Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BOLT04: Add rationale for constant error decryption. #1154

Merged
merged 2 commits into from
Jul 2, 2024
Merged

BOLT04: Add rationale for constant error decryption. #1154

merged 2 commits into from
Jul 2, 2024

Conversation

ziggie1984
Copy link
Contributor

@ziggie1984 ziggie1984 commented Apr 16, 2024
edited
Loading

Fixes #1125

@ziggie1984 ziggie1984 marked this pull request as ready for review April 16, 2024 15:15
ProofOfKeags
ProofOfKeags reviewed Apr 16, 2024
View reviewed changes
04-onion-routing.md Outdated Show resolved Hide resolved
@ziggie1984
BOLT04: Add rationale for constant error decryption.
ea2d84a 
To avoid timing analysis when decrypting failed payments the sender
should act as if the failure in the route came for the 27th hop.
Also changed the maximum number of hops in the route from 20 (legacy)
to 27 (tlv onion).
@ziggie1984 ziggie1984 force-pushed the error-onion-clarification branch from e6bc330 to ea2d84a Compare April 16, 2024 19:23
ProofOfKeags
ProofOfKeags reviewed Apr 16, 2024
View reviewed changes
04-onion-routing.md Outdated Show resolved Hide resolved
@ziggie1984 ziggie1984 requested a review from ProofOfKeags April 17, 2024 10:18
@t-bast
Copy link
Collaborator

t-bast commented Apr 17, 2024

Shouldn't we instead just get rid of this section entirely? This is completely useless, isn't it? I don't see how timing the decryption steps of the error message can be useful to any attacker, as there is a lot of random delay before a retry that is orders of magnitude larger (path-finding and network latency).

@ziggie1984
Copy link
Contributor Author

ziggie1984 commented Apr 17, 2024
edited
Loading

Agree, either we get rid of the whole section or we introduce the rationale because when I was reading this part of the spec I had a hard time understanding the reasoning behind it. LND has implemented it, it actually does the 27 decryption cycle so maybe keep it? But open for both approaches, wdyt @morehouse

@t-bast
Copy link
Collaborator

t-bast commented Apr 17, 2024

LND has implemented it, it actually does the 27 decryption cycle

Then it's probably a good idea to simplify lnd by removing that extra code if it's useless 😉
This timing information seems completely unusable by an attacker to me, but maybe I'm missing something.

@ProofOfKeags
Copy link
Contributor

I would like to second the opinion that it seems entirely useless. Two reasons for this.

  1. Like y'all have already stated, network delay middle 50% variance probably dwarfs the entirety of the decryption process.
  2. Learning your relative position in the route is pretty useless beyond 3 hops. It is important to make it hard to distinguish whether your upstream is the sender or a forwarder, but let's say you know you're hop number 6... what then?! I'm supposedly 6 degrees of separation from everyone on the planet, so you've successfully ascertained it could be....anyone...

All that said, this PR aims to clarify and for as long as we continue to have the normative requirement to do that extra decryption. I support merging this as the rationale to clarify the purpose of this (seemingly ridiculous) practice.

@t-bast t-bast mentioned this pull request Apr 18, 2024
Closed
22 tasks
@t-bast t-bast mentioned this pull request May 2, 2024
Closed
25 tasks
@t-bast
Copy link
Collaborator

t-bast commented May 7, 2024

This was discussed during the last two spec meetings, and it was agreed that this specific decryption step isn't really a fingerprinting vector. But there are other fingerprinting vectors when retrying payments, so this section should be re-worked to explain that generally, as a payment sender, you should ensure you're protecting against fingerprinting by adding random delays before retries and trying as much as possible to be constant time in most operations.

@t-bast t-bast mentioned this pull request May 14, 2024
Closed
23 tasks
Roasbeef
Roasbeef approved these changes May 20, 2024
View reviewed changes
Copy link
Collaborator

@Roasbeef Roasbeef left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🦎

ProofOfKeags
ProofOfKeags approved these changes May 21, 2024
View reviewed changes
Copy link
Contributor

@ProofOfKeags ProofOfKeags left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This immediate commit is better for consistency and clarity of the existing spec. However, the "real solution" to this is to generalize the recommendation to say that the sender SHOULD implement reasonable defenses against timing attacks by inserting a random delay before retrying.

@t-bast t-bast mentioned this pull request Jun 3, 2024
Closed
23 tasks
@t-bast t-bast mentioned this pull request Jun 17, 2024
Closed
22 tasks
@t-bast t-bast mentioned this pull request Jun 26, 2024
Closed
23 tasks
@t-bast t-bast merged commit 64ce121 into lightning:master Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t-bast t-bast t-bast approved these changes

@ProofOfKeags ProofOfKeags ProofOfKeags approved these changes

@Roasbeef Roasbeef Roasbeef approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Error decryption - adopt requirement also for new tlv package format.
4 participants
@ziggie1984 @t-bast @ProofOfKeags @Roasbeef