Description
Obfuscation
BOLT-4 uses the term "obfuscation" quite a lot, with the meaning of "encryption". This choice doesn't seem intuitive, and in practice, people rarely use that word to imply security. Generally, things are obfuscated in software for obscurity, not for security.
I suggest replacing obfuscation/obfuscate with "encryption", "hidden"/"hide", or "secrecy".
For example:
The packet is obfuscated at each hop
To:
The packet is encrypted at each hop
pseudo-random byte stream that is used to obfuscate the per-hop information
To:
pseudo-random byte stream that is used to hide the per-hop information
The hop_payloads field is a structure that holds obfuscated routing information
To:
The hop_payloads field is a structure that holds hidden routing information
Modulo
When deriving a new ephemeral key, the Golang algorithm also applies modulo, ensuring that the value is within the field. However, this is not documented anywhere else in the document.
If the implementer is not aware that the exponent might overflow, the consequences are shifted towards the underlying secp256k1 library, and the behaviour between implementations that use different crypto libraries might vary.
I suggest changing this:
$e_{i+1} = SHA256(E_i || ss_i) * e_i$ (ephemeral private path key, only known by $N_r$)
$E_{i+1} = SHA256(E_i || ss_i) * E_i$ (path_key. NB: $N_i$ MUST NOT learn $e_i$)
Into this:
$e_{i+1} = SHA256(E_i || ss_i) * e_i\ mod\ N_{256}$ (ephemeral private path key, only known by $N_r$)
$E_{i+1} = (SHA256(E_i || ss_i)\ mod\ N_{256}) * E_i$ (path_key. NB: $N_i$ MUST NOT learn $e_i$)
There's also the alternative to assume that in every multiplication operation between a scalar and an elliptic curve point, the scalar is implicitly mapped to a valid field element by applying modulo, but this should be specified in the document, as a preliminary.
Shift size
In the Packet Construction section, the shift_size is defined, after which the golang code replaces it with hopDataSize.
I suggest replacing this:
filler := generateHeaderPadding("rho", numHops, hopDataSize, hopSharedSecrets)
With this:
filler := generateHeaderPadding("rho", numHops, shiftSize, hopSharedSecrets)
And also include the code for calculating shiftSize:
shiftSize := buf.len()