📅 Original date posted:2016-08-02
📝 Original message:
Olaoluwa Osuntokun <laolu32 at gmail.com> writes:
>> A special HMAC value of 20 0x00 bytes indicates that the currently
>> processing hop is the intended recipient and that the packet should not be
>> forwarded. At this point the end-to-end payload is fully decrypted and the
>> route has terminated.
>
> It seems that with the current construction, then the "next hop" address
> will
> also be zero bytes if a packet processor is the last hop in the route.
> Alternatively, if the sender is aware that the receiver is actually a
> "virtual
> channel", then an additional address could be used instead of the
> zero-address
> to facilitate de-multiplexing at the last hop to the destination virtual
> channel.
Hmm, I think we should combine the "header" and "per-hop payload" into a
single 40 byte field. They're not meaningfully distinct for lightning,
AFAICT.
And I think we should add/steal at least one byte for "realm". 0 =
terminal. 1 = bitcoin lightning. 2 = TBA. etc.
Obviously we should specify the layout when type = 0 (ignore) and 1
(hash160(nexthop-pubkey) + 8-byte-amount-to-fwd + 12-ignored).
That allows us to extend the protocol incompatibly (add a new realm) or
compatibly (add semantics to those ignored sections).
> First, lets talk replay protection. The current draft specifies that:
>
>> The node MUST keep a log of previously used shared secrets. Should the
> shared
>> secret already be in the log it MUST abort processing the packet and
> report a
>> route failure, since this is likely a replay attack, otherwise the shared
>> secret is added to the log
>
> This is definitely necessary, however as dictated this would require nodes
> to
> allocate a potentially *unbounded* amount of storage to the shared secret
> "seen" log. I think we can allow nodes to periodically truncate this log by
> adding an additional session time stamp to the mix-header, either placed
> directly after the version byte, or within the per-hop payload.
Let's tease this out a bit more; thinking about replays from the PoV of
one layer higher. We can't simply deny multiple HTLCs with the same r
hash, since that allows an attacker to probe the network to see where an
HTLC went (note that in the longer run, it's in a node's short-term
economic interest to allow this, which is why rhash is troubling).
If we switch from hash/preimage to the privkeys with point addition
scheme (which has other benefits) this is no longer an issue and we can
simply refuse to accept two HTLCs with the same pubkey.
Though the idea of using a "comms" key signed by our "peer" key which we
rotate every N minutes/hours is appealing for forward secrecy and
minimal peer-key exposure reasons, as Laolu says.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:24
in reply to nevent1q…h545
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:24Event JSON
{
"id": "6fdd7db00bda4f4246c8073b20f373647d5e42d0ccea0c864f4fea2b954da62d",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314784,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2016-08-02\n📝 Original message:\nOlaoluwa Osuntokun \u003claolu32 at gmail.com\u003e writes:\n\u003e\u003e A special HMAC value of 20 0x00 bytes indicates that the currently\n\u003e\u003e processing hop is the intended recipient and that the packet should not be\n\u003e\u003e forwarded. At this point the end-to-end payload is fully decrypted and the\n\u003e\u003e route has terminated.\n\u003e\n\u003e It seems that with the current construction, then the \"next hop\" address\n\u003e will\n\u003e also be zero bytes if a packet processor is the last hop in the route.\n\u003e Alternatively, if the sender is aware that the receiver is actually a\n\u003e \"virtual\n\u003e channel\", then an additional address could be used instead of the\n\u003e zero-address\n\u003e to facilitate de-multiplexing at the last hop to the destination virtual\n\u003e channel.\n\nHmm, I think we should combine the \"header\" and \"per-hop payload\" into a\nsingle 40 byte field. They're not meaningfully distinct for lightning,\nAFAICT.\n\nAnd I think we should add/steal at least one byte for \"realm\". 0 =\nterminal. 1 = bitcoin lightning. 2 = TBA. etc.\n\nObviously we should specify the layout when type = 0 (ignore) and 1\n(hash160(nexthop-pubkey) + 8-byte-amount-to-fwd + 12-ignored).\n\nThat allows us to extend the protocol incompatibly (add a new realm) or\ncompatibly (add semantics to those ignored sections).\n\n\u003e First, lets talk replay protection. The current draft specifies that:\n\u003e\n\u003e\u003e The node MUST keep a log of previously used shared secrets. Should the\n\u003e shared\n\u003e\u003e secret already be in the log it MUST abort processing the packet and\n\u003e report a\n\u003e\u003e route failure, since this is likely a replay attack, otherwise the shared\n\u003e\u003e secret is added to the log\n\u003e\n\u003e This is definitely necessary, however as dictated this would require nodes\n\u003e to\n\u003e allocate a potentially *unbounded* amount of storage to the shared secret\n\u003e \"seen\" log. I think we can allow nodes to periodically truncate this log by\n\u003e adding an additional session time stamp to the mix-header, either placed\n\u003e directly after the version byte, or within the per-hop payload.\n\nLet's tease this out a bit more; thinking about replays from the PoV of\none layer higher. We can't simply deny multiple HTLCs with the same r\nhash, since that allows an attacker to probe the network to see where an\nHTLC went (note that in the longer run, it's in a node's short-term\neconomic interest to allow this, which is why rhash is troubling).\n\nIf we switch from hash/preimage to the privkeys with point addition\nscheme (which has other benefits) this is no longer an issue and we can\nsimply refuse to accept two HTLCs with the same pubkey.\n\nThough the idea of using a \"comms\" key signed by our \"peer\" key which we\nrotate every N minutes/hours is appealing for forward secrecy and\nminimal peer-key exposure reasons, as Laolu says.\n\nCheers,\nRusty.",
"sig": "a22693f3de5c75dce3b70a645a26e6c95f62d1e7ceb232ccc45ca88ab2a4e55275e62eb8af430e5fca401c71eacde8205e09b8335a98d06fd87d193a1471ab7c"
}