bips/bip-0089/bip32.py

"""BIP32 helpers for the CCD reference implementation."""

from __future__ import annotations

from dataclasses import dataclass
import hmac
from hashlib import new as hashlib_new, sha256, sha512
from typing import List, Tuple, Mapping, Sequence

from secp256k1lab.secp256k1 import G, GE, Scalar

CURVE_N = Scalar.SIZE

def int_to_bytes(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def bytes_to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")

def compress_point(point: GE) -> bytes:
    if point.infinity:
        raise ValueError("Cannot compress point at infinity")
    return point.to_bytes_compressed()


def decompress_point(data: bytes) -> GE:
    return GE.from_bytes_compressed(data)

def apply_tweak_to_public(base_public: bytes, tweak: int) -> bytes:
    base_point = GE.from_bytes_compressed(base_public)
    tweaked_point = base_point + (tweak % CURVE_N) * G
    if tweaked_point.infinity:
        raise ValueError("Tweaked key is at infinity")
    return tweaked_point.to_bytes_compressed()


def apply_tweak_to_secret(base_secret: int, tweak: int) -> int:
    if not (0 < base_secret < CURVE_N):
        raise ValueError("Invalid base secret scalar")
    return (base_secret + tweak) % CURVE_N

def decode_path(path_elements: Sequence[object]) -> List[int]:
    result: List[int] = []
    for element in path_elements:
        if isinstance(element, int):
            index = element
        else:
            element_str = str(element)
            hardened = element_str.endswith("'") or element_str.endswith("h")
            suffix = element_str[:-1] if hardened else element_str
            if not suffix:
                raise AssertionError("invalid derivation index")
            index = int(suffix)
            if hardened:
                index |= HARDENED_INDEX
        result.append(index)
    return result

HARDENED_INDEX = 0x80000000


def _hash160(data: bytes) -> bytes:
    return hashlib_new("ripemd160", sha256(data).digest()).digest()


@dataclass
class ExtendedPublicKey:
    point: GE
    chain_code: bytes
    depth: int = 0
    parent_fingerprint: bytes = b"\x00\x00\x00\x00"
    child_number: int = 0

    def fingerprint(self) -> bytes:
        return _hash160(compress_point(self.point))[:4]

    def derive_child(self, index: int) -> Tuple[int, "ExtendedPublicKey"]:
        tweak, child_point, child_chain = derive_public_child(self.point, self.chain_code, index)
        child = ExtendedPublicKey(
            point=child_point,
            chain_code=child_chain,
            depth=self.depth + 1,
            parent_fingerprint=self.fingerprint(),
            child_number=index,
        )
        return tweak, child


def derive_public_child(parent_point: GE, chain_code: bytes, index: int) -> Tuple[int, GE, bytes]:
    if index >= HARDENED_INDEX:
        raise ValueError("Hardened derivations are not supported for delegates")

    data = compress_point(parent_point) + int_to_bytes(index, 4)
    il_ir = hmac.new(chain_code, data, sha512).digest()
    il, ir = il_ir[:32], il_ir[32:]
    tweak = bytes_to_int(il)
    if tweak >= CURVE_N:
        raise ValueError("Invalid tweak derived (>= curve order)")

    child_point_bytes = apply_tweak_to_public(compress_point(parent_point), tweak)
    child_point = decompress_point(child_point_bytes)
    return tweak, child_point, ir


def parse_path(path: str) -> List[int]:
    if not path or path in {"m", "M"}:
        return []
    if path.startswith(("m/", "M/")):
        path = path[2:]

    components: List[int] = []
    for element in path.split("/"):
        if element.endswith("'") or element.endswith("h"):
            raise ValueError("Hardened steps are not allowed in CCD derivations")
        index = int(element)
        if index < 0 or index >= HARDENED_INDEX:
            raise ValueError("Derivation index out of range")
        components.append(index)
    return components

def parse_extended_public_key(data: Mapping[str, object]) -> ExtendedPublicKey:
    compressed_hex = data.get("compressed")
    if not isinstance(compressed_hex, str):
        raise ValueError("Compressed must be a string")

    chain_code_hex = data.get("chain_code")
    if not isinstance(chain_code_hex, str):
        raise ValueError("Chain code must be a string")
    
    depth = data.get("depth")
    if not isinstance(depth, int):
        raise ValueError("Depth must be an integer")
    
    child_number = data.get("child_number", 0)
    if not isinstance(child_number, int):
        raise ValueError("Child number must be an integer")

    parent_fp_hex = data.get("parent_fingerprint", "00000000")

