descriptor: expose elip-150 blinding key tweaking

Author: jgriffiths

include/wally.hpp

@@ -2438,6 +2438,24 @@ inline int elements_pegout_script_size(size_t genesis_blockhash_len, size_t main
     return detail::check_ret(__FUNCTION__, ret);
 }
 
+template <class BYTES, class SCRIPT, class BYTES_OUT>
+inline int elip150_private_key_to_ec_private_key(const BYTES& bytes, const SCRIPT& script, BYTES_OUT& bytes_out) {
+    int ret = ::wally_elip150_private_key_to_ec_private_key(bytes.data(), bytes.size(), script.data(), script.size(), bytes_out.data(), bytes_out.size());
+    return detail::check_ret(__FUNCTION__, ret);
+}
+
+template <class BYTES, class SCRIPT, class BYTES_OUT>
+inline int elip150_private_key_to_ec_public_key(const BYTES& bytes, const SCRIPT& script, BYTES_OUT& bytes_out) {
+    int ret = ::wally_elip150_private_key_to_ec_public_key(bytes.data(), bytes.size(), script.data(), script.size(), bytes_out.data(), bytes_out.size());
+    return detail::check_ret(__FUNCTION__, ret);
+}
+
+template <class BYTES, class SCRIPT, class BYTES_OUT>
+inline int elip150_public_key_to_ec_public_key(const BYTES& bytes, const SCRIPT& script, BYTES_OUT& bytes_out) {
+    int ret = ::wally_elip150_public_key_to_ec_public_key(bytes.data(), bytes.size(), script.data(), script.size(), bytes_out.data(), bytes_out.size());
+    return detail::check_ret(__FUNCTION__, ret);
+}
+
 template <class NONCE, class VBF, class COMMITMENT, class GENERATOR, class BYTES_OUT>
 inline int explicit_rangeproof(uint64_t value, const NONCE& nonce, const VBF& vbf, const COMMITMENT& commitment, const GENERATOR& generator, BYTES_OUT& bytes_out, size_t* written) {
     int ret = ::wally_explicit_rangeproof(value, nonce.data(), nonce.size(), vbf.data(), vbf.size(), commitment.data(), commitment.size(), generator.data(), generator.size(), bytes_out.data(), bytes_out.size(), written);

include/wally_elements.h

@@ -495,7 +495,7 @@ WALLY_CORE_API int wally_asset_blinding_key_from_seed(
     size_t len);
 
 /**
- * Generate a blinding private key for a scriptPubkey.
+ * Generate a blinding private key for a scriptPubkey from a SLIP-0077 master blinding key.
  *
  * :param bytes: A full master blinding key, e.g. from `wally_asset_blinding_key_from_seed`,
  *|    or a partial key of length `SHA256_LEN`, typically from the last half of the full key.
@@ -514,7 +514,7 @@ WALLY_CORE_API int wally_asset_blinding_key_to_ec_private_key(
     size_t len);
 
 /**
- * Generate a blinding public key for a scriptPubkey.
+ * Generate a blinding public key for a scriptPubkey from a SLIP-0077 master blinding key.
  *
  * :param bytes: A full master blinding key, e.g. from `wally_asset_blinding_key_from_seed`,
  *|    or a partial key of length `SHA256_LEN`, typically from the last half of the full key.
@@ -532,6 +532,51 @@ WALLY_CORE_API int wally_asset_blinding_key_to_ec_public_key(
     unsigned char *bytes_out,
     size_t len);
 
