bitcoinrb 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 544382f715d87eb79e185e310c827b2349c0af75c1bd89887a653510e226cd1f
-  data.tar.gz: c807d0965da7c06f71b248d5a543ccfff2375d702a6ab4db70698c4be245720d
+  metadata.gz: 900806837ee6cd6b011a50d6a58c37ea233079e8b86a594c6a5031c338f9a490
+  data.tar.gz: 34b437fee384d630d9b7f1a47faa8175692d9ebe21408d4720828140461b152c
 SHA512:
-  metadata.gz: 22ea36535fb045c35d28809f87c60f4451e2d37801e7a231772068c268d6e58cdeb086456ffc649091a5a28a82815af77f6d35ef286a7a101e53fa3f97e55a9a
-  data.tar.gz: 7ca7b637b77bdde57d2af3faf056184397b1d87fd98dd5c46933dfb40e716d5bf8ef56890691771b97d8e66dde1c9684cb1d03e9f74f99d4f8b5bbaeb6a37e2c
+  metadata.gz: 87bcfdb59403593475f90b49f9f67299bee3bfd8cfae7089080e95ab8e1ffddcdc21ebbb72f8ca49f1caea9d8df2ea5ca613eb97b698ddab3fb3d3c617611165
+  data.tar.gz: 55dcbb9ce3f10a5dd822e98605eb00fa74f3034a8852cdcd714b4dff5cd347cbdc55bffd49ae2f74cc4aeaad2bf86d01d635e7146207ccb6557f55ae0849ff0e

data/.github/workflows/ruby.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.0', '3.1', '3.2']
+        ruby-version: ['3.0', '3.1', '3.2', '3.3']
 
     steps:
     - uses: actions/checkout@v2

data/.ruby-version

@@ -1 +1 @@
-ruby-3.2.0
+ruby-3.3.0

data/README.md

@@ -105,6 +105,15 @@ Bitcoin.chain_params = :signet
 
 This parameter is described in https://github.com/chaintope/bitcoinrb/blob/master/lib/bitcoin/chainparams/signet.yml.
 
+## Test
+
+This library can use the [libsecp256k1](https://github.com/bitcoin-core/secp256k1/) dynamic library.
+Therefore, some tests require this library. In a Linux environment, `spec/lib/libsecp256k1.so` is already located,
+so there is no need to do anything. If you want to test in another environment,
+please set the library path in the environment variable `TEST_LIBSECP256K1_PATH`.
+
+The libsecp256k1 library currently tested for operation with this library is `v0.4.0`.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bitcoinrb. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/bitcoinrb.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'ecdsa_ext', '~> 0.5.0'
+  spec.add_runtime_dependency 'ecdsa_ext', '~> 0.5.1'
   spec.add_runtime_dependency 'eventmachine'
   spec.add_runtime_dependency 'murmurhash3', '~> 0.1.7'
   spec.add_runtime_dependency 'bech32', '>= 1.3.0'
@@ -32,7 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'iniparse'
   spec.add_runtime_dependency 'siphash'
   spec.add_runtime_dependency 'json_pure', '>= 2.3.1'
-  spec.add_runtime_dependency 'bip-schnorr', '>= 0.5.0'
+  spec.add_runtime_dependency 'bip-schnorr', '>= 0.7.0'
   spec.add_runtime_dependency 'base32', '>= 0.3.4'
 
   # for options

data/lib/bitcoin/bip324/cipher.rb

@@ -0,0 +1,113 @@
+module Bitcoin
+  module BIP324
+    # The BIP324 packet cipher, encapsulating its key derivation, stream cipher, and AEAD.
+    class Cipher
+      include Bitcoin::Util
+
+      HEADER = [1 << 7].pack('C')
+      HEADER_LEN = 1
+      LENGTH_LEN = 3
+      EXPANSION = LENGTH_LEN + HEADER_LEN + 16
+
+      attr_reader :key
+      attr_reader :our_pubkey
+
+      attr_accessor :session_id
+      attr_accessor :send_garbage_terminator
+      attr_accessor :recv_garbage_terminator
+      attr_accessor :send_l_cipher
+      attr_accessor :send_p_cipher
+      attr_accessor :recv_l_cipher
+      attr_accessor :recv_p_cipher
+
+      # Constructor
+      # @param [Bitcoin::Key] key Private key.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] our_pubkey Ellswift public key for testing.
+      # @raise ArgumentError
+      def initialize(key, our_pubkey = nil)
+        raise ArgumentError, "key must be Bitcoin::Key" unless key.is_a?(Bitcoin::Key)
+        raise ArgumentError, "our_pubkey must be Bitcoin::BIP324::EllSwiftPubkey" if our_pubkey && !our_pubkey.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+        @our_pubkey = our_pubkey ? our_pubkey : key.create_ell_pubkey
+        @key = key
+      end
+
+      # Setup when the other side's public key is received.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] their_pubkey
+      # @param [Boolean] initiator Set true if we are the initiator establishing the v2 P2P connection.
+      # @param [Boolean] self_decrypt only for testing, and swaps encryption/decryption keys, so that encryption
+      # and decryption can be tested without knowing the other side's private key.
+      def setup(their_pubkey, initiator, self_decrypt = false)
+        salt = 'bitcoin_v2_shared_secret' + Bitcoin.chain_params.magic_head.htb
+        ecdh_secret = BIP324.v2_ecdh(key.priv_key, their_pubkey, our_pubkey, initiator).htb
+        terminator = hkdf_sha256(ecdh_secret, salt, 'garbage_terminators')
+        side = initiator != self_decrypt
+        if side
+          self.send_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'initiator_L'))
+          self.send_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'initiator_P'))
+          self.recv_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'responder_L'))
+          self.recv_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'responder_P'))
+        else
+          self.recv_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'initiator_L'))
+          self.recv_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'initiator_P'))
+          self.send_l_cipher = FSChaCha20.new(hkdf_sha256(ecdh_secret, salt, 'responder_L'))
+          self.send_p_cipher = FSChaCha20Poly1305.new(hkdf_sha256(ecdh_secret, salt, 'responder_P'))
+        end
+        if initiator
+          self.send_garbage_terminator = terminator[0...16].bth
+          self.recv_garbage_terminator = terminator[16..-1].bth
+        else
+          self.recv_garbage_terminator = terminator[0...16].bth
+          self.send_garbage_terminator = terminator[16..-1].bth
+        end
+        self.session_id = hkdf_sha256(ecdh_secret, salt, 'session_id').bth
+      end
+
+      # Encrypt a packet. Only after setup.
+      # @param [String] contents Packet with binary format.
+      # @param [String] aad AAD
+      # @param [Boolean] ignore Whether contains ignore bit or not.
+      # @raise Bitcoin::BIP324::TooLargeContent
+      def encrypt(contents, aad: '', ignore: false)
+        raise Bitcoin::BIP324::TooLargeContent unless contents.bytesize <= (2**24 - 1)
+
+        # encrypt length
+        len = Array.new(3)
+        len[0] = contents.bytesize & 0xff
+        len[1] = (contents.bytesize >> 8) & 0xff
+        len[2] = (contents.bytesize >> 16) & 0xff
+        enc_plaintext_len = send_l_cipher.encrypt(len.pack('C*'))
+
+        # encrypt contents
+        header = ignore ? HEADER : "00".htb
+        plaintext = header + contents
+        aead_ciphertext = send_p_cipher.encrypt(aad, plaintext)
+        enc_plaintext_len + aead_ciphertext
+      end
+
+      # Decrypt a packet. Only after setup.
+      # @param [String] input Packet to be decrypt.
+      # @param [String] aad AAD
+      # @param [Boolean] ignore Whether contains ignore bit or not.
+      # @return [String] Plaintext
+      # @raise Bitcoin::BIP324::InvalidPaketLength
+      def decrypt(input, aad: '', ignore: false)
+        len = decrypt_length(input[0...Bitcoin::BIP324::Cipher::LENGTH_LEN])
+        raise Bitcoin::BIP324::InvalidPaketLength unless input.bytesize == len + EXPANSION
+        recv_p_cipher.decrypt(aad, input[Bitcoin::BIP324::Cipher::LENGTH_LEN..-1])
+      end
+
+      private
+
+      # Decrypt the length of a packet. Only after setup.
+      # @param [String] input Length packet with binary format.
+      # @return [Integer] length
+      # @raise Bitcoin::BIP324::InvalidPaketLength
+      def decrypt_length(input)
+        raise Bitcoin::BIP324::InvalidPaketLength unless input.bytesize == LENGTH_LEN
+        ret = recv_l_cipher.decrypt(input)
+        b0, b1, b2 = ret.unpack('CCC')
+        b0 + (b1 << 8) + (b2 << 16)
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/ell_swift_pubkey.rb

@@ -0,0 +1,42 @@
+module Bitcoin
+  module BIP324
+    # An ElligatorSwift-encoded public key.
+    class EllSwiftPubkey
+      include Schnorr::Util
+
+      SIZE = 64
+
+      attr_reader :key
+
+      # Constructor
+      # @param [String] key 64 bytes of key data.
+      # @raise Bitcoin::BIP324::InvalidEllSwiftKey If key is invalid.
+      def initialize(key)
+        @key = hex2bin(key)
+        raise Bitcoin::BIP324::InvalidEllSwiftKey, 'key must be 64 bytes.' unless @key.bytesize == SIZE
+      end
+
+      # Decode to public key.
+      # @return [Bitcoin::Key] Decoded public key.
+      def decode
+        if Bitcoin.secp_impl.is_a?(Bitcoin::Secp256k1::Native)
+          pubkey = Bitcoin.secp_impl.ellswift_decode(key)
+          Bitcoin::Key.new(pubkey: pubkey, key_type: Bitcoin::Key::TYPES[:compressed])
+        else
+          u = key[0...32].bth
+          t = key[32..-1].bth
+          x = BIP324.xswiftec(u, t)
+          Bitcoin::Key.new(pubkey: "03#{x}")
+        end
+      end
+
+      # Check whether same public key or not?
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] other
+      # @return [Boolean]
+      def ==(other)
+        return false unless other.is_a?(EllSwiftPubkey)
+        key == other.key
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/fs_chacha20.rb

