bitcoinrb 1.4.0 → 1.6.0

data/lib/bitcoin/descriptor.rb

@@ -3,145 +3,221 @@ module Bitcoin
   module Descriptor
 
     include Bitcoin::Opcodes
-
-    # generate P2PK output for the given public key.
+    autoload :Expression, 'bitcoin/descriptor/expression'
+    autoload :KeyExpression, 'bitcoin/descriptor/key_expression'
+    autoload :ScriptExpression, 'bitcoin/descriptor/script_expression'
+    autoload :Pk, 'bitcoin/descriptor/pk'
+    autoload :Pkh, 'bitcoin/descriptor/pkh'
+    autoload :Wpkh, 'bitcoin/descriptor/wpkh'
+    autoload :Sh, 'bitcoin/descriptor/sh'
+    autoload :Wsh, 'bitcoin/descriptor/wsh'
+    autoload :Combo, 'bitcoin/descriptor/combo'
+    autoload :Multi, 'bitcoin/descriptor/multi'
+    autoload :SortedMulti, 'bitcoin/descriptor/sorted_multi'
+    autoload :Raw, 'bitcoin/descriptor/raw'
+    autoload :Addr,  'bitcoin/descriptor/addr'
+    autoload :Tr,  'bitcoin/descriptor/tr'
+    autoload :MultiA,  'bitcoin/descriptor/multi_a'
+    autoload :SortedMultiA, 'bitcoin/descriptor/sorted_multi_a'
+    autoload :Checksum, 'bitcoin/descriptor/checksum'
+
+    module_function
+
+    # Generate P2PK output for the given public key.
     # @param [String] key private key or public key with hex format
-    # @return [Bitcoin::Script] P2PK script.
+    # @return [Bitcoin::Descriptor::Pk]
     def pk(key)
-      Bitcoin::Script.new << extract_pubkey(key) << OP_CHECKSIG
+      Pk.new(key)
     end
 
-    # generate P2PKH output for the given public key.
+    # Generate P2PKH output for the given public key.
     # @param [String] key private key or public key with hex format.
-    # @return [Bitcoin::Script] P2PKH script.
+    # @return [Bitcoin::Descriptor::Pkh]
     def pkh(key)
-      Bitcoin::Script.to_p2pkh(Bitcoin.hash160(extract_pubkey(key)))
+      Pkh.new(key)
     end
 
-    # generate P2PKH output for the given public key.
+    # Generate P2PKH output for the given public key.
     # @param [String] key private key or public key with hex format.
-    # @return [Bitcoin::Script] P2WPKH script.
+    # @return [Bitcoin::Descriptor::Wpkh]
     def wpkh(key)
-      pubkey = extract_pubkey(key)
-      raise ArgumentError, "Uncompressed key are not allowed." unless compressed_key?(pubkey)
-      Bitcoin::Script.to_p2wpkh(Bitcoin.hash160(pubkey))
+      Wpkh.new(key)
     end
 
-    # generate P2SH embed the argument.
-    # @param [String or Script] script script to be embed.
-    # @return [Bitcoin::Script] P2SH script.
-    def sh(script)
-      script = script.to_hex if script.is_a?(Bitcoin::Script)
-      raise ArgumentError, "P2SH script is too large, 547 bytes is larger than #{Bitcoin::MAX_SCRIPT_ELEMENT_SIZE} bytes." if script.htb.bytesize > Bitcoin::MAX_SCRIPT_ELEMENT_SIZE
-      Bitcoin::Script.to_p2sh(Bitcoin.hash160(script))
+    # Generate P2SH embed the argument.
+    # @param [Bitcoin::Descriptor::Base] exp script expression to be embed.
+    # @return [Bitcoin::Descriptor::Sh]
+    def sh(exp)
+      Sh.new(exp)
     end
 
-    # generate P2WSH embed the argument.
-    # @param [String or Script] script script to be embed.
-    # @return [Bitcoin::Script] P2WSH script.
-    def wsh(script)
-      script = Bitcoin::Script(script.htb) if script.is_a?(String)
-      raise ArgumentError, "P2SH script is too large, 547 bytes is larger than #{Bitcoin::MAX_SCRIPT_ELEMENT_SIZE} bytes." if script.to_payload.bytesize > Bitcoin::MAX_SCRIPT_ELEMENT_SIZE
-      raise ArgumentError, "Uncompressed key are not allowed." if script.get_pubkeys.any?{|p|!compressed_key?(p)}
-      Bitcoin::Script.to_p2wsh(script)
+    # Generate P2WSH embed the argument.
+    # @param [Bitcoin::Descriptor::Expression] exp script expression to be embed.
+    # @return [Bitcoin::Descriptor::Wsh]
+    def wsh(exp)
+      Wsh.new(exp)
     end
 
-    # an alias for the collection of `pk(KEY)` and `pkh(KEY)`.
+    # An alias for the collection of `pk(KEY)` and `pkh(KEY)`.
     # If the key is compressed, it also includes `wpkh(KEY)` and `sh(wpkh(KEY))`.
     # @param [String] key private key or public key with hex format.
-    # @return [Array[Bitcoin::Script]]
+    # @return [Bitcoin::Descriptor::Combo]
     def combo(key)
-      result = [pk(key), pkh(key)]
-      pubkey = extract_pubkey(key)
-      if compressed_key?(pubkey)
-        result << wpkh(key)
-        result << sh(result.last)
-      end
-      result
+      Combo.new(key)
     end
 
-    # generate multisig output for given keys.
+    # Generate multisig output for given keys.
     # @param [Integer] threshold the threshold of multisig.
     # @param [Array[String]] keys an array of keys.
-    # @return [Bitcoin::Script] multisig script.
-    def multi(threshold, *keys, sort: false)
-      raise ArgumentError, 'Multisig threshold is not valid.' unless threshold.is_a?(Integer)
-      raise ArgumentError, 'Multisig threshold cannot be 0, must be at least 1.' unless threshold > 0
-      raise ArgumentError, 'Multisig threshold cannot be larger than the number of keys.' if threshold > keys.size
-      raise ArgumentError, 'Multisig must have between 1 and 16 keys, inclusive.' if keys.size > 16
-      pubkeys = keys.map{|key| extract_pubkey(key) }
-      Bitcoin::Script.to_multisig_script(threshold, pubkeys, sort: sort)
+    # @return [Bitcoin::Descriptor::Multi] multisig script.
+    def multi(threshold, *keys)
+      Multi.new(threshold, keys)
     end
 
-    # generate sorted multisig output for given keys.
+    # Generate sorted multisig output for given keys.
     # @param [Integer] threshold the threshold of multisig.
     # @param [Array[String]] keys an array of keys.
-    # @return [Bitcoin::Script] multisig script.
+    # @return [Bitcoin::Descriptor::SortedMulti]
     def sortedmulti(threshold, *keys)
-      multi(threshold, *keys, sort: true)
-    end
-
-    private
-
-    # extract public key from KEY format.
-    # @param [String] key KEY string.
-    # @return [String] public key.
-    def extract_pubkey(key)
-      if key.start_with?('[') # BIP32 fingerprint
-        raise ArgumentError, 'Invalid key origin.' if key.count('[') > 1 || key.count(']') > 1
-        info = key[1...key.index(']')] # TODO
-        fingerprint, *paths = info.split('/')
-        raise ArgumentError, 'Fingerprint is not hex.' unless fingerprint.valid_hex?
-        raise ArgumentError, 'Fingerprint is not 4 bytes.' unless fingerprint.size == 8
-        key = key[(key.index(']') + 1)..-1]
-      else
-        raise ArgumentError, 'Invalid key origin.' if key.include?(']')
-      end
+      SortedMulti.new(threshold, keys)
+    end
 
-      # check BIP32 derivation path
-      key, *paths = key.split('/')
+    # Generate raw output script about +hex+.
+    # @param [String] hex Hex string of bitcoin script.
+    # @return [Bitcoin::Descriptor::Raw]
+    def raw(hex)
+      Raw.new(hex)
+    end
 
