Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C57EF504 for ; Sat, 25 Nov 2017 19:21:59 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ot0-f179.google.com (mail-ot0-f179.google.com [74.125.82.179]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0B973E2 for ; Sat, 25 Nov 2017 19:21:57 +0000 (UTC) Received: by mail-ot0-f179.google.com with SMTP id b49so21161305otj.5 for ; Sat, 25 Nov 2017 11:21:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=0tLQdWVBHiPcmg/Z6DP8ly/JeEEUycmt5DwHQ1F4h7g=; b=E9KGDrnAA93RYcdrfUEIN8FdZC39Hl3K1qRk8pp/wofhfhQxmK6yflwxp7HJFnW/R3 Vi78GIzL01UimAix1rLVO8dY0HERaoiigFhFL30E6pNNUCm6tM/ijvHjXjeEAB14rUPT 5rpN/EkZJ0/703mN/Y6T631f3Tjvm3k2VWKXrGWQ4w8KKIF1DGP5vBC3T9mrDFX3E9Dv AgwSHLsUetidopGxlyvGmwTR28aCjO80OW6GcNQvpGt7kdqvvvipECV4CKVP1eqRW3gZ oIj/bSCsKRzja4cAiTeuMFpmSLKW/EXtn6duGgbmWPqPAlWI6VS5gnwxRKmMlibmyjdJ d3OQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=0tLQdWVBHiPcmg/Z6DP8ly/JeEEUycmt5DwHQ1F4h7g=; b=OYzSuMsTMxB+k/GA2dX3+MANr7U1FI4pWaG+hVhggB3mpgg2A6CsZCTp73y3snblUI uYXn3bWLZV8wwIQQpq5uA+zqBX8MZlk6+WdbmfC9onXnOOU6pJgNbm7Cc1/xelp3gCTQ fQF9y7ihvwHSqDUZeObkQclwaGM1ChQjsnc1hqBzycobq+2xYwH4ccVg1d4/DQyZwfyA xSMTD4GHhFmREE9YUMMvtLQ9QysieXLgxQSKJRG4e4etpR8d0WuX1o3VVrCt6imdEZbC UFwewzvE0vrlLKNmnui82Sf1wo0iffPquqqS1fUU+UqTJsLobTTeWNst2ywXXyMDClS5 0vow== X-Gm-Message-State: AJaThX7nFltEQBRsqmAaj3DDrCW46iv5n5NgyJdWGSmI4VD0tjso2iwX JTZJ4HirjyPlMTSKBHgP56y7iu/9rrwbO4aYs8q2HQ== X-Google-Smtp-Source: AGs4zMa/n5AwGQMaUQPWnyJlsXTdni3gbQkzAh/I7KkTc3kR6+DuvKsqRsXGXSqVzz3L9vzN4K3M361HKl/VNEy2k+E= X-Received: by 10.157.32.19 with SMTP id n19mr23869306ota.133.1511637717019; Sat, 25 Nov 2017 11:21:57 -0800 (PST) MIME-Version: 1.0 Received: by 10.157.11.43 with HTTP; Sat, 25 Nov 2017 11:21:55 -0800 (PST) In-Reply-To: References: <49e10ec4-83ef-df0e-ae87-598bbf7e0784@purdue.edu> From: Bryan Bishop Date: Sat, 25 Nov 2017 13:21:55 -0600 Message-ID: To: Bitcoin Dev , Bryan Bishop Content-Type: multipart/alternative; boundary="001a1140a95e26f4b8055ed395de" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [bitcoin-dev] Fwd: [Lightning-dev] General question on routing difficulties X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Nov 2017 19:21:59 -0000 --001a1140a95e26f4b8055ed395de Content-Type: text/plain; charset="UTF-8" ---------- Forwarded message ---------- From: Olaoluwa Osuntokun Date: Sat, Nov 25, 2017 at 1:16 PM Subject: Re: [Lightning-dev] General question on routing difficulties To: Pedro Moreno Sanchez Cc: lightning-dev@lists.linuxfoundation.org (final try as the prior mail hit the size limit, sorry for the spam!) Hi Pedro, I came across this paper a few weeks ago, skimmed it lightly, and noted a few interesting aspects I wanted to dig into later. Your email reminded me to re-read the paper, so thanks for that! Before reading the paper, I wasn't aware of the concept of coordinate embedding, nor how that could be leveraged in order to provide sender+receiver privacy in a payment network using a distance-vector-like routing system. Very cool technique! After reading the paper again, my current conclusion is that while the protocol presents some novel traits in the design a routing system for payment channel based networks, it lends much better to a closed-membership, credit network, such as Ripple (which is the focus of the paper). In Ripple, there are only a handful of gateways, and clients that seek to interact with the network must chose their gateways *very* carefully, otherwise consensus faults can occur, violating safety properties of the network. It would appear that this gateway model nicely translates well to the concept of landmarks that the protocol is strongly dependant on. Ideally, each gateway would be a landmark, and as there are a very small number of gateways within Ripple (as you must be admitted to be a verified gateway in the network), then parameter L (the total number of landmarks) is kept small which minimizes routing overhead, the average path-length, etc. When we compare Ripple to LN, we find that the two networks are nearly polar opposites of each other. LN is an open-membership network that requires zero initial configuration by central administrators(s). It more closely resembles *debit* network (a series of tubes of money), as the funds within channels must be pre-committed in order to establish a link between two nodes, and cannot be increased without an additional on-chain control transaction (to add or remove funds). Additionally, AFAIK (I'm no expert on Ripple of course), there's no concept of fees within the network. While within LN, the fee structure is a critical component of the inventive for node operators to lift their coins onto this new layer to provider payment routing services. Finally, in LN we rely on time-locks in order to ensure that all transactions are atomic which adds another set of constraints. Ripple has no such constraint as transfers are based on bi-lateral trust. With that said, the primary difference between this protocol is that currently we utilize a source-routed system which requires the sender to know "most" of the path to the destination. I say "most" as currently, it's possible for the receiver of a payment to use a poor man's rendezvous system to provide the sender with a set of suffix paths form what one can consider ad-hoc landmarks. The sender can then concatenate these with their own paths, and construct the Sphinx routing package which encodes the full route. This itself only gives sender privacy, and the receiver doesn't know the identity of the sender, but the sender learns the identity of the receiver. We have plans to achieve proper sender/receiver privacy by extending our Sphinx usage to leverage HORNET, such that the payment descriptor (payment request containing details of the payment) also includes several paths from rendezvous nodes (Rodrigo's) to the receiver. The rendezvous route itself will be nested as a further Anonymous Header (AHDR) which includes the information necessary to complete the onion circuit from Rodrigo to the receiver. As onion routing is used, only Rodrigo can decrypt the payload and finalize the route. With such a structure, the only nodes that need to advertise their channels are nodes which seek to actively serve as channel routers. All other nodes (phones, laptops, etc), don't need to advertise their channels to the greater network, reducing the size of the visible network, and