BOLT #11: Invoice Protocol for Lightning Payments

A simple, extendable, QR-code-ready protocol for requesting payments over Lightning.

Table of Contents

• Encoding Overview
• Human-Readable Part
• Data Part
  • Tagged Fields
  • Feature Bits
• Payer / Payee Interactions
  • Payer / Payee Requirements
• Implementation
• Examples
• Authors

Encoding Overview

The format for a Lightning invoice uses bech32 encoding, which is already used for Bitcoin Segregated Witness. It can be simply reused for Lightning invoices even though its 6-character checksum is optimized for manual entry, which is unlikely to happen often given the length of Lightning invoices.

If a URI scheme is desired, the current recommendation is to either use 'lightning:' as a prefix before the BOLT-11 encoding (note: not 'lightning://'), or for fallback to Bitcoin payments, to use 'bitcoin:', as per BIP-21, with the key 'lightning' and the value equal to the BOLT-11 encoding.

Requirements

A writer:

• MUST encode the payment request in Bech32 (see BIP-0173)
• SHOULD use upper case for QR codes (see BIP-0173)
• MAY exceed the 90-character limit specified in BIP-0173.

A reader:

• MUST parse the address as Bech32, as specified in BIP-0173 (also without the character limit).
  • Note: this includes handling uppercase as specified by BIP-0173
• if the checksum is incorrect:
  • MUST fail the payment.

Human-Readable Part

The human-readable part of a Lightning invoice consists of two sections:

1. prefix: ln + BIP-0173 currency prefix (e.g. lnbc for Bitcoin mainnet, lntb for Bitcoin testnet, lntbs for Bitcoin signet, and lnbcrt for Bitcoin regtest)
2. amount: optional number in that currency, followed by an optional multiplier letter. The unit encoded here is the 'social' convention of a payment unit -- in the case of Bitcoin the unit is 'bitcoin' NOT satoshis.

The following multiplier letters are defined:

• m (milli): multiply by 0.001
• u (micro): multiply by 0.000001
• n (nano): multiply by 0.000000001
• p (pico): multiply by 0.000000000001

Requirements

A writer:

• MUST encode prefix using the currency required for successful payment.
• if a specific minimum amount is required for successful payment:
  • MUST include that amount.
  • MUST encode amount as a positive decimal integer with no leading 0s.
  • If the p multiplier is used the last decimal of amount MUST be 0.
  • SHOULD use the shortest representation possible, by using the largest multiplier or omitting the multiplier.

A reader:

• if it does NOT understand the prefix:
  • MUST fail the payment.
• if the amount is empty:
  • SHOULD indicate to the payer that amount is unspecified.
• otherwise:
  • if amount contains a non-digit OR is followed by anything except a multiplier (see table above):
    • MUST fail the payment.
  • if the multiplier is present:
    • MUST multiply amount by the multiplier value to derive the amount required for payment.
    • if multiplier is p and the last decimal of amount is not 0:
      • MUST fail the payment.

Rationale

The amount is encoded into the human readable part, as it's fairly readable and a useful indicator of how much is being requested.

Donation addresses often don't have an associated amount, so amount is optional in that case. Usually a minimum payment is required for whatever is being offered in return.

The p multiplier would allow to specify sub-millisatoshi amounts, which cannot be transferred on the network, since HTLCs are denominated in millisatoshis. Requiring a trailing 0 decimal ensures that the amount represents an integer number of millisatoshis.

Note that non-largest multipliers have been encountered in the wild, and as such invoice parsers should handle them.

Data Part

The data part of a Lightning invoice consists of multiple sections:

1. timestamp: seconds-since-1970 (35 bits, big-endian)
2. zero or more tagged parts
3. signature: compact ECDSA/secp256k1 signature of the above (520 bits: 64-byte R||S + 1-byte recovery id)

Requirements

A writer:

• MUST set timestamp to the number of seconds since Midnight 1 January 1970, UTC in big-endian.
• MUST set signature to a valid compact ECDSA signature over secp256k1 of the SHA-256 hash of: the human-readable part (as UTF-8 bytes) concatenated with the data part (excluding the signature), with 0 bits appended to pad to a byte boundary. The signature is encoded as 64 bytes (R || S), followed by a trailing 1-byte recovery id in {0,1,2,3}.

