📅 Original date posted:2019-06-09
📝 Original message:
Hi list,
In the last couple weeks we came up with two ideas that you might find
interesting. One is how to do spontaneous lightning payments to a node only
with the knowledge of the node id, and the second one is how to generate
invoices for the offline vending machine with arbitrary amounts without
exposing node secrets to it. Both tricks use ECDH key agreement but in a
slightly different way.
# Spontaneous payments.
The idea is to send the payment to a friend only with the knowledge of his
node id. In this situation the node id acts similar to a bitcoin address
for lightning.
When we create an onion packet for the target node we calculate a common
secret with ECDH ( x-coordinate of `k * N` where `k` is a ephemeral key and
`N` is the node id). We can use the double-sha256 of this common secret as
a payment hash for the htlc and a single sha256 of this secret will be the
preimage.
Christian Decker was very kind and implemented this feature as a plugin for
c-lightning (https://github.com/cdecker/lightning/tree/stepan-pay) and it
looks like the changes to be made are pretty small.
IMHO it would be nice to have such functionality and it can be used for
payments between friends or for donations to charity organisations.
# Offline invoice generation
Some time ago there was a discussion about offline vending machines, the
idea was to pre-load a vending machine with invoices, display invoices to
the user and ask for the preimage as a payment confirmation. When all
invoices are used or expired we refill it with the new ones. It is great
but it doesn't work if the payment amount is variable (pay for volume or
time).
An alternative could be to share the node private key with the vending
machines to generate invoices on the fly, but it is a security hole. There
is a trick though how generate invoices that our online node could claim
without exposing any secrets to the vending machine.
Vending machine generates an ephemeral key `k` and corresponding ephemeral
node id `K`. It generates an invoice signed with this key. It also includes
a routing information that the payment should go through our online node
`N`. As a preimage we use `hmac-sha256(x, amount)` where `x` is a secret
key from ECDH(K, N) - (x-coordinate of `k * N`). We also put the amount
into the 8-byte short channel id in the routing information to ensure that
the node can calculate the preimage even if the user is willing to pay a
tip and increases the amount of the htlc.
When our online node is asked to route a payment to an unknown node `K` it
tries to generate the preimage. It calculates the ECDH secret `x`
(x-coordinate of `n * K` where `n` is a private key corresponding to its
node id) and calculates the preimage from the amount encoded in the short
channel id and the secret x. If the preimage matches the payment hash it
can claim the money (also checking that htlc amount is greater or equal the
amount encoded in the channel id).
This construction allows to generate invoices on a vending machine or a web
server without ever talking to the node itself. In contrast to the
spontaneous payments described above the payer has no idea about the
preimage.
I don't suggest to include this in the node implementation as is, but
having a plugin / add-on with such functionality could be interesting.
Cheers,
Stepan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190609/5af088ec/attachment.html>;
Stepan Snigirev [ARCHIVE] /
npub1xz…czrtg
2023-06-09 12:55:05
in reply to nevent1q…sn4d
Author Public Key
npub1xzl2lq5eguuel0htwdy2s6lrjype7kdye6vhp4j60t79fmrtna5qcczrtgSeen on
wss://relay.nostr.bandPublished at
2023-06-09 12:55:05Event JSON
{
"id": "995b94ee3a01e91fbd0a396f0d5a8783339af8cc10f9bbd75a4dc9eab6560f74",
"pubkey": "30beaf829947399fbeeb7348a86be391039f59a4ce9970d65a7afc54ec6b9f68",
"created_at": 1686315305,
"kind": 1,
"tags": [
[
"e",
"3047eca7875ef1eb20063dbea079c314415e03add4cc476c8f7c8a56660005bd",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2019-06-09\n📝 Original message:\nHi list,\n\nIn the last couple weeks we came up with two ideas that you might find\ninteresting. One is how to do spontaneous lightning payments to a node only\nwith the knowledge of the node id, and the second one is how to generate\ninvoices for the offline vending machine with arbitrary amounts without\nexposing node secrets to it. Both tricks use ECDH key agreement but in a\nslightly different way.\n\n# Spontaneous payments.\n\nThe idea is to send the payment to a friend only with the knowledge of his\nnode id. In this situation the node id acts similar to a bitcoin address\nfor lightning.\n\nWhen we create an onion packet for the target node we calculate a common\nsecret with ECDH ( x-coordinate of `k * N` where `k` is a ephemeral key and\n`N` is the node id). We can use the double-sha256 of this common secret as\na payment hash for the htlc and a single sha256 of this secret will be the\npreimage.\n\nChristian Decker was very kind and implemented this feature as a plugin for\nc-lightning (https://github.com/cdecker/lightning/tree/stepan-pay) and it\nlooks like the changes to be made are pretty small.\n\nIMHO it would be nice to have such functionality and it can be used for\npayments between friends or for donations to charity organisations.\n\n# Offline invoice generation\n\nSome time ago there was a discussion about offline vending machines, the\nidea was to pre-load a vending machine with invoices, display invoices to\nthe user and ask for the preimage as a payment confirmation. When all\ninvoices are used or expired we refill it with the new ones. It is great\nbut it doesn't work if the payment amount is variable (pay for volume or\ntime).\n\nAn alternative could be to share the node private key with the vending\nmachines to generate invoices on the fly, but it is a security hole. There\nis a trick though how generate invoices that our online node could claim\nwithout exposing any secrets to the vending machine.\n\nVending machine generates an ephemeral key `k` and corresponding ephemeral\nnode id `K`. It generates an invoice signed with this key. It also includes\na routing information that the payment should go through our online node\n`N`. As a preimage we use `hmac-sha256(x, amount)` where `x` is a secret\nkey from ECDH(K, N) - (x-coordinate of `k * N`). We also put the amount\ninto the 8-byte short channel id in the routing information to ensure that\nthe node can calculate the preimage even if the user is willing to pay a\ntip and increases the amount of the htlc.\n\nWhen our online node is asked to route a payment to an unknown node `K` it\ntries to generate the preimage. It calculates the ECDH secret `x`\n(x-coordinate of `n * K` where `n` is a private key corresponding to its\nnode id) and calculates the preimage from the amount encoded in the short\nchannel id and the secret x. If the preimage matches the payment hash it\ncan claim the money (also checking that htlc amount is greater or equal the\namount encoded in the channel id).\n\nThis construction allows to generate invoices on a vending machine or a web\nserver without ever talking to the node itself. In contrast to the\nspontaneous payments described above the payer has no idea about the\npreimage.\n\nI don't suggest to include this in the node implementation as is, but\nhaving a plugin / add-on with such functionality could be interesting.\n\nCheers,\nStepan.\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190609/5af088ec/attachment.html\u003e",
"sig": "ca581dc98435fe550d28753de75e5ba4d61d9e618305ee7eea8d8831acb47bd70785e0abb660f901a971c0578d532414f615ab9f70ee20083e439d9f7efa471c"
}