CJP [ARCHIVE] on Nostr
📅 Original date posted:2015-07-14
📝 Original message:
> OK, so this is why I proposed an onion routing system.
>
> Basically: each node sees the next hop, the R hash, the amount, the
> timeout, the fee being offered. It doesn't see the source, nor the
> final destination.
>
> This, however, requires source routing.

Ah, now I understand a bit better what you mean with onion routing. Yes,
that requires source routing, and it is another way of anonymizing the
route. A disadvantage of this approach is that it requires the source of
a route (so basically everyone) to know the shape of the network (who is
connected to who), which is a privacy disadvantage. This is not
necessary in TOR, since in TOR, every node can (usually) connect to
every other node, so finding a route is trivial.

At the risk of making things too complicated: it is possible to combine
both concepts in a single design. Source routing just requires the
protocol to be able to carry arbitrary payload data to the next
waypoint, so that the waypoint (which is supposed to understand the
arbitrary payload data) can determine how the route should be continued.
It's perfectly fine if the final waypoint of the route is a "neutral
meeting point" somewhere in the middle, as in my concept. In-between
waypoints, routers are free to use non-source routing, as long as the
waypoints can report with reasonable accuracy which other waypoints are
reachable, so that other nodes know the high-level shape of the network
for use in their source routing.

I don't see the "several thousand hubs" model as more sensitive to
centralization/censorship than other routing models, as long as there is
no barrier to creating your own hub and to start using new hubs. Any
routing model has routable addresses and risks addresses being censored
by a part of the network.

There is one other attack mode I see, which is independent of the
routing method: a powerful attacker (read: government) could be
monitoring transactions on several "regulated" nodes. It could also gain
the ability, every once in a while, to initiate transactions from an
"illegal" node that should have been censored (e.g. by physical access
to its hardware). If such transactions are routed over "regulated"
nodes, it would immediately recognize this, because the transaction hash
would be the same. The attacker can then identify the node that allows
"illegal" transactions to enter the regulated network, and punish it.
Even if we find a way to somehow use a different hash on every hop of a
transaction, it can still do this based on the exact payment amount, or
based on timing. I don't see right now how this attack mode can be
eliminated; maybe it should be accepted as a risk inherent in the design
of the network. Let's hope that the freedom-loving part of the network
will always be so large that censorship-loving parts will just hurt
themselves by isolating themselves.

> In summary:
>
> 1) Each-hop routing:
> - Final destination hub is revealed to all nodes.
> - May be forwarded, though.
Yes, may be forwarded, as in the "hybrid design" I described here. Also,
bi-directional routing towards a meeting point in the middle doesn't
reveal the final destination of the route as a whole.
> - Source may be revealed to all nodes?
Not necessary. You just need to keep the route open for a while, so that
messages towards the source can follow it back.
> - Fees are tricky.
> - Too low will fail
> - How to estimate?
I'll make another reply about fees; that's a whole subject on its own.
> - Adaptable to changing network conditions
> - Intermediary nodes can reroute.
> - End clients need not know anything.
>
> 2) Source routing:
> - Neither final source nor dest revealed to intermediary nodes.
> - Fees are known in advance.
> - Requires retransmission from source if routes change.
> - End clients need routing/fee information.
> - Allows selection of nodes from source
> - May let you avoid bad/tracking/unreliable nodes?

CJP
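
The linking problem described in the message above, as an added example that is not part of the original post: it audits which fields in the forwarding logs of two monitored nodes tie their records to the same payment, first with a shared R hash and then with a different hash per hop. The node names, amounts, times, thresholds and the per-hop hash stand-in are all constructed assumptions.

```python
import hashlib
from collections import namedtuple

# label is ground truth for checking the result only; the linkers never read it.
Record = namedtuple("Record", "label time r_hash amount")

def hop_hash(secret: bytes, node: str, per_hop: bool) -> str:
    # per_hop=True is a stand-in for the hypothetical "different hash on every
    # hop" scheme from the post; it only guarantees the two values differ.
    data = secret + node.encode() if per_hop else secret
    return hashlib.sha256(data).hexdigest()

def build_logs(per_hop: bool):
    """Constructed logs of two monitored nodes; A is upstream of B for p1."""
    def rec(label, node, t, amount):
        return Record(label, t, hop_hash(label.encode(), node, per_hop), amount)
    log_a = [rec("p1", "A", 10.00, 100_030), rec("p2", "A", 10.40, 250_000)]
    log_b = [rec("p1", "B", 10.12, 100_010),   # same payment, fee deducted
             rec("p3", "B", 55.00, 100_000),   # similar amount, much later
             rec("p4", "B", 10.20, 7_000)]     # close in time, other amount
    return log_a, log_b

def link_by_hash(log_a, log_b):
    """Pairs of records that carry an identical hash at both nodes."""
    return {(a.label, b.label) for a in log_a for b in log_b
            if a.r_hash == b.r_hash}

def link_by_amount_and_time(log_a, log_b, max_fee=50, max_delay=1.0):
    """Pairs where B's amount is A's minus a small fee, shortly after A."""
    return {(a.label, b.label) for a in log_a for b in log_b
            if 0 <= a.amount - b.amount <= max_fee
            and 0 <= b.time - a.time <= max_delay}

if __name__ == "__main__":
    for per_hop in (False, True):
        a, b = build_logs(per_hop)
        print("per-hop hash:", per_hop,
              "| by hash:", link_by_hash(a, b),
              "| by amount+time:", link_by_amount_and_time(a, b))
```
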
Published at 2023-06-09 12:43:33