tapchannel+tapscript: derive unique funding script keys

guggero · guggero · commit 7356ae488d88 · 2025-03-26T16:30:27.000-05:00
To avoid a proof collision in the universe, we need to make sure we
derive unique funding output script keys for multiple asset IDs within
the same channel funding outpoint. We do that by adding a second
OP_RETURN leaf into the tapscript tree of the funding script key. That
should ensure uniqueness of the top-level Taproot output key and only
requires us to slightly alter the control block when creating the
witness (it will now include an inclusion proof element for the
OP_RETURN leaf).
diff --git a/tapchannel/aux_closer.go b/tapchannel/aux_closer.go
@@ -161,16 +161,23 @@ func createCloseAlloc(isLocal bool, outputSum uint64,
 func signCommitVirtualPackets(ctx context.Context,
 	vPackets []*tappsbt.VPacket) error {
 
-	// Now that we've added all the relevant vPackets, we'll prepare the
-	// funding witness which includes the OP_TRUE ctrl block.
-	fundingWitness, err := fundingSpendWitness().Unpack()
-	if err != nil {
-		return fmt.Errorf("unable to make funding witness: %w", err)
-	}
-
-	// With all the vPackets created, we'll create output commitments from
-	// them, as we'll need them to ship the transaction off to the porter.
+	useUniqueScriptKey := len(vPackets) > 1
 	for idx := range vPackets {
+		assetID, err := vPackets[idx].AssetID()
+		if err != nil {
+			return fmt.Errorf("unable to get asset ID: %w", err)
+		}
+
+		// First, we'll prepare the funding witness which includes the
+		// OP_TRUE ctrl block.
+		fundingWitness, err := tapscript.ChannelFundingSpendWitness(
+			useUniqueScriptKey, assetID,
+		)
+		if err != nil {
+			return fmt.Errorf("unable to make funding witness: %w",
+				err)
+		}
+
 		err = tapsend.PrepareOutputAssets(ctx, vPackets[idx])
 		if err != nil {
 			return fmt.Errorf("unable to prepare output "+
@@ -203,26 +210,6 @@ func signCommitVirtualPackets(ctx context.Context,
 	return nil
 }
 
-// fundingSpendWitness creates a complete witness to spend the OP_TRUE funding
-// script of an asset funding output.
-func fundingSpendWitness() lfn.Result[wire.TxWitness] {
-	fundingScriptTree := tapscript.NewChannelFundingScriptTree()
-
-	tapscriptTree := fundingScriptTree.TapscriptTree
-	ctrlBlock := tapscriptTree.LeafMerkleProofs[0].ToControlBlock(
-		&input.TaprootNUMSKey,
-	)
-	ctrlBlockBytes, err := ctrlBlock.ToBytes()
-	if err != nil {
-		return lfn.Errf[wire.TxWitness]("unable to serialize control "+
-			"block: %w", err)
-	}
-
-	return lfn.Ok(wire.TxWitness{
-		tapscript.AnyoneCanSpendScript(), ctrlBlockBytes,
-	})
-}
-
 // AuxCloseOutputs returns the set of close outputs to use for this co-op close
 // attempt. We'll add some extra outputs to the co-op close transaction, and
 // also give the caller a custom sorting routine.
diff --git a/tapchannel/aux_funding_controller.go b/tapchannel/aux_funding_controller.go
@@ -31,7 +31,6 @@ import (
 	"github.com/lightninglabs/taproot-assets/tapfreighter"
 	"github.com/lightninglabs/taproot-assets/tapgarden"
 	"github.com/lightninglabs/taproot-assets/tappsbt"
-	"github.com/lightninglabs/taproot-assets/tapscript"
 	"github.com/lightninglabs/taproot-assets/tapsend"
 	"github.com/lightninglabs/taproot-assets/vm"
 	lfn "github.com/lightningnetwork/lnd/fn/v2"
@@ -758,27 +757,18 @@ func (f *FundingController) fundVirtualPacket(ctx context.Context,
 		amt)
 
 	// Our funding script key will be the OP_TRUE addr that we'll use as
-	// the funding script on the asset level.
-	fundingScriptTree := tapscript.NewChannelFundingScriptTree()
-	fundingTaprootKey, _ := schnorr.ParsePubKey(
-		schnorr.SerializePubKey(fundingScriptTree.TaprootKey),
+	// the funding script on the asset level. We start with this one in case
+	// there is only a single asset ID in the channel. This is to remain
+	// backward compatible with previous versions of the channel funding
+	// process, so updated users can still fund channels with a single asset
+	// ID with older clients. Also, we don't know what asset IDs we're going
+	// to be using, so we couldn't derive a unique funding script key for
+	// each asset ID yet anyway.
+	fundingScriptKey, err := deriveFundingScriptKey(
+		ctx, f.cfg.AddrBook, nil,
 	)
-	fundingScriptKey := asset.ScriptKey{
-		PubKey: fundingTaprootKey,
-		TweakedScriptKey: &asset.TweakedScriptKey{
-			RawKey: keychain.KeyDescriptor{
-				PubKey: fundingScriptTree.InternalKey,
-			},
-			Tweak: fundingScriptTree.TapscriptRoot,
-		},
-	}
-
-	// We'll also need to import the funding script key into the wallet so
-	// the asset will be materialized in the asset table and show up in the
-	// balance correctly.
-	err := f.cfg.AddrBook.InsertScriptKey(ctx, fundingScriptKey, true)
 	if err != nil {
-		return nil, fmt.Errorf("unable to insert script key: %w", err)
+		return nil, fmt.Errorf("unable to derive script key: %w", err)
 	}
 
 	// Next, we'll use the asset wallet to fund a new vPSBT which'll be
@@ -805,7 +795,62 @@ func (f *FundingController) fundVirtualPacket(ctx context.Context,
 
 	// Fund the packet. This will derive an anchor internal key for us, but
 	// we'll overwrite that later on.
-	return f.cfg.AssetWallet.FundPacket(ctx, fundDesc, pktTemplate)
+	fundedPkt, err := f.cfg.AssetWallet.FundPacket(
+		ctx, fundDesc, pktTemplate,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fund vPacket: %w", err)
+	}
+
+	// If there was just a single virtual packet created, it means we only
+	// have a single asset ID in the channel, and we can proceed without any
+	// workarounds.
+	if len(fundedPkt.VPackets) == 1 {
+		return fundedPkt, nil
+	}
+
+	// For channels with multiple asset IDs, we'll need to create unique
+	// funding script keys for each asset ID. Otherwise, the proofs for the
+	// assets will collide in the universe because of group key, script key
+	// and outpoint all being equal.
+	for _, vPkt := range fundedPkt.VPackets {
+		assetID, err := vPkt.AssetID()
+		if err != nil {
+			return nil, fmt.Errorf("unable to get asset ID: %w",
+				err)
+		}
+
+		// If there's change from the funding output, it'll be in the
+		// split root output. If there's no change, there will be no
+		// split root output, since the virtual transfer is interactive.
+		// So in either case we just need to get the first non-root
+		// output.
+		fundingOut, err := vPkt.FirstNonSplitRootOutput()
+		if err != nil {
+			return nil, fmt.Errorf("unable to get first non split "+
+				"root output: %w", err)
+		}
+
+		fundingScriptKey, err := deriveFundingScriptKey(
+			ctx, f.cfg.AddrBook, &assetID,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to derive script key: "+
+				"%w", err)
+		}
+
+		// We now set the unique script key. This requires us to
+		// re-calculate the split commitments, so we'll do that right
+		// afterward.
+		fundingOut.ScriptKey = fundingScriptKey
+
+		if err := tapsend.PrepareOutputAssets(ctx, vPkt); err != nil {
+			return nil, fmt.Errorf("unable to prepare output "+
+				"assets after funding key update: %w", err)
+		}
+	}
+
+	return fundedPkt, nil
 }
 
 // sendInputOwnershipProofs sends the input ownership proofs to the remote
@@ -1014,8 +1059,7 @@ func (f *FundingController) signAllVPackets(ctx context.Context,
 // complete, but unsigned PSBT packet that can be used to create out asset
 // channel.
 func (f *FundingController) anchorVPackets(fundedPkt *tapsend.FundedPsbt,
-	allPackets []*tappsbt.VPacket,
-	fundingScriptKey asset.ScriptKey) ([]*proof.Proof, error) {
+	allPackets []*tappsbt.VPacket) ([]*proof.Proof, error) {
 
 	log.Infof("Anchoring funding vPackets to funding PSBT")
 
