📅 Original date posted:2019-01-05
📝 Original message:
Good morning David,
What happens if the exchange node only sends its preimage towards the payer and not towards the payee?
If the payer and payee do not coordinate, then it becomes possible for the exchange node to take the funds without the payee gaining the ability to claim the payment.
This might be used by a node to take proofs of payment without paying, by simulating the payer and exchange nodes.
This may be important if the proof of payment is valuable, such as, the mentioned offline Lightning vending machines, or if the preimage is the decryption key for valuable data (e.g. ransomware; now the ransomware author may find it is scammed off their potential earnings).
Regards,
ZmnSCPxj
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 5, 2019 5:05 AM, David A. Harding <dave at dtrt.org> wrote:
> On Thu, Dec 27, 2018 at 05:43:51AM +0000, ZmnSCPxj via Lightning-dev wrote:
>
> > We can try to mitigate this, but the solutions below all have significant drawbacks.
>
> An alternative is to give the person making the exchange the ability to
> cancel the payment if they think the exchange rate has changed
> unfavorably for them. I think you could do that by adding an extra
> hashlock to the HTLC that's controlled by the exchanger. For example,
> here's what we'd expect a cross-asset path to look like:
>
> Alice Bob Charlie Dan Eliza
> 1.3 mBTC -> 1.3 mBTC -> 1.2 mBTC
>
> 1.2 mWJT -> 1.1 mWJT -> 1.0 mWJT
>
>
> Instead of Alice's node just locally constructing this path and trying
> to pay it like normal, she first sends a special probe to Charlie
> requesting a new hash for which only he knows the preimage. With this
> hash plus the hash Alice received from Eliza, Alice sends a payment that
> requires both hashlocks be unlocked before anyone can claim the payment.
>
> 1. When this payment reaches the exchanger, Charlie, he checks that the
> payment includes a hashlock he controls before routing the payment on to
> a different asset.
>
> 2. When the payment reaches receiver Eliza's node, she releases her
> PreImage (PI0) back along the path.
>
> 3. When Eliza's preimage reaches exchanger Charlie's node, he releases
> his preimage (PI1) in both directions along the path and continues
> forwarding PI0 backwards. Eventually everyone receives both preimages
> through the usual offchain or onchain mechanisms.
>
> Alice Bob Charlie Dan Eliza
> PI0 <- PI0 <- PI0 <- PI0 <- PI0 (start here)
> PI1 <- PI1 <- PI1 -> PI1 -> PI1
>
>
> However, if the exchange rate changes too much for Charlie's comfort
> before both preimages have been released, Charlie can unilaterally
> decide to cancel the payment by simply not releasing his preimage.
>
> Note that by making the payment contingent on the approval of the
> exchanger, the ability to create an underhanded call option is
> transferred to the exchanger. However, this may be less concerning
> because the exchanger can only keep this option open by refusing to
> immediately claim the routing fees.
>
> For example, our exchanger Charlie is being offered 0.1 mBTC to route
> the payment (a made up number). If he can route 100 such payments in a
> day (another made up number), he can earn 10.0 mBTC from routing. By
> comparison, if he delays a payment of 1.2 mBTC, he'd need to expect the
> exchange rate to change by an order of magnitude within a day to earn
> the same amount. In ZmnSCPxj's terminology, the option is now no longer
> free because Charlie must decide between potential routing income and
> potential option income. Whether or not exchangers play the option game
> will therefore likely be based on the amount of honest routing income
> they can earn relative to the exchange rate volatility (and also on how
> good nodes get at tracking reliable routes).
>
> This idea certainly complicates the current protocol (both routing and
> transaction construction), but maybe there are simplifications
> available.
