📅 Original date posted:2019-11-08
📝 Original message:
Anthony Towns <aj at erisian.com.au> writes:
> On Thu, Nov 07, 2019 at 02:56:51PM +1030, Rusty Russell wrote:
>> > What you wrote to Zmn says "Rusty decrypts the onion, reads the prepay
>> > field: it says 14, LLLL." but Alice doesn't know anything other than
>> > ZZZZ so can't put LLLL in the onion?
>> Alice created the onion. Alice knows all the preimages, since she
>> created the chain AAAAA....ZZZZZ.
>
> In your reply to Zmn, it was Rusty (Bob) preparing the nonce and creating
> the chain AAAA...ZZZZ -- so I was lost as to what you were proposing...
Oops. Don't trust that Rusty guy, let's stick with Alice.
[ Snip summary, which is correct ]
> As far as the "fair price" goes, the spitballed formula is "16 - X/4"
> where X is number of zero bits in some PoW-y thing. The proposal is
> the thing is SHA256(blockhash|revealedonion) which works, and (I think)
> means each step is individually grindable.
>
> I think an alternative would be to use the prepayment hashes themselves,
> so you generate the nonce AAAA as the value you'll send to Dave then
> hash it repeatedly to get BBBB..QQQQ, then check if pow(AAAA,BBBB) has
> 60 leading zero bits or pow(AAAA,CCCC) has 56 leading zero bits etc.
> If you made pow(a,b) be SHA256(a,b,shared-onion-key) I think it'd
> preserve privacy, but also mean you can't meaningfully grind unfairly
> cheap routing except for very short paths?
>
> If you don't grind and just go by luck, the average number of hashes
> per hop is ~15.93 (if I got my maths right), so you should be able to
> estimate path length pretty accurate by dividing claimed prepaid funds by
> 15.93*25msat or whatever. If everyone grinds at each level independently,
> I think you'd just subtract maybe 6 hops from that, but the maths would
> mostly stay the same?
>
> Though I think you could obfusticate that pretty well by moving
> some of the value from the HTLC into the prepayment -- you'd risk losing
> that extra value if the payment made it all the way to the recipient but
> they declined the HTLC that way though.
Yeah, and doesn't help obscure in the in-the-middle failure case unf.
Which is really bad with current payment_hash since you can spot
multiple attempts so easily. Hence my attempt to roll in some PoW to
obscure the amounts.
The ideal prepay range would be wider, so you can believably have
payments between 16 and 4 per hop, say. But if I can grind it I'll
naturally restrict the range to the lower end, and if it's ungrindable
(eg. based on nodeid and payment_hash or recent block hash) then
everyone on the path knows what it so too.
So, hashcash here is better than nothing, but still not very good.
>> >> Does Alice lose everything on any routing failure?
>> > That was my thought yeah; it seems weird to pay upfront but expect a
>> > refund on failure -- the HTLC funds are already committed upfront and
>> > refunded on failure.
>> AFAICT you have to overpay, since anything else is very revealing of
>> path length. Which kind of implies a refund, I think.
>
> I guess you'd want to pay for a path length of about 20 whether the
> path is actually 17, 2, 10 or 5. But a path length of 20 is just paying
> for bandwidth for maybe 200kB of total traffic which at $1/GB is 2% of
> 1 cent, which doesn't seem that worth refunding (except for really tiny
> micropayments, where paying for payment bandwidth might not be feasible
> at all).
>
> If you're buying a $2 coffee and paying 500ppm in regular fees per hop
> with 5 hops, then each routing attempt increases your fees by 4%, which
> seems pretty easy to ignore to me.
True, but ideally we'd have lots of noise even if people are trying to
minimize fees (which, if they're sending messages rather than payments,
they might).
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:57:07
in reply to nevent1q…deej
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:57:07Event JSON
{
"id": "b04a03a0d4e3e815c91bc1cd7573e39b8f47f60358a2bed17a4612d34a2d3b86",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315427,
"kind": 1,
"tags": [
[
"e",
"0c91e21e034533f122e94b0fd3031654ae905512e27a1262e64ae8c7923a76b8",
"",
"root"
],
[
"e",
"396dfda22fb6b241655cfe7114c4a9f681e4b4a551c5e4ca76ebf9b14142da64",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2019-11-08\n📝 Original message:\nAnthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e On Thu, Nov 07, 2019 at 02:56:51PM +1030, Rusty Russell wrote:\n\u003e\u003e \u003e What you wrote to Zmn says \"Rusty decrypts the onion, reads the prepay\n\u003e\u003e \u003e field: it says 14, LLLL.\" but Alice doesn't know anything other than\n\u003e\u003e \u003e ZZZZ so can't put LLLL in the onion?\n\u003e\u003e Alice created the onion. Alice knows all the preimages, since she\n\u003e\u003e created the chain AAAAA....ZZZZZ.\n\u003e\n\u003e In your reply to Zmn, it was Rusty (Bob) preparing the nonce and creating\n\u003e the chain AAAA...ZZZZ -- so I was lost as to what you were proposing...\n\nOops. Don't trust that Rusty guy, let's stick with Alice.\n\n[ Snip summary, which is correct ]\n\n\u003e As far as the \"fair price\" goes, the spitballed formula is \"16 - X/4\"\n\u003e where X is number of zero bits in some PoW-y thing. The proposal is\n\u003e the thing is SHA256(blockhash|revealedonion) which works, and (I think)\n\u003e means each step is individually grindable.\n\u003e\n\u003e I think an alternative would be to use the prepayment hashes themselves,\n\u003e so you generate the nonce AAAA as the value you'll send to Dave then\n\u003e hash it repeatedly to get BBBB..QQQQ, then check if pow(AAAA,BBBB) has\n\u003e 60 leading zero bits or pow(AAAA,CCCC) has 56 leading zero bits etc.\n\u003e If you made pow(a,b) be SHA256(a,b,shared-onion-key) I think it'd\n\u003e preserve privacy, but also mean you can't meaningfully grind unfairly\n\u003e cheap routing except for very short paths?\n\u003e\n\u003e If you don't grind and just go by luck, the average number of hashes\n\u003e per hop is ~15.93 (if I got my maths right), so you should be able to\n\u003e estimate path length pretty accurate by dividing claimed prepaid funds by\n\u003e 15.93*25msat or whatever. If everyone grinds at each level independently,\n\u003e I think you'd just subtract maybe 6 hops from that, but the maths would\n\u003e mostly stay the same?\n\u003e\n\u003e Though I think you could obfusticate that pretty well by moving\n\u003e some of the value from the HTLC into the prepayment -- you'd risk losing\n\u003e that extra value if the payment made it all the way to the recipient but\n\u003e they declined the HTLC that way though.\n\nYeah, and doesn't help obscure in the in-the-middle failure case unf.\nWhich is really bad with current payment_hash since you can spot\nmultiple attempts so easily. Hence my attempt to roll in some PoW to\nobscure the amounts.\n\nThe ideal prepay range would be wider, so you can believably have\npayments between 16 and 4 per hop, say. But if I can grind it I'll\nnaturally restrict the range to the lower end, and if it's ungrindable\n(eg. based on nodeid and payment_hash or recent block hash) then\neveryone on the path knows what it so too.\n\nSo, hashcash here is better than nothing, but still not very good.\n\n\u003e\u003e \u003e\u003e Does Alice lose everything on any routing failure?\n\u003e\u003e \u003e That was my thought yeah; it seems weird to pay upfront but expect a\n\u003e\u003e \u003e refund on failure -- the HTLC funds are already committed upfront and\n\u003e\u003e \u003e refunded on failure.\n\u003e\u003e AFAICT you have to overpay, since anything else is very revealing of\n\u003e\u003e path length. Which kind of implies a refund, I think.\n\u003e\n\u003e I guess you'd want to pay for a path length of about 20 whether the\n\u003e path is actually 17, 2, 10 or 5. But a path length of 20 is just paying\n\u003e for bandwidth for maybe 200kB of total traffic which at $1/GB is 2% of\n\u003e 1 cent, which doesn't seem that worth refunding (except for really tiny\n\u003e micropayments, where paying for payment bandwidth might not be feasible\n\u003e at all).\n\u003e\n\u003e If you're buying a $2 coffee and paying 500ppm in regular fees per hop\n\u003e with 5 hops, then each routing attempt increases your fees by 4%, which\n\u003e seems pretty easy to ignore to me.\n\nTrue, but ideally we'd have lots of noise even if people are trying to\nminimize fees (which, if they're sending messages rather than payments,\nthey might).\n\nCheers,\nRusty.",
"sig": "e23026e14837060ce07c918c3dff895b4541ad9217fc01d40c2f3dd7d5e0b29290d52c0de5b9f8bb40d12a3b7457fb9176fc1fbcba00714c63c1fe969e2bc8dc"
}