BOLT-04: modify Sphinx packet construction to use starting random bytes #697
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustyrussell
added a commit
to rustyrussell/lightning
that referenced
this pull request
Nov 6, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
rustyrussell
added a commit
to rustyrussell/lightning
that referenced
this pull request
Nov 6, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
cfromknecht
previously requested changes
Nov 6, 2019
|
cdecker
pushed a commit
to rustyrussell/lightning
that referenced
this pull request
Nov 7, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
cdecker
pushed a commit
to rustyrussell/lightning
that referenced
this pull request
Nov 7, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
rustyrussell
added a commit
to rustyrussell/lightning
that referenced
this pull request
Nov 8, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html We generate it from an hmac using the session secret. It's not clear that this will be useful for reproducing test vectors though, since we don't generate the first 66 bytes, which is what the spec says to do. Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
cdecker
pushed a commit
to ElementsProject/lightning
that referenced
this pull request
Nov 8, 2019
lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html We generate it from an hmac using the session secret. It's not clear that this will be useful for reproducing test vectors though, since we don't generate the first 66 bytes, which is what the spec says to do. Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
fwiw we have decided to generate the initial content of the routing packet using ChaCha20 keyed with a key derived from the This would allow us to maintain reproducibility, at the cost of slightly more computation to generate the stream (then again CSPRGs are likely also not free). One notable difference to this PR is that we just fill the entire routing packet instead of offsetting from the end of the last hop's payload. |
|
So i've updated our implementation on the In the end, all that matters is that the callers fill out the packet with random bytes, the precise method can actually be left up to the sender. The receiver won't be able to distinguish how the bytes were generated, just that they're indistinguishable from a random set of bytes. |
The PR just fills the entire set of bytes now. Skipping the first few bytes is really just an optimization. See my comment above w.r.t how we can still maintain reproducibility yet let the caller choose between the two... If we go with this route, we'd need to add a comment to the test vectors. Alternatively, we can update the not-really-psuedo-code to do something similar to this: https://github.com/lightningnetwork/lightning-onion/blob/088b62e7296023531f54595092a03672278acadc/sphinx.go#L189 |
|
On the other hand, it's nice for there just to be "one correct way" in the end. This would mean less guess work for implementors and more "plug and chug" (just implement the spec and you'll be fine) specification. Going the route of re-using the chacha stream (extracting more bytes under a different key) would give us that IMO. |
TheBlueMatt
added a commit
to TheBlueMatt/rust-lightning
that referenced
this pull request
Nov 25, 2019
This avoids at least the trivial hop count discovery attack, though other obvious ones remain and are slightly harder to avoid. See lightning/bolts#697
TheBlueMatt
added a commit
to TheBlueMatt/rust-lightning
that referenced
this pull request
Nov 25, 2019
This avoids at least the trivial hop count discovery attack, though other obvious ones remain and are slightly harder to avoid. See lightning/bolts#697
TheBlueMatt
added a commit
to TheBlueMatt/rust-lightning
that referenced
this pull request
Nov 28, 2019
This avoids at least the trivial hop count discovery attack, though other obvious ones remain and are slightly harder to avoid. See lightning/bolts#697
TheBlueMatt
added a commit
to TheBlueMatt/rust-lightning
that referenced
this pull request
Dec 2, 2019
This avoids at least the trivial hop count discovery attack, though other obvious ones remain and are slightly harder to avoid. See lightning/bolts#697
|
I think it would be useful to update the official test vectors for that change, especially if we're all leaning towards spec-ing one way to do it (I like @cdecker's proposal to reuse ChaCha20). Applying this change here is what I'm getting as new bolt 4 test vectors. Let me know if you find the same results. onion-test-v0.json{
"comment": "This is a simple testcase in which we only use v0 payloads, and all hops have single frame payloads",
"generate": {
"session_key": "4141414141414141414141414141414141414141414141414141414141414141",
"associated_data": "4242424242424242424242424242424242424242424242424242424242424242",
"hops": [
{
"realm": 0,
"pubkey": "02eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619",
"hop_shared_secret": "53eb63ea8a3fec3b3cd433b85cd62a4b145e1dda09391b348c4e1cd36a03ea66",
"payload": "0000000000000000000000000000000000000000000000000000000000000000",
"rhokey": "ce496ec94def95aadd4bec15cdb41a740c9f2b62347c4917325fcc6fb0453986",
"mukey": "b57061dc6d0a2b9f261ac410c8b26d64ac5506cbba30267a649c28c179400eba",
"hmac": "ac73e62f2cc382a1356e06f2762f9cdbcec7c7771037e824b0c1071f4f93d614"
},
{
"realm": 0,
"pubkey": "0324653eac434488002cc06bbfb7f10fe18991e35f9fe4302dbea6d2353dc0ab1c",
"hop_shared_secret": "a6519e98832a0b179f62123b3567c106db99ee37bef036e783263602f3488fae",
"payload": "0101010101010101000000000000000100000001000000000000000000000000",
"rhokey": "450ffcabc6449094918ebe13d4f03e433d20a3d28a768203337bc40b6e4b2c59",
"mukey": "05ed2b4a3fb023c2ff5dd6ed4b9b6ea7383f5cfe9d59c11d121ec2c81ca2eea9",
"hmac": "9350c058fe33b70d9cea125d2d68ba02d81af4609c916d51a575c8db2d5f1de5"
},
{
"realm": 0,
"pubkey": "027f31ebc5462c1fdce1b737ecff52d37d75dea43ce11c74d25aa297165faa2007",
"hop_shared_secret": "3a6b412548762f0dbccce5c7ae7bb8147d1caf9b5471c34120b30bc9c04891cc",
"payload": "0202020202020202000000000000000200000002000000000000000000000000",
"rhokey": "11bf5c4f960239cb37833936aa3d02cea82c0f39fd35f566109c41f9eac8deea",
"mukey": "caafe2820fa00eb2eeb78695ae452eba38f5a53ed6d53518c5c6edf76f3f5b78",
"hmac": "ef3860bc4d742ca9a6c2818d03c83f034d5c22776232a87ca049ec79b63627b9"
},
{
"realm": 0,
"pubkey": "032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991",
"hop_shared_secret": "21e13c2d7cfe7e18836df50872466117a295783ab8aab0e7ecc8c725503ad02d",
"payload": "0303030303030303000000000000000300000003000000000000000000000000",
"rhokey": "cbe784ab745c13ff5cffc2fbe3e84424aa0fd669b8ead4ee562901a4a4e89e9e",
"mukey": "5052aa1b3d9f0655a0932e50d42f0c9ba0705142c25d225515c45f47c0036ee9",
"hmac": "22b8aa7917b4e2c87fc5678bab10b450454fbb5e70708c3d49f0670a616085ea"
},
{
"realm": 0,
"pubkey": "02edabbd16b41c8371b92ef2f04c1185b4f03b6dcd52ba9b78d9d7c89c8f221145",
"hop_shared_secret": "b5756b9b542727dbafc6765a49488b023a725d631af688fc031217e90770c328",
"payload": "0404040404040404000000000000000400000004000000000000000000000000",
"rhokey": "034e18b8cc718e8af6339106e706c52d8df89e2b1f7e9142d996acf88df8799b",
"mukey": "8e45e5c61c2b24cb6382444db6698727afb063adecd72aada233d4bf273d975a",
