multi: hide long-term private key behind interface

To be able to eventually extract the private keys out of the node
itself into a hardware wallet or HSM, we need to abstract the ECDH
operation against the long-term key behind an interface.

Author: guggero

cmd/main.go

@@ -136,8 +136,11 @@ func main() {
 		}
 
 		privkey := secp256k1.PrivKeyFromBytes(binKey)
+		privKeyECDH := &sphinx.PrivKeyECDH{PrivKey: privkey}
 		replayLog := sphinx.NewMemoryReplayLog()
-		s := sphinx.NewRouter(privkey, chaincfg.TestNet3Params(), replayLog)
+		s := sphinx.NewRouter(
+			privKeyECDH, chaincfg.TestNet3Params(), replayLog,
+		)
 
 		replayLog.Start()
 		defer replayLog.Stop()

crypto.go

@@ -228,29 +228,7 @@ func (r *Router) generateSharedSecret(dhKey *secp256k1.PublicKey) (Hash256, erro
 	}
 
 	// Compute our shared secret.
-	return generateSharedSecret(dhKey, r.onionKey)
-}
-
-// generateSharedSecret generates the shared secret for a particular hop. The
-// shared secret is generated by taking the group element contained in the
-// mix-header, and performing an ECDH operation with the node's long term onion
-// key. We then take the _entire_ point generated by the ECDH operation,
-// serialize that using a compressed format, then feed the raw bytes through a
-// single SHA256 invocation.  The resulting value is the shared secret.
-func generateSharedSecret(pub *secp256k1.PublicKey, priv *secp256k1.PrivateKey) (Hash256,
-	error) {
-	var modNScalar secp256k1.ModNScalar
-	modNScalar.SetByteSlice(priv.ToECDSA().D.Bytes())
-
-	var point secp256k1.JacobianPoint
-	pub.AsJacobian(&point)
-
-	var result secp256k1.JacobianPoint
-	secp256k1.ScalarMultNonConst(&modNScalar, &point, &result)
-	result.ToAffine()
-
-	s := secp256k1.NewPublicKey(&result.X, &result.Y)
-	return sha256.Sum256(s.SerializeCompressed()), nil
+	return r.onionKey.ECDH(dhKey)
 }
 
 // onionEncrypt obfuscates the data with compliance with BOLT#4. As we use a

sphinx.go

@@ -131,7 +131,8 @@ func generateSharedSecrets(paymentPath []*secp256k1.PublicKey,
 	// Within the loop each new triplet will be computed recursively based
 	// off of the blinding factor of the last hop.
 	lastEphemeralPubKey := sessionKey.PubKey()
-	sharedSecret, err := generateSharedSecret(paymentPath[0], sessionKey)
+	sessionKeyECDH := &PrivKeyECDH{PrivKey: sessionKey}
+	sharedSecret, err := sessionKeyECDH.ECDH(paymentPath[0])
 	if err != nil {
 		return nil, err
 	}
@@ -488,14 +489,14 @@ type Router struct {
 	nodeID   [AddressSize]byte
 	nodeAddr *dcrutil.AddressPubKeyHash
 
-	onionKey *secp256k1.PrivateKey
+	onionKey SingleKeyECDH
 
 	log ReplayLog
 }
 
 // NewRouter creates a new instance of a Sphinx onion Router given the node's
 // currently advertised onion private key, and the target Bitcoin network.
-func NewRouter(nodeKey *secp256k1.PrivateKey, net dcrutil.AddressParams, log ReplayLog) *Router {
+func NewRouter(nodeKey SingleKeyECDH, net dcrutil.AddressParams, log ReplayLog) *Router {
 	var nodeID [AddressSize]byte
 	copy(nodeID[:], dcrutil.Hash160(nodeKey.PubKey().SerializeCompressed()))
 

sphinx_test.go

@@ -52,7 +52,8 @@ func newTestRoute(numHops int) ([]*Router, *PaymentPath, *[]HopData, *OnionPacke
 		}
 
 		nodes[i] = NewRouter(
-			privKey, netParams, NewMemoryReplayLog(),
+			&PrivKeyECDH{PrivKey: privKey}, netParams,
+			NewMemoryReplayLog(),
 		)
 	}
 
@@ -494,7 +495,8 @@ func newEOBRoute(numHops uint32,
 		}
 
 		nodes[i] = NewRouter(
-			privKey, netParams, NewMemoryReplayLog(),
+			&PrivKeyECDH{PrivKey: privKey}, netParams,
+			NewMemoryReplayLog(),
 		)
 	}