lnwallet+htlcswitch: add fuzz-friendly commitment key deriver hook

MPins · MPins · commit 7a5aa9973ec4 · 2026-04-08T16:40:28.000-03:00
Introduce CommitKeyDeriverFunc and WithCommitKeyDeriver to allow
LightningChannel to bypass the secp256k1-based DeriveCommitmentKeys
on every commit round. All internal call sites are migrated to
lc.deriveCommitmentKeys. The fuzz harness injects fuzzCommitKeyDeriver,
a trivial identity deriver that avoids scalar-multiplication overhead.
diff --git a/htlcswitch/fuzz_link_test.go b/htlcswitch/fuzz_link_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/btcsuite/btcd/btcutil"
 	"github.com/btcsuite/btcd/txscript"
 	"github.com/btcsuite/btcd/wire"
+	"github.com/lightningnetwork/lnd/channeldb"
 	"github.com/lightningnetwork/lnd/fn/v2"
 	"github.com/lightningnetwork/lnd/htlcswitch/hop"
 	"github.com/lightningnetwork/lnd/input"
@@ -99,6 +100,52 @@ func fuzzSigVerifier(sig input.Signature, sigHash []byte,
 	return bytes.Equal(sBytes, expected[:])
 }
 
+// fuzzCommitKeyDeriver is a trivial CommitKeyDeriverFunc for fuzz harnesses.
+// It mirrors the local/remote base-point selection of DeriveCommitmentKeys but
+// returns the raw base points without any secp256k1 scalar multiplication,
+// eliminating the ~30% CPU overhead of TweakPubKey/DeriveRevocationPubkey on
+// every commit round. Both Alice and Bob call this with mirrored arguments and
+// arrive at the same underlying public keys, so commitment tx scripts remain
+// consistent across both sides.
+func fuzzCommitKeyDeriver(commitPoint *btcec.PublicKey,
+	whoseCommit lntypes.ChannelParty, _ channeldb.ChannelType, localChanCfg,
+	remoteChanCfg *channeldb.ChannelConfig) *lnwallet.CommitmentKeyRing {
+
+	localBasePoint := localChanCfg.PaymentBasePoint
+	if whoseCommit.IsLocal() {
+		localBasePoint = localChanCfg.DelayBasePoint
+	}
+
+	var toLocalKey, toRemoteKey, revocationKey *btcec.PublicKey
+	if whoseCommit.IsLocal() {
+		toLocalKey = localChanCfg.DelayBasePoint.PubKey
+		toRemoteKey = remoteChanCfg.PaymentBasePoint.PubKey
+		revocationKey = remoteChanCfg.RevocationBasePoint.PubKey
+	} else {
+		toLocalKey = remoteChanCfg.DelayBasePoint.PubKey
+		toRemoteKey = localChanCfg.PaymentBasePoint.PubKey
+		revocationKey = localChanCfg.RevocationBasePoint.PubKey
+	}
+
+	return &lnwallet.CommitmentKeyRing{
+		CommitPoint: commitPoint,
+		// Tweaks are cheap (just SHA256), keep them accurate.
+		LocalCommitKeyTweak: input.SingleTweakBytes(
+			commitPoint, localBasePoint.PubKey,
+		),
+		LocalHtlcKeyTweak: input.SingleTweakBytes(
+			commitPoint, localChanCfg.HtlcBasePoint.PubKey,
+		),
+		// Skip TweakPubKey/DeriveRevocationPubkey — return base points
+		// directly to avoid secp256k1 scalar multiplications.
+		LocalHtlcKey:  localChanCfg.HtlcBasePoint.PubKey,
+		RemoteHtlcKey: remoteChanCfg.HtlcBasePoint.PubKey,
+		ToLocalKey:    toLocalKey,
+		ToRemoteKey:   toRemoteKey,
+		RevocationKey: revocationKey,
+	}
+}
+
 type Event uint8
 
