44/WAKU2-PRIVATE-SETTLEMENT: RAW RFC

[staheri14]

Raw RFC for private settelement.

Some of the rationales behind the design choices are provided as inline comments (in the MD file), please read them through.

As a general note, we may want to simplify the UTXO usage, but I tried to first convey how UTXOs are originally used in other designs (so that we can use the current existing circom circuits) . Later we can revise and make it simpler if need be.
The main reason for using UTXOs is to allow custom value tokens (this is how it is done in Nova). I have already explained my reasoning in the RFC, copying them again here:
Custom token values have multiple benefits in the store protocol: 1) allow service providers to have their own pricing strategy, 2) it also copes with the Ether price fluctuations, 3) it lowers the computation overhead incurred by generating zk proofs e.g., instead of spending 100 different tokens each worth of x Ether (hence generating 100 proofs), one can spend one token worth of 100*x Ether

[oskarth]

I'm confused by this part. Isn't the whole point of this design to decouple payment with service credentials from settlement? If you require contract interactions every history quest this cost gas and it makes the system not scalable due to reasonable tps limits of underlying chain. It is also not realistic in terms of latency from HistoryQuery to HistoryResponse. What am I missing?

[oskarth]

Or is the idea that you pre-pay for many HistoryQueries in advance? Not clear from text

[s1fr0]

How I see it there are two possible approaches:

• the querying node generates and sends the zk proof directly to the service node, which can -verify it before answering to the query; -submit it to the contract and get paid preserving anonymity of the querying node but opening to possible double spend attacks (no need for request_ID).
• the querying node submit the proof to the contract first using some info the service provide can use to track the payment. This implies that the service provide would be able to get and trace the querying node ethereum public key through the request_IDby looking at the contract, even before providing any meaningful response. As a result a probe service node could collect public keys of querying nodes that performs certain queries.

[staheri14]

@s1fr0 both it possible, however, the first one is only possible if the spent token contains the exact amount as the amount requested by the store node (but not more). Otherwise, the token owner needs to wait for the store node to send the transaction to the contract so that it can use the remaining amount if its token.

[oskarth]

Or is the idea that you pre-pay for many HistoryQueries in advance? Not clear from text

[oskarth]

Settlement typo in a few places ("Stt" / "stt")

[staheri14]

fixed now

[oskarth]

Why? This makes it harder to do zero-cost entry too, e.g. if you want to make some crypto by providing a useful service (key insight behind Swarm's SWAP). If we can relax this assumption to e.g. only use new address + e.g. relayers it'd be useful.

[staheri14]

We can relax it (it is not a critical design choice), but it may be good later for scoring and reputation, and also making sure some two random users can not transact with the contract (it just makes it harder but not impossible).
On the other side, I support the idea of zero entry.

[oskarth]

This sounds interesting, but I'm not quite sure I follow. Perhaps motivation and illustration would be useful?

(Or maybe I just need to read it more carefully 😅 )

[oskarth]

Is this idea from somewhere in particular? Is this how Nova works under the hood somehow?

[staheri14]

Thanks for the comments @oskarth
This write up was not ready for review :) I will soon finish up my revisions and make it ready!
The quick response is that
-> UTXO is how Nova works under the hood
-> Registration is only needed for the store nodes, not the querying node, and the reason is to later be able to add reputation, also to make it hard for the users of the system to use the contract for arbitrary payments (outside of the store protocol)

I am adding more details on the rationale of design choices, hopefully, they would address your concerns

[s1fr0]

The name signature is confusing given that it represents an hash or you meant signing under privkey the commitment and index?

[staheri14]

It is a hash, we can certainly change the name.

[s1fr0]

Are those really encryptions or commitments? I see you later use blinding factors..

[s1fr0]

At this point may sound confusing that you create value from zero-value transactions. But is the (here hidden) extAmount that balances the output UTXOs' values, right?.

[staheri14]

Your observation is right, the extAmount determines whether a fund should be deposited in the contract or can be withdrawn to the recipient. Please check this comment of mine #540 (comment).

[s1fr0]

I don't see why you need at least 2 inputs and not just 1 (that can be extended up to 16).

[staheri14]

This is to make all the transactions look identical which is good for anonymity. Although, as I mentioned in the description, we may later decide to simplify things.

[s1fr0]

Is not clear to me how purchasing credential works: if identical a user that just joined the network how does generate the zk-proof? what input UTXOs uses? I guess recipient address and amount will be the contract address and the credential value, respectively.

[staheri14]

Right, for the deposits i.e., purchase of credentials, the two inputs UTXOs are zero values, and the output UTXOs are zero and amount values. The extAmount will be equal to the amount and will be paid to the contract.
Please check the formula for the extAmount at line 222 and the contract verification part at line 274 of the RFC. let me know if that addresses your question.

[s1fr0]

how zero-value UTXOs are generated? Since are nullified I expect the user to be able to generate them, those are not required to be accumulated in the tree?

[staheri14]

Please also check line 270 where the verification is explained.

[staheri14]

Thank you @s1fr0 and @oskarth for your comments
I have finished my edits on the RFC and marked it as ready. Please check the new description and let me know your comments.

[staheri14]

@oskarth @s1fr0 Please re-check the PR description.

[oskarth]

Sorry, devcon and travel, have had this PR on backlog. Why was this PR closed?

[oskarth]

This PR was closed without reason. It is still relevant. If we are doing it a different way then this should be explained in a comment and link to follow up issue.

[oskarth]

We need to restore the previous contents of this PR with work that was started more than 3 weeks ago. Otherwise we are lagging behind a month on critical work. It was also mentioned in several conversations to people to look over here to see the design, but now this has been forcefully removed with poor justification.

[jimstir]

Continue discussion at logos-messaging/specs#5. Some Waku rfcs are being moved to waku/specs repo as there will be a new rfc process.