Derive the per-commitment point from a per-commitment secret.

per_commitment_point = per_commitment_secret * G

>>> let secret = PerCommitmentSecret (BS.replicate 32 0x01)
>>> derive_per_commitment_point secret
Just (PerCommitmentPoint ...)

Derive a pubkey from a basepoint and per-commitment point.

pubkey = basepoint + SHA256(per_commitment_point || basepoint) * G

This is the general derivation formula used for localpubkey, local_htlcpubkey, remote_htlcpubkey, local_delayedpubkey, and remote_delayedpubkey.

>>> derive_pubkey basepoint per_commitment_point
Just (Pubkey ...)

Derive localpubkey from payment_basepoint and per_commitment_point.

>>> derive_localpubkey payment_basepoint per_commitment_point
Just (LocalPubkey ...)

Derive local_htlcpubkey from htlc_basepoint and per_commitment_point.

>>> derive_local_htlcpubkey htlc_basepoint per_commitment_point
Just (LocalHtlcPubkey ...)

Derive remote_htlcpubkey from htlc_basepoint and per_commitment_point.

>>> derive_remote_htlcpubkey htlc_basepoint per_commitment_point
Just (RemoteHtlcPubkey ...)

Derive local_delayedpubkey from delayed_payment_basepoint and per_commitment_point.

>>> derive_local_delayedpubkey delayed_payment_basepoint per_commitment_point
Just (LocalDelayedPubkey ...)

Derive remote_delayedpubkey from delayed_payment_basepoint and per_commitment_point.

>>> derive_remote_delayedpubkey delayed_payment_basepoint pcp
Just (RemoteDelayedPubkey ...)

Derive revocationpubkey from revocation_basepoint and per_commitment_point.

revocationpubkey = revocation_basepoint
                     * SHA256(revocation_basepoint || per_commitment_point)
                 + per_commitment_point
                     * SHA256(per_commitment_point || revocation_basepoint)

>>> derive_revocationpubkey revocation_basepoint per_commitment_point
Just (RevocationPubkey ...)

Generate the I'th per-commitment secret from a seed.

Implements the generate_from_seed algorithm from BOLT #3:

generate_from_seed(seed, I):
    P = seed
    for B in 47 down to 0:
        if B set in I:
            flip(B) in P
            P = SHA256(P)
    return P

>>> generate_from_seed seed 281474976710655
<32-byte secret>

Derive a secret from a base secret.

This is a generalization of generate_from_seed used for efficient secret storage. Given a base secret whose index has bits..47 the same as target index I, derive the I'th secret.

derive_secret(base, bits, I):
    P = base
    for B in bits - 1 down to 0:
        if B set in I:
            flip(B) in P
            P = SHA256(P)
    return P

Compact storage for per-commitment secrets.

Stores up to 49 (value, index) pairs, allowing efficient derivation of any previously-received secret. This is possible because for a given secret on a 2^X boundary, all secrets up to the next 2^X boundary can be derived from it.

Empty secret store.

Insert a secret into the store, validating against existing secrets.

Returns Nothing if the secret doesn't derive correctly from known secrets (indicating the secrets weren't generated from the same seed).

>>> insert_secret secret 281474976710655 empty_store
Just (SecretStore ...)

Derive a previously-received secret from the store.

Iterates over known secrets to find one whose index is a prefix of the target index, then derives the target secret from it.

>>> derive_old_secret 281474976710654 store
Just <32-byte secret>

Calculate the obscured commitment number.

The 48-bit commitment number is obscured by XOR with the lower 48 bits of SHA256(payment_basepoint from open_channel || payment_basepoint from accept_channel).

>>> obscured_commitment_number local_payment_bp remote_payment_bp cn
<obscured value>