ElementsProject
diff --git a/‎Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/confidential/hash_to_sk.rs
Lines changed: 99 additions & 0 deletions b/‎src/confidential/hash_to_sk.rs
Lines changed: 99 additions & 0 deletions
diff --git a/‎src/confidential/mod.rs
Lines changed: 226 additions & 0 deletions b/‎src/confidential/mod.rs
Lines changed: 226 additions & 0 deletions
@@ -17,6 +17,7 @@ rand = ["bitcoin/rand"]
 
 [dependencies]
 bitcoin = "0.28.1"
+bitcoin_hashes = "0.11.0"
 elements = "0.19.0"
 bitcoin-miniscript = {package = "miniscript", git = "https://github.com/rust-bitcoin/rust-miniscript", rev = "44c0e4b8df30439bb22b13a0ee642a3330360613"}
 
 
@@ -0,0 +1,99 @@
+// Miniscript
+// Written in 2022 by
+//     Andrew Poelstra <[email protected]>
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this software to
+// the public domain worldwide. This software is distributed without
+// any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication
+// along with this software.
+// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+//
+
+//! Hash-To-Secret-Key blinding keys
+//!
+
+use bitcoin_hashes::{sha256t_hash_newtype, Hash, HashEngine};
+use elements::encode::Encodable;
+use elements::secp256k1_zkp;
+
+use crate::ToPublicKey;
+
+/// The SHA-256 initial midstate value for the [`HashToSkHash`].
+const MIDSTATE_HASH_TO_SK_HASH: [u8; 32] = [
+    0x2f, 0x85, 0x61, 0xec, 0x30, 0x88, 0xad, 0xa9, 0x5a, 0xe7, 0x43, 0xcd, 0x3c, 0x5f, 0x59, 0x7d,
+    0xc0, 0x4b, 0xd0, 0x7f, 0x06, 0x5f, 0x1c, 0x06, 0x47, 0x89, 0x36, 0x63, 0xf3, 0x92, 0x6e, 0x65,
+];
+
+sha256t_hash_newtype!(HashToSkHash, HashToSkTag, MIDSTATE_HASH_TO_SK_HASH, 64,
+    doc="BIP-340 Tagged hash for deriving blinding private keys from a list of public keys", false
+);
+
+/// Derives a blinding private key from a given script pubkey
+pub fn blinding_private_key<'a, Pk, I>(spk: &elements::Script, keys: I) -> secp256k1_zkp::SecretKey
+where
+    Pk: ToPublicKey + 'a,
+    I: Iterator<Item = &'a Pk>,
+{
+    let mut eng = HashToSkHash::engine();
+    spk.consensus_encode(&mut eng).expect("engines don't error");
+    let mut sorted_keys: Vec<_> = keys.map(|k| k.to_public_key().inner.serialize()).collect();
+    sorted_keys.sort();
+    for key in sorted_keys {
+        eng.input(&key);
+    }
+    // lol why is this conversion so hard
+    secp256k1_zkp::SecretKey::from_slice(&HashToSkHash::from_engine(eng).into_inner()).unwrap()
+}
+
+/// Derives a public blinding key from a given script pubkey
+pub fn blinding_key<'a, C, Pk, I>(
+    secp: &secp256k1_zkp::Secp256k1<C>,
+    spk: &elements::Script,
+    keys: I,
+) -> secp256k1_zkp::PublicKey
+where
+    C: secp256k1_zkp::Signing,
+    Pk: ToPublicKey + 'a,
+    I: Iterator<Item = &'a Pk>,
+{
+    let sk = blinding_private_key(spk, keys);
+    secp256k1_zkp::PublicKey::from_secret_key(secp, &sk)
+}
+
+#[cfg(test)]
+mod tests {
+    use bitcoin_hashes::{hex::ToHex, sha256, sha256t::Tag};
+    use super::*;
+
+    #[test]
+    fn tagged_hash() {
+        // Check that cached midstate is computed correctly
+        // This code taken from `tag_engine` in the rust-bitcoin tests; it is identical
+        // to that used by the BIP-0340 hashes in Taproot
+        let mut engine = sha256::Hash::engine();
+        let tag_hash = sha256::Hash::hash(b"CT-Blinding-Key/1.0");
+        engine.input(&tag_hash[..]);
+        engine.input(&tag_hash[..]);
+        assert_eq!(MIDSTATE_HASH_TO_SK_HASH, engine.midstate().into_inner());
+
+        // Test empty hash