-      if key.start_with?('xprv')
-        key = Bitcoin::ExtKey.from_base58(key)
-        key = derive_path(key, paths, true) if paths
-      elsif key.start_with?('xpub')
-        key = Bitcoin::ExtPubkey.from_base58(key)
-        key = derive_path(key, paths, false) if paths
-      else
-        begin
-          key = Bitcoin::Key.from_wif(key)
-        rescue ArgumentError
-          key_type =  compressed_key?(key) ? Bitcoin::Key::TYPES[:compressed] : Bitcoin::Key::TYPES[:uncompressed]
-          key = Bitcoin::Key.new(pubkey: key, key_type: key_type)
+    # Generate raw output script about +hex+.
+    # @param [String] addr Bitcoin address.
+    # @return [Bitcoin::Descriptor::Addr]
+    def addr(addr)
+      Addr.new(addr)
+    end
+
+    # Generate taproot output script descriptor.
+    # @param [String] key
+    # @param [String] tree
+    # @return [Bitcoin::Descriptor::Tr]
+    def tr(key, tree = nil)
+      Tr.new(key, tree)
+    end
+
+    # Generate tapscript multisig output for given keys.
+    # @param [Integer] threshold the threshold of multisig.
+    # @param [Array[String]] keys an array of keys.
+    # @return [Bitcoin::Descriptor::MultiA] multisig script.
+    def multi_a(threshold, *keys)
+      MultiA.new(threshold, keys)
+    end
+
+    # Generate tapscript sorted multisig output for given keys.
+    # @param [Integer] threshold the threshold of multisig.
+    # @param [Array[String]] keys an array of keys.
+    # @return [Bitcoin::Descriptor::SortedMulti]
+    def sortedmulti_a(threshold, *keys)
+      SortedMultiA.new(threshold, keys)
+    end
+
+    # Parse descriptor string.
+    # @param [String] string Descriptor string.
+    # @return [Bitcoin::Descriptor::Expression]
+    def parse(string, top_level = true)
+      validate_checksum!(string)
+      content, _ = string.split('#')
+      exp, args_str = content.match(/(\w+)\((.+)\)/).captures
+      case exp
+      when 'pk'
+        pk(args_str)
+      when 'pkh'
+        pkh(args_str)
+      when 'wpkh'
+        wpkh(args_str)
+      when 'sh'
+        sh(parse(args_str, false))
+      when 'wsh'
+        wsh(parse(args_str, false))
+      when 'combo'
+        combo(args_str)
+      when 'multi', 'sortedmulti', 'multi_a', 'sortedmulti_a'
+        args = args_str.split(',')
+        threshold = args[0].to_i
+        keys = args[1..-1]
+        case exp
+        when 'multi'
+          multi(threshold, *keys)
+        when 'sortedmulti'
+          sortedmulti(threshold, *keys)
+        when 'multi_a'
+          raise ArgumentError, "Can only have multi_a/sortedmulti_a inside tr()." if top_level
+          multi_a(threshold, *keys)
+        when 'sortedmulti_a'
+          raise ArgumentError, "Can only have multi_a/sortedmulti_a inside tr()." if top_level
+          sortedmulti_a(threshold, *keys)
         end
+      when 'raw'
+        raw(args_str)
+      when 'addr'
+        addr(args_str)
+      when 'tr'
+        key, rest = args_str.split(',', 2)
+        if rest.nil?
+          tr(key)
+        elsif rest.start_with?('{')
+          tr(key, parse_nested_string(rest))
+        else
+          tr(key, parse(rest, false))
+        end
+      else
+        raise ArgumentError, "Parse failed: #{string}"
       end
-      key = key.is_a?(Bitcoin::Key) ? key : key.key
-      raise ArgumentError, Errors::Messages::INVALID_PUBLIC_KEY unless key.fully_valid_pubkey?
-      key.pubkey
     end
 
