mirrors/lightning-bolts
1
0
Fork 0
mirror of https://github.com/lightning/bolts.git synced 2024-11-19 01:50:03 +01:00
Code Issues Projects Releases Wiki Activity

BOLT 8: make it clear that there are *two* chaining keys.

Browse Source 
lnmessage got this wrong!  It would pass our test vectors, but actually fail
in real usage, since it used the same `ck`.

Also, nonce rotation happens after 1000 encryptions, which is when the nonce
reaches 1000 (since it's zero based!), not when it *exceeds* 1000.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Rusty Russell 2023-05-12 16:32:52 +09:30
parent e0995c9b84
commit 7f53a3e46e
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
08-transport.md
View File

@ -369,7 +369,9 @@ construction, and 16 bytes for a final authenticating tag.
receiving messages for the duration of the session, are generated. receiving messages for the duration of the session, are generated.
7. `rn = 0, sn = 0` 7. `rn = 0, sn = 0`
* The sending and receiving nonces are initialized to 0. * The sending and receiving nonces are initialized to 0.
8. Send `m = 0 || c || t` over the network buffer. 8. `rck = sck = ck`
* The sending and receiving chaining keys are initialized the same.
9. Send `m = 0 || c || t` over the network buffer.
**Receiver Actions:** **Receiver Actions:**
@ -401,6 +403,8 @@ construction, and 16 bytes for a final authenticating tag.
receiving messages for the duration of the session, are generated. receiving messages for the duration of the session, are generated.
10. `rn = 0, sn = 0` 10. `rn = 0, sn = 0`
* The sending and receiving nonces are initialized to 0. * The sending and receiving nonces are initialized to 0.
11. `rck = sck = ck`
* The sending and receiving chaining keys are initialized the same.
## Lightning Message Specification ## Lightning Message Specification
@ -488,14 +492,15 @@ Changing keys regularly and forgetting previous keys is useful to
prevent the decryption of old messages, in the case of later key leakage (i.e. prevent the decryption of old messages, in the case of later key leakage (i.e.
backwards secrecy). backwards secrecy).
Key rotation is performed for _each_ key (`sk` and `rk`) _individually_. A key Key rotation is performed for _each_ key (`sk` and `rk`) _individually_,
using `sck` and `rck` respectively. A key
is to be rotated after a party encrypts or decrypts 1000 times with it (i.e. every 500 messages). is to be rotated after a party encrypts or decrypts 1000 times with it (i.e. every 500 messages).
This can be properly accounted for by rotating the key once the nonce dedicated This can be properly accounted for by rotating the key once the nonce dedicated
to it exceeds 1000. to it reaches 1000.
Key rotation for a key `k` is performed according to the following steps: Key rotation for a key `k` is performed according to the following steps:
1. Let `ck` be the chaining key obtained at the end of Act Three. 1. Let `ck` be the chaining key (i.e. `rck` for `rk` or `sck` for `sk`)
2. `ck', k' = HKDF(ck, k)` 2. `ck', k' = HKDF(ck, k)`
3. Reset the nonce for the key to `n = 0`. 3. Reset the nonce for the key to `n = 0`.
4. `k = k'` 4. `k = k'`