+        assert_eq!(
+            HashToSkHash::from_engine(HashToSkTag::engine()).to_hex(),
+            "d12a140aca856fbb917b931f263c42f064608985e2ce17ae5157daa17c55e8d9",
+        );
+        assert_eq!(
+            HashToSkHash::hash(&[]).to_hex(),
+            "d12a140aca856fbb917b931f263c42f064608985e2ce17ae5157daa17c55e8d9",
+        );
+
+        // And hash of 100 bytes
+        let data: Vec<u8> = (0..80).collect();
+        assert_eq!(
+            HashToSkHash::hash(&data).to_hex(),
+            "e1e52419a2934d278c50e29608969d2f23c1bd1243a09bfc8026d4ed4b085e39",
+        );
+    }
+}
@@ -0,0 +1,226 @@
+// Miniscript
+// Written in 2022 by
+//     Andrew Poelstra <[email protected]>
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this software to
+// the public domain worldwide. This software is distributed without
+// any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication
+// along with this software.
+// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+//
+
+//! Confidential Descriptors
+//!
+//! Implements ELIP ????, described at `URL`
+//!
+
+pub mod hash_to_sk;
+pub mod slip77;
+
+use crate::{Error, MiniscriptKey, ToPublicKey};
+use elements::hashes::hex;
+use elements::secp256k1_zkp;
+use crate::extensions::{CovenantExt, CovExtArgs, Extension, ParseableExt};
+use std::{fmt, iter};
+
+/// A description of a blinding key
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
+pub enum Key<Pk: MiniscriptKey> {
+    /// Blinding key is computed from the hash of a sorted list of public keys
+    ///
+    /// The first public key is included outside of the `Vec` to reduce allocations
+    /// and to enforce that the list of keys is not empty; but it is not special in
+    /// any way.
+    HashToSk(Pk, Vec<Pk>),
+    /// Blinding key is computed using SLIP77 with the given master key
+    Slip77(slip77::MasterBlindingKey),
+    /// Blinding key is given directly
+    Bare(Pk),
+}
+
+impl<Pk: MiniscriptKey + fmt::Display> fmt::Display for Key<Pk> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match *self {
+            Key::HashToSk(ref key1, ref keys) => {
+                write!(f, "hash_to_sk({}", key1)?;
+                for k in keys {
+                    write!(f, ",{}", k)?;
+                }
+                f.write_str(")")
+            },
+            Key::Slip77(ref data) => {
+                f.write_str("slip77(")?;
+                hex::format_hex(data.as_bytes(), f)?;
+                f.write_str(")")
+            },
+            Key::Bare(ref pk) => fmt::Display::fmt(pk, f),
+        }
+    }
+}
+
+impl<Pk: MiniscriptKey + ToPublicKey> Key<Pk> {
+    fn to_public_key<C: secp256k1_zkp::Signing>(
+        &self,
+        secp: &secp256k1_zkp::Secp256k1<C>,
+        spk: &elements::Script,
+    ) -> secp256k1_zkp::PublicKey {
+        match *self {
+            Key::HashToSk(ref k1, ref keys) => hash_to_sk::blinding_key(
+                secp,
+                spk,
+                iter::once(k1).chain(keys.iter()),
+            ),
+            Key::Slip77(ref mbk) => mbk.blinding_key(secp, spk),
+            Key::Bare(ref pk) => pk.to_public_key().inner,
+        }
+    }
+}
+
+/// A confidential descriptor
+pub struct Descriptor<Pk: MiniscriptKey, T: Extension = CovenantExt<CovExtArgs>> {
+    /// The blinding key
+    pub key: Key<Pk>,
+    /// The script descriptor
+    pub descriptor: crate::Descriptor<Pk, T>,
+}
+
+impl<Pk: MiniscriptKey, T: Extension> Descriptor<Pk, T> {
+    /// Sanity checks for the underlying descriptor.
