common: add blinding helpers.

We'll want this once we add blinded HTLCs. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2024-11-19 09:54:16 +01:00 · 2020-04-03 13:46:56 +10:30 · 2020-04-03 13:46:56 +10:30 · 91251b1870
commit 91251b1870
parent d9fc99ea39
7 changed files with 78 additions and 84 deletions
--- a/channeld/Makefile
+++ b/channeld/Makefile
@ -37,6 +37,7 @@ CHANNELD_COMMON_OBJS :=				\
 	common/base32.o				\
 	common/bigsize.o			\
 	common/bip32.o				\
 	common/blinding.o			\
 	common/channel_config.o			\
 	common/crypto_state.o			\
 	common/crypto_sync.o			\
--- a/channeld/channeld.c
+++ b/channeld/channeld.c
@ -27,6 +27,7 @@
 #include <channeld/commit_tx.h>
 #include <channeld/full_channel.h>
 #include <channeld/gen_channel_wire.h>
 #include <common/blinding.h>
 #include <common/crypto_sync.h>
 #include <common/dev_disconnect.h>
 #include <common/features.h>
@ -1629,37 +1630,6 @@ static bool channeld_handle_custommsg(const u8 *msg)
 }
 #if EXPERIMENTAL_FEATURES
 /* H(E(i) || ss(i)) */
 static struct sha256 hash_e_and_ss(const struct pubkey *e,
 				   const struct secret *ss)
 {
 	u8 der[PUBKEY_CMPR_LEN];
 	struct sha256_ctx shactx;
 	struct sha256 h;
 	pubkey_to_der(der, e);
 	sha256_init(&shactx);
 	sha256_update(&shactx, der, sizeof(der));
 	sha256_update(&shactx, ss->data, sizeof(ss->data));
 	sha256_done(&shactx, &h);
 	return h;
 }
 /* E(i-1) = H(E(i) || ss(i)) * E(i) */
 static struct pubkey next_pubkey(const struct pubkey *pk,
 				 const struct sha256 *h)
 {
 	struct pubkey ret;
 	ret = *pk;
 	if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &ret.pubkey, h->u.u8)
 	    != 1)
 		abort();
 	return ret;
 }
 /* Peer sends onion msg. */
 static void handle_onion_message(struct peer *peer, const u8 *msg)
 {
@ -1866,9 +1836,10 @@ static void handle_onion_message(struct peer *peer, const u8 *msg)
 		if (blinding_ss) {
 			/* E(i-1) = H(E(i) || ss(i)) * E(i) */
-			struct sha256 h = hash_e_and_ss(blinding_in, blinding_ss);
+			struct sha256 h;
 			blinding_hash_e_and_ss(blinding_in, blinding_ss, &h);
 			next_blinding = tal(msg, struct pubkey);
-			*next_blinding = next_pubkey(blinding_in, &h);
+			blinding_next_pubkey(blinding_in, &h, next_blinding);
 		} else
 			next_blinding = NULL;
--- a/common/Makefile
+++ b/common/Makefile
@ -7,6 +7,7 @@ COMMON_SRC_NOGEN :=				\
 	common/bech32_util.c			\
 	common/bigsize.c			\
 	common/bip32.c				\
 	common/blinding.c			\
 	common/bolt11.c				\
 	common/channel_config.c			\
 	common/close_tx.c			\
--- a/common/blinding.c
+++ b/common/blinding.c
@ -0,0 +1,39 @@
 #include <bitcoin/privkey.h>
 #include <bitcoin/pubkey.h>
 #include <common/blinding.h>
 #include <common/utils.h>
 void blinding_hash_e_and_ss(const struct pubkey *e,
 			    const struct secret *ss,
 			    struct sha256 *sha)
 {
 	u8 der[PUBKEY_CMPR_LEN];
 	struct sha256_ctx shactx;
 	pubkey_to_der(der, e);
 	sha256_init(&shactx);
 	sha256_update(&shactx, der, sizeof(der));
 	sha256_update(&shactx, ss->data, sizeof(ss->data));
 	sha256_done(&shactx, sha);
 }
 /* E(i+1) = H(E(i) || ss(i)) * E(i) */
 bool blinding_next_pubkey(const struct pubkey *pk,
 			  const struct sha256 *h,
 			  struct pubkey *next)
 {
 	*next = *pk;
 	return secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &next->pubkey,
 					     h->u.u8) == 1;
 }
 /* e(i+1) = H(E(i) || ss(i)) * e(i) */
 bool blinding_next_privkey(const struct privkey *e,
 			   const struct sha256 *h,
 			   struct privkey *next)
 {
 	*next = *e;
 	return secp256k1_ec_privkey_tweak_mul(secp256k1_ctx, next->secret.data,
 					      h->u.u8) == 1;
 }
--- a/common/blinding.h
+++ b/common/blinding.h
@ -0,0 +1,25 @@
 #ifndef LIGHTNING_COMMON_BLINDING_H
 #define LIGHTNING_COMMON_BLINDING_H
 #include "config.h"
 struct privkey;
 struct pubkey;
 struct secret;
 struct sha256;
 /* H(E(i) || ss(i)) */
 void blinding_hash_e_and_ss(const struct pubkey *e,
 			    const struct secret *ss,
 			    struct sha256 *sha);
 /* E(i+1) = H(E(i) || ss(i)) * E(i) */
 bool blinding_next_pubkey(const struct pubkey *pk,
 			  const struct sha256 *h,
 			  struct pubkey *next);
 /* e(i+1) = H(E(i) || ss(i)) * e(i) */
 bool blinding_next_privkey(const struct privkey *e,
 			   const struct sha256 *h,
 			   struct privkey *next);
 #endif /* LIGHTNING_COMMON_BLINDING_H */
--- a/devtools/Makefile
+++ b/devtools/Makefile
@ -70,7 +70,7 @@ devtools/onion.c: ccan/config.h
 devtools/onion: $(DEVTOOLS_OBJS) $(DEVTOOLS_COMMON_OBJS) $(JSMN_OBJS) $(CCAN_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o devtools/onion.o common/sphinx.o
-devtools/blindedpath: $(DEVTOOLS_OBJS) $(DEVTOOLS_COMMON_OBJS) $(JSMN_OBJS) $(CCAN_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o devtools/blindedpath.o common/sphinx.o
+devtools/blindedpath: $(DEVTOOLS_OBJS) $(DEVTOOLS_COMMON_OBJS) $(JSMN_OBJS) $(CCAN_OBJS) common/blinding.o $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o devtools/blindedpath.o common/sphinx.o
 devtools/gossipwith: $(DEVTOOLS_OBJS) $(DEVTOOLS_COMMON_OBJS) $(JSMN_OBJS) $(CCAN_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o wire/gen_peer_wire.o devtools/gossipwith.o common/cryptomsg.o common/cryptomsg.o common/crypto_sync.o
--- a/devtools/blindedpath.c
+++ b/devtools/blindedpath.c
@ -6,6 +6,7 @@
 #include <ccan/opt/opt.h>
 #include <ccan/str/hex/hex.h>
 #include <ccan/tal/tal.h>
 #include <common/blinding.h>
 #include <common/hmac.h>
 #include <common/sphinx.h>
 #include <common/type_to_string.h>
@ -40,51 +41,6 @@ static void tal_freefn(void *ptr)
 	tal_free(ptr);
 }
 /* E(i-1) = H(E(i) || ss(i)) * E(i) */
 static struct sha256 hash_e_and_ss(const struct pubkey *e,
 				   const struct secret *ss)
 {
 	u8 der[PUBKEY_CMPR_LEN];
 	struct sha256_ctx shactx;
 	struct sha256 h;
 	pubkey_to_der(der, e);
 	sha256_init(&shactx);
 	sha256_update(&shactx, der, sizeof(der));
 	sha256_update(&shactx, ss->data, sizeof(ss->data));
 	sha256_done(&shactx, &h);
 	return h;
 }
 /* E(i-1) = H(E(i) || ss(i)) * E(i) */
 static struct pubkey next_pubkey(const struct pubkey *pk,
 				 const struct sha256 *h)
 {
 	struct pubkey ret;
 	ret = *pk;
 	if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &ret.pubkey, h->u.u8)
 	    != 1)
 		abort();
 	return ret;
 }
 /* e(i+1) = H(E(i) || ss(i)) * e(i) */
 static struct privkey next_privkey(const struct privkey *e,
 				   const struct sha256 *h)
 {
 	struct privkey ret;
 	ret = *e;
 	if (secp256k1_ec_privkey_tweak_mul(secp256k1_ctx, ret.secret.data,
 					   h->u.u8) != 1)
 		abort();
 	return ret;
 }
 int main(int argc, char **argv)
 {
 	bool first = false;
@ -155,10 +111,11 @@ int main(int argc, char **argv)
 					abort();
 			}
 			subkey_from_hmac("rho", &ss, &rho[i]);
-			h = hash_e_and_ss(&pk_e[i], &ss);
+			blinding_hash_e_and_ss(&pk_e[i], &ss, &h);
 			if (i != num-1)
-				pk_e[i+1] = next_pubkey(&pk_e[i], &h);
+				blinding_next_pubkey(&pk_e[i], &h,
-			e = next_privkey(&e, &h);
+						     &pk_e[i+1]);
 			blinding_next_privkey(&e, &h, &e);
 		}
 		/* Print initial blinding factor */
@ -326,8 +283,8 @@ int main(int argc, char **argv)
 		printf("Contents: %s\n", tal_hex(tmpctx, dec));
 		/* E(i-1) = H(E(i) || ss(i)) * E(i) */
-		h = hash_e_and_ss(&blinding, &ss);
+		blinding_hash_e_and_ss(&blinding, &ss, &h);
-		res = next_pubkey(&blinding, &h);
+		blinding_next_pubkey(&blinding, &h, &res);
 		printf("Next blinding: %s\n",
 		       type_to_string(tmpctx, struct pubkey, &res));
 		printf("Next onion: %s\n", tal_hex(tmpctx, serialize_onionpacket(tmpctx, rs->next)));