Merge #779: Add signature grinding for ECDSA signatures

danielabrozzoni · danielabrozzoni · commit 1c76084db865 · 2022-10-17T11:48:19.000+01:00
68dd6d2 Add signature grinding for ECDSA signatures (Vladimir Fomene) Pull request description: ### Description This PR adds a new field called `allow_grinding` in the Signer's `SignOptions` struct that is used to determine whether or not to grind an ECDSA signature during the signing process. ### Changelog notice Breaking change: the BDK Signer now produces low-R signatures by default, saving one byte. If you want to preserve the original behavior, set `allow_grinding` in the `SignOptions` to `false`. ### Notes to the reviewers This PR resolves issue #695 #### All Submissions: * [x] I've signed all my commits * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md) * [x] I ran `cargo fmt` and `cargo clippy` before committing #### New Features: * [ ] I've added tests for the new feature * [x] I've added docs for the new feature #### Bugfixes: * [ ] This pull request breaks the existing API * [ ] I've added tests to reproduce the issue which are now passing * [x] I'm linking the issue being fixed by this PR ACKs for top commit: danielabrozzoni: ACK 68dd6d2 rajarshimaitra: ACK 68dd6d2 Tree-SHA512: 6472338c611b4b32986cf66fcd313ef84f17f5b0ae9e7991ea7da47142641ab812f8b325d4d18314e1a58abe462683101160e62e2363a048fdab3f18aee4d699
diff --git a/src/wallet/mod.rs b/src/wallet/mod.rs
@@ -5524,6 +5524,7 @@ pub(crate) mod test {
                     SignOptions {
                         remove_partial_sigs: false,
                         try_finalize: false,
+                        allow_grinding: false,
                         ..Default::default()
                     },
                 )
@@ -5538,6 +5539,7 @@ pub(crate) mod test {
                 &mut psbt,
                 SignOptions {
                     remove_partial_sigs: false,
+                    allow_grinding: false,
                     ..Default::default()
                 },
             )
@@ -5546,6 +5548,39 @@ pub(crate) mod test {
         assert_fee_rate!(psbt, details.fee.unwrap_or(0), fee_rate);
     }
 
+    #[test]
+    fn test_fee_rate_sign_grinding_low_r() {
+        // Our goal is to obtain a transaction with a signature with low-R (70 bytes)
+        // by setting the `allow_grinding` signing option as true.
+        // We then check that our fee rate and fee calculation is alright and that our
+        // signature is 70 bytes.
+        let (wallet, _, _) = get_funded_wallet("wpkh(tprv8ZgxMBicQKsPd3EupYiPRhaMooHKUHJxNsTfYuScep13go8QFfHdtkG9nRkFGb7busX4isf6X9dURGCoKgitaApQ6MupRhZMcELAxTBRJgS/*)");
+        let addr = wallet.get_address(New).unwrap();
+        let fee_rate = FeeRate::from_sat_per_vb(1.0);
+        let mut builder = wallet.build_tx();
+        builder
+            .drain_to(addr.script_pubkey())
+            .drain_wallet()
+            .fee_rate(fee_rate);
+        let (mut psbt, details) = builder.finish().unwrap();
+
+        wallet
+            .sign(
+                &mut psbt,
+                SignOptions {
+                    remove_partial_sigs: false,
+                    allow_grinding: true,
+                    ..Default::default()
+                },
+            )
+            .unwrap();
+
+        let key = psbt.inputs[0].partial_sigs.keys().next().unwrap();
+        let sig_len = psbt.inputs[0].partial_sigs[key].sig.serialize_der().len();
+        assert_eq!(sig_len, 70);
+        assert_fee_rate!(psbt, details.fee.unwrap_or(0), fee_rate);
+    }
+
     #[cfg(feature = "test-hardware-signer")]
     #[test]
     fn test_create_signer() {
diff --git a/src/wallet/signer.rs b/src/wallet/signer.rs
@@ -472,6 +472,7 @@ impl InputSigner for SignerWrapper<PrivateKey> {
             hash,
             hash_ty,
             secp,
+            sign_options.allow_grinding,
         );
 
         Ok(())
@@ -485,9 +486,14 @@ fn sign_psbt_ecdsa(
     hash: bitcoin::Sighash,
     hash_ty: EcdsaSighashType,
     secp: &SecpCtx,
+    allow_grinding: bool,
 ) {
     let msg = &Message::from_slice(&hash.into_inner()[..]).unwrap();
-    let sig = secp.sign_ecdsa(msg, secret_key);
+    let sig = if allow_grinding {
+        secp.sign_ecdsa_low_r(msg, secret_key)
+    } else {
+        secp.sign_ecdsa(msg, secret_key)
+    };
     secp.verify_ecdsa(msg, &sig, &pubkey.inner)
         .expect("invalid or corrupted ecdsa signature");
 
@@ -718,6 +724,11 @@ pub struct SignOptions {
     ///
     /// Defaults to `true`, i.e., we always try to sign with the taproot internal key.
     pub sign_with_tap_internal_key: bool,
+
+    /// Whether we should grind ECDSA signature to ensure signing with low r
+    /// or not.
+    /// Defaults to `true`, i.e., we always grind ECDSA signature to sign with low r.
+    pub allow_grinding: bool,
 }
 
 /// Customize which taproot script-path leaves the signer should sign.
@@ -751,6 +762,7 @@ impl Default for SignOptions {
             try_finalize: true,
             tap_leaves_options: TapLeavesOptions::default(),
             sign_with_tap_internal_key: true,
+            allow_grinding: true,
         }
     }
 }
