<div dir="ltr"><div dir="ltr">Hi ZmnSCPxj,<div><br></div><div>Sorry for the late reply I only recently had time to review your comments.</div><div>I didn't really get your motivation for multiple secrets. In my mind, having the last hop put collateral into the HTLC to make a <i>Collateralized HTLC</i> solves the problem without any extra complexity (your original example captures this perfectly). You wrote:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The exchange can insist on getting a short timelock for receiving the collateral (i.e. limit the time horizon that the exchange hash is valid), to reduce the time horizon in which the payee can pay or not pay the collateral for the exchange (as before the payee releases the collateral, it still has the option of doing or not doing the swap, i.e. American Option).</blockquote><div><br></div><div>I think this unnecessary. The "free option" time isn't limited by a timelock (if it was, we wouldn't have solved the problem). The option is limited by the exchange's willingness to wait for the other party to sign the state update (assuming the exchange signs first). The minor point I was trying to make was that normally when routing payments etc you can be willing to wait for minutes or hours for the other party to come back online if they went offline during a state update. But if you are doing a swap and your partner is meant to be signing a collateralized HTLC you shouldn't wait; you should force settlement to the blockchain within a few seconds. As soon as the state gets onto the blockchain the other party has lost any chance of getting an option.</div><div><br></div><div>At a glance, the simplest way to enable this functionality is to add a new field to the "update_add_htlc" BOLT message [1] like "collateral_amount_sat". The receiver of "collateral_amount_sat" would have to contribute that amount to the HTLC (if they are willing to go through with the update). Obviously you should only ever agree to do this if you are last hop or are willing to risk your collateral on the honest behaviour of nodes further down.</div><div><br></div><div>I was actually wondering if this could be a useful feature outside of swaps. e.g. if there is a new node without much reputation who you are routing a payment to, you could demand that they put up collateral into the HLTC to receive the payment. This might help prevent attacks where people try and tie up funds by receiving large payments they never release the secrets for. </div><div><br>WRT to your final comments, it sounds a bit like [2] which also mentions that their protocol can make atomic swaps fungible. </div><div><br></div><div>1. <a href="https://github.com/lightningnetwork/lightning-rfc/blob/master/02-peer-protocol.md#adding-an-htlc-update_add_htlc">https://github.com/lightningnetwork/lightning-rfc/blob/master/02-peer-protocol.md#adding-an-htlc-update_add_htlc</a><br></div><div>2. Anonymous Multi-Hop Locks for Blockchain
Scalability and Interoperability: <a href="https://eprint.iacr.org/2018/472.pdf">https://eprint.iacr.org/2018/472.pdf</a></div><div><br></div><div>Cheers,</div><div><br></div><div>Lloyd</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 6, 2019 at 2:51 PM ZmnSCPxj <<a href="mailto:ZmnSCPxj@protonmail.com">ZmnSCPxj@protonmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Good morning Lloyd,<br>
<br>
I think the most generic solution is to require multiple hashlocks.<br>
One hashlock for the payee, the other for the exchange.<br>
<br>
Payer acquires an exchange hash from the exchange, plus specs of the collateral.<br>
Then payer routes to the payee via the exchange using two hashlocks (hashlock for the payment hash, hashlock for the exchange hash) and from the payee to the exchange.<br>
The exchange onion hop includes the information that the cross-currency swap is allowed by pointing at the hashlock that the exchange hash is on.<br>
The exchange verifies that it is one of the exchange hashes it has issued and it releases the agreed amount to the next hop, plus the collateral agreed upon.<br>
<br>
The payee onion hop includes the information that it should proceed to give a single hashlock to succeeding hops, as well as the agreed-upon collateral to the exchange.<br>
The exchange receives the payment with a single hashlock containing the value of the collateral.<br>
It verifies that the collateral value is equal to the agreed collateral for that payment, then releases the exchange preimage.<br>
The payee can then release its preimage once it has acquired the exchange preimage.<br>
<br>
The above is similar to your solution, as it effectively means the payee offers collateral to the exchange, which it can only reclaim by properly completing the payment protocol.<br>
The exchange can insist on getting a short timelock for receiving the collateral (i.e. limit the time horizon that the exchange hash is valid), to reduce the time horizon in which the payee can pay or not pay the collateral for the exchange (as before the payee releases the collateral, it still has the option of doing or not doing the swap, i.e. American Option).<br>
The advantage is that it can go over multiple hops, and the exchange and payee do not know each other (but the payer does).<br>
Disadvantage is that it requires two hashlocks, which is rather obvious on the protocol and signals "this payment is a cross-currency exchange payment!" to all intermediate nodes; also, it still allows a short time duration for American Option shenanigans.<br>
<br>
The Route Maker solution by CJP is plausible, to me, only if the exchange and the Route Maker are the same, which is effectively what is done here, but now requires multiple secrets to be revealed.<br>
<br>
I was thinking it might be possible, to use point/scalar and require the sum of the payment scalar and the exchange scalar, and thereby hide from intermediate nodes that multiple secrets are needed, but now the payer receives the sum of scalars instead of two separate preimages; this can make it difficult for protocols requiring proof-of-payment secrets (such as the offline vending machine discussed before) from working correctly.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
