Prevent malicious taproot commitment

Author: jonasnick

python/chilldkg_ref/chilldkg.py

@@ -684,6 +684,7 @@ def recover(
     certeq_verify(hostpubkeys, eq_input, cert)
 
     # Compute threshold pubkey and individual pubshares
+    sum_coms, secshare_tweak = sum_coms.invalid_taproot_commit()
     threshold_pubkey = sum_coms.commitment_to_secret()
     pubshares = [sum_coms.pubshare(i) for i in range(n)]
 
@@ -706,6 +707,7 @@ def recover(
             idx,
             enc_secshares[idx],
         )
+        secshare += secshare_tweak
 
         # This is just a sanity check. Our signature is valid, so we have done
         # this check already during the actual session.

python/chilldkg_ref/simplpedpop.py

@@ -2,7 +2,7 @@
 from typing import List, NamedTuple, NewType, Tuple, Optional, NoReturn
 
 from secp256k1proto.bip340 import schnorr_sign, schnorr_verify
-from secp256k1proto.secp256k1 import GE, Scalar
+from secp256k1proto.secp256k1 import G, GE, Scalar
 from .util import (
     BIP_TAG,
     SecretKeyError,
@@ -112,6 +112,7 @@ class ParticipantBlameState(NamedTuple):
     n: int
     idx: int
     secshare: Scalar
+    secshare_tweak: Scalar
     pubshare: GE
 
 
@@ -204,16 +205,20 @@ def participant_step2(
                 i, "Participant sent invalid proof-of-knowledge"
             )
     sum_coms = assemble_sum_coms(coms_to_secrets, sum_coms_to_nonconst_terms)
-    threshold_pubkey = sum_coms.commitment_to_secret()
-    pubshare = sum_coms.pubshare(idx)
+    sum_coms_tweaked, secshare_tweak = sum_coms.invalid_taproot_commit()
+    secshare += secshare_tweak
+    threshold_pubkey = sum_coms_tweaked.commitment_to_secret()
+    pubshare = sum_coms_tweaked.pubshare(idx)
 
     if not VSSCommitment.verify_secshare(secshare, pubshare):
         raise UnknownFaultyParticipantOrCoordinatorError(
-            ParticipantBlameState(n, idx, secshare, pubshare),
+            ParticipantBlameState(n, idx, secshare, secshare_tweak, pubshare),
             "Received invalid secshare, consider blaming to determine faulty party",
         )
 
-    pubshares = [sum_coms.pubshare(i) if i != idx else pubshare for i in range(n)]
+    pubshares = [
+        sum_coms_tweaked.pubshare(i) if i != idx else pubshare for i in range(n)
+    ]
     dkg_output = DKGOutput(
         secshare.to_bytes(),
         threshold_pubkey.to_bytes_compressed(),
@@ -228,13 +233,13 @@ def participant_blame(
     cblame: CoordinatorBlameMsg,
     partial_secshares: List[Scalar],
 ) -> NoReturn:
-    n, idx, secshare, pubshare = blame_state
+    n, idx, secshare, secshare_tweak, pubshare = blame_state
     partial_pubshares = cblame.partial_pubshares
 
-    if GE.sum(*partial_pubshares) != pubshare:
+    if GE.sum(*partial_pubshares) + secshare_tweak * G != pubshare:
         raise FaultyCoordinatorError("Sum of partial pubshares not equal to pubshare")
 
-    if Scalar.sum(*partial_secshares) != secshare:
+    if Scalar.sum(*partial_secshares) + secshare_tweak != secshare:
         raise SecshareSumError("Sum of partial secshares not equal to secshare")
 
     for i in range(n):
@@ -286,8 +291,9 @@ def coordinator_step(
     cmsg = CoordinatorMsg(coms_to_secrets, sum_coms_to_nonconst_terms, pops)
 
     sum_coms = assemble_sum_coms(coms_to_secrets, sum_coms_to_nonconst_terms)
-    threshold_pubkey = sum_coms.commitment_to_secret()
-    pubshares = [sum_coms.pubshare(i) for i in range(n)]
+    sum_coms_tweaked, secshare_tweak = sum_coms.invalid_taproot_commit()
+    threshold_pubkey = sum_coms_tweaked.commitment_to_secret()
+    pubshares = [sum_coms_tweaked.pubshare(i) for i in range(n)]
 
     dkg_output = DKGOutput(
         None,

python/chilldkg_ref/vss.py

@@ -1,8 +1,9 @@
 from __future__ import annotations
 
-from typing import List
+from typing import List, Tuple
 
 from secp256k1proto.secp256k1 import GE, G, Scalar
+from secp256k1proto.util import tagged_hash
 
 from .util import tagged_hash_bip_dkg
 
@@ -74,6 +75,32 @@ def commitment_to_secret(self) -> GE:
     def commitment_to_nonconst_terms(self) -> List[GE]:
         return self.ges[1 : self.t()]
 
+    def invalid_taproot_commit(self) -> Tuple[VSSCommitment, Scalar]:
+        # Create VSS commitment that Taproot-commits to a message that is
+        # invalid for BIP 341 script path spends.
+        #
+        # Specifically, for a VSS commitment `com`, we have:
+        # `com.add_invalid_taproot_commitment().commitment_to_secret() = com.commitment_to_secret() + t*G`.
+        #
+        # The tweak `t` commits to a message chosen such that the new
+        # `commitment_to_secret()` is unspendable via a BIP 341 Taproot script
+        # path.
+        #
+        # This prevents a malicious participant from secretly inserting a _valid_
+        # Taproot commitment to a script path into the summed VSS commitment during
+        # the DKG protocol. If the resulting threshold public key was used directly
+        # in a BIP 341 Taproot output, the malicious participant would be able to
+        # spend the output using their hidden script path.
+        #
+        # The function returns the updated VSS commitment and the tweak `t` which
+        # must be added to all secret shares of the commitment.
+        pk = self.commitment_to_secret()
+        secshare_tweak = Scalar.from_bytes(
+            tagged_hash("TapTweak", pk.to_bytes_compressed())
+        )
+        vss_tweak = VSSCommitment([secshare_tweak * G] + [GE()] * (self.t() - 1))
+        return (self + vss_tweak, secshare_tweak)
+
 
 class VSS:
     f: Polynomial