Ecash (esp. Locked to pubkey ecash) seems to fit really well with realtime use cases like this, but it also is a custodial model. More precisely it is custodial but does not compromise privacy at the sender level OR the receiver (relay) level.
Still, just like how when you make a trade p2p you might want an arbiter you both trust to resolve conflicts, if a relay broadcasts a list of trusted mints, and the client user also trusts one of those mints (they should be careful that the mint is not owned by the relay ideally for reasons...), then the client can purchase ecash upfront and send it with their tor packets with practically no latency cost because with pay to pubkey ecash, the tor relay only needs to check the ecash signature and the pubkey to know that the ecash is legit, and no one else could possibly claim the sats but themselves as the pubkey owner.
reply
keysend
in the data stream (instead of at the circuit build step).Keysend Goal
Basic Concept
Steps
1. Client
P
and its hashH
.P
with Relay 1's public key to createEnc_PK1(P)
.H
andEnc_PK1(P)
.2. Relays
H
, and encrypted preimageEnc_PK1(P)
.3. Recipient Relay (Relay 2)
Enc_PK1(P)
back to Relay 1.4. Relay 1
Enc_PK1(P)
using its private key to retrieve the preimageP
.hash(P) = H
.Security
Will it work in practice?