    compressed = bytes.fromhex(compressed_hex)
    chain_code = bytes.fromhex(chain_code_hex)
    parent_fp = bytes.fromhex(str(parent_fp_hex))
    return build_extended_public_key(
        compressed,
        chain_code,
        depth=depth,
        parent_fingerprint=parent_fp,
        child_number=child_number,
    )


def build_extended_public_key(
    compressed: bytes,
    chain_code: bytes,
    *,
    depth: int = 0,
    parent_fingerprint: bytes = b"\x00\x00\x00\x00",
    child_number: int = 0,
) -> ExtendedPublicKey:
    if len(chain_code) != 32:
        raise ValueError("Chain code must be 32 bytes")
    point = decompress_point(compressed)
    return ExtendedPublicKey(
        point=point,
        chain_code=chain_code,
        depth=depth,
        parent_fingerprint=parent_fingerprint,
        child_number=child_number,
    )
BIP 89: Chain Code Delegation for Private Collaborative Custody (#2004) * Add Chaincode Delegation BIP * Update license to BSD-3-Clause and expand blinded signing documentation * Address initial PR comments * Update with BIP number assignment * Fix delegator_sign test vector * Upgrade secp256k1lab and add license file - Upgrade vendored secp256k1lab to commit a265da1 (adds type annotations) - Add COPYING file to satisfy MIT license requirements - Document secp256k1lab commit reference in BIP text * Fix type checker and linter issues in reference implementation - Fix TweakContext to use Scalar types for gacc/tacc - Replace HashFunction enum with Callable type alias - Fix bytearray to bytes conversion in blind_sign - Move imports to top of file - Fix boolean comparison style (use 'not' instead of '== False') - Add proper type annotations and casts for dict handling - Remove unused imports and type ignore comments * Address PR review comments on terminology and clarity - Add intro explaining delegation naming (chain code is delegated, not signing authority) - Reorder terminology to list Delegator before Delegatee - Replace "quorum" with clearer "can co-sign for UTXOs" language - Clarify derivation constraints in terms of delegatee's extended key - Rename "Delegatee Signing" section to "Signing Modes" - Fix "delegatee can apply" to "delegator can produce" (line 112) - Replace undefined "caller" with "delegatee" (line 173) - Clarify "Change outputs" to "Tweaks for change outputs" (line 98) - Add note that message is separate from CCD bundle - Add note on application-specific verification (addresses, amounts) - Add transition sentence clarifying non-concurrent protocol scope * Add changelog entry for 0.1.3 * Fix header: use Authors (plural) for multiple authors * Fix BIP header format for CI compliance - Change Type from 'Standards Track' to 'Specification' (valid type) - Change 'Created' to 'Assigned' (correct field name per BIP format) - Change 'Post-History' to 'Discussion' (recognized field in buildtable.pl) * Apply suggestion from @murchandamus --------- Co-authored-by: Jesse Posner <jesse.posner@gmail.com> 2026-02-05 04:58:08 +08:00			`"""BIP32 helpers for the CCD reference implementation."""`

			`from __future__ import annotations`

			`from dataclasses import dataclass`
			`import hmac`
			`from hashlib import new as hashlib_new, sha256, sha512`
			`from typing import List, Tuple, Mapping, Sequence`

			`from secp256k1lab.secp256k1 import G, GE, Scalar`

			`CURVE_N = Scalar.SIZE`

			`def int_to_bytes(value: int, length: int) -> bytes:`
			`return value.to_bytes(length, "big")`


			`def bytes_to_int(data: bytes) -> int:`
			`return int.from_bytes(data, "big")`

			`def compress_point(point: GE) -> bytes:`
			`if point.infinity:`
			`raise ValueError("Cannot compress point at infinity")`
			`return point.to_bytes_compressed()`


			`def decompress_point(data: bytes) -> GE:`
			`return GE.from_bytes_compressed(data)`

			`def apply_tweak_to_public(base_public: bytes, tweak: int) -> bytes:`
			`base_point = GE.from_bytes_compressed(base_public)`
			`tweaked_point = base_point + (tweak % CURVE_N) * G`
			`if tweaked_point.infinity:`
			`raise ValueError("Tweaked key is at infinity")`
			`return tweaked_point.to_bytes_compressed()`


			`def apply_tweak_to_secret(base_secret: int, tweak: int) -> int:`
			`if not (0 < base_secret < CURVE_N):`
			`raise ValueError("Invalid base secret scalar")`
			`return (base_secret + tweak) % CURVE_N`

