📅 Original date posted:2016-09-06
📝 Original message:
Christian Decker <decker.christian at gmail.com> writes:
> On Mon, Sep 05, 2016 at 11:55:22AM +0930, Rusty Russell wrote:
>> Christian Decker <decker.christian at gmail.com> writes:
>> > I'd like to pick up the conversation about the onion routing protocol
>> > again, since we are close to merging our implementation into the
>> > lightningd node.
>> >
>> > As far as I can see we mostly agree on the spec, with some issues that
>> > should be deferred until later/to other specs:
>> >
>> > - Key-rotation policies
>>
>> OK, I've been thinking about the costs of key-rotation.
>>
>
> I forgot that we have two potential key-rotations:
>
> - Rotating the key used in transactions that hit the Bitcoin network
Oh, that's different, yes.
> - Rotating the public key used for the DH shared secret generation
> for the onion routing protocol
>
> For the moment I was concentrating on the latter.
Yes. It's the one we need to communicate through the node.
>> Change Assumptions:
>> 1) We use a "comms" key for each node instead of its ID.
>> 2) Nodes send out a new comms key, signed by ID.
>>
>> That's another 33 bytes each to keep, or 8.25MB. To rotate a comms key,
>> we need the new key (33 bytes), and a signature from the id (64 bytes),
>> and probably a timestamp, (4 bytes), that's 25.25MB.
>>
>> That's not too bad if we rotate daily. Probably not if we rotate
>> hourly..
> A node's public key used for DH shared secret generation exists
> independently of its channels. I think we probably should not bind the
> rotation of the key we use to talk to that node to one of its
> channels. However, it does make sense to require that a node also has
> at least one active channel in order for us to care at all :-)
This calculation was per-node, not per-channel.
> The comms key approach is in line with what I was thinking as well.
> We can bind the new communication key with the channel's existence by
> showing a derivation path from the node's (fixed) public key and the
> new key. So a node wanting to rotate its communication key just sends
> the following: "I am <pubkey> (33 byte), please use key <derivation
> number> (~4 byte) and here is a <signature> (64 bytes) that I signed
> this rotation off.". The communication overhead is identical to your
> proposal, but, since you send only the new key, I think in your
> proposal we'd have to churn through all known node ids to find which
> one signed the rotation, or where you also using timestamp based
> derivation?
Hmm, do we lose forward secrecy if we use a BIP32 chain? But we may be
able to use another derivation method where we derive key N from key
N-1. I'm looking at Laolu...
> Another case we could consider is having passive rotations: when an
> endpoint announces a channel's existence it also sends its rotation
> interval along. Every <rotation interval> nodes simply derive the new
> key and use that for the DH shared secret generation should they want
> to talk to this node. And nodes have a switchover window in which they
> accept both (would be necessary in the active rotation as well due to
> delays). The passive rotation incurs no communication overhead and can
> be bound to the node's channels, so as long as we believe one of its
> channels to exist, we rotate its keys.
I like the zero-comms overhead! We could in fact use block number to
rotate; key 1 is used for the first N blocks, then key 2, etc, with old
keys allowed X blocks late, new keys allowed X blocks early?
I think we should select some N for the moment, rather than making it
configurable. If it's too small it might take a long time for clients
to derive the current key: 50 usecs each step is almost half a second
for a year-old key if we rotate every 6 blocks. Rotation daily makes
that much more approachable...
> Possibly a mix of active and passive would make sense, with the active
> rotation enabling emergency rotations in case a key was compromised,
> but we're in a lot of trouble then anyway :-)
In that case, you close the channels and start a new node?
