Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BLIP 0014: add sender authentication #14

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions blip-0002.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ The following table contains extension tlv fields for the `payment_onion_payload

| Type | Name | Link |
|-------------|-----------------------------|--------------------------------|
| 83231 | `sender_auth` | [bLIP 14](./blip-0014.md) |
| 7629169 | `podcasting_2_0` | [bLIP 10](./blip-0010.md) |


Expand Down
92 changes: 92 additions & 0 deletions blip-0014.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
```
bLIP: 14
Title: Sender authentication
Status: Draft
Author: Joost Jager <[email protected]>
Created: 2022-02-04
License: CC0
```

## Abstract

By default, the lightning protocol protects the sender identity by means of
ephemeral keys and onion routing. There are however use cases that ask for
inclusion of the sender identity with a payment.

This bLIP serves to document a way to authenticate the sender of a payment via a
custom TLV record.

## Copyright

This bLIP is licensed under the CC0 license.

## Specification

Sender:

* MUST include a TLV record keyed by type `83231` with the following value:

* [`33*byte`:`sender_pubkey`]
* [`8*byte`:`timestamp`]
* [`var length`:`signature`]

`sender_pubkey` is the public key of the sender. Note that `sender_pubkey` doesn't
need to be the sender's node public key. It can also be a more general
identity.

`timestamp` is the payment initiation time in nano seconds since unix epoch
(big endian encoded).

`signature` is a DER-encoded ECDSA signature calculated using `sender_pubkey`
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe go for Schnorr right from the start so that we can use musig?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The downside is that it is not so easy to do simple signing with the ECDSA node key anymore.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it depends a lot on the specific use-cases here. Its still somewhat unclear to me what the intended use-case is here.

over a message that is a concatenation of the following fields:

* `timestamp` (8 bytes)
* `recipient_pubkey` (33 bytes)
* `payment_hash` (32 bytes)
* `payment_secret` (32 bytes)
* `amount_msat` (8 bytes, big endian)

For multi-part payments, `amount_msat` is the total amount of the set. The
value of the TLV record MUST be identical for all parts.

Receiver:

* MUST verify that `signature` is valid and produced using `sender_pubkey`.

* SHOULD verify that `timestamp` is not unreasonably long ago. Suggested cut-off is
one hour.

* If verification fails, SHOULD error with
`PERM|15 incorrect_or_unknown_payment_details`.

## Motivation

Example use cases:

* A donation payment where the donor wants to make themselves known.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is a signature the best way to do this? Vs, eg, just shoving a name in the TLV? I guess its a question of what you're trying to make known - trying to prove that a given public key sent the funds seems like a somewhat strange use-case, but, sure.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes agreed. I am brainstorming a bit here to see what use cases make sense.

Copy link
Contributor

@hsjoberg hsjoberg Feb 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI I currently have a proprietary TLV that is just sending a simple non-authenticated name to the receiver, which I intend to make a BLIP of.

https://github.com/hsjoberg/blixt-wallet/blob/c79cc4b9e3532400cfd648047f132eb35f10fdf4/src/utils/constants.ts#L5
https://github.com/hsjoberg/blixt-wallet/blob/c79cc4b9e3532400cfd648047f132eb35f10fdf4/src/lndmobile/index.ts#L181

It could make sense to expand this BLIP to cover various use-cases (akin to how LNURL's LUD-18 payerid works)


* Regulated custodial wallets that can offer higher receive limits for payments
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean I guess we'd all be incredibly depressed to see anyone actually deploy this proposal for something like this. Shouldn't we instead push people to use invoices for this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regulated custodial wallets may not be allowed to accept unlimited deposits from unknown sources. An invoice doesn't help with additional information on the origin of the payment?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't prove origin, either, this is a signature from a public key. That could totally come from a third party node as much as they could come from the sender.

Copy link
Author

@joostjager joostjager Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also true. It doesn't prove the origin, but if you know that the owner of a particular key uses it exclusively to sign their own outgoing payments it does help with this use case?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's say you use a custodial wallet that allows a max of 500 euro/day in lightning deposits and you want to receive your 1000 euro monthly-paid salary via lightning.

Adding your employer's public key to the custodial wallet's allow list raises the limit and allows you to receive that payment.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although the question here is again how this can be done spontaneously and whether https://github.com/fiatjaf/lnurl-rfc/blob/luds/18.md would be a better choice.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding your employer's public key to the custodial wallet's allow list raises the limit and allows you to receive that payment.

Right, but you'd also need your employer to configure their node to send this kind of signature to the counterparty when sending a keysend payment, which hopefully will never be an automatic thing. If you want to steelman this use-case I think it'd be the kind of travel-rule nonsense folks deal with today (though that's currently only withdraws, not deposits), where a regulated institution needs legal assurance the recipient of a payment is not a regulated financial institution (or if it is, which one).

In that context, you could argue that regulated institutions could use this to prove to recipients that they are the ones who sent it, though that sadly doesn't fulfill the travel rule obligations, but it could help.

originating from specific sources.

* Lightning deposits to an exchange where the exchange automatically credits the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't this be simpler by just exposing an invoice?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would also work with keysend/AMP.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that doesn't mean we should encourage people to use keysend+sender auth over an invoice, especially for exchange deposits, where proof-of-payment is really important :).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I appreciate that you take the effort to kill my use cases :)

correct account based on the sender identity.

There are many ways to authenticate the sender of a payment in Lightning. This
documentation is an attempt to prevent the emergence of too many variants that
all do more or less the same thing.

## Rationale

* The TLV record key is an odd number, meaning that the record is ignored by
receivers that do not support sender authentication. No feature bit is needed.

* It is possible to recover the public key from an ECDSA signature, so strictly
speaking `sender_pubkey` is redundant. Note that with Schnorr signatures, recovery is no
longer possible.

* It is undesired that a signature can be reused in any way. Therefore all of
the identifying payment properties are covered by the signature.

## Test vectors

TBD