đź“… Original date posted:2022-10-20
đź“ť Original message:
Hi Joost,
I need more time to review your proposed change, but I wanted to quickly
correct a misunderstanding you had in quoting eclair's code:
> Unfortunately it is possible for nodes on the route to hide themselves.
> If they return random data as the failure message, the sender won't know
> where the failure happened. Some senders then penalize all nodes that
> were part of the route [4][5]. This may exclude perfectly reliable nodes
> from being used for future payments.
Eclair's code does not penalize nodes for future payment attempts in this
case. It only ignores them for the retries of that particular payment.
Cheers,
Bastien
Le mer. 19 oct. 2022 Ă 13:13, Joost Jager <joost.jager at gmail.com> a Ă©crit :
> Hi list,
>
> I wanted to get back to a long-standing issue in Lightning: gaps in error
> attribution. I've posted about this before back in 2019 [1].
>
> Error attribution is important to properly penalize nodes after a payment
> failure occurs. The goal of the penalty is to give the next attempt a
> better chance at succeeding. In the happy failure flow, the sender is able
> to determine the origin of the failure and penalizes a single node or pair
> of nodes.
>
> Unfortunately it is possible for nodes on the route to hide themselves. If
> they return random data as the failure message, the sender won't know where
> the failure happened. Some senders then penalize all nodes that were part
> of the route [4][5]. This may exclude perfectly reliable nodes from being
> used for future payments. Other senders penalize no nodes at all [6][7],
> which allows the offending node to keep the disruption going.
>
> A special case of this is a final node sending back random data. Senders
> that penalize all nodes will keep looking for alternative routes. But
> because each alternative route still ends with that same final node, the
> sender will ultimately penalize all of its peers and possibly a lot of the
> rest of the network too.
>
> I can think of various reasons for exploiting this weakness. One is just
> plain grievance for whatever reason. Another one is to attract more traffic
> by getting competing routing nodes penalized. Or the goal could be to
> sufficiently mess up reputation tracking of a specific sender node to make
> it hard for that node to make further payments.
>
> Related to this are delays in the path. A node can delay propagating back
> a failure message and the sender won't be able to determine which node did
> it.
>
> The link at the top of this post [1] describes a way to address both
> unreadable failure messages as well as delays by letting each node on the
> route append a timestamp and hmac to the failure message. The great
> challenge is to do this in such a way that nodes don’t learn their position
> in the path.
>
> I'm revisiting this idea, and have prototyped various ways to implement
> it. In the remainder of this post, I will describe the variant that I
> thought works best (so far).
>
> # Failure message format
>
> The basic idea of the new format is to let each node (not just the error
> source) commit to the failure message when it passes it back by adding an
> hmac. The sender verifies all hmacs upon receipt of the failure message.
> This makes it impossible for any of the nodes to modify the failure message
> without revealing that they might have played a part in the modification.
> It won’t be possible for the sender to pinpoint an exact node, because
> either end of a communication channel may have modified the message.
> Pinpointing a pair of nodes however is good enough, and is commonly done
> for regular onion failures too.
>
> On the highest level, the new failure message consists of three parts:
>
> `message` (var len) | `payloads` (fixed len) | `hmacs` (fixed len)
>
> * `message` is the standard onion failure message as described in [2], but
> without the hmac. The hmac is now part of `hmacs` and doesn't need to be
> repeated.
>
> * `payloads` is a fixed length array that contains space for each node
> (`hop_payload`) on the route to add data to return to the sender. Ideally
> the contents and size of `hop_payload` is signaled so that future
> extensions don’t require all nodes to upgrade. For now, we’ll assume the
> following 9-byte format:
>
> `is_final` (1 byte) | `duration` (8 bytes)
>
> `is_final` indicates whether this node is the failure source. The sender
> uses `is_final` to determine when to stop the decryption/verification
> process.
>
> `duration` is the time in milliseconds that the node held the htlc. By
> observing the series of reported durations, the sender is able to pinpoint
> a delay down to a pair of nodes.
>
> The `hop_payload` is repeated 27 times (the maximum route length).
