multi: update sweeping to allow different sighashes and claim scripts

Taproot spends require a different sighash, so we update our HtlcScript
interface to provide the appropriate sighash when sweeping. We also add
distinct Timeout/Success Script functions to allow for tapleaf spends
which have different locking scripts for different paths. Note that the
timeout and success paths will be the same for segwit v0 htlcs, because
it has a single branched script containing all spend paths.

In future iterations, this differentiation of claim scripts can also
be used to use musig2 to collaboratively keyspend P2TR htlcs with the
server. This script can be expressed as PriorityScript (because we'll
try to keyspend as a priority, and then fall back to a tap leaf spend).
As we've done here, segwit v0 spends would just return their single
script for PriorityScript, and the claim would be no different from
our other claims.

Author: carlaKC

loopin.go

@@ -937,14 +937,18 @@ func (s *loopInSwap) publishTimeoutTx(ctx context.Context,
 		return 0, err
 	}
 
+	// Create a function that will assemble our timeout witness.
 	witnessFunc := func(sig []byte) (wire.TxWitness, error) {
 		return s.htlc.GenTimeoutWitness(sig)
 	}
 
+	// Retrieve the full script required to unlock the output.
+	redeemScript := s.htlc.TimeoutScript()
+
 	sequence := uint32(0)
 	timeoutTx, err := s.sweeper.CreateSweepTx(
 		ctx, s.height, sequence, s.htlc, *htlcOutpoint, s.SenderKey,
-		witnessFunc, htlcValue, fee, s.timeoutAddr,
+		redeemScript, witnessFunc, htlcValue, fee, s.timeoutAddr,
 	)
 	if err != nil {
 		return 0, err

loopout.go

@@ -1231,6 +1231,9 @@ func (s *loopOutSwap) sweep(ctx context.Context,
 		return s.htlc.GenSuccessWitness(sig, s.Preimage)
 	}
 
+	// Retrieve the full script required to unlock the output.
+	redeemScript := s.htlc.SuccessScript()
+
 	remainingBlocks := s.CltvExpiry - s.height
 	blocksToLastReveal := remainingBlocks - MinLoopOutPreimageRevealDelta
 	preimageRevealed := s.state == loopdb.StatePreimageRevealed
@@ -1287,7 +1290,8 @@ func (s *loopOutSwap) sweep(ctx context.Context,
 	// Create sweep tx.
 	sweepTx, err := s.sweeper.CreateSweepTx(
 		ctx, s.height, s.htlc.SuccessSequence(), s.htlc, htlcOutpoint,
-		s.ReceiverKey, witnessFunc, htlcValue, fee, s.DestAddr,
+		s.ReceiverKey, redeemScript, witnessFunc, htlcValue, fee,
+		s.DestAddr,
 	)
 	if err != nil {
 		return err

swap/htlc.go

@@ -64,9 +64,6 @@ type HtlcScript interface {
 	// redeeming the htlc.
 	IsSuccessWitness(witness wire.TxWitness) bool
 
-	// Script returns the htlc script.
-	Script() []byte
-
 	// lockingConditions return the address, pkScript and sigScript (if
 	// required) for a htlc script.
 	lockingConditions(HtlcOutputType, *chaincfg.Params) (btcutil.Address,
@@ -80,9 +77,21 @@ type HtlcScript interface {
 	// timeout case witness.
 	MaxTimeoutWitnessSize() int
 
+	// TimeoutScript returns the redeem script required to unlock the htlc
+	// after timeout.
+	TimeoutScript() []byte
+
+	// SuccessScript returns the redeem script required to unlock the htlc
+	// using the preimage.
+	SuccessScript() []byte
+
 	// SuccessSequence returns the sequence to spend this htlc in the
 	// success case.
 	SuccessSequence() uint32
+
+	// SigHash is the signature hash to use for transactions spending from
+	// the htlc.
+	SigHash() txscript.SigHashType
 }
 
 // Htlc contains relevant htlc information from the receiver perspective.
@@ -291,8 +300,8 @@ func (h *Htlc) AddSuccessToEstimator(estimator *input.TxWeightEstimator) error {
 			return ErrInvalidOutputSelected
 		}
 
-		successLeaf := txscript.NewBaseTapLeaf(trHtlc.SuccessScript)
-		timeoutLeaf := txscript.NewBaseTapLeaf(trHtlc.TimeoutScript)
+		successLeaf := txscript.NewBaseTapLeaf(trHtlc.SuccessScript())
+		timeoutLeaf := txscript.NewBaseTapLeaf(trHtlc.TimeoutScript())
 		timeoutLeafHash := timeoutLeaf.TapHash()
 
 		tapscript := input.TapscriptPartialReveal(
@@ -324,8 +333,8 @@ func (h *Htlc) AddTimeoutToEstimator(estimator *input.TxWeightEstimator) error {
 			return ErrInvalidOutputSelected
 		}
 
-		successLeaf := txscript.NewBaseTapLeaf(trHtlc.SuccessScript)
-		timeoutLeaf := txscript.NewBaseTapLeaf(trHtlc.TimeoutScript)
+		successLeaf := txscript.NewBaseTapLeaf(trHtlc.SuccessScript())
+		timeoutLeaf := txscript.NewBaseTapLeaf(trHtlc.TimeoutScript())
 		successLeafHash := successLeaf.TapHash()
 
 		tapscript := input.TapscriptPartialReveal(
@@ -440,8 +449,19 @@ func (h *HtlcScriptV1) IsSuccessWitness(witness wire.TxWitness) bool {
 	return !isTimeoutTx
 }
 
-// Script returns the htlc script.
-func (h *HtlcScriptV1) Script() []byte {
+// TimeoutScript returns the redeem script required to unlock the htlc after
+// timeout.
+//
+// In the case of HtlcScriptV1, this is the full segwit v0 script.
+func (h *HtlcScriptV1) TimeoutScript() []byte {
+	return h.script
+}
+
+// SuccessScript returns the redeem script required to unlock the htlc using
+// the preimage.
+//
+// In the case of HtlcScriptV1, this is the full segwit v0 script.
+func (h *HtlcScriptV1) SuccessScript() []byte {
 	return h.script
 }
 
@@ -478,6 +498,11 @@ func (h *HtlcScriptV1) SuccessSequence() uint32 {
 	return 0
 }
 
+// Sighash is the signature hash to use for transactions spending from the htlc.
+func (h *HtlcScriptV1) SigHash() txscript.SigHashType {
+	return txscript.SigHashAll
+}
+
 // lockingConditions return the address, pkScript and sigScript (if
 // required) for a htlc script.
 func (h *HtlcScriptV1) lockingConditions(htlcOutputType HtlcOutputType,
@@ -581,8 +606,19 @@ func (h *HtlcScriptV2) GenTimeoutWitness(
 	return witnessStack, nil
 }
 
-// Script returns the htlc script.
-func (h *HtlcScriptV2) Script() []byte {
+// TimeoutScript returns the redeem script required to unlock the htlc after
+// timeout.
+//
+// In the case of HtlcScriptV2, this is the full segwit v0 script.
+func (h *HtlcScriptV2) TimeoutScript() []byte {
+	return h.script
+}
+
+// SuccessScript returns the redeem script required to unlock the htlc using
+// the preimage.
+//
+// In the case of HtlcScriptV2, this is the full segwit v0 script.
+func (h *HtlcScriptV2) SuccessScript() []byte {
 	return h.script
 }
 
@@ -620,6 +656,11 @@ func (h *HtlcScriptV2) SuccessSequence() uint32 {
 	return 1
 }
 
+// Sighash is the signature hash to use for transactions spending from the htlc.
+func (h *HtlcScriptV2) SigHash() txscript.SigHashType {
+	return txscript.SigHashAll
+}
+
 // lockingConditions return the address, pkScript and sigScript (if
 // required) for a htlc script.
 func (h *HtlcScriptV2) lockingConditions(htlcOutputType HtlcOutputType,
@@ -630,13 +671,13 @@ func (h *HtlcScriptV2) lockingConditions(htlcOutputType HtlcOutputType,
 
 // HtlcScriptV3 encapsulates the htlc v3 script.
 type HtlcScriptV3 struct {
-	// TimeoutScript is the final locking script for the timeout path which
+	// timeoutScript is the final locking script for the timeout path which
 	// is available to the sender after the set blockheight.
-	TimeoutScript []byte
+	timeoutScript []byte
 
-	// SuccessScript is the final locking script for the success path in
+	// successScript is the final locking script for the success path in
 	// which the receiver reveals the preimage.
-	SuccessScript []byte
+	successScript []byte
 
 	// InternalPubKey is the public key for the keyspend path which bypasses
 	// the above two locking scripts.
@@ -707,8 +748,8 @@ func newHTLCScriptV3(cltvExpiry int32, senderHtlcKey, receiverHtlcKey [33]byte,
 	)
 
 	return &HtlcScriptV3{
-		TimeoutScript:  timeoutPathScript,
-		SuccessScript:  successPathScript,
+		timeoutScript:  timeoutPathScript,
+		successScript:  successPathScript,
 		InternalPubKey: aggregateKey.PreTweakedKey,
 		TaprootKey:     taprootKey,
 		RootHash:       rootHash,
@@ -787,15 +828,15 @@ func (h *HtlcScriptV3) genControlBlock(leafScript []byte) ([]byte, error) {
 func (h *HtlcScriptV3) genSuccessWitness(
 	receiverSig []byte, preimage lntypes.Preimage) (wire.TxWitness, error) {
 
-	controlBlockBytes, err := h.genControlBlock(h.TimeoutScript)
+	controlBlockBytes, err := h.genControlBlock(h.timeoutScript)
 	if err != nil {
 		return nil, err
 	}
 
 	return wire.TxWitness{
 		preimage[:],
 		receiverSig,
-		h.SuccessScript,
+		h.successScript,
 		controlBlockBytes,
 	}, nil
 }
@@ -805,14 +846,14 @@ func (h *HtlcScriptV3) genSuccessWitness(
 func (h *HtlcScriptV3) GenTimeoutWitness(
 	senderSig []byte) (wire.TxWitness, error) {
 
-	controlBlockBytes, err := h.genControlBlock(h.SuccessScript)
+	controlBlockBytes, err := h.genControlBlock(h.successScript)
 	if err != nil {
 		return nil, err
 	}
 
 	return wire.TxWitness{
 		senderSig,
-		h.TimeoutScript,
+		h.timeoutScript,
 		controlBlockBytes,
 	}, nil
 }
@@ -823,9 +864,20 @@ func (h *HtlcScriptV3) IsSuccessWitness(witness wire.TxWitness) bool {
 	return len(witness) == 4
 }
 
-// Script is not implemented, but necessary to conform to interface.
-func (h *HtlcScriptV3) Script() []byte {
-	return nil
+// TimeoutScript returns the redeem script required to unlock the htlc after
+// timeout.
+//
+// In the case of HtlcScriptV3, this is the timeout tapleaf.
+func (h *HtlcScriptV3) TimeoutScript() []byte {
+	return h.timeoutScript
+}
+
+// SuccessScript returns the redeem script required to unlock the htlc using
+// the preimage.
+//
+// In the case of HtlcScriptV3, this is the claim tapleaf.
+func (h *HtlcScriptV3) SuccessScript() []byte {
+	return h.successScript
 }
 
 // MaxSuccessWitnessSize returns the maximum witness size for the
@@ -872,6 +924,11 @@ func (h *HtlcScriptV3) SuccessSequence() uint32 {
 	return 1
 }
 
+// Sighash is the signature hash to use for transactions spending from the htlc.
+func (h *HtlcScriptV3) SigHash() txscript.SigHashType {
+	return txscript.SigHashDefault
+}
+
 // lockingConditions return the address, pkScript and sigScript (if required)
 // for a htlc script.
 func (h *HtlcScriptV3) lockingConditions(outputType HtlcOutputType,

swap/htlc_test.go

@@ -159,16 +159,17 @@ func TestHtlcV2(t *testing.T) {
 	)
 
 	signTx := func(tx *wire.MsgTx, pubkey *btcec.PublicKey,
-		signer *input.MockSigner) (input.Signature, error) {
+		signer *input.MockSigner, witnessScript []byte) (
+		input.Signature, error) {
 
 		signDesc := &input.SignDescriptor{
 			KeyDesc: keychain.KeyDescriptor{
 				PubKey: pubkey,
 			},
 
