Merge #61: Add ELIP-deterministic-descriptor-blinding-key module

apoelstra · apoelstra · commit 259f7c43917e · 2024-01-09T16:23:59.000Z
34005bc Add ELIP-151 module (Leonardo Comandini) Pull request description: Reference implementation for ElementsProject/ELIPs#8 ACKs for top commit: apoelstra: ACK 34005bc Tree-SHA512: 8f376d246f6240820606dc555401e94bfadc92614644c3eeafde57674bc62b8e20cde766632540325ceb4e35e51a7006d9bdf175e5b9eb3948a5f5fe56f137eb
diff --git a/src/confidential/elip151.rs b/src/confidential/elip151.rs
@@ -0,0 +1,207 @@
+// Miniscript
+// Written in 2023 by Leonardo Comandini
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this software to
+// the public domain worldwide. This software is distributed without
+// any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication
+// along with this software.
+// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+//
+
+//! ELIP151
+//!
+//! Implementation of the ELIP151 protocol, documented at
+//! https://github.com/ElementsProject/ELIPs/blob/main/elip-0151.md
+//!
+
+use bitcoin::hashes::{sha256t_hash_newtype, Hash};
+use bitcoin::secp256k1;
+use bitcoin::Network;
+use elements::encode::Encodable;
+use elements::opcodes;
+use elements::script::Builder;
+
+use crate::confidential::{Descriptor as ConfidentialDescriptor, Key};
+use crate::descriptor::{DescriptorSecretKey, SinglePriv};
+use crate::extensions::{Extension, ParseableExt};
+use crate::{Descriptor as OrdinaryDescriptor, DescriptorPublicKey, Error};
+
+/// The SHA-256 initial midstate value for the [`Elip151Hash`].
+const MIDSTATE_ELIP151: [u8; 32] = [
+    0x49, 0x81, 0x61, 0xd8, 0x52, 0x45, 0xf7, 0xaa, 0xd8, 0x24, 0x27, 0xb5, 0x64, 0x69, 0xe7, 0xd6,
+    0x98, 0x17, 0xeb, 0x0f, 0x27, 0x14, 0x6f, 0x4e, 0x7b, 0x95, 0xb3, 0x6e, 0x46, 0xc1, 0xb5, 0x61,
+];
+
+sha256t_hash_newtype!(
+    Elip151Hash,
+    Elip151Tag,
+    MIDSTATE_ELIP151,
+    64,
+    doc = "ELIP-151 Deterministic descriptor blinding keys",
+    forward
+);
+
+impl Key {
+    pub fn from_elip151<T: Extension + ParseableExt>(
+        descriptor: &OrdinaryDescriptor<DescriptorPublicKey, T>,
+    ) -> Result<Self, Error> {
+        if !descriptor.has_wildcard() {
+            return Err(Error::Unexpected(
+                "Descriptors without wildcards are not supported in elip151".into(),
+            ));
+        }
+
+        // Handle multi-path
+        let script_pubkeys: Vec<_> = descriptor
+            .clone()
+            .into_single_descriptors()
+            .expect("valid descriptor")
+            .iter()
+            .map(|descriptor| {
+                // Remove wildcards
+                descriptor
+                    .at_derivation_index((1 << 31) - 1)
+                    .expect("index not hardened, not multi-path")
+                    .script_pubkey()
+            })
+            .collect();
+
+        let mut eng = Elip151Hash::engine();
+        for script_pubkey in script_pubkeys {
+            Builder::new()
+                .push_opcode(opcodes::all::OP_INVALIDOPCODE)
+                .into_script()
+                .consensus_encode(&mut eng)
+                .expect("engines don't error");
+            script_pubkey
+                .consensus_encode(&mut eng)
+                .expect("engines don't error");
+        }
+        let hash_bytes = Elip151Hash::from_engine(eng).to_byte_array();
+
+        // This computes mod n
+        let scalar = secp256k1::scalar::Scalar::from_be_bytes(hash_bytes).expect("bytes from hash");
+        let secret_key =
+            secp256k1::SecretKey::from_slice(&scalar.to_be_bytes()).expect("bytes from scalar");
+
+        // Single view keys are displayed as hex (not WIF) so we can choose any netowrk here
+        let network = Network::Bitcoin;
+        Ok(Key::View(DescriptorSecretKey::Single(SinglePriv {
+            origin: None,
+            key: bitcoin::key::PrivateKey::new(secret_key, network),
+        })))
+    }
+}
+
+impl<T: Extension + ParseableExt> ConfidentialDescriptor<DescriptorPublicKey, T> {
+    pub fn with_elip151_descriptor_blinding_key(
+        descriptor: OrdinaryDescriptor<DescriptorPublicKey, T>,
+    ) -> Result<Self, Error> {
+        Ok(ConfidentialDescriptor {
+            key: Key::from_elip151(&descriptor)?,
+            descriptor,
+        })
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use crate::descriptor::checksum::desc_checksum;
+    use bitcoin::hashes::{sha256, HashEngine};
+    use std::str::FromStr;
+
+    #[test]
+    fn tagged_hash_elip151() {
+        // Check that cached midstate is computed correctly, code from rust-bitcoin
+        let mut engine = sha256::Hash::engine();
+        let tag_hash = sha256::Hash::hash(b"Deterministic-View-Key/1.0");
+        engine.input(&tag_hash[..]);
+        engine.input(&tag_hash[..]);
+        assert_eq!(MIDSTATE_ELIP151, engine.midstate().to_byte_array());
+    }
+
+    fn add_checksum(desc: &str) -> String {
+        if desc.find('#').is_some() {
+            desc.into()
+        } else {
+            format!("{}#{}", desc, desc_checksum(desc).unwrap())
+        }
+    }
+
+    fn confidential_descriptor(
+        desc: &str,
+    ) -> Result<ConfidentialDescriptor<DescriptorPublicKey>, Error> {
+        let desc = add_checksum(desc);
+        let desc = OrdinaryDescriptor::<DescriptorPublicKey>::from_str(&desc).unwrap();
+        ConfidentialDescriptor::with_elip151_descriptor_blinding_key(desc)
+    }
+
+    fn _first_address(desc: &ConfidentialDescriptor<DescriptorPublicKey>) -> String {
+        let single_desc = if desc.descriptor.is_multipath() {
+            let descriptor = desc
+                .descriptor
+                .clone()
+                .into_single_descriptors()
+                .unwrap()
+                .first()
+                .unwrap()
+                .clone();
+            ConfidentialDescriptor {
+                key: desc.key.clone(),
+                descriptor,
+            }
+        } else {
+            desc.clone()
+        };
+        let definite_desc = single_desc.at_derivation_index(0).unwrap();
+        let secp = elements::secp256k1_zkp::Secp256k1::new();
+        let params = &elements::AddressParams::ELEMENTS;
+        definite_desc.address(&secp, params).unwrap().to_string()
+    }
+
+    #[test]
+    fn test_vectors_elip151() {
+        let xpub = "xpub661MyMwAqRbcFkPHucMnrGNzDwb6teAX1RbKQmqtEF8kK3Z7LZ59qafCjB9eCRLiTVG3uxBxgKvRgbubRhqSKXnGGb1aoaqLrpMBDrVxga8";
+        let pubkey = "03d902f35f560e0470c63313c7369168d9d7df2d49bf295fd9fb7cb109ccee0494";
+
+        let mut _i = 0;
+        for desc in [
+            &format!("elwpkh({xpub}/<0;1>/*)"),
+            &format!("elwpkh({xpub}/0/*)"),
+        ] {
+            let conf_desc = confidential_descriptor(desc).unwrap();
+            let elip151_desc = add_checksum(&format!("ct(elip151,{})", desc));
+            let conf_desc_elip151 = ConfidentialDescriptor::<DescriptorPublicKey>::from_str(&elip151_desc).unwrap();
+            assert_eq!(conf_desc, conf_desc_elip151);
+
+            // Uncomment this and below to regenerate test vectors; to see the output, run
+            // cargo test test_vectors_elip151 -- --nocapture
+            /*
+            _i = _i + 1;
+            println!("* Test vector {}", _i);
+            println!("** Ordinary descriptor: <code>{}</code>", add_checksum(desc));
+            println!("** Derived descriptor blinding key: <code>{}</code>", conf_desc.key);
+            println!("** Derived confidential descriptor: <code>{}</code>", conf_desc);
+            println!("** Derived confidential descriptor (equivalent version): <code>{}</code>", elip151_desc);
+            println!("** First address: <code>{}</code>", _first_address(&conf_desc))
+            */
+        }
+
+        _i = 0;
+        for invalid_desc in [&format!("elwpkh({xpub})"), &format!("elwpkh({pubkey})")] {
+            let err = confidential_descriptor(invalid_desc).unwrap_err();
+            let text = "Descriptors without wildcards are not supported in elip151".to_string();
+            assert_eq!(err, Error::Unexpected(text));
+            /*
+            _i = _i + 1;
+            println!("* Invalid Test vector {}", _i);
+            println!("** Ordinary descriptor: <code>{}</code>", add_checksum(invalid_desc));
+            println!("** Invalid confidential descriptor: <code>{}</code>", add_checksum(&format!("ct(elip151,{})", invalid_desc)));
+            */
+        }
+    }
+}
diff --git a/src/confidential/mod.rs b/src/confidential/mod.rs
@@ -18,6 +18,7 @@
 //!
 
 pub mod bare;
+pub mod elip151;
 pub mod slip77;
 
 use std::fmt;
@@ -216,6 +217,10 @@ impl_from_str!(
         let keyexpr = &top.args[0];
         Ok(Descriptor {
             key: match (keyexpr.name, keyexpr.args.len()) {
+                ("elip151", 0) => {
+                    let d = crate::Descriptor::<DescriptorPublicKey>::from_tree(&top.args[1])?;
+                    Key::from_elip151(&d)?
+                }
                 ("slip77", 1) => Key::Slip77(expression::terminal(&keyexpr.args[0], slip77::MasterBlindingKey::from_str)?),
                 ("slip77", _) => return Err(Error::BadDescriptor(
                     "slip77() must have exactly one argument".to_owned()
