tapchannel: tweak HTLC second level transaction internal key

Author: guggero

tapchannel/aux_leaf_creator.go

@@ -129,6 +129,7 @@ func FetchLeavesFromCommit(chainParams *address.ChainParams,
 			leaf, err := CreateSecondLevelHtlcTx(
 				chanState, com.CommitTx, htlc.Amt.ToSatoshis(),
 				keys, chainParams, htlcOutputs, cltvTimeout,
+				htlc.HtlcIndex,
 			)
 			if err != nil {
 				return lfn.Err[returnType](fmt.Errorf("unable "+
@@ -169,6 +170,7 @@ func FetchLeavesFromCommit(chainParams *address.ChainParams,
 			leaf, err := CreateSecondLevelHtlcTx(
 				chanState, com.CommitTx, htlc.Amt.ToSatoshis(),
 				keys, chainParams, htlcOutputs, cltvTimeout,
+				htlc.HtlcIndex,
 			)
 			if err != nil {
 				return lfn.Err[returnType](fmt.Errorf("unable "+

tapchannel/aux_leaf_signer.go

@@ -370,7 +370,7 @@ func verifyHtlcSignature(chainParams *address.ChainParams,
 
 	vPackets, err := htlcSecondLevelPacketsFromCommit(
 		chainParams, chanState, commitTx, baseJob.KeyRing, htlcOutputs,
-		baseJob, htlcTimeout,
+		baseJob, htlcTimeout, baseJob.HTLC.HtlcIndex,
 	)
 	if err != nil {
 		return fmt.Errorf("error generating second level packets: %w",
@@ -514,7 +514,7 @@ func (s *AuxLeafSigner) generateHtlcSignature(chanState lnwallet.AuxChanState,
 
 	vPackets, err := htlcSecondLevelPacketsFromCommit(
 		s.cfg.ChainParams, chanState, commitTx, baseJob.KeyRing,
-		htlcOutputs, baseJob, htlcTimeout,
+		htlcOutputs, baseJob, htlcTimeout, baseJob.HTLC.HtlcIndex,
 	)
 	if err != nil {
 		return lnwallet.AuxSigJobResp{}, fmt.Errorf("error generating "+
@@ -602,12 +602,12 @@ func (s *AuxLeafSigner) generateHtlcSignature(chanState lnwallet.AuxChanState,
 func htlcSecondLevelPacketsFromCommit(chainParams *address.ChainParams,
 	chanState lnwallet.AuxChanState, commitTx *wire.MsgTx,
 	keyRing lnwallet.CommitmentKeyRing, htlcOutputs []*cmsg.AssetOutput,
-	baseJob lnwallet.BaseAuxJob,
-	htlcTimeout fn.Option[uint32]) ([]*tappsbt.VPacket, error) {
+	baseJob lnwallet.BaseAuxJob, htlcTimeout fn.Option[uint32],
+	htlcIndex uint64) ([]*tappsbt.VPacket, error) {
 
 	packets, _, err := CreateSecondLevelHtlcPackets(
 		chanState, commitTx, baseJob.HTLC.Amount.ToSatoshis(),
-		keyRing, chainParams, htlcOutputs, htlcTimeout,
+		keyRing, chainParams, htlcOutputs, htlcTimeout, htlcIndex,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error creating second level HTLC "+

tapchannel/aux_sweeper.go

@@ -217,10 +217,12 @@ func (a *AuxSweeper) createSweepVpackets(sweepInputs []*cmsg.AssetOutput,
 			cltvTimeout = fn.Some(uint32(delay))
 		})
 
+		htlcIndex := resReq.HtlcID.UnwrapOr(math.MaxUint64)
 		alloc, err := createSecondLevelHtlcAllocations(
 			resReq.ChanType, resReq.Initiator, sweepInputs,
 			resReq.HtlcAmt, resReq.CommitCsvDelay, *resReq.KeyRing,
 			fn.Some(resReq.ContractPoint.Index), cltvTimeout,
+			htlcIndex,
 		)
 		if err != nil {
 			return lfn.Err[returnType](err)
@@ -364,8 +366,7 @@ func (a *AuxSweeper) signSweepVpackets(vPackets []*tappsbt.VPacket,
 		// tweaks to generate the key we'll use to verify the
 		// signature.
 		signingKey, leafToSign := applySignDescToVIn(
-			signDesc, vIn, &a.cfg.ChainParams,
-			tapTweak,
+			signDesc, vIn, &a.cfg.ChainParams, tapTweak,
 		)
 
 		// In this case, the witness isn't special, so we'll set the
@@ -876,7 +877,7 @@ func localHtlcTimeoutSweepDesc(req lnwallet.ResolutionReq,
 	// As this is an HTLC on our local commitment transaction, we'll also
 	// need to generate a sweep desc for second level HTLC.
 	secondLevelScriptTree, err := input.TaprootSecondLevelScriptTree(
-		req.KeyRing.RevocationKey, req.KeyRing.ToLocalKey,
+		tweakedKeyRing.RevocationKey, req.KeyRing.ToLocalKey,
 		req.CommitCsvDelay, lfn.None[txscript.TapLeaf](),
 	)
 	if err != nil {
@@ -978,7 +979,7 @@ func localHtlcSuccessSweepDesc(req lnwallet.ResolutionReq,
 	// As this is an HTLC on our local commitment transaction, we'll also
 	// need to generate a sweep desc for second level HTLC.
 	secondLevelScriptTree, err := input.TaprootSecondLevelScriptTree(
-		req.KeyRing.RevocationKey, req.KeyRing.ToLocalKey,
+		tweakedKeyRing.RevocationKey, req.KeyRing.ToLocalKey,
 		req.CommitCsvDelay, lfn.None[txscript.TapLeaf](),
 	)
 	if err != nil {
@@ -2408,9 +2409,7 @@ func (a *AuxSweeper) registerAndBroadcastSweep(req *sweep.BumpRequest,
 	}
 
