diff --git a/04-onion-routing.md b/04-onion-routing.md index 19b8f08..d2853b0 100644 --- a/04-onion-routing.md +++ b/04-onion-routing.md 
@@ -476,26 +476,25 @@ initial blinding point, and have it sent to the introduction node. ### Requirements -A recipient $`N_r`$ creating a blinded route $`N_0 \rightarrow N_1 \rightarrow ... \rightarrow N_r`$ to itself: +A recipient $`N_r`$ creating a `blinded_path` $`N_0 \rightarrow N_1 \rightarrow ... \rightarrow N_r`$ to itself: -- MUST create a blinded node ID $`B_i`$ for each node using the following algorithm: +- MUST set `first_node_id` to $`N_0`$ +- MUST create a `blinded_node_id` $`B_i`$ for each node using the following algorithm: - $`e_0 \leftarrow \{0;1\}^{256}`$ ($`e_0`$ SHOULD be obtained via CSPRNG) - $`E_0 = e_0 \cdot G`$ - For every node in the route: - let $`N_i = k_i * G`$ be the `node_id` ($`k_i`$ is $`N_i`$'s private key) - $`ss_i = SHA256(e_i * N_i) = SHA256(k_i * E_i)`$ (ECDH shared secret known only by $`N_r`$ and $`N_i`$) - $`B_i = HMAC256(\text{"blinded\_node\_id"}, ss_i) * N_i`$ (blinded `node_id` for $`N_i`$, private key known only by $`N_i`$) - - $`rho_i = HMAC256(\text{"rho"}, ss_i)`$ (key used to encrypt the payload for $`N_i`$ by $`N_r`$) + - $`rho_i = HMAC256(\text{"rho"}, ss_i)`$ (key used to encrypt `encrypted_recipient_data` for $`N_i`$ by $`N_r`$) - $`e_{i+1} = SHA256(E_i || ss_i) * e_i`$ (ephemeral private path key, only known by $`N_r`$) - $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$ (`path_key`. 
NB: $`N_i`$ MUST NOT learn $`e_i`$) +- MUST set `first_path_key` to $`E_0`$ - MAY replace $`E_{i+1}`$ with a different value, but if it does: - MUST set `encrypted_data_tlv[i].next_path_key_override` to $`E_{i+1}`$ - MAY store private data in `encrypted_data_tlv[r].path_id` to verify that the route is used in the right context and was created by them - SHOULD add padding data to ensure all `encrypted_data_tlv[i]` have the same length - MUST encrypt each `encrypted_data_tlv[i]` with ChaCha20-Poly1305 using the corresponding $`rho_i`$ key and an all-zero nonce to produce `encrypted_recipient_data[i]` -- MUST communicate the blinded node IDs $`B_i`$ and `encrypted_recipient_data[i]` to the sender -- MUST communicate the real node ID of the introduction point $`N_0`$ to the sender -- MUST communicate the first `path_key` $`E_0`$ to the sender A reader: @@ -542,8 +541,7 @@ choose what data they put in the onion for each hop. Blinded routes are also reusable in some cases (e.g. onion messages). Each node in the blinded route needs to receive $`E_i`$ to be able to decrypt -the onion and the `encrypted_data` payload. Protocols that use route blinding -must specify how this value is propagated between nodes. +the onion and the `encrypted_recipient_data` payload. When concatenating two blinded routes generated by different nodes, the last node of the first route needs to know the first `path_key` of the
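Review bot: In the first hunk (the `### Requirements` list), the removed bullet "MUST communicate the blinded node IDs $`B_i`$ and `encrypted_recipient_data[i]` to the sender" has no replacement among the added lines: the new `MUST set first_node_id to N_0` and `MUST set first_path_key to E_0` bullets cover the introduction node and the initial `path_key`, but nothing now states that each hop's `blinded_node_id` and `encrypted_recipient_data[i]` are placed in the `blinded_path`. Without that, a reader of the requirements list could build a `blinded_path` that carries the right `first_node_id` and `first_path_key` but omits the per-hop data the relaying nodes need, so consider adding a bullet such as "MUST set the `blinded_node_id` of each hop to $`B_i`$ and its `encrypted_recipient_data` to `encrypted_recipient_data[i]`". As a smaller style point, the first line now says "creating a `blinded_path`" while the unchanged `path_id` bullet in the same list still says "verify that the route is used in the right context"; if the rename is deliberate, the wording in that bullet should follow it.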
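Review bot: In the second hunk (the `@@ -542,8 +541,7 @@` region), deleting "Protocols that use route blinding must specify how this value is propagated between nodes." removes the only normative statement about how $`E_i`$ reaches each node, while the preceding sentence still says every node "needs to receive $`E_i`$ to be able to decrypt the onion and the `encrypted_recipient_data` payload". If propagation of the `path_key` is now fixed by this document (for example via `first_path_key` and the per-hop `path_key` computation in the requirements list above), the paragraph should say so explicitly, e.g. "...needs to receive $`E_i`$, carried as the `path_key` described above, to be able to decrypt..."; if it is still left to the protocol using the blinded path, the sentence should stay. As written, the hunk turns a stated requirement into an implicit one, which is the kind of gap that later causes interoperability problems between implementations that choose different ways to deliver $`E_i`$.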