Good morning list, After exploring decoys [1], which is a cheap way of doing route blinding, I'm turning back to exploring rendezvous. The previous mails on the mailing list mentioned that there was a technicality to make the HMACs check out, but didn't provide a lot of details. The issue is that the filler generation needs to take into account some hops that will be added *later*, by the payer.
However it is quite easy to work-around, with a few space trade-offs. Let's consider a typical rendezvous setup, where Alice wants to be paid via rendezvous Bob, and Carol wants to pay that invoice: Carol -> ... -> Bob -> ... -> Alice If Alice knows how many bytes Carol is going to use for her part of the onion payloads, Alice can easily take them into account when generating her filler by pre-pending the same amount of `0` bytes. It seems reasonable to impose a fixed number of onion bytes for each side of the rendezvous (650 each?) so Alice would know that amount. When Carol completes the onion with her part of the route, she simply needs to generate filler data for her part of the route following the normal Sphinx protocol and apply it to the onion she found in the invoice. But the tricky part is that she needs to give Bob a way of generating the same filler data to unapply it. Then all HMACs correctly check out. I see two ways of doing that: * Carol simply sends that filler (650 bytes), probably via a TLV in `update_add_htlc`. This means every intermediate hop needs to forward that, which is painful and potentially leaking too much data. * Carol provides Bob with the rho keys used to generate her filler, and the length used by each hop. This leaks to Bob an upper bound on the number of hops and the number of bytes sent to each hop. Since shift-and-xor kind of crypto is hard to read as equations, but very easy to read as diagrams, I spent a bit of time doing beautiful ASCII art [2]. Don't hesitate to have a look at it to find more details about how that works. You can also print that on t-shirts to look fancy at conferences. I also have some sample code working in eclair [3] for those who can read Scala without getting headaches. Are there other tricks we can use to reconcile both sides of the onion at Bob's? Maybe cdecker (or someone else) has an ace up his sleeve for me there? :) One important thing to note is that rendezvous on normal onions will be costly to integrate into invoices: it takes 1366 bytes to include one onion, and if we want to handle route failures or let the sender use multi-part, we will need to have a handful of pre-encrypted onions in the invoice (hence a few kB, which may not be practical for QR codes). But I did mention before that doing rendezvous on the trampoline onion could have better properties [4]. When doing that, having Carol transmit her filler data only to Bob, via the outer onion payload becomes practical and doesn't leak information. Multi-part would work with a single trampoline onion in the invoice (~500 bytes), because nodes can do MPP between trampoline nodes thanks to the onion-in-onion construction. We simply need to decide the size of the trampoline onion to allow each side of the rendezvous to be able to insert a number of hops we're comfortable with. You can find more details in the "Rendezvous on a trampoline" section of [2]. I'm really interested in other approaches to making rendezvous work with the HMACs correctly checking out. If people on this list have drafts, intuitions or random thoughts about possible constructions, please share them, I'd be happy to dive into them to explore alternatives to the one I found, hoping we can make this work and provide this feature to our users in the near future. A small side-note on Hornet. Hornet does offer many features that I believe we will want in Lightning in the future. It may seem that doing a custom rendezvous scheme is a waste of time since we'll ditch it once/if we implement Hornet. While that is true in the long run, I believe that if we're able to find a rendezvous scheme that isn't too much work to implement, it makes sense to have something available soon-ish. Hornet will likely be a longer-term effort that we won't get as soon as we'd like (especially since it will probably require a network-wide update). But who knows, maybe we may see that we are trying to create many features that are already built into Hornet (rendezvous, directed message support, etc) and will decide to implement Hornet sooner than expected? Cheers, Bastien [1] https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002435.html [2] https://gist.github.com/t-bast/ab42a7f52eb2e73105557957c8359601 [3] https://github.com/ACINQ/eclair/tree/sphinx-rendezvous [4] https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002237.html
_______________________________________________ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev