Use Wscalar instead of DlogProverInput in ExtSecretKey

Now that DlogProverInput eagerly evaluates public key, it's a bad fit for ExtSecretKey since it causes unnecessary EC operations

Author: sethdusek

Cargo.toml

@@ -1,4 +1,3 @@
-
 [workspace]
 resolver = "2"
 members = [

ergo-lib/src/wallet/ext_pub_key.rs

@@ -28,7 +28,8 @@ type HmacSha512 = Hmac<Sha512>;
 pub struct ExtPubKey {
     /// Parsed public key (EcPoint)
     pub public_key: EcPoint,
-    chain_code: ChainCode,
+    /// Chain code bytes
+    pub chain_code: ChainCode,
     /// Derivation path for this extended public key
     pub derivation_path: DerivationPath,
 }

ergo-lib/src/wallet/ext_secret_key.rs

@@ -1,6 +1,4 @@
 //! Extended private key operations according to BIP-32
-use core::convert::TryInto;
-
 use super::{
     derivation_path::{ChildIndex, ChildIndexError, DerivationPath},
     ext_pub_key::ExtPubKey,
@@ -28,14 +26,23 @@ type HmacSha512 = Hmac<Sha512>;
 
 /// Extended secret key
 /// implemented according to BIP-32
-#[derive(PartialEq, Eq, Debug, Clone)]
+#[derive(PartialEq, Eq, Clone)]
 pub struct ExtSecretKey {
-    /// The secret key
-    private_input: DlogProverInput,
+    private_input: Wscalar,
     chain_code: ChainCode,
     derivation_path: DerivationPath,
 }
 
+impl core::fmt::Debug for ExtSecretKey {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        f.debug_struct("ExtSecretKey")
+            .field("private_input", &"*****") // disable debug output for secret key to prevent key leakage in logs
+            .field("chain_code", &self.chain_code)
+            .field("derivation_path", &self.derivation_path)
+            .finish()
+    }
+}
+
 /// Extended secret key errors
 #[derive(Error, PartialEq, Eq, Debug, Clone)]
 pub enum ExtSecretKeyError {
@@ -66,8 +73,8 @@ impl ExtSecretKey {
         chain_code: ChainCode,
         derivation_path: DerivationPath,
     ) -> Result<Self, ExtSecretKeyError> {
-        let private_input = DlogProverInput::from_bytes(&secret_key_bytes)
-            .ok_or(ExtSecretKeyError::ScalarEncodingError)?;
+        let private_input =
+            Wscalar::from_bytes(&secret_key_bytes).ok_or(ExtSecretKeyError::ScalarEncodingError)?;
         Ok(Self {
             private_input,
             chain_code,
@@ -82,7 +89,7 @@ impl ExtSecretKey {
 
     /// Returns secret key
     pub fn secret_key(&self) -> SecretKey {
-        self.private_input.clone().into()
+        DlogProverInput::new(self.private_input.clone()).into()
     }
 
     /// Byte representation of the underlying scalar
@@ -92,7 +99,7 @@ impl ExtSecretKey {
 
     /// Public image associated with the private input
     pub fn public_image(&self) -> ProveDlog {
-        self.private_input.public_image()
+        DlogProverInput::new(self.private_input.clone()).public_image()
     }
 
     /// Public image bytes in SEC-1 encoded & compressed format
@@ -103,12 +110,11 @@ impl ExtSecretKey {
     /// The extended public key associated with this secret key
     pub fn public_key(&self) -> Result<ExtPubKey, ExtSecretKeyError> {
         #[allow(clippy::unwrap_used)]
-        Ok(ExtPubKey::new(
-            // unwrap is safe as it is used on an Infallible result type
-            self.public_image_bytes()?.try_into().unwrap(),
-            self.chain_code,
-            self.derivation_path.clone(),
-        )?)
+        Ok(ExtPubKey {
+            public_key: *self.public_image().h,
+            chain_code: self.chain_code,
+            derivation_path: self.derivation_path.clone(),
+        })
     }
 
     /// Derive a child extended secret key using the provided index
@@ -127,16 +133,14 @@ impl ExtSecretKey {
         let mac_bytes = mac.finalize().into_bytes();
         let mut secret_key_bytes = [0; SecretKeyBytes::LEN];
         secret_key_bytes.copy_from_slice(&mac_bytes[..32]);
-        if let Some(dlog_prover) = DlogProverInput::from_bytes(&secret_key_bytes) {
+        if let Some(wscalar) = Wscalar::from_bytes(&secret_key_bytes) {
             // parse256(IL) + kpar (mod n).
             // via https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions
-            let child_secret_key: DlogProverInput = Wscalar::from(
-                dlog_prover
-                    .w
+            let child_secret_key = Wscalar::from(
+                wscalar
                     .as_scalar_ref()
-                    .add(self.private_input.w.as_scalar_ref()),
-            )
-            .into();
+                    .add(self.private_input.as_scalar_ref()),
+            );
             if child_secret_key.is_zero() {
                 // ki == 0 case of:
                 // > In case parse256(IL) ≥ n or ki = 0, the resulting key is invalid, and one

ergotree-interpreter/src/sigma_protocol/private_input.rs

@@ -107,7 +107,7 @@ impl DlogProverInput {
 
     /// byte representation of the underlying scalar
     pub fn to_bytes(&self) -> [u8; DlogProverInput::SIZE_BYTES] {
-        self.w.as_scalar_ref().to_bytes().into()
+        self.w.to_bytes()
     }
 
     /// public key of discrete logarithm signature protocol
@@ -117,7 +117,7 @@ impl DlogProverInput {
 
     /// Return true if the secret is 0
     pub fn is_zero(&self) -> bool {
-        self.w.as_scalar_ref().is_zero().into()
+        self.w.is_zero()
     }
 }
 

ergotree-interpreter/src/sigma_protocol/wscalar.rs

@@ -7,6 +7,7 @@ use core::fmt::Formatter;
 
 use derive_more::From;
 use derive_more::Into;
+use elliptic_curve::PrimeField;
 use ergo_chain_types::Base16DecodedBytes;
 use ergo_chain_types::Base16EncodedBytes;
 use k256::elliptic_curve::generic_array::GenericArray;
@@ -31,10 +32,30 @@ use super::SOUNDNESS_BYTES;
 pub struct Wscalar(Scalar);
 
 impl Wscalar {
+    /// Scalar(secret key) size in bytes
+    pub const SIZE_BYTES: usize = 32;
+
     /// Returns a reference to underlying Scalar
     pub fn as_scalar_ref(&self) -> &Scalar {
         &self.0
     }
+
+    /// Attempts to parse the given byte array as an SEC-1-encoded scalar(secret key).
+    /// Returns None if the byte array does not contain a big-endian integer in the range [0, modulus).
+    pub fn from_bytes(bytes: &[u8; Self::SIZE_BYTES]) -> Option<Self> {
+        k256::Scalar::from_repr((*bytes).into())
+            .map(Wscalar::from)
+            .into()
+    }
+
+    /// Convert scalar to big-endian byte representation
+    pub fn to_bytes(&self) -> [u8; Self::SIZE_BYTES] {
+        self.0.to_bytes().into()
+    }
+    /// Return true if the scalar is 0
+    pub fn is_zero(&self) -> bool {
+        self.0.is_zero().into()
+    }
 }
 
 impl From<GroupSizedBytes> for Wscalar {

ergotree-ir/src/chain/address.rs

@@ -542,8 +542,8 @@ impl AddressEncoder {
         let mut address_bytes = address.content_bytes();
         let mut bytes = vec![prefix_byte];
         bytes.append(&mut address_bytes);
-        let mut calculated_checksum = AddressEncoder::calc_checksum(&bytes[..]).to_vec();
-        bytes.append(&mut calculated_checksum);
+        let calculated_checksum = AddressEncoder::calc_checksum(&bytes[..]);
+        bytes.extend_from_slice(&calculated_checksum);
         bytes
     }