-    def compressed_key?(key)
-      %w(02 03).include?(key[0..1]) && [key].pack("H*").bytesize == 33
+    # Validate descriptor checksum.
+    # @raise [ArgumentError] If +descriptor+ has invalid checksum.
+    def validate_checksum!(descriptor)
+      return unless descriptor.include?("#")
+      content, *checksums = descriptor.split("#")
+      raise ArgumentError, "Multiple '#' symbols." if checksums.length > 1
+      checksum = checksums.first
+      len = checksum.nil? ? 0 : checksum.length
+      raise ArgumentError, "Expected 8 character checksum, not #{len} characters." unless len == 8
+      _, calc_checksum = Checksum.descsum_create(content).split('#')
+      unless calc_checksum == checksum
+        raise ArgumentError, "Provided checksum '#{checksum}' does not match computed checksum '#{calc_checksum}'."
+      end
     end
 
-    def derive_path(key, paths, is_private)
-      paths.each do |path|
-        raise ArgumentError, 'xpub can not derive hardened key.' if !is_private && path.end_with?("'")
-        if is_private
-          hardened = path.end_with?("'")
-          path = hardened ? path[0..-2] : path
-          raise ArgumentError, 'Key path value is not a valid value.' unless path =~ /^[0-9]+$/
-          raise ArgumentError, 'Key path value is out of range.' if !hardened && path.to_i >= Bitcoin::HARDENED_THRESHOLD
-          key = key.derive(path.to_i, hardened)
+    def parse_nested_string(string)
+      return nil if string.nil?
+      stack = []
+      current = []
+      buffer = ""
+      string.each_char do |c|
+        case c
+        when '{'
+          stack << current
+          current = []
+        when '}'
+          unless buffer.empty?
+            current << parse(buffer, false)
+            buffer = ""
+          end
+          nested = current
+          current = stack.pop
+          current << nested
+        when ','
+          unless buffer.empty?
+            current << parse(buffer, false)
+            buffer = ""
+          end
         else
-          raise ArgumentError, 'Key path value is not a valid value.' unless path =~ /^[0-9]+$/
-          raise ArgumentError, 'Key path value is out of range.' if path.to_i >= Bitcoin::HARDENED_THRESHOLD
-          key = key.derive(path.to_i)
+          buffer << c
         end
       end
-      key
+      current << parse(buffer, false) unless buffer.empty?
+      current.first
     end
-
   end
-
 end

data/lib/bitcoin/ext/ecdsa.rb

@@ -10,12 +10,6 @@ class ::ECDSA::Signature
   end
 end
 
-class ::ECDSA::Point
-  def to_hex(compression = true)
-    ECDSA::Format::PointOctetString.encode(self, compression: compression).bth
-  end
-end
-
 module ::ECDSA::Format::PointOctetString
 
   class << self

data/lib/bitcoin/key.rb

@@ -83,7 +83,7 @@ module Bitcoin
     # @return [Bitcoin::Key] key object has public key.
     def self.from_xonly_pubkey(xonly_pubkey)
       raise ArgumentError, "xonly_pubkey must be #{X_ONLY_PUBKEY_SIZE} bytes" unless xonly_pubkey.htb.bytesize == X_ONLY_PUBKEY_SIZE
-      Bitcoin::Key.new(pubkey: "02#{xonly_pubkey}", key_type: TYPES[:compressed])
+      Bitcoin::Key.new(pubkey: "02#{xonly_pubkey}", key_type: TYPES[:p2tr])
     end
 
     # Generate from public key point.
@@ -146,9 +146,9 @@ module Bitcoin
     # @return [Bitcoin::Key] Recovered public key.
     def self.recover_compact(data, signature)
       rec_id = signature.unpack1('C')
-      rec = rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE
-      raise ArgumentError, 'Invalid signature parameter' if rec < 0 || rec > 15
-      rec = rec & 3
+      rec = (rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE) & 3
+      raise ArgumentError, 'Invalid signature parameter' if rec < 0 || rec > 3
+
       compressed = (rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE) & 4 != 0
       Bitcoin.secp_impl.recover_compact(data, signature, rec, compressed)
     end
@@ -344,6 +344,18 @@ module Bitcoin
       valid_pubkey? && secp256k1_module.parse_ec_pubkey?(pubkey, allow_hybrid)
     end
 
