WIP [don’t merge] Add BIP324 - Version 2 Peer-to-Peer Message Transport Protocol #1024

pull jonasschnelli wants to merge 1 commits into bitcoin:master from jonasschnelli:master changing 2 files +474 −0
  1. jonasschnelli commented at 8:49 am on October 21, 2020: contributor
  2. jonasschnelli added the label New BIP on Oct 21, 2020
  3. jonatack commented at 9:00 am on October 21, 2020: contributor
    Concept ACK
  4. dr-orlovsky commented at 10:14 am on October 22, 2020: contributor
    Question: why not to stick to the same messaging structure used by the current LN and increase the number of encoding standards/protocol/library code?
  5. jonasschnelli commented at 12:13 pm on October 22, 2020: contributor

    @dr-orlovsky I think BOLT8 is very similar to the proposed AEAD scheme we use in BIP324. I guess BOLT8 was inspired by BIP151 which is the predecessor of BIP324. The main differences are the handshake as well as the MACing of the encrypted length.

    The reason why I don’t think using BOLT8 directly are the following:

    • LN nodes have static node keys (nodeid), Bitcoin doesn’t. Bitcoin Nodes try to be non fingerprintable.
    • One goal of designing BIP324 was to not increase the bandwidth (traffic) requirement of peers. My observations shows that roughly 50% of all sent and receives bitcoin messages of a node are <= 64 bytes (even higher for pruned peers). Adding another 16byte MAC for each package would increase the traffic requirement significant (IMO without reasonable security benefits).
  6. Add BIP324 - Version 2 Peer-to-Peer Message Transport Protocol 2d331e8a89
  7. jonasschnelli force-pushed on Oct 30, 2020
  8. in bip-0324.mediawiki:18 in 2d331e8a89
    13+
    14+This BIP describes a new Bitcoin peer to peer transport protocol with opportunistic encryption.
    15+
    16+== Motivation ==
    17+
    18+The current peer-to-peer protocol is partially inefficient and in plaintext.
    


    ysangkok commented at 9:56 pm on October 31, 2020:

    I don’t like “current” for the same reason I don’t like it on Wikipedia, it will be weird reading this document in 5 years. Better just write “the P2P protocol supported in Bitcoin 0.20.1”.

    “partially inefficient” in which way? Because of the double-SHA256? Surely the lack of encryption isn’t inefficient, which is what most of the section talks about. I would at least just remove “partially”, inefficiency isn’t black/white in any case, so the word “partially” doesn’t add anything.


    ysangkok commented at 10:39 pm on October 31, 2020:
    Maybe link to the section “Length comparisons between v1 and v2 messages” as a reference for the inefficiency.
  9. in bip-0324.mediawiki:14 in 2d331e8a89
     9+  License: PD
    10+</pre>
    11+
    12+== Abstract ==
    13+
    14+This BIP describes a new Bitcoin peer to peer transport protocol with opportunistic encryption.
    


    ysangkok commented at 9:56 pm on October 31, 2020:
    Inconsistent hyphenation in peer-to-peer
  10. in bip-0324.mediawiki:24 in 2d331e8a89
    19+
    20+With the current unencrypted message transport, BGP hijack, block delay attacks and message tampering are inexpensive and can be executed covertly (undetectable MITM)<ref>[https://btc-hijack.ethz.ch/files/btc_hijack.pdf Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - M. Apostolaki, A. Zohar, L.Vanbever]</ref>.
    21+
    22+Adding opportunistic encryption introduces a high risk for attackers of being detected. Peer operators can compare encryption session IDs or use other form of authentication schemes <ref name="bip150">[https://github.com/bitcoin/bips/blob/master/bip-0150.mediawiki BIP150]</ref> to identify an attack.
    23+
    24+Each current version 1 Bitcoin peer-to-peer message uses a double-SHA256 checksum truncated to 4 bytes. Roughly the same amount of computation power would be required for encrypting and authenticating a peer-to-peer message with ChaCha20 & Poly1305.
    


