From 64ce121cdc658a4b4a949c055adf8c1284298500 Mon Sep 17 00:00:00 2001
From: ziggieXXX <90319354+ziggie1984@users.noreply.github.com>
Date: Tue, 2 Jul 2024 12:03:54 +0200
Subject: [PATCH] BOLT04: Add rationale for constant error decryption. (#1154)

To avoid timing analysis when decrypting failed payments the sender
should act as if the failure in the route came for the 27th hop.
Also changed the maximum number of hops in the route from 20 (legacy)
to 27 (tlv onion).
---
 04-onion-routing.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/04-onion-routing.md b/04-onion-routing.md
index 30a6352e4..d6c68563d 100644
--- a/04-onion-routing.md
+++ b/04-onion-routing.md
@@ -1057,9 +1057,17 @@ The _erring node_:
 The _origin node_:
   - once the return message has been decrypted:
     - SHOULD store a copy of the message.
-    - SHOULD continue decrypting, until the loop has been repeated 20 times.
+    - SHOULD continue decrypting, until the loop has been repeated 27 times
+    (maximum route length of tlv payload type).
     - SHOULD use constant `ammag` and `um` keys to obfuscate the route length.
 
+### Rationale
+
+The requirements for the _origin node_ should help hide the payment sender.
+By continuing decrypting 27 times (dummy decryption cycles after the error is found)
+the erroring node cannot learn its relative position in the route by performing
+a timing analysis if the sender were to retry the same route multiple times.
+
 ## Failure Messages
 
 The failure message encapsulated in `failuremsg` has an identical format as