Good morning again CAsey, > > I believe a major failing of Chaumian mints is that they are, at their core, > inherently custodial. > The mint issues blinded minted coins in exchaange for people handing over > other resources to their custody. > While the mint itself cannot identify who owns how much, it can outright deny > all its clients access to their funds and then run off with the money to > places unknown. > > However, do note that both Wasabi and WabiSabi are extensions of Chaumian > mints. > These avoid the custodiality issue of Chaumian mints by operating the mint as > a temporary entity, whose output is then counterchecked by the users of the > Wasabi/WabiSabi scheme. > > ... > > In any case, you might also be interested in the "nodelets" I described some > years ago. > This link has a presentation where I introduce nodelets towards the end, > sorry but most of the beginning is about LN pathfinding (which is currently a > non-problem since nobody makes published channels anymore). > This allows multiple users to implement a single node without a central > custodian, and may allow for similar flexibility of liquidity if there are > enough users, but every action requires all users to have keys online.
Thinking more, it helps to consider how Wasabi and WabiSabi are constructed. In Wasabi, there exists a coordinator, which is a server that works as a temporary Chaumian mint. Clients of the coordinator register some UTXOs of some common value to the mint (indicating any change outputs if the UTXO total value exceeds the fixed common value). Then the coordinator issues blind signatures, which serve as tokens in a Chaumian mint. Then users re-connect via a different pseudonym, unblind signatures and reclaim the funds, indicating a target output address. The coordinator then creates a single transaction that consumes the registered input UTXOs and the indicated outputs. As a *final* step, the clients then check that the produced transaction is correct. This final step prevents the coordinator from absconding with the funds. WabiSabi "simply" replaces blinded signatures with blinded credentials. Blinded signatures are fairly low-bandwidth ---- either you have a blinded signature, or you do not. Credentials, however, also include a blinded homomorphic value. On issuing, the issuer can ensure that a particular value is encoded, then when the credential is blinded by the receiver, and the issuer can ensure that multiple credentials can be presented which sum up to a newly issued credential, with the value being correctly added. Thus, I think for a modern Chaumian mint, you should really consider the credentials scheme used by WabiSabi. -- Now, let us consider the "nodelets" idea as well. The "nodelets" system allows for a coordinator (which can be a separate entity, or, for the reduction of needed entities, any nodelet of the node). This coordinator in nodelets is simply a way to implement a broadcast medium among all the nodelets in a node. However, the same coordinator in a nodelets system can also serve as a coordinator in something very much like a WabiSabi system. So it seems to me that this can be implemented in a way that is non-custodial, as long as we can actually implement nodelets. (which "just" requires that we use a multiparticipant signing scheme for Schnorr signatures that is composable.) Basically, just as in the WabiSabi case, nodelets can connect to the coordinator, register some of the values they have in channels, then get back some equivalent credentials. Then the nodelets can "self-mix" their coins, then get back a new set of values, then request that some part of their value be sent over the network. Then, before signing off on the new state of any channel, the actual nodelets check the new state that the coordinator wants them to sign off on, thus preventing custodial risk in the same manner as Waasabi/WabiSabi does. Thus, each state update of the channel is created by a Chaumian mint (using credentials instead of blinded signatures), then the state update is "ratified" by the actual nodelets, preventing the Chaumian mint from stealing the funds; new states are simply not signed (and presumably one or more of the nodelets will drop the previous valid state onchain, which allows them to recover funds without loss) until all nodelets can confirm that the coordinator has not stolen anything. Nodelets can use pseudonyms in between states of channels, to reduce the ability of the coordinator, or the other nodelets, to guess who owns how much. An issue however is how to handle forwarding. Forwarding is an important privacy technique. If you are a forwarder, you can plausibly claim that an outgoing HTLC is not from your own funds, but instead was a forward. By supporting forwarding, the nodelets composing the node can reduce the ability of non-participants to determine the payments of the node. Handling forwarding in such a system requires that nodelets be willing to leak that they have funds in the outgoing channel, in exchange for getting some earned forwarding fees. So it seems to me that this is plausible with nodelets. In addition, ti seems to me that the node management problem can be solved in software, by something similar in purpose to CLBOSS. Regards, ZmnSCPxj _______________________________________________ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