@@ -0,0 +1,132 @@
+module Bitcoin
+  module BIP324
+
+    module ChaCha20
+      module_function
+
+      INDICES = [
+        [0, 4, 8, 12], [1, 5, 9, 13], [2, 6, 10, 14], [3, 7, 11, 15],
+        [0, 5, 10, 15], [1, 6, 11, 12], [2, 7, 8, 13], [3, 4, 9, 14]
+      ]
+
+      CONSTANTS = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
+
+      # Rotate the 32-bit value v left by bits bits.
+      # @param [Integer] v
+      # @param [Integer] bits
+      # @return [Integer]
+      def rotl32(v, bits)
+        raise Bitcoin::BIP324::Error, "v must be integer" unless v.is_a?(Integer)
+        raise Bitcoin::BIP324::Error, "bits must be integer" unless bits.is_a?(Integer)
+        ((v << bits) & 0xffffffff) | (v >> (32 - bits))
+      end
+
+      # Apply a ChaCha20 double round to 16-element state array +s+.
+      # @param [Array[Integer]] s
+      # @return
+      def double_round(s)
+        raise Bitcoin::BIP324::Error, "s must be Array" unless s.is_a?(Array)
+        INDICES.each do |a, b, c, d|
+          s[a] = (s[a] + s[b]) & 0xffffffff
+          s[d] = rotl32(s[d] ^ s[a], 16)
+          s[c] = (s[c] + s[d]) & 0xffffffff
+          s[b] = rotl32(s[b] ^ s[c], 12)
+          s[a] = (s[a] + s[b]) & 0xffffffff
+          s[d] = rotl32(s[d] ^ s[a], 8)
+          s[c] = (s[c] + s[d]) & 0xffffffff
+          s[b] = rotl32(s[b] ^ s[c], 7)
+        end
+        s
+      end
+
+      # Compute the 64-byte output of the ChaCha20 block function.
+      # @param [String] key 32-bytes key with binary format.
+      # @param [String] nonce 12-byte nonce with binary format.
+      # @param [Integer] count 32-bit integer counter.
+      # @return [String] 64-byte output.
+      def block(key, nonce, count)
+        raise Bitcoin::BIP324::Error, "key must be 32 byte string" if !key.is_a?(String) || key.bytesize != 32
+        raise Bitcoin::BIP324::Error, "nonce must be 12 byte string" if !nonce.is_a?(String) || nonce.bytesize != 12
+        raise Bitcoin::BIP324::Error, "count must be integer" unless count.is_a?(Integer)
+        # Initialize state
+        init = Array.new(16, 0)
+        4.times {|i| init[i] = CONSTANTS[i]}
+        key = key.unpack("V*")
+        8.times {|i| init[4 + i] = key[i]}
+        init[12] = count
+        nonce = nonce.unpack("V*")
+        3.times {|i| init[13 + i] = nonce[i]}
+        # Perform 20 rounds
+        state = init.dup
+        10.times do
+          state = double_round(state)
+        end
+        # Add initial values back into state.
+        16.times do |i|
+          state[i] = (state[i] + init[i]) & 0xffffffff
+        end
+        state.pack("V16")
+      end
+    end
+
+    # Rekeying wrapper stream cipher around ChaCha20.
+    class FSChaCha20
+      attr_accessor :key
+      attr_reader :rekey_interval
+      attr_accessor :chunk_counter
+      attr_accessor :block_counter
+      attr_accessor :key_stream
+
+      def initialize(initial_key, rekey_interval = BIP324::REKEY_INTERVAL)
+        @block_counter = 0
+        @chunk_counter = 0
+        @key = initial_key
+        @rekey_interval = rekey_interval
+        @key_stream = ''
+      end
+
+      # Encrypt a chunk
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String] Encrypted data with binary format.
+      def encrypt(chunk)
+        crypt(chunk)
+      end
+
+      # Decrypt a chunk
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String] Decrypted data with binary format.
+      def decrypt(chunk)
+        crypt(chunk)
+      end
+
+      private
+
+      def key_stream_bytes(n_bytes)
+        while key_stream.bytesize < n_bytes
+          nonce = [0, (chunk_counter / REKEY_INTERVAL)].pack("VQ<")
+          self.key_stream << ChaCha20.block(key, nonce, block_counter)
+          self.block_counter += 1
+        end
+        ret = self.key_stream[0...n_bytes]
+        self.key_stream = self.key_stream[n_bytes..-1]
+        ret
+      end
+
+      # Encrypt or decrypt a chunk.
+      # @param [String] chunk Chunk data with binary format.
+      # @return [String]
+      def crypt(chunk)
+        ks = key_stream_bytes(chunk.bytesize)
+        ret = chunk.unpack("C*").zip(ks.unpack("C*")).map do |c, k|
+          c ^ k
+        end.pack("C*")
+        if (self.chunk_counter + 1) % rekey_interval == 0
+          self.key = key_stream_bytes(32)
+          self.block_counter = 0
+        end
+        self.chunk_counter += 1
+        ret
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324/fs_chacha_poly1305.rb

