Published on: 2023-07-04T20:55:34+00:00
ZmnSCPxj proposes a method for computing blinding factors in onion routing. The objective is to achieve specific properties, such as non-Trampoline nodes only needing one blinding factor and Trampoline nodes being able to provide blinding factors without revealing their involvement. The demonstration begins with the ultimate receiver having a secret value 'r' and providing the point 'R'. In a scenario without intermediate nodes, the ultimate sender chooses a random scalar 'e' as the error blinding factor and constructs an onion that can be decrypted by the ultimate receiver. The ultimate sender also offers a PTLC with the point 'e * G + R'. The ultimate receiver can claim the PTLC by revealing 'e + r'. The demonstration then extends to include an intermediate node named Carol. The ultimate sender still chooses a random scalar 'e' but now needs to generate two scalars 'c' and 'd' such that 'c + d = e'. This can be done by selecting a random 'd' and computing 'c = e - d'. The ultimate sender encrypts the onion with 'e' encrypted to the ultimate receiver and the ciphertext along with 'd' encrypted to Carol. For each intermediate non-Trampoline node like Carol, it adds its per-hop blinding factor times 'G' to the input point and uses the result as the output point to the next hop. Carol receives 'c * G + R', adds 'd * G', and sends a PTLC with the point 'c * G + R + d * G'.In the case where Carol is a Trampoline node, additional steps are followed. The ultimate sender learns 'R' and selects a random 'e'. It also selects 'c' and 'd' such that 'c + d = e'. The ultimate sender computes a Trampoline-level onion with 'e' encrypted to the ultimate receiver and the above ciphertext, 'd', and the next Trampoline hop encrypted to Carol. The PTLC sent to Carol is 'c * G + R'. Carol decrypts the onion and obtains 'd'. It then searches for a route from Carol to the ultimate receiver. Assuming it finds a route Carol -> Alice -> ultimate receiver, Carol needs to make 'c * G + d * G + R' reach the ultimate receiver. To achieve this, Carol selects two scalars 'a' and 'b' such that 'a + b = d'. It creates an onion with the copied ciphertext from the ultimate sender, the above ciphertext, and 'b' encrypted to Alice. The PTLC sent to Alice is 'c * G + R + a * G'. Alice decrypts the onion and learns 'b'. She forwards the PTLC with the point 'c * G + R + a * G + b * G' to the next hop, the ultimate receiver. By construction, the ultimate receiver gets the same 'e * G + R' regardless of whether it was reached via a Trampoline or directly. On claiming, every intermediate node has enough data to claim its incoming PTLC. Only the ultimate sender knows 'c', which allows it to recover the 'r'.
Updated on: 2023-08-11T15:51:43.652221+00:00