lightningnetwork
diff --git a/‎crypto.go‎
Lines changed: 32 additions & 2 deletions b/‎crypto.go‎
Lines changed: 32 additions & 2 deletions
diff --git a/‎path.go‎
Lines changed: 172 additions & 9 deletions b/‎path.go‎
Lines changed: 172 additions & 9 deletions
@@ -10,6 +10,7 @@ import (
 	"github.com/aead/chacha20"
 	"github.com/btcsuite/btcd/btcec/v2"
 	secp "github.com/decred/dcrd/dcrec/secp256k1/v4"
+	"golang.org/x/crypto/chacha20poly1305"
 )
 
 const (
@@ -19,6 +20,10 @@ const (
 	HMACSize = 32
 )
 
+// chaChaPolyZeroNonce is a slice of zero bytes used in the chacha20poly1305
+// encryption and decryption.
+var chaChaPolyZeroNonce [chacha20poly1305.NonceSize]byte
+
 // Hash256 is a statically sized, 32-byte array, typically containing
 // the output of a SHA256 hash.
 type Hash256 [sha256.Size]byte
@@ -61,8 +66,8 @@ func (p *PrivKeyECDH) PubKey() *btcec.PublicKey {
 // k is our private key, and P is the public key, we perform the following
 // operation:
 //
-//  sx := k*P
-//  s := sha256(sx.SerializeCompressed())
+//	sx := k*P
+//	s := sha256(sx.SerializeCompressed())
 //
 // NOTE: This is part of the SingleKeyECDH interface.
 func (p *PrivKeyECDH) ECDH(pub *btcec.PublicKey) ([32]byte, error) {
@@ -199,6 +204,31 @@ func blindBaseElement(blindingFactor btcec.ModNScalar) *btcec.PublicKey {
 	return priv.PubKey()
 }
 
+// chacha20polyEncrypt initialises the ChaCha20Poly1305 algorithm with the given
+// key and uses it to encrypt the passed message. This uses an all-zero nonce as
+// required by the route-blinding spec.
+func chacha20polyEncrypt(key, plainTxt []byte) ([]byte, error) {
+	aead, err := chacha20poly1305.New(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return aead.Seal(plainTxt[:0], chaChaPolyZeroNonce[:], plainTxt, nil),
+		nil
+}
+
+// chacha20polyDecrypt initialises the ChaCha20Poly1305 algorithm with the given
+// key and uses it to decrypt the passed cipher text. This uses an all-zero
+// nonce as required by the route-blinding spec.
+func chacha20polyDecrypt(key, cipherTxt []byte) ([]byte, error) {
+	aead, err := chacha20poly1305.New(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return aead.Open(cipherTxt[:0], chaChaPolyZeroNonce[:], cipherTxt, nil)
+}
+
 // sharedSecretGenerator is an interface that abstracts away exactly *how* the
 // shared secret for each hop is generated.
 //
 
@@ -1,18 +1,26 @@
 package sphinx
 
 import (
+	"errors"
+	"fmt"
+
 	"github.com/btcsuite/btcd/btcec/v2"
 )
 
-// NumMaxHops is the maximum path length. There is a maximum of 1300 bytes in
-// the routing info block. Legacy hop payloads are always 65 bytes, while tlv
-// payloads are at least 47 bytes (tlvlen 1, amt 2, timelock 2, nextchan 10,
-// hmac 32) for the intermediate hops and 37 bytes (tlvlen 1, amt 2, timelock 2,
-// hmac 32) for the exit hop. The maximum path length can therefore only be
-// reached by using tlv payloads only. With that, the maximum number of
-// intermediate hops is: Floor((1300 - 37) / 47) = 26. Including the exit hop,
-// the maximum path length is 27 hops.
-const NumMaxHops = 27
+const (
+	// NumMaxHops is the maximum path length. There is a maximum of 1300
+	// bytes in the routing info block. Legacy hop payloads are always 65
+	// bytes, while tlv payloads are at least 47 bytes (tlvlen 1, amt 2,
+	// timelock 2, nextchan 10, hmac 32) for the intermediate hops and 37
+	// bytes (tlvlen 1, amt 2, timelock 2, hmac 32) for the exit hop. The
+	// maximum path length can therefore only be reached by using tlv
+	// payloads only. With that, the maximum number of intermediate hops
+	// is: Floor((1300 - 37) / 47) = 26. Including the exit hop, the
+	// maximum path length is 27 hops.
+	NumMaxHops = 27
+
+	routeBlindingHMACKey = "blinded_node_id"
+)
 
 // PaymentPath represents a series of hops within the Lightning Network
 // starting at a sender and terminating at a receiver. Each hop contains a set
@@ -93,3 +101,158 @@ func (p *PaymentPath) TotalPayloadSize() int {
 
 	return totalSize
 }
+
+// BlindedPath represents all the data that the creator of a blinded path must
+// transmit to the builder of route that will send to this path.
+type BlindedPath struct {
+	// IntroductionPoint is the real node ID of the first hop in the blinded
+	// path. The sender should be able to find this node in the network
+	// graph and route to it.
+	IntroductionPoint *btcec.PublicKey
+
+	// BlindingPoint is the first ephemeral blinding point. This is the
+	// point that the introduction node will use in order to create a shared
+	// secret with the builder of the blinded route. This point will need
+	// to be communicated to the introduction node by the sender in some
+	// way.
+	BlindingPoint *btcec.PublicKey
+
+	// BlindedHops is a list of ordered BlindedHopInfo. Each entry
+	// represents a hop in the blinded path along with the encrypted data to
+	// be sent to that node. Note that the first entry in the list
+	// represents the introduction point of the path and so the node ID of
+	// this point does not strictly need to be transmitted to the sender
+	// since they will be able to derive the point using the BlindingPoint.
+	BlindedHops []*BlindedHopInfo
+}
+
+// BlindedHopInfo represents a blinded node pub key along with the encrypted
+// data for a node in a blinded route.
+type BlindedHopInfo struct {
+	// BlindedNodePub is the blinded public key of the node in the blinded
+	// route.
+	BlindedNodePub *btcec.PublicKey
+
+	// CipherText is the encrypted payload to be transported to the hop in
+	// the blinded route.
+	CipherText []byte
+}
+
+// HopInfo represents a real node pub key along with the plaintext data for a
+// node in a blinded route.
+type HopInfo struct {
+	// NodePub is the real public key of the node in the blinded route.
+	NodePub *btcec.PublicKey
+
+	// PlainText is the un-encrypted payload to be transported to the hop
+	// the blinded route.
+	PlainText []byte
+}
+
+// Encrypt uses the given sharedSecret to blind the public key of the node and
+// encrypt the payload and returns the resulting BlindedHopInfo.
+func (i *HopInfo) Encrypt(sharedSecret Hash256) (*BlindedHopInfo, error) {
+	blindedData, err := encryptBlindedHopData(sharedSecret, i.PlainText)
+	if err != nil {
+		return nil, err
+	}
+
+	return &BlindedHopInfo{
+		BlindedNodePub: blindNodeID(sharedSecret, i.NodePub),
+		CipherText:     blindedData,
+	}, nil
+}
+
+// BuildBlindedPath creates a new BlindedPath from a session key along with a
+// list of HopInfo representing the nodes in the blinded path. The first hop in
+// paymentPath is expected to be the introduction node.
+func BuildBlindedPath(sessionKey *btcec.PrivateKey,
+	paymentPath []*HopInfo) (*BlindedPath, error) {
+
+	if len(paymentPath) < 1 {
+		return nil, errors.New("at least 1 hop is required to create " +
+			"a blinded path")
+	}
+
+	bp := &BlindedPath{
+		IntroductionPoint: paymentPath[0].NodePub,
+		BlindingPoint:     sessionKey.PubKey(),
+		BlindedHops:       make([]*BlindedHopInfo, len(paymentPath)),
+	}
+
+	keys := make([]*btcec.PublicKey, len(paymentPath))
+	for i, p := range paymentPath {
+		keys[i] = p.NodePub
+	}
+
+	hopSharedSecrets, err := generateSharedSecrets(keys, sessionKey)
+	if err != nil {
+		return nil, fmt.Errorf("error generating shared secret: %v",
+			err)
+	}
+
+	for i, hop := range paymentPath {
+		blindedInfo, err := hop.Encrypt(hopSharedSecrets[i])
+		if err != nil {
+			return nil, err
+		}
+
+		bp.BlindedHops[i] = blindedInfo
+	}
+
+	return bp, nil
+}
+
+// blindNodeID blinds the given public key using the provided shared secret.
+func blindNodeID(sharedSecret Hash256,
+	pubKey *btcec.PublicKey) *btcec.PublicKey {
+
+	blindingFactorBytes := generateKey(routeBlindingHMACKey, &sharedSecret)
+
+	var blindingFactor btcec.ModNScalar
+	blindingFactor.SetBytes(&blindingFactorBytes)
+
+	return blindGroupElement(pubKey, blindingFactor)
+}
+
+// encryptBlindedHopData blinds/encrypts the given plain text data using the
+// provided shared secret.
+func encryptBlindedHopData(sharedSecret Hash256, plainTxt []byte) ([]byte,
+	error) {
+
+	rhoKey := generateKey("rho", &sharedSecret)
+
+	return chacha20polyEncrypt(rhoKey[:], plainTxt)
+}
+
+// decryptBlindedHopData decrypts the data encrypted by the creator of the
+// blinded route.
+func decryptBlindedHopData(privKey SingleKeyECDH, ephemPub *btcec.PublicKey,
+	encryptedData []byte) ([]byte, error) {
+
+	ss, err := privKey.ECDH(ephemPub)
+	if err != nil {
+		return nil, err
+	}
+
+	ssHash := Hash256(ss)
+	rho := generateKey("rho", &ssHash)
+
+	return chacha20polyDecrypt(rho[:], encryptedData)
+}
+
+// NextEphemeral computes the next ephemeral key given the current ephemeral
+// key and this node's private key.
+func NextEphemeral(privKey SingleKeyECDH,
+	ephemPub *btcec.PublicKey) (*btcec.PublicKey, error) {
+
+	ss, err := privKey.ECDH(ephemPub)
+	if err != nil {
+		return nil, err
+	}
+
+	blindingFactor := computeBlindingFactor(ephemPub, ss[:])
+	nextEphem := blindGroupElement(ephemPub, blindingFactor)
+
+	return nextEphem, nil
+}