From rusty at rustcorp.com.au Tue Sep 27 02:03:03 2016 From: rusty at rustcorp.com.au (Rusty Russell) Date: Tue, 27 Sep 2016 11:33:03 +0930 Subject: [Lightning-dev] Atomic payment to multiple parties, and payment amount obfuscation In-Reply-To: <1474611342.1666.6.camel@ultimatestunts.nl> References: <87shtd7syz.fsf@rustcorp.com.au> <1474611342.1666.6.camel@ultimatestunts.nl> Message-ID: <8737kmgkvc.fsf@rustcorp.com.au> CJP writes: > Hi, > > I just woke up with a new thought: > > With source routing and explicit fee payment, you can actually > atomically pay multiple parties, by letting all but one of the > recipients be intermediate parties in the route, and just paying them a > very high transaction fee. With "atomically" I mean it is impossible > that payment to one of the recipients succeeds and payment to another > fails. > > Payment amount can be obfuscated by letting yourself (the sender) be the > final recipient, so none of the intermediate nodes sees the actual > amount being transferred. > > It isn't rocket science (or advanced cryptography), but I hadn't > realized this before. Tricky :) And adds some interesting game theory: Imagine the simple case where I pay C $4 in fees, via B: $5 $5 $1 $1 A ---> B ---> C ---> B ---> A 4days 3days 2days 1day B can simply use the H-preimage it gets from A to fulfill the HTLC A offered, gaining $4 and ignoring C. If C somehow gets the preimage out-of-band, it can claim the $5 from B and then B can get its $1 from C. The risk (for B) is that C will wait until the C->B HTLC has expired, *then* use the B->C HTLC to collect $5, leaving B out-of-pocket. Now, there's nothing special about this: the game happens for normal fees too, especially since we don't know if two apparently-distinct nodes are actually identical. It's just more tempting when the fees are high. Fun! Thanks, Rusty.