@@ -0,0 +1,129 @@
+module Bitcoin
+  module BIP324
+    # Class representing a running poly1305 computation.
+    class Poly1305
+
+      MODULUS = 2**130 - 5
+      TAG_LEN = 16
+
+      attr_reader :r
+      attr_reader :s
+      attr_accessor :acc
+
+      # Constructor
+      #
+      def initialize(key)
+        @r = key[0...16].reverse.bti & 0xffffffc0ffffffc0ffffffc0fffffff
+        @s = key[16..-1].reverse.bti
+        @acc = 0
+      end
+
+      # Add a message of any length. Input so far must be a multiple of 16 bytes.
+      # @param [String] msg A message with binary format.
+      # @return [Poly1305] self
+      def add(msg, length: nil, padding: false)
+        len = length ? length : msg.bytesize
+        ((len + 15) / 16).times do |i|
+          chunk = msg[(i * 16)...(i * 16 + [16, len - i * 16].min)]
+          val = chunk.reverse.bti + 256**(padding ? 16 : chunk.bytesize)
+          self.acc = r * (acc + val) % MODULUS
+        end
+        self
+      end
+
+      # Compute the poly1305 tag.
+      # @return Poly1305 tag wit binary format.
+      def tag
+        ECDSA::Format::IntegerOctetString.encode((acc + s) & 0xffffffffffffffffffffffffffffffff, TAG_LEN).reverse
+      end
+    end
+
+    # Forward-secure wrapper around AEADChaCha20Poly1305.
+    class FSChaCha20Poly1305
+      attr_accessor :aead
+      attr_reader :rekey_interval
+      attr_accessor :packet_counter
+      attr_accessor :key
+
+      def initialize(initial_key, rekey_interval = REKEY_INTERVAL)
+        @packet_counter = 0
+        @rekey_interval = rekey_interval
+        @key = initial_key
+      end
+
+      # Encrypt a +plaintext+ with a specified +aad+.
+      # @param [String] aad AAD
+      # @param [String] plaintext Data to be encrypted with binary format.
+      # @return [String] Ciphertext
+      def encrypt(aad, plaintext)
+        crypt(aad, plaintext, false)
+      end
+
+      # Decrypt a *ciphertext* with a specified +aad+.
+      # @param [String] aad AAD
+      # @param [String] ciphertext Data to be decrypted with binary format.
+      # @return [Array] [header, plaintext]
+      def decrypt(aad, ciphertext)
+        contents = crypt(aad, ciphertext, true)
+        [contents[0], contents[1..-1]]
+      end
+
+      private
+
+      # Encrypt or decrypt the specified (plain/cipher)text.
+      def crypt(aad, text, is_decrypt)
+        nonce = [packet_counter % rekey_interval, packet_counter / rekey_interval].pack("VQ<")
+        ret = if is_decrypt
+                chacha20_poly1305_decrypt(key, nonce, aad, text)
+              else
+                chacha20_poly1305_encrypt(key, nonce, aad, text)
+              end
+        if (packet_counter + 1) % rekey_interval == 0
+          rekey_nonce = "ffffffff".htb + nonce[4..-1]
+          newkey1 = chacha20_poly1305_encrypt(key, rekey_nonce, "", "00".htb * 32)[0...32]
+          newkey2 = ChaCha20.block(key, rekey_nonce, 1)[0...32]
+          raise Bitcoin::BIP324::Error, "newkey1 != newkey2" unless newkey1 == newkey2
+          self.key = newkey1
+        end
+        self.packet_counter += 1
+        ret
+      end
+
+      # Encrypt a plaintext using ChaCha20Poly1305.
+      def chacha20_poly1305_encrypt(key, nonce, aad, plaintext)
+        msg_len = plaintext.bytesize
+        ret = ((msg_len + 63) / 64).times.map do |i|
+          now = [64, msg_len - 64 * i].min
+          keystream = ChaCha20.block(key, nonce, i + 1)
+          now.times.map do |j|
+            plaintext[j + 64 * i].unpack1('C') ^ keystream[j].unpack1('C')
+          end
+        end
+        ret = ret.flatten.pack('C*')
+        poly1305 = Poly1305.new(ChaCha20.block(key, nonce, 0)[0...32])
+        poly1305.add(aad, padding: true).add(ret, padding: true)
+        poly1305.add([aad.bytesize, msg_len].pack("Q<Q<"))
+        ret + poly1305.tag
+      end
+
+      # Decrypt a ChaCha20Poly1305 ciphertext.
+      def chacha20_poly1305_decrypt(key, nonce, aad, ciphertext)
+        return nil if ciphertext.bytesize < 16
+        msg_len = ciphertext.bytesize - 16
+        poly1305 = Poly1305.new(ChaCha20.block(key, nonce, 0)[0...32])
+        poly1305.add(aad, padding: true)
+        poly1305.add(ciphertext, length: msg_len, padding: true)
+        poly1305.add([aad.bytesize, msg_len].pack("Q<Q<"))
+        return nil unless ciphertext[-16..-1] == poly1305.tag
+        ret = ((msg_len + 63) / 64).times.map do |i|
+          now = [64, msg_len - 64 * i].min
+          keystream = ChaCha20.block(key, nonce, i + 1)
+          now.times.map do |j|
+            ciphertext[j + 64 * i].unpack1('C') ^ keystream[j].unpack1('C')
+          end
+        end
+        ret.flatten.pack('C*')
+      end
+    end
+  end
+end

data/lib/bitcoin/bip324.rb

@@ -0,0 +1,144 @@
+module Bitcoin
+  # BIP 324 module
+  # https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki
+  module BIP324
+
+    class Error < StandardError; end
+    class InvalidPaketLength < Error; end
+    class TooLargeContent < Error; end
+    class InvalidEllSwiftKey < Error; end
+
+    autoload :EllSwiftPubkey, 'bitcoin/bip324/ell_swift_pubkey'
+    autoload :Cipher, 'bitcoin/bip324/cipher'
+    autoload :FSChaCha20, 'bitcoin/bip324/fs_chacha20'
+    autoload :FSChaCha20Poly1305, 'bitcoin/bip324/fs_chacha_poly1305'
+
+    FIELD_SIZE = 2**256 - 2**32 - 977
+    FIELD = ECDSA::PrimeField.new(FIELD_SIZE)
+
+    REKEY_INTERVAL = 224 # packets
+
+    module_function
+
+    def sqrt(n)
+      candidate = FIELD.power(n, (FIELD.prime + 1) / 4)
+      return nil unless FIELD.square(candidate) == n
+      candidate
+    end
+
+    MINUS_3_SQRT = sqrt(FIELD.mod(-3))
+
+    # Decode field elements (u, t) to an X coordinate on the curve.
+    # @param [String] u u of ElligatorSwift encoding with hex format.
+    # @param [String] t t of ElligatorSwift encoding with hex format.
+    # @return [String] x coordinate with hex format.
+    def xswiftec(u, t)
+      u = FIELD.mod(u.hex)
+      t = FIELD.mod(t.hex)
+      u = 1 if u == 0
+      t = 1 if t == 0
+      t = FIELD.mod(2 * t) if FIELD.mod(FIELD.power(u, 3) + FIELD.power(t, 2) + 7) == 0
+      x = FIELD.mod(FIELD.mod(FIELD.power(u, 3) + 7 - FIELD.power(t, 2)) * FIELD.inverse(2 * t))
+      y = FIELD.mod((x + t) * FIELD.inverse(MINUS_3_SQRT * u))
+      x1 = FIELD.mod(u + 4 * FIELD.power(y, 2))
+      x2 = FIELD.mod(FIELD.mod(FIELD.mod(-x) * FIELD.inverse(y) - u) * FIELD.inverse(2))
+      x3 = FIELD.mod(FIELD.mod(x * FIELD.inverse(y) - u) * FIELD.inverse(2))
+      [x1, x2, x3].each do |x|
+        unless ECDSA::Group::Secp256k1.solve_for_y(x).empty?
+          return ECDSA::Format::IntegerOctetString.encode(x, 32).bth
+        end
+      end
+      raise ArgumentError, 'Decode failed.'
+    end
+
+    # Inverse map for ElligatorSwift. Given x and u, find t such that xswiftec(u, t) = x, or return nil.
+    # @param [String] x x coordinate with hex format
+    # @param [String] u u of ElligatorSwift encoding with hex format
+    # @param [Integer] c Case selects which of the up to 8 results to return.
+    # @return [String] Inverse of xswiftec(u, t) with hex format or nil.
+    def xswiftec_inv(x, u, c)
+      x = FIELD.mod(x.hex)
+      u = FIELD.mod(u.hex)
+      if c & 2 == 0
+        return nil unless ECDSA::Group::Secp256k1.solve_for_y(FIELD.mod(-x - u)).empty?
+        v = x
+        s = FIELD.mod(
+          -FIELD.mod(FIELD.power(u, 3) + 7) *
+            FIELD.inverse(FIELD.mod(FIELD.power(u, 2) + u * v + FIELD.power(v, 2))))
+      else
+        s = FIELD.mod(x - u)
+        return nil if s == 0
+        r = sqrt(FIELD.mod(-s * (4 * (FIELD.power(u, 3) + 7) + 3 * s * FIELD.power(u, 2))))
+        return nil if r.nil?
+        return nil if c & 1 == 1 && r == 0
+        v = FIELD.mod(FIELD.mod(-u + r * FIELD.inverse(s)) * FIELD.inverse(2))
+      end
+      w = sqrt(s)
+      return nil if w.nil?
+      result = if c & 5 == 0
+                 FIELD.mod(-w * FIELD.mod(u * (1 - MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 1
+                 FIELD.mod(w * FIELD.mod(u * (1 + MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 4
+                 FIELD.mod(w * FIELD.mod(u * (1 - MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               elsif c & 5 == 5
+                 FIELD.mod(-w * FIELD.mod(u * (1 + MINUS_3_SQRT) * FIELD.inverse(2) + v))
+               else
+                 return nil
+                 end
+      ECDSA::Format::IntegerOctetString.encode(result, 32).bth
+    end
+
+    # Given a field element X on the curve, find (u, t) that encode them.
+    # @param [String] x coordinate with hex format.
+    # @return [String] ElligatorSwift public key with hex format.
+    def xelligatorswift(x)
+      loop do
+        u = SecureRandom.random_number(1..ECDSA::Group::Secp256k1.order).to_s(16)
+        c = Random.rand(0..8)
+        t = xswiftec_inv(x, u, c)
+        unless t.nil?
+          return (ECDSA::Format::IntegerOctetString.encode(u.hex, 32) +
+            ECDSA::Format::IntegerOctetString.encode(t.hex, 32)).bth
+        end
+      end
+    end
+
+    # Compute x coordinate of shared ECDH point between +ellswift_theirs+ and +priv_key+.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_theirs Their EllSwift public key.
+    # @param [String] priv_key Private key with hex format.
+    # @return [String] x coordinate of shared ECDH point with hex format.
+    # @raise ArgumentError
+    def ellswift_ecdh_xonly(ellswift_theirs, priv_key)
+      raise ArgumentError, "ellswift_theirs must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_theirs.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+      d = priv_key.hex
+      x = ellswift_theirs.decode.to_point.x
+      field = BIP324::FIELD
+      y = BIP324.sqrt(field.mod(field.power(x, 3) + 7))
+      return nil unless y
+      point = ECDSA::Point.new(ECDSA::Group::Secp256k1, x, y) * d
+      ECDSA::Format::FieldElementOctetString.encode(point.x, point.group.field).bth
+    end
+
+    # Compute BIP324 shared secret.
+    # @param [String] priv_key Private key with hex format.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_theirs Their EllSwift public key.
+    # @param [Bitcoin::BIP324::EllSwiftPubkey] ellswift_ours Our EllSwift public key.
+    # @param [Boolean] initiating Whether your initiator or not.
+    # @return [String] Shared secret with hex format.
+    # @raise ArgumentError
+    def v2_ecdh(priv_key, ellswift_theirs, ellswift_ours, initiating)
+      raise ArgumentError, "ellswift_theirs must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_theirs.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+      raise ArgumentError, "ellswift_ours must be a Bitcoin::BIP324::EllSwiftPubkey" unless ellswift_ours.is_a?(Bitcoin::BIP324::EllSwiftPubkey)
+
+      if Bitcoin.secp_impl.is_a?(Bitcoin::Secp256k1::Native)
+        Bitcoin::Secp256k1::Native.ellswift_ecdh_xonly(ellswift_theirs, ellswift_ours, priv_key, initiating)
+      else
+        ecdh_point_x32 = ellswift_ecdh_xonly(ellswift_theirs, priv_key).htb
+        content = initiating ? ellswift_ours.key + ellswift_theirs.key + ecdh_point_x32 :
+                    ellswift_theirs.key + ellswift_ours.key + ecdh_point_x32
+        Bitcoin.tagged_hash('bip324_ellswift_xonly_ecdh', content).bth
+      end
+    end
+  end
+end

data/lib/bitcoin/ext/ecdsa.rb

@@ -10,12 +10,6 @@ class ::ECDSA::Signature
   end
 end
 
-class ::ECDSA::Point
-  def to_hex(compression = true)
-    ECDSA::Format::PointOctetString.encode(self, compression: compression).bth
-  end
-end
-
 module ::ECDSA::Format::PointOctetString
 
   class << self

data/lib/bitcoin/key.rb

@@ -146,9 +146,9 @@ module Bitcoin
     # @return [Bitcoin::Key] Recovered public key.
     def self.recover_compact(data, signature)
       rec_id = signature.unpack1('C')
-      rec = rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE
-      raise ArgumentError, 'Invalid signature parameter' if rec < 0 || rec > 15
-      rec = rec & 3
+      rec = (rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE) & 3
+      raise ArgumentError, 'Invalid signature parameter' if rec < 0 || rec > 3
+
       compressed = (rec_id - Bitcoin::Key::COMPACT_SIG_HEADER_BYTE) & 4 != 0
       Bitcoin.secp_impl.recover_compact(data, signature, rec, compressed)
     end
@@ -344,6 +344,18 @@ module Bitcoin
       valid_pubkey? && secp256k1_module.parse_ec_pubkey?(pubkey, allow_hybrid)
     end
 
+    # Create an ellswift-encoded public key for this key, with specified entropy.
+    # @return [Bitcoin::BIP324::EllSwiftPubkey]
+    # @raise ArgumentError If ent32 does not 32 bytes.
+    def create_ell_pubkey
+      raise ArgumentError, "private_key required." unless priv_key
+      if secp256k1_module.is_a?(Bitcoin::Secp256k1::Native)
+        Bitcoin::BIP324::EllSwiftPubkey.new(secp256k1_module.ellswift_create(priv_key))
+      else
+        Bitcoin::BIP324::EllSwiftPubkey.new(Bitcoin::BIP324.xelligatorswift(xonly_pubkey))
+      end
+    end
+
     private
 
     def self.compare_big_endian(c1, c2)

data/lib/bitcoin/message_sign.rb

@@ -50,18 +50,22 @@ module Bitcoin
     # @param [String] message The message that was signed.
     # @return [Boolean] Verification result.
     def verify_message(address, signature, message, prefix: Bitcoin.chain_params.message_magic)
-      validate_address!(address)
+      addr_script = Bitcoin::Script.parse_from_addr(address)
       begin
         sig = Base64.strict_decode64(signature)
       rescue ArgumentError
         raise ArgumentError, 'Invalid signature'
       end
-      begin
-        # Legacy verification
-        pubkey = Bitcoin::Key.recover_compact(message_hash(message, prefix: prefix, legacy: true), sig)
-        return false unless pubkey
-        pubkey.to_p2pkh == address
-      rescue ArgumentError
+      if addr_script.p2pkh?
+        begin
+          # Legacy verification
+          pubkey = Bitcoin::Key.recover_compact(message_hash(message, prefix: prefix, legacy: true), sig)
+          return false unless pubkey
+          pubkey.to_p2pkh == address
+        rescue RuntimeError
+          return false
+        end
+      elsif addr_script.witness_program?
         # BIP322 verification
         tx = to_sign_tx(message_hash(message, prefix: prefix, legacy: false), address)
         tx.in[0].script_witness = Bitcoin::ScriptWitness.parse_from_payload(sig)
@@ -69,6 +73,8 @@ module Bitcoin
         tx_out = Bitcoin::TxOut.new(script_pubkey: script_pubkey)
         interpreter = Bitcoin::ScriptInterpreter.new(checker: Bitcoin::TxChecker.new(tx: tx, input_index: 0, prevouts: [tx_out]))
         interpreter.verify_script(Bitcoin::Script.new, script_pubkey, tx.in[0].script_witness)
+      else
+        raise ArgumentError, "This address unsupported."
       end
     end
 
