Add ELIP-deterministic-descriptor-blinding-key module

LeoComandini · LeoComandini · commit 358f6635079c · 2023-11-23T10:28:16.000+01:00
diff --git a/src/confidential/elip_deterministic_descriptor_blinding_key.rs b/src/confidential/elip_deterministic_descriptor_blinding_key.rs
@@ -0,0 +1,186 @@
+// Miniscript
+// Written in 2023 by Leonardo Comandini
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this software to
+// the public domain worldwide. This software is distributed without
+// any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication
+// along with this software.
+// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+//
+
+//! ELIPXXXX
+//!
+//! Implementation of the ELIPXXXX protocol, documented at
+//! https://github.com/ElementsProject/ELIPs/blob/main/elip-XXXX.md
+//!
+
+use bitcoin::hashes::{sha256t_hash_newtype, Hash};
+use bitcoin::secp256k1;
+use bitcoin::Network;
+use elements::encode::Encodable;
+use elements::opcodes;
+use elements::script::Builder;
+
+use crate::confidential::{Descriptor as ConfidentialDescriptor, Key};
+use crate::descriptor::{DescriptorSecretKey, SinglePriv};
+use crate::extensions::{Extension, ParseableExt};
+use crate::{Descriptor as OrdinaryDescriptor, DescriptorPublicKey};
+
+/// The SHA-256 initial midstate value for the [`ElipXXXXHash`].
+const MIDSTATE_ELIPXXXX: [u8; 32] = [
+    0x61, 0x1b, 0xb5, 0x5c, 0xc1, 0x14, 0x46, 0x66, 0x6e, 0xeb, 0xb3, 0x39, 0x95, 0x57, 0x7b, 0xb4,
+    0x4e, 0xe6, 0x6f, 0xf1, 0x14, 0x42, 0x27, 0x70, 0x0f, 0xfe, 0xeb, 0xb1, 0x17, 0x79, 0x98, 0x8d,
+];
+
+sha256t_hash_newtype!(
+    ElipXXXXHash,
+    ElipXXXXTag,
+    MIDSTATE_ELIPXXXX,
+    64,
+    doc = "ELIP-XXXX Deterministic descriptor blinding keys",
+    forward
+);
+
+impl Key {
+    pub fn from_elipxxx<T: Extension + ParseableExt>(
+        descriptor: &OrdinaryDescriptor<DescriptorPublicKey, T>,
+        network: Network,
+    ) -> Self {
+        // Handle multi-path
+        let script_pubkeys: Vec<_> = descriptor
+            .clone()
+            .into_single_descriptors()
+            .expect("valid descriptor")
+            .iter()
+            .map(|descriptor| {
+                // Remove wildcards
+                descriptor
+                    .at_derivation_index((1 << 31) - 1)
+                    .expect("index not hardened, not multi-path")
+                    .script_pubkey()
+            })
+            .collect();
+
+        let mut eng = ElipXXXXHash::engine();
+        for (i, script_pubkey) in script_pubkeys.iter().enumerate() {
+            if i != 0 {
+                // Separate script_pubkeys with an invalid opcode
+                Builder::new()
+                    .push_opcode(opcodes::all::OP_INVALIDOPCODE)
+                    .into_script()
+                    .consensus_encode(&mut eng)
+                    .expect("engines don't error");
+            }
+            script_pubkey
+                .consensus_encode(&mut eng)
+                .expect("engines don't error");
+        }
+        let hash_bytes = ElipXXXXHash::from_engine(eng).to_byte_array();
+
+        // This computes mod n
+        let scalar = secp256k1::scalar::Scalar::from_be_bytes(hash_bytes).expect("bytes from hash");
+        let secret_key =
+            secp256k1::SecretKey::from_slice(&scalar.to_be_bytes()).expect("bytes from scalar");
+
+        Key::View(DescriptorSecretKey::Single(SinglePriv {
+            origin: None,
+            key: bitcoin::key::PrivateKey::new(secret_key, network),
+        }))
+    }
+}
+
+impl<T: Extension + ParseableExt> ConfidentialDescriptor<DescriptorPublicKey, T> {
+    pub fn with_elipxxx_descriptor_blinding_key(
+        descriptor: OrdinaryDescriptor<DescriptorPublicKey, T>,
+        network: Network,
+    ) -> Self {
+        ConfidentialDescriptor {
+            key: Key::from_elipxxx(&descriptor, network),
+            descriptor,
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use crate::descriptor::checksum::desc_checksum;
+    use std::str::FromStr;
+
+    fn add_checksum(desc: &str) -> String {
+        if desc.find('#').is_some() {
+            desc.into()
+        } else {
+            format!("{}#{}", desc, desc_checksum(desc).unwrap())
+        }
+    }
+
+    fn confidential_descriptor(
+        desc: &str,
+        network: Network,
+    ) -> ConfidentialDescriptor<DescriptorPublicKey> {
+        let desc = add_checksum(desc);
+        let desc = OrdinaryDescriptor::<DescriptorPublicKey>::from_str(&desc).unwrap();
+        ConfidentialDescriptor::with_elipxxx_descriptor_blinding_key(desc, network)
+    }
+
+    fn _first_address(desc: &ConfidentialDescriptor<DescriptorPublicKey>) -> String {
+        let single_desc = if desc.descriptor.is_multipath() {
+            let descriptor = desc
+                .descriptor
+                .clone()
+                .into_single_descriptors()
+                .unwrap()
+                .first()
+                .unwrap()
+                .clone();
+            ConfidentialDescriptor {
+                key: desc.key.clone(),
+                descriptor,
+            }
+        } else {
+            desc.clone()
+        };
+        let definite_desc = single_desc
+            .at_derivation_index(0)
+            .unwrap();
+        let secp = elements::secp256k1_zkp::Secp256k1::new();
+        let params = &elements::AddressParams::ELEMENTS;
+        definite_desc
+            .address(&secp, params)
+            .unwrap()
+            .to_string()
+    }
+
+    #[test]
+    fn test_vectors_elipxxxx() {
+        let network = Network::Bitcoin;
+        let xpub = "xpub661MyMwAqRbcFkPHucMnrGNzDwb6teAX1RbKQmqtEF8kK3Z7LZ59qafCjB9eCRLiTVG3uxBxgKvRgbubRhqSKXnGGb1aoaqLrpMBDrVxga8";
+        let pubkey = "03d902f35f560e0470c63313c7369168d9d7df2d49bf295fd9fb7cb109ccee0494";
+
+        let mut _i = 0;
+        for desc in [
+            &format!("elwpkh({xpub}/<0;1>/*)"),
+            &format!("elwpkh({xpub}/0/*)"),
+            &format!("elwpkh({xpub})"),
+            &format!("elwpkh({pubkey})"),
+        ] {
+            let _conf_desc = confidential_descriptor(desc, network);
+
+            // Uncomment to regenerate test vectors; to see the output, run
+            // cargo test elipxxxx -- --nocapture
+            /*
+            _i = _i + 1;
+            println!("* Test vector: {}", _i);
+            println!("** Ordinary descriptor: <code>{}</code>", add_checksum(desc));
+            println!("** Confidential descriptor (equivalent version): <code>{}</code>", add_checksum(&format!("ct(elipxxxx,{})", desc)));
+            println!("** Confidential descriptor: <code>{}</code>", _conf_desc);
+            println!("** Descriptor blinding key: <code>{}</code>", _conf_desc.key);
+            println!("** First address: <code>{}</code>", _first_address(&_conf_desc))
+            */
+        }
+    }
+}
diff --git a/src/confidential/mod.rs b/src/confidential/mod.rs
@@ -18,6 +18,7 @@
 //!
 
 pub mod bare;
+pub mod elip_deterministic_descriptor_blinding_key;
 pub mod slip77;
 
 use std::fmt;
