📅 Original date posted:2019-02-08
📝 Original message:
Hi Laolu,
thanks for bringing this up. I think committing to more data might be
nice, but I have some reservations re signaling in the onion packet
version. But let's start at the top:
> However, since the CLTV isn't also authenticated, then it's possible
> to attempt to inject a new HTLC with a fresher CLTV. If the node isn't
> keeping around all pre-images, then they might forward this since it
> passes the regular expiry tests. If we instead extend the associated
> data payload to cover the CLTV as well, then this binds the adversary
> to using the same CLTV details.
The CLTV is actually committed to indirectly through the outgoing CLTV
value in the onion payload itself (both for intermediate hops and final
hops). For intermediate hops we will refuse any forward that has a CLTV
value for the next leg that is not far enough in the future based on the
incoming CLTV value. Notice that the values we commit to are not deltas,
but absolute values. This means that a node needs to keep a cache of
shared secrets used until the `outgoing_cltv_value` from the onion dips
below `incoming_cltv_value - cltv_expiry_delta`). Any replay attempt
after that will result in the first hop (adjacent to the attacker) to
reject the HTLC with an `incorrect_cltv_expiry` error.
That being said I'm happy to add more information to the AD, but it may
need to be rolled out differently from what you describe.
> If this were to be deployed, then we can do it by using a new packet version
> in the Sphinx packet. Nodes that come across this new version (signalled by
> a global feature bit) would then know to include the extra information in
> the AD for their MAC check.
This will not really work if the route contains any node that does not
understand the new version of the packet. The node prior to the
non-upgraded node would have to downgrade the packet version from v1 to
v0 understood by the non-upgraded node, which could be done via an
instruction in the per-hop payload itself, but the non-upgraded node
would not have any way of learning that it needs to upgrade the packet
version to v1 again. This means we can use v1 up to the first node that
doesn't understand v1 and have a permanent downgrade for the rest of the
route.
We might get away with signalling this in the payload itself, but that
inverts the processing of the onion into parse and interpret the payload
before checking the HMAC, which I can already hear cryptographers groan
about :-)
> While we're at it, we should also actually *commit* to the packet
> version. Right now nodes can swap out the version to anything they
> want, potentially causing another node to reject the packet. This
> should also be added to the AD to ensure the packet can't be modified
> without another node detecting it.
I don't think this is really useful. If a node wants to cause us to
reject a packet it can just tamper with anything in the payload and
we'll fail with an HMAC failure. The version really is just a hint as to
how we should process the packet, and if tampered with it'll just cause
us to reject, similarly to when the attacker modifies the ephemeral key.
> Longer term, we may end up with _all_ payment details in the Sphinx packet.
Agreed, we can also just use the serialized HTLC output, since that is
the on-chain representation of the payment, and therefore has to include
all relevant details :-)
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:54:13
in reply to nevent1q…hshc
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:54:13Event JSON
{
"id": "fb79bd284998e0d2787b6e3a58184b0c7c5587aad50f53d116183fdef040794c",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315253,
"kind": 1,
"tags": [
[
"e",
"cf926c0294d9a38805f6e8ca1e2929bbad5c37781c9f850b510884e8917f3405",
"",
"root"
],
[
"e",
"f41a1592cbaf693c98467add033f808cf0f60f90779d126b6d6774353fd54311",
"",
"reply"
],
[
"p",
"2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476"
]
],
"content": "📅 Original date posted:2019-02-08\n📝 Original message:\nHi Laolu,\n\nthanks for bringing this up. I think committing to more data might be\nnice, but I have some reservations re signaling in the onion packet\nversion. But let's start at the top:\n\n\u003e However, since the CLTV isn't also authenticated, then it's possible\n\u003e to attempt to inject a new HTLC with a fresher CLTV. If the node isn't\n\u003e keeping around all pre-images, then they might forward this since it\n\u003e passes the regular expiry tests. If we instead extend the associated\n\u003e data payload to cover the CLTV as well, then this binds the adversary\n\u003e to using the same CLTV details.\n\nThe CLTV is actually committed to indirectly through the outgoing CLTV\nvalue in the onion payload itself (both for intermediate hops and final\nhops). For intermediate hops we will refuse any forward that has a CLTV\nvalue for the next leg that is not far enough in the future based on the\nincoming CLTV value. Notice that the values we commit to are not deltas,\nbut absolute values. This means that a node needs to keep a cache of\nshared secrets used until the `outgoing_cltv_value` from the onion dips\nbelow `incoming_cltv_value - cltv_expiry_delta`). Any replay attempt\nafter that will result in the first hop (adjacent to the attacker) to\nreject the HTLC with an `incorrect_cltv_expiry` error.\n\nThat being said I'm happy to add more information to the AD, but it may\nneed to be rolled out differently from what you describe.\n\n\u003e If this were to be deployed, then we can do it by using a new packet version\n\u003e in the Sphinx packet. Nodes that come across this new version (signalled by\n\u003e a global feature bit) would then know to include the extra information in\n\u003e the AD for their MAC check.\n\nThis will not really work if the route contains any node that does not\nunderstand the new version of the packet. The node prior to the\nnon-upgraded node would have to downgrade the packet version from v1 to\nv0 understood by the non-upgraded node, which could be done via an\ninstruction in the per-hop payload itself, but the non-upgraded node\nwould not have any way of learning that it needs to upgrade the packet\nversion to v1 again. This means we can use v1 up to the first node that\ndoesn't understand v1 and have a permanent downgrade for the rest of the\nroute.\n\nWe might get away with signalling this in the payload itself, but that\ninverts the processing of the onion into parse and interpret the payload\nbefore checking the HMAC, which I can already hear cryptographers groan\nabout :-)\n\n\u003e While we're at it, we should also actually *commit* to the packet\n\u003e version. Right now nodes can swap out the version to anything they\n\u003e want, potentially causing another node to reject the packet. This\n\u003e should also be added to the AD to ensure the packet can't be modified\n\u003e without another node detecting it.\n\nI don't think this is really useful. If a node wants to cause us to\nreject a packet it can just tamper with anything in the payload and\nwe'll fail with an HMAC failure. The version really is just a hint as to\nhow we should process the packet, and if tampered with it'll just cause\nus to reject, similarly to when the attacker modifies the ephemeral key.\n\n\u003e Longer term, we may end up with _all_ payment details in the Sphinx packet.\n\nAgreed, we can also just use the serialized HTLC output, since that is\nthe on-chain representation of the payment, and therefore has to include\nall relevant details :-)\n\nCheers,\nChristian",
"sig": "18bc2efecff87327c8ffda8788087c713cac127c92dfd8a49f7f4f004b5c64c0946f8ef63cc86a3c85c628684aa7926278daefcd4d8b2822a5096527d1dd3bbf"
}