From 8a4246cb368d6ed60b34c45bacd62d43515ebb88 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Mon, 20 Jul 2015 09:56:15 +0930 Subject: [PATCH] permute: use BIP69 order. It's a canonical ordering, rather than a random shuffle. Far simpler. Signed-off-by: Rusty Russell --- anchor.c | 6 +-- close_tx.c | 2 +- commit_tx.c | 2 +- lightning.pb-c.c | 35 +++++---------- lightning.pb-c.h | 6 +-- lightning.proto | 2 - permute_tx.c | 95 ++++++++--------------------------------- permute_tx.h | 16 ++----- pkt.c | 2 - pkt.h | 2 - test-cli/open-channel.c | 8 +--- 11 files changed, 37 insertions(+), 139 deletions(-) diff --git a/anchor.c b/anchor.c index a1d1ecd51..69f5059f9 100644 --- a/anchor.c +++ b/anchor.c @@ -127,10 +127,8 @@ struct bitcoin_tx *anchor_tx_create(const tal_t *ctx, else outmap = NULL; - permute_inputs(o1->seed, o2->seed, 0, tx->input, tx->input_count, - inmap); - permute_outputs(o1->seed, o2->seed, 0, tx->output, tx->output_count, - outmap); + permute_inputs(tx->input, tx->input_count, inmap); + permute_outputs(tx->output, tx->output_count, outmap); return tx; } diff --git a/close_tx.c b/close_tx.c index c4bd1f4bd..7ee22b8bb 100644 --- a/close_tx.c +++ b/close_tx.c @@ -55,6 +55,6 @@ struct bitcoin_tx *create_close_tx(const tal_t *ctx, tx->output[1].script_length = tal_count(tx->output[1].script); tx->fee = ours->commitment_fee + theirs->commitment_fee; - permute_outputs(ours->seed, theirs->seed, 1, tx->output, 2, NULL); + permute_outputs(tx->output, 2, NULL); return tx; } diff --git a/commit_tx.c b/commit_tx.c index e9a855497..63d877b48 100644 --- a/commit_tx.c +++ b/commit_tx.c @@ -76,6 +76,6 @@ struct bitcoin_tx *create_commit_tx(const tal_t *ctx, tx->fee = tx->input[0].input_amount - (tx->output[0].amount + tx->output[1].amount); - permute_outputs(ours->seed, theirs->seed, 1, tx->output, 2, NULL); + permute_outputs(tx->output, 2, NULL); return tx; } diff --git a/lightning.pb-c.c b/lightning.pb-c.c index 2962b6741..b2966d8f9 100644 --- a/lightning.pb-c.c +++ b/lightning.pb-c.c @@ -1474,20 +1474,8 @@ const ProtobufCMessageDescriptor anchor__descriptor = (ProtobufCMessageInit) anchor__init, NULL,NULL,NULL /* reserved[123] */ }; -static const ProtobufCFieldDescriptor open_channel__field_descriptors[8] = +static const ProtobufCFieldDescriptor open_channel__field_descriptors[7] = { - { - "seed", - 1, - PROTOBUF_C_LABEL_REQUIRED, - PROTOBUF_C_TYPE_UINT64, - 0, /* quantifier_offset */ - offsetof(OpenChannel, seed), - NULL, - NULL, - 0, /* flags */ - 0,NULL,NULL /* reserved1,reserved2, etc */ - }, { "locktime_seconds", 2, @@ -1574,19 +1562,18 @@ static const ProtobufCFieldDescriptor open_channel__field_descriptors[8] = }, }; static const unsigned open_channel__field_indices_by_name[] = { - 6, /* field[6] = anchor */ - 5, /* field[5] = commitment_fee */ - 4, /* field[4] = final */ - 2, /* field[2] = locktime_blocks */ - 1, /* field[1] = locktime_seconds */ - 3, /* field[3] = revocation_hash */ - 0, /* field[0] = seed */ - 7, /* field[7] = tx_version */ + 5, /* field[5] = anchor */ + 4, /* field[4] = commitment_fee */ + 3, /* field[3] = final */ + 1, /* field[1] = locktime_blocks */ + 0, /* field[0] = locktime_seconds */ + 2, /* field[2] = revocation_hash */ + 6, /* field[6] = tx_version */ }; static const ProtobufCIntRange open_channel__number_ranges[1 + 1] = { - { 1, 0 }, - { 0, 8 } + { 2, 0 }, + { 0, 7 } }; const ProtobufCMessageDescriptor open_channel__descriptor = { @@ -1596,7 +1583,7 @@ const ProtobufCMessageDescriptor open_channel__descriptor = "OpenChannel", "", sizeof(OpenChannel), - 8, + 7, open_channel__field_descriptors, open_channel__field_indices_by_name, 1, open_channel__number_ranges, diff --git a/lightning.pb-c.h b/lightning.pb-c.h index abf25539e..f9d5fed9a 100644 --- a/lightning.pb-c.h +++ b/lightning.pb-c.h @@ -185,10 +185,6 @@ typedef enum { struct _OpenChannel { ProtobufCMessage