📅 Original date posted:2016-08-05
📝 Original message:
Olaoluwa Osuntokun <laolu32 at gmail.com> writes:
>> I'm going back and forth about including the payloads in the header HMAC.
> I
>> think we have three options here:
>>
>> 1) Include the payload in the header HMAC computation
>
> I'd say personally, I prefer the first option. This results in "fail fast"
> behavior w.r.t packet forwarding, and additionally adds the smallest
> overhead.
Agreed. I worry about forwarding corrupted packets leading to the
ability for malicious nodes to probe routes.
>> we also lose the ability to do anonymous rendezvous meetings, where the
> final
>> recipient provides half of the route in the form of a precompiled header
>> (something that Hornet is using).
>
> It doesn't appear that we loose the ability to do rendezvous routing if we
> follow through with the first option. The final recipient can still provide
> a
> precompiled header which is the e2e payload sent from the source to the
> rendezvous node. As the source knows the exact nested mix-header when
> sending,
> it can still be protected under the mix-header wide MAC.
>
> Additionally, in order to hide the next-hop after the rendezvous node from
> the
> source node, the destination can wrap the nested header in a layer of
> encryption, decryptable only by the rendezvous node.
In practice, you can do this one level up: simply agree with a rendevous
node that a given H-hash is to be fwded to you. Then direct the payer
to the rendevous node.
So I don't think it's worth any complexity in the routing protocol.
>> There is a tradeoff between small packets and keeping the size uniform. I
> think
>> we could bucketize sizes, e.g., have multiples of 32 bytes or 64 bytes
> for the
>> fields, to have packets with similar sized payloads have the same packet
> size.
>> That would allow us to also drop the e2e payload by setting a size of 0,
> and
>> still be able to forward it, should we ever find a use for it.
>
> Good point, we may have uses for non-uniform sizes as far as mix-headers in
> the
> future. So with this, then it appears there may be 3 types of mix-header
> formats:
> 1. Regular. Meaning no e2e payload, weighing in at 1234 bytes.
> 2. Extended. Meaning bearing the e2e payload with a size of 2468 bytes.
> 3. Rendezvous. Which nests another mix-header within the end-to-end
> payload,
> with a size which is double that of the regular.
>
> If we like this taxonomy, then we may want to reserve the first 2 version
> bytes
> within the draft. A version 0 packet would encompass processing the first
> two
> types, while a version 1 packet denotes that this is a rendezvous packet.
Keep it simple; let's just support regular for now. Nodes will have to
broadcast what extensions they support, and this can be used for
extended formats later. Including ones we *didn't* think of yet...
>> We have to be careful when using timestamps in the packet as it makes
> individual hops collatable.
>
> Excellent observation. Assuming we roll out a reasonably efficient solution
> for
> the collatable HTLC R-values across hops, naively selecting timestamps would
> present another correlation vector.
>
>> So my proposal would be to include a timestamp rounded up to the closest
> hour
>> and have a sliding window of accepted timestamps of +/- 1 hour,
> remembering the
>> secrets for that period and rejecting anything that is too far in the
> future or
>> too far in the past.
>
> This seems reasonable, also the size of the sliding window can easily be
> tuned
> in the future should we find it too large or small.
>
>> The more coarse the bigger the less likely an attacker is to guess which
>> packets belong to the same route, but the more storage is required on the
>> node's side.
>
> Yep, there's a clear trade off between the window size of the accepted
> timestamps, and a node's storage overhead. We can tune this value to a
> ballpark
> estimate of the number of HTLCs/sec a large node with high frequency
> bi-directional throughput may forward at peak times.
>
> Let's say a HFB (High-Frequency Bitcoin) node on the network at peak
> forwards
> 5k HTLC's per second: (5000/sec * 32 bytes) * 3600 sec = 576MB, if nodes are
> required to wait 1 hour between log prunings, and 288MB if we use a
> 30-minute
> interval. Even with such a high throughput value, that seems reasonable.
I think we're over-designing. How about: daily key rotation (which we
want anywat), remember all onions for current and previous key.
Remember: if we switch from C-hash to C-point, then it's simpler: we
only need to guard against retransmissions for *unresolved* htlcs. If
someone retransmits an HTLC for which we already know the C-point value,
they risk us redeeming it immediately and not forwarding at all.
