๐
Original date posted:2016-08-04
๐ Original message:
> I'm going back and forth about including the payloads in the header HMAC.
I
> think we have three options here:
>
> 1) Include the payload in the header HMAC computation
I'd say personally, I prefer the first option. This results in "fail fast"
behavior w.r.t packet forwarding, and additionally adds the smallest
overhead.
> we also lose the ability to do anonymous rendezvous meetings, where the
final
> recipient provides half of the route in the form of a precompiled header
> (something that Hornet is using).
It doesn't appear that we loose the ability to do rendezvous routing if we
follow through with the first option. The final recipient can still provide
a
precompiled header which is the e2e payload sent from the source to the
rendezvous node. As the source knows the exact nested mix-header when
sending,
it can still be protected under the mix-header wide MAC.
Additionally, in order to hide the next-hop after the rendezvous node from
the
source node, the destination can wrap the nested header in a layer of
encryption, decryptable only by the rendezvous node.
> Both the per-hop checkable schemes, combined with nodes signing the
packets
> they forward, would give us the ability to identify misbehaving nodes and
> denounce them: if we receive a packet we check the integrity and if it
doesn't
> match then we can prove to others that the node forwarded something broken
> with its signature, or it did not check the packet itself.
Great observation. However, it seems like this is currently out of scope
(the
implications of "denouncing" a node") and should be re-visited at a future
time
when we brainstorm some sort of "reputation" scheme.
> There is a tradeoff between small packets and keeping the size uniform. I
think
> we could bucketize sizes, e.g., have multiples of 32 bytes or 64 bytes
for the
> fields, to have packets with similar sized payloads have the same packet
size.
> That would allow us to also drop the e2e payload by setting a size of 0,
and
> still be able to forward it, should we ever find a use for it.
Good point, we may have uses for non-uniform sizes as far as mix-headers in
the
future. So with this, then it appears there may be 3 types of mix-header
formats:
1. Regular. Meaning no e2e payload, weighing in at 1234 bytes.
2. Extended. Meaning bearing the e2e payload with a size of 2468 bytes.
3. Rendezvous. Which nests another mix-header within the end-to-end
payload,
with a size which is double that of the regular.
If we like this taxonomy, then we may want to reserve the first 2 version
bytes
within the draft. A version 0 packet would encompass processing the first
two
types, while a version 1 packet denotes that this is a rendezvous packet.
The
rendezvous case needs to be distinct as it modifies the
processing/forwarding
at the final hop.
Alternatively, we can use solely a version of 0 in the initial spec, with
the
final hop checking if the [1:34] bytes of the payload (if one is present)
are a
point on the curve. If so, this triggers the rendezvous forwarding, with
the
mid-point node processing the packet again as normal, completing the
rendezvous
route.
> We have to be careful when using timestamps in the packet as it makes
individual hops collatable.
Excellent observation. Assuming we roll out a reasonably efficient solution
for
the collatable HTLC R-values across hops, naively selecting timestamps would
present another correlation vector.
> So my proposal would be to include a timestamp rounded up to the closest
hour
> and have a sliding window of accepted timestamps of +/- 1 hour,
remembering the
> secrets for that period and rejecting anything that is too far in the
future or
> too far in the past.
This seems reasonable, also the size of the sliding window can easily be
tuned
in the future should we find it too large or small.
> The more coarse the bigger the less likely an attacker is to guess which
> packets belong to the same route, but the more storage is required on the
> node's side.
Yep, there's a clear trade off between the window size of the accepted
timestamps, and a node's storage overhead. We can tune this value to a
ballpark
estimate of the number of HTLCs/sec a large node with high frequency
bi-directional throughput may forward at peak times.
Let's say a HFB (High-Frequency Bitcoin) node on the network at peak
forwards
5k HTLC's per second: (5000/sec * 32 bytes) * 3600 sec = 576MB, if nodes are
required to wait 1 hour between log prunings, and 288MB if we use a
30-minute
interval. Even with such a high throughput value, that seems reasonable.
> We could just use the announced key, i.e., the one that participated in
the
> channel setup, as a root key for HD key derivation. The derivation path
could
> then be based on floor(blockheight / 144) so that we rotate keys every
day, and
> don't need any additional communication to announce new public keys.
