# Encoding

Here we take an OP_RETURN payload from the Electrum BIE1 implementation and try to decode its constituent parts.

Note: decoding refers to eg turning base64 into asii. It should not be confused with decrypting, which is another process entirely.

We also decode the wallet private and public keys.

In [1]:
import binascii
import hashlib
import ecdsa
import codecs

from Crypto.Cipher import AES

import base64
import base58

### Bitcoin elliptic curve conventions

In [2]:
# secp256k1, http://www.oid-info.com/get/1.3.132.0.10
p_ec = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
r_ec = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
b_ec = 0x0000000000000000000000000000000000000000000000000000000000000007
a_ec = 0x0000000000000000000000000000000000000000000000000000000000000000
Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
curve_secp256k1 = ecdsa.ellipticcurve.CurveFp(p_ec, a_ec, b_ec)
generator_secp256k1 = ecdsa.ellipticcurve.Point(curve_secp256k1, Gx, Gy, r_ec)
oid_secp256k1 = (1, 3, 132, 0, 10)
SECP256k1 = ecdsa.curves.Curve("SECP256k1", curve_secp256k1, generator_secp256k1, oid_secp256k1)

### Decode Electrum payload

In [3]:
entire_package = 'QklFMQOzklE/S7Y7q25EbIRID6+l84voNQ5huAqcGgmKFYk39EJyEjlPQZ6tcYtBKRikhPe6phPsScTU5NvUUQnZc5HoHg/JRZ0qijLGvueEgMkEor03ruO4cxk0WsxClF13450='

entire_package = binascii.hexlify(base64.b64decode(entire_package))

print(entire_package)

b'4249453103b392513f4bb63bab6e446c84480fafa5f38be8350e61b80a9c1a098a158937f4427212394f419ead718b412918a484f7baa613ec49c4d4e4dbd45109d97391e81e0fc9459d2a8a32c6bee78480c904a2bd37aee3b87319345acc42945d77e39d'


In [4]:
# Split off protocol flag, ephemeral pub key, ciphertext and HMAC

BIE1 = entire_package[:8]
K = entire_package[8:74]             # 8 + 66 = 74  
ciphertext = entire_package[74:98]   # 74 + 24 = 98
HMAC = entire_package[98:122]         # 98 + 24 = 122

print(BIE1, 'in ascii is', binascii.unhexlify(BIE1))
print('K is', K)
print('ciphertext is', ciphertext)
print('HMAC is', HMAC)

b'42494531' in ascii is b'BIE1'
K is b'03b392513f4bb63bab6e446c84480fafa5f38be8350e61b80a9c1a098a158937f4'
ciphertext is b'427212394f419ead718b4129'
HMAC is b'18a484f7baa613ec49c4d4e4'


At present K is given as a compressed public key.

We would now like to write key in decompressd format.

In [5]:
# Taken from https://stackoverflow.com/questions/43629265/deriving-an-ecdsa-uncompressed-public-key-from-a-compressed-one

def pow_mod(x, y, z):
    "Calculate (x ** y) % z efficiently."
    number = 1
    while y:
        if y & 1:
            number = number * x % z
        y >>= 1
        x = x * x % z
    return number

# prime p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f

In [6]:
# bitcoin's compressed public key of private key 99700726144837597339837499243820914618717618365214734329132998527433625976967
compressed_key = K.decode("ascii") 

y_parity = int(compressed_key[:2]) - 2
x = int(compressed_key[2:], 16)

a = (pow_mod(x, 3, p) + 7) % p
y = pow_mod(a, (p+1)//4, p)

if y % 2 != y_parity:
    y = -y % p

uncompressed_key = '04{:x}{:x}'.format(x, y)
print(uncompressed_key) 

04b392513f4bb63bab6e446c84480fafa5f38be8350e61b80a9c1a098a158937f4383335171d29cc6387a5c18d5ccb57e859ff38f3fa1bb8e00475f093cadddfeb


In [7]:
# Turn uncompressed key into an elliptic curve point

PA = ecdsa.ellipticcurve.Point(ecdsa.SECP256k1.curve, int(uncompressed_key[2:66], 16), int(uncompressed_key[66:130], 16))
print(PA)

(81222520315766445915033933156108856478292330375403547871433300150780990928884,25419995136673019914281218521069623169807792832170161614421324055184750272491)


 ### Decode  keys from wallet

Bob's private key and public key.

I obtained this from my Electrum wallet

In [8]:
# The private key in wallet import format is in base64
priv = binascii.hexlify(base58.b58decode('L4cBnoBky32Drn56STohahrd7hutuKuDD5MJFbSTS53U6sLoR2zC'))
print(priv)                        

# The public key is in hex
pub = binascii.hexlify(codecs.decode('03f1fda2e261389cca99c13d85e7c27549d1f59891519aa1c533eb794aa187f58c', 'hex'))
print(pub)

b'80dc6c9c7a71c025a50238e4ca4ac33443cb88eb368a1ac64db8149d854cf2408701af4c9599'
b'03f1fda2e261389cca99c13d85e7c27549d1f59891519aa1c533eb794aa187f58c'


In [9]:
# Private key is in wallet import format
# https://en.bitcoin.it/wiki/Wallet_import_format
# Here we turn it into an actual private key encoded in hex format

print(priv) 
priv = priv[:-8]  #  remove last 4 bytes which is a checksum
print(priv)
priv = priv[2:]   # remove first byte which is mainnet/testnet flag
print(priv)
priv = priv[:-2]  #  remove last bytes which is a compressed public key flag


print('private key =', priv)

b'80dc6c9c7a71c025a50238e4ca4ac33443cb88eb368a1ac64db8149d854cf2408701af4c9599'
b'80dc6c9c7a71c025a50238e4ca4ac33443cb88eb368a1ac64db8149d854cf2408701'
b'dc6c9c7a71c025a50238e4ca4ac33443cb88eb368a1ac64db8149d854cf2408701'
private key = b'dc6c9c7a71c025a50238e4ca4ac33443cb88eb368a1ac64db8149d854cf24087'


In [10]:
def get_point_pubkey(point_input):
    if (point_input.y() % 2) == 1:
        result = '03' + '%064x' % point_input.x()
    else:
        result = '02' + '%064x' % point_input.x()
    return binascii.hexlify(codecs.decode(result, 'hex'))

In [11]:
#SB = int.from_bytes(priv, "little")  
SB = int(priv, 16)
print('Private key as integer =', SB)

PB = SB * generator_secp256k1

CompPB = get_point_pubkey(PB)

print('Compressed public key =', CompPB)

Private key as integer = 99700726144837597339837499243820914618717618365214734329132998527433625976967
Compressed public key = b'03f1fda2e261389cca99c13d85e7c27549d1f59891519aa1c533eb794aa187f58c'


In [12]:
# Check our calculation of the compressed public key is the same as the wallet calculation

CompPB == pub

True