From corne at bitonic.nl Tue Dec 4 10:47:59 2018
From: corne at bitonic.nl (Corné Plooy)
Date: Tue, 4 Dec 2018 11:47:59 +0100
Subject: [Lightning-dev] Reason for having HMACs in Sphinx
In-Reply-To:
References: <87a7lrreme.fsf@gmail.com> <2f0a233e-d751-f7d9-3ad5-38cae19559de@bitonic.nl>
Message-ID: <59ff9858-baf7-c4e7-0c10-245ef4578b43@bitonic.nl>

>> I think we could stop this type of attack by including some kind of
>> shared secret in the onion message to the final node:
> I think we get this "for free" if we switch to path decorrelation and points+privkeys instead of hashes+preimages.
>
> Path decorrelation means that each hop is given a random point, to be added to the next SS "HTLC".
> The final node needs to be given the total of the scalars of each hop random point along the route, most likely within the last hop of the onion.
> The final node also cannot differentiate between an incorrect total for this scalar, or an incorrect "invoice hash"/invoice point.
>
> Hence, some intermediate node along the way cannot guess this, and the final node will give the same error, i.e. "invoice point not found".
>

That might indeed stop an attacker from testing 2nd-degree, 3rd-degree etc. neighbors, making the attack much less versatile. However, for his direct neighbor in the route, the attacker does learn the point to be used in that hop. Therefore I think the attacker can still test whether or not the next node is the final hop.

CJP
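The following is an added toy model of the path-decorrelation scheme described in the quoted text; it is not code from the thread, from the Lightning specification or from any implementation. It uses the standard secp256k1 constants with a minimal affine-coordinate point implementation (assumed sufficient for illustration, not for production), and it assumes that each intermediate hop receives its tweak as a scalar and derives the point from it, that the final node keeps a map from invoice point to invoice secret, and that the error string "invoice point not found" is what the final node returns. The example shows the forward pass (each hop adds a random point to the HTLC it forwards), the backward settlement (each hop peels its tweak off the claim scalar), and the property the quoted text relies on: the final node returns the same error for a wrong total scalar as for an unknown invoice point.

```python
import random

# Toy model of path-decorrelated HTLCs (points + private keys instead of
# hashes + preimages). Added example; not Lightning, Sphinx or any node's code.
# secp256k1 parameters (standard constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    k %= N
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(pt):
    return None if pt is None else (pt[0], (P - pt[1]) % P)


class Recipient:
    """Final node (assumed structure): invoice secrets keyed by invoice point."""

    def __init__(self):
        self.invoices = {}

    def new_invoice(self, rng):
        secret = rng.randrange(1, N)
        point = ec_mul(secret, G)
        self.invoices[point] = secret
        return point

    def settle(self, htlc_point, total_scalar):
        """Return (claim_scalar, error). The node undoes the route's total tweak
        and looks the result up; a wrong total and an unknown invoice point both
        miss the lookup, so the error is identical in both cases."""
        candidate = ec_add(htlc_point, ec_neg(ec_mul(total_scalar, G)))
        secret = self.invoices.get(candidate)
        if secret is None:
            return None, "invoice point not found"   # assumed error string
        return (secret + total_scalar) % N, None


def build_payment(invoice_point, n_intermediate, rng):
    """Sender: one tweak for its own HTLC plus one per intermediate hop.
    Returns the first HTLC point, the per-hop tweak scalars, and the total
    scalar placed in the final hop's onion payload."""
    tweaks = [rng.randrange(1, N) for _ in range(n_intermediate + 1)]
    first_point = ec_add(invoice_point, ec_mul(tweaks[0], G))
    return first_point, tweaks[1:], sum(tweaks) % N


def forward(incoming_point, tweak_scalar):
    """Intermediate hop: outgoing HTLC point = incoming point + its random point."""
    return ec_add(incoming_point, ec_mul(tweak_scalar, G))


def run_payment(n_intermediate=3, seed=1):
    rng = random.Random(seed)  # deterministic only for this demo
    recipient = Recipient()
    invoice_point = recipient.new_invoice(rng)
    first_point, hop_tweaks, total = build_payment(invoice_point, n_intermediate, rng)

    # Forward pass: every hop sees a point unrelated to the invoice point.
    points = [first_point]
    for t in hop_tweaks:
        points.append(forward(points[-1], t))

    # Settlement: final node claims, then each hop subtracts its own tweak.
    claim, err = recipient.settle(points[-1], total)
    if err is None:
        for t in reversed(hop_tweaks):
            claim = (claim - t) % N
    honest_ok = err is None and ec_mul(claim, G) == first_point

    # Same final-node error for a wrong total and for a stray HTLC point.
    _, err_bad_total = recipient.settle(points[-1], rng.randrange(1, N))
    _, err_bad_point = recipient.settle(ec_mul(rng.randrange(1, N), G), total)
    return {
        "honest_ok": honest_ok,
        "decorrelated": len(set(points)) == len(points) and invoice_point not in points,
        "err_bad_total": err_bad_total,
        "err_bad_point": err_bad_point,
    }
```

Running `run_payment()` walks one payment through three intermediate hops: every hop forwards a different point, the sender ends up holding a scalar for its own HTLC point (the proof of payment), and the two tampered settlement attempts produce byte-for-byte the same error.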