    ysangkok commented at 9:59 pm on October 31, 2020:
    It would be nice if there were some rough figures referenced here, maybe in seconds per byte?
  11. in bip-0324.mediawiki:28 in 2d331e8a89
    23+
    24+Each current version 1 Bitcoin peer-to-peer message uses a double-SHA256 checksum truncated to 4 bytes. Roughly the same amount of computation power would be required for encrypting and authenticating a peer-to-peer message with ChaCha20 & Poly1305.
    25+
    26+Additionally, this BIP describes a way to identify data which has been manipulated by peers (intercepting, then blocking or tampering with messages).
    27+
    28+Encrypting traffic between peers is already possible with VPN, tor, stunnel, curveCP or any other encryption mechanism on a deeper OSI level, however, most of those solutions require significant technical experience in setting up a secure channel and are therefore not widely deployed.
    


    ysangkok commented at 10:02 pm on October 31, 2020:
    Why invoke OSI? It is not clear what is deep in OSI. Apparently it is anything that can wrap the Bitcoin P2P protocol. But such a protocol could also leverage the application layer. I think it would be better to just say it can wrap Bitcoin.
  12. in bip-0324.mediawiki:58 in 2d331e8a89
    53+
    54+A peer usually learns an address along with the expected service flags which MAY be used to filter possible outbound peers.
    55+
    56+A peer signaling <code>NODE_P2P_V2</code> MUST accept encrypted communication specified in this proposal.
    57+
    58+Peers MAY only make outbound connections to peers supporting <code>NODE_P2P_V2</code>.
    


    ysangkok commented at 10:07 pm on October 31, 2020:

    Before you connect, you can’t know whether the node supports V2. Why not say “maintain” instead of “make”?

    Why is “peers” plural here, when it is singular above? An implementer of this BIP will write node software for a single peer, so I think singular works better. Better use plural for the other nodes.

  13. in bip-0324.mediawiki:67 in 2d331e8a89
    62+<pre>
    63+ ----------------------------------------------------------------------------------------
    64+ | Initiator                             Responder                                      |
    65+ |                                                                                      |
    66+ | x, X         := SECP256k1_KEYGEN()                                                   |
    67+ | CLIENT_HDATA := X                                                                    |
    


    ysangkok commented at 10:07 pm on October 31, 2020:
    What does HDATA stand for?
  14. in bip-0324.mediawiki:83 in 2d331e8a89
    78+ ----------------------------------------------------------------------------------------
    79+</pre>
    80+
    81+To request encrypted communication (only possible if yet no other messages have been sent or received), the initiating peer generates an EC secp256k1 ephemeral key and sends the corresponding 32-byte public key to the responding peer and waits for the remote 32-byte public key from the counterparty.
    82+
    83+ODD secp256k1 public keys MUST be used (public keys starting with 0x02). If the public key from the generated ephemeral key is an EVEN public key (starting with 0x03), its public key SHOULD be negated and then recalculated.
    


    ysangkok commented at 10:09 pm on October 31, 2020:
    What does it mean to recalculate after negating?
  15. in bip-0324.mediawiki:86 in 2d331e8a89
    81+To request encrypted communication (only possible if yet no other messages have been sent or received), the initiating peer generates an EC secp256k1 ephemeral key and sends the corresponding 32-byte public key to the responding peer and waits for the remote 32-byte public key from the counterparty.
    82+
    83+ODD secp256k1 public keys MUST be used (public keys starting with 0x02). If the public key from the generated ephemeral key is an EVEN public key (starting with 0x03), its public key SHOULD be negated and then recalculated.
    84+Only using ODD public keys makes it more complex to identify the handshake based on analyzing the traffic.
    85+
    86+The handshake request and response message are raw 32byte payloads containing no header, length or checksum (the pure 32byte payload) and MUST be sent before anything else.
    


    ysangkok commented at 10:09 pm on October 31, 2020:
    32byte without spacing or hyphenation is weird.

    ysangkok commented at 10:13 pm on October 31, 2020:
    what does “pure” mean? seems like this is the only place you use that term.
  16. in bip-0324.mediawiki:97 in 2d331e8a89
    92+do {
    93+    ecdh_key.MakeNewKey();
    94+    if (ecdh_key.GetPubKey()[0] == 3) {
    95+        ecdh_key.Negate();
    96+    }
    97+} while (m_ecdh_key.GetPubKey()[0..3] == NETWORK_MAGIC);
    


    ysangkok commented at 10:09 pm on October 31, 2020:
    Would be good to specify that this indexing is inclusive, since not all languages work like that.
  17. in bip-0324.mediawiki:88 in 2d331e8a89
    83+ODD secp256k1 public keys MUST be used (public keys starting with 0x02). If the public key from the generated ephemeral key is an EVEN public key (starting with 0x03), its public key SHOULD be negated and then recalculated.
    84+Only using ODD public keys makes it more complex to identify the handshake based on analyzing the traffic.
    85+
    86+The handshake request and response message are raw 32byte payloads containing no header, length or checksum (the pure 32byte payload) and MUST be sent before anything else.
    87+
    88+Public keys starting with the 4-byte network magic are forbidden and MUST lead to local regeneration of an ephemeral-key.
    


    ysangkok commented at 10:12 pm on October 31, 2020:
    here you hyphenate ephemeral-key, but above it is written without the hyphen but with a space
  18. in bip-0324.mediawiki:102 in 2d331e8a89
     97+} while (m_ecdh_key.GetPubKey()[0..3] == NETWORK_MAGIC);
     98+</pre>
     99+
    100+Once a peer has received the public key from its counterparty, the shared secret MUST be calculated by using secp256k1 ECDH.
    101+
    102+Private keys will never be transmitted. The shared secret can only be calculated if an attacker knows at least one private key and the counterparty's public key. This key-exchange is based on the discrete log problem and thus not sufficiently strong against known forms of possible quantum computer algorithms. Adding an additional quantum resistant key exchange like NewHope is possible but out of scope for this proposal.
    


    ysangkok commented at 10:13 pm on October 31, 2020:
    is it necessary to use “will” here? Can’t one of the capitalized RFC verbs be used?
  19. in bip-0324.mediawiki:109 in 2d331e8a89
    104+After a successful handshake, messages MUST use the "v2 messages structure". Non-encrypted v1 messages from the initiating peer MUST lead to an immediate connection termination.
    105+
    106+After a successful handshake, both peers MUST wipe the ephemeral-session-key from memory and/or persistence storage.
    107+
    108+A peer not supporting this proposal will not perform the described handshake and thus send a v1 version message.
    109+Peers supporting this BIP MAY optionally allow unencrypted v1 communication by detecting a v1 version message by the initial 11-byte sequence of <code>4byte net magic || "version"</code>.
    


    ysangkok commented at 10:19 pm on October 31, 2020:

    I suggest changing plural for singular.

    If it is a MAY there is no need to say “optionally”. Also, I don’t think you can say “detecting by”. Maybe a native speaker like @jnewbery can chime in. I’d suggest “allow unencrypted v1 communication after detecting a v1 version message with its 11 byte prefix 4byte net magic || "version"

  20. in bip-0324.mediawiki:113 in 2d331e8a89
    108+A peer not supporting this proposal will not perform the described handshake and thus send a v1 version message.
    109+Peers supporting this BIP MAY optionally allow unencrypted v1 communication by detecting a v1 version message by the initial 11-byte sequence of <code>4byte net magic || "version"</code>.
    110+
    111+=== Symmetric Encryption Cipher Keys ===
    112+
    113+Once the ECDH secret (<code>ECDH_KEY</code>) is calculated on each side, the symmetric encryption cipher keys MUST be derived with HKDF <ref>[https://tools.ietf.org/html/rfc5869 HKDF (RFC 5869)]</ref> after the following specification:
    


    ysangkok commented at 10:23 pm on October 31, 2020:
    • “Once the secret is calculated on each side” -> “Once the secret has been calculated on both sides”
    • “with HKDF” -> “with the HKDF”
    • “after the following specification” -> “using the following specification”

    These are just my suggestions, I think it is easier to read but a native speaker like @jnewbery could confirm.

  21. in bip-0324.mediawiki:140 in 2d331e8a89
    135+
    136+=== ChaCha20-Poly1305@Bitcoin Cipher Suite ===
    137+
    138+==== Background ====
    139+
    140+ChaCha20-Poly1305@Bitcoin AEAD is almost identical to the openSSH version <ref>[https://github.com/jhcloos/openssh-chacha-poly1305/blob/master/PROTOCOL.chacha20poly1305]</ref>. The only difference to the @openSSH version is that the @Bitcoin version has a 3 byte package length (instead 4) and reuses the remaining bytes of the ChaCha20 round (21 length field encryption per ChaCha20 round; 21 x 3 < 64).
    


    ysangkok commented at 10:23 pm on October 31, 2020:

    openSSH -> OpenSSH.

    What does the ampersand mean?

    I think the x is multiplication, but I’d suggest just spelling it out instead: “21 times 3 is less than 64”.