Great suggestion! However, I think instead of directly using the key which
participated in the channel setup, we'd use a new independent key as the
root
for this HD onion derivation. This new independent key would then be
authenticated via a signature of a schnorr multi-sign of the channel
multi-sig
key and the node's identity key (or alternatively two sigs). This safeguards
against the compromise of one of the derived private keys leading to
compromise
of the master root HD priv key which would allow possibly stealing a node's
coins. Additionally, a node can switch keys more easily, avoiding a channel
tear down.
However, the HD Onion Key approach can potentially cancel out the forward
secrecy benefits. If an attacker gains access to the root HD pubkey, along
with
any of the child derived onion keys, then they can compute the root privkey.
This allows the attacker to derive all the child priv keys, giving them the
ability to decrypt all mix-headers encrypted since the HD Onion Key was
published.
I think we can patch this exploit by adding some precomputation for each
node,
and introducing an intermediate onion derivation point. Assuming we rotate
every 144+ (1 day) blocks, then using the HD Onion PrivKey, each node
pre-generates 365 (or a smaller batch size) keys. Then, generates an
independent "onion derivation" key. The OD key then combined with each of
the
child onion keys, produces the final child onion key (C_i = final onion key,
B_i = intermediate child key, A = OD):
* C_i = B_i + A
After the precomputation, the OD key (A) should be *destroyed*. If so, even
if
an attacker gains access to one of the intermediate child onion keys,
they're
unable to derive the final child onion key as the OD key has been destroyed.
This safeguards the forward secrecy of the scheme in the face of the HD
root+child exploit. As before, in the case of a root/child compromise the
original node can simply authenticate a new HD Onion Key.
So perhaps we can combine the two approaches, publishing a blockhash (buried
under a "safe" re-org depth), along with an authenticated HD root pubkey.
With
this new scheme we're able to push key rotation out to the edges in a
non-interactive manner. Having the blockhash as an anchor will reduce the
amount of guessing required by a node to fetch the correct onion key.
> I'm also trying to figure out how to enable intermediate nodes to reply
to a
> packet, e.g., if capacities are insufficient or the next node is
unreachable,
> by recycling the routing info.
Yeah I've also attempted to tackle this issue a bit myself. The inclusion of
onion routing certainly makes certain classes of failures harder to
reconcile.
There has been a bit of discussion of this in the past, at the time called
"unrolling the onion". In a similar vein it's also more difficult to
ascribe blame node's which directly cause a payment to fail.
One of my naive ideas was to include a "backwards" mix-header within each
node's per-hop payload (though I hadn't included the per-hop payload in my
mental model at the time), however this would result in a quadratic blow up
space complexity parametrized by our max-hop limit. Essentially, we'd
include
a SURB within the mix-header for each hop in the route.
> Maybe we could continue blinding the ephemeral key on the return path, and
> have a mechanism to tell the node the total blinding factor along the
path so
> that it can encrypt something in the routing info for the return path?
That
> would neatly combine Hornet and Sphinx, eliminating the initial roundtrip
to
> setup forwarding segments.
Could you elaborate on this a bit more? It seems that this alone is
insufficient to allow "backwards" replies to the source w/o revealing the
source's identity.
It seems the primary question is: how can we re-use the information present
at
a hop, post-processing to reply to the sender without an additional round
trip?
If we can solve this, then we can greatly increase the robustness of onion
routing within the network. I think they may be worth spinning some cycles
on,
although I don't consider it blocking w.r.t the initial specification.
