The purpose of decoy packets in general is to give implementations the ability to hide any pattern that may be inferred from the sizes of TCP/IP packets being sent back and forth.
This concern applies to all 3 phases of the protocol. During the key exchange phase, a (limited) form of size pattern hiding can be accomplished through the garbage mechanism. During the application phase, but also during the version negotiation phase, this is accomplished using decoy packets, a much more powerful mechanism than garbage, but only possible after keys have been exchanged.
It’s fair to say that right now, with the version negotiation phase just consisting of a single message in both directions, this doesn’t matter. In both directions, instead of a decoy message before the version packet, a decoy message could be sent immediately after it (making it part of the application phase), or garbage could be sent before it instead.
However, in hypothetical extensions, the version negotiation phase could consist of multiple messages too. If there are at least 3, it may not be possible to avoid a recognizable pattern of sizes in the middle ones. Having the decoy mechanism generically available means future extension designers don’t have to worry about it.
Furthermore, design-wise, I do not believe it necessarily complicates implementations much, but of course that depends on implementation aspects. Think of a BIP324 connection as having a few states it progresses through:
- Sending/receiving public key
- Sending/receiving garbage + garbage terminator
- Sending/receiving packets
During the third state, all communication is done in the form of packets using the keys negotiated before, decoys and all. The first (non-decoy) packet(s) negotiate the version, and everything after is treated as application layer. I think this makes sense, as version negotiation needs something packet-like anyway, so it might as well use the full packet interface.
> But it does add a bit of complexity to implementations
Certainly having support for decoy packets as a mechanism in general adds complexity to implementations, which cannot be avoided if compatibility with the specification is desired. I do not think having it additionally available during version negotiation adds much complexity on top.
> given the lack of bounds on the decoy packets.
One cannot avoid supporting packets up to ~4M as that’s how large application-layer BLOCK messages are allowed to be. I believe the Bitcoin Core BIP324 implementation uses that as packet size limit for all packets, including decoys.
> I noticed Core has not supported sending decoy packets in the handshake since adding BIP324 support in v26.0, but is this a worthy feature of the protocol that may later be implemented?
It’s not very high on my personal priority list, but I do plan to work at some point on adding support for sending decoys to the Bitcoin Core BIP324 implementation, in particular for transactions (whose relay sizes do reveal some information). It would be nice if somebody worked on this.
> My guess is to protect against “known plaintext” attack
A known plaintext would allow an attacker to guess the key stream coming out of the used ChaCha20 cipher, though there are no known ways to exploit that to achieve anything useful (like decrypting other messages, or forging messages). This was not a specific consideration when designing BIP324 or its decoy packet mechanism, as far as I recall.
Disclaimer: I’m a co-author of BIP324, and am probably biased about the design choices we made in it.
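
The receive-side handling of the third connection state described in this answer, as an added example that is not code from the answer or from Bitcoin Core. It assumes packets are already decrypted into (header byte, contents) pairs; `PacketReceiver`, `wire_size`, `run_demo`, the sample stream and the `MAX_CONTENTS_LEN` value are hypothetical names and constructed values, while the ignore bit and the 3 + 1 + 16 byte framing overhead follow the BIP324 packet format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

IGNORE_BIT = 0x80                 # BIP324 header byte: bit 7 set means decoy
LENGTH_LEN, HEADER_LEN, TAG_LEN = 3, 1, 16   # BIP324 per-packet framing overhead
MAX_CONTENTS_LEN = 4_000_000      # assumed limit (~4M), applied to decoys too

def wire_size(contents_len: int) -> int:
    """Bytes a network observer sees for one packet with this contents length."""
    return LENGTH_LEN + HEADER_LEN + contents_len + TAG_LEN

@dataclass
class PacketReceiver:
    """Hypothetical receiver for the 'sending/receiving packets' state."""
    version: Optional[bytes] = None
    app_messages: List[bytes] = field(default_factory=list)
    decoys_seen: int = 0

    def on_packet(self, header: int, contents: bytes) -> None:
        if len(contents) > MAX_CONTENTS_LEN:
            raise ValueError("packet exceeds size limit")
        if header & IGNORE_BIT:
            self.decoys_seen += 1     # same code path in both phases
            return
        if self.version is None:
            self.version = contents   # first non-decoy packet: version negotiation
        else:
            self.app_messages.append(contents)  # everything after: application layer

def run_demo():
    # Constructed stream of already-decrypted (header, contents) pairs.
    stream = [
        (IGNORE_BIT, bytes(900)),     # decoy before the version packet
        (0x00, b""),                  # version packet, empty contents here
        (IGNORE_BIT, bytes(37)),      # decoy in the application phase
        (0x00, b"constructed-app-message"),
    ]
    rx = PacketReceiver()
    for header, contents in stream:
        rx.on_packet(header, contents)
    sizes = [wire_size(len(c)) for _, c in stream]
    return rx, sizes

if __name__ == "__main__":
    rx, sizes = run_demo()
    print("wire sizes seen by an observer:", sizes)
    print("version:", rx.version, "decoys:", rx.decoys_seen, "app:", rx.app_messages)
```

The observer only sees the wire sizes, which do not distinguish the 920-byte decoy from a real packet of the same length; the receiver drops decoys with one branch regardless of phase.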