📅 Original date posted:2020-02-21
📝 Original message:
Rusty Russell <rusty at rustcorp.com.au> writes:
>> Would it not be better to create a circular path? By this I mean,
>> Alice constructs an onion that overall creates a path from herself to
>> Bob and back, ensuring different nodes on the forward and return
>> directions. The onion hop at Bob reveals that Bob is the chosen
>> conversation partner, and Bob forwards its reply via the onion return
>> path (that Alice prepared herself to get back to her via another
>> path).
>
> I like it! The lack of "reply" function eliminates all storage
> requirements for the intermediaries. Unfortunately it's not currently
> possible to fit the reply onion inside the existing onion, but I know
> Christian has a rabbit in his hat for this?
I think circular payment really means an onion that is
> A -> ... -> B -> ... -> A
and not a reply onion inside of a forward onion.
The problem with the circular path is that the "recipient" cannot add
any reply without invalidating the HMACs on the return leg of the
onion. The onion is fully predetermined by the sender, any malleability
introduced in order to allow the recipient to reply poses a threat to
the integrity of the onion routing, e.g., it opens us up to probing by
fiddling with parts of the onion until the attacker identifies the
location the recipient is supposed to put his reply into.
As Rusty mentioned I have a construction of the onion routing packet
that allows us to compress it in such a way that it fits inside of the
payload itself. I'll write up a complete proposal over the coming days,
but the basic idea is to initialize the unused part of the onion in such
a way that it cancels out the layers of encryption and the fully wrapped
onion consists of all `0x00` bytes. These can then be removed resulting
in a compressed onion, and the sender can simply add the padding 0x00
bytes back to get the original, fully HMACd onion, and then send it like
normal (there is an obfuscation step to hide the `0x00` bytes from the
next hop, but more on this in the full rendez-vous proposal later).
This rendez-vous construction is a bit more involved since we want to
fit an onion into another onion of the same size. If we design a
completely new messaging system, requiring end-to-end communication, it
might be worth re-introducing the end-to-end payload which we removed in
the routing onion. It's a simply, variable or fixed length, payload,
that is onion-decrypted at each hop and its contents are revealed to the
destination (this is how onion routing usually works). Since that
payload doesn't have to adhere to the constraints of the routing onions
(multiple payloads, one for each hop, and no special larger payload
destined for the final recipient) this is both simpler, and would allow
us to store a full, unmodified, return-onion in the end-to-end payload.
Another advantage is that the end-to-end payload is not covered by the
HMACs in the header, meaning that the recipient can construct a reply
without having to modify (and invalidate) the routing onion. I guess
this is going back to the roots of the Sphinx paper :-)
Might be worth a consideration, as it seems to me like it'd be simpler
:-) The downside of course is that we'd end up with two different onion
constructions for different use-cases.
>> After Alice receives the first message from Bob the circular
>> "circuit" is established and they can continue to communicate using
>> the same circuit: timing attacks are now "impossible" since Alice and
>> Bob can be anywhere along the circle, even if two of the nodes in the
>> circuit are surveillors cooperating with each other, the timing
>> information they get is the distance between the surveillor nodes.
>>
>> Of course, if a node in the circular path drops the circuit is
>> disrupted, so any higher-level protocols on top of that should
>> probably be willing to resume the conversation on another circular
>> circuit.
>
> My immediate purpose for this is for "offers" which cause a invoice
> request, followed by an invoice reply. This will probably be reused
> once for the payment itself. 2 uses is not sufficient to justify
> setting up a circuit, AFAICT.
