PSKv2

[emschwartz]

Transport protocol that handles encryption, fulfillment and condition generation, end-to-end quoting, and chunked payments.

There are still a number of TODOs scattered throughout the spec but I figured we might as well get the discussion going.

Curious to hear if you think all the description up front is helpful or makes the protocol seem more complicated than necessary. Should we cut that down, move more to the appendix, or add more explanation?

Please leave comments inline (as opposed to in the conversation view) so we can keep discussion threads together.

[michielbdejong]

Can it also be used for test payments and/or stats collection?

[emschwartz]

Sure it can be used for test payments, but would those be any different from normal payments or quotes? If not, I'm not sure it needs to be documented here

[michielbdejong]

Strictly speaking, in ILQP the receiver cannot lie about how much arrives, unless they run the destination ledger

[emschwartz]

"or they could run a connector that happens to have a bad exchange rate to their destination units"

[michielbdejong]

running one such connector wouldn't make a difference, the network would route around it using other connectors to reach the destination ledger

[michielbdejong]

Comments inline.

[adrianhopebailie]

Strongly recommend using the format from RFC8188 rather than making up our own.
See: http://httpwg.org/specs/rfc8188.html#header

This would make PKS over ILP over HTTP compliant with RFC8188.

[emschwartz]

This would make PKS over ILP over HTTP compliant with RFC8188.

This wouldn't be true if we bring back the ILP packet, because the HTTP body will be the ILP packet and this envelope will be inside there. I think it's more important to be consistent with the rest of our stack (using OER)

[adrianhopebailie]

I agree. This makes me sad 😢

1. Put ILP Address in HTTP headers use RFC 8188 as is. Profit
   OR
2. Put ILP Address in packet in body. Invent everything from scratch.

[emschwartz]

@justmoon brought up the point: do we need purely informational quotes or should these be removed?

If on a normal payment the receiver will tell you how much arrived, the sender could just use an actual payment to determine the rate for the path. It seems like the main problem would be that the rounding error could get quite large if you send a super tiny payment first. That would also mean you need to pay a small amount for quotes, but that might not be the worst thing.

Thoughts?

[sentientwaffle]

If a quote is a "Payment Chunk Request" with the "Chunk Minimum" set to the max uint64, then it won't actually cost anything.

[emschwartz]

That's a great point. I'm going to update it to remove the quote request and response types. It's very cool that that means we can use the same request/response/error packets to handle quotes, one-off payments, and chunked payments.

[sharafian]

Extensions must be ignored if you don't implement the logic to handle OER extensions. "Always 0" implies that a parser should verify that the extensions byte is zero, which would actually break extensibility.

[sharafian]

Maybe include the length prefix for the application data in this diagram

[emschwartz]

I'd like to but I'm not sure how to illustrate a variable length prefix...

[sentientwaffle]

I think that refunds are an uncommon enough case that psk shouldn't account for them.

[adrianhopebailie]

What's the motivation for defining a binary packet format?

[emschwartz]

1. We need some encoding format
2. There's no reason to have the overhead of including the keys as strings, since we know what they are up front
3. Might as well make it consistent with the rest of our stack by using OER
4. We don't need this layer to have the "extensible by anyone" quality that a string-based key-value map would provide. You can stick whatever additional data you want in the Application Data part

What else would you propose?

[adrianhopebailie]

I think pushing OER (or any binary encoding) up to this layer is a mistake because it is passed opaquely through all intermediaries so the interoperability requirement is significantly diminished.

Only the sender and receiver need to interpret this so it's more likely to be implemented by clients than connectors and something more common at this layer (like JSON) just seems like a better natural fit.

[emschwartz]

It is only the sender and receiver that need to implement this, but the sender and receiver also need to support OER to send and receive ILP packets.

[adrianhopebailie]

The implementation of different layers of the stack is likely to come from different libraries and a sender/receiver is also likely to support multiple transport layer protocols so I don't think using OER just because it's used in ILP is a good argument.

That said, I think it makes more sense at to do this at the transport layer than the application layer.

[emschwartz]

Agreed, I think many application layer protocols will use JSON or some other "friendlier" encoding. If that's the case though, that's all the more reason to have as minimal byte overhead as possible in the transport layer so the application layer can send more data.

In most cases I would expect the ILP and PSK2 modules to be implemented roughly at the same time, by the same people. If you're building a sender or receiver right now you'll need both, and I think that is a good place to get started for an implementation.

[dappelt]

Typo determeined and gettting

[dappelt]

If there is only one path, the connectors do not need to do anything sneaky to drive up the rate.

What do you mean exactly with "sneaky"? If there is only one path, there are many sneaky ways how a connector could steal from a sender/receiver (e.g. increasing the rate half-way through the payment).

[emschwartz]

The point is that there's no benefit to for them to do this in a sneaky way. They can simply charge a higher rate up front, since there's nowhere else to go. Sending a chunked payment is no worse than sending a single payment in this case.

[dappelt]

If such a connector sets a higher rate up front, a customer could simply not send the transfer at all. By providing a cheaper rate initially and increasing the rate half-way through the sender is trapped: Either he finishes the payment at the higher rate or he asks the receiver for a refund, for which the connector would also apply the higher rate. Either way, the sender is trapped.

I propose to drop the sentence If there is only one path, the connectors do not need to do anything sneaky to drive up the rate.

[michielbdejong]

By payment amount and chunk amount, do you mean transfer amount and packet amount? Why would anyone forward such a payment if the transfer amount is zero?

[emschwartz]

No, it means the fields called Payment Amount and Chunk Amount in the PSK data packet defined below

[michielbdejong]

I would prefer to use ilqp in this case

[emschwartz]

I don't think that will realistically be an option. As I've said before, ILQP doesn't work unless every connector supports it and/or every connector pushes up to date price information to one another very frequently. This is a high burden to place on the connectors that isn't necessary if senders can get the same information in a different way that doesn't require a specific feature from the connectors.

[michielbdejong]

I think we should rename this to PSK-chunked, so that it doesn't imply deprecating current interledger. That's the nice thing about having an hourglass stack; multiple things can be built on top of Interledger's chained hashlocks.

[emschwartz]

I do think we should deprecate the ILP packet type with the amount in it and ILQP.

We are trying to create interoperability. Having multiple different protocols at the core interoperability layer means more that everyone needs to agree on and implement and I don't think they provide enough substantive benefit to merit the cost. Someone could build another set of protocols using the same chaining idea as ILP, but it's not our concern because it wouldn't actually be interoperable.

Forwarded payments are a much simpler and more generic building block, as evidenced by the fact that you can build the three different flows described in this spec using only that one connector feature. I would strongly argue that this is the right building block to standardize on at the Inyerledger layer.

[michielbdejong]

more that everyone needs to agree on and implement

I think that's an illusion. For ledgers and ledger plugins, it doesn't matter because they treat the packet as opaque. The question is how connectors can be interoperable with each other.

Of course connectors need to talk each other's complex language to do complex things like path finding, liquidity management, and dynamic pricing. So yes, interoperability between connectors will be hard, regardless of whether we make the interledger layer a thick layer or a thin layer.

The beauty is that the ledger requirements are low: to become interoperable, a ledger just needs to support timed sha256 hashlock escrow + messaging, and if the ledger supports both (or the messaging is added in a way that makes sense for that ledger) then someone needs to write a plugin for that ledger, done. That doesn't change by moving quoting and path finding up or down in the stack.

[adrianhopebailie]

I do think we should deprecate the ILP packet type with the amount in it and ILQP.

I agree that we should deprecate the ILP packet with the amount (we need one or the other in the ILP layer).

I'm not sure about ILQP. It is not a fundamental part of ILP but that doesn't mean it may not be used between connectors. i.e. It's not part of ILP but it may still be used so it's probably out of place in the ILP packet definitions but not entirely useless

[michielbdejong]

The destination amount can easily be considered to be implied by the transfer amount, so I wouldn't be so opposed to moving it into the packet data. We could also say ILQP is part of the connector-to-connector (and/or sender-to-connector) layer, the fact that we have ilp-packet types for ILQP just makes it easy to send such messages as a payload to some other account on the same ledger

[emschwartz]

Ok I actually don't care if we deprecate ILQP, but it is important to agree that it is not required and you cannot expect all other connectors to have implemented it (as was the assumption before).

I'm coming at this from the perspective of someone who wants to reimplement ILP in another language. My question is what must I write to make my implementation interoperable. For a minimal connector (with configured routes) you need one or two ledger protocols and ILP forwarded payments/fulfillments/errors. For a sender or receiver you need at least one ledger layer protocol, ILP forwarded payments/fulfillments/errors, a transport protocol and an application layer protocol.

(Also, if some connectors support ILQP but you can't assume that all do, we need to deprecate and replace both IPR and PSKv1. Neither work if you cannot quote and they don't include built-in functionality to handle quoting. So while they might still work if you're a connector connected to a couple of specific connectors, it would not be advisable to implement and use those protocols because it's not likely to work in most cases.)

[dappelt]

[...] longer-term secret and a nonce that they put into the ILP address [...]

Consider rewording to make it clear that only the nonce goes into the ILP address, not the long-term secret.

[dappelt]

Regarding the size of the Authentication Tag. This is an excerpt from the NIST publication on GCM:

The bit length of the tag, denoted t, is a security parameter, as discussed in Appendix B. In general, t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or 32; guidance for the use of these two tag lengths, including requirements on the length of the input data and the lifetime of the key in these cases, is given in Appendix C.

So, a 16 byte Authentication Tag can be considered secure.

Another source recommending a 16 byte authentication tag is Cryptography Engineering: Design Principles and Practical Applications (p. 309):

“Therefore, although it is possible to reduce the size of the authenticator for GCM from 128 bits to something less, we recommend not doing so. Our recommendation is to only use GCM with the full 128-bit authentication tag.”

[emschwartz]

Ok, and I think the recommendation is also to use a 16-byte IV, right?

[dappelt]

The NIST publication recommends a bit length of 96 for the IV:

For IVs, it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.

[emschwartz]

Note that the Rust, Go, and Java implementations either require or recommend using a 96-bit IV as well.

[dappelt]

The sender and receiver generate the condition and fulfillment from the pre-shared key that gives this protocol its name and the data that is sent with each payment.

If the reader is not already familiar with PSK, this sentence is confusing. Consider splitting this sentence up. The fulfillment is computed from the pre-shared key and payment data. The condition is the SHA256 hash of the fulfillment.

[dappelt]

18446744073709551615 -> 2⁶⁴-1

[dappelt]

(the maximum value) -> (max. unsigned 64 bit integer)

[dappelt]

The sender does not exactly repeat steps 1 to 8. At 1), the sender creates a new packet with the same Payment ID as before, increments Sequence number etc.

[dappelt]

At step 1) a packet with Chunk Amount of 0 is created. So how can this constraint ever be violated:

Receiver checks that the incoming transfer amount is greater than or equal to the Chunk Amount [...]

The incoming transfer would need to have an amount < 0 to violate this constraint.

[dappelt]

I assume for consecutive packets the chunk amount would be greater than 0.

[dappelt]

Adding pseudo-code would make the algorithm for sending chunked payments more clear.

[emschwartz]

I could add that but I think it would be fairly long. It might be better to just read an actual implementation if you want to reimplement it

[dappelt]

If numbers represent bytes, this should start counting at 1. Also, it should not start over at 0 but should keep going 10, 11, etc.

Maybe better to use powers of 2 instead.

[michielbdejong]

My question is what must I write to make my implementation interoperable. For a minimal connector (with configured routes) you need [...]

This simplification makes sense for an initial network where all connectors trust all other connectors through configured routes, but I would like to be more ambitious and hope that we can later open up that network, and allow random unvetted connectors to join. Then, we'll need to add back things like quote caching, maybe not on the interledger layer, but on the connector-to-connector layer.

Some of the decisions we are proposing now (e.g. relaxing the definition of ledger prefix and not including a targetPrefix in end-to-end quote responses) affect not only the initial closed network, but also the ability to open that network up later. So it's better to build in "trustlessness" from the start, even if it's not an MVP prerequisite.

Especially since we already have an implementation of it, into which years of work were invested and which does already support quote caching, liquidity routing, and route broadcasts with exchange rate information. And it would be easy to add this new experiment without throwing away all that existing work, right?

[sharafian]

...and allow random unvetted connectors to join. Then, we'll need to add back things like quote caching

Can you explain why allowing unvetted connectors to join the network requires quote caching?

[michielbdejong]

When information about alternative routes arrives, you want to compare it to information you received earlier. That comparison cannot happen if you didn't cache the information.

[sharafian]

I think "basic interledger payments" is confusing now, because an ordinary Interledger payment is a micropayment. This should specify that SPSP is for large payments, especially large peer-to-peer payments like the kind one would use Paypal for.

[sharafian]

Should say implements "version 2 of the Pre-Shared Key" protocol. Someone reading over the new spec might not notice that this has changed.

[sharafian]

exteranl -> external

[sharafian]

What happens if there is an error partway through?

[sharafian]

We already use webfinger lookup for SPSP, which means we're given a list of URIs. Couldn't we say that each SPSP version uses a single version of PSK, and you just choose the appropriate SPSP version from the webfinger lookup?

For the current spec of this field, how does the sender tell the receiver which protocol they're using?

I don't think it's a good idea to add a second protocol negotiation on top of the one already used for SPSP (the webfinger lookup)

[emschwartz]

We could. The main argument I see against that would be: what if we add a PSKv2.1 that supports ciphers other than AES-GCM? Would we really need to do a major version bump for SPSP just to support that?

That said, the thing that's weird about including the versions here is that you might want completely different parameters for the other versions. It would be pretty ugly to mash all of the parameters into one JSON object (and make sure the key names don't conflict).

[sharafian]

It's worth pointing out that if the receiver colludes with a connector to have them raise their rates mid-payment, it's no different from the receiver deciding to raise the prices for their goods mid payment. If we don't point that out, then the Malicious Connector attack sounds a lot worse than it is.

[sharafian]

What kinds of payments will PSK2 be used for? Will we use it for everything, or will micropayments (which we expect to be under the MTU) use a different protocol? A lot of the points in this document are very different depending on whether we're thinking about a large payment or a small payment. Most of the time, it seems like this spec is describing retail-sized payments that require lots of chunking.

If it's also being used for micropayments, I think that deserves more mentioning. For instance, many of the attacks described really don't work against micropayments. And many of the quoting mechanisms aren't needed when you're just sending a 1-chunk micropayment.

[sharafian]

What's the purpose of the sequence number? What should the receiver do if they miss a sequence number? If one of the payments fails, should the sender increment the sequence number, or retry it with the same sequence number? Will an informational quote always have a sequence number of 0, even if it occurs partway through a payment (for example to refresh the exchange rate)?

[emschwartz]

The main purpose of the sequence number right now is to allow the sender to ensure that responses match the requests they sent out. Without the sequence, a connector could attach an old response (that would say a lower amount had arrived) to a later fulfillment and the sender wouldn't know the difference.

Originally I thought that receivers should keep track of the sequence numbers to avoid accepting two with the same sequence. @justmoon argued that wasn't necessary because unlike with data, money is fungible so it doesn't matter if the chunks arrive out of order as long as you get the total amount.

I don't think informational quotes need to have a sequence of 0. From the receiver's perspective, there is no such thing as an informational quote, it's just a chunk that arrived with too little money (and potentially an unfulfillable condition).

[sharafian]

What if the sender didn't set the type to 1, but the chunk they sent completes the payment's destination amount. Would the receiver reject subsequent payments? Do they have a way of telling the sender that they've completed the payment already?

What if the sender sets the type to 1, but the destination amount isn't complete yet? Does the receiver just take it to mean that the sender won't pay the rest of what they owe?

[emschwartz]

What if the sender didn't set the type to 1, but the chunk they sent completes the payment's destination amount. Would the receiver reject subsequent payments?

Yes, the receiver should reject further chunks once the destination amount specified has arrived

What if the sender sets the type to 1, but the destination amount isn't complete yet?

The receiver should assume that means the sender won't send any more. I think the PSK implementation would need to turn it over to the Application Layer protocol at that point to figure out what to do

[sharafian]

and 16 byte auth tag

[emschwartz]

When information about alternative routes arrives, you want to compare it to information you received earlier. That comparison cannot happen if you didn't cache the information.

@michielbdejong this seems orthogonal to PSKv2, no?

[emschwartz]

(@justmoon PSKv2 is currently slated to use IL-RFC number 24 but I can change that to 25)