  22. in bip-0324.mediawiki:142 in 2d331e8a89
    137+
    138+==== Background ====
    139+
    140+ChaCha20-Poly1305@Bitcoin AEAD is almost identical to the openSSH version <ref>[https://github.com/jhcloos/openssh-chacha-poly1305/blob/master/PROTOCOL.chacha20poly1305]</ref>. The only difference to the @openSSH version is that the @Bitcoin version has a 3 byte package length (instead 4) and reuses the remaining bytes of the ChaCha20 round (21 length field encryption per ChaCha20 round; 21 x 3 < 64).
    141+
    142+ChaCha20 is a stream cipher designed by Daniel Bernstein and described in <ref>[http://cr.yp.to/chacha/chacha-20080128.pdf ChaCha20]</ref>. It operates by permuting 128 fixed bits, 128 or 256 bits of key, a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output is used as a keystream, with any unused bytes simply discarded.
    


    ysangkok commented at 10:27 pm on October 31, 2020:

    “any unused bytes simply discarded” -> “unused bytes discarded”.

    “128 or 256 bits”. Surely this must be fixed for the purposes of this spec? If one of these configurations is unused in this BIP, maybe it would be nice to explain which one it is. If they can somehow both be used, it would be nice with a pointer to the section where this is selected.

  23. in bip-0324.mediawiki:146 in 2d331e8a89
    141+
    142+ChaCha20 is a stream cipher designed by Daniel Bernstein and described in <ref>[http://cr.yp.to/chacha/chacha-20080128.pdf ChaCha20]</ref>. It operates by permuting 128 fixed bits, 128 or 256 bits of key, a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output is used as a keystream, with any unused bytes simply discarded.
    143+
    144+Poly1305 <ref>[http://cr.yp.to/mac/poly1305-20050329.pdf Poly1305]</ref>, also by Daniel Bernstein, is a one-time Carter-Wegman MAC that computes a 128 bit integrity tag given a message and a single-use 256 bit secret key.
    145+
    146+The chacha20-poly1305@bitcoin combines these two primitives into an authenticated encryption mode. The construction used is based on that proposed for TLS by Adam Langley in <ref>[http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley]</ref>, but differs in the layout of data passed to the MAC and in the addition of encryption of the packet lengths.
    


    ysangkok commented at 10:31 pm on October 31, 2020:

    I suggest “The construction is based on a proposal for TLS”.

    When you say “in addition”, I think you mean that this is yet another difference. But since this is a text using mathematics, I think it would be better to avoid this phrasing and instead say “…, but differs in the layout of the data passed to the MAC. It also encrypts the packet lengths differently.”

  24. in bip-0324.mediawiki:154 in 2d331e8a89
    149+
    150+The chacha20-poly1305@bitcoin cipher requires two 256 bits of key material as output from the key exchange. Each key (K_1 and K_2) are used by two separate instances of chacha20.
    151+
    152+The instance keyed by K_1 is a stream cipher that is used only to encrypt the 3 byte packet length field and has its own sequence number. The second instance, keyed by K_2, is used in conjunction with poly1305 to build an AEAD (Authenticated Encryption with Associated Data) that is used to encrypt and authenticate the entire packet.
    153+
    154+Two separate cipher instances are used here so as to keep the packet lengths confidential (best effort; for passive observing) but not create an oracle for the packet payload cipher by decrypting and using the packet length prior to checking the MAC. By using an independently-keyed cipher instance to encrypt the length, an active attacker seeking to exploit the packet input handling as a decryption oracle can learn nothing about the payload contents or its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). Active observers can still obtain the message length (ex. active ciphertext bit flipping or traffic shemantics analysis)
    


    ysangkok commented at 10:33 pm on October 31, 2020:
    I suggest “e.g.” instead of “ex.”. “Shematics” is not a word. Do you mean “schematics” or “semantics”?
  25. in bip-0324.mediawiki:162 in 2d331e8a89
    157+
    158+==== Packet Handling ====
    159+
    160+When receiving a packet, the length must be decrypted first. When 3 bytes of ciphertext length have been received, they may be decrypted.
    161+
    162+A ChaCha20 round always calculates 64bytes which is sufficient to encrypt a 3 bytes length field 21 times (21*3 = 63). The length field sequence number can thus be used 21 times (keystream caching).
    


