Add anti nonce sidechannel protocol for schnorrsigs

jonasnick · jonasnick · commit ae5fb7f8f143 · 2019-02-15T13:30:47.000Z
diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h
@@ -56,6 +56,85 @@ SECP256K1_API int secp256k1_schnorrsig_parse(
     const unsigned char *in64
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
+/** Anti Nonce Sidechannel Protocol
+ *
+ *  The next functions can be used to prevent a signing device from exfiltrating the secret signing
+ *  keys through biased signature nonces. The general idea is that a host provides additional
+ *  randomness to the signing device client and the client commits to the randomness in the nonce
+ *  using sign-to-contract.
+ *  In order to make the randomness unpredictable, the host and client must engage in a
+ *  commit-reveal protocol as follows:
+ *  1. The host draws the randomness, commits to it with the `anti_nonce_sidechan_host_commit`
+ *     function and sends the commitment to the client.
+ *  2. The client commits to its sign-to-contract original nonce (which is the nonce without the
+ *     sign-to-contract tweak) using the hosts commitment by calling the
+ *     `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit` function. The client sends the
+ *     rusulting commitment to the host
+ *  3. The host replies with the randomness generated in step 1.
+ *  4. The client signs with `schnorrsig_sign` using the host provided randomness as `s2c_data` and
+ *     sends the signature and opening to the host.
+ *  5. The host checks that the signature contains an sign-to-contract commitment to the randomness
+ *     by calling `secp256k1_schnorrsig_anti_nonce_sidechan_host_verify` with the client's
+ *     commitment from step 2 and the signature and opening received in step 4. If verification does
+ *     not succeed, the protocol failed and can be restarted.
+ */
+
+/** Create a randomness commitment on the host as part of the Anti Nonce Sidechannel Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:              ctx: pointer to a context object (cannot be NULL)
+ *  Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
+ *  In:             rand32: the 32-byte randomness to commit to (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(
+    secp256k1_context *ctx,
+    unsigned char *rand_commitment32,
+    const unsigned char *rand32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Compute commitment on the client as part of the Anti Nonce Sidechannel Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object (cannot be NULL)
+ *  Out:  client_commit: pointer to a pubkey where the clients public nonce will be
+ *                       placed. This is the public nonce before doing the
+ *                       sign-to-contract commitment to the hosts randomness (cannot
+ *                       be NULL)
+ *  In:           msg32: the 32-byte message hash to be signed (cannot be NULL)
+ *             seckey32: the 32-byte secret key used for signing (cannot be NULL)
+ *    rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(
+    secp256k1_context *ctx,
+    secp256k1_pubkey *client_commit,
+    const unsigned char *msg32,
+    const unsigned char *seckey32,
+    unsigned char *rand_commitment32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify that a clients signature contains the hosts randomness as part of the Anti
+ *  Nonce Sidechannel Protocol. Does not verify the signature itself.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:         ctx: pointer to a context object (cannot be NULL)
+ *  In:           sig: pointer to the signature whose randomness should be verified
+ *                     (cannot be NULL)
+ *             rand32: pointer to the 32-byte randomness from the host which should
+ *                     be included by the signature (cannot be NULL)
+ *            opening: pointer to the opening produced by the client when signing
+ *                     with `rand32` as `s2c_data` (cannot be NULL)
+ *      client_commit: pointer to the client's commitment created in
+ *                     `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit`
+ *                     (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(
+    secp256k1_context *ctx,
+    const secp256k1_schnorrsig *sig,
+    const unsigned char *rand32,
+    const secp256k1_s2c_opening *opening,
+    const secp256k1_pubkey *client_commit
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
 /** Create a Schnorr signature.
  *
  * Returns 1 on success, 0 on failure.
diff --git a/src/modules/schnorrsig/main_impl.h b/src/modules/schnorrsig/main_impl.h
@@ -53,6 +53,80 @@ int secp256k1_schnorrsig_verify_s2c_commit(const secp256k1_context* ctx, const s
     return secp256k1_ec_commit_verify(ctx, &pubnonce, &opening->original_pubnonce, data32, 32);
 }
 