"hmac": "f4bc4473ec0a55d5f3ededdba4a8e303f9128391a0f1f54d8adacf2221c04e1b"
}
]
},
"onion": "0002eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619e5f14350c2a76fc232b5e46d421e9615471ab9e0bc887beff8c95fdb878f7b3a71d215fe077311013884fabc09318c23a2435069ff1c40e90d2c150084eb8eb59ed10f7d61ab590531cf08000178a333a347f8b4072e216400406bdf3bf03865979313da96e66517a37b5c485744275a73b8eab6f43e3d56a2a59764eb12617efbe0ce721caad69320c3a469a202f3e468c67eaf7a7cda226d0fd32f7b48084dca885d3a3451e1a7368bb5edac5c665a61f6796b288bc1f12cd3b9fbaf915bc732ee749a1ec866abe044a9ad635778ba61fc0776dc832b39451bd5d35072d2269cf9b04040caeaeed42e3eb4adf6146661e3708accfeeb02d174de7effeaa8040417c8b49ed4c7f0218ff8c6c7dd7221d189c65b3b9aaa71a01484b122846c7c7b57e02e679ea8469b70e14fe4f70fee4d87b910cf144be6fe48eef24da475c0b0bcc6565ac90cc68a2cfd94a8a93dc787d6a074e539903b1d36e8d5d45655aa59208a20f3f600ef6b05d963ab796cdf33748c944795403626cdff6c0f114586f1754fb6d64800beeda3e18c04f109b7a91c9049ba2967316f088a8b45c57ea708768ed1cc99f06886ee3089d6c8e9ea3ce884b8dfffed4d4cdc425bf4a8740d03cfcdc95861300a03f5913bf284daa96b9c81dac1ec47cd72bd1049256f41d3710bb47d6151bc6d2dca3851363b4c499f53cbfd445bbd11e669f6b868b35b2e2cc950b1dcde4517b548066ac7543d9f9ac78393b61d1df632c1e7e048427d36227a51f795049c9b89cfdf25b9982e8d79f0da84caf54f7904e8731af45bcbf558eeefd885e2907ce00a3f2124421a704c1907a966e26215b26d2fa7558406a767c0e7218e1f9ac26b012971eba585be112b4e84abbab93a6d76f626b744c1f86df334dcc5d5277b2ce89e0c9869be3fd952ccfac0d3ab40eecd8dd5356155a8b0b186e650b9bbac561a9b5f309b18d31d3bfdd6dac9169b7e38f82b300e3598eb142fb5dd99612d3cd8e1f720551142f5460736e6da0d1158b238a626afa86076c64851694651d2bf6808de85104ef995ddc159d2efbe67c50a2462c10864400bf01ef387d63dd06b21ddebc4ddfb12b9ff2ad2816bcabf737ed8e89f8749a5179ab26faf5796c80b2364af41dc0384507b160c1e7bd93cc6062d82fb87572b9822f1400222c9517a5f4a89fe8fbe39b54efcca1d40bc8627d6b1f43e621c3297ea5ab9076824d90cfb86e5025aad6160cbff1d62c1e46d86a43dce76e09bc1833def9deeb42b02e96b2e423c3acf305e02d4c2c942fddcba269ffcdaef2b4dd6514b427e3236cee79bc28a26adf83af2137a9c7c6453a8571a65d86146c6a93fea20fe91d64f4e3eda8c1980d68e4d9d22a8dd20d5b5d36abda9a7a32bc0711802bd68a19a5837d6e45cf21ae674e291f9ab6846c9c0440017b47630f67cba07a90bfc98b4acd9bef2f8b379357f0e91c3dd04ee819214cfb4f50e35e9a6428d072c09240bb550b225ad312698a827da5fad2f1ae11a474d02872a3554822ff12045b230276f3ad5bd57e5b1e71705076ce6c234b32543cd86a8bec4a1da37b02ffeceb4ebc98311c2c1938458ce8e390e8b702032efc2d30326ffd9a16bbee7cd198b442e22a5210152c6b08c13972b50f5c4d3fd8e393d752463b9192f66cb4be243737ae167c044e4517b4d5efd6af68ab040477acd144fbd42d60725ed2a3e0d83af620e800c6c55e628bef178d4490bc8fa0e0be00f309183c75a402fa501ec8253530199d74bd360932281c3cc5a5d33906e695c927f49b169604959aec1978a369784bdeaecfb79281996b1fc377841ac73e62f2cc382a1356e06f2762f9cdbcec7c7771037e824b0c1071f4f93d614",
"decode": [
"4141414141414141414141414141414141414141414141414141414141414141",
"4242424242424242424242424242424242424242424242424242424242424242",
"4343434343434343434343434343434343434343434343434343434343434343",
"4444444444444444444444444444444444444444444444444444444444444444",
"4545454545454545454545454545454545454545454545454545454545454545"
]
}onion-test-multi-frame.json{
"comment": "A testcase for a variable length hop_payload. The third payload is 256 bytes long.",
"generate": {
"session_key": "4141414141414141414141414141414141414141414141414141414141414141",
"associated_data": "4242424242424242424242424242424242424242424242424242424242424242",
"hops": [
{
"type": "legacy",
"pubkey": "02eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619",
"payload": "0000000000000000000000000000000000000000"
},
{
"type": "tlv",
"pubkey": "0324653eac434488002cc06bbfb7f10fe18991e35f9fe4302dbea6d2353dc0ab1c",
"payload": "0101010101010101000000000000000100000001"
},
{
"type": "raw",
"pubkey": "027f31ebc5462c1fdce1b737ecff52d37d75dea43ce11c74d25aa297165faa2007",
"payload": "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"
},
{
"type": "tlv",
"pubkey": "032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991",
"payload": "0303030303030303000000000000000300000003"
},
{
"type": "legacy",
"pubkey": "02edabbd16b41c8371b92ef2f04c1185b4f03b6dcd52ba9b78d9d7c89c8f221145",
"payload": "0404040404040404000000000000000400000004"
}
]
},
"onion": "0002eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619e5f14350c2a76fc232b5e46d421e9615471ab9e0bc887beff8c95fdb878f7b3a71068850554818be051c5fb6e47df0f24ab88623abf089afc95db4f653cfdc4e3fc50f7d61ab590531cf08000178a333a347f8b4072ecac76d4ab27f190828a68222a6bb6c6f23fc671295d5d4fe37b9f3dacaa629d6404bae9a8e8d7178977d7094a1ae549f89338c0777551f874159eb42d3a59fb9285ad4e24883f27de23942ec966611e99bee1cee503455be9e8e642cef6cef7b9864130f692283f8a973d47a8f1c1726b6e59969385975c766e35737c8d76388b64f748ee7943ffb0e2ee45c57a1abc40762ae598723d21bd184e2b338f68ebff47219357bd19cd7e01e2337b806ef4d717888e129e59cd3dc31e6201ccb2fd6d7499836f37a993262468bcb3a4dcd03a22818aca49c6b7b9b8e9e870045631d8e039b066ff86e0d1b7291f71cefa7264c70404a8e538b566c17ccc5feab231401e6c08a01bd5edfc1aa8e3e533b96e82d1f91118d508924b923531929aea889fcdf0568b9af020955bf28f2296f547bec0773d4f76e19351ceda5ad381e6a79b57a5a658149e7e9ced4edde5d38c9b8f92e16f6b4ab13d704721bb12be5941e1b6620be32870100cb1000cf05b7562be8dbfb7fdb4da45b2f3bca8e6fe47eb45fbdd3be21a8a8d200797eae3c9a0497132f92410d804977408494dff49dd3d8bce248e0b74fd9e6f0f7102c25ddfa02bd9ad9f746abbfa337cea1082d8ae639b52346b18c05b8248d9b30df256d432ab365b732a58b04d7d0d6f6dd20b810c52b2457544c629ca0911c35ff1292523f980f13ebd87d1627e9759abf8b17e54955835fa70c3d9217d21dd2a7e33bea072be9170265c9465d5b4c54a1df3c15513332dfb2123c27498af3bfa116a140d28d43661a3088c6f2ae995bd921801d43ee31a353f2e164704b1593136e84815e2d304515ddf45ef3f70b2169718c811fbe697a1c0d97032e83dec858b6672be484244127e23e2ca8fa055e8e34165c3d02219fb588c7a221722e45e2b54f6b9fa4a6013906198cdf72c8d5222155cfc64f1f322f7785d84727fdd2f9b66627cbe8c7ecf5d944ffcb9266ac815ebc4b4301ed6bc1a765bfeade304cac32e5841340ded04f1f9ea4e2fa7ceea533f8b5253a940f842176c672443af37f03a03f7219df1c4062c51e6e79cf859d07eece8cb7583643e698cf76c04cc6f4c01ca9378046e1763818c616c54f640b26a424fbc0b37f6765f57ce1ade6c8c1eef6ab12df9fb6df6125d2d8bb665a4033d1386525eebc5af407155a5bbc9f8719b836f58044a8f5d1256ca627a592c0419af0bbe4886b9f97667c1bb1712f003f9ac8c53e5ceeaa2182260bab8f5ea50951529c4bda2e58ac649bff4447b585e07f8ca3e35379e969dc71f015557fc588eef1282f7da45f57d94f9316898c904217c3a39ceb2e20c4878c6c196ad11aee10b7ed0b047220930aa1d6463d60058dbf1c36f12eb767d5dc09b9c9d1df628766a4de995fa7e85040533087133ba8892b2cd207da65b99e5d95575e4d7d5ba2666de8f9d5582c1f8799e43e25aa1ad7b945bfb97a953e09a9341c49d1346901af9eb30486bd270d750493dfb69b467a24757e5b3a7198f6794549725bccdc69303f6ccaa48f825e5f83d42faba8f32895148c18db0ec3f6411b969674a507d39a4cb723bba876b766bc2219b164a0f32fd9a8c198695343cbc7c48dda1d36ce69efd07a3d7d46275583e50b9fd1a6d95ce3454da8fe754ab58ee4b5ed48a020f514287e900076d389d6266c627f1e0e22a4b511dfa5c4891eac4d8fe7e9f0332cc26af9a5f467b4acea6da597f27fbb58511ffb8a200d68f09aa9e83b401dc012",
"decode": [
"4141414141414141414141414141414141414141414141414141414141414141",
"4242424242424242424242424242424242424242424242424242424242424242",
"4343434343434343434343434343434343434343434343434343434343434343",
"4444444444444444444444444444444444444444444444444444444444444444",
"4545454545454545454545454545454545454545454545454545454545454545"
]
} |
t-bast
added a commit
to ACINQ/eclair
that referenced
this pull request
Dec 10, 2019
Roasbeef
force-pushed
the
sphinx-random-starting-bytes
branch
from
899b48d
to
910e99b
Compare
|
@t-bast I've updated my implementation to generate the random bytes re-using our existing chacha format. However, I'm getting a distinct ending packet compared to what you've posted above. My final packet is: To generate this key, I first serialize the session private key as a big-endian number (padding to a length of 32 bytes if needed), then feed it in as the data to sha256-hmac, using "pad" as the key (appears to also match @cdecker's code). |
|
Updated the PR (other than the test vectors) to use the new pad key to deterministically generate a set of random bytes. |
Roasbeef
force-pushed
the
sphinx-random-starting-bytes
branch
from
910e99b
to
e3a5af9
Compare
t-bast
reviewed
Jan 7, 2020
There was a problem hiding this comment.
However, I'm getting a distinct ending packet compared to what you've posted above.
Good thing I shared mine, it spot an issue :).
I was using the shared_secret with the recipient instead of the session_key to compute the padding key!
I updated that and I find the same onion as you do, so you can now update the test vectors and we should have a match.
Roasbeef
added a commit
to Roasbeef/lightning-onion
that referenced
this pull request
Jan 10, 2020
In this commit, we update the set of test vectors to reflect that all mix-header in the network should be generated suing the new deterministic filler method put forth in: lightning/bolts#697.
Roasbeef
force-pushed
the
sphinx-random-starting-bytes
branch
from
e3a5af9
to
bb810f9
Compare
|
Thanks @Roasbeef! One small change is missing: in the
|
|
Nice catch! Of course the HMAC changes as well, I overlooked it, will update
the set of test vectors. `lnd` 0.9 (to be release soon), will start to
generate onions according to the guidelines in this PR.
…On Mon, Jan 13, 2020 at 1:38 AM Bastien Teinturier ***@***.***> wrote:
Thanks @Roasbeef <https://github.com/Roasbeef>! One small change is
missing: in the onion-test-v0.json the hmacs in hop are now incorrect.
They should be:
- b8640887e027e946df96488b47fbc4a4fadaa8beda4abe446fafea5403fae2ef
- a93aa4f40241cef3e764e24b28570a0db39af82ab5102c3a04e51bec8cca9394
- 5d1b11f1efeaa9be32eb1c74b113c0b46f056bb49e2a35a51ceaece6bd31332c
- 19ca6357b5552b28e50ae226854eec874bbbf7025cf290a34c06b4eff5d2bac0
- 16d4553c6084b369073d259381bb5b02c16bb2c590bbd9e69346cf7ebd563229
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#697>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAHTWLWBIG7ANU5PSCFJYUDQ5QZC3ANCNFSM4JJOTXVQ>
.
|
In this commit, we modify the existing instructions to create the Sphinx packet to no longer start out with a zero initialize set of 1366 bytes. Instead, we now instruct the sender to use _random_ bytes derived from a CSPRG. This fixes a recently discovered privacy leak that allows an adversarial exit hop to ascertain a lower bound on the true path length. Note that this doesn't affect packet processing, so this is a backwards compatible change. Only clients need to update in order to avoid this privacy leak. After this change is applied, the test vectors as is don't match the spec, as they're created using the original all zero starting bytes. We can either update these with our specified set of random bytes, or leave them as is, as they're fully deterministic as is. An alternative path would be to generate more random bytes from the shared secret as we do elsewhere (the chacha based CSPRNG).