 const (
@@ -207,6 +254,7 @@ func newFuzzFSM(t *testing.T, channelSize, aliceShareGen uint64) *fuzzFSM {
 		withTestSignerFactory(mkFuzzSigner),
 		withTestChanOpts(
 			lnwallet.WithSigVerifier(fuzzSigVerifier),
+			lnwallet.WithCommitKeyDeriver(fuzzCommitKeyDeriver),
 		),
 	)
 	require.NoError(t, err)
diff --git a/lnwallet/channel.go b/lnwallet/channel.go
@@ -647,15 +647,15 @@ func (lc *LightningChannel) diskCommitToMemCommit(
 	// haven't yet received a responding commitment from the remote party.
 	var commitKeys lntypes.Dual[*CommitmentKeyRing]
 	if localCommitPoint != nil {
-		commitKeys.SetForParty(lntypes.Local, DeriveCommitmentKeys(
+		commitKeys.SetForParty(lntypes.Local, lc.deriveCommitmentKeys(
 			localCommitPoint, lntypes.Local,
 			lc.channelState.ChanType,
 			&lc.channelState.LocalChanCfg,
 			&lc.channelState.RemoteChanCfg,
 		))
 	}
 	if remoteCommitPoint != nil {
-		commitKeys.SetForParty(lntypes.Remote, DeriveCommitmentKeys(
+		commitKeys.SetForParty(lntypes.Remote, lc.deriveCommitmentKeys(
 			remoteCommitPoint, lntypes.Remote,
 			lc.channelState.ChanType,
 			&lc.channelState.LocalChanCfg,
@@ -864,6 +864,10 @@ type channelOpts struct {
 	// standard sig.Verify method is used.
 	sigVerifier SigVerifier
 
+	// commitKeyDeriver is an optional override for DeriveCommitmentKeys.
+	// When nil, the real secp256k1-based function is used.
+	commitKeyDeriver CommitKeyDeriverFunc
+
 	skipNonceInit bool
 }
 
@@ -942,6 +946,25 @@ func (lc *LightningChannel) verifySig(sig input.Signature, sigHash []byte,
 	return sig.Verify(sigHash, pubKey)
 }
 
+// deriveCommitmentKeys calls the injected CommitKeyDeriverFunc if one is set,
+// otherwise falls back to the real secp256k1-based DeriveCommitmentKeys.
+func (lc *LightningChannel) deriveCommitmentKeys(commitPoint *btcec.PublicKey,
+	whoseCommit lntypes.ChannelParty, chanType channeldb.ChannelType,
+	localChanCfg, remoteChanCfg *channeldb.ChannelConfig) *CommitmentKeyRing { //nolint:ll
+
+	if lc.opts.commitKeyDeriver != nil {
+		return lc.opts.commitKeyDeriver(
+			commitPoint, whoseCommit, chanType,
+			localChanCfg, remoteChanCfg,
+		)
+	}
+
+	return DeriveCommitmentKeys(
+		commitPoint, whoseCommit, chanType,
+		localChanCfg, remoteChanCfg,
+	)
+}
+
 // NewLightningChannel creates a new, active payment channel given an
 // implementation of the chain notifier, channel database, and the current
 // settled channel state. Throughout state transitions, then channel will
@@ -1565,7 +1588,7 @@ func (lc *LightningChannel) restoreCommitState(
 
