📅 Original date posted:2015-09-21
📝 Original message:
Could you please point me to any notes about requirements/desiderata?
Thanks!
--Zooko
On Sep 18, 2015 5:47 PM, "Rusty Russell" <rusty at rustcorp.com.au> wrote:
> Hi all!
>
> So, we've handwaved that we're going to have onion routing, so
> each node can only see the immediate neighbors.
>
> Here's my first attempt; please fix :)
>
> The format of a route looks like so:
>
> required bytes route;
>
> A node decrypts that using its pubkey (probably some counter mode
> scheme, but that's for a different post!), expecting:
>
> // Sum of this whole thing after decryption.
> required sha256_hash sum = 1;
>
> // Where to next?
> oneof next {
> // Actually, this is the last one
> bool end = 2;
> // Next lightning node.
> pubkey lightning = 3;
> // Other realms go here...
> }
>
> // How much fee you can take (== all, if last node)
> required int32 fee = 4;
>
> // Remainder (route blob for next node).
> required bytes route = 5;
>
> If the sum is wrong, the routing has failed (it's been corrupted or was
> malformed to start).
>
> Nodes create the route backwards, to calculate the size. Then picks a
> total size randomly between 1024 and 4096, and pads to that size (at
> least 32 bytes of random padding). Then walks backwards to wrap and
> encrypt it.
>
> This offers some protection from guessing the route length.
>
> Route Probing Attacks
> =====================
> Now, there's a weakness here: No MAC! A nosy node can't corrupt the
> routing past the next hop, but it could replace it entirely (this is
> fundamental to the scheme of R values). If it guesses the final
> destination right, the HTLC will succeed, otherwise it will fail, so it
> can use this to probe.
>
> One partial defence is to fail to allow two HTLCs with the same R value,
> forcing probe serialization. Unfortunately that allows a simple way to
> probe back to the source, so we shouldn't do this!
>
> We may be able to do some probabalistic backoff of duplicate R values,
> such that you can't tell if I've received one before? A more
> sophisticated probe sequence could get a probability though...
>
> I can't see a fix for this in general. :(
>
> Error Messages
> ==============
> Another issue is that we should try not to leak information to passive
> observers on the route due to errors, so signing errors and using the
> 'sum' field as a secret key seems sensible. This means your padding in
> the original message needs to be "random" so 'sum' is random.
>
> Thoughts welcome!
> Rusty.
> PS. As noted before, nodes can trivially correlate HTLCs by R value, so
> onioning the routing only gets you so far...
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20150922/1abdd47c/attachment-0001.html>;
Zooko Wilcox-OHearn [ARCHIVE] /
npub1z4…684vc
2023-06-09 12:44:26
in reply to nevent1q…gtxx
Author Public Key
npub1z4nwmaam6z2a4mszqjl2fh0g402xfsnsehcctnxrr62mqa9agc9sv684vcPublished at
2023-06-09 12:44:26Event JSON
{
"id": "f961a373f460b8a75628083bb473d72dad892bc890889ad4d2d7a722369bff82",
"pubkey": "1566edf7bbd095daee0204bea4dde8abd464c270cdf185ccc31e95b074bd460b",
"created_at": 1686314666,
"kind": 1,
"tags": [
[
"e",
"36906e9db439c1be0c33c07064c5914ca50c01ffdfa370a0d6a3e54356187808",
"",
"root"
],
[
"e",
"a03d25bb52ea3a4e9ded94e9bcd5daf984beb2b96862c3d0a5d0ef8618fa3748",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2015-09-21\n📝 Original message:\nCould you please point me to any notes about requirements/desiderata?\n\nThanks!\n\n--Zooko\nOn Sep 18, 2015 5:47 PM, \"Rusty Russell\" \u003crusty at rustcorp.com.au\u003e wrote:\n\n\u003e Hi all!\n\u003e\n\u003e So, we've handwaved that we're going to have onion routing, so\n\u003e each node can only see the immediate neighbors.\n\u003e\n\u003e Here's my first attempt; please fix :)\n\u003e\n\u003e The format of a route looks like so:\n\u003e\n\u003e required bytes route;\n\u003e\n\u003e A node decrypts that using its pubkey (probably some counter mode\n\u003e scheme, but that's for a different post!), expecting:\n\u003e\n\u003e // Sum of this whole thing after decryption.\n\u003e required sha256_hash sum = 1;\n\u003e\n\u003e // Where to next?\n\u003e oneof next {\n\u003e // Actually, this is the last one\n\u003e bool end = 2;\n\u003e // Next lightning node.\n\u003e pubkey lightning = 3;\n\u003e // Other realms go here...\n\u003e }\n\u003e\n\u003e // How much fee you can take (== all, if last node)\n\u003e required int32 fee = 4;\n\u003e\n\u003e // Remainder (route blob for next node).\n\u003e required bytes route = 5;\n\u003e\n\u003e If the sum is wrong, the routing has failed (it's been corrupted or was\n\u003e malformed to start).\n\u003e\n\u003e Nodes create the route backwards, to calculate the size. Then picks a\n\u003e total size randomly between 1024 and 4096, and pads to that size (at\n\u003e least 32 bytes of random padding). Then walks backwards to wrap and\n\u003e encrypt it.\n\u003e\n\u003e This offers some protection from guessing the route length.\n\u003e\n\u003e Route Probing Attacks\n\u003e =====================\n\u003e Now, there's a weakness here: No MAC! A nosy node can't corrupt the\n\u003e routing past the next hop, but it could replace it entirely (this is\n\u003e fundamental to the scheme of R values). If it guesses the final\n\u003e destination right, the HTLC will succeed, otherwise it will fail, so it\n\u003e can use this to probe.\n\u003e\n\u003e One partial defence is to fail to allow two HTLCs with the same R value,\n\u003e forcing probe serialization. Unfortunately that allows a simple way to\n\u003e probe back to the source, so we shouldn't do this!\n\u003e\n\u003e We may be able to do some probabalistic backoff of duplicate R values,\n\u003e such that you can't tell if I've received one before? A more\n\u003e sophisticated probe sequence could get a probability though...\n\u003e\n\u003e I can't see a fix for this in general. :(\n\u003e\n\u003e Error Messages\n\u003e ==============\n\u003e Another issue is that we should try not to leak information to passive\n\u003e observers on the route due to errors, so signing errors and using the\n\u003e 'sum' field as a secret key seems sensible. This means your padding in\n\u003e the original message needs to be \"random\" so 'sum' is random.\n\u003e\n\u003e Thoughts welcome!\n\u003e Rusty.\n\u003e PS. As noted before, nodes can trivially correlate HTLCs by R value, so\n\u003e onioning the routing only gets you so far...\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20150922/1abdd47c/attachment-0001.html\u003e",
"sig": "2c7f78cbf20e27024be3d9c3be86a32502f38dc960cb3d89369b69d3d66a1e3a7efcb5f224e2d6c9e442b6e5386ecfb00dad64d8ecf5422e02e518989a58e0e5"
}