    ysangkok commented at 10:34 pm on October 31, 2020:
    Here you use * for multiplication, it should be consistent with the other inline formulas. I suggest using full English words so that it is clear.
  26. in bip-0324.mediawiki:164 in 2d331e8a89
    159+
    160+When receiving a packet, the length must be decrypted first. When 3 bytes of ciphertext length have been received, they may be decrypted.
    161+
    162+A ChaCha20 round always calculates 64bytes which is sufficient to encrypt a 3 bytes length field 21 times (21*3 = 63). The length field sequence number can thus be used 21 times (keystream caching).
    163+
    164+The length field must be enc-/decrypted with the ChaCha20 keystream keyed with K_1 defined by block counter 0, the length field sequence number in little endian and a keystream position from 0 to 60.
    


    ysangkok commented at 10:35 pm on October 31, 2020:

    I suggest replacing “enc-/decrypted” with “encrypted/decrypted”.

    ‘Little endian" is not hyphenated the same as above.

  27. in bip-0324.mediawiki:202 in 2d331e8a89
    197+
    198+The responding peer MUST use <code>K_1_A, K_2_A</code> to decrypt messages on the receive channel, <code>K_1_B, K_2_B</code> MUST be used to encrypt messages on the send channel.
    199+
    200+Optimized implementations of ChaCha20-Poly1305@bitcoin are relatively fast, therefore it is very likely that encrypted messages will not require additional CPU cycles per byte when compared to the current unencrypted p2p message format (ChaCha20/Poly1305 versus double SHA256).
    201+
    202+The initial packet sequence numbers are 0.
    


    ysangkok commented at 10:37 pm on October 31, 2020:
    Since there is only one initial element of anything, I suggest using singular.
  28. in bip-0324.mediawiki:290 in 2d331e8a89
    285+| 16 || MAC tag || ? || 128bit MAC-tag
    286+|}
    287+
    288+Encrypted messages do not have the 4byte network magic.
    289+
    290+The maximum message size is 2^23 (8,388,608) bytes. Future communication MAY exceed this limit and thus MUST be split into different messages.
    


    ysangkok commented at 10:37 pm on October 31, 2020:
    To make it clear that this is not xor, one could spell out “to the power of”.
  29. in bip-0324.mediawiki:409 in 2d331e8a89
    404+
    405+The Re-Keying must be done after every 1GB of data sent (recommended by RFC4253 SSH Transport) or if the last rekey was more than an hour ago.
    406+
    407+Peers calculate the counterparty limits and MUST disconnect immediately if a violation of the limits has been detected.
    408+
    409+=== Test Vectors ===
    


    ysangkok commented at 10:38 pm on October 31, 2020:
    why not put this in a CSV file so that it can easily be tested?
  30. in bip-0324.mediawiki:224 in 2d331e8a89
    219+ |                                    msg   := AEAD(k=K_1_A,K_2_A, n=0, ..., MSG_A_CIPH)  |
    220+ |                                                                                        |
    221+ ------------------------------------------------------------------------------------------
    222+</pre>
    223+
    224+==== AEAD Test Vectors ====
    


    ysangkok commented at 10:39 pm on October 31, 2020:
    These could be in a CSV file.
  31. ysangkok changes_requested
  32. jonasschnelli renamed this:
    Add BIP324 - Version 2 Peer-to-Peer Message Transport Protocol
    WIP [don't merge] Add BIP324 - Version 2 Peer-to-Peer Message Transport Protocol
    on Nov 3, 2020
  33. narich approved
  34. luke-jr commented at 2:51 pm on May 5, 2022: member
    @jonasschnelli Are you still working on this?
  35. michaelfolkson commented at 3:28 pm on May 5, 2022: contributor
    @luke-jr: I think @dhruv has taken over work on BIP 324. In fact (assuming @dhruv agrees) this PR could probably be closed in favor of a future PR from @dhruv.
  36. dhruv commented at 3:38 pm on May 5, 2022: contributor
    @michaelfolkson @luke-jr I agree we can close this PR. The new new draft is very different and reviewing the diff will not make sense. I will link this closed PR in the new one.
  37. luke-jr closed this on May 5, 2022

  38. dhruv cross-referenced this on Oct 7, 2022 from issue Add BIP324: v2 P2P Transport Protocol by dhruv
  39. bitcoin deleted a comment on Oct 21, 2022
  40. bitcoin locked this on Oct 21, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-26 19:10 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me