Use Wscalar instead of DlogProverInput in ExtSecretKey

Now that DlogProverInput eagerly evaluates public key, it's a bad fit for ExtSecretKey since it causes unnecessary EC operations

Author: sethdusek

Cargo.toml

@@ -35,8 +35,12 @@ ergotree-interpreter = { version = "^0.28.0", path = "./ergotree-interpreter" }
 ergo-nipopow = { version = "^0.15", path = "./ergo-nipopow" }
 ergo-merkle-tree = { version = "^0.15.0", path = "./ergo-merkle-tree" }
 ergo-rest = { version = "^0.13.0", path = "./ergo-rest" }
-ergo-lib = { version = "^0.28.0", path = "./ergo-lib"}
-k256 = { version = "0.13.1", features = ["arithmetic", "ecdsa", "precomputed-tables"] }
+ergo-lib = { version = "^0.28.0", path = "./ergo-lib" }
+k256 = { version = "0.13.1", features = [
+    "arithmetic",
+    "ecdsa",
+    "precomputed-tables",
+] }
 elliptic-curve = { version = "0.13.8", features = ["ff"] }
 thiserror = "1"
 bounded-vec = { version = "^0.7.0" }

ergo-lib/src/wallet/ext_pub_key.rs

@@ -27,7 +27,8 @@ type HmacSha512 = Hmac<Sha512>;
 pub struct ExtPubKey {
     /// Parsed public key (EcPoint)
     pub public_key: EcPoint,
-    chain_code: ChainCode,
+    /// Chain code bytes
+    pub chain_code: ChainCode,
     /// Derivation path for this extended public key
     pub derivation_path: DerivationPath,
 }

ergo-lib/src/wallet/ext_secret_key.rs

@@ -1,5 +1,4 @@
 //! Extended private key operations according to BIP-32
-use std::convert::TryInto;
 
 use super::{
     derivation_path::{ChildIndex, ChildIndexError, DerivationPath},
@@ -27,14 +26,23 @@ type HmacSha512 = Hmac<Sha512>;
 
 /// Extended secret key
 /// implemented according to BIP-32
-#[derive(PartialEq, Eq, Debug, Clone)]
+#[derive(PartialEq, Eq, Clone)]
 pub struct ExtSecretKey {
-    /// The secret key
-    private_input: DlogProverInput,
+    private_input: Wscalar,
     chain_code: ChainCode,
     derivation_path: DerivationPath,
 }
 
+impl std::fmt::Debug for ExtSecretKey {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("ExtSecretKey")
+            .field("private_input", &"*****") // disable debug output for secret key to prevent key leakage in logs
+            .field("chain_code", &self.chain_code)
+            .field("derivation_path", &self.derivation_path)
+            .finish()
+    }
+}
+
 /// Extended secret key errors
 #[derive(Error, PartialEq, Eq, Debug, Clone)]
 pub enum ExtSecretKeyError {
@@ -65,8 +73,8 @@ impl ExtSecretKey {
         chain_code: ChainCode,
         derivation_path: DerivationPath,
     ) -> Result<Self, ExtSecretKeyError> {
-        let private_input = DlogProverInput::from_bytes(&secret_key_bytes)
-            .ok_or(ExtSecretKeyError::ScalarEncodingError)?;
+        let private_input =
+            Wscalar::from_bytes(&secret_key_bytes).ok_or(ExtSecretKeyError::ScalarEncodingError)?;
         Ok(Self {
             private_input,
             chain_code,
@@ -81,7 +89,7 @@ impl ExtSecretKey {
 
     /// Returns secret key
     pub fn secret_key(&self) -> SecretKey {
-        self.private_input.clone().into()
+        DlogProverInput::new(self.private_input.clone()).into()
     }
 
     /// Byte representation of the underlying scalar
@@ -91,7 +99,7 @@ impl ExtSecretKey {
 
     /// Public image associated with the private input
     pub fn public_image(&self) -> ProveDlog {
-        self.private_input.public_image()
+        DlogProverInput::new(self.private_input.clone()).public_image()
     }
 
