-
Notifications
You must be signed in to change notification settings - Fork 491
Rendez vous mechanism on top of Sphinx
We are currently using sphinx based onion routing to route a payment from one endpoint, the sender S, to another endpoint, the recipient R. This requires that the sender constructs the onion packet that contains the entire route of the payment, i.e., the sender has to compute the entire route and has to know who the recipient is.
This has a number of downsides, most importantly that the sender will learn the identity of the recipient and its surroundings. While it is possible to partially hide the recipient behind private channels and use aliases that hide the last part of the route using the route hints in the bolt11 payment requests, this approach is rather limited, as it still leaks the general location and route length.
A common feature in onion routed networks is the ability to rendez-vous node RV on the public network and have the recipient generate a route onion from that public location. The sender then just takes this trailing part of the route and generates a route to the public location, concatenating the two routes. This results in a route that is only partially known to either endpoint, providing anonymity to both sender and recipient.
The concatenation of the two partial routes however is not trivial, given the cryptographic primitives (EC Diffie-Hellman) used to generate shared secrets for the onion encryption. Specifically the recipient is generating an onion from RV, using an ephemeral key and ECDH with the hops' node_id. This ephemeral key is rotated on each hop using that hop's shared secret. The difficulty lies in having the ephemeral key rotated at each hop from S to RV meet up at RV, i.e., it being exactly the same as the one used by R for the RV to R route.
The proposed solution is to add a new feature that allows RV to switch out the ephemeral key that it is passing on to the next hop, instead of rotating it via the shared secret that depends on the prior ephemeral key. RV receives an onion packet that contains the new ephemeral key (FIXME: Need to describe how the presence of the ephemeral key is signaled), and when forwarding the onion packet it'll simply prepend that ephemeral key.
Potential rendez-vous points signal their support for this feature by setting the rendez_vous global feature bit. Recipients may then select nodes that signal support for their own rendez-vous instances.
When attempting to perform a payment using a rendez-vous point, the recipient R selects a random, possibly well-connected, node RV that signaled support. R then proceeds to generate an ephemeral key ek_k that will be swapped in by RV. It then generates a normal onion routing packet as described in BOLT 04 from RV to R, using a randomly selected ephemeral key ek_k. RV will perform the generation of the shared secret twice, in order to hide the fact that it was the rendez-vous point, so it generates both ss_k from ek_k and ss_{k+1} from ek_{k+1}, but it skips the payload extraction (left shift), i.e., the payloads are simply encrypted twice with 2 different shared secrets. R then serializes the onion packet as described in Packet Structure and passes it to the sender S (this discloses ek_k to S), along with the node_id of RV.
The sender then selects a route from S to RV and a new random ephemeral key ek_0 to be used when generating shared secrets along that route. S then takes the onion packet from R instead of the empty packet that is the starting point in Packet Construction. The payload at RV MUST signal that the ephemeral key should be switched out and contain ek_k. The wrapping of the onion proceeds as normal.
Notice that after switching out the ephemeral key ek_k at RV and the following decryption the onion packet corresponds exactly to the onion packet that R sent to S initially.
The need for the double payload decryption / filler encryption arises from the fact that the HMAC that R computes includes the padding that RV will compute. In non-rendez-vous operation this is a vector of 0x00-bytes, encrypted with a ChaCha20 bytestream that is generated from ss_rv, which itself is generated from ek_rv. The problem is that R can't know ss_rv, so it can't compute the filler for that hop.
The solution is to generate an ss_k from the ek_k that was swapped in, which R can know, and recompute the filler. So the rendez-vous point decrypts its payload which at the same time encrypts the filler with ss_rv, then notices that it should swap out the ephemeral key, and resets the filler to a 0x00-byte vector, which is then encrypted with ek_k again.