Skip to content

Upgrade VSS encryption and obfuscation scheme #627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

Upgrade VSS encryption and obfuscation scheme #627

wants to merge 8 commits into from

Conversation

@tnull
Copy link
Collaborator

@tnull tnull commented Aug 22, 2025

Based on lightningdevkit/vss-client#40

In this PR we'll fix minor issues with the data encryption and key obfuscation scheme currently employed by VssStore.

As these are breaking changes, we'll also include a migration procedure as part of this PR. Will be in draft until we have all parts ready.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Aug 22, 2025
edited
Loading

👋 Hi! This PR is now in draft status.
I'll wait to assign reviewers until you mark it as ready for review.
Just convert it out of draft status when you're ready for review!

@tnull tnull marked this pull request as draft August 22, 2025 09:14
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch from ac8ae88 to 3490f2a Compare August 22, 2025 09:53
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch 2 times, most recently from bec8829 to e977a6d Compare November 6, 2025 11:41
@tnull tnull mentioned this pull request Nov 6, 2025
Closed
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch 3 times, most recently from c7fc423 to dd9a9e0 Compare November 6, 2025 11:57
@tnull tnull moved this to Goal: Merge in Weekly Goals Nov 6, 2025
@tnull tnull self-assigned this Nov 6, 2025
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch 2 times, most recently from bd46497 to 5d2c43a Compare November 7, 2025 17:21
@tnull
Supply data_decryption_key and aad for StorableBuilder
082de3e 
We bump our `vss-client` dependency to include the changes to the
`StorableBuilder` interface.

Previously, we the `vss-client` didn't allow to set `ChaCha20Poly1305RFC`'s `aad` field,
which had the `tag` not commit to any particular key. This would allow a
malicious VSS provider to substitute blobs stored under a different key
without the client noticing.

Here, we now set the `aad` field to the key under which the `Storable`
will be stored, ensuring that the retrieved data was originally stored
under the key we expected.

We also account for `StorableBuilder` now taking `data_decryption_key`
by reference on `build`/`deconstruct`.
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch from 5d2c43a to 656b188 Compare November 7, 2025 17:25
tnull added 6 commits November 7, 2025 18:28
@tnull
Account for vss-client being renamed to vss-client-ng
046a104
@tnull
Account for Retry being handled internally
690f12a 
We recently dropped the `Retry` logic in `vss-client-ng`, and rather now
lean on `reqwest`'s retry logic. Here, we account for the corresponding
interface changes.
@tnull
Only use internal runtime in VssStore
ac50269 
We previously attempted to drop the internal runtime from `VssStore`,
resulting into blocking behavior. While we recently made changes that
improved our situation (having VSS CI pass again pretty reliably), we
just ran into yet another case where the VSS CI hung (cf.
https://github.com/lightningdevkit/vss-server/actions/runs/19023212819/job/54322173817?pr=59).

Here we attempt to restore even more of the original pre-
ab3d78d / lightningdevkit#623 behavior to get rid of
the reappearing blocking behavior, i.e., only use the internal runtime
in `VssStore`.
@tnull
Drop redundant tokio::timeouts for VSS IO
4790def 
Now that we rely on `reqwest` v0.12.* retry logic as well as client-side
timeouts, we can address the remaining TODOs here and simply drop the
redundant `tokio::timeout`s we previously added as a safeguard to
blocking tasks (even though in the worst cases we saw they never
actually fired).
@tnull
DROPME: Run test 100 times
ba9ba5b
@tnull
Bump retries and timeouts considerably
189fd6d 
As LDK currently will still panic and crash if we'd ever fail a `write`
operation, we here considerably bump the defaults set in `VssClient` to
at least make this less likely. Longer term, we still hope to mitigate
the issue by moving to the async-persist flow.
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch from 656b188 to e1615e1 Compare November 7, 2025 17:28
@tnull tnull force-pushed the 2025-08-upgrade-vss-encryption-obfuscation-scheme branch from e1615e1 to 96db24d Compare November 7, 2025 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tnull tnull

Labels

None yet

Projects

Weekly Goals
Status: Goal: Merge

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tnull @ldk-reviews-bot