 	// Now that we have our vPkts, we'll re-create the output commitments.
-	outCommitments, err := tapsend.CreateOutputCommitments(
-		vPkts.allPkts(),
-	)
+	outCommitments, err := tapsend.CreateOutputCommitments(vPkts.allPkts())
 	if err != nil {
 		return fmt.Errorf("unable to create output "+
 			"commitments: %w", err)

tapchannel/commitment.go

@@ -1263,7 +1263,7 @@ func createSecondLevelHtlcAllocations(chanType channeldb.ChannelType,
 	initiator bool, htlcOutputs []*cmsg.AssetOutput, htlcAmt btcutil.Amount,
 	commitCsvDelay uint32, keys lnwallet.CommitmentKeyRing,
 	outputIndex fn.Option[uint32], htlcTimeout fn.Option[uint32],
-) ([]*Allocation, error) {
+	htlcIndex uint64) ([]*Allocation, error) {
 
 	// TODO(roasbeef): thaw height not implemented for taproot chans rn
 	// (lease expiry)
@@ -1284,6 +1284,13 @@ func createSecondLevelHtlcAllocations(chanType channeldb.ChannelType,
 			"script sibling: %w", err)
 	}
 
+	// To ensure uniqueness of the script key across HTLCs with the same
+	// payment hash and timeout (which would be equal otherwise), we tweak
+	// the asset level internal key of the second-level script key as well
+	// with the HTLC index. We'll ONLY use this for the asset level, NOT for
+	// the BTC level.
+	tweakedTree := TweakHtlcTree(htlcTree, htlcIndex)
+
 	allocations := []*Allocation{{
 		Type: SecondLevelHtlcAllocation,
 		// If we're making the second-level transaction just to sign,
@@ -1299,12 +1306,14 @@ func createSecondLevelHtlcAllocations(chanType channeldb.ChannelType,
 		),
 		InternalKey:    htlcTree.InternalKey,
 		NonAssetLeaves: sibling,
-		ScriptKey:      asset.NewScriptKey(htlcTree.TaprootKey),
+		ScriptKey:      asset.NewScriptKey(tweakedTree.TaprootKey),
 		SortTaprootKeyBytes: schnorr.SerializePubKey(
+			// This _must_ remain the non-tweaked key, since this is
+			// used for sorting _before_ applying any TAP tweaks.
 			htlcTree.TaprootKey,
 		),
-		// TODO(roasbeef): don't need it here?
-		CLTV: htlcTimeout.UnwrapOr(0),
+		CLTV:      htlcTimeout.UnwrapOr(0),
+		HtlcIndex: htlcIndex,
 	}}
 
 	return allocations, nil
@@ -1316,12 +1325,12 @@ func CreateSecondLevelHtlcPackets(chanState lnwallet.AuxChanState,
 	commitTx *wire.MsgTx, htlcAmt btcutil.Amount,
 	keys lnwallet.CommitmentKeyRing, chainParams *address.ChainParams,
 	htlcOutputs []*cmsg.AssetOutput, htlcTimeout fn.Option[uint32],
-) ([]*tappsbt.VPacket, []*Allocation, error) {
+	htlcIndex uint64) ([]*tappsbt.VPacket, []*Allocation, error) {
 
 	allocations, err := createSecondLevelHtlcAllocations(
 		chanState.ChanType, chanState.IsInitiator,
 		htlcOutputs, htlcAmt, uint32(chanState.LocalChanCfg.CsvDelay),
-		keys, fn.None[uint32](), htlcTimeout,
+		keys, fn.None[uint32](), htlcTimeout, htlcIndex,
 	)
 	if err != nil {
 		return nil, nil, err
@@ -1367,13 +1376,13 @@ func CreateSecondLevelHtlcTx(chanState lnwallet.AuxChanState,
 	commitTx *wire.MsgTx, htlcAmt btcutil.Amount,
 	keys lnwallet.CommitmentKeyRing, chainParams *address.ChainParams,
 	htlcOutputs []*cmsg.AssetOutput, htlcTimeout fn.Option[uint32],
-) (input.AuxTapLeaf, error) {
+	htlcIndex uint64) (input.AuxTapLeaf, error) {
 
 	none := input.NoneTapLeaf()
 
 	vPackets, allocations, err := CreateSecondLevelHtlcPackets(
 		chanState, commitTx, htlcAmt, keys, chainParams, htlcOutputs,
-		htlcTimeout,
+		htlcTimeout, htlcIndex,
 	)
 	if err != nil {
 		return none, fmt.Errorf("error creating second level HTLC "+