Merge pull request #7904 from lightningnetwork/simple-taproot-chans-staging

multi: merge simple taproot channels staging branch into master

Author: Roasbeef

chanbackup/single.go

@@ -48,6 +48,10 @@ const (
 	// commitment and HTLC outputs that pay directly to the channel
 	// initiator.
 	ScriptEnforcedLeaseVersion = 4
+
+	// SimpleTaprootVersion is a version that denotes this channel is using
+	// the musig2 based taproot commitment format.
+	SimpleTaprootVersion = 5
 )
 
 // Single is a static description of an existing channel that can be used for
@@ -213,6 +217,9 @@ func NewSingle(channel *channeldb.OpenChannel,
 	}
 
 	switch {
+	case channel.ChanType.IsTaproot():
+		single.Version = SimpleTaprootVersion
+
 	case channel.ChanType.HasLeaseExpiration():
 		single.Version = ScriptEnforcedLeaseVersion
 		single.LeaseExpiry = channel.ThawHeight
@@ -244,6 +251,7 @@ func (s *Single) Serialize(w io.Writer) error {
 	case AnchorsCommitVersion:
 	case AnchorsZeroFeeHtlcTxCommitVersion:
 	case ScriptEnforcedLeaseVersion:
+	case SimpleTaprootVersion:
 	default:
 		return fmt.Errorf("unable to serialize w/ unknown "+
 			"version: %v", s.Version)
@@ -420,6 +428,7 @@ func (s *Single) Deserialize(r io.Reader) error {
 	case AnchorsCommitVersion:
 	case AnchorsZeroFeeHtlcTxCommitVersion:
 	case ScriptEnforcedLeaseVersion:
+	case SimpleTaprootVersion:
 	default:
 		return fmt.Errorf("unable to de-serialize w/ unknown "+
 			"version: %v", s.Version)

channeldb/channel.go

@@ -2,6 +2,7 @@ package channeldb
 
 import (
 	"bytes"
+	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/binary"
 	"errors"
@@ -13,6 +14,7 @@ import (
 	"sync"
 
 	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
 	"github.com/btcsuite/btcd/btcutil"
 	"github.com/btcsuite/btcd/chaincfg/chainhash"
 	"github.com/btcsuite/btcd/wire"
@@ -303,6 +305,10 @@ const (
 	// ScidAliasFeatureBit indicates that the scid-alias feature bit was
 	// negotiated during the lifetime of this channel.
 	ScidAliasFeatureBit ChannelType = 1 << 9
+
+	// SimpleTaprootFeatureBit indicates that the simple-taproot-channels
+	// feature bit was negotiated during the lifetime of the channel.
+	SimpleTaprootFeatureBit ChannelType = 1 << 10
 )
 
 // IsSingleFunder returns true if the channel type if one of the known single
@@ -368,6 +374,11 @@ func (c ChannelType) HasScidAliasFeature() bool {
 	return c&ScidAliasFeatureBit == ScidAliasFeatureBit
 }
 
+// IsTaproot returns true if the channel is using taproot features.
+func (c ChannelType) IsTaproot() bool {
+	return c&SimpleTaprootFeatureBit == SimpleTaprootFeatureBit
+}
+
 // ChannelConstraints represents a set of constraints meant to allow a node to
 // limit their exposure, enact flow control and ensure that all HTLCs are
 // economically relevant. This struct will be mirrored for both sides of the
@@ -1372,6 +1383,65 @@ func (c *OpenChannel) SecondCommitmentPoint() (*btcec.PublicKey, error) {
 	return input.ComputeCommitmentPoint(revocation[:]), nil
 }
 
