📅 Original date posted:2020-02-10
📝 Original message:
Bastien TEINTURIER <bastien at acinq.fr> writes:
>> But Mallory can do the same attack, I think. Just include the P_I from
>> the wrong invoice for Bob.
>
> Good catch, that's true, thanks for keeping me honest there! In that case
> my proposal
> would need the same mitigation as yours, Bob will need to include the
> `scid` he received
> in `update_add_htlc` (this is in fact not that hard once we allow TLV
> extensions on every
> message).
Yes, I've added this to the PR. Which gives a new validation path, I
think:
## Figuring out what nodeid to use to decode onion
1. Look up scid from HTLC; if it didn't include one, use default.
2. Look up payment_hash; if no invoice is found, use default.
3. If invoice specified this scid, get nodeid and use that.
4. ... and refuse to forward the HTLC (it must terminate here).
My plan is to add an argument to `invoice` which is an array of one or
more scids: we get a temporary scids for each peer and use them in the
routehints. We also assign a random temporary nodeid to that invoice.
The above algo is designed to ensure we behave like any other node which
has no idea about this nodeid if Mallory:
1. tries to use a temporary node id on a normal channel to us.
2. tries to pay another invoice using this temporary node id.
3. tries to probe our outgoing channels using this routing hint
(I think we should probably ban forwarding to private channels,
too, for similar reasons).
---
Note that with any self-assigned SCID schemes, Alice has to respond to
unknown scids in update_add_htlc with some BADONION code (which makes
*Bob* give Carol an error response, since Alice can't without revealing
her identity).
With Bob-assigned SCIDs, Alice simply needs to make him unallocate
it before forgetting the invoice, so she will simply never see old
invoices.
(All these schemes give limited privacy, of course: Bob knows who Alice
is, and fingerprinting and liveness attacks are always possible).
> I'm extremely nervous about custodial lightning services restricting
>> what they will pay to. This is not theoretical: they will come under
>> immense KYC pressure in the near future, which means they cannot pay
>> arbitrary invoices.
1>>
>
> That's a very good point, thanks for raising this. However I believe that
> there are (and will be) enough
> non-custodial wallets to let motivated users pay whatever they want. Users
> can even run their own
> node to pay such invoices if needed.
Not if ln_strike (no, the other one!) is the future.
> If you are using a custodial wallet and KYC pressure kicks in, then
> regardless of that feature law may
> require users to completely reveal who they are paying, so even normal
> payments wouldn't protect
> them, don't you think? Regulation could for example disallow paying via
> unannounced channels entirely
> (or require you to show the funding tx associated to your unannounced
> channel).
Actually, as long as the same method is required for both normal private
channels (which will all use non-tx-based short_channel_ids in the near
future I hope!), I don't really mind. I expect such payments to become
significant, and as long as paying to a temporary id and paying to a
private channel looks identical, it's too draconian to ban. A business
would probably meet any KYC requirements by simply asking the user
(perhaps over a certain amount, etc).
(I've put my implementation on hold for a moment while I'm supposed to
be releasing 0.8.1-rc1 RSN!)
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:58:35
in reply to nevent1q…f7uc
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:58:35Event JSON
{
"id": "37eafd48ef1e45a4582e504ede89c8d8ed3f43b2165a9f8553c9627b1d5f8076",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315515,
"kind": 1,
"tags": [
[
"e",
"3ed35742512a6038c8a47910d5915af4fefd8766015db6ab01e4ef19d4ac6fff",
"",
"root"
],
[
"e",
"4e66dbb5de584f99a187d7fabf2bc36090e0054ba5f0a0075d98be0f7597957f",
"",
"reply"
],
[
"p",
"f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb"
]
],
"content": "📅 Original date posted:2020-02-10\n📝 Original message:\nBastien TEINTURIER \u003cbastien at acinq.fr\u003e writes:\n\u003e\u003e But Mallory can do the same attack, I think. Just include the P_I from\n\u003e\u003e the wrong invoice for Bob.\n\u003e\n\u003e Good catch, that's true, thanks for keeping me honest there! In that case\n\u003e my proposal\n\u003e would need the same mitigation as yours, Bob will need to include the\n\u003e `scid` he received\n\u003e in `update_add_htlc` (this is in fact not that hard once we allow TLV\n\u003e extensions on every\n\u003e message).\n\nYes, I've added this to the PR. Which gives a new validation path, I\nthink:\n\n## Figuring out what nodeid to use to decode onion\n\n1. Look up scid from HTLC; if it didn't include one, use default.\n2. Look up payment_hash; if no invoice is found, use default.\n3. If invoice specified this scid, get nodeid and use that.\n4. ... and refuse to forward the HTLC (it must terminate here).\n\nMy plan is to add an argument to `invoice` which is an array of one or\nmore scids: we get a temporary scids for each peer and use them in the\nroutehints. We also assign a random temporary nodeid to that invoice.\n\nThe above algo is designed to ensure we behave like any other node which\nhas no idea about this nodeid if Mallory:\n\n1. tries to use a temporary node id on a normal channel to us.\n2. tries to pay another invoice using this temporary node id.\n3. tries to probe our outgoing channels using this routing hint\n (I think we should probably ban forwarding to private channels,\n too, for similar reasons).\n\n---\n\nNote that with any self-assigned SCID schemes, Alice has to respond to\nunknown scids in update_add_htlc with some BADONION code (which makes\n*Bob* give Carol an error response, since Alice can't without revealing\nher identity).\n\nWith Bob-assigned SCIDs, Alice simply needs to make him unallocate\nit before forgetting the invoice, so she will simply never see old\ninvoices.\n\n(All these schemes give limited privacy, of course: Bob knows who Alice\nis, and fingerprinting and liveness attacks are always possible).\n\n\u003e I'm extremely nervous about custodial lightning services restricting\n\u003e\u003e what they will pay to. This is not theoretical: they will come under\n\u003e\u003e immense KYC pressure in the near future, which means they cannot pay\n\u003e\u003e arbitrary invoices.\n1\u003e\u003e\n\u003e\n\u003e That's a very good point, thanks for raising this. However I believe that\n\u003e there are (and will be) enough\n\u003e non-custodial wallets to let motivated users pay whatever they want. Users\n\u003e can even run their own\n\u003e node to pay such invoices if needed.\n\nNot if ln_strike (no, the other one!) is the future.\n\n\u003e If you are using a custodial wallet and KYC pressure kicks in, then\n\u003e regardless of that feature law may\n\u003e require users to completely reveal who they are paying, so even normal\n\u003e payments wouldn't protect\n\u003e them, don't you think? Regulation could for example disallow paying via\n\u003e unannounced channels entirely\n\u003e (or require you to show the funding tx associated to your unannounced\n\u003e channel).\n\nActually, as long as the same method is required for both normal private\nchannels (which will all use non-tx-based short_channel_ids in the near\nfuture I hope!), I don't really mind. I expect such payments to become\nsignificant, and as long as paying to a temporary id and paying to a\nprivate channel looks identical, it's too draconian to ban. A business\nwould probably meet any KYC requirements by simply asking the user\n(perhaps over a certain amount, etc).\n\n(I've put my implementation on hold for a moment while I'm supposed to\nbe releasing 0.8.1-rc1 RSN!)\n\nCheers,\nRusty.",
"sig": "06b4f099f9ee22242b03acd18c0aaf64ce0d81f5e463b18d238871afabc56f093f20bed460e6e50452577a8be37cbf1724438ed15cacebac41f05454c6c73544"
}