nonce rfc6979

iskyd · iskyd · commit 79e3dc2abeb8 · 2024-11-08T13:07:02.000+01:00
diff --git a/src/bip32.zig b/src/bip32.zig
@@ -228,6 +228,7 @@ pub const WifPrivateKey = struct {
         const netslice: [1]u8 = switch (net) {
             Network.mainnet => [1]u8{0b10000000},
             Network.testnet => [1]u8{0b11101111},
+            Network.regtest => [1]u8{0b11101111},
             else => unreachable,
         };
 
diff --git a/src/crypto/crypto.zig b/src/crypto/crypto.zig
@@ -3,6 +3,7 @@ pub const Secp256k1Point = @import("secp256k1.zig").Point;
 pub const secp256k1_number_of_points = @import("secp256k1.zig").number_of_points;
 pub const secp256k1_base_point = @import("secp256k1.zig").base_point;
 pub const signEcdsa = @import("ecdsa.zig").sign;
+pub const nonceFnRfc6979 = @import("ecdsa.zig").nonceFnRfc6979;
 pub const EcdsaSignature = @import("ecdsa.zig").Signature;
 pub const Bech32Encoder = @import("bech32.zig").standard.Encoder;
 pub const Bech32Decoder = @import("bech32.zig").standard.Decoder;
diff --git a/src/crypto/ecdsa.zig b/src/crypto/ecdsa.zig
@@ -4,6 +4,7 @@ const modinv = @import("math.zig").modinv;
 const math = std.math;
 const crypto = @import("crypto.zig");
 const is_test = @import("builtin").is_test;
+const HmacSha256 = std.crypto.auth.hmac.sha2.HmacSha256;
 
 fn intToHexStr(comptime T: type, data: T, buffer: []u8) !void {
     // Number of characters to represent data in hex
@@ -48,15 +49,10 @@ pub const Signature = struct {
 // pk is the private key
 // z is the hash of the msg we want to sign
 // nonce is used in tests to recreate deterministic signature.
-// I don't like this parameter, using the same nonce can expose the private key, but I havent found any better solution
-pub fn sign(pk: [32]u8, z: [32]u8, comptime nonce: ?u256) Signature {
-    comptime if (nonce != null and is_test == false) {
-        unreachable;
-    };
+pub fn sign(pk: [32]u8, z: [32]u8, comptime nonce_fn: fn (pk: [32]u8, z: [32]u8) u256) Signature {
     const n = crypto.secp256k1_number_of_points;
     while (true) {
-        const k: u256 = if (comptime nonce != null) nonce.? else rand.intRangeAtMost(u256, 0, n - 1);
-        // const k = rand.intRangeAtMost(u256, 0, n - 1);
+        const k: u256 = nonce_fn(pk, z);
         var p = crypto.Secp256k1Point{ .x = crypto.secp256k1_base_point.x, .y = crypto.secp256k1_base_point.y };
         p.multiply(k);
         const r = @mod(p.x, n);
@@ -78,6 +74,75 @@ pub fn sign(pk: [32]u8, z: [32]u8, comptime nonce: ?u256) Signature {
     unreachable;
 }
 
+// The original implementation can be found here: https://github.com/Raiden1411/zabi/blob/main/src/crypto/Signer.zig#L192
+// Thanks Raiden1411
+pub fn nonceFnRfc6979(pk: [32]u8, z: [32]u8) u256 {
+    // We already ask for the hashed message.
+    // message_hash == h1 and x == private_key.
+    // Section 3.2.a
+    var v: [33]u8 = undefined;
+    var k: [32]u8 = undefined;
+    var buffer: [97]u8 = undefined;
+
+    // Section 3.2.b
+    @memset(v[0..32], 0x01);
+    v[32] = 0x00;
+
+    // Section 3.2.c
+    @memset(&k, 0x00);
+
+    // Section 3.2.d
+    @memcpy(buffer[0..32], v[0..32]);
+    buffer[32] = 0x00;
+
+    @memcpy(buffer[33..65], &pk);
+    @memcpy(buffer[65..97], &z);
+
+    HmacSha256.create(&k, &buffer, &k);
+
+    // Section 3.2.e
+    HmacSha256.create(v[0..32], v[0..32], &k);
+
+    // Section 3.2.f
+    @memcpy(buffer[0..32], v[0..32]);
+    buffer[32] = 0x01;
+
+    @memcpy(buffer[33..65], &pk);
+    @memcpy(buffer[65..97], &z);
+    HmacSha256.create(&k, &buffer, &k);
+
+    // Section 3.2.g
+    HmacSha256.create(v[0..32], v[0..32], &k);
+
+    // Section 3.2.h
+    HmacSha256.create(v[0..32], v[0..32], &k);
+
+    while (true) {
+        const k_int = std.mem.readInt(u256, v[0..32], .big);
+
+        // K is within [1,q-1] and is in R value.
+        // that is not 0 so we break here.
+        if (k_int > 0 and k_int < crypto.secp256k1_number_of_points) {
+            break;
+        }
+
+        // Keep generating until we found a valid K.
+        HmacSha256.create(&k, v[0..], &k);
+        HmacSha256.create(v[0..32], v[0..32], &k);
+    }
+
+    const n = std.mem.readInt(u256, v[0..32], .big);
+
+    std.debug.print("calculated nonce = {d}\n", .{n});
+    return n;
+}
+
+fn nonceFn123456789(pk: [32]u8, z: [32]u8) u256 {
+    _ = pk;
+    _ = z;
+    return 123456789;
+}
+
 test "sign" {
     var buffer: [32]u8 = undefined;
     rand.bytes(&buffer);
@@ -88,7 +153,7 @@ test "sign" {
     rand.bytes(&pk);
     var pkhex: [64]u8 = undefined;
     _ = std.fmt.bufPrint(&pkhex, "{x}", .{std.fmt.fmtSliceHexLower(&bytes)}) catch unreachable;
-    const signature = sign(pk, bytes, null);
+    const signature = sign(pk, bytes, nonceFnRfc6979);
 
     try std.testing.expectEqual(true, signature.s >= 1);
     try std.testing.expectEqual(true, signature.r >= 1);
@@ -116,13 +181,12 @@ test "sign" {
 test "signWithDeterministicNonce" {
     const msghex = "d7b60220e1b9b2c1ab40845118baf515203f7b6f0ad83cbb68d3c89b5b3098a6";
     const privkeyhex = "7306f5092467981e66eff98b6b03bfe925922c5ecfaf14c4257ef18e81becf1f";
-    const nonce: u256 = 123456789;
     var pk: [32]u8 = undefined;
     _ = try std.fmt.hexToBytes(&pk, privkeyhex);
     var msg: [32]u8 = undefined;
     _ = try std.fmt.hexToBytes(&msg, msghex);
 
-    const signature = sign(pk, msg, nonce);
+    const signature = sign(pk, msg, nonceFn123456789);
     try std.testing.expectEqual(4051293998585674784991639592782214972820158391371785981004352359465450369227, signature.r);
     try std.testing.expectEqual(22928756034338380041288899807245402174768928418361705349511346173579327129676, signature.s);
 }
@@ -145,3 +209,17 @@ test "derEncode" {
     try std.testing.expectEqual(signature2.r, 20563619043091547917171744686276600212876833865692707756359368710575856337166);
     try std.testing.expectEqual(signature2.s, 53911059558236206164581555165446301142462550061465543326712028582562493425622);
 }
+
+test "generateNonceRfc6979" {
+    const msghex = "d7b60220e1b9b2c1ab40845118baf515203f7b6f0ad83cbb68d3c89b5b3098a6";
+    const privkeyhex = "7306f5092467981e66eff98b6b03bfe925922c5ecfaf14c4257ef18e81becf1f";
+    var pk: [32]u8 = undefined;
+    _ = try std.fmt.hexToBytes(&pk, privkeyhex);
+    var msg: [32]u8 = undefined;
+    _ = try std.fmt.hexToBytes(&msg, msghex);
+
+    const s1 = sign(pk, msg, nonceFnRfc6979);
+    const s2 = sign(pk, msg, nonceFnRfc6979);
+    try std.testing.expectEqual(s1.r, s2.r);
+    try std.testing.expectEqual(s1.s, s2.s);
+}
diff --git a/src/tx.zig b/src/tx.zig
@@ -4,6 +4,7 @@ const utils = @import("utils.zig");
 const KeyPath = @import("bip44.zig").KeyPath;
 const assert = @import("std").debug.assert;
 const signEcdsa = @import("crypto").signEcdsa;
+const nonceFnRfc6979 = @import("crypto").nonceFnRfc6979;
 const db = @import("db/db.zig");
 const sqlite = @import("sqlite");
 const bip32 = @import("bip32.zig");
@@ -318,7 +319,7 @@ test "createTx" {
 }
 
