Merge pull request #1568 from lightninglabs/verify-stxo-in-v0-proofs

proof: verify stxo proofs if present in v0 proofs

Author: guggero

proof/append.go

@@ -14,15 +14,19 @@ import (
 // GenConfig is a struct that holds the configuration for creating Taproot Asset
 // proofs.
 type GenConfig struct {
-	// transitionVersion is the version of the asset state transition proof
+	// TransitionVersion is the version of the asset state transition proof
 	// that is going to be used.
-	transitionVersion TransitionVersion
+	TransitionVersion TransitionVersion
+
+	// NoSTXOProofs indicates whether to skip the generation of STXO
+	// inclusion and exclusion proofs for the transition proof.
+	NoSTXOProofs bool
 }
 
 // DefaultGenConfig returns a default proof generation configuration.
 func DefaultGenConfig() GenConfig {
 	return GenConfig{
-		transitionVersion: TransitionV0,
+		TransitionVersion: TransitionV0,
 	}
 }
 
@@ -34,7 +38,15 @@ type GenOption func(*GenConfig)
 // given version.
 func WithVersion(v TransitionVersion) GenOption {
 	return func(cfg *GenConfig) {
-		cfg.transitionVersion = v
+		cfg.TransitionVersion = v
+	}
+}
+
+// WithNoSTXOProofs is an option that can be used to skip the generation of
+// STXO inclusion and exclusion proofs for the transition proof.
+func WithNoSTXOProofs() GenOption {
+	return func(cfg *GenConfig) {
+		cfg.NoSTXOProofs = true
 	}
 }
 
@@ -158,7 +170,7 @@ func CreateTransitionProof(prevOut wire.OutPoint, params *TransitionParams,
 	}
 
 	proof, err := baseProof(
-		&params.BaseProofParams, prevOut, cfg.transitionVersion,
+		&params.BaseProofParams, prevOut, cfg.TransitionVersion,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error creating base proofs: %w", err)
@@ -194,7 +206,7 @@ func CreateTransitionProof(prevOut wire.OutPoint, params *TransitionParams,
 		TapSiblingPreimage: params.TapscriptSibling,
 	}
 
-	if proof.Asset.IsTransferRoot() {
+	if proof.Asset.IsTransferRoot() && !cfg.NoSTXOProofs {
 		stxoInclusionProofs := make(
 			map[asset.SerializedKey]commitment.Proof,
 			len(proof.Asset.PrevWitnesses),

proof/mint.go

@@ -266,7 +266,7 @@ func NewMintingBlobs(params *MintParams, vCtx VerifierCtx,
 
 	base, err := baseProof(
 		&params.BaseProofParams, params.GenesisPoint,
-		opts.genConfig.transitionVersion,
+		opts.genConfig.TransitionVersion,
 	)
 	if err != nil {
 		return nil, err

proof/verifier.go

@@ -206,10 +206,12 @@ func (p *Proof) verifyInclusionProof() (*commitment.TapCommitment, error) {
 			ErrStxoInputProofMissing)
 	}
 
-	// We ignore the STXO proofs if the proof signals version 0, or if there
-	// are no STXO proofs present (because they're not needed for this type
-	// of asset).
-	if p.IsVersionV0() || !hasStxoProofs {
+	// We ignore the STXO proofs if they're not needed for this type of
+	// asset or if there are no STXO proofs. At this point we can be sure
+	// that if they are needed they also are present (because of the check
+	// above). If they are not needed, but still present we verify them for
+	// good measure.
+	if !p.Asset.IsTransferRoot() || !hasStxoProofs {
 		return v0Commitment, nil
 	}
 
@@ -292,7 +294,7 @@ func (p *Proof) verifyExclusionProofs() (*commitment.TapCommitmentVersion,
 		maps.Clone(p2trOutputs),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("error veryfying v0 exclusion proof: %w",
+		return nil, fmt.Errorf("error verifying v0 exclusion proof: %w",
 			err)
 	}
 
@@ -318,10 +320,12 @@ func (p *Proof) verifyExclusionProofs() (*commitment.TapCommitmentVersion,
 			ErrStxoInputProofMissing)
 	}
 
-	// We ignore the STXO proofs if the proof signals version 0, or if there
-	// are no STXO proofs present (because they're not needed for this type
-	// of asset).
-	if p.IsVersionV0() || !hasStxoProofs {
+	// We ignore the STXO proofs if they're not needed for this type of
+	// asset or if there are no STXO proofs. At this point we can be sure
+	// that if they are needed they also are present (because of the check
+	// above). If they are not needed, but still present we verify them for
+	// good measure.
+	if !p.Asset.IsTransferRoot() || !hasStxoProofs {
 		return assertVersionConsistency(commitVersions)
 	}
 

proof/verifier_test.go

@@ -453,6 +453,44 @@ func TestVerifyV1InclusionProof(t *testing.T) {
 		},
 		expectedErrContains: "error verifying STXO proof: invalid " +
 			"taproot proof",
+	}, {
+		name: "valid v0 and invalid v1 proofs but with v0 version",
+		makeProof: func(t *testing.T) []*Proof {
+			p, rootCommitments := makeV0InclusionProof(t)
+
+			// We add an STXO asset to the root commitment.
+			_, key := addV1InclusionProof(
+				t, p[0], rootCommitments[0], withAddStxoProof(),
+				withUpdateAnchorTx(),
+			)
+
+			// At this point both proofs are valid. But we want to
+			// invalidate just the v1 proof, so we replace it by one
+			// that is derived from a different commitment. We can
+			// achieve that by downgrading the commitment and
+			// re-deriving the same proof, without updating the
+			// anchor output transaction.
+			clonedCommitment, err := rootCommitments[0].Downgrade()
+			require.NoError(t, err)
+
+			_, v1ProofOld, err := clonedCommitment.Proof(
+				asset.EmptyGenesisID,
+				p[0].Asset.AssetCommitmentKey(),
+			)
+			require.NoError(t, err)
+
+			cp := p[0].InclusionProof.CommitmentProof
+			cp.STXOProofs[key] = *v1ProofOld
+
+			// We now have a invalid v1 proof, but the proof's
+			// version is still set to 0. We do however expect the
+			// verification to fail, since the v1 proof is present
+			// and will be verified..
+
+			return p
+		},
+		expectedErrContains: "error verifying STXO proof: invalid " +
+			"taproot proof",
 	}, {
 		name: "stxo proof missing",
 		makeProof: func(t *testing.T) []*Proof {
@@ -670,6 +708,31 @@ func TestVerifyV1ExclusionProof(t *testing.T) {
 
 			return p
 		},
+	}, {
+		name: "invalid v1 exclusion proof but with v0 version",
+		makeProof: func(t *testing.T) []*Proof {
+			p, _ := makeV0InclusionProof(t)
+
+			// We now correctly prove that the asset isn't in the
+			// second output.
+			emptyCommitment, err := commitment.NewTapCommitment(nil)
+			require.NoError(t, err)
+
+			addV0ExclusionOutput(
+				t, p[0], emptyCommitment,
+				p[0].Asset.TapCommitmentKey(),
+				p[0].Asset.AssetCommitmentKey(), internalKey, 1,
+			)
+
+			randAsset := makeTransferAsset(t)
+			addV1ExclusionProof(
+				t, p[0], *randAsset, emptyCommitment, 1,
+			)
+
+			return p
+		},
+		expectedErrContains: "error verifying v1 exclusion proof: " +
+			"missing STXO asset for key",
 	}, {
 		name: "multiple assets with an exclusion proof each",
 		makeProof: func(t *testing.T) []*Proof {

tapchannel/aux_closer.go

@@ -726,6 +726,7 @@ func (a *AuxChanCloser) FinalizeClose(desc chancloser.AuxCloseDesc,
 			proofSuffix, err := tapsend.CreateProofSuffixCustom(
 				closeTx, vPkt, closeInfo.outputCommitments,
 				outIdx, closeInfo.vPackets, exclusionCreator,
+				proof.WithNoSTXOProofs(),
 			)
 			if err != nil {
 				return fmt.Errorf("unable to create proof "+

tapchannel/aux_funding_controller.go

@@ -1114,6 +1114,7 @@ func (f *FundingController) anchorVPackets(fundedPkt *tapsend.FundedPsbt,
 			proofSuffix, err := tapsend.CreateProofSuffix(
 				fundedPkt.Pkt.UnsignedTx, fundedPkt.Pkt.Outputs,
 				vPkt, outputCommitments, vOutIdx, allPackets,
+				proof.WithNoSTXOProofs(),
 			)
 			if err != nil {
 				return nil, fmt.Errorf("unable to create "+

tapchannel/aux_sweeper.go

@@ -1612,6 +1612,7 @@ func (a *AuxSweeper) importCommitTx(req lnwallet.ResolutionReq,
 			proofSuffix, err := tapsend.CreateProofSuffixCustom(
 				req.CommitTx, vPkt, outCommitments, outIdx,
 				vPackets, exclusionCreator,
+				proof.WithNoSTXOProofs(),
 			)
 			if err != nil {
 				return fmt.Errorf("unable to create "+
@@ -2450,7 +2451,7 @@ func (a *AuxSweeper) registerAndBroadcastSweep(req *sweep.BumpRequest,
 
 			proofSuffix, err := tapsend.CreateProofSuffixCustom(
 				sweepTx, vPkt, outCommitments, outIdx, allVpkts,
-				exclusionCreator,
+				exclusionCreator, proof.WithNoSTXOProofs(),
 			)
 			if err != nil {
 				return fmt.Errorf("unable to create proof "+

tapchannel/commitment.go

@@ -612,7 +612,7 @@ func GenerateCommitmentAllocations(prevState *cmsg.Commitment,
 				fakeCommitTx, vPkt, outCommitments, outIdx,
 				vPackets, tapsend.NonAssetExclusionProofs(
 					allocations,
-				),
+				), proof.WithNoSTXOProofs(),
 			)
 			if err != nil {
 				return nil, nil, fmt.Errorf("unable to create "+

tapsend/proof.go

@@ -155,9 +155,14 @@ func CreateProofSuffixCustom(finalTx *wire.MsgTx, vPacket *tappsbt.VPacket,
 
 	inputPrevID := vPacket.Inputs[0].PrevID
 
+	cfg := proof.DefaultGenConfig()
+	for _, opt := range opts {
+		opt(&cfg)
+	}
+
 	params, err := proofParams(
 		finalTx, vPacket, outputCommitments, outIndex,
-		allAnchoredVPackets,
+		allAnchoredVPackets, cfg.NoSTXOProofs,
 	)
 	if err != nil {
 		return nil, err
@@ -233,7 +238,8 @@ func newParams(finalTx *wire.MsgTx, a *asset.Asset, outputIndex int,
 // proofs for the sender and receiver.
 func proofParams(finalTx *wire.MsgTx, vPkt *tappsbt.VPacket,
 	outputCommitments tappsbt.OutputCommitments, outIndex int,
-	allAnchoredVPackets []*tappsbt.VPacket) (*proof.TransitionParams, error) {
+	allAnchoredVPackets []*tappsbt.VPacket,
+	noStxoProofs bool) (*proof.TransitionParams, error) {
 
 	isSplit, err := vPkt.HasSplitCommitment()
 	if err != nil {
@@ -269,6 +275,12 @@ func proofParams(finalTx *wire.MsgTx, vPkt *tappsbt.VPacket,
 			outputCommitments,
 		)
 
+		// If we don't require STXO exclusion proofs, then we are done
+		// here.
+		if noStxoProofs {
+			return rootParams, err
+		}
+
 		// Add STXO exclusion proofs for all the other outputs, for all
 		// STXOs spent by _all_ VOutputs that anchor in this output.
 		// First Collect all STXOs for this anchor output. Then add