base; - /* - * Seed which sets order we create outputs for all transactions. - */ - uint64_t seed; /* * Hash seed for revoking commitment transactions. */ @@ -217,7 +213,7 @@ struct _OpenChannel }; #define OPEN_CHANNEL__INIT \ { PROTOBUF_C_MESSAGE_INIT (&open_channel__descriptor) \ - , 0, NULL, NULL, 0, NULL, 0, OPEN_CHANNEL__LOCKTIME__NOT_SET, {} } + , NULL, NULL, 0, NULL, 0, OPEN_CHANNEL__LOCKTIME__NOT_SET, {} } /* diff --git a/lightning.proto b/lightning.proto index 53db7dc7e..002e2a3ad 100644 --- a/lightning.proto +++ b/lightning.proto @@ -70,8 +70,6 @@ message anchor { // Set channel params. message open_channel { - // Seed which sets order we create outputs for all transactions. - required uint64 seed = 1; // Relative locktime for outputs going to us. oneof locktime { uint32 locktime_seconds = 2; diff --git a/permute_tx.c b/permute_tx.c index 0aea2c975..7c521a2c0 100644 --- a/permute_tx.c +++ b/permute_tx.c @@ -1,39 +1,7 @@ -#include #include #include #include "permute_tx.h" -static u32 get_next_rand(struct sha256 *h, size_t *randidx) -{ - u32 ret = h->u.u32[(*randidx)++]; - if (*randidx == 8) { - *randidx = 0; - sha256(h, h, sizeof(*h)); - } - return ret; -} - -static void init_rand(struct sha256 *h, size_t *randidx, - uint64_t seed1, uint64_t seed2, - uint64_t transaction_num, - enum permute_style style) -{ - struct sha256_ctx shactx; - - sha256_init(&shactx); - if (seed1 < seed2) { - sha256_le64(&shactx, seed1); - sha256_le64(&shactx, seed2); - } else { - sha256_le64(&shactx, seed2); - sha256_le64(&shactx, seed1); - } - sha256_le64(&shactx, transaction_num); - sha256_u8(&shactx, style); - sha256_done(&shactx, h); - *randidx = 0; -} - static void init_map(size_t *map, size_t len) { size_t i; @@ -45,21 +13,6 @@ static void init_map(size_t *map, size_t len) map[i] = i; } -/* This map says where things ended up, eg. 0 might be in slot 3. we - * want to change it so map[0] = 3. */ -static void invert_map(size_t *map, size_t len) -{ - if (map) { - size_t i, newmap[len]; - - memset(newmap, 0, sizeof(newmap)); - for (i = 0; i < len; i++) { - newmap[map[i]] = i; - } - memcpy(map, newmap, sizeof(newmap)); - } -} - static bool input_better(const struct bitcoin_tx_input *a, const struct bitcoin_tx_input *b) { @@ -108,13 +61,11 @@ static void swap_inputs(struct bitcoin_tx_input *inputs, size_t *map, } } -void permute_inputs(uint64_t seed1, uint64_t seed2, uint64_t tx_num, - struct bitcoin_tx_input *inputs, +void permute_inputs(struct bitcoin_tx_input *inputs, size_t num_inputs, size_t *map) { - struct sha256 h; - size_t i, randidx; + size_t i; init_map(map, num_inputs); @@ -124,16 +75,6 @@ void permute_inputs(uint64_t seed1, uint64_t seed2, uint64_t tx_num, swap_inputs(inputs, map, i, i + find_best_in(inputs + i, num_inputs - i)); } - - init_rand(&h, &randidx, seed1, seed2, tx_num, PERMUTE_INPUT_STYLE); - - /* Now, Fisher-Yates shuffle, but using SHA256 as "random" source. */ - for (i = 0; i + 1 < num_inputs; i++) { - size_t r = get_next_rand(&h, &randidx) % (num_inputs - i - 1); - swap_inputs(inputs, map, i, i + 1 + r); - } - - invert_map(map, num_inputs); } static void swap_outputs(struct bitcoin_tx_output *outputs, size_t *map, @@ -156,13 +97,23 @@ static void swap_outputs(struct bitcoin_tx_output *outputs, size_t *map, static bool output_better(const struct bitcoin_tx_output *a, const struct bitcoin_tx_output *b) { + size_t len; + int ret; + if (a->amount != b->amount) return a->amount < b->amount; - if (a->script_length != b->script_length) - return a->script_length < b->script_length; + /* Lexographic sort. */ + if (a->script_length < b->script_length) + len = a->script_length; + else + len = b->script_length; + + ret = memcmp(a->script, b->script, len); + if (ret != 0) + return ret < 0; - return memcmp(a->script, b->script, a->script_length) < 0; + return a->script_length < b->script_length; } static size_t