Roasbeef
force-pushed
the
sphinx-random-starting-bytes
branch
from
bb810f9
to
2c45eba
Compare
|
Updated, also fixed a spelling error caught by the Travis spellcheck. |
t-bast
added a commit
to ACINQ/eclair
that referenced
this pull request
Jan 14, 2020
t-bast
added a commit
to ACINQ/eclair
that referenced
this pull request
Jan 15, 2020
t-bast
added a commit
to ACINQ/eclair
that referenced
this pull request
Jan 15, 2020
* Final recipient should not collect a fee: see lightning/bolts#711 * Fix Sphinx small privacy leak: see lightning/bolts#697
cdecker
reviewed
Jan 21, 2020
cdecker
previously requested changes
Jan 21, 2020
There was a problem hiding this comment.
I'm missing the updates to the multi-frame test-vector, which stumped me for a bit. This results in the following failure when running the test-vector:
devtools/onion runtest ../lightning-rfc/bolt04/onion-test-multi-frame.json
onion: Generated does not match the expected onion:
generated: 0002eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619e5f14350c2a76fc232b5e46d421e9615471ab9e0bc0393985e79ca785dfc3b4f506f38e0b228b21e9eaa403231155af3bbd299303a9795d5d9bb1b44e09a8a525c2a6edf4d366dca91fdf4f91788a678da958a4f41afd21754d7677195e25fe7cea974695531f2e4ff39d03745e85d7b6e11e5be22dafaa2984dc5dc7e31fbfc187301fd50a04e768e5a8e37d668a2c657e830562b4fbcfe54c69469b5cbe0b30c72c76e04addaf5ad190c367037e7539df17044dfd2170bf0066756c90d46ac2469e7869b3527cb06475bb6ff273c2cc602a3164c8909a693e6a9a94fd38aecedd5ff27a45e6b9e68351ed1f34f7196bf39df628fdb2e6d673d1f5bfa6501883e57de93e95cf331c028fade01aaa18212b84e53604914232075d11b50e14aa9e7481efe8e90fec9f2e7bca437c7d84ba567377c11facfe6d925a13503565792a859720b443ceed5b91aaf48a40fca90926ea8fac2d40847e18267504eb8cde102ba4df8a7028f7e7832d3aada0e3b4d9f01bd6dd49ef94f7265c73997f09fef8b124c298209699487671056ef4a426df5583f152b5dee669212d63bb2386fb52d153d0ae2f5fa68ad533d552b1559b7a2df6e4353de187e5cf06648c8e4578190297e3a0baf031af264e8a156dd00bdc78844d6c974a890cbc195ae05175efbdf0cc0f2d41c19b885644c689957fbe686f6025e26742d39b3cb3c8f9a0520fcea294a514b6c0fc32bf6f78b3dd80357d611897162e5af088853847dbc11a701c0b2d5d692ced5dbb206954a396f3b6c504b5056c7f5d1e2c3a2a8011319ad684f0ccaeb2ab8db9af0ea9a97cc4f7efdad6b7bacd29b2d08ccbe69e877ef2c3a4b4e64265965cfea0dd70cf3c0e91440f5aee82c9f6de5c6a386c2b9fe15b286d0fe18f126fee1929d3a43ec687923cd79564abeec1313a490ff1fde0807c7a9dc5852576924cfeffb5e38f13ed3b9e620c78fb855dfc35a5952feda1ea78d91e43421c4e72e684f1728ffe420c72abe128074108e194fc153d52c88641bc2756b42b72c5072be3677f675e5d9236899573b42827bf79258db2650b1a6910cceab30bbaa05300dc29a7142646961aff2450c073695e1c0910fb8c2c47703f72165f460ea0f0e9e23c46a126b82b46d4ee81b6797358e943329bbc030d085bd4d6a225613bef2f1ba38c9bb01deb4ce575972fbe87affbee860670fb6819955c5d821e095eb3f44c14ca3b133194d31bcf2c8042ef3bf5995ae0b8920aad6c1863b3a059f4f8adf16abc93100c3a3dd733217258f3482633a4d0a671ed82fdf2204fa145d873756713d548c0e97432473e5cf85e82e5d2a8654f75f1980e53db4118439498765da4e5f5fe5f971a681215deb6681f43803e3052e33729bcf003aad45f00c2bf40e576c50177c11ef9f0e37ddcc0c7d08ca106349cba304663bcba57fac995ea965f763bcb3f408d8b6fe7695df82e2fb3c75f74289a4fb18a5cefb159a69ef570825f3620c957ed81699d8ebbfe3d6656ebab438122f26acd8f593d55bcd50d09c36507a075ebf9d77c64311ee93f18f81c48397b5eecfe7bf18db53d7b905bc0dac35dca408ef0c848eeda3029c92908a2e99cae009e969934851cc1b5ccf36cca584edb11f5036408bb6001822e237b2173476c6331408bc7e9393b9283ec8803009630da3704c6302507818aeb79099b0d5b1e2cfbc4c3d8c5652e0f81169628b08393ad5a2e8baf16ba7122646ebefee99d24a613960aadc268c5432fd4177d936523b999901f5bb1cf64c38d2eb7c227864182d5e4e655049f7ba426c9af2d916f4e766050a17c77e04ccfcd87aac40f9c78c4109cde53e7f72f2308386d33951763d994c14032282d60b70
