-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custodial Popcorn #31
Comments
Crazy idea: have every LSP be a Chaumian bank (though using WabiSabi-style keyed-verification anonymous credentials instead of blinded signatures). LSP issues popcorn tokens to clients. If the client wants to send out (i.e. use its received zap to zap someone else) it contacts a competitor LSP and hands over control of the popcorn token to the competitor LSP conditional on the HTLC being fulfilled. Once the competitor LSP has gathered enough popcorn tokens of the LSP, it asks for onchain settlement from the issuing LSP; presumably LSPs are in a better position to enforce this than mere clients, and provide proof of misbehaviour. On the other hand, misbehaviour here is not providing the data, which is difficult to prove. Hmm. |
Custodial Popcorn can possibly be inverted so that risks are inverted i.e. instead of client-trusts-LSP, it is LSP-trusts-client. The transform is done this way: Client single-funds a channel toward the LSP, LSP issues blinded tokens to client (without a corresponding transfer on the channel!); client periodically uses those tokens / trades the tokens, then client settles to the LSP periodically by saying "these are the tokens that remained with me" and then the client transfers the delta between the channel size and the tokens that remained with the client. An additional mechanism would be for a client to go to another LSP, say "I have tokens from this first LSP" and make payments out via that other LSP without making a channel to them; the other LSP then aggregates tokens issued by the first LSP from multiple such clients and periodically the LSPs settle over the LN. The advantage here is privacy: the client has a channel with one LSP but leaks its outgoing payments to another HTLC, decoupling identity of its onchain funds vs its outgoing payments (whereas with a "normal" LSP the identity of its outgoing payments is tied to the onchain funds used by the client to open the channel to the LSP; the LSP might not know who the payee is, but it does know who the payer is and what onchain funds were used to pay with). LSPs may also use the tokens of other LSPs strategically: if it has a channel with another LSP, and that channel is depleted and it is getting a lot of forwarding failures because of the lack of liquidity, it can withdraw the value of the other LSP tokens it holds and get some liquidity to power its forwards towards that LSP. This effectively rebalances through their shared clients. Token values would degrade over time. Any such token-minting system would require rotation of keys used to mint tokens (or else unbound storage), so a client that wants to retain control of funds would need to have slightly-old tokens from a few rotations ago be re-issued with the latest key rotation, and that mechanism can deduct a small "servicing fee" each time tokens are re-issued with the latest key rotation, representing the cost of lockup of funds on behalf of the user. The client can then settle with the LSP by disposing of its tokens and paying the delta with the channel, which removes the servicing fee but now the client can only pay by leaking its actual payments to the LSP via normal in-channel HTLCs. To get privacy, the client pays for it by then asking for tokens and promising to pay the delta back to the LSP in the future, which lets the client pay for payments using the anonymized tokens (possibly via another LSP that is willing to credit the tokens of the first LSP it has). Comes from @nothingmuch who credits @moonsettler for this idea. Against this, we should note that the original impetus / user story is that of nostr zaps, traditionally 21 sats each, being too small to pay for a channel open in the foreseeable future. The user story is that the client is someone who occassionally posts on nostr, who then aggregates the received funds and then gets a channel opened once the funds are large enough, hence Custodial Popcorn |
btw sending ecash on nostr does not require any special setup. it's the simplest most straightforward thing to do. it can even be done with a throwaway nsec and identifying the sender (if desired) inside the encrypted envelope with a meta protocol. the receivers could simply consolidate to self custody at their leisure. {
"type": "cashu/v1",
"sender": "<real_npub>",
"memo": "optional message or tx identifier",
"tokens": [...]
} |
@moonsettler The tokens being sent would be cashu-style tokens? As I understand it it would require some interaction with the server anyway to transfer definitely to the receiver, is my understanding correct? |
yes. the receiver would receive tokens he/she can spend through the mint. either pull into self custodial LN channel or move to a different mint. we can call it a sweep operation if we want, because before that the sender can also spend the same tokens. (unless they are bound to the receiver's pubkey, there have been experiments with that, it's enforced by the mint ofc) the main point is the receiver can do this at their convenience when they come online, in fact their wallet can automatically do this. |
link that i never provided: https://gist.github.com/moonsettler/42b588fa97a1da3ac0adea0dd16dadf2 note that some of what is described is my own attempt to generalize this inversion into a market/price discovery mechanism, there the credit goes to to Paul Grignon's self issued credit concept, which is a bit like gift cards with a maturity curve & discount built into, so it's applying his design to moonsettler's concept, but with a different design goal. |
yeah, i like the idea, iterated on it in a twitter thread:
|
@moonsettler writes:
Let me see if I understand this correctly: the 2-of-2 escrow would not be enforceable on the Bitcoin blockchain, but instead requires mutual trust between the LSP and its client, correct? Have you considered the use of Smart Contracts Unchained instead of a 2-of-2 mutual trust contract? Basically Smart Contracts Unchained extends the typical 2-of-3 escrow (2 keys are from the direct parties in the contract, 3rd key is an escrow that arbitrates in case of a conflict) so that an "escrow service" is a k-of-n of multiple services (so you get some of the advantages of Blockstream Liquid where you have distributed trust in a k-of-n, but gives you maximal freedom in changing who that k-of-n is) and the parties can agree in an n-of-n or if there is a disagreement they put up their contract and their witnesses to the contract. This does require third-party validation of tokens (because the escrow service is the third party in the contract), which I think are not possible with existing cashu tokens? @nothingmuch is pushing for switching to WabiSabi credentials. Would WabiSabi credentials be third-party validatable? I guess the problem is that the server marks some credentials as spent, and thus the server needs to prove that the credential was spent somehow. For third-party validatability: would it work with the BDHKE used in cashu to provide |