     /// Public image bytes in SEC-1 encoded & compressed format
@@ -102,12 +110,11 @@ impl ExtSecretKey {
     /// The extended public key associated with this secret key
     pub fn public_key(&self) -> Result<ExtPubKey, ExtSecretKeyError> {
         #[allow(clippy::unwrap_used)]
-        Ok(ExtPubKey::new(
-            // unwrap is safe as it is used on an Infallible result type
-            self.public_image_bytes()?.try_into().unwrap(),
-            self.chain_code,
-            self.derivation_path.clone(),
-        )?)
+        Ok(ExtPubKey {
+            public_key: *self.public_image().h,
+            chain_code: self.chain_code,
+            derivation_path: self.derivation_path.clone(),
+        })
     }
 
     /// Derive a child extended secret key using the provided index
@@ -126,16 +133,14 @@ impl ExtSecretKey {
         let mac_bytes = mac.finalize().into_bytes();
         let mut secret_key_bytes = [0; SecretKeyBytes::LEN];
         secret_key_bytes.copy_from_slice(&mac_bytes[..32]);
-        if let Some(dlog_prover) = DlogProverInput::from_bytes(&secret_key_bytes) {
+        if let Some(wscalar) = Wscalar::from_bytes(&secret_key_bytes) {
             // parse256(IL) + kpar (mod n).
             // via https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions
-            let child_secret_key: DlogProverInput = Wscalar::from(
-                dlog_prover
-                    .w
+            let child_secret_key = Wscalar::from(
+                wscalar
                     .as_scalar_ref()
-                    .add(self.private_input.w.as_scalar_ref()),
-            )
-            .into();
+                    .add(self.private_input.as_scalar_ref()),
+            );
             if child_secret_key.is_zero() {
                 // ki == 0 case of:
                 // > In case parse256(IL) ≥ n or ki = 0, the resulting key is invalid, and one

ergotree-interpreter/src/sigma_protocol/wscalar.rs

@@ -7,6 +7,7 @@ use std::fmt::Formatter;
 
 use derive_more::From;
 use derive_more::Into;
+use elliptic_curve::PrimeField;
 use ergo_chain_types::Base16DecodedBytes;
 use ergo_chain_types::Base16EncodedBytes;
 use k256::elliptic_curve::generic_array::GenericArray;
@@ -31,10 +32,30 @@ use super::SOUNDNESS_BYTES;
 pub struct Wscalar(Scalar);
 
 impl Wscalar {
+    /// Scalar(secret key) size in bytes
+    pub const SIZE_BYTES: usize = 32;
+
     /// Returns a reference to underlying Scalar
     pub fn as_scalar_ref(&self) -> &Scalar {
         &self.0
     }
+
+    /// Attempts to parse the given byte array as an SEC-1-encoded scalar(secret key).
+    /// Returns None if the byte array does not contain a big-endian integer in the range [0, modulus).
+    pub fn from_bytes(bytes: &[u8; Self::SIZE_BYTES]) -> Option<Self> {
+        k256::Scalar::from_repr((*bytes).into())
+            .map(Wscalar::from)
+            .into()
+    }
+
+    /// Convert scalar to big-endian byte representation
+    pub fn to_bytes(&self) -> [u8; Self::SIZE_BYTES] {
+        self.0.to_bytes().into()
+    }
+    /// Return true if the scalar is 0
+    pub fn is_zero(&self) -> bool {
+        self.0.is_zero().into()
+    }
 }
 
 impl From<GroupSizedBytes> for Wscalar {

ergotree-ir/src/chain/address.rs

@@ -535,8 +535,8 @@ impl AddressEncoder {
         let mut address_bytes = address.content_bytes();
         let mut bytes = vec![prefix_byte];
         bytes.append(&mut address_bytes);
-        let mut calculated_checksum = AddressEncoder::calc_checksum(&bytes[..]).to_vec();
-        bytes.append(&mut calculated_checksum);
+        let calculated_checksum = AddressEncoder::calc_checksum(&bytes[..]);
+        bytes.extend_from_slice(&calculated_checksum);
         bytes
     }