mirrors/lnd
1
0
Fork 0
mirror of https://github.com/lightningnetwork/lnd.git synced 2024-11-19 09:53:54 +01:00
Code Issues Projects Releases Wiki Activity
74b30a71cb
lnd/lnwallet/musig_session.go

579 lines
18 KiB
Go
Raw Normal View History

lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
package lnwallet
import (
"bytes"
"fmt"
"io"
"github.com/btcsuite/btcd/btcec/v2"
"github.com/btcsuite/btcd/btcec/v2/schnorr"
"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
"github.com/btcsuite/btcd/txscript"
"github.com/btcsuite/btcd/wire"
"github.com/lightningnetwork/lnd/input"
"github.com/lightningnetwork/lnd/keychain"
"github.com/lightningnetwork/lnd/lnwire"
"github.com/lightningnetwork/lnd/shachain"
)
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
// MusigCommitType is an enum that denotes if this is the local or remote
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
// commitment.
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
type MusigCommitType uint8
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
const (
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
// LocalMusigCommit denotes that this a session for the local
// commitment.
LocalMusigCommit MusigCommitType = iota
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
// RemoteMusigCommit denotes that this is a session for the remote
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
// commitment.
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
RemoteMusigCommit
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
)
var (
// ErrSessionNotFinalized is returned when the SignCommit method is
// called for a local commitment, without the session being finalized
// (missing nonce).
ErrSessionNotFinalized = fmt.Errorf("musig2 session not finalized")
)
// MusigPartialSig is a wrapper around the base musig2.PartialSignature type
// that also includes information about the set of nonces used, and also the
// signer. This allows us to implement the input.Signature interface, as that
// requires the ability to perform abstract verification based on a public key.
type MusigPartialSig struct {
// sig is the actual musig2 partial signature.
sig *musig2.PartialSignature
// signerNonce is the nonce used by the signer to generate the partial
// signature.
signerNonce lnwire.Musig2Nonce
// combinedNonce is the combined nonce of all signers.
combinedNonce lnwire.Musig2Nonce
// signerKeys is the set of public keys of all signers.
signerKeys []*btcec.PublicKey
}
// NewMusigPartialSig creates a new musig partial signature.
func NewMusigPartialSig(sig *musig2.PartialSignature,
signerNonce, combinedNonce lnwire.Musig2Nonce,
signerKeys []*btcec.PublicKey) *MusigPartialSig {
return &MusigPartialSig{
sig: sig,
signerNonce: signerNonce,
combinedNonce: combinedNonce,
signerKeys: signerKeys,
}
}
// FromWireSig maps a wire partial sig to this internal type that we'll use to
// perform signature validation.
func (p *MusigPartialSig) FromWireSig(sig *lnwire.PartialSigWithNonce,
) *MusigPartialSig {
p.sig = &musig2.PartialSignature{
S: &sig.Sig,
}
p.signerNonce = sig.Nonce
return p
}
// ToWireSig maps the partial signature to something that we can use to write
// out for the wire protocol.
func (p *MusigPartialSig) ToWireSig() *lnwire.PartialSigWithNonce {
return &lnwire.PartialSigWithNonce{
PartialSig: lnwire.NewPartialSig(*p.sig.S),
Nonce: p.signerNonce,
}
}
// Serialize serializes the musig2 partial signature. The serializing includes
// the signer's public nonce _and_ the partial signature. The final signature
// is always 98 bytes in length.
func (p *MusigPartialSig) Serialize() []byte {
var b bytes.Buffer
_ = p.ToWireSig().Encode(&b)
return b.Bytes()
}
// ToSchnorrShell converts the musig partial signature to a regular schnorr.
// This schnorr signature uses a zero value for the 'r' field, so we're just
// only using the last 32-bytes of the signature. This is useful when we need
// to convert an HTLC schnorr signature into something we can send using the
// existing messages.
func (p *MusigPartialSig) ToSchnorrShell() *schnorr.Signature {
var zeroVal btcec.FieldVal
return schnorr.NewSignature(&zeroVal, p.sig.S)
}
// FromSchnorrShell takes a schnorr signature and parses out the last 32 bytes
// as a normal musig2 partial signature.
func (p *MusigPartialSig) FromSchnorrShell(sig *schnorr.Signature) {
var (
partialS btcec.ModNScalar
partialSBytes [32]byte
)
copy(partialSBytes[:], sig.Serialize()[32:])
partialS.SetBytes(&partialSBytes)
p.sig = &musig2.PartialSignature{
S: &partialS,
}
}
// Verify attempts to verify the partial musig2 signature using the passed
// message and signer public key.
//
// NOTE: This implements the input.Signature interface.
func (p *MusigPartialSig) Verify(msg []byte, pub *btcec.PublicKey) bool {
var m [32]byte
copy(m[:], msg)
return p.sig.Verify(
p.signerNonce, p.combinedNonce, p.signerKeys, pub, m,
musig2.WithSortedKeys(), musig2.WithBip86SignTweak(),
)
}
// MusigNoncePair holds the two nonces needed to sign/verify a new commitment
// state. The signer nonce is the nonce used by the signer (remote nonce), and
// the verification nonce, the nonce used by the verifier (local nonce).
type MusigNoncePair struct {
// SigningNonce is the nonce used by the signer to sign the commitment.
SigningNonce musig2.Nonces
// VerificationNonce is the nonce used by the verifier to verify the
// commitment.
VerificationNonce musig2.Nonces
}
// String returns a string representation of the MusigNoncePair.
func (n *MusigNoncePair) String() string {
return fmt.Sprintf("NoncePair(verification_nonce=%x, "+
"signing_nonce=%x)", n.VerificationNonce.PubNonce[:],
n.SigningNonce.PubNonce[:])
}
// MusigSession abstracts over the details of a logical musig session. A single
// session is used for each commitment transactions. The sessions use a JIT
// nonce style, wherein part of the session can be created using only the
// verifier nonce. Once a new state is signed, then the signer nonce is
// generated. Similarly, the verifier then uses the received signer nonce to
// complete the session and verify the incoming signature.
type MusigSession struct {
// session is the backing musig2 session. We'll use this to interact
// with the musig2 signer.
session *input.MuSig2SessionInfo
// combinedNonce is the combined nonce of all signers.
combinedNonce lnwire.Musig2Nonce
// nonces is the set of nonces that'll be used to generate/verify the
// next commitment.
nonces MusigNoncePair
// inputTxOut is the funding input.
inputTxOut *wire.TxOut
// signerKeys is the set of public keys of all signers.
signerKeys []*btcec.PublicKey
// remoteKey is the key desc of the remote key.
remoteKey keychain.KeyDescriptor
// localKey is the key desc of the local key.
localKey keychain.KeyDescriptor
// signer is the signer that'll be used to interact with the musig
// session.
signer input.MuSig2Signer
// commitType tracks if this is the session for the local or remote
// commitment.
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
commitType MusigCommitType
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
}
// NewPartialMusigSession creates a new musig2 session given only the
// verification nonce (local nonce), and the other information that has already
// been bound to the session.
func NewPartialMusigSession(verificationNonce musig2.Nonces,
localKey, remoteKey keychain.KeyDescriptor,
signer input.MuSig2Signer, inputTxOut *wire.TxOut,
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
commitType MusigCommitType) *MusigSession {
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
signerKeys := []*btcec.PublicKey{localKey.PubKey, remoteKey.PubKey}
nonces := MusigNoncePair{
VerificationNonce: verificationNonce,
}
return &MusigSession{
nonces: nonces,
remoteKey: remoteKey,
localKey: localKey,
inputTxOut: inputTxOut,
signerKeys: signerKeys,
signer: signer,
commitType: commitType,
}
}
// FinalizeSession finalizes the session given the signer nonce. This is
// called before signing or verifying a new commitment.
func (m *MusigSession) FinalizeSession(signingNonce musig2.Nonces) error {
var (
localNonce, remoteNonce musig2.Nonces
err error
)
// First, we'll stash the freshly generated signing nonce. Depending on
// who's commitment we're handling, this'll either be our generated
// nonce, or the one we just got from the remote party.
m.nonces.SigningNonce = signingNonce
switch m.commitType {
// If we're making a session for the remote commitment, then the nonce
// we use to sign is actually will be the signing nonce for the
// session, and their nonce the verification nonce.
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
case RemoteMusigCommit:
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
localNonce = m.nonces.SigningNonce
remoteNonce = m.nonces.VerificationNonce
// Otherwise, we're generating/receiving a signature for our local
// commitment (to broadcast), so now our verification nonce is the one
// we've already generated, and we want to bind their new signing
// nonce.
