bitcoinjs-lib/test/integration/stealth.js

/* global describe, it */

let assert = require('assert')
let bitcoin = require('../../')
let ecc = require('tiny-secp256k1')

// TODO: remove
let baddress = bitcoin.address
let bcrypto = bitcoin.crypto
function getAddress (node) {
  return baddress.toBase58Check(bcrypto.hash160(node.publicKey), bitcoin.networks.bitcoin.pubKeyHash)
}

// vG = (dG \+ sha256(e * dG)G)
function stealthSend (e, Q) {
  var eQ = ecc.pointMultiply(Q, e, true) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var Qc = ecc.pointAddScalar(Q, c)
  var vG = bitcoin.ECPair.fromPublicKey(Qc)

  return vG
}

// v = (d + sha256(eG * d))
function stealthReceive (d, eG) {
  var eQ = ecc.pointMultiply(eG, d) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var dc = ecc.privateAdd(d, c)
  var v = bitcoin.ECPair.fromPrivateKey(dc)

  return v
}

// d = (v - sha256(e * dG))
function stealthRecoverLeaked (v, e, Q) {
  var eQ = ecc.pointMultiply(Q, e) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var vc = ecc.privateSub(v, c)
  var d = bitcoin.ECPair.fromPrivateKey(vc)

  return d
}

// vG = (rG \+ sha256(e * dG)G)
function stealthDualSend (e, R, Q) {
  var eQ = ecc.pointMultiply(Q, e) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var Rc = ecc.pointAddScalar(R, c)
  var vG = bitcoin.ECPair.fromPublicKey(Rc)

  return vG
}

// vG = (rG \+ sha256(eG * d)G)
function stealthDualScan (d, R, eG) {
  var eQ = ecc.pointMultiply(eG, d) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var Rc = ecc.pointAddScalar(R, c)
  var vG = bitcoin.ECPair.fromPublicKey(Rc)

  return vG
}

// v = (r + sha256(eG * d))
function stealthDualReceive (d, r, eG) {
  var eQ = ecc.pointMultiply(eG, d) // shared secret
  var c = bitcoin.crypto.sha256(eQ)
  var rc = ecc.privateAdd(r, c)
  var v = bitcoin.ECPair.fromPrivateKey(rc)

  return v
}

describe('bitcoinjs-lib (crypto)', function () {
  it('can generate a single-key stealth address', function () {
    // XXX: should be randomly generated, see next test for example
    var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
    var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.privateKey, recipient.publicKey)
    assert.equal(getAddress(forSender), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)
    assert.equal(getAddress(forRecipient), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
    assert.equal(forRecipient.toWIF(), 'L1yjUN3oYyCXV3LcsBrmxCNTa62bZKWCybxVJMvqjMmmfDE8yk7n')

    // sender and recipient, both derived same address
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can generate a single-key stealth address (randomly)', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.privateKey, recipient.publicKey)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // sender and recipient, both derived same address
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can recover parent recipient.d, if a derived private key is leaked [and nonce was revealed]', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key (recipient.Q) to sender
    var forSender = stealthSend(nonce.privateKey, recipient.publicKey)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to recipient
    var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // ... recipient accidentally leaks forRecipient.d on the blockchain
    var leaked = stealthRecoverLeaked(forRecipient.privateKey, nonce.privateKey, recipient.publicKey)
    assert.equal(leaked.toWIF(), recipient.toWIF())
  })

  it('can generate a dual-key stealth address', function () {
    // XXX: should be randomly generated, see next test for example
    var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
    var scan = bitcoin.ECPair.fromWIF('L5DkCk3xLLoGKncqKsWQTdaPSR4V8gzc14WVghysQGkdryRudjBM') // private to scanner/recipient
    var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender

    // ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
    var forSender = stealthDualSend(nonce.privateKey, recipient.publicKey, scan.publicKey)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to scanner
    var forScanner = stealthDualScan(scan.privateKey, recipient.publicKey, nonce.publicKey)
    assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)

    // ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
    var forRecipient = stealthDualReceive(scan.privateKey, recipient.privateKey, nonce.publicKey)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // scanner, sender and recipient, all derived same address
    assert.equal(getAddress(forSender), getAddress(forScanner))
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })

  it('can generate a dual-key stealth address (randomly)', function () {
    var recipient = bitcoin.ECPair.makeRandom() // private to recipient
    var scan = bitcoin.ECPair.makeRandom() // private to scanner/recipient
    var nonce = bitcoin.ECPair.makeRandom() // private to sender

    // ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
    var forSender = stealthDualSend(nonce.privateKey, recipient.publicKey, scan.publicKey)
    assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)

    // ... sender reveals nonce public key (nonce.Q) to scanner
    var forScanner = stealthDualScan(scan.privateKey, recipient.publicKey, nonce.publicKey)
    assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)

    // ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
    var forRecipient = stealthDualReceive(scan.privateKey, recipient.privateKey, nonce.publicKey)
    assert.doesNotThrow(function () { forRecipient.toWIF() })

    // scanner, sender and recipient, all derived same address
    assert.equal(getAddress(forSender), getAddress(forScanner))
    assert.equal(getAddress(forSender), getAddress(forRecipient))
  })
})
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`/* global describe, it */`

rm getAddress 2018-05-22 09:43:25 +02:00			`let assert = require('assert')`
			`let bitcoin = require('../../')`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`let ecc = require('tiny-secp256k1')`
rm getAddress 2018-05-22 09:43:25 +02:00
			`// TODO: remove`
			`let baddress = bitcoin.address`
			`let bcrypto = bitcoin.crypto`
			`function getAddress (node) {`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`return baddress.toBase58Check(bcrypto.hash160(node.publicKey), bitcoin.networks.bitcoin.pubKeyHash)`
rm getAddress 2018-05-22 09:43:25 +02:00			`}`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (dG \+ sha256(e * dG)G)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`function stealthSend (e, Q) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(Q, e, true) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var Qc = ecc.pointAddScalar(Q, c)`
			`var vG = bitcoin.ECPair.fromPublicKey(Qc)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`return vG`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`}`

stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`// v = (d + sha256(eG * d))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`function stealthReceive (d, eG) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(eG, d) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var dc = ecc.privateAdd(d, c)`
			`var v = bitcoin.ECPair.fromPrivateKey(dc)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00
stealth: more explicit inner variable names 2016-10-05 02:05:28 +02:00			`return v`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`}`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00
stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`// d = (v - sha256(e * dG))`
			`function stealthRecoverLeaked (v, e, Q) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(Q, e) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var vc = ecc.privateSub(v, c)`
			`var d = bitcoin.ECPair.fromPrivateKey(vc)`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00
stealth: clarify super simply 2016-12-10 02:34:06 +01:00			`return d`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`}`

stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (rG \+ sha256(e * dG)G)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualSend (e, R, Q) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(Q, e) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var Rc = ecc.pointAddScalar(R, c)`
			`var vG = bitcoin.ECPair.fromPublicKey(Rc)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return vG`
			`}`

stealth: use \+ to represent point addition 2016-12-10 05:01:41 +01:00			`// vG = (rG \+ sha256(eG * d)G)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualScan (d, R, eG) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(eG, d) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var Rc = ecc.pointAddScalar(R, c)`
			`var vG = bitcoin.ECPair.fromPublicKey(Rc)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return vG`
			`}`

stealth: d is not involved in the receiver private key 2016-12-10 04:33:51 +01:00			`// v = (r + sha256(eG * d))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`function stealthDualReceive (d, r, eG) {`
rm ecdsa, add new ECPair using secp256k1 2018-05-22 08:33:43 +02:00			`var eQ = ecc.pointMultiply(eG, d) // shared secret`
			`var c = bitcoin.crypto.sha256(eQ)`
			`var rc = ecc.privateAdd(r, c)`
			`var v = bitcoin.ECPair.fromPrivateKey(rc)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00
			`return v`
			`}`

tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`describe('bitcoinjs-lib (crypto)', function () {`
			`it('can generate a single-key stealth address', function () {`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`// XXX: should be randomly generated, see next test for example`
			`var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient`
			`var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forSender = stealthSend(nonce.privateKey, recipient.publicKey)`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forRecipient), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.equal(forRecipient.toWIF(), 'L1yjUN3oYyCXV3LcsBrmxCNTa62bZKWCybxVJMvqjMmmfDE8yk7n')`

