You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit doesn't change the logic at all, it simply:
- removes `realm` from onion test vector
- cleans-up markdown formatting and indents
- fixes typos and missing parenthesis
- consistently uses `_` instead of `-` for field names
- fixes math formatting (including changes from #1169 and #1158)
Copy file name to clipboardExpand all lines: 04-onion-routing.md
+29-30
Original file line number
Diff line number
Diff line change
@@ -324,7 +324,7 @@ The reader:
324
324
- MUST return an error if incoming `cltv_expiry` < `outgoing_cltv_value`.
325
325
- MUST return an error if incoming `cltv_expiry` < `current_block_height` + `min_final_cltv_expiry_delta`.
326
326
- Otherwise (it is not part of a blinded route):
327
-
- MUST return an error if `path_key` is set in the incoming `update_add_htlc` or `current_pass` is present.
327
+
- MUST return an error if `path_key` is set in the incoming `update_add_htlc` or `current_path_key` is present.
328
328
- MUST return an error if `amt_to_forward` or `outgoing_cltv_value` are not present.
329
329
- if it is not the final node:
330
330
- MUST return an error if:
@@ -498,20 +498,20 @@ may contain the following TLV fields:
498
498
A recipient $`N_r`$ creating a blinded route $`N_0 \rightarrow N_1 \rightarrow ... \rightarrow N_r`$ to itself:
499
499
500
500
- MUST create a blinded node ID $`B_i`$ for each node using the following algorithm:
501
-
- $`e_0 /leftarrow {0;1}^256`$ ($`e_0`$ SHOULD be obtained via CSPRG)
501
+
- $`e_0 \leftarrow \{0;1\}^{256}`$ ($`e_0`$ SHOULD be obtained via CSPRNG)
502
502
- $`E_0 = e_0 \cdot G`$
503
503
- For every node in the route:
504
504
- let $`N_i = k_i * G`$ be the `node_id` ($`k_i`$ is $`N_i`$'s private key)
505
-
- $`ss_i = SHA256(e_i * N_i) = SHA256(k_i * E_i)$` (ECDH shared secret known only by $`N_r`$ and $`N_i`$)
505
+
- $`ss_i = SHA256(e_i * N_i) = SHA256(k_i * E_i)`$ (ECDH shared secret known only by $`N_r`$ and $`N_i`$)
506
506
- $`B_i = HMAC256(\text{"blinded\_node\_id"}, ss_i) * N_i`$ (blinded `node_id` for $`N_i`$, private key known only by $`N_i`$)
507
507
- $`rho_i = HMAC256(\text{"rho"}, ss_i)`$ (key used to encrypt the payload for $`N_i`$ by $`N_r`$)
508
508
- $`e_{i+1} = SHA256(E_i || ss_i) * e_i`$ (ephemeral private path key, only known by $`N_r`$)
509
509
- $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$ (`path_key`. NB: $`N_i`$ MUST NOT learn $`e_i`$)
510
510
- MAY replace $`E_{i+1}`$ with a different value, but if it does:
511
-
- MUST set `encrypted_data_tlv[i].next_path_key_override` to `$E_{i+1}$`
511
+
- MUST set `encrypted_data_tlv[i].next_path_key_override` to $`E_{i+1}`$
512
512
- MAY store private data in `encrypted_data_tlv[r].path_id` to verify that the route is used in the right context and was created by them
513
513
- SHOULD add padding data to ensure all `encrypted_data_tlv[i]` have the same length
514
-
- MUST encrypt each `encrypted_data_tlv[i]` with ChaCha20-Poly1305 using the corresponding `rho_i` key and an all-zero nonce to produce `encrypted_recipient_data[i]`
514
+
- MUST encrypt each `encrypted_data_tlv[i]` with ChaCha20-Poly1305 using the corresponding $`rho_i`$ key and an all-zero nonce to produce `encrypted_recipient_data[i]`
515
515
- MUST communicate the blinded node IDs $`B_i`$ and `encrypted_recipient_data[i]` to the sender
516
516
- MUST communicate the real node ID of the introduction point $`N_0`$ to the sender
517
517
- MUST communicate the first `path_key` $`E_0`$ to the sender
@@ -521,7 +521,7 @@ A reader:
521
521
- If it receives `path_key` ($`E_i`$) from the prior peer:
522
522
- MUST use $`b_i`$ instead of its private key $`k_i`$ to decrypt the onion.
523
523
Note that the node may instead tweak the onion ephemeral key with
524
-
$`HMAC256(\text{"blinded\_node\_id}", ss_i)`$ which achieves the same result.
524
+
$`HMAC256(\text{"blinded\_node\_id"}, ss_i)`$ which achieves the same result.
525
525
- Otherwise:
526
526
- MUST use $`k_i`$ to decrypt the onion, to extract `current_path_key` ($`E_i`$).
527
527
- MUST compute:
@@ -560,7 +560,7 @@ keys of the nodes in the route with random public keys while letting senders
560
560
choose what data they put in the onion for each hop. Blinded routes are also
561
561
reusable in some cases (e.g. onion messages).
562
562
563
-
Each node in the blinded route needs to receive `E_i` to be able to decrypt
563
+
Each node in the blinded route needs to receive $`E_i`$ to be able to decrypt
564
564
the onion and the `encrypted_data` payload. Protocols that use route blinding
565
565
must specify how this value is propagated between nodes.
566
566
@@ -573,7 +573,7 @@ The final recipient must verify that the blinded route is used in the right
573
573
context (e.g. for a specific payment) and was created by them. Otherwise a
574
574
malicious sender could create different blinded routes to all the nodes that
575
575
they suspect could be the real recipient and try them until one accepts the
576
-
message. The recipient can protect against that by storing `E_r` and the
576
+
message. The recipient can protect against that by storing $`E_r`$ and the
577
577
context (e.g. a `payment_hash`), and verifying that they match when receiving
578
578
the onion. Otherwise, to avoid additional storage cost, it can put some private
579
579
context information in the `path_id` field (e.g. the `payment_preimage`) and
@@ -620,7 +620,7 @@ sent across.
620
620
621
621
Nodes implementing non-strict forwarding are able to make real-time assessments
622
622
of channel bandwidths with a particular peer, and use the channel that is
623
-
locally-optimal.
623
+
locally-optimal.
624
624
625
625
For example, if the channel specified by `short_channel_id` connecting A and B
626
626
does not have enough bandwidth at forwarding time, then A is able use a
1.`onion_routing_packet` in `update_add_htlc` for payments, which contains a `payload` TLV (see [Adding an HTLC](02-peer-protocol.md#adding-an-htlc-update_add_htlc))
865
-
2.`onion_message_packet`on`onion_message` for messages, which contains a`onionmsg_tlv` TLV (see [Onion Messages](#onion-messages)
866
+
2.`onion_message_packet`in`onion_message` for messages, which contains an`onionmsg_tlv` TLV (see [Onion Messages](#onion-messages))
866
867
867
868
Those sections specify the `associated_data` to use, the `path_key` (if any), the extracted payload format and handling (including how to determine the next peer, if any), and how to handle errors. The processing itself is identical.
868
869
@@ -874,26 +875,26 @@ A reader:
874
875
- if `public_key` is not a valid pubkey:
875
876
- MUST abort processing the packet and fail.
876
877
- if the onion is for a payment:
877
-
- if `hmac` has previously been received:
878
-
- if the preimage is known:
879
-
- MAY immediately redeem the HTLC using the preimage.
880
-
- otherwise:
881
-
- MUST abort processing the packet and fail.
878
+
- if `hmac` has previously been received:
879
+
- if the preimage is known:
880
+
- MAY immediately redeem the HTLC using the preimage.
881
+
- otherwise:
882
+
- MUST abort processing the packet and fail.
882
883
- if `path_key` is specified:
883
-
- Calculate the `blinding_ss` as ECDH(`path_key`, `node-privkey`)
884
+
- Calculate the `blinding_ss` as ECDH(`path_key`, `node_privkey`).
884
885
- Either:
885
-
- Tweak `public_key` by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$
886
+
- Tweak `public_key` by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$.
886
887
- or (equivalently):
887
-
- Tweak its own `node-privkey` below by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$
888
-
- Derive the shared secret `ss` as ECDH(`public_key`, `node-privkey`) (see [Shared Secret](#shared-secret))
888
+
- Tweak its own `node_privkey` below by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$.
889
+
- Derive the shared secret `ss` as ECDH(`public_key`, `node_privkey`) (see [Shared Secret](#shared-secret)).
889
890
- Derive `mu` as $`HMAC256(\text{"mu"}, ss)`$ (see [Key Generation](#key-generation)).
890
-
- Derive the HMAC as $`HMAC256(mu, hop_payloads || associated_data)`$
891
+
- Derive the HMAC as $`HMAC256(mu, hop\_payloads || associated\_data)`$.
891
892
- MUST use a constant time comparison of the computed HMAC and `hmac`.
892
893
- If the computed HMAC and `hmac` differ:
893
894
- MUST abort processing the packet and fail.
894
895
- Derive `rho` as $`HMAC256(\text{"rho"}, ss)`$ (see [Key Generation](#key-generation)).
895
896
- Derive `bytestream` of twice the length of `hop_payloads` using `rho` (see [Pseudo Random Byte Stream](pseudo-random-byte-stream)).
896
-
- Set `unwrapped_payloads` to the XOR of `hop_payloads` and `bytestream`
897
+
- Set `unwrapped_payloads` to the XOR of `hop_payloads` and `bytestream`.
897
898
- Remove a `bigsize` from the front of `unwrapped_payloads` as `payload_length`. If that is malformed:
898
899
- MUST abort processing the packet and fail.
899
900
- If the `payload_length` is less than two:
@@ -907,22 +908,20 @@ A reader:
907
908
- If `unwrapped_payloads` is smaller than `hop_payloads`:
908
909
- MUST abort processing the packet and fail.
909
910
- If `next_hmac` is not all-zero (not the final node):
910
-
- Derive `blinding_tweak` as $`SHA256(public_key || ss)`$ (see [Blinding Ephemeral Onion Keys](#blinding-ephemeral-onion-keys))
911
+
- Derive `blinding_tweak` as $`SHA256(public\_key || ss)`$ (see [Blinding Ephemeral Onion Keys](#blinding-ephemeral-onion-keys)).
911
912
- SHOULD forward an onion to the next peer with:
912
-
-`version` set to 0
913
-
-`public_key` set to the incoming `public_key` multiplied by `blinding_tweak`
914
-
-`hop_payloads` set to the `unwrapped_payloads`, truncated to the incoming `hop_payloads` size
915
-
-`hmac` set to `next_hmac`
913
+
-`version` set to 0.
914
+
-`public_key` set to the incoming `public_key` multiplied by `blinding_tweak`.
915
+
-`hop_payloads` set to the `unwrapped_payloads`, truncated to the incoming `hop_payloads` size.
916
+
-`hmac` set to `next_hmac`.
916
917
- If it cannot forward:
917
918
- MUST fail.
918
919
- Otherwise (all-zero `next_hmac`):
919
920
- This is the final destination of the onion.
920
921
921
-
922
922
## Rationale
923
923
924
-
In the case where blinded paths are used, the sender did not actually encrypt this onion for our node_id, but for a tweaked version: we can derive the tweak used from `path_key` which is given alongside the onion. Then we either tweak our node private key the same way to decrypt the onion, or tweak to the onion ephemeral key which is mathematically equivalent.
925
-
924
+
In the case where blinded paths are used, the sender did not actually encrypt this onion for our `node_id`, but for a tweaked version: we can derive the tweak used from `path_key` which is given alongside the onion. Then we either tweak our node private key the same way to decrypt the onion, or tweak to the onion ephemeral key which is mathematically equivalent.
0 commit comments