Add method to derive Peer Storage encryption key

Add get_peer_storage_key method to derive a 32-byte encryption key for securing Peer Storage.
This method utilizes HKDF with the node's secret key as input and a fixed info string to generate the encryption key.

 - Add 'get_peer_storage_key' to NodeSigner.
 - Implement 'get_peer_storage_key' for KeysManager & PhantomKeysManager.

Author: Aditya Sharma

fuzz/src/chanmon_consistency.rs

@@ -62,7 +62,9 @@ use lightning::onion_message::messenger::{Destination, MessageRouter, OnionMessa
 use lightning::routing::router::{
 	InFlightHtlcs, Path, PaymentParameters, Route, RouteHop, RouteParameters, Router,
 };
-use lightning::sign::{EntropySource, InMemorySigner, NodeSigner, Recipient, SignerProvider};
+use lightning::sign::{
+	EntropySource, InMemorySigner, NodeSigner, PeerStorageKey, Recipient, SignerProvider,
+};
 use lightning::types::payment::{PaymentHash, PaymentPreimage, PaymentSecret};
 use lightning::util::config::UserConfig;
 use lightning::util::hash_tables::*;
@@ -337,6 +339,10 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		PeerStorageKey::new([42; 32])
+	}
+
 	fn sign_bolt12_invoice(
 		&self, _invoice: &UnsignedBolt12Invoice,
 	) -> Result<schnorr::Signature, ()> {

fuzz/src/full_stack.rs

@@ -34,7 +34,7 @@ use lightning::blinded_path::message::{BlindedMessagePath, MessageContext};
 use lightning::blinded_path::payment::{BlindedPaymentPath, ReceiveTlvs};
 use lightning::chain;
 use lightning::chain::chaininterface::{BroadcasterInterface, ConfirmationTarget, FeeEstimator};
-use lightning::chain::chainmonitor;
+use lightning::chain::chainmonitor::{self, PeerStorageKey};
 use lightning::chain::transaction::OutPoint;
 use lightning::chain::{BestBlock, ChannelMonitorUpdateStatus, Confirm, Listen};
 use lightning::events::Event;
@@ -420,6 +420,10 @@ impl NodeSigner for KeyProvider {
 		let secp_ctx = Secp256k1::signing_only();
 		Ok(secp_ctx.sign_ecdsa(&msg_hash, &self.node_secret))
 	}
+
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		PeerStorageKey::new([42; 32])
+	}
 }
 
 impl SignerProvider for KeyProvider {
@@ -608,6 +612,14 @@ pub fn do_test(mut data: &[u8], logger: &Arc<dyn Logger>) {
 	];
 
 	let broadcast = Arc::new(TestBroadcaster { txn_broadcasted: Mutex::new(Vec::new()) });
+
+	let keys_manager = Arc::new(KeyProvider {
+		node_secret: our_network_key.clone(),
+		inbound_payment_key: ExpandedKey::new(inbound_payment_key),
+		counter: AtomicU64::new(0),
+		signer_state: RefCell::new(new_hash_map()),
+	});
+
 	let monitor = Arc::new(chainmonitor::ChainMonitor::new(
 		None,
 		broadcast.clone(),
@@ -616,12 +628,6 @@ pub fn do_test(mut data: &[u8], logger: &Arc<dyn Logger>) {
 		Arc::new(TestPersister { update_ret: Mutex::new(ChannelMonitorUpdateStatus::Completed) }),
 	));
 
-	let keys_manager = Arc::new(KeyProvider {
-		node_secret: our_network_key.clone(),
-		inbound_payment_key: ExpandedKey::new(inbound_payment_key),
-		counter: AtomicU64::new(0),
-		signer_state: RefCell::new(new_hash_map()),
-	});
 	let network = Network::Bitcoin;
 	let best_block_timestamp = genesis_block(network).header.time;
 	let params = ChainParameters { network, best_block: BestBlock::from_network(network) };

fuzz/src/onion_message.rs

@@ -9,6 +9,7 @@ use lightning::blinded_path::message::{
 	AsyncPaymentsContext, BlindedMessagePath, MessageContext, OffersContext,
 };
 use lightning::blinded_path::EmptyNodeIdLookUp;
+use lightning::chain::chainmonitor::PeerStorageKey;
 use lightning::ln::inbound_payment::ExpandedKey;
 use lightning::ln::msgs::{self, BaseMessageHandler, DecodeError, OnionMessageHandler};
 use lightning::ln::peer_handler::IgnoringMessageHandler;
@@ -249,6 +250,10 @@ impl NodeSigner for KeyProvider {
 	) -> Result<bitcoin::secp256k1::ecdsa::Signature, ()> {
 		unreachable!()
 	}
+
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		unreachable!()
+	}
 }
 
 impl SignerProvider for KeyProvider {

lightning/src/ln/blinded_payment_tests.rs

@@ -32,7 +32,7 @@ use crate::offers::invoice::UnsignedBolt12Invoice;
 use crate::offers::nonce::Nonce;
 use crate::prelude::*;
 use crate::routing::router::{BlindedTail, Path, Payee, PaymentParameters, RouteHop, RouteParameters, TrampolineHop};
-use crate::sign::{NodeSigner, Recipient};
+use crate::sign::{NodeSigner, PeerStorageKey, Recipient};
 use crate::util::config::UserConfig;
 use crate::util::ser::{WithoutLength, Writeable};
 use crate::util::test_utils;
@@ -1609,6 +1609,7 @@ fn route_blinding_spec_test_vector() {
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,
 		) -> Result<RecoverableSignature, ()> { unreachable!() }
+		fn get_peer_storage_key(&self) -> PeerStorageKey { unreachable!() }
 		fn sign_bolt12_invoice(
 			&self, _invoice: &UnsignedBolt12Invoice,
 		) -> Result<schnorr::Signature, ()> { unreachable!() }
@@ -1918,6 +1919,7 @@ fn test_trampoline_inbound_payment_decoding() {
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,
 		) -> Result<RecoverableSignature, ()> { unreachable!() }
+		fn get_peer_storage_key(&self) -> PeerStorageKey { unreachable!() }
 		fn sign_bolt12_invoice(
 			&self, _invoice: &UnsignedBolt12Invoice,
 		) -> Result<schnorr::Signature, ()> { unreachable!() }

lightning/src/ln/channelmanager.rs

@@ -16400,19 +16400,19 @@ pub mod bench {
 		config.channel_config.max_dust_htlc_exposure = MaxDustHTLCExposure::FeeRateMultiplier(5_000_000 / 253);
 		config.channel_handshake_config.minimum_depth = 1;
 
-		let chain_monitor_a = ChainMonitor::new(None, &tx_broadcaster, &logger_a, &fee_estimator, &persister_a);
 		let seed_a = [1u8; 32];
 		let keys_manager_a = KeysManager::new(&seed_a, 42, 42);
+		let chain_monitor_a = ChainMonitor::new(None, &tx_broadcaster, &logger_a, &fee_estimator, &persister_a, keys_manager_a.get_peer_storage_key());
 		let node_a = ChannelManager::new(&fee_estimator, &chain_monitor_a, &tx_broadcaster, &router, &message_router, &logger_a, &keys_manager_a, &keys_manager_a, &keys_manager_a, config.clone(), ChainParameters {
 			network,
 			best_block: BestBlock::from_network(network),
 		}, genesis_block.header.time);
 		let node_a_holder = ANodeHolder { node: &node_a };
 
 		let logger_b = test_utils::TestLogger::with_id("node a".to_owned());
-		let chain_monitor_b = ChainMonitor::new(None, &tx_broadcaster, &logger_a, &fee_estimator, &persister_b);
 		let seed_b = [2u8; 32];
 		let keys_manager_b = KeysManager::new(&seed_b, 42, 42);
+		let chain_monitor_b = ChainMonitor::new(None, &tx_broadcaster, &logger_a, &fee_estimator, &persister_b, keys_manager_b.get_peer_storage_key());
 		let node_b = ChannelManager::new(&fee_estimator, &chain_monitor_b, &tx_broadcaster, &router, &message_router, &logger_b, &keys_manager_b, &keys_manager_b, &keys_manager_b, config.clone(), ChainParameters {
 			network,
 			best_block: BestBlock::from_network(network),

lightning/src/sign/mod.rs

@@ -794,6 +794,13 @@ pub trait ChannelSigner {
 	fn channel_keys_id(&self) -> [u8; 32];
 }
 
+/// Represents Secret Key used for encrypting Peer Storage.
+#[derive(Clone, Copy, PartialEq, Eq)]
+pub struct PeerStorageKey {
+	/// Represents the key used to encrypt and decrypt Peer Storage.
+	pub inner: [u8; 32],
+}
+
 /// Specifies the recipient of an invoice.
 ///
 /// This indicates to [`NodeSigner::sign_invoice`] what node secret key should be used to sign
@@ -832,6 +839,15 @@ pub trait NodeSigner {
 	/// [phantom node payments]: PhantomKeysManager
 	fn get_inbound_payment_key(&self) -> ExpandedKey;
 
+	/// Defines a method to derive a 32-byte encryption key for peer storage.
+	///
+	/// Implementations of this method must derive a secure encryption key.
+	/// The key is used to encrypt or decrypt backups of our state stored with our peers.
+	///
+	/// Thus, if you wish to rely on recovery using this method, you should use a key which
+	/// can be re-derived from data which would be available after state loss (eg the wallet seed).
+	fn get_peer_storage_key(&self) -> PeerStorageKey;
+
 	/// Get node id based on the provided [`Recipient`].
 	///
 	/// This method must return the same value each time it is called with a given [`Recipient`]
@@ -1771,6 +1787,7 @@ pub struct KeysManager {
 	shutdown_pubkey: PublicKey,
 	channel_master_key: Xpriv,
 	channel_child_index: AtomicUsize,
+	peer_storage_key: PeerStorageKey,
 
 	#[cfg(test)]
 	pub(crate) entropy_source: RandomBytes,
@@ -1839,6 +1856,10 @@ impl KeysManager {
 					.private_key;
 				let mut inbound_pmt_key_bytes = [0; 32];
 				inbound_pmt_key_bytes.copy_from_slice(&inbound_payment_key[..]);
+				let peer_storage_key: SecretKey = master_key
+					.derive_priv(&secp_ctx, &ChildNumber::from_hardened_idx(6).unwrap())
+					.expect("Your RNG is busted")
+					.private_key;
 
 				let mut rand_bytes_engine = Sha256::engine();
 				rand_bytes_engine.input(&starting_time_secs.to_be_bytes());
@@ -1854,6 +1875,8 @@ impl KeysManager {
 					node_id,
 					inbound_payment_key: ExpandedKey::new(inbound_pmt_key_bytes),
 
+					peer_storage_key: PeerStorageKey { inner: peer_storage_key.secret_bytes() },
+
 					destination_script,
 					shutdown_pubkey,
 
@@ -2079,6 +2102,10 @@ impl NodeSigner for KeysManager {
 		self.inbound_payment_key.clone()
 	}
 
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		self.peer_storage_key.clone()
+	}
+
 	fn sign_invoice(
 		&self, invoice: &RawBolt11Invoice, recipient: Recipient,
 	) -> Result<RecoverableSignature, ()> {
@@ -2240,6 +2267,10 @@ impl NodeSigner for PhantomKeysManager {
 		self.inbound_payment_key.clone()
 	}
 
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		self.inner.peer_storage_key.clone()
+	}
+
 	fn sign_invoice(
 		&self, invoice: &RawBolt11Invoice, recipient: Recipient,
 	) -> Result<RecoverableSignature, ()> {

lightning/src/util/dyn_signer.rs

@@ -17,7 +17,9 @@ use crate::sign::taproot::TaprootChannelSigner;
 use crate::sign::ChannelSigner;
 use crate::sign::InMemorySigner;
 use crate::sign::{EntropySource, HTLCDescriptor, OutputSpender, PhantomKeysManager};
-use crate::sign::{NodeSigner, Recipient, SignerProvider, SpendableOutputDescriptor};
+use crate::sign::{
+	NodeSigner, PeerStorageKey, Recipient, SignerProvider, SpendableOutputDescriptor,
+};
 use bitcoin;
 use bitcoin::absolute::LockTime;
 use bitcoin::secp256k1::All;
@@ -214,7 +216,8 @@ inner,
 	fn sign_bolt12_invoice(,
 		invoice: &crate::offers::invoice::UnsignedBolt12Invoice
 	) -> Result<secp256k1::schnorr::Signature, ()>,
-	fn get_inbound_payment_key(,) -> ExpandedKey
+	fn get_inbound_payment_key(,) -> ExpandedKey,
+	fn get_peer_storage_key(,) -> PeerStorageKey
 );
 
 delegate!(DynKeysInterface, SignerProvider,
@@ -278,7 +281,8 @@ delegate!(DynPhantomKeysInterface, NodeSigner,
 	fn sign_invoice(, invoice: &RawBolt11Invoice, recipient: Recipient) -> Result<RecoverableSignature, ()>,
 	fn sign_bolt12_invoice(, invoice: &crate::offers::invoice::UnsignedBolt12Invoice
 	) -> Result<secp256k1::schnorr::Signature, ()>,
-	fn get_inbound_payment_key(,) -> ExpandedKey
+	fn get_inbound_payment_key(,) -> ExpandedKey,
+	fn get_peer_storage_key(,) -> PeerStorageKey
 );
 
 impl SignerProvider for DynPhantomKeysInterface {

lightning/src/util/test_utils.rs

@@ -46,7 +46,7 @@ use crate::routing::router::{
 use crate::routing::scoring::{ChannelUsage, ScoreLookUp, ScoreUpdate};
 use crate::routing::utxo::{UtxoLookup, UtxoLookupError, UtxoResult};
 use crate::sign;
-use crate::sign::ChannelSigner;
+use crate::sign::{ChannelSigner, PeerStorageKey};
 use crate::sync::RwLock;
 use crate::types::features::{ChannelFeatures, InitFeatures, NodeFeatures};
 use crate::util::config::UserConfig;
@@ -1490,6 +1490,10 @@ impl NodeSigner for TestNodeSigner {
 		unreachable!()
 	}
 
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		unreachable!()
+	}
+
 	fn get_node_id(&self, recipient: Recipient) -> Result<PublicKey, ()> {
 		let node_secret = match recipient {
 			Recipient::Node => Ok(&self.node_secret),
@@ -1569,6 +1573,10 @@ impl NodeSigner for TestKeysInterface {
 		self.backing.sign_invoice(invoice, recipient)
 	}
 
+	fn get_peer_storage_key(&self) -> PeerStorageKey {
+		self.backing.get_peer_storage_key()
+	}
+
 	fn sign_bolt12_invoice(
 		&self, invoice: &UnsignedBolt12Invoice,
 	) -> Result<schnorr::Signature, ()> {