Re: [Lightning-dev] [RFC] Lightning gossip alternative

[Rusty Russell]

Olaoluwa Osuntokun  writes:
> Hi Rusty,
>
>> Timestamps are replaced with block heights.
>
> This is a conceptually small change, but would actually make things like
> rate limiting updates for implementations easier and more uniform. A simple
> rule would be only allowing an update per block, which cuts down a lot on
> potential chatter traffic, but maybe it's _too_ restrictive? Based on my
> network observations, these days some many power user nodes more
> aggressively
> update their fee schedules in response to liquidity imbalances or as an
> attempt to incentive usage of some channels vs others.

As an aside, Alex Myers is looking at using minisketch for gossip
reconciliation, and there's enough spam in the network that it probably
requires some consensus on filtering.  When he's got some better
analysis I expect a post here...

>> 1. Nodes send out weekly node_announcement_v2, proving they own some
>> UTXOs.
>
> If a node doesn't send out this announcement, then will others start to
> ignore their "channels"?

Yes, this would be the anchor (reverse of now, ignore node_announcement
unless you've seen a channel_announcement).

>> 3. This uses UTXOs for anti-spam, but doesn't tie them to channels
>> directly.
>
> As I hinted a bit in prior discussion, and also my recent ML [1] post
> outlining a possible "do most of the same things" stop gap, this has the
> potentially undesirable effect of allowing parties on the network to utilize
> _existing_ outputs to advertise false channels and inflate the "total
> network capacity" metric. We'd effectively be moving away from "Alice and
> Bob have N BTC of bound capacity between them to", "Bob has N BTC he can use
> for signing these proofs".

Since the aim is to defeat onchain analysis, this seems inevitable in
almost any non-zero-knowledge scheme?

> Also while we're at it, why not add a merkle proof here (independent of
> which direction we go with) which makes it possible for constrained/mobile
> nodes to more easily verify gossip data (could be an optional query flag).

Yeah, we should do that anyway (the merkle proof doesn't need to be
signed, so can be added by anyone).

>> FIXME: what about tapscripts?
>
> Yeah, one side effect of moving to nodes advertising how much BTC they can
> sign w/ vs the _actual_ BTC they have in "channels", is that to extend
> validation here, the verifiers would need to fully verify possible script
> path spends (assuming a scenario where a NUMs point is used as the internal
> key).

Yech, you're right :(

>> Legacy proofs are two signatures, similar to the existing
>> channel_announcement.
>
> Why not musig2? We'd be able to get away with just a single sig with this
> modified `node_announcement_v2` and if we go the `channel_announcement2`
> route, we'd be able to compress those 4 sigs into one.

Good point: I was thinking this would allow nodes to advertize v2 even
if their peer doesn't support it, but it doesn't.

>> - If two node_announcement_v2 claim the same UTXO, use the first seen,
>> discard any others.
>
> So then this would mean that nodes that _actually_ have a channel between
> them can't _individually_ claim the capacity?

Yeah, it's kind of arbitrary who gets the UTXO in that case, but for
simplicitly I think we need to enforce uniqueness.  They can flip a coin?

>> - node_announcement_v2 are discarded after a week (1000 blocks).  - Nodes
>> do not need to monitor existence of UTXOs after initial check (since they
>> will automatically prune them after a week).
>
> A side effect of this would be _continual_ gossip churn in order to keep
> channels alive. Today we do have the 2 week `channel_update` heart beat, but
> channel updates are relatively small compared to this `node_announcement_v2`
> message.

We could increase this to 2000 blocks, but #nodes << #channels, so it's
still probably a win?  I'd have to run some real numbers though...

>> - The total proved utxo value (not counting any utxos which are spent) is
>> multiplied by 10 to give the "announcable_channel_capacity" for that node.
>
> I don't see how this is at all useful in practice. We'd end up with inflated
> numbers for the total node capacity, and path finding would be more
> difficult as it isn't clear exactly how large an HTLC I can send over the
> "channel". Sure there's the existence of max_htlc, but in that case why add
> this "leverage" factor in the first place?

Because not every node will have enough onchain funds, they'll end up
revealing some channels' UTXOs.  The larger the leverage, the less
revealed...