also the storage and validation overhead. This serves to extend the "scale ceiling" a bit. My first question is: is it possible to adapt the protocol to allow each intermediate node to communicate their time lock and fee references to the sender? Currently, as the full path isn't known ahead of time, the sender is unable to properly craft the timelocks to ensure safety+atomicity of the payment. This would mean they don't know what the total timelock should be on the first outgoing link. Additionally, as they don't know the total path and the fee schedule of each intermediate node, then once again, they don't know how much to send on the first out going link. It would seem that one could extend the probing phase to allow backwards communication by each intermediate node back to the sender, such that they can properly craft a valid HTLC. This would increase the set up costs of the protocol however, and may also increase routing failures as it's possible incompatibilities arise at run-time between the preferences of intermediate nodes. Additionally, routes may fail as an intermediate node consumes too many funds as their fee, causing the funds to be insufficient when it reaches the destination. One countermeasure would maybe: the sender always sends waaay more than necessary, and gives the receiver a one-time payment identifier, requiring that they route the remainder of the funds *back* to them. To solve this issue presently, we extend the header in Sphinx to include a per-hop payload which allows the sender to precisely dictate the structure of the route, allows the intermediate nodes to authenticate the information given to it, and also allow the intermediate node to verify that their policies have properly been respected. These payloads can also be utilized by applications to communicate a small-ish amount of data to construct higher-level protocols on top of the system. Examples include: cross-chain swaps, chance payment games, higher-level B2B protocols, flavors of ZKCP's, media streaming, internet access proxying, etc. From my point-of-view, when extended to LN, the core component of the protocol (landmarks), becomes the weakest component. From my reading, *all* nodes need to be ware of an *identical* set of landmarks (more or less similar to the desired homogeneity of Gateways), otherwise the coordinate embedding scheme breaks down. Currently, there's no requirement that all nodes have a globally consistent view of the network. So then an important questions arises: who choose the landmarks? A desirable property of a routing system for LN (IMO) is that is has close to zero required initial set up by a central administrator. With this protocol, it would seem that all nodes much ship with a hard coded set of global landmarks for the path finding to succeed. This itself pins a hard coordination requirement amongst implementers to have something like this deployed. Even ignoring this requirement for a minute, I see several other downsides: * As *all* payments must flow through landmarks (since nodes break up their payment into L sub-flows), the landmarks must be very, very well capitalized. This would cause strong consolidation of the selection of landmarks, as they need extremely large channels in order to facilitate transfer within the network. * As landmarks must be globally known, this it seems this would introduce fragility in the network. If most of the landmarks go down (fails stop crashes) due to hardware issues, DoS, exploited bugs, etc, then the network's throughput instantly becomes crippled. * If all payment flow *must* go through landmarks, and the transfers within the network are relatively uni-directional (all payment going to Candy Crush Ultra: Lighting Strikes Twice), then their channels would become unbalanced very quickly. The last point there invokes another component of the network: passive channel rebalancing. With source routing, it's possible for nodes to passive rebalance their channels, in order to keep the in equilibrium, such that on average they'll be able to handle a payment flow coming from any direction. This is possible as with source routing, it's easy for a node to simply send a payment to himself incoming/outgoing from the pair of channels they wish to adjust the available flow of. With distance-vector-like protocols, this doesn't seem possible, as the node doesn't have any control of the incoming channel that the payment will arrive on. Finally, the notion of value privacy within the scheme seems a bit weak. From this definition, any protocol that didn't broadcast intents to send payments to the world would achieve this trait. The base Bitcoin blockchain doesn't mask the values of transfers (yet), but even if it did unconditionally maintaining value privacy of channel doesn't seem compatible with multi-hop payment networks (nodes can simply perform probing/tagging attacks to ascertain a range of the size of a channel). A possible mitigation would be for nodes to probabilistically drop incoming payments, with all nodes sampling from the same distribution. However, this would dramatically increase routing failures by senders, removing the "low-latency" trait of payment networks that many find desirable. Personally, I've very excited to see additional research on the front of routing within the network! Excellent work by all authors. In the end, I don't think it'll be a one-size fits all solution, as each routing protocol delivers with it a set of tradeoffs that should be weighed depending on target characteristics, and use-cases. There's no strong requirement that the network as a whole uses a *single* routing protocol. Instead several distinct protocols can be deployed based on use-case requirements, as we only need to share a single end-to-end construct: the HTLC. I could see a future in a few years where we have several deployed protocols, similar to the wide array of existing routing protocols deployed on the Internet. What we have currently gets us from Zero to One. We'll definitely need to experiment with additional approaches as the size of the network grows, and the true economic flow patterns emerge after we all deploy to mainnet. -- Laolu _______________________________________________ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev -- - Bryan http://heybryan.org/ 1 512 203 0507 --001a1140a95e26f4b8055ed395de Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

