highperfocused/lnd
1
0
Fork 0
mirror of https://github.com/lightningnetwork/lnd.git synced 2025-04-03 17:40:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Properly calculate shared secret for each hop

Browse Source 
* Hmm turns out the “optimization” I cooked up results in the incorrect
computation. After the first hop, all shared secrets were being
computed incorrectly.

* Will revisit, thought that “optimization” checked out in sage?
This commit is contained in:
Olaoluwa Osuntokun 2015-10-24 13:21:00 -07:00
parent e7def0be20
commit fe98fecebe
1 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
sphinx.go
View File

@ -7,7 +7,6 @@ import (
"crypto/hmac"
"crypto/sha256"
"fmt"
"math/big"
"github.com/btcsuite/btcd/btcec"
"github.com/btcsuite/btcd/chaincfg"
@ -110,11 +109,6 @@ func NewMixHeader(dest LightningAddress, identifier [securityParameter]byte,
hopSharedSecrets[0] = sha256.Sum256(btcec.GenerateSharedSecret(sessionKey, paymentPath[0]))
hopBlindingFactors[0] = computeBlindingFactor(hopEphemeralPubKeys[0], hopSharedSecrets[0][:])
// x * b_{0} mod n. Becomes x * b_{0} * b_{1} * ..... * b_{n} mod curve_order, etc.
cummulativeBlind := new(big.Int).Mul(
sessionKey.X, new(big.Int).SetBytes(hopBlindingFactors[0][:]),
)
cummulativeBlind.Mod(cummulativeBlind, btcec.S256().N)
// Now recursively compute the ephemeral ECDH pub keys, the shared
// secret, and blinding factor for each hop.
@ -124,19 +118,15 @@ func NewMixHeader(dest LightningAddress, identifier [securityParameter]byte,
hopBlindingFactors[i-1][:])
// s_{n} = sha256( y_{n} x c_{n-1} ) ->
// Y_their_pub_key x (x_our_priv * all prev blinding factors mod curve_order)
hopSharedSecrets[i] = sha256.Sum256(
blindGroupElement(paymentPath[i], cummulativeBlind.Bytes()).X.Bytes(),
)
// (Y_their_pub_key x x_our_priv) x all prev blinding factors
yToX := blindGroupElement(paymentPath[i], sessionKey.D.Bytes())
hopSharedSecrets[i] = sha256.Sum256(multiScalarMult(yToX, hopBlindingFactors[:i]).X.Bytes())
// TODO(roasbeef): prob don't need to store all blinding factors, only the prev...
// b_{n} = sha256(a_{n} || s_{n})
hopBlindingFactors[i] = computeBlindingFactor(hopEphemeralPubKeys[i],
hopSharedSecrets[i][:])
// c_{n} = c_{n-1} * b_{n} mod curve_order
cummulativeBlind.Mul(cummulativeBlind, new(big.Int).SetBytes(hopBlindingFactors[i][:]))
cummulativeBlind.Mod(cummulativeBlind, btcec.S256().N)
}
// Generate the padding, called "filler strings" in the paper.
@ -350,6 +340,17 @@ func blindGroupElement(hopPubKey *btcec.PublicKey, blindingFactor []byte) *btcec
return &btcec.PublicKey{hopPubKey.Curve, newX, newY}
}
// multiScalarMult...
func multiScalarMult(hopPubKey *btcec.PublicKey, blindingFactors [][sha256.Size]byte) *btcec.PublicKey {
finalPubKey := hopPubKey
for _, blindingFactor := range blindingFactors {
finalPubKey = blindGroupElement(finalPubKey, blindingFactor[:])
}
return finalPubKey
}
type ProcessCode int
const (