@@ -1062,10 +1106,13 @@ func (f *FundingController) anchorVPackets(fundedPkt *tapsend.FundedPsbt,
 
 			vPkt.Outputs[vOutIdx].ProofSuffix = proofSuffix
 
-			if proofSuffix.Asset.ScriptKey.PubKey.IsEqual(
-				fundingScriptKey.PubKey,
-			) {
-
+			// Any output that isn't a split root output is a
+			// channel funding output, so we'll store the proofs
+			// for those outputs. If there is change, that will be
+			// the split root output. And if there is no change,
+			// there is no split root output, as it's an interactive
+			// transfer.
+			if vPkt.Outputs[vOutIdx].Type == tappsbt.TypeSimple {
 				fundingProofs = append(
 					fundingProofs, proofSuffix,
 				)
@@ -1252,10 +1299,8 @@ func (f *FundingController) completeChannelFunding(ctx context.Context,
 	// With all the vPackets signed, we'll now anchor them to the funding
 	// PSBT. This'll update all the pkScripts for our funding output and
 	// change.
-	fundingScriptTree := tapscript.NewChannelFundingScriptTree()
-	fundingScriptKey := asset.NewScriptKey(fundingScriptTree.TaprootKey)
 	fundingOutputProofs, err := f.anchorVPackets(
-		finalFundedPsbt, signedPkts, fundingScriptKey,
+		finalFundedPsbt, signedPkts,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to anchor vPackets: %w", err)
diff --git a/tapchannel/commitment.go b/tapchannel/commitment.go
@@ -18,6 +18,7 @@ import (
 	"github.com/lightninglabs/taproot-assets/rfqmsg"
 	cmsg "github.com/lightninglabs/taproot-assets/tapchannelmsg"
 	"github.com/lightninglabs/taproot-assets/tappsbt"
+	"github.com/lightninglabs/taproot-assets/tapscript"
 	"github.com/lightninglabs/taproot-assets/tapsend"
 	"github.com/lightningnetwork/lnd/channeldb"
 	lfn "github.com/lightningnetwork/lnd/fn/v2"
@@ -1452,6 +1453,55 @@ func FakeCommitTx(fundingOutpoint wire.OutPoint,
 	return fakeCommitTx, nil
 }
 
+// deriveFundingScriptKey derives the funding script key that'll be used to
+// fund the channel. If an asset ID is provided, then a unique funding script
+// key will be derived for that asset ID.
+func deriveFundingScriptKey(ctx context.Context, addrBook address.Storage,
+	assetID *asset.ID) (asset.ScriptKey, error) {
+
+	fundingScriptTree := tapscript.NewChannelFundingScriptTree()
+
+	// If we're using more than one asset ID in a channel, then this will be
+	// called with the actual asset ID set. So we need to use a different
+	// function to generate the funding script key.
+	if assetID != nil {
+		scriptKey, err := tapscript.NewChannelFundingScriptTreeUniqueID(
+			*assetID,
+		)
+		if err != nil {
+			return asset.ScriptKey{}, fmt.Errorf("error deriving "+
+				"funding script key for asset ID %s: %w",
+				assetID.String(), err)
+		}
+
+		fundingScriptTree = scriptKey
+	}
+
+	fundingTaprootKey, _ := schnorr.ParsePubKey(
+		schnorr.SerializePubKey(fundingScriptTree.TaprootKey),
+	)
+	fundingScriptKey := asset.ScriptKey{
+		PubKey: fundingTaprootKey,
+		TweakedScriptKey: &asset.TweakedScriptKey{
+			RawKey: keychain.KeyDescriptor{
+				PubKey: fundingScriptTree.InternalKey,
+			},
+			Tweak: fundingScriptTree.TapscriptRoot,
+		},
+	}
+
+	// We'll also need to import the funding script key into the wallet so
+	// the asset will be materialized in the asset table and show up in the
+	// balance correctly.
+	err := addrBook.InsertScriptKey(ctx, fundingScriptKey, true)
+	if err != nil {
+		return asset.ScriptKey{}, fmt.Errorf("unable to insert script "+
+			"key: %w", err)
+	}
+
+	return fundingScriptKey, nil
+}
+
 // InPlaceCustomCommitSort performs an in-place sort of a transaction, given a
 // list of allocations. The sort is applied to the transaction outputs, using
 // the allocation's OutputIndex. The transaction inputs are sorted by the
diff --git a/tapscript/script.go b/tapscript/script.go
@@ -1,7 +1,11 @@
 package tapscript
 
