📅 Original date posted:2022-11-27
📝 Original message:
On 2022-11-25 13:12, ZmnSCPxj via Lightning-dev wrote:
> If I am an LSP, and I know my competitor LSP distributes their
> credentials, then I can simply apply to be a spoke on my competitor
> and then make several payments to my node, which I then jam up.
> This reduces the reputation of my competitor LSP.
I don't think this how Riard's credentials work. The credential tokens
are blinded, so forwarding nodes can't use them to determine the origin
of the payment---thus they can't assign blame.
As I understand them, credential tokens prevent DoS by each token only
allowing the one-time creation of a single HTLC, so any failed payment
reduces the sender's supply of tokens. That means, if Mallory becomes a
client of Bob's and Bob lets Mallory use some of his tokens, Mallory can
destroy those tokens. Although that's bad for Bob, he can easily limit
the damage by not giving Mallory more tokens after too many failures.
If Bob obtained his tokens at a low cost (e.g. by sending many payments
that were successful and receiving back >100% of the tokens he used to
make those payments) and if Alice has to pay a similar or greater cost
to become a client of Bob's (e.g. onchain channel open costs), then the
attack should not be economically rational.
> This is even worse if my competitor LSP attaches their credentials on
> trampolines, I do not even need to apply to be a spoke on my
> competitor that way.
I think the analysis for trampolines is the same: as long as Bob only
attaches credential tokens to trampoline payments where he knows the
origin has paid a cost (or will need to pay a cost) to abuse his
service, he can prevent any attack from becoming economically rational.
> Thus all reputation still rests with ultimate senders, who have to
> convince LSPs to sell their reputation to them, because they might
> secretly be competitor LSPs who have incentive to drain their
> reputation.
>
> If the price of sold reputation is too high, then it is no different
> from upfront fees.
>
> If the price of sold reputation is too low, then I can drain the
> reputation of competitor LSPs.
I think the statement at the top about reputation resting with ultimate
senders is true but two conditionals below it are not quite right. If
an LSP helps many clients make successful payments, those clients may
(at no additional cost to them beyond the forwarding fees they already
paid) receive more credential tokens than they'll ever need. By
allowing the LSP to instead use those tokens for other clients
("harvesting" them), it's possible for those later clients to avoid
paying for credential tokens---this is equivalent to free upfront fees.
As long as the LSP can prevent a client from using too many tokens, and
requires the client pay other inescapable costs, then it shouldn't be
possible for a competitor to substantially drain the token capital of a
LSP without losing a substantial amount of its own money.
-Dave
David A. Harding [ARCHIVE] /
npub16d…x4wrd
2023-06-09 13:07:27
in reply to nevent1q…ueg8
Author Public Key
npub16dt55fpq3a8r6zpphd9xngxr46zzqs75gna9cj5vf8pknyv2d7equx4wrdPublished at
2023-06-09 13:07:27Event JSON
{
"id": "c4b207075758302b23ef460ebea89d72b85c560b17f12264d726a58929aaeb6c",
"pubkey": "d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2",
"created_at": 1686316047,
"kind": 1,
"tags": [
[
"e",
"9c3a63b3566ad83b1efc2410b067702e12877b167df07023410314f65ebf754b",
"",
"root"
],
[
"e",
"016744317f2682d15a72cbfcc3cc253be407111ccf9e5f665a5420ad81a73625",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2022-11-27\n📝 Original message:\nOn 2022-11-25 13:12, ZmnSCPxj via Lightning-dev wrote:\n\u003e If I am an LSP, and I know my competitor LSP distributes their\n\u003e credentials, then I can simply apply to be a spoke on my competitor\n\u003e and then make several payments to my node, which I then jam up.\n\u003e This reduces the reputation of my competitor LSP.\n\nI don't think this how Riard's credentials work. The credential tokens \nare blinded, so forwarding nodes can't use them to determine the origin \nof the payment---thus they can't assign blame.\n\nAs I understand them, credential tokens prevent DoS by each token only \nallowing the one-time creation of a single HTLC, so any failed payment \nreduces the sender's supply of tokens. That means, if Mallory becomes a \nclient of Bob's and Bob lets Mallory use some of his tokens, Mallory can \ndestroy those tokens. Although that's bad for Bob, he can easily limit \nthe damage by not giving Mallory more tokens after too many failures. \nIf Bob obtained his tokens at a low cost (e.g. by sending many payments \nthat were successful and receiving back \u003e100% of the tokens he used to \nmake those payments) and if Alice has to pay a similar or greater cost \nto become a client of Bob's (e.g. onchain channel open costs), then the \nattack should not be economically rational.\n\n\u003e This is even worse if my competitor LSP attaches their credentials on\n\u003e trampolines, I do not even need to apply to be a spoke on my\n\u003e competitor that way.\n\nI think the analysis for trampolines is the same: as long as Bob only \nattaches credential tokens to trampoline payments where he knows the \norigin has paid a cost (or will need to pay a cost) to abuse his \nservice, he can prevent any attack from becoming economically rational.\n\n\u003e Thus all reputation still rests with ultimate senders, who have to\n\u003e convince LSPs to sell their reputation to them, because they might\n\u003e secretly be competitor LSPs who have incentive to drain their\n\u003e reputation.\n\u003e \n\u003e If the price of sold reputation is too high, then it is no different\n\u003e from upfront fees.\n\u003e \n\u003e If the price of sold reputation is too low, then I can drain the\n\u003e reputation of competitor LSPs.\n\nI think the statement at the top about reputation resting with ultimate \nsenders is true but two conditionals below it are not quite right. If \nan LSP helps many clients make successful payments, those clients may \n(at no additional cost to them beyond the forwarding fees they already \npaid) receive more credential tokens than they'll ever need. By \nallowing the LSP to instead use those tokens for other clients \n(\"harvesting\" them), it's possible for those later clients to avoid \npaying for credential tokens---this is equivalent to free upfront fees. \nAs long as the LSP can prevent a client from using too many tokens, and \nrequires the client pay other inescapable costs, then it shouldn't be \npossible for a competitor to substantially drain the token capital of a \nLSP without losing a substantial amount of its own money.\n\n-Dave",
"sig": "598d983f22f3c08c2791bb4b6b2ac481923192e27b122d8b8d591cff8db30aad21503b4deffa0d2e70380602850145f29c22957b45186882c773d0b110aec297"
}