			`def decode_path(path_elements: Sequence[object]) -> List[int]:`
			`result: List[int] = []`
			`for element in path_elements:`
			`if isinstance(element, int):`
			`index = element`
			`else:`
			`element_str = str(element)`
			`hardened = element_str.endswith("'") or element_str.endswith("h")`
			`suffix = element_str[:-1] if hardened else element_str`
			`if not suffix:`
			`raise AssertionError("invalid derivation index")`
			`index = int(suffix)`
			`if hardened:`
			`index \|= HARDENED_INDEX`
			`result.append(index)`
			`return result`

			`HARDENED_INDEX = 0x80000000`


			`def _hash160(data: bytes) -> bytes:`
			`return hashlib_new("ripemd160", sha256(data).digest()).digest()`


			`@dataclass`
			`class ExtendedPublicKey:`
			`point: GE`
			`chain_code: bytes`
			`depth: int = 0`
			`parent_fingerprint: bytes = b"\x00\x00\x00\x00"`
			`child_number: int = 0`

			`def fingerprint(self) -> bytes:`
			`return _hash160(compress_point(self.point))[:4]`

			`def derive_child(self, index: int) -> Tuple[int, "ExtendedPublicKey"]:`
			`tweak, child_point, child_chain = derive_public_child(self.point, self.chain_code, index)`
			`child = ExtendedPublicKey(`
			`point=child_point,`
			`chain_code=child_chain,`
			`depth=self.depth + 1,`
			`parent_fingerprint=self.fingerprint(),`
			`child_number=index,`
			`)`
			`return tweak, child`


			`def derive_public_child(parent_point: GE, chain_code: bytes, index: int) -> Tuple[int, GE, bytes]:`
			`if index >= HARDENED_INDEX:`
			`raise ValueError("Hardened derivations are not supported for delegates")`

			`data = compress_point(parent_point) + int_to_bytes(index, 4)`
			`il_ir = hmac.new(chain_code, data, sha512).digest()`
			`il, ir = il_ir[:32], il_ir[32:]`
			`tweak = bytes_to_int(il)`
			`if tweak >= CURVE_N:`
			`raise ValueError("Invalid tweak derived (>= curve order)")`

			`child_point_bytes = apply_tweak_to_public(compress_point(parent_point), tweak)`
			`child_point = decompress_point(child_point_bytes)`
			`return tweak, child_point, ir`


			`def parse_path(path: str) -> List[int]:`
			`if not path or path in {"m", "M"}:`
			`return []`
			`if path.startswith(("m/", "M/")):`
			`path = path[2:]`

			`components: List[int] = []`
			`for element in path.split("/"):`
			`if element.endswith("'") or element.endswith("h"):`
			`raise ValueError("Hardened steps are not allowed in CCD derivations")`
			`index = int(element)`
			`if index < 0 or index >= HARDENED_INDEX:`
			`raise ValueError("Derivation index out of range")`
			`components.append(index)`
			`return components`

			`def parse_extended_public_key(data: Mapping[str, object]) -> ExtendedPublicKey:`
			`compressed_hex = data.get("compressed")`
			`if not isinstance(compressed_hex, str):`
			`raise ValueError("Compressed must be a string")`

			`chain_code_hex = data.get("chain_code")`
			`if not isinstance(chain_code_hex, str):`
			`raise ValueError("Chain code must be a string")`

			`depth = data.get("depth")`
			`if not isinstance(depth, int):`
			`raise ValueError("Depth must be an integer")`

			`child_number = data.get("child_number", 0)`
			`if not isinstance(child_number, int):`
			`raise ValueError("Child number must be an integer")`

			`parent_fp_hex = data.get("parent_fingerprint", "00000000")`

			`compressed = bytes.fromhex(compressed_hex)`
			`chain_code = bytes.fromhex(chain_code_hex)`
			`parent_fp = bytes.fromhex(str(parent_fp_hex))`
			`return build_extended_public_key(`
			`compressed,`
			`chain_code,`
			`depth=depth,`
			`parent_fingerprint=parent_fp,`
			`child_number=child_number,`
			`)`


			`def build_extended_public_key(`
			`compressed: bytes,`
			`chain_code: bytes,`
			`*,`
			`depth: int = 0,`
			`parent_fingerprint: bytes = b"\x00\x00\x00\x00",`
			`child_number: int = 0,`
			`) -> ExtendedPublicKey:`
			`if len(chain_code) != 32:`
			`raise ValueError("Chain code must be 32 bytes")`
			`point = decompress_point(compressed)`
			`return ExtendedPublicKey(`
			`point=point,`
			`chain_code=chain_code,`
			`depth=depth,`
			`parent_fingerprint=parent_fingerprint,`
			`child_number=child_number,`
			`)`