>
> Every hop shifts `payloads` 9 bytes to the right and puts its own
> `hop_payload` in the 9 left-most bytes.
>
> * `hmacs` is a fixed length array where nodes add their hmacs as the
> failure message travels back to the sender.
>
> To keep things simple, I'll describe the format as if the maximum route
> length was only three hops (instead of 27):
>
> `hmac_0_2` | `hmac_0_1`| `hmac_0_0`| `hmac_1_1`| `hmac_1_0`| `hmac_2_0`
>
> Because nodes don't know their position in the path, it's unclear to
> them what part of the failure message they are supposed to include in the
> hmac. They can't just include everything, because if part of that data is
> deleted later (to keep the message size fixed) it opens up the possibility
> for nodes to blame others.
>
> The solution here is to provide hmacs for all possible positions. The
> last node that updated `hmacs` added `hmac_0_2`, `hmac_0_1` and `hmac_0_0`
> to the block. Each hmac corresponds to a presumed position in the path,
> where `hmac_0_2` is for the longest path (2 downstream hops) and `hmac_0_0`
> for the shortest (node is the error source).
>
> `hmac_x_y` is the hmac added by node x (counted from the node that is
> currently handling the failure message) assuming that this node is y hops
> away from the final node.
>
> Before an hop adds its hmacs, it first deletes some of the previous hmacs.
> This keeps the failure message at a fixed length. The removed hmacs are the
> ones that cannot be useful anymore. If node 0 adds itself, the former node
> 0 (now node 1) cannot be at the first position anymore. The former node 1
> (now node 2) cannot be at the second position anymore. The former node 2
> cannot be the source of the error anymore and isn’t represented in the
> failure message any longer. The corresponding hmacs (the now non-existent
> `hmac_0_2`, `hmac_1_1` and `hmac_2_0`) are deleted by node 0.
>
> Deleting the useless data reduces the number of hmacs (and roughly the
> total failure message size) to half.
>
> The delete operation transform the fields above to:
>
> <empty> | <empty> | <empty> | `hmac_0_1`| `hmac_0_0`| `hmac_1_0`
>
> The exact data that is included in each hmac is:
> * `message`
> * the node’s own `hop_payload` and a set of downstream `hop_payload`s,
> depending on assumed position
> * a set of downstream node hmacs, depending on assumed position
>
> For example `hmac_0_1` is based on:
>
> `message` | `hop_payload[0]` | `hop_payload[1]` | `hmac_1_0`
>
> If the node that is currently handling the failure message is one hop away
> from the final node, it needs to cover its own `hop_payload[0]`, the final
> node `hop_payload[1]` and the final node hmac `hmac_1_0`.
>
> A longer path is committed to in `hmac_0_2`:
>
> `message` | `hop_payload[0]` | `hop_payload[1]` | `hop_payload[2]` |
> `hmac_1_1` | `hmac_2_0`
>
> The current node is two hops away from the final node. It needs to cover
> its own `hop_payload[0]` as well as `hop_payload[1]` and `hop_payload[2]`
> for the next and final hops. Additionally it covers the next hop `hmac_1_1`
> and final hop `hmac_2_0`, which correspond to the positions of those nodes
> in the path that is assumed for `hmac_0_2`.
>
> With this information, the sender is able to verify the longest chain of
> hmacs until it encounters a `hop_payload` with `is_final` set.
>
> If any of the nodes messes with any byte in the failure message, the
> sender is always able to determine a pair of nodes that the offending node
> is part of. This statement can be verified through reasoning, but to be
> sure I also tested it with code. I’ve simulated a malicious node that
> modifies a byte of the failure message at index x and observed the error
> source as determined by the sender. For every x, the sender reports the
> same correct pair.
>
> # Size
>
> The obvious downside of the scheme above is the size. Given a maximum of
> 27 hops, the `hmacs` block contains 27+26+25+...+1=378 hmacs of 32 bytes
> each. This makes for a total size of 12 KB.
>
> It could be the case though that it is not possible to devise a more
> compact scheme that also preserves the existing privacy guarantees. I know
> that smart people have spent time on this problem, but nonetheless no
> better solution has come up in the past years. A proof of its non-existence
> would be interesting for sure.
>
> I personally think the size increase is justified to fix this
> vulnerability in Lightning. Also if failures are expected to become more
> rare going forward, size becomes less relevant to the overall operation of
> the network.
>
> Another option is to reduce the maximum number of hops. It is questionable
> whether 27 hops are really needed in practice, and such long routes also
> contribute to latency and capital lock up. If for example the new failure
> message could only be used with routes up to 10 hops, the total number of
> hmacs would drop from 378 to 55. This makes for a total message size of
> about 2 KB.
>
> # Signaling
>
> For backwards compatibility nodes need to know what algorithm they should
> run to generate or transform the failure message. This can be signaled by
> the sender via a tlv onion field. A failure message format signaling
> mechanism is also discussed in the context of long failure messages [3].
> The failure message described in this post could be just another version.
>
> Additionally, intermediate nodes need to advertise their capability to
> transform the new format through a feature bit.
>
> # Delayed successes
>
> It’s not just failures that can be delayed. Successes can too. In that
> case, there is no failure message to improve. It could be an option to add
> the same `payloads` and `hmacs` blocks to the `update_fulfill_htlc` message.
>
> [1]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-June/002015.html
> [2]
> https://github.com/lightning/bolts/blob/master/04-onion-routing.md#returning-errors
> [3] https://github.com/lightning/bolts/pull/1021
> [4]
> https://github.com/lightningnetwork/lnd/blob/4fbd608b734f348d7e79fbfc7feaecc5c6c33a90/routing/result_interpretation.go#L419
> [5]
>
> https://github.com/ACINQ/eclair/blob/a0433aa0c027c9be618c5afe18e7f91642a7f372/eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentEvents.scala#L221
> [6]
> https://github.com/ElementsProject/lightning/blob/62bfed9a8df8731be44ba4e86afb08a5d28a4442/plugins/libplugin-pay.c#L1461
> [7]
> https://github.com/lightningdevkit/rust-lightning/blob/e61f3a238a70cbac87209e223b7c396108a49b97/lightning-invoice/src/payment.rs#L682
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20221020/fd913402/attachment.html>;
Bastien TEINTURIER [ARCHIVE] /
npub17f…ntr0s
2023-06-09 13:07:07
in reply to nevent1q…3ds3
Author Public Key
npub17fjkngg0s0mfx4uhhz6n4puhflwvrhn2h5c78vdr5xda4mvqx89swntr0sPublished at
2023-06-09 13:07:07Event JSON
{
"id": "904b97e4efcdc00a74021e900c66c345d4592961aab6ef3c972c6c6a9ddfaa09",
"pubkey": "f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb",
"created_at": 1686316027,
"kind": 1,
"tags": [
[
"e",
"7e7acd5c9009d2af34a1e92bdcee51b6c78a97018be25ffc59e6b5e8e3dbabb9",
"",
"root"
],
[
"e",
"b1461685f041910b4ca609b0d1546012df4772370ace5266b0d3ad86b77b8665",
"",
"reply"
],
[
"p",
"ec3fb08b335b94aace30d13181f2ad0280df9bc34f1a99832c4e2da8fb125eb3"
]
],
"content": "📅 Original date posted:2022-10-20\n📝 Original message:\nHi Joost,\n\nI need more time to review your proposed change, but I wanted to quickly\ncorrect a misunderstanding you had in quoting eclair's code:\n\n\u003e Unfortunately it is possible for nodes on the route to hide themselves.\n\u003e If they return random data as the failure message, the sender won't know\n\u003e where the failure happened. Some senders then penalize all nodes that\n\u003e were part of the route [4][5]. This may exclude perfectly reliable nodes\n\u003e from being used for future payments.\n\nEclair's code does not penalize nodes for future payment attempts in this\ncase. It only ignores them for the retries of that particular payment.\n\nCheers,\nBastien\n\nLe mer. 19 oct. 2022 à 13:13, Joost Jager \u003cjoost.jager at gmail.com\u003e a écrit :\n\n\u003e Hi list,\n\u003e\n\u003e I wanted to get back to a long-standing issue in Lightning: gaps in error\n\u003e attribution. I've posted about this before back in 2019 [1].\n\u003e\n\u003e Error attribution is important to properly penalize nodes after a payment\n\u003e failure occurs. The goal of the penalty is to give the next attempt a\n\u003e better chance at succeeding. In the happy failure flow, the sender is able\n\u003e to determine the origin of the failure and penalizes a single node or pair\n\u003e of nodes.\n\u003e\n\u003e Unfortunately it is possible for nodes on the route to hide themselves. If\n\u003e they return random data as the failure message, the sender won't know where\n\u003e the failure happened. Some senders then penalize all nodes that were part\n\u003e of the route [4][5]. This may exclude perfectly reliable nodes from being\n\u003e used for future payments. Other senders penalize no nodes at all [6][7],\n\u003e which allows the offending node to keep the disruption going.\n\u003e\n\u003e A special case of this is a final node sending back random data. Senders\n\u003e that penalize all nodes will keep looking for alternative routes. But\n\u003e because each alternative route still ends with that same final node, the\n\u003e sender will ultimately penalize all of its peers and possibly a lot of the\n\u003e rest of the network too.\n\u003e\n\u003e I can think of various reasons for exploiting this weakness. One is just\n\u003e plain grievance for whatever reason. Another one is to attract more traffic\n\u003e by getting competing routing nodes penalized. Or the goal could be to\n\u003e sufficiently mess up reputation tracking of a specific sender node to make\n\u003e it hard for that node to make further payments.\n\u003e\n\u003e Related to this are delays in the path. A node can delay propagating back\n\u003e a failure message and the sender won't be able to determine which node did\n\u003e it.\n\u003e\n\u003e The link at the top of this post [1] describes a way to address both\n\u003e unreadable failure messages as well as delays by letting each node on the\n\u003e route append a timestamp and hmac to the failure message. The great\n\u003e challenge is to do this in such a way that nodes don’t learn their position\n\u003e in the path.\n\u003e\n\u003e I'm revisiting this idea, and have prototyped various ways to implement\n\u003e it. In the remainder of this post, I will describe the variant that I\n\u003e thought works best (so far).\n\u003e\n\u003e # Failure message format\n\u003e\n\u003e The basic idea of the new format is to let each node (not just the error\n\u003e source) commit to the failure message when it passes it back by adding an\n\u003e hmac. The sender verifies all hmacs upon receipt of the failure message.\n\u003e This makes it impossible for any of the nodes to modify the failure message\n\u003e without revealing that they might have played a part in the modification.\n\u003e It won’t be possible for the sender to pinpoint an exact node, because\n\u003e either end of a communication channel may have modified the message.\n\u003e Pinpointing a pair of nodes however is good enough, and is commonly done\n\u003e for regular onion failures too.\n\u003e\n\u003e On the highest level, the new failure message consists of three parts:\n\u003e\n\u003e `message` (var len) | `payloads` (fixed len) | `hmacs` (fixed len)\n\u003e\n\u003e * `message` is the standard onion failure message as described in [2], but\n\u003e without the hmac. The hmac is now part of `hmacs` and doesn't need to be\n\u003e repeated.\n\u003e\n\u003e * `payloads` is a fixed length array that contains space for each node\n\u003e (`hop_payload`) on the route to add data to return to the sender. Ideally\n\u003e the contents and size of `hop_payload` is signaled so that future\n\u003e extensions don’t require all nodes to upgrade. For now, we’ll assume the\n\u003e following 9-byte format:\n\u003e\n\u003e `is_final` (1 byte) | `duration` (8 bytes)\n\u003e\n\u003e `is_final` indicates whether this node is the failure source. The sender\n\u003e uses `is_final` to determine when to stop the decryption/verification\n\u003e process.