mirror of
https://github.com/lightning/bolts.git
synced 2024-11-19 01:50:03 +01:00
BOLT 4: concretely refer to the blinded_path
type and field when constructing.
This spec was initially written before the `blinded_path` type existed. Be precise (and we no longer need to say "MUST communicate"!). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
parent
14ebb445e6
commit
6c0f0d878f
@ -476,26 +476,25 @@ initial blinding point, and have it sent to the introduction node.
|
|||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
||||||
A recipient $`N_r`$ creating a blinded route $`N_0 \rightarrow N_1 \rightarrow ... \rightarrow N_r`$ to itself:
|
A recipient $`N_r`$ creating a `blinded_path` $`N_0 \rightarrow N_1 \rightarrow ... \rightarrow N_r`$ to itself:
|
||||||
|
|
||||||
- MUST create a blinded node ID $`B_i`$ for each node using the following algorithm:
|
- MUST set `first_node_id` to $`N_0`$
|
||||||
|
- MUST create a `blinded_node_id` $`B_i`$ for each node using the following algorithm:
|
||||||
- $`e_0 \leftarrow \{0;1\}^{256}`$ ($`e_0`$ SHOULD be obtained via CSPRNG)
|
- $`e_0 \leftarrow \{0;1\}^{256}`$ ($`e_0`$ SHOULD be obtained via CSPRNG)
|
||||||
- $`E_0 = e_0 \cdot G`$
|
- $`E_0 = e_0 \cdot G`$
|
||||||
- For every node in the route:
|
- For every node in the route:
|
||||||
- let $`N_i = k_i * G`$ be the `node_id` ($`k_i`$ is $`N_i`$'s private key)
|
- let $`N_i = k_i * G`$ be the `node_id` ($`k_i`$ is $`N_i`$'s private key)
|
||||||
- $`ss_i = SHA256(e_i * N_i) = SHA256(k_i * E_i)`$ (ECDH shared secret known only by $`N_r`$ and $`N_i`$)
|
- $`ss_i = SHA256(e_i * N_i) = SHA256(k_i * E_i)`$ (ECDH shared secret known only by $`N_r`$ and $`N_i`$)
|
||||||
- $`B_i = HMAC256(\text{"blinded\_node\_id"}, ss_i) * N_i`$ (blinded `node_id` for $`N_i`$, private key known only by $`N_i`$)
|
- $`B_i = HMAC256(\text{"blinded\_node\_id"}, ss_i) * N_i`$ (blinded `node_id` for $`N_i`$, private key known only by $`N_i`$)
|
||||||
- $`rho_i = HMAC256(\text{"rho"}, ss_i)`$ (key used to encrypt the payload for $`N_i`$ by $`N_r`$)
|
- $`rho_i = HMAC256(\text{"rho"}, ss_i)`$ (key used to encrypt `encrypted_recipient_data` for $`N_i`$ by $`N_r`$)
|
||||||
- $`e_{i+1} = SHA256(E_i || ss_i) * e_i`$ (ephemeral private path key, only known by $`N_r`$)
|
- $`e_{i+1} = SHA256(E_i || ss_i) * e_i`$ (ephemeral private path key, only known by $`N_r`$)
|
||||||
- $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$ (`path_key`. NB: $`N_i`$ MUST NOT learn $`e_i`$)
|
- $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$ (`path_key`. NB: $`N_i`$ MUST NOT learn $`e_i`$)
|
||||||
|
- MUST set `first_path_key` to $`E_0`$
|
||||||
- MAY replace $`E_{i+1}`$ with a different value, but if it does:
|
- MAY replace $`E_{i+1}`$ with a different value, but if it does:
|
||||||
- MUST set `encrypted_data_tlv[i].next_path_key_override` to $`E_{i+1}`$
|
- MUST set `encrypted_data_tlv[i].next_path_key_override` to $`E_{i+1}`$
|
||||||
- MAY store private data in `encrypted_data_tlv[r].path_id` to verify that the route is used in the right context and was created by them
|
- MAY store private data in `encrypted_data_tlv[r].path_id` to verify that the route is used in the right context and was created by them
|
||||||
- SHOULD add padding data to ensure all `encrypted_data_tlv[i]` have the same length
|
- SHOULD add padding data to ensure all `encrypted_data_tlv[i]` have the same length
|
||||||
- MUST encrypt each `encrypted_data_tlv[i]` with ChaCha20-Poly1305 using the corresponding $`rho_i`$ key and an all-zero nonce to produce `encrypted_recipient_data[i]`
|
- MUST encrypt each `encrypted_data_tlv[i]` with ChaCha20-Poly1305 using the corresponding $`rho_i`$ key and an all-zero nonce to produce `encrypted_recipient_data[i]`
|
||||||
- MUST communicate the blinded node IDs $`B_i`$ and `encrypted_recipient_data[i]` to the sender
|
|
||||||
- MUST communicate the real node ID of the introduction point $`N_0`$ to the sender
|
|
||||||
- MUST communicate the first `path_key` $`E_0`$ to the sender
|
|
||||||
|
|
||||||
A reader:
|
A reader:
|
||||||
|
|
||||||
@ -542,8 +541,7 @@ choose what data they put in the onion for each hop. Blinded routes are also
|
|||||||
reusable in some cases (e.g. onion messages).
|
reusable in some cases (e.g. onion messages).
|
||||||
|
|
||||||
Each node in the blinded route needs to receive $`E_i`$ to be able to decrypt
|
Each node in the blinded route needs to receive $`E_i`$ to be able to decrypt
|
||||||
the onion and the `encrypted_data` payload. Protocols that use route blinding
|
the onion and the `encrypted_recipient_data` payload.
|
||||||
must specify how this value is propagated between nodes.
|
|
||||||
|
|
||||||
When concatenating two blinded routes generated by different nodes, the
|
When concatenating two blinded routes generated by different nodes, the
|
||||||
last node of the first route needs to know the first `path_key` of the
|
last node of the first route needs to know the first `path_key` of the
|
||||||
|
Loading…
Reference in New Issue
Block a user