-- Laolu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160804/30f33520/attachment.html>;
Olaoluwa Osuntokun [ARCHIVE] /
npub19hโฆzkvn4
2023-06-09 12:46:29
in reply to nevent1qโฆtjst
Author Public Key
npub19helcfnqgk2jrwzjex2aflq6jwfc8zd9uzzkwlgwhve7lykv23mq5zkvn4Published at
2023-06-09 12:46:29Event JSON
{
"id": "1f2d5728a9d7ae9b1e99860ef96ab2918507848909d9f7bb25d3836c3a1056d7",
"pubkey": "2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476",
"created_at": 1686314789,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"root"
],
[
"e",
"b02a1fa11a73ce4c5951156fb4c4a998db783e62d1cea3ade8553da8f11b00a8",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "๐
Original date posted:2016-08-04\n๐ Original message:\n\u003e I'm going back and forth about including the payloads in the header HMAC.\nI\n\u003e think we have three options here:\n\u003e\n\u003e 1) Include the payload in the header HMAC computation\n\nI'd say personally, I prefer the first option. This results in \"fail fast\"\nbehavior w.r.t packet forwarding, and additionally adds the smallest\noverhead.\n\n\u003e we also lose the ability to do anonymous rendezvous meetings, where the\nfinal\n\u003e recipient provides half of the route in the form of a precompiled header\n\u003e (something that Hornet is using).\n\nIt doesn't appear that we loose the ability to do rendezvous routing if we\nfollow through with the first option. The final recipient can still provide\na\nprecompiled header which is the e2e payload sent from the source to the\nrendezvous node. As the source knows the exact nested mix-header when\nsending,\nit can still be protected under the mix-header wide MAC.\n\nAdditionally, in order to hide the next-hop after the rendezvous node from\nthe\nsource node, the destination can wrap the nested header in a layer of\nencryption, decryptable only by the rendezvous node.\n\n\u003e Both the per-hop checkable schemes, combined with nodes signing the\npackets\n\u003e they forward, would give us the ability to identify misbehaving nodes and\n\u003e denounce them: if we receive a packet we check the integrity and if it\ndoesn't\n\u003e match then we can prove to others that the node forwarded something broken\n\u003e with its signature, or it did not check the packet itself.\n\nGreat observation. However, it seems like this is currently out of scope\n(the\nimplications of \"denouncing\" a node\") and should be re-visited at a future\ntime\nwhen we brainstorm some sort of \"reputation\" scheme.\n\n\u003e There is a tradeoff between small packets and keeping the size uniform. I\nthink\n\u003e we could bucketize sizes, e.g., have multiples of 32 bytes or 64 bytes\nfor the\n\u003e fields, to have packets with similar sized payloads have the same packet\nsize.\n\u003e That would allow us to also drop the e2e payload by setting a size of 0,\nand\n\u003e still be able to forward it, should we ever find a use for it.\n\nGood point, we may have uses for non-uniform sizes as far as mix-headers in\nthe\nfuture. So with this, then it appears there may be 3 types of mix-header\nformats:\n 1. Regular. Meaning no e2e payload, weighing in at 1234 bytes.\n 2. Extended. Meaning bearing the e2e payload with a size of 2468 bytes.\n 3. Rendezvous. Which nests another mix-header within the end-to-end\npayload,\n with a size which is double that of the regular.\n\nIf we like this taxonomy, then we may want to reserve the first 2 version\nbytes\nwithin the draft. A version 0 packet would encompass processing the first\ntwo\ntypes, while a version 1 packet denotes that this is a rendezvous packet.\nThe\nrendezvous case needs to be distinct as it modifies the\nprocessing/forwarding\nat the final hop.\n\nAlternatively, we can use solely a version of 0 in the initial spec, with\nthe\nfinal hop checking if the [1:34] bytes of the payload (if one is present)\nare a\npoint on the curve. If so, this triggers the rendezvous forwarding, with\nthe\nmid-point node processing the packet again as normal, completing the\nrendezvous\nroute.\n\n\u003e We have to be careful when using timestamps in the packet as it makes\nindividual hops collatable.\n\nExcellent observation. Assuming we roll out a reasonably efficient solution\nfor\nthe collatable HTLC R-values across hops, naively selecting timestamps would\npresent another correlation vector.\n\n\u003e So my proposal would be to include a timestamp rounded up to the closest\nhour\n\u003e and have a sliding window of accepted timestamps of +/- 1 hour,\nremembering the\n\u003e secrets for that period and rejecting anything that is too far in the\nfuture or\n\u003e too far in the past.\n\nThis seems reasonable, also the size of the sliding window can easily be\ntuned\nin the future should we find it too large or small.\n\n\u003e The more coarse the bigger the less likely an attacker is to guess which\n\u003e packets belong to the same route, but the more storage is required on the\n\u003e node's side.\n\nYep, there's a clear trade off between the window size of the accepted\ntimestamps, and a node's storage overhead. We can tune this value to a\nballpark\nestimate of the number of HTLCs/sec a large node with high frequency\nbi-directional throughput may forward at peak times.\n\nLet's say a HFB (High-Frequency Bitcoin) node on the network at peak\nforwards\n5k HTLC's per second: (5000/sec * 32 bytes) * 3600 sec = 576MB, if nodes are\nrequired to wait 1 hour between log prunings, and 288MB if we use a\n30-minute\ninterval. Even with such a high throughput value, that seems reasonable.\n\n\u003e We could just use the announced key, i.e., the one that participated in\nthe\n\u003e channel setup, as a root key for HD key derivation. The derivation path\ncould\n\u003e then be based on floor(blockheight / 144) so that we rotate keys every\nday, and\n\u003e don't need any additional communication to announce new public keys.\n\nGreat suggestion! However, I think instead of directly using the key which\nparticipated in the channel setup, we'd use a new independent key as the\nroot\nfor this HD onion derivation. This new independent key would then be\nauthenticated via a signature of a schnorr multi-sign of the channel\nmulti-sig\nkey and the node's identity key (or alternatively two sigs). This safeguards\nagainst the compromise of one of the derived private keys leading to\ncompromise\nof the master root HD priv key which would allow possibly stealing a node's\ncoins. Additionally, a node can switch keys more easily, avoiding a channel\ntear down.\n\nHowever, the HD Onion Key approach can potentially cancel out the forward\nsecrecy benefits. If an attacker gains access to the root HD pubkey, along\nwith\nany of the child derived onion keys, then they can compute the root privkey.\nThis allows the attacker to derive all the child priv keys, giving them the\nability to decrypt all mix-headers encrypted since the HD Onion Key was\npublished.\n\nI think we can patch this exploit by adding some precomputation for each\nnode,\nand introducing an intermediate onion derivation point. Assuming we rotate\nevery 144+ (1 day) blocks, then using the HD Onion PrivKey, each node\npre-generates 365 (or a smaller batch size) keys. Then, generates an\nindependent \"onion derivation\" key. The OD key then combined with each of\nthe\nchild onion keys, produces the final child onion key (C_i = final onion key,\nB_i = intermediate child key, A = OD):\n * C_i = B_i + A\n\nAfter the precomputation, the OD key (A) should be *destroyed*. If so, even\nif\nan attacker gains access to one of the intermediate child onion keys,\nthey're\nunable to derive the final child onion key as the OD key has been destroyed.\nThis safeguards the forward secrecy of the scheme in the face of the HD\nroot+child exploit. As before, in the case of a root/child compromise the\noriginal node can simply authenticate a new HD Onion Key.\n\nSo perhaps we can combine the two approaches, publishing a blockhash (buried\nunder a \"safe\" re-org depth), along with an authenticated HD root pubkey.\nWith\nthis new scheme we're able to push key rotation out to the edges in a\nnon-interactive manner. Having the blockhash as an anchor will reduce the\namount of guessing required by a node to fetch the correct onion key.\n\n\u003e I'm also trying to figure out how to enable intermediate nodes to reply\nto a\n\u003e packet, e.g., if capacities are insufficient or the next node is\nunreachable,\n\u003e by recycling the routing info.\n\nYeah I've also attempted to tackle this issue a bit myself. The inclusion of\nonion routing certainly makes certain classes of failures harder to\nreconcile.\nThere has been a bit of discussion of this in the past, at the time called\n\"unrolling the onion\". In a similar vein it's also more difficult to\nascribe blame node's which directly cause a payment to fail.\n\nOne of my naive ideas was to include a \"backwards\" mix-header within each\nnode's per-hop payload (though I hadn't included the per-hop payload in my\nmental model at the time), however this would result in a quadratic blow up\nspace complexity parametrized by our max-hop limit. Essentially, we'd\ninclude\na SURB within the mix-header for each hop in the route.\n\n\u003e Maybe we could continue blinding the ephemeral key on the return path, and\n\u003e have a mechanism to tell the node the total blinding factor along the\npath so\n\u003e that it can encrypt something in the routing info for the return path?\nThat\n\u003e would neatly combine Hornet and Sphinx, eliminating the initial roundtrip\nto\n\u003e setup forwarding segments.\n\nCould you elaborate on this a bit more? It seems that this alone is\ninsufficient to allow \"backwards\" replies to the source w/o revealing the\nsource's identity.\n\nIt seems the primary question is: how can we re-use the information present\nat\na hop, post-processing to reply to the sender without an additional round\ntrip?\nIf we can solve this, then we can greatly increase the robustness of onion\nrouting within the network. I think they may be worth spinning some cycles\non,\nalthough I don't consider it blocking w.r.t the initial specification.\n\n-- Laolu\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160804/30f33520/attachment.html\u003e",
"sig": "ac934f6a5aa832742a96f7ca4ade68b1d59997eff4b67da6550e1f77bd6c73d91c5fdd813768db1d75a4c0eb1fe080011898a58f07eaee7fd69523bf100739f2"
}