I know someone who is itching to implement hornet for these use-cases
;-)
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:59:02
in reply to nevent1q…dftn
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:59:02Event JSON
{
"id": "5817e0b284face4322b3e95fc3cc4a3f459a543ada453f485290291d91c05592",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315542,
"kind": 1,
"tags": [
[
"e",
"42cfc200e7833f933bf8544e61c12de15ea87116a820ad682a285378ff7c555e",
"",
"root"
],
[
"e",
"7a8170823064bcd11e869fd46529eff8045ed3fecc623a0db09c07e46b031fb0",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2020-02-21\n📝 Original message:\nRusty Russell \u003crusty at rustcorp.com.au\u003e writes:\n\n\u003e\u003e Would it not be better to create a circular path? By this I mean,\n\u003e\u003e Alice constructs an onion that overall creates a path from herself to\n\u003e\u003e Bob and back, ensuring different nodes on the forward and return\n\u003e\u003e directions. The onion hop at Bob reveals that Bob is the chosen\n\u003e\u003e conversation partner, and Bob forwards its reply via the onion return\n\u003e\u003e path (that Alice prepared herself to get back to her via another\n\u003e\u003e path).\n\u003e\n\u003e I like it! The lack of \"reply\" function eliminates all storage\n\u003e requirements for the intermediaries. Unfortunately it's not currently\n\u003e possible to fit the reply onion inside the existing onion, but I know\n\u003e Christian has a rabbit in his hat for this?\n\nI think circular payment really means an onion that is\n\n\u003e A -\u003e ... -\u003e B -\u003e ... -\u003e A\n\nand not a reply onion inside of a forward onion.\n\nThe problem with the circular path is that the \"recipient\" cannot add\nany reply without invalidating the HMACs on the return leg of the\nonion. The onion is fully predetermined by the sender, any malleability\nintroduced in order to allow the recipient to reply poses a threat to\nthe integrity of the onion routing, e.g., it opens us up to probing by\nfiddling with parts of the onion until the attacker identifies the\nlocation the recipient is supposed to put his reply into.\n\nAs Rusty mentioned I have a construction of the onion routing packet\nthat allows us to compress it in such a way that it fits inside of the\npayload itself. I'll write up a complete proposal over the coming days,\nbut the basic idea is to initialize the unused part of the onion in such\na way that it cancels out the layers of encryption and the fully wrapped\nonion consists of all `0x00` bytes. These can then be removed resulting\nin a compressed onion, and the sender can simply add the padding 0x00\nbytes back to get the original, fully HMACd onion, and then send it like\nnormal (there is an obfuscation step to hide the `0x00` bytes from the\nnext hop, but more on this in the full rendez-vous proposal later).\n\nThis rendez-vous construction is a bit more involved since we want to\nfit an onion into another onion of the same size. If we design a\ncompletely new messaging system, requiring end-to-end communication, it\nmight be worth re-introducing the end-to-end payload which we removed in\nthe routing onion. It's a simply, variable or fixed length, payload,\nthat is onion-decrypted at each hop and its contents are revealed to the\ndestination (this is how onion routing usually works). Since that\npayload doesn't have to adhere to the constraints of the routing onions\n(multiple payloads, one for each hop, and no special larger payload\ndestined for the final recipient) this is both simpler, and would allow\nus to store a full, unmodified, return-onion in the end-to-end payload.\n\nAnother advantage is that the end-to-end payload is not covered by the\nHMACs in the header, meaning that the recipient can construct a reply\nwithout having to modify (and invalidate) the routing onion. I guess\nthis is going back to the roots of the Sphinx paper :-)\n\n\nMight be worth a consideration, as it seems to me like it'd be simpler\n:-) The downside of course is that we'd end up with two different onion\nconstructions for different use-cases.\n\n\n\u003e\u003e After Alice receives the first message from Bob the circular\n\u003e\u003e \"circuit\" is established and they can continue to communicate using\n\u003e\u003e the same circuit: timing attacks are now \"impossible\" since Alice and\n\u003e\u003e Bob can be anywhere along the circle, even if two of the nodes in the\n\u003e\u003e circuit are surveillors cooperating with each other, the timing\n\u003e\u003e information they get is the distance between the surveillor nodes.\n\u003e\u003e\n\u003e\u003e Of course, if a node in the circular path drops the circuit is\n\u003e\u003e disrupted, so any higher-level protocols on top of that should\n\u003e\u003e probably be willing to resume the conversation on another circular\n\u003e\u003e circuit.\n\u003e\n\u003e My immediate purpose for this is for \"offers\" which cause a invoice\n\u003e request, followed by an invoice reply. This will probably be reused\n\u003e once for the payment itself. 2 uses is not sufficient to justify\n\u003e setting up a circuit, AFAICT.\n\nI know someone who is itching to implement hornet for these use-cases\n;-)\n\nCheers,\nChristian",
"sig": "aad814bb7282310212c4f763a20be4e3875b5da7145ff43ae5958dec6eb5fac03fa6fe23d13bf4703ded244f7b59ed09cdda4dcc95d6fa607ef0259616d4e57b"
}