📅 Original date posted:2018-12-06
📝 Original message:
> * layer 0 (to B): decorrelation_secret = k[b]
> * layer 1 (to B): total_decorrelation_secrets = k = k[a] + k[b]
I would have less trouble understanding that if it were layer 1 (to C)
instead of (to B).
> The total_decorrelation_secrets serves as the payer-generated shared secret between payer and payee.
> B cannot learn this, and thus cannot fake its own secret.
> Even if it instead offers ((I + K[A]) + k[z] * G) for a new secret k[z], it cannot know how to change total_decorrelation_secrets from k[a] + k[b] to k[a] + k[z] instead.
>
The way things are now, the ephemeral key generation and the payment
hash/preimage generation are completely unrelated. This is what allows
an attacker to use the same payment hash, and use his own ephemeral key
pair to create a new onion packet around it.
Primarily, path decorrelation replaces the payment hash/preimage part.
Maybe I still don't understand something, but if that's the only thing
(without changing the ephemeral key / onion shared secret generation),
attacking the direct neighbor should still work; in your case, B would
still offer ((I + K[A]) + K[B]) to C, with an onion packet B created
himself. I'm not familiar enough with the path correlation to understand
what happens after step 6, but for C it looks the same, so she should do
the same.
I do see that, if you couple the "H"TLC payment secret generation to the
onion shared secret generation, you can make the attack impossible. Do I
understand correctly that this is the idea? After all, C still needs to
receive k somehow; my crypto math isn't that good, but my intuitive
guess is that i + k is the secret that allows C to claim funds locked in
((I + K[A]) + K[B]) =? (i + (k[a] + k[b])) * G. If k is submitted from A
to C through some mechanism that replaces the current ephemeral key
system, then I understand what you're at.
Assuming this is the case, it's pretty neat. I do wonder how it
interacts with rendezvous routing. If the sender and receiver each
create the k[..] values for their own part of the route, can the
receiver-generated onion packet still use points of the form ((I + K[A])
+ K[B]), including K[..] values related to the sender side? I need to
dig deeper into this path decorrelation idea.
CJP
Corné Plooy [ARCHIVE] /
npub1ly…cdx6n
2023-06-09 12:53:20
in reply to nevent1q…va87
Author Public Key
npub1ly5vrg5ylhdkxrkj824jhlnfsy2z8fvlg8wcc0jqc4aezma6majsycdx6nPublished at
2023-06-09 12:53:20Event JSON
{
"id": "d4f91a513e1fc851a4b68d394a6a67c1f5c003c0c98a27e561c06bbeeae3535a",
"pubkey": "f928c1a284fddb630ed23aab2bfe69811423a59f41dd8c3e40c57b916fbadf65",
"created_at": 1686315200,
"kind": 1,
"tags": [
[
"e",
"2fcb445dd574564835b2068c030ba4e556383d5b915eb5763f6fba62ac8aa302",
"",
"root"
],
[
"e",
"6adfcd325f6101e86166d922df9c4276ee93ca332c86f9e8c060019d96c11fa5",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2018-12-06\n📝 Original message:\n\u003e * layer 0 (to B): decorrelation_secret = k[b]\n\u003e * layer 1 (to B): total_decorrelation_secrets = k = k[a] + k[b]\n\n\nI would have less trouble understanding that if it were layer 1 (to C)\ninstead of (to B).\n\n\n\u003e The total_decorrelation_secrets serves as the payer-generated shared secret between payer and payee.\n\u003e B cannot learn this, and thus cannot fake its own secret.\n\u003e Even if it instead offers ((I + K[A]) + k[z] * G) for a new secret k[z], it cannot know how to change total_decorrelation_secrets from k[a] + k[b] to k[a] + k[z] instead.\n\u003e\nThe way things are now, the ephemeral key generation and the payment\nhash/preimage generation are completely unrelated. This is what allows\nan attacker to use the same payment hash, and use his own ephemeral key\npair to create a new onion packet around it.\n\n\nPrimarily, path decorrelation replaces the payment hash/preimage part.\nMaybe I still don't understand something, but if that's the only thing\n(without changing the ephemeral key / onion shared secret generation),\nattacking the direct neighbor should still work; in your case, B would\nstill offer ((I + K[A]) + K[B]) to C, with an onion packet B created\nhimself. I'm not familiar enough with the path correlation to understand\nwhat happens after step 6, but for C it looks the same, so she should do\nthe same.\n\n\nI do see that, if you couple the \"H\"TLC payment secret generation to the\nonion shared secret generation, you can make the attack impossible. Do I\nunderstand correctly that this is the idea? After all, C still needs to\nreceive k somehow; my crypto math isn't that good, but my intuitive\nguess is that i + k is the secret that allows C to claim funds locked in\n((I + K[A]) + K[B]) =? (i + (k[a] + k[b])) * G. If k is submitted from A\nto C through some mechanism that replaces the current ephemeral key\nsystem, then I understand what you're at.\n\n\nAssuming this is the case, it's pretty neat. I do wonder how it\ninteracts with rendezvous routing. If the sender and receiver each\ncreate the k[..] values for their own part of the route, can the\nreceiver-generated onion packet still use points of the form ((I + K[A])\n+ K[B]), including K[..] values related to the sender side? I need to\ndig deeper into this path decorrelation idea.\n\n\nCJP",
"sig": "69a83aec575719a01639b18726f29343cdd1f257e7d2fcb38c9a855f852f6d772f0f5b68e6b4559a650b6aaf0f603036d32b235b905a5a8a09b505cb731ad771"
}