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:41
in reply to nevent1q…dpsu
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:41Event JSON
{
"id": "cf98d0fa8000077bf807590bf4946c8d96645d527e8a09265d56b873fcfe9429",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314801,
"kind": 1,
"tags": [
[
"e",
"6e65ece61bd323b60e8549dd5955ce1565ad06118112038c52f2e00d9538477b",
"",
"root"
],
[
"e",
"cbf95890ce97a72530263a056adc576024f25d9a1e835eb50d2efdae2f9edb89",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2016-09-06\n📝 Original message:\nChristian Decker \u003cdecker.christian at gmail.com\u003e writes:\n\u003e On Mon, Sep 05, 2016 at 11:55:22AM +0930, Rusty Russell wrote:\n\u003e\u003e Christian Decker \u003cdecker.christian at gmail.com\u003e writes:\n\u003e\u003e \u003e I'd like to pick up the conversation about the onion routing protocol\n\u003e\u003e \u003e again, since we are close to merging our implementation into the\n\u003e\u003e \u003e lightningd node.\n\u003e\u003e \u003e\n\u003e\u003e \u003e As far as I can see we mostly agree on the spec, with some issues that\n\u003e\u003e \u003e should be deferred until later/to other specs:\n\u003e\u003e \u003e\n\u003e\u003e \u003e - Key-rotation policies\n\u003e\u003e \n\u003e\u003e OK, I've been thinking about the costs of key-rotation.\n\u003e\u003e\n\u003e\n\u003e I forgot that we have two potential key-rotations:\n\u003e\n\u003e - Rotating the key used in transactions that hit the Bitcoin network\n\nOh, that's different, yes.\n\n\u003e - Rotating the public key used for the DH shared secret generation\n\u003e for the onion routing protocol\n\u003e\n\u003e For the moment I was concentrating on the latter.\n\nYes. It's the one we need to communicate through the node.\n\n\u003e\u003e Change Assumptions:\n\u003e\u003e 1) We use a \"comms\" key for each node instead of its ID.\n\u003e\u003e 2) Nodes send out a new comms key, signed by ID.\n\u003e\u003e \n\u003e\u003e That's another 33 bytes each to keep, or 8.25MB. To rotate a comms key,\n\u003e\u003e we need the new key (33 bytes), and a signature from the id (64 bytes),\n\u003e\u003e and probably a timestamp, (4 bytes), that's 25.25MB.\n\u003e\u003e \n\u003e\u003e That's not too bad if we rotate daily. Probably not if we rotate\n\u003e\u003e hourly..\n\n\u003e A node's public key used for DH shared secret generation exists\n\u003e independently of its channels. I think we probably should not bind the\n\u003e rotation of the key we use to talk to that node to one of its\n\u003e channels. However, it does make sense to require that a node also has\n\u003e at least one active channel in order for us to care at all :-)\n\nThis calculation was per-node, not per-channel.\n\n\u003e The comms key approach is in line with what I was thinking as well.\n\u003e We can bind the new communication key with the channel's existence by\n\u003e showing a derivation path from the node's (fixed) public key and the\n\u003e new key. So a node wanting to rotate its communication key just sends\n\u003e the following: \"I am \u003cpubkey\u003e (33 byte), please use key \u003cderivation\n\u003e number\u003e (~4 byte) and here is a \u003csignature\u003e (64 bytes) that I signed\n\u003e this rotation off.\". The communication overhead is identical to your\n\u003e proposal, but, since you send only the new key, I think in your\n\u003e proposal we'd have to churn through all known node ids to find which\n\u003e one signed the rotation, or where you also using timestamp based\n\u003e derivation?\n\nHmm, do we lose forward secrecy if we use a BIP32 chain? But we may be\nable to use another derivation method where we derive key N from key\nN-1. I'm looking at Laolu...\n\n\u003e Another case we could consider is having passive rotations: when an\n\u003e endpoint announces a channel's existence it also sends its rotation\n\u003e interval along. Every \u003crotation interval\u003e nodes simply derive the new\n\u003e key and use that for the DH shared secret generation should they want\n\u003e to talk to this node. And nodes have a switchover window in which they\n\u003e accept both (would be necessary in the active rotation as well due to\n\u003e delays). The passive rotation incurs no communication overhead and can\n\u003e be bound to the node's channels, so as long as we believe one of its\n\u003e channels to exist, we rotate its keys.\n\nI like the zero-comms overhead! We could in fact use block number to\nrotate; key 1 is used for the first N blocks, then key 2, etc, with old\nkeys allowed X blocks late, new keys allowed X blocks early?\n\nI think we should select some N for the moment, rather than making it\nconfigurable. If it's too small it might take a long time for clients\nto derive the current key: 50 usecs each step is almost half a second\nfor a year-old key if we rotate every 6 blocks. Rotation daily makes\nthat much more approachable...\n\n\u003e Possibly a mix of active and passive would make sense, with the active\n\u003e rotation enabling emergency rotations in case a key was compromised,\n\u003e but we're in a lot of trouble then anyway :-)\n\nIn that case, you close the channels and start a new node?\n\nCheers,\nRusty.",
"sig": "ea42543db2617c894c3c24a9a8f607eb7bff8bc9ad4def910caa4dc10d779883d93a742d31f69590e41a86664904f1c16b1430af843c8e8d07c4c93774b6d872"
}