 // [72]u8 = 64 txid + 8 vout
-pub fn signTx(allocator: std.mem.Allocator, tx: *Transaction, privkeys: std.AutoHashMap([72]u8, [32]u8), pubkeys: std.AutoHashMap([72]u8, bip32.PublicKey), comptime nonce: ?u256) !void {
+pub fn signTx(allocator: std.mem.Allocator, tx: *Transaction, privkeys: std.AutoHashMap([72]u8, [32]u8), pubkeys: std.AutoHashMap([72]u8, bip32.PublicKey), comptime nonce_fn: fn (pk: [32]u8, z: [32]u8) u256) !void {
     const inputs_preimage_hash = try getTxInputsPreImageHash(allocator, tx.inputs.items);
     const inputs_sequences_preimage_hash = try getTxInputsSequencesPreImageHash(allocator, tx.inputs.items);
     const outputs_preimage_hash = try getTxOutputsPreImageHash(allocator, tx.outputs.items);
@@ -334,7 +335,7 @@ pub fn signTx(allocator: std.mem.Allocator, tx: *Transaction, privkeys: std.Auto
         const pubkey = pubkeys.get(key).?;
         const privkey = privkeys.get(key).?;
         const preimage_hash = try getPreImageHash(tx.version, inputs_preimage_hash, inputs_sequences_preimage_hash, outputs_preimage_hash, tx.locktime, input, pubkey, sighash_type);
-        const witness = try createWitness(allocator, preimage_hash, privkey, pubkey, sighash_type, nonce);
+        const witness = try createWitness(allocator, preimage_hash, privkey, pubkey, sighash_type, nonce_fn);
         try tx.addWitness(witness);
     }
 }
@@ -367,7 +368,7 @@ test "signTx" {
     var tx = try createTx(allocator, &inputs, &outputs);
     defer tx.deinit();
 
-    try signTx(allocator, &tx, privkeys, pubkeys, 123456789);
+    try signTx(allocator, &tx, privkeys, pubkeys, nonceFn123456789);
     var tx_raw: [194]u8 = undefined;
     try encodeTx(allocator, &tx_raw, tx, true);
     const expected_tx_raw_hex = "02000000000101ac4994014aa36b7f53375658ef595b3cb2891e1735fe5b441686f5e53338e76a0100000000ffffffff01204e0000000000001976a914ce72abfd0e6d9354a660c18f2825eb392f060fdc88ac02473044022008f4f37e2d8f74e18c1b8fde2374d5f28402fb8ab7fd1cc5b786aa40851a70cb022032b1374d1a0f125eae4f69d1bc0b7f896c964cfdba329f38a952426cf427484c012103eed0d937090cae6ffde917de8a80dc6156e30b13edd5e51e2e50d52428da1c8700000000";
@@ -818,8 +819,8 @@ test "getPreImageHash" {
     try std.testing.expectEqualSlices(u8, &expected_bytes, &hash);
 }
 
-pub fn createWitness(allocator: std.mem.Allocator, preimage_hash: [32]u8, privkey: [32]u8, pubkey: bip32.PublicKey, sighash_type: SighashType, comptime nonce: ?u256) !TxWitness {
-    const signature = signEcdsa(privkey, preimage_hash, nonce);
+pub fn createWitness(allocator: std.mem.Allocator, preimage_hash: [32]u8, privkey: [32]u8, pubkey: bip32.PublicKey, sighash_type: SighashType, comptime nonce_fn: fn (pk: [32]u8, z: [32]u8) u256) !TxWitness {
+    const signature = signEcdsa(privkey, preimage_hash, nonce_fn);
     const partial_serialized = try signature.derEncode(allocator);
     defer allocator.free(partial_serialized);
     var sighash_type_hex: [2]u8 = undefined;
@@ -838,6 +839,12 @@ pub fn createWitness(allocator: std.mem.Allocator, preimage_hash: [32]u8, privke
     return witness;
 }
 
