blog

The country of my citizenship and residence has invaded Ukraine, starting a war. That much I know from my friends and their relatives etc., and no amount of geopolitical bullshit about Biden/NATO/backyard/neonazis will change my mind, so please don't bother to even start.

Russian government has directly prohibited what I'm doing here since 2020, and I was prepared from the start to take a hit for it when I decided to go ahead. It would be kind of funny if I'm imprisoned for a publication or something like this text, which changes almost nothing, instead of the actual, useful anti-state activity of providing flow of funds without verifying anything about the sender or asking anything but the bare minimum about the recipient.

It wouldn't be a personal fun for me and lnurl-pay.me will probably suffer a lot of downtime whenever this happens, but it's nothing compared to living in a bombed city, etc., so it doesn't matter much for now. If you search a person who deserves encouragement and praise for his bravery and support, consider Anton Kumaigorodsky, the author of SBW (https://sbw.app) Lightning wallet, serving in an Ukrainian militia with a purpose to kill as much invaders as possible. Consider helping his country throwing out Russians away as soon as possible, so he can return to developing SBW, Hosted channels and other useful stuff. By doing it, you probably help Lightning Network more than by running a routing node. Consider donating to https://savelife.in.ua/en/donate/ (Bitcoin accepted).

If you are a Reformed Christian like me, consider supporting Gennady Mohnenko's ministry or getting some directions where the help is needed: https://www.facebook.com/gennadiy.mokhnenko (if you're a Reformed Christian from the US, following him might also unfuck your mind about NATO/Biden/Geopolitical shenanigans, if there's any hope for you at all).

Lnurl-pay.me continues to operate in both RUB and UAH directions. As I have no companions or technical personnel to oversee the service and top-up reserves when I'm not present, it can stop any time now. Fortunately I'm not a custodian for anyone's funds, and the invariant of either paying out fiat or getting your LN payment back should persist anyway.

Again, please spare me your warnings about what I'm doing being treason and putting me in a dangerous position. I believe in both grace and sovereignty of our Lord Jesus Christ, and if He decides that some time in prison will improve my weak faith, then I have no objection altogether. If He decides another way, then good luck for petty statist slaves catching me.

Good bye and thanks for all the fish

Until 2022-01-07, every LNURL and lightning address generated by https://lnurl-pay.me had a destination fiat payment system account visible in plain text. Sometimes it's fine: if you're collecting mass donations to a bank card whose number you've already published anyway. Sometimes it's even good: when you call for lightning donations to a public person who has published his fiat account, everyone can see that you aren't scamming the donors, as exactly that account is visible in the address.

Sometimes, however, this is not what you want. When you're charging a random person for your services using LNURL, or when you're collecting donations for yourself, there's no point in sharing your fiat account to anyone but the source of fiat payment (i.e., me). I'm adding optional account encryption today so you don't have to do it anymore.

It's just a checkbox labelled “Encrypt”: you may turn it on before (or after) entering the destination, and both the LNURL link and the lightning address cease to reveal the specific account in the destination payment system.

Every other thing remains visible: fiat currency, pre-specified fiat amount, and the payment direction (is it a Russian bank card or an Ukrainian mobile phone balance?). The exact amount of a successful fiat payment continues to be displayed in LUD-09-compliant wallets. The recipient's account, however, is not revealed even to the payer after a successful payment. First characters of the encrypted address are included in the message (they cover the whole AES-GCM MAC for the encrypted account, so I don't believe you can make it collide for different addresses to construct a fake LNURL-style “proof of payment”).

Anticipated FAQ

Q: Why are encrypted addresses so long? A: I've chosen an asymmetric encryption scheme to ensure that my server would know nothing about your account until someone actually pays to an encrypted address (you can create 100500 donation links, and I'll only know target accounts for those that are actually paid to). Unfortunately, the ECIES authenticated encryption scheme is rather heavy, requiring 33 bytes for an ephemeral public key + 16 bytes for MAC + the original length of plain text.

Q: Why not encrypt payment direction, currency etc.? A: With the current service implementation, these things may leak easily anyway, and I'm trying hard to avoid any illusion of privacy. Payment size limits, payment provider outages, and countless other things may reveal what system you're paying to. If it's interesting to anyone, I'll consider a special kind of encrypted addresses in the future, where the satoshi payment range or amount is user-specified, and no feedback on fiat amount is given during payment.

Q: How's encryption implemented? A: Code is published at https://git.int.sw4me.com/akovalenko/lnurl-pay.me/src/branch/master/src/ecies.js. The result of ecEncrypt is always prefixed with “0g” fixed prefix for some obscure legacy technical reasons. The bytes are encoded using bech32 alphabet, but without a hrp or a checksum to save some space (checksum makes no sense here as long as authenticated encryption is used). I use https://github.com/ecies/go for decryption, jumping through a few hoops to save space: passing a compressed representation of an ephemeral public key, plus assuming zero nonce (which I consider to be safe here because each ephemeral key is only used once).

Q: No padding? Doesn't it reveal account length? Isn't that bad? A: The calling code of ecEncrypt pads very short account names/numbers to 8 characters, preventing cases where the leak could be most harmful.

Q: Can the government see where my payment goes? A: Please assume it can. Surveillance of my outgoing payment rails is entirely possible, though not always easy. A government official can donate to an address and observe outgoing fiat payments, it's rather easy. I console myself that at least it's not free, and it's a bit harder to correlate third party payments to encrypted addresses this way.