@@ -82,7 +88,6 @@ module Bitcoin
     end
 
     def validate_address!(address)
-      raise ArgumentError, 'Invalid address' unless Bitcoin.valid_address?(address)
       script = Bitcoin::Script.parse_from_addr(address)
       raise ArgumentError, 'This address unsupported' if script.p2sh? || script.p2wsh?
     end

data/lib/bitcoin/secp256k1/native.rb

@@ -5,7 +5,7 @@ module Bitcoin
   module Secp256k1
 
     # binding for secp256k1 (https://github.com/bitcoin-core/secp256k1/)
-    # commit: efad3506a8937162e8010f5839fdf3771dfcf516
+    # tag: v0.4.0
     # this is not included by default, to enable set shared object path to ENV['SECP256K1_LIB_PATH']
     # for linux, ENV['SECP256K1_LIB_PATH'] = '/usr/local/lib/libsecp256k1.so'
     # for mac,
@@ -50,14 +50,20 @@ module Bitcoin
         attach_function(:secp256k1_ecdsa_signature_parse_der, [:pointer, :pointer, :pointer, :size_t], :int)
         attach_function(:secp256k1_ecdsa_signature_normalize, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_verify, [:pointer, :pointer, :pointer, :pointer], :int)
-        attach_function(:secp256k1_schnorrsig_sign, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
-        attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_sign32, [:pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :size_t, :pointer], :int)
         attach_function(:secp256k1_keypair_create, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_xonly_pubkey_parse, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_sign_recoverable, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recoverable_signature_serialize_compact, [:pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recover, [:pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_recoverable_signature_parse_compact, [:pointer, :pointer, :pointer, :int], :int)
+        attach_function(:secp256k1_ellswift_decode, [:pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ellswift_create, [:pointer, :pointer, :pointer, :pointer], :int)
+        # Define function pointer
+        callback(:secp256k1_ellswift_xdh_hash_function, [:pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_variable(:secp256k1_ellswift_xdh_hash_function_bip324, :secp256k1_ellswift_xdh_hash_function)
+        attach_function(:secp256k1_ellswift_xdh, [:pointer, :pointer, :pointer, :pointer, :pointer, :int, :pointer, :pointer], :int)
       end
 
       def with_context(flags: (SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN))
@@ -224,6 +230,56 @@ module Bitcoin
         true
       end
 
+      # Decode ellswift public key.
+      # @param [String] ell_key ElligatorSwift key with binary format.
+      # @return [String] Decoded public key with hex format
+      def ellswift_decode(ell_key)
+        with_context do |context|
+          ell64 = FFI::MemoryPointer.new(:uchar, ell_key.bytesize).put_bytes(0, ell_key)
+          internal = FFI::MemoryPointer.new(:uchar, 64)
+          result = secp256k1_ellswift_decode(context, internal, ell64)
+          raise ArgumentError, 'Decode failed.' unless result == 1
+          serialize_pubkey_internal(context, internal, true)
+        end
+      end
+
+      # Compute an ElligatorSwift public key for a secret key.
+      # @param [String] priv_key private key with hex format
+      # @return [String] ElligatorSwift public key with hex format.
+      def ellswift_create(priv_key)
+        with_context(flags: SECP256K1_CONTEXT_SIGN) do |context|
+          ell64 = FFI::MemoryPointer.new(:uchar, 64)
+          seckey32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, priv_key.htb)
+          result = secp256k1_ellswift_create(context, ell64, seckey32, nil)
+          raise ArgumentError, 'Failed to create ElligatorSwift public key.' unless result == 1
+          ell64.read_string(64).bth
+        end
+      end
+
+      # Compute X coordinate of shared ECDH point between elswift pubkey and privkey.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] their_ell_pubkey Their EllSwift public key.
+      # @param [Bitcoin::BIP324::EllSwiftPubkey] our_ell_pubkey Our EllSwift public key.
+      # @param [String] priv_key private key with hex format.
+      # @param [Boolean] initiating Whether your initiator or not.
+      # @return [String] x coordinate with hex format.
+      def ellswift_ecdh_xonly(their_ell_pubkey, our_ell_pubkey, priv_key, initiating)
+        with_context(flags: SECP256K1_CONTEXT_SIGN) do |context|
+          output = FFI::MemoryPointer.new(:uchar, 32)
+          our_ell_ptr = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, our_ell_pubkey.key)
+          their_ell_ptr = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, their_ell_pubkey.key)
+          seckey32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, priv_key.htb)
+          hashfp = secp256k1_ellswift_xdh_hash_function_bip324
+          result = secp256k1_ellswift_xdh(context, output,
+                                          initiating ? our_ell_ptr : their_ell_ptr,
+                                          initiating ? their_ell_ptr : our_ell_ptr,
+                                          seckey32,
+                                          initiating ? 0 : 1,
+                                          hashfp, nil)
+          raise ArgumentError, "secret was invalid or hashfp returned 0" unless result == 1
+          output.read_string(32).bth
+        end
+      end
+
       private
 
