Encode CKey to ElligatorSwift representation

Author: dhruv

Diff for: build_msvc/libsecp256k1/libsecp256k1.vcxproj

@@ -14,7 +14,7 @@
   </ItemGroup>
   <ItemDefinitionGroup>
     <ClCompile>
-      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;ENABLE_MODULE_ELLSWIFT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\..\src\secp256k1;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DisableSpecificWarnings>4146;4244;4267;4334</DisableSpecificWarnings>
     </ClCompile>

Diff for: configure.ac

@@ -2012,7 +2012,7 @@ LIBS_TEMP="$LIBS"
 unset LIBS
 LIBS="$LIBS_TEMP"
 
-ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh"
+ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --enable-module-recovery --disable-module-ecdh --enable-experimental --enable-module-ellswift"
 AC_CONFIG_SUBDIRS([src/secp256k1])
 
 AC_OUTPUT

Diff for: src/key.cpp

@@ -9,8 +9,10 @@
 #include <crypto/hmac_sha512.h>
 #include <hash.h>
 #include <random.h>
+#include <span.h>
 
 #include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
@@ -332,6 +334,21 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
     return ret;
 }
 
+EllSwiftPubKey CKey::EllSwiftEncode(const std::array<std::byte, 32>& rnd32) const
+{
+    assert(fValid);
+    EllSwiftPubKey encoded_pubkey;
+
+    auto success = secp256k1_ellswift_create(secp256k1_context_sign,
+                                             reinterpret_cast<unsigned char*>(encoded_pubkey.data()),
+                                             keydata.data(),
+                                             UCharCast(rnd32.data()));
+
+    // Should always succeed for valid keys (asserted above)
+    assert(success);
+    return encoded_pubkey;
+}
+
 bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const {
     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     out.nDepth = nDepth + 1;

Diff for: src/key.h

@@ -12,6 +12,8 @@
 #include <support/allocators/secure.h>
 #include <uint256.h>
 
+#include <array>
+#include <cstddef>
 #include <stdexcept>
 #include <vector>
 
@@ -156,6 +158,8 @@ class CKey
 
     //! Load private key and check that public key matches.
     bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
+
+    EllSwiftPubKey EllSwiftEncode(const std::array<std::byte, 32>& rnd32) const;
 };
 
 struct CExtKey {

Diff for: src/pubkey.h

@@ -12,6 +12,8 @@
 #include <span.h>
 #include <uint256.h>
 
+#include <array>
+#include <cstddef>
 #include <cstring>
 #include <optional>
 #include <vector>
@@ -29,6 +31,9 @@ class CKeyID : public uint160
 
 typedef uint256 ChainCode;
 
+constexpr size_t ELLSWIFT_ENCODED_SIZE = 64;
+using EllSwiftPubKey = std::array<std::byte, ELLSWIFT_ENCODED_SIZE>;
+
 /** An encapsulated public key. */
 class CPubKey
 {

Diff for: src/test/key_tests.cpp

@@ -5,13 +5,18 @@
 #include <key.h>
 
 #include <key_io.h>
+#include <random.h>
+#include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <streams.h>
 #include <test/util/setup_common.h>
 #include <uint256.h>
 #include <util/strencodings.h>
 #include <util/string.h>
 #include <util/system.h>
 
+#include <array>
+#include <cstddef>
 #include <string>
 #include <vector>
 
@@ -344,4 +349,38 @@ BOOST_AUTO_TEST_CASE(bip340_test_vectors)
     }
 }
 
+CPubKey EllSwiftDecode(const EllSwiftPubKey& encoded_pubkey)
+{
+    secp256k1_pubkey pubkey;
+    secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, reinterpret_cast<const unsigned char*>(encoded_pubkey.data()));
+
+    size_t sz = CPubKey::COMPRESSED_SIZE;
+    std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;
+
+    secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
+
+    return CPubKey{vch_bytes.begin(), vch_bytes.end()};
+}
+
+BOOST_AUTO_TEST_CASE(key_ellswift)
+{
+    for (const auto& secret : {strSecret1, strSecret2, strSecret1C, strSecret2C}) {
+        CKey key = DecodeSecret(secret);
+        BOOST_CHECK(key.IsValid());
+
+        std::array<std::byte, 32> rnd32;
+        GetRandBytes({reinterpret_cast<unsigned char*>(rnd32.data()), 32});
+        auto ellswift_encoded_pubkey = key.EllSwiftEncode(rnd32);
+
+        CPubKey decoded_pubkey = EllSwiftDecode(ellswift_encoded_pubkey);
+        if (!key.IsCompressed()) {
+            // The decoding constructor returns a compressed pubkey. If the
+            // original was uncompressed, we must decompress the decoded one
+            // to compare.
+            decoded_pubkey.Decompress();
+        }
+        BOOST_CHECK(key.GetPubKey() == decoded_pubkey);
+    }
+}
+
 BOOST_AUTO_TEST_SUITE_END()