9915780197

Committed 13 Jul 2024 12:30AM UTC coverage: 49.268% (-9.1%) from 58.413%

Build # 9915780197

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #8653 from ProofOfKeags/fn-prim

DynComms [0/n]: `fn` package additions

Run Details

92837 of 188433 relevant lines covered (49.27%)

1.55 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.29

/lnwallet/musig_session.go

package lnwallet

import (
        "bytes"
        "fmt"
        "io"

        "github.com/btcsuite/btcd/btcec/v2"
        "github.com/btcsuite/btcd/btcec/v2/schnorr"
        "github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
        "github.com/btcsuite/btcd/txscript"
        "github.com/btcsuite/btcd/wire"
        "github.com/lightningnetwork/lnd/input"
        "github.com/lightningnetwork/lnd/keychain"
        "github.com/lightningnetwork/lnd/lnwire"
        "github.com/lightningnetwork/lnd/shachain"
)

// MusigCommitType is an enum that denotes if this is the local or remote
// commitment.
type MusigCommitType uint8

const (
        // LocalMusigCommit denotes that this a session for the local
        // commitment.
        LocalMusigCommit MusigCommitType = iota

        // RemoteMusigCommit denotes that this is a session for the remote
        // commitment.
        RemoteMusigCommit
)

var (
        // ErrSessionNotFinalized is returned when the SignCommit method is
        // called for a local commitment, without the session being finalized
        // (missing nonce).
        ErrSessionNotFinalized = fmt.Errorf("musig2 session not finalized")
)

// MusigPartialSig is a wrapper around the base musig2.PartialSignature type
// that also includes information about the set of nonces used, and also the
// signer. This allows us to implement the input.Signature interface, as that
// requires the ability to perform abstract verification based on a public key.
type MusigPartialSig struct {
        // sig is the actual musig2 partial signature.
        sig *musig2.PartialSignature

        // signerNonce is the nonce used by the signer to generate the partial
        // signature.
        signerNonce lnwire.Musig2Nonce

        // combinedNonce is the combined nonce of all signers.
        combinedNonce lnwire.Musig2Nonce

        // signerKeys is the set of public keys of all signers.
        signerKeys []*btcec.PublicKey
}

// NewMusigPartialSig creates a new musig partial signature.
func NewMusigPartialSig(sig *musig2.PartialSignature,
        signerNonce, combinedNonce lnwire.Musig2Nonce,
        signerKeys []*btcec.PublicKey) *MusigPartialSig {

        return &MusigPartialSig{
                sig:           sig,
                signerNonce:   signerNonce,
                combinedNonce: combinedNonce,
                signerKeys:    signerKeys,
        }
}

// FromWireSig maps a wire partial sig to this internal type that we'll use to
// perform signature validation.
func (p *MusigPartialSig) FromWireSig(sig *lnwire.PartialSigWithNonce,
) *MusigPartialSig {

        p.sig = &musig2.PartialSignature{
                S: &sig.Sig,
        }
        p.signerNonce = sig.Nonce

        return p
}

// ToWireSig maps the partial signature to something that we can use to write
// out for the wire protocol.
func (p *MusigPartialSig) ToWireSig() *lnwire.PartialSigWithNonce {
        return &lnwire.PartialSigWithNonce{
                PartialSig: lnwire.NewPartialSig(*p.sig.S),
                Nonce:      p.signerNonce,
        }
}

// Serialize serializes the musig2 partial signature. The serializing includes
// the signer's public nonce _and_ the partial signature. The final signature
// is always 98 bytes in length.
func (p *MusigPartialSig) Serialize() []byte {
        var b bytes.Buffer

        _ = p.ToWireSig().Encode(&b)

        return b.Bytes()
}

// ToSchnorrShell converts the musig partial signature to a regular schnorr.
// This schnorr signature uses a zero value for the 'r' field, so we're just
// only using the last 32-bytes of the signature. This is useful when we need
// to convert an HTLC schnorr signature into something we can send using the
// existing messages.
func (p *MusigPartialSig) ToSchnorrShell() *schnorr.Signature {
        var zeroVal btcec.FieldVal
        return schnorr.NewSignature(&zeroVal, p.sig.S)
}