expected : 0002eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619e5f14350c2a76fc232b5e46d421e9615471ab9e0bc887beff8c95fdb878f7b3a710f8eaf9ccc768f66bb5dec1f7827f33c43fe2ddd05614c8283aa78e9e7573f87c50f7d61ab590531cf08000178a333a347f8b4072e1cea42da7552402b10765adae3f581408f35ff0a71a34b78b1d8ecae77df96c6404bae9a8e8d7178977d7094a1ae549f89338c0777551f874159eb42d3a59fb9285ad4e24883f27de23942ec966611e99bee1cee503455be9e8e642cef6cef7b9864130f692283f8a973d47a8f1c1726b6e59969385975c766e35737c8d76388b64f748ee7943ffb0e2ee45c57a1abc40762ae598723d21bd184e2b338f68ebff47219357bd19cd7e01e2337b806ef4d717888e129e59cd3dc31e6201ccb2fd6d7499836f37a993262468bcb3a4dcd03a22818aca49c6b7b9b8e9e870045631d8e039b066ff86e0d1b7291f71cefa7264c70404a8e538b566c17ccc5feab231401e6c08a01bd5edfc1aa8e3e533b96e82d1f91118d508924b923531929aea889fcdf057f5995d9731c4bf796fb0e41c885d488dcbc68eb742e27f44310b276edc6f652658149e7e9ced4edde5d38c9b8f92e16f6b4ab13d710ee5c193921909bdd75db331cd9d7581a39fca50814ed8d9d402b86e7f8f6ac2f3bca8e6fe47eb45fbdd3be21a8a8d200797eae3c9a0497132f92410d804977408494dff49dd3d8bce248e0b74fd9e6f0f7102c25ddfa02bd9ad9f746abbfa3379834bc2380d58e9d23237821475a1874484783a15d68f47d3dc339f38d9bf925655d5c946778680fd6d1f062f84128895aff09d35d6c92cca63d3f95a9ee8f2a84f383b4d6a087533e65de12fc8dcaf85777736a2088ff4b22462265028695b37e70963c10df8ef2458756c73007dc3e544340927f9e9f5ea4816a9fd9832c311d122e9512739a6b4714bba590e31caa143ce83cb84b36c738c60c3190ff70cd9ac286a9fd2ab619399b68f1f7447be376ce884b5913c8496d01cbf7a44a60b6e6747513f69dc538f340bc1388e0fde5d0c1db50a4dcb9cc0576e0e2474e4853af9623212578d502757ffb2e0e749695ed70f61c116560d0d4154b64dcf3cbf3c91d89fb6dd004dc19588e3479fcc63c394a4f9e8a3b8b961fce8a532304f1337f1a697a1bb14b94d2953f39b73b6a3125d24f27fcd4f60437881185370bde68a5454d816e7a70d4cea582effab9a4f1b730437e35f7a5c4b769c7b72f0346887c1e63576b2f1e2b3706142586883f8cf3a23595cc8e35a52ad290afd8d2f8bcd5b4c1b891583a4159af7110ecde092079209c6ec46d2bda60b04c519bb8bc6dffb5c87f310814ef2f3003671b3c90ddf5d0173a70504c2280d31f17c061f4bb12a978122c8a2a618bb7d1edcf14f84bf0fa181798b826a254fca8b6d7c81e0beb01bd77f6461be3c8647301d02b04753b0771105986aa0cbc13f7718d64e1b3437e8eef1d319359914a7932548c91570ef3ea741083ca5be5ff43c6d9444d29df06f76ec3dc936e3d180f4b6d0fbc495487c7d44d7c8fe4a70d5ff1461d0d9593f3f898c919c363fa18341ce9dae54f898ccf3fe792136682272941563387263c51b2a2f32363b804672cc158c9230472b554090a661aa81525d11876eefdcc45442249e61e07284592f1606491de5c0324d3af4be035d7ede75b957e879e9770cdde2e1bbc1ef75d45fe555f1ff6ac296a2f648eeee59c7c08260226ea333c285bcf37a9bbfa57ba2ab8083c4be6fc2ebe279537d22da96a07392908cf22b233337a74fe5c603b51712b43c3ee55010ee3d44dd9ba82bba3145ec358f863e04bbfa53799a7a9216718fd5859da2f0deb77b8e315ad6868fdec9400f45a48e6dc8ddbaeb3The HMACs I get are the following (in ascending order, matching the test-vector order):
