[noise] Lightning protocol Noise variation

Janus Troelsen ysangkok at gmail.com
Thu Jan 9 12:03:17 PST 2020


Hi list!

I sent Alex Wied a PR[0] on his cacophony project (Noise
implementation in Haskell) to add support for the variation of Noise
used in the Lightning protocol. The Lightning protocol is specced in
the lightning-rfc repository, and there is a document in the repo
detailing the transport encryption used.[1]

Alex suggested I bring up the variation of key rotation on this list,
to probe the community. As I have linked in the PR, and if I
understand correctly, one lightning-rfc spec writer claims that
Lightning uses the key rotation it does (with two chaining keys)
because it was developed before key rotation was added to Noise. The
chat logs of my interaction with him (Roasbeef) are available.[2]

I am not a cryptographer myself, but I have implemented the Lightning
transport encryption protocol a few times now. There are other widely
used implementations in ACINQ's Eclair, Blockstream's c-lightning
(also has an implementation in Python), and Lightning Labs' LND.

All these live implementations are used with real Bitcoin, so it would
be nice if we could establish whether this variant is officially
sanctioned. I find it a bit confusing that Lightning ended up using
Noise, but apparently not in a fully-standardized way. This wasn't
clear to me before I started adding Lightning support to a Noise
implementation that wasn't explicitly written for Lightning.

Looking forward to any comments, especially from Trevor, whom
Roasbeef claimed he had been in contact with. My goal is to have the
community agree that the approach used in Lightning is safe and sound.

Regards,
Janus Troelsen

[0]: https://github.com/centromere/cacophony/pull/13
[1]: https://github.com/lightningnetwork/lightning-rfc/blob/master/08-transport.md,
see section "Lightning Message Key Rotation"
[2]: http://gnusha.org/lightning-dev/2019-12-23.log , look around 11:25
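
The rotation the post asks about, following the steps in the "Lightning Message Key Rotation" section of [1], as an added example (not part of the original post, and not code from cacophony or any Lightning implementation). The names `hkdf2`, `DirectionState` and `split` are hypothetical, the AEAD call itself is left out, and rotating once nonce 999 has been used is this example's reading of the 1000-use rule.

```python
import hashlib
import hmac

ROTATE_AFTER = 1000  # uses of one key before it is rotated (per [1])


def hkdf2(salt: bytes, ikm: bytes) -> tuple:
    """HKDF-SHA256 (RFC 5869) with empty info, 64 bytes out, split in two."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out1 = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(prk, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


class DirectionState:
    """One direction of the transport: key k, nonce n, and its own chaining key."""

    def __init__(self, ck: bytes, k: bytes):
        self.ck, self.k, self.n = ck, k, 0
        self.rotations = 0

    def next_key_and_nonce(self) -> tuple:
        """Return (k, n) for the next AEAD call, then advance and rotate if due."""
        k, n = self.k, self.n
        self.n += 1
        if self.n == ROTATE_AFTER:
            # ck', k' = HKDF(ck, k); the old key is overwritten and forgotten.
            self.ck, self.k = hkdf2(self.ck, self.k)
            self.n = 0
            self.rotations += 1
        return k, n


def split(final_ck: bytes) -> tuple:
    """Initiator's view after Act Three: sk, rk = HKDF(ck, ""), sck = rck = ck.

    Both directions start from the same chaining key but keep separate
    copies, which is the "two chaining keys" the post mentions.
    """
    sk, rk = hkdf2(final_ck, b"")
    return DirectionState(final_ck, sk), DirectionState(final_ck, rk)
```

Noise's own `Rekey()` derives the new key from the old key alone, so the per-direction chaining key kept here is the part that differs from the standard.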

