Skip to content

Add per-contact deterministic payer keys#690

Closed
t-bast wants to merge 2 commits intomasterfrom
contact-payer-keys
Closed

Add per-contact deterministic payer keys#690
t-bast wants to merge 2 commits intomasterfrom
contact-payer-keys

Conversation

@t-bast
Copy link
Member

@t-bast t-bast commented Jul 19, 2024
edited
Loading

When paying people we added as trusted contacts, we may want to use a deterministic payer_key which lets them know the payment came from us. If they have added us to their own contact list, they will be able to match the payment and know it came from us.

This is of course optional: whenever we don't want to reveal that we are the source of a payment, we keep using a random payer_key.

This is specified in bLIP 42. Note that this is a draft, as we're waiting for discussions on https://delvingbitcoin.org/t/bolt-12-trusted-contacts/1046 to decide what the final protocol should be.

@t-bast t-bast requested review from dpad85, pm47 and thomash-acinq July 19, 2024 14:48
@t-bast
Add per-contact deterministic payer keys
fa5ec01 
When paying people we added as trusted contacts, we may want to use a
deterministic payer_key which lets them know the payment came from us.
If they have added us to their own contact list, they will be able to
match the payment and know it came from us.

This is of course optional: whenever we don't want to reveal that we
are the source of a payment, we keep using a random payer_key.
@t-bast t-bast force-pushed the contact-payer-keys branch from 7c0d2e8 to fa5ec01 Compare July 19, 2024 14:55
thomash-acinq
thomash-acinq reviewed Jul 19, 2024
View reviewed changes
Copy link
Contributor

@thomash-acinq thomash-acinq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the motivation for this?
I fail to see the benefit compared to using the key associated with the default offer without tweaking.

@t-bast
Copy link
Member Author

t-bast commented Jul 19, 2024

I fail to see the benefit compared to using the key associated with the default offer without tweaking.

This is following standard cryptography best practices. It is recommended to use separate keys as much as possible when providing cryptographic signatures, because signing arbitrary messages with the same key can be exploited to leak bits of the private key. This is usually theoretical, but if we can avoid it entirely, it's better to be safe.

Directly using the key associated with the default offer means we would use it in different contexts:

  • to sign invoices for payments we receive
  • to sign invoice requests for payment we send

Cryptographers recommend always erring on the side of caution and try to separate keys used for different operations. By the same reasoning, it's safer to use distinct keys for each contact (and it isn't much harder to do). It also has the nice benefit that Carol cannot correlate the payer_key you use with them with the one you use with Bob (unless all offers are also revealed).

@t-bast t-bast marked this pull request as draft August 7, 2024 10:11
@t-bast
Copy link
Member Author

t-bast commented Oct 17, 2024

Replaced by #719

@t-bast t-bast closed this Oct 17, 2024
@t-bast t-bast deleted the contact-payer-keys branch October 17, 2024 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pm47 pm47 Awaiting requested review from pm47

@dpad85 dpad85 Awaiting requested review from dpad85

1 more reviewer

@thomash-acinq thomash-acinq thomash-acinq approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@t-bast @thomash-acinq