Keysend

[valentinewallace]

Based on #964

06/23/2021: Seeking concept ACKs for the API before adding tests

• Re this Slack discussion, implement keysend to private nodes

[codecov]

Codecov Report

Merging #967 (6dd6289) into main (d37b1dd) will decrease coverage by 0.03%.
The diff coverage is 88.09%.

@@            Coverage Diff             @@
##             main     #967      +/-   ##
==========================================
- Coverage   90.78%   90.75%   -0.04%     
==========================================
  Files          60       60              
  Lines       30926    31322     +396     
==========================================
+ Hits        28076    28426     +350     
- Misses       2850     2896      +46     

Impacted Files	Coverage Δ
lightning/src/util/events.rs	15.13% <0.00%> (-2.04%)	⬇️
lightning/src/ln/chanmon_update_fail_tests.rs	97.62% <81.48%> (-0.33%)	⬇️
lightning/src/ln/channelmanager.rs	85.80% <92.85%> (+0.94%)	⬆️
lightning/src/ln/functional_tests.rs	97.33% <93.75%> (-0.11%)	⬇️
lightning/src/ln/features.rs	99.70% <100.00%> (+<0.01%)	⬆️
lightning/src/ln/functional_test_utils.rs	94.90% <100.00%> (+0.03%)	⬆️
lightning/src/ln/msgs.rs	88.69% <100.00%> (+0.04%)	⬆️
lightning/src/ln/onion_route_tests.rs	97.11% <100.00%> (ø)
lightning/src/ln/onion_utils.rs	94.91% <100.00%> (+0.01%)	⬆️
lightning/src/routing/router.rs	95.94% <100.00%> (+0.01%)	⬆️
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d37b1dd...6dd6289. Read the comment docs.

[TheBlueMatt]

Concept ACK the (public) api changes.

[jkczyz]

Concept ACK

[TheBlueMatt]

Structure all looks good IMO, one request for more tests and a comment or two.

[TheBlueMatt]

Hmm, right, so to make this compatible we need to pull the impl_writeable_tlv_based apart and implement manually - if ClaimableType is Invoice we'll write the 4-type payment_data and if its Spontaneous we'll write an 8-type preimage. Its not ideal and we could just cheat here if we want, but IMO its not a ton of work here.

[valentinewallace]

I think I did this

[jkczyz]

nit: could you use a trailing comma so the blame layer for future additions don't affect this line?

[valentinewallace]

The macro gives me an error when I do this :/

[jkczyz]

Just to check my understanding, going from required to optional is ok, but going from optional to required would necessitate increasing the version number?

[valentinewallace]

I think there's ways to make both directions work depending on if you're willing to add a special case in the code for backwards-compatibility? @TheBlueMatt would have to confirm

[TheBlueMatt]

I think going from option to required is never allowed. If we move from option to required, and an old version "wrote" None, we'll fail to deserialize data written by an old node, which is not allowed unless we are deliberately breaking reading old versions (presumably after several sequential versions that always wrote Some so that you have to be reading very old data to fail).

[jkczyz]

If payment_secret were optional in InvoicePayment, would we be able to distinguish what the purpose is? In other words, should we encode this as an enum instead? Or would that break compatibility?

[valentinewallace]

In other words, should we encode this as an enum instead?

Could you clarify roughly what enum is being suggested? Didn't quite follow..

[jkczyz]

PaymentPurpose enum using impl_writeable_tlv_based_enum.

[valentinewallace]

Believe that'd break compatibility

[jkczyz]

Seems like as we change our data format more, the more complex our (de)serialization logic becomes as we can no longer use impl_writeable_tlv_based. I'm wondering if it would be any better to bump the version but support reading older versions. Then maybe you could condition on the version read and use a macro for implementing each version we'd like to support? I might be missing something about this, though.

[TheBlueMatt]

Hmm, I dont think bumping the version helps a ton, then we'd just have two copies of the deserialization logic - one for the old objects, and one for the new, and we'd have to switch between them based on the version. That just results in a code blowup that's almost equivalent, I think.

[jkczyz]

I guess then the versions would at least be fairly well delineated. Otherwise, if we refactor further there is more cognitive overhead in figuring out the various cases. But maybe at that point we'd just decided to bump versions. I don't feel strongly on this, but just want to point out the cost.