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
case LocalMusigCommit:
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
localNonce = m.nonces.VerificationNonce
remoteNonce = m.nonces.SigningNonce
}
tweakDesc := input.MuSig2Tweaks{
TaprootBIP0086Tweak: true,
}
m.session, err = m.signer.MuSig2CreateSession(
input.MuSig2Version100RC2, m.localKey.KeyLocator, m.signerKeys,
&tweakDesc, [][musig2.PubNonceSize]byte{remoteNonce.PubNonce},
input+lnwallet: modify musig2 interfaces use explicit optional local nonces In this commit, we modify the musig2 interfaces to instead use an explicit value for the local nonces. Before this commit, we used the functional option, but we want to also support specifying this value over RPC for the remote signer. The functional option pattern is opaque, so we can't get the nonce value we need. To get around this, we'll just make this an explicit pointer, then map this to the functional option at the very last moment.
2023-09-16 02:51:45 +02:00
&localNonce,
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
)
if err != nil {
return err
}
// We'll need the raw combined nonces later to be able to verify
// partial signatures, and also combine partial signatures, so we'll
// generate it now ourselves.
aggNonce, err := musig2.AggregateNonces([][musig2.PubNonceSize]byte{
m.nonces.SigningNonce.PubNonce,
m.nonces.VerificationNonce.PubNonce,
})
if err != nil {
return nil
}
m.combinedNonce = aggNonce
return nil
}
// taprootKeyspendSighash generates the sighash for a taproot key spend. As
// this is a musig2 channel output, the keyspend is the only path we can take.
func taprootKeyspendSighash(tx *wire.MsgTx, pkScript []byte,
value int64) ([]byte, error) {
prevOutputFetcher := txscript.NewCannedPrevOutputFetcher(
pkScript, value,
)
sigHashes := txscript.NewTxSigHashes(tx, prevOutputFetcher)
return txscript.CalcTaprootSignatureHash(
sigHashes, txscript.SigHashDefault, tx, 0, prevOutputFetcher,
)
}
// SignCommit signs the passed commitment w/ the current signing (relative
// remote) nonce. Given nonces should only ever be used once, once the method
// returns a new nonce is returned, w/ the existing nonce blanked out.
func (m *MusigSession) SignCommit(tx *wire.MsgTx) (*MusigPartialSig, error) {
switch {
// If we already have a session, then we don't need to finalize as this
// was done up front (symmetric nonce case, like for co-op close).
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
case m.session == nil && m.commitType == RemoteMusigCommit:
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
// Before we can sign a new commitment, we'll need to generate
// a fresh nonce that'll be sent along side our signature. With
// the nonce in hand, we can finalize the session.
txHash := tx.TxHash()
signingNonce, err := musig2.GenNonces(
musig2.WithPublicKey(m.localKey.PubKey),
musig2.WithNonceAuxInput(txHash[:]),
)
if err != nil {
return nil, err
}
if err := m.FinalizeSession(*signingNonce); err != nil {
return nil, err
}
// Otherwise, we're trying to make a new commitment transaction without
// an active session, so we'll error out.
case m.session == nil:
return nil, ErrSessionNotFinalized
}
// Next we can sign, we'll need to generate the sighash for their
// commitment transaction.
sigHash, err := taprootKeyspendSighash(
tx, m.inputTxOut.PkScript, m.inputTxOut.Value,
)
if err != nil {
return nil, err
}
// Now that we have our session created, we'll use it to generate the
// initial partial signature over our sighash.
var sigHashMsg [32]byte
copy(sigHashMsg[:], sigHash)
walletLog.Infof("Generating new musig2 sig for session=%x, nonces=%s",
m.session.SessionID[:], m.nonces.String())
sig, err := m.signer.MuSig2Sign(
m.session.SessionID, sigHashMsg, false,
)
if err != nil {
return nil, err
}
return NewMusigPartialSig(
sig, m.session.PublicNonce, m.combinedNonce, m.signerKeys,
), nil
}
// Refresh is called once we receive a new verification nonce from the remote
// party after sending a signature. This nonce will be coupled within the
// revoke-and-ack message of the remote party.
func (m *MusigSession) Refresh(verificationNonce *musig2.Nonces,
) (*MusigSession, error) {
return NewPartialMusigSession(
*verificationNonce, m.localKey, m.remoteKey, m.signer,
m.inputTxOut, m.commitType,
), nil
}
// VerificationNonce returns the current verification nonce for the session.
func (m *MusigSession) VerificationNonce() *musig2.Nonces {
return &m.nonces.VerificationNonce
}
// musigSessionOpts is a set of options that can be used to modify calls to the
// musig session.
type musigSessionOpts struct {
// customRand is an optional custom random source that can be used to
// generate nonces via a counter scheme.
customRand io.Reader
}
// defaultMusigSessionOpts returns the default set of options for the musig
// session.
func defaultMusigSessionOpts() *musigSessionOpts {
return &musigSessionOpts{}
}
// MusigSessionOpt is a functional option that can be used to modify calls to
// the musig session.
type MusigSessionOpt func(*musigSessionOpts)
// WithLocalCounterNonce is used to generate local nonces based on the shachain
// producer and the current height. This allows us to not have to write secret
// nonce state to disk. Instead, we can use this to derive the nonce we need to
// sign and broadcast our own commitment transaction.
func WithLocalCounterNonce(targetHeight uint64,
shaGen shachain.Producer) MusigSessionOpt {
return func(opt *musigSessionOpts) {
nextPreimage, _ := shaGen.AtIndex(targetHeight)
opt.customRand = bytes.NewBuffer(nextPreimage[:])
}
}
lnwallet: update genHtlcSigValidationJobs to be taproot aware In this commit, we update the genHtlcSigValidationJobs function to be taproot aware. As we actually need a schnorr signature for the taproot validation, we need to coerce the entire wire type into a schnorr sig with the ForceSchnorr() method.
2023-01-20 04:24:48 +01:00
// invalidPartialSigError is used to return additional debug information to a
// caller that encounters an invalid partial sig.
type invalidPartialSigError struct {
partialSig []byte
sigHash []byte
signingNonce [musig2.PubNonceSize]byte
verificationNonce [musig2.PubNonceSize]byte
}
// Error returns the error string for the partial sig error.
func (i invalidPartialSigError) Error() string {
return fmt.Sprintf("invalid partial sig: partial_sig=%x, "+
"sig_hash=%x, signing_nonce=%x, verification_nonce=%x",
i.partialSig, i.sigHash, i.signingNonce[:],
i.verificationNonce[:])
}
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
// VerifyCommitSig attempts to verify the passed partial signature against the
// passed commitment transaction. A keyspend sighash is assumed to generate the
// signed message. As we never re-use nonces, a new verification nonce (our
// relative local nonce) returned to transmit to the remote party, which allows
// them to generate another signature.
func (m *MusigSession) VerifyCommitSig(commitTx *wire.MsgTx,
sig *lnwire.PartialSigWithNonce,
musigOpts ...MusigSessionOpt) (*musig2.Nonces, error) {
opts := defaultMusigSessionOpts()
for _, optFunc := range musigOpts {
optFunc(opts)
}
lnwallet: add extra sanity check in VerifyCommitSig
2023-07-26 02:10:53 +02:00
if sig == nil {
return nil, fmt.Errorf("sig not provided")
}
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
// Before we can verify the signature, we'll need to finalize the
// session by binding the remote party's provided signing nonce.
if err := m.FinalizeSession(musig2.Nonces{
PubNonce: sig.Nonce,
}); err != nil {
return nil, err
}
// When we verify a commitment signature, we always assume that we're
// verifying a signature on our local commitment. Therefore, we'll use:
// their remote nonce, and also public key.
partialSig := NewMusigPartialSig(
&musig2.PartialSignature{S: &sig.Sig},
m.nonces.SigningNonce.PubNonce, m.combinedNonce, m.signerKeys,
)
// With the partial sig loaded with the proper context, we'll now
// generate the sighash that the remote party should have signed.
sigHash, err := taprootKeyspendSighash(
commitTx, m.inputTxOut.PkScript, m.inputTxOut.Value,
)
if err != nil {
return nil, err
}
walletLog.Infof("Verifying new musig2 sig for session=%x, nonce=%s",
m.session.SessionID[:], m.nonces.String())
lnwallet: return structured error from VerifyCommitSig
2023-07-03 03:11:25 +02:00
if partialSig == nil {
return nil, fmt.Errorf("partial sig not set")
}
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
if !partialSig.Verify(sigHash, m.remoteKey.PubKey) {
lnwallet: return structured error from VerifyCommitSig
2023-07-03 03:11:25 +02:00
return nil, &invalidPartialSigError{
partialSig: partialSig.Serialize(),
sigHash: sigHash,
verificationNonce: m.nonces.VerificationNonce.PubNonce,
signingNonce: m.nonces.SigningNonce.PubNonce,
}
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
}
nonceOpts := []musig2.NonceGenOption{
musig2.WithPublicKey(m.localKey.PubKey),
}
if opts.customRand != nil {
nonceOpts = append(
nonceOpts, musig2.WithCustomRand(opts.customRand),
)
}
// At this point, we know that their signature is valid, so we'll
// generate another verification nonce for them, so they can generate a
// new state transition.
nextVerificationNonce, err := musig2.GenNonces(nonceOpts...)
if err != nil {
return nil, fmt.Errorf("unable to gen new nonce: %w", err)
}
return nextVerificationNonce, nil
}
// CombineSigs combines the passed partial signatures into a valid schnorr
// signature.
func (m *MusigSession) CombineSigs(sigs ...*musig2.PartialSignature,
) (*schnorr.Signature, error) {
sig, _, err := m.signer.MuSig2CombineSig(
m.session.SessionID, sigs,
)
if err != nil {
return nil, err
}
return sig, nil
}
// MusigSessionCfg is used to create a new musig2 pair session. It contains the
// keys for both parties, as well as their initial verification nonces.
type MusigSessionCfg struct {
// LocalKey is a key desc for the local key.
LocalKey keychain.KeyDescriptor
// RemoteKey is a key desc for the remote key.
RemoteKey keychain.KeyDescriptor
// LocalNonce is the local party's initial verification nonce.
LocalNonce musig2.Nonces
// RemoteNonce is the remote party's initial verification nonce.
RemoteNonce musig2.Nonces
// Signer is the signer that will be used to generate the session.
Signer input.MuSig2Signer
// InputTxOut is the output that we're signing for. This will be the
// funding input.
InputTxOut *wire.TxOut
}
// MusigPairSession houses the two musig2 sessions needed to do funding and
// drive forward the state machine. The local session is used to verify
// incoming commitment states. The remote session is used to propose new
// commitment states to the remote party.
type MusigPairSession struct {
// LocalSession is the local party's musig2 session.
LocalSession *MusigSession
// RemoteSession is the remote party's musig2 session.
RemoteSession *MusigSession
// signer is the signer that will be used to drive the session.
signer input.MuSig2Signer
}
// NewMusigPairSession creates a new musig2 pair session.
func NewMusigPairSession(cfg *MusigSessionCfg) *MusigPairSession {
// Given the config passed in, we'll now create our two sessions: one
// for the local commit, and one for the remote commit.
//
// Both sessions will be created using only the verification nonce for
// the local+remote party.
localSession := NewPartialMusigSession(
cfg.LocalNonce, cfg.LocalKey, cfg.RemoteKey,
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
cfg.Signer, cfg.InputTxOut, LocalMusigCommit,
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
)
remoteSession := NewPartialMusigSession(
cfg.RemoteNonce, cfg.LocalKey, cfg.RemoteKey,
lnwallet: export MusigCommitType enum We need to export the enum as it'll now be used in areas such as the chan closer.
2023-06-24 02:34:18 +02:00
cfg.Signer, cfg.InputTxOut, RemoteMusigCommit,
lnwallet: add new structs to abstract over the asymmetric musig commitment state In this commit, we add a series of abstractions that'll allow us to easily do funding and also state updates for the new taproot channels. A partial session is defined by the knowledge of a verification nonce. Once the remote party sends a signature, we learn of their signing nonce, and can then complete a session. By using a JIT nonce approach, we ensure that the signer can generate their nonces randomly and also at the very last step to avoid having to maintain state. For our local nonces, we also have an option to use a counter based nonce derived from the shachain instead of fully random nonces. This allows us to not have to store ay additional state. Instead, when we need to go to broadcast, we can just regenerate the nonce then use that to broadcast.
2023-01-19 04:57:26 +01:00
)
return &MusigPairSession{
LocalSession: localSession,
RemoteSession: remoteSession,
signer: cfg.Signer,
}
}
Reference in New Issue Copy Permalink