In this commit, we update all the taproot scripts spends to optionally
make the control block. This is useful in cases where we've already
created the control block, or may not have the items needed to construct
it in the first place.
We also add the control block to the sign descriptor itself.
By using the multimutex here, we'll no longer rely on a single mutex for
the entire musig session set like we used to. Instead, we can use the
session ID to key into a map of mutexes and use those directly.
In this commit, we extract the musig2 session management into a new
module. This allows us to re-use the session logic elsewhere in unit
tests so we don't need to instantiate the entire wallet.
In this commit, we modify the to_local script to use a script path for
the revocation scenario. With this change, we ensure that the internal
key is always revealed which means the anchor outputs can still always
be swept.
In this commit, we restore usage of the NUMS key for the to remote
output, as this allows a remote party to scan the chain in order to find
their remote output that in emergency recovery scenarios.
Unlike the old HTLC scripts, we now need to handle the various control
block interactions. As is, we opt to simply re-compute the entire tree
when needed, as the tree only has two leaves.
In this commit, we add GenTaprootFundingScript, which'll return the
taproot pkScript and output for a taproot+musig2 channel. This uses
musig2 key aggregation with sorting activated.
The final key produced uses a bip86 tweak, meaning that the output key
provably doesn't commit to any script path. In the future, we may want
to permit this, as then it allows for a greater degree of
programmability of the funding output.
The default allocation of 500 bytes for the script that is
used in NewScriptBuilder is way too much for most of our scripts.
With the new functional option we can tune the allocation to exactly
what we need.
With this commit we bump the github.com/btcd/btcec/v2 library to v2.3.2
which implements the MuSig2 BIP version v1.0.0rc2. With this the
github.com/btcsuite/btcd/btcec/v2/schnorr/musig2 package becomes
v1.0.0rc2 and the github.com/lightningnetwork/lnd/internal/musig2v040
stays at the old v0.4.0 version.
We put the calls that don't use musig2 package specific types as
parameters or return values behind an interface so we can easily call
those directly in the RPC without needing to know the underlying
implementation version. Some calls can't be used in the interface
because they use the specific package version's types. These calls are
implemented in helper functions in the input package instead that do the
necessary type switches.
To allow us to properly test all test vectors, we can't default to true
on key sorting. Instead we add a parameter to the input package and move
the default value to the RPC server.
As a preparation for making it possible to version switch calls to the
MuSig2 API, we move some of the calls to the input package where in a
future commit we'll call the corresponding code in the correct package.
Because the original dcrec secp256k1 library that is used for the
Schnorr signature primitives uses different hash algorithms than the
btcd secp256k1 library. Therefore pulling in the wrong library can lead
to weird and unexpected errors. We try to make it harder to make the
mistake by not using the library directly in lnd in the first place.
Note that it is still indirectly needed by the btcd secp256k1 library,
therefore the module dependency is still expected to be there, just
moved to the indirect section.
In this commit, we add a new field `TapTweak` to be used for key path
spends. Before this commit, we'd overload the existing `WitnessScript`
field to pass this information to the signing context. This was
confusing as for tapscript spends, this was the leaf script, which
mirrors the other script based spending types.
With this new filed, users need to set this to the script root for
keypath spends where the output key commits to a real merkle root, and
nothing when bip 86 spending is being used.
To make the signing even more explicit, we also add a new field called
sign_method with an enum type that differentiates between the different
segwit v0 and v1 signing methods.
Fixes https://github.com/lightningnetwork/lnd/issues/6446.
The inclusion proof field in the TapscriptPartialReveal function was
incorrect. An inclusion proof can be zero or more elements of 32-byte
slices. So an empty inclusion proof can be valid too for a tree that
only consists of a single leaf.