// FromSchnorrShell takes a schnorr signature and parses out the last 32 bytes
// as a normal musig2 partial signature.
func (p *MusigPartialSig) FromSchnorrShell(sig *schnorr.Signature) {
        var (
                partialS      btcec.ModNScalar
                partialSBytes [32]byte
        )
        copy(partialSBytes[:], sig.Serialize()[32:])
        partialS.SetBytes(&partialSBytes)

        p.sig = &musig2.PartialSignature{
                S: &partialS,
        }
}

// Verify attempts to verify the partial musig2 signature using the passed
// message and signer public key.
//
// NOTE: This implements the input.Signature interface.
func (p *MusigPartialSig) Verify(msg []byte, pub *btcec.PublicKey) bool {
        var m [32]byte
        copy(m[:], msg)

        return p.sig.Verify(
                p.signerNonce, p.combinedNonce, p.signerKeys, pub, m,
                musig2.WithSortedKeys(), musig2.WithBip86SignTweak(),
        )
}

// MusigNoncePair holds the two nonces needed to sign/verify a new commitment
// state. The signer nonce is the nonce used by the signer (remote nonce), and
// the verification nonce, the nonce used by the verifier (local nonce).
type MusigNoncePair struct {
        // SigningNonce is the nonce used by the signer to sign the commitment.
        SigningNonce musig2.Nonces

        // VerificationNonce is the nonce used by the verifier to verify the
        // commitment.
        VerificationNonce musig2.Nonces
}

// String returns a string representation of the MusigNoncePair.
func (n *MusigNoncePair) String() string {
        return fmt.Sprintf("NoncePair(verification_nonce=%x, "+
                "signing_nonce=%x)", n.VerificationNonce.PubNonce[:],
                n.SigningNonce.PubNonce[:])
}

// MusigSession abstracts over the details of a logical musig session. A single
// session is used for each commitment transactions. The sessions use a JIT
// nonce style, wherein part of the session can be created using only the
// verifier nonce. Once a new state is signed, then the signer nonce is
// generated. Similarly, the verifier then uses the received signer nonce to
// complete the session and verify the incoming signature.
type MusigSession struct {
        // session is the backing musig2 session. We'll use this to interact
        // with the musig2 signer.
        session *input.MuSig2SessionInfo

        // combinedNonce is the combined nonce of all signers.
        combinedNonce lnwire.Musig2Nonce

        // nonces is the set of nonces that'll be used to generate/verify the
        // next commitment.
        nonces MusigNoncePair

        // inputTxOut is the funding input.
        inputTxOut *wire.TxOut

        // signerKeys is the set of public keys of all signers.
        signerKeys []*btcec.PublicKey

        // remoteKey is the key desc of the remote key.
        remoteKey keychain.KeyDescriptor

        // localKey is the key desc of the local key.
        localKey keychain.KeyDescriptor

        // signer is the signer that'll be used to interact with the musig
        // session.
        signer input.MuSig2Signer

        // commitType tracks if this is the session for the local or remote
        // commitment.
        commitType MusigCommitType
}

// NewPartialMusigSession creates a new musig2 session given only the
// verification nonce (local nonce), and the other information that has already
// been bound to the session.
func NewPartialMusigSession(verificationNonce musig2.Nonces,
        localKey, remoteKey keychain.KeyDescriptor,
        signer input.MuSig2Signer, inputTxOut *wire.TxOut,
        commitType MusigCommitType) *MusigSession {

        signerKeys := []*btcec.PublicKey{localKey.PubKey, remoteKey.PubKey}

        nonces := MusigNoncePair{
                VerificationNonce: verificationNonce,
        }

        return &MusigSession{
                nonces:     nonces,
                remoteKey:  remoteKey,
                localKey:   localKey,
                inputTxOut: inputTxOut,
                signerKeys: signerKeys,
                signer:     signer,
                commitType: commitType,
        }
}

// FinalizeSession finalizes the session given the signer nonce.  This is
// called before signing or verifying a new commitment.
func (m *MusigSession) FinalizeSession(signingNonce musig2.Nonces) error {
        var (
                localNonce, remoteNonce musig2.Nonces
                err                     error
        )

        // First, we'll stash the freshly generated signing nonce. Depending on
        // who's commitment we're handling, this'll either be our generated
        // nonce, or the one we just got from the remote party.
        m.nonces.SigningNonce = signingNonce

        switch m.commitType {
        // If we're making a session for the remote commitment, then the nonce
        // we use to sign is actually will be the signing nonce for the
        // session, and their nonce the verification nonce.
        case RemoteMusigCommit:
                localNonce = m.nonces.SigningNonce
                remoteNonce = m.nonces.VerificationNonce

        // Otherwise, we're generating/receiving a signature for our local
        // commitment (to broadcast), so now our verification nonce is the one
        // we've already generated, and we want to bind their new signing
        // nonce.
        case LocalMusigCommit:
                localNonce = m.nonces.VerificationNonce
                remoteNonce = m.nonces.SigningNonce
        }

        tweakDesc := input.MuSig2Tweaks{
                TaprootBIP0086Tweak: true,
        }
        m.session, err = m.signer.MuSig2CreateSession(
                input.MuSig2Version100RC2, m.localKey.KeyLocator, m.signerKeys,
                &tweakDesc, [][musig2.PubNonceSize]byte{remoteNonce.PubNonce},
                &localNonce,
        )
        if err != nil {
                return err
        }

        // We'll need the raw combined nonces later to be able to verify
        // partial signatures, and also combine partial signatures, so we'll
        // generate it now ourselves.
        aggNonce, err := musig2.AggregateNonces([][musig2.PubNonceSize]byte{
                m.nonces.SigningNonce.PubNonce,
                m.nonces.VerificationNonce.PubNonce,
        })
        if err != nil {
                return nil
        }

        m.combinedNonce = aggNonce

        return nil
}

// taprootKeyspendSighash generates the sighash for a taproot key spend. As
// this is a musig2 channel output, the keyspend is the only path we can take.
func taprootKeyspendSighash(tx *wire.MsgTx, pkScript []byte,
        value int64) ([]byte, error) {

        prevOutputFetcher := txscript.NewCannedPrevOutputFetcher(
                pkScript, value,
        )

        sigHashes := txscript.NewTxSigHashes(tx, prevOutputFetcher)

        return txscript.CalcTaprootSignatureHash(
                sigHashes, txscript.SigHashDefault, tx, 0, prevOutputFetcher,
        )
}

// SignCommit signs the passed commitment w/ the current signing (relative
// remote) nonce. Given nonces should only ever be used once, once the method
// returns a new nonce is returned, w/ the existing nonce blanked out.
func (m *MusigSession) SignCommit(tx *wire.MsgTx) (*MusigPartialSig, error) {
        switch {
        // If we already have a session, then we don't need to finalize as this
        // was done up front (symmetric nonce case, like for co-op close).
        case m.session == nil && m.commitType == RemoteMusigCommit:
                // Before we can sign a new commitment, we'll need to generate
                // a fresh nonce that'll be sent along side our signature. With
                // the nonce in hand, we can finalize the session.
                txHash := tx.TxHash()
                signingNonce, err := musig2.GenNonces(
                        musig2.WithPublicKey(m.localKey.PubKey),
                        musig2.WithNonceAuxInput(txHash[:]),
                )
                if err != nil {
                        return nil, err
                }
                if err := m.FinalizeSession(*signingNonce); err != nil {
                        return nil, err
                }

        // Otherwise, we're trying to make a new commitment transaction without
        // an active session, so we'll error out.
        case m.session == nil:
                return nil, ErrSessionNotFinalized
        }

        // Next we can sign, we'll need to generate the sighash for their
        // commitment transaction.
        sigHash, err := taprootKeyspendSighash(
                tx, m.inputTxOut.PkScript, m.inputTxOut.Value,
        )
        if err != nil {
                return nil, err
        }

        // Now that we have our session created, we'll use it to generate the
        // initial partial signature over our sighash.
        var sigHashMsg [32]byte
        copy(sigHashMsg[:], sigHash)

        walletLog.Infof("Generating new musig2 sig for session=%x, nonces=%s",
                m.session.SessionID[:], m.nonces.String())

        sig, err := m.signer.MuSig2Sign(
                m.session.SessionID, sigHashMsg, false,
        )
        if err != nil {
                return nil, err
        }

        return NewMusigPartialSig(
                sig, m.session.PublicNonce, m.combinedNonce, m.signerKeys,
        ), nil
}

// Refresh is called once we receive a new verification nonce from the remote
// party after sending a signature. This nonce will be coupled within the
// revoke-and-ack message of the remote party.
func (m *MusigSession) Refresh(verificationNonce *musig2.Nonces,
) (*MusigSession, error) {

        return NewPartialMusigSession(
                *verificationNonce, m.localKey, m.remoteKey, m.signer,
                m.inputTxOut, m.commitType,
        ), nil
}

// VerificationNonce returns the current verification nonce for the session.
func (m *MusigSession) VerificationNonce() *musig2.Nonces {
        return &m.nonces.VerificationNonce
}

// musigSessionOpts is a set of options that can be used to modify calls to the
// musig session.
type musigSessionOpts struct {
        // customRand is an optional custom random source that can be used to
        // generate nonces via a counter scheme.
        customRand io.Reader
}

// defaultMusigSessionOpts returns the default set of options for the musig
// session.
func defaultMusigSessionOpts() *musigSessionOpts {
        return &musigSessionOpts{}
}

// MusigSessionOpt is a functional option that can be used to modify calls to
// the musig session.
type MusigSessionOpt func(*musigSessionOpts)

// WithLocalCounterNonce is used to generate local nonces based on the shachain
// producer and the current height. This allows us to not have to write secret
// nonce state to disk. Instead, we can use this to derive the nonce we need to
// sign and broadcast our own commitment transaction.
func WithLocalCounterNonce(targetHeight uint64,
        shaGen shachain.Producer) MusigSessionOpt {

        return func(opt *musigSessionOpts) {
                nextPreimage, _ := shaGen.AtIndex(targetHeight)

                opt.customRand = bytes.NewBuffer(nextPreimage[:])
        }
}

// invalidPartialSigError is used to return additional debug information to a
// caller that encounters an invalid partial sig.
type invalidPartialSigError struct {
        partialSig        []byte
        sigHash           []byte
        signingNonce      [musig2.PubNonceSize]byte
        verificationNonce [musig2.PubNonceSize]byte
}

// Error returns the error string for the partial sig error.
func (i invalidPartialSigError) Error() string {
        return fmt.Sprintf("invalid partial sig: partial_sig=%x, "+
                "sig_hash=%x, signing_nonce=%x, verification_nonce=%x",
                i.partialSig, i.sigHash, i.signingNonce[:],
                i.verificationNonce[:])
}

// VerifyCommitSig attempts to verify the passed partial signature against the
// passed commitment transaction. A keyspend sighash is assumed to generate the
// signed message. As we never re-use nonces, a new verification nonce (our
// relative local nonce) returned to transmit to the remote party, which allows
// them to generate another signature.
func (m *MusigSession) VerifyCommitSig(commitTx *wire.MsgTx,
        sig *lnwire.PartialSigWithNonce,
        musigOpts ...MusigSessionOpt) (*musig2.Nonces, error) {

        opts := defaultMusigSessionOpts()
        for _, optFunc := range musigOpts {
                optFunc(opts)
        }

        if sig == nil {
                return nil, fmt.Errorf("sig not provided")
        }

        // Before we can verify the signature, we'll need to finalize the
        // session by binding the remote party's provided signing nonce.
        if err := m.FinalizeSession(musig2.Nonces{
                PubNonce: sig.Nonce,
        }); err != nil {
                return nil, err
        }

        // When we verify a commitment signature, we always assume that we're
        // verifying a signature on our local commitment. Therefore, we'll use:
        // their remote nonce, and also public key.
        partialSig := NewMusigPartialSig(
                &musig2.PartialSignature{S: &sig.Sig},
                m.nonces.SigningNonce.PubNonce, m.combinedNonce, m.signerKeys,
        )

        // With the partial sig loaded with the proper context, we'll now
        // generate the sighash that the remote party should have signed.
        sigHash, err := taprootKeyspendSighash(
                commitTx, m.inputTxOut.PkScript, m.inputTxOut.Value,
        )
        if err != nil {
                return nil, err
        }

        walletLog.Infof("Verifying new musig2 sig for session=%x, nonce=%s",
                m.session.SessionID[:], m.nonces.String())

        if partialSig == nil {
                return nil, fmt.Errorf("partial sig not set")
        }

        if !partialSig.Verify(sigHash, m.remoteKey.PubKey) {
                return nil, &invalidPartialSigError{
                        partialSig:        partialSig.Serialize(),
                        sigHash:           sigHash,
                        verificationNonce: m.nonces.VerificationNonce.PubNonce,
                        signingNonce:      m.nonces.SigningNonce.PubNonce,
                }
        }

        nonceOpts := []musig2.NonceGenOption{
                musig2.WithPublicKey(m.localKey.PubKey),
        }
        if opts.customRand != nil {
                nonceOpts = append(
                        nonceOpts, musig2.WithCustomRand(opts.customRand),
                )
        }

        // At this point, we know that their signature is valid, so we'll
        // generate another verification nonce for them, so they can generate a
        // new state transition.
        nextVerificationNonce, err := musig2.GenNonces(nonceOpts...)
        if err != nil {
                return nil, fmt.Errorf("unable to gen new nonce: %w", err)
        }

        return nextVerificationNonce, nil
}

// CombineSigs combines the passed partial signatures into a valid schnorr
// signature.
func (m *MusigSession) CombineSigs(sigs ...*musig2.PartialSignature,
) (*schnorr.Signature, error) {

        sig, _, err := m.signer.MuSig2CombineSig(
                m.session.SessionID, sigs,
        )
        if err != nil {
                return nil, err
        }

        return sig, nil
}

// MusigSessionCfg is used to create a new musig2 pair session. It contains the
// keys for both parties, as well as their initial verification nonces.
type MusigSessionCfg struct {
        // LocalKey is a key desc for the local key.
        LocalKey keychain.KeyDescriptor

        // RemoteKey is a key desc for the remote key.
        RemoteKey keychain.KeyDescriptor

        // LocalNonce is the local party's initial verification nonce.
        LocalNonce musig2.Nonces

        // RemoteNonce is the remote party's initial verification nonce.
        RemoteNonce musig2.Nonces

        // Signer is the signer that will be used to generate the session.
        Signer input.MuSig2Signer

        // InputTxOut is the output that we're signing for. This will be the
        // funding input.
        InputTxOut *wire.TxOut
}

// MusigPairSession houses the two musig2 sessions needed to do funding and
// drive forward the state machine.  The local session is used to verify
// incoming commitment states. The remote session is used to propose new
// commitment states to the remote party.
type MusigPairSession struct {
        // LocalSession is the local party's musig2 session.
        LocalSession *MusigSession

        // RemoteSession is the remote party's musig2 session.
        RemoteSession *MusigSession

        // signer is the signer that will be used to drive the session.
        signer input.MuSig2Signer
}

// NewMusigPairSession creates a new musig2 pair session.
func NewMusigPairSession(cfg *MusigSessionCfg) *MusigPairSession {
        // Given the config passed in, we'll now create our two sessions: one
        // for the local commit, and one for the remote commit.
        //
        // Both sessions will be created using only the verification nonce for
        // the local+remote party.
        localSession := NewPartialMusigSession(
                cfg.LocalNonce, cfg.LocalKey, cfg.RemoteKey,
                cfg.Signer, cfg.InputTxOut, LocalMusigCommit,
        )
        remoteSession := NewPartialMusigSession(
                cfg.RemoteNonce, cfg.LocalKey, cfg.RemoteKey,
                cfg.Signer, cfg.InputTxOut, RemoteMusigCommit,
        )

        return &MusigPairSession{
                LocalSession:  localSession,
                RemoteSession: remoteSession,
                signer:        cfg.Signer,
        }
}

lightningnetwork / lnd / 9915780197

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous