From aj at erisian.com.au  Fri Nov  8 12:32:36 2019
From: aj at erisian.com.au (Anthony Towns)
Date: Fri, 8 Nov 2019 22:32:36 +1000
Subject: [Lightning-dev] A proposal for up-front payments.
In-Reply-To: <875zjvum7n.fsf@rustcorp.com.au>
References: <87ftj33w2z.fsf@rustcorp.com.au>
	<L0p5sSPLxLmM6tzffMX9L7S4PZvWY2rBNIeZygNqvRPaJ0ywPB0BR-hcHnZOtsxnU5RZ1TL4aNHUQ-WtIdICUhd6QcJQIq6aGY1FJ579ruM=@protonmail.com>
	<87bltq1xnu.fsf@rustcorp.com.au>
	<20191105112419.cwppexpzpyt2dq2v@erisian.com.au>
	<87d0e5zwt8.fsf@rustcorp.com.au>
	<20191106155733.e2b2ttxs4wsfoqpg@erisian.com.au>
	<87sgn0ux9w.fsf@rustcorp.com.au>
	<20191107113735.72mxwsrcaidydflk@erisian.com.au>
	<875zjvum7n.fsf@rustcorp.com.au>
Message-ID: <20191108123236.kmi4dyqyix2hztyo@erisian.com.au>

On Fri, Nov 08, 2019 at 01:08:04PM +1030, Rusty Russell wrote:
> Anthony Towns <aj at erisian.com.au> writes:
> [ Snip summary, which is correct ]

Huzzah!

This correlates all the hops in a payment when the route reaches its end
(due to the final preimage getting propogated back for everyone to justify
the funds they claim). Maybe solvable by converting from hashes to ECC
as the trapdoor function?

The refund amount propogating back also reveals the path, probably.
Could that be obfusticated by somehow paying each intermediate node
both as the funds go out and come back, so the refund decreases on the
way back?

Oh, can we make the amounts work like the onion, where it stays constant?
So:

  Alice wants to pay Dave via Bob, Carol. Bob gets 700 msat, Carol gets
  400 msat, Dave gets 300 msat, and Alice gets 100 msat refunded.

  Success:
    Alice forwards 1500 msat to Bob   (-1500, +1500, 0, 0)
    Bob forwards 1500 msat to Carol   (-1500, 0, +1500, 0)
    Carol forwards 1500 msat to Dave  (-1500, 0, 0, +1500)
    Dave refunds 1200 msat to Carol   (-1500, 0, +1200, +300)
    Carol refunds 800 msat to Bob     (-1500, +800, +400, +300)
    Bob refunds 100 msat to Alice     (-1400, +700, +400, +300)

  Clean routing failure at Carol/Dave:
    Alice forwards 1500 msat to Bob   (-1500, +1500, 0, 0)
    Bob forwards 1500 msat to Carol   (-1500, 0, +1500, 0)
    Carol says Dave's not talking
    Carol refunds 1100 msat to Bob    (-1500, +1100, +400, 0)
    Bob refunds 400 msat to Alice     (-1100, +700, +400, 0)

I think that breaks the correlation pretty well, so you just need a
decent way of obscuring path length?

In the uncooperative routing failure case, I wonder if using an ECC
trapdoor and perhaps scriptless scripts, you could make it so Carol
doesn't even get an updated state without revealing the preimage...

Cheers,
aj