lightningnetwork
diff --git a/‎attributable_error_crypto.go
+138 b/‎attributable_error_crypto.go
+138
@@ -0,0 +1,138 @@
+package sphinx
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"io"
+)
+
+type payloadSource byte
+
+const (
+	// payloadIntermediateNode is a marker to signal that this attributable
+	// error payload is originating from a node between the payer and the error
+	// source.
+	payloadIntermediateNode payloadSource = 0
+
+	// payloadErrorNode is a marker to signal that this attributable error
+	// payload is originating from the error source.
+	payloadErrorNode payloadSource = 1
+)
+
+// AttributableErrorStructure contains the parameters that define the structure
+// of the error message that is passed back.
+type AttributableErrorStructure struct {
+	// HopCount is the assumed maximum number of hops in the path.
+	HopCount int
+
+	// FixedPayloadLen is the length of the payload data that each hop along the
+	// route can add.
+	FixedPayloadLen int
+}
+
+func (o *AttributableErrorStructure) maxHops() int {
+	return o.HopCount
+}
+
+func (o *AttributableErrorStructure) payloadDataLen() int {
+	return o.FixedPayloadLen
+}
+
+// totalHmacs is the total number of hmacs that is present in the failure
+// message. Every hop adds HopCount hmacs to the message, but as the error
+// back-propagates, downstream hmacs can be pruned. This results in the number
+// of hmacs for each hop decreasing by one for each step that we move away from
+// the current node.
+func (o *AttributableErrorStructure) totalHmacs() int {
+	return (o.HopCount * (o.HopCount + 1)) / 2
+}
+
+// allHmacsLen is the total length in the bytes of all hmacs in the failure
+// message.
+func (o *AttributableErrorStructure) allHmacsLen() int {
+	return o.totalHmacs() * sha256.Size
+}
+
+// hmacsAndPayloadsLen is the total length in bytes of all hmacs and payloads
+// together.
+func (o *AttributableErrorStructure) hmacsAndPayloadsLen() int {
+	return o.allHmacsLen() + o.allPayloadsLen()
+}
+
+// allPayloadsLen is the total length in bytes of all payloads in the failure
+// message.
+func (o *AttributableErrorStructure) allPayloadsLen() int {
+	return o.payloadLen() * o.HopCount
+}
+
+// payloadLen is the size of the per-node payload. It consists of a 1-byte
+// payload type followed by the payload data.
+func (o *AttributableErrorStructure) payloadLen() int {
+	return 1 + o.payloadDataLen()
+}
+
+// message returns a slice containing the message in the given failure data
+// block. The message is positioned at the beginning of the block.
+func (o *AttributableErrorStructure) message(data []byte) []byte {
+	return data[:len(data)-o.hmacsAndPayloadsLen()]
+}
+
+// payloads returns a slice containing all payloads in the given failure
+// data block. The payloads follow the message in the block.
+func (o *AttributableErrorStructure) payloads(data []byte) []byte {
+	return data[len(data)-o.hmacsAndPayloadsLen() : len(data)-o.allHmacsLen()]
+}
+
+// hmacs returns a slice containing all hmacs in the given failure data block.
+// The hmacs are positioned at the end of the data block.
+func (o *AttributableErrorStructure) hmacs(data []byte) []byte {
+	return data[len(data)-o.allHmacsLen():]
+}
+
+// calculateHmac calculates an hmac given a shared secret and a presumed
+// position in the path. Position is expressed as the distance to the error
+// source. The error source itself is at position 0.
+func (o *AttributableErrorStructure) calculateHmac(sharedSecret Hash256,
+	position int, message, payloads, hmacs []byte) []byte {
+
+	umKey := generateKey("um", &sharedSecret)
+	hash := hmac.New(sha256.New, umKey[:])
+
+	// Include message.
+	_, _ = hash.Write(message)
+
+	// Include payloads including our own.
+	_, _ = hash.Write(payloads[:(o.maxHops()-position)*o.payloadLen()])
+
+	// Include downstream hmacs.
+	writeDownstreamHmacs(position, o.maxHops(), hmacs, hash)
+
+	return hash.Sum(nil)
+}
+
+// writeDownstreamHmacs writes the hmacs of downstream nodes that are relevant
+// for the given position to a writer instance.
+func writeDownstreamHmacs(position, maxHops int, hmacs []byte, w io.Writer) {
+	// Track the index of the next hmac to write in a variable. The first
+	// maxHops slots are reserved for the hmacs of the current hop and can
+	// therefore be skipped. The first hmac to write is part of the block of
+	// hmacs that was written by the first downstream node. Which hmac exactly
+	// is determined by the assumed position of the current node.
+	var currentHmacIdx = maxHops + position
+
+	// Iterate over all downstream nodes.
+	for j := 0; j < maxHops-position-1; j++ {
+		_, _ = w.Write(
+			hmacs[currentHmacIdx*sha256.Size : (currentHmacIdx+1)*sha256.Size],
+		)
+
+		// Calculate the total number of hmacs in the block of the current
+		// downstream node.
+		blockSize := maxHops - j - 1
+
+		// Skip to the next block. The new hmac index will point to the hmac
+		// that corresponds to the next downstream node which is one step closer
+		// to the assumed error source.
+		currentHmacIdx += blockSize
+	}
+}