syntax = "proto3"; package signrpc; option go_package = "github.com/lightningnetwork/lnd/lnrpc/signrpc"; // Signer is a service that gives access to the signing functionality of the // daemon's wallet. service Signer { /* SignOutputRaw is a method that can be used to generated a signature for a set of inputs/outputs to a transaction. Each request specifies details concerning how the outputs should be signed, which keys they should be signed with, and also any optional tweaks. The return value is a fixed 64-byte signature (the same format as we use on the wire in Lightning). If we are unable to sign using the specified keys, then an error will be returned. */ rpc SignOutputRaw (SignReq) returns (SignResp); /* ComputeInputScript generates a complete InputIndex for the passed transaction with the signature as defined within the passed SignDescriptor. This method should be capable of generating the proper input script for both regular p2wkh/p2tr outputs and p2wkh outputs nested within a regular p2sh output. Note that when using this method to sign inputs belonging to the wallet, the only items of the SignDescriptor that need to be populated are pkScript in the TxOut field, the value in that same field, and finally the input index. */ rpc ComputeInputScript (SignReq) returns (InputScriptResp); /* SignMessage signs a message with the key specified in the key locator. The returned signature is fixed-size LN wire format encoded. The main difference to SignMessage in the main RPC is that a specific key is used to sign the message instead of the node identity private key. */ rpc SignMessage (SignMessageReq) returns (SignMessageResp); /* VerifyMessage verifies a signature over a message using the public key provided. The signature must be fixed-size LN wire format encoded. The main difference to VerifyMessage in the main RPC is that the public key used to sign the message does not have to be a node known to the network. */ rpc VerifyMessage (VerifyMessageReq) returns (VerifyMessageResp); /* DeriveSharedKey returns a shared secret key by performing Diffie-Hellman key derivation between the ephemeral public key in the request and the node's key specified in the key_desc parameter. Either a key locator or a raw public key is expected in the key_desc, if neither is supplied, defaults to the node's identity private key: P_shared = privKeyNode * ephemeralPubkey The resulting shared public key is serialized in the compressed format and hashed with sha256, resulting in the final key length of 256bit. */ rpc DeriveSharedKey (SharedKeyRequest) returns (SharedKeyResponse); /* MuSig2CombineKeys (experimental!) is a stateless helper RPC that can be used to calculate the combined MuSig2 public key from a list of all participating signers' public keys. This RPC is completely stateless and deterministic and does not create any signing session. It can be used to determine the Taproot public key that should be put in an on-chain output once all public keys are known. A signing session is only needed later when that output should be _spent_ again. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2CombineKeys (MuSig2CombineKeysRequest) returns (MuSig2CombineKeysResponse); /* MuSig2CreateSession (experimental!) creates a new MuSig2 signing session using the local key identified by the key locator. The complete list of all public keys of all signing parties must be provided, including the public key of the local signing key. If nonces of other parties are already known, they can be submitted as well to reduce the number of RPC calls necessary later on. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2CreateSession (MuSig2SessionRequest) returns (MuSig2SessionResponse); /* MuSig2RegisterNonces (experimental!) registers one or more public nonces of other signing participants for a session identified by its ID. This RPC can be called multiple times until all nonces are registered. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2RegisterNonces (MuSig2RegisterNoncesRequest) returns (MuSig2RegisterNoncesResponse); /* MuSig2Sign (experimental!) creates a partial signature using the local signing key that was specified when the session was created. This can only be called when all public nonces of all participants are known and have been registered with the session. If this node isn't responsible for combining all the partial signatures, then the cleanup flag should be set, indicating that the session can be removed from memory once the signature was produced. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2Sign (MuSig2SignRequest) returns (MuSig2SignResponse); /* MuSig2CombineSig (experimental!) combines the given partial signature(s) with the local one, if it already exists. Once a partial signature of all participants is registered, the final signature will be combined and returned. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2CombineSig (MuSig2CombineSigRequest) returns (MuSig2CombineSigResponse); /* MuSig2Cleanup (experimental!) allows a caller to clean up a session early in cases where it's obvious that the signing session won't succeed and the resources can be released. NOTE: The MuSig2 BIP is not final yet and therefore this API must be considered to be HIGHLY EXPERIMENTAL and subject to change in upcoming releases. Backward compatibility is not guaranteed! */ rpc MuSig2Cleanup (MuSig2CleanupRequest) returns (MuSig2CleanupResponse); } message KeyLocator { // The family of key being identified. int32 key_family = 1; // The precise index of the key being identified. int32 key_index = 2; } message KeyDescriptor { /* The raw bytes of the public key in the key pair being identified. Either this or the KeyLocator must be specified. */ bytes raw_key_bytes = 1; /* The key locator that identifies which private key to use for signing. Either this or the raw bytes of the target public key must be specified. */ KeyLocator key_loc = 2; } message TxOut { // The value of the output being spent. int64 value = 1; // The script of the output being spent. bytes pk_script = 2; } enum SignMethod { /* Specifies that a SegWit v0 (p2wkh, np2wkh, p2wsh) input script should be signed. */ SIGN_METHOD_WITNESS_V0 = 0; /* Specifies that a SegWit v1 (p2tr) input should be signed by using the BIP0086 method (commit to internal key only). */ SIGN_METHOD_TAPROOT_KEY_SPEND_BIP0086 = 1; /* Specifies that a SegWit v1 (p2tr) input should be signed by using a given taproot hash to commit to in addition to the internal key. */ SIGN_METHOD_TAPROOT_KEY_SPEND = 2; /* Specifies that a SegWit v1 (p2tr) input should be spent using the script path and that a specific leaf script should be signed for. */ SIGN_METHOD_TAPROOT_SCRIPT_SPEND = 3; } message SignDescriptor { /* A descriptor that precisely describes *which* key to use for signing. This may provide the raw public key directly, or require the Signer to re-derive the key according to the populated derivation path. Note that if the key descriptor was obtained through walletrpc.DeriveKey, then the key locator MUST always be provided, since the derived keys are not persisted unlike with DeriveNextKey. */ KeyDescriptor key_desc = 1; /* A scalar value that will be added to the private key corresponding to the above public key to obtain the private key to be used to sign this input. This value is typically derived via the following computation: * derivedKey = privkey + sha256(perCommitmentPoint || pubKey) mod N */ bytes single_tweak = 2; /* A private key that will be used in combination with its corresponding private key to derive the private key that is to be used to sign the target input. Within the Lightning protocol, this value is typically the commitment secret from a previously revoked commitment transaction. This value is in combination with two hash values, and the original private key to derive the private key to be used when signing. * k = (privKey*sha256(pubKey || tweakPub) + tweakPriv*sha256(tweakPub || pubKey)) mod N */ bytes double_tweak = 3; /* The 32 byte input to the taproot tweak derivation that is used to derive the output key from an internal key: outputKey = internalKey + tagged_hash("tapTweak", internalKey || tapTweak). When doing a BIP 86 spend, this field can be an empty byte slice. When doing a normal key path spend, with the output key committing to an actual script root, then this field should be: the tapscript root hash. */ bytes tap_tweak = 10; /* The full script required to properly redeem the output. This field will only be populated if a p2tr, p2wsh or a p2sh output is being signed. If a taproot script path spend is being attempted, then this should be the raw leaf script. */ bytes witness_script = 4; /* A description of the output being spent. The value and script MUST be provided. */ TxOut output = 5; /* The target sighash type that should be used when generating the final sighash, and signature. */ uint32 sighash = 7; /* The target input within the transaction that should be signed. */ int32 input_index = 8; /* The sign method specifies how the input should be signed. Depending on the method, either the tap_tweak, witness_script or both need to be specified. Defaults to SegWit v0 signing to be backward compatible