-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lightning Specification Meeting 2022/01/31 #955
Comments
Jeff Czyz, Matt, Rusty and I spent some time looking into making gossip more private by means of ZKPs. The overarching approach being essentially the following:
We compared some proof mechanisms including PLONK, STARKs, and SNARKs, and came up with the following estimates for proof sizes and verification times:
Some additional considerations are, for once, that with Schnorr cooperative channel opens, there is no singular private key either node knows and could therefore prove in the channel announcement message. That means that rather than using a SNARK-optimized curve and proving key equivalence, secp256k1 emulation circuitry might need to be embedded inside the proof. A SNARK-native EC point multiplication requires ~3,500 constraints, whereas a non-native one would require ~100,000, which means that for the two multiplications required for a Schnorr sig verification, the constraint count would grow to ~200,000. Additionally, assuming the Merkle tree allows for up to a depth of 17, using a SNARK-friendly hash function that takes up 750 constraints, the Merkle proof would add an extra 12,750 constraints, which admittedly is somewhat negligible compared to the non-native EC point multiplication issue. Lastly, and in our opinion, most striking of all, there really don't appear to be any mature libraries for any of the proof mechanisms. Everything is highly experimental, and even though there technically are a lot of different libraries available, especially for SNARKs, not a single one is production-ready. If there's any motivation in the Lightning community to pursue this further, I think that would likely mean a delay of possibly 6-12 months. |
Thanks for the summary! Most of these schemes are still in the iteration phase at the academic level, so I believe it's expected that there's no production-ready, mature library. I'm afraid it will likely take years before such libraries are available (so much has changed already since Groth16!). Unfortunately I think we probably need to rule out SNARKs (because we don't want to go through a trusted setup just for gossip stuff). PLONK looks like it could be a good fit, but is it going to be obsolete in one year once a new paper provides a more efficient iteration (or finds a flaw)? STARKs are somewhat more stable, but I believe most of the good libraries are closed-source (unless StarkWare has something that we can easily use?). I was hoping we could find something based on less fancy crypto (e.g. ring signatures, which are easy to do with schnorr), but I really haven't given it much thought so it's probably a dead-end. |
Thanks for your response! Indeed, in our discussions with Rusty, ring sigs did come up, though as far as I understand, the signature size grows approximately proportionally with the number of pubkeys included in the set. If there were a way to create a ring signature that would hypothetically validate only against a given ordered set of pubkeys, thus allowing nodes to supply a lion's share of the data necessary for verification simply by tracking the UTXO set, things would be much easier. |
Yes, that's the main issue. That's where we'd need to be smart, and see if we can have most of it be deterministically computed at each block by every node and have that reduce the size of the signature (this is very very hand-wavy, I know!). |
log scaling ring signatures exist, though they're a bit more heavy weight than the borromean ring variant most of us are likely somewhat familiar with. |
Yea, sadly that also fails the "mature implementations exist" criteria like basically all ZK proof systems :( |
Late addition: what do ppl think about moving https://github.com/cdecker/lightning-integration to the new |
In principle, yes, how does that compare to https://github.com/rustyrussell/lnprototest/ ? |
Definitely go with |
Are there logs available from jitsi and/or irc? |
Yes, we have the recording meeting, I think that the transcript will be available soon. |
Yeah I'll post it here in the next couple of days. Apologies for the delay. |
Another consideration that I don't believe has been discussed (at least above) on ZK proofs, ring sigs is replicability. If we want to prevent a commitment to a particular UTXO being used to gossip thousands/millions of channels ideally you'd only be able to use it once. Or a weaker form would be the ZK proof not being malleable so if it was used to gossip multiple channels a network participant would be able to identify that it was being used multiple times. It sounds like ZK proofs, ring sigs aren't being pursued for the time being for the reasons stated by various participants but just thought I'd post this in case it is revisited in future. (I added a StackExchange post too.) |
The meeting will take place on Monday 2022/01/31 at 7pm UTC (5:30am Adelaide time) on Libera Chat IRC #lightning-dev. It is open to the public.
A video link is available for higher bandwidth communication: https://meet.jit.si/Lightning-Spec-Meeting
Pull Request Review
Onion messages BOLT 7: Onion message support (features 38/39) #759Add dust exposure threshold Add amax_dust_htlc_exposure_msat
#919Simple turbo channels enablement Explicitly allow funding_locked early, and support alias scids (feat 46/47/50/51) #910Dynamic DNS support in gossip messages BOLT 7: add gossip address descriptor type DNS hostname #911Long Term Updates
Dual funding interactive-tx: Add dual-funding flow, using the interactive tx protocol (feature 28/29) #851Liquidity ads option_will_fund: liquidity ads #878Splicing Splice draft (feature 62/63) #863Simplified commitment Feature 106/107: option_simplified_update. #867Trampoline routing Trampoline Routing (2021 edition) (Feature 56/57) #829 and Trampoline onion format (Feature 56/57) #836Upfront payments / DoS protection Hold fees #843Peer storage backup Peer backup storage (feature 40/41/42/43) #881Taproot updatesBacklog
The following are topics that we should discuss at some point, so if we have time to discuss them great, otherwise they slip to the next meeting.
The text was updated successfully, but these errors were encountered: