assets: add support for co-signing a zero-fee deposit HTLC spend

This commit extends the deposit manager and sweeper to support generating
a zero-fee HTLC transaction that spends a selected deposit. Once the HTLC
is prepared, it is partially signed by the client and can be handed to the
server as a safety measure before using the deposit in a trustless swap.

This typically occurs after the client has accepted the swap payment.
If the client becomes unresponsive during the swap process, the server
can use the zero-fee HTLC as part of a recovery package.

Author: bhandras

assets/deposit/manager.go

@@ -1,15 +1,18 @@
 package deposit
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
 	"github.com/btcsuite/btcd/chaincfg"
 	"github.com/btcsuite/btcd/wire"
+	"github.com/btcsuite/btcwallet/wallet"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4"
 	"github.com/lightninglabs/lndclient"
 	"github.com/lightninglabs/loop/assets"
@@ -20,6 +23,7 @@ import (
 	"github.com/lightninglabs/taproot-assets/rpcutils"
 	"github.com/lightninglabs/taproot-assets/taprpc"
 	"github.com/lightninglabs/taproot-assets/taprpc/assetwalletrpc"
+	"github.com/lightningnetwork/lnd/lntypes"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -1244,3 +1248,86 @@ func (m *Manager) RevealDepositKeys(ctx context.Context,
 
 	return err
 }
+
+// PushHtlcSig will partially a deposit spending zero-fee HTLC and send the
+// resulting signature to the swap server.
+func (m *Manager) PushHtlcSig(ctx context.Context, depositID string,
+	serverNonce [musig2.PubNonceSize]byte, hash lntypes.Hash,
+	csvExpiry uint32) error {
+
+	done, err := m.scheduleNextCall()
+	if err != nil {
+		return err
+	}
+	defer done()
+
+	deposit, ok := m.deposits[depositID]
+	if !ok {
+		return fmt.Errorf("deposit %v not available", depositID)
+	}
+
+	_, htlcPkt, _, _, _, err := m.sweeper.GetHTLC(
+		ctx, deposit.Kit, deposit.Proof, deposit.Amount, hash,
+		csvExpiry,
+	)
+	if err != nil {
+		log.Errorf("Unable to get HTLC packet: %v", err)
+
+		return err
+	}
+
+	prevOutFetcher := wallet.PsbtPrevOutputFetcher(htlcPkt)
+	sigHash, err := getSigHash(htlcPkt.UnsignedTx, 0, prevOutFetcher)
+	if err != nil {
+		return err
+	}
+
+	funder := true
+	depositSigner := NewMuSig2Signer(
+		m.signer, deposit.Kit, funder, deposit.AnchorRootHash,
+	)
+
+	err = depositSigner.NewSession(ctx)
+	if err != nil {
+		return fmt.Errorf("Unable to create MuSig2 session: %w", err)
+	}
+
+	publicNonce, err := depositSigner.PubNonce()
+	if err != nil {
+		return err
+	}
+
+	partialSig, err := depositSigner.PartialSignMuSig2(
+		serverNonce, sigHash,
+	)
+	if err != nil {
+		log.Errorf("Unable to create partial deposit signature %v: %v",
+			deposit.ID, err)
+
+		return err
+	}
+
+	var pktBuf bytes.Buffer
+	err = htlcPkt.Serialize(&pktBuf)
+	if err != nil {
+		return err
+	}
+
+	// TODO(bhandras): the server should return the final signature.
+	_, err = m.depositServiceClient.PushAssetDepositHtlcSigs(
+		ctx, &swapserverrpc.PushAssetDepositHtlcSigsReq{
+			Hash:      hash[:],
+			CsvExpiry: csvExpiry,
+			PartialSigs: []*swapserverrpc.AssetDepositPartialSig{
+				{
+					DepositId:  depositID,
+					Nonce:      publicNonce[:],
+					PartialSig: partialSig,
+				},
+			},
+			HtlcPsbt: pktBuf.Bytes(),
+		},
+	)
+
+	return err
+}

assets/deposit/server.go

@@ -5,8 +5,10 @@ import (
 	"encoding/hex"
 	"fmt"
 
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
 	"github.com/lightninglabs/loop/looprpc"
 	"github.com/lightninglabs/taproot-assets/asset"
+	"github.com/lightningnetwork/lnd/lntypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -176,3 +178,39 @@ func (s *Server) WithdrawAssetDeposits(ctx context.Context,
 
 	return &looprpc.WithdrawAssetDepositsResponse{}, nil
 }
+
+// PushAssetDepositHtlcSig is the rpc endpoint for loop clients to push partial
+// signatures for asset deposit spending zero fee HTLCs to the server.
+func (s *Server) PushAssetDepositHtlcSig(ctx context.Context,
+	in *looprpc.PushAssetDepositHtlcSigRequest) (
+	*looprpc.PushAssetDepositHtlcSigResponse, error) {
+
+	if len(in.Nonce) != musig2.PubNonceSize {
+		return nil, status.Error(codes.InvalidArgument,
+			fmt.Sprintf("invalid nonce length: expected %d bytes, "+
+				"got %d", musig2.PubNonceSize, len(in.Nonce)))
+	}
+
+	if len(in.PreimageHash) != lntypes.HashSize {
+		return nil, status.Error(codes.InvalidArgument,
+			fmt.Sprintf("invalid preimage hash length: expected "+
+				"%d bytes, got %d", lntypes.HashSize,
+				len(in.PreimageHash)))
+	}
+
+	var (
+		nonce        [musig2.PubNonceSize]byte
+		preimageHash lntypes.Hash
+	)
+	copy(nonce[:], in.Nonce)
+	copy(preimageHash[:], in.PreimageHash)
+
+	err := s.manager.PushHtlcSig(
+		ctx, in.DepositId, nonce, preimageHash, in.CsvExpiry,
+	)
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+
+	return &looprpc.PushAssetDepositHtlcSigResponse{}, nil
+}

assets/deposit/signer.go

@@ -0,0 +1,112 @@
+package deposit
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
+	"github.com/lightninglabs/lndclient"
+	"github.com/lightningnetwork/lnd/input"
+)
+
+type MuSig2Signer struct {
+	signer lndclient.SignerClient
+
+	scriptKey      *btcec.PublicKey
+	otherPubKey    *btcec.PublicKey
+	anchorRootHash []byte
+
+	session input.MuSig2Session
+}
+
+func NewMuSig2Signer(signer lndclient.SignerClient, deposit *Kit, funder bool,
+	anchorRootHash []byte) *MuSig2Signer {
+
+	scriptKey := deposit.FunderScriptKey
+	otherPubKey := deposit.CoSignerInternalKey
+	if !funder {
+		scriptKey = deposit.CoSignerScriptKey
+		otherPubKey = deposit.FunderInternalKey
+	}
+
+	return &MuSig2Signer{
+		signer:         signer,
+		scriptKey:      scriptKey,
+		otherPubKey:    otherPubKey,
+		anchorRootHash: anchorRootHash,
+	}
+}
+
+func (s *MuSig2Signer) NewSession(ctx context.Context) error {
+	// Derive the internal key that will be used to sign the message.
+	signingPubKey, signingPrivKey, err := DeriveSharedDepositKey(
+		ctx, s.signer, s.scriptKey,
+	)
+	if err != nil {
+		return err
+	}
+
+	pubKeys := []*btcec.PublicKey{
+		signingPubKey, s.otherPubKey,
+	}
+
+	tweaks := &input.MuSig2Tweaks{
+		TaprootTweak: s.anchorRootHash,
+	}
+
+	_, session, err := input.MuSig2CreateContext(
+		input.MuSig2Version100RC2, signingPrivKey, pubKeys, tweaks, nil,
+	)
+	if err != nil {
+		return fmt.Errorf("error creating signing context: %w", err)
+	}
+
+	s.session = session
+
+	return nil
+}
+
+func (s *MuSig2Signer) Session() input.MuSig2Session {
+	return s.session
+}
+
+func (s *MuSig2Signer) PubNonce() ([musig2.PubNonceSize]byte, error) {
+	// If we don't have a session, we can't return a public nonce.
+	if s.session == nil {
+		return [musig2.PubNonceSize]byte{}, fmt.Errorf("no session " +
+			"available")
+	}
+
+	// Return the public nonce of the current session.
+	return s.session.PublicNonce(), nil
+}
+
+// PartialSignMuSig2 is used to partially sign a message hash with the deposit's
+// keys.
+func (s *MuSig2Signer) PartialSignMuSig2(otherNonce [musig2.PubNonceSize]byte,
+	message [32]byte) ([]byte, error) {
+
+	if s.session == nil {
+		return nil, fmt.Errorf("no session available")
+	}
+
+	_, err := s.session.RegisterPubNonce(otherNonce)
+	if err != nil {
+		return nil, err
+	}
+
+	partialSig, err := input.MuSig2Sign(s.session, message, true)
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	err = partialSig.Encode(&buf)
+	if err != nil {
+		return nil, fmt.Errorf("error encoding partial sig: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}

