From 13404243cf6e65f40b13b768b6747b40eb162272 Mon Sep 17 00:00:00 2001
From: Olaoluwa Osuntokun
Date: Sat, 29 Jul 2017 17:55:05 -0700
Subject: [PATCH] lnwallet: revocation root generation is now based on a block hash + node key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit modifies the prior revocation root generation to a newer version which is intended to allow for easy recovery of revocation state. Rather than using the node’s keys (which we can’t count on NOT to change), we instead now use the block hash as a salt. With this, given the block hash prior to the one that funded the channel, and the node’s identity key, we can reconstruct our revocation state.
---
 lnwallet/script_utils.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lnwallet/script_utils.go b/lnwallet/script_utils.go
index 471adc85..30187ac7 100644
--- a/lnwallet/script_utils.go
+++ b/lnwallet/script_utils.go
@@ -753,20 +753,20 @@ func DeriveRevocationPrivKey(commitPrivKey *btcec.PrivateKey,
 }
 
 // DeriveRevocationRoot derives an root unique to a channel given the
-// private key for our public key in the 2-of-2 multi-sig, and the remote
-// node's multi-sig public key. The seed is derived using the HKDF[1][2]
-// instantiated with sha-256. The secret data used is our multi-sig private
-// key, with the salt being the remote node's public key.
+// derivation root, and the blockhash that the funding process began at and the
+// remote node's identity public key. The seed is derived using the HKDF[1][2]
+// instantiated with sha-256. With this schema, once we know the block hash of
+// the funding transaction, and who we funded the channel with, we can
+// reconstruct all of our revocation state.
 //
 // [1]: https://eprint.iacr.org/2010/264.pdf
 // [2]: https://tools.ietf.org/html/rfc5869
 func DeriveRevocationRoot(derivationRoot *btcec.PrivateKey,
-	localMultiSigKey *btcec.PublicKey,
-	remoteMultiSigKey *btcec.PublicKey) *chainhash.Hash {
+	blockSalt chainhash.Hash, nodePubKey *btcec.PublicKey) chainhash.Hash {
 
 	secret := derivationRoot.Serialize()
-	salt := localMultiSigKey.SerializeCompressed()
-	info := remoteMultiSigKey.SerializeCompressed()
+	salt := blockSalt[:]
+	info := nodePubKey.SerializeCompressed()
 
 	seedReader := hkdf.New(sha256.New, secret, salt, info)
 
@@ -776,7 +776,7 @@ func DeriveRevocationRoot(derivationRoot *btcec.PrivateKey,
 	var root chainhash.Hash
 	seedReader.Read(root[:])
 
-	return &root
+	return root
 }
 
 // SetStateNumHint encodes the current state number within the passed
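Review bot: The new inputs do not make the root "unique to a channel" as the rewritten doc comment still claims: `salt := blockSalt[:]` and `info := nodePubKey.SerializeCompressed()` are both public and repeat whenever a second channel with the same peer is funded from the same block, so two such channels would derive one identical revocation root and, since the comment says the root reconstructs all revocation state, identical per-commitment secrets, meaning a secret revealed when revoking a state on one channel would also expose the same-numbered state of the other. If callers can have more than one channel with a peer in flight per block (I cannot see the callers here), mix a per-channel distinguisher into the HKDF info, e.g. `info := append(nodePubKey.SerializeCompressed(), chanIndex[:]...)` where the caller supplies a counter it can recover, or at minimum state in the comment that the caller must guarantee distinct (blockSalt, nodePubKey) pairs. The recovery story also silently depends on derivationRoot being a long-lived secret that never rotates (the commit message says the node identity key, the code only says "derivation root"); the comment should make that contract explicit, e.g. `// derivationRoot must be a stable long-lived secret (the node's identity key): if it is ever rotated, previously derived roots can no longer be recomputed.`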
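Review bot: `seedReader.Read(root[:])` still discards both the byte count and the error, and now that the function returns `root` by value a short or failed read would hand callers a zero or partially filled hash that is indistinguishable from a genuine root. A single 32-byte read from an HKDF-SHA256 expander cannot hit its output limit, so if the lines just above this hunk already justify the discard that is defensible, but `if _, err := io.ReadFull(seedReader, root[:]); err != nil { panic("hkdf read failed: " + err.Error()) }` makes the invariant explicit at no runtime cost (it needs `io` in the import block, which is outside this patch). DeriveRevocationRoot begins in the previous hunk.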