// newHandshakeState returns a new instance of the handshake state initialized
// with the prologue and protocol name. If this is the respodner's handshake
// state, then the remotePub can be nil.
func newHandshakeState(initiator bool, prologue []byte,
localPub *btcec.PrivateKey, remotePub *btcec.PublicKey) handshakeState {
h := handshakeState{
initiator: initiator,
localStatic: localPub,
remoteStatic: remotePub,
}
// Set the current chainking key and handshake digest to the hash of
// the protocol name, and additionally mix in the prologue. If either
// sides disagree about the prologue or protocol name, then the
// handshake will fail.
h.InitializeSymmetric([]byte(protocolName))
h.mixHash(prologue)
// In Noise_XK, then initiator should know the responder's static
// public key, therefore we include the responder's static key in the
// handshake digest. If the initiator gets this value wrong, then the
// handshake will fail.
if initiator {
h.mixHash(remotePub.SerializeCompressed())
} else {
h.mixHash(localPub.PubKey().SerializeCompressed())
}
return h
}
// newManagedAddress returns a new managed address based on the passed account,
// private key, and whether or not the public key is compressed. The managed
// address will have access to the private and public keys.
func newManagedAddress(m *Manager, account uint32, privKey *btcec.PrivateKey,
compressed bool, addrType addressType) (*managedAddress, error) {
// Encrypt the private key.
//
// NOTE: The privKeyBytes here are set into the managed address which
// are cleared when locked, so they aren't cleared here.
privKeyBytes := privKey.Serialize()
privKeyEncrypted, err := m.cryptoKeyPriv.Encrypt(privKeyBytes)
if err != nil {
str := "failed to encrypt private key"
return nil, managerError(ErrCrypto, str, err)
}
// Leverage the code to create a managed address without a private key
// and then add the private key to it.
ecPubKey := (*btcec.PublicKey)(&privKey.PublicKey)
managedAddr, err := newManagedAddressWithoutPrivKey(m, account,
ecPubKey, compressed, addrType)
if err != nil {
return nil, err
}
managedAddr.privKeyEncrypted = privKeyEncrypted
managedAddr.privKeyCT = privKeyBytes
return managedAddr, nil
}
// keyToAddr maps the passed private to corresponding p2pkh address.
func keyToAddr(key *btcec.PrivateKey, net *chaincfg.Params) (btcutil.Address, error) {
serializedKey := key.PubKey().SerializeCompressed()
pubKeyAddr, err := btcutil.NewAddressPubKey(serializedKey, net)
if err != nil {
return nil, err
}
return pubKeyAddr.AddressPubKeyHash(), nil
}
// RawTxInSignature returns the serialized ECDSA signature for the input idx of
// the given transaction, with hashType appended to it.
func RawTxInSignature(tx *wire.MsgTx, idx int, subScript []byte,
hashType SigHashType, key *btcec.PrivateKey) ([]byte, error) {
parsedScript, err := parseScript(subScript)
if err != nil {
return nil, fmt.Errorf("cannot parse output script: %v", err)
}
hash := calcSignatureHash(parsedScript, hashType, tx, idx)
signature, err := key.Sign(hash)
if err != nil {
return nil, fmt.Errorf("cannot sign tx input: %s", err)
}
return append(signature.Serialize(), byte(hashType)), nil
}
// NewRouter creates a new instance of a Sphinx onion Router given the node's
// currently advertised onion private key, and the target Bitcoin network.
func NewRouter(nodeKey *btcec.PrivateKey, net *chaincfg.Params) *Router {
var nodeID [securityParameter]byte
copy(nodeID[:], btcutil.Hash160(nodeKey.PubKey().SerializeCompressed()))
// Safe to ignore the error here, nodeID is 20 bytes.
nodeAddr, _ := btcutil.NewAddressPubKeyHash(nodeID[:], net)
return &Router{
nodeID: nodeID,
nodeAddr: nodeAddr,
onionKey: nodeKey,
// TODO(roasbeef): replace instead with bloom filter?
// * https://moderncrypto.org/mail-archive/messaging/2015/001911.html
seenSecrets: make(map[[sharedSecretSize]byte]struct{}),
}
}
// deriveElkremRoot derives an elkrem root unique to a channel given the
// private key for our public key in the 2-of-2 multi-sig, and the remote
// node's multi-sig public key. The root is derived using the HKDF[1][2]
// instantiated with sha-256. The secret data used is our multi-sig private
// key, with the salt being the remote node's public key.
//
// [1]: https://eprint.iacr.org/2010/264.pdf
// [2]: https://tools.ietf.org/html/rfc5869
func deriveElkremRoot(elkremDerivationRoot *btcec.PrivateKey,
localMultiSigKey *btcec.PublicKey,
remoteMultiSigKey *btcec.PublicKey) wire.ShaHash {
secret := elkremDerivationRoot.Serialize()
salt := localMultiSigKey.SerializeCompressed()
info := remoteMultiSigKey.SerializeCompressed()
rootReader := hkdf.New(sha256.New, secret, salt, info)
// It's safe to ignore the error her as we know for sure that we won't
// be draining the HKDF past its available entropy horizon.
// TODO(roasbeef): revisit...
var elkremRoot wire.ShaHash
rootReader.Read(elkremRoot[:])
return elkremRoot
}
// NewMixHeader creates a new mix header which is capable of
// obliviously routing a message through the mix-net path outline by
// 'paymentPath'. This function returns the created mix header along
// with a derived shared secret for each node in the path.
func NewMixHeader(paymentPath []*btcec.PublicKey, sessionKey *btcec.PrivateKey,
rawHopPayloads [][]byte, assocData []byte) (*MixHeader,
[][sharedSecretSize]byte, error) {
// Each hop performs ECDH with our ephemeral key pair to arrive at a
// shared secret. Additionally, each hop randomizes the group element
// for the next hop by multiplying it by the blinding factor. This way
// we only need to transmit a single group element, and hops can't link
// a session back to us if they have several nodes in the path.
numHops := len(paymentPath)
hopEphemeralPubKeys := make([]*btcec.PublicKey, numHops)
hopSharedSecrets := make([][sha256.Size]byte, numHops)
hopBlindingFactors := make([][sha256.Size]byte, numHops)
// Compute the triplet for the first hop outside of the main loop.
// Within the loop each new triplet will be computed recursively based
// off of the blinding factor of the last hop.
hopEphemeralPubKeys[0] = sessionKey.PubKey()
hopSharedSecrets[0] = sha256.Sum256(btcec.GenerateSharedSecret(sessionKey, paymentPath[0]))
hopBlindingFactors[0] = computeBlindingFactor(hopEphemeralPubKeys[0], hopSharedSecrets[0][:])
// Now recursively compute the ephemeral ECDH pub keys, the shared
// secret, and blinding factor for each hop.
for i := 1; i <= numHops-1; i++ {
// a_{n} = a_{n-1} x c_{n-1} -> (Y_prev_pub_key x prevBlindingFactor)
hopEphemeralPubKeys[i] = blindGroupElement(hopEphemeralPubKeys[i-1],
hopBlindingFactors[i-1][:])
// s_{n} = sha256( y_{n} x c_{n-1} ) ->
// (Y_their_pub_key x x_our_priv) x all prev blinding factors
yToX := blindGroupElement(paymentPath[i], sessionKey.D.Bytes())
hopSharedSecrets[i] = sha256.Sum256(multiScalarMult(yToX, hopBlindingFactors[:i]).X.Bytes())
// TODO(roasbeef): prob don't need to store all blinding factors, only the prev...
// b_{n} = sha256(a_{n} || s_{n})
hopBlindingFactors[i] = computeBlindingFactor(hopEphemeralPubKeys[i],
hopSharedSecrets[i][:])
}
// Generate the padding, called "filler strings" in the paper.
filler := generateHeaderPadding("rho", numHops, 2*securityParameter, hopSharedSecrets)
hopFiller := generateHeaderPadding("gamma", numHops, HopPayloadSize, hopSharedSecrets)
// Allocate and initialize fields to zero-filled slices
var mixHeader [routingInfoSize]byte
var hopPayloads [NumMaxHops * HopPayloadSize]byte
// Same goes for the HMAC
var next_hmac [20]byte
next_address := bytes.Repeat([]byte{0x00}, 20)
// Now we compute the routing information for each hop, along with a
// MAC of the routing info using the shared key for that hop.
for i := numHops - 1; i >= 0; i-- {
rhoKey := generateKey("rho", hopSharedSecrets[i])
gammaKey := generateKey("gamma", hopSharedSecrets[i])
muKey := generateKey("mu", hopSharedSecrets[i])
// Shift and obfuscate routing info
streamBytes := generateCipherStream(rhoKey, numStreamBytes)
rightShift(mixHeader[:], 2*securityParameter)
copy(mixHeader[:], next_address[:])
copy(mixHeader[securityParameter:], next_hmac[:])
xor(mixHeader[:], mixHeader[:], streamBytes[:routingInfoSize])
// Shift and obfuscate per-hop payload
rightShift(hopPayloads[:], HopPayloadSize)
copy(hopPayloads[:], rawHopPayloads[i])
hopStreamBytes := generateCipherStream(gammaKey, uint(len(hopPayloads)))
xor(hopPayloads[:], hopPayloads[:], hopStreamBytes)
// We need to overwrite these so every node generates a correct padding
if i == numHops-1 {
copy(mixHeader[len(mixHeader)-len(filler):], filler)
copy(hopPayloads[len(hopPayloads)-len(hopFiller):], hopFiller)
}
packet := append(append(mixHeader[:], hopPayloads[:]...), assocData...)
next_hmac = calcMac(muKey, packet)
next_address = btcutil.Hash160(paymentPath[i].SerializeCompressed())
}
header := &MixHeader{
Version: 0x01,
EphemeralKey: hopEphemeralPubKeys[0],
RoutingInfo: mixHeader,
HeaderMAC: next_hmac,
HopPayload: hopPayloads,
}
return header, hopSharedSecrets, nil
}
