Hi Christian, Thanks for your comments! We will discuss this further in the upcoming call on the 15th, would be great to see you there!
> this is an intrinsic issue with reputation systems, and the main > reason I'm sceptical w.r.t. their usefulness in lightning. > Fundamentally any reputation system bases their expectations for the > future on experiences they made in the past, and they are thus always > susceptible to sudden behavioral changes (going rogue from a prior > clean record) and whitewashing attacks (switching identity, abusing > any builtin bootstrapping method for new users to gain a good or > neutral reputation before turning rogue repeatedly). > In the Lightning Network, fees are a native way to put a price on having a good reputation (see details here [0]). In the design that we suggest, the reputation gained today cannot be used in the distant future, and funds need to be invested continuously to keep a good reputation. Good reputation is also a function of the general environment, and so if there is a fee spike, reputation will change. It is true that nodes can go rogue, but this is why we aim for the price of a good reputation to be similar to the amount of damage they can create. > This gets compounded as soon as we start gossiping about reputations, > since now our decisions are no longer based just on information we can > witness ourselves, or at least verify its correctness, and as such an > attacker can most likely "earn" a positive reputation in some other > part of the world, and then turn around and attack the nodes that > trusted the reputation shared from those other parts. > Notice that we are not gossiping about our peer's reputation. The only thing that a node communicates to its neighbor is whether they see an HTLC as endorsed or just neutral, that is, should this HTLC be granted access to all of the resources or just the restricted part. > I'd be very interested in how many repeat interactions nodes get from > individual senders, since that also tells us how much use we can get > out of local-only reputation based systems, and I wouldn't be > surprised if, for large routing nodes, we have sufficient data for > them to make an informed decision, while the edges may be more > vulnerable, but they'd also be used by way fewer senders, and the > impact of an attack would also be proportionally smaller. > This is something we hope to learn once we'll start collecting data from our brave volunteers :) Cheers, Clara
_______________________________________________ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
