š
Original date posted:2016-08-15
š Original message:
There's two approaches with encrypted vs non-encrypted: the non-encrypted
design which I kindof like, is to make all the information given to the
observer not mean anything on its own. With encrypted, you achieve the
same result, but have some decryption key stuffed somewhere in the observed
transaction to reveal meaningful data which identifies the channel, but is
encrypted.
Non-encrypted can be more efficient, because it's hard to squeeze down
compact encrypted data (though see below for an attempt!). But most things
in the channel states can be obfuscated such that even if you tell
everything to the observer, they don't learn anything. (Even in the case
where the observer is watching both sides of the channel, they shouldn't be
able to match them... well other than timing, which is admittedly a very
effective way to do it!)
I skipped over HTLCs though because they didn't fit with this model. And
they really don't -- unlike the updating pubkeys in the commit tx, HTLC's
are passed though multiple nodes, so information about them can get to the
observer pretty easily. So I think HTLCs would need to be in some kind of
encrypted blob to send to the observer.
I really like txid[0:16] as the truncated txid for the observer and
txid[16:32] as the decryption key because it's simple and quite fast. This
would allow constant-time lookups into the observer's database regarless of
how many channels it's watching, which HMAC'ing the txid doesn't have.
(You could hash txid[16:32] again for the decryption key if you want 32
bytes.)
The non-HTLC data can be sent unencrypted -- it's pretty much just a
signature and hash from the tree. If there is a new HTLC (or a few) added
in that state, the node can elect to send that to the observer as well. I
think the format can be something like:
htlc #1 expiry (4 bytes)
htlc #1 preimage (20 bytes)
htlc #2 expiry (4 bytes)
htlc #2 preimage (20 bytes)
offset to previous blob (2 bytes)
decrypt key for previous blob (16 bytes)
having pointers to previous states can save a lot of space if HTLCs are
added incrementally. The "blobs" can be kept in a separate data store
indexed by state number, so it's quick to see that, e.g, state 471 also has
an HTLC from state 465, which has HTLCs from state 442. This chained
decryption may end up revealing more HTLCs than are needed (which are quick
for the observer to detect and discard) but if the fraud has occurred then
anonymity is gone anyway and it's no big deal if the observer learns a
little more -- they already learned all the important stuff.
I *think* 2 bytes is enough; it's not that an HTLC can't last more than 65K
states, it's that an HTLC can't persist > 65K states with no other HTLCs
being added during that period. A long-lived HTLC wouldn't be referenced
directly; instead later states which still had it would point to a previous
state that also pointed to it. It's a bit more work for the observer, who
might end up with hundreds of extra preimages, but I think optimizing for
space savings at the cost of CPU time when the fraud occurs is a good
trade-off. (The fraud occurs almost never, while the state data transfers
and storage happen always)
This would also allow nodes to omit or include HTLCs to the observer as
they see fit, which seems useful for micropayments which might outstrip the
abilities of the observer.
Also, yeah, padding (handwave) and timing are what make hiding the channel
very tricky, especially for HTLCs. With non-HTLC updates, it can be hard
to know when 2 nodes are updating a channel state, but with HTLCs there are
more nodes in the mix with more points for data to leak out to the
observer. That's another reason you might want to omit sending out some
portion of HTLC recovery data.
