2023-06-09 13:13:19

Antoine Riard [ARCHIVE] on Nostr:

📅 Original date posted: 2023-05-17
🗒️ Summary of this message: The Lightning Network's reputation system is vulnerable to sudden changes in fees and behavior, making it susceptible to attacks and whitewashing.
📝 Original message:
Hi all,

> That is, one cannot gain reputation during low fee times and use it when
> fees are high.

> Good reputation is also a function of the general environment, and so if
> there is a fee spike, reputation will change. It is true that nodes can go
> rogue, but this is why we aim for the price of a good reputation to be
> similar to the amount of damage they can create.

The lack of transitivity of the reputation acquisition cost (e.g. based on
historical fees earned from forwards originating from the peer) between the
hops of the payment path still raises a vulnerability issue for the
endorsement scheme, I think.

Namely, let's say you have Alice, Bob and Caroll where endorsement has been
obtained by Alice on the Bob incoming link by paying fees for an amount of
1000 sats for the last 100 blocks. Caroll offers a far higher pricing on
her incoming link from Bob, 10000 sats as `fee_base_msat` on her endorsed
slots. It sounds to me there is nothing preventing Alice from sacrificing
her earned reputation to inflict a loss of routing fees damage on Caroll's
incoming link?

Generally, I think the endorsement scheme assumes some synchronicity in the
setting of routing fees by the hops. In practice, it's expected there will
be variations based on their own pricing of liquidity, their accumulated
data sets (e.g. historical view of LN gossips) and downstream link topology.
And this is the same between building a mitigation on concepts like
"peace/war" time, sophisticated attackers might be able to mask their
traffic as some spontaneous congestion.

There is an independent new observation on the effect of dynamic reputation
windows on payment reliability. As those windows are not announced to the
rest of the network, sudden changes in link throughput based on HTLC
resolution might break the historical liquidity buckets of routing scoring
algorithms (at least in the way we're doing it for LDK), I think?

Best,
Antoine


On Wed, May 10, 2023 at 16:59, Clara Shikhelman <clara.shikhelman at gmail.com>
wrote:

> Hi Christian,
>
> Thanks for your comments! We will discuss this further in the upcoming
> call on the 15th, would be great to see you there!
>
>
>> this is an intrinsic issue with reputation systems, and the main
>> reason I'm sceptical w.r.t. their usefulness in lightning.
>> Fundamentally any reputation system bases their expectations for the
>> future on experiences they made in the past, and they are thus always
>> susceptible to sudden behavioral changes (going rogue from a prior
>> clean record) and whitewashing attacks (switching identity, abusing
>> any builtin bootstrapping method for new users to gain a good or
>> neutral reputation before turning rogue repeatedly).
>>
>
> In the Lightning Network, fees are a native way to put a price on having a
> good reputation (see details here [0]). In the design that we suggest, the
> reputation gained today cannot be used in the distant future, and funds
> need to be invested continuously to keep a good reputation. Good reputation
> is also a function of the general environment, and so if there is a fee
> spike, reputation will change. It is true that nodes can go rogue, but this
> is why we aim for the price of a good reputation to be similar to the
> amount of damage they can create.
>
>
>> This gets compounded as soon as we start gossiping about reputations,
>> since now our decisions are no longer based just on information we can
>> witness ourselves, or at least verify its correctness, and as such an
>> attacker can most likely "earn" a positive reputation in some other
>> part of the world, and then turn around and attack the nodes that
>> trusted the reputation shared from those other parts.
>>
>
> Notice that we are not gossiping about our peer's reputation. The only
> thing that a node communicates to its neighbor is whether they see an HTLC
> as endorsed or just neutral, that is, should this HTLC be granted access to
> all of the resources or just the restricted part.
>
>
>> I'd be very interested in how many repeat interactions nodes get from
>> individual senders, since that also tells us how much use we can get
>> out of local-only reputation based systems, and I wouldn't be
>> surprised if, for large routing nodes, we have sufficient data for
>> them to make an informed decision, while the edges may be more
>> vulnerable, but they'd also be used by way fewer senders, and the
>> impact of an attack would also be proportionally smaller.
>>
>
> This is something we hope to learn once we'll start collecting data from
> our brave volunteers :)
>
> Cheers,
> Clara
>
Author Public Key
npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8dd