-			WitnessScript: htlc.Script(),
+			WitnessScript: witnessScript,
 			Output:        htlcOutput,
-			HashType:      txscript.SigHashAll,
+			HashType:      htlc.SigHash(),
 			SigHashes: txscript.NewTxSigHashes(
 				tx, prevOutFetcher,
 			),
@@ -190,6 +191,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.TxIn[0].Sequence = htlc.SuccessSequence()
 				sweepSig, err := signTx(
 					sweepTx, receiverPubKey, receiverSigner,
+					htlc.SuccessScript(),
 				)
 				require.NoError(t, err)
 
@@ -210,6 +212,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.TxIn[0].Sequence = 0
 				sweepSig, err := signTx(
 					sweepTx, receiverPubKey, receiverSigner,
+					htlc.SuccessScript(),
 				)
 				require.NoError(t, err)
 
@@ -228,6 +231,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.LockTime = testCltvExpiry - 1
 				sweepSig, err := signTx(
 					sweepTx, senderPubKey, senderSigner,
+					htlc.TimeoutScript(),
 				)
 				require.NoError(t, err)
 
@@ -246,6 +250,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.LockTime = testCltvExpiry
 				sweepSig, err := signTx(
 					sweepTx, senderPubKey, senderSigner,
+					htlc.TimeoutScript(),
 				)
 				require.NoError(t, err)
 
@@ -264,6 +269,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.LockTime = testCltvExpiry
 				sweepSig, err := signTx(
 					sweepTx, receiverPubKey, receiverSigner,
+					htlc.TimeoutScript(),
 				)
 				require.NoError(t, err)
 
@@ -299,6 +305,7 @@ func TestHtlcV2(t *testing.T) {
 				sweepTx.LockTime = testCltvExpiry
 				sweepSig, err := signTx(
 					sweepTx, senderPubKey, senderSigner,
+					htlc.TimeoutScript(),
 				)
 				require.NoError(t, err)
 
@@ -392,7 +399,7 @@ func TestHtlcV3(t *testing.T) {
 
 		sig, err := txscript.RawTxInTapscriptSignature(
 			tx, hashCache, 0, value, p2trPkScript, leaf,
-			txscript.SigHashDefault, privateKey,
+			htlc.SigHash(), privateKey,
 		)
 		require.NoError(t, err)
 
@@ -417,7 +424,7 @@ func TestHtlcV3(t *testing.T) {
 				sig := signTx(
 					tx, receiverPrivKey,
 					txscript.NewBaseTapLeaf(
-						trHtlc.SuccessScript,
+						trHtlc.SuccessScript(),
 					),
 				)
 				witness, err := htlc.genSuccessWitness(
@@ -441,7 +448,7 @@ func TestHtlcV3(t *testing.T) {
 				sig := signTx(
 					tx, receiverPrivKey,
 					txscript.NewBaseTapLeaf(
-						trHtlc.SuccessScript,
+						trHtlc.SuccessScript(),
 					),
 				)
 				witness, err := htlc.genSuccessWitness(
@@ -465,7 +472,7 @@ func TestHtlcV3(t *testing.T) {
 				sig := signTx(
 					tx, senderPrivKey,
 					txscript.NewBaseTapLeaf(
-						trHtlc.TimeoutScript,
+						trHtlc.TimeoutScript(),
 					),
 				)
 
@@ -488,7 +495,7 @@ func TestHtlcV3(t *testing.T) {
 				sig := signTx(
 					tx, senderPrivKey,
 					txscript.NewBaseTapLeaf(
-						trHtlc.TimeoutScript,
+						trHtlc.TimeoutScript(),
 					),
 				)
 
@@ -511,7 +518,7 @@ func TestHtlcV3(t *testing.T) {
 				sig := signTx(
 					tx, receiverPrivKey,
 					txscript.NewBaseTapLeaf(
-						trHtlc.TimeoutScript,
+						trHtlc.TimeoutScript(),
 					),
 				)