[Lightning-dev] [RFC] Lightning payment format

Rusty Russell rusty at rustcorp.com.au
Mon May 29 10:48:51 UTC 2017 

Olaoluwa Osuntokun <laolu32 at gmail.com> writes:
> Rusty wrote:
>> Yes, I thought about this too, but I'm reluctant to assign those onion
>> bytes as they're a limited resource.  Easy to add later, though.
>
> If y'all recall, the initial version of the Sphinx derived onion format
> included an end-to-end payload. In the first revision, removed this
> payload as at the time it was very large (1KB iirc), an at the time, we
> didn't see nay clear use case for such a payload (and also due to MTU
> constraints?). In my opinion, we should re-introduce this payload so we
> aren't put into a corner where we need to shave bytes off of the per-hop
> payload in order to accommodate application level schemes/apps.

Unfortunately people want this for mid-points, too, to do weird crazy
shit.  But it's trivial for us to extend to a "multi-cell" format in
future, so I'm tempted by the default of "no change"?

> Fabrice wrote:
>> Payment requests should also include a timestamp and an expiry date (they
>> could be optional tagged items but I think it makes more sense to make
>> them mandatory)
>
> Agreed that that would make for a really useful tag. I had a user which
> was making a store on lnd request such a feature as his use-case depended
> on users only having a particular time window to make the payment. This
> could of course be enforced server side, but allow senders to enforce it
> at the origin of the payment saves them from extending an HTLC all
> together.

Agreed.  Latest version has a UTC timestamp, and expiry time (defaults
to 1 hour if not specified).  As you say, must be server-enforced too,
but it's nice to make it clear to the user (and it's signed in case of
dispute).

> Rusty wrote:
>> Note: we will lose this ability when we switch to Schnorr, apparently.
>
> AFAIK, this isn't the case. With Schnorr signatures (that include the
> entire point, instead of the hash), we actually won't need to include a
> recovery ID at all.

Quoting a private conversation with Pieter Wuille, when I asked him
about it:

        You can't.

        At least, if you follow modern practices (which make the signature hash
        commit to the public key), you can't do pubkey recovery.

        It *is* possible (and safe, I think) to commit to the pubkeyhash
        rather than the pubkey directly, in which case you can verify a
        (signature, pubkeyhash, msg) triplet.

        I think you can use a 128-bit pubkey hash, actually.

> Rusty wrote:
>> OK, if people like this change, I think we can move start turning this
>> into BOLT 10?
>
> Let's do it (BOLT 11)! As were all getting pretty close to the stage of
> cross-implementation interoperability tests, having a shared payment
> request format will be super useful.

OK, I'll start typing...

Thanks!
Rusty.

More information about the Lightning-dev mailing list