596 lines
33 KiB
Markdown
596 lines
33 KiB
Markdown
|
---
|
|||
|
title:
|
|||
|
Lightning Layer
|
|||
|
---
|
|||
|
# This discussion of the lightning layer may well be obsoleted
|
|||
|
|
|||
|
by the elegant cryptography of [Scriptless Scripts] using adaptive Schnorr
|
|||
|
signatures and of [Anonymous Multi-Hop Locks].
|
|||
|
|
|||
|
Contingent payments can reveal a key to an alien blockchain on the bitcoin blockchain, and [zero knowledge contingent payments on the bitcoin chain] can reveal any arbitrarily complex secret that fulfils any arbitrarily complex condition.
|
|||
|
|
|||
|
[Scriptless Scripts]:https://tlu.tarilabs.com/cryptography/scriptless-scripts/introduction-to-scriptless-scripts.html
|
|||
|
"Introduction to Scriptless Scripts – Tari Labs University"
|
|||
|
|
|||
|
[Anonymous Multi-Hop Locks]: anonymous_multihop_locks_lightning_network.pdf
|
|||
|
"Anonymous Multi-Hop Locks for Blockchain Scalability and Interoperability"
|
|||
|
|
|||
|
[zero knowledge contingent payments on the bitcoin chain]:https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/
|
|||
|
"The first successful Zero-Knowledge Contingent Bitcoin Payment"
|
|||
|
|
|||
|
I need to understand the [Anonymous Multi-Hop Locks] primitive, and
|
|||
|
rewrite this accordingly.
|
|||
|
|
|||
|
Scriptless scripts have the huge advantage of being self enforcing – it is
|
|||
|
impossible to defect from the script, because there is no script – there are
|
|||
|
just actions that are cryptographically possible or impossible.
|
|||
|
|
|||
|
But scriptless scripts cannot in themselves solve the hard problem, that all
|
|||
|
participants in a multilateral transaction need to know _in a short time_ that
|
|||
|
the whole multilateral transaction has definitely succeeded or definitely
|
|||
|
failed. This inherently requires a reliable broadcast channel, though if
|
|||
|
everyone is cooperating, they don’t have to actually put anything on that
|
|||
|
channel. But they need the capability to resort to that channel if something
|
|||
|
funny happens, and that capability has to be used or lost within a time limit.
|
|||
|
|
|||
|
So, the adapter secret not only has to become known to the participants, it has to become known to the participants within timing limits.
|
|||
|
|
|||
|
[Anonymous Multi-Hop Locks] can ensure that the lightning network is
|
|||
|
always in a definite state, and that those parts of it that are undergoing
|
|||
|
state change are locked, but need to be embedded in a protocol that
|
|||
|
ensures that those locks always go away in a short time with commitment
|
|||
|
of the total transaction, or rollback of the total transaction, and that the
|
|||
|
participants in the transaction always know whether the transaction was
|
|||
|
committed or rolled back within a short time. Scriptless scripts are
|
|||
|
timeless, and need to be embedded in scripted scripts that have timing
|
|||
|
constraints, and which require information to be broadcast over a reliable
|
|||
|
broadcast channel if the information is available, yet certain time limits are
|
|||
|
nonetheless exceeded.
|
|||
|
|
|||
|
My conclusion was that full circle unbreakability of lightning network
|
|||
|
transactions within time limits needs a reliable broadcast, and I envisaged
|
|||
|
a hierarchy of reliable broadcasters, (sidechains, with some sidechains
|
|||
|
representing a group of bilateral lightning network gateways that act as
|
|||
|
one multilateral lightning network gateway) But this conclusion may be
|
|||
|
wrong or overly simple – though we are still going to need sidechains and
|
|||
|
hierarchical reliable broadcasting, because it can do no end of things that
|
|||
|
are very difficult otherwise.
|
|||
|
|
|||
|
But reliable broadcast mechanism both supplies and requires a solution to
|
|||
|
distributed Byzantine fault tolerant consensus, so the problem of getting a
|
|||
|
lock up and bringing it down is a general distributed Byzantine fault
|
|||
|
tolerant consensus problem, and perhaps viewing it as a reliable broadcast
|
|||
|
problem is a misperception and misanalysis.
|
|||
|
|
|||
|
Rather, the blockdag requires a mechanism to establish a total order of
|
|||
|
blocks, and the distributed multihop lock requires a mechanism to
|
|||
|
establish the state of the lock, the classic distributed state machine
|
|||
|
problem addressed by Practical Byzantine Fault Tolerant distributed
|
|||
|
consensus. Albeit implementing Practical Byzantine Fault Tolerant
|
|||
|
distributed consensus as a state machine over a blockdag may well be a
|
|||
|
simpler and more humanly intelligible form of this algorithm. But a state
|
|||
|
machine for BEGIN … COMMIT is going to be a fundamentally different
|
|||
|
state machine to the one that constructs a total order of transactions.
|
|||
|
|
|||
|
# Lightning layer concept
|
|||
|
|
|||
|
The lightning layer is a design that implements something like full reserve
|
|||
|
correspondence banking on top of the blockchain layer, thereby solving
|
|||
|
the problem of the blockchain exposing too much information about
|
|||
|
everyone’s transactions to everyone, allowing a blockchain solution to
|
|||
|
scale to completely replacing fiat currency, and allowing instant on the
|
|||
|
spot transactions.
|
|||
|
|
|||
|
A lightning gateway allows instant trustless unilateral transactions (Alice
|
|||
|
pays Bob) between two or more people, but you have to lock up a
|
|||
|
significant amount of money in each gateway, and if you have more than
|
|||
|
two participants, and one of the participants goes off the internet, then
|
|||
|
the protocols necessary for the gateway to keep going between the remaining
|
|||
|
participants become a bit more complicated. Multiparty gateways will be
|
|||
|
(eventually) implemented as sidechains.
|
|||
|
|
|||
|
A lightning gateway consists of coin (unspent transaction output) on the
|
|||
|
blockchain that need a joint signature to be spent. The parties to coin
|
|||
|
construct a transaction splitting it up between them before they create that
|
|||
|
coin on the blockchain, and then do not drop that transaction to the
|
|||
|
blockchain layer, keeping the transaction for when one them decides to break
|
|||
|
up the gateway. To change ownership of the coin, to increase the amount of the
|
|||
|
coin owned by one of them and decrease the amount owned by the other, they
|
|||
|
generate a new transaction, and then do not drop that transaction to the
|
|||
|
blockchain layer either.
|
|||
|
|
|||
|
And the problem is that we don’t want unilateral transactions. We want Alice
|
|||
|
pays Bob, and Bob gets a proof that he paid Alice, completing the circle.
|
|||
|
|
|||
|
And, to work like correspondence banking, we want Alice pays Bob, Bob pays
|
|||
|
Carol, Carol pays Dan, Dan pays Erin, Erin pays Frank, and Frank gets proof
|
|||
|
that he paid Ann, completing the circle.
|
|||
|
|
|||
|
And we want every unilateral transaction in the circle to go through, or none
|
|||
|
of them to go through. We want the whole circle of unilateral transactions
|
|||
|
making up a complete multilateral transaction to succeed or every unilateral
|
|||
|
transaction in the whole circle to fail.
|
|||
|
|
|||
|
And we want it to normally and usually succeed fast, and if it fails, to take
|
|||
|
a reasonably short time to fail. And if it fails, we want all participants to
|
|||
|
know it has definitely failed after a reasonably short timeout.
|
|||
|
|
|||
|
# The Bitcoin lightning layer is not
|
|||
|
|
|||
|
It is not correspondence banking with predictable behavior enforced by
|
|||
|
cryptography.
|
|||
|
|
|||
|
It is correspondence banking that uses cryptography, where the participants
|
|||
|
trustworthy behaviour is enforced from behind the scenes by unclear authority,
|
|||
|
which is likely to lead to the existing problem where authority is supposed to
|
|||
|
protect you from the bankers, but who protects you from authority?
|
|||
|
|
|||
|
For the lightning network to change from a single consistent state of who owns
|
|||
|
what part of each gateway unspent transaction output to another single
|
|||
|
consistent state is equivalent to the well known hard problems of a reliable
|
|||
|
broadcast channel, the Byzantine generals problem, the two generals problem,
|
|||
|
and acid transactions on a distributed database.
|
|||
|
|
|||
|
So when I looked at the lightning documents for a lightning layer on top of
|
|||
|
bitcoin I expected to see discussion of smart contracts on the bitcoin layer
|
|||
|
or lightning network protocols on the lightning layer for resolving these hard
|
|||
|
problems and eventually reaching a resolution, so that the network would
|
|||
|
always eventually reach a consistent and intended state. Not seeing them.
|
|||
|
|
|||
|
Instead what I do see is that the lightning network is safe because
|
|||
|
“misconduct” will result in you losing your bitcoins.
|
|||
|
|
|||
|
It will? Who do you lose them to? How is *misconduct* defined? Who decides
|
|||
|
*misconduct*? The guy who gets your bitcoins? Do we have a central banker of
|
|||
|
the lightning network somewhere?
