From d91642e6a0d323338e06edb51ba36e53bc927110 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Wed, 17 Jul 2024 10:54:27 +0930 Subject: [PATCH] BOLT 4: try to improve blinded path description. It's a bit complex, but try to convey the idea of an introduction point, blinded node ids and encrypted blobs. Since the requirements detail the two ways to reach the introduction node, I handwaved on that a bit. Signed-off-by: Rusty Russell --- 04-onion-routing.md | 47 +++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/04-onion-routing.md b/04-onion-routing.md index 038c875..8997bb6 100644 --- a/04-onion-routing.md +++ b/04-onion-routing.md @@ -451,28 +451,37 @@ intermediary nodes could simply claim the remaining ones. * [`u16`:`enclen`] * [`enclen*byte`:`encrypted_recipient_data`] -Nodes receiving onion packets may hide their identity from senders by -"blinding" an arbitrary amount of hops at the end of an onion path. +A blinded path consists of: +1. an initial introduction point (`first_node_id`) +2. an initial key to share a secret with the first node_id (`first_path_key`) +3. a series of tweaked node ids (`path.blinded_node_id`) +4. a series of binary blobs encrypted to the nodes (`path.encrypted_recipient_data`) + to tell them the next hop. -When using route blinding, nodes find a route to themselves from a given -"introduction node" and initial "path key". They then use ECDH with -each node in that route to create a "blinded" node ID and an encrypted blob -(`encrypted_data`) for each one of the blinded nodes. +For example, Dave wants Alice to reach him via public node Bob then +Carol. He creates a chain of public keys ("path_keys") for Bob, Carol +and finally himself, so he can share a secret with each of them. These +keys are a simple chain, so each node can derive the next `path_key` without +having to be told explicitly. -They communicate this blinded route and the encrypted blobs to the sender. -The sender finds a route to the introduction node and extends it with the -blinded route provided by the recipient. The sender includes the encrypted -blobs in the corresponding onion payloads: they allow nodes in the blinded -part of the route to "unblind" the next node and correctly forward the packet. +From these shared secrets, Dave creates and encrypts three `encrypted_data_tlv`s: +1. encrypted_data_bob: For Bob to tell him to forward to Carol +2. encrypted_data_carol: For Carol to tell her to forward to him +3. encrypted_data_dave: For himself to indicate the path was used, and any metadata he wants. -Note that there are two ways for the sender to reach the introduction -point: one is to create a normal (unblinded) payment, and place the -initial blinding point in `current_path_key` along with the -`encrypted_data` in the onion payload for the introduction point to -start the blinded path. The second way is to create a blinded path to -the introduction point, set `next_path_key_override` inside the -`encrypted_data_tlv` on the hop prior to the introduction point to the -initial blinding point, and have it sent to the introduction node. +To mask the node ids, he also derives three blinding factors from the +shared secrets, which turn Bob into Bob', Carol into Carol' and Dave +into Dave'. + +So this is the `blinded_path` he hands to Alice. + +1. `first_node_id`: Bob +2. `first_path_key`: the first path key for Bob +3. `path`: [Bob', encrypted_data_bob], [Carol', encrypted_data_carol], [Dave', encrypted_data_dave] + +There are two different ways for Alice to construct an onion which gets to Bob (since he's probably not a direct peer of hers) which are described in the requirements below. + +But after Bob the path is always the same: he will send Carol the `path_key` he derived, along with the onion. She will use the `path_key` to derive the tweak for the onion (which Alice encrypted for Carol' not Carol) so she can decrypt it, and also to derive the key to decrypt `encrypted_data_tlv` which will tell her to forward to Dave (and possibly additional restrictions Dave specified). ### Requirements