Merge #31: Reference implementation of CT descriptors

725f450 confidential: hack in view descriptor support (Andrew Poelstra)
6359f03 confidential: switch test vectors to use xpubs rather than bare keys (Andrew Poelstra)
a332208 re-export confidential::Descirptor as ConfidentialDescirptor (Andrew Poelstra)
694628f CT descriptors: add fuzz test (Andrew Poelstra)
2b5bd55 CT descriptors: generate ELIP test vectors (Andrew Poelstra)
604c7e3 CT descriptors: add test vectors (Andrew Poelstra)
e9ac0bc CT descriptors: add `bare` module (Andrew Poelstra)
f5b2fe5 CT descriptors: add `slip77` module (Andrew Poelstra)
277b1a5 CT descriptors: block in module (Andrew Poelstra)
450d4d1 expression: stop special-casing the text `slip77` (Andrew Poelstra)
5d2755d delete descriptor::Blinded (Andrew Poelstra)
67e9422 descriptor: expose checksum function to whole crate (Andrew Poelstra)
b11c818 descriptor: fix Display impl for legacy CSFS covenants (Andrew Poelstra)

Pull request description:

  I'm aware that there are already a basic form of CT descriptors in this library, and this does not remove them, it just adds a new module which should act as a reference implementation for ElementsProject/ELIPs#1

  WIP because it needs a new rust-elements release to get tagged hashes in `bitcoin_hashes`.

ACKs for top commit:
  sanket1729:
    ACK 725f450.

Tree-SHA512: 52d5961e653f19a6378f6abfbf812cedfb295e56cc08ea6ab8c80cdd5c0ee3b8da209f7c65c87193bf42448c0d5db86ead27dbe0bcb1e245f6c3f0b9ccce0f11

Author: apoelstra

.github/workflows/fuzz.yml

@@ -24,6 +24,7 @@ parse_descriptor_secret,
 roundtrip_descriptor,
 roundtrip_concrete,
 compile_descriptor,
+roundtrip_confidential,
         ]
     steps:
       - name: Install test dependencies

fuzz/Cargo.toml

@@ -44,3 +44,7 @@ path = "fuzz_targets/roundtrip_concrete.rs"
 [[bin]]
 name = "compile_descriptor"
 path = "fuzz_targets/compile_descriptor.rs"
+
+[[bin]]
+name = "roundtrip_confidential"
+path = "fuzz_targets/roundtrip_confidential.rs"

fuzz/fuzz_targets/roundtrip_confidential.rs

@@ -0,0 +1,38 @@
+extern crate elements_miniscript as miniscript;
+extern crate regex;
+
+use std::str::FromStr;
+
+use miniscript::confidential;
+
+fn do_test(data: &[u8]) {
+    // This is how we test in rust-miniscript. It is difficult to enforce wrapping logic in fuzzer
+    // for alias like t: and_v(1), likely and unlikely.
+    // Just directly check whether the inferred descriptor is the same.
+    let s = String::from_utf8_lossy(data);
+    if let Ok(desc) = confidential::Descriptor::<String>::from_str(&s) {
+        let str2 = desc.to_string();
+        let desc2 = confidential::Descriptor::<String>::from_str(&str2).unwrap();
+
+        assert_eq!(desc.to_string(), desc2.to_string());
+    }
+}
+
+fn main() {
+    loop {
+        honggfuzz::fuzz!(|data| {
+            do_test(data);
+        });
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use miniscript::elements::hex::FromHex;
+
+    #[test]
+    fn duplicate_crash() {
+        let hex = Vec::<u8>::from_hex("00").unwrap();
+        super::do_test(&hex);
+    }
+}

src/confidential/bare.rs

@@ -0,0 +1,122 @@
+// Miniscript
+// Written in 2023 by
+//     Andrew Poelstra <[email protected]>
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this software to
+// the public domain worldwide. This software is distributed without
+// any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication
+// along with this software.
+// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+//
+
+//! "Bare Key" Confidential Descriptors
+
+use bitcoin::hashes::{sha256t_hash_newtype, Hash};
+use elements::encode::Encodable;
+use elements::secp256k1_zkp;
+
+use crate::ToPublicKey;
+
+/// The SHA-256 initial midstate value for the [`TweakHash`].
+const MIDSTATE_HASH_TO_PRIVATE_HASH: [u8; 32] = [
+    0x2f, 0x85, 0x61, 0xec, 0x30, 0x88, 0xad, 0xa9, 0x5a, 0xe7, 0x43, 0xcd, 0x3c, 0x5f, 0x59, 0x7d,
+    0xc0, 0x4b, 0xd0, 0x7f, 0x06, 0x5f, 0x1c, 0x06, 0x47, 0x89, 0x36, 0x63, 0xf3, 0x92, 0x6e, 0x65,
+];
+
+sha256t_hash_newtype!(
+    TweakHash,
+    TweakTag,
+    MIDSTATE_HASH_TO_PRIVATE_HASH,
+    64,
+    doc = "BIP-340 Tagged hash for tweaking blinding keys",
+    forward
+);
+
+/// Tweaks a bare key using the scriptPubKey of a descriptor
+pub fn tweak_key<'a, Pk, V>(
+    secp: &secp256k1_zkp::Secp256k1<V>,
+    spk: &elements::Script,
+    pk: &Pk,
+) -> secp256k1_zkp::PublicKey
+where
+    Pk: ToPublicKey + 'a,
+    V: secp256k1_zkp::Verification,
+{
+    let mut eng = TweakHash::engine();
+    pk.to_public_key()
+        .write_into(&mut eng)
+        .expect("engines don't error");
+    spk.consensus_encode(&mut eng).expect("engines don't error");
+    let hash_bytes = TweakHash::from_engine(eng).to_byte_array();
+    let hash_scalar = secp256k1_zkp::Scalar::from_be_bytes(hash_bytes).expect("bytes from hash");
+    pk.to_public_key()
+        .inner
+        .add_exp_tweak(secp, &hash_scalar)
+        .unwrap()
+}
+
+/// Tweaks a bare key using the scriptPubKey of a descriptor
+pub fn tweak_private_key<'a, Pk, V>(
+    secp: &secp256k1_zkp::Secp256k1<V>,
+    spk: &elements::Script,
+    pk: &Pk,
+) -> secp256k1_zkp::PublicKey
+where
+    Pk: ToPublicKey + 'a,
+    V: secp256k1_zkp::Verification,
+{
+    let mut eng = TweakHash::engine();
+    pk.to_public_key()
+        .write_into(&mut eng)
+        .expect("engines don't error");
+    spk.consensus_encode(&mut eng).expect("engines don't error");
+    let hash_bytes = TweakHash::from_engine(eng).to_byte_array();
+    let hash_scalar = secp256k1_zkp::Scalar::from_be_bytes(hash_bytes).expect("bytes from hash");
+    pk.to_public_key()
+        .inner
+        .add_exp_tweak(secp, &hash_scalar)
+        .unwrap()
+}
+
+#[cfg(test)]
+mod tests {
+    use bitcoin::hashes::sha256t::Tag;
+    use bitcoin::hashes::{sha256, HashEngine};
+
+    use super::*;
+
+    #[test]
+    fn tagged_hash() {
+        // Check that cached midstate is computed correctly
+        // This code taken from `tag_engine` in the rust-bitcoin tests; it is identical
+        // to that used by the BIP-0340 hashes in Taproot
+        let mut engine = sha256::Hash::engine();
+        let tag_hash = sha256::Hash::hash(b"CT-Blinding-Key/1.0");
+        engine.input(&tag_hash[..]);
+        engine.input(&tag_hash[..]);
+        assert_eq!(
+            MIDSTATE_HASH_TO_PRIVATE_HASH,
+            engine.midstate().to_byte_array()
+        );
+
+        // Test empty hash
+        assert_eq!(
+            TweakHash::from_engine(TweakTag::engine()).to_string(),
+            "d12a140aca856fbb917b931f263c42f064608985e2ce17ae5157daa17c55e8d9",
+        );
+        assert_eq!(
+            TweakHash::hash(&[]).to_string(),
+            "d12a140aca856fbb917b931f263c42f064608985e2ce17ae5157daa17c55e8d9",
+        );
+
+        // And hash of 100 bytes
+        let data: Vec<u8> = (0..80).collect();
+        assert_eq!(
+            TweakHash::hash(&data).to_string(),
+            "e1e52419a2934d278c50e29608969d2f23c1bd1243a09bfc8026d4ed4b085e39",
+        );
+    }
+}