|
|||
|
|
|||
|
We should not be talking about “misconduct”. We should be talking about the
|
|||
|
lighting network entering an inconsistent state due to lost messages, nodes
|
|||
|
going down at inopportune moments, and nodes deviating from the protocol, or
|
|||
|
entering a state that some of the participants in the transaction did not
|
|||
|
intend or expect.
|
|||
|
|
|||
|
The cryptographic term for misconduct is “Byzantine failure”, which indeed
|
|||
|
normally results from wickedness, but can result from bugs or data corruption.
|
|||
|
|
|||
|
While the usual and archetypal cause of Byzantine failure is that someone
|
|||
|
wrote or modified software for the purposes of betrayal, lying, cheating, and
|
|||
|
stealing, it happens often enough as a result of data corruption or running a
|
|||
|
program that was compiled under a compiler and in an environment different
|
|||
|
from that it was tested and developed on.
|
|||
|
|
|||
|
A gateway does a unilateral transaction between the parties on the lightning
|
|||
|
layer who control controlling the gateway unspent transaction output by
|
|||
|
generating a new transaction on the bitcoin layer breaking up the gateway
|
|||
|
between the parties, and the parties refrain from committing that transaction
|
|||
|
to the blockchain, and instead endless generate new transactions, which do not
|
|||
|
get played either, thereby changing what part of the gateway unspent
|
|||
|
transaction output is owned by each party to the gateway.
|
|||
|
|
|||
|
*What happens if someone commits an out of date bitcoin layer transaction to
|
|||
|
the blockchain?*
|
|||
|
|
|||
|
Does the central banker confiscate the bitcoin of the party who committed the
|
|||
|
transaction. How does he do that?
|
|||
|
|
|||
|
Suppose Alice’s gateway to Bob is blocked because she now owns the whole of
|
|||
|
that gateway unspent transaction output, and her gateway to Frankie is blocked
|
|||
|
because Frankie owns all of that gateway.
|
|||
|
|
|||
|
So she organizes a transaction that moves bitcoin from the Ann/Bob gateway to
|
|||
|
the Ann/Frankie gateway. So what Alice intends is that Alice pays Bob, Bob
|
|||
|
pays Carol, Carol pays Dan, Dan pays Erin, Erin pays Frank, and Frank pays
|
|||
|
Alice. Except that in the middle the transaction Carol and Erin ungracefully
|
|||
|
disconnect from the network, so that either Ann generated a bitcoin layer
|
|||
|
transaction giving bitcoin to Bob, but Frankie did not generate a bitcoin
|
|||
|
layer transaction to Ann, or the other way around.
|
|||
|
|
|||
|
*What happens when a transaction fails and leaves the parties in an inconsistent
|
|||
|
state?*
|
|||
|
|
|||
|
Does the central banker decide that Carol and Erin were engaged in
|
|||
|
misconduct and confiscate their bitcoin?*
|
|||
|
|
|||
|
# Trustless Unilateral transactions
|
|||
|
|
|||
|
If you wanted to buy or sell cryptocurrency for cash or gold, you could
|
|||
|
arrange over the internet to meet someone in person, set up a lightning
|
|||
|
gateway with him, and then, when you met him in person, pay him instantly, on
|
|||
|
the spot, in a trustless unilateral transaction without need to wait some
|
|||
|
considerable time for the payment to clear.
|
|||
|
|
|||
|
Suppose you wanted to sell bitcoin for gold, in person, both parties are going
|
|||
|
to meet, probably with a weapon in their pocket. You could create a jointly
|
|||
|
signed unspent transaction output, after you and the other party jointly sign
|
|||
|
a bitcoin layer transaction giving the bitcoin back to you. And then, when
|
|||
|
meeting, create a jointly signed bitcoin layer transaction giving the bitcoin
|
|||
|
to the man who is giving you the gold. Except what is going to stop you from
|
|||
|
committing the earlier transaction to the blockchain a few seconds before the
|
|||
|
meeting?
|
|||
|
|
|||
|
OK, let us suppose we have supersedeable transactions. They have to be
|
|||
|
committed to the blockchain for a time before they take effect, and if someone
|
|||
|
submits a transaction with the same signatures but a higher priority, the one
|
|||
|
with lower priority fails to take effect. Then you can endlessly generate
|
|||
|
fresh transactions, each with higher priority than the previous one, and never
|
|||
|
commit them to the blockchain unless the gateway between the parties is
|
|||
|
abandoned.