I will try coding some of this and see, because it seems to work in my head
but that's no indication it'll work on the computer :)
-Tadge
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160815/4eb6ee12/attachment.html>;
Tadge Dryja [ARCHIVE] /
npub1v5ā¦6l74f
2023-06-09 12:46:38
in reply to nevent1qā¦jxs4
Author Public Key
npub1v5856g02zudlkawxh4ut5kc6at8z5evt77lwxeaaudekq4dlfckst6l74fPublished at
2023-06-09 12:46:38Event JSON
{
"id": "696f002aa0d66b902d9f510a50e116108085580c18fde0cd62f9564dcbcf6165",
"pubkey": "650f4d21ea171bfb75c6bd78ba5b1aeace2a658bf7bee367bde3736055bf4e2d",
"created_at": 1686314798,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"07a443d0d9156dc62903e9390fc643523763c94a2aee8f93cf174f14f8058bef",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "š
Original date posted:2016-08-15\nš Original message:\nThere's two approaches with encrypted vs non-encrypted: the non-encrypted\ndesign which I kindof like, is to make all the information given to the\nobserver not mean anything on its own. With encrypted, you achieve the\nsame result, but have some decryption key stuffed somewhere in the observed\ntransaction to reveal meaningful data which identifies the channel, but is\nencrypted.\n\nNon-encrypted can be more efficient, because it's hard to squeeze down\ncompact encrypted data (though see below for an attempt!). But most things\nin the channel states can be obfuscated such that even if you tell\neverything to the observer, they don't learn anything. (Even in the case\nwhere the observer is watching both sides of the channel, they shouldn't be\nable to match them... well other than timing, which is admittedly a very\neffective way to do it!)\n\nI skipped over HTLCs though because they didn't fit with this model. And\nthey really don't -- unlike the updating pubkeys in the commit tx, HTLC's\nare passed though multiple nodes, so information about them can get to the\nobserver pretty easily. So I think HTLCs would need to be in some kind of\nencrypted blob to send to the observer.\n\nI really like txid[0:16] as the truncated txid for the observer and\ntxid[16:32] as the decryption key because it's simple and quite fast. This\nwould allow constant-time lookups into the observer's database regarless of\nhow many channels it's watching, which HMAC'ing the txid doesn't have.\n (You could hash txid[16:32] again for the decryption key if you want 32\nbytes.)\n\nThe non-HTLC data can be sent unencrypted -- it's pretty much just a\nsignature and hash from the tree. If there is a new HTLC (or a few) added\nin that state, the node can elect to send that to the observer as well. I\nthink the format can be something like:\n\nhtlc #1 expiry (4 bytes)\nhtlc #1 preimage (20 bytes)\nhtlc #2 expiry (4 bytes)\nhtlc #2 preimage (20 bytes)\noffset to previous blob (2 bytes)\ndecrypt key for previous blob (16 bytes)\n\nhaving pointers to previous states can save a lot of space if HTLCs are\nadded incrementally. The \"blobs\" can be kept in a separate data store\nindexed by state number, so it's quick to see that, e.g, state 471 also has\nan HTLC from state 465, which has HTLCs from state 442. This chained\ndecryption may end up revealing more HTLCs than are needed (which are quick\nfor the observer to detect and discard) but if the fraud has occurred then\nanonymity is gone anyway and it's no big deal if the observer learns a\nlittle more -- they already learned all the important stuff.\n\nI *think* 2 bytes is enough; it's not that an HTLC can't last more than 65K\nstates, it's that an HTLC can't persist \u003e 65K states with no other HTLCs\nbeing added during that period. A long-lived HTLC wouldn't be referenced\ndirectly; instead later states which still had it would point to a previous\nstate that also pointed to it. It's a bit more work for the observer, who\nmight end up with hundreds of extra preimages, but I think optimizing for\nspace savings at the cost of CPU time when the fraud occurs is a good\ntrade-off. (The fraud occurs almost never, while the state data transfers\nand storage happen always)\n\nThis would also allow nodes to omit or include HTLCs to the observer as\nthey see fit, which seems useful for micropayments which might outstrip the\nabilities of the observer.\n\nAlso, yeah, padding (handwave) and timing are what make hiding the channel\nvery tricky, especially for HTLCs. With non-HTLC updates, it can be hard\nto know when 2 nodes are updating a channel state, but with HTLCs there are\nmore nodes in the mix with more points for data to leak out to the\nobserver. That's another reason you might want to omit sending out some\nportion of HTLC recovery data.\n\nI will try coding some of this and see, because it seems to work in my head\nbut that's no indication it'll work on the computer :)\n\n-Tadge\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160815/4eb6ee12/attachment.html\u003e",
"sig": "dcbeb9fff54d1ed1bc992a7f672141b901e8b89e6b6079d355f458894f6f6a7c2506e8e82c98e1b69ac7b9565957fb6415b7ee81d855d73c43136aeec3ab85c4"
}