\n\u003e\n\u003e `duration` is the time in milliseconds that the node held the htlc. By\n\u003e observing the series of reported durations, the sender is able to pinpoint\n\u003e a delay down to a pair of nodes.\n\u003e\n\u003e The `hop_payload` is repeated 27 times (the maximum route length).\n\u003e\n\u003e Every hop shifts `payloads` 9 bytes to the right and puts its own\n\u003e `hop_payload` in the 9 left-most bytes.\n\u003e\n\u003e * `hmacs` is a fixed length array where nodes add their hmacs as the\n\u003e failure message travels back to the sender.\n\u003e\n\u003e To keep things simple, I'll describe the format as if the maximum route\n\u003e length was only three hops (instead of 27):\n\u003e\n\u003e `hmac_0_2` | `hmac_0_1`| `hmac_0_0`| `hmac_1_1`| `hmac_1_0`| `hmac_2_0`\n\u003e\n\u003e Because nodes don't know their position in the path, it's unclear to\n\u003e them what part of the failure message they are supposed to include in the\n\u003e hmac. They can't just include everything, because if part of that data is\n\u003e deleted later (to keep the message size fixed) it opens up the possibility\n\u003e for nodes to blame others.\n\u003e\n\u003e The solution here is to provide hmacs for all possible positions. The\n\u003e last node that updated `hmacs` added `hmac_0_2`, `hmac_0_1` and `hmac_0_0`\n\u003e to the block. Each hmac corresponds to a presumed position in the path,\n\u003e where `hmac_0_2` is for the longest path (2 downstream hops) and `hmac_0_0`\n\u003e for the shortest (node is the error source).\n\u003e\n\u003e `hmac_x_y` is the hmac added by node x (counted from the node that is\n\u003e currently handling the failure message) assuming that this node is y hops\n\u003e away from the final node.\n\u003e\n\u003e Before an hop adds its hmacs, it first deletes some of the previous hmacs.\n\u003e This keeps the failure message at a fixed length. The removed hmacs are the\n\u003e ones that cannot be useful anymore. If node 0 adds itself, the former node\n\u003e 0 (now node 1) cannot be at the first position anymore. The former node 1\n\u003e (now node 2) cannot be at the second position anymore. The former node 2\n\u003e cannot be the source of the error anymore and isn’t represented in the\n\u003e failure message any longer. The corresponding hmacs (the now non-existent\n\u003e `hmac_0_2`, `hmac_1_1` and `hmac_2_0`) are deleted by node 0.\n\u003e\n\u003e Deleting the useless data reduces the number of hmacs (and roughly the\n\u003e total failure message size) to half.\n\u003e\n\u003e The delete operation transform the fields above to:\n\u003e\n\u003e \u003cempty\u003e | \u003cempty\u003e | \u003cempty\u003e | `hmac_0_1`| `hmac_0_0`| `hmac_1_0`\n\u003e\n\u003e The exact data that is included in each hmac is:\n\u003e * `message`\n\u003e * the node’s own `hop_payload` and a set of downstream `hop_payload`s,\n\u003e depending on assumed position\n\u003e * a set of downstream node hmacs, depending on assumed position\n\u003e\n\u003e For example `hmac_0_1` is based on:\n\u003e\n\u003e `message` | `hop_payload[0]` | `hop_payload[1]` | `hmac_1_0`\n\u003e\n\u003e If the node that is currently handling the failure message is one hop away\n\u003e from the final node, it needs to cover its own `hop_payload[0]`, the final\n\u003e node `hop_payload[1]` and the final node hmac `hmac_1_0`.\n\u003e\n\u003e A longer path is committed to in `hmac_0_2`:\n\u003e\n\u003e `message` | `hop_payload[0]` | `hop_payload[1]` | `hop_payload[2]` |\n\u003e `hmac_1_1` | `hmac_2_0`\n\u003e\n\u003e The current node is two hops away from the final node. It needs to cover\n\u003e its own `hop_payload[0]` as well as `hop_payload[1]` and `hop_payload[2]`\n\u003e for the next and final hops. Additionally it covers the next hop `hmac_1_1`\n\u003e and final hop `hmac_2_0`, which correspond to the positions of those nodes\n\u003e in the path that is assumed for `hmac_0_2`.