From 16be1eb8c1286bd756c59795d79e35cb41b1df48 Mon Sep 17 00:00:00 2001
From: MPins <pinsdorf@proton.me>
Date: Fri, 15 May 2026 13:45:58 -0300
Subject: [PATCH 1/3] go.mod: update btcec/v2 for VerifyLowS

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index af03897854..bea18305cf 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ require (
 	github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344
 	github.com/andybalholm/brotli v1.0.4
 	github.com/btcsuite/btcd v0.25.1-0.20260310163610-1c55c7c18179
-	github.com/btcsuite/btcd/btcec/v2 v2.3.6
+	github.com/btcsuite/btcd/btcec/v2 v2.4.0
 	github.com/btcsuite/btcd/btcutil v1.1.6
 	github.com/btcsuite/btcd/btcutil/psbt v1.1.10
 	github.com/btcsuite/btcd/chaincfg/chainhash v1.1.0
diff --git a/go.sum b/go.sum
index 065b5a1820..65714e9dd8 100644
--- a/go.sum
+++ b/go.sum
@@ -44,8 +44,8 @@ github.com/btcsuite/btcd v0.25.1-0.20260310163610-1c55c7c18179 h1:yJOTxkbxxtuSFr
 github.com/btcsuite/btcd v0.25.1-0.20260310163610-1c55c7c18179/go.mod h1:qbPE+pEiR9643E1s1xu57awsRhlCIm1ZIi6FfeRA4KE=
 github.com/btcsuite/btcd/btcec/v2 v2.1.0/go.mod h1:2VzYrv4Gm4apmbVVsSq5bqf1Ec8v56E48Vt0Y/umPgA=
 github.com/btcsuite/btcd/btcec/v2 v2.1.3/go.mod h1:ctjw4H1kknNJmRN4iP1R7bTQ+v3GJkZBd6mui8ZsAZE=
-github.com/btcsuite/btcd/btcec/v2 v2.3.6 h1:IzlsEr9olcSRKB/n7c4351F3xHKxS2lma+1UFGCYd4E=
-github.com/btcsuite/btcd/btcec/v2 v2.3.6/go.mod h1:m22FrOAiuxl/tht9wIqAoGHcbnCCaPWyauO8y2LGGtQ=
+github.com/btcsuite/btcd/btcec/v2 v2.4.0 h1:9JgnRkOL8J1UKuGlpJs7oL5tFRgrBgyM/uhwfS+cUiI=
+github.com/btcsuite/btcd/btcec/v2 v2.4.0/go.mod h1:64BXFSNzV1koQHPqljB4LaD6lZPQEQNZ38zMImajCRo=
 github.com/btcsuite/btcd/btcutil v1.0.0/go.mod h1:Uoxwv0pqYWhD//tfTiipkxNfdhG9UrLwaeswfjfdF0A=
 github.com/btcsuite/btcd/btcutil v1.1.0/go.mod h1:5OapHB7A2hBBWLm48mmw4MOHNJCcUBTwmWH/0Jn8VHE=
 github.com/btcsuite/btcd/btcutil v1.1.5/go.mod h1:PSZZ4UitpLBWzxGd5VGOrLnmOjtPP/a6HaFo12zMs00=

From 7acada4084c6c7f4f8350d6320dddac5e09b67ba Mon Sep 17 00:00:00 2001
From: MPins <pinsdorf@proton.me>
Date: Fri, 14 Nov 2025 12:00:03 -0300
Subject: [PATCH 2/3] zpay32: enforce low-S signature when the `n` is present

Enforce low-S canonical signatures when the `n` is present and include
test vectors to validate the new behavior.
---
 zpay32/decode.go       |  5 +++++
 zpay32/invoice_test.go | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/zpay32/decode.go b/zpay32/decode.go
index 577f6a6d13..2e38b3820b 100644
--- a/zpay32/decode.go
+++ b/zpay32/decode.go
@@ -186,6 +186,11 @@ func Decode(invoice string, net *chaincfg.Params, opts ...DecodeOption) (
 			return nil, fmt.Errorf("unable to deserialize "+
 				"signature: %v", err)
 		}
+		// Ensure the signature is in canonical low-S form.
+		if err = ecdsa.VerifyLowS(sig.ToSignatureBytes()); err != nil {
+			return nil, fmt.Errorf("invalid invoice "+
+				"signature: %w", err)
+		}
 		if !signature.Verify(hash, decodedInvoice.Destination) {
 			return nil, fmt.Errorf("invalid invoice signature")
 		}
diff --git a/zpay32/invoice_test.go b/zpay32/invoice_test.go
index bfa1539f3e..2ddf61357c 100644
--- a/zpay32/invoice_test.go
+++ b/zpay32/invoice_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+//nolint:ll
 var (
 	testMillisat24BTC    = lnwire.MilliSatoshi(2400000000000)
 	testMillisat2500uBTC = lnwire.MilliSatoshi(250000000)
@@ -61,6 +62,9 @@ var (
 	testPrivKeyBytes, _     = hex.DecodeString("e126f68f7eafcc8b74f54d269fe206be715000f94dac067d1c04a8ca3b2db734")
 	testPrivKey, testPubKey = btcec.PrivKeyFromBytes(testPrivKeyBytes)
 