+    # Create an ellswift-encoded public key for this key, with specified entropy.
+    # @return [Bitcoin::BIP324::EllSwiftPubkey]
+    # @raise ArgumentError If ent32 does not 32 bytes.
+    def create_ell_pubkey
+      raise ArgumentError, "private_key required." unless priv_key
+      if secp256k1_module.is_a?(Bitcoin::Secp256k1::Native)
+        Bitcoin::BIP324::EllSwiftPubkey.new(secp256k1_module.ellswift_create(priv_key))
+      else
+        Bitcoin::BIP324::EllSwiftPubkey.new(Bitcoin::BIP324.xelligatorswift(xonly_pubkey))
+      end
+    end
+
     private
 
     def self.compare_big_endian(c1, c2)

data/lib/bitcoin/message_sign.rb

@@ -50,18 +50,22 @@ module Bitcoin
     # @param [String] message The message that was signed.
     # @return [Boolean] Verification result.
     def verify_message(address, signature, message, prefix: Bitcoin.chain_params.message_magic)
-      validate_address!(address)
+      addr_script = Bitcoin::Script.parse_from_addr(address)
       begin
         sig = Base64.strict_decode64(signature)
       rescue ArgumentError
         raise ArgumentError, 'Invalid signature'
       end
-      begin
-        # Legacy verification
-        pubkey = Bitcoin::Key.recover_compact(message_hash(message, prefix: prefix, legacy: true), sig)
-        return false unless pubkey
-        pubkey.to_p2pkh == address
-      rescue ArgumentError
+      if addr_script.p2pkh?
+        begin
+          # Legacy verification
+          pubkey = Bitcoin::Key.recover_compact(message_hash(message, prefix: prefix, legacy: true), sig)
+          return false unless pubkey
+          pubkey.to_p2pkh == address
+        rescue RuntimeError
+          return false
+        end
+      elsif addr_script.witness_program?
         # BIP322 verification
         tx = to_sign_tx(message_hash(message, prefix: prefix, legacy: false), address)
         tx.in[0].script_witness = Bitcoin::ScriptWitness.parse_from_payload(sig)
@@ -69,6 +73,8 @@ module Bitcoin
         tx_out = Bitcoin::TxOut.new(script_pubkey: script_pubkey)
         interpreter = Bitcoin::ScriptInterpreter.new(checker: Bitcoin::TxChecker.new(tx: tx, input_index: 0, prevouts: [tx_out]))
         interpreter.verify_script(Bitcoin::Script.new, script_pubkey, tx.in[0].script_witness)
+      else
+        raise ArgumentError, "This address unsupported."
       end
     end
 
@@ -82,7 +88,6 @@ module Bitcoin
     end
 
     def validate_address!(address)
-      raise ArgumentError, 'Invalid address' unless Bitcoin.valid_address?(address)
       script = Bitcoin::Script.parse_from_addr(address)
       raise ArgumentError, 'This address unsupported' if script.p2sh? || script.p2wsh?
     end

data/lib/bitcoin/script/script.rb

@@ -55,7 +55,9 @@ module Bitcoin
 
     # generate p2sh script with this as a redeem script
     # @return [Script] P2SH script
+    # @raise [RuntimeError] If the script size exceeds 520 bytes
     def to_p2sh
+      raise RuntimeError, "P2SH redeem script must be 520 bytes or less." if size > Bitcoin::MAX_SCRIPT_ELEMENT_SIZE
       Script.to_p2sh(to_hash160)
     end
 
@@ -74,9 +76,11 @@ module Bitcoin
     end
 
     # generate p2wsh script for +redeem_script+
-    # @param [Script] redeem_script target redeem script
-    # @param [Script] p2wsh script
+    # @param [Bitcoin::Script] redeem_script target redeem script
+    # @return [Bitcoin::Script] p2wsh script
+    # @raise [ArgumentError] If the script size exceeds 10,000 bytes
     def self.to_p2wsh(redeem_script)
+      raise ArgumentError, 'P2WSH witness script must be 10,000 bytes or less.' if redeem_script.size > Bitcoin::MAX_SCRIPT_SIZE
       new << WITNESS_VERSION_V0 << redeem_script.to_sha256
     end
 
@@ -146,7 +150,7 @@ module Bitcoin
                 end
           if buf.eof?
             s.chunks << [len].pack('C')
-          else buf.eof?
+          else
             chunk = (packed_size ? (opcode + packed_size) : (opcode)) + buf.read(len)
             s.chunks << chunk
           end
@@ -555,6 +559,7 @@ module Bitcoin
       return 'multisig' if multisig?
       return 'witness_v0_keyhash' if p2wpkh?
       return 'witness_v0_scripthash' if p2wsh?
+      return 'witness_v1_taproot' if p2tr?
       'nonstandard'
     end
 

data/lib/bitcoin/secp256k1/native.rb

@@ -5,9 +5,9 @@ module Bitcoin
   module Secp256k1
 
     # binding for secp256k1 (https://github.com/bitcoin-core/secp256k1/)
-    # commit: efad3506a8937162e8010f5839fdf3771dfcf516
+    # tag: v0.4.0
     # this is not included by default, to enable set shared object path to ENV['SECP256K1_LIB_PATH']
-    # for linux, ENV['SECP256K1_LIB_PATH'] = '/usr/local/lib/libsecp256k1.so'
+    # for linux, ENV['SECP256K1_LIB_PATH'] = '/usr/local/lib/libsecp256k1.so' or '/usr/lib64/libsecp256k1.so'
     # for mac,
     module Native
       include ::FFI::Library
@@ -50,14 +50,20 @@ module Bitcoin
         attach_function(:secp256k1_ecdsa_signature_parse_der, [:pointer, :pointer, :pointer, :size_t], :int)
         attach_function(:secp256k1_ecdsa_signature_normalize, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_verify, [:pointer, :pointer, :pointer, :pointer], :int)
-        attach_function(:secp256k1_schnorrsig_sign, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
-        attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_sign32, [:pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :size_t, :pointer], :int)
         attach_function(:secp256k1_keypair_create, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_xonly_pubkey_parse, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_sign_recoverable, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recoverable_signature_serialize_compact, [:pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recover, [:pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recoverable_signature_parse_compact, [:pointer, :pointer, :pointer, :int], :int)
+        attach_function(:secp256k1_ellswift_decode, [:pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ellswift_create, [:pointer, :pointer, :pointer, :pointer], :int)
+        # Define function pointer
+        callback(:secp256k1_ellswift_xdh_hash_function, [:pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_variable(:secp256k1_ellswift_xdh_hash_function_bip324, :secp256k1_ellswift_xdh_hash_function)
+        attach_function(:secp256k1_ellswift_xdh, [:pointer, :pointer, :pointer, :pointer, :pointer, :int, :pointer, :pointer], :int)
       end
 
       def with_context(flags: (SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN))
@@ -224,6 +230,56 @@ module Bitcoin
         true
       end
 
+      # Decode ellswift public key.
+      # @param [String] ell_key ElligatorSwift key with binary format.
+      # @return [String] Decoded public key with hex format
+      def ellswift_decode(ell_key)
+        with_context do |context|
+          ell64 = FFI::MemoryPointer.new(:uchar, ell_key.bytesize).put_bytes(0, ell_key)
+          internal = FFI::MemoryPointer.new(:uchar, 64)
+          result = secp256k1_ellswift_decode(context, internal, ell64)
+          raise ArgumentError, 'Decode failed.' unless result == 1
+          serialize_pubkey_internal(context, internal, true)
+        end
+      end
+
+      # Compute an ElligatorSwift public key for a secret key.
+      # @param [String] priv_key private key with hex format
+      # @return [String] ElligatorSwift public key with hex format.
+      def ellswift_create(priv_key)
+        with_context(flags: SECP256K1_CONTEXT_SIGN) do |context|
+          ell64 = FFI::MemoryPointer.new(:uchar, 64)
+          seckey32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, priv_key.htb)
+          result = secp256k1_ellswift_create(context, ell64, seckey32, nil)
+          raise ArgumentError, 'Failed to create ElligatorSwift public key.' unless result == 1
+          ell64.read_string(64).bth
+        end
+      end
+
+      # Compute X coordinate of shared ECDH point between elswift pubkey and privkey.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] their_ell_pubkey Their EllSwift public key.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] our_ell_pubkey Our EllSwift public key.
+      # @param [String] priv_key private key with hex format.
+      # @param [Boolean] initiating Whether your initiator or not.
+      # @return [String] x coordinate with hex format.
+      def ellswift_ecdh_xonly(their_ell_pubkey, our_ell_pubkey, priv_key, initiating)
+        with_context(flags: SECP256K1_CONTEXT_SIGN) do |context|
+          output = FFI::MemoryPointer.new(:uchar, 32)
+          our_ell_ptr = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, our_ell_pubkey.key)
+          their_ell_ptr = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, their_ell_pubkey.key)
+          seckey32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, priv_key.htb)
+          hashfp = secp256k1_ellswift_xdh_hash_function_bip324
+          result = secp256k1_ellswift_xdh(context, output,
+                                          initiating ? our_ell_ptr : their_ell_ptr,
+                                          initiating ? their_ell_ptr : our_ell_ptr,
+                                          seckey32,
+                                          initiating ? 0 : 1,
+                                          hashfp, nil)
+          raise ArgumentError, "secret was invalid or hashfp returned 0" unless result == 1
+          output.read_string(32).bth
+        end
+      end
+
       private
 
       # Calculate full public key(64 bytes) from public key(32 bytes).
@@ -280,7 +336,7 @@ module Bitcoin
           signature = FFI::MemoryPointer.new(:uchar, 64)
           msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
           aux_rand = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, aux_rand) if aux_rand
-          raise 'Failed to generate schnorr signature.' unless secp256k1_schnorrsig_sign(context, signature, msg32, keypair, nil, aux_rand) == 1
+          raise 'Failed to generate schnorr signature.' unless secp256k1_schnorrsig_sign32(context, signature, msg32, keypair, aux_rand) == 1
           signature.read_string(64)
         end
       end
@@ -316,7 +372,7 @@ module Bitcoin
           xonly_pubkey = FFI::MemoryPointer.new(:uchar, pubkey.bytesize).put_bytes(0, pubkey)
           signature = FFI::MemoryPointer.new(:uchar, sig.bytesize).put_bytes(0, sig)
           msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
-          result = secp256k1_schnorrsig_verify(context, signature, msg32, xonly_pubkey)
+          result = secp256k1_schnorrsig_verify(context, signature, msg32, 32, xonly_pubkey)
           result == 1
         end
       end

data/lib/bitcoin/secp256k1/ruby.rb

@@ -77,13 +77,30 @@ module Bitcoin
       # @param [Boolean] compressed whether compressed public key or not.
       # @return [Bitcoin::Key] Recovered public key.
       def recover_compact(data, signature, rec, compressed)
+        group = Bitcoin::Secp256k1::GROUP
         r = ECDSA::Format::IntegerOctetString.decode(signature[1...33])
         s = ECDSA::Format::IntegerOctetString.decode(signature[33..-1])
-        ECDSA.recover_public_key(Bitcoin::Secp256k1::GROUP, data, ECDSA::Signature.new(r, s)).each do |p|
-          if p.y & 1 == rec
-            return Bitcoin::Key.from_point(p, compressed: compressed)
-          end
+        return nil if r.zero?
+        return nil if s.zero?
+
+        digest = ECDSA.normalize_digest(data, group.bit_length)
+        field = ECDSA::PrimeField.new(group.order)
+
+        unless rec & 2 == 0
+          r = field.mod(r + group.order)
         end
+
+        is_odd = (rec & 1 == 1)
+        y_coordinate = group.solve_for_y(r).find{|y| is_odd ? y.odd? : y.even?}
+
+        p = group.new_point([r, y_coordinate])
+
+        inv_r = field.inverse(r)
+        u1 = field.mod(inv_r * digest)
+        u2 = field.mod(inv_r * s)
+        q = p * u2 + (group.new_point(u1)).negate
+        return nil if q.infinity?
+        Bitcoin::Key.from_point(q, compressed: compressed)
       end
 
       # verify signature using public key