---------- Forwarded messag= e ----------
From: Olaoluwa Osuntokun = <laolu32@gmail.co= m>
Date: Sat, Nov 25, 2017 at 1:16 PM
Subject: Re: [Lig= htning-dev] General question on routing difficulties
To: Pedro Moreno Sa= nchez <pmorenos@purdue.edu>= ;
Cc: lightni= ng-dev@lists.linuxfoundation.org


(final try= as the prior mail hit the size limit, sorry for the spam!)

<= div>
Hi Pedro,=C2=A0

I came across this paper = a few weeks ago, skimmed it lightly, and noted a
few interesting = aspects I wanted to dig into later. Your email reminded me
to re-= read the paper, so thanks for that! Before reading the paper, I
w= asn't aware of the concept of coordinate embedding, nor how that could = be
leveraged in order to provide sender+receiver privacy in a pay= ment network
using a distance-vector-like routing system. Very co= ol technique!


After reading the pap= er again, my current conclusion is that while the
protocol presen= ts some novel traits in the design a routing system for
payment c= hannel based networks, it lends much better to a
closed-membershi= p, credit network, such as Ripple (which is the focus of
the pape= r).=C2=A0


In Ripple, there are only= a handful of gateways, and clients that seek to
interact with th= e network must chose their gateways *very* carefully,
otherwise c= onsensus faults can occur, violating safety properties of the
net= work. It would appear that this gateway model nicely translates well to
the concept of landmarks that the protocol is strongly dependant on.=
Ideally, each gateway would be a landmark, and as there are a ve= ry small
number of gateways within Ripple (as you must be admitte= d to be a verified
gateway in the network), then parameter L (the= total number of landmarks)
is kept small which minimizes routing= overhead, the average path-length,
etc.


When we compare Ripple to LN, we find that the two networks= are nearly
polar opposites of each other. LN is an open-membersh= ip network that
requires zero initial configuration by central ad= ministrators(s). It more
closely resembles *debit* network (a ser= ies of tubes of money), as the
funds within channels must be pre-= committed in order to establish a link
between two nodes, and can= not be increased without an additional on-chain
control transacti= on (to add or remove funds). Additionally, AFAIK (I'm no
expe= rt on Ripple of course), there's no concept of fees within the
network. While within LN, the fee structure is a critical component of th= e
inventive for node operators to lift their coins onto this new = layer to
provider payment routing services.=C2=A0 Finally, in LN = we rely on time-locks
in order to ensure that all transactions ar= e atomic which adds another set
of constraints. Ripple has no suc= h constraint as transfers are based on
bi-lateral trust.


With that said, the primary difference betw= een this protocol is that
currently we utilize a source-routed sy= stem which requires the sender to
know "most" of the pa= th to the destination. I say "most" as currently,
it= 9;s possible for the receiver of a payment to use a poor man's rendezvo= us
system to provide the sender with a set of suffix paths form w= hat one can
consider ad-hoc landmarks. The sender can then concat= enate these with
their own paths, and construct the Sphinx routin= g package which encodes
the full route. This itself only gives se= nder privacy, and the receiver
doesn't know the identity of t= he sender, but the sender learns the
identity of the receiver.=C2= =A0

We have plans to achieve proper sender/receive= r privacy by extending our
Sphinx usage to leverage HORNET, such = that the payment descriptor (payment
request containing details o= f the payment) also includes several paths
from rendezvous nodes = (Rodrigo's) to the receiver. The rendezvous route
itself will= be nested as a further Anonymous Header (AHDR) which includes
th= e information necessary to complete the onion circuit from Rodrigo to
=
the receiver. As onion routing is used, only Rodrigo can decrypt the
payload and finalize the route. With such a structure, the only no= des that
need to advertise their channels are nodes which seek to= actively serve as
channel routers. All other nodes (phones, lapt= ops, etc), don't need to
advertise their channels to the grea= ter network, reducing the size of the
visible network, and also t= he storage and validation overhead. This serves
to extend the &qu= ot;scale ceiling" a bit.


My fi= rst question is: is it possible to adapt the protocol to allow each
intermediate node to communicate their time lock and fee references to t= he
sender? Currently, as the full path isn't known ahead of t= ime, the sender
is unable to properly craft the timelocks to ensu= re safety+atomicity of
the payment. This would mean they don'= t know what the total timelock
should be on the first outgoing li= nk. Additionally, as they don't know the
total path and the f= ee schedule of each intermediate node, then once
again, they don&= #39;t know how much to send on the first out going link. It
would= seem that one could extend the probing phase to allow backwards
= communication by each intermediate node back to the sender, such that they<= /div>
can properly craft a valid HTLC. This would increase the set up c= osts of
the protocol however, and may also increase routing failu= res as it's
possible incompatibilities arise at run-time betw= een the preferences of
intermediate nodes. Additionally, routes m= ay fail as an intermediate node
consumes too many funds as their = fee, causing the funds to be insufficient
when it reaches the des= tination. One countermeasure would maybe: the
sender always sends= waaay more than necessary, and gives the receiver a
one-time pay= ment identifier, requiring that they route the remainder of
the f= unds *back* to them.


To solve this = issue presently, we extend the header in Sphinx to include a
per-= hop payload which allows the sender to precisely dictate the
stru= cture of the route, allows the intermediate nodes to authenticate the
=
information given to it, and also allow the intermediate node to verif= y
that their policies have properly been respected. These payload= s can also
be utilized by applications to communicate a small-ish= amount of data to
construct higher-level protocols on top of the= system. Examples include:
cross-chain swaps, chance payment game= s, higher-level B2B protocols,
flavors of ZKCP's, media strea= ming, internet access proxying, etc.


From my point-of-view, when extended to LN, the core component of the
protocol (landmarks), becomes the weakest component. From my reading= ,
*all* nodes need to be ware of an *identical* set of landmarks = (more or
less similar to the desired homogeneity of Gateways), ot= herwise the
coordinate embedding scheme breaks down. Currently, t= here's no requirement
that all nodes have a globally consiste= nt view of the network. So then an
important questions arises: wh= o choose the landmarks? A desirable property
of a routing system = for LN (IMO) is that is has close to zero required
initial set up= by a central administrator. With this protocol, it would
seem th= at all nodes much ship with a hard coded set of global landmarks
= for the path finding to succeed.=C2=A0 This itself pins a hard coordination=
requirement amongst implementers to have something like this dep= loyed.
Even ignoring this requirement for a minute, I see several= other
downsides:

=C2=A0 =C2=A0* As *all= * payments must flow through landmarks (since nodes break up
=C2= =A0 =C2=A0 =C2=A0their payment into L sub-flows), the landmarks must be ver= y, very
=C2=A0 =C2=A0 =C2=A0well capitalized. This would cause st= rong consolidation of the
=C2=A0 =C2=A0 =C2=A0selection of landma= rks, as they need extremely large channels in
=C2=A0 =C2=A0 =C2= =A0order to facilitate transfer within the network.

=C2=A0 =C2=A0* As landmarks must be globally known, this it seems this wo= uld
=C2=A0 =C2=A0 =C2=A0introduce fragility in the network. If mo= st of the landmarks go down
=C2=A0 =C2=A0 =C2=A0(fails stop crash= es) due to hardware issues, DoS, exploited bugs,
=C2=A0 =C2=A0 = =C2=A0etc, then the network's throughput instantly becomes crippled.

=C2=A0 =C2=A0* If all payment flow *must* go through= landmarks, and the transfers
=C2=A0 =C2=A0 =C2=A0within the netw= ork are relatively uni-directional (all payment going
=C2=A0 =C2= =A0 =C2=A0to Candy Crush Ultra: Lighting Strikes Twice), then their
=C2=A0 =C2=A0 =C2=A0channels would become unbalanced very quickly.
=


The last point there invokes another com= ponent of the network: passive
channel rebalancing. With source r= outing, it's possible for nodes to
passive rebalance their ch= annels, in order to keep the in equilibrium,
such that on average= they'll be able to handle a payment flow coming from
any dir= ection. This is possible as with source routing, it's easy for a
<= div>node to simply send a payment to himself incoming/outgoing from the pai= r
of channels they wish to adjust the available flow of. With
distance-vector-like protocols, this doesn't seem possible, as t= he node
doesn't have any control of the incoming channel that= the payment will
arrive on.


<= div>Finally, the notion of value privacy within the scheme seems a bit weak= .
From this definition, any protocol that didn't broadcast in= tents to send
payments to the world would achieve this trait. The= base Bitcoin
blockchain doesn't mask the values of transfers= (yet), but even if it did
unconditionally maintaining value priv= acy of channel doesn't seem
compatible with multi-hop payment= networks (nodes can simply perform
probing/tagging attacks to as= certain a range of the size of a channel). A
possible mitigation = would be for nodes to probabilistically drop incoming
payments, w= ith all nodes sampling from the same distribution. However,
this = would dramatically increase routing failures by senders, removing the
=
"low-latency" trait of payment networks that many find desir= able.=C2=A0


Personally, I've ve= ry excited to see additional research on the front of
routing wit= hin the network! Excellent work by all authors.

In the end, I don't think it'll be a one-size fits all= solution, as each
routing protocol delivers with it a set of tra= deoffs that should be
weighed depending on target characteristics= , and use-cases. There's no
strong requirement that the netwo= rk as a whole uses a *single* routing
protocol. Instead several d= istinct protocols can be deployed based on
use-case requirements,= as we only need to share a single end-to-end
construct: the HTLC= . I could see a future in a few years where we have
several deplo= yed protocols, similar to the wide array of existing routing
prot= ocols deployed on the Internet. What we have currently gets us from
Zero to One. We'll definitely need to experiment with additional
approaches as the size of the network grows, and the true economic f= low
patterns emerge after we all deploy to mainnet.

-- Laolu


_______________________________________________
Lightning-dev mailing list
Lightning-dev@li= sts.linuxfoundation.org
https://lists.linuxfoundation.o= rg/mailman/listinfo/lightning-dev




--
- Bryan
http://heybryan.org/
1 512 203 0507<= /div>
--001a1140a95e26f4b8055ed395de--