+	testHighSPubKeyBytes, _ = hex.DecodeString("02d0139ce7427d6dfffd26a326c18be754ef1e64672b42694ba5b23ef6e6e7803d")
+	testHighSPubKey, _      = btcec.ParsePubKey(testHighSPubKeyBytes)
+
 	testDescriptionHashSlice = chainhash.HashB([]byte("One piece of chocolate cake, one icecream cone, one pickle, one slice of swiss cheese, one slice of salami, one lollypop, one piece of cherry pie, one sausage, one cupcake, and one slice of watermelon"))
 
 	testExpiry0  = time.Duration(0) * time.Second
@@ -195,6 +199,7 @@ func TestDecodeEncode(t *testing.T) {
 		decodeOpts     []DecodeOption
 		skipEncoding   bool
 		beforeEncoding func(*Invoice)
+		errContains    string
 	}{
 		{
 			encodedInvoice: "asdsaddnasdnas", // no hrp
@@ -898,6 +903,36 @@ func TestDecodeEncode(t *testing.T) {
 				WithErrorOnUnknownFeatureBit(),
 			},
 		},
+		{
+			// Invoice with high-S signature and Public-key
+			// recovery.
+			encodedInvoice: "lnbc1pvjluezsp5zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zygspp5qqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqypqdpl2pkx2ctnv5sxxmmwwd5kgetjypeh2ursdae8g6twvus8g6rfwvs8qun0dfjkxaq9qrsgq357wnc5r2ueh7ck6q93dj32dlqnls087fxdwk8qakdyafkq3yap2r09nt4ndd0unm3z9u5t48y6ucv4r5sg7lk98c77ctvjczkspk5qprc90gx",
+			valid:          true,
+			skipEncoding:   true,
+			decodedInvoice: func() *Invoice {
+				return &Invoice{
+					Net:         &chaincfg.MainNetParams,
+					Timestamp:   time.Unix(1496314658, 0),
+					PaymentHash: &testPaymentHash,
+					PaymentAddr: fn.Some(specPaymentAddr),
+					Description: &testPleaseConsider,
+					Destination: testHighSPubKey,
+					Features: lnwire.NewFeatureVector(
+						lnwire.NewRawFeatureVector(
+							8, 14,
+						),
+						lnwire.Features,
+					),
+				}
+			},
+		},
+		{
+			// Invoice with high-S signature and 'n' tagged field
+			// for destination pubkey.
+			encodedInvoice: "lnbc25m1p70xwfzpp5qqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqypqdpl2pkx2ctnv5sxxmmwwd5kgetjypeh2ursdae8g6twvus8g6rfwvs8qun0dfjkxaqnp4q0n326hr8v9zprg8gsvezcch06gfaqqhde2aj730yg0durunfhv66sp5zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zygs9qrsgqsp5zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zyg3zygsp5cfzp9ugllvk03rltd6hvndxj26ux6gcxc5azyxk060rj9tzghct5zvjlps76gx8wpq5yuu79688k8gnm2c0al6v608s96l0xzrrlqqwnzxmu",
+			valid:          false,
+			errContains:    "low-S",
+		},
 	}
 
 	for i, test := range tests {
@@ -918,6 +953,11 @@ func TestDecodeEncode(t *testing.T) {
 			)
 			if !test.valid {
 				require.Error(t, err)
+				if test.errContains != "" {
+					require.ErrorContains(
+						t, err, test.errContains,
+					)
+				}
 			} else {
 				require.NoError(t, err)
 				require.Equal(t, decodedInvoice, invoice)

From 2df4e1859bd1a2cf80386d296febd9ebfdfd0152 Mon Sep 17 00:00:00 2001
From: MPins <pinsdorf@proton.me>
Date: Fri, 15 May 2026 13:59:25 -0300
Subject: [PATCH 3/3] docs: release-notes-0.22.0

---
 docs/release-notes/release-notes-0.22.0.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/release-notes/release-notes-0.22.0.md b/docs/release-notes/release-notes-0.22.0.md
index fb31bad566..76d1866e23 100644
--- a/docs/release-notes/release-notes-0.22.0.md
+++ b/docs/release-notes/release-notes-0.22.0.md
@@ -52,6 +52,9 @@
 
 ## BOLT Spec Updates
 
+* LND now [enforces](https://github.com/lightning/bolts/pull/1284) low-S
+  canonical signatures when the `n` field is present in a BOLT11 invoice.
+
 * The fundee now [enforces the BOLT-02 bound on
   `push_msat`](https://github.com/lightningnetwork/lnd/pull/10765),
   rejecting incoming `open_channel` messages where `push_msat` exceeds