RFC for PoC of bolt12 contacts formally known as a BLIP 42

[vincenzopalazzo]

With this PR I am proposing the first implementation for the BLIP 42 implementation that allow to send a "contact" with a contact secret for verification when making an invoice request during a pay_for_offer.

The current implementation is injecting the BLIP 42 information by default and there is no way to op out to this feature (and IMHO would be could to have a way to disable it).

In addition this RFC it is just a way to collect the first comments on API and design choice that I made and to collect feedback on how I manage stuff on the ldk internal stuff, probably there is some more simple way of doing the same thing.

However, this PR has already two problem:

• What is the offer that we are considering good to be a "long living" offer that can be store as a contact? We have also the onion size limitation (where currently it is failing the test)
• Supporting the BIP 353
• Add tests vectory for invreq_payer_bip_353_signature

[ldk-reviews-bot]

👋 I see @jkczyz was un-assigned.
If you'd like another reviewer assignment, please click here.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[vincenzopalazzo]

@TheBlueMatt the status of this PR is kind doing everything that the specs specifieds, but I am taking some opinionate decision like on the offer to inject inside the invoice_request (that I am calling in my mental model payer_offer). At the moment there are two big question that are:

1. What kind of offer we should inject inside the invoice_request that preserve the user privacy and is under the the onion size limit? Phoenix does an offer with single blinded path with no node_id
2. We should allow the user to inject the offer tha rust-lightning need to use under the a UserConfig or a parameter of the pay_for_offer to allow to build mobile wallet that works with different LSPs? and probably we should make this kind of offer creation easy?

[TheBlueMatt]

A handful of high-level comments. Apologies if there's something I missed cause I don't recall exactly how all the bLIP 42 stuff was supposed to work.

[TheBlueMatt]

This needs to be substantially more filled-out, including information about intended UX and UI integration logic, how/when to derive secrets, etc.

[TheBlueMatt]

nit: verify methods should never return a bool, they should Result<(), ()>.

[TheBlueMatt]

Should this be a single Option? I'm a bit unclear on what UX would result in there being more than one.

[vincenzopalazzo]

We should have an additional one for when the country party will not remember us, but use somehow the same offer, so we will use this vector to store additional secrets that the other side sends to us. IIRC this should be the logic

[TheBlueMatt]

I'm a bit unclear on this usecase here - using our_private_key (I guess it implies the node_id?) means that it won't match what we put in offers (we should never be reusing the node_id as an offer identity, IMO), but in general we should be using a fresh identity for every issued offer, so its not clear to me how often this will work. Also, we don't currently use it, just expose it as a freestanding function. If we want to support this derivation IMO we should integrate it somehow into the API.

[TheBlueMatt]

This doesn't tell me, a wallet developer, what to do here - am I supposed to have some kind of UI that says "attribute this payment to an outbound payment" (hopefully not no one is gonna build that)? Or is there some way of automatically detecting that (maybe based on validated 353?), in which case we should automate that somehow, presumably?

[TheBlueMatt]

There's a lot of stuff here that could really use examples discussing how to use it in an overall flow but also actual sample code. From reading this API its really not clear to me when/how I'd use this - the type doesn't exist outside of a freestanding struct.

[vincenzopalazzo]

I think UnverifiedContactAddress is overkill now that I am rereading the code and probably I should remove it, I did this implementation when I was doing some kind of overdesign here! sorry about that!

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[codecov]

Codecov Report

❌ Patch coverage is 69.65812% with 71 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.38%. Comparing base (b8118e3) to head (e409d39).

Files with missing lines	Patch %	Lines
lightning/src/offers/contacts.rs	75.36%	33 Missing and 1 partial ⚠️
lightning/src/ln/channelmanager.rs	30.43%	14 Missing and 2 partials ⚠️
lightning/src/offers/flow.rs	0.00%	11 Missing ⚠️
lightning/src/offers/invoice_request.rs	77.77%	6 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4210      +/-   ##
==========================================
- Coverage   86.40%   86.38%   -0.03%     
==========================================
  Files         158      159       +1     
  Lines      109293   109522     +229     
  Branches   109293   109522     +229     
==========================================
+ Hits        94439    94607     +168     
- Misses      12309    12361      +52     
- Partials     2545     2554       +9     

Flag	Coverage Δ
fuzzing-fake-hashes	5.07% <2.40%> (-0.01%)	⬇️
fuzzing-real-hashes	22.75% <0.00%> (-0.03%)	⬇️
tests	86.11% <69.65%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

Bug: ECDH computation is not symmetric when using blinded paths

The function extracts blinded_node_id from the last hop of the other party's blinded path (line 167). However, blinded_node_id is NOT the peer's actual public key — it's actual_pubkey * blinding_factor, where the blinding factor is derived from a random session key during blinded path construction.

This means the ECDH won't produce matching results for two parties who each have blinded-path-only offers:

• Alice computes: alice_privkey * (bob_pubkey * bob_blinding) = alice_privkey * bob_privkey * bob_blinding * G
• Bob computes: bob_privkey * (alice_pubkey * alice_blinding) = alice_privkey * bob_privkey * alice_blinding * G

These are equal only if bob_blinding == alice_blinding, which is not the case since each party uses a random session key.

The same issue exists when issuer_signing_pubkey() is present: LDK's OfferBuilder::deriving_signing_pubkey produces a derived key (from expanded_key + nonce), not the node's actual public key. So our_private_key (the "node identity" key per the docstring) won't ECDH-match with the derived signing pubkey either.

The test vectors pass because the hard-coded private keys happen to correspond to the public keys in the pre-built offer strings (i.e., they are the blinded/derived private keys, not raw node keys). But real callers passing their node identity key would get non-matching secrets.

To fix this, either:

1. The function should accept the private key corresponding to the caller's offer's exposed public key (and the docstring should reflect this), with an API to extract that key, or
2. The function should take both offers and compute the secret differently (e.g., using a hash of both offer bytes as input, rather than ECDH).

[ldk-claude-review-bot]

Performance: Secp256k1::verification_only() is expensive to construct

Secp256k1::verification_only() allocates and precomputes EC tables every time it's called. This function should accept a &Secp256k1<T> parameter instead of creating a new context per invocation, consistent with how the rest of LDK passes secp contexts around.

[ldk-claude-review-bot]

Silent data loss on deserialization round-trip

If payer_offer_bytes contains valid TLV data that fails Offer::try_from() parsing (e.g., due to unknown required fields, or a newer offer format), the payer_offer is silently set to None. On re-serialization, this data is lost.

This means a write -> read -> write cycle can drop the payer_offer field. If this is persisted (e.g., in PaymentContext::Bolt12Offer), stored data can silently degrade.

Consider either propagating the parse error (returning DecodeError), or storing the raw bytes alongside the parsed Offer so that re-serialization preserves unknown data.

[ldk-claude-review-bot]

Re-parses offer bytes on every call

payer_offer() calls Offer::try_from(bytes.clone()) on every invocation, allocating and parsing each time. Consider caching the parsed Offer in the struct, or lazily parsing once and storing the result.

[ldk-claude-review-bot]

Misleading docstring: This says "allowing the recipient to identify which offer the payer is responding to", but the payer_offer is the payer's own offer that the recipient can use to contact the payer back. It is not related to identifying which offer the payer is responding to (that's already implicit in the invoice request itself). The OptionalOfferPaymentParams::payer_offer docstring in channelmanager.rs gets this right.

[ldk-claude-review-bot]

Review Summary

New Issues Found

Inline comments posted:

• lightning/src/offers/contacts.rs:138-141 — Non-constant-time comparison in ContactSecrets::matches() for secret authentication material
• lightning/src/offers/contacts.rs:180-183 — Uses mul_tweak instead of the proper ECDH API (SharedSecret::new), which would also eliminate the per-call Secp256k1::verification_only() context allocation
• lightning/src/ln/channelmanager.rs:797-804 — No size validation on payer_offer, which gets serialized into blinded payment path payloads with a ~1300-byte onion budget

Previously Reported Issues (Still Unaddressed)

These were flagged in the prior review and remain applicable:

• contacts.rs:164-183 — ECDH computation is not symmetric with blinded paths / derived keys. The function extracts blinded_node_id (which includes a blinding factor) or a derived issuer_signing_pubkey, neither of which corresponds to the counterparty's actual node key. The test vectors pass because the hard-coded private keys happen to correspond to the public keys in the pre-built offers. Real callers passing their node identity key would get non-matching secrets.
• invoice_request.rs:1626-1627 — Silent data loss on payer_offer deserialization round-trip. Offer::try_from(bytes).ok() silently drops the field if parsing fails, meaning a write→read→write cycle can lose data persisted in PaymentContext::Bolt12Offer.
• invoice_request.rs:1224-1229 — payer_offer() accessor re-parses offer bytes on every call via Offer::try_from(bytes.clone()).
• invoice_request.rs:270-274 — Misleading docstring on payer_offer builder method says "identify which offer the payer is responding to" but the payer_offer is the payer's own offer for the recipient to contact back.
• No integration tests exercise the BLIP-42 fields through the full pay_for_offer flow.

Resolved from Prior Review

• Even TLV type numbers in InvoiceRequestFields — Fixed. Now uses odd types 7 and 9 (commit 666d450a2).

[ldk-claude-review-bot]

Security (Low): Non-constant-time comparison for cryptographic secrets

ContactSecrets::matches() uses the derived PartialEq for ContactSecret, which performs a byte-by-byte comparison that short-circuits on the first mismatch. For a value used to authenticate payment senders, a constant-time comparison (e.g., using a constant-time equality function) would be more appropriate.

Practical exploitability is very low (the timing difference is nanoseconds, masked by network latency and payment processing overhead), but constant-time comparison is a best practice for any secret material used in authentication.

Suggested change

	/// Checks if the given secret matches either the primary secret or any additional remote secret.
	pub fn matches(&self, secret: &ContactSecret) -> bool {
	&self.primary_secret == secret || self.additional_remote_secrets.contains(secret)
	}
	/// Checks if the given secret matches either the primary secret or any additional remote secret.
	pub fn matches(&self, secret: &ContactSecret) -> bool {
	// Use constant-time comparison to prevent timing side-channels on secret material.
	let primary_match = bitcoin::hashes::cmp::fixed_time_eq(
	self.primary_secret.as_bytes(),
	secret.as_bytes(),
	);
	let additional_match = self.additional_remote_secrets.iter().any(|s| {
	bitcoin::hashes::cmp::fixed_time_eq(s.as_bytes(), secret.as_bytes())
	});
	primary_match || additional_match
	}

Note: check that bitcoin::hashes::cmp::fixed_time_eq or an equivalent constant-time function is available. If not, a simple constant-time comparison loop (xor all bytes, check result) would suffice.

[ldk-claude-review-bot]

Bug: mul_tweak is NOT the standard ECDH operation

PublicKey::mul_tweak computes point * scalar but its contract is as a "tweak" — it was designed for key derivation, not ECDH. While mathematically it performs EC point multiplication (and the result here IS the ECDH shared point), the standard way to do ECDH in secp256k1 is via secp256k1::ecdh::shared_secret_point or SharedSecret::new. Using the proper ECDH API:

1. Makes the intent clearer
2. Uses a purpose-built code path that's been audited for side-channel resistance
3. Avoids relying on internal behavior of the tweak API

Consider:

use bitcoin::secp256k1::ecdh::SharedSecret;
let shared = SharedSecret::new(&offer_node_id, our_private_key);

This also eliminates the need for the Secp256k1::verification_only() context entirely (the SharedSecret::new API doesn't require one).

[ldk-claude-review-bot]

Design concern: No size validation on payer_offer

The Offer passed here gets serialized into both:

1. The invoice request's experimental TLV (the onion message carrying the invreq)
2. InvoiceRequestFields → Bolt12OfferContext → the final hop's encrypted payload in every blinded payment path of the resulting invoice

For (2), the HTLC onion packet has a ~1300-byte total payload budget across all hops. Adding 70-200+ bytes for a compact offer (plus TLV overhead) to the final hop's encrypted data reduces the available space for intermediate hops, limiting route length.

Consider adding a size check (e.g., offer.as_ref().len() <= MAX_PAYER_OFFER_SIZE) and returning an error if the offer is too large, or at least documenting the size constraint so callers know they must use a compact offer.