Introduce Dummy Hop support in Blinded Path Constructor

Adds a new constructor for blinded paths that allows specifying
the number of dummy hops.
This enables users to insert arbitrary hops before the real destination,
enhancing privacy by making it harder to infer the sender–receiver
distance or identify the final destination.

Lays the groundwork for future use of dummy hops in blinded path construction.

Co-authored-by: valentinewallace <[email protected]>

Author: shaavan

lightning-background-processor/src/lib.rs

@@ -1127,7 +1127,7 @@ mod tests {
 	use lightning::routing::gossip::{NetworkGraph, P2PGossipSync};
 	use lightning::routing::router::{CandidateRouteHop, DefaultRouter, Path, RouteHop};
 	use lightning::routing::scoring::{ChannelUsage, LockableScore, ScoreLookUp, ScoreUpdate};
-	use lightning::sign::{ChangeDestinationSource, InMemorySigner, KeysManager};
+	use lightning::sign::{ChangeDestinationSource, InMemorySigner, KeysManager, NodeSigner};
 	use lightning::types::features::{ChannelFeatures, NodeFeatures};
 	use lightning::types::payment::PaymentHash;
 	use lightning::util::config::UserConfig;
@@ -1603,6 +1603,7 @@ mod tests {
 			let msg_router = Arc::new(DefaultMessageRouter::new(
 				network_graph.clone(),
 				Arc::clone(&keys_manager),
+				keys_manager.get_inbound_payment_key(),
 			));
 			let chain_source = Arc::new(test_utils::TestChainSource::new(Network::Bitcoin));
 			let kv_store =

lightning-dns-resolver/src/lib.rs

@@ -232,7 +232,14 @@ mod test {
 			secp_ctx: &Secp256k1<T>,
 		) -> Result<Vec<BlindedMessagePath>, ()> {
 			let keys = KeysManager::new(&[0; 32], 42, 43);
-			Ok(vec![BlindedMessagePath::one_hop(recipient, context, &keys, secp_ctx).unwrap()])
+			Ok(vec![BlindedMessagePath::one_hop(
+				recipient,
+				context,
+				keys.get_inbound_payment_key(),
+				&keys,
+				secp_ctx,
+			)
+			.unwrap()])
 		}
 	}
 	impl Deref for DirectlyConnectedRouter {
@@ -334,8 +341,14 @@ mod test {
 		let (msg, context) =
 			payer.resolver.resolve_name(payment_id, name.clone(), &*payer_keys).unwrap();
 		let query_context = MessageContext::DNSResolver(context);
-		let reply_path =
-			BlindedMessagePath::one_hop(payer_id, query_context, &*payer_keys, &secp_ctx).unwrap();
+		let reply_path = BlindedMessagePath::one_hop(
+			payer_id,
+			query_context,
+			payer_keys.get_inbound_payment_key(),
+			&*payer_keys,
+			&secp_ctx,
+		)
+		.unwrap();
 		payer.pending_messages.lock().unwrap().push((
 			DNSResolverMessage::DNSSECQuery(msg),
 			MessageSendInstructions::WithSpecifiedReplyPath {

lightning-liquidity/tests/common/mod.rs

@@ -5,7 +5,7 @@
 #![allow(unused_macros)]
 
 use lightning::chain::Filter;
-use lightning::sign::EntropySource;
+use lightning::sign::{EntropySource, NodeSigner};
 
 use bitcoin::blockdata::constants::{genesis_block, ChainHash};
 use bitcoin::blockdata::transaction::Transaction;
@@ -418,8 +418,11 @@ pub(crate) fn create_liquidity_node(
 		scorer.clone(),
 		Default::default(),
 	));
-	let msg_router =
-		Arc::new(DefaultMessageRouter::new(Arc::clone(&network_graph), Arc::clone(&keys_manager)));
+	let msg_router = Arc::new(DefaultMessageRouter::new(
+		Arc::clone(&network_graph),
+		Arc::clone(&keys_manager),
+		keys_manager.get_inbound_payment_key(),
+	));
 	let chain_source = Arc::new(test_utils::TestChainSource::new(Network::Bitcoin));
 	let kv_store =
 		Arc::new(FilesystemStore::new(format!("{}_persister_{}", &persist_dir, i).into()));

lightning/src/blinded_path/message.rs

@@ -56,23 +56,51 @@ impl Readable for BlindedMessagePath {
 impl BlindedMessagePath {
 	/// Create a one-hop blinded path for a message.
 	pub fn one_hop<ES: Deref, T: secp256k1::Signing + secp256k1::Verification>(
-		recipient_node_id: PublicKey, context: MessageContext, entropy_source: ES,
-		secp_ctx: &Secp256k1<T>,
+		recipient_node_id: PublicKey, context: MessageContext,
+		expanded_key: inbound_payment::ExpandedKey, entropy_source: ES, secp_ctx: &Secp256k1<T>,
 	) -> Result<Self, ()>
 	where
 		ES::Target: EntropySource,
 	{
-		Self::new(&[], recipient_node_id, context, entropy_source, secp_ctx)
+		Self::new(&[], recipient_node_id, context, entropy_source, expanded_key, secp_ctx)
 	}
 
 	/// Create a path for an onion message, to be forwarded along `node_pks`. The last node
 	/// pubkey in `node_pks` will be the destination node.
 	///
 	/// Errors if no hops are provided or if `node_pk`(s) are invalid.
-	//  TODO: make all payloads the same size with padding + add dummy hops
 	pub fn new<ES: Deref, T: secp256k1::Signing + secp256k1::Verification>(
 		intermediate_nodes: &[MessageForwardNode], recipient_node_id: PublicKey,
-		context: MessageContext, entropy_source: ES, secp_ctx: &Secp256k1<T>,
+		context: MessageContext, entropy_source: ES, expanded_key: inbound_payment::ExpandedKey,
+		secp_ctx: &Secp256k1<T>,
+	) -> Result<Self, ()>
+	where
+		ES::Target: EntropySource,
+	{
+		BlindedMessagePath::new_with_dummy_hops(
+			intermediate_nodes,
+			0,
+			recipient_node_id,
+			context,
+			entropy_source,
+			expanded_key,
+			secp_ctx,
+		)
+	}
+
+	/// Create a path for an onion message, to be forwarded along `node_pks`.
+	///
+	/// Additionally allows appending a number of dummy hops before the final hop,
+	/// increasing the total path length and enhancing privacy by obscuring the true
+	/// distance between sender and recipient.
+	///
+	/// The last node pubkey in `node_pks` will be the destination node.
+	///
+	/// Errors if no hops are provided or if `node_pk`(s) are invalid.
+	pub fn new_with_dummy_hops<ES: Deref, T: secp256k1::Signing + secp256k1::Verification>(
+		intermediate_nodes: &[MessageForwardNode], dummy_hops_count: u8,
+		recipient_node_id: PublicKey, context: MessageContext, entropy_source: ES,
+		expanded_key: inbound_payment::ExpandedKey, secp_ctx: &Secp256k1<T>,
 	) -> Result<Self, ()>
 	where
 		ES::Target: EntropySource,
@@ -89,9 +117,12 @@ impl BlindedMessagePath {
 			blinding_point: PublicKey::from_secret_key(secp_ctx, &blinding_secret),
 			blinded_hops: blinded_hops(
 				secp_ctx,
+				entropy_source,
+				expanded_key,
 				intermediate_nodes,
 				recipient_node_id,
 				context,
+				dummy_hops_count,
 				&blinding_secret,
 			)
 			.map_err(|_| ())?,
@@ -260,7 +291,7 @@ pub(crate) struct ForwardTlvs {
 }
 
 /// A blank struct, representing dummy tlv prior to authentication.
-/// 
+///
 /// For more details, see [`DummyTlv`].
 pub(crate) struct UnauthenticatedDummyTlv {}
 
@@ -288,15 +319,15 @@ impl Verification for UnauthenticatedDummyTlv {
 /// Represents the dummy TLV encoded immediately before the actual [`ReceiveTlvs`] in a blinded path.
 /// These TLVs are intended for the final node and are recursively authenticated and verified until
 /// the real [`ReceiveTlvs`] is reached.
-/// 
+///
 /// Their purpose is to arbitrarily extend the path length, obscuring the receiver's position in the
 /// route and thereby enhancing privacy.
-/// 
+///
 /// ## Authentication
 /// Authentication provides an additional layer of security, ensuring that the path is legitimate
 /// and terminates in valid [`ReceiveTlvs`] data. Verification begins with the first dummy hop and
 /// continues recursively until the final [`ReceiveTlvs`] is reached.
-/// 
+///
 /// This prevents an attacker from crafting a bogus blinded path consisting solely of dummy tlv
 /// without any valid payload, which could otherwise waste resources through recursive
 /// processing — a potential vector for DoS-like attacks.
@@ -563,13 +594,18 @@ impl_writeable_tlv_based!(DNSResolverContext, {
 pub(crate) const MESSAGE_PADDING_ROUND_OFF: usize = 100;
 
 /// Construct blinded onion message hops for the given `intermediate_nodes` and `recipient_node_id`.
-pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
-	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
-	recipient_node_id: PublicKey, context: MessageContext, session_priv: &SecretKey,
-) -> Result<Vec<BlindedHop>, secp256k1::Error> {
+pub(super) fn blinded_hops<ES: Deref, T: secp256k1::Signing + secp256k1::Verification>(
+	secp_ctx: &Secp256k1<T>, entropy_source: ES, expanded_key: inbound_payment::ExpandedKey,
+	intermediate_nodes: &[MessageForwardNode], recipient_node_id: PublicKey,
+	context: MessageContext, dummy_hops_count: u8, session_priv: &SecretKey,
+) -> Result<Vec<BlindedHop>, secp256k1::Error>
+where
+	ES::Target: EntropySource,
+{
 	let pks = intermediate_nodes
 		.iter()
 		.map(|node| node.node_id)
+		.chain((0..dummy_hops_count).map(|_| recipient_node_id))
 		.chain(core::iter::once(recipient_node_id));
 	let is_compact = intermediate_nodes.iter().any(|node| node.short_channel_id.is_some());
 
@@ -584,6 +620,12 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 		.map(|next_hop| {
 			ControlTlvs::Forward(ForwardTlvs { next_hop, next_blinding_override: None })
 		})
+		.chain((0..dummy_hops_count).map(|_| {
+			let dummy_tlv = UnauthenticatedDummyTlv {};
+			let nonce = Nonce::from_entropy_source(&*entropy_source);
+			let hmac = dummy_tlv.hmac_data(nonce, &expanded_key);
+			ControlTlvs::Dummy(DummyTlv { dummy_tlv, authentication: (hmac, nonce) })
+		}))
 		.chain(core::iter::once(ControlTlvs::Receive(ReceiveTlvs { context: Some(context) })));
 
 	if is_compact {

lightning/src/ln/functional_test_utils.rs

@@ -27,7 +27,7 @@ use crate::onion_message::messenger::OnionMessenger;
 use crate::ln::onion_utils::LocalHTLCFailureReason;
 use crate::routing::gossip::{P2PGossipSync, NetworkGraph, NetworkUpdate};
 use crate::routing::router::{self, PaymentParameters, Route, RouteParameters};
-use crate::sign::{EntropySource, RandomBytes};
+use crate::sign::{EntropySource, NodeSigner, RandomBytes};
 use crate::util::config::{MaxDustHTLCExposure, UserConfig};
 use crate::util::logger::Logger;
 use crate::util::scid_utils;
@@ -723,7 +723,7 @@ impl<'a, 'b, 'c> Drop for Node<'a, 'b, 'c> {
 					signer_provider: self.keys_manager,
 					fee_estimator: &test_utils::TestFeeEstimator::new(253),
 					router: &test_utils::TestRouter::new(Arc::clone(&network_graph), &self.logger, &scorer),
-					message_router: &test_utils::TestMessageRouter::new(network_graph, self.keys_manager),
+					message_router: &test_utils::TestMessageRouter::new(network_graph, self.keys_manager, self.keys_manager.get_inbound_payment_key()),
 					chain_monitor: self.chain_monitor,
 					tx_broadcaster: &broadcaster,
 					logger: &self.logger,
@@ -3347,7 +3347,7 @@ pub fn create_node_cfgs_with_persisters<'a>(node_count: usize, chanmon_cfgs: &'a
 			tx_broadcaster: &chanmon_cfgs[i].tx_broadcaster,
 			fee_estimator: &chanmon_cfgs[i].fee_estimator,
 			router: test_utils::TestRouter::new(network_graph.clone(), &chanmon_cfgs[i].logger, &chanmon_cfgs[i].scorer),
-			message_router: test_utils::TestMessageRouter::new(network_graph.clone(), &chanmon_cfgs[i].keys_manager),
+			message_router: test_utils::TestMessageRouter::new(network_graph.clone(), &chanmon_cfgs[i].keys_manager, chanmon_cfgs[i].keys_manager.get_inbound_payment_key()),
 			chain_monitor,
 			keys_manager: &chanmon_cfgs[i].keys_manager,
 			node_seed: seed,

lightning/src/ln/functional_tests.rs

@@ -18,7 +18,7 @@ use crate::chain::channelmonitor;
 use crate::chain::channelmonitor::{Balance, ChannelMonitorUpdateStep, CLTV_CLAIM_BUFFER, LATENCY_GRACE_PERIOD_BLOCKS, ANTI_REORG_DELAY, COUNTERPARTY_CLAIMABLE_WITHIN_BLOCKS_PINNABLE};
 use crate::chain::transaction::OutPoint;
 use crate::ln::onion_utils::LocalHTLCFailureReason;
-use crate::sign::{ecdsa::EcdsaChannelSigner, EntropySource, OutputSpender, SignerProvider};
+use crate::sign::{ecdsa::EcdsaChannelSigner, EntropySource, NodeSigner, OutputSpender, SignerProvider};
 use crate::events::bump_transaction::WalletSource;
 use crate::events::{Event, FundingInfo, PathFailure, PaymentPurpose, ClosureReason, HTLCHandlingFailureType, PaymentFailureReason};
 use crate::ln::types::ChannelId;
@@ -5992,7 +5992,7 @@ pub fn test_key_derivation_params() {
 	let network_graph = Arc::new(NetworkGraph::new(Network::Testnet, &chanmon_cfgs[0].logger));
 	let scorer = RwLock::new(test_utils::TestScorer::new());
 	let router = test_utils::TestRouter::new(network_graph.clone(), &chanmon_cfgs[0].logger, &scorer);
-	let message_router = test_utils::TestMessageRouter::new(network_graph.clone(), &keys_manager);
+	let message_router = test_utils::TestMessageRouter::new(network_graph.clone(), &keys_manager, keys_manager.get_inbound_payment_key());
 	let node = NodeCfg { chain_source: &chanmon_cfgs[0].chain_source, logger: &chanmon_cfgs[0].logger, tx_broadcaster: &chanmon_cfgs[0].tx_broadcaster, fee_estimator: &chanmon_cfgs[0].fee_estimator, router, message_router, chain_monitor, keys_manager: &keys_manager, network_graph, node_seed: seed, override_init_features: alloc::rc::Rc::new(core::cell::RefCell::new(None)) };
 	let mut node_cfgs = create_node_cfgs(3, &chanmon_cfgs);
 	node_cfgs.remove(0);