5

For regular on-chain payments, a txid can prove at least a transferring of value indeedly happened, at a specific time, despite that it may be totally irrelevant. For example, a malicious user can send his own money to himself, to pretend that he purchased some goods from an innocent merchant.

For LN off-chain payments, is it possible for a payer to prove to 3rd party that he had indeedly made a payment to the payee?

Should the preimage be signed by the payer/payee? – Chris Chen – 2019-12-09T10:10:26.087

1the invoice which transports the payment hash is signed by the payee. The payee cannot really sign the preimage to gain something as every routing node could do that. There are currently proposals like stuckless and cancable payments as well as payment decorrelation. In that world the payer could actually proof (s)he was the the payer – Rene Pickhardt – 2019-12-09T10:20:24.803

I still doubt how could a signed invoice (which contains the payment hash) together with the preimage could prove anything. How could the 3rd party be convinced, or be able to spot fake proofs? – Chris Chen – 2019-12-09T10:39:54.450

The proof consists because we assume that the inverse of the hash function is unknown. Being able to provide the preimage is proof that the recipient was paid otherwise (s)he would not have released the secret – Rene Pickhardt – 2019-12-09T14:38:12.070

But invoices can be generated with zero cost, right? How could the 3rd party distinguish between an actually paid invoice and an never-paid invoice which is used to pretend to be a paid one? – Chris Chen – 2019-12-09T17:44:36.263

For the paid one the payer can show the preimage – Rene Pickhardt – 2019-12-09T21:22:52.073

Let us continue this discussion in chat.

– Chris Chen – 2019-12-09T23:13:51.103