Payment Points

In our recent posts, we discussed all the benefits and features enabled by Payment Points on the Lightning Network. We explored how they can protect us from wormhole attacks and payment correlation, how they enable “stuckless” payments, and how they allow escrow contracts over Lightning. In this post we will discuss one of my favorite new features: trustlessly selling signatures!


Payment Points Part 1 – Introduction

Payment Points Part 2 – “Stuckless” Payments

Payment Points Part 3 – Escrow Contracts


As we have covered previously, the Lightning Network enables selling data with some minimal trust in the seller by ensuring that the data is received atomically with payment completion. This still requires trust in the seller because although the data is received if and only if the user pays, the user has no way of validating that they will receive the data that they expect – as opposed to some random garbage. This is fine for many applications such as paying an oracle for data.  But what about enabling payment in exchange for data in more adversarial contexts?

This is where Payment Points come to the rescue. Since a point reveals some information about its underlying scalar, we are going to be able to do some validation. Whereas this is impossible with hashes since they destroy all information. 

In particular, note that every Schnorr signature, s, of a message, m, with (public) keys P and R has the property that s*G = R + m*P. This means that without knowing anything useful about the signature s itself, s*G (the payment point associated with s) is computable from public information, namely R, P and m. Thus, using s*G as the payment point will ensure that s will be the Proof of Payment (PoP) which is received by the buyer atomically with payment completion!

This scheme mitigates all trust in the seller as they must reveal exactly the s the buyer has specified in order to claim the funds they have been offered. There is no way for the seller to get paid without revealing a valid signature of a message m specified by the buyer.

Jonas Nick has discussed in depth how this kind of signature selling enables ecash/blind side-chains as well as selling anonymous credentials. He also mentions that this scheme can be used to sell Discreet Log Contract (DLC) signatures.

I would like to take this last idea one step further. Not only can DLC signatures be bought and sold, but they can be bought in only one direction enabling Discreet Log Option Contracts (DLOCs). An option contract is when one party, say Alice, purchases the option or right, but not the obligation, to execute a contract (e.g. to buy Bitcoin tomorrow at double the price, which would be favorable if she thinks the price will more than double) from some other party, say Bob. 

If the Lightning Network were to move to payment points, Alice could enter into a DLOC with Bob in which she would buy his signatures to the transactions which spend the funding transaction. In this way, only she can execute these transactions (since Bob cannot generate Alice’s signatures), or choose not to after which the contract will timeout and Alice and Bob will have their funds returned (except for the premium Alice paid Bob for his signatures). Thus, a Payment Point Lightning Network would enable fully P2P option contracts.

This concludes our Payment Point Proposals series. We covered how the Lightning Network is currently prone to payment correlation and wormhole attacks due to its use of payment hashes. We showed how these problems are solved by Payment Points. And we covered how a point-based Lightning Network enables “stuckless” payments, escrow contracts, and selling signatures. Although Payment Points are not currently slated for Lightning v1.1, I’m hopeful that we migrate to this objectively better routing solution once bip-taproot gets into bitcoin-core.


All of our API services are built using Lightning technology and the Lightning Network. All API services are live on Bitcoin’s mainnet. Our fully customizable data service allows customers to stream as much or as little data as they wish and pay using bitcoin.  Be sure to check out our recently released Historical Crypto Prices API!

You can connect to our Lightning node at the url:

038[email protected]ln.suredbits.com

To learn more about how our Lightning APIs work please visit our API documentation or checkout our new websocket playground to start exploring custom data feeds.

If you are a company or cryptocurrency exchange interested in learning more about how Lightning can help grow your business, contact us at [email protected]. We would love to talk to you.