Add support for "phantom" BOLT 12 offers, up to the invoice_request step #4335
Conversation
It turns out we also switched the key we use to authenticate offers *created* in the 0.2 upgrade and as a result downgrading to 0.2 will break any offers created on 0.2. This wasn't intentional but it doesn't really seem worth fixing at this point, so just document it.
In the coming commits we'll add support for building a blinded path which can be received to any one of several nodes in a "phantom" configuration (terminology we retain from BOLT 11 though there are no longer any phantom nodes in the paths). Here we adda new key in `ExpandedKey` which we can use to authenticate blinded paths as coming from a phantom node participant.
In the next commit we'll add support for building a BOLT 12 offer which can be paid to any one of a number of participant nodes. Here we add support for validating blinded paths as coming from one of the participating nodes by deriving a new key as a part of the `ExpandedKey`. We keep this separate from the existing `ReceiveAuthKey` which is node-specific to ensure that we only allow this key to be used for blinded payment paths and contexts in `invoice_request` messages. This ensures that normal onion messages are still tied to specific nodes. Note that we will not yet use the blinded payment path phantom support which requires additional future work. However, allowing them to be authenticated in a phantom configuration should allow for compatibility across versions once the building logic lands.
|
👋 Thanks for assigning @joostjager as a reviewer! |
| /// checked, effectively treating the contents as the AAD for the AAD-containing MAC but behaving | ||
| /// like classic ChaCha20Poly1305 for the non-AAD-containing MAC. | ||
| pub(crate) struct ChaChaDualPolyReadAdapter<R: Readable> { | ||
| pub(crate) struct ChaChaTriPolyReadAdapter<R: Readable> { |
There was a problem hiding this comment.
Would you say there is sufficient test coverage on this? I think there is some higher-level coverage, but no direct unit test.
There was a problem hiding this comment.
I think so? I mean if its horribly broken the higher-level code will also break. Its also somewhat indirectly fuzzed through the onion decoding fuzzing.
There was a problem hiding this comment.
I think lower level unit tests do have value even if there are higher level tests already.
There was a problem hiding this comment.
Not really sure what you'd want to test? That it can decrypt correctly? That's definitely well-covered. The one bug we did have in it was found by our fuzz test. More test coverage is great but more tests to get the same coverage seems like a net-negative.
| let ChaChaDualPolyReadAdapter { readable, used_aad } = | ||
| ChaChaDualPolyReadAdapter::read(&mut reader, (rho, receive_auth_key.0)) | ||
| .map_err(|_| ())?; | ||
| let ChaChaTriPolyReadAdapter { readable, used_aad_a, used_aad_b } = |
There was a problem hiding this comment.
Names like used_local and used_phantom could be helpful
There was a problem hiding this comment.
Sadly I can't rename the fields since I switched to an enum.
There was a problem hiding this comment.
Why not use Local and Phantom in the enum? This adapter isn't used for anything else.
There was a problem hiding this comment.
Because that's really confusing when you read the stream type that isn't dedicated to only use in blinded paths. I'm not at all convinced the callsites are unclear, and we also might need to/want to upstream this at some point to rust-bitcoin.
| .iter() | ||
| .filter(|chan| chan.is_usable) | ||
| .filter_map(|chan| chan.short_channel_id) | ||
| .min(), |
There was a problem hiding this comment.
Its the oldest, matching the existing logic we have for the non-phantom case.
There was a problem hiding this comment.
Is that to maximize the chances that it still exist? Curious where the existing logic is located also.
There was a problem hiding this comment.
Yea, basically. Absent any better criteria we assume that the oldest channel is most likely to stick around. We do it in get_peers_for_blinded_path as well using funded_channel.context.channel_creation_height
| node_signer.ecdh(Recipient::Node, &self.inner_path.blinding_point, None)?; | ||
| let rho = onion_utils::gen_rho_from_shared_secret(&control_tlvs_ss.secret_bytes()); | ||
| let receive_auth_key = node_signer.get_receive_auth_key(); | ||
| let phantom_auth_key = node_signer.get_expanded_key().phantom_node_blinded_path_key; |
There was a problem hiding this comment.
You could have None here in case the node isn't configured for phantom payments. I think that might help keep that case in mind for readers, and also saves some computation?
There was a problem hiding this comment.