+/**
+ * Generate a blinding private key for a scriptPubkey from an ELIP-0150 blinding private key.
+ *
+ * :param bytes: An ELIP-0150 blinding private key ("View Key"), e.g. from a ct() descriptor.
+ * :param bytes_len: Length of ``bytes``. Must be `EC_PRIVATE_KEY_LEN`.
+ * :param script: The scriptPubkey for the confidential output address.
+ * :param script_len: Length of ``script``.
+ * :param bytes_out: Destination for the resulting blinding private key.
+ * FIXED_SIZED_OUTPUT(len, bytes_out, EC_PRIVATE_KEY_LEN)
+ */
+WALLY_CORE_API int wally_elip150_private_key_to_ec_private_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len);
+
+/**
+ * Generate a blinding public key for a scriptPubkey from an ELIP-0150 blinding private key.
+ *
+ * :param bytes: An ELIP-0150 blinding private key ("View Key"), e.g. from a ct() descriptor.
+ * :param bytes_len: Length of ``bytes``. Must be `EC_PRIVATE_KEY_LEN`.
+ * :param script: The scriptPubkey for the confidential output address.
+ * :param script_len: Length of ``script``.
+ * :param bytes_out: Destination for the resulting blinding public key.
+ * FIXED_SIZED_OUTPUT(len, bytes_out, EC_PUBLIC_KEY_LEN)
+ */
+WALLY_CORE_API int wally_elip150_private_key_to_ec_public_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len);
+
+/**
+ * Generate a blinding public key for a scriptPubkey from an ELIP-0150 blinding public key.
+ *
+ * :param bytes: An ELIP-0150 blinding public key, e.g. from a ct() descriptor.
+ * :param bytes_len: Length of ``bytes``. Must be `EC_PUBLIC_KEY_LEN`.
+ * :param script: The scriptPubkey for the confidential output address.
+ * :param script_len: Length of ``script``.
+ * :param bytes_out: Destination for the resulting blinding public key.
+ * FIXED_SIZED_OUTPUT(len, bytes_out, EC_PUBLIC_KEY_LEN)
+ */
+WALLY_CORE_API int wally_elip150_public_key_to_ec_public_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len);
+
 #define WALLY_ABF_VBF_LEN 64
 
 /**

src/descriptor.c

@@ -11,7 +11,6 @@
 #include <include/wally_script.h>
 #ifdef BUILD_ELEMENTS
 #include <include/wally_elements.h>
-#include "tx_io.h"
 #endif
 
 #include <limits.h>
@@ -119,14 +118,6 @@
 #define KIND_MINISCRIPT_OR_D      (0x07000000 | KIND_MINISCRIPT)
 #define KIND_MINISCRIPT_OR_I      (0x08000000 | KIND_MINISCRIPT)
 
-#ifdef BUILD_ELEMENTS
-/* SHA256(CT-Blinding-Key/1.0) */
-static const unsigned char CT_BLINDING_KEY_1_0_SHA256[SHA256_LEN] = {
-    0x02, 0xe0, 0xc2, 0x24, 0x76, 0xf8, 0xc5, 0xfd, 0xb7, 0x30, 0x5d, 0x9f, 0xd0, 0xe0, 0xa3, 0x56,
-    0xb5, 0x88, 0x77, 0x69, 0x24, 0x8e, 0x04, 0xc8, 0x6f, 0xda, 0xad, 0x35, 0x11, 0x37, 0x85, 0xb4
-};
-#endif
-
 struct addr_ver_t {
     const unsigned char network;
     const unsigned char version_p2pkh;
@@ -3087,21 +3078,10 @@ static int descriptor_get_addr(struct wally_descriptor *descriptor,
                                   pubkey, sizeof(pubkey), &written);
             if (ret == WALLY_OK && written != sizeof(pubkey))
                 ret = WALLY_ERROR; /* Unsupported pubkey - should not happen! */
-            if (ret == WALLY_OK) {
-                /* Kblind = K + Htag(K, scriptPubKey)G */
-                struct sha256 sha;
-                struct sha256_ctx ctx;
-                unsigned char tweaked[EC_PUBLIC_KEY_LEN];
-                tagged_hash_init(&ctx, CT_BLINDING_KEY_1_0_SHA256, SHA256_LEN);
-                sha256_update(&ctx, pubkey, sizeof(pubkey));
-                hash_varbuff(&ctx, script, script_len); /* Consensus encoding */
-                sha256_done(&ctx, &sha);
-                ret = wally_ec_public_key_tweak(pubkey, sizeof(pubkey),
-                                                sha.u.u8, sizeof(sha),
-                                                tweaked, sizeof(tweaked));
-                memcpy(pubkey, tweaked, sizeof(tweaked));
-                wally_clear(tweaked, sizeof(tweaked));
-            }
+            if (ret == WALLY_OK)
+                ret = wally_elip150_public_key_to_ec_public_key(pubkey, sizeof(pubkey),
+                                                                script, script_len,
+                                                                pubkey, sizeof(pubkey));
         } else
             ret = WALLY_ERROR; /* FIXME: Support ELIP 151 */
 

src/elements.c

@@ -1,6 +1,7 @@
 #include "internal.h"
 #ifdef BUILD_ELEMENTS
 #include "script_int.h"
+#include "tx_io.h"
 #include <include/wally_address.h>
 #include <include/wally_bip32.h>
 #include <include/wally_elements.h>
@@ -13,10 +14,16 @@
 #include <secp256k1_whitelist.h>
 
 
-static const unsigned char LABEL_STR[] = {
+static const unsigned char SLIP77_LABEL[] = {
     'S', 'L', 'I', 'P', '-', '0', '0', '7', '7'
 };
 
+/* SHA256(CT-Blinding-Key/1.0) */
+static const unsigned char CT_BLINDING_KEY_1_0_SHA256[SHA256_LEN] = {
+    0x02, 0xe0, 0xc2, 0x24, 0x76, 0xf8, 0xc5, 0xfd, 0xb7, 0x30, 0x5d, 0x9f, 0xd0, 0xe0, 0xa3, 0x56,
+    0xb5, 0x88, 0x77, 0x69, 0x24, 0x8e, 0x04, 0xc8, 0x6f, 0xda, 0xad, 0x35, 0x11, 0x37, 0x85, 0xb4
+};
+
 static int parse_generator(const secp256k1_context *ctx,
                            const unsigned char *generator, size_t generator_len,
                            secp256k1_generator *dest)
@@ -808,7 +815,8 @@ int wally_asset_blinding_key_from_seed(
 
     ret = wally_symmetric_key_from_seed(bytes, bytes_len, root, sizeof(root));
     if (ret == WALLY_OK) {
-        ret = wally_symmetric_key_from_parent(root, sizeof(root), 0, LABEL_STR, sizeof(LABEL_STR),
+        ret = wally_symmetric_key_from_parent(root, sizeof(root), 0,
+                                              SLIP77_LABEL, sizeof(SLIP77_LABEL),
                                               bytes_out, len);
         wally_clear(root, sizeof(root));
     }
@@ -874,6 +882,93 @@ int wally_asset_blinding_key_to_ec_public_key(
 #endif /* BUILD_ELEMENTS */
 }
 
+#ifdef BUILD_ELEMENTS
+static void elip150_tagged_hash(const unsigned char *pubkey, size_t pubkey_len,
+                                const unsigned char *script, size_t script_len,
+                                struct sha256 *sha_out)
+{
+    struct sha256_ctx ctx;
+    tagged_hash_init(&ctx, CT_BLINDING_KEY_1_0_SHA256, SHA256_LEN);
+    sha256_update(&ctx, pubkey, pubkey_len);
+    hash_varbuff(&ctx, script, script_len); /* Consensus encoding */
+    sha256_done(&ctx, sha_out);
+}
+#endif /* BUILD_ELEMENTS */
+
+int wally_elip150_private_key_to_ec_private_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len)
+{
+#ifndef BUILD_ELEMENTS
+    return WALLY_ERROR;
+#else
+    unsigned char pubkey[EC_PUBLIC_KEY_LEN];
+    int ret;
+
+    if (!bytes || bytes_len != EC_PRIVATE_KEY_LEN || !script || !script_len ||
+        !bytes_out || len != EC_PRIVATE_KEY_LEN)
+        return WALLY_EINVAL;
+
+    ret = wally_ec_public_key_from_private_key(bytes, bytes_len,
+                                               pubkey, sizeof(pubkey));
+    if (ret == WALLY_OK) {
+        struct sha256 sha;
+        unsigned char tweaked[EC_PRIVATE_KEY_LEN];
+        elip150_tagged_hash(pubkey, sizeof(pubkey), script, script_len, &sha);
+        ret = wally_ec_scalar_add(bytes, bytes_len, sha.u.u8, sizeof(sha),
+                                  tweaked, sizeof(tweaked));
+        if (ret == WALLY_OK)
+            memcpy(bytes_out, tweaked, sizeof(tweaked));
+    }
+    return ret;
+#endif /* BUILD_ELEMENTS */
+}
+
+int wally_elip150_private_key_to_ec_public_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len)
+{
+#ifndef BUILD_ELEMENTS
+    return WALLY_ERROR;
+#else
+    unsigned char pubkey[EC_PUBLIC_KEY_LEN];
+    int ret = wally_ec_public_key_from_private_key(bytes, bytes_len,
+                                                   pubkey, sizeof(pubkey));
+    if (ret == WALLY_OK)
+        ret = wally_elip150_public_key_to_ec_public_key(pubkey, sizeof(pubkey),
+                                                        script, script_len,
+                                                        bytes_out, len);
+    return ret;
+#endif /* BUILD_ELEMENTS */
+}
+
+int wally_elip150_public_key_to_ec_public_key(
+    const unsigned char *bytes, size_t bytes_len,
+    const unsigned char *script, size_t script_len,
+    unsigned char *bytes_out, size_t len)
+{
+#ifndef BUILD_ELEMENTS
+    return WALLY_ERROR;
+#else
+    struct sha256 sha;
+    unsigned char tweaked[EC_PUBLIC_KEY_LEN];
+    int ret;
+
+    if (!bytes || bytes_len != EC_PUBLIC_KEY_LEN || !script || !script_len ||
+        !bytes_out || len != EC_PUBLIC_KEY_LEN)
+        return WALLY_EINVAL;
+
+    elip150_tagged_hash(bytes, bytes_len, script, script_len, &sha);
+    ret = wally_ec_public_key_tweak(bytes, bytes_len, sha.u.u8, sizeof(sha),
+                                    tweaked, sizeof(tweaked));
+    if (ret == WALLY_OK)
+        memcpy(bytes_out, tweaked, sizeof(tweaked));
+    return ret;
+#endif /* BUILD_ELEMENTS */
+}
+
 #define BK_ABF 0x1
 #define BK_VBF 0x2
 

src/swig_java/jni_elements_extra.java_in

@@ -47,6 +47,21 @@
       return asset_blinding_key_to_ec_public_key(asset_blinding_key, scriptpubkey, null);
   }
 
+  public final static byte[] elip150_private_key_to_ec_private_key(byte[] priv_key,
+                                                                   byte[] scriptpubkey) {
+      return elip150_private_key_to_ec_private_key(priv_key, scriptpubkey, null);
+  }
+
+  public final static byte[] elip150_private_key_to_ec_public_key(byte[] priv_key,
+                                                                  byte[] scriptpubkey) {
+      return elip150_private_key_to_ec_public_key(priv_key, scriptpubkey, null);
+  }
+
+  public final static byte[] elip150_public_key_to_ec_public_key(byte[] pub_key,
+                                                                 byte[] scriptpubkey) {
+      return elip150_public_key_to_ec_public_key(pub_key, scriptpubkey, null);
+  }
+
   public final static long asset_unblind(byte[] pub_key, byte[] priv_key, byte[] proof,
                                          byte[] commitment, byte[] extra_in,
                                          byte[] generator,

src/swig_java/swig.i

@@ -617,6 +617,9 @@ static jobjectArray create_jstringArray(JNIEnv *jenv, char **p, size_t len) {
 %returns_void__(wally_ec_xonly_public_key_verify);
 %returns_array_(wally_ecdh, 5, 6, SHA256_LEN);
 %returns_array_(wally_ecdh_nonce_hash, 5, 6, SHA256_LEN);
+%returns_array_(wally_elip150_private_key_to_ec_private_key, 5, 6, EC_PUBLIC_KEY_LEN);
+%returns_array_(wally_elip150_private_key_to_ec_public_key, 5, 6, EC_PUBLIC_KEY_LEN);
+%returns_array_(wally_elip150_public_key_to_ec_public_key, 5, 6, EC_PUBLIC_KEY_LEN);
 %returns_size_t(wally_explicit_rangeproof);
 %returns_void__(wally_explicit_rangeproof_verify);
 %returns_array_(wally_explicit_surjectionproof, 7, 8, ASSET_EXPLICIT_SURJECTIONPROOF_LEN);