|
|||
|
|
|||
|
It would take a little while for the gateway to become available, but once it
|
|||
|
was available, instant irrevocable payments become possible.
|
|||
|
|
|||
|
And if one has an account with a service provider over the internet, one could
|
|||
|
set up a gate way with that service provider, and after each session or each
|
|||
|
service, make a small instant payment, without the cost and delay of making
|
|||
|
transactions on the blockchain.
|
|||
|
|
|||
|
It would be possible to do such instant two party transactions with bitcoin
|
|||
|
today, although the wallets are generally not set up to support it, nor is the
|
|||
|
way the main blockchain processes transactions, but with BTC blockchain
|
|||
|
working as it today, such transactions are not trustless. If you want to do a
|
|||
|
BTC transaction you are trusting the lightning network, which means you
|
|||
|
are trusting you do not whom.
|
|||
|
|
|||
|
At the time this is written, the lightning network for bitcoin has not been
|
|||
|
adequately implemented, or even fully designed. Existing implementations on
|
|||
|
top of the bitcoin blockchain still require some trust in intermediaries, and
|
|||
|
thus require trust in some mysterious authority with the mysterious
|
|||
|
capability to punish the intermediaries, and to have a real lighting network on
|
|||
|
bitcoin requires changes in bitcoin which the miners are not going along with,
|
|||
|
and which perhaps are underscoped and not fully thought out, ad hoc changes
|
|||
|
to fit with what already existed, and what was politically feasible. And it
|
|||
|
seems that rather less was politically feasible than one might hope.
|
|||
|
|
|||
|
# Cryptographic implementation of trustless unilateral transactions
|
|||
|
|
|||
|
Ann and Bob create on the blockchain a coin (unspent transaction output,
|
|||
|
utxo) whose corresponding key is the sum of secret key known only to
|
|||
|
Ann, and a secret key known only to Bob. Before they create this coin,
|
|||
|
they create a transaction on it, signed by their joint key, that creates two
|
|||
|
coins, one with a secret key known only to Bob, and one with a secret key
|
|||
|
known only to Ann. They keep this transaction to themselves and do not
|
|||
|
place it on the blockchain.
|
|||
|
|
|||
|
# Multilateral (circle) transactions
|
|||
|
|
|||
|
The lightning layer will function like correspondence banking, only with
|
|||
|
good behavior cryptographically enforced on the lightning vertices, rather
|
|||
|
than by state supervision of the “banks”. This will require a blockchain
|
|||
|
layer designed to support it.
|
|||
|
|
|||
|
Correspondence banking merges large numbers of small transactions into a small
|
|||
|
number of large pooled transactions which are eventually settled on the
|
|||
|
blockchain in one big transaction, with several parties to the transaction
|
|||
|
representing a very large number of parties engaged in a very large number of
|
|||
|
transactions.
|
|||
|
|
|||
|
But correspondence banking works by trust, thus the intermediaries have to
|
|||
|
be well known and subject to pressure, which is apt to mean subject to
|
|||
|
government pressure – and government has interests that are in conflict with
|
|||
|
those of people attempting to use a medium of exchange and a store of
|
|||
|
value.
|
|||
|
|
|||
|
lightning network correspondence banking
|
|||
|
------------------------------------------------------------------------ -----------------------------------------------------------------------------------
|
|||
|
merges many small two party transactions into a few large transactions merges many small two party transactions into a few large transactions
|
|||
|
lightning vertex bank
|
|||
|
lightning gateway bank account
|
|||
|
trustless need to trust the banks
|
|||
|
instant Slow in that you can never be sure if a transaction will be honored for some time
|
|||
|
Payer id visible to payer vertex, payee id visible to payee vertex Government issued id of payer and payee visible to all intermediaries.
|
|||
|
|
|||
|
We have a separate blockchain of supersedeable transactions. A
|
|||
|
transaction gets committed to the primary blockchain after it has been
|
|||
|
sitting on the supersedable chain for a while, if, at the time it is
|
|||
|
evaluated for commitment, all of its inputs are valid unspent outputs on
|
|||
|
the primary blockchain, and none of them are inputs to a currently valid
|
|||
|
higher priority transaction on the blockchain of supersedable
|
|||
|
transactions, the priority being an arbitrary length binary value.
|
|||
|
|
|||
|
If one party tries to break up a gateway with an out of date
|
|||
|
distribution, the other party notices it sitting on the supersedable
|
|||
|
blockchain, and issues a more up to date transaction. Normally this
|
|||
|
should never happen, since when one of the parties wants to break up a
|
|||
|
gateway, the other party should agree to a regular transaction. However,
|
|||
|
one party may go offline and stay offline, especially if the last
|
|||
|
transaction reduced the the value of their interest in the gateway to
|
|||
|
zero.
|
|||
|
|
|||
|
A gateway in the lightning network layer is a jointly signed coin on the
|
|||
|
blockchain on the blockchain layer. Bob’s account with BigCrypto is a coin
|
|||
|
on the blockchain layer, for which there exists a a jointly signed
|
|||
|
transaction distributing that block between two blocks, one wholly owned by
|
|||
|
Bob, and one wholly owned by BigCrypto, thus giving BigCrypto effective
|
|||
|
offchain control of one part of that block, and Bob effective control of the
|
|||
|
other part of the block, and by generating new superseding transaction, they
|
|||
|
can effectively transfer ownership of part of the block instantly without
|
|||
|
anything going on the blockchain.
|
|||
|
|
|||
|
But …
|
|||
|
|
|||
|
# Acid
|
|||
|
|
|||
|
We have to make sure that transactions are acid on the lightning network as a
|
|||
|
whole, that transactions are atomic, consistent, isolated, and durable.
|
|||
|
|
|||
|
## Atomic and consistent
|
|||
|
|
|||
|
Ann has an account with Bob, Bob has an account with Carol.
|
|||
|
|
|||
|
To change what is Ann’s account requires a transaction signed by
|
|||
|
Bob and Ann, and similarly for Carol.
|
|||
|
|
|||
|
Ann wants to pay Carol, but does not want to sign a reduction in her account
|
|||
|
with Bob, unless she is sure that Carol gets the corresponding increase. Bob
|
|||
|
does not want to sign an increase in Carol’s account, unless it gets Ann’s
|
|||
|
signature on a decrease in her account. Not to mention that Ann probably
|
|||
|
does not want to sign a decrease on her account without getting a receipt
|
|||
|
from Carol. Full circle transaction. We need to guarantee that either the
|
|||
|
full circle goes through, or none of the separate unilateral transactions in
|
|||
|
the circle go through.
|
|||
|
|
|||
|
## Reliable broadcast channel
|
|||
|
|
|||
|
The solution to atomicity and maintaining consistency between different
|
|||
|
entities on the lightning network is the reliable broadcast channel.
|
|||
|
|
|||
|
Such as the blockchain itself. Create a special zero value transaction that
|
|||
|
has no outputs and carries its own signature, but can be a required input to
|
|||
|
other transactions, and whose construction requires the cooperation of all
|
|||
|
the parties. Each gateway constructs a transaction only be valid if a code
|
|||
|
is placed on the blockchain that requires the cooperation of all the gateways
|
|||
|
within a short time. Once the code exists, and everyone knows it exists,
|
|||
|
they proceed with bilateral transactions that do not require the code and
|
|||
|
only potentially go on the blockchain. If not everyone knows it exists, and
|
|||
|
it does not appear on the blockchain within a short time, then the
|
|||
|
transaction fails. If everyone knows it exists, the transaction succeeds. If
|
|||
|
not everyone knows it exists, but it appears on the blockchain within the
|
|||
|
time limit, the transaction succeeds, and each party could potentially play
|
|||
|
the transaction, and thus effectively owns the corresponding part of the
|
|||
|
gateway coin, regardless of whether they play it or not.
|
|||
|
|
|||
|
A reliable broadcast channel is something that somehow works like a
|
|||
|
classified ad did back in the days of ink on paper newspapers. The physical
|
|||
|
process of producing the newspaper guaranteed that every single copy had the
|
|||
|
exact same classified ad in it, and that ad must have been made public on a
|
|||
|
certain date. Easy to do this with a printing press that puts ink on
|
|||
|
paper. Very hard to do this, with electronic point to point communications.
|
|||
|
|
|||
|
But let us assume we somehow have a reliable broadcast channel:
|
|||
|
|
|||
|
All the parties agree on a Merkle tree, which binds them if the joint
|
|||
|
signature to that Merkle tree appears on the reliable broadcast channel
|
|||
|
within a certain short time period.
|
|||
|
|
|||
|
And, if some of them have the joint signature, then knowing that they could
|
|||
|
upload it to the reliable broadcast channel, they each agree to superseding
|
|||
|
unilateral transactions. If Bob expects payment from Ann and expects to
|
|||
|
make payment to Carol, and he has the joint signature, and knows Carol has a
|
|||
|
copy of the authenticated joint signature, because Carol sent him the
|
|||
|
signature and he sent Ann the signature, of it, then he knows Carol can
|
|||
|
*make* him pay her, and knows he can *make* Ann pay him. So he just goes
|
|||
|
right ahead with unilateral transactions that supersede the transaction that
|
|||
|
relies on the reliable broadcast channel. And if every party to the
|
|||
|
transaction does that, none of them actually broadcast the signature the
|
|||
|
reliable broadcast channel. Which in consequence, by merely being available
|
|||
|
enforces correct behaviour, and is seldom likely to need to actually
|
|||
|
broadcast anything. And when something is actually broadcast on that
|
|||
|
channel, chances are that all the transactions that that broadcast enables
|
|||
|
will have been superseded.
|
|||
|
|
|||
|
Each party, when receives a copy of the joint signature that he *could* upload
|
|||
|
to the reliable broadcast channel, sends a copy to the counter party that he
|
|||
|
expects to pay him, and each party, when he receives a copy from the party he
|
|||
|
expects to pay, performs the unilateral payment to that party that supersedes
|
|||
|
and the transaction using the reliable broadcast network.
|
|||
|
|
|||
|
And if a party has a copy of the joint signature and the document that it
|
|||
|
signs for the full circle transaction, but finds himself unable to perform
|
|||
|
the superseding unilateral transactions with his counterparties, (perhaps
|
|||
|
their internet connection or their computer went down) then he uploads the
|
|||
|
signature to the reliable broadcast channel.
|
|||
|
|
|||
|
When the signature is uploaded to reliable broadcast channel, this does not
|
|||
|
give the reliable broadcast channel any substantial information about the
|
|||
|
amount of the transaction, and who the parties to the transaction are, but the
|
|||
|
node of the channel sees IP addresses, and this could frequently be used to
|
|||
|
reconstruct a pretty good guess about who is transacting with whom and why.
|
|||
|
As we see with Monaro, a partial information leak can be put together with
|
|||
|
lots of other sources of information to reconstruct a very large information
|
|||
|
leak.
|
|||
|
|
|||
|
But most of the time, the channel is not likely to be used, which means it
|
|||
|
will have only small fragments of data, not enough to put together to form
|
|||
|
a meaningful picture, hence the privacy leak is unlikely to be very useful
|
|||
|
to those snooping on other people’s business.
|
|||
|
|
|||
|
### Other use cases for a reliable broadcast channel
|
|||
|
|
|||
|
The use case of joint signatures implies an immutable data structure of the
|
|||
|
tuple oid, hash, public key, and two scalars.
|
|||
|
|
|||
|
But another use case is to publicly root private immutable data.
|
|||
|
|
|||
|
If you continually upload the latest version, you wind up uploading most of
|
|||
|
tree, or all of it, which does not add significantly to the cost of each
|
|||
|
interaction recorded. The simplest sql friendly data structure is (oid of
|
|||
|
this item, public key, hash, your index of hash, oids of two child hashes)
|
|||
|
with the reliable broadcast channel checking that the child hashes do in fact
|
|||
|
generate the hash, and that the tuple (public key, index of hash) is unique.
|
|||
|
|
|||
|
If the data is aged out after say, three months, cannot directly check
|
|||
|
uniqueness and correctness for the nodes that are the roots of big trees. How
|
|||
|
do you know someone has not made up several different and mutually
|
|||
|
inconsistent pasts for immutable append only data structure associated with
|
|||
|
this key?
|
|||
|
|
|||
|
To work around this problem, allow unbalanced Merkle trees, consisting of
|
|||
|
(oid of this item, public key, hash, your tree node index, index of the
|
|||
|
highest index leaf governed by this hash, oids of two child hashes) If an
|
|||
|
unbalanced node referencing an old tree root is uploaded at intervals of less
|
|||
|
than three months, it can be used to prove the contents and uniqueness of
|
|||
|
the old balanced binary tree root, since the most recent unbalanced node must
|
|||
|
have also proved contents and uniqueness, using a less recent unbalanced
|
|||
|
node, and unbalanced nodes must also be unique on the tuple (public key,
|
|||
|
index of node, index of highest leaf node governed) Someone can forget his
|
|||
|
old past, and, after three months, start making up a new past, but the
|
|||
|
witness for the new past can only begin on the day he starts the upload. He
|
|||
|
cannot construct several realities, and six months later, choose which
|
|||
|
reality he finds convenient. Or rather he can, but he cannot provide a six
|
|||
|
month earlier witness to it.
