Allow creating and verifying Schnorr sign-to-contract commitments

Author: jonasnick

include/secp256k1_schnorrsig.h

@@ -61,19 +61,24 @@ SECP256K1_API int secp256k1_schnorrsig_parse(
  * Returns 1 on success, 0 on failure.
  *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
  *  Out:     sig: pointer to the returned signature (cannot be NULL)
- *       nonce_is_negated: a pointer to an integer indicates if signing algorithm negated the
- *                nonce (can be NULL)
+ *      s2c_data: pointer to an secp256k1_s2c_opening structure which can be
+ *                NULL but is required to be not NULL if this signature creates
+ *                a sign-to-contract commitment (i.e. the `s2c_data` argument
+ *                is not NULL).
  *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
  *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *    s2c_data32: pointer to a 32-byte data to create an optional
+ *                sign-to-contract commitment to if non-NULL (non-NULL).
  *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bipschnorr is used
  *         ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
  */
 SECP256K1_API int secp256k1_schnorrsig_sign(
     const secp256k1_context* ctx,
     secp256k1_schnorrsig *sig,
-    int *nonce_is_negated,
+    secp256k1_s2c_opening *s2c_opening,
     const unsigned char *msg32,
     const unsigned char *seckey,
+    const unsigned char *s2c_data32,
     secp256k1_nonce_function noncefp,
     void *ndata
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
@@ -115,4 +120,21 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch
     const secp256k1_pubkey *const *pk,
     size_t n_sigs
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
+/** Verify a sign-to-contract commitment.
+ *
+ *  Returns: 1: the signature contains a commitment to data32
+ *           0: incorrect opening
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature containing the sign-to-contract commitment (cannot be NULL)
+ *        data32: the 32-byte data that was committed to (cannot be NULL)
+ *       opening: pointer to the opening created during signing (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_schnorrsig_verify_s2c_commit(
+    const secp256k1_context* ctx,
+    const secp256k1_schnorrsig *sig,
+    const unsigned char *data32,
+    const secp256k1_s2c_opening *opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #endif

src/bench_schnorrsig.c

@@ -35,7 +35,7 @@ void bench_schnorrsig_sign(void* arg) {
         msg[1] = i >> 8;
         sk[0] = i;
         sk[1] = i >> 8;
-        CHECK(secp256k1_schnorrsig_sign(data->ctx, &sig, NULL, msg, sk, NULL, NULL));
+        CHECK(secp256k1_schnorrsig_sign(data->ctx, &sig, NULL, msg, sk, NULL, NULL, NULL));
     }
 }
 
@@ -100,7 +100,7 @@ int main(void) {
 
         CHECK(secp256k1_ec_pubkey_create(data.ctx, &pk, sk));
         CHECK(secp256k1_ec_pubkey_serialize(data.ctx, pk_char, &pk_len, &pk, SECP256K1_EC_COMPRESSED) == 1);
-        CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, NULL, msg, sk, NULL, NULL));
+        CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, NULL, msg, sk, NULL, NULL, NULL));
     }
 
     run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, 1000);

src/modules/schnorrsig/main_impl.h

@@ -29,7 +29,31 @@ int secp256k1_schnorrsig_parse(const secp256k1_context* ctx, secp256k1_schnorrsi
     return 1;
 }
 
-int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, int *nonce_is_negated, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, void *ndata) {
+int secp256k1_schnorrsig_verify_s2c_commit(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *data32, const secp256k1_s2c_opening *opening) {
+    secp256k1_fe rx;
+    secp256k1_ge R;
+    secp256k1_pubkey pubnonce;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig != NULL);
+    ARG_CHECK(data32 != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(secp256k1_s2c_commit_is_init(opening));
+
+    if (!secp256k1_fe_set_b32(&rx, &sig->data[0])) {
+        return 0;
+    }
+    if (!secp256k1_ge_set_xquad(&R, &rx)) {
+        return 0;
+    }
+    if (opening->nonce_is_negated) {
+        secp256k1_ge_neg(&R, &R);
+    }
+    secp256k1_pubkey_save(&pubnonce, &R);
+    return secp256k1_ec_commit_verify(ctx, &pubnonce, &opening->original_pubnonce, data32, 32);
+}
+
+int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, secp256k1_s2c_opening *s2c_opening, const unsigned char *msg32, const unsigned char *seckey, const unsigned char *s2c_data32, secp256k1_nonce_function noncefp, void *ndata) {
     secp256k1_scalar x;
     secp256k1_scalar e;
     secp256k1_scalar k;
@@ -41,12 +65,17 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     int overflow;
     unsigned char buf[33];
     size_t buflen = sizeof(buf);
+    unsigned char noncedata[32];
 
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
     ARG_CHECK(sig != NULL);
     ARG_CHECK(msg32 != NULL);
     ARG_CHECK(seckey != NULL);
+    /* sign-to-contract commitments only work with the default nonce function,
+     * because we need to ensure that s2c_data is actually hashed into the nonce and
+     * not just ignored. */
+    ARG_CHECK(s2c_data32 == NULL || (noncefp == NULL || noncefp == secp256k1_nonce_function_bipschnorr));
 
     if (noncefp == NULL) {
         noncefp = secp256k1_nonce_function_bipschnorr;
@@ -61,6 +90,24 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pkj, &x);
     secp256k1_ge_set_gej(&pk, &pkj);
 
+    if(s2c_data32 != NULL) {
+        /* Provide s2c_data32 and ndata (if not NULL) to the the nonce function
+         * as additional data to derive the nonce from. If both pointers are
+         * not NULL, they need to be hashed to get the nonce data 32 bytes.
+         * Even if only s2c_data32 is not NULL, it's hashed because it should
+         * be possible to derive nonces even if only a SHA256 commitment to the
+         * data is known.  This is for example important in the
+         * anti-nonce-sidechannel protocol.
+         */
+        secp256k1_sha256_initialize(&sha);
+        secp256k1_sha256_write(&sha, s2c_data32, 32);
+        if (ndata != NULL) {
+            secp256k1_sha256_write(&sha, ndata, 32);
+        }
+        secp256k1_sha256_finalize(&sha, noncedata);
+        ndata = &noncedata;
+    }
+
     if (!noncefp(buf, msg32, seckey, NULL, (void*)ndata, 0)) {
         return 0;
     }
@@ -71,14 +118,21 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
 
     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
     secp256k1_ge_set_gej(&r, &rj);
-
-    if (nonce_is_negated != NULL) {
-        *nonce_is_negated = 0;
+    if (s2c_opening != NULL) {
+        secp256k1_s2c_opening_init(s2c_opening);
+        if (s2c_data32 != NULL) {
+            /* Create sign-to-contract commitment */
+            secp256k1_pubkey_save(&s2c_opening->original_pubnonce, &r);
+            secp256k1_ec_commit_seckey(ctx, buf, &s2c_opening->original_pubnonce, s2c_data32, 32);
+            secp256k1_scalar_set_b32(&k, buf, NULL);
+            secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+            secp256k1_ge_set_gej(&r, &rj);
+        }
     }
     if (!secp256k1_fe_is_quad_var(&r.y)) {
         secp256k1_scalar_negate(&k, &k);
-        if (nonce_is_negated != NULL) {
-            *nonce_is_negated = 1;
+        if (s2c_opening != NULL) {
+            s2c_opening->nonce_is_negated = 1;
         }
     }
     secp256k1_fe_normalize(&r.x);

src/modules/schnorrsig/tests_impl.h

@@ -25,20 +25,24 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
     unsigned char sk2[32];
     unsigned char sk3[32];
     unsigned char msg[32];
+    unsigned char data32[32];
+    unsigned char s2c_data32[32];
     unsigned char sig64[64];
     secp256k1_pubkey pk[3];
     secp256k1_schnorrsig sig;
     const secp256k1_schnorrsig *sigptr = &sig;
     const unsigned char *msgptr = msg;
     const secp256k1_pubkey *pkptr = &pk[0];
-    int nonce_is_negated;
+    secp256k1_s2c_opening s2c_opening;
+    unsigned char ones[32];
 
     /** setup **/
     secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
     secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
     secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
     secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
     int ecount;
+    memset(ones, 0xff, 32);
 
     secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
     secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
@@ -59,20 +63,25 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
 
