@@ -136,21 +136,19 @@ bool unblind_onion(const struct pubkey *path_key,
136136 /* BOLT #4:
137137 * A reader:
138138 *...
139- * - MUST compute:
140- * - $`ss_i = SHA256(k_i * E_i)`$ (standard ECDH)
141- * - $`b_i = HMAC256(\text{"blinded\_node\_id"}, ss_i) * k_i`$
139+ * - if `path_key` is specified:
140+ * - Calculate the `blinding_ss` as ECDH(`path_key`, `node_privkey`).
141+ * - Either:
142+ * - Tweak `public_key` by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$.
143+ * - or (equivalently):
144+ * - Tweak its own `node_privkey` below by multiplying by $`HMAC256(\text{"blinded\_node\_id"}, blinding\_ss)`$.
142145 */
143146 ecdh (path_key , ss );
144147 subkey_from_hmac ("blinded_node_id" , ss , & hmac );
145148
146- /* We instead tweak the *ephemeral* key from the onion and use
149+ /* We tweak the *ephemeral* key from the onion and use
147150 * our normal privkey: since hsmd knows only how to ECDH with
148- * our real key. IOW: */
149- /* BOLT #4:
150- * - MUST use $`b_i`$ instead of its private key $`k_i`$ to decrypt the onion. Note
151- * that the node may instead tweak the onion ephemeral key with
152- * $`HMAC256(\text{"blinded\_node\_id"}, ss_i)`$ which achieves the same result.
153- */
151+ * our real key. */
154152 return secp256k1_ec_pubkey_tweak_mul (secp256k1_ctx ,
155153 & onion_key -> pubkey ,
156154 hmac .data ) == 1 ;
@@ -166,17 +164,19 @@ u8 *decrypt_encmsg_raw(const tal_t *ctx,
166164 static const unsigned char npub [crypto_aead_chacha20poly1305_ietf_NPUBBYTES ];
167165
168166 /* BOLT #4:
169- * A reader:
167+ * The reader of the `encrypted_recipient_data` :
170168 *...
171- *- MUST decrypt the `encrypted_data` field using $`rho_i`$ and use
172- * the decrypted fields to locate the next node
169+ *- $`rho_i = HMAC256(\text{"rho"}, ss_i)`$
170+ *- MUST decrypt the `encrypted_recipient_data` field using $`rho_i`$
171+ * as a key using ChaCha20-Poly1305 and an all-zero nonce key.
173172 */
174173 subkey_from_hmac ("rho" , ss , & rho );
175174
176175 /* BOLT #4:
177- *- If the `encrypted_data` field is missing or cannot
178- * be decrypted:
179- * - MUST return an error
176+ * - If the `encrypted_recipient_data` field is missing, cannot be
177+ * decrypted into an `encrypted_data_tlv` or contains unknown even
178+ * fields:
179+ * - MUST return an error
180180 */
181181 /* Too short? */
182182 if (tal_bytelen (enctlv ) < crypto_aead_chacha20poly1305_ietf_ABYTES )
@@ -203,10 +203,10 @@ struct tlv_encrypted_data_tlv *decrypt_encrypted_data(const tal_t *ctx,
203203 size_t maxlen = tal_bytelen (cursor );
204204
205205 /* BOLT #4:
206- *
207- * - MUST return an error if `encrypted_recipient_data` does not decrypt
208- * using the `path_key` as described in
209- * [Route Blinding](#route-blinding).
206+ * - If the `encrypted_recipient_data` field is missing, cannot be
207+ * decrypted into an `encrypted_data_tlv` or contains unknown even
208+ * fields:
209+ * - MUST return an error
210210 */
211211 /* Note: our parser consider nothing is a valid TLV, but decrypt_encmsg_raw
212212 * returns NULL if it couldn't decrypt. */
@@ -244,16 +244,13 @@ void blindedpath_next_path_key(const struct tlv_encrypted_data_tlv *enc,
244244 * - $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$
245245 * ...
246246 * - If `encrypted_data` contains a `next_path_key_override`:
247- * - MUST use it as the next `path_key` instead of $`E_{i+1}`$
248- * - Otherwise:
249- * - MUST use $`E_{i+1}`$ as the next `path_key`
247+ * - MUST use it as the next `path_key`.
248+ * - Otherwise:
249+ * - MUST use $`E_{i+1} = SHA256(E_i || ss_i) * E_i `$ as the next `path_key`
250250 */
251251 if (enc -> next_path_key_override )
252252 * next_path_key = * enc -> next_path_key_override ;
253253 else {
254- /* BOLT #4:
255- * $`E_{i+1} = SHA256(E_i || ss_i) * E_i`$
256- */
257254 struct sha256 h ;
258255 blinding_hash_e_and_ss (path_key , ss , & h );
259256 blinding_next_path_key (path_key , & h , next_path_key );