[Lightning-dev] A proposal for up-front payments.
rusty at rustcorp.com.au
Tue Nov 5 02:17:56 UTC 2019
It's been widely known that we're going to have to have up-front
payments for msgs eventually, to avoid Type 2 spam (I think of Type 1
link-local, Type 2 though multiple nodes, and Type 3 liquidity-using
Since both Offers and Joost's WhatSat are looking at sending
messages, it's time to float actual proposals. I've been trying to come
up with something for several years now, so thought I'd present the best
I've got in the hope that others can improve on it.
1. New feature bit, extended messages, etc.
2. Adding an HTLC causes a *push* of a number of msat on
commitment_signed (new field), and a hash.
3. Failing/succeeding an HTLC returns some of those msat, and a count
and preimage (new fields).
How many msat can you take for forwarding? That depends on you
presenting a series of preimages (which chain into a final hash given in
the HTLC add), which you get by decoding the onion. You get to keep 50
msat per preimage you present.
So, how many preimages does the user have to give to have you forward
the payment? That depends. The base rate is 16 preimages, but subtract
one for each leading 4 zero bits of the SHA256(blockhash | hmac) of the
onion. The blockhash is the hash of the block specified in the onion:
reject if it's not in the last 3 blocks.
This simply adds some payment noise, while allowing a hashcash style
tradeoff of sats for work.
The final node gets some variable number of preimages, which adds noise.
It should take all and subtract from the minimum required invoice amount
on success, or take some random number on failure.
This leaks some forward information, and makes an explicit tradeoff for
the sender between amount spent and privacy, but it's the best I've been
able to come up with.
 If we assume $1 per GB, $10k per BTC and 64k messages, we get about
655msat per message. Flat pricing for simplicity; we're trying to
prevent spam, not create a spam market.
 Actually, a number and a single preimage; you can check this is
indeed the n'th preimage.
 This reduces incentive to grind the damn things in advance, though
maybe that's dumb? We can also use a shorter hash (siphash?), or
even truncated SHA256 (128 bits).
More information about the Lightning-dev