Add and expose sign-to-contract opening with parse and serialize functions

jonasnick · benma · commit 4c0c66dece35 · 2019-07-18T13:08:10.000+02:00
diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -6,6 +6,7 @@ extern "C" {
 #endif
 
 #include <stddef.h>
+#include <stdint.h>
 
 /* These rules specify the order of arguments in API calls:
  *
@@ -81,6 +82,29 @@ typedef struct {
     unsigned char data[64];
 } secp256k1_ecdsa_signature;
 
+/** Data structure that holds a sign-to-contract ("s2c") opening information.
+ *  Sign-to-contract allows a signer to commit to some data as part of a signature. It
+ *  can be used as an Out-argument in certain signing functions.
+ *
+ *  This structure is not opaque, but it is strongly discouraged to read or write to
+ *  it directly.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It can
+ *  be safely copied/moved.
+ */
+typedef struct {
+    /* magic is set during initialization */
+    uint64_t magic;
+    /* Public nonce before applying the sign-to-contract commitment */
+    secp256k1_pubkey original_pubnonce;
+    /* Byte indicating if signing algorithm negated the nonce. Alternatively when
+     * verifying we could compute the EC commitment of original_pubnonce and the
+     * data and negate if this would not be a valid nonce. But this would prevent
+     * batch verification of sign-to-contract commitments. */
+    int nonce_is_negated;
+} secp256k1_s2c_opening;
+
 /** A pointer to a function to deterministically generate a nonce.
  *
  * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
@@ -444,6 +468,37 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
     const secp256k1_ecdsa_signature* sig
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
+/** Parse a sign-to-contract opening.
+ *
+ *  Returns: 1 if the opening was fully valid.
+ *           0 if the opening could not be parsed or is invalid.
+ *  Args:    ctx: a secp256k1 context object.
+ *  Out: opening: pointer to an opening object. If 1 is returned, it is set to a
+ *                 parsed version of input. If not, its value is undefined.
+ *  In:  input34: pointer to 34-byte array with a serialized opening
+ *
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_s2c_opening_parse(
+    const secp256k1_context* ctx,
+    secp256k1_s2c_opening* opening,
+    const unsigned char *input34
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a sign-to-contract opening into a byte sequence.
+ *
+ *  Returns: 1 if the opening was successfully serialized.
+ *           0 if the opening was not initializaed.
+ *  Args:     ctx: a secp256k1 context object.
+ *  Out: output34: pointer to a 34-byte array to place the serialized opening
+ *                 in.
+ *  In:   opening: a pointer to an initialized `secp256k1_s2c_opening`.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_s2c_opening_serialize(
+    const secp256k1_context* ctx,
+    unsigned char *output34,
+    const secp256k1_s2c_opening* opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
 /** Verify an ECDSA signature.
  *
  *  Returns: 1: correct signature
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -764,6 +764,39 @@ static int secp256k1_ec_commit_verify(const secp256k1_context* ctx, const secp25
     return secp256k1_gej_is_infinity(&pj);
 }
 
+static uint64_t s2c_opening_magic = 0x5d0520b8b7f2b168ULL;
+
+static void secp256k1_s2c_opening_init(secp256k1_s2c_opening *opening) {
+    opening->magic = s2c_opening_magic;
+    opening->nonce_is_negated = 0;
+}
+
+static int secp256k1_s2c_commit_is_init(const secp256k1_s2c_opening *opening) {
+    return opening->magic == s2c_opening_magic;
+}
+
+int secp256k1_s2c_opening_parse(const secp256k1_context* ctx, secp256k1_s2c_opening* opening, const unsigned char *input34) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(input34 != NULL);
+
+    secp256k1_s2c_opening_init(opening);
+    opening->nonce_is_negated = input34[0];
+    return secp256k1_ec_pubkey_parse(ctx, &opening->original_pubnonce, &input34[1], 33);
+}
+
+int secp256k1_s2c_opening_serialize(const secp256k1_context* ctx, unsigned char *output34, const secp256k1_s2c_opening* opening) {
+    size_t outputlen = 33;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output34 != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(secp256k1_s2c_commit_is_init(opening));
+
+    output34[0] = opening->nonce_is_negated;
+    return secp256k1_ec_pubkey_serialize(ctx, &output34[1], &outputlen, &opening->original_pubnonce, SECP256K1_EC_COMPRESSED);
+}
+
 #ifdef ENABLE_MODULE_ECDH
 # include "modules/ecdh/main_impl.h"
 #endif
diff --git a/src/tests.c b/src/tests.c
@@ -4183,6 +4183,59 @@ void run_eckey_edge_case_test(void) {
     secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
 }
 
+
+void run_s2c_opening_test(void) {
+    int i = 0;
+    unsigned char output[34];
+    unsigned char input[34] = {
+            0x01,
+            0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x02
+    };
+    secp256k1_s2c_opening opening;
+    size_t ecount = 0;
+
+    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+
+    /* Uninitialized opening can't be serialized. Actually testing that would be
+     * undefined behavior. Therefore we simulate it by setting the opening to 0. */
+    memset(&opening, 0, sizeof(opening));
+    CHECK(ecount == 0);
+    CHECK(secp256k1_s2c_opening_serialize(ctx, output, &opening) == 0);
+    CHECK(ecount == 1);
+
+    /* First parsing, then serializing works */
+    CHECK(secp256k1_s2c_opening_parse(ctx, &opening, input) == 1);
+    CHECK(secp256k1_s2c_opening_serialize(ctx, output, &opening) == 1);
+
+    {
+        /* Invalid pubkey makes parsing fail */
+        unsigned char input_tmp[34];
+        memcpy(input_tmp, input, sizeof(input_tmp));
+        input_tmp[33] = 0;
+        CHECK(secp256k1_s2c_opening_parse(ctx, &opening, input_tmp) == 0);
+    }
+
+    /* Try parsing and serializing a bunch of openings */
+    do {
+        /* This is expected to fail in about 50% of iterations because the
+         * points' x-coordinates are uniformly random */
+        if (secp256k1_s2c_opening_parse(ctx, &opening, input) == 1) {
+            CHECK(secp256k1_s2c_opening_serialize(ctx, output, &opening) == 1);
+            CHECK(memcmp(output, input, 34) == 0);
+        }
+        secp256k1_rand256(input);
+        /* nonce_is_negated */
+        input[0] = input[0] & 1;
+        /* oddness */
+        input[1] = (input[1] % 2) + 2;
+        i++;
+    } while(i < count);
+}
+
 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
     secp256k1_scalar nonce;
     do {
@@ -5350,6 +5403,8 @@ int main(int argc, char **argv) {
     /* EC key edge cases */
     run_eckey_edge_case_test();
 
+    run_s2c_opening_test();
+
 #ifdef ENABLE_MODULE_ECDH
     /* ecdh tests */
     run_ecdh_tests();
