[Lightning-dev] Outsourcing route computation with trampoline payments

ZmnSCPxj ZmnSCPxj at protonmail.com
Thu Apr 4 09:44:49 UTC 2019 

Good morning list,


> Could this be implemented by replacing only the front of the trampoline-level onion?
> (presumably with some adjustment of how the HMAC is computed for the new trampoline layer)

I am trying to design a trampoline-level onion that would allow replacement of the first hop of the onion.

Below is what I came up with.
As I am neither a cryptographer nor a mathematician, I am unable to consider, whether this may have some problem in security.

Now the "normal" onion, the first hop is encrypted to the recipient.

I propose that for the "inner" trampoline-level onion, the first hop be sent "in the clear".
I think this is still secure, as the "inner" trampoline-level onion will still be wrapped by the outer link-level onion, which would still encrypt it.

When a node receives a trampoline-level onion, it checks if it is the first hop.
If it is, then it decrypts the rest of the onion and tries to route to the next trampoline-level node.
If not, then it is being delegated to, to find the trampoline.

If the node cannot find the front of the trampoline-level onion, then it can route it to another node that it suspects is more likely to know the destination (such as the mechanisms in discussion in the "Routemap Scaling" thread).

Let me provide a concrete example.

Payer Z creates a trampoline-level onion C->D->E:

C | Z | encrypt(Z * C, D | encrypt(Z * D, E))

Then Z routes to link-level onion A->B->C, with the payload to C being the above trampoline-level onion:

encrypt(Z * A, "link level" | B | encrypt(Z * B, "link level" | C | encrypt(Z * C, "trampoline level" | C | Z | encrypt(Z * C, D | encrypt(Z * D, E)))))

Upon reaching C, it sees it is given a trampoline-level onion, and if C is unable to find D in its local map, it can delegate it to some other node.

For example, if C thinks its neighbor M knows D, it can create:

encrypt(C * M, "link level" | M | encrypt(C * M, "trampoline level" | D | Z | encrypt(Z * D, E)))

M finds that it is not the first hop in the trampoline-level onion.
So M finds a route to D, for example via M->N->D, and gives:

encrypt(M * N, "link level" | D | encrypt(M * D, "trampoline level" | D | Z | encrypt(Z * D, E)))

Is this workable?
Note that it seems to encounter the same problem as Rendezvous Routing.
I assume it is possible to do this somehow (else how would hidden services in Tor work?), but the details, I am uncertain of.
I only play a cryptographer on Internet.

Regards,
ZmnSCPxj

More information about the Lightning-dev mailing list