     /** main test body **/
     ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign(none, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(none, &sig, &s2c_opening, msg, sk1, s2c_data32, NULL, NULL) == 0);
     CHECK(ecount == 1);
-    CHECK(secp256k1_schnorrsig_sign(vrfy, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(vrfy, &sig, &s2c_opening, msg, sk1, s2c_data32, NULL, NULL) == 0);
     CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, sk1, s2c_data32, NULL, NULL) == 1);
     CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign(sign, NULL, &nonce_is_negated, msg, sk1, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(sign, NULL, &s2c_opening, msg, sk1, s2c_data32, NULL, NULL) == 0);
     CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_sign(sign, &sig, NULL, msg, sk1, NULL, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, NULL, msg, sk1, s2c_data32, NULL, NULL) == 1);
     CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, NULL, sk1, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, NULL, sk1, s2c_data32, NULL, NULL) == 0);
     CHECK(ecount == 4);
-    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, NULL, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, NULL, s2c_data32, NULL, NULL) == 0);
     CHECK(ecount == 5);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, sk1, NULL, NULL, NULL) == 1);
+    CHECK(ecount == 5);
+    /* s2c commitments with a different nonce function than bipschnorr are not allowed */
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, sk1, s2c_data32, secp256k1_nonce_function_rfc6979, NULL) == 0);
+    CHECK(ecount == 6);
 
     ecount = 0;
     CHECK(secp256k1_schnorrsig_serialize(none, sig64, &sig) == 1);
@@ -88,6 +97,33 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
     CHECK(secp256k1_schnorrsig_parse(none, &sig, NULL) == 0);
     CHECK(ecount == 4);
 
+    /* Create sign-to-contract commitment to data32 for testing verify_s2c_commit */
+    secp256k1_rand256(data32);
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, sk1, data32, NULL, NULL) == 1);
+    ecount = 0;
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(none, &sig, data32, &s2c_opening) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, &sig, data32, &s2c_opening) == 1);
+    CHECK(ecount == 1);
+    {
+        /* Overflowing x-coordinate in signature */
+        secp256k1_schnorrsig sig_tmp = sig;
+        memcpy(&sig_tmp.data[0], ones, 32);
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, &sig_tmp, data32, &s2c_opening) == 0);
+    }
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, NULL, data32, &s2c_opening) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, &sig, NULL, &s2c_opening) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, &sig, data32, NULL) == 0);
+    CHECK(ecount == 4);
+    {
+        /* Verification with uninitialized s2c_opening should fail */
+        secp256k1_s2c_opening s2c_opening_tmp;
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(vrfy, &sig, data32, &s2c_opening_tmp) == 0);
+        CHECK(ecount == 5);
+    }
+
     ecount = 0;
     CHECK(secp256k1_schnorrsig_verify(none, &sig, msg, &pk[0]) == 0);
     CHECK(ecount == 1);
@@ -134,10 +170,10 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un
     secp256k1_schnorrsig sig;
     unsigned char serialized_sig[64];
     secp256k1_pubkey pk;
-    int nonce_is_negated;
+    secp256k1_s2c_opening s2c_opening;
 
-    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &nonce_is_negated, msg, sk, NULL, NULL));
-    CHECK(nonce_is_negated == expected_nonce_is_negated);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &s2c_opening, msg, sk, NULL, NULL, NULL));
+    CHECK(s2c_opening.nonce_is_negated == expected_nonce_is_negated);
     CHECK(secp256k1_schnorrsig_serialize(ctx, serialized_sig, &sig));
     CHECK(memcmp(serialized_sig, expected_sig, 64) == 0);
 
@@ -639,15 +675,15 @@ void test_schnorrsig_sign(void) {
     secp256k1_schnorrsig sig;
 
     memset(sk, 23, sizeof(sk));
-    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL, NULL) == 1);
 
     /* Overflowing secret key */
     memset(sk, 0xFF, sizeof(sk));
-    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL, NULL) == 0);
     memset(sk, 23, sizeof(sk));
 
-    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_failing, NULL) == 0);
-    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_0, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, nonce_function_failing, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, nonce_function_0, NULL) == 0);
 }
 