       # Calculate full public key(64 bytes) from public key(32 bytes).
@@ -280,7 +336,7 @@ module Bitcoin
           signature = FFI::MemoryPointer.new(:uchar, 64)
           msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
           aux_rand = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, aux_rand) if aux_rand
-          raise 'Failed to generate schnorr signature.' unless secp256k1_schnorrsig_sign(context, signature, msg32, keypair, nil, aux_rand) == 1
+          raise 'Failed to generate schnorr signature.' unless secp256k1_schnorrsig_sign32(context, signature, msg32, keypair, aux_rand) == 1
           signature.read_string(64)
         end
       end
@@ -316,7 +372,7 @@ module Bitcoin
           xonly_pubkey = FFI::MemoryPointer.new(:uchar, pubkey.bytesize).put_bytes(0, pubkey)
           signature = FFI::MemoryPointer.new(:uchar, sig.bytesize).put_bytes(0, sig)
           msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
-          result = secp256k1_schnorrsig_verify(context, signature, msg32, xonly_pubkey)
+          result = secp256k1_schnorrsig_verify(context, signature, msg32, 32, xonly_pubkey)
           result == 1
         end
       end

data/lib/bitcoin/secp256k1/ruby.rb

@@ -77,13 +77,30 @@ module Bitcoin
       # @param [Boolean] compressed whether compressed public key or not.
       # @return [Bitcoin::Key] Recovered public key.
       def recover_compact(data, signature, rec, compressed)
+        group = Bitcoin::Secp256k1::GROUP
         r = ECDSA::Format::IntegerOctetString.decode(signature[1...33])
         s = ECDSA::Format::IntegerOctetString.decode(signature[33..-1])
-        ECDSA.recover_public_key(Bitcoin::Secp256k1::GROUP, data, ECDSA::Signature.new(r, s)).each do |p|
-          if p.y & 1 == rec
-            return Bitcoin::Key.from_point(p, compressed: compressed)
-          end
+        return nil if r.zero?
+        return nil if s.zero?
+
+        digest = ECDSA.normalize_digest(data, group.bit_length)
+        field = ECDSA::PrimeField.new(group.order)
+
+        unless rec & 2 == 0
+          r = field.mod(r + group.order)
         end
+
+        is_odd = (rec & 1 == 1)
+        y_coordinate = group.solve_for_y(r).find{|y| is_odd ? y.odd? : y.even?}
+
+        p = group.new_point([r, y_coordinate])
+
+        inv_r = field.inverse(r)
+        u1 = field.mod(inv_r * digest)
+        u2 = field.mod(inv_r * s)
+        q = p * u2 + (group.new_point(u1)).negate
+        return nil if q.infinity?
+        Bitcoin::Key.from_point(q, compressed: compressed)
       end
 
       # verify signature using public key

data/lib/bitcoin/util.rb

@@ -131,10 +131,18 @@ module Bitcoin
       double_sha256(hex.htb).bth[0..7]
     end
 
-    DIGEST_NAME_SHA256 = 'sha256'
-
     def hmac_sha256(key, data)
-      OpenSSL::HMAC.digest(DIGEST_NAME_SHA256, key, data)
+      Bitcoin.hmac_sha256(key, data)
+    end
+
+    # Run HKDF.
+    # @param [String] ikm The input keying material with binary format.
+    # @param [String] salt The salt with binary format.
+    # @param [String] info The context and application specific information with binary format.
+    # @param [Integer] length The output length in octets.
+    # @return [String] The result of HKDF with binary format.
+    def hkdf_sha256(ikm, salt, info, length = 32)
+      OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: length, hash: "SHA256")
     end
 
     # check whether +addr+ is valid address.

data/lib/bitcoin/version.rb

@@ -1,3 +1,3 @@
 module Bitcoin
-  VERSION = "1.4.0"
+  VERSION = "1.5.0"
 end

data/lib/bitcoin.rb

@@ -61,6 +61,7 @@ module Bitcoin
   autoload :SigHashGenerator, 'bitcoin/sighash_generator'
   autoload :MessageSign, 'bitcoin/message_sign'
   autoload :Taproot, 'bitcoin/taproot'
+  autoload :BIP324, 'bitcoin/bip324'
 
   require_relative 'bitcoin/constants'
   require_relative 'bitcoin/ext/ecdsa'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bitcoinrb
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-12-19 00:00:00.000000000 Z
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ecdsa_ext
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: eventmachine
   requirement: !ruby/object:Gem::Requirement
@@ -184,14 +184,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: base32
   requirement: !ruby/object:Gem::Requirement
@@ -332,6 +332,11 @@ files:
 - exe/bitcoinrbd
 - lib/bitcoin.rb
 - lib/bitcoin/base58.rb
+- lib/bitcoin/bip324.rb
+- lib/bitcoin/bip324/cipher.rb
+- lib/bitcoin/bip324/ell_swift_pubkey.rb
+- lib/bitcoin/bip324/fs_chacha20.rb
+- lib/bitcoin/bip324/fs_chacha_poly1305.rb
 - lib/bitcoin/bip85_entropy.rb
 - lib/bitcoin/bit_stream.rb
 - lib/bitcoin/block.rb
@@ -496,7 +501,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: The implementation of Bitcoin Protocol for Ruby.