|
@ -7,17 +7,17 @@ |
|
|
|
|
|
|
|
|
/* BOLT #3:
|
|
|
/* BOLT #3:
|
|
|
* |
|
|
* |
|
|
* ### `localkey`, `remotekey`, `local-delayedkey` and `remote-delayedkey` Derivation |
|
|
* ### `localkey`, `remotekey`, `local_delayedkey` and `remote_delayedkey` Derivation |
|
|
* |
|
|
* |
|
|
* These keys are simply generated by addition from their base points: |
|
|
* These keys are simply generated by addition from their base points: |
|
|
* |
|
|
* |
|
|
* pubkey = basepoint + SHA256(per-commitment-point || basepoint)*G |
|
|
* pubkey = basepoint + SHA256(per_commitment_point || basepoint)*G |
|
|
* |
|
|
* |
|
|
* The `localkey` uses the local node's `payment-basepoint`, `remotekey` |
|
|
* The `localkey` uses the local node's `payment_basepoint`, `remotekey` |
|
|
* uses the remote node's `payment-basepoint`, the `local-delayedkey` |
|
|
* uses the remote node's `payment_basepoint`, the `local_delayedkey` |
|
|
* uses the local node's `delayed-payment-basepoint`, and the |
|
|
* uses the local node's `delayed_payment_basepoint`, and the |
|
|
* `remote-delayedkey` uses the remote node's |
|
|
* `remote_delayedkey` uses the remote node's |
|
|
* `delayed-payment-basepoint`. |
|
|
* `delayed_payment_basepoint`. |
|
|
*/ |
|
|
*/ |
|
|
bool derive_simple_key(const struct pubkey *basepoint, |
|
|
bool derive_simple_key(const struct pubkey *basepoint, |
|
|
const struct pubkey *per_commitment_point, |
|
|
const struct pubkey *per_commitment_point, |
|
@ -30,7 +30,7 @@ bool derive_simple_key(const struct pubkey *basepoint, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(per-commitment-point || basepoint)\n"); |
|
|
printf("# SHA256(per_commitment_point || basepoint)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -54,9 +54,9 @@ bool derive_simple_key(const struct pubkey *basepoint, |
|
|
/* BOLT #3:
|
|
|
/* BOLT #3:
|
|
|
* |
|
|
* |
|
|
* The corresponding private keys can be derived similarly if the basepoint |
|
|
* The corresponding private keys can be derived similarly if the basepoint |
|
|
* secrets are known (i.e., `localkey` and `local-delayedkey` only): |
|
|
* secrets are known (i.e., `localkey` and `local_delayedkey` only): |
|
|
* |
|
|
* |
|
|
* secretkey = basepoint-secret + SHA256(per-commitment-point || basepoint) |
|
|
* secretkey = basepoint_secret + SHA256(per_commitment_point || basepoint) |
|
|
*/ |
|
|
*/ |
|
|
bool derive_simple_privkey(const struct secret *base_secret, |
|
|
bool derive_simple_privkey(const struct secret *base_secret, |
|
|
const struct pubkey *basepoint, |
|
|
const struct pubkey *basepoint, |
|
@ -70,7 +70,7 @@ bool derive_simple_privkey(const struct secret *base_secret, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(per-commitment-point || basepoint)\n"); |
|
|
printf("# SHA256(per_commitment_point || basepoint)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -92,19 +92,22 @@ bool derive_simple_privkey(const struct secret *base_secret, |
|
|
|
|
|
|
|
|
/* BOLT #3:
|
|
|
/* BOLT #3:
|
|
|
* |
|
|
* |
|
|
* The revocationkey is a blinded key: the remote node provides the base, |
|
|
* The `revocationkey` is a blinded key: when a node wishes to create a new |
|
|
* and the local node provides the blinding factor which it later |
|
|
* commitment for a remote node, it uses its own `revocation_basepoint` and |
|
|
* reveals, so the remote node can use the secret revocationkey for a |
|
|
* the remote node's `per_commitment_point` to derive a new `revocationkey` |
|
|
* penalty transaction. |
|
|
* for the commitment. Once the remote node reveals (thereby revoking that |
|
|
|
|
|
* commitment) the `per_commitment_secret` used, the node can now derive the |
|
|
|
|
|
* `revocationsecretkey` as they now know the two secrets necessary to derive |
|
|
|
|
|
* the key (`revocation_basepoint_secret` and `per_commitment_secret`). |
|
|
* |
|
|
* |
|
|
* The `per-commitment-point` is generated using EC multiplication: |
|
|
* The `per_commitment_point` is generated using EC multiplication: |
|
|
* |
|
|
* |
|
|
* per-commitment-point = per-commitment-secret * G |
|
|
* per_commitment_point = per_commitment_secret * G |
|
|
* |
|
|
* |
|
|
* And this is used to derive the revocation key from the remote node's |
|
|
* And this is used to derive the revocation key from the remote node's |
|
|
* `revocation-basepoint`: |
|
|
* `revocation_basepoint`: |
|
|
* |
|
|
* |
|
|
* revocationkey = revocation-basepoint * SHA256(revocation-basepoint || per-commitment-point) + per-commitment-point*SHA256(per-commitment-point || revocation-basepoint) |
|
|
* revocationkey = revocation_basepoint * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_point*SHA256(per_commitment_point || revocation_basepoint) |
|
|
*/ |
|
|
*/ |
|
|
bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
const struct pubkey *per_commitment_point, |
|
|
const struct pubkey *per_commitment_point, |
|
@ -119,7 +122,7 @@ bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, per_commitment_point); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, per_commitment_point); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(revocation-basepoint || per-commitment-point)\n"); |
|
|
printf("# SHA256(revocation_basepoint || per_commitment_point)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -130,7 +133,7 @@ bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &add[0], sha.u.u8) != 1) |
|
|
if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &add[0], sha.u.u8) != 1) |
|
|
return false; |
|
|
return false; |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# x revocation-basepoint = 0x%s\n", |
|
|
printf("# x revocation_basepoint = 0x%s\n", |
|
|
type_to_string(tmpctx, secp256k1_pubkey, &add[0])); |
|
|
type_to_string(tmpctx, secp256k1_pubkey, &add[0])); |
|
|
#endif |
|
|
#endif |
|
|
|
|
|
|
|
@ -138,7 +141,7 @@ bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(per-commitment-point || revocation-basepoint)\n"); |
|
|
printf("# SHA256(per_commitment_point || revocation_basepoint)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -149,7 +152,7 @@ bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &add[1], sha.u.u8) != 1) |
|
|
if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &add[1], sha.u.u8) != 1) |
|
|
return false; |
|
|
return false; |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# x per-commitment-point = 0x%s\n", |
|
|
printf("# x per_commitment_point = 0x%s\n", |
|
|
type_to_string(tmpctx, secp256k1_pubkey, &add[1])); |
|
|
type_to_string(tmpctx, secp256k1_pubkey, &add[1])); |
|
|
#endif |
|
|
#endif |
|
|
|
|
|
|
|
@ -170,10 +173,10 @@ bool derive_revocation_key(const struct pubkey *basepoint, |
|
|
|
|
|
|
|
|
/* BOLT #3:
|
|
|
/* BOLT #3:
|
|
|
* |
|
|
* |
|
|
* The corresponding private key can be derived once the `per-commitment-secret` |
|
|
* The corresponding private key can be derived once the `per_commitment_secret` |
|
|
* is known: |
|
|
* is known: |
|
|
* |
|
|
* |
|
|
* revocationsecretkey = revocation-basepoint-secret * SHA256(revocation-basepoint || per-commitment-point) + per-commitment-secret*SHA256(per-commitment-point || revocation-basepoint) |
|
|
* revocationsecretkey = revocation_basepoint_secret * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_secret*SHA256(per_commitment_point || revocation_basepoint) |
|
|
*/ |
|
|
*/ |
|
|
bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
const struct secret *per_commitment_secret, |
|
|
const struct secret *per_commitment_secret, |
|
@ -189,7 +192,7 @@ bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, per_commitment_point); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, per_commitment_point); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(revocation-basepoint || per-commitment-point)\n"); |
|
|
printf("# SHA256(revocation_basepoint || per_commitment_point)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -202,7 +205,7 @@ bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
!= 1) |
|
|
!= 1) |
|
|
return false; |
|
|
return false; |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# * revocation-basepoint-secret (0x%s)", |
|
|
printf("# * revocation_basepoint_secret (0x%s)", |
|
|
tal_hexstr(tmpctx, base_secret, sizeof(*base_secret))), |
|
|
tal_hexstr(tmpctx, base_secret, sizeof(*base_secret))), |
|
|
printf("# = 0x%s\n", tal_hexstr(tmpctx, key, sizeof(*key))), |
|
|
printf("# = 0x%s\n", tal_hexstr(tmpctx, key, sizeof(*key))), |
|
|
#endif |
|
|
#endif |
|
@ -211,7 +214,7 @@ bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
pubkey_to_der(der_keys + PUBKEY_DER_LEN, basepoint); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
sha256(&sha, der_keys, sizeof(der_keys)); |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# SHA256(per-commitment-point || revocation-basepoint)\n"); |
|
|
printf("# SHA256(per_commitment_point || revocation_basepoint)\n"); |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
printf("# => SHA256(0x%s || 0x%s)\n", |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys, PUBKEY_DER_LEN), |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
|
tal_hexstr(tmpctx, der_keys + PUBKEY_DER_LEN, PUBKEY_DER_LEN)); |
|
@ -223,7 +226,7 @@ bool derive_revocation_privkey(const struct secret *base_secret, |
|
|
sha.u.u8) != 1) |
|
|
sha.u.u8) != 1) |
|
|
return false; |
|
|
return false; |
|
|
#ifdef SUPERVERBOSE |
|
|
#ifdef SUPERVERBOSE |
|
|
printf("# * per-commitment-secret (0x%s)", |
|
|
printf("# * per_commitment_secret (0x%s)", |
|
|
tal_hexstr(tmpctx, per_commitment_secret, |
|
|
tal_hexstr(tmpctx, per_commitment_secret, |
|
|
sizeof(*per_commitment_secret))), |
|
|
sizeof(*per_commitment_secret))), |
|
|
printf("# = 0x%s\n", tal_hexstr(tmpctx, &part2, sizeof(part2))); |
|
|
printf("# = 0x%s\n", tal_hexstr(tmpctx, &part2, sizeof(part2))); |
|
|
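Review bot: In derive_revocation_privkey, the SUPERVERBOSE block of the `-202,7` hunk ends both printf calls with `,` instead of `;`, so with the macro defined the expression runs past `#endif` into whatever statement follows outside the hunk; the commit edits the first of these lines but keeps the commas. Terminate them with `;`, e.g. `printf("# = 0x%s\n", tal_hexstr(tmpctx, key, sizeof(*key)));`, and do the same for the `sizeof(*per_commitment_secret))),` line in the `-223,7` hunk. These blocks also hex-print `base_secret`, `per_commitment_secret` and the derived key to stdout. A comment above each `#ifdef`, such as `/* SUPERVERBOSE prints secret key material: test-vector generation only */`, would make it clear the macro must stay undefined in production builds. The function bodies start and end outside the hunks shown, so how SUPERVERBOSE gets defined is not visible here.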