From rusty at rustcorp.com.au Tue Nov 5 02:17:56 2019 From: rusty at rustcorp.com.au (Rusty Russell) Date: Tue, 05 Nov 2019 12:47:56 +1030 Subject: [Lightning-dev] A proposal for up-front payments. Message-ID: <87ftj33w2z.fsf@rustcorp.com.au> Hi all, It's been widely known that we're going to have to have up-front payments for msgs eventually, to avoid Type 2 spam (I think of Type 1 link-local, Type 2 though multiple nodes, and Type 3 liquidity-using spam). Since both Offers and Joost's WhatSat are looking at sending messages, it's time to float actual proposals. I've been trying to come up with something for several years now, so thought I'd present the best I've got in the hope that others can improve on it. 1. New feature bit, extended messages, etc. 2. Adding an HTLC causes a *push* of a number of msat on commitment_signed (new field), and a hash. 3. Failing/succeeding an HTLC returns some of those msat, and a count and preimage (new fields). How many msat can you take for forwarding? That depends on you presenting a series of preimages (which chain into a final hash given in the HTLC add), which you get by decoding the onion. You get to keep 50 msat[1] per preimage you present[2]. So, how many preimages does the user have to give to have you forward the payment? That depends. The base rate is 16 preimages, but subtract one for each leading 4 zero bits of the SHA256(blockhash | hmac) of the onion. The blockhash is the hash of the block specified in the onion: reject if it's not in the last 3 blocks[3]. This simply adds some payment noise, while allowing a hashcash style tradeoff of sats for work. The final node gets some variable number of preimages, which adds noise. It should take all and subtract from the minimum required invoice amount on success, or take some random number on failure. This leaks some forward information, and makes an explicit tradeoff for the sender between amount spent and privacy, but it's the best I've been able to come up with. Thoughts? Rusty. [1] If we assume $1 per GB, $10k per BTC and 64k messages, we get about 655msat per message. Flat pricing for simplicity; we're trying to prevent spam, not create a spam market. [2] Actually, a number and a single preimage; you can check this is indeed the n'th preimage. [3] This reduces incentive to grind the damn things in advance, though maybe that's dumb? We can also use a shorter hash (siphash?), or even truncated SHA256 (128 bits).