|
|||
|
|
|||
|
You upload several nodes that constitute the unbalanced tree right side path
|
|||
|
that points at the balanced rest of the old tree every two months, superseding
|
|||
|
the previous right hand side of the unbalanced tree, and thus maintaining a
|
|||
|
chain of proofs stretching into the past that proves that throughout this
|
|||
|
period, there is one and only one immutable data structure associated with
|
|||
|
this public key.
|
|||
|
|
|||
|
A common case is that they key certifying the state of the immutable data may
|
|||
|
change, with the torch being passed from key to key. In which case the
|
|||
|
upload of total state needs to reference the used key, and an earlier,
|
|||
|
normally the earliest, signing key, with links in the chain of keys
|
|||
|
authorizing keys being renewed at less than the timeout interval for data to
|
|||
|
be immutable, but unavailable from the reliable broadcast network. If the
|
|||
|
witness asserts that key is authorized by a chain of keys going back to an
|
|||
|
earlier or the earliest keys, then it relies on its previous witness, rather
|
|||
|
than re-evaluating the entire, possibly very long, chain of keys every time.
|
|||
|
|
|||
|
But, if the witness cannot do that, then the entire, possibly very very long,
|
|||
|
chain of keys and signatures has be uploaded for the witness to record the
|
|||
|
earlier, or earliest key, as authorizing the current ever changing key.
|
|||
|
Similarly if the client starts uploading to a new witness. But such very
|
|||
|
long proofs will only be have to done once in a very long while, and done
|
|||
|
once for everyone.
|
|||
|
|
|||
|
Because of Byzantine failure or network failure, such a chain may fork. The
|
|||
|
protocol has to be such that if a fork develops by network failure,
|
|||
|
it will be fixed, with one of the forks dying when the network functions
|
|||
|
better, and if it fails by Byzantine failure,
|
|||
|
we get two sets of reliable broadcast channels,
|
|||
|
each testifying that the other reliable broadcast channel is unreliable,
|
|||
|
and each testifying that a different fork is the valid fork,
|
|||
|
and which fork you follow depends on which reliable broadcast channel you
|
|||
|
subscribe to.
|
|||
|
|
|||
|
Another use case is for wallet recovery, with mutable data structures
|
|||
|
encrypted by the private key whose primary key is the public key.
|
|||
|
|
|||
|
## implementing and funding a reliable broadcast channel
|
|||
|
|
|||
|
Tardigrade has a somewhat similar architecture to the proposed Reliable
|
|||
|
Broadcast network charges $120 per year for per TB of storage, $45 per
|
|||
|
terabyte of download. So for uploading a single signature, and downloading
|
|||
|
it six times, which one hash, one elliptic point, and two scalars, one
|
|||
|
hundred and twenty eight bytes, so the cost of doing what tardigrade does
|
|||
|
with reliable broadcast network operated by a single operator would be
|
|||
|
$4 × 10^{-7}$ dollars. Which might as well be free, except we have to charge some tiny amount to prevent DDoS.
|
|||
|
|
|||
|
But, when the system is operating at scale, will want the reliable broadcast
|
|||
|
network to have many operators, who synchronize with each other so that the
|
|||
|
data is available to each of them and all of them and from each of them and
|
|||
|
all of them, and can testify when the
|
|||
|
data became available, so the cost will be
|
|||
|
many times that. Which is still insignificant. If the network is composed
|
|||
|
of a hundred operators, and there are substantial overheads to maintain
|
|||
|
synchrony and truth, we are still only looking a cost of $0.0001 per
|
|||
|
transaction. Maybe we should charge for opening the account, and then
|
|||
|
every hundredth transaction.
|
|||
|
|
|||
|
We also want the operators to be genuinely independent and separate from each
|
|||
|
other. We don’t want a single inherently authorized reliable broadcast channel,
|
|||
|
because it is inherently a low cost target for the fifty one percent attack.
|
|||
|
I have been thinking about implementing a reliable broadcast channel as
|
|||
|
byzantine Paxos protocol, but this gives us a massive low cost fifty one
|
|||
|
percent attack vulnerability. If the reliable broadcast channel is cheap
|
|||
|
enough to be useful, it is cheap enough for the fifty one percent attack.
|
|||
|
We want cheap testimony of valuable facts, which makes consensus mechanisms
|
|||
|
unlikely to work.