d87aac40f9c78c4109cde53e7f72f2308386d33951763d994c14032282d60b708be877a6b095a3da734075212e7ddeeda590a8abb2509c6509be6a1b49d3ada5dd159c7047bc5801803de47c37f9bb08fe6155680bc942ea8c7849ab1ff562faca4b47e5170a5ffc11c33cae982df57af8698dc4a51702e55a9a72f70159611483ac47b6fe39a31b11b3e403010832e6e49e3db2dc5825bb29f1762a0cbf4266
I'm pretty confident they'll match up with your tests, since I can reproduce the v0 payload test-vector without issues.
Full trace of intermediate steps can he found here
Ping @t-bast @Roasbeef and @rustyrussell 😉
|
@cdecker I get the same value for I think that for some reason you're using only the first 20 bytes of the hmac (instead of 32 bytes). 000404040404040404000000000000000400000004000000000000000000000000 (actual test payload) 0000000000000000000000000000000000000000 (trimmed hmac???) 77b5a170... (pad stream). Mine is: 000404040404040404000000000000000400000004000000000000000000000000 (actual test payload) 0000000000000000000000000000000000000000000000000000000000000000 (empty hmac) 77b5a170... (pad stream). |
|
Doh, I had removed the legacy encoding (padding of the payload with 12 0x00 bytes). Now the test vector works fine. It was just the test-vector tool that was borked... Nevermind about the hmacs in the multi-frame test-vector, they're missing altogether :-) |
cdecker
dismissed stale reviews from cfromknecht and themself
My test-vector tool was broken...
|
Reproduced in Eclair, lnd, and c-lightning (ElementsProject/lightning#3427). We decided to merge this during the 2020/01/20 spec meeting, however I fixed a JSON typo and the length of the padding that is generated. So this requires sign-off from @t-bast and @Roasbeef. Merging once I have those ACKs here :-) ACK 43f18ef |
SomberNight
added a commit
to spesmilo/electrum
that referenced
this pull request
Mar 16, 2020
sidhujag
pushed a commit
to syscoin/electrumsys
that referenced
this pull request
Mar 16, 2020
matheusd
pushed a commit
to matheusd/lightning-onion
that referenced
this pull request
Sep 7, 2020
In this commit, we update the set of test vectors to reflect that all mix-header in the network should be generated suing the new deterministic filler method put forth in: lightning/bolts#697.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In this commit, we modify the existing instructions to create the Sphinx
packet to no longer start out with a zero initialize set of 1366 bytes.
Instead, we now instruct the sender to use random bytes derived from a
CSPRG. This fixes a recently discovered privacy leak that allows an
adversarial exit hop to ascertain a lower bound on the true path length.
Note that this doesn't affect packet processing, so this is a backwards
compatible change. Only clients need to update in order to avoid this
privacy leak.
After this change is applied, the test vectors as is don't match the
spec, as they're created using the original all zero starting bytes. We
can either update these with our specified set of random bytes, or leave
them as is, as they're fully deterministic as is.
An alternative path would be to generate more random bytes from the
session key as we do elsewhere (the chacha based CSPRNG).