1
0
mirror of https://github.com/lightning/bolts.git synced 2024-11-19 01:50:03 +01:00
Commit Graph

170 Commits

Author SHA1 Message Date
Rusty Russell
ca06224cf6 BOLT 4: add bolt12 payloads to onion message payloads.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-09-24 19:40:59 +09:00
Jeffrey Czyz
df4af02eb1 Add a sciddir_or_pubkey fundamental type
Offers may contain blinded paths to allow for greater recipient privacy.
However, they come at a cost of increased QR code size as the
introduction node requires a 33-byte `point`.

Define a new `sciddir_or_pubkey` fundamental type such that either a point or a
reference to one in a `channel_announcement` can be used. This is
backwards compatible with `point`.

Use this new type for the `blinded_path` subtype's `first_node_id`.
2024-09-24 19:40:59 +09:00
Jeffrey Czyz
86ba089de7 Allow using short_channel_id in onion messages
Offers may contain blinded paths to allow for greater recipient privacy.
However, they come at a cost of increased QR code size as each hop
requires a 33-byte `point` for the `next_node_id`. Allow using
`short_channel_id` instead, which only requires 8 bytes.

Still allow for use of `next_node_id` for cases where the blinded path
may not involve channel counterparties or for long-lived offers, which
may outlive the given channels.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-09-24 19:40:59 +09:00
Rusty Russell
3c0fd9ad90 BOLT 4: More clarifying changes.
1. Always use the term `encrypted_recipient_data` for the encrypted field:
   it's confusing enough without multiple names!
2. Don't give an option for joining blinded payments, since everyone will
   use an unblinded payment to the introduction node (at least, for now).
3. Avoid the term "payer" and at least note that encrypted_recipient_data
   can be made by the sender themselves, pointing out that the forwarding
   node cannot tell.

Thanks t-bast and gijswijs for this feedback!

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-30 06:56:48 +09:30
Rusty Russell
6654c5711a BOLT 4: rename onionmsg_hop to blinded_path_hop
It's used for blinded payment paths, too, not just onion messages.

Suggested-by: @t-bast
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:56:32 +09:30
Rusty Russell
43725d7f07 BOLT 4: put dummy hop recommendation into the requirements.
It was mentioned in the rationale only.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:55:27 +09:30
Rusty Russell
d91642e6a0 BOLT 4: try to improve blinded path description.
It's a bit complex, but try to convey the idea of an introduction point,
blinded node ids and encrypted blobs.  Since the requirements detail the
two ways to reach the introduction node, I handwaved on that a bit.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:54:27 +09:30
Rusty Russell
9c15a5c092 BOLT 4: clarify blinded path requirements.
Writer parts:
1. Be explicit that the writer creates a route.
2. Make it clear we create shared secrets, then derive blinded points.
3. Refer explicitly to all `blinded_path` fields.

Split reader into the *two* readers:
1. The reader of the blinded path, who uses it to make an onion (which wasn't described at all!)
2. The reader of the encrypted_recipient_data, who decrypts it.

In the latter case, we don't have to discuss unblinding the onion since
that's now covered in the "Onion Decryption" section.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:53:27 +09:30
Rusty Russell
6c0f0d878f BOLT 4: concretely refer to the blinded_path type and field when constructing.
This spec was initially written before the `blinded_path` type
existed.  Be precise (and we no longer need to say "MUST communicate"!).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:45:10 +09:30
Rusty Russell
14ebb445e6 BOLT 4: move Route Blinding section up a level, and put blinded_path type there.
It's currently buried in the onion message section, but it applies to payments too.

We now have a separate sub-section for the encrypted_data_tlv definition.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:41:35 +09:30
t-bast
3fffab3b88 Clean-up nits
This commit doesn't change the logic at all, it simply:

- removes `realm` from onion test vector
- cleans-up markdown formatting and indents
- fixes typos and missing parenthesis
- consistently uses `_` instead of `-` for field names
- fixes math formatting (including changes from #1169 and #1158)
2024-07-17 10:40:35 +09:30
Rusty Russell
5e9ea22272 BOLT 2, 4: rename blinding to path_key.
Sure, it's used to derive a secret for blinding, but it's also used to derive the key
for encrypted_recipient_data.  It's not used as a blinding factor *directly*.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:40:35 +09:30
Rusty Russell
bc1ce064d2 BOLT 2, BOLT 4: refer to the onion decryption section in update_add_htlc/onion message requirements.
This ties it together, saying what to use as associated data, blinding, and what to do on failure.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:40:35 +09:30
Rusty Russell
8abd9c7e26 BOLT 4: Generalize and create proper requirements for onion decryption
There's currently a *description* of how to decrypt an onion, and some requirements
in forwarding.  But it also applies to onion messages, so:

1. Turn the description into actual enumerated requirements.
2. Ensure the description covers both payload and messaging onions.
3. Include both methods to apply the blinding tweak.
4. Leave the actual handling of the extracted payload (payment vs messaging onion) to those specific sections (e.g. reporting failure)

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:40:35 +09:30
Rusty Russell
6a51861d93 BOLT 4: remove obsolete references to realm
This was from the legacy onion, and is no longer present.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-07-17 10:40:35 +09:30
Elle
e29fca5703
bolt4+proposals: fix max_cltv_expiry calculation (#1176)
* BOLT4: include `min_final_cltv_expiry_delta` in `max_cltv_expiry` calc

Include `min_final_cltv_expiry_delta` in the `max_cltv_expiry`
calculation. Also add a note that indicates that this field may be set
for the final node too. This is useful for the final node as then it
does not need to persist the path expiry separately and can rely on just
checking the `payment_relay` field when the payment arrives.

* BOLT4: include calculation for `total_cltv_delta` of a blinded path

Include an explicit formula to use for determining the total CLTV delta
of a blinded path so that it is clear that it should include the
recipient's `min_final_cltv_expiry_delta`.

* proposals: fix `max_cltv_expiry` value for final hop in example

More info
[here](https://github.com/lightning/bolts/issues/1174#issue-2371364610)
outlining why the example needed to be updated.
2024-07-15 22:20:48 +02:00
Matt Corallo
93b7ee031b
Drop the required channel_update in failure onions (#1173)
As noted previously, `channel_update`s in the onion failure packets
are massive gaping fingerprintign vulnerabilities - if a node
applies them in a publicly-visible way the err'ing node can easily
identify the sender of an HTLC.

While the updates are still arguably marginally useful for nodes to
use in their pathfinding local to retires of the same payment, this
too will eventually become an issue with PTLCs. Further, we
shouldn't be letting nodes get away with delaying payments by
failing to announce the latest channel parameters or enforcing new
parameters too soon, so treating the node as having indicated
insufficient liquidity (or other general failure) is appropriate
in the general case.

Thus, here, we begin phasing out the `channel_update` field,
requiring nodes ignore it outside of the current payment and making
it formally optional (though nodes have been doing this for some
time due to various bugs).

Because some nodes may want to use update data on mobile when they
have stale gossip data, it is left optional.
2024-07-11 09:32:21 +02:00
ziggieXXX
64ce121cdc
BOLT04: Add rationale for constant error decryption. (#1154)
To avoid timing analysis when decrypting failed payments the sender
should act as if the failure in the route came for the 27th hop.
Also changed the maximum number of hops in the route from 20 (legacy)
to 27 (tlv onion).
2024-07-02 12:03:54 +02:00
Olaoluwa Osuntokun
ed012edc15
BOLT-04: convert blinded paths syntax to use LaTeX rendering
Github now supports inline LaTeX rendering:
https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/writing-mathematical-expressions

In this commit, we use this new feature to improve the rendering of the
routines for blinded paths.
2024-03-27 18:30:37 -07:00
Olaoluwa Osuntokun
25e7dbd5ed
BOLT-04: use underscores in place of parens for blinded paths notation
In this commit, we propose a purely syntactical change to the current
blinded paths specification. Rather than denote the public key of the i-th
node as `E(i)`, we propose that instead it's denoted as: `E_i`. This results
in less overall characters, and is more similar to notation customarily
used in LaTeX.

My personal preference is that the proposed notation is easier to scan at a
glance, and also less ambiguous (doesn't look like a function call).
2024-03-27 18:30:31 -07:00
Carla Kirk-Cohen
78e5a6b066
04-onion-routing: strict validation of scid for blinded payments (#1147)
This commit updates bolt04 to more strictly enforce that encrypted_data
that is part of a blinded payment only has short_channel_id set. On
the reader side, we disallow setting of both short_channel_id and
next_node_id (which is intended for use in the context of onion
messages), and on the writer side we specify that next_node_id should
not be included by recipients.
2024-03-12 09:56:54 +01:00
Rusty Russell
8fc3ba9f0c
BOLT 4: It's Check Lock Time Verify not Check Time Lock Verify. (#1141)
I always get this wrong too, so CLN actually has a source check for this, and it triggered when importing the latest spec!

