input

package
v0.3.0-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 16, 2020 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// InputSize is the size of the fixed (always present) elements serialized,
	// stored and relayed for each transaction input. When calculating the full
	// serialized size of an input, add the length of the corresponding
	// sigScript and of the varint that encodes the length of the sigScript. It
	// is calculated as:
	//
	//		- PreviousOutPoint:                   ┐
	//		    - hash                32 bytes    │
	//		    - index                4 bytes    ├  Part of Prefix Serialization
	//		    - tree                 1 byte     │
	//		- Sequence                 4 bytes    │
	//		                                      ┘
	//		                                      ┐
	//		- ValueIn                8 bytes      │
	//		- Height                 4 bytes      ├  Part of Witness Serialization
	//		- Index                  4 bytes      │
	//		                                      ┘
	// Total: 57 bytes
	InputSize int64 = 32 + 4 + 1 + 4 + 8 + 4 + 4

	// OutputSize is the size of the fixed (always present) elements serialized,
	// stored and relayed for each transaction output. When calculating the full
	// serialized size of an output, add the length of the corresponding
	// pkscript and of the varint that encodes the length of the pkscript. It is
	// calculated as:
	//
	//		- Value                    8 bytes
	//		- ScriptVersion            2 bytes
	//
	// Total: 10 bytes
	OutputSize int64 = 8 + 2

	// P2PKHPkScriptSize is the size of a transaction output script that
	// pays to a compressed pubkey hash.  It is calculated as:
	//
	//		- OP_DUP                  1 byte
	//		- OP_HASH160              1 byte
	//		- OP_DATA_20              1 byte
	//		- pubkey hash            20 bytes
	//		- OP_EQUALVERIFY          1 byte
	//		- OP_CHECKSIG             1 byte
	//
	// Total: 25 bytes
	P2PKHPkScriptSize int64 = 1 + 1 + 1 + 20 + 1 + 1

	// P2SHPkScriptSize is the size of a transaction output script that
	// pays to a script hash.  It is calculated as:
	//
	//		- OP_HASH160               1 byte
	//		- OP_DATA_20               1 byte
	//		- script hash             20 bytes
	//		- OP_EQUAL                 1 byte
	//
	// Total: 23 bytes
	P2SHPkScriptSize int64 = 1 + 1 + 20 + 1

	// P2PKHSigScriptSize is the worst case (largest) serialize size of a
	// transaction input script that redeems a compressed P2PKH output. It is
	// calculated as:
	//
	//      - OP_DATA_73                 1 byte
	//      - signature+hash_type       73 bytes
	//      - OP_DATA_33                 1 byte
	//      - compressed pubkey         33 bytes
	//
	// Total: 108 bytes
	P2PKHSigScriptSize int64 = 1 + 73 + 1 + 33

	// AnchorRedeemScriptSize is the size of the redeem script used for
	// anchor outputs of commitment transactions.
	//
	// This is calculated as:
	//
	//      - pubkey_length 		 1 byte
	//      - pubkey			33 bytes
	//      - OP_CHECKSIG			 1 byte
	//      - OP_IFDUP			 1 byte
	//      - OP_NOTIF			 1 byte
	//              - OP_16			 1 byte
	//              - OP_CSV		 1 byte
	//      - OP_ENDIF			 1 byte
	//
	// Total: 40 bytes
	AnchorRedeemScriptSize = 1 + 33 + 6*1

	// FundingOutputSigScriptSize is the size of a sigScript used when
	// redeeming a funding transaction output. This includes signatures for
	// both alice's and bob's keys plus the 2-of-2 multisig redeemScript. It
	// is calculated as:
	//
	//		- OP_DATA_73                     1 byte
	//		- alice_sig+hash_type           73 bytes
	//		- OP_DATA_73                     1 byte
	//		- bob_sig+hash_type             73 bytes
	//		- OP_DATA_71                     1 byte
	//		- multisig_2of2_script          71 bytes
	//
	// Total: 220 bytes
	FundingOutputSigScriptSize int64 = 1 + 73 + 1 + 73 + 1 +
		multiSig2Of2RedeemScriptSize

	// ToLocalTimeoutSigScriptSize is the size of sigScript used when
	// redeeming a toLocalScript using the "timeout" code path.
	//
	//		- OP_DATA_73                     1 byte
	//		- local_delay_sig+hash_type     73 bytes
	//		- OP_0                           1 byte
	//		- OP_PUSHDATA1                   1 byte
	//		- 80                             1 byte
	//		- to_local_timeout script       80 bytes
	//
	// Total: 157 bytes
	ToLocalTimeoutSigScriptSize int64 = 1 + 73 + 1 + 1 + 1 +
		toLocalRedeemScriptSize

	// ToLocalPenaltySigScriptSize is the size of a sigScript used when
	// redeeming a toLocalScript using the "penalty" code path.
	//
	//		- OP_DATA_73                      1 byte
	//		- revocation_sig+hash_type       73 bytes
	//		- OP_TRUE                         1 byte
	//		- OP_PUSHDATA1                    1 byte
	//		- 80                              1 byte
	//		- to_local_timeout script        80 bytes
	//
	// Total: 157 bytes
	// old ToLocalPenaltyWitnessSize
	ToLocalPenaltySigScriptSize int64 = 1 + 73 + 1 + 1 + 1 +
		toLocalRedeemScriptSize

	// ToRemoteConfirmedRedeemScriptSize
	// 		- OP_DATA			 1 byte
	//		- to_remote_key			33 bytes
	//		- OP_CHECKSIGVERIFY		 1 byte
	//		- OP_1				 1 byte
	// 		- OP_CHECKSEQUENCEVERIFY	 1 byte
	//
	// Total: 37 bytes
	ToRemoteConfirmedRedeemScriptSize = 1 + 33 + 1 + 1 + 1

	// ToRemoteConfirmedWitnessSize
	//
	//		- OP_DATA_73			  1 byte
	//		- sender_sig + hash_type	 73 bytes
	//		- OP_DATA_37			  1 byte
	//		- confirmed_redeem_script	 37 bytes
	//
	// Total:
	ToRemoteConfirmedWitnessSize = 1 + 73 + 1 + ToRemoteConfirmedRedeemScriptSize

	// AcceptedHtlcTimeoutSigScriptSize is the size of a sigScript used
	// when redeeming an acceptedHtlcScript using the "timeout" code path.
	//
	//		- OP_DATA_73                      1 byte
	//		- sender_sig+hash_type           73 bytes
	//		- OP_0                            1 byte
	//		- OP_PUSHDATA1                    1 byte
	//		- 140                             1 byte
	//		- accepted_htlc script          145 bytes
	//
	// Total: 222 bytes
	AcceptedHtlcTimeoutSigScriptSize int64 = 1 + 73 + 1 + 1 + 1 +
		acceptedHtlcRedeemScriptSize

	// AcceptedHtlcSuccessSigScriptSize is the size of a sigScript used
	// when redeeming an acceptedHtlcScript using the "success" code path.
	//
	//		- OP_DATA_73                         1 byte
	//		- sig_alice+hash_type               73 bytes
	//		- OP_DATA_73                         1 byte
	//		- sig_bob+hash_type                 73 bytes
	//		- OP_DATA_32                         1 byte
	//		- payment_preimage                  32 bytes
	//		- OP_PUSHDATA1                       1 byte
	//		- 145                                1 byte
	//		- accepted_htlc script             145 bytes
	//
	// Total: 328 bytes
	AcceptedHtlcSuccessSigScriptSize int64 = 1 + 73 + 1 + 73 + 1 + 32 +
		1 + 1 + acceptedHtlcRedeemScriptSize

	// AcceptedHtlcPenaltySigScriptSize is the size of a sigScript used
	// when redeeming an acceptedHtlcScript using the "penalty" code path.
	//
	//		- OP_DATA_73                        1 byte
	//		- revocation_sig+hash_type         73 bytes
	//		- OP_DATA_33                        1 byte
	//		- revocation_key                   33 bytes
	//		- OP_PUSHDATA1                      1 byte
	//		- 140                               1 byte
	//		- accepted_htlc script            145 bytes
	//
	// Total: 255 bytes
	AcceptedHtlcPenaltySigScriptSize int64 = 1 + 73 + 1 + 33 + 1 + 1 +
		acceptedHtlcRedeemScriptSize

	// OfferedHtlcTimeoutSigScriptSize is the size of a sigScript used
	// when redeeming an offeredHtlcScript using the "timeout" code path.
	//
	//		- OP_DATA_73                         1 byte
	//		- sig_alice+hash_type               73 bytes
	//		- OP_DATA_73                         1 byte
	//		- sig_bob+hash_type                 73 bytes
	//		- OP_0                               1 byte
	//		- OP_PUSHDATA1                       1 byte
	//		- 137                                1 byte
	//		- offered_htlc script              137 bytes
	//
	// Total: 288 bytes
	OfferedHtlcTimeoutSigScriptSize int64 = 1 + 73 + 1 + 73 + 1 + 1 +
		1 + offeredHtlcRedeemScriptSize

	// OfferedHtlcSuccessSigScriptSize is the size of a sigScript used
	// when redeeming an offeredHtlcScript using the "success" code path.
	//
	//		- OP_DATA_73                      1 byte
	//		- receiver_sig+hash_type         73 bytes
	//		- OP_DATA_32                      1 byte
	//		- payment_preimage               32 bytes
	//		- OP_PUSHDATA1                    1 byte
	//		- 137                             1 byte
	//		- offered_htlc script           137 bytes
	//
	// Total: 246 bytes
	OfferedHtlcSuccessSigScriptSize int64 = 1 + 73 + 1 + 32 +
		1 + 1 + offeredHtlcRedeemScriptSize

	// OfferedHtlcPenaltySigScriptSize is the size of a sigScript used
	// when redeeming an offeredHtlcScript using the "penalty" code path.
	//
	//		- OP_DATA_73                      1 byte
	//		- revocation_sig+hash_type       73 bytes
	//		- OP_DATA_33                      1 byte
	//		- revocation_key                 33 bytes
	//		- OP_PUSHDATA1                    1 byte
	//		- 137                             1 byte
	//		- offered_htlc script           137 bytes
	//
	// Total: 247 bytes
	OfferedHtlcPenaltySigScriptSize int64 = 1 + 73 + 1 + 33 + 1 + 1 +
		offeredHtlcRedeemScriptSize

	// AnchorSigScriptSize is the size of the signature script used when
	// redeeming anchor outputs of commitment transactions.
	//
	// It is calculated as:
	//
	//      - signature_length			 1 byte
	//      - signature				73 bytes
	//      - anchor_script_length			 1 byte
	//      - anchor_script				40 bytes
	//
	// Total: 115 bytes
	AnchorSigScriptSize = 1 + 73 + 1 + AnchorRedeemScriptSize

	// AnchorAnyoneSigScriptSize is the size of the signature script used
	// when redeeming anchor outputs via the anyone-can-redeem branch of
	// the anchor script.
	//
	// It is calculated as:
	//
	//	- OP_FALSE 				 1 byte
	//	- anchor_script_length			 1 byte
	//	- anchor_script				40 bytes
	//
	// Total: 42 bytes
	AnchorAnyoneSigScriptSize = 1 + 1 + AnchorRedeemScriptSize

	// HTLCOutputSize is the size of an HTLC Output (a p2sh output) used in
	// commitment transactions.
	//
	//		- Output (value+version)        10 bytes
	//		- pkscript varint                1 byte
	//		- p2sh pkscript                 23 bytes
	//
	// Total: 34 bytes
	HTLCOutputSize int64 = OutputSize + 1 + P2SHPkScriptSize

	// CommitmentTxSize is the base size of a commitment transaction without any
	// HTLCs.
	//
	// Note: This uses 2 byte varints for output counts to account for the fact
	// that a full commitment transaction using the maximum allowed number of
	// HTLCs may use one extra byte for the output count varint.
	//
	// It is calculated as:
	//
	//		- base tx size                             12 bytes
	//		- input count prefix varint                 1 byte
	//		- input                                    57 bytes
	//		- output count prefix varint                3 bytes
	//		- remote output                            10 bytes
	//		- p2pkh remote varint                       1 byte
	//		- p2pkh remote pkscript                    25 bytes
	//		- local output                             10 bytes
	//		- p2sh local varint                         1 byte
	//		- p2sh local pkscript                      23 bytes
	//		- input count witness varint                1 byte
	//		- funding tx sigscript varint               1 byte
	//		- funding tx sigscript                    220 bytes
	//
	// Unfortunately, a previous version of this constant erroneously
	// listed the "output count prefix varint" as 2 bytes instead of the
	// correct 3 bytes, so we need to subtract this one byte otherwise
	// opening channels between new and old versions get broken and
	// channels are automatically closed upon new HTLCs.
	//
	// Total: 364 bytes
	CommitmentTxSize int64 = baseTxSize + 1 + InputSize + 3 +
		OutputSize + 1 + P2PKHPkScriptSize + OutputSize + 1 + P2SHPkScriptSize +
		1 + 1 + FundingOutputSigScriptSize + offByOneCompatDecrement

	// CommitmentWithAnchorsTxSize is the base size of a commitment
	// transaction that also contains 2 anchor outputs. It is based on the
	// original commitment tx size with the additional outputs added to it.
	//
	// Given the current limits for maximum number of HTLCs in a single
	// commitment tx, the addition of two outputs doesn't trigger a bump in
	// the varints for output counts.
	//
	// It is calculated as:
	//
	//		- CommitmentTxSize			364 bytes
	//		- remote anchor output			 10 bytes
	//		- p2sh remote varint			  1 byte
	//		- p2sh remote pkscript			 23 bytes
	//		- p2sh local anchor output		 10 bytes
	//		- p2sh local varint			  1 byte
	//		- p2sh local pkscript			 23 bytes
	//
	// Total: 432 bytes
	CommitmentWithAnchorsTxSize int64 = CommitmentTxSize + 2*OutputSize +
		2*1 + 2*P2SHPkScriptSize

	// HTLCTimeoutSize is the worst case (largest) size of the HTLC timeout
	// transaction which will transition an outgoing HTLC to the
	// delay-and-claim state. The worst case for a timeout transaction is
	// when redeeming an offered HTCL (which uses a larger sigScript). It
	// is calculated as:
	//
	//		- base tx size                                     12 bytes
	//		- input count prefix varint                         1 byte
	//		- input                                            57 bytes
	//		- output count prefix varint                        1 byte
	//		- output                                           10 bytes
	//		- p2sh pkscript varint                              1 byte
	//		- p2sh pkscript                                    23 bytes
	//		- input count witness varint                        1 byte
	//		- offered_htlc_timeout sigscript varint             3 bytes
	//		- offered_htlc_timeout sigscript                  287 bytes
	//
	// Total: 396 bytes
	//
	// Note that we subtract the htlcConfirmedScriptOverhead here to
	// account for the fact that this is the size of the unconfirmed
	// version of the timeout tx (that is, the one that uses the
	// offered_htlc_timeout redeem script without the extra csv check).
	//
	// Also note that due to a previous mistake in calculating the varint
	// size, the "offered_htlc_timeout sigscript varint" was initially one
	// byte smaller than it should have been (2 vs 3). We subtract this
	// byte so that new nodes can still send payments to older nodes. Not
	// doing this would mean HTLC timeout signatures exchanged duting a
	// commit_sig message become invalid.
	//
	// TODO(decred) Double check correctness of selected sigScript
	// alternative
	HTLCTimeoutTxSize int64 = baseTxSize + 1 + InputSize + 1 + OutputSize + 1 +
		P2SHPkScriptSize + 1 + 3 + OfferedHtlcTimeoutSigScriptSize -
		htlcConfirmedScriptOverhead + offByOneCompatDecrement

	// HTLCTimeoutConfirmedTxSize is the size of the HTLC timeout
	// transaction which will transition an outgoing HTLC to the
	// delay-and-claim state, for the confirmed HTLC outputs. It is 3 bytes
	// larger because of the additional CSV check in the input script.
	HTLCTimeoutConfirmedTxSize = HTLCTimeoutTxSize + htlcConfirmedScriptOverhead

	// HTLCSuccessSize is the worst case (largest) size of the HTLC success
	// transaction which will transition an HTLC tx to the delay-and-claim
	// state. The worst case for a success transaction is when redeeming an
	// accepted HTLC (which has a larger sigScript). It is calculated as:
	//
	//		- base tx Size                                   12 bytes
	//		- input count prefix varint                       1 byte
	//		- input                                          57 bytes
	//		- output count prefix varint                      1 byte
	//		- output                                         10 bytes
	//		- p2pkh pkscript varint                           1 byte
	//		- p2pkh pkscript                                 25 bytes
	//		- input count witness varint                      1 byte
	//		- accepted_htlc_success sigscript varint          3 bytes
	//		- accepted_htlc_timeout sigscript               326 bytes
	//
	// Total: 437 bytes
	//
	// Note that we subtract the htlcConfirmedScriptOverhead here to
	// account for the fact that this is the size of the unconfirmed
	// version of the timeout tx (that is, the one that uses the
	// offered_htlc_timeout redeem script without the extra csv check).
	//
	// TODO(decred) Double check correctness of selected sigScript
	// alternative
	HTLCSuccessTxSize int64 = baseTxSize + 1 + InputSize + 1 + OutputSize + 1 +
		P2PKHPkScriptSize + 1 + 3 + AcceptedHtlcSuccessSigScriptSize -
		htlcConfirmedScriptOverhead + offByOneCompatDecrement

	// HTLCSuccessConfirmedTxSize is the size of the HTLC success
	// transaction which will transition an incoming HTLC to the
	// delay-and-claim state, for the confirmed HTLC outputs. It is 3 bytes
	// larger because of the conditional CSV check in the input script.
	HTLCSuccessConfirmedTxSize = HTLCSuccessTxSize + htlcConfirmedScriptOverhead

	// MaxHTLCNumber is the maximum number HTLCs which can be included in a
	// commitment transaction. This limit was chosen such that, in the case
	// of a contract breach, the punishment transaction is able to sweep
	// all the HTLC's yet still remain below the widely used standard size
	// limits.
	//
	// This number is derived (as explained in BOLT-0005) by assuming a
	// penalty transaction will redeem the following elements (along with
	// their respective sizes):
	//
	// 		- base tx size				 12 bytes
	//		- output count varint			  1 byte
	//		- p2pkh output				 36 bytes
	//		- input count prefix varint		  3 bytes
	//		- input count witness varint		  3 bytes
	//		- to_remote commitment output
	//			- input 			 57 bytes
	//			- sigscript varint		  1 byte
	//			- 2-of-2 multisig sigscript 	220 bytes
	//		- to_local commitment output
	//			- input				 57 bytes
	//			- sigscript varint		  1 byte
	//			- to_local penalty sigscript	157 bytes
	//		- n accepted_htlc_penalty inputs
	//			- input				 57 bytes
	//			- sigscript varint		  3 bytes
	//			- sigscript			255 bytes
	//
	// The "n" maximum number of redeemable htlcs can thus be calculated
	// (where static_data is everything _except_ the variable number of
	// htlc outputs):
	//
	//	= (max_tx_size - static_data) / accepted_htlc_penalty_size
	//      = (  100000    -     548   )  /      (57 + 3 + 255)
	//      = 315 htlcs
	//
	// To guard for the fact that we might have made a mistake in the above
	// calculations, we'll further reduce this down by ~5% for the moment
	// until others have thoroughly reviewed these numbers.
	MaxHTLCNumber = 300
)
View Source
const LNTxVersion uint16 = 2

LNTxVersion is the version that transactions need to be defined to use so that they are usable as ln transactions.

View Source
const ScriptVerifyFlags = txscript.ScriptDiscourageUpgradableNops |
	txscript.ScriptVerifyCleanStack |
	txscript.ScriptVerifyCheckLockTimeVerify |
	txscript.ScriptVerifyCheckSequenceVerify |

	txscript.ScriptVerifySHA256 // consensus (lnfeatures)

ScriptVerifyFlags are the flags used in script VMs when testing LN-related scripts. These need to correspond to the current state of consensus rules necessary for LN operation and the overall standard mempool settings.

Variables

View Source
var (

	// AnchorWitnessSize 116 bytes
	AnchorWitnessSize = int64(dummyAnchorWitness.WitnessSerializeSize())
)
View Source
var (
	// ErrTweakOverdose signals a SignDescriptor is invalid because both of its
	// SingleTweak and DoubleTweak are non-nil.
	ErrTweakOverdose = errors.New("sign descriptor should only have one tweak")
)
View Source
var (

	// SequenceLockTimeSeconds is the 22nd bit which indicates the lock
	// time is in seconds.
	SequenceLockTimeSeconds = uint32(1 << 22)
)

Functions

func CommitScriptAnchor added in v0.3.0

func CommitScriptAnchor(key *secp256k1.PublicKey) ([]byte, error)

CommitScriptAnchor constructs the script for the anchor output spendable by the given key immediately, or by anyone after 16 confirmations.

Possible Input Scripts:

By owner:				<sig>
By anyone (after 16 conf):	<emptyvector>

Output Script:

<funding_pubkey> OP_CHECKSIG OP_IFDUP
OP_NOTIF
  OP_16 OP_CSV
OP_ENDIF

func CommitScriptToRemoteConfirmed added in v0.3.0

func CommitScriptToRemoteConfirmed(key *secp256k1.PublicKey) ([]byte, error)

CommitScriptToRemoteConfirmed constructs the script for the output on the commitment transaction paying to the remote party of said commitment transaction. The money can only be spend after one confirmation.

Possible Input Scripts:

SWEEP: <sig>

Output Script:

<key> OP_CHECKSIGVERIFY
1 OP_CHECKSEQUENCEVERIFY

func CommitScriptToSelf

func CommitScriptToSelf(csvTimeout uint32, selfKey, revokeKey *secp256k1.PublicKey) ([]byte, error)

CommitScriptToSelf constructs the public key script for the output on the commitment transaction paying to the "owner" of said commitment transaction. If the other party learns of the preimage to the revocation hash, then they can claim all the settled funds in the channel, plus the unsettled funds.

