Implement simple taproot channels

This matches changes done on Eclair, and adds support for taproot channels (including splices) with the same TLV extensions.
Support for signing commit tx with alternative feerates is not implemented.

Author: sstone

modules/core/src/commonMain/kotlin/fr/acinq/lightning/Features.kt

@@ -217,6 +217,13 @@ sealed class Feature {
         override val scopes: Set<FeatureScope> get() = setOf(FeatureScope.Init, FeatureScope.Node)
     }
 
+    // README: this is not the feature bit specified in the BOLT, this one is specific to Phoenix
+    @Serializable
+    object SimpleTaprootChannels : Feature() {
+        override val rfcName get() = "simple_taproot_channels"
+        override val mandatory get() = 564
+        override val scopes: Set<FeatureScope> get() = setOf(FeatureScope.Init, FeatureScope.Node)
+    }
 }
 
 @Serializable
@@ -294,7 +301,8 @@ data class Features(val activated: Map<Feature, FeatureSupport>, val unknown: Se
             Feature.WakeUpNotificationProvider,
             Feature.ExperimentalSplice,
             Feature.OnTheFlyFunding,
-            Feature.FundingFeeCredit
+            Feature.FundingFeeCredit,
+            Feature.SimpleTaprootChannels
         )
 
         operator fun invoke(bytes: ByteVector): Features = invoke(bytes.toByteArray())

modules/core/src/commonMain/kotlin/fr/acinq/lightning/channel/ChannelException.kt

@@ -92,4 +92,7 @@ data class PleasePublishYourCommitment             (override val channelId: Byte
 data class CommandUnavailableInThisState           (override val channelId: ByteVector32, val state: String) : ChannelException(channelId, "cannot execute command in state=$state")
 data class ForbiddenDuringSplice                   (override val channelId: ByteVector32, val command: String?) : ChannelException(channelId, "cannot process $command while splicing")
 data class InvalidSpliceRequest                    (override val channelId: ByteVector32) : ChannelException(channelId, "invalid splice request")
+data class MissingCommitNonce                      (override val channelId: ByteVector32, val fundingTxId: TxId, val commitmentNumber: Long) : ChannelException(channelId, "missing commit nonce for funding tx $fundingTxId commitmentNumber $commitmentNumber")
+data class InvalidCommitNonce                      (override val channelId: ByteVector32, val fundingTxId: TxId, val commitmentNumber: Long) : ChannelException(channelId, "invalid commit nonce for funding tx $fundingTxId commitmentNumber $commitmentNumber")
+data class MissingClosingNonce                     (override val channelId: ByteVector32) : ChannelException(channelId, "missing closing nonce")
 // @formatter:on

modules/core/src/commonMain/kotlin/fr/acinq/lightning/channel/ChannelFeatures.kt

@@ -32,7 +32,7 @@ data class ChannelFeatures(val features: Set<Feature>) {
          * In addition to channel types features, the following features will be added to the permanent channel features if they
          * are supported by both peers.
          */
-        private val permanentChannelFeatures = setOf(Feature.DualFunding)
+        private val permanentChannelFeatures: Set<Feature> = setOf(Feature.DualFunding, Feature.SimpleTaprootChannels)
     }
 
 }
@@ -65,6 +65,12 @@ sealed class ChannelType {
             override val commitmentFormat: Transactions.CommitmentFormat get() = Transactions.CommitmentFormat.AnchorOutputs
         }
 
+        object SimpleTaprootChannels : SupportedChannelType() {
+            override val name: String get() = "simple_taproot_channel"
+            override val features: Set<Feature> get() = setOf(Feature.SimpleTaprootChannels, Feature.ZeroReserveChannels)
+            override val permanentChannelFeatures: Set<Feature> get() = setOf()
+            override val commitmentFormat: Transactions.CommitmentFormat get() = Transactions.CommitmentFormat.SimpleTaprootChannels
+        }
     }
 