src/swig_python/python_extra.py_in

@@ -285,6 +285,9 @@ if is_elements_build():
     ecdh_nonce_hash = _wrap_bin(ecdh_nonce_hash, SHA256_LEN)
     elements_pegin_contract_script_from_bytes = _wrap_bin(elements_pegin_contract_script_from_bytes, elements_pegin_contract_script_from_bytes_len, resize=True)
     elements_pegout_script_from_bytes = _wrap_bin(elements_pegout_script_from_bytes, elements_pegout_script_from_bytes_len, resize=True)
+    elip150_private_key_to_ec_private_key = _wrap_bin(elip150_private_key_to_ec_private_key, EC_PRIVATE_KEY_LEN)
+    elip150_private_key_to_ec_public_key = _wrap_bin(elip150_private_key_to_ec_public_key, EC_PUBLIC_KEY_LEN)
+    elip150_public_key_to_ec_public_key = _wrap_bin(elip150_public_key_to_ec_public_key, EC_PUBLIC_KEY_LEN)
     explicit_rangeproof = _wrap_bin(explicit_rangeproof, ASSET_EXPLICIT_RANGEPROOF_MAX_LEN, resize=True)
     explicit_surjectionproof = _wrap_bin(explicit_surjectionproof, ASSET_EXPLICIT_SURJECTIONPROOF_LEN)
     psbt_blind = psbt_blind_alloc

src/test/test_elements.py

@@ -256,6 +256,41 @@ def test_deterministic_blinding_factors(self):
                         continue # Skip final VBF
                 self.assertEqual(h(out[:o_len]), utf8(expected))
 
+    def test_elip150_blinding_keys(self):
+        if not wally_is_elements_build()[1]:
+            self.skipTest('Elements support not enabled')
+
+        # Ensure tweaking private and public keys results in the same key
+        priv_key, priv_key_len = make_cbuffer('66'*32)
+        pub_key, pub_key_len = make_cbuffer('00'*33)
+        ret = wally_ec_public_key_from_private_key(priv_key, priv_key_len,
+                                                   pub_key, pub_key_len)
+        self.assertEqual(WALLY_OK, ret)
+        script, script_len = make_cbuffer('11'*40)
+        out_priv, out_priv_len = make_cbuffer('00'*32)
+        out_pub, out_pub_len = make_cbuffer('00'*33)
+        ret = wally_elip150_private_key_to_ec_private_key(priv_key, priv_key_len,
+                                                          script, script_len,
+                                                          out_priv, out_priv_len)
+        self.assertEqual(WALLY_OK, ret)
+        ret = wally_ec_public_key_from_private_key(out_priv, out_priv_len,
+                                                   out_pub, out_pub_len)
+        self.assertEqual(WALLY_OK, ret)
+        expected_pubkey = h(out_pub)
+
+        ret = wally_elip150_private_key_to_ec_public_key(priv_key, priv_key_len,
+                                                         script, script_len,
+                                                         out_pub, out_pub_len)
+        self.assertEqual(WALLY_OK, ret)
+        self.assertEqual(expected_pubkey, h(out_pub))
+
+        ret = wally_elip150_public_key_to_ec_public_key(pub_key, pub_key_len,
+                                                        script, script_len,
+                                                        out_pub, out_pub_len)
+        self.assertEqual(WALLY_OK, ret)
+        self.assertEqual(expected_pubkey, h(out_pub))
+
+
     def test_elements_tx_weights(self):
         if not wally_is_elements_build()[1]:
             self.skipTest('Elements support not enabled')

src/test/util.py

@@ -371,6 +371,9 @@ class wally_psbt(Structure):
     ('wally_elements_pegin_contract_script_from_bytes', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_uint32, c_void_p, c_size_t, c_size_t_p]),
     ('wally_elements_pegout_script_from_bytes', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_uint32, c_void_p, c_size_t, c_size_t_p]),
     ('wally_elements_pegout_script_size', c_int, [c_size_t, c_size_t, c_size_t, c_size_t, c_size_t_p]),
+    ('wally_elip150_private_key_to_ec_private_key', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t]),
+    ('wally_elip150_private_key_to_ec_public_key', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t]),
+    ('wally_elip150_public_key_to_ec_public_key', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t]),
     ('wally_explicit_rangeproof', c_int, [c_uint64, c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_size_t_p]),
     ('wally_explicit_rangeproof_verify', c_int, [c_void_p, c_size_t, c_uint64, c_void_p, c_size_t, c_void_p, c_size_t]),
     ('wally_explicit_surjectionproof', c_int, [c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_void_p, c_size_t]),