📅 Original date posted:2016-09-09
📝 Original message:
Rusty Russell <rusty at rustcorp.com.au> wrote:
> Each node ID is 33 bytes (pubkey) each channel is 6 bytes (blocknum +
txnum).
Using blocknum+txnum to identify a channel doesn't account for the
possibility of a single transaction which opens multiple channels
concurrently. A possible use-case for such a transaction are coin-joined
channel openings which obfuscate the relationships being creating with a
channel opening. You'd need to tack on an extra byte (maybe two) to also
encode the output index of the channel within the transaction. Additionally,
identifying channels based solely from blockheight+offsets conjures up some
re-org safety concerns. It's also a bit less "verifiable" than referring via
the full outpoint.
> The proofs are larger: to prove which IDs owns a channel, each one needs a
> merkle proof (12 x 32 bytes) plus the funding tx (227 bytes, we can skip
> some though), the two pubkeys (66 bytes), and a signature of the ID using
> those pubkeys (128 bytes, schnorr would be 64?).
Are those two pub keys the multi-sig pub keys, or the identity pub keys? In
either case, only requiring two pub keys to attest-to/authenticate the state
of a channel is insufficient. With only two signatures, then nodes can
advertise the same channel several times creating a non-canonical graphs
resulting in differing network views. If we'd like to eliminate such a
possibility, then we also need to cryptographically bind the two identities
to the proof. Using a schnorr multi-signature generated by the four pubkeys
would remedy this. Validators can use pubkey recovery to extract the "group
pubkey" from the single signature, ensure it's the result of point addition
of the four public keys, check the channel isn't closed, then verify the
signature over the advertisement as normal.
Christian Decker <decker.christian at gmail.com> wrote:
> I forgot that we have two potential key-rotations:
> - Rotating the key used in transactions that hit the Bitcoin network
If you mean the key included within the 2-of-2 multi-sig, I assume all
implementations will be using a fresh key with each channel either way, so
we don't need any explicit rotations here?
I've only been thinking of rotations for the onion pubkeys used for the DH
shared secret derivation for the onion packets. Identity keys could also
possibly either be rotated/revoked, or delegated with some sort of
"certificate".
> Another case we could consider is having passive rotations: when an
> endpoint announces a channel's existence it also sends its rotation
> interval along.
IMO a passive rotation scheme is superior due to the bandwidth savings of
pushing the onion key rotations to the edges themselves. As you said an
active rotation might be used in the emergency case of a forced key rotation
due to key compromise.
Rusty Russell <rusty at rustcorp.com.au> wrote:
> Hmm, do we lose forward secrecy if we use a BIP32 chain? But we may be
> able to use another derivation method where we derive key N from key
> N-1. I'm looking at Laolu...
Well, sorta. If the master pubkey is published, and nodes use public
derivation on the edges to do passive key rotations, then if one of the
non-hardened child private keys is leaked, an adversary can derive the
master private key thereby gaining the ability to decrypt any
saved/intercepted onion packets to the compromised node.
Earlier in this email chain I suggested a scheme to regain forward secrecy
in the case of such a private key leak by requiring nodes to do some upfront
pre-computation involving an intermediate derivation point. This would still
allow passive rotation by the edges. However, in practice those
pre-generated would likely be stored in the same location? So that kinda
puts us back at the original exploit scenario.
If we were to involve some pairing crypto (IBE style), we would use say
block hashes to allow nodes to passively derive keys the "source" node is
able to generate the corresponding private key to...
IMO we need to more clearly state our security model/assumptions here to
reason about the attack scenarios we'll try to guard against.
