[Lightning-dev] On the scalability issues of onboarding millions of LN mobile clients

[ZmnSCPxj]

Good morning Richard,

> Thanks for sharing your thoughts ZmnSCPxj. I think I can summarize your concern as: A node without direct internet connectivity can not rely on an opportunistically incentivized local network peer for blockchain information because the off-grid node's direct LN peers could collude to not forward the payment.

Correct.

> > > 2) a light client can query an ISP connected full node on the same unmetered local WiFi network and exchange differences in block headers opportunistically or pay for large missing ranges of headers, filters or full blocks using a payment channel. Cost is reduced and privacy is enhanced for the light client by not using a centralized ISP. Bandwidth for running the full node can be amortized and subsidized by payments from light clients who they resell data to.
> >
> > A relatively pointless observation, but it seems to me that:
> >
> > * The light client is requesting for validation information, because...
> > * ...its direct peers might be defrauding it, leading to...
> > * ...the money it *thinks* it has in its channels being valueless.
> >
> > Thus, if the light client opportunistically pays for validation information (whether full blocks, headers, or filters), the direct peers it has could just as easily not forward any payments, thus preventing the light client from paying for the validation information.
> >
> > Indeed, if the direct peer *is* defrauding the light client, the direct peer has no real incentive to actually forward *any* payments --- to do so would be to reduce the possible earnings it gets from defrauding the light client.
> > ("Simulating" the payments so that the light client will not suspect anything runs the risk that the light client will be able to forward all its money out of the channel, and the cheating peer is still potentially liable for any funds it originally had in the channel if it gets caught.)
>
> One question I had is: how can a malicious direct payment peer "simulate" a successful payment made by an off-grid victim peer to an information source?  The censoring peer wouldn't be able to return the preimage for a payment they failed to forward. Also, since the information provider and off-grid node can presumably communicate via their local network connection, it would be obvious if all of the victims LN peers were failing to forward payments (whether maliciously or due to routing failures) to an information provider they could otherwise communicate with.

Perhaps "simulate" is not quite the correct term.
Basically, if the eclipsing peer(s) are reasonably sure they have eclipsed the light client, then all funds in those channels are semantically theirs (they "0wn" the eclipsed light client).
Then anything the light node offers from those channels (which it thinks are its, but are now in reality owned by the eclipsing peer) has no value (the eclipsing node already 0wns the light node and all its funds, what can the light node offer to it?).
The eclipsing peer could still "simulate" what the light node expects of reality by pretending that the light node actually still owns funds in the channel (even though the eclipsing node has successfully stolen all those funds), and forward as normal to get the payment preimage/scalar.


> > What would work would be to use a system similar to watchtowers, wherein the validation-information-provider is prepaid and issues tokens that can be redeemed later.
> > But this is not suitable for opportunistic on-same-WiFi where, say, a laptop is running a validation-information-provider-for-payment program on the same WiFi as a light-client mobile phone, if we consider that the laptop and mobile may have never met before and may never meet again.
> > It would work if the laptop altruistically serves the blocks, but not if it were for (on-Lightning) payment.
>
> There's another problem if we can't rely on a recurring relationship with an information provider besides not being able to prepay for validation information doesn't make sense. We don't want an information provider to collect payments for serving invalid information. Maybe for very small payments this isn't a problem, but ideally validity could be coded into the HTLC.
>
> For example, an alternative HTLC construct that only paid for valid 81 B headers that hash to 32 B values with a number of leading zeros committed to by the HTLC. It would make more economic sense for an internet gateway node to serve valid mined header to nodes on their local WiFi network than to create bogus ones with the same (high) amount of work.

If you are considering this for on-Lightning payments, do note that the alternative HTLC construct has to be known by every forwarding node, including the direct peer(s) of the light client, which are precisely the potential attackers on the light client.

It seems to be impractical for onchain payments: the provider can drop the data onchain to claim the funds, but it is precisely the blockchain data that the light client does not have direct access to, so ---


>  
>
> > So it seems to me that this kind of service is best ridden on top of watchtower service providers.
>
> Public watchtowers or some sort of HTTP proxy data cache similar to a watchtower makes the most sense to me because they would be expected to be economically motivated and LN payment aware. Full nodes could potentially be incentivized to exchange new data with other nodes in a tit-for-tat way, but I don't expect them to be incentivized by light clients using LN micropayments in a server-client arrangement.
>
> Network agents that monetize full node information services beyond channel monitoring would be more than just a "Watchtower" for light clients. Would they be more like incentivized Electrum servers?

Possibly.

> Are there still privacy concerns when they serve generic/un-personalized headers/filters/blocks to light clients?

It marks the client as a light client, at least.

Someone who gets read-only access to the logs of such a public-service node now has a list of light clients.
If the light clients are in any way identifiable and locatable, the hacker can then attempt to hack the light client and redirect their understanding of what the public-service node is (e.g. DNS poisoning) and then start performing other attacks on the client once its view of the blockchain is eclipsed.

This would be helped if the light client, for example, always uses Tor to access the public-service node, if payments for services of that node are decorrelated (e.g. tokens issued by the node that will later be reclaimed for service are blinded), etc.
Such would make the light client harder to locate in the first place.

(While a mobile client can certainly access the Internet over various access points, most people who own mobile devices have a home they go to at night, which often has Internet access, possibly with a stable identifiable location that can be attacked)

> A personal, altruistic or friends and family watchtower is also possible, but I'm thinking about how light clients without this possibility can be served.

This is probably something we can expect to see as well; though it should be noted, for those philosophically interested in such things, that these are the genesis of governments and states.

Regards,
ZmnSCPxj