\n\u003e\n\u003e With this information, the sender is able to verify the longest chain of\n\u003e hmacs until it encounters a `hop_payload` with `is_final` set.\n\u003e\n\u003e If any of the nodes messes with any byte in the failure message, the\n\u003e sender is always able to determine a pair of nodes that the offending node\n\u003e is part of. This statement can be verified through reasoning, but to be\n\u003e sure I also tested it with code. I’ve simulated a malicious node that\n\u003e modifies a byte of the failure message at index x and observed the error\n\u003e source as determined by the sender. For every x, the sender reports the\n\u003e same correct pair.\n\u003e\n\u003e # Size\n\u003e\n\u003e The obvious downside of the scheme above is the size. Given a maximum of\n\u003e 27 hops, the `hmacs` block contains 27+26+25+...+1=378 hmacs of 32 bytes\n\u003e each. This makes for a total size of 12 KB.\n\u003e\n\u003e It could be the case though that it is not possible to devise a more\n\u003e compact scheme that also preserves the existing privacy guarantees. I know\n\u003e that smart people have spent time on this problem, but nonetheless no\n\u003e better solution has come up in the past years. A proof of its non-existence\n\u003e would be interesting for sure.\n\u003e\n\u003e I personally think the size increase is justified to fix this\n\u003e vulnerability in Lightning. Also if failures are expected to become more\n\u003e rare going forward, size becomes less relevant to the overall operation of\n\u003e the network.\n\u003e\n\u003e Another option is to reduce the maximum number of hops. It is questionable\n\u003e whether 27 hops are really needed in practice, and such long routes also\n\u003e contribute to latency and capital lock up. If for example the new failure\n\u003e message could only be used with routes up to 10 hops, the total number of\n\u003e hmacs would drop from 378 to 55. This makes for a total message size of\n\u003e about 2 KB.\n\u003e\n\u003e # Signaling\n\u003e\n\u003e For backwards compatibility nodes need to know what algorithm they should\n\u003e run to generate or transform the failure message. This can be signaled by\n\u003e the sender via a tlv onion field. A failure message format signaling\n\u003e mechanism is also discussed in the context of long failure messages [3].\n\u003e The failure message described in this post could be just another version.\n\u003e\n\u003e Additionally, intermediate nodes need to advertise their capability to\n\u003e transform the new format through a feature bit.\n\u003e\n\u003e # Delayed successes\n\u003e\n\u003e It’s not just failures that can be delayed. Successes can too. In that\n\u003e case, there is no failure message to improve. It could be an option to add\n\u003e the same `payloads` and `hmacs` blocks to the `update_fulfill_htlc` message.\n\u003e\n\u003e [1]\n\u003e https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-June/002015.html\n\u003e [2]\n\u003e https://github.com/lightning/bolts/blob/master/04-onion-routing.md#returning-errors\n\u003e [3] https://github.com/lightning/bolts/pull/1021\n\u003e [4]\n\u003e https://github.com/lightningnetwork/lnd/blob/4fbd608b734f348d7e79fbfc7feaecc5c6c33a90/routing/result_interpretation.go#L419\n\u003e [5]\n\u003e\n\u003e https://github.com/ACINQ/eclair/blob/a0433aa0c027c9be618c5afe18e7f91642a7f372/eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentEvents.scala#L221\n\u003e [6]\n\u003e https://github.com/ElementsProject/lightning/blob/62bfed9a8df8731be44ba4e86afb08a5d28a4442/plugins/libplugin-pay.c#L1461\n\u003e [7]\n\u003e https://github.com/lightningdevkit/rust-lightning/blob/e61f3a238a70cbac87209e223b7c396108a49b97/lightning-invoice/src/payment.rs#L682\n\u003e\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20221020/fd913402/attachment.html\u003e",
"sig": "814d8432b1c21f695848a22efecc92e44d9330b12bee930264789d7f7ae2d84a67196663b7aaaf0a2a646f4627681909fc73eaf6877c42c69d2ac87c021938c1"
}