BOLT04: Add rationale for constant error decryption. #1154
Conversation
To avoid timing analysis when decrypting failed payments the sender should act as if the failure in the route came for the 27th hop. Also changed the maximum number of hops in the route from 20 (legacy) to 27 (tlv onion).
ziggie1984
force-pushed
the
error-onion-clarification
branch
from
e6bc330
to
ea2d84a
Compare
|
Shouldn't we instead just get rid of this section entirely? This is completely useless, isn't it? I don't see how timing the decryption steps of the error message can be useful to any attacker, as there is a lot of random delay before a retry that is orders of magnitude larger (path-finding and network latency). |
|
Agree, either we get rid of the whole section or we introduce the rationale because when I was reading this part of the spec I had a hard time understanding the reasoning behind it. LND has implemented it, it actually does the 27 decryption cycle so maybe keep it? But open for both approaches, wdyt @morehouse |
Then it's probably a good idea to simplify lnd by removing that extra code if it's useless 😉 |
|
I would like to second the opinion that it seems entirely useless. Two reasons for this.
All that said, this PR aims to clarify and for as long as we continue to have the normative requirement to do that extra decryption. I support merging this as the rationale to clarify the purpose of this (seemingly ridiculous) practice. |
|
This was discussed during the last two spec meetings, and it was agreed that this specific decryption step isn't really a fingerprinting vector. But there are other fingerprinting vectors when retrying payments, so this section should be re-worked to explain that generally, as a payment sender, you should ensure you're protecting against fingerprinting by adding random delays before retries and trying as much as possible to be constant time in most operations. |
Fixes #1125