Payment Hash 支付哈希

Payment Hash Generation

Receiver (Bob):
1. Generate random 32-byte preimage
   preimage = random_bytes(32)
   Example: 0x1234567890abcdef... (32 bytes)

2. Calculate SHA256 hash
   payment_hash = SHA256(preimage)
   Example: 0xabcdef1234567890... (32 bytes)

3. Keep preimage secret, publish hash
   • Preimage: Only Bob knows
   • Hash: Included in invoice, sent to Alice

Sender (Alice):
1. Receives invoice containing payment_hash
2. Cannot reverse hash to get preimage (one-way function)
3. Uses payment_hash to build HTLC
4. Sends payment

Payment Flow Using Payment Hash

Alice ----------------------------------------> Bob
        Carol (intermediate node)

Step 1: Bob Creates Invoice
Bob generates:
  preimage = 0x11223344... (secret)
  payment_hash = SHA256(preimage) = 0xaabbccdd...

Invoice content:
  lnbc10u1p... (contains payment_hash)

  | Invoice sent to Alice
  v

Step 2: Alice Sends Payment
Alice -> Carol:
  HTLC: If you can provide preimage of H, I'll give you 10,000 sats
  H = 0xaabbccdd...

Carol -> Bob:
  HTLC: If you can provide preimage of H, I'll give you 9,990 sats
  H = 0xaabbccdd... (same hash)

  | Bob knows the preimage
  v

Step 3: Bob Claims Payment
Bob -> Carol:
  Reveals preimage = 0x11223344...
  Carol verifies: SHA256(0x11223344...) = 0xaabbccdd... OK
  Carol pays Bob

Carol -> Alice:
  Reveals preimage = 0x11223344... (same preimage)
  Alice verifies: SHA256(0x11223344...) = 0xaabbccdd... OK
  Alice pays Carol

BOLT 11 Invoice Structure

lnbc10u1pj9...

Decoded:
• Amount: 10 microbitcoin (1,000 satoshis)
• Timestamp: 1234567890
• payment_hash:
  0xabcdef1234567890abcdef1234567890
  abcdef1234567890abcdef1234567890
• Description: Coffee payment
• Expiry time: 3600 seconds
• Signature: ...

payment_secret (BOLT 11 Extension):

Problem:
  Intermediate nodes can probe if payment reaches destination

Solution: payment_secret
• Another 32-byte random value
• Passed to final receiver via onion routing
• Receiver verifies payment_secret
• Intermediate nodes cannot obtain this value

Multiple Uses of Preimage

1. Proof of Payment
   • Sender saves preimage as receipt
   • Can prove payment was received
   • Used for dispute resolution

2. Conditional Payments (Hold Invoices)
   • Receiver delays revealing preimage
   • Waits for certain conditions to be met
   • Implements escrow-style payments

3. Atomic Swaps
   • Cross-chain atomic swaps use same mechanism
   • Ensures both transactions complete simultaneously
   • Submarine Swaps based on this principle

4. Cryptographic Commitments
   • Preimage can encode arbitrary data
   • Revealing preimage = revealing commitment
   • Enables various smart contract functions

Example: Using Preimage as Key

Scenario: Payment unlocks digital content

1. Merchant encrypts content with preimage
   encrypted = AES(content, preimage)

2. Sends encrypted content to buyer

3. Buyer pays invoice

4. After payment succeeds, buyer obtains preimage
   content = AES_decrypt(encrypted, preimage)

Keysend (Spontaneous Payment)

Traditional payment: Receiver generates preimage
Keysend: Sender generates preimage

Flow:
1. Alice generates preimage
2. Alice calculates payment_hash = SHA256(preimage)
3. Alice builds HTLC chain
4. Alice encrypts and passes preimage to Bob via onion
5. Bob obtains preimage from onion
6. Bob uses preimage to claim payment

TLV Passing Preimage:
Onion payload contains:
  keysend_preimage (TLV type 5482373484)
  -> 32 bytes preimage

Advantages:
• No invoice needed
• Suitable for tips, donations
• Supports streaming payments

Disadvantages:
• No amount verification
• Receiver may not expect it
• No payment description