 		// We'll also re-create the set of commitment keys needed to
 		// fully re-derive the state.
-		pendingRemoteKeyChain = DeriveCommitmentKeys(
+		pendingRemoteKeyChain = lc.deriveCommitmentKeys(
 			pendingCommitPoint, lntypes.Remote,
 			lc.channelState.ChanType,
 			&lc.channelState.LocalChanCfg,
@@ -4164,7 +4187,7 @@ func (lc *LightningChannel) SignNextCommitment(
 	// Grab the next commitment point for the remote party. This will be
 	// used within fetchCommitmentView to derive all the keys necessary to
 	// construct the commitment state.
-	keyRing := DeriveCommitmentKeys(
+	keyRing := lc.deriveCommitmentKeys(
 		commitPoint, lntypes.Remote, lc.channelState.ChanType,
 		&lc.channelState.LocalChanCfg, &lc.channelState.RemoteChanCfg,
 	)
@@ -5365,7 +5388,7 @@ func (lc *LightningChannel) ReceiveNewCommitment(commitSigs *CommitSigs) error {
 		return err
 	}
 	commitPoint := input.ComputeCommitmentPoint(commitSecret[:])
-	keyRing := DeriveCommitmentKeys(
+	keyRing := lc.deriveCommitmentKeys(
 		commitPoint, lntypes.Local, lc.channelState.ChanType,
 		&lc.channelState.LocalChanCfg, &lc.channelState.RemoteChanCfg,
 	)
@@ -8901,7 +8924,7 @@ func (lc *LightningChannel) NewAnchorResolutions() (*AnchorResolutions,
 		return nil, err
 	}
 	localCommitPoint := input.ComputeCommitmentPoint(revocation[:])
-	localKeyRing := DeriveCommitmentKeys(
+	localKeyRing := lc.deriveCommitmentKeys(
 		localCommitPoint, lntypes.Local, lc.channelState.ChanType,
 		&lc.channelState.LocalChanCfg, &lc.channelState.RemoteChanCfg,
 	)
@@ -8915,7 +8938,7 @@ func (lc *LightningChannel) NewAnchorResolutions() (*AnchorResolutions,
 	resolutions.Local = localRes
 
 	// Add anchor for remote commitment tx, if any.
-	remoteKeyRing := DeriveCommitmentKeys(
+	remoteKeyRing := lc.deriveCommitmentKeys(
 		lc.channelState.RemoteCurrentRevocation, lntypes.Remote,
 		lc.channelState.ChanType, &lc.channelState.LocalChanCfg,
 		&lc.channelState.RemoteChanCfg,
@@ -8936,7 +8959,7 @@ func (lc *LightningChannel) NewAnchorResolutions() (*AnchorResolutions,
 	}
 
 	if remotePendingCommit != nil {
-		pendingRemoteKeyRing := DeriveCommitmentKeys(
+		pendingRemoteKeyRing := lc.deriveCommitmentKeys(
 			lc.channelState.RemoteNextRevocation, lntypes.Remote,
 			lc.channelState.ChanType, &lc.channelState.LocalChanCfg,
 			&lc.channelState.RemoteChanCfg,
diff --git a/lnwallet/mock.go b/lnwallet/mock.go
@@ -541,3 +541,20 @@ func WithSigVerifier(v SigVerifier) ChannelOpt {
 		o.sigVerifier = v
 	}
 }
+
+// CommitKeyDeriverFunc is an optional function that overrides
+// DeriveCommitmentKeys inside LightningChannel. When nil, the real
+// secp256k1-based derivation is used. Inject a trivial version in fuzz/test
+// harnesses to avoid scalar-multiplication overhead on every commit round.
+type CommitKeyDeriverFunc func(commitPoint *btcec.PublicKey,
+	whoseCommit lntypes.ChannelParty, chanType channeldb.ChannelType,
+	localChanCfg, remoteChanCfg *channeldb.ChannelConfig) *CommitmentKeyRing
+
+// WithCommitKeyDeriver injects a custom commitment key derivation function,
+// overriding the default secp256k1-based DeriveCommitmentKeys on every commit
+// round. Intended for fuzz/test harnesses that need to avoid scalar-mult cost.
+func WithCommitKeyDeriver(fn CommitKeyDeriverFunc) ChannelOpt {
+	return func(o *channelOpts) {
+		o.commitKeyDeriver = fn
+	}
+}
