crypto: add some notes re considerations

electrum/crypto.py

@@ -410,6 +410,9 @@ def chacha20_poly1305_decrypt(
 
 
 def chacha20_encrypt(*, key: bytes, nonce: bytes, data: bytes) -> bytes:
+    """note: for any new protocol you design, please consider using chacha20_poly1305_encrypt instead
+             (for its Authenticated Encryption property).
+    """
     assert isinstance(key, (bytes, bytearray))
     assert isinstance(nonce, (bytes, bytearray))
     assert isinstance(data, (bytes, bytearray))

electrum/lnutil.py

@@ -1606,7 +1606,12 @@ def extract_nodeid(connect_contents: str) -> Tuple[bytes, Optional[str]]:
 
 
 # key derivation
-# see lnd/keychain/derivation.go
+# originally based on lnd/keychain/derivation.go
+# notes:
+# - Add a new path for each use case. Do not reuse existing paths.
+#   (to avoid having to carefully consider if reuse would be safe)
+# - Always prefer to use hardened derivation for new paths you add.
+#   (to avoid having to carefully consider if unhardened would be safe)
 class LnKeyFamily(IntEnum):
     MULTISIG = 0 | BIP32_PRIME
     REVOCATION_BASE = 1 | BIP32_PRIME

electrum/lnworker.py

@@ -1383,6 +1383,8 @@ class LNWallet(LNWorker):
     def encrypt_cb_data(self, data, funding_address):
         funding_scripthash = bytes.fromhex(address_to_scripthash(funding_address))
         nonce = funding_scripthash[0:12]
+        # note: we are only using chacha20 instead of chacha20+poly1305 to save onchain space
+        #       (not have the 16 byte MAC). Otherwise, the latter would be preferable.
         return chacha20_encrypt(key=self.backup_key, data=data, nonce=nonce)
 
     def mktx_for_open_channel(