Although being a KVAC system requires knowledge of the secret key to verify a credential presentation, the server can produce a publicly verifiaible proof that such a message was valid using its secret analogous to the proof of valid issuance that it must provide to prevent key tagging attacks, so the specific situation you are describing can be done. A credential system that is not based on algebraic MACs can be used, e.g. Coconut is a publicly verifiable scheme. (sorry for edit, accidentally posted before finishing the response) |
it's the basis of the escrow, as most cases are assumed to be resolved cooperatively. neither party can gain by not cooperating and you are already in a highly interactive setting with lightning. presigned transactions can further lead to arbitration contracts. that can be trust oracles or maybe even BitVM fraud proofs. (altho i'm skeptical about it's economic viability for small amounts)
yes i baseline recommend 3-of-4 for arbitration where both parties bring their own oracle from a reputable set. ecash fraud proofs are a big part of how arbitration could be carried out. edit: ideally these escrows are obviated with a new commitment transaction after settlement. so they would never make it on-chain. |
@moonsettler with the current Poon-Dryja mechanism, every output contract does need to be infect with the Poon-Dryja mechanism, i.e. the 2-of-2 would actually be Basically, every contract is infected, so that an arbitrary contract With an escrow as you mentioned, the base contract C would be Sorry, this is melting my brain :P |
It seems to me, naively, that if the client wanted to show a third party a proof that it was issued a token, it could present both Of course, once this is revealed to the escrow and the escrow challenges the server to give the Basically in any case where the escrow set needs to judge between "the client says it has this token unspent, but the server is not crediting it" we want the client to be able to provide an entire "smoking gun" solely from data available during token issuance, without the server having to cooperate, as they are now in adversarial positions if they have reached the point where they need third parties to adjudicate between them.
Thanks, how different is this from WabiSabi? Would the credentials need to be group elements / points that are actually Pedersen commitments like in WabiSabi or...? |
sounds good to me. once you have your potential 2-of-2 output you can pre-sign further arbitration steps optionally. |
That seems somewhat dubious to me. I spent some time trying to figure out whether it can still be achieved without revealing b (it can with a proof of knowledge), but that is still problematic since (T, tB) are exposed together, and I don't really see a way around this since T is a hash to curve point. Admittedly it's possible to prove knowledge of t with general NIZKs as opposed to Sigma protocols, but at what feels like a prohibitive complexity increase. To verify the DLEQs, though, T must be a public input, and so is bT in the DLEQ that is just copied. Since T is a hash to curve point, and I don't see a way to formulate that statement without revealing it in some way. Perhaps the compressed Sigma protocol literature can offer some insight for how to prove knowledge of a DLEQ proof instead of providing it directly, thereby allowing only But, given it's already specified, I don't see why this would be better than just using the publicly verifiable variant of privacy pass, which relies on blind RSA? Seems like a better approach than trying to bypass the limitations with this recursive PoK approach.
Quite similar in the abstract, but using pairing based threshold blind signature scheme instead of an algebraic MAC on an Abelian group. Nitpicking, those would be credential attributes, not the credentials themselves (which is the attributes as well as the signature/MAC covering them), but yes, more or less the same. Formally, attribute values always field elements and the issuer only sees ElGammal commitments/encryptions of those, with re-randomization for credential presentation, but that's a minor difference. I worked out some of the details about two years ago but lost my notes (i think this was on physical paper), the attributes there are not group elements so it's a bit trickier, but not unlike Danake which uses an algebraic MAC scheme that is not as convenient as the Signal KVAC one. I looked at the paper right now but could not figure out at a glance what was challenging at the time, but IIRC it had to do with what would have been the equivalent of a balance proof. |
Before this dusts of into the nirvana: I still think a standard like this is needed. No idea when we should work on it (we already have lots on our plate) or how legally feasible it is but the base problem of handling initial small amounts is still here. |
"Popcorn", in the sense of a small value being custodied at the LSP on behalf of the client. The intent is that the coins lost in your couch are more valuable than the popcorn being custodied on your behalf.
A problem is that our base layer really only enforces satoshi-valued amounts, and if the value owned by one side is below the dust limit, it is simply given to miners as fee --- i.e. any value below the dust limit is not practically enforceable onchain.
It would be nice if we could make a "small claims court" where a client could prove it has a lien on a popcorn-sized monetary amount (i.e. less than the dust limit plus fee to open an actual for-reals channel) custodied on an LSP, and the LSP is refusing to let the client use the popcorn to pay someone else. This would allow enforcement, of a sort, of sub-dust-limit amounts.
Of course, this is custodial, so....
Also, the amounts being considered as so tiny that it might not be worth worrying about anyway.
We would also need some way to upgrade from custodial to non-custodial.
The text was updated successfully, but these errors were encountered: