Skip to content

Changed/Added: Bolt12 deterministic path key for offer paths' node IDs recovery #8853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
21M4TW wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Changed/Added: Bolt12 deterministic path key for offer paths' node IDs recovery #8853

21M4TW wants to merge 2 commits into from
+936 −657

Conversation

@21M4TW
Copy link
Contributor

@21M4TW 21M4TW commented Jan 19, 2026

This PR is an extension to #8238. In addition to signing invoices that don't have an offer_issuer_id using the key from the last used blinded_path node, this new PR generates the private path key deterministically (see derive_first_path_privkey from common/blindedpath.c) in such situation and it is then used to recover the offer paths' node IDs (unblind_paths from common/blindedpath.c). It also derives the path_pubkey that is then used to tweak the private key to sign the invoice. In contrast, in #8238, path_pubkey was derived using information from the onion message, but the offer paths' node IDs could not be recovered, as the path_privkey information was lost after the offer was generated.

So in addition to generating offers without an issuer_id and signing related invoices using the proper key, this PR recovers the offer paths' node IDs, which will enable the generation of invoices with matching paths (addressing #8041) in a future PR.

In this PR, the first path private key for a given path is generated using
e_0 = HMAC256(\text{"first_path_privkey"}, SHA256(path_id || N_0 || path_index))

where path_id is the secret stored in the offer's encrypted_data_tlv and that is only known by the payee, and where N_0 and path_index are the first_node_id and the 64-bit index of the path, respectively.

Checklist

Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:

  • The changelog has been updated in the relevant commit(s) according to the guidelines.
  • Tests have been added or modified to reflect the changes.
  • Documentation has been reviewed and updated as needed.
  • Related issues have been listed and linked, including any that this PR closes.
  • Important All PRs must consider how to reverse any persistent changes for tools/lightning-downgrade

@21M4TW
Changelog-Changed
729f192 
offers: offers that include offer_paths now omit offer_issuer_id and
sign with the blinded path alias' key by default. An optional force_issuer_id
field is also added to the offer command so the offer_issuer_id is
included even when not required to reach the issuer due to the existence
of offer_paths.
@21M4TW
Changelog-Changed: offer_paths' e_0 derived deterministically fro…
2e09992 
…m the offer's `path_id`, `N_0` and the path's index so the offer's paths can be recovered when an invoice is fetched. Offer paths' node IDs and the used path index stored in struct invreq.
@21M4TW 21M4TW requested a review from cdecker as a code owner January 19, 2026 15:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cdecker cdecker Awaiting requested review from cdecker cdecker is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@21M4TW