<br>
<br>
Sent with ProtonMail Secure Email.<br>
<br>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐<br>
On Saturday, May 4, 2019 4:28 AM, Lloyd Fournier <<a href="mailto:lloyd.fourn@gmail.com" target="_blank">lloyd.fourn@gmail.com</a>> wrote:<br>
<br>
> Hi ZmnSCPxj,<br>
><br>
> I'm glad you pointed this out. I think this protocol is practical. That talk was actually given by my colleague :).<br>
> My post in the December thread was trying to explain the same idea but as a [A -> Exchange -> A] on-chain trade (rather than a [A -> Exchange -> B] cross chain L2 payment). For reference: <a href="https://gist.github.com/LLFourn/d0afa6b37207aed7cd73f6b9203c0def" rel="noreferrer" target="_blank">https://gist.github.com/LLFourn/d0afa6b37207aed7cd73f6b9203c0def</a>.<br>
><br>
> I mentioned it was possible to do it in a channel. Although looking back at it now it seems I was somewhat confused at the time. I said:<br>
><br>
> > As ZmnSCPxj demonstrated, the idea of sending a payment in asset A and the other party receiving it as asset B with some exchange node in the middle doing a conversion is unsound given what we are able to construct in Lightning.<br>
><br>
> As you just showed, this is wrong. [A -> Exchange -> B] with the collateral on the last hop works fine. After all, [A -> Exchange -> A] is just a special case of [A -> Exchange -> B]. I agree that extending this idea across multiple hops after the exchange securely looks impossible.<br>
><br>
> Note, the Exchange should watch carefully for their counter-party delaying in signing the channel update on the final hop (to gain value from the option this gives them). If they notice this they should close the channel and avoid doing business with this party. <br>
> Despite this, it's still a far better protocol than the vanilla atomic swap because the delaying party has a far less time to realise any gains from the option. The exchange can put an end to it by closing the channel within 1 on chain tx.<br>
><br>
> On naming. I think it's better to call it *collateral* rather than an *option premium* because it is only paid on a failure to execute the trade.<br>
> I was thinking we can call them collateralized HTLCs.<br>
><br>
> It's possible to modify the protocol slightly so that the party receiving the option pays the *premium* regardless of whether they release x or not. This makes it a proper cross chain option with guaranteed premium.<br>
> We made a poster describing this idea here: <a href="https://coblox.tech/docs/financial_crypto19.pdf" rel="noreferrer" target="_blank">https://coblox.tech/docs/financial_crypto19.pdf</a>.<br>
><br>
> Cheers,<br>
><br>
> Lloyd<br>
> On Tue, Apr 23, 2019 at 1:52 PM ZmnSCPxj via Lightning-dev <<a href="mailto:lightning-dev@lists.linuxfoundation.org" target="_blank">lightning-dev@lists.linuxfoundation.org</a>> wrote:<br>
><br>
> > Good morning list,<br>
> ><br>
> > Reviving an old thread, but I saw this just recently: <a href="http://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/atomic-swaps/" rel="noreferrer" target="_blank">http://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/atomic-swaps/</a><br>
> ><br>
> > Suppose you are a BTC to WJT exchange.<br>
> > I want to pay 1 BTC to send 1000000000 WJT to YAIjbOJA.<br>
> > I have a BTC channel to you.<br>
> > You have a WJT channel to YAIjbOJA.<br>
> ><br>
> > In order to create a properly-incentivized American Call Option with a premium, you insist that 10% of the WJT value be the premium that is paid if the exchange does not pull through.<br>
> ><br>
> > We perform this ritual:<br>
> ><br>
> > 1. YAIjbOJA generates a secret x and gives h(x) to me.<br>
> > 2. On my channel to you, I get 1 BTC from my side and create an HTLC.<br>
> > Hash is h(x) payable to you, timelock is 2 days payable to me.<br>
> > 3. On your channel to YAIjbOJA, you get 1000000000 WJT from you, and 100000000 WJT (10%, the premium) from YAIjbOJA and create an HTLC.<br>
> > Hash is h(x) payable to YAIjbOJA, timelock is 1 days payable to you.<br>
> ><br>
> > The above also forms an American Call Option, but with a premium if the payment does not push through.<br>
> ><br>
> > However, extending this to beyond one hop after the exchange node is difficult.<br>
> > Problems in communicating with the next hop may cause the current hop after the exchange node to become liable for the premium without being able to forward the liability to the final payee, which is an avenue for attack.<br>
> > And if the payee must be the hop after the exchange node, the exchange node now knows exactly how much and when that node receives payment, and can sell this information and/or selectively disrupt/censor some payments.<br>
> ><br>
> > Putting the premium before the exchange node is possible with an additional transaction spending the HTLC (the timelock branch is payable to a 2-of-2 with a pre-signed transaction that sends the premium to the exchange and returns the rest of the value to the payer).<br>
> > But this is unsafe, since the exchange (and any node between the payer and the exchange) can stall the protocol deliberately and refuse to forward, extracting the premium via the timelock branch.<br>
> > This is effectively forcing fees even in a route failure, which does not incentivize intermediate nodes to actually forward when they can do nothing and receive fees anyway for not routing.<br>
> ><br>
> > Regards,<br>
> > ZmnSCPxj<br>
> > _______________________________________________<br>
> > Lightning-dev mailing list<br>
> > <a href="mailto:Lightning-dev@lists.linuxfoundation.org" target="_blank">Lightning-dev@lists.linuxfoundation.org</a><br>
> > <a href="https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev" rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev</a><br>
<br>
<br>
</blockquote></div></div>