Merge pull request #128 from buidl-bitcoin/musig2

MuSig2 implementation

Author: jimmysong

buidl/block.py

@@ -1,3 +1,5 @@
+from io import BytesIO
+
 from buidl.helper import (
     bits_to_target,
     hash256,
@@ -9,19 +11,6 @@
 from buidl.tx import Tx
 
 
-GENESIS_BLOCK_HASH = {
-    "mainnet": bytes.fromhex(
-        "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"
-    ),
-    "testnet": bytes.fromhex(
-        "000000000933ea01ad0ee984209779baaec3ced90fa3f408719526f8d77f4943"
-    ),
-    "signet": bytes.fromhex(
-        "00000008819873e925422c1ff0f99f7cc9bbb232af63a077a480a3633bee1ef6"
-    ),
-}
-
-
 class Block:
     command = b"block"
 
@@ -58,21 +47,25 @@ def __repr__(self):
 """
 
     @classmethod
-    def parse_header(cls, s):
+    def parse_header(cls, stream=None, hex=None):
         """Takes a byte stream and parses block headers. Returns a Block object"""
-        # s.read(n) will read n bytes from the stream
+        if hex:
+            if stream:
+                raise RuntimeError("One of stream or hex should be defined")
+            stream = BytesIO(bytes.fromhex(hex))
+        # stream.read(n) will read n bytes from the stream
         # version - 4 bytes, little endian, interpret as int
-        version = little_endian_to_int(s.read(4))
+        version = little_endian_to_int(stream.read(4))
         # prev_block - 32 bytes, little endian (use [::-1] to reverse)
-        prev_block = s.read(32)[::-1]
+        prev_block = stream.read(32)[::-1]
         # merkle_root - 32 bytes, little endian (use [::-1] to reverse)
-        merkle_root = s.read(32)[::-1]
+        merkle_root = stream.read(32)[::-1]
         # timestamp - 4 bytes, little endian, interpret as int
-        timestamp = little_endian_to_int(s.read(4))
+        timestamp = little_endian_to_int(stream.read(4))
         # bits - 4 bytes
-        bits = s.read(4)
+        bits = stream.read(4)
         # nonce - 4 bytes
-        nonce = s.read(4)
+        nonce = stream.read(4)
         # initialize class
         return cls(version, prev_block, merkle_root, timestamp, bits, nonce)
 
@@ -177,3 +170,18 @@ def get_outpoints(self):
             for tx_out in t.tx_outs:
                 if not tx_out.script_pubkey.has_op_return():
                     yield (tx_out.script_pubkey.raw_serialize())
+
+
+GENESIS_BLOCK_MAINNET_HEX = "0100000000000000000000000000000000000000000000000000000000000000000000003ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a29ab5f49ffff001d1dac2b7c"
+GENESIS_BLOCK_TESTNET_HEX = "0100000000000000000000000000000000000000000000000000000000000000000000003ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4adae5494dffff001d1aa4ae18"
+GENESIS_BLOCK_SIGNET_HEX = "0100000000000000000000000000000000000000000000000000000000000000000000003ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a008f4d5fae77031e8ad22203"
+GENESIS_BLOCK_HEADERS = {
+    "mainnet": Block.parse_header(hex=GENESIS_BLOCK_MAINNET_HEX),
+    "testnet": Block.parse_header(hex=GENESIS_BLOCK_TESTNET_HEX),
+    "signet": Block.parse_header(hex=GENESIS_BLOCK_SIGNET_HEX),
+}
+GENESIS_BLOCK_HASH = {
+    "mainnet": GENESIS_BLOCK_HEADERS["mainnet"].hash(),
+    "testnet": GENESIS_BLOCK_HEADERS["testnet"].hash(),
+    "signet": GENESIS_BLOCK_HEADERS["signet"].hash(),
+}

buidl/cecc.py

@@ -1,5 +1,6 @@
 import hashlib
 import hmac
+import secrets
 
 from buidl.helper import (
     big_endian_to_int,
@@ -348,6 +349,12 @@ def hex(self):
         return "{:x}".format(self.secret).zfill(64)
 
     def sign(self, z):
+        # per libsecp256k1 documentation, this helps against side-channel attacks
+        if not lib.secp256k1_context_randomize(
+            GLOBAL_CTX,
+            secrets.token_bytes(32),
+        ):
+            raise RuntimeError("libsecp256k1 context randomization error")
         secret = int_to_big_endian(self.secret, 32)
         msg = int_to_big_endian(z, 32)
         csig = ffi.new("secp256k1_ecdsa_signature *")
@@ -365,6 +372,12 @@ def sign_schnorr(self, msg, aux):
             raise ValueError("msg needs to be 32 bytes")
         if len(aux) != 32:
             raise ValueError("aux needs to be 32 bytes")
+        # per libsecp256k1 documentation, this helps against side-channel attacks
+        if not lib.secp256k1_context_randomize(
+            GLOBAL_CTX,
+            secrets.token_bytes(32),
+        ):
+            raise RuntimeError("libsecp256k1 context randomization error")
         keypair = ffi.new("secp256k1_keypair *")
         if not lib.secp256k1_keypair_create(
             GLOBAL_CTX, keypair, int_to_big_endian(self.secret, 32)

buidl/chash.py

@@ -0,0 +1,65 @@
+from buidl._libsec import ffi, lib
+
+
+GLOBAL_CTX = ffi.gc(
+    lib.secp256k1_context_create(
+        lib.SECP256K1_CONTEXT_SIGN | lib.SECP256K1_CONTEXT_VERIFY
+    ),
+    lib.secp256k1_context_destroy,
+)
+
+
+def tagged_hash(tag, msg):
+    result = ffi.new("unsigned char [32]")
+    tag_length = len(tag)
+    msg_length = len(msg)
+    if not lib.secp256k1_tagged_sha256(
+        GLOBAL_CTX,
+        result,
+        tag,
+        tag_length,
+        msg,
+        msg_length,
+    ):
+        raise RuntimeError("libsecp256k1 tagged hash problem")
+    return bytes(ffi.buffer(result, 32))
+
+
+def hash_aux(msg):
+    return tagged_hash(b"BIP0340/aux", msg)
+
+
+def hash_challenge(msg):
+    return tagged_hash(b"BIP0340/challenge", msg)
+
+
+def hash_keyaggcoef(msg):
+    return tagged_hash(b"KeyAgg coefficient", msg)
+
+
+def hash_keyagglist(msg):
+    return tagged_hash(b"KeyAgg list", msg)
+
+
+def hash_musignonce(msg):
+    return tagged_hash(b"MuSig/noncecoef", msg)
+
+
+def hash_nonce(msg):
+    return tagged_hash(b"BIP0340/nonce", msg)
+
+
+def hash_tapbranch(msg):
+    return tagged_hash(b"TapBranch", msg)
+
+
+def hash_tapleaf(msg):
+    return tagged_hash(b"TapLeaf", msg)
+
+
+def hash_tapsighash(msg):
+    return tagged_hash(b"TapSighash", msg)
+
+
+def hash_taptweak(msg):
+    return tagged_hash(b"TapTweak", msg)

buidl/hash.py

@@ -0,0 +1,4 @@
+try:
+    from buidl.chash import *  # noqa: F401,F403
+except ModuleNotFoundError:
+    from buidl.phash import *  # noqa: F401,F403

buidl/helper.py

@@ -449,48 +449,5 @@ def is_intable(int_as_string):
         return False
 
 
-TAGS = {
-    "aux": sha256(b"BIP0340/aux") * 2,
-    "nonce": sha256(b"BIP0340/nonce") * 2,
-    "challenge": sha256(b"BIP0340/challenge") * 2,
-    "tapbranch": sha256(b"TapBranch") * 2,
-    "tapleaf": sha256(b"TapLeaf") * 2,
-    "tapsighash": sha256(b"TapSighash") * 2,
-    "taptweak": sha256(b"TapTweak") * 2,
-}
-
-
-def _tagged_hash(tag, msg):
-    return sha256(TAGS[tag] + msg)
-
-
-def hash_aux(msg):
-    return _tagged_hash("aux", msg)
-
-
-def hash_challenge(msg):
-    return _tagged_hash("challenge", msg)
-
-
-def hash_nonce(msg):
-    return _tagged_hash("nonce", msg)
-
-
-def hash_tapbranch(msg):
-    return _tagged_hash("tapbranch", msg)
-
-
-def hash_tapleaf(msg):
-    return _tagged_hash("tapleaf", msg)
-
-
-def hash_tapsighash(msg):
-    return _tagged_hash("tapsighash", msg)
-
-
-def hash_taptweak(msg):
-    return _tagged_hash("taptweak", msg)
-
-
 def xor_bytes(a, b):
     return bytes(x ^ y for x, y in zip(a, b))

buidl/libsec.h

@@ -8,6 +8,10 @@ typedef struct secp256k1_context_struct secp256k1_context;
 secp256k1_context* secp256k1_context_create(
     unsigned int flags
 );
+secp256k1_context* secp256k1_context_randomize(
+    secp256k1_context* ctx,
+    const unsigned char *seed32
+);
 void secp256k1_context_destroy(
     secp256k1_context* ctx
 );

buidl/pecc.py

@@ -3,14 +3,16 @@
 import hmac
 import hashlib
 
+from buidl.hash import (
+    hash_aux,
+    hash_challenge,
+    hash_nonce,
+)
 from buidl.helper import (
     big_endian_to_int,
     encode_base58_checksum,
     hash160,
     hash256,
-    hash_aux,
-    hash_challenge,
-    hash_nonce,
     int_to_big_endian,
     raw_decode_base58,
     xor_bytes,

buidl/phash.py

@@ -0,0 +1,50 @@
+import hashlib
+
+
+TAG_HASH_CACHE = {}
+
+
+def tagged_hash(tag: bytes, msg: bytes) -> bytes:
+    if TAG_HASH_CACHE.get(tag) is None:
+        TAG_HASH_CACHE[tag] = hashlib.sha256(tag).digest() * 2
+    return hashlib.sha256(TAG_HASH_CACHE[tag] + msg).digest()
+
+
+def hash_aux(msg):
+    return tagged_hash(b"BIP0340/aux", msg)
+
+
+def hash_challenge(msg):
+    return tagged_hash(b"BIP0340/challenge", msg)
+
+
+def hash_keyaggcoef(msg):
+    return tagged_hash(b"KeyAgg coefficient", msg)
+
+
+def hash_keyagglist(msg):
+    return tagged_hash(b"KeyAgg list", msg)
+
+
+def hash_musignonce(msg):
+    return tagged_hash(b"MuSig/noncecoef", msg)
+
+
+def hash_nonce(msg):
+    return tagged_hash(b"BIP0340/nonce", msg)
+
+
+def hash_tapbranch(msg):
+    return tagged_hash(b"TapBranch", msg)
+
+
+def hash_tapleaf(msg):
+    return tagged_hash(b"TapLeaf", msg)
+
+
+def hash_tapsighash(msg):
+    return tagged_hash(b"TapSighash", msg)
+
+
+def hash_taptweak(msg):
+    return tagged_hash(b"TapTweak", msg)

buidl/script.py

@@ -549,11 +549,6 @@ def address(self, network="mainnet"):
         # convert to bech32 address using encode_bech32_checksum
         return encode_bech32_checksum(witness_program, network)
 
-    @classmethod
-    def from_address(cls, address):
-        _, _, point_raw = decode_bech32(address)
-        return cls(point_raw)
-
 
 class WitnessScript(Script):
     """Subclass that represents a WitnessScript for p2wsh"""
@@ -618,12 +613,17 @@ def address_to_script_pubkey(s):
         # p2sh
         h160 = decode_base58(s)
         return P2SHScriptPubKey(h160)
-    elif s[:3] in ("bc1", "tb1"):
+    elif s[:4] in ("bc1q", "tb1q"):
         if len(s) == 42:
             # p2wpkh
             return P2WPKHScriptPubKey(decode_bech32(s)[2])
         elif len(s) == 62:
             # p2wskh
             return P2WSHScriptPubKey(decode_bech32(s)[2])
+    elif s[:4] in ("bc1p", "tb1p"):
+        if len(s) != 62:
+            raise RuntimeError(f"unknown type of address: {s}")
+        # p2tr
+        return P2TRScriptPubKey(decode_bech32(s)[2])
 
     raise RuntimeError(f"unknown type of address: {s}")