Possible Input Scripts:

REVOKE:     <sig> 1
SENDRSWEEP: <sig> <emptyvector>

Output Script:

OP_IF
    <revokeKey>
OP_ELSE
    <numRelativeBlocks> OP_CHECKSEQUENCEVERIFY OP_DROP
    <timeKey>
OP_ENDIF
OP_CHECKSIG

func CommitScriptUnencumbered

func CommitScriptUnencumbered(key *secp256k1.PublicKey) ([]byte, error)

CommitScriptUnencumbered constructs the public key script on the commitment transaction paying to the "other" party. The constructed output is a normal p2wkh output spendable immediately, requiring no contestation period.

func ComputeCommitmentPoint

func ComputeCommitmentPoint(commitSecret []byte) *secp256k1.PublicKey

ComputeCommitmentPoint generates a commitment point given a commitment secret. The commitment point for each state is used to randomize each key in the key-ring and also to used as a tweak to derive new public+private keys for the state.

func DeriveRevocationPrivKey

func DeriveRevocationPrivKey(revokeBasePriv *secp256k1.PrivateKey,
	commitSecret *secp256k1.PrivateKey) *secp256k1.PrivateKey

DeriveRevocationPrivKey derives the revocation private key given a node's commitment private key, and the preimage to a previously seen revocation hash. Using this derived private key, a node is able to claim the output within the commitment transaction of a node in the case that they broadcast a previously revoked commitment transaction.

The private key is derived as follows:

revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
              (commitSecret * sha256(commitPoint || revocationBase)) mod N

Where N is the order of the sub-group.

func DeriveRevocationPubkey

func DeriveRevocationPubkey(revokeBase, commitPoint *secp256k1.PublicKey) *secp256k1.PublicKey

DeriveRevocationPubkey derives the revocation public key given the counterparty's commitment key, and revocation preimage derived via a pseudo-random-function. In the event that we (for some reason) broadcast a revoked commitment transaction, then if the other party knows the revocation preimage, then they'll be able to derive the corresponding private key to this private key by exploiting the homomorphism in the elliptic curve group:

The derivation is performed as follows:

revokeKey := revokeBase * sha256(revocationBase || commitPoint) +
             commitPoint * sha256(commitPoint || revocationBase)

          := G*(revokeBasePriv * sha256(revocationBase || commitPoint)) +
             G*(commitSecret * sha256(commitPoint || revocationBase))

          := G*(revokeBasePriv * sha256(revocationBase || commitPoint) +
                commitSecret * sha256(commitPoint || revocationBase))

Therefore, once we divulge the revocation secret, the remote peer is able to compute the proper private key for the revokeKey by computing:

revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
              (commitSecret * sha256(commitPoint || revocationBase)) mod N

Where N is the order of the sub-group.

func EstimateCommitmentTxSize

func EstimateCommitmentTxSize(count int) int64

EstimateCommitmentTxSize estimates the size of a commitment transaction assuming that it has an additional 'count' HTLC outputs appended to it.

func FindScriptOutputIndex

func FindScriptOutputIndex(tx *wire.MsgTx, script []byte) (bool, uint32)

FindScriptOutputIndex finds the index of the public key script output matching 'script'. Additionally, a boolean is returned indicating if a matching output was found at all.

NOTE: The search stops after the first matching script is found.

func GenFundingPkScript

func GenFundingPkScript(aPub, bPub []byte, amt int64) ([]byte, *wire.TxOut, error)

GenFundingPkScript creates a redeem script, and its matching p2sh output for the funding transaction.

func GenMultiSigScript

func GenMultiSigScript(aPub, bPub []byte) ([]byte, error)

GenMultiSigScript generates the non-p2sh'd multisig script for 2 of 2 pubkeys.

func LockTimeToSequence

func LockTimeToSequence(isSeconds bool, locktime uint32) uint32

LockTimeToSequence converts the passed relative locktime to a sequence number in accordance to BIP-68. See: https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki * (Compatibility)

func ReadSignDescriptor

func ReadSignDescriptor(r io.Reader, sd *SignDescriptor) error

ReadSignDescriptor deserializes a SignDescriptor struct from the passed io.Reader stream.

func ReceiverHTLCScript

func ReceiverHTLCScript(cltvExpiry uint32, senderHtlcKey,
	receiverHtlcKey, revocationKey *secp256k1.PublicKey,
	paymentHash []byte, confirmedSpend bool) ([]byte, error)

ReceiverHTLCScript constructs the public key script for an incoming HTLC output payment for the receiver's version of the commitment transaction. The possible execution paths from this script include: * The receiver of the HTLC uses its second level HTLC transaction to advance the state of the HTLC into the delay+claim state. * The sender of the HTLC sweeps all the funds of the HTLC as a breached commitment was broadcast. * The sender of the HTLC sweeps the HTLC on-chain after the timeout period of the HTLC has passed.

If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation cases, to allow sweeping only after confirmation.

Possible Input Scripts:

RECVR: <sender sig> <recvr sig> <preimage> (spend using HTLC success transaction)
REVOK: <sig> <key>
SENDR: <sig> 0

OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL OP_IF

OP_CHECKSIG

OP_ELSE

<sendr htlc key>
OP_SWAP OP_SIZE 32 OP_EQUAL
OP_IF
    OP_HASH160 <ripemd160(payment hash)> OP_EQUALVERIFY
    2 OP_SWAP <recvr htlc key> 2 OP_CHECKMULTISIG
OP_ELSE
    OP_DROP <cltv expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
    OP_CHECKSIG
OP_ENDIF
[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed spend only.

OP_ENDIF

func ReplaceReceiverHtlcSpendRedeemPreimage

func ReplaceReceiverHtlcSpendRedeemPreimage(sigScript, preimage []byte) ([]byte, error)

ReplaceReceiverHtlcSpendRedeemPreimage replaces the pregimage in a sigScript generated by receiverHtlcSpendRedeemPreimage with the provided preimage. This will generate an undefined result script if the sigScript was *not* generated by the provided function (ie: this must be the sigScript of a SignedSuccessTx, used to redeem an HTLC).

This function returns the new sigScript to replace the older sigScript.

func Ripemd160H

func Ripemd160H(d []byte) []byte

Ripemd160H calculates the ripemd160 of the passed byte slice. This is used to calculate the intermediate hash for payment pre-images. Payment hashes are the result of ripemd160(sha256(paymentPreimage)). As a result, the value passed in should be the sha256 of the payment hash.

func ScriptHashPkScript

func ScriptHashPkScript(redeemScript []byte) ([]byte, error)

ScriptHashPkScript returns the p2sh pkscript for a given redeem script. This is ready to be included in a transaction output.

func SecondLevelHtlcScript

func SecondLevelHtlcScript(revocationKey, delayKey *secp256k1.PublicKey,
	csvDelay uint32) ([]byte, error)

SecondLevelHtlcScript is the uniform script that's used as the output for the second-level HTLC transactions. The second level transaction act as a sort of covenant, ensuring that a 2-of-2 multi-sig output can only be spent in a particular way, and to a particular output.

Possible Input Scripts:

  • To revoke an HTLC output that has been transitioned to the claim+delay state:

  • <revoke sig> 1

  • To claim and HTLC output, either with a pre-image or due to a timeout:

  • <delay sig> 0

OP_IF

<revoke key>

OP_ELSE

<delay in blocks>
OP_CHECKSEQUENCEVERIFY
OP_DROP
<delay key>

OP_ENDIF OP_CHECKSIG

TODO(roasbeef): possible renames for second-level

  • transition?
  • covenant output

func SenderHTLCScript

func SenderHTLCScript(senderHtlcKey, receiverHtlcKey,
	revocationKey *secp256k1.PublicKey, paymentHash []byte,
	confirmedSpend bool) ([]byte, error)

SenderHTLCScript constructs the public key script for an outgoing HTLC output payment for the sender's version of the commitment transaction. The possible script paths from this output include:

  • The sender timing out the HTLC using the second level HTLC timeout transaction.
  • The receiver of the HTLC claiming the output on-chain with the payment preimage.
  • The receiver of the HTLC sweeping all the funds in the case that a revoked commitment transaction bearing this HTLC was broadcast.

If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation cases, to allow sweeping only after confirmation.

Possible Input Scripts:

SENDR: <sendr sig> <recvr sig> <0> (spend using HTLC timeout transaction)
RECVR: <recvr sig> <preimage>
REVOK: <revoke sig> <revoke key>
 * receiver revoke

OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL OP_IF

OP_CHECKSIG

OP_ELSE

<recv htlc key>
OP_SWAP OP_SIZE 32 OP_EQUAL
OP_NOTIF
    OP_DROP 2 OP_SWAP <sender htlc key> 2 OP_CHECKMULTISIG
OP_ELSE
    OP_SHA256 OP_RIPEMD160 <ripemd160(payment hash)> OP_EQUALVERIFY
    OP_CHECKSIG
OP_ENDIF
[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed spend only.

OP_ENDIF

func SigScriptToWitnessStack

func SigScriptToWitnessStack(sigScript []byte) ([][]byte, error)

SigScriptToWitnessStack converts a signatureScript to a slice of data pushes (a witness stack). This is the inverse of the WitnessStackToSigScript operation.

This is currently restricted to a version 0 signature script.

func SingleTweakBytes

func SingleTweakBytes(commitPoint, basePoint *secp256k1.PublicKey) []byte

SingleTweakBytes computes set of bytes we call the single tweak. The purpose of the single tweak is to randomize all regular delay and payment base points. To do this, we generate a hash that binds the commitment point to the pay/delay base point. The end result is that the basePoint is tweaked as follows:

  • key = basePoint + sha256(commitPoint || basePoint)*G

func SpendMultiSig

func SpendMultiSig(witnessScript, pubA []byte, sigA Signature,
	pubB []byte, sigB Signature) [][]byte

SpendMultiSig generates the witness stack required to redeem the 2-of-2 p2sh multi-sig output.

func TweakPrivKey

func TweakPrivKey(basePriv *secp256k1.PrivateKey, commitTweak []byte) *secp256k1.PrivateKey

TweakPrivKey tweaks the private key of a public base point given a per commitment point. The per commitment secret is the revealed revocation secret for the commitment state in question. This private key will only need to be generated in the case that a channel counter party broadcasts a revoked state. Precisely, the following operation is used to derive a tweaked private key:

  • tweakPriv := basePriv + sha256(commitment || basePub) mod N

Where N is the order of the sub-group.

func TweakPubKey

func TweakPubKey(basePoint, commitPoint *secp256k1.PublicKey) *secp256k1.PublicKey

TweakPubKey tweaks a public base point given a per commitment point. The per commitment point is a unique point on our target curve for each commitment transaction. When tweaking a local base point for use in a remote commitment transaction, the remote party's current per commitment point is to be used. The opposite applies for when tweaking remote keys. Precisely, the following operation is used to "tweak" public keys:

tweakPub := basePoint + sha256(commitPoint || basePoint) * G
         := G*k + sha256(commitPoint || basePoint)*G
         := G*(k + sha256(commitPoint || basePoint))

Therefore, if a party possess the value k, the private key of the base point, then they are able to derive the proper private key for the revokeKey by computing:

revokePriv := k + sha256(commitPoint || basePoint) mod N

Where N is the order of the sub-group.

The rationale for tweaking all public keys used within the commitment contracts is to ensure that all keys are properly delinearized to avoid any funny business when jointly collaborating to compute public and private keys. Additionally, the use of the per commitment point ensures that each commitment state houses a unique set of keys which is useful when creating blinded channel outsourcing protocols.

TODO(roasbeef): should be using double-scalar mult here

func TweakPubKeyWithTweak

func TweakPubKeyWithTweak(pubKey *secp256k1.PublicKey, tweakBytes []byte) *secp256k1.PublicKey

TweakPubKeyWithTweak is the exact same as the TweakPubKey function, however it accepts the raw tweak bytes directly rather than the commitment point.

func WitnessStackToSigScript

func WitnessStackToSigScript(witness [][]byte) ([]byte, error)

WitnessStackToSigScript converts a witness stack, which is essentially just an array of byte slices, to the equivalent signature script such that each element in the witness stack is a data push.

func WriteSignDescriptor

func WriteSignDescriptor(w io.Writer, sd *SignDescriptor) error

WriteSignDescriptor serializes a SignDescriptor struct into the passed io.Writer stream.

NOTE: We assume the SigHashes and InputIndex fields haven't been assigned yet, since that is usually done just before broadcast by the witness generator.

Types

type BaseInput

type BaseInput struct {
	// contains filtered or unexported fields
}

BaseInput contains all the information needed to sweep a basic output (CSV/CLTV/no time lock)

func MakeBaseInput

func MakeBaseInput(outpoint *wire.OutPoint, witnessType WitnessType,
	signDescriptor *SignDescriptor, heightHint uint32) BaseInput

MakeBaseInput assembles a new BaseInput that can be used to construct a sweep transaction.

func NewBaseInput

func NewBaseInput(outpoint *wire.OutPoint, witnessType WitnessType,
	signDescriptor *SignDescriptor, heightHint uint32) *BaseInput

NewBaseInput allocates and assembles a new *BaseInput that can be used to construct a sweep transaction.

func NewCsvInput added in v0.3.0

func NewCsvInput(outpoint *wire.OutPoint, witnessType WitnessType,
	signDescriptor *SignDescriptor, heightHint uint32,
	blockToMaturity uint32) *BaseInput

NewCsvInput assembles a new csv-locked input that can be used to construct a sweep transaction.

func (*BaseInput) BlocksToMaturity

func (i *BaseInput) BlocksToMaturity() uint32

BlocksToMaturity returns the relative timelock, as a number of blocks, that must be built on top of the confirmation height before the output can be spent. For non-CSV locked inputs this is always zero.

func (*BaseInput) CraftInputScript

func (bi *BaseInput) CraftInputScript(signer Signer, txn *wire.MsgTx,
	txinIdx int) (*Script, error)

CraftInputScript returns a valid set of input scripts allowing this output to be spent. The returned input scripts should target the input at location txIndex within the passed transaction. The input scripts generated by this method support spending p2wkh, p2wsh, and also nested p2sh outputs.

func (*BaseInput) HeightHint

func (i *BaseInput) HeightHint() uint32

HeightHint returns the minimum height at which a confirmed spending tx can occur.

func (*BaseInput) OutPoint

func (i *BaseInput) OutPoint() *wire.OutPoint

OutPoint returns the breached output's identifier that is to be included as a transaction input.

func (*BaseInput) SignDesc

func (i *BaseInput) SignDesc() *SignDescriptor

SignDesc returns the breached output's SignDescriptor, which is used during signing to compute the witness.

func (*BaseInput) WitnessType

func (i *BaseInput) WitnessType() WitnessType

WitnessType returns the type of witness that must be generated to spend the breached output.

type HtlcSucceedInput

type HtlcSucceedInput struct {
	// contains filtered or unexported fields
}

HtlcSucceedInput constitutes a sweep input that needs a pre-image. The input is expected to reside on the commitment tx of the remote party and should not be a second level tx output.

func MakeHtlcSucceedInput

func MakeHtlcSucceedInput(outpoint *wire.OutPoint,
	signDescriptor *SignDescriptor, preimage []byte, heightHint,
	blocksToMaturity uint32) HtlcSucceedInput

MakeHtlcSucceedInput assembles a new redeem input that can be used to construct a sweep transaction.

func (*HtlcSucceedInput) BlocksToMaturity

func (i *HtlcSucceedInput) BlocksToMaturity() uint32

BlocksToMaturity returns the relative timelock, as a number of blocks, that must be built on top of the confirmation height before the output can be spent. For non-CSV locked inputs this is always zero.

func (*HtlcSucceedInput) CraftInputScript

func (h *HtlcSucceedInput) CraftInputScript(signer Signer, txn *wire.MsgTx,
	txinIdx int) (*Script, error)

CraftInputScript returns a valid set of input scripts allowing this output to be spent. The returns input scripts should target the input at location txIndex within the passed transaction. The input scripts generated by this method support spending p2wkh, p2wsh, and also nested p2sh outputs.

func (*HtlcSucceedInput) HeightHint

func (i *HtlcSucceedInput) HeightHint() uint32

HeightHint returns the minimum height at which a confirmed spending tx can occur.

func (*HtlcSucceedInput) OutPoint

func (i *HtlcSucceedInput) OutPoint() *wire.OutPoint

OutPoint returns the breached output's identifier that is to be included as a transaction input.

func (*HtlcSucceedInput) SignDesc

func (i *HtlcSucceedInput) SignDesc() *SignDescriptor

SignDesc returns the breached output's SignDescriptor, which is used during signing to compute the witness.

func (*HtlcSucceedInput) WitnessType

func (i *HtlcSucceedInput) WitnessType() WitnessType

WitnessType returns the type of witness that must be generated to spend the breached output.

type Input

type Input interface {
	// Outpoint returns the reference to the output being spent, used to
	// construct the corresponding transaction input.
	OutPoint() *wire.OutPoint

	// WitnessType returns an enum specifying the type of witness that must
	// be generated in order to spend this output.
	WitnessType() WitnessType

	// SignDesc returns a reference to a spendable output's sign
	// descriptor, which is used during signing to compute a valid witness
	// that spends this output.
	SignDesc() *SignDescriptor

	// CraftInputScript returns a valid set of input scripts allowing this
	// output to be spent. The returns input scripts should target the
	// input at location txIndex within the passed transaction. The input
	// scripts generated by this method support spending p2pkh and p2sh
	// outputs.
	CraftInputScript(signer Signer, txn *wire.MsgTx,
		txinIdx int) (*Script, error)

	// BlocksToMaturity returns the relative timelock, as a number of
	// blocks, that must be built on top of the confirmation height before
	// the output can be spent. For non-CSV locked inputs this is always
	// zero.
	BlocksToMaturity() uint32

	// HeightHint returns the minimum height at which a confirmed spending
	// tx can occur.
	HeightHint() uint32
}

Input represents an abstract UTXO which is to be spent using a sweeping transaction. The method provided give the caller all information needed to construct a valid input within a sweeping transaction to sweep this lingering UTXO.

type MockSigner

type MockSigner struct {
	Privkeys  []*secp256k1.PrivateKey
	NetParams *chaincfg.Params
}

MockSigner is a simple implementation of the Signer interface. Each one has a set of private keys in a slice and can sign messages using the appropriate one.

func (*MockSigner) ComputeInputScript

func (m *MockSigner) ComputeInputScript(tx *wire.MsgTx, signDesc *SignDescriptor) (*Script, error)

func (*MockSigner) SignOutputRaw

func (m *MockSigner) SignOutputRaw(tx *wire.MsgTx,
	signDesc *SignDescriptor) (Signature, error)

SignOutputRaw generates a signature for the passed transaction according to the data within the passed SignDescriptor.

type Script

type Script struct {
	// Witness is the full witness stack required to unlock this output.
	//
	// On decred this is used to store the individual elements used to
	// build the final signature script.
	Witness [][]byte

	//  SigScript contains the full signature script witness data.
	//
	// On Decred this is mostly unused since we use the invidual elements
	// of Witness above and convert to the final sig script by using the
	// WitnessStackToSigScript() function.
	SigScript []byte
}

InputScript represents any script inputs required to redeem a previous output. This struct is used rather than just a witness, or scripSig in order to accommodate nested p2sh which utilizes both types of input scripts.

type SignDescriptor

type SignDescriptor struct {
	// KeyDesc is a descriptor that precisely describes *which* key to use
	// for signing. This may provide the raw public key directly, or
	// require the Signer to re-derive the key according to the populated
	// derivation path.
	KeyDesc keychain.KeyDescriptor

	// SingleTweak is a scalar value that will be added to the private key
	// corresponding to the above public key to obtain the private key to
	// be used to sign this input. This value is typically derived via the
	// following computation:
	//
	//  * derivedKey = privkey + sha256(perCommitmentPoint || pubKey) mod N
	//
	// NOTE: If this value is nil, then the input can be signed using only
	// the above public key. Either a SingleTweak should be set or a
	// DoubleTweak, not both.
	SingleTweak []byte

	// DoubleTweak is a private key that will be used in combination with
	// its corresponding private key to derive the private key that is to
	// be used to sign the target input. Within the Lightning protocol,
	// this value is typically the commitment secret from a previously
	// revoked commitment transaction. This value is in combination with
	// two hash values, and the original private key to derive the private
	// key to be used when signing.
	//
	//  * k = (privKey*sha256(pubKey || tweakPub) +
	//        tweakPriv*sha256(tweakPub || pubKey)) mod N
	//
	// NOTE: If this value is nil, then the input can be signed using only
	// the above public key. Either a SingleTweak should be set or a
	// DoubleTweak, not both.
	DoubleTweak *secp256k1.PrivateKey

	// WitnessScript is the full script required to properly redeem the
	// output. This field will only be populated if a p2sh
	// output is being signed.
	//
	// On Decred this is usually referred to as the "redeemScript".
	WitnessScript []byte

	// Output is the target output which should be signed. The PkScript and
	// Value fields within the output should be properly populated,
	// otherwise an invalid signature may be generated.
	Output *wire.TxOut

	// HashType is the target sighash type that should be used when
	// generating the final sighash, and signature.
	HashType txscript.SigHashType

	// InputIndex is the target input within the transaction that should be
	// signed.
	InputIndex int
}

SignDescriptor houses the necessary information required to successfully sign a given output. This struct is used by the Signer interface in order to gain access to critical data needed to generate a valid signature.

type Signature added in v0.3.0

type Signature interface {
	// Serialize returns a DER-encoded ECDSA signature.
	Serialize() []byte

	// Verify return true if the ECDSA signature is valid for the passed
	// message digest under the provided public key.
	Verify([]byte, *secp256k1.PublicKey) bool
}

Signature is an interface for objects that can populate signatures during witness construction.

type Signer

type Signer interface {
	// SignOutputRaw generates a signature for the passed transaction
	// according to the data within the passed SignDescriptor.
	//
	// NOTE: The resulting signature should be void of a sighash byte.
	SignOutputRaw(tx *wire.MsgTx,
		signDesc *SignDescriptor) (Signature, error)

	// ComputeInputScript generates a complete InputIndex for the passed
	// transaction with the signature as defined within the passed
	// SignDescriptor. This method should be capable of generating the
	// proper input script for regular p2pkh.
	//
	// NOTE: This method will ignore any tweak parameters set within the
	// passed SignDescriptor as it assumes a set of typical script
	// templates (p2wkh, np2wkh, etc).
	ComputeInputScript(tx *wire.MsgTx, signDesc *SignDescriptor) (*Script, error)
}

Signer represents an abstract object capable of generating raw signatures as well as full complete input scripts given a valid SignDescriptor and transaction. This interface fully abstracts away signing paving the way for Signer implementations such as hardware wallets, hardware tokens, HSM's, or simply a regular wallet.

type StandardWitnessType added in v0.3.0

type StandardWitnessType uint16

StandardWitnessType is a numeric representation of standard pre-defined types of witness configurations.

const (
	// CommitmentTimeLock is a witness that allows us to spend our output
	// on our local commitment transaction after a relative lock-time
	// lockout.
	CommitmentTimeLock StandardWitnessType = 0

	// CommitmentNoDelay is a witness that allows us to spend a settled
	// no-delay output immediately on a counterparty's commitment
	// transaction.
	CommitmentNoDelay StandardWitnessType = 1

	// CommitmentRevoke is a witness that allows us to sweep the settled
	// output of a malicious counterparty's who broadcasts a revoked
	// commitment transaction.
	CommitmentRevoke StandardWitnessType = 2

	// HtlcOfferedRevoke is a witness that allows us to sweep an HTLC which
	// we offered to the remote party in the case that they broadcast a
	// revoked commitment state.
	HtlcOfferedRevoke StandardWitnessType = 3

	// HtlcAcceptedRevoke is a witness that allows us to sweep an HTLC
	// output sent to us in the case that the remote party broadcasts a
	// revoked commitment state.
	HtlcAcceptedRevoke StandardWitnessType = 4

	// HtlcOfferedTimeoutSecondLevel is a witness that allows us to sweep
	// an HTLC output that we extended to a party, but was never fulfilled.
	// This HTLC output isn't directly on the commitment transaction, but
	// is the result of a confirmed second-level HTLC transaction. As a
	// result, we can only spend this after a CSV delay.
	HtlcOfferedTimeoutSecondLevel StandardWitnessType = 5

	// HtlcAcceptedSuccessSecondLevel is a witness that allows us to sweep
	// an HTLC output that was offered to us, and for which we have a
	// payment preimage. This HTLC output isn't directly on our commitment
	// transaction, but is the result of confirmed second-level HTLC
	// transaction. As a result, we can only spend this after a CSV delay.
	HtlcAcceptedSuccessSecondLevel StandardWitnessType = 6

	// HtlcOfferedRemoteTimeout is a witness that allows us to sweep an
	// HTLC that we offered to the remote party which lies in the
	// commitment transaction of the remote party. We can spend this output
	// after the absolute CLTV timeout of the HTLC as passed.
	HtlcOfferedRemoteTimeout StandardWitnessType = 7

	// HtlcAcceptedRemoteSuccess is a witness that allows us to sweep an
	// HTLC that was offered to us by the remote party. We use this witness
	// in the case that the remote party goes to chain, and we know the
	// pre-image to the HTLC. We can sweep this without any additional
	// timeout.
	HtlcAcceptedRemoteSuccess StandardWitnessType = 8

	// HtlcSecondLevelRevoke is a witness that allows us to sweep an HTLC
	// from the remote party's commitment transaction in the case that the
	// broadcast a revoked commitment, but then also immediately attempt to
	// go to the second level to claim the HTLC.
	HtlcSecondLevelRevoke StandardWitnessType = 9

	// WitnessKeyHash is a witness type that allows us to spend a regular
	// p2wkh output that's sent to an output which is under complete
	// control of the backing wallet.
	WitnessKeyHash StandardWitnessType = 10

	// NestedWitnessKeyHash is a witness type that allows us to sweep an
	// output that sends to a nested P2SH script that pays to a key solely
	// under our control. The witness generated needs to include the
	NestedWitnessKeyHash StandardWitnessType = 11

	// PublicKeyHash is a witness type that allows us to sweep an output
	// that sends to a standard p2pkh script that pays to a key solely
	// under the control of the backing wallet.
	//
	// NOTE(decred): The value was chosen so that it won't conflict with
	// future new types added to the upstream lnd project.
	PublicKeyHash StandardWitnessType = 901

	// CommitSpendNoDelayTweakless is similar to the CommitSpendNoDelay
	// type, but it omits the tweak that randomizes the key we need to
	// spend with a channel peer supplied set of randomness.
	CommitSpendNoDelayTweakless StandardWitnessType = 12

	// CommitmentToRemoteConfirmed is a witness that allows us to spend our
	// output on the counterparty's commitment transaction after a
	// confirmation.
	CommitmentToRemoteConfirmed StandardWitnessType = 13

	// CommitmentAnchor is a witness that allows us to spend our anchor on
	// the commitment transaction.
	CommitmentAnchor StandardWitnessType = 14
)

func (StandardWitnessType) AddSizeEstimation added in v0.3.0

func (wt StandardWitnessType) AddSizeEstimation(e *TxSizeEstimator) error

AddSizeEstimation adds the estimated size of the witness in bytes to the given weight estimator.

NOTE: This is part of the WitnessType interface.

func (StandardWitnessType) SizeUpperBound added in v0.3.0

func (wt StandardWitnessType) SizeUpperBound() (int64, bool, error)

SizeUpperBound returns the maximum length of the witness of this witness type if it would be included in a tx. We also return if the output itself is a nested p2sh output, if so then we need to take into account the extra sigScript data size.

NOTE: This is part of the WitnessType interface.

func (StandardWitnessType) String added in v0.3.0

func (wt StandardWitnessType) String() string

String returns a human readable version of the target WitnessType.

NOTE: This is part of the WitnessType interface.

func (StandardWitnessType) WitnessGenerator added in v0.3.0

func (wt StandardWitnessType) WitnessGenerator(signer Signer,
	descriptor *SignDescriptor) WitnessGenerator

WitnessGenerator will return a WitnessGenerator function that an output uses to generate the witness and optionally the sigScript for a sweep transaction. The sigScript will be generated if the witness type warrants one for spending, such as the NestedWitnessKeyHash witness type.

NOTE: This is part of the WitnessType interface.

type TxSizeEstimator

type TxSizeEstimator struct {
	InputSize  int64
	OutputSize int64
	// contains filtered or unexported fields
}

TxSizeEstimator is able to calculate size estimates for transactions based on the input and output types. For purposes of estimation, all signatures are assumed to be of the maximum possible size, 73 bytes. Each method of the estimator returns an instance with the estimate applied. This allows callers to chain each of the methods

func (*TxSizeEstimator) AddCustomInput

func (twe *TxSizeEstimator) AddCustomInput(sigScriptSize int64) *TxSizeEstimator

AddCustomInput updates the size estimate to account for an additional input, such that the caller is responsible for specifying the full estimated size of the sigScript.

Note that the caller is entirely responsible for calculating the correct size of the sigScript. This function only adds the overhead of the fixed input data (prefix serialization) and of the varint for recording the sigScript size.

func (*TxSizeEstimator) AddP2PKHInput

func (twe *TxSizeEstimator) AddP2PKHInput() *TxSizeEstimator

AddP2PKHInput updates the size estimate to account for an additional input spending a P2PKH output.

func (*TxSizeEstimator) AddP2PKHOutput

func (twe *TxSizeEstimator) AddP2PKHOutput() *TxSizeEstimator

AddP2PKHOutput updates the size estimate to account for an additional P2PKH output.

func (*TxSizeEstimator) AddP2SHOutput

func (twe *TxSizeEstimator) AddP2SHOutput() *TxSizeEstimator

AddP2SHOutput updates the size estimate to account for an additional P2SH output.

func (*TxSizeEstimator) Size

func (twe *TxSizeEstimator) Size() int64

Size gets the estimated size of the transaction.

type TxWitness

type TxWitness [][]byte

TxWitness represents the witness data for a transaction.

func CommitSpendAnchor added in v0.3.0

func CommitSpendAnchor(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

CommitSpendAnchor constructs a valid witness allowing a node to spend their anchor output on the commitment transaction using their funding key. This is used for the anchor channel type.

func CommitSpendAnchorAnyone added in v0.3.0

func CommitSpendAnchorAnyone(script []byte) (TxWitness, error)

CommitSpendAnchorAnyone constructs a witness allowing anyone to spend the anchor output after it has gotten 16 confirmations. Since no signing is required, only knowledge of the redeem script is necessary to spend it.

func CommitSpendNoDelay

func CommitSpendNoDelay(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, tweakless bool) (TxWitness, error)

CommitSpendNoDelay constructs a valid witness allowing a node to spend their settled no-delay output on the counterparty's commitment transaction. If the tweakless field is true, then we'll omit the set where we tweak the pubkey with a random set of bytes, and use it directly in the witness stack.

NOTE: The passed SignDescriptor should include the raw (untweaked) public key of the receiver and also the proper single tweak value based on the current commitment point.

func CommitSpendRevoke

func CommitSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

CommitSpendRevoke constructs a valid witness allowing a node to sweep the settled output of a malicious counterparty who broadcasts a revoked commitment transaction.

NOTE: The passed SignDescriptor should include the raw (untweaked) revocation base public key of the receiver and also the proper double tweak value based on the commitment secret of the revoked commitment.

func CommitSpendTimeout

func CommitSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

CommitSpendTimeout constructs a valid witness allowing the owner of a particular commitment transaction to spend the output returning settled funds back to themselves after a relative block timeout. In order to properly spend the transaction, the target input's sequence number should be set accordingly based off of the target relative block timeout within the redeem script. Additionally, OP_CSV requires that the version of the transaction spending a pkscript with OP_CSV within it *must* be >= 2.

func CommitSpendToRemoteConfirmed added in v0.3.0

func CommitSpendToRemoteConfirmed(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

CommitSpendToRemoteConfirmed constructs a valid witness allowing a node to spend their settled output on the counterparty's commitment transaction when it has one confirmetion. This is used for the anchor channel type. The spending key will always be non-tweaked for this output type.

func HtlcSecondLevelSpend

func HtlcSecondLevelSpend(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

HtlcSecondLevelSpend exposes the public witness generation function for spending an HTLC success transaction, either due to an expiring time lock or having had the payment preimage. This method is able to spend any second-level HTLC transaction, assuming the caller sets the locktime or seqno properly.

NOTE: The caller MUST set the txn version, sequence number, and sign descriptor's sig hash cache before invocation.

func HtlcSpendRevoke

func HtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	revokeTx *wire.MsgTx) (TxWitness, error)

HtlcSpendRevoke spends a second-level HTLC output. This function is to be used by the sender or receiver of an HTLC to claim the HTLC after a revoked commitment transaction was broadcast.

func HtlcSpendSuccess

func HtlcSpendSuccess(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, csvDelay uint32) (TxWitness, error)

HtlcSpendSuccess spends a second-level HTLC output. This function is to be used by the sender of an HTLC to claim the output after a relative timeout or the receiver of the HTLC to claim on-chain with the pre-image.

func ReceiverHtlcSpendRedeem

func ReceiverHtlcSpendRedeem(senderSig Signature,
	senderSigHash txscript.SigHashType, paymentPreimage []byte,
	signer Signer, signDesc *SignDescriptor, htlcSuccessTx *wire.MsgTx) (
	TxWitness, error)

ReceiverHtlcSpendRedeem constructs a valid witness allowing the receiver of an HTLC to redeem the conditional payment in the event that their commitment transaction is broadcast. This clause transitions the state of the HLTC output into the delay+claim state by activating the off-chain covenant bound by the 2-of-2 multi-sig output. The HTLC success timeout transaction being signed has a relative timelock delay enforced by its sequence number. This delay give the sender of the HTLC enough time to revoke the output if this is a breach commitment transaction.

func ReceiverHtlcSpendRevoke

func ReceiverHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

ReceiverHtlcSpendRevoke constructs a valid witness allowing the sender of an HTLC within a previously revoked commitment transaction to re-claim the pending funds in the case that the receiver broadcasts this revoked commitment transaction. This method first derives the appropriate revocation key, and requires that the provided SignDescriptor has a local revocation basepoint and commitment secret in the PubKey and DoubleTweak fields, respectively.

func ReceiverHtlcSpendTimeout

func ReceiverHtlcSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, cltvExpiry int32) (TxWitness, error)

ReceiverHtlcSpendTimeout constructs a valid witness allowing the sender of an HTLC to recover the pending funds after an absolute timeout in the scenario that the receiver of the HTLC broadcasts their version of the commitment transaction. If the caller has already set the lock time on the spending transaction, than a value of -1 can be passed for the cltvExpiry value.

NOTE: The target input of the passed transaction MUST NOT have a final sequence number. Otherwise, the OP_CHECKLOCKTIMEVERIFY check will fail.

func SenderHtlcSpendRedeem

func SenderHtlcSpendRedeem(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, paymentPreimage []byte) (TxWitness, error)

SenderHtlcSpendRedeem constructs a valid witness allowing the receiver of an HTLC to redeem the pending output in the scenario that the sender broadcasts their version of the commitment transaction. A valid spend requires knowledge of the payment preimage, and a valid signature under the receivers public key.

func SenderHtlcSpendRevoke

func SenderHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error)

SenderHtlcSpendRevoke constructs a valid witness allowing the receiver of an HTLC to claim the output with knowledge of the revocation private key in the scenario that the sender of the HTLC broadcasts a previously revoked commitment transaction. This method first derives the appropriate revocation key, and requires that the provided SignDescriptor has a local revocation basepoint and commitment secret in the PubKey and DoubleTweak fields, respectively.

func SenderHtlcSpendTimeout

func SenderHtlcSpendTimeout(receiverSig Signature,
	receiverSigHash txscript.SigHashType, signer Signer,
	signDesc *SignDescriptor, htlcTimeoutTx *wire.MsgTx) (
	TxWitness, error)

SenderHtlcSpendTimeout constructs a valid witness allowing the sender of an HTLC to activate the time locked covenant clause of a soon to be expired HTLC. This script simply spends the multi-sig output using the pre-generated HTLC timeout transaction.

func (TxWitness) WitnessSerializeSize added in v0.3.0

func (t TxWitness) WitnessSerializeSize() int

WitnessSerializeSize returns the number of bytes it would take to serialize the given slice as if it were a bitcoin witness program.

Note: this is only used as an acessory in certain tests in Decred.

type WitnessGenerator

type WitnessGenerator func(tx *wire.MsgTx, inputIndex int) (*Script, error)

WitnessGenerator represents a function that is able to generate the final witness for a particular public key script. Additionally, if required, this function will also return the sigScript for spending nested P2SH witness outputs. This function acts as an abstraction layer, hiding the details of the underlying script.

type WitnessType

type WitnessType interface {
	// String returns a human readable version of the WitnessType.
	String() string

	// WitnessGenerator will return a WitnessGenerator function that an
	// output uses to generate the witness and optionally the sigScript for
	// a sweep transaction.
	WitnessGenerator(signer Signer,
		descriptor *SignDescriptor) WitnessGenerator

	// SizeUpperBound returns the maximum length of the SigScript of this
	// WitnessType if it would be included in a tx. It also returns if the
	// output itself is a nested p2sh output, if so then we need to take
	// into account the extra sigScript data size.
	SizeUpperBound() (int64, bool, error)

	// AddSizeEstimation adds the estimated size of the witness in bytes to
	// the given weight estimator.
	AddSizeEstimation(e *TxSizeEstimator) error
}

WitnessType determines how an output's witness will be generated. This interface can be implemented to be used for custom sweep scripts if the pre-defined StandardWitnessType list doesn't provide a suitable one.

NOTE(decred): This would ordinarily be called 'SigScriptType'.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL