bitcoin/signtx: cache xpubs

When loading a transaction, every input and change address requires
the public key in order to compute the pkScript, which is used in the
sighash that is signed.

For single-sig, these public keys are currently always at keypaths:

- `m/(49'|84'|86')/coin'/account'/0/*` (receive inputs)
- `m/(49'|84'|86')/coin'/account'/1/*` (change inputs)

where `coin` and `account` are the same for all inputs/changes in the
transaction.

Instead of deriving the xpub at these keypaths repeatedly, we cache
the xpubs at the account level and the receive/change level. The xpub
then only has to be derived once for the account level and once for
change/receive per script type.

Benefits:

- Greatly increased speed. Loading inputs is now about 3x faster for
  segwit inputs (with regularly sized previous transactions) and around
  5-6x faster for Taproot transactions (where no previous transactions
  need to be streamed).
- The seed only has to be used once (to derive the account-level xpub)
  instead of once per input/change. This increases security assuming the
  seed receives additional protection (currently it is sitting in RAM
  unencrypted after unlock, but that will likely change). Fewer seed
  accesses means it is harder to exploit a potential RAM extraction
  bug.

Note that these benefits are for loading the transaction. When signing
the inputs, the private key is required twice per input (once for the
antiklepto commit and once for the signature), so xpub cacing does not
apply there.

Author: benma

CHANGELOG.md

@@ -7,6 +7,7 @@ customers cannot upgrade their bootloader, its changes are recorded separately.
 ## Firmware
 
 ### [Unreleased]
+- Increased performance when signing Bitcoin transactions
 - Warn if the transaction fee is higher than 10% of the coins sent
 - ETH Testnets: add Goerli and remove deprecated Rinkeby and Ropsten
 

src/CMakeLists.txt

@@ -15,6 +15,7 @@
 # limitations under the License.
 
 set(DBB-FIRMWARE-SOURCES
+  ${CMAKE_SOURCE_DIR}/src/bip32.c
   ${CMAKE_SOURCE_DIR}/src/firmware_main_loop.c
   ${CMAKE_SOURCE_DIR}/src/keystore.c
   ${CMAKE_SOURCE_DIR}/src/random.c
@@ -271,6 +272,7 @@ add_custom_target(rust-bindgen
     --use-core
     --with-derive-default
     --ctypes-prefix util::c_types
+    --allowlist-function bip32_derive_xpub
     --allowlist-function strftime
     --allowlist-function localtime
     --allowlist-function wally_free_string

src/bip32.c

@@ -0,0 +1,42 @@
+// Copyright 2023 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "bip32.h"
+
+#include <string.h>
+#include <wally_bip32.h>
+
+bool bip32_derive_xpub(
+    const uint8_t* xpub78,
+    const uint32_t* keypath,
+    size_t keypath_len,
+    uint8_t* xpub78_out)
+{
+    if (keypath_len == 0) {
+        memcpy(xpub78_out, xpub78, BIP32_SERIALIZED_LEN);
+        return true;
+    }
+
+    struct ext_key xpub = {0};
+    if (bip32_key_unserialize(xpub78, BIP32_SERIALIZED_LEN, &xpub) != WALLY_OK) {
+        return false;
+    }
+    struct ext_key derived_xpub = {0};
+    if (bip32_key_from_parent_path(
+            &xpub, keypath, keypath_len, BIP32_FLAG_KEY_PUBLIC, &derived_xpub) != WALLY_OK) {
+        return false;
+    }
+    return bip32_key_serialize(
+               &derived_xpub, BIP32_FLAG_KEY_PUBLIC, xpub78_out, BIP32_SERIALIZED_LEN) == WALLY_OK;
+}

src/bip32.h

@@ -0,0 +1,30 @@
+// Copyright 2023 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _BIP32_H_
+#define _BIP32_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <compiler_util.h>
+
+USE_RESULT bool bip32_derive_xpub(
+    const uint8_t* xpub78,
+    const uint32_t* keypath,
+    size_t keypath_len,
+    uint8_t* xpub78_out);
+
+#endif

src/rust/bitbox02-rust/src/bip32.rs

@@ -56,6 +56,7 @@ impl Xpub {
             public_key: xpub[45..78].to_vec(),
         }))
     }
+
     /// Serializes a protobuf XPub to bytes according to the BIP32 specification. If xpub_type is
     /// None, the four version bytes are skipped.
     pub fn serialize(&self, xpub_type: Option<XPubType>) -> Result<Vec<u8>, ()> {
@@ -100,6 +101,12 @@ impl Xpub {
             .into_string())
     }
 
+    /// Derives child xpub at the keypath. All keypath elements must be unhardened.
+    pub fn derive(&self, keypath: &[u32]) -> Result<Self, ()> {
+        let xpub_ser = self.serialize(Some(XPubType::Xpub))?;
+        Xpub::from_bytes(&bitbox02::bip32::derive_xpub(&xpub_ser, keypath)?)
+    }
+
     /// Returns the 33 bytes secp256k1 compressed pubkey.
     pub fn public_key(&self) -> &[u8] {
         self.xpub.public_key.as_slice()
@@ -116,6 +123,17 @@ impl Xpub {
     pub fn pubkey_uncompressed(&self) -> Result<[u8; 65], ()> {
         bitbox02::keystore::secp256k1_pubkey_compressed_to_uncompressed(self.public_key())
     }
+
+    /// Return the tweaked taproot pubkey.
+    ///
+    /// Instead of returning the original pubkey at the keypath directly, it is tweaked with the
+    /// hash of the pubkey.
+    ///
+    /// See
+    /// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
+    pub fn schnorr_bip86_pubkey(&self) -> Result<[u8; 32], ()> {
+        bitbox02::keystore::secp256k1_schnorr_bip86_pubkey(self.public_key())
+    }
 }
 
 /// Parses a Base58Check-encoded xpub string. The 4 version bytes are not checked and discarded.
@@ -178,6 +196,30 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_derive() {
+        let xpub_str = "xpub661MyMwAqRbcGpuMRXa55WgyqinF4dpxvqQK63xBHtnH5yK4e3cTLqbX9CP4mEMHUbqsjSQ8y3hhbAzuMhpn8eEiLNVSWYaVSbKMAtUPyYH";
+        let xpub = Xpub::from(parse_xpub(xpub_str).unwrap());
+
+        assert_eq!(
+            xpub.derive(&[])
+                .unwrap()
+                .serialize_str(XPubType::Xpub)
+                .unwrap(),
+            xpub_str,
+        );
+        let expected = "xpub6CYiDoWMtLVQNrc4tbAvuRk5wjsp6MFgtYEdBUV7TGLUjutavHdEKLu9KpTpRxEZULbSwM1UQPaQpqAhmWYvngXCGHGE7hSZFNofeSRzmk5";
+        assert_eq!(
+            xpub.derive(&[0, 1, 2])
+                .unwrap()
+                .serialize_str(XPubType::Xpub)
+                .unwrap(),
+            expected,
+        );
+
+        assert!(xpub.derive(&[0, 1, util::bip32::HARDENED]).is_err());
+    }
+
     #[test]
     fn test_pubkey_hash160() {
         let xpub = Xpub::from(parse_xpub("xpub6GugPDcUhrSudznFss7wXvQV3gwFTEanxHdCyoNoHnZEr3PTbh2Fosg4JjfphaYAsqjBhmtTZ3Yo8tmGjSHtaPhExNiMCSvPzreqjrX4Wr7").unwrap());
@@ -201,4 +243,28 @@ mod tests {
             *b"\x04\x77\xa4\x4a\xa9\xe8\xc8\xfb\x51\x05\xef\x5e\xe2\x39\x4e\x8a\xed\x89\xad\x73\xfc\x74\x36\x14\x25\xf0\x63\x47\xec\xfe\x32\x61\x31\xe1\x33\x93\x67\xee\x3c\xbe\x87\x71\x92\x85\xa0\x7f\x77\x4b\x17\xeb\x93\x3e\xcf\x0b\x9b\x82\xac\xeb\xc1\x95\x22\x6d\x63\x42\x44",
         );
     }
+
+    #[test]
+    fn test_schnorr_bip86_pubkey() {
+        // Test vectors from:
+        // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
+        // Here we only test the creation of the tweaked pubkkey. See `Payload::from_simple` for address generation.
+
+        let xpub = Xpub::from(parse_xpub("xpub6BgBgsespWvERF3LHQu6CnqdvfEvtMcQjYrcRzx53QJjSxarj2afYWcLteoGVky7D3UKDP9QyrLprQ3VCECoY49yfdDEHGCtMMj92pReUsQ").unwrap());
+
+        assert_eq!(
+            xpub.derive(&[0, 0]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c",
+        );
+
+        assert_eq!(
+            xpub.derive(&[0, 1]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb",
+        );
+
+        assert_eq!(
+            xpub.derive(&[1, 0]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc",
+        );
+    }
 }

src/rust/bitbox02-rust/src/hww/api/bitcoin.rs

@@ -134,7 +134,13 @@ pub fn derive_address_simple(
         coin_params.taproot_support,
     )
     .or(Err(Error::InvalidInput))?;
-    Ok(common::Payload::from_simple(coin_params, simple_type, keypath)?.address(coin_params)?)
+    Ok(common::Payload::from_simple(
+        &mut crate::xpubcache::XpubCache::new(),
+        coin_params,
+        simple_type,
+        keypath,
+    )?
+    .address(coin_params)?)
 }
 
 /// Processes a SimpleType (single-sig) adress api call.

src/rust/bitbox02-rust/src/hww/api/bitcoin/common.rs

@@ -15,7 +15,7 @@
 use super::pb;
 use super::Error;
 
-use crate::keystore;
+use crate::xpubcache::Bip32XpubCache;
 
 use alloc::string::String;
 use alloc::vec::Vec;
@@ -71,17 +71,19 @@ pub struct Payload {
 
 impl Payload {
     pub fn from_simple(
+        xpub_cache: &mut Bip32XpubCache,
         params: &Params,
         simple_type: SimpleType,
         keypath: &[u32],
     ) -> Result<Self, Error> {
         match simple_type {
             SimpleType::P2wpkh => Ok(Payload {
-                data: keystore::get_xpub(keypath)?.pubkey_hash160(),
+                data: xpub_cache.get_xpub(keypath)?.pubkey_hash160(),
                 output_type: BtcOutputType::P2wpkh,
             }),
             SimpleType::P2wpkhP2sh => {
-                let payload_p2wpkh = Payload::from_simple(params, SimpleType::P2wpkh, keypath)?;
+                let payload_p2wpkh =
+                    Payload::from_simple(xpub_cache, params, SimpleType::P2wpkh, keypath)?;
                 let pkscript_p2wpkh = payload_p2wpkh.pk_script(params)?;
                 Ok(Payload {
                     data: bitbox02::hash160(&pkscript_p2wpkh).to_vec(),
@@ -91,7 +93,10 @@ impl Payload {
             SimpleType::P2tr => {
                 if params.taproot_support {
                     Ok(Payload {
-                        data: keystore::secp256k1_schnorr_bip86_pubkey(keypath)?.to_vec(),
+                        data: xpub_cache
+                            .get_xpub(keypath)?
+                            .schnorr_bip86_pubkey()?
+                            .to_vec(),
                         output_type: BtcOutputType::P2tr,
                     })
                 } else {
@@ -144,6 +149,7 @@ impl Payload {
     /// Computes the payload data from a script config. The payload can then be used generate a
     /// pkScript or an address.
     pub fn from(
+        xpub_cache: &mut Bip32XpubCache,
         params: &Params,
         keypath: &[u32],
         script_config_account: &pb::BtcScriptConfigWithKeypath,
@@ -158,7 +164,7 @@ impl Payload {
             } => {
                 let simple_type = pb::btc_script_config::SimpleType::from_i32(*simple_type)
                     .ok_or(Error::InvalidInput)?;
-                Self::from_simple(params, simple_type, keypath)
+                Self::from_simple(xpub_cache, params, simple_type, keypath)
             }
             pb::BtcScriptConfigWithKeypath {
                 script_config:
@@ -533,10 +539,12 @@ mod tests {
         mock_unlocked_using_mnemonic(
             "sudden tenant fault inject concert weather maid people chunk youth stumble grit",
         );
+        let mut xpub_cache = Bip32XpubCache::new();
         let coin_params = super::super::params::get(pb::BtcCoin::Btc);
         // p2wpkh
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2wpkh,
                 &[84 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]
@@ -550,6 +558,7 @@ mod tests {
         //  p2wpkh-p2sh
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2wpkhP2sh,
                 &[49 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]
@@ -563,6 +572,7 @@ mod tests {
         // p2tr
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2tr,
                 &[86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]