if we don't have to though, as reputation\nis both hard to encode in normal behaviour, and deeply centralizing.\n\n\u003e Payer and payee can further work out a rendezvous node. The payee will\n\u003e send the encrypted routing data from that node on to himself and the\n\u003e payer can build the rest of the routing from his viewpoint.\n\nYes, like R hash and destination node, you'd send some\nroutes-from-nodes for one or more rendezvous.\n\nThe advantage of this system is that it's less revealing, even if you\nhave to ask how to get to those.\n\n\u003e Having this data distributed really allows for making payments without\n\u003e leaving too many visible traces on the network.\n\u003e\n\u003e I would also spread data about how much can be spent and received with\n\u003e this route and fees for receiving and spending. Again, this data can\n\u003e be very vague and does not need to reflect the real world. You can say\n\u003e you support payments up to 10k satoshis, even though the channel has\n\u003e 5BTC in it.\n\nMy basic model for fees is base + percentage. AJ has been thinking\nharder about exactly how a node would set these...\n\n\u003e Is there any plan how we handle connections currently? I am thinking\n\u003e about sending the current IP address with this update, such that nodes\n\u003e can connect to each other after one broke down again, and it would\n\u003e further support dynamic IPs as well. Could be possible to extend this\n\u003e to hidden service notation, although this would need some more bytes\n\u003e to store.\n\nSo, I'm assuming the basic network comms is organized along channel\nlines; you have to communicate to the other end of the channel anyway,\nso that makes sense.\n\nThis doesn't solve \"how do I connect to the network\" or \"how do I start\na channel with this particular node\", though. For that, I've floated\nthe idea of reusing the bittorrent DHT, which has extensions to allow\njust this.\n\n\u003e The protocol on my side does look like this currently:\n\u003e\n\u003e General beacon for our node\n\u003e - pubkey [32]\n\u003e - timestamp [4]\n\u003e - IP/connectionDetails [8+...]\n\u003e - signature [70]\n\nYep, makes sense. Pubkey is usually 33 bytes, BTW.\n\nYou can squeze some more bytes out of you want:\n1) Signature should be 64 bytes (never DER encode).\n2) Pubkey can be hashed bitcoin-address style, and recovered from sig.\n\n\u003e Routing information\n\u003e - pubkey_from_us [32]\n\u003e - pubkey_from_you [32]\n\u003e - fee_sending [4]\n\u003e - max_sending [4]\n\u003e - current_reputation [1]\n\u003e - timestamp [4]\n\u003e - signature [70]\n\nIf we're using protobufs, they're extensible, so you can add reputation\nlater if we need it.\n\nYou also want two signatures, I think: one from each side. Though it\nmakes sense to have a separate teardown message which only needs one\nsig.\n\n\u003e These two would be spread as one message.\n\u003e This allows to keep two separate databases, and be able to bootstrap\n\u003e new nodes with this information, while we do not have to store old\n\u003e beacon data.\n\n\u003e As reputation will be stored for quite some time, we should really\n\u003e save them with separate signatures. (This will make it more difficult\n\u003e / costly to share the complete database with new nodes, and we need to\n\u003e store old data (reputation should be stored for some time) to validate\n\u003e the signatures.\n\nUnclear what reputation means, here?\n\n\u003e I was calculating with two updates a day, but only 100k nodes. Each\n\u003e node would make a connection to around 10 other nodes, resulting in\n\u003e 114+10*147 = 1.5kB per update. Each node would only use around 3kb/s\n\u003e up/down and would do around 3 signature verifications per second in\n\u003e idle mode, while allowing everyone a full copy of the routing. Making\n\u003e sure messages spread efficiently is another problem, as we have so\n\u003e many tiny messages. Storing the hashes you received in a bloom table\n\u003e and asking other peers if they want to receive it as well does work,\n\u003e but just the hashes of all messages do add up already..\n\u003e\n\u003e In the end, the nodes themselves don't really need the routing\n\u003e information, we just need a way to transport the information to the\n\u003e clients that make payments. Nodes will just stupidly obey the orders\n\u003e given in the blob of data they'll receive.\n\nBTW I've not been separating nodes and clients in my head-design. Of\ncourse, some nodes might not ever generate payments, and some nodes\nmight never route others' payments, but it increases privacy vastly if\nthey *can*, so I'm trying to think about them that way.\n\n\u003e This design opens up for some DDoS attacks, as we don't want other\n\u003e nodes to just spam information all day long that would be relayed\n\u003e through the complete network. Furthermore, one attacker can just\n\u003e emulate a complete network that is vouching for him, and he can use\n\u003e those 'nodes' to push spam through the network as well. This does\n\u003e screw a little bit with the reputation system, but I think it would be\n\u003e possible to detect a cluster of nodes that is only connected to the\n\u003e rest of the network through that one attacker (some graph theory I\n\u003e guess). Furthermore, we can check nodes by pinging them randomly, and\n\u003e dropping any reputation if we cannot reach them.\n\nYes, reputation is hard.\n\nWhat do you think about the idea of using the anchor transactions in the\nblockchain as a map of the network? You could use an OP_RETURN to stash\ntwo pubkeysx, that is the two node IDs.\n\nCheers,\nRusty.",
"sig": "6837f991427d41edb60dafe74f4f1e5230d314ec4f38a89a05cd4124e222b8760ecefcdbd74e7dacc687289dfcaeb72b02e52efd7a9b6f8fe851ad12f3bac602"
}