find_best_out(struct bitcoin_tx_output *outputs, size_t num) @@ -176,13 +127,11 @@ static size_t find_best_out(struct bitcoin_tx_output *outputs, size_t num) return best; } -void permute_outputs(uint64_t seed1, uint64_t seed2, size_t tx_num, - struct bitcoin_tx_output *outputs, +void permute_outputs(struct bitcoin_tx_output *outputs, size_t num_outputs, size_t *map) { - struct sha256 h; - size_t i, randidx; + size_t i; init_map(map, num_outputs); @@ -192,14 +141,4 @@ void permute_outputs(uint64_t seed1, uint64_t seed2, size_t tx_num, swap_outputs(outputs, map, i, i + find_best_out(outputs + i, num_outputs - i)); } - - init_rand(&h, &randidx, seed1, seed2, tx_num, PERMUTE_OUTPUT_STYLE); - - /* Now, Fisher-Yates shuffle, but using SHA256 as "random" source. */ - for (i = 0; i + 1 < num_outputs; i++) { - size_t r = get_next_rand(&h, &randidx) % (num_outputs - i - 1); - swap_outputs(outputs, map, i, i + 1 + r); - } - - invert_map(map, num_outputs); } diff --git a/permute_tx.h b/permute_tx.h index 1b56469c9..dd91786c5 100644 --- a/permute_tx.h +++ b/permute_tx.h @@ -2,24 +2,14 @@ #define LIGHTNING_PERMUTE_TX_H #include "bitcoin/tx.h" -/* Given the two seeds, permute the transaction inputs. +/* Permute the transaction into BIP69 order. * map[0] is set to the new index of input 0, etc. */ -void permute_inputs(uint64_t seed1, uint64_t seed2, - size_t transaction_num, - struct bitcoin_tx_input *inputs, +void permute_inputs(struct bitcoin_tx_input *inputs, size_t num_inputs, size_t *map); -void permute_outputs(uint64_t seed1, uint64_t seed2, - size_t transaction_num, - struct bitcoin_tx_output *outputs, +void permute_outputs(struct bitcoin_tx_output *outputs, size_t num_outputs, size_t *map); - -enum permute_style { - PERMUTE_INPUT_STYLE = 0, - PERMUTE_OUTPUT_STYLE = 1 -}; - #endif /* LIGHTNING_PERMUTE_TX_H */ diff --git a/pkt.c b/pkt.c index 9b4943f8c..7e783b475 100644 --- a/pkt.c +++ b/pkt.c @@ -32,7 +32,6 @@ static struct pkt *to_pkt(const tal_t *ctx, Pkt__PktCase type, void *msg) } struct pkt *openchannel_pkt(const tal_t *ctx, - u64 seed, const struct sha256 *revocation_hash, const struct pubkey *to_me, u64 commitment_fee, @@ -45,7 +44,6 @@ struct pkt *openchannel_pkt(const tal_t *ctx, assert(anchor->inputs); assert(anchor->pubkey); - o.seed = seed; o.revocation_hash = sha256_to_proto(ctx, revocation_hash); o.final = pubkey_to_proto(ctx, to_me); o.commitment_fee = commitment_fee; diff --git a/pkt.h b/pkt.h index 2b65edbdc..20d7fd066 100644 --- a/pkt.h +++ b/pkt.h @@ -31,7 +31,6 @@ struct pubkey; /** * openchannel_pkt - create an openchannel message * @ctx: tal context to allocate off. - * @seed: psuedo-random seed to shuffle inputs. * @revocation_hash: first hash value generated from seed. * @to_me: the pubkey for the commit transactions' P2SH output. * @commitment_fee: the fee to use for commitment tx. @@ -39,7 +38,6 @@ struct pubkey; * @anchor: the anchor transaction details. */ struct pkt *openchannel_pkt(const tal_t *ctx, - u64 seed, const struct sha256 *revocation_hash, const struct pubkey *to_me, u64 commitment_fee, diff --git a/test-cli/open-channel.c b/test-cli/open-channel.c index 73ad2f1ba..71c6ca65f 100644 --- a/test-cli/open-channel.c +++ b/test-cli/open-channel.c @@ -59,12 +59,6 @@ static BitcoinInput *parse_anchor_input(const tal_t *ctx, const char *spec) return in; } -/* FIXME: This is too weak, even for us! */ -static u64 weak_random64(void) -{ - return time(NULL); -} - /* Simple helper to open a channel. */ int main(int argc, char *argv[]) { @@ -166,7 +160,7 @@ int main(int argc, char *argv[]) sha256(&revocation_hash, revocation_hash.u.u8, sizeof(revocation_hash.u.u8)); - pkt = openchannel_pkt(ctx, weak_random64(), &revocation_hash, &outkey, + pkt = openchannel_pkt(ctx, &revocation_hash, &outkey, commit_tx_fee, locktime_seconds, &anchor); if (!write_all(STDOUT_FILENO, pkt, pkt_totlen(pkt)))