with older RPC clients. */ SignMethod sign_method = 9; } message SignReq { // The raw bytes of the transaction to be signed. bytes raw_tx_bytes = 1; // A set of sign descriptors, for each input to be signed. repeated SignDescriptor sign_descs = 2; /* The full list of UTXO information for each of the inputs being spent. This is required when spending one or more taproot (SegWit v1) outputs. */ repeated TxOut prev_outputs = 3; } message SignResp { /* A set of signatures realized in a fixed 64-byte format ordered in ascending input order. */ repeated bytes raw_sigs = 1; } message InputScript { // The serializes witness stack for the specified input. repeated bytes witness = 1; /* The optional sig script for the specified witness that will only be set if the input specified is a nested p2sh witness program. */ bytes sig_script = 2; } message InputScriptResp { // The set of fully valid input scripts requested. repeated InputScript input_scripts = 1; } message SignMessageReq { /* The message to be signed. When using REST, this field must be encoded as base64. */ bytes msg = 1; // The key locator that identifies which key to use for signing. KeyLocator key_loc = 2; // Double-SHA256 hash instead of just the default single round. bool double_hash = 3; /* Use the compact (pubkey recoverable) format instead of the raw lnwire format. This option cannot be used with Schnorr signatures. */ bool compact_sig = 4; /* Use Schnorr signature. This option cannot be used with compact format. */ bool schnorr_sig = 5; /* The optional Taproot tweak bytes to apply to the private key before creating a Schnorr signature. The private key is tweaked as described in BIP-341: privKey + h_tapTweak(internalKey || tapTweak) */ bytes schnorr_sig_tap_tweak = 6; } message SignMessageResp { /* The signature for the given message in the fixed-size LN wire format. */ bytes signature = 1; } message VerifyMessageReq { // The message over which the signature is to be verified. When using // REST, this field must be encoded as base64. bytes msg = 1; /* The fixed-size LN wire encoded signature to be verified over the given message. When using REST, this field must be encoded as base64. */ bytes signature = 2; /* The public key the signature has to be valid for. When using REST, this field must be encoded as base64. If the is_schnorr_sig option is true, then the public key is expected to be in the 32-byte x-only serialization according to BIP-340. */ bytes pubkey = 3; /* Specifies if the signature is a Schnorr signature. */ bool is_schnorr_sig = 4; } message VerifyMessageResp { // Whether the signature was valid over the given message. bool valid = 1; } message SharedKeyRequest { // The ephemeral public key to use for the DH key derivation. bytes ephemeral_pubkey = 1; /* Deprecated. The optional key locator of the local key that should be used. If this parameter is not set then the node's identity private key will be used. */ KeyLocator key_loc = 2 [deprecated = true]; /* A key descriptor describes the key used for performing ECDH. Either a key locator or a raw public key is expected, if neither is supplied, defaults to the node's identity private key. */ KeyDescriptor key_desc = 3; } message SharedKeyResponse { // The shared public key, hashed with sha256. bytes shared_key = 1; } message TweakDesc { /* Tweak is the 32-byte value that will modify the public key. */ bytes tweak = 1; /* Specifies if the target key should be converted to an x-only public key before tweaking. If true, then the public key will be mapped to an x-only key before the tweaking operation is applied. */ bool is_x_only = 2; } message TaprootTweakDesc { /* The root hash of the tapscript tree if a script path is committed to. If the MuSig2 key put on chain doesn't also commit to a script path (BIP-0086 key spend only), then this needs to be empty and the key_spend_only field below must be set to true. This is required because gRPC cannot differentiate between a zero-size byte slice and a nil byte slice (both would be serialized the same way). So the extra boolean is required. */ bytes script_root = 1; /* Indicates that the above script_root is expected to be empty because this is a BIP-0086 key spend only commitment where only the internal key is committed to instead of also including a script root hash. */ bool key_spend_only = 2; } message MuSig2CombineKeysRequest { /* A list of all public keys (serialized in 32-byte x-only format!) participating in the signing session. The list will always be sorted lexicographically internally. This must include the local key which is described by the above key_loc. */ repeated bytes all_signer_pubkeys = 1; /* A series of optional generic tweaks to be applied to the the aggregated public key. */ repeated TweakDesc tweaks = 2; /* An optional taproot specific tweak that must be specified if the MuSig2 combined key will be used as the main taproot key of a taproot output on-chain. */ TaprootTweakDesc taproot_tweak = 3; } message MuSig2CombineKeysResponse { /* The combined public key (in the 32-byte x-only format) with all tweaks applied to it. If a taproot tweak is specified, this corresponds to the taproot key that can be put into the on-chain output. */ bytes combined_key = 1; /* The raw combined public key (in the 32-byte x-only format) before any tweaks are applied to it. If a taproot tweak is specified, this corresponds to the internal key that needs to be put into the witness if the script spend path is used. */ bytes taproot_internal_key = 2; } message MuSig2SessionRequest { /* The key locator that identifies which key to use for signing. */ KeyLocator key_loc = 1; /* A list of all public keys (serialized in 32-byte x-only format!) participating in the signing session. The list will always be sorted lexicographically internally. This must include the local key which is described by the above key_loc. */ repeated bytes all_signer_pubkeys = 2; /* An optional list of all public nonces of other signing participants that might already be known. */ repeated bytes other_signer_public_nonces = 3; /* A series of optional generic tweaks to be applied to the the aggregated public key. */ repeated TweakDesc tweaks = 4; /* An optional taproot specific tweak that must be specified if the MuSig2 combined key will be used as the main taproot key of a taproot output on-chain. */ TaprootTweakDesc taproot_tweak = 5; } message MuSig2SessionResponse { /* The unique ID that represents this signing session. A session can be used for producing a signature a single time. If the signing fails for any reason, a new session with the same participants needs to be created. */ bytes session_id = 1; /* The combined public key (in the 32-byte x-only format) with all tweaks applied to it. If a taproot tweak is specified, this corresponds to the taproot key that can be put into the on-chain output. */ bytes combined_key = 2; /* The raw combined public key (in the 32-byte x-only format) before any tweaks are applied to it. If a taproot tweak is specified, this corresponds to the internal key that needs to be put into the witness if the script spend path is used. */ bytes taproot_internal_key = 3; /* The two public nonces the local signer uses, combined into a single value of 66 bytes. Can be split into the two 33-byte points to get the individual nonces. */ bytes local_public_nonces = 4; /* Indicates whether all nonces required to start the signing process are known now. */ bool have_all_nonces = 5; } message MuSig2RegisterNoncesRequest { /* The unique ID of the signing session those nonces should be registered with. */ bytes session_id = 1; /* A list of all public nonces of other signing participants that should be registered. */ repeated bytes other_signer_public_nonces = 3; } message MuSig2RegisterNoncesResponse { /* Indicates whether all nonces required to start the signing process are known now. */ bool have_all_nonces = 1; } message MuSig2SignRequest { /* The unique ID of the signing session to use for signing. */ bytes session_id = 1; /* The 32-byte SHA256 digest of the message to sign. */ bytes message_digest = 2; /* Cleanup indicates that after signing, the session state can be cleaned up, since another participant is going to be responsible for combining the partial signatures. */ bool cleanup = 3; } message MuSig2SignResponse { /* The partial signature created by the local signer. */ bytes local_partial_signature = 1; } message MuSig2CombineSigRequest { /* The unique ID of the signing session to combine the signatures for. */ bytes session_id = 1; /* The list of all other participants' partial signatures to add to the current session. */ repeated bytes other_partial_signatures = 2; } message MuSig2CombineSigResponse { /* Indicates whether all partial signatures required to create a final, full signature are known yet. If this is true, then the final_signature field is set, otherwise it is empty. */ bool have_all_signatures = 1; /* The final, full signature that is valid for the combined public key. */ bytes final_signature = 2; } message MuSig2CleanupRequest { /* The unique ID of the signing session that should be removed/cleaned up. */ bytes session_id = 1; } message MuSig2CleanupResponse { }