keysmanager: support phantom payments (aka multi-receive payments)

To support the feature of generating invoices that can be paid to any of multiple nodes, KeysManagers
need to be able to share an inbound_payment_key and phantom secret key

Author: valentinewallace

lightning/src/chain/keysinterface.rs

@@ -30,6 +30,7 @@ use bitcoin::secp256k1::recovery::RecoverableSignature;
 use bitcoin::secp256k1;
 
 use util::{byte_utils, transaction_utils};
+use util::crypto::hkdf_extract_expand;
 use util::ser::{Writeable, Writer, Readable};
 
 use chain::transaction::OutPoint;
@@ -787,6 +788,7 @@ pub struct KeysManager {
 	secp_ctx: Secp256k1<secp256k1::All>,
 	node_secret: SecretKey,
 	inbound_payment_key: KeyMaterial,
+	phantom_secret: Option<SecretKey>,
 	destination_script: Script,
 	shutdown_pubkey: PublicKey,
 	channel_master_key: ExtendedPrivKey,
@@ -821,7 +823,21 @@ impl KeysManager {
 	/// Note that until the 0.1 release there is no guarantee of backward compatibility between
 	/// versions. Once the library is more fully supported, the docs will be updated to include a
 	/// detailed description of the guarantee.
+	///
+	/// This method cannot be used for nodes that wish to support receiving multi-node or phantom
+	/// payments; [`KeysManager::new_multi_receive`] must be used instead.
 	pub fn new(seed: &[u8; 32], starting_time_secs: u64, starting_time_nanos: u32) -> Self {
+		Self::new_inner(seed, starting_time_secs, starting_time_nanos, None)
+	}
+
+	/// Similar to [`KeysManager::new`], but allows the node using this `KeysManager` to receive
+	/// phantom node payments. `cross_node_seed` must be the same across all phantom-receiving nodes
+	/// and also the same across restarts, or else payments may fail.
+	pub fn new_multi_receive(seed: &[u8; 32], starting_time_secs: u64, starting_time_nanos: u32, cross_node_seed: &[u8; 32]) -> Self {
+		Self::new_inner(seed, starting_time_secs, starting_time_nanos, Some(cross_node_seed))
+	}
+
+	fn new_inner(seed: &[u8; 32], starting_time_secs: u64, starting_time_nanos: u32, cross_node_seed: Option<&[u8; 32]>) -> Self {
 		let secp_ctx = Secp256k1::new();
 		// Note that when we aren't serializing the key, network doesn't matter
 		match ExtendedPrivKey::new_master(Network::Testnet, seed) {
@@ -842,9 +858,15 @@ impl KeysManager {
 				};
 				let channel_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(3).unwrap()).expect("Your RNG is busted");
 				let rand_bytes_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(4).unwrap()).expect("Your RNG is busted");
-				let inbound_payment_key: SecretKey = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(5).unwrap()).expect("Your RNG is busted").private_key.key;
-				let mut inbound_pmt_key_bytes = [0; 32];
-				inbound_pmt_key_bytes.copy_from_slice(&inbound_payment_key[..]);
+				let (inbound_payment_key, phantom_secret) = if let Some(key) = cross_node_seed {
+					let hkdf = hkdf_extract_expand(b"LDK Inbound and Phantom Payment Key Expansion", key, 2);
+					(KeyMaterial(hkdf[0]), Some(SecretKey::from_slice(&hkdf[1]).unwrap()))
+				} else {
+					let inbound_payment_key: SecretKey = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(5).unwrap()).expect("Your RNG is busted").private_key.key;
+					let mut inbound_pmt_key_bytes = [0; 32];
+					inbound_pmt_key_bytes.copy_from_slice(&inbound_payment_key[..]);
+					(KeyMaterial(inbound_pmt_key_bytes), None)
+				};
 
 				let mut rand_bytes_unique_start = Sha256::engine();
 				rand_bytes_unique_start.input(&byte_utils::be64_to_array(starting_time_secs));
@@ -854,7 +876,8 @@ impl KeysManager {
 				let mut res = KeysManager {
 					secp_ctx,
 					node_secret,
-					inbound_payment_key: KeyMaterial(inbound_pmt_key_bytes),
+					inbound_payment_key,
+					phantom_secret,
 
 					destination_script,
 					shutdown_pubkey,