|
|||
|
|
|||
|
A better way reliably implementing a reliable
|
|||
|
broadcast channel is as a network of trusted witnesses, each of which keeps an
|
|||
|
eye on the reliability of other witnesses, because each periodically uploads
|
|||
|
the unbalanced tree testifying to its total state on several of the others,
|
|||
|
and each makes it data reciprocally available to several of the others, and
|
|||
|
each monitors the availability of several of the others, and each provides a
|
|||
|
signed chain of its total state with each witness, or some witnesses. Because
|
|||
|
the data is reciprocally available, each can testify to the uptime and
|
|||
|
reliability of each of the others, and none can hide its state. Each makes
|
|||
|
each of the nodes in each of its balanced trees available by index, the top
|
|||
|
node in each of its unbalanced right hand tree is signed, and nodes in the
|
|||
|
unbalanced tree constitute a separate sql like table, which times out
|
|||
|
considerably faster than the nodes with a single index.
|
|||
|
|
|||
|
Downtime, failure to provide oids on request, and losing its recent state,
|
|||
|
will be detected and will whack its reputation.
|
|||
|
|
|||
|
And it is up to the individual human to decide which trusted witness to follow,
|
|||
|
which human decision roots all the automatic computer decisions.
|
|||
|
|
|||
|
## isolated
|
|||
|
|
|||
|
Isolated means that one transaction cannot mangle another transaction.
|
|||
|
Easiest way to do this is that one gateway of the lightning network cannot
|
|||
|
handle a transaction while another is pending. Which is going to be a problem
|
|||
|
when we have nodes handling a lot of traffic, but a more efficient fix can
|
|||
|
wait till we have traffic problems.
|
|||
|
|
|||
|
For a more efficient fix, we will need relative as well as absolute
|
|||
|
transactions. A relative transaction, on being appended to an absolute
|
|||
|
transaction, subtracts something from one of the outputs, and adds it to
|
|||
|
another outputs. If this would produce a negative output, the compound
|
|||
|
transaction is invalid. But this can wait until we have busy gateways.
|
|||
|
|
|||
|
## durable
|
|||
|
|
|||
|
Durable means that if something bad happens to your node, you can probably
|
|||
|
recover, and if you don’t recover, no one else has problems.
|
|||
|
|
|||
|
If one party to a gateway goes down and does not come up, possibly because he
|
|||
|
has lost the secret key to the gateway, the other party drops the most recent
|
|||
|
transaction of the lightning layer to the blockchain layer.
|
|||
|
|
|||
|
If one party to a gateway goes down, but eventually comes up again, possibly
|
|||
|
with lost data, they resynchronize.
|
|||
|
|
|||
|
Suppose you lose your wallet?
|
|||
|
|
|||
|
At present the standard way of recovering a wallet is that you create a wallet
|
|||
|
using your BIPS master password, and it scans the blockchain for coins whose
|
|||
|
public key corresponds to the secret keys it might have generated.
|
|||
|
|
|||
|
Which works to recover your money, but does not recover your metadata, and
|
|||
|
will not recover a lightning gateway, since the your public key is not on the
|
|||
|
blockchain, rather the sum of your public key, and the public key of other
|
|||
|
parties to the gateway.
|
|||
|
|
|||
|
Metadata is becoming more important. If you lose your Wasabi wallet metadata,
|
|||
|
you have a big problem, and if we use the wallet as the basis for private end
|
|||
|
to end encrypted messages that can carry money, and for uncensorable social
|
|||
|
networking, the wallet will have a lot of very valuable metadata.
|
|||
|
|
|||
|
We really need cloud backup of wallets, with the wallet encrypted by a secret
|
|||
|
key derived from its master key, and cloud backup paid for though a lightning
|
|||
|
gateway. And this needs to be built into the wallet, the way recovery by
|
|||
|
scanning the blockchain is built into wallets today.
|
|||
|
|
|||
|
# trustless, fast, and free from blockchain analysis
|
|||
|
|
|||
|
That full circle transactions are atomic and consistent means that the
|
|||
|
lightning network can operate without trust or reputation – completely
|
|||
|
pseudonymous parties with no reputation can become nodes in the network,
|
|||
|
making it very hard for the state to apply know your customer pressure.
|
|||
|
|
|||
|
If the full content of each gateway’s ownership never becomes known
|
|||
|
except to the parties to the gateway, then the effect is to mingle and
|
|||
|
merge coins on the blockchain, creating fungibility and untraceability,
|
|||
|
as well as instant transactions.
|
|||
|
|
|||
|
If, on the other hand, we had a rather small number of trusted nodes that
|
|||
|
have a special, central, and privileged position on the
|
|||
|
lightning network, this would recreate the traceability problem of
|
|||
|
correspondence banking. The lightning network has to trust the reliable
|
|||
|
broadcast channels with reliability and broadcasting, but the information on
|
|||
|
that channel is meaningless to anyone other than the parties to the
|
|||
|
transaction.
|