đź“… Original date posted:2018-12-06
đź“ť Original message:
Corné Plooy <corne at bitonic.nl> writes:
>> The total_decorrelation_secrets serves as the payer-generated shared
>> secret between payer and payee. B cannot learn this, and thus cannot
>> fake its own secret. Even if it instead offers ((I + K[A]) + k[z] *
>> G) for a new secret k[z], it cannot know how to change
>> total_decorrelation_secrets from k[a] + k[b] to k[a] + k[z] instead.
>>
> The way things are now, the ephemeral key generation and the payment
> hash/preimage generation are completely unrelated. This is what allows
> an attacker to use the same payment hash, and use his own ephemeral key
> pair to create a new onion packet around it.
That is correct, one is generated by the recipient (secret and preimage)
and the other one is generated by the sender (ephemeral key). Mixing the
two seems very unwise, since the sender has very little control over
what the effective ephemeral key that is going to be used for the last
hop. This is the same issue that we have with rendez-vous routing, i.e.,
that if we require the ephemeral key to be something specific at a given
node we'd be breaking the hardness assumption of for the ephemeral key
rotation.
> Primarily, path decorrelation replaces the payment hash/preimage part.
> Maybe I still don't understand something, but if that's the only thing
> (without changing the ephemeral key / onion shared secret generation),
> attacking the direct neighbor should still work; in your case, B would
> still offer ((I + K[A]) + K[B]) to C, with an onion packet B created
> himself. I'm not familiar enough with the path correlation to understand
> what happens after step 6, but for C it looks the same, so she should do
> the same.
>
>
> I do see that, if you couple the "H"TLC payment secret generation to the
> onion shared secret generation, you can make the attack impossible. Do I
> understand correctly that this is the idea? After all, C still needs to
> receive k somehow; my crypto math isn't that good, but my intuitive
> guess is that i + k is the secret that allows C to claim funds locked in
> ((I + K[A]) + K[B]) =? (i + (k[a] + k[b])) * G. If k is submitted from A
> to C through some mechanism that replaces the current ephemeral key
> system, then I understand what you're at.
I can't quite follow where we would be mixing in the ephemeral key here,
could you elaborate on that?
> Assuming this is the case, it's pretty neat. I do wonder how it
> interacts with rendezvous routing. If the sender and receiver each
> create the k[..] values for their own part of the route, can the
> receiver-generated onion packet still use points of the form ((I + K[A])
> + K[B]), including K[..] values related to the sender side? I need to
> dig deeper into this path decorrelation idea.
Since we have very little control over what ephemeral key will actually
be presented to the last hop if we have a multi-hop route, we can't
really hide any information in the ephemeral key itself. What we could
do is change the way the last hop generates the shared secret from it,
i.e., have a last hop mode and a forwarding hop mode, and mix in the
payment secret somehow, but I can't think of a good way to do that, and
it seems contorted. Let's just have the sender prove knowledge of the
original invoice by adding a TLV field with a shared secret from the
invoice instead.
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:53:21
in reply to nevent1q…jf82
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:53:21Event JSON
{
"id": "814d4f17d735a65fd8746b9d038df0fad12a9ba406bd564520982c9dac096279",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315201,
"kind": 1,
"tags": [
[
"e",
"2fcb445dd574564835b2068c030ba4e556383d5b915eb5763f6fba62ac8aa302",
"",
"root"
],
[
"e",
"d4f91a513e1fc851a4b68d394a6a67c1f5c003c0c98a27e561c06bbeeae3535a",
"",
"reply"
],
[
"p",
"f928c1a284fddb630ed23aab2bfe69811423a59f41dd8c3e40c57b916fbadf65"
]
],
"content": "📅 Original date posted:2018-12-06\n📝 Original message:\nCorné Plooy \u003ccorne at bitonic.nl\u003e writes:\n\n\u003e\u003e The total_decorrelation_secrets serves as the payer-generated shared\n\u003e\u003e secret between payer and payee. B cannot learn this, and thus cannot\n\u003e\u003e fake its own secret. Even if it instead offers ((I + K[A]) + k[z] *\n\u003e\u003e G) for a new secret k[z], it cannot know how to change\n\u003e\u003e total_decorrelation_secrets from k[a] + k[b] to k[a] + k[z] instead.\n\u003e\u003e\n\u003e The way things are now, the ephemeral key generation and the payment\n\u003e hash/preimage generation are completely unrelated. This is what allows\n\u003e an attacker to use the same payment hash, and use his own ephemeral key\n\u003e pair to create a new onion packet around it.\n\nThat is correct, one is generated by the recipient (secret and preimage)\nand the other one is generated by the sender (ephemeral key). Mixing the\ntwo seems very unwise, since the sender has very little control over\nwhat the effective ephemeral key that is going to be used for the last\nhop. This is the same issue that we have with rendez-vous routing, i.e.,\nthat if we require the ephemeral key to be something specific at a given\nnode we'd be breaking the hardness assumption of for the ephemeral key\nrotation.\n\n\u003e Primarily, path decorrelation replaces the payment hash/preimage part.\n\u003e Maybe I still don't understand something, but if that's the only thing\n\u003e (without changing the ephemeral key / onion shared secret generation),\n\u003e attacking the direct neighbor should still work; in your case, B would\n\u003e still offer ((I + K[A]) + K[B]) to C, with an onion packet B created\n\u003e himself. I'm not familiar enough with the path correlation to understand\n\u003e what happens after step 6, but for C it looks the same, so she should do\n\u003e the same.\n\u003e\n\u003e\n\u003e I do see that, if you couple the \"H\"TLC payment secret generation to the\n\u003e onion shared secret generation, you can make the attack impossible. Do I\n\u003e understand correctly that this is the idea? After all, C still needs to\n\u003e receive k somehow; my crypto math isn't that good, but my intuitive\n\u003e guess is that i + k is the secret that allows C to claim funds locked in\n\u003e ((I + K[A]) + K[B]) =? (i + (k[a] + k[b])) * G. If k is submitted from A\n\u003e to C through some mechanism that replaces the current ephemeral key\n\u003e system, then I understand what you're at.\n\nI can't quite follow where we would be mixing in the ephemeral key here,\ncould you elaborate on that?\n\n\u003e Assuming this is the case, it's pretty neat. I do wonder how it\n\u003e interacts with rendezvous routing. If the sender and receiver each\n\u003e create the k[..] values for their own part of the route, can the\n\u003e receiver-generated onion packet still use points of the form ((I + K[A])\n\u003e + K[B]), including K[..] values related to the sender side? I need to\n\u003e dig deeper into this path decorrelation idea.\n\nSince we have very little control over what ephemeral key will actually\nbe presented to the last hop if we have a multi-hop route, we can't\nreally hide any information in the ephemeral key itself. What we could\ndo is change the way the last hop generates the shared secret from it,\ni.e., have a last hop mode and a forwarding hop mode, and mix in the\npayment secret somehow, but I can't think of a good way to do that, and\nit seems contorted. Let's just have the sender prove knowledge of the\noriginal invoice by adding a TLV field with a shared secret from the\ninvoice instead.\n\nCheers,\nChristian",
"sig": "dcc47a7fb6f4c02a11ab4fb9d8099a917ba4b1a2774e494f724e2b9bc9eff094c2f91c1960dccf8450bf611eb8067e27cda1a9fc67f81a6682726646a8495b68"
}