[jkczyz]

That said, if our version is only in topic-level structs (is it?) then we'd have to pass it through. So maybe not very feasible / clean?

[TheBlueMatt]

Right, I have a feeling sooner or later we'll adapt our read trait to pass a version number. I haven't bothered yet, but it may be required eventually. I agree we should be careful about growing bloat in read functions, maybe it makes sense to have a "we only support things written by versions as old as one year ago"-style policy.

[jkczyz]

Do we need to do this because we introduced an enum where there wasn't one before? Would it make sense to bump the version and serialize enums using the macro for doing so?

[valentinewallace]

Yeah: #967 (comment)

Would it make sense to bump the version and serialize enums using the macro for doing so?

Is this the same idea as in this comment? I'm pretty eager to get this PR out the door to unblock sphinx, but would love to get @TheBlueMatt's input on this idea since it does sound potentially nicer

[jkczyz]

Yeah, similar concern.

[TheBlueMatt]

We can't "just bump the version" since we want to at least try (I think) to be compatible where old versions can read new serialized data. Because some users will be synchronizing state across multiple applications that may upgrade at different times, I think we should generally try to at least have our data be readable by the previous version as long as you aren't using new features.

[TheBlueMatt]

I think going from option to required is never allowed. If we move from option to required, and an old version "wrote" None, we'll fail to deserialize data written by an old node, which is not allowed unless we are deliberately breaking reading old versions (presumably after several sequential versions that always wrote Some so that you have to be reading very old data to fail).

[ariard]

I think this comment could be clearer saying "an unknown preimage for the received payment hash" ?

I don't think this is true that we trigger a channel closure for an inbound HTLC of which the payment hash is unknown. See ChannelMonitor::should_broadcast_holder_commitment_txn, if the htlc is !htlc_outbound and we don't know a self.payment_preimages.contains_key(&htlc.payment_hash) so it doesn't matter for our payment logic has enough time to fail the HTLC backward ?

[valentinewallace]

I think this comment could be clearer saying "an unknown preimage for the received payment hash" ?

Added this!

[ariard]

What if the recipient did generate an invoice with a given payment hash and signals even payment_secret feature bit ? If the recipient is a LDK node, I think it'll fail the keysend reception as we don't allow payment_secret + keysend_preimage ?

Maybe a bit edgy but point to be cleared up with keysend specification ? Like invoice reception implies MUST NOT pay with keysend?

[TheBlueMatt]

Right, I think the behavior here is right, we should expect a "real" payment, the spec should mention this.

[ariard]

IIUC this case handling, if we've a valid (payment_secret, payment_hash) pair in self.pending_inbound_payments and we receive a latter keysend with the same hash, we fail the keysend instead of claiming ?

If you're an intermediary hop Mallory and you relay HTLC 1 hash X to final hop Bob, I think this let Mallory send a "final-receiver probing" keysend hash X to Bob and observe the early failure (PendingHTLCsForwardable vs PaymentReceived processing times diff) ? If this is correct, I'm not sure if it binds well the requirement laid out above ("Further, we must not expose whether we have any other HTLCs associated with the same payment_hash pending or not')...

[TheBlueMatt]

Grr good catch. Going one step up the stack, I wonder if we're gonna have users screw this up reliably too. If you're a user and doing accounting based on the payment_hash when you issue invoices, if you receive a keysend I can see users looking up the payment hash in their accounting database. I wonder if we should avoid exposing the keysend payment hash/preimage entirely. I guess some users may want them for other reasons, but we should go to great pains to point out in documentation that you MUST NEVER EVER co-mingle payment hash lookups between keysend and non-keysend. Maybe at least we should name the field differently to call it "keysend preimage" instead of "payment preimage"?

[ariard]

Can we avoid to return payment hash to avoid mangle with the accounting database ? I can foresee users willingly to know the preimage if it has any semantic sense like a pay-to-publish, privacy-preserving satoshi place. But within the keysend model I would say the payment hash should be ignored by the receiver there is no hash validation operation to realize against a database.

And if the receiver wants to prove delivery they can still manually hash the preimage. We can even return a prefixed preimage by concatening a "Lightning keysend" ?

You might even have worst collision, where a low-value keysend trigger the release of a virtual/physical good by your business logic, substituting to a regular high-value payment...?

[TheBlueMatt]

Right, disregard, I had made that comment before I saw your suggestion at #967 (comment)

[ariard]

Well I've a doubt if this doesn't introduce a weird payment censorship attack. Let's say an attacker observe that a payment invoice hash X has been issued by Alice. From now on, it will repeatedly send keysend X to Alice aiming to provoke a collision with honest HTLC X, thus triggering a reject.

Is the concern exposed sound ? I don't think the attacker even has to be on the honest HTLC payment path...

[TheBlueMatt]

Yea, but its solved by #967 (comment) as well, no?

[ariard]

What do you think about checking early that keysend preimage == HTLC hash and isn't pure junk, returning 0x4000|22 if it is ? May help with probing concerns expressed after.

[TheBlueMatt]

Ah! Yea, if we do that then we don't have to completely rewrite this whole PR to avoid the issues you noted at #967 (comment)

[ariard]

Yes i think that's okay to solve the issues. I had a concern with MPP payment where a preimage revealed could be replay as a probing keysend as long as the whole eMPP isn't settled but in fact we won't start the MPP settlement phase until all chunks have been received. And when we do so we remove the entry from pending_inbound_payments and as such the collision ?

[TheBlueMatt]

I think it doesn't matter either way - basically we would be using the payment preimage the same way we use the payment secret today - to authenticate that the sender of a given HTLC is the one authorized to send for that payment hash. We reliably check this authentication immediately upon HTLC receipt both for MPP and regular payments, and will just have to also do it for keysend.

[valentinewallace]

What do you think about checking early that keysend preimage == HTLC hash and isn't pure junk, returning 0x4000|22 if it is ? May help with probing concerns expressed after.

Added this check! Thanks for the thoughtful review Antoine

[ariard]

Just to be clear, this doesn't prevent honest keysend replay, where a buggy/hazardous payer sends twice a keysend with the same hash, even with different payment paths, and as such opens the payment to be claimed in-flight by an intermediary node ? Note, I think this is already a risk for any hashlock-based LN payment (variant of wormhole attacks...)

I would say we even care less that w.r.t to regular payments as we keysend the preimage doesn't have the proof-of-payment property plead most of the time ?

[valentinewallace]

Hmm, yes it does seem like keysend requires more thought than normal payments for replay situations. I don't think it would open up buggy clients to in-flight claims by an intermediate node though, because wouldn't the buggy client run into issues once they started "replaying" the whole update_add dance, preventing the HTLC from being successfully added to the commitment tx to begin with?

[ariard]

I mean the HTLC would appear under a new htlc_id. I'm thinking a situation similar to duplicate_htlc_test/test_duplicate_htlc_different_direction_onchain. Though nevermind, we don't prevent double-spend already for normal payments, see comment around send_payment.

[ariard]

See my points about payment fault-injection and the lowered cost of hash-collision in our ChannelMonitor.

I wonder if we shouldn't introduce a no_keysend_receive config setting. Previously, we have a cleaner separation between routing and payment endpoint, and a routing hop no eager to receive payments could have just not issue invoices at all. I think this is blurred by keysend, and you might have weird interactions to care about with potential higher application logic. E.g a third-party replaying hash trying to provoke undefined behaviors. Likely going to be worst if we implement MPP keysend.

I think we can address this config setting question in a follow-up, otherwise I believe the PR to be pretty mature. Great work overall!

[ariard]

I think we're bouncing between mentions of "spontaenous" or "keysend" payments across this PR to designate the same feature. LDK-user wise, maybe we should bind to a consistent naming ?

[valentinewallace]

@jkczyz I was thinking that people might want to specifically send either a keysend spontaneous payment or a non-keysend spontaneous payment if they know that the payee only supports one or the other. So, I'm somewhat in favor of switching all Spontaneous variable names to Keysend (including s/send_spontaneous_payment/send_keysend_payment). Thoughts?

[jkczyz]

My understanding was that Keysend is a specific type of spontaneous payment that is the predecessor to spontaneous AMP payments. They both seem either unintuitive or somewhat overloaded names and also are implementation details from a user's perspective.

On the receiving side (Event::PaymentReceived), does the user need to know what implementation was used to make the spontaneous payment? If not, I'd argue we shouldn't expose the implementation detail in our public API.

On the sending side (ChannelManager), how does the user know if the receiver accepts spontaneous payments and using which implementation? If via feature flags, could we chose which implementation to use based on the flags rather than making the user choose?

On the processing side, can these be generalized in any way?

I don't have definitive answers to these, but I'd imagine we could at least keep the first two generic (i.e., "spontaneous") and if needed make the third specific to the implementation.

[valentinewallace]

w/r/t:

On the receiving side (Event:: PaymentReceived), does the user need to know what implementation was used to make the spontaneous payment?
If via feature flags, could we chose which implementation to use based on the flags rather than making the user choose?

Not sure, pinged Sphinx for their thoughts last night. Hopefully they get back to me soonish

how does the user know if the receiver accepts spontaneous payments and using which implementation?

It's a little annoying right now... C-Lightning and Eclair advertise feature bit 55 if they support keysend, but iiuc lnd doesn't advertise any feature bits for keysend. So, right now you know if the receiver doesn't support keysend if they fail back the payment, but there's no good way to tell if they do support keysend.

[ariard]

Do you have concerns of fault-injection attacks against honest routing hops introduced with our keysend implementation ?

Let's say you have the following topology : A -> B -> C -> D -> E.
A is the payer, it draws a payment path to the payee E, going through B, C and D.
B receives a keysend X and from HTLC traffic A's habits assumes it's a keysend.
B knows a payment secret for C, which is also a merchant node and deliver on-demand.
B sends a regular payment X to C then A's keysend X.
C receives in-order the regular payment X then A's keysend X, provoking the failure of the keysend.
C returns an error to A as the source of the payment path failure.
A downgrades C's routing reputation and doesn't select it for future payment paths.

[TheBlueMatt]

C returns an error to A as the source of the payment path failure.

C Should only fail if the payment is to C. It should (maybe could use a test for this) still happily forward an HTLC with the same payment hash onwards.

[ariard]

Ah you're right, the relayed keysend payment shouldn't appear twice in pending_inbound_payments we won't generate a PaymentReceived.

[ariard]

I think keysend make it a bit easier to exploit our hash-collision in ChannelMonitor.payment_preimages.
Let's say you have the following topology : M1 -- A -- B -- M2
M1 and M2 are collusioning attackers.
M1 sends a keysend to A, populating its payment_preimages with H (ChannelManager::claim_funds_from_hop())
M1 sends a regular payment H to M2 via A and B
M2 breaks the chan, and pin the commitment, B will never update_fail_htlc to A before the forward payment is settled (is_resolving_htlc_output)
B goes onchain on the AB link as there is a pending inbound HTLC for which it knows the preimage.
M1 and M2 succeed to close a channel, of which they're not a counterparty
Attack can be made economically rational by batching, if B has neighboors C, D, E, ..., malicious HTLCs on their channels can be routed and made pending on the one M2's commitment
Previously, this attack would have require interactivity with B, like paying an invoice for each malicious HTLC

Ultimately, I don't think keysend is faultive, it's a known defect of our ChannelMonitor logic, so I don't believe there is anything to do on this PR...

[TheBlueMatt]

it's a known defect of our ChannelMonitor logic

If the attack starts with "M2 prevents a channel-close transaction from going onchain because of pinning" I don't think we have a bug, lightning has a bug :). There isn't anything we can do about this short of fixing Bitcoin Core.

[TheBlueMatt]

Needs rebase.

[ariard]

Code Review ACK 6dd6289, good on my side!

Thanks to adding coverage and can't think of of other weirdness. W.r.t to naming we can fix it with follow-ups once we have feedbacks from users.

[valentinewallace]

Code Review ACK 6dd6289, good on my side!

Thanks to adding coverage and can't think of of other weirdness. W.r.t to naming we can fix it with follow-ups once we have feedbacks from users.

Thanks, I agree, we can bikeshed on naming in follow-up

[TheBlueMatt]

Looks good mod one comment. Gonna go ahead and merge so we can move forward, but would be good to follow up.

[TheBlueMatt]

This also needs to mention that you should see send_payment for more details on the return value. Further, this needs to mention that the Route must only have at most one path. Finally, we need to actually check that, but not here - as far as I can see we don't currently require that non-payment-secret-containing sends don't contain more than one path, which we should do in send_payment_internal.

[jkczyz]

Thanks, I agree, we can bikeshed on naming in follow-up

SGTM