-
Notifications
You must be signed in to change notification settings - Fork 46
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
blip-0004: add experimental HTLC endorsement signaling
- Loading branch information
Showing
3 changed files
with
158 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,143 @@ | ||
| ``` | ||
| bLIP: 4 | ||
| Title: Experimental Endorsement Signaling | ||
| Status: Active | ||
| Author: Carla Kirk-Cohen <[email protected]> | ||
| Created: 2024-01-12 | ||
| License: CC0 | ||
| ``` | ||
|
|
||
| ## Abstract | ||
|
|
||
| HTLC endorsement signaling is a [proposed](https://github.com/lightning/bolts/pull/1071) | ||
| component of a [hybrid approach](https://research.chaincode.com/2022/11/15/unjamming-lightning) | ||
| to addressing [channel jamming attacks](https://bitcoinops.org/en/topics/channel-jamming-attacks) | ||
| against the Lightning Network. This bLIP outlines a proposal to deploy an | ||
| experimental endorsement TLV to the network to provide real world data to | ||
| inform specification of reputation algorithms. | ||
|
|
||
| ## Copyright | ||
|
|
||
| This bLIP is licensed under the CC0 license. | ||
|
|
||
| ## Specification | ||
|
|
||
| Experiment Parameters: | ||
| * `experiment_start`: [TODO] | ||
| * `experiment_end`: [TODO] | ||
|
|
||
| ### Adding an HTLC: `update_add_htlc`: | ||
|
|
||
| 1. `tlv_stream`: `update_add_htlc_tlvs` | ||
| 1. type: 65555 (`endorsed`) | ||
| 2. data: | ||
| * [`byte`:`endorsed`] | ||
|
|
||
| Sender: | ||
| * If the current time is greater than or equal to `experiment_start` and less | ||
| than `experiment_end`: | ||
| * if it is the original source of the HTLC: | ||
| * if it does not expect immediate fulfillment upon receipt by the | ||
| final destination: | ||
| * SHOULD set `endorsed` to `0`. | ||
| * otherwise: | ||
| * SHOULD set `endorsed` to `1`. | ||
| * MAY choose to set `endorsed` to `0` for some percentage of payments to | ||
| prevent leaking its identity as the original sender. | ||
|
|
||
| Receiver: | ||
| * If the current time is less than `experiment_end`: | ||
| * if running an experimental reputation algorithm: | ||
| * SHOULD set `endorsed` at its discretion. | ||
| * otherwise: | ||
| * if `endorsed` is present and non-zero in the `update_add_htlc`: | ||
| * SHOULD set `endorsed` to `1`. | ||
| * otherwise: | ||
| * SHOULD set `endorsed` to `0`. | ||
|
|
||
| ## Deployment and Deprecation | ||
|
|
||
| ### Deployment | ||
|
|
||
| Forwarding nodes can upgrade and being to set `endorsed` signals immediately, | ||
| as there is no privacy risk associated with propagating zero values. Feature | ||
| bit signaling and a flag day are used to allow senders to set `endorsed` to `1` | ||
| without leaking their identity as the original sender of the HTLC. | ||
|
|
||
| 1. Nodes on the network upgrade to support forwarding `endorsed` signals. | ||
| 2. Choose a `experiment_start` parameter based on deployment of the | ||
| `htlc_endorsed` signal on the network. | ||
| 3. After `experiment_start` has passed, sending nodes start to set `endorsed` | ||
| to `1` as described above. | ||
| 4. When `experiment_end` is reached, sending node on the network stop setting | ||
| the experimental `endorsed` field and intermediate nodes will stop | ||
| relaying it, so the signal will cease to propagate through the network. | ||
|
|
||
| ### Deprecation | ||
|
|
||
| If `endorsement` is merged to the BOLTs, the experimental signal can be | ||
| deprecated in favor of the protocol-range field. If it is not, the signal | ||
| will simply expire when `experiment_end` is reached. | ||
|
|
||
| 1. Upgrade to protocol-range field: | ||
|
|
||
| Once nodes are updated to use the protocol-range field, they can stop | ||
| advertising the experimental `htlc_endorsed` feature bit. | ||
|
|
||
| Sender: | ||
| * MUST set the same value for experimental and protocol-range field. | ||
|
|
||
| Receiver: | ||
| * if the protocol-range TLV is present: | ||
| * MUST interpret its value as the `endorsed` signal for the HTLC. | ||
| otherwise, if the experimental TLV is present: | ||
| * SHOULD interpret the experimental value as the `endorsed` signal | ||
| for the HTLC. | ||
|
|
||
| 2. When `experiment_end` is reached, the experimental field can be deprecated, | ||
| and the TLV number / feature bit can be released into the available pool: | ||
| Sender: | ||
| * MUST set the protocol-range field. | ||
| * MUST NOT set the experimental range field. | ||
|
|
||
| Receiver: | ||
| * MUST interpret the protocol-range field as the `endorsed` value for the HTLC. | ||
|
|
||
| ## Motivation | ||
|
|
||
| The emergent properties of network-wide changes to Lightning are difficult to | ||
| fully grasp without gathering real world data. This bLIP outlines a lightweight | ||
| and reversible mechanism to assess the impact of this change so that we can | ||
| direct further specification in an informed manner. | ||
|
|
||
| ## Rationale | ||
|
|
||
| Endorsement signals are copied from the incoming `update_add_htlc` to allow | ||
| positive signals to propagate through the network. Nodes wishing to participate | ||
| in active experimentation may set this signal according to their local | ||
| reputation algorithm, and this signal will be passively propagated by the | ||
| remainder of the route that is simply copying incoming values. | ||
|
|
||
| A flag day is included to mitigate privacy concerns that setting the | ||
| endorsement signal on payments will expose the identity of the original sender. | ||
| Nodes participating in the experiment will signal the `htlc_endorsed` feature | ||
| in their node announcement to help chose an appropriate `experiment_start`. | ||
| Once a sufficient portion of the network is upgraded to relay these signals, the | ||
| presence of positive endorsement does not expose the sender as the original | ||
| source of the HTLC. Senders are also advised to only set a positive endorsement | ||
| signal for some percentage of payments to further protect sender privacy. | ||
|
|
||
| The `endorsed` TLV is encoded as a single `byte` rather than a boolean to allow | ||
| flexible experimentation. HTLCs that are not endorsed include a TLV with a zero | ||
| value byte so that they can be distinguished from those with no endorsement | ||
| signal, which can be filtered out of experimental data as null values. | ||
|
|
||
| This experiment is opened as a bLIP because it is not intended to be a | ||
| permanent part of the lightning specification. Should endorsement signaling be | ||
| accepted to the BOLTs, the network can cleanly upgrade by setting the same | ||
| value for the protocol and experimental range TLV, and deprecate the | ||
| experimental TLV. | ||
|
|
||
| ## Reference Implementations | ||
|
|
||
| * [LND](https://github.com/lightningnetwork/lnd/pull/8390) |