Exploring Payment Proofs for invoice flow

tromp · October 1, 2020, 12:57pm

The payment proofs RFC at

mimblewimble/grin-rfcs/blob/22d3835de1ec816de765c29ea4c3b5559d86a1b6/text/0000-payment-proofs.md

- Title: payment-proofs
- Authors: [David Burkett](mailto:davidburkett38@gmail.com)
- Start date: Nov 5, 2019
- RFC PR: Edit if merged: [mimblewimble/grin-rfcs#0000](https://github.com/mimblewimble/grin-rfcs/pull/0000) 
- Tracking issue: [Edit if merged with link to tracking github issue]
---

# Summary
[summary]: #summary

Support generating and validating payment proofs for sender-initiated (i.e. non-invoice) transactions. 

# Motivation
[motivation]: #motivation

Bitcoin and other cryptocurrencies with transparent protocol-level addressing and immutable, unprunable blockchains can prove sender, receiver, and amounts of payments simply by pointing to the transaction in the blockchain.
Grin's privacy and scalability means users no longer have this ability. This prevents some merchants from accepting Grin due to the high possibility of payment disputes that are unresolvable in the same way they are for transparent coins.

This RFC changes the transaction building process where payers can require payees to create a "proof" they've received a payment before the payer finalizes and broadcasts the transaction.

This file has been truncated. show original

states payment proofs for invoices as an Unresolved question.
In the invoice transaction building flow we have

receiver sends her public nonce and excess
sender sends back his public nonce and excess, and other stuff including a partial kernel signature
receiver computes their partial kernel signature and finalizes

The payment proof is a signed statement that the receiver accepts the on-chain confirmation of a specific kernel as proof of payment of a specific amount by a specific sender.

The receiver doesn’t know the kernel yet in step 1, as the kernel excess depends on the sender excess sent in step 2. So for the sender to withhold payment until they have a payment proof would require two extra rounds, if we want the receiver to finalize (for which there are good reasons):

receiver sends her public nonce and excess
sender sends back his public nonce and excess
receiver sends payment proof
sender sends other stuff including a a partial kernel signature
receiver computes their partial kernel signature and finalizes

This is obviously undesirable. So the question is if we can come up with a payment proof that can be sent in round 1, depending only on the receiver nonce R_r and excess X_r.

Recall that in step 3, the receiver produces a partial signature (s_r, R_r) that satisfies

s_r * G = R_r + e * X_r

where e is the hash challenge H((R | X | …) .

What if the receiver accepts, as proof of payment of a specific amount by a specific sender, any pair (s_r, i) where i is the index of an on-chain kernel whose hash challenge e satisfies the above equation?

No one should be able to present this information unless the receiver made her partial signature, and the resulting transaction hit the chain.

david · October 1, 2020, 1:16pm

Don’t we already have a potential solution here: https://github.com/DavidBurkett/grin-rfcs/blob/eliminate_finalize/text/0000-eliminate-finalize.md#building-the-proof

At a technical level, the RFC is roughly just a switch to invoices with the addition of payment proofs and some UX tweaks to reduce the number of steps (this is a loaded word, so don’t read too much into it).

As far as I know, the scheme (developed by kurt, which I simplified when including in the RFC) hasn’t been shown to be insecure. The only thing that was found to be insecure was the separate idea, discussed in the comments, which involved modifying the actual signature scheme.

tromp · October 1, 2020, 1:50pm

It’s quite similar to your proposal, but much closer to the existing payment proofs, as the payment info is signed by the ed25519 key.

I find yours harder to reason about, since it puts the payment info into a proof_nonce that gets added to the existing sender and receiver nonce.

For instance, when you say

Show that sender.public_nonce + receiver.public_nonce + (proof_nonce * G) = total_nonce * G (ie. the k*G in the kernel signature)
Provide the preimage to proof_nonce ( sender.public_nonce | receiver.address | tx.amount )

it appears that the pair of sender.nonce and proof_nonce is malleable until one notices the proof_nonce depending on the sender nonce.

Kurt · October 1, 2020, 2:14pm

I don’t care anymore about > 2-step txs, and i would hope leaders of the coin and technical people here do too (some like David, made a lot of efforts for this, including the great idea for 2 steps). It is just the expression of striving for the better for the user, rather than accepting a text-book and useless status quo.

oryhp · October 4, 2020, 6:57pm

I think the main idea behind the payment proofs described in this document could be used. The idea is that Kr has a structure such that it commits to a few things, including the amount and the receiver_pub_key.

gist.github.com

https://gist.github.com/pkariz/9da5c3decffba0661a11f49c645b966e

tx-building-alternative.md

# Transaction building alternative

## Schnorr notations

`s = k + e*r`, where:
  - `k` is a secret nonce
  - `e` is a schnorr challenge
  - `r` is the private key

For multisig:

This file has been truncated. show original

vegycslol · October 4, 2020, 10:26pm

I like the simplicity of your invoice solution, seems pretty easy to reason about:

only the sender can know sr since only he knows ss
only the sender can know Rr since only he knows Rs
only the sender can know Xr since only he knows Xs

Ofc the receiver also knows the above stuff.

My solution is a bit more complicated and therefore harder to reason about. It has a nice property though in that both the receiver and the sender can prove it in the same way + the payment proof when the other party finalizes the transaction is symmetric. I haven’t thought much about your solution but it feels like yours is also symmetric (or even better, the same), so when the sender finalizes it he can provide (sr, i) + signed message. Is that correct? I know we have payment proofs for that flow but am just wondering if that holds.

Another question: why do you use i and not R or K to reference the kernel?

tromp · October 5, 2020, 8:35am

When sender initiates, then the receiver can send the exact same payment proof (that they send in round 1 of invoice flow) in round 2 instead. That is, an ed25519 signature on payment info, receiver public nonce and excess, to be witnessed by a pair (sr,i).

Because specifying K takes more bytes and the first thing a verifier would do is lookup K in the kernel MMR to find its index and check that it has sufficient confirmations. So we might as well provide the index directly.

Topic		Replies	Views
Bidirectional payment proofs Research	7	491	August 17, 2021
Another Take on Non Interactive Transactions Development and Technical Discussion	21	1478	December 23, 2018
Integrated Payment Proofs and Round Minimization Development and Technical Discussion	17	1811	September 12, 2020
Eliminating finalize step Development and Technical Discussion	102	5846	July 3, 2021
Mimblewimble Non-Interactive Transactions Development and Technical Discussion	10	1695	February 18, 2018

Exploring Payment Proofs for invoice flow

Related Topics