assets/deposit/sweeper.go

@@ -16,12 +16,16 @@ import (
 	"github.com/btcsuite/btcwallet/wtxmgr"
 	"github.com/lightninglabs/lndclient"
 	"github.com/lightninglabs/loop/assets"
+	"github.com/lightninglabs/loop/assets/htlc"
 	"github.com/lightninglabs/loop/utils"
 	"github.com/lightninglabs/taproot-assets/address"
 	"github.com/lightninglabs/taproot-assets/asset"
 	"github.com/lightninglabs/taproot-assets/proof"
+	"github.com/lightninglabs/taproot-assets/tappsbt"
 	"github.com/lightninglabs/taproot-assets/taprpc"
+	"github.com/lightninglabs/taproot-assets/taprpc/assetwalletrpc"
 	"github.com/lightningnetwork/lnd/input"
+	"github.com/lightningnetwork/lnd/lntypes"
 	"github.com/lightningnetwork/lnd/lnwallet/chainfee"
 )
 
@@ -346,3 +350,68 @@ func getSigHash(tx *wire.MsgTx, idx int,
 
 	return sigHash, nil
 }
+
+// GetHTLC creates a new zero-fee HTLC packet to be able to partially sign it
+// and send it to the server for further processing.
+//
+// TODO(bhandras): add support for spending multiple deposits into the HTLC.
+func (s *Sweeper) GetHTLC(ctx context.Context, deposit *Kit,
+	depositProof *proof.Proof, amount uint64, hash lntypes.Hash,
+	csvExpiry uint32) (*htlc.SwapKit, *psbt.Packet, []*tappsbt.VPacket,
+	[]*tappsbt.VPacket, *assetwalletrpc.CommitVirtualPsbtsResponse, error) {
+
+	// Genearate the HTLC address that will be used to sweep the deposit to
+	// in case the client is uncooperative.
+	rpcHtlcAddr, swapKit, err := deposit.NewHtlcAddr(
+		ctx, s.tapdClient, amount, hash, csvExpiry,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("unable to create "+
+			"htlc addr: %v", err)
+	}
+
+	htlcAddr, err := address.DecodeAddress(
+		rpcHtlcAddr.Encoded, &s.addressParams,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, err
+	}
+	htlcScriptKey := asset.NewScriptKey(&htlcAddr.ScriptKey)
+
+	// Now we can create the sweep vpacket that'd sweep the deposited
+	// assets to the HTLC output.
+	depositSpendVpkt, err := assets.CreateOpTrueSweepVpkt(
+		ctx, []*proof.Proof{depositProof}, htlcScriptKey,
+		&htlcAddr.InternalKey, htlcAddr.TapscriptSibling,
+		&s.addressParams,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("unable to create "+
+			"deposit spend vpacket: %v", err)
+	}
+
+	// By committing the virtual transaction to the BTC template we
+	// created, our lnd node will fund the BTC level transaction with an
+	// input to pay for the fees. We'll further add a change output to the
+	// transaction that will be generated using the above key descriptor.
+	feeRate := chainfee.SatPerVByte(0)
+
+	// Use an empty lock ID, as we don't need to lock any UTXOs for this
+	// operation.
+	lockID := wtxmgr.LockID{}
+
+	htlcBtcPkt, activeAssets, passiveAssets, commitResp, err :=
+		s.tapdClient.PrepareAndCommitVirtualPsbts(
+			ctx, depositSpendVpkt, feeRate, nil,
+			s.addressParams.Params, nil, &lockID,
+			time.Duration(0),
+		)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("deposit spend "+
+			"HTLC prepare and commit failed: %v", err)
+	}
+
+	htlcBtcPkt.UnsignedTx.Version = 3
+
+	return swapKit, htlcBtcPkt, activeAssets, passiveAssets, commitResp, nil
+}

looprpc/perms.go

@@ -196,4 +196,8 @@ var RequiredPermissions = map[string][]bakery.Op{
 		Entity: "swap",
 		Action: "execute",
 	}},
+	"/looprpc.AssetDepositClient/PushAssetDepositHtlcSig": {{
+		Entity: "swap",
+		Action: "execute",
+	}},
 }