-- Laolu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160909/486374b1/attachment.html>;
Olaoluwa Osuntokun [ARCHIVE] /
npub19h…zkvn4
2023-06-09 12:46:42
in reply to nevent1q…hygh
Author Public Key
npub19helcfnqgk2jrwzjex2aflq6jwfc8zd9uzzkwlgwhve7lykv23mq5zkvn4Published at
2023-06-09 12:46:42Event JSON
{
"id": "e0309a02d8d80e27aea44e55f4c53772021c9b932e7702c73e95459b615a659c",
"pubkey": "2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476",
"created_at": 1686314802,
"kind": 1,
"tags": [
[
"e",
"6e65ece61bd323b60e8549dd5955ce1565ad06118112038c52f2e00d9538477b",
"",
"root"
],
[
"e",
"cf98d0fa8000077bf807590bf4946c8d96645d527e8a09265d56b873fcfe9429",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2016-09-09\n📝 Original message:\nRusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\n\u003e Each node ID is 33 bytes (pubkey) each channel is 6 bytes (blocknum +\ntxnum).\n\nUsing blocknum+txnum to identify a channel doesn't account for the\npossibility of a single transaction which opens multiple channels\nconcurrently. A possible use-case for such a transaction are coin-joined\nchannel openings which obfuscate the relationships being creating with a\nchannel opening. You'd need to tack on an extra byte (maybe two) to also\nencode the output index of the channel within the transaction. Additionally,\nidentifying channels based solely from blockheight+offsets conjures up some\nre-org safety concerns. It's also a bit less \"verifiable\" than referring via\nthe full outpoint.\n\n\u003e The proofs are larger: to prove which IDs owns a channel, each one needs a\n\u003e merkle proof (12 x 32 bytes) plus the funding tx (227 bytes, we can skip\n\u003e some though), the two pubkeys (66 bytes), and a signature of the ID using\n\u003e those pubkeys (128 bytes, schnorr would be 64?).\n\nAre those two pub keys the multi-sig pub keys, or the identity pub keys? In\neither case, only requiring two pub keys to attest-to/authenticate the state\nof a channel is insufficient. With only two signatures, then nodes can\nadvertise the same channel several times creating a non-canonical graphs\nresulting in differing network views. If we'd like to eliminate such a\npossibility, then we also need to cryptographically bind the two identities\nto the proof. Using a schnorr multi-signature generated by the four pubkeys\nwould remedy this. Validators can use pubkey recovery to extract the \"group\npubkey\" from the single signature, ensure it's the result of point addition\nof the four public keys, check the channel isn't closed, then verify the\nsignature over the advertisement as normal.\n\n\nChristian Decker \u003cdecker.christian at gmail.com\u003e wrote:\n\n\u003e I forgot that we have two potential key-rotations:\n\u003e - Rotating the key used in transactions that hit the Bitcoin network\n\nIf you mean the key included within the 2-of-2 multi-sig, I assume all\nimplementations will be using a fresh key with each channel either way, so\nwe don't need any explicit rotations here?\n\nI've only been thinking of rotations for the onion pubkeys used for the DH\nshared secret derivation for the onion packets. Identity keys could also\npossibly either be rotated/revoked, or delegated with some sort of\n\"certificate\".\n\n\u003e Another case we could consider is having passive rotations: when an\n\u003e endpoint announces a channel's existence it also sends its rotation\n\u003e interval along.\n\nIMO a passive rotation scheme is superior due to the bandwidth savings of\npushing the onion key rotations to the edges themselves. As you said an\nactive rotation might be used in the emergency case of a forced key rotation\ndue to key compromise.\n\n\nRusty Russell \u003crusty at rustcorp.com.au\u003e wrote:\n\n\u003e Hmm, do we lose forward secrecy if we use a BIP32 chain? But we may be\n\u003e able to use another derivation method where we derive key N from key\n\u003e N-1. I'm looking at Laolu...\n\nWell, sorta. If the master pubkey is published, and nodes use public\nderivation on the edges to do passive key rotations, then if one of the\nnon-hardened child private keys is leaked, an adversary can derive the\nmaster private key thereby gaining the ability to decrypt any\nsaved/intercepted onion packets to the compromised node.\n\nEarlier in this email chain I suggested a scheme to regain forward secrecy\nin the case of such a private key leak by requiring nodes to do some upfront\npre-computation involving an intermediate derivation point. This would still\nallow passive rotation by the edges. However, in practice those\npre-generated would likely be stored in the same location? So that kinda\nputs us back at the original exploit scenario.\n\nIf we were to involve some pairing crypto (IBE style), we would use say\nblock hashes to allow nodes to passively derive keys the \"source\" node is\nable to generate the corresponding private key to...\n\nIMO we need to more clearly state our security model/assumptions here to\nreason about the attack scenarios we'll try to guard against.\n\n\n-- Laolu\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160909/486374b1/attachment.html\u003e",
"sig": "c084d7a816d2ea2afd245141ee22bfd47839adb283e1f25081111db3a23cb110bbf3a72d1d6d57051cfe61e18aef9024623e08829e43c412113301786f57e2ac"
}