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-02-19 09:34:00 +01:00
xiaolou86
9f55ccdfee
Fix typos (#1130)
* BOLT 04: fix typos
* proposals: fix typos
2024-01-30 06:54:54 +01:00
Antoine Riard
bccab9afc2 Specify max HTLC nLocktime for expiry_too_far 2023-09-25 21:26:16 +01:00
Rusty Russell
803a532c49 fixup! BOLT 4: onion message support.
@thomash-acinq points out:

1. We absolutely can put other fields in `encrypted_data_tlv`, esp. padding, and test vectors do this.
2. Presumably it was supposed to refer to onionmsg_tlv, so fix that.
3. And of course we need to allow payload fields!
2023-08-01 06:20:16 +09:30
Rusty Russell
f0f35ec73b fixup! BOLT 4: onion message support.
Typo fixes from @t-bast, @thomash-acinq and @remyers.
2023-08-01 06:20:16 +09:30
Rusty Russell
17ceba42dc BOLT 4: onion message support.
These use onion encoding for simple one-way messaging: there are no error returns.
However, every onion uses route blinding *even if it doesn't need to*.

You can prove what path was used to reach you by including `path_id` in the
encrypted_data_tlv.

Note that this doesn't actually define the payload we're transporting:
that's explictly defined to be payloads in the 64-255 range.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2023-08-01 06:20:16 +09:30
Matt Corallo
9ab3c87a28 Correct final_cltv handling in blinded paths
When paying a blinded path, we don't have a CLTV delta at each hop
available, but rather only a total CLTV delta for the entire
blinded path.

However, the onion format currently still requires that we specify
an `outgoing_cltv_value` for the final hop. As the sender, we don't
have a sensible value to put there, as we don't know which part of
the total CLTV delta belongs to the recipient.

The sender is instructed to use the values that are known to them
when setting `outgoing_cltv_value` for the final hop:
- The current block height.
- Any additional delta added to account for block propagation and
  improve privacy.

This change reflects the behavior of some implementations at the time
of writing.
2023-07-31 15:40:05 -05:00
Matt Corallo
cded2df1fd Fix undeclared reference in onion-routing 2023-07-31 15:40:05 -05:00
Matt Corallo
50b2df24a2 Update onion errors since we allow overpaying or under-CLTVing
In #1032 we allowed overshooting the final amount and expiry, but
forgot to update the onion error descriptions which make reference
thereto.
2023-04-11 09:56:22 +02:00
t-bast
c4c5a8e5fb Bolt 4: add blinded payments
Add specification requirements for using route blinding to make payments
while preserving recipient anonymity. Implementers must ensure they
understand all those requirements, there are subtle attacks that could let
malicious senders deanonymize the route if incompletely implemented.
2023-03-28 08:44:14 +02:00
t-bast
58d80473e0 Bolt 4: add route blinding construction
Add specification requirements for creating and using blinded routes.
This commit contains the low-level details of the route blinding scheme,
decoupled from how it can be used by high-level components such as onion
messages or payments.
2023-03-28 08:44:14 +02:00
Olaoluwa Osuntokun
a0bbe47b02
Merge pull request #1021 from joostjager/failure-message-tlv
TLV failure message and recommended length to 1024
2022-12-05 11:11:14 -08:00
Bastien Teinturier
9af622690e
Use onion amount in MPP set calculation (#1040)
* Use onion amount in MPP set calculation

The sender chooses the amounts that are set in the onion payload
(`amt_to_forward`) but cannot predict what amounts will be set in the
HTLCs (`amount_msat`) since intermediate nodes are allowed to overpay.

* Fix error requirements for final node

These requirements were missed when integrating #1032
2022-11-22 09:41:17 +01:00
Joost Jager
1a48cdd787
BOLT 04: Update recommended failure message length and test vector 2022-11-21 12:40:14 +01:00
Bastien Teinturier
b38156b951
Allow nodes to overshoot final htlc amount and expiry (#1032)
When nodes receive HTLCs, they verify that the contents of those HTLCs
match the intructions that the sender provided in the onion. It is
important to ensure that intermediate nodes and final nodes have similar
requirements, otherwise a malicious intermediate node could easily probe
whether the next node is the final recipient or not.

Unfortunately, the requirements for intermediate nodes were more lenient
than the requirements for final nodes. Intermediate nodes allowed overpaying
and increasing the CLTV expiry, whereas final nodes required a perfect
equality between the HTLC values and the onion values.

This provided a trivial way of probing: when relaying an HTLC, nodes could
relay 1 msat more than what the onion instructed (or increase the outgoing
expiry by 1). If the next node was an intermediate node, they would accept
this HTLC, but if the next node was the recipient, they would reject it.

We update those requirements to fix this probing attack vector.

We also clarify `min_final_cltv_expiry`: this is actually a cltv_expiry_delta,
not an absolute cltv_expiry, so the field name should reflect that.

Recipients require incoming HTLC expiry to comply with that expiry delta.
2022-11-08 08:38:36 +01:00
Matt Corallo
fc40879995
Allow nodes to overshoot the MPP total_msat when paying (#1031)
When a node retires a failed path as part of a larger MPP payment,
the node may wish to use a path which is constrained by an
`htlc_minimum_msat` value. In this case, the node is forced to
overpay, likely overshooting the `total_msat` it set in the earlier
onions for the same MPP payment.

There are two possible solutions to this - either allow the
`total_msat` value to change in later HTLCs or allow the node to
(slightly) overshoot the `total_msat` value.

Allowing `total_msat` to change across HTLCs is nontrivial to
implement - HTLCs may arrive out-of-order, causing the receiving
node to have to track all seen `total_msat` values and accept a
set of HTLCs which meet any of the seen `total_msat` values.

Instead, this commit changes the MPP logic to simply allow a sender
to overshoot the stated `total_msat`.

Sadly the backwards-compatibility story for this is not great.
There doesn't seem to be a good way to resolve this issue in a
backwards-compatible way. Instead we just bite the bullet and make
the incompatible change, hoping the overshooting is rare enough
that it's not a major issue.
2022-11-08 08:37:07 +01:00
Joost Jager
484110f6e3
BOLT 04: Onion failure message may be followed by a tlv stream 2022-10-26 12:47:34 +02:00
Joost Jager
786963760a
BOLT 04: remove max hops from test vector
With the tlv payload, the maximum isn't fixed anymore.
2022-10-26 12:47:34 +02:00
Joost Jager
adcd03725c
BOLT 04: remove associated data from test vector
Data is not relevant for failure message generation.
2022-10-26 12:47:33 +02:00
Rusty Russell
60cfb5972a BOLT 4: Remove legacy format, make var_onion_optin compulsory.
My measurements a few weeks ago reveal that only 5 nodes do not
advertize this feature, of over 17000.  I have a patch to
remove support from c-lightning, too.

[ 6 months later: t-bast notes that they only see 0.2% of htlcs using
  legacy, and my node hasn't seen one for 2 months w/ 12000 htlcs --RR ]

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-09-29 12:37:35 +09:30
Matt Corallo
bc86304b4b
Merge pull request #910 from rustyrussell/zeroconf-as-alias
Explicitly allow funding_locked early, and support alias scids (feat 46/47/50/51)
2022-05-30 13:50:25 -07:00
Rusty Russell
f8e5c92fb5 channel_update: make sure we use alias scids correctly.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-05-30 20:47:49 +00:00
Matt Corallo
fe96e8fc3d Note that lightning implementations used to skip the msg type bytes
...well, okay, do today, but by the time anyone is reading this
it'll be "used to".
2022-05-19 08:28:31 +02:00
Matt Corallo
de8bb07a65 Clarify how to encode channel_update messages in onions
Apparently not all implementations implemented the onion encoding
the same, causing vastly differing onion failure packets. This
should unify them somewhat.

CC https://github.com/ElementsProject/lightning/issues/5154
2022-05-19 08:28:31 +02:00
Matt Corallo
03468e1756 Clarify what the two flag bytes are in channel_disabled failures
Fixes #791
2022-05-19 08:28:31 +02:00
Joost Jager
2ab3a9f022
Add payment metadata to payment request 2022-01-03 20:09:14 +01:00
Adam Gibson
3d88d1dd31
Remove stale reference to the gamma key from Bolt 4 (#928)
Fixes #927.
The gamma key was removed from the onion routing spec in 8b29062.

Co-authored-by: Adam Gibson <AdamISZ@protonmail.com>
2021-10-19 08:14:36 +02:00
Rusty Russell
83980de786
BOLT 4: remove space in formatting which prevented tools/extract-formats.py (#858)
This is the only one, so I simply removed it.  We'd notice if a new field
was introduced which didn't change the output these days, but this has been
here since 2017.

Here's the difference in extract-formats.py's output:

```diff
@@ -177,6 +177,9 @@
 msgtype,final_incorrect_htlc_amount,19
 msgdata,final_incorrect_htlc_amount,incoming_htlc_amt,u64,
 msgtype,channel_disabled,UPDATE|20
+msgdata,channel_disabled,flags,u16,
+msgdata,channel_disabled,len,u16,
+msgdata,channel_disabled,channel_update,byte,len
 msgtype,expiry_too_far,21
 msgtype,invalid_onion_payload,PERM|22
 msgdata,invalid_onion_payload,type,bigsize,
```

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-04-08 08:54:01 +02:00
Matheus Degiovani
ffa0a3c243
Clarify nonce size for onion cipher
Some ChaCha20 implementations API's support both 64- and 96-bit nonces, while
others only support a single one.

Functionally, both nonce sizes are equivalent for LN usage, since the
nonce is always zeroed. However, while evaluating spec compliance of
ChaCha20 libraries, the fact that some do not support the 8 byte nonce
variant prompted a closer investigation about the nonce requirement.

Since RFC8439 is the one linked to in the current BOLT0004 spec and that
RFC only specifies the 96-bit nonce variant, that requirement is made
more explicit by this commit.
2021-02-18 10:21:48 -03:00