Ripple and the problem of the decentralized commit

User Avatar
fiatjaf October 17, 2020

This is about Ryan Fugger's Ripple.

The summary is: unless everybody is good and well-connected at all times a transaction can always be left in a half-committed state, which creates confusion, erodes trust and benefits no one.

If you're unconvinced consider the following protocol flow:

  1. A finds a route (A--B--C--D) between her and D somehow;
  2. A "prepares" a payment to B, tells B to do the same with C and so on (to prepare means to give B a conditional IOU that will be valid as long as the full payment completes);
  3. When the chain of prepared messages reaches D, D somehow "commits" the payment.
  4. After the commit, A now really does owe B and so on, and D really knows it has been effectively paid by A (in the form of debt from C) so it can ship goods to A.

The most obvious (but wrong) way of structuring this would be for the entire payment chain to be dependent on the reveal of some secret. For example, the "prepare" messages could contain something like "I will pay you as long as you know p such that sha256(p) == h".

The payment flow then starts with D presenting A with an invoice that contains h, so D knows p, but no one else knows. A can then send the "prepare" message to B and B do the same until it reaches D.

When it reaches D, D can be sure that C will pay him because he knows p such that sha256(p) == h. He then reveals p to C, C now reveals it to B and B to A. When A gets it it has a proof that D has received his payment, therefore it is happy to settle it later with B and can prove to an external arbitrator that he has indeed paid D in case D doesn't deliver his products.

Issues with the naïve flow above

What if D never reveals p to C?

Then no one knows what happened. And then 10 years later he arrives at C's house (remember they are friends or have a trust relationship somehow) and demands his payment, and shows p to her in a piece of paper. Or worse: go directly to the court and shows C's message that says "I will pay you as long as you know p such that sha256(p) == h" (but with an actual number instead of "h") and the corresponding p. Now the judge has to decide in favor of D.

Now C was supposed to do the same with B, but C is not playing with this anymore, has lost all contact with B after they did their final settlement many years ago, no one was expecting this.

This clearly can't work. There must be a timeout for these payments.

What if we have a timeout?

Now what if we say the payment expires in one hour. D cannot hold the payment hostage and reveal p after 10 years. It must either reveal it before the timeout or conditional IOU will be void. Solves everything!

Except no, now it's the time we reach the most dark void of the protocol, the flaw that sucks its life into the abyss: subjectivity and ambiguity.

The big issue is that we don't have an independent judge to assert, for example, that D has indeed "revealed" p to C in time. C must acknowledge that voluntarily. C could do it using messages over the internet, but these messages are not reliable. C is not reliable. Clocks are not synchronized. Also if we now require C to confirm it has received p from D then the "prepare" message means nothing, as for D now just knowing p is not enough to claim before an arbitrator that C owes her -- because, again, D also must prove it has shown p to C before the timeout, therefore it needs a new signed acknowledgement from C, or from some other party.

Let's see a few examples.

Subjectivity and perverse incentives

D could send p to C, and C acknowledge it, but then when C goes to B and send it B will not acknowledge it, and claim it's past the time. Now C loses money.

Maybe C can not acknowledge it received anything from D before checking first with B? But B will have to check with A too! And it subverts the entire flow of the thing. And now A has a "proof of payment" (knowledge of p) without even having to acknowledge anything! In this case knowing p or not becomes meaningless as everybody knows p without acknowleding it to anyone else.

But even if A is honest and sends an "acknowledge" message to B, now B can just sit quiet and enjoy the credit it has just earned from A without ever acknowleding anything to C. It's perverted incentives in every step.

Ambiguity

But isn't this a protocol based on trust?, you ask, isn't C trusting that B will behave honestly already? Therefore if B is dishonest C just has to acknowledge his loss and break his chain of trust with B.

No, because C will not know what happened. B can say "I could have sent you an acknowledgement, but was waiting for A, and A didn't send anything" and C won't ever know if that was true. Or B could say "what? You didn't send me p at all", and that could be true. B could have been offline when A sent it, there could have been a broken connection or many other things, and B continues: "I was waiting for you to present me with p, but you didn't, therefore the payment timed out, you can't come here with p now, because now A won't accept it anymore from me". That could be true or could be false, who knows?

Therefore it is impossible for trust relationships and reputations to be maintained in such a system without "good fences".12

Footnotes

  1. The Lightning Network has a solution for the problem of the decentralized commit.

  2. Ironically this same ambiguity problem is being faced by the Lightning Network community when trying to create a reputation/payment system to prevent routing abuses. It seems simple when you first think about it: "let each node manage its own trust", but in fact it is somewhat impossible.