A reader:

• MUST check that the signature is valid (see the n tagged field specified below).

Rationale

signature covers an exact number of bytes even though the SHA2 standard actually supports hashing in bit boundaries, because it's not widely implemented. The recovery ID allows public-key recovery, so the identity of the payee node can be implied.

Tagged Fields

Each Tagged Field is of the form:

1. type (5 bits)
2. data_length (10 bits, big-endian)
3. data (data_length x 5 bits)

Note that the maximum length of a Tagged Field's data is constricted by the maximum value of data_length. This is 1023 x 5 bits, or 639 bytes.

Currently defined tagged fields are:

• p (1): data_length 52. 256-bit SHA256 payment_hash. Preimage of this provides proof of payment.
• s (16): data_length 52. This 256-bit secret prevents forwarding nodes from probing the payment recipient.
• d (13): data_length variable. Short description of purpose of payment (UTF-8), e.g. '1 cup of coffee' or 'ナンセンス 1杯'
• m (27): data_length variable. Additional metadata to attach to the payment. Note that the size of this field is limited by the maximum hop payload size. Long metadata fields reduce the maximum route length.
• n (19): data_length 53. 33-byte public key of the payee node
• h (23): data_length 52. 256-bit description of purpose of payment (SHA256). This is used to commit to an associated description that is over 639 bytes, but the transport mechanism for the description in that case is transport specific and not defined here.
• x (6): data_length variable. expiry time in seconds (big-endian). Default is 3600 (1 hour) if not specified.
• c (24): data_length variable. min_final_cltv_expiry_delta to use for the last HTLC in the route. Default is 18 if not specified.
• f (9): data_length variable, depending on version. Fallback on-chain address: for Bitcoin, this starts with a 5-bit version and contains a witness program or P2PKH or P2SH address.
• r (3): data_length variable. One or more entries containing extra routing information for a private route; there may be more than one r field
  • pubkey (264 bits)
  • short_channel_id (64 bits)
  • fee_base_msat (32 bits, big-endian)
  • fee_proportional_millionths (32 bits, big-endian)
  • cltv_expiry_delta (16 bits, big-endian)
• 9 (5): data_length variable. One or more 5-bit values containing features supported or required for receiving this payment. See Feature Bits.

Requirements

A writer:

• MUST include exactly one p field.
• MUST include exactly one s field.
• MUST set payment_hash to the SHA2 256-bit hash of the payment_preimage that will be given in return for payment.
• MUST include either exactly one d or exactly one h field.
  • if d is included:
    • MUST set d to a valid UTF-8 string.
    • SHOULD use a complete description of the purpose of the payment.
  • if h is included:
    • MUST make the preimage of the hashed description in h available through some unspecified means.
      • SHOULD use a complete description of the purpose of the payment.
• MAY include one x field.
  • if x is included:
    • MUST use the minimum data_length possible, i.e. no leading 0 field-elements.
• SHOULD include one c field (min_final_cltv_expiry_delta).
  • MUST set c to the minimum cltv_expiry it will accept for the last HTLC in the route.
  • MUST use the minimum data_length possible, i.e. no leading 0 field-elements.
• MAY include one n field. (Otherwise performing public-key recovery is required)
  • MUST set n to the public key used to create the signature.
• MAY include one or more f fields.
  • for Bitcoin payments:
    • MUST set an f field to a valid witness version and program, OR to 17 followed by a public key hash, OR to 18 followed by a script hash.
• if there is NOT a public channel associated with its public key:
  • MUST include at least one r field.
    • r field MUST contain one or more ordered entries, indicating the forward route from a public node to the final destination.
      • Note: for each entry, the pubkey is the node ID of the start of the channel; short_channel_id is the short channel ID field to identify the channel; and fee_base_msat, fee_proportional_millionths, and cltv_expiry_delta are as specified in BOLT #7.
  • MAY include more than one r field to provide multiple routing options.
• if 9 contains non-zero bits:
  • MUST use the minimum data_length possible to encode the non-zero bits with no 0 field-elements at the start.
• otherwise:
  • MUST omit the 9 field altogether.
• MUST pad field data to a multiple of 5 bits, using 0s.
• if a writer offers more than one of any field type, it:
  • MUST specify the most-preferred field first, followed by less-preferred fields, in order.

A reader:

• MUST skip over f fields that use an unknown version.
• MUST fail the payment if any field with fixed data_length (p, h, s, n) does not have the correct length (52, 52, 52, 53).
• MUST fail the payment if neither a d field nor a h field is present, or if both are present.
• if the 9 field contains unknown odd bits that are non-zero:
  • MUST ignore the bit.
• if the 9 field contains unknown even bits that are non-zero:
  • MUST fail the payment.
  • SHOULD indicate the unknown bit to the user.
• MUST check that the SHA2 256-bit hash in the h field exactly matches the hashed description.
• if a valid n field is provided:
  • MUST use the n field to validate the signature instead of performing public-key recovery.
  • If the signature is not compliant with the low-S standard rule^low-S:
    • MUST fail the payment
• otherwise:
  • MUST perform ECDSA public-key recovery and accept both high-S and low-S signatures.
• if a valid s field is not provided:
  • MUST fail the payment.
• otherwise:
  • MUST use the s field as payment_secret
• if the c field (min_final_cltv_expiry_delta) is not provided:
  • MUST use an expiry delta of at least 18 when making the payment
• if an m field is provided:
  • MUST use that as payment_metadata
• if a c, x, or 9 field is provided which has a non-minimal data_length (i.e. begins with 0 field elements):
  • SHOULD treat the invoice as invalid.

Rationale

The type-and-length format allows future extensions to be backward compatible. data_length is always a multiple of 5 bits, for easy encoding and decoding.

The d field allows inline descriptions, but may be insufficient for complex orders. Thus, the h field allows a summary: though the method by which the description is served is as-yet unspecified and will probably be transport dependent.

The m field allows metadata to be attached to the payment. This supports applications where the recipient doesn't keep any context for the payment.

The n field can be used to explicitly specify the destination node ID, instead of requiring public-key recovery.

The x field gives warning as to when a payment will be refused: mainly to avoid confusion. The default was chosen to be reasonable for most payments and to allow sufficient time for on-chain payment, if necessary.

The c field allows a way for the destination node to require a specific minimum CLTV expiry for its incoming HTLC. Destination nodes may use this to require a higher, more conservative value than the default one (depending on their fee estimation policy and their sensitivity to time locks). Note that remote nodes in the route specify their required cltv_expiry_delta in the channel_update message, which they can update at all times.

The f field allows on-chain fallback; however, this may not make sense for tiny or time-sensitive payments. It's possible that new address forms will appear; thus, multiple f fields (in an implied preferred order) help with transition, and f fields with versions 19-31 will be ignored by readers.

The r field allows limited routing assistance: as specified, it only allows minimum information to use private channels, however, it could also assist in future partial-knowledge routing.

Security Considerations for Payment Descriptions

Payment descriptions are user-defined and provide a potential avenue for injection attacks: during the processes of both rendering and persistence.

Payment descriptions should always be sanitized before being displayed in HTML/Javascript contexts (or any other dynamically interpreted rendering frameworks). Implementers should be extra perceptive to the possibility of reflected XSS attacks, when decoding and displaying payment descriptions. Avoid optimistically rendering the contents of the payment request until all validation, verification, and sanitization processes have been successfully completed.

Furthermore, consider using prepared statements, input validation, and/or escaping, to protect against injection vulnerabilities in persistence engines that support SQL or other dynamically interpreted querying languages.

• Stored and Reflected XSS Prevention
• DOM-based XSS Prevention
• SQL Injection Prevention

Don't be like the school of Little Bobby Tables.

Feature Bits

Feature bits allow forward and backward compatibility, and follow the it's ok to be odd rule. Features appropriate for use in the 9 field are marked in BOLT 9.

The field is

[Content truncated — view full spec at source]