+fn nonceFn123456789(pk: [32]u8, z: [32]u8) u256 {
+    _ = pk;
+    _ = z;
+    return 123456789;
+}
+
 test "createWitness" {
     const allocator = std.testing.allocator;
     const preimage_hash_hex = "d7b60220e1b9b2c1ab40845118baf515203f7b6f0ad83cbb68d3c89b5b3098a6";
@@ -848,7 +855,7 @@ test "createWitness" {
     _ = try std.fmt.hexToBytes(&privkey, &privkey_hex);
     const pubkey = bip32.generatePublicKey(privkey);
 
-    const witness = try createWitness(allocator, preimage_hash, privkey, pubkey, SighashType.sighash_all, 123456789);
+    const witness = try createWitness(allocator, preimage_hash, privkey, pubkey, SighashType.sighash_all, nonceFn123456789);
     defer witness.deinit();
 
     const expected_signature_hex = "3044022008f4f37e2d8f74e18c1b8fde2374d5f28402fb8ab7fd1cc5b786aa40851a70cb022032b1374d1a0f125eae4f69d1bc0b7f896c964cfdba329f38a952426cf427484c01";
diff --git a/src/walle.zig b/src/walle.zig
@@ -248,6 +248,13 @@ pub fn main() !void {
                 const extended_privkey = try bip32.ExtendedPrivateKey.fromAddress(private_descriptor.?.extended_key);
                 const privkey = try bip44.generatePrivateFromAccountPrivateKey(extended_privkey, output.keypath.?.path[3], output.keypath.?.path[4]);
 
+                const wif = bip32.WifPrivateKey.fromPrivateKey(privkey, network, true);
+                const wifbase58 = try wif.toBase58();
+                std.debug.print("wifbase58: {s}\n", .{wifbase58});
+
+                utils.debugPrintBytes(64, &privkey);
+                std.debug.print("pubkey: {s}\n", .{try pubkey.toStrCompressed()});
+
                 try pubkeys.put(map_key, pubkey);
                 try privkeys.put(map_key, privkey);
             }
@@ -266,7 +273,13 @@ pub fn main() !void {
 
             var send_transaction = try tx.createTx(allocator, tx_inputs, tx_outputs);
 
-            try tx.signTx(allocator, &send_transaction, privkeys, pubkeys, null);
+            const raw_tx_cap_no_sign = tx.encodeTxCap(send_transaction, false);
+            const raw_tx_no_sign = try allocator.alloc(u8, raw_tx_cap_no_sign);
+            const raw_tx_hex_no_sign = try allocator.alloc(u8, raw_tx_cap_no_sign * 2);
+            try tx.encodeTx(allocator, raw_tx_no_sign, send_transaction, false);
+            _ = try std.fmt.bufPrint(raw_tx_hex_no_sign, "{x}", .{std.fmt.fmtSliceHexLower(raw_tx_no_sign)});
+
+            try tx.signTx(allocator, &send_transaction, privkeys, pubkeys, crypto.nonceFnRfc6979);
             std.debug.print("send transaction\n{}\n", .{send_transaction});
 
             const raw_tx_cap = tx.encodeTxCap(send_transaction, true);
@@ -275,6 +288,7 @@ pub fn main() !void {
             try tx.encodeTx(allocator, raw_tx, send_transaction, true);
             _ = try std.fmt.bufPrint(raw_tx_hex, "{x}", .{std.fmt.fmtSliceHexLower(raw_tx)});
 
+            std.debug.print("\n{s}\n", .{raw_tx_hex_no_sign});
             std.debug.print("\n{s}\n", .{raw_tx_hex});
         },
     }