+var (
+	// taprootRevRootKey is the key used to derive the revocation root for
+	// the taproot nonces. This is done via HMAC of the existing revocation
+	// root.
+	taprootRevRootKey = []byte("taproot-rev-root")
+)
+
+// DeriveMusig2Shachain derives a shachain producer for the taproot channel
+// from normal shachain revocation root.
+func DeriveMusig2Shachain(revRoot shachain.Producer) (shachain.Producer, error) { //nolint:lll
+	// In order to obtain the revocation root hash to create the taproot
+	// revocation, we'll encode the producer into a buffer, then use that
+	// to derive the shachain root needed.
+	var rootHashBuf bytes.Buffer
+	if err := revRoot.Encode(&rootHashBuf); err != nil {
+		return nil, fmt.Errorf("unable to encode producer: %w", err)
+	}
+
+	revRootHash := chainhash.HashH(rootHashBuf.Bytes())
+
+	// For taproot channel types, we'll also generate a distinct shachain
+	// root using the same seed information. We'll use this to generate
+	// verification nonces for the channel. We'll bind with this a simple
+	// hmac.
+	taprootRevHmac := hmac.New(sha256.New, taprootRevRootKey)
+	if _, err := taprootRevHmac.Write(revRootHash[:]); err != nil {
+		return nil, err
+	}
+
+	taprootRevRoot := taprootRevHmac.Sum(nil)
+
+	// Once we have the root, we can then generate our shachain producer
+	// and from that generate the per-commitment point.
+	return shachain.NewRevocationProducerFromBytes(
+		taprootRevRoot,
+	)
+}
+
+// NewMusigVerificationNonce generates the local or verification nonce for
+// another musig2 session. In order to permit our implementation to not have to
+// write any secret nonce state to disk, we'll use the _next_ shachain
+// pre-image as our primary randomness source. When used to generate the nonce
+// again to broadcast our commitment hte current height will be used.
+func NewMusigVerificationNonce(pubKey *btcec.PublicKey, targetHeight uint64,
+	shaGen shachain.Producer) (*musig2.Nonces, error) {
+
+	// Now that we know what height we need, we'll grab the shachain
+	// pre-image at the target destination.
+	nextPreimage, err := shaGen.AtIndex(targetHeight)
+	if err != nil {
+		return nil, err
+	}
+
+	shaChainRand := musig2.WithCustomRand(bytes.NewBuffer(nextPreimage[:]))
+	pubKeyOpt := musig2.WithPublicKey(pubKey)
+
+	return musig2.GenNonces(pubKeyOpt, shaChainRand)
+}
+
 // ChanSyncMsg returns the ChannelReestablish message that should be sent upon
 // reconnection with the remote peer that we're maintaining this channel with.
 // The information contained within this message is necessary to re-sync our
@@ -1443,6 +1513,30 @@ func (c *OpenChannel) ChanSyncMsg() (*lnwire.ChannelReestablish, error) {
 		}
 	}
 
+	// If this is a taproot channel, then we'll need to generate our next
+	// verification nonce to send to the remote party. They'll use this to
+	// sign the next update to our commitment transaction.
+	var nextTaprootNonce *lnwire.Musig2Nonce
+	if c.ChanType.IsTaproot() {
+		taprootRevProducer, err := DeriveMusig2Shachain(
+			c.RevocationProducer,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		nextNonce, err := NewMusigVerificationNonce(
+			c.LocalChanCfg.MultiSigKey.PubKey,
+			nextLocalCommitHeight, taprootRevProducer,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to gen next "+
+				"nonce: %w", err)
+		}
+
+		nextTaprootNonce = (*lnwire.Musig2Nonce)(&nextNonce.PubNonce)
+	}
+
 	return &lnwire.ChannelReestablish{
 		ChanID: lnwire.NewChanIDFromOutPoint(
 			&c.FundingOutpoint,
@@ -1453,6 +1547,7 @@ func (c *OpenChannel) ChanSyncMsg() (*lnwire.ChannelReestablish, error) {
 		LocalUnrevokedCommitPoint: input.ComputeCommitmentPoint(
 			currentCommitSecret[:],
 		),
+		LocalNonce: nextTaprootNonce,
 	}, nil
 }
 
@@ -3854,8 +3949,6 @@ func putChanRevocationState(chanBucket kvdb.RwBucket, channel *OpenChannel) erro
 		return err
 	}
 
-	// TODO(roasbeef): don't keep producer on disk
-
 	// If the next revocation is present, which is only the case after the
 	// ChannelReady message has been sent, then we'll write it to disk.
 	if channel.RemoteNextRevocation != nil {

channeldb/graph.go

@@ -2727,7 +2727,7 @@ func (l *LightningNode) NodeAnnouncement(signed bool) (*lnwire.NodeAnnouncement,
 		return nodeAnn, nil
 	}
 
-	sig, err := lnwire.NewSigFromRawSignature(l.AuthSigBytes)
+	sig, err := lnwire.NewSigFromECDSARawSignature(l.AuthSigBytes)
 	if err != nil {
 		return nil, err
 	}

chanrestore.go

@@ -154,6 +154,12 @@ func (c *chanDBRestorer) openChannelShell(backup chanbackup.Single) (
 		chanType |= channeldb.AnchorOutputsBit
 		chanType |= channeldb.SingleFunderTweaklessBit
 
+	case chanbackup.SimpleTaprootVersion:
+		chanType = channeldb.ZeroHtlcTxFeeBit
+		chanType |= channeldb.AnchorOutputsBit
+		chanType |= channeldb.SingleFunderTweaklessBit
+		chanType |= channeldb.SimpleTaprootFeatureBit
+
 	default:
 		return nil, fmt.Errorf("unknown Single version: %v", err)
 	}

cmd/lncli/cmd_open_channel.go

@@ -59,8 +59,9 @@ Signed base64 encoded PSBT or hex encoded raw wire TX (or path to file): `
 	// of memory issues or other weird errors.
 	psbtMaxFileSize = 1024 * 1024
 
-	channelTypeTweakless = "tweakless"
-	channelTypeAnchors   = "anchors"
+	channelTypeTweakless     = "tweakless"
+	channelTypeAnchors       = "anchors"
+	channelTypeSimpleTaproot = "taproot"
 )
 
 // TODO(roasbeef): change default number of confirmations.
@@ -253,8 +254,9 @@ var openChannelCommand = cli.Command{
 		cli.StringFlag{
 			Name: "channel_type",
 			Usage: fmt.Sprintf("(optional) the type of channel to "+
-				"propose to the remote peer (%q, %q)",
-				channelTypeTweakless, channelTypeAnchors),
+				"propose to the remote peer (%q, %q, %q)",
+				channelTypeTweakless, channelTypeAnchors,
+				channelTypeSimpleTaproot),
 		},
 		cli.BoolFlag{
 			Name: "zero_conf",
@@ -443,6 +445,8 @@ func openChannel(ctx *cli.Context) error {
 		req.CommitmentType = lnrpc.CommitmentType_STATIC_REMOTE_KEY
 	case channelTypeAnchors:
 		req.CommitmentType = lnrpc.CommitmentType_ANCHORS
+	case channelTypeSimpleTaproot:
+		req.CommitmentType = lnrpc.CommitmentType_SIMPLE_TAPROOT
 	default:
 		return fmt.Errorf("unsupported channel type %v", channelType)
 	}

contractcourt/anchor_resolver.go

@@ -33,6 +33,9 @@ type anchorResolver struct {
 	// chanPoint is the channel point of the original contract.
 	chanPoint wire.OutPoint
 
+	// chanType denotes the type of channel the contract belongs to.
+	chanType channeldb.ChannelType
+
 	// currentReport stores the current state of the resolver for reporting
 	// over the rpc interface.
 	currentReport ContractReport
@@ -97,12 +100,16 @@ func (c *anchorResolver) Resolve() (ContractResolver, error) {
 	// to the sweeper.
 	relayFeeRate := c.Sweeper.RelayFeePerKW()
 
+	witnessType := input.CommitmentAnchor
+
+	// For taproot channels, we need to use the proper witness type.
+	if c.chanType.IsTaproot() {
+		witnessType = input.TaprootAnchorSweepSpend
+	}
+
 	anchorInput := input.MakeBaseInput(
-		&c.anchor,
-		input.CommitmentAnchor,
-		&c.anchorSignDescriptor,
-		c.broadcastHeight,
-		nil,
+		&c.anchor, witnessType, &c.anchorSignDescriptor,
+		c.broadcastHeight, nil,
 	)
 
 	resultChan, err := c.Sweeper.SweepInput(
@@ -195,7 +202,8 @@ func (c *anchorResolver) IsResolved() bool {
 // state required for the proper resolution of a contract.
 //
 // NOTE: Part of the ContractResolver interface.
-func (c *anchorResolver) SupplementState(_ *channeldb.OpenChannel) {
+func (c *anchorResolver) SupplementState(state *channeldb.OpenChannel) {
+	c.chanType = state.ChanType
 }
 
 // report returns a report on the resolution state of the contract.