Recovery Module (#211)

* WIP Recovery Module

* Adding tests and updating documentation

Author: csjones

Package.swift

@@ -148,12 +148,13 @@ let package = Package(
             sources: [
                 "Asymmetric.swift",
                 "DH.swift",
-                "Digests.swift",
+                "Hash32BytesDigest.swift",
                 "ECDH.swift",
                 "ECDSA.swift",
                 "EdDSA.swift",
                 "Errors.swift",
                 "PrettyBytes.swift",
+                "Recovery.swift",
                 "SafeCompare.swift",
                 "Schnorr.swift",
                 "secp256k1.swift",

README.md

@@ -59,8 +59,8 @@ let privateKey = try! secp256k1.Signing.PrivateKey(rawRepresentation: privateByt
 
 // Adding a tweak to the private key and public key
 let tweak = try! "5f0da318c6e02f653a789950e55756ade9f194e1ec228d7f368de1bd821322b6".bytes
-let tweakedPrivateKey = try! privateKey.tweak(tweak)
-let tweakedPublicKeyKey = try! privateKey.publicKey.tweak(tweak)
+let tweakedPrivateKey = try! privateKey.add(tweak)
+let tweakedPublicKeyKey = try! privateKey.publicKey.add(tweak)
 ```
 
 ## Elliptic Curve Diffie Hellman
@@ -95,6 +95,22 @@ let xonlyTweak2 = try! sharedSecretSign2.publicKey.xonly.add(privateSign1.public
 let privateTweak1 = try! sharedSecretSign1.add(xonly: privateSign1.publicKey.xonly.bytes)
 ```
 
+## Recovery
+
+```swift
+let privateKey = try! secp256k1.Signing.PrivateKey()
+let messageData = "We're all Satoshi.".data(using: .utf8)!
+
+// Create a recoverable ECDSA signature
+let recoverySignature = try! privateKey.ecdsa.recoverableSignature(for: messageData)
+
+// Recover an ECDSA public key from a signature
+let publicKey = try! secp256k1.Recovery.PublicKey(messageData, signature: recoverySignature)
+
+// Convert a recoverable signature into a normal signature
+let signature = try! recoverySignature.normalize
+```
+
 
 # Getting Started
 

Sources/implementation/ECDSA.swift

@@ -51,7 +51,7 @@ public extension secp256k1.Signing {
 
         /// Initializes ECDSASignature from the raw representation.
         /// - Parameters:
-        ///   - rawRepresentation: A raw representation of the key as a collection of contiguous bytes.
+        ///   - dataRepresentation: A data representation of the key as a collection of contiguous bytes.
         /// - Throws: If there is a failure with the dataRepresentation count
         internal init(_ dataRepresentation: Data) throws {
             guard dataRepresentation.count == 4 * secp256k1.CurveDetails.coordinateByteCount else {
@@ -146,6 +146,28 @@ public extension secp256k1.Signing {
 }
 
 extension secp256k1.Signing.ECDSASigner: DigestSigner, Signer {
+    ///  Generates a recoverable ECDSA signature.
+    ///
+    /// - Parameter digest: The digest to sign.
+    /// - Returns: The recoverable ECDSA Signature.
+    /// - Throws: If there is a failure producing the signature
+    public func recoverableSignature<D: Digest>(for digest: D) throws -> secp256k1.Recovery.ECDSASignature {
+        var signature = secp256k1_ecdsa_recoverable_signature()
+        
+        guard secp256k1_ecdsa_sign_recoverable(
+            secp256k1.Context.raw,
+            &signature,
+            Array(digest),
+            Array(signingKey.rawRepresentation),
+            nil,
+            nil
+        ).boolValue else {
+            throw secp256k1Error.underlyingCryptoError
+        }
+
+        return try secp256k1.Recovery.ECDSASignature(signature.dataValue)
+    }
+    
     ///  Generates an ECDSA signature over the secp256k1 elliptic curve.
     ///
     /// - Parameter digest: The digest to sign.
@@ -154,12 +176,29 @@ extension secp256k1.Signing.ECDSASigner: DigestSigner, Signer {
     public func signature<D: Digest>(for digest: D) throws -> secp256k1.Signing.ECDSASignature {
         var signature = secp256k1_ecdsa_signature()
 
-        guard secp256k1_ecdsa_sign(secp256k1.Context.raw, &signature, Array(digest), Array(signingKey.rawRepresentation), nil, nil).boolValue else {
+        guard secp256k1_ecdsa_sign(
+            secp256k1.Context.raw,
+            &signature,
+            Array(digest),
+            Array(signingKey.rawRepresentation),
+            nil,
+            nil
+        ).boolValue else {
             throw secp256k1Error.underlyingCryptoError
         }
 
         return try secp256k1.Signing.ECDSASignature(signature.dataValue)
     }
+    
+    /// Generates an ECDSA signature over the secp256k1 elliptic curve.
+    /// SHA256 is used as the hash function.
+    ///
+    /// - Parameter data: The data to sign.
+    /// - Returns: The ECDSA Signature.
+    /// - Throws: If there is a failure producing the signature.
+    public func recoverableSignature<D: DataProtocol>(for data: D) throws -> secp256k1.Recovery.ECDSASignature {
+        try recoverableSignature(for: SHA256.hash(data: data))
+    }
 
     /// Generates an ECDSA signature over the secp256k1 elliptic curve.
     /// SHA256 is used as the hash function.

