Author: Anthony Towns 2015-09-22 05:25:44
Published on: 2015-09-22T05:25:44+00:00
In this email exchange, Anthony Towns suggests using OFB or CTR mode for the symmetric cipher to calculate D_KD() of all padding. Rusty Russell proposes a method which involves having two R values, where one is known by the recipient and the other by the sender. He explains that including S encrypted to the final recipient in the onion payload can make the htlc irredeemable so misrouting it gives no information. Anthony Towns then suggests combining both approaches; he suggests setting S as sha256(H+X) where X is the plaintext routing message the payee gets and H is its hash that was prefixed to the plaintext. He further adds that revealing S as well as R would be required for payment redemption. The combined approach makes any attempt to garble the padding render the payment unredeemable without relying on any verification/cooperation from anyone else on the network.
Updated on: 2023-05-18T00:35:39.852030+00:00