📅 Original date posted:2015-10-03
📝 Original message:
On Fri, Oct 02, 2015 at 03:18:39PM +0930, Rusty Russell wrote:
> So, I've pushed some test onion routing code in an acceptable
> format:
> https://github.com/ElementsProject/lightning/blob/onion/test/test_onion.c
> struct hop {
> unsigned char msg[MESSAGE_SIZE];
> struct pubkey pubkey;
> struct sha256 hmac;
> };
> That's a fixed 3840 bytes;
Is the idea to switch that to non-fixed size using protobufs, or?
> then prepends padding.
(prefixes...)
My understandng is it works as follows:
* random EC key pairs are generated for each hop, known to the
initiator
* the public key for each hop is included in plaintext as hop.pubkey
* ECDH is used to establish a shared secret with each hop
(initiator uses routing node's pubkey (ie, their lightning node id)
and the generated privkey; routing node uses their privkey and the
hop.pubkey value)
* symmetric AES & HMAC keys are derived based on the secret
When you receive a message (say you're hop 5) what you'll get is:
P4 P3 P2 P1 H20 H19 ... H5
where P1 is padding added at node 1, and H19 is the hop structure
intended for node 19, etc; all of those in various stages of
encryption/decryption.
You then grab the pubkey from H5.pubkey; which is already plaintext,
and calculate your shared secret, and generate AES key, HMAC key, IV
and padding IV from those. That then lets you run a hmac of everything
you've received, excluding the final hmac (so, P4 ... P1 H20 .. H6 +
msg + pubkey), and compare that to the hmac.
You then decrypt everything (except maybe the hmac and pubkey, but
whatever) using AES in CTR mode with a nonce of IV, giving you:
P4' P3' P2' P1' H20' H19' .. H4' [M5]
M5 lets you know what to do, and if you need to forward it, you generate
P5 by encrypting 0000's with AES in CTR mode with a nonce of PAD_IV. You
forward:
P5 P4' P3' .. H4'
and you're done.
Question:
- I think this means lightning nodes are identified by the
full 512 bit (or 257 bit?) public key used for routing -- (ie,
knowing the HASH160 of the pubkey isn't enough, unlike in normal
bitcoin pay2pubkey transactions).
- I think you can still use different keys for routing and
anchors/commitments so far. (Using the anchor transaction to turn
your routing id into a beacon would probably change that though)
Sigh. I've had a go at reimplementing it in python, but I'm stuck trying
to reproduce the secret info using pyelliptic (which in turn uses
openssl).
...
Ah, it looks like the problem is that libsec256k1 actually goes a step
further and runs SHA256(y||x), where "x" is the value I'm getting and y
is '\x02' is the y value is even and '\x03' if it's odd. If I try both,
one of them turns out right:
Secret1: d9946724c6bd8d5b58bdd2256a0251816a42f9707c794427a410075e4dbb199c
Secret2: 105e0c04f0a910d72dcf2683c21903ba08cd8b225e4124afc41bb2341dc40f49
Unfortunately openssl throws away y and just gives us x, so I'm not sure
if I can work out the right secret directly. I guess I can run the HMAC
twice and pick the value that worked?
Okay, we'll see if we can get any further tomorrow.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:44:43
in reply to nevent1q…c5jx
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:44:43Event JSON
{
"id": "2a8128248abd67e94031c02cd4d81b5ef43d08e83ec8ed1681c261e75070f807",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686314683,
"kind": 1,
"tags": [
[
"e",
"8068f367a334368b30aff76cd525cce9c5bc6d9781f504af87639b9a503f0531",
"",
"root"
],
[
"e",
"640715c6cbcbcc28f487274c37fc1b59cbd68b3624c1b3a261d92659d107f74d",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2015-10-03\n📝 Original message:\nOn Fri, Oct 02, 2015 at 03:18:39PM +0930, Rusty Russell wrote:\n\u003e So, I've pushed some test onion routing code in an acceptable\n\u003e format:\n\u003e https://github.com/ElementsProject/lightning/blob/onion/test/test_onion.c\n\n\u003e struct hop {\n\u003e \tunsigned char msg[MESSAGE_SIZE];\n\u003e \tstruct pubkey pubkey;\n\u003e \tstruct sha256 hmac;\n\u003e };\n\u003e That's a fixed 3840 bytes;\n\nIs the idea to switch that to non-fixed size using protobufs, or?\n\n\u003e then prepends padding.\n\n(prefixes...)\n\nMy understandng is it works as follows:\n\n * random EC key pairs are generated for each hop, known to the\n initiator\n * the public key for each hop is included in plaintext as hop.pubkey\n * ECDH is used to establish a shared secret with each hop\n (initiator uses routing node's pubkey (ie, their lightning node id)\n and the generated privkey; routing node uses their privkey and the\n hop.pubkey value)\n * symmetric AES \u0026 HMAC keys are derived based on the secret\n\nWhen you receive a message (say you're hop 5) what you'll get is:\n\n P4 P3 P2 P1 H20 H19 ... H5\n\nwhere P1 is padding added at node 1, and H19 is the hop structure\nintended for node 19, etc; all of those in various stages of\nencryption/decryption.\n\nYou then grab the pubkey from H5.pubkey; which is already plaintext,\nand calculate your shared secret, and generate AES key, HMAC key, IV\nand padding IV from those. That then lets you run a hmac of everything\nyou've received, excluding the final hmac (so, P4 ... P1 H20 .. H6 +\nmsg + pubkey), and compare that to the hmac.\n\nYou then decrypt everything (except maybe the hmac and pubkey, but\nwhatever) using AES in CTR mode with a nonce of IV, giving you:\n\n P4' P3' P2' P1' H20' H19' .. H4' [M5]\n\nM5 lets you know what to do, and if you need to forward it, you generate\nP5 by encrypting 0000's with AES in CTR mode with a nonce of PAD_IV. You\nforward:\n\n P5 P4' P3' .. H4'\n\nand you're done.\n\nQuestion:\n\n - I think this means lightning nodes are identified by the\n full 512 bit (or 257 bit?) public key used for routing -- (ie,\n knowing the HASH160 of the pubkey isn't enough, unlike in normal\n bitcoin pay2pubkey transactions).\n\n - I think you can still use different keys for routing and\n anchors/commitments so far. (Using the anchor transaction to turn\n your routing id into a beacon would probably change that though)\n\nSigh. I've had a go at reimplementing it in python, but I'm stuck trying\nto reproduce the secret info using pyelliptic (which in turn uses\nopenssl).\n\n...\n\nAh, it looks like the problem is that libsec256k1 actually goes a step\nfurther and runs SHA256(y||x), where \"x\" is the value I'm getting and y\nis '\\x02' is the y value is even and '\\x03' if it's odd. If I try both,\none of them turns out right:\n\n Secret1: d9946724c6bd8d5b58bdd2256a0251816a42f9707c794427a410075e4dbb199c\n Secret2: 105e0c04f0a910d72dcf2683c21903ba08cd8b225e4124afc41bb2341dc40f49\n\nUnfortunately openssl throws away y and just gives us x, so I'm not sure\nif I can work out the right secret directly. I guess I can run the HMAC\ntwice and pick the value that worked?\n\nOkay, we'll see if we can get any further tomorrow.\n\nCheers,\naj",
"sig": "388401e998033f562348a69413d9e2a98736373df24f4078b2a6862f95c8962cce1185c2e4828bbb9d7cb26c42adfc77d6e147f2d7b1fcdc9c915c3ac8df0975"
}