     data class UnsupportedChannelType(val featureBits: Features) : ChannelType() {
@@ -79,6 +85,7 @@ sealed class ChannelType {
         // NB: Bolt 2: features must exactly match in order to identify a channel type.
         fun fromFeatures(features: Features): ChannelType = when (features) {
             // @formatter:off
+            Features(Feature.SimpleTaprootChannels to FeatureSupport.Mandatory, Feature.ZeroReserveChannels to FeatureSupport.Mandatory) -> SupportedChannelType.SimpleTaprootChannels
             Features(Feature.StaticRemoteKey to FeatureSupport.Mandatory, Feature.AnchorOutputs to FeatureSupport.Mandatory, Feature.ZeroReserveChannels to FeatureSupport.Mandatory) -> SupportedChannelType.AnchorOutputsZeroReserve
             Features(Feature.StaticRemoteKey to FeatureSupport.Mandatory, Feature.AnchorOutputs to FeatureSupport.Mandatory) -> SupportedChannelType.AnchorOutputs
             else -> UnsupportedChannelType(features)

modules/core/src/commonMain/kotlin/fr/acinq/lightning/channel/Commitments.kt

@@ -16,6 +16,7 @@ import fr.acinq.lightning.channel.states.ChannelContext
 import fr.acinq.lightning.crypto.ChannelKeys
 import fr.acinq.lightning.crypto.KeyManager
 import fr.acinq.lightning.crypto.LocalCommitmentKeys
+import fr.acinq.lightning.crypto.NonceGenerator
 import fr.acinq.lightning.crypto.RemoteCommitmentKeys
 import fr.acinq.lightning.crypto.ShaChain
 import fr.acinq.lightning.logging.MDCLogger
@@ -34,6 +35,7 @@ import fr.acinq.lightning.transactions.incomings
 import fr.acinq.lightning.transactions.outgoings
 import fr.acinq.lightning.utils.*
 import fr.acinq.lightning.wire.*
+import kotlinx.serialization.Transient
 import kotlin.math.min
 
 /** Static channel parameters shared by all commitments. */
@@ -63,7 +65,7 @@ data class RemoteChanges(val proposed: List<UpdateMessage>, val acked: List<Upda
     val all: List<UpdateMessage> get() = proposed + signed + acked
 }
 
-/** Changes are applied to all commitments, and must be be valid for all commitments. */
+/** Changes are applied to all commitments, and must be valid for all commitments. */
 data class CommitmentChanges(val localChanges: LocalChanges, val remoteChanges: RemoteChanges, val localNextHtlcId: Long, val remoteNextHtlcId: Long) {
     fun addLocalProposal(proposal: UpdateMessage): CommitmentChanges = copy(localChanges = localChanges.copy(proposed = localChanges.proposed + proposal))
 
@@ -130,7 +132,20 @@ data class LocalCommit(val index: Long, val spec: CommitmentSpec, val txId: TxId
                 commitmentFormat = commitmentFormat,
                 spec = spec,
             )
-            if (!localCommitTx.checkRemoteSig(fundingKey.publicKey(), remoteFundingPubKey, commit.signature)) {
+            val remoteSigOk = when (commitmentFormat) {
+                Transactions.CommitmentFormat.SimpleTaprootChannels ->
+                    when (commit.sigOrPartialSig) {
+                        is ChannelSpendSignature.PartialSignatureWithNonce -> {
+                            val localNonce = NonceGenerator.verificationNonce(commitInput.outPoint.txid, fundingKey, remoteFundingPubKey, localCommitIndex)
+                            localCommitTx.checkRemotePartialSignature(fundingKey.publicKey(), remoteFundingPubKey, commit.sigOrPartialSig, localNonce.publicNonce)
+                        }
+
+                        is ChannelSpendSignature.IndividualSignature -> false
+                    }
+
+                else -> localCommitTx.checkRemoteSig(fundingKey.publicKey(), remoteFundingPubKey, commit.signature)
+            }
+            if (!remoteSigOk) {
                 log.error { "remote signature $commit is invalid" }
                 return Either.Left(InvalidCommitmentSignature(channelParams.channelId, localCommitTx.tx.txid))
             }
@@ -142,7 +157,7 @@ data class LocalCommit(val index: Long, val spec: CommitmentSpec, val txId: TxId
                     return Either.Left(InvalidHtlcSignature(channelParams.channelId, htlcTx.tx.txid))
                 }
             }
-            return Either.Right(LocalCommit(localCommitIndex, spec, localCommitTx.tx.txid, commit.signature, commit.htlcSignatures))
+            return Either.Right(LocalCommit(localCommitIndex, spec, localCommitTx.tx.txid, commit.sigOrPartialSig, commit.htlcSignatures))
         }
     }
 }
@@ -157,6 +172,7 @@ data class RemoteCommit(val index: Long, val spec: CommitmentSpec, val txid: TxI
         remoteFundingPubKey: PublicKey,
         commitInput: Transactions.InputInfo,
         commitmentFormat: Transactions.CommitmentFormat,
+        remoteNonce: IndividualNonce?,
         batchSize: Int = 1
     ): CommitSig {
         val fundingKey = channelKeys.fundingKey(fundingTxIndex)
@@ -172,23 +188,28 @@ data class RemoteCommit(val index: Long, val spec: CommitmentSpec, val txid: TxI
             commitmentFormat = commitmentFormat,
             spec = spec
         )
-        val sig = remoteCommitTx.sign(fundingKey, remoteFundingPubKey)
-        val htlcSigs = sortedHtlcsTxs.map { it.localSig(commitKeys) }
-        val tlvs = buildSet<CommitSigTlv> {
-            if (batchSize > 1) add(CommitSigTlv.Batch(batchSize))
+        val sig = when (commitmentFormat) {
+            is Transactions.CommitmentFormat.SimpleTaprootChannels -> {
+                val localNonce = NonceGenerator.signingNonce(fundingKey.publicKey(), remoteFundingPubKey, commitInput.outPoint.txid)
+                remoteCommitTx.partialSign(fundingKey, remoteFundingPubKey, mapOf(), localNonce, listOf(localNonce.publicNonce, remoteNonce!!)).right!! // FIXME
+            }
+
+            else -> remoteCommitTx.sign(fundingKey, remoteFundingPubKey)
         }
-        return CommitSig(channelParams.channelId, sig, htlcSigs.toList(), TlvStream(tlvs))
+        val htlcSigs = sortedHtlcsTxs.map { it.localSig(commitKeys) }
+        return CommitSig(channelParams.channelId, sig, htlcSigs.toList(), batchSize)
     }
 
-    fun sign(channelParams: ChannelParams, channelKeys: ChannelKeys, signingSession: InteractiveTxSigningSession): CommitSig {
+    fun sign(channelParams: ChannelParams, channelKeys: ChannelKeys, signingSession: InteractiveTxSigningSession, remoteNonce: IndividualNonce?): CommitSig {
         return sign(
             channelParams,
             signingSession.remoteCommitParams,
             channelKeys,
             signingSession.fundingTxIndex,
             signingSession.fundingParams.remoteFundingPubkey,
             signingSession.commitInput(channelKeys),
-            signingSession.fundingParams.commitmentFormat
+            signingSession.fundingParams.commitmentFormat,
+            remoteNonce
         )
     }
 }
@@ -255,7 +276,14 @@ data class Commitment(
                 val localSig = unsignedCommitTx.sign(fundingKey, remoteFundingPubkey)
                 unsignedCommitTx.aggregateSigs(fundingKey.publicKey(), remoteFundingPubkey, localSig, remoteSig)
             }
-            else -> throw IllegalArgumentException("not implemented") // FIXME
+            is ChannelSpendSignature.PartialSignatureWithNonce -> {
+                val localNonce = NonceGenerator.verificationNonce(fundingTxId, fundingKey, remoteFundingPubkey, localCommit.index)
+                // We have already validated the remote nonce and partial signature when we received it, so we're guaranteed
+                // that the following code cannot produce an error.
+                val localSig = unsignedCommitTx.partialSign(fundingKey, remoteFundingPubkey, mapOf(), localNonce, listOf(localNonce.publicNonce, remoteSig.nonce)).right!!
+                val signedTx = unsignedCommitTx.aggregateSigs(fundingKey.publicKey(), remoteFundingPubkey, localSig, remoteSig, mapOf()).right!!
+                signedTx
+            }
         }
     }
 
@@ -518,7 +546,16 @@ data class Commitment(
         }
     }
 
-    fun sendCommit(params: ChannelParams, channelKeys: ChannelKeys, commitKeys: RemoteCommitmentKeys, changes: CommitmentChanges, remoteNextPerCommitmentPoint: PublicKey, batchSize: Int, log: MDCLogger): Pair<Commitment, CommitSig> {
+    fun sendCommit(
+        params: ChannelParams,
+        channelKeys: ChannelKeys,
+        commitKeys: RemoteCommitmentKeys,
+        changes: CommitmentChanges,
+        remoteNextPerCommitmentPoint: PublicKey,
+        batchSize: Int,
+        nextRemoteNonce: IndividualNonce?,
+        log: MDCLogger
+    ): Pair<Commitment, CommitSig> {
         val fundingKey = localFundingKey(channelKeys)
         // remote commitment will include all local changes + remote acked changes
         val spec = CommitmentSpec.reduce(remoteCommit.spec, changes.remoteChanges.acked, changes.localChanges.proposed)
@@ -533,7 +570,18 @@ data class Commitment(
             commitmentFormat = commitmentFormat,
             spec = spec
         )
-        val sig = remoteCommitTx.sign(fundingKey, remoteFundingPubkey)
+        val sig = when (commitmentFormat) {
+            Transactions.CommitmentFormat.SimpleTaprootChannels -> ChannelSpendSignature.IndividualSignature(ByteVector64.Zeroes)
+            else -> remoteCommitTx.sign(fundingKey, remoteFundingPubkey)
+        }
+        val partialSig = when (commitmentFormat) {
+            Transactions.CommitmentFormat.SimpleTaprootChannels -> {
+                val localNonce = NonceGenerator.signingNonce(fundingKey.publicKey(), remoteFundingPubkey, remoteCommitTx.input.outPoint.txid)
+                remoteCommitTx.partialSign(fundingKey, remoteFundingPubkey, mapOf(), localNonce, listOf(localNonce.publicNonce, nextRemoteNonce!!)).right!!
+            }
+
+            else -> null
+        }
         val htlcSigs = sortedHtlcTxs.map { it.localSig(commitKeys) }
 
         // NB: IN/OUT htlcs are inverted because this is the remote commit
@@ -566,6 +614,7 @@ data class Commitment(
             if (batchSize > 1) {
                 add(CommitSigTlv.Batch(batchSize))
             }
+            partialSig?.let { add(CommitSigTlv.PartialSignatureWithNonce(it)) }
         }
         val commitSig = CommitSig(params.channelId, sig, htlcSigs.toList(), TlvStream(tlvs))
         val commitment1 = copy(nextRemoteCommit = RemoteCommit(remoteCommit.index + 1, spec, remoteCommitTx.tx.txid, remoteNextPerCommitmentPoint))
@@ -644,6 +693,10 @@ data class Commitments(
     val payments: Map<Long, UUID>, // for outgoing htlcs, maps to paymentId
     val remoteNextCommitInfo: Either<WaitingForRevocation, PublicKey>, // this one is tricky, it must be kept in sync with Commitment.nextRemoteCommit
     val remotePerCommitmentSecrets: ShaChain,
+    @Transient val remoteCommitNonces: Map<TxId, IndividualNonce>,
+    @Transient val localCloseeNonce: Transactions.LocalNonce?,
+    @Transient val remoteCloseeNonce: IndividualNonce?,
+    @Transient val localCloserNonces: Transactions.CloserNonces?,
 ) {
     init {
         require(active.isNotEmpty()) { "there must be at least one active commitment" }
@@ -674,6 +727,10 @@ data class Commitments(
         addAll(active)
     })
 
+    fun addRemoteCommitNonce(fundingTxId: TxId, nonce: IndividualNonce?): Commitments = nonce?.let { this.copy(remoteCommitNonces = this.remoteCommitNonces + (fundingTxId to it)) } ?: this
+
+    fun resetNonces(): Commitments = copy(remoteCommitNonces = emptyMap(), localCloseeNonce = null, remoteCloseeNonce = null, localCloserNonces = null)
+
     fun channelKeys(keyManager: KeyManager): ChannelKeys = channelParams.localParams.channelKeys(keyManager)
 
     fun isMoreRecent(other: Commitments): Boolean {
@@ -838,7 +895,7 @@ data class Commitments(
         val remoteNextPerCommitmentPoint = remoteNextCommitInfo.right ?: return Either.Left(CannotSignBeforeRevocation(channelId))
         val commitKeys = channelKeys.remoteCommitmentKeys(channelParams, remoteNextPerCommitmentPoint)
         if (!changes.localHasChanges()) return Either.Left(CannotSignWithoutChanges(channelId))
-        val (active1, sigs) = active.map { it.sendCommit(channelParams, channelKeys, commitKeys, changes, remoteNextPerCommitmentPoint, active.size, log) }.unzip()
+        val (active1, sigs) = active.map { it.sendCommit(channelParams, channelKeys, commitKeys, changes, remoteNextPerCommitmentPoint, active.size, remoteCommitNonces.get(it.fundingTxId), log) }.unzip()
         val commitments1 = copy(
             active = active1,
             remoteNextCommitInfo = Either.Left(WaitingForRevocation(localCommitIndex)),
@@ -868,7 +925,12 @@ data class Commitments(
         // we will send our revocation preimage + our next revocation hash
         val localPerCommitmentSecret = channelKeys.commitmentSecret(localCommitIndex)
         val localNextPerCommitmentPoint = channelKeys.commitmentPoint(localCommitIndex + 2)
-        val revocation = RevokeAndAck(channelId, localPerCommitmentSecret, localNextPerCommitmentPoint)
+        val localCommitNonces = active.filter { it.commitmentFormat == Transactions.CommitmentFormat.SimpleTaprootChannels }.map {
+            val localNonce = NonceGenerator.verificationNonce(it.fundingTxId, it.localFundingKey(channelKeys), it.remoteFundingPubkey, localCommitIndex + 2)
+            it.fundingTxId to localNonce.publicNonce
+        }
+        val tlvs: Set<RevokeAndAckTlv> = if (localCommitNonces.isEmpty()) setOf() else setOf(RevokeAndAckTlv.NextLocalNonces(localCommitNonces))
+        val revocation = RevokeAndAck(channelId, localPerCommitmentSecret, localNextPerCommitmentPoint, TlvStream(tlvs))
         val commitments1 = copy(
             active = active1,
             changes = changes.copy(
@@ -929,10 +991,22 @@ data class Commitments(
             remoteNextCommitInfo = Either.Right(revocation.nextPerCommitmentPoint),
             remotePerCommitmentSecrets = remotePerCommitmentSecrets.addHash(revocation.perCommitmentSecret.value, 0xFFFFFFFFFFFFL - remoteCommitIndex),
             payments = payments1,
+            remoteCommitNonces = revocation.nextCommitNonces
         )
         return Either.Right(Pair(commitments1, actions.toList()))
     }
 
+    fun createShutdown(channelKeys: ChannelKeys, finalScriptPubKey: ByteVector): Pair<Commitments, Shutdown> = when (latest.commitmentFormat) {
+        is Transactions.CommitmentFormat.SimpleTaprootChannels -> {
+            // We create a fresh local closee nonce every time we send shutdown.
+            val localFundingPubKey = channelKeys.fundingKey(latest.fundingTxIndex).publicKey()
+            val localCloseeNonce = NonceGenerator.signingNonce(localFundingPubKey, latest.remoteFundingPubkey, latest.fundingTxId)
+            this.copy(localCloseeNonce = localCloseeNonce) to Shutdown(channelId, finalScriptPubKey, TlvStream<ShutdownTlv>(ShutdownTlv.ShutdownNonce(localCloseeNonce.publicNonce)))
+        }
+
+        else -> this to Shutdown(channelId, finalScriptPubKey)
+    }
+
     private fun ChannelContext.updateFundingStatus(fundingTxId: TxId, updateMethod: (Commitment, Long) -> Commitment): Either<Commitments, Pair<Commitments, Commitment>> {
         return when (val c = all.find { it.fundingTxId == fundingTxId }) {
             is Commitment -> {