>> 1. type: 273 (`channel_update_v2`)
>
> This seems to allow the advertisement of channels which aren't actually
> anchored in the chain, which I *think* is a cool thing to have? On the other
> hand, the graph at the _edge_ level would be far more dynamic than it is
> today (Bob can advertise an entirely distinct topology from one day to
> another). Would need to think about the implications here for path finding
> algorithms and n

Re: [Lightning-dev] [RFC] Lightning gossip alternative

[Olaoluwa Osuntokun]

Hi Rusty,

> Timestamps are replaced with block heights.

This is a conceptually small change, but would actually make things like
rate limiting updates for implementations easier and more uniform. A simple
rule would be only allowing an update per block, which cuts down a lot on
potential chatter traffic, but maybe it's _too_ restrictive? Based on my
network observations, these days some many power user nodes more
aggressively
update their fee schedules in response to liquidity imbalances or as an
attempt to incentive usage of some channels vs others.

> 1. Nodes send out weekly node_announcement_v2, proving they own some
> UTXOs.

If a node doesn't send out this announcement, then will others start to
ignore their "channels"?

> 3. This uses UTXOs for anti-spam, but doesn't tie them to channels
> directly.

As I hinted a bit in prior discussion, and also my recent ML [1] post
outlining a possible "do most of the same things" stop gap, this has the
potentially undesirable effect of allowing parties on the network to utilize
_existing_ outputs to advertise false channels and inflate the "total
network capacity" metric. We'd effectively be moving away from "Alice and
Bob have N BTC of bound capacity between them to", "Bob has N BTC he can use
for signing these proofs".

Also while we're at it, why not add a merkle proof here (independent of
which direction we go with) which makes it possible for constrained/mobile
nodes to more easily verify gossip data (could be an optional query flag).

> FIXME: what about tapscripts?

Yeah, one side effect of moving to nodes advertising how much BTC they can
sign w/ vs the _actual_ BTC they have in "channels", is that to extend
validation here, the verifiers would need to fully verify possible script
path spends (assuming a scenario where a NUMs point is used as the internal
key).

> Legacy proofs are two signatures, similar to the existing
> channel_announcement.

Why not musig2? We'd be able to get away with just a single sig with this
modified `node_announcement_v2` and if we go the `channel_announcement2`
route, we'd be able to compress those 4 sigs into one.

> - If two node_announcement_v2 claim the same UTXO, use the first seen,
> discard any others.

So then this would mean that nodes that _actually_ have a channel between
them can't _individually_ claim the capacity?

> - node_announcement_v2 are discarded after a week (1000 blocks).  - Nodes
> do not need to monitor existence of UTXOs after initial check (since they
> will automatically prune them after a week).

A side effect of this would be _continual_ gossip churn in order to keep
channels alive. Today we do have the 2 week `channel_update` heart beat, but
channel updates are relatively small compared to this `node_announcement_v2`
message.

> - The total proved utxo value (not counting any utxos which are spent) is
> multiplied by 10 to give the "announcable_channel_capacity" for that node.

I don't see how this is at all useful in practice. We'd end up with inflated
numbers for the total node capacity, and path finding would be more
difficult as it isn't clear exactly how large an HTLC I can send over the
"channel". Sure there's the existence of max_htlc, but in that case why add
this "leverage" factor in the first place?

> 1. type: 273 (`channel_update_v2`)

This seems to allow the advertisement of channels which aren't actually
anchored in the chain, which I *think* is a cool thing to have? On the other
hand, the graph at the _edge_ level would be far more dynamic than it is
today (Bob can advertise an entirely distinct topology from one day to
another). Would need to think about the implications here for path finding
algorithms and nodes that want to maintain an update to date view of the
network...

> - `channel_id_and_claimant` is a 31-bit per-node channel_id which can be
> used in onion_messages, and a one bit stolen for the `claim` flag.

Where would this `channel_id` be derived from? FWIW, using this value in the
onion means we get a form of pubkey based routing [3] depending on how these
are derived.

> This simplifies gossip, requiring only two messages instead of three,
> and reducing the UTXO validation requirements to per-node instead of
> per-channel.

I'm not sure this would actually _simplify_ gossip in practice, given that
we'd be moving to a channel graph that isn't entirely based in the reality
of what's routable, and would be far more dynamic than it is today.

> We can use a convention that a channel_update_v2 with no `capacity` is a
> permanent close.

On the neutrino side, we tried to do something where if we see both channels
be disabled, then we'd mark the channel as closed. But in practice if you're
not syncing _every_ channel update every transmitted, then you'll end up
actually missing them.

> It also allows "leasing" of UTXOs: you could pay someone to sign their
> UTXO for your node_announcement, with some level of trust.

I'm not sure this is entirely a *good* thing, as the

Re: [Lightning-dev] [RFC] Lightning gossip alternative

[Rusty Russell]

ZmnSCPxj  writes:
> Good morning rusty,
>
> If we are going to switch to a new gossip version, should we prepare now for 
> published channels that are backed by channel factories?

This is already true with the new proposal: channels don't have to be
"real".  It's possible to raise the required ratio later, so less UTXO
proof is required (since channels are prioritized by their id, you can
choose which ones older nodes will see.

Cheers,
Rusty.
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

Re: [Lightning-dev] [RFC] Lightning gossip alternative

[ZmnSCPxj via Lightning-dev]

Good morning rusty,

If we are going to switch to a new gossip version, should we prepare now for 
published channels that are backed by channel factories?

Instead of a UTXO serving as a bond to allow advertisement of a *single* 
channel, allow it to advertise *multiple* channels.
This does not require us to flesh out the details of channel factories in the 
gossip protocol, especially post-Taproot --- we could simply require that a 
simple BIP-340 signature of the gossip message attesting to multiple channels 
is enough, and the details of the channel factories can be left to later 
protocol updates.


The reason for this is that for a set of N published nodes, there is an 
incentive to make as many channels as possible between pairs of nodes.
We expect that for N published nodes, all (N * (N - 1)) / 2 possible channels 
will be created, as that maximizes the expected fee return of the N published 
nodes.

Without the ability to gossip channel factories, channel factories can only be 
used for unpublished channels.
Due to not being available for routing, given an "LSP" and N clients, there is 
no incentive for the N clients to make direct channels to each other.
(In particular, one of the reasons given for unpublished channels is that the 
clients of an LSP may not have high onlineness, thus an unpublished channel 
would really only exist between a public LSP and a non-published client of that 
LSP.)
This means that for N clients we expect only N channels backed by the channel 
factory (and thus by the UTXO).

It seems to me to be a good idea to have as much of the public network backed 
by fewer UTXOs, as the published network has far more channels for every N 
participants.

(as well, supporting channel factories for the public graph does not preclude 
the unpublished graph from using channel factories, so even if the unpublished 
graph turns out to be much larger than the published graph, reducing the UTXO 
set of the published graph does not prevent reducing the UTXO set of the 
unpublished graph anyway.)


Against this, we should note that it makes stuffing the public graph cheaper (a 
single UTXO can now justify the addition of multiple edges on the public 
routing graph), which translates to making it easier to increase the complexity 
of the public graph and thus increase the cost of pathfinding.


Thoughts?

Regards,
ZmnSCPxj
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

Re: [Lightning-dev] [RFC] Lightning gossip alternative

[Rusty Russell]

Joost Jager  writes:
> Hi Rusty,
>
> Nice to see the proposal in more concrete terms. Few questions:
>
> - The total proved utxo value (not counting any utxos which are spent)
>>   is multiplied by 10 to give the "announcable_channel_capacity" for that
>> node.
>>
>
> Could this work as a dynamic value too, similar to the minimum relay fee on
> L1?

I made the number up, so I'm not very attached to it.  How would we
choose to scale it though?  If nodes don't use the same value it makes
for wasted gossip (and minisketch-based gossip much harder).

>> 1. `tlv_stream`: `channel_update_v2_tlvs`
>>
> 2. types:
>> 1. type: 4 (`capacity`)
>> 2. data:
>> * [`tu64`:`satoshis`]
>>
>
> What does capacity mean exactly outside the context of a real channel? Will
> this be reduced to that maximum htlc amount that the nodes want to route,
> to save as much of the announceable budget as possible?

Yes, it's the old htlc_maximum_msat, but expressed in satoshis because
msat seems to finegrained?

> It is also the question of whether 10 x 10k channels should weigh as much
> on the budget as a 1 x 100k channel. A spammer may be able to do more harm
> with multiple smaller channels because there is more for the sender's
> pathfinding algorithms to explore. Maybe it doesn't matter as long as there
> is some mechanism to discourage spam.

Yes, I suggested a minimum cost to avoid 100k 1sat channels, I don't
know if we should be more sophisticated.

>> 1. type: 5 (`cost`)
>> 2. data:
>>* [`u16`:`cltv_expiry_delta`]
>>* [`u32`:`fee_proportional_millionths`]
>>* [`tu32`:`fee_base_msat`]
>> 1. type: 6 (`min_msat`)
>> 2. data:
>> * [`tu64`:`min_htlc_sats`]
>>
>> - `channel_id_and_claimant` is a 31-bit per-node channel_id which can be
>>   used in onion_messages, and a one bit stolen for the `claim` flag.
>
> If you'd increase the budget multiplier from 10 to 20, couldn't this be
> simplified to always applying the cost to both nodes?

Yes!  I forgot that capacity doesn't have to be symmetrical; if I open a
giant channel with you, and you don't want to expose more UTXOs, you
just set your capacity to some lower value.

>> - A channel is not considered to exist until both peers have sent a
>>   channel_update_v2, at least one of which must set the `claim` flag.
>> - If a node sets `claim`, the capacity of the channel is subtracted from
>>   the remaining announcable_channel_capacity for that node (minimum
>>   10,000 sats).
>
> Same question about magic value and whether it can be dynamic.

Yes, 10ksat might be giant one day?  We can change it naively with a
feature bit ("I use v2 capacity calcs"), or in some more finegrained
way, but what do we base it on?

Cheers!
Rusty.
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

Re: [Lightning-dev] [RFC] Lightning gossip alternative

[Joost Jager]

Hi Rusty,

Nice to see the proposal in more concrete terms. Few questions:

- The total proved utxo value (not counting any utxos which are spent)
>   is multiplied by 10 to give the "announcable_channel_capacity" for that
> node.
>

Could this work as a dynamic value too, similar to the minimum relay fee on
L1?


> 1. `tlv_stream`: `channel_update_v2_tlvs`
>
2. types:
> 1. type: 4 (`capacity`)
> 2. data:
> * [`tu64`:`satoshis`]
>

What does capacity mean exactly outside the context of a real channel? Will
this be reduced to that maximum htlc amount that the nodes want to route,
to save as much of the announceable budget as possible?

It is also the question of whether 10 x 10k channels should weigh as much
on the budget as a 1 x 100k channel. A spammer may be able to do more harm
with multiple smaller channels because there is more for the sender's
pathfinding algorithms to explore. Maybe it doesn't matter as long as there
is some mechanism to discourage spam.


> 1. type: 5 (`cost`)
> 2. data:
>* [`u16`:`cltv_expiry_delta`]
>* [`u32`:`fee_proportional_millionths`]
>* [`tu32`:`fee_base_msat`]
> 1. type: 6 (`min_msat`)
> 2. data:
> * [`tu64`:`min_htlc_sats`]
>
> - `channel_id_and_claimant` is a 31-bit per-node channel_id which can be
>   used in onion_messages, and a one bit stolen for the `claim` flag.
>

If you'd increase the budget multiplier from 10 to 20, couldn't this be
simplified to always applying the cost to both nodes?


> - A channel is not considered to exist until both peers have sent a
>   channel_update_v2, at least one of which must set the `claim` flag.
> - If a node sets `claim`, the capacity of the channel is subtracted from
>   the remaining announcable_channel_capacity for that node (minimum
>   10,000 sats).
>

Same question about magic value and whether it can be dynamic.

Joost
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev

[Lightning-dev] [RFC] Lightning gossip alternative

[Rusty Russell]

Hi all,

I've floated this idea before, but this is a more concrete
proposal for a "v2" gossip protocol.

It assumes x-only pubkeys (aka point32) and BIP-340 signatures, and uses
modern TLVs for all optional or extensible fields.  Timestamps are
replaced with block heights.

1. Nodes send out weekly node_announcement_v2, proving they own some
   UTXOs.
2. This entitles them to broadcast channels, using channel_update_v2; a
   channel_update_v2 from both peers means the channel exists.
3. This uses UTXOs for anti-spam, but doesn't tie them to channels
   directly.
4. Future ZKP proofs are could be added.

1. type: 271 (`node_announcement_v2`)
2. data:
* [`bip340sig`:`signature`]
* [`point32`:`node_id`]
* [`u32`:`blockheight`]
* [`node_announcement_v2_tlvs`:`tlvs`]

1. `tlv_stream`: `node_announcement_v2_tlvs`
2. types:
1. type: 2 (`features`)
2. data:
* [`...*byte`:`featurebits`]
1. type: 3 (`chain_hash`)
2. data:
* [`chain_hash`:`chain`]
1. type: 4 (`taproot_utxo_proofs`)
2. data:
* [`...*taproot_utxo_proof`:`proofs`]
1. type: 6 (`legacy_utxo_proofs`)
2. data:
* [`...*legacy_utxo_proof`:`proofs`]
1. type: 127 (`ipv4_addresses`)
2. data:
* [`...*ipv4`:`addresses`]
1. type: 129 (`ipv6_addresses`)
2. data:
* [`...*ipv6`:`addresses`]
1. type: 131 (`torv3_addresses`)
2. data:
* [`...*torv3`:`addr`]
# Maybe alias, color, etc?

Taproot proofs are a signature of the v1 output over the `node_id`,
`utxo` and `blockheight` with prefix "lightingtaproot_utxo_proofsig"
(using the tagged signatures as per BOLT12). (FIXME: what about
tapscripts?).

Legacy proofs are two signatures, similar to the existing
channel_announcement.

1. subtype: `taproot_utxo_proof`
2. data:
* [`short_channel_id`:`utxo`]
* [`signature`:`sig`]

1. subtype: `legacy_utxo_proof`
2. data:
* [`short_channel_id`:`utxo`]
* [`point`:`bitcoin_key_1`]
* [`point`:`bitcoin_key_2`]
* [`signature`:`sig_1`]
* [`signature`:`sig_2`]

- node_announcement_v2 are discarded after a week (1000 blocks).
- If two node_announcement_v2 claim the same UTXO, use the first seen,
  discard any others.
- Nodes do not need to monitor existence of UTXOs after initial check (since
  they will automatically prune them after a week).
- The total proved utxo value (not counting any utxos which are spent)
  is multiplied by 10 to give the "announcable_channel_capacity" for that node.

1. type: 273 (`channel_update_v2`)
2. data:
* [`bip340sig`:`signature`]
* [`point32`:`local_node_id`]
* [`point32`:`remote_node_id`]
* [`u32`:`blockheight`]
* [`u32`:`channel_id_and_claimant`]
* [`channel_update_v2_tlvs`:`tlvs`]

1. `tlv_stream`: `channel_update_v2_tlvs`
2. types:
1. type: 2 (`features`)
2. data:
* [`...*byte`:`featurebits`]
1. type: 3 (`chain_hash`)
2. data:
* [`chain_hash`:`chain`]
1. type: 4 (`capacity`)
2. data:
* [`tu64`:`satoshis`]
1. type: 5 (`cost`)
2. data:
   * [`u16`:`cltv_expiry_delta`]
   * [`u32`:`fee_proportional_millionths`]
   * [`tu32`:`fee_base_msat`]
1. type: 6 (`min_msat`)
2. data:
* [`tu64`:`min_htlc_sats`]

- `channel_id_and_claimant` is a 31-bit per-node channel_id which can be
  used in onion_messages, and a one bit stolen for the `claim` flag.
- A channel is not considered to exist until both peers have sent a
  channel_update_v2, at least one of which must set the `claim` flag.
- If a node sets `claim`, the capacity of the channel is subtracted from
  the remaining announcable_channel_capacity for that node (minimum
  10,000 sats).
- If there is insufficient total `announcable_channel_capacity` for a
  node, it is used by the lower `channel_id`s first.

Implications


This simplifies gossip, requiring only two messages instead of three,
and reducing the UTXO validation requirements to per-node instead of
per-channel.  We can use a convention that a channel_update_v2 with no
`capacity` is a permanent close.

We might want to add a taproot_utxo_delegated_proof where UTXOs can
sign over to another key, so cold storage only needs to sign once, and
the other key can sign weekly.

It also allows "leasing" of UTXOs: you could pay someone to sign their
UTXO for your node_announcement, with some level of trust.  They could
spend the UTXO, which gives you a slow degredation as new nodes don't
accept your channels but existing nodes don't check until it's due for a
refresh).  Or they could sign one UTXO for multiple node_announcements,
which is why preference is given to the first-seen.  But it's a weekly
business so there's incentive for them not to.

Between nodes there's the question of "who claims this new channel?",
which I didn't address here.  Opener claims is logical, but leaks
information (though you could definitely pay for the peer to claim it).
With dual-funding, it's more comple