draft: Staking Credentials token issuance/redemption

[ariard]

A formalization of a reputation-based scheme to solve channel jamming is proposed. The system relies on "credentials" issued by routing hops and requested to be attached to each HTLC forward request. The "credentials" can be used by a reputation algorithm to reward/punish payment senders and allocate channel liquidity resources efficiently. The "credentials" initial distribution can be boostraped leveraging one-time upfront fees paid toward the routing hops. Afterwards, the "credentials" subsequent distribution can rely on previous HTLC traffic.

See corresponding mailing list thread for more context. There is also a PoC in LDK: lightningdevkit/rust-lightning#1848 (though now code is behind the description)

Feedback very welcome,.This is a really rough sketch aiming to offer a sound reputation-based proposal to be compared against all the jamming mitigations alternatives: upfront fees/unconditional fees/forwarding pass/etc.

This proposal is inspired by IETF's Privacy Pass from original @naumenkogs suggestion.

[joostjager]

Thanks for making a start here with anti-jamming changes!

The paper linked in your rust-lightning pr about privacy pass I also found useful for background info.

[joostjager]

Hold invoice may have a longer cltv, but I don't think that that is a suitable way to recognize and pay for them. Also quick-resolving htlcs on longer routes may have high cltv deltas. What makes hold invoices costly is their actual hold time.

[joostjager]

Yes, or in the credentials case let the routing node sign a number of credentials that varies based on the actual hold time? If the sender causes a lot of holding, they will keep sending out more credentials than they get back, bringing their credentials balance down. The onion payload is limited in size though, so it seems that it can't be very granular.

[joostjager]

Yes, the difference in hold time between a regular payment and a hold payment is massive. Hard to bridge that gap using credentials without requiring more trust.

Routing fee scaling on a time dimension - I think it only works for the success case? Seems we also need something for the slow-failed case.

[joostjager]

I believe this is a lossy data structure. Does that create issues with false positives or negatives?

[joostjager]

This is indeed probably something that can be solved in the implementation phase. With the expiry, the set cannot grow indefinitely. Is that expiry actually encoded inside the 32 byte credential?

[joostjager]

So credential_expiration_height is a delta height that both sender and router use to expire tokens? Can the router do this when it gets presented the unblinded token, or how does the router know when the token was produced?

[joostjager]

Can the router still verify the tag after unblinding? I'd think it has become unreadable for the router when it is presented as a forward credential?

[joostjager]

What happens if upstream nodes along the path corrupt the signed credentials somehow? They are part of the update_fulfill_htlc message, right?

[joostjager]

Attached to update_fulfill_htlc as an onion, I'd think that nodes can still delete it? And stand-alone onion messages may not arrive either. If there is a way to somehow atomically deliver upstream together with the preimage, that seems to be better. Or use something like #1044 so that the sender can penalize the node that deleted the in-flight credentials.

[joostjager]

Nice to have another reason to work on #1044 😉

[joostjager]

Why are these sent back via a separate onion message and not in the update_fulfill_htlc as described for ongoing signing below?

[naumenkogs]

Another option is to make the payload same size for any number of creds somehow... Maybe a static big payload (part of which could be empty), or some fancy compressed data structure with the size independent from the number of creds.

[joostjager]

Would it be possible for routing nodes to sign with different keys to do some traffic correlation? Or can Alice just verify the signatures and ensure herself that they are all signed with the routing node key?

[joostjager]

Is it necessary to do key rotation at all?

[joostjager]

Sounds like rotation is something for later reconsideration, with node keys currently being static.

[joostjager]

Will this be the VOPRF method that is also used for privacy pass?

[joostjager]

Ok. At least good to know that with VOPRF we have one option that seems reasonably well fitting.

[naumenkogs]

I see how it can be easily done when credentials are mixed among a set of users (maybe private mixing is hard, but probably not — it's like Tor 2.0 stuff).
But this would be unfortunate, it likely converges to CoinJoin anonymity set stuff, which, again, relies on reputation... Seems like a recursive problem, but maybe I'm missing the fact that we can solve both at the same time somehow?

Now, fancier schemes, I still don't have a good sense of how they should be applied to our problem.
When I think about this, my first question is "what if there was only one client who received the credential, is there a way to protect them?"

1. This is probably solvable either with mixing (see above), or a trusted third party server (like a mix coordinator, but more flexible — and hopefully provably private towards everything) like a watchtower.
2. Maybe this is fine — we assume privacy only if a routing node served 100 clients a day or something. Then, maybe some minimal technology would be sufficient to help those 100 to make sure they get mixed among each other. Possibly something a routing node publishes every day, or maybe even something about burning the collateral of a routing node if cheating happens :P

[joostjager]

I think it may be useful too - if only as a thought experiment - to envision the simplest possible version of the scheme. So maybe just a single credential per htlc, no introduction of liquidity units and avoiding the use of onion messages?

[joostjager]

For the simplest version, I'd think that you need one credential per htlc, regardless of amount and cltv.

[naumenkogs]

This would make up a good section for this document :)

[fiatjaf]

From what I understand these reputation tokens are being sent as a form of upfront/unconditional monetary payment from the sender to each node in a route. Is this right?

Considering that, aside from these concerns you cite here, is there anything that makes paying these upfront fees with sats inherently harder or worse than paying with reputation tokens?

For example, in a route A->B->C->D is there something that prevents A from sending some extra msats unconditionally to B and C?

(I couldn't find anything that makes that a no-go on https://github.com/t-bast/lightning-docs/blob/master/spam-prevention.md)

[joostjager]

In a way, things look simpler without a dissemination phase. For each hop you either attach a valid token, or pay an unconditional upfront fee. Either way, you'll get a new free token back for the next payment attempt - assuming no misbehavior.

On the other hand this does require different changes to allow these unconditional fees.

[joostjager]

All though yes, this is probably the same as always requiring an upfront fee and lowering the routing fee slightly. In both cases, you pay a little bit for a failure and more for a success.

In that regard it is different from privacy pass. In lightning we are going to pay anyway for a success, so instead of returning a token it could just as well be a discount on the success fee to cover the next payment's upfront fee. Of course that discount won't be explicit, there's just a routing fee. With privacy pass, there is no payment for the success case. The website is opened for free.

[naumenkogs]

The credentials are counter-signed by the issuer to authenticate their origin.

First I thought that a secret (without a signature) should be sufficient. But then I realized, because of onions, you get a signature "for free", right?

[naumenkogs]

But how this is different from issuing a secret only the issuer and the receiver knows?

[naumenkogs]

nit: eve is usually evil, so i was actually seeking for the attack description somewhere :)

[naumenkogs]

Good stuff overall. I kinda feel this document is too in-depth for now, and should be simplified to:

1. Focus on the simplest version first.
2. Focus attention on high-level abstract justifications instead of debatable ideas like key rotation

[saubyk]

nit: do you mean 'In contrast'?

[saubyk]

nit: traffic shaping tool

[saubyk]

nit: HTLC forward/settlement phase

[t-bast]

I haven't seen much progress on this for the past year, so I'm closing this in favor of #1071. Feel free to re-open once someone actively works on developing such a protocol.

[t-bast]

Gotcha, I hadn't seen that this had moved to the civkit organisation! Good to see that you're still working on this.