Onion Messaging In Depth

  1. There’s a new message (387, aka onion_message), which contains a “blinding point” and an onion message.
  2. The onion message is just like the one used inside update_add_htlc, except it’s a variable size instead of always having 1300 bytes of payload data.
  3. You can’t just unwrap the onion though: it’s been created for your blinded address, not your normal node id. But you can figure out what that was, using that “blinding point”: you use ECDH to get a shared secret ss, and then you can determine the blinding tweak: HMAC256("blinded_node_id", ss). You can multiply your private key by that blinding tweak and unwrap the onion, but you can also simply multiply the ephemeral key inside the onion by that blinding tweak (and then use your normal key to unwrap) for the same effect.
  4. Now you get the variable length contents of the hop, called an onionmsg_payload. It’s actually a type-length-value stream, and if you’re the final node it contains the reply path, offer request or whatever. But if you’re an intermediate node it only contains one field, an encrypted blob called “enctlv”.
  5. You use that ss from the blinding point to derive the decryption key: HMAC256("rho", ss) gives the key (this identical formulation is used inside the Sphinx protocol to unwrap the onion itself). ChaCha20-Poly1305’s AEAD is used with a 96-bit all-zero nonce.
  6. This second decryption gives you another TLV stream. This one contains the next node id to send the message to, and optionally a new blinding point to hand it.
  7. If that tlv stream didn’t specify a new blinding point, derive it from the current one by hashing in the shared secret: SHA256(blinding point || ss).
  8. Pass the unwrapped onion and new blinding point to the next peer using a fresh onion message. If it doesn’t support onion messages, no loss, since it’s an odd message that it will happily ignore.
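Here is a worked example of the key derivations in steps 3 to 7, written for this page; it is not code from Rusty’s post or from any Lightning implementation. It uses only the Python standard library (a minimal secp256k1 in affine coordinates, HMAC-SHA256 and SHA256). The shared secret ss is taken to be SHA256 of the compressed ECDH point, and the SHA256(blinding point || ss) of step 7 is read as a scalar tweak applied to the current blinding point; both are assumptions about the notation in the post, marked in the comments. The ChaCha20-Poly1305 decryption of step 5 is not performed (the standard library lacks it), so the example stops at the derived rho key and the zero nonce. The point it demonstrates is the equivalence claimed in step 3: tweaking your private key, or tweaking the ephemeral key inside the onion, yields the same Sphinx shared secret, and the receiver can confirm that the onion really was built for its blinded node id.

```python
import hashlib
import hmac

# secp256k1 parameters: field prime, group order, generator.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, p):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    k %= N
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def compress(p):
    """33-byte compressed SEC1 encoding, the wire form of a node id."""
    x, y = p
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def ecdh(priv, pub):
    """ss = SHA256(compressed ECDH point).  Assumption: this is the
    serialisation behind the post's 'use ECDH to get a shared secret ss'."""
    return hashlib.sha256(compress(point_mul(priv, pub))).digest()


def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def blinding_tweak(ss):
    """Step 3: HMAC256("blinded_node_id", ss) read as a scalar mod N."""
    return int.from_bytes(hmac256(b"blinded_node_id", ss), "big") % N


def rho_key(ss):
    """Step 5: the ChaCha20-Poly1305 key for the enctlv blob."""
    return hmac256(b"rho", ss)


ENCTLV_NONCE = bytes(12)  # step 5: 96-bit all-zero nonce


def next_blinding_point(E, ss):
    """Step 7: SHA256(blinding point || ss).  Assumption: the hash is used
    as a scalar tweak on the current blinding point E."""
    t = int.from_bytes(hashlib.sha256(compress(E) + ss).digest(), "big") % N
    return point_mul(t, E)


def _scalar(label):
    """Constructed, deterministic test scalar (never derive real keys this way)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N


def hop_demo():
    """Sender blinds one hop; the receiver unwraps it both ways from step 3."""
    k = _scalar(b"constructed: hop node private key")
    node_id = point_mul(k, G)
    # Sender: blinding ephemeral e gives E (sent in onion_message) and the
    # blinded node id B that this hop's onion layer is built for.
    e = _scalar(b"constructed: sender blinding ephemeral")
    E = point_mul(e, G)
    B = point_mul(blinding_tweak(ecdh(e, node_id)), node_id)
    # The Sphinx onion carries its own ephemeral key, keyed against B.
    o = _scalar(b"constructed: onion ephemeral")
    onion_eph = point_mul(o, G)
    sender_onion_ss = ecdh(o, B)
    # Receiver: recover ss from the blinding point and derive the tweak.
    ss = ecdh(k, E)
    t = blinding_tweak(ss)
    blinded_priv = (t * k) % N                      # route A: tweak own key
    route_a = ecdh(blinded_priv, onion_eph)
    route_b = ecdh(k, point_mul(t, onion_eph))      # route B: tweak onion key
    return {
        "blinded_id_matches": compress(point_mul(blinded_priv, G)) == compress(B),
        "route_a": route_a, "route_b": route_b, "sender_onion_ss": sender_onion_ss,
        "rho": rho_key(ss), "next_E": compress(next_blinding_point(E, ss)),
    }


if __name__ == "__main__":
    d = hop_demo()
    print("routes agree:", d["route_a"] == d["route_b"] == d["sender_onion_ss"])
    print("rho:", d["rho"].hex(), "next E:", d["next_E"].hex())
```

Because scalar multiplication is associative, (t·k)·O equals k·(t·O), which is all the equivalence in step 3 rests on; the receiver never needs to know e, only the blinding point E it was handed. The optional "new blinding point" field of step 6 simply replaces the output of next_blinding_point for the next hop.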

Rusty is a Linux kernel dev who wandered into Blockstream, and is currently trying to produce a prototype and spec for bitcoin lightning. Hodls bitcoin (only).