+    pub fn sanity_check(&self) -> Result<(), Error> {
+        self.descriptor.sanity_check()?;
+        Ok(())
+    }
+}
+
+impl<Pk: MiniscriptKey + ToPublicKey, T: Extension + ParseableExt> Descriptor<Pk, T> {
+    /// Obtains the unblinded address for this descriptor.
+    pub fn unconfidential_address(
+        &self,
+        params: &'static elements::AddressParams,
+    ) -> Result<elements::Address, Error> {
+        self.descriptor.address(params)
+    }
+
+    /// Obtains the blinded address for this descriptor.
+    pub fn address<C: secp256k1_zkp::Signing>(
+        &self,
+        secp: &secp256k1_zkp::Secp256k1<C>,
+        params: &'static elements::AddressParams,
+    ) -> Result<elements::Address, Error> {
+        let spk = self.descriptor.script_pubkey();
+        self.descriptor
+            .blinded_address(self.key.to_public_key(secp, &spk), params)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use crate::NoExt;
+    use elements::Address;
+    use std::str::FromStr;
+
+    #[test]
+    fn bare_addr_to_confidential() {
+        let secp = secp256k1_zkp::Secp256k1::new();
+
+        // taken from libwally src/test/test_confidential_addr.py
+        let mut addr = Address::from_str("Q7qcjTLsYGoMA7TjUp97R6E6AM5VKqBik6").unwrap();
+        let key = Key::Bare(bitcoin::PublicKey::from_str("02dce16018bbbb8e36de7b394df5b5166e9adb7498be7d881a85a09aeecf76b623").unwrap());
+        addr.blinding_pubkey = Some(key.to_public_key(&secp, &addr.script_pubkey()));
+        assert_eq!(addr.to_string(), "VTpz1bNuCALgavJKgbAw9Lpp9A72rJy64XPqgqfnaLpMjRcPh5UHBqyRUE4WMZ3asjqu7YEPVAnWw2EK");
+    }
+
+    #[test]
+    fn hash_to_sk_addr_to_confidential() {
+        let secp = secp256k1_zkp::Secp256k1::new();
+
+        // Single key
+        let desc: Descriptor::<secp256k1_zkp::PublicKey, NoExt> = Descriptor {
+            key: Key::HashToSk(FromStr::from_str("02dce16018bbbb8e36de7b394df5b5166e9adb7498be7d881a85a09aeecf76b623").unwrap(), vec![]),
+            descriptor: FromStr::from_str("elpkh(020000000000000000000000000000000000000000000000000000000000000002)").unwrap(),
+        };
+
+        assert_eq!(
+            desc.address(&secp, &elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "CTExk1cWwWsm8PP8c9KK1nPhvYin5Ac3a7xcg9U92f76oCyRi3Zh1QcAPPavQ7UDhax5tKMTajUYyaLu",
+        );
+        assert_eq!(
+            desc.unconfidential_address(&elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "2dmYXpSu8YP6aLcJYhHfB1C19mdzSx2GPB9",
+        );
+
+        // Multiple keys
+        let keys = vec![
+            "02fb7a8c3b2fc3e42095b51d8c28e37f15ec3da8f84ec7d51cbbc83abd39eec2d6",
+            "03d5614e0f8983f8d1bed90299e8cb40b1f0fd61d36d7e2958682cca625d14d744",
+            "03cb8d2ef4aaf7be6a9bb80afe798e6cf72fd102b46c44f81c31593ae62a3c7de8",
+            "032ea1c87f4023d48ad3a30acf1ac63b6d8a876b880c0ddc9a4163ab6a25f28a2b",
+            "03d38adcd566db859f59ba28cc6cba54e9c9ae5399b875034e6038f1e22fe3f2ff",
+            "02729d8336d93c59ab20edb4cf7589ff5dbc159d2e239e80d0db01ddd22b994f0b",
+            "02fde5e64596d934e0d560afff13d7f9732b3751555f836c5093ee69d4fa3d836f",
+            "029f00e038dbc4ecd875d5170feff8f56ae7e0c0a90467454d78a4212e1964194d",
+            "0247c0c61ad7b6671c4ea9b277bffb0b27412ae2d2795cccadb405b152a67ff250",
+            "03e8485a732bced45ad81ac259d9889459a0c6128a16b6782cc68edfa43fea2783",
+            "02412e2ba495c3f52f80a6db41524079f293ae2d47f6a239550879b0430b3c0e0e",
+            "023569dac5cefeac572481ad6eb1205c59a774236352c2a34a6f04c9597ea5218f",
+            "02bb22f63397b818ac12f43a47446333cbc3da79427469257561801f0bdd0d8342",
+            "03fbff1f52bb55262c83a66873433e8408eec5f06a24f33eb2f2eab146e47c7d2a",
+            "02253adb8820f73fdeec7a3472baddde79795d7792f4fb6d748b8b33bda9d30449",
+            "03517fb63ed0136223d9b2239ce2594a78b7ad4adf3194dbfe94cd30047d2d868e",
+            "02be9a86606e90a1cc3a97393a295ee9661e943e7585519266d230b31cf8b1812c",
+            "034e93eb5054ab504205855ddafb4bfe1e0deacc51929c784c0b2f9b11123ec2e2",
+            "0212d3048099d52ee4b8153f75623fc7153788f659e8c1df21ac2e6ff21561cb10",
+            "03774eec7a3d550d18e9f89414152025b3b0ad6a342b19481f702d843cff06dfc4",
+        ];
+        // Parse all keys
+        let mut keys: Vec<_> = keys
+            .into_iter()
+            .map(|k| secp256k1_zkp::PublicKey::from_str(k).unwrap())
+            .collect();
+        // Take one to make a spk from
+        let spk_key = keys.pop().unwrap();
+        // Make a sorted copy
+        let mut sorted_keys = keys.clone();
+        sorted_keys.sort_by_key(|k| k.serialize());
+
+        // Normal segwit address
+        let key_1 = keys.pop().unwrap();
+        let mut desc: Descriptor::<secp256k1_zkp::PublicKey, NoExt> = Descriptor {
+            key: Key::HashToSk(key_1, keys),
+            descriptor: crate::Descriptor::new_wpkh(spk_key.clone()).unwrap(),
+        };
+        assert_eq!(
+            desc.address(&secp, &elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "el1qq2rr0dcmn6mfvcf7x486z3djs7j283arxspjj6adzgjsjxsa5r0v2rmqvvk2ce5ksnxcs9ecgtnryt7xg34068lggvfp79zus",
+        );
+        // Same address with sorted blinding keys (should be the same)
+        let key_1 = sorted_keys.pop().unwrap();
+        desc.key = Key::HashToSk(key_1, sorted_keys);
+        assert_eq!(
+            desc.address(&secp, &elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "el1qq2rr0dcmn6mfvcf7x486z3djs7j283arxspjj6adzgjsjxsa5r0v2rmqvvk2ce5ksnxcs9ecgtnryt7xg34068lggvfp79zus",
+        );
+
+        // P2PKH address
+        desc.descriptor = crate::Descriptor::new_pkh(spk_key.clone());
+        assert_eq!(
+            desc.address(&secp, &elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "CTEjvpSstrs9BBTBGP9uEmVkVxETjEPFJoX4g1z2N8RWTFm2N3y4Auw4EfBdWams5A4ryjqYpTspmkqj",
+        );
+
+        // P2TR address
+        desc.descriptor = crate::Descriptor::new_tr(spk_key.clone(), None).unwrap();
+        assert_eq!(
+            desc.address(&secp, &elements::AddressParams::ELEMENTS).unwrap().to_string(),
+            "el1pqdv9pw8heqh3d329tlqyp5nfqfje4aezhp5sjafc39dxtmcwvwkfc6r5jd0rkpzukq6hd965kepcmwtxvg0fh4ak4f636gv25yky23ces7qpvfsp96eq",
+        );
+    }
+}
+
+
+