From 6287f0c0aae0b658599557320ac434d626ad78f7 Mon Sep 17 00:00:00 2001 From: Matt Morehouse Date: Tue, 10 May 2022 17:06:46 -0500 Subject: [PATCH] Correct encoding scheme for obfuscated state hint The upper 64 bits of nSequence are not used to encode the state hint, as there are only 32 bits in nSequence. And the upper 8 bits are not used at all, since that could inadvertently enable a relative timelock by unsetting bit 31 (see BIP 68). From BOLT 3: ``` Commitment Transaction ---------------------- locktime: upper 8 bits are 0x20, lower 24 bits are the lower 24 bits of the obscured commitment number txin[0] sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number ``` --- 07_payment_channels.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/07_payment_channels.asciidoc b/07_payment_channels.asciidoc index 11b34ba..b255215 100644 --- a/07_payment_channels.asciidoc +++ b/07_payment_channels.asciidoc @@ -658,7 +658,7 @@ Once Alice has received the +revoke_and_ack+ from Bob, she can be sure that Bob To more easily allow both sides to keep track of the commitment numbers of the passed revoke commitments, each commitment actually _encodes_ the number of the commitment within the lock time and sequence fields in a transition. Within the ((("state hints")))protocol, this special encoding is referred to as _state hints_. Assuming a party knows the current commitment number, they're able to use the state hints to easily recognize if a broadcasted commitment was a revoked one, and if so, which commitment number was breached, as that number is used to easily look up which revocation secret should be used in the revocation secret tree (shachain). -((("obfuscated state hints")))Rather than encode the state hint in plain sight, an _obfuscated_ state hint is used in its place. This obfuscation is achieved by first XORing the current commitment number with a set of random bytes generated deterministically using the funding public keys of both sides of the channel. A total of 6 bytes across the lock time and sequence (24 bits of the locktime and 24 bits of the sequence) are used to encode the state hint within the commitment transaction, so 6 random bytes are needed to use for XORing. To obtain these 6 bytes, both sides obtain the SHA-256 hash of the initiator's funding key concatenated to the responder's funding key. Before encoding the current commitment height, the integer is XORed with this state hint obfuscator, and then encoded in the lower 24 bits of the locktime, and the upper 64 bits of the sequence. +((("obfuscated state hints")))Rather than encode the state hint in plain sight, an _obfuscated_ state hint is used in its place. This obfuscation is achieved by first XORing the current commitment number with a set of random bytes generated deterministically using the funding public keys of both sides of the channel. A total of 6 bytes across the lock time and sequence (24 bits of the locktime and 24 bits of the sequence) are used to encode the state hint within the commitment transaction, so 6 random bytes are needed to use for XORing. To obtain these 6 bytes, both sides obtain the SHA-256 hash of the initiator's funding key concatenated to the responder's funding key. Before encoding the current commitment height, the integer is XORed with this state hint obfuscator, and then encoded in the lower 24 bits of the locktime and the lower 24 bits of the sequence. Let's review our channel between Alice and Bob and show a specific example of a penalty transaction. In <> we see the four commitments on Alice and Bob's channel. Alice has made three payments to Bob: