-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ELIP-deterministic-descriptor-blinding-key module #61
Merged
apoelstra
merged 1 commit into
ElementsProject:master
from
LeoComandini:2023-11-17-deterministic-descriptor-blinding-key
Jan 9, 2024
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,207 @@ | ||
| // Miniscript | ||
| // Written in 2023 by Leonardo Comandini | ||
| // | ||
| // To the extent possible under law, the author(s) have dedicated all | ||
| // copyright and related and neighboring rights to this software to | ||
| // the public domain worldwide. This software is distributed without | ||
| // any warranty. | ||
| // | ||
| // You should have received a copy of the CC0 Public Domain Dedication | ||
| // along with this software. | ||
| // If not, see <http://creativecommons.org/publicdomain/zero/1.0/>. | ||
| // | ||
|
|
||
| //! ELIP151 | ||
| //! | ||
| //! Implementation of the ELIP151 protocol, documented at | ||
| //! https://github.com/ElementsProject/ELIPs/blob/main/elip-0151.md | ||
| //! | ||
|
|
||
| use bitcoin::hashes::{sha256t_hash_newtype, Hash}; | ||
| use bitcoin::secp256k1; | ||
| use bitcoin::Network; | ||
| use elements::encode::Encodable; | ||
| use elements::opcodes; | ||
| use elements::script::Builder; | ||
|
|
||
| use crate::confidential::{Descriptor as ConfidentialDescriptor, Key}; | ||
| use crate::descriptor::{DescriptorSecretKey, SinglePriv}; | ||
| use crate::extensions::{Extension, ParseableExt}; | ||
| use crate::{Descriptor as OrdinaryDescriptor, DescriptorPublicKey, Error}; | ||
|
|
||
| /// The SHA-256 initial midstate value for the [`Elip151Hash`]. | ||
| const MIDSTATE_ELIP151: [u8; 32] = [ | ||
| 0x49, 0x81, 0x61, 0xd8, 0x52, 0x45, 0xf7, 0xaa, 0xd8, 0x24, 0x27, 0xb5, 0x64, 0x69, 0xe7, 0xd6, | ||
| 0x98, 0x17, 0xeb, 0x0f, 0x27, 0x14, 0x6f, 0x4e, 0x7b, 0x95, 0xb3, 0x6e, 0x46, 0xc1, 0xb5, 0x61, | ||
| ]; | ||
|
|
||
| sha256t_hash_newtype!( | ||
| Elip151Hash, | ||
| Elip151Tag, | ||
| MIDSTATE_ELIP151, | ||
| 64, | ||
| doc = "ELIP-151 Deterministic descriptor blinding keys", | ||
| forward | ||
| ); | ||
|
|
||
| impl Key { | ||
| pub fn from_elip151<T: Extension + ParseableExt>( | ||
| descriptor: &OrdinaryDescriptor<DescriptorPublicKey, T>, | ||
| ) -> Result<Self, Error> { | ||
| if !descriptor.has_wildcard() { | ||
| return Err(Error::Unexpected( | ||
| "Descriptors without wildcards are not supported in elip151".into(), | ||
| )); | ||
| } | ||
|
|
||
| // Handle multi-path | ||
| let script_pubkeys: Vec<_> = descriptor | ||
| .clone() | ||
| .into_single_descriptors() | ||
| .expect("valid descriptor") | ||
| .iter() | ||
| .map(|descriptor| { | ||
| // Remove wildcards | ||
| descriptor | ||
| .at_derivation_index((1 << 31) - 1) | ||
| .expect("index not hardened, not multi-path") | ||
| .script_pubkey() | ||
| }) | ||
| .collect(); | ||
|
|
||
| let mut eng = Elip151Hash::engine(); | ||
| for script_pubkey in script_pubkeys { | ||
| Builder::new() | ||
| .push_opcode(opcodes::all::OP_INVALIDOPCODE) | ||
| .into_script() | ||
| .consensus_encode(&mut eng) | ||
| .expect("engines don't error"); | ||
| script_pubkey | ||
| .consensus_encode(&mut eng) | ||
| .expect("engines don't error"); | ||
| } | ||
| let hash_bytes = Elip151Hash::from_engine(eng).to_byte_array(); | ||
|
|
||
| // This computes mod n | ||
| let scalar = secp256k1::scalar::Scalar::from_be_bytes(hash_bytes).expect("bytes from hash"); | ||
| let secret_key = | ||
| secp256k1::SecretKey::from_slice(&scalar.to_be_bytes()).expect("bytes from scalar"); | ||
|
|
||
| // Single view keys are displayed as hex (not WIF) so we can choose any netowrk here | ||
| let network = Network::Bitcoin; | ||
| Ok(Key::View(DescriptorSecretKey::Single(SinglePriv { | ||
| origin: None, | ||
| key: bitcoin::key::PrivateKey::new(secret_key, network), | ||
| }))) | ||
| } | ||
| } | ||
|
|
||
| impl<T: Extension + ParseableExt> ConfidentialDescriptor<DescriptorPublicKey, T> { | ||
| pub fn with_elip151_descriptor_blinding_key( | ||
| descriptor: OrdinaryDescriptor<DescriptorPublicKey, T>, | ||
| ) -> Result<Self, Error> { | ||
| Ok(ConfidentialDescriptor { | ||
| key: Key::from_elip151(&descriptor)?, | ||
| descriptor, | ||
| }) | ||
| } | ||
| } | ||
|
|
||
| #[cfg(test)] | ||
| mod test { | ||
| use super::*; | ||
| use crate::descriptor::checksum::desc_checksum; | ||
| use bitcoin::hashes::{sha256, HashEngine}; | ||
| use std::str::FromStr; | ||
|
|
||
| #[test] | ||
| fn tagged_hash_elip151() { | ||
| // Check that cached midstate is computed correctly, code from rust-bitcoin | ||
| let mut engine = sha256::Hash::engine(); | ||
| let tag_hash = sha256::Hash::hash(b"Deterministic-View-Key/1.0"); | ||
| engine.input(&tag_hash[..]); | ||
| engine.input(&tag_hash[..]); | ||
| assert_eq!(MIDSTATE_ELIP151, engine.midstate().to_byte_array()); | ||
| } | ||
|
|
||
| fn add_checksum(desc: &str) -> String { | ||
| if desc.find('#').is_some() { | ||
| desc.into() | ||
| } else { | ||
| format!("{}#{}", desc, desc_checksum(desc).unwrap()) | ||
| } | ||
| } | ||
|
|
||
| fn confidential_descriptor( | ||
| desc: &str, | ||
| ) -> Result<ConfidentialDescriptor<DescriptorPublicKey>, Error> { | ||
| let desc = add_checksum(desc); | ||
| let desc = OrdinaryDescriptor::<DescriptorPublicKey>::from_str(&desc).unwrap(); | ||
| ConfidentialDescriptor::with_elip151_descriptor_blinding_key(desc) | ||
| } | ||
|
|
||
| fn _first_address(desc: &ConfidentialDescriptor<DescriptorPublicKey>) -> String { | ||
| let single_desc = if desc.descriptor.is_multipath() { | ||
| let descriptor = desc | ||
| .descriptor | ||
| .clone() | ||
| .into_single_descriptors() | ||
| .unwrap() | ||
| .first() | ||
| .unwrap() | ||
| .clone(); | ||
| ConfidentialDescriptor { | ||
| key: desc.key.clone(), | ||
| descriptor, | ||
| } | ||
| } else { | ||
| desc.clone() | ||
| }; | ||
| let definite_desc = single_desc.at_derivation_index(0).unwrap(); | ||
| let secp = elements::secp256k1_zkp::Secp256k1::new(); | ||
| let params = &elements::AddressParams::ELEMENTS; | ||
| definite_desc.address(&secp, params).unwrap().to_string() | ||
| } | ||
|
|
||
| #[test] | ||
| fn test_vectors_elip151() { | ||
| let xpub = "xpub661MyMwAqRbcFkPHucMnrGNzDwb6teAX1RbKQmqtEF8kK3Z7LZ59qafCjB9eCRLiTVG3uxBxgKvRgbubRhqSKXnGGb1aoaqLrpMBDrVxga8"; | ||
| let pubkey = "03d902f35f560e0470c63313c7369168d9d7df2d49bf295fd9fb7cb109ccee0494"; | ||
|
|
||
| let mut _i = 0; | ||
| for desc in [ | ||
| &format!("elwpkh({xpub}/<0;1>/*)"), | ||
| &format!("elwpkh({xpub}/0/*)"), | ||
| ] { | ||
| let conf_desc = confidential_descriptor(desc).unwrap(); | ||
| let elip151_desc = add_checksum(&format!("ct(elip151,{})", desc)); | ||
| let conf_desc_elip151 = ConfidentialDescriptor::<DescriptorPublicKey>::from_str(&elip151_desc).unwrap(); | ||
| assert_eq!(conf_desc, conf_desc_elip151); | ||
|
|
||
| // Uncomment this and below to regenerate test vectors; to see the output, run | ||
| // cargo test test_vectors_elip151 -- --nocapture | ||
| /* | ||
| _i = _i + 1; | ||
| println!("* Test vector {}", _i); | ||
| println!("** Ordinary descriptor: <code>{}</code>", add_checksum(desc)); | ||
| println!("** Derived descriptor blinding key: <code>{}</code>", conf_desc.key); | ||
| println!("** Derived confidential descriptor: <code>{}</code>", conf_desc); | ||
| println!("** Derived confidential descriptor (equivalent version): <code>{}</code>", elip151_desc); | ||
| println!("** First address: <code>{}</code>", _first_address(&conf_desc)) | ||
| */ | ||
| } | ||
|
|
||
| _i = 0; | ||
| for invalid_desc in [&format!("elwpkh({xpub})"), &format!("elwpkh({pubkey})")] { | ||
| let err = confidential_descriptor(invalid_desc).unwrap_err(); | ||
| let text = "Descriptors without wildcards are not supported in elip151".to_string(); | ||
| assert_eq!(err, Error::Unexpected(text)); | ||
| /* | ||
| _i = _i + 1; | ||
| println!("* Invalid Test vector {}", _i); | ||
| println!("** Ordinary descriptor: <code>{}</code>", add_checksum(invalid_desc)); | ||
| println!("** Invalid confidential descriptor: <code>{}</code>", add_checksum(&format!("ct(elip151,{})", invalid_desc))); | ||
| */ | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 34005bc:
Can you remind me why we would've had trouble parsing WIF with a network here? (I don't think we should support WIF anyway for various reasons, but I'm curious now.)
Otherwise ACK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main issue is converting
ct(elip151,desc)toct(key,desc)wherekeyis the actual view key.If we use WIF, we should deduce the network from
descwhich however it might not be possible (eg ifdeschas only single public keys).There are other options to handle the conversion, but we decided to go for the "hex" solution.
These were discussed here #61 (comment)
Other issues with WIF are that we might have mismatching network between the descriptor blinding key and the ordinary descriptor, and that single pub keys have no network, while single priv keys in WIF have a network so it's somehow inconsistent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, the conversion thing makes sense, thanks!
The other issues, about mismatching networks etc., we have to deal with anyway with xprivs and xpubs. I think that most software "deals with it" by just ignoring the network bytes :)