Sources/implementation/Digests.swift …s/implementation/Hash32BytesDigest.swiftSources/implementation/Digests.swift renamed to Sources/implementation/Hash32BytesDigest.swift Sources/implementation/Digests.swift renamed to Sources/implementation/Hash32BytesDigest.swift

@@ -1,5 +1,5 @@
 //
-//  Digests.swift
+//  Hash32BytesDigest.swift
 //  GigaBitcoin/secp256k1.swift
 //
 //  Modifications Copyright (c) 2021 GigaBitcoin LLC

Sources/implementation/Recovery.swift

@@ -0,0 +1,177 @@
+//
+//  Recovery.swift
+//  GigaBitcoin/secp256k1.swift
+//
+//  Copyright (c) 2022 GigaBitcoin LLC
+//  Distributed under the MIT software license
+//
+//  See the accompanying file LICENSE for information
+//
+
+import Foundation
+import secp256k1_bindings
+
+// MARK: - secp256k1 + Recovery
+
+public extension secp256k1 {
+    enum Recovery {
+        public struct PublicKey {
+            let baseKey: PublicKeyImplementation
+            
+            /// Initializes a secp256k1 public key using a data message and a recovery signature.
+            /// - Parameters:
+            ///   - data: The data to be hash and assumed signed.
+            ///   - signature: A raw representation of the initialized signature that supports pubkey recovery.
+            ///   - format: the format of the public key object
+            public init<D: DataProtocol>(
+                _ data: D,
+                signature: secp256k1.Recovery.ECDSASignature,
+                format: secp256k1.Format = .compressed
+            ) throws {
+                self.baseKey = try PublicKeyImplementation(
+                    SHA256.hash(data: data),
+                    signature: signature,
+                    format: format
+                )
+            }
+
+            /// Initializes a secp256k1 public key using a hash digest and a recovery signature.
+            /// - Parameters:
+            ///   - digest: The hash digest assumed to be signed.
+            ///   - signature: A raw representation of the initialized signature that supports pubkey recovery.
+            ///   - format: the format of the public key object
+            public init<D: Digest>(
+                _ digest: D,
+                signature: secp256k1.Recovery.ECDSASignature,
+                format: secp256k1.Format = .compressed
+            ) throws {
+                self.baseKey = try PublicKeyImplementation(digest, signature: signature, format: format)
+            }
+
+            /// Initializes a secp256k1 public key for recovery.
+            /// - Parameter baseKey: generated secp256k1 public key.
+            init(baseKey: PublicKeyImplementation) {
+                self.baseKey = baseKey
+            }
+
+            /// A data representation of the public key
+            public var rawRepresentation: Data { baseKey.rawRepresentation }
+
+            /// Implementation public key object
+            var bytes: [UInt8] { baseKey.bytes }
+        }
+    }
+}
+
+/// An ECDSA (Elliptic Curve Digital Signature Algorithm) Recovery Signature
+public extension secp256k1.Recovery {
+    
+    /// Recovery Signature
+    struct ECDSACompactSignature {
+        let signature: Data
+        let recoveryId: Int32
+    }
+    
+    struct ECDSASignature: ContiguousBytes, RawSignature {
+        /// Returns the raw signature.
+        public var rawRepresentation: Data
+
+        /// Initializes ECDSASignature from the raw representation.
+        /// - Parameters:
+        ///   - rawRepresentation: A raw representation of the key as a collection of contiguous bytes.
+        /// - Throws: If there is a failure with the dataRepresentation count
+        public init<D: DataProtocol>(rawRepresentation: D) throws {
+            guard rawRepresentation.count == 4 * secp256k1.CurveDetails.coordinateByteCount + 1 else {
+                throw secp256k1Error.incorrectParameterSize
+            }
+
+            self.rawRepresentation = Data(rawRepresentation)
+        }
+
+        /// Initializes ECDSASignature from the raw representation.
+        /// - Parameters:
+        ///   - rawRepresentation: A raw representation of the key as a collection of contiguous bytes.
+        /// - Throws: If there is a failure with the dataRepresentation count
+        internal init(_ dataRepresentation: Data) throws {
+            guard dataRepresentation.count == 4 * secp256k1.CurveDetails.coordinateByteCount + 1 else {
+                throw secp256k1Error.incorrectParameterSize
+            }
+
+            self.rawRepresentation = dataRepresentation
+        }
+
+        /// Initializes ECDSASignature from the Compact representation.
+        /// - Parameter compactRepresentation: A Compact representation of the key as a collection of contiguous bytes.
+        /// - Throws: If there is a failure with parsing the derRepresentation
+        public init<D: DataProtocol>(compactRepresentation: D, recoveryId: Int32) throws {
+            var recoverableSignature = secp256k1_ecdsa_recoverable_signature()
+
+            guard secp256k1_ecdsa_recoverable_signature_parse_compact(
+                secp256k1.Context.raw,
+                &recoverableSignature,
+                Array(compactRepresentation),
+                recoveryId
+            ).boolValue else {
+                throw secp256k1Error.underlyingCryptoError
+            }
+
+            self.rawRepresentation = recoverableSignature.dataValue
+        }
+
+        /// Invokes the given closure with a buffer pointer covering the raw bytes of the digest.
+        /// - Parameter body: A closure that takes a raw buffer pointer to the bytes of the digest and returns the digest.
+        /// - Throws: If there is a failure with underlying `withUnsafeBytes`
+        /// - Returns: The signature as returned from the body closure.
+        public func withUnsafeBytes<R>(_ body: (UnsafeRawBufferPointer) throws -> R) rethrows -> R {
+            try rawRepresentation.withUnsafeBytes(body)
+        }
+
+        /// Serialize an ECDSA signature in compact (64 byte) format.
+        /// - Throws: If there is a failure parsing signature
+        /// - Returns: a 64-byte data representation of the compact serialization
+        public var compactRepresentation: ECDSACompactSignature {
+            get throws {
+                let compactSignatureLength = 64
+                var recoveryId = Int32()
+                var recoverableSignature = secp256k1_ecdsa_recoverable_signature()
+                var compactSignature = [UInt8](repeating: 0, count: compactSignatureLength)
+
+                rawRepresentation.copyToUnsafeMutableBytes(of: &recoverableSignature.data)
+
+                guard secp256k1_ecdsa_recoverable_signature_serialize_compact(
+                    secp256k1.Context.raw,
+                    &compactSignature,
+                    &recoveryId,
+                    &recoverableSignature
+                ).boolValue else {
+                    throw secp256k1Error.underlyingCryptoError
+                }
+                
+                return secp256k1.Recovery.ECDSACompactSignature(
+                    signature: Data(bytes: &compactSignature, count: compactSignatureLength),
+                    recoveryId: recoveryId
+                )
+            }
+        }
+        
+        /// Convert a recoverable signature into a normal signature.
+        public var normalize: secp256k1.Signing.ECDSASignature {
+            get throws {
+                var normalizedSignature = secp256k1_ecdsa_signature()
+                var recoverableSignature = secp256k1_ecdsa_recoverable_signature()
+                
+                rawRepresentation.copyToUnsafeMutableBytes(of: &recoverableSignature.data)
+                
+                guard secp256k1_ecdsa_recoverable_signature_convert(
+                    secp256k1.Context.raw,
+                    &normalizedSignature,
+                    &recoverableSignature
+                ).boolValue else {
+                    throw secp256k1Error.underlyingCryptoError
+                }
+                
+                return try secp256k1.Signing.ECDSASignature(normalizedSignature.dataValue)
+            }
+        }
+    }
+}

Sources/implementation/Utility.swift

@@ -42,6 +42,13 @@ public extension secp256k1_ecdsa_signature {
     }
 }
 
+public extension secp256k1_ecdsa_recoverable_signature {
+    var dataValue: Data {
+        var mutableSig = self
+        return Data(bytes: &mutableSig.data, count: MemoryLayout.size(ofValue: data))
+    }
+}
+
 public extension String {
     /// Public initializer backed by the `BytesUtil.swift` DataProtocol extension property `hexString`
     /// - Parameter bytes: byte array to initialize

Sources/implementation/secp256k1.swift

@@ -182,6 +182,32 @@ extension secp256k1 {
         self._xonlyBytes = xonly
         self._keyParity = keyParity
     }
+    
+    /// Backing initialization that sets the public key from a digest and recoverable signature.
+    /// - Parameters:
+    ///   - digest: The digest that was signed.
+    ///   - signature: The signature to recover the public key from
+    ///   - format: the format of the public key object
+    /// - Throws: An error is thrown when a public key is not recoverable from the  signature.  
+    @usableFromInline init<D: Digest>(_ digest: D, signature: secp256k1.Recovery.ECDSASignature, format: secp256k1.Format) throws {
+        var keyParity = Int32()
+        var pubKeyLen = format.length
+        var pubKey = secp256k1_pubkey()
+        var pubBytes = [UInt8](repeating: 0, count: pubKeyLen)
+        var recoverySignature = secp256k1_ecdsa_recoverable_signature()
+
+        signature.rawRepresentation.copyToUnsafeMutableBytes(of: &recoverySignature.data)
+
+        guard secp256k1_ecdsa_recover(secp256k1.Context.raw, &pubKey, &recoverySignature, Array(digest)).boolValue,
+              secp256k1_ec_pubkey_serialize(secp256k1.Context.raw, &pubBytes, &pubKeyLen, &pubKey, format.rawValue).boolValue else {
+            throw secp256k1Error.underlyingCryptoError
+        }
+
+        self._xonlyBytes = try XonlyKeyImplementation.generate(bytes: pubBytes, keyParity: &keyParity, format: format)
+        self._keyParity = keyParity
+        self.format = format
+        self.bytes = pubBytes
+    }
 
     /// Generates a secp256k1 public key from bytes representation.
     /// - Parameter privateBytes: a private key object in bytes form