Yea, we don't currently have a separate method on the signer that returns None in cases where we aren't doing phantom so we'd have to add a new key-fetcher (or bool-fetcher) to decide whether to do phantom validation. I thought about doing that but it seemed way cleaner to reuse the ExpandedKey (which is already used for all the inbound-payment key logic, including phantom). Its also not very much compute at all to just do one round of poly1305 + the finish logic so I'm not sure its worth the extra work.
|
👋 The first review has been submitted! Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer. |
TheBlueMatt
force-pushed
the
2025-01-phantom-bolt12
branch
from
8bbc7b1 to
736cab5
Compare
In the BOLT 11 world, we have specific support for what we call "phantom nodes" - creating invoices which can be paid to any one of a number of nodes by adding route-hints which represent nodes that do not exist. In BOLT 12, blinded paths make a similar feature much simpler - we can simply add blinded paths which terminate at different nodes. The blinding means that the sender is none the wiser. Here we add logic to fetch an `OfferBuilder` which can generate an offer payable to any one of a set of nodes. We retain the "phantom" terminology even though there are no longer any "phantom" nodes. Note that the current logic only supports the `invoice_request` message going to any of the participating nodes, it then replies with a `Bolt12Invoice` which can only be paid to the responding node. Future work may relax this restriction.
TheBlueMatt
force-pushed
the
2025-01-phantom-bolt12
branch
from
736cab5 to
5ef29ff
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #4335 +/- ##
==========================================
- Coverage 86.53% 86.08% -0.45%
==========================================
Files 158 156 -2
Lines 103188 102554 -634
Branches 103188 102554 -634
==========================================
- Hits 89292 88287 -1005
- Misses 11471 11772 +301
- Partials 2425 2495 +70
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
joostjager
left a comment
joostjager
left a comment
There was a problem hiding this comment.
No blocking comments. I do think that renaming the enum values would be a good idea. Curious to hear from 2nd reviewer.
| /// checked, effectively treating the contents as the AAD for the AAD-containing MAC but behaving | ||
| /// like classic ChaCha20Poly1305 for the non-AAD-containing MAC. | ||
| pub(crate) struct ChaChaDualPolyReadAdapter<R: Readable> { | ||
| pub(crate) struct ChaChaTriPolyReadAdapter<R: Readable> { |
There was a problem hiding this comment.
I think lower level unit tests do have value even if there are higher level tests already.
| let ChaChaDualPolyReadAdapter { readable, used_aad } = | ||
| ChaChaDualPolyReadAdapter::read(&mut reader, (rho, receive_auth_key.0)) | ||
| .map_err(|_| ())?; | ||
| let ChaChaTriPolyReadAdapter { readable, used_aad_a, used_aad_b } = |
There was a problem hiding this comment.
Why not use Local and Phantom in the enum? This adapter isn't used for anything else.
| .iter() | ||
| .filter(|chan| chan.is_usable) | ||
| .filter_map(|chan| chan.short_channel_id) | ||
| .min(), |
There was a problem hiding this comment.
Is that to maximize the chances that it still exist? Curious where the existing logic is located also.
| let keys_manager = if predefined_keys_ids.is_some() { | ||
| let mut seed = [i as u8; 32]; | ||
| if phantom { | ||
| // We would ideally randomize keys on every test run, but some tests fail in that case. |
There was a problem hiding this comment.
I think there are pros and cons. Fully deterministic tests are desirable too sometimes.
|
✅ Added second reviewer: @jkczyz |
3 participants
In the BOLT 11 world, we have specific support for what we call
"phantom nodes" - creating invoices which can be paid to any one of
a number of nodes by adding route-hints which represent nodes that
do not exist.
In BOLT 12, blinded paths make a similar feature much simpler - we
can simply add blinded paths which terminate at different nodes.
The blinding means that the sender is none the wiser.
Here we add logic to fetch an
OfferBuilderwhich can generate anoffer payable to any one of a set of nodes. We retain the "phantom"
terminology even though there are no longer any "phantom" nodes.
Note that the current logic only supports the
invoice_requestmessage going to any of the participating nodes, it then replies
with a
Bolt12Invoicewhich can only be paid to the respondingnode. Future work may relax this restriction.
Also,
Progress towards full solution for #4313, but enough to get folks started.