			`// sender and recipient, both derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`})`

			`it('can generate a single-key stealth address (randomly)', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forSender = stealthSend(nonce.privateKey, recipient.publicKey)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)`
tests: improved readability for stealth address code 2016-08-17 05:06:31 +02:00			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// sender and recipient, both derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`})`

stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`it('can recover parent recipient.d, if a derived private key is leaked [and nonce was revealed]', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key (recipient.Q) to sender`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forSender = stealthSend(nonce.privateKey, recipient.publicKey)`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to recipient`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forRecipient = stealthReceive(recipient.privateKey, nonce.publicKey)`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// ... recipient accidentally leaks forRecipient.d on the blockchain`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var leaked = stealthRecoverLeaked(forRecipient.privateKey, nonce.privateKey, recipient.publicKey)`
stealth: add stealth child key recover example 2016-11-25 03:42:17 +01:00			`assert.equal(leaked.toWIF(), recipient.toWIF())`
			`})`

stealth: add randomly 2016-12-10 04:37:14 +01:00			`it('can generate a dual-key stealth address', function () {`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`// XXX: should be randomly generated, see next test for example`
			`var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient`
			`var scan = bitcoin.ECPair.fromWIF('L5DkCk3xLLoGKncqKsWQTdaPSR4V8gzc14WVghysQGkdryRudjBM') // private to scanner/recipient`
			`var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender`

			`// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forSender = stealthDualSend(nonce.privateKey, recipient.publicKey, scan.publicKey)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to scanner`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forScanner = stealthDualScan(scan.privateKey, recipient.publicKey, nonce.publicKey)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)`

			`// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forRecipient = stealthDualReceive(scan.privateKey, recipient.privateKey, nonce.publicKey)`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// scanner, sender and recipient, all derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forScanner))`
			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
stealth: add dual key example 2016-12-10 03:52:08 +01:00			`})`
stealth: add randomly 2016-12-10 04:37:14 +01:00
			`it('can generate a dual-key stealth address (randomly)', function () {`
			`var recipient = bitcoin.ECPair.makeRandom() // private to recipient`
			`var scan = bitcoin.ECPair.makeRandom() // private to scanner/recipient`
			`var nonce = bitcoin.ECPair.makeRandom() // private to sender`

			`// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forSender = stealthDualSend(nonce.privateKey, recipient.publicKey, scan.publicKey)`
stealth: add randomly 2016-12-10 04:37:14 +01:00			`assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)`

			`// ... sender reveals nonce public key (nonce.Q) to scanner`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forScanner = stealthDualScan(scan.privateKey, recipient.publicKey, nonce.publicKey)`
stealth: add randomly 2016-12-10 04:37:14 +01:00			`assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)`

			`// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient`
transition ECPair to properties over getters 2018-05-30 03:19:46 +02:00			`var forRecipient = stealthDualReceive(scan.privateKey, recipient.privateKey, nonce.publicKey)`
stealth: add randomly 2016-12-10 04:37:14 +01:00			`assert.doesNotThrow(function () { forRecipient.toWIF() })`

			`// scanner, sender and recipient, all derived same address`
rm getAddress 2018-05-22 09:43:25 +02:00			`assert.equal(getAddress(forSender), getAddress(forScanner))`
			`assert.equal(getAddress(forSender), getAddress(forRecipient))`
stealth: add randomly 2016-12-10 04:37:14 +01:00			`})`
tests/integration: separate crypto tests 2016-08-13 03:42:53 +02:00			`})`