BOLT 3: Add test vectors for key derivation. (#83)

* BOLT 3: Add test vectors for key derivation.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

03-transactions.md

@@ -30,6 +30,7 @@ This details the exact format of on-chain transactions, which both sides need to
   * [Appendix C: Per-commitment Secret Generation Test Vectors](#appendix-c-per-commitment-secret-generation-test-vectors)    
     * [Generation tests](#generation-tests)
     * [Storage tests](#storage-tests)
+  * [Appendix D: Key Derivation Test Vectors](#appendix-d-key-derivation-test-vectors)
   * [References](#references)   
   * [Authors](#authors)   
   
@@ -323,6 +324,11 @@ This construction ensures that neither the node providing the
 basepoint nor the node providing the `per-commitment-point` can know the
 private key without the other node's secret.
 
+The corresponding private key can be derived once the `per-commitment-secret`
+is known:
+
+    revocationsecretkey = revocation-basepoint-secret * SHA256(revocation-basepoint || per-commitment-point) + per-commitment-secret*SHA256(per-commitment-point || revocation-basepoint)
+
 ### Per-commitment Secret Requirements
 
 A node MUST select an unguessable 256-bit seed for each connection,
@@ -916,6 +922,58 @@ seeded with `0x000...00`.
 	secret: 0xa7efbc61aac46d34f77778bac22c8a20c6a46ca460addc49009bda875ec88fa4
 	output: ERROR
 	
+# Appendix D: Key Derivation Test Vectors
+
+These test the derivation for `localkey`, `remotekey`, `local-delayedkey` and
+`remote-delayedkey` (which use the formula), as well as the `revocation-key`.
+
+All of them use the following secrets (and thus the derived points):
+
+    base_secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+    per_commitment_secret: 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
+    base_point: 0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2
+    per_commitment_point: 0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486
+
+    name: derivation of key from basepoint and per-commitment-point
+    # SHA256(per-commitment-point || basepoint)
+    # => SHA256(0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486 || 0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2)
+    # = 0xcbcdd70fcfad15ea8e9e5c5a12365cf00912504f08ce01593689dd426bca9ff0
+    # + basepoint (0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2)
+    # = 0x0235f2dbfaa89b57ec7b055afe29849ef7ddfeb1cefdb9ebdc43f5494984db29e5
+    localkey: 0x0235f2dbfaa89b57ec7b055afe29849ef7ddfeb1cefdb9ebdc43f5494984db29e5
+
+    name: derivation of secret key from basepoint secret and per-commitment-secret
+	# SHA256(per-commitment-point || basepoint)
+    # => SHA256(0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486 || 0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2)
+    # = 0xcbcdd70fcfad15ea8e9e5c5a12365cf00912504f08ce01593689dd426bca9ff0
+    # + basepoint_secret (0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f)
+    # = 0xcbced912d3b21bf196a766651e436aff192362621ce317704ea2f75d87e7be0f
+    localprivkey: 0xcbced912d3b21bf196a766651e436aff192362621ce317704ea2f75d87e7be0f
+
+    name: derivation of revocation key from basepoint and per-commitment-point
+    # SHA256(revocation-basepoint || per-commitment-point)
+    # => SHA256(0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2 || 0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486)
+    # = 0xefbf7ba5a074276701798376950a64a90f698997cce0dff4d24a6d2785d20963
+    # x revocation-basepoint = 0x02c00c4aadc536290422a807250824a8d87f19d18da9d610d45621df22510db8ce
+    # SHA256(per-commitment-point || revocation-basepoint)
+    # => SHA256(0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486 || 0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2)
+    # = 0xcbcdd70fcfad15ea8e9e5c5a12365cf00912504f08ce01593689dd426bca9ff0
+    # x per-commitment-point = 0x0325ee7d3323ce52c4b33d4e0a73ab637711057dd8866e3b51202a04112f054c43
+    # 0x02c00c4aadc536290422a807250824a8d87f19d18da9d610d45621df22510db8ce + 0x0325ee7d3323ce52c4b33d4e0a73ab637711057dd8866e3b51202a04112f054c43 => 0x02916e326636d19c33f13e8c0c3a03dd157f332f3e99c317c141dd865eb01f8ff0
+    revocationkey: 0x02916e326636d19c33f13e8c0c3a03dd157f332f3e99c317c141dd865eb01f8ff0
+
+    name: derivation of revocation secret from basepoint-secret and per-commitment-secret
+    # SHA256(revocation-basepoint || per-commitment-point)
+    # => SHA256(0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2 || 0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486)
+    # = 0xefbf7ba5a074276701798376950a64a90f698997cce0dff4d24a6d2785d20963
+    # * revocation-basepoint-secret (0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f)# = 0x44bfd55f845f885b8e60b2dca4b30272d5343be048d79ce87879d9863dedc842
+    # SHA256(per-commitment-point || revocation-basepoint)
+    # => SHA256(0x025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486 || 0x036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2)
+    # = 0xcbcdd70fcfad15ea8e9e5c5a12365cf00912504f08ce01593689dd426bca9ff0
+    # * per-commitment-secret (0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100)# = 0x8be02a96a97b9a3c1c9f59ebb718401128b72ec009d85ee1656319b52319b8ce
+    # => 0xd09ffff62ddb2297ab000cc85bcb4283fdeb6aa052affbc9dddcf33b61078110
+    revocationprivkey: 0xd09ffff62ddb2297ab000cc85bcb4283fdeb6aa052affbc9dddcf33b61078110
+
 # References
 
 # Authors