Skip to content

Commit

Permalink
add sender authentication
Browse files Browse the repository at this point in the history
  • Loading branch information
joostjager committed Feb 9, 2022
1 parent 0cd3f84 commit 9c4d8f8
Show file tree
Hide file tree
Showing 2 changed files with 93 additions and 0 deletions.
1 change: 1 addition & 0 deletions blip-0002.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ The following table contains extension tlv fields for the `payment_onion_payload

| Type | Name | Link |
|-------------|-----------------------------|--------------------------------|
| 83231 | `sender_auth` | [bLIP 14](./blip-0014.md) |
| 7629169 | `podcasting_2_0` | [bLIP 10](./blip-0010.md) |


Expand Down
92 changes: 92 additions & 0 deletions blip-0014.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
```
bLIP: 14
Title: Sender authentication
Status: Draft
Author: Joost Jager <[email protected]>
Created: 2022-02-04
License: CC0
```

## Abstract

By default, the lightning protocol protects the sender identity by means of
ephemeral keys and onion routing. There are however use cases that ask for
inclusion of the sender identity with a payment.

This bLIP serves to document a way to authenticate the sender of a payment via a
custom TLV record.

## Copyright

This bLIP is licensed under the CC0 license.

## Specification

Sender:

* MUST include a TLV record keyed by type `83231` with the following value:

* [`33*byte`:`sender_pubkey`]
* [`8*byte`:`timestamp`]
* [`var length`:`signature`]

`sender_pubkey` is the public key of the sender. Note that `sender_pubkey` doesn't
need to be the sender's node public key. It can also be a more general
identity.

`timestamp` is the payment initiation time in nano seconds since unix epoch
(big endian encoded).

`signature` is a DER-encoded ECDSA signature calculated using `sender_pubkey`
over a message that is a concatenation of the following fields:

* `timestamp` (8 bytes)
* `recipient_pubkey` (33 bytes)
* `payment_hash` (32 bytes)
* `payment_secret` (32 bytes)
* `amount_msat` (8 bytes, big endian)

For multi-part payments, `amount_msat` is the total amount of the set. The
value of the TLV record MUST be identical for all parts.

Receiver:

* MUST verify that `signature` is valid and produced using `sender_pubkey`.

* SHOULD verify that `timestamp` is not unreasonably long ago. Suggested cut-off is
one hour.

* If verification fails, SHOULD error with
`PERM|15 incorrect_or_unknown_payment_details`.

## Motivation

Example use cases:

* A donation payment where the donor wants to make themselves known.

* Regulated custodial wallets that can offer higher receive limits for payments
originating from specific sources.

* Lightning deposits to an exchange where the exchange automatically credits the
correct account based on the sender identity.

There are many ways to authenticate the sender of a payment in Lightning. This
documentation is an attempt to prevent the emergence of too many variants that
all do more or less the same thing.

## Rationale

* The TLV record key is an odd number, meaning that the record is ignored by
receivers that do not support sender authentication. No feature bit is needed.

* It is possible to recover the public key from an ECDSA signature, so strictly
speaking `sender_pubkey` is redundant. Note that with Schnorr signatures, recovery is no
longer possible.

* It is undesired that a signature can be reused in any way. Therefore all of
the identifying payment properties are covered by the signature.

## Test vectors

TBD

0 comments on commit 9c4d8f8

Please sign in to comment.