+int secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(secp256k1_context *ctx, unsigned char *rand_commitment32, const unsigned char *rand32) {
+    secp256k1_sha256 sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+    ARG_CHECK(rand32 != NULL);
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, rand32, 32);
+    secp256k1_sha256_finalize(&sha, rand_commitment32);
+
+    return 1;
+}
+
+int secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(secp256k1_context *ctx, secp256k1_pubkey *client_commit, const unsigned char *msg32, const unsigned char *seckey32, unsigned char *rand_commitment32) {
+    unsigned char nonce32[32];
+    secp256k1_scalar k;
+    secp256k1_gej rj;
+    secp256k1_ge r;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(client_commit != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(seckey32 != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+
+    if (!secp256k1_nonce_function_bipschnorr(nonce32, msg32, seckey32, NULL, rand_commitment32, 0)) {
+        return 0;
+    }
+
+    secp256k1_scalar_set_b32(&k, nonce32, NULL);
+    if (secp256k1_scalar_is_zero(&k)) {
+        return 0;
+    }
+
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+    secp256k1_ge_set_gej(&r, &rj);
+    secp256k1_pubkey_save(client_commit, &r);
+    return 1;
+}
+
+SECP256K1_API int secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(secp256k1_context *ctx, const secp256k1_schnorrsig *sig, const unsigned char *rand32, const secp256k1_s2c_opening *opening, const secp256k1_pubkey *client_commit) {
+    secp256k1_ge gcommit;
+    secp256k1_ge gopening;
+    secp256k1_gej pj;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig != NULL);
+    ARG_CHECK(rand32 != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(client_commit != NULL);
+
+    /* Check that client_commit == opening->original_pubnonce */
+    secp256k1_gej_set_infinity(&pj);
+    if (!secp256k1_pubkey_load(ctx, &gcommit, client_commit)) {
+        return 0;
+    }
+    secp256k1_ge_neg(&gcommit, &gcommit);
+    secp256k1_gej_add_ge(&pj, &pj, &gcommit);
+    if (!secp256k1_pubkey_load(ctx, &gopening, &opening->original_pubnonce)) {
+        return 0;
+    }
+    secp256k1_gej_add_ge(&pj, &pj, &gopening);
+    if (!secp256k1_gej_is_infinity(&pj)) {
+        return 0;
+    }
+
+    if (!secp256k1_schnorrsig_verify_s2c_commit(ctx, sig, rand32, opening)) {
+        return 0;
+    }
+    return 1;
+}
+
 int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, secp256k1_s2c_opening *s2c_opening, const unsigned char *msg32, const unsigned char *seckey, const unsigned char *s2c_data32, secp256k1_nonce_function noncefp, void *ndata) {
     secp256k1_scalar x;
     secp256k1_scalar e;
diff --git a/src/modules/schnorrsig/tests_impl.h b/src/modules/schnorrsig/tests_impl.h
@@ -27,13 +27,16 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
     unsigned char msg[32];
     unsigned char data32[32];
     unsigned char s2c_data32[32];
+    unsigned char rand32[32];
+    unsigned char rand_commitment32[32];
     unsigned char sig64[64];
     secp256k1_pubkey pk[3];
     secp256k1_schnorrsig sig;
     const secp256k1_schnorrsig *sigptr = &sig;
     const unsigned char *msgptr = msg;
     const secp256k1_pubkey *pkptr = &pk[0];
     secp256k1_s2c_opening s2c_opening;
+    secp256k1_pubkey client_commit;
     unsigned char ones[32];
 
     /** setup **/
@@ -124,6 +127,48 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
         CHECK(ecount == 5);
     }
 
+    secp256k1_rand256(rand32);
+    ecount = 0;
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(none, rand_commitment32, rand32) == 1);
+    CHECK(ecount == 0);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(none, NULL, rand32) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(none, rand_commitment32, NULL) == 0);
+    CHECK(ecount == 2);
+
+    ecount = 0;
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(sign, &client_commit, msg, sk1, rand_commitment32) == 1);
+    CHECK(ecount == 0);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(none, &client_commit, msg, sk1, rand_commitment32) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(sign, NULL, msg, sk1, rand_commitment32) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(sign, &client_commit, NULL, sk1, rand_commitment32) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(sign, &client_commit, msg, NULL, rand_commitment32) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(sign, &client_commit, msg, sk1, NULL) == 0);
+    CHECK(ecount == 5);
+
+    CHECK(secp256k1_schnorrsig_sign(sign, &sig, &s2c_opening, msg, sk1, rand32, NULL, NULL) == 1);
+
+    ecount = 0;
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(ctx, &sig, rand32, &s2c_opening, &client_commit) == 1);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(none, &sig, rand32, &s2c_opening, &client_commit) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(sign, &sig, rand32, &s2c_opening, &client_commit) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(vrfy, &sig, rand32, &s2c_opening, &client_commit) == 1);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(vrfy, NULL, rand32, &s2c_opening, &client_commit) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(vrfy, &sig, NULL, &s2c_opening, &client_commit) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(vrfy, &sig, rand32, NULL, &client_commit) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(vrfy, &sig, rand32, &s2c_opening, NULL) == 0);
+    CHECK(ecount == 6);
+
     ecount = 0;
     CHECK(secp256k1_schnorrsig_verify(none, &sig, msg, &pk[0]) == 0);
     CHECK(ecount == 1);
@@ -807,6 +852,45 @@ void test_schnorrsig_s2c_commit_verify(void) {
     }
 }
 
+void test_schnorrsig_anti_nonce_sidechannel(void) {
+    unsigned char msg32[32];
+    unsigned char key32[32];
+    unsigned char rand32[32];
+    unsigned char rand_commitment32[32];
+    secp256k1_s2c_opening s2c_opening;
+    secp256k1_pubkey client_commit;
+    secp256k1_schnorrsig sig;
+
+    secp256k1_rand256(msg32);
+    secp256k1_rand256(key32);
+    secp256k1_rand256(rand32);
+
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(ctx, rand_commitment32, rand32) == 1);
+
+    /* Host sends rand_commitment32 to client. */
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(ctx, &client_commit, msg32, key32, rand_commitment32) == 1);
+    /* Client sends client_commit to host. Host replies with rand32. */
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &s2c_opening, msg32, key32, rand32, NULL, NULL) == 1);
+    /* Client sends signature to host. */
+    CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(ctx, &sig, rand32, &s2c_opening, &client_commit) == 1);
+
+    {
+        /* Signature without commitment to randomness fails verification */
+        secp256k1_schnorrsig sig_tmp;
+        CHECK(secp256k1_schnorrsig_sign(ctx, &sig_tmp, NULL, msg32, key32, NULL, NULL, NULL) == 1);
+        CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(ctx, &sig_tmp, rand32, &s2c_opening, &client_commit) == 0);
+    }
+    {
+        /* If sign-to-contract opening doesn't match commitment, verification fails */
+        secp256k1_schnorrsig sig_tmp;
+        secp256k1_s2c_opening s2c_opening_tmp;
+        unsigned char rand32_tmp[32];
+        secp256k1_rand256(rand32_tmp);
+        CHECK(secp256k1_schnorrsig_sign(ctx, &sig_tmp, &s2c_opening_tmp, msg32, key32, rand32_tmp, NULL, NULL) == 1);
+        CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_host_verify(ctx, &sig_tmp, rand32, &s2c_opening_tmp, &client_commit) == 0);
+    }
+}
+
 void run_schnorrsig_tests(void) {
     int i;
     secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);
@@ -821,6 +905,8 @@ void run_schnorrsig_tests(void) {
          * a test. */
         test_schnorrsig_s2c_commit_verify();
     }
+    test_schnorrsig_anti_nonce_sidechannel();
+
     secp256k1_scratch_space_destroy(scratch);
 }
 