>
> -Dave
ZmnSCPxj [ARCHIVE] /
npub1g5…3ms3l
2023-06-09 12:53:45
in reply to nevent1q…gzae
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 12:53:45Event JSON
{
"id": "6fc044d59650297ba21d3fb03ee3ef69345f58dbe2cb50dc9b129e57fc91ad09",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315225,
"kind": 1,
"tags": [
[
"e",
"ca4ba408a7f58042d7f13af4ffdac9ce35c46314a12c4b25cf60835498578c43",
"",
"root"
],
[
"e",
"883aba19efa66c11764e0daa4c9ad657fc439bac9c14b57010456caf73d78972",
"",
"reply"
],
[
"p",
"d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2"
]
],
"content": "📅 Original date posted:2019-01-05\n📝 Original message:\nGood morning David,\n\nWhat happens if the exchange node only sends its preimage towards the payer and not towards the payee?\n\nIf the payer and payee do not coordinate, then it becomes possible for the exchange node to take the funds without the payee gaining the ability to claim the payment.\nThis might be used by a node to take proofs of payment without paying, by simulating the payer and exchange nodes.\nThis may be important if the proof of payment is valuable, such as, the mentioned offline Lightning vending machines, or if the preimage is the decryption key for valuable data (e.g. ransomware; now the ransomware author may find it is scammed off their potential earnings).\n\nRegards,\nZmnSCPxj\n\n\n\nSent with ProtonMail Secure Email.\n\n‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐\nOn Saturday, January 5, 2019 5:05 AM, David A. Harding \u003cdave at dtrt.org\u003e wrote:\n\n\u003e On Thu, Dec 27, 2018 at 05:43:51AM +0000, ZmnSCPxj via Lightning-dev wrote:\n\u003e\n\u003e \u003e We can try to mitigate this, but the solutions below all have significant drawbacks.\n\u003e\n\u003e An alternative is to give the person making the exchange the ability to\n\u003e cancel the payment if they think the exchange rate has changed\n\u003e unfavorably for them. I think you could do that by adding an extra\n\u003e hashlock to the HTLC that's controlled by the exchanger. For example,\n\u003e here's what we'd expect a cross-asset path to look like:\n\u003e\n\u003e Alice Bob Charlie Dan Eliza\n\u003e 1.3 mBTC -\u003e 1.3 mBTC -\u003e 1.2 mBTC\n\u003e\n\u003e 1.2 mWJT -\u003e 1.1 mWJT -\u003e 1.0 mWJT\n\u003e\n\u003e\n\u003e Instead of Alice's node just locally constructing this path and trying\n\u003e to pay it like normal, she first sends a special probe to Charlie\n\u003e requesting a new hash for which only he knows the preimage. With this\n\u003e hash plus the hash Alice received from Eliza, Alice sends a payment that\n\u003e requires both hashlocks be unlocked before anyone can claim the payment.\n\u003e\n\u003e 1. When this payment reaches the exchanger, Charlie, he checks that the\n\u003e payment includes a hashlock he controls before routing the payment on to\n\u003e a different asset.\n\u003e\n\u003e 2. When the payment reaches receiver Eliza's node, she releases her\n\u003e PreImage (PI0) back along the path.\n\u003e\n\u003e 3. When Eliza's preimage reaches exchanger Charlie's node, he releases\n\u003e his preimage (PI1) in both directions along the path and continues\n\u003e forwarding PI0 backwards. Eventually everyone receives both preimages\n\u003e through the usual offchain or onchain mechanisms.\n\u003e\n\u003e Alice Bob Charlie Dan Eliza\n\u003e PI0 \u003c- PI0 \u003c- PI0 \u003c- PI0 \u003c- PI0 (start here)\n\u003e PI1 \u003c- PI1 \u003c- PI1 -\u003e PI1 -\u003e PI1\n\u003e\n\u003e\n\u003e However, if the exchange rate changes too much for Charlie's comfort\n\u003e before both preimages have been released, Charlie can unilaterally\n\u003e decide to cancel the payment by simply not releasing his preimage.\n\u003e\n\u003e Note that by making the payment contingent on the approval of the\n\u003e exchanger, the ability to create an underhanded call option is\n\u003e transferred to the exchanger. However, this may be less concerning\n\u003e because the exchanger can only keep this option open by refusing to\n\u003e immediately claim the routing fees.\n\u003e\n\u003e For example, our exchanger Charlie is being offered 0.1 mBTC to route\n\u003e the payment (a made up number). If he can route 100 such payments in a\n\u003e day (another made up number), he can earn 10.0 mBTC from routing. By\n\u003e comparison, if he delays a payment of 1.2 mBTC, he'd need to expect the\n\u003e exchange rate to change by an order of magnitude within a day to earn\n\u003e the same amount. In ZmnSCPxj's terminology, the option is now no longer\n\u003e free because Charlie must decide between potential routing income and\n\u003e potential option income. Whether or not exchangers play the option game\n\u003e will therefore likely be based on the amount of honest routing income\n\u003e they can earn relative to the exchange rate volatility (and also on how\n\u003e good nodes get at tracking reliable routes).\n\u003e\n\u003e This idea certainly complicates the current protocol (both routing and\n\u003e transaction construction), but maybe there are simplifications\n\u003e available.\n\u003e\n\u003e -Dave",
"sig": "d4125bd2be36cfa502c48a87b4799c7bcc26367c3d6f06622086f8ad2b7dc632f4f13fe9ea510e0207ebd0c4895dde5d1a52d39a30ed985b7854a01994b6f23f"
}