Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include request timing in threat model? Add timeout noise between polled requests? #440

Open
5 tasks
DanGould opened this issue Dec 11, 2024 · 0 comments
Open
5 tasks

Include request timing in threat model? Add timeout noise between polled requests? #440

DanGould opened this issue Dec 11, 2024 · 0 comments
Labels
payjoin-cli question Further information is requested

Comments

@DanGould
Copy link
Contributor

DanGould commented Dec 11, 2024
edited
Loading

Adding noise may make for better privacy against metadata timing attacks in some circumstances

For a given subdirectory ID, the amount of time in between requests that the directory sees before this change was 5 seconds + R_i, where R is the round trip latency to the relay and i indexes { Alice, Bob or Carol }.

The directory will is able to measure R_i indirectly before this change, and almost directly after it, thereby potentially identifying who is the receiver and who is the sender, since those roles are distinguishable based on the latency patterns of a pair of potentially related (i.e. temporally close but satisfying the ordering constraints of the BIP 77 messaging patterns). In other words R_i is potentially identifying metadata that leaks for each subdirectory, and by correlating different subdirectories (for which differences in this noisy measurement are helpful), the directory could still heuristically identify the parties involved, or at least learn some information or constraints about them with the same difficulty both before and after this change.

If on the other hand the spec encouraged clients to first sample some additional noise to artificially add to the latency, I believe that would address the conern desscribed in the PR more comprehensively than simply divergence in fixed values chosen by different implementations.

Note that this noise could in principle be negative too, by sending the next request slightly before an in flight one is expected to time out and return, at the cost of a low probability of small waste in bandwidth.

...
I'm not convinced such metadata leaks are justifiably in the threat model. Thoughts?

Originally posted by @nothingmuch in #436 (review)

  • Calculate under which traffic conditions timing analysis exposes an attack to which adversaries with vs without noise between requests
  • Decide if this can be rolled out optionally or gradually in only a few implementations, or if it must be enforced in all implementations given that live implementations make OHTTP requests without any noise
  • Decide yea or nay to include timing attacks in the threat model
  • If yea, Document the decision in BIP 77
  • If yea, Implement in payjoin-cli reference and other implementations under our maintainership
@DanGould DanGould added question Further information is requested payjoin-cli labels Dec 11, 2024
@DanGould DanGould changed the title Consider adding noise between polled requests Include request timing in threat model? Add timeout noise between polled requests? Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
payjoin-cli question Further information is requested
Projects
Payjoin Roadmap 📝
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DanGould