(We need to remember all previous HTLCs anyway, so off the top of my
head checking this is not too hard...).
>> We could just use the announced key, i.e., the one that participated in
> the
>> channel setup, as a root key for HD key derivation. The derivation path
> could
>> then be based on floor(blockheight / 144) so that we rotate keys every
> day, and
>> don't need any additional communication to announce new public keys.
>
> Great suggestion! However, I think instead of directly using the key which
> participated in the channel setup, we'd use a new independent key as the
> root
> for this HD onion derivation. This new independent key would then be
> authenticated via a signature of a schnorr multi-sign of the channel
> multi-sig
> key and the node's identity key (or alternatively two sigs). This safeguards
> against the compromise of one of the derived private keys leading to
> compromise
> of the master root HD priv key which would allow possibly stealing a node's
> coins. Additionally, a node can switch keys more easily, avoiding a channel
> tear down.
>
> However, the HD Onion Key approach can potentially cancel out the forward
> secrecy benefits. If an attacker gains access to the root HD pubkey, along
> with
> any of the child derived onion keys, then they can compute the root privkey.
> This allows the attacker to derive all the child priv keys, giving them the
> ability to decrypt all mix-headers encrypted since the HD Onion Key was
> published.
Broadcasting new node keys (up to?) once a day is probably fine.
Perhaps include a validity time range with each key, so you can spot if
you're missing one. Recommend allowing 12 hours overlap or something.
It'd be great to avoid it, but that seems complex enough to push to a
future spec.
To summarize the keys for each node:
1. channel key: bitcoin key used to sign commitment txs. One per channel.
2. id key: used to tie channels together ("I own these channels"). Signed
by channel keys (or could use OP_RETURN, but that's a bit spammy), and
signs channel keys.
3. comms key: rotated key for onion messages. Signed by id key.
4. (various ephemeral keys for inter-node comms).
id and comms keys don't have to be bitcoin keys; could be Schnorr. But
not much point AFIACT: the big win is making the channel keys
(ie. bitcoin) use Schnorr so they can all compactly sign the id key.
>> I'm also trying to figure out how to enable intermediate nodes to reply
> to a
>> packet, e.g., if capacities are insufficient or the next node is
> unreachable,
>> by recycling the routing info.
>
> Yeah I've also attempted to tackle this issue a bit myself. The inclusion of
> onion routing certainly makes certain classes of failures harder to
> reconcile.
Yeah, this one's troubling. In particular, it'd be nice to prove that
a node is misbehaving:
(1) When a node gives a fail message, we want to be able to publish it
to prove (eg) it's lying about its fees. That means that the
failure msg needs to be tied to the request so both can be
published.
(2) If a node corrupts a fail message on return, we want to prove that.
Caveats:
1. We don't want to expose the source of fail message (ie. leak
the route).
2. Ideally the proof can be published in a way which minimizes data
exposure for the originator.
> If we can solve this, then we can greatly increase the robustness of onion
> routing within the network. I think they may be worth spinning some cycles
> on,
> although I don't consider it blocking w.r.t the initial specification.
I look forward to what you come up with!
Yay!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:30
in reply to nevent1q…edcg
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:30Event JSON
{
"id": "601f599771023939f34fd9604b82bbb825a3c7fcfa532cbd3088d3ef9e50ea91",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314790,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"root"
],
[
"e",
"1f2d5728a9d7ae9b1e99860ef96ab2918507848909d9f7bb25d3836c3a1056d7",
"",
"reply"
],
[
"p",
"2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476"
]
],
"content": "📅 Original date posted:2016-08-05\n📝 Original message:\nOlaoluwa Osuntokun \u003claolu32 at gmail.com\u003e writes:\n\u003e\u003e I'm going back and forth about including the payloads in the header HMAC.\n\u003e I\n\u003e\u003e think we have three options here:\n\u003e\u003e\n\u003e\u003e 1) Include the payload in the header HMAC computation\n\u003e\n\u003e I'd say personally, I prefer the first option. This results in \"fail fast\"\n\u003e behavior w.r.t packet forwarding, and additionally adds the smallest\n\u003e overhead.\n\nAgreed. I worry about forwarding corrupted packets leading to the\nability for malicious nodes to probe routes.\n\n\u003e\u003e we also lose the ability to do anonymous rendezvous meetings, where the\n\u003e final\n\u003e\u003e recipient provides half of the route in the form of a precompiled header\n\u003e\u003e (something that Hornet is using).\n\u003e\n\u003e It doesn't appear that we loose the ability to do rendezvous routing if we\n\u003e follow through with the first option. The final recipient can still provide\n\u003e a\n\u003e precompiled header which is the e2e payload sent from the source to the\n\u003e rendezvous node. As the source knows the exact nested mix-header when\n\u003e sending,\n\u003e it can still be protected under the mix-header wide MAC.\n\u003e\n\u003e Additionally, in order to hide the next-hop after the rendezvous node from\n\u003e the\n\u003e source node, the destination can wrap the nested header in a layer of\n\u003e encryption, decryptable only by the rendezvous node.\n\nIn practice, you can do this one level up: simply agree with a rendevous\nnode that a given H-hash is to be fwded to you. Then direct the payer\nto the rendevous node.\n\nSo I don't think it's worth any complexity in the routing protocol.\n\n\u003e\u003e There is a tradeoff between small packets and keeping the size uniform. I\n\u003e think\n\u003e\u003e we could bucketize sizes, e.g., have multiples of 32 bytes or 64 bytes\n\u003e for the\n\u003e\u003e fields, to have packets with similar sized payloads have the same packet\n\u003e size.\n\u003e\u003e That would allow us to also drop the e2e payload by setting a size of 0,\n\u003e and\n\u003e\u003e still be able to forward it, should we ever find a use for it.\n\u003e\n\u003e Good point, we may have uses for non-uniform sizes as far as mix-headers in\n\u003e the\n\u003e future. So with this, then it appears there may be 3 types of mix-header\n\u003e formats:\n\u003e 1. Regular. Meaning no e2e payload, weighing in at 1234 bytes.\n\u003e 2. Extended. Meaning bearing the e2e payload with a size of 2468 bytes.\n\u003e 3. Rendezvous. Which nests another mix-header within the end-to-end\n\u003e payload,\n\u003e with a size which is double that of the regular.\n\u003e\n\u003e If we like this taxonomy, then we may want to reserve the first 2 version\n\u003e bytes\n\u003e within the draft. A version 0 packet would encompass processing the first\n\u003e two\n\u003e types, while a version 1 packet denotes that this is a rendezvous packet.\n\nKeep it simple; let's just support regular for now. Nodes will have to\nbroadcast what extensions they support, and this can be used for\nextended formats later. Including ones we *didn't* think of yet...\n\n\u003e\u003e We have to be careful when using timestamps in the packet as it makes\n\u003e individual hops collatable.\n\u003e\n\u003e Excellent observation. Assuming we roll out a reasonably efficient solution\n\u003e for\n\u003e the collatable HTLC R-values across hops, naively selecting timestamps would\n\u003e present another correlation vector.\n\u003e\n\u003e\u003e So my proposal would be to include a timestamp rounded up to the closest\n\u003e hour\n\u003e\u003e and have a sliding window of accepted timestamps of +/- 1 hour,\n\u003e remembering the\n\u003e\u003e secrets for that period and rejecting anything that is too far in the\n\u003e future or\n\u003e\u003e too far in the past.\n\u003e\n\u003e This seems reasonable, also the size of the sliding window can easily be\n\u003e tuned\n\u003e in the future should we find it too large or small.\n\u003e\n\u003e\u003e The more coarse the bigger the less likely an attacker is to guess which\n\u003e\u003e packets belong to the same route, but the more storage is required on the\n\u003e\u003e node's side.