Page MenuHomecode.freespoken.nz

Fixed-size payment paths
Closed, WontfixPublic

Description

In the current draft specification, the length of the encoding of a payment path grows with the length of the path. A fixed-length encoding could be used to make it harder for an adversary with the ability to spy on the sizes and timing of encrypted messages sent between instances. Additionally, it could help to disguise, even from the initiator's own neighbours, the identity of the initiator of a given transaction; this was suggested as a possible feature in Jan Michelfeit's Master's Thesis (see section 1.1, for example).

Related Objects

StatusAssignedTask
OpenNone
Opentim
Opentim
Opentim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Wontfixtim
Wontfixtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim
Resolvedtim

Event Timeline

tim created this task.Apr 5 2017, 12:46 PM
tim added a comment.Jun 1 2017, 1:18 PM

I'm no longer sure it's possible for fixed-size payment paths to fully conceal from the initiator's neighbours their proximity to the initiator, at least if we want to maintain the status-quo fact that a partial agreement represents an unbroken chain of genuine commitments all the way back to the initiator (which is important, so that participants can prefer partial agreements with more attractive prices, without risking ignoring all the partial agreements that could actually end up as part of a transaction).

Payment paths must carry information, so that each participant can determine which (if any) of their own bilateral agreements are included in it. A fixed-size payment path can carry only a certain amount of information, no matter how it's encoded.

Therefore, if Sibyl receives a payment path and continually adds to it a number of dummy bilateral agreements between herself and herself, she will eventually be unable to add any more without removing important information, thus breaking the chain of genuine commitments. We want Sibyl's neighbours to be able to recognize that the chain has been broken, so Sibyl herself must also be able to recognize this.

Sibyl can count how many dummy bilateral agreements she can add without breaking the chain. The more such agreements she can add, the fewer bilateral agreements have been added by previous participants in the chain, thus giving Sibyl a clue as to her proximity to the initiator.

Of course, previous participants (including the initiator) could have added random numbers of their own dummy bilateral agreements, but this would only partially obscure the proximity to the initiator.

However, fixed-size payment paths could still be useful for preventing Big-Brother attacks based on observing the sizes and timings of messages sent between peers.

tim closed this task as Wontfix.Jun 6 2017, 11:23 AM

Actually, to the extent that fixed-size payment paths incur fixed-duration processing by instances, this might actually help Big Brother trace a transaction through the network, since it knows it can associate a received message of a particular size with a similarly-sized message sent a specific duration later.

Big Brother's timing attacks might be made more difficult if instances add randomly-sized delays before sending messages; this is, of course, in tension with the desire for quick payments.

It's still true that restricting message sizes to a few possibilities might make Big Brother's job harder, but padding is easy, so it's probably simpler to specify padding, rather than unnecessarily complicate the definition of a payment path.