
LSAT – stateless proof of payment through specific form of preimage

I am aware an LSAT consists of a macaroon and a preimage. The preimage is part of the HTLC construction used to route payments in Lightning. It is generated by the receiver and eventually known by all participants on the path (if all goes well). And the point of a macaroon is that anybody having one can add caveats without asking for permission and give out a more restricted version.

The macaroon itself is quite stateless as far as I get it (it can encode everything a client is able to do from the server's perspective). But the preimage doesn't seem so. How does that usually work then: do you keep some cache of paid invoices, or do you need to ask LND? Can you even query based on the preimage to determine whether a specific LSAT is valid or not?

My idea is to use a deterministic preimage so a web server could instantly know whether a token is valid.

It would be of the form

timestamp, HMAC(timestamp, secret)

where secret is the same thing used to verify macaroons. So the web server and LND would share this, but wouldn't need any further communication after the initial invoice generation.

Or actually, since somebody could just take a preimage and attach it to some other LSAT, you could do:

timestamp, HMAC(H(timestamp + serialized macaroon w/o additional caveats), secret)

The obvious drawback is that you lose some bytes of entropy for the preimage, but that should be just a few bytes. To somebody just looking at the payment hash it looks indistinguishable. And if the secret is compromised you can forge invalid macaroons anyway. Is there any other problem with such a scheme? Or is there some easier solution?
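As an added illustration of the scheme proposed in the question (this is example code, not from the post, from LND or from any LSAT library), the block below derives a 32-byte preimage as timestamp || HMAC(H(timestamp || binding), secret), truncated to fit, and then verifies a presented macaroon/preimage pair without any lookup of settled invoices. It assumes a shared 32-byte secret, a toy Macaroon stand-in with a token_id, a payment_hash and appendable caveats (not a real macaroon library), and that only the preimage-independent part of the macaroon (token_id) is bound into the HMAC, because the macaroon's payment_hash is itself SHA256 of the preimage being derived. The secret and token ids are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed example secret. In the scheme discussed above it is the key the
# web server and LND both hold; a real deployment loads it from a secret store.
SECRET = hashlib.sha256(b"example-shared-secret").digest()

# Preimage layout: 8-byte big-endian unix timestamp, then a 24-byte truncated
# HMAC tag. The 24 tag bytes are what remains of the preimage's entropy once
# the timestamp part is predictable.
TS_LEN = 8
TAG_LEN = 32 - TS_LEN


@dataclass(frozen=True)
class Macaroon:
    """Minimal stand-in for an LSAT macaroon (assumption: not a real macaroon
    library). token_id and payment_hash model the identifier the issuer bakes
    in; caveats are the restrictions any holder may append later."""
    token_id: bytes
    payment_hash: bytes
    caveats: tuple = ()

    def with_caveat(self, caveat: str) -> "Macaroon":
        # Anyone holding the macaroon can attenuate it; the preimage binding
        # must therefore not depend on the caveat list.
        return Macaroon(self.token_id, self.payment_hash, self.caveats + (caveat,))


def make_preimage(secret: bytes, token_id: bytes, timestamp: int) -> bytes:
    """timestamp || HMAC(H(timestamp || token_id), secret), 32 bytes total.

    Only token_id is bound, not the whole serialized macaroon: the macaroon
    also carries payment_hash = SHA256(preimage), which does not exist yet
    while the preimage is being derived.
    """
    ts = struct.pack(">Q", timestamp)
    inner = hashlib.sha256(ts + token_id).digest()
    tag = hmac.new(secret, inner, hashlib.sha256).digest()[:TAG_LEN]
    return ts + tag


def issue(secret: bytes, timestamp: int, token_id: Optional[bytes] = None):
    """Issuer side: mint the macaroon and the preimage LND will settle with.
    Returns (macaroon, preimage); SHA256(preimage) is the invoice's payment hash."""
    token_id = token_id if token_id is not None else os.urandom(32)
    preimage = make_preimage(secret, token_id, timestamp)
    payment_hash = hashlib.sha256(preimage).digest()
    return Macaroon(token_id, payment_hash), preimage


def verify(secret: bytes, mac: Macaroon, preimage: bytes, now: int,
           max_age: Optional[int] = None) -> bool:
    """Web-server side: stateless check that the preimage is the one derived
    for this macaroon. Nothing is looked up; the preimage is recomputed."""
    if len(preimage) != 32:
        return False
    timestamp = struct.unpack(">Q", preimage[:TS_LEN])[0]
    expected = make_preimage(secret, mac.token_id, timestamp)
    # Constant-time comparison: the tag is effectively a MAC over the token id,
    # so a preimage transplanted from another LSAT fails here.
    if not hmac.compare_digest(expected, preimage):
        return False
    # The macaroon must be the one whose invoice hashes to this preimage.
    if not hmac.compare_digest(hashlib.sha256(preimage).digest(), mac.payment_hash):
        return False
    # Optional freshness window; longer-lived expiry belongs in a macaroon caveat.
    if max_age is not None and not (timestamp <= now <= timestamp + max_age):
        return False
    return True
```

Two properties worth checking on a scheme like this are visible in verify: a preimage taken from one LSAT and attached to another is rejected both by the recomputed tag (bound to token_id) and by the payment-hash check, and appending caveats to the macaroon does not disturb verification, since caveats are deliberately excluded from the bound bytes.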
