multi: return the last ephemeral pub key for a blinded path

Update BuildBlindedPath to also return the very last ephemeral public
key of the route. This can be used by the recipient (ie, the path
builder) to identify an incoming payment.

Author: ellemouton

crypto.go

@@ -332,7 +332,7 @@ func (o *OnionErrorDecrypter) DecryptError(encryptedData []byte) (
 			len(encryptedData))
 	}
 
-	sharedSecrets, err := generateSharedSecrets(
+	sharedSecrets, _, err := generateSharedSecrets(
 		o.circuit.PaymentPath,
 		o.circuit.SessionKey,
 	)

obfuscation_test.go

@@ -29,7 +29,7 @@ func TestOnionFailure(t *testing.T) {
 	errorPath := paymentPath[:len(paymentPath)-1]
 
 	failureData := bytes.Repeat([]byte{'A'}, minOnionErrorLength-sha256.Size)
-	sharedSecrets, err := generateSharedSecrets(paymentPath, sessionKey)
+	sharedSecrets, _, err := generateSharedSecrets(paymentPath, sessionKey)
 	if err != nil {
 		t.Fatalf("Unexpected error while generating secrets: %v", err)
 	}
@@ -196,7 +196,7 @@ func TestOnionFailureSpecVector(t *testing.T) {
 	}
 
 	var obfuscatedData []byte
-	sharedSecrets, err := generateSharedSecrets(paymentPath, sessionKey)
+	sharedSecrets, _, err := generateSharedSecrets(paymentPath, sessionKey)
 	if err != nil {
 		t.Fatalf("Unexpected error while generating secrets: %v", err)
 	}

path.go

@@ -163,11 +163,30 @@ func (i *HopInfo) Encrypt(sharedSecret Hash256) (*BlindedHopInfo, error) {
 	}, nil
 }
 
+// BlindedPathInfo holds a BlindedPath and any other items that a path
+// constructor may find useful.
+type BlindedPathInfo struct {
+	// Path holds the constructed BlindedPath which holds all info about a
+	// blinded path that must be communicated to a potential path user.
+	Path *BlindedPath
+
+	// SessionKey holds the private key that was used as the session key
+	// of the path. This is the private key for the first ephemeral blinding
+	// key of the path.
+	SessionKey *btcec.PrivateKey
+
+	// LastEphemeralKey is the very last ephemeral blinding key used on the
+	// path. This may be useful to the path creator as they can use this
+	// key to uniquely identify the path that was used for an incoming
+	// payment.
+	LastEphemeralKey *btcec.PublicKey
+}
+
 // BuildBlindedPath creates a new BlindedPath from a session key along with a
 // list of HopInfo representing the nodes in the blinded path. The first hop in
 // paymentPath is expected to be the introduction node.
 func BuildBlindedPath(sessionKey *btcec.PrivateKey,
-	paymentPath []*HopInfo) (*BlindedPath, error) {
+	paymentPath []*HopInfo) (*BlindedPathInfo, error) {
 
 	if len(paymentPath) < 1 {
 		return nil, errors.New("at least 1 hop is required to create " +
@@ -185,7 +204,9 @@ func BuildBlindedPath(sessionKey *btcec.PrivateKey,
 		keys[i] = p.NodePub
 	}
 
-	hopSharedSecrets, err := generateSharedSecrets(keys, sessionKey)
+	hopSharedSecrets, lastEphem, err := generateSharedSecrets(
+		keys, sessionKey,
+	)
 	if err != nil {
 		return nil, fmt.Errorf("error generating shared secret: %v",
 			err)
@@ -200,7 +221,11 @@ func BuildBlindedPath(sessionKey *btcec.PrivateKey,
 		bp.BlindedHops[i] = blindedInfo
 	}
 
-	return bp, nil
+	return &BlindedPathInfo{
+		Path:             bp,
+		SessionKey:       sessionKey,
+		LastEphemeralKey: lastEphem,
+	}, nil
 }
 
 // blindNodeID blinds the given public key using the provided shared secret.

path_test.go

@@ -68,10 +68,10 @@ func TestBuildBlindedRoute(t *testing.T) {
 
 	// Construct the concatenated path.
 	path := &BlindedPath{
-		IntroductionPoint: pathBC.IntroductionPoint,
-		BlindingPoint:     pathBC.BlindingPoint,
-		BlindedHops: append(pathBC.BlindedHops,
-			pathED.BlindedHops...),
+		IntroductionPoint: pathBC.Path.IntroductionPoint,
+		BlindingPoint:     pathBC.Path.BlindingPoint,
+		BlindedHops: append(pathBC.Path.BlindedHops,
+			pathED.Path.BlindedHops...),
 	}
 
 	// Check that the constructed path is equal to the test vector path.

sphinx.go

@@ -114,7 +114,7 @@ type OnionPacket struct {
 // generateSharedSecrets by the given nodes pubkeys, generates the shared
 // secrets.
 func generateSharedSecrets(paymentPath []*btcec.PublicKey,
-	sessionKey *btcec.PrivateKey) ([]Hash256, error) {
+	sessionKey *btcec.PrivateKey) ([]Hash256, *btcec.PublicKey, error) {
 
 	// Each hop performs ECDH with our ephemeral key pair to arrive at a
 	// shared secret. Additionally, each hop randomizes the group element
@@ -131,7 +131,7 @@ func generateSharedSecrets(paymentPath []*btcec.PublicKey,
 	sessionKeyECDH := &PrivKeyECDH{PrivKey: sessionKey}
 	sharedSecret, err := sessionKeyECDH.ECDH(paymentPath[0])
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	hopSharedSecrets[0] = sharedSecret
 	lastBlindingFactor := computeBlindingFactor(
@@ -187,7 +187,7 @@ func generateSharedSecrets(paymentPath []*btcec.PublicKey,
 		)
 	}
 
-	return hopSharedSecrets, nil
+	return hopSharedSecrets, lastEphemeralPubKey, nil
 }
 
 // NewOnionPacket creates a new onion packet which is capable of obliviously
@@ -214,7 +214,7 @@ func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
 		return nil, fmt.Errorf("packet filler must be specified")
 	}
 
-	hopSharedSecrets, err := generateSharedSecrets(
+	hopSharedSecrets, _, err := generateSharedSecrets(
 		paymentPath.NodeKeys(), sessionKey,
 	)
 	if err != nil {