 import (
+	"fmt"
+
 	"github.com/btcsuite/btcd/txscript"
+	"github.com/btcsuite/btcd/wire"
+	"github.com/lightninglabs/taproot-assets/asset"
 	"github.com/lightningnetwork/lnd/input"
 )
 
@@ -48,3 +52,87 @@ func NewChannelFundingScriptTree() *FundingScriptTree {
 		},
 	}
 }
+
+// NewChannelFundingScriptTreeUniqueID creates a new funding script tree for a
+// custom channel asset-level script key. The script tree is constructed with a
+// simple OP_TRUE script that allows anyone to spend the output and another
+// OP_RETURN script that makes the resulting script key unique. This simplifies
+// the funding process as no signatures for the asset-level witnesses need to be
+// exchanged. This is still safe because the BTC level multi-sig output is still
+// protected by a 2-of-2 MuSig2 output.
+func NewChannelFundingScriptTreeUniqueID(id asset.ID) (*FundingScriptTree,
+	error) {
+
+	// First, we'll generate our OP_TRUE script.
+	fundingScript := AnyoneCanSpendScript()
+	fundingTapLeaf := txscript.NewBaseTapLeaf(fundingScript)
+
+	// Then we'll create the OP_RETURN leaf with the asset ID to make the
+	// resulting script key unique.
+	opReturnLeaf, err := asset.NewNonSpendableScriptLeaf(
+		asset.OpReturnVersion, id[:],
+	)
+	if err != nil {
+		return nil, fmt.Errorf("error deriving op return leaf: %w", err)
+	}
+
+	// With the both scripts derived, we'll now create the tapscript tree
+	// from them.
+	tapscriptTree := txscript.AssembleTaprootScriptTree(
+		fundingTapLeaf, opReturnLeaf,
+	)
+	tapScriptRoot := tapscriptTree.RootNode.TapHash()
+
+	// Finally, we'll make the funding output script which actually uses a
+	// NUMS key to force a script path only.
+	fundingOutputKey := txscript.ComputeTaprootOutputKey(
+		&input.TaprootNUMSKey, tapScriptRoot[:],
+	)
+
+	return &FundingScriptTree{
+		ScriptTree: input.ScriptTree{
+			InternalKey:   &input.TaprootNUMSKey,
+			TaprootKey:    fundingOutputKey,
+			TapscriptTree: tapscriptTree,
+			TapscriptRoot: tapScriptRoot[:],
+		},
+	}, nil
+}
+
+// ChannelFundingSpendWitness creates a complete witness to spend the OP_TRUE
+// funding script of an asset funding output.
+func ChannelFundingSpendWitness(uniqueScriptKeys bool,
+	assetID asset.ID) (wire.TxWitness, error) {
+
+	fundingScriptTree := NewChannelFundingScriptTree()
+
+	// If we're using unique script keys for multiple virtual packets with
+	// different asset IDs, we need to derive a specific script tree that
+	// includes the asset ID. Everything else should still work the same
+	// way (the OP_TRUE leaf we spend is still at index zero.
+	if uniqueScriptKeys {
+		var err error
+		fundingScriptTree, err = NewChannelFundingScriptTreeUniqueID(
+			assetID,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create unique "+
+				"script key: %w", err)
+		}
+	}
+
+	const opTrueIndex = 0
+	tapscriptTree := fundingScriptTree.TapscriptTree
+	ctrlBlock := tapscriptTree.LeafMerkleProofs[opTrueIndex].ToControlBlock(
+		&input.TaprootNUMSKey,
+	)
+	ctrlBlockBytes, err := ctrlBlock.ToBytes()
+	if err != nil {
+		return nil, fmt.Errorf("unable to serialize control "+
+			"block: %w", err)
+	}
+
+	return wire.TxWitness{
+		AnyoneCanSpendScript(), ctrlBlockBytes,
+	}, nil
+}
