From snigirev.stepan at gmail.com Sun Jun 9 19:39:11 2019 From: snigirev.stepan at gmail.com (Stepan Snigirev) Date: Sun, 9 Jun 2019 21:39:11 +0200 Subject: [Lightning-dev] ECDH for spontaneous payments and offline vending machines Message-ID: Hi list, In the last couple weeks we came up with two ideas that you might find interesting. One is how to do spontaneous lightning payments to a node only with the knowledge of the node id, and the second one is how to generate invoices for the offline vending machine with arbitrary amounts without exposing node secrets to it. Both tricks use ECDH key agreement but in a slightly different way. # Spontaneous payments. The idea is to send the payment to a friend only with the knowledge of his node id. In this situation the node id acts similar to a bitcoin address for lightning. When we create an onion packet for the target node we calculate a common secret with ECDH ( x-coordinate of `k * N` where `k` is a ephemeral key and `N` is the node id). We can use the double-sha256 of this common secret as a payment hash for the htlc and a single sha256 of this secret will be the preimage. Christian Decker was very kind and implemented this feature as a plugin for c-lightning (https://github.com/cdecker/lightning/tree/stepan-pay) and it looks like the changes to be made are pretty small. IMHO it would be nice to have such functionality and it can be used for payments between friends or for donations to charity organisations. # Offline invoice generation Some time ago there was a discussion about offline vending machines, the idea was to pre-load a vending machine with invoices, display invoices to the user and ask for the preimage as a payment confirmation. When all invoices are used or expired we refill it with the new ones. It is great but it doesn't work if the payment amount is variable (pay for volume or time). An alternative could be to share the node private key with the vending machines to generate invoices on the fly, but it is a security hole. There is a trick though how generate invoices that our online node could claim without exposing any secrets to the vending machine. Vending machine generates an ephemeral key `k` and corresponding ephemeral node id `K`. It generates an invoice signed with this key. It also includes a routing information that the payment should go through our online node `N`. As a preimage we use `hmac-sha256(x, amount)` where `x` is a secret key from ECDH(K, N) - (x-coordinate of `k * N`). We also put the amount into the 8-byte short channel id in the routing information to ensure that the node can calculate the preimage even if the user is willing to pay a tip and increases the amount of the htlc. When our online node is asked to route a payment to an unknown node `K` it tries to generate the preimage. It calculates the ECDH secret `x` (x-coordinate of `n * K` where `n` is a private key corresponding to its node id) and calculates the preimage from the amount encoded in the short channel id and the secret x. If the preimage matches the payment hash it can claim the money (also checking that htlc amount is greater or equal the amount encoded in the channel id). This construction allows to generate invoices on a vending machine or a web server without ever talking to the node itself. In contrast to the spontaneous payments described above the payer has no idea about the preimage. I don't suggest to include this in the node implementation as is, but having a plugin / add-on with such functionality could be interesting. Cheers, Stepan. -------------- next part -------------- An HTML attachment was scrubbed... URL: