BOLT 8 - secure noise transport

2022-04-10 ยท 1 min read


Summary #

Lightning connections use a 1.5 RTT Noise_XK handshake, which means the listener pubkey is pinned and the dialer pubkey is negotiated in-band.

In contrast, we moved from Noise_XX to a 1 RTT Noise_IK handshake in diem's secure transport. Privacy was not a requirement, but minimizing responder DH ops (two) and network messages (none) before authentication rejection (had a well-defined list of acceptable inbound pubkeys) was more important to reduce DDoS surface for liveness-sensitive consensus protocol. We also tried to mitigate handshake replays, which isn't possible w/ XK or XX.

The lightning Noise messages also use an encrypted message length, which needs its own separate MAC.

The max ln message length is u16::MAX == 65535. The max ln packet size is

|msg len| + |msg len MAC| + |ln msg| + |ln msg MAC|
= 2 + 16 + 65535 + 16
= 65569