\n\u003e\n\u003e Yep, there's a clear trade off between the window size of the accepted\n\u003e timestamps, and a node's storage overhead. We can tune this value to a\n\u003e ballpark\n\u003e estimate of the number of HTLCs/sec a large node with high frequency\n\u003e bi-directional throughput may forward at peak times.\n\u003e\n\u003e Let's say a HFB (High-Frequency Bitcoin) node on the network at peak\n\u003e forwards\n\u003e 5k HTLC's per second: (5000/sec * 32 bytes) * 3600 sec = 576MB, if nodes are\n\u003e required to wait 1 hour between log prunings, and 288MB if we use a\n\u003e 30-minute\n\u003e interval. Even with such a high throughput value, that seems reasonable.\n\nI think we're over-designing. How about: daily key rotation (which we\nwant anywat), remember all onions for current and previous key.\n\nRemember: if we switch from C-hash to C-point, then it's simpler: we\nonly need to guard against retransmissions for *unresolved* htlcs. If\nsomeone retransmits an HTLC for which we already know the C-point value,\nthey risk us redeeming it immediately and not forwarding at all.\n\n(We need to remember all previous HTLCs anyway, so off the top of my\nhead checking this is not too hard...).\n\n\u003e\u003e We could just use the announced key, i.e., the one that participated in\n\u003e the\n\u003e\u003e channel setup, as a root key for HD key derivation. The derivation path\n\u003e could\n\u003e\u003e then be based on floor(blockheight / 144) so that we rotate keys every\n\u003e day, and\n\u003e\u003e don't need any additional communication to announce new public keys.\n\u003e\n\u003e Great suggestion! However, I think instead of directly using the key which\n\u003e participated in the channel setup, we'd use a new independent key as the\n\u003e root\n\u003e for this HD onion derivation. This new independent key would then be\n\u003e authenticated via a signature of a schnorr multi-sign of the channel\n\u003e multi-sig\n\u003e key and the node's identity key (or alternatively two sigs). This safeguards\n\u003e against the compromise of one of the derived private keys leading to\n\u003e compromise\n\u003e of the master root HD priv key which would allow possibly stealing a node's\n\u003e coins. Additionally, a node can switch keys more easily, avoiding a channel\n\u003e tear down.\n\u003e\n\u003e However, the HD Onion Key approach can potentially cancel out the forward\n\u003e secrecy benefits. If an attacker gains access to the root HD pubkey, along\n\u003e with\n\u003e any of the child derived onion keys, then they can compute the root privkey.\n\u003e This allows the attacker to derive all the child priv keys, giving them the\n\u003e ability to decrypt all mix-headers encrypted since the HD Onion Key was\n\u003e published.\n\nBroadcasting new node keys (up to?) once a day is probably fine.\nPerhaps include a validity time range with each key, so you can spot if\nyou're missing one. Recommend allowing 12 hours overlap or something.\n\nIt'd be great to avoid it, but that seems complex enough to push to a\nfuture spec.\n\nTo summarize the keys for each node:\n\n1. channel key: bitcoin key used to sign commitment txs. One per channel.\n2. id key: used to tie channels together (\"I own these channels\"). Signed\n by channel keys (or could use OP_RETURN, but that's a bit spammy), and\n signs channel keys.\n3. comms key: rotated key for onion messages. Signed by id key.\n4. (various ephemeral keys for inter-node comms).\n\nid and comms keys don't have to be bitcoin keys; could be Schnorr. But\nnot much point AFIACT: the big win is making the channel keys\n(ie. bitcoin) use Schnorr so they can all compactly sign the id key.\n\n\u003e\u003e I'm also trying to figure out how to enable intermediate nodes to reply\n\u003e to a\n\u003e\u003e packet, e.g., if capacities are insufficient or the next node is\n\u003e unreachable,\n\u003e\u003e by recycling the routing info.\n\u003e\n\u003e Yeah I've also attempted to tackle this issue a bit myself. The inclusion of\n\u003e onion routing certainly makes certain classes of failures harder to\n\u003e reconcile.\n\nYeah, this one's troubling. In particular, it'd be nice to prove that\na node is misbehaving:\n\n(1) When a node gives a fail message, we want to be able to publish it\n to prove (eg) it's lying about its fees. That means that the\n failure msg needs to be tied to the request so both can be\n published.\n\n(2) If a node corrupts a fail message on return, we want to prove that.\n\nCaveats:\n1. We don't want to expose the source of fail message (ie. leak\n the route).\n2. Ideally the proof can be published in a way which minimizes data\n exposure for the originator.\n\n\u003e If we can solve this, then we can greatly increase the robustness of onion\n\u003e routing within the network. I think they may be worth spinning some cycles\n\u003e on,\n\u003e although I don't consider it blocking w.r.t the initial specification.\n\nI look forward to what you come up with!\n\nYay!\nRusty.",
"sig": "68372a481685de360bf1991d1acd2b01f8f2f9d902a6073e6eb8dd582de80a80a0ba99bc88b847b82f8a2a79bcbba783b2088c99404e31c3bb67a02296f8d235"
}