Author: Corné Plooy 2018-12-06 11:51:30
Published on: 2018-12-06T11:51:30+00:00
The context mentions the use of layer 0 and layer 1 in generating shared secrets between payer and payee, with total_decorrelation_secrets being the final secret that cannot be faked by an attacker. The payment hash and ephemeral key generation are unrelated, which allows an attacker to create a new onion packet around the same payment hash using their own ephemeral key pair. Path decorrelation replaces the payment hash/preimage part and makes the attack impossible by coupling the "H"TLC payment secret generation to the onion shared secret generation. This idea is neat but needs further exploration on how it interacts with rendezvous routing. If the sender and receiver each create their own k values for their part of the route, can the receiver-generated onion packet still use points of the form ((I + K[A]) + K[B]), including K values related to the sender side?
Updated on: 2023-06-02T15:26:02.006004+00:00