Taproot: BIP32 extended keys using Scep256k1 keys instead of bitcoin ECDSA

[dr-orlovsky]

This is third step required to introduce Schnorr key support according to #588. This PR starts API-breaking changes and is follow-up to non-API breaking #589, which is already merged.

PR rationale: BIP32 does not support uncompressed keys and using type with compression flag was a mistake

[thomaseizinger]

ACK d155115

[dr-orlovsky]

Rebased on master, addressed comments, now ready for review

[sanket1729]

Thanks for this. The code looks great. I have a discussion point about API naming which might use more feedback from other contributors.

[sanket1729]

I have a slight preference in favor of to_schnorr_keypair.

I also like to_ecdsa_privkey, to_ecdsa_pubkey, and to_schnorr_pubkey over the current ones. But this one is more debatable since the user has the context of what return type to expect.

[dr-orlovsky]

Changed to to_keypair since there is no other keypair (and @apoelstra does not like "Schnorr" surname :D because of him patenting signature algo)

[sanket1729]

I would prefer to_schnorr_keypair. It's sad that this has patent history, but IMO the convenience and usability triumphs this.

Would like to get input from other contributors as well, but IMO to_keypair is just confusing. It could main ecdsa_keypair as well as schnorr_keypair.

[dr-orlovsky]

Do we have a keypair type for non-BIP-340 keys?

[dr-orlovsky]

I really do not like inconsistency in function names for extended keys that we have today in the API: derive_priv, derive_pub, new_master, from_private - and now to_ecdsa_privkey.... :(

[dr-orlovsky]

Did a temporal version with priv/pub instead of privkey for more consisted naming for now; will wait for others to comment

[sanket1729]

Reviewing the discussion, after some thinking I think my vote is for to_ec_pubkey, to_xonly_keypair for rationale mentioned here:
#588 (comment)

[sgeisler]

Looks pretty good. I just now saw @sanket1729's comment 😆 so take my comments with a grain of salt. As explained in the first comment my aversion to the more descriptive names comes from the idea of unifying the interface of x-keys via a common trait. For that the different names would be very annoying (but no blocker here, won't cut a release too soon anyway). I'll try to build it in a separate PR, the basic idea is to have:

pub trait XKey: Sized {
    type EcdsaKey;
    type SchnorrKey;

    fn derive<P: IntoIterator<Item=ChildNumber>>(&self, path: P) -> Self;
    fn to_ecdsa(&self) -> Self::EcdsaKey;
    fn to_schnorr(&self) -> Self::SchnorrKey;
}

[sgeisler]

I wonder if the _priv part is really useful. You know you are operating on an xpriv and the return type is a private key. Kinda related: I'd like to explore the possibility of putting the derive and conversion functions into a trait (not here though) to allow generic code over x-keys.

[sanket1729]

After #755, I think this should be just to_priv. As mentioned and discussed in several places, keys are not related to signature algorithms.

[sgeisler]

Same here _keypair seems redundant.

[sanket1729]

I missed this. This should also be to_keypair

[sgeisler]

redundant _pub

[sanket1729]

Same, this should be to_pub

[sgeisler]

redundant _pub

[sanket1729]

And this should be to_x_only_pub

[apoelstra]

What is the status of this? Does it need a rebase and/or the PR description updated to have different commit IDs?

[dr-orlovsky]

@apoelstra rebased, description update, ready for (re)reviews

[sanket1729]

I think we should resolve our discussion #588 (comment) before proceeding with this.

[dr-orlovsky]

@sanket1729 that discussion much more relates to previous PR #589 which is already merged (and a bitcoin-rust version with it is already released). If we need to change that approach, that should be a matter of a new PR.

This PR is very specifically removes unnecessary non-Secp256k1 pubkeys from BIP32/PSBT related data structures and does not directly related to the key type naming discussion within rust-bitcoin

[sanket1729]

@dr-orlovsky, there is a discussion to possibly undo things in #589 (in a non-breaking way). If there is a consensus for that, this PR would be updated, namely, the function names that use ecdsa_ and schnorr_ should be ec_ and xonly_(x_only_)

[dr-orlovsky]

Why we can't do that alltogether after merging this PR, independently from it?

[sanket1729]

I don't have a strong opinion but appears that there is consensus for removing signature names from functions names using x_only, ec.

This PR is not dependant on it and can get in without the other one, but there is no reason to have poor API names here just so we can change them later.

[dr-orlovsky]

@sanket1729 can you pls explain what exactly you propose to update in this PR?

[sanket1729]

I was about to suggest APIs like

- pub fn to_ecdsa_priv(&self) -> ecdsa::PrivateKey
+ pub fn to_ec_priv(&self) -> ecdsa::PrivateKey

but reading this seems odd that API because it currently does not match the return type

ACK 7c565ec.

We can change this later when we address #588

[sanket1729]

ACK 7c565ec . Once we rename ecdsa and schnorr keys to ec and xonly, we should update the API names in this PR too.

[apoelstra]

Can you add a unit test which tries to parse an xpriv with a secret key of all zeros and one where the secret key is all ffs? I'm worried that this panic can be triggered.

[dr-orlovsky]

Well, you can't construct xpriv with such secret keys - it errors during the construction on incorrect secret key. However I added general test case for this method.

[GeneFerneau]

utACK 7c565ec

[Kixunil]

ACK 1ff5730

[sanket1729]

Left two comments. I don't think we should wait for a point release of secp for a purpose of a test (which I think is not testing anything concrete). We can add the test later after a point release of secp.

[sanket1729]

I missed this. This should also be to_keypair

[sanket1729]

I don't see any value in this test? What is this test testing? It is a one-line function code that is repeated in the test.

If you feel there is value in this, we can check that the x-only public keys from the keypairs are the same for now. After another point release, we can re-add this test. I don't think we are losing any features for the next release because of this.

[dr-orlovsky]

@sanket1729 addressed issues and removed test.

@Kixunil pls re-ACK

[Kixunil]

Would've reacked but it's uncompilable...

[dr-orlovsky]

@Kixunil sorry, my bad: introduced last minute "improvement" with additional commit and didn't properly checked it. Should be fixed now

[Kixunil]

Still some issue.

[dr-orlovsky]

@Kixunil I do not know what the ... is happening with CI, but it perfectly builds locally while it fails with exactly the same config on GitHub:

orlovsky@alienware:~/repos/rust-bitcoin$ rustup update
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
info: syncing channel updates for 'nightly-x86_64-unknown-linux-gnu'
info: cleaning up downloads & tmp directories
orlovsky@alienware:~/repos/rust-bitcoin$ cargo +stable build --features=no-std --no-default-features
    Finished dev [unoptimized + debuginfo] target(s) in 0.27s
orlovsky@alienware:~/repos/rust-bitcoin$ cargo +nightly build --features=no-std --no-default-features
    Finished dev [unoptimized + debuginfo] target(s) in 0.26s

[sanket1729]

@dr-orlovsky , the tests are not building. Not the binary.

[sanket1729]

Looks like we are not deriving Debug in nostd. I was not involved in no-std and I do not understand embedded development. But what was the rationale for this?

#[derive(Copy, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Debug))]
pub struct ExtendedPrivKey {

[sanket1729]

Why are you doing this? I think this is causing the issue? Why cannot use derive debug in no-std? And how is that related to this PR.

[dr-orlovsky]

We need this since SecretKey in the upstream does custom Debug which works only on std. Without this change it foes not compile on no_std

[sanket1729]

I think we should leave all the secret display stuff out of this PR and this should build.

[dr-orlovsky]

@Kixunil @sanket1729 sorry it was my bad: probably was too tired yesterday and thought that I had no-std Debug impl for ExtendedPrivateKey. Fixed

[apoelstra]

ACK cf0c48c

It's a little eyebrow-raising that the nostd Debug impl just silently omits the secret key, but whatever. I have no opinions about the renaming, though I think after we get all the key-changing PRs in (but before we do the Taproot release) we should go through everything and possibly do a rename cleanup.

[dr-orlovsky]

@apoelstra there is not a lot of options for no_std Debug: in secp256k1 secret key do not have any Debug in no_std and is hashed in std. If we just plainly print secret key here we will abandon "never display secrets in logs" policy we introduced in secp256k1 with that hashing.

[apoelstra]

Right, I understand that we have no good options here. I think I might've stuck the literal string [secret] in there or something, but just eliding the field is fine.

[sanket1729]

ACK cf0c48c. #757 might need rework after this

[sanket1729]

Note that there would be some conflicts with #757