 #define N_SIGS  200
@@ -669,7 +705,7 @@ void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) {
 
     for (i = 0; i < N_SIGS; i++) {
         secp256k1_rand256(msg[i]);
-        CHECK(secp256k1_schnorrsig_sign(ctx, &sig[i], NULL, msg[i], sk, NULL, NULL));
+        CHECK(secp256k1_schnorrsig_sign(ctx, &sig[i], NULL, msg[i], sk, NULL, NULL, NULL));
         CHECK(secp256k1_schnorrsig_verify(ctx, &sig[i], msg[i], &pk));
         sig_arr[i] = &sig[i];
         msg_arr[i] = msg[i];
@@ -711,15 +747,80 @@ void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) {
 }
 #undef N_SIGS
 
+void test_schnorrsig_s2c_commit_verify(void) {
+    unsigned char data32[32];
+    secp256k1_schnorrsig sig;
+    secp256k1_s2c_opening s2c_opening;
+    unsigned char msg[32];
+    unsigned char sk[32];
+    secp256k1_pubkey pk;
+    unsigned char noncedata[32];
+
+    secp256k1_rand256(data32);
+    secp256k1_rand256(msg);
+    secp256k1_rand256(sk);
+    secp256k1_rand256(noncedata);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+
+    /* Create and verify correct commitment */
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &s2c_opening, msg, sk, data32, NULL, noncedata) == 1);
+    CHECK(secp256k1_schnorrsig_verify(ctx, &sig, msg, &pk));
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig, data32, &s2c_opening) == 1);
+    {
+        /* verify_s2c_commit fails if nonce_is_negated is wrong */
+        secp256k1_s2c_opening s2c_opening_tmp;
+        s2c_opening_tmp = s2c_opening;
+        s2c_opening_tmp.nonce_is_negated = !s2c_opening.nonce_is_negated;
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig, data32, &s2c_opening_tmp) == 0);
+    }
+    {
+        /* verify_s2c_commit fails if given data does not match committed data */
+        unsigned char data32_tmp[32];
+        memcpy(data32_tmp, data32, sizeof(data32_tmp));
+        data32_tmp[31] ^= 1;
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig, data32_tmp, &s2c_opening) == 0);
+    }
+    {
+        /* verify_s2c_commit fails if signature does not commit to data */
+        secp256k1_schnorrsig sig_tmp;
+        sig_tmp = sig;
+        secp256k1_rand256(&sig_tmp.data[0]);
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig_tmp, data32, &s2c_opening) == 0);
+    }
+    {
+        /* A commitment to different data creates a different original_pubnonce
+         * (i.e. data is hashed into the nonce) */
+        secp256k1_s2c_opening s2c_opening_tmp;
+        secp256k1_schnorrsig sig_tmp;
+        unsigned char data32_tmp[32];
+        unsigned char serialized_nonce[33];
+        unsigned char serialized_nonce_tmp[33];
+        size_t outputlen = 33;
+        secp256k1_rand256(data32_tmp);
+        CHECK(secp256k1_schnorrsig_sign(ctx, &sig_tmp, &s2c_opening_tmp, msg, sk, data32_tmp, NULL, NULL) == 1);
+        CHECK(secp256k1_schnorrsig_verify(ctx, &sig_tmp, msg, &pk));
+        CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig_tmp, data32_tmp, &s2c_opening_tmp) == 1);
+        secp256k1_ec_pubkey_serialize(ctx, serialized_nonce, &outputlen, &s2c_opening.original_pubnonce, SECP256K1_EC_COMPRESSED);
+        secp256k1_ec_pubkey_serialize(ctx, serialized_nonce_tmp, &outputlen, &s2c_opening_tmp.original_pubnonce, SECP256K1_EC_COMPRESSED);
+        CHECK(outputlen == 33);
+        CHECK(memcmp(serialized_nonce, serialized_nonce_tmp, outputlen) != 0);
+    }
+}
+
 void run_schnorrsig_tests(void) {
+    int i;
     secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);
 
     test_schnorrsig_serialize();
     test_schnorrsig_api(scratch);
     test_schnorrsig_bip_vectors(scratch);
     test_schnorrsig_sign();
     test_schnorrsig_sign_verify(scratch);
-
+    for (i = 0; i < count; i++) {
+        /* Run multiple times to increase probability that the nonce is negated in
+         * a test. */
+        test_schnorrsig_s2c_commit_verify();
+    }
     secp256k1_scratch_space_destroy(scratch);
 }