ecdsa_sign_to_contract: add Anti Nonce Covert Channel util functions

benma · benma · commit d459059de93d · 2019-07-29T19:23:26.000+02:00
diff --git a/include/secp256k1_ecdsa_sign_to_contract.h b/include/secp256k1_ecdsa_sign_to_contract.h
@@ -54,6 +54,74 @@ SECP256K1_API int secp256k1_ecdsa_s2c_verify_commit(
     const secp256k1_s2c_opening *opening
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Compute commitment on the client as part of the ECDSA Anti Nonce Covert Channel Protocol.
+ *
+ * ECDSA Anti Nonce Covert Channel Protocol:
+ * 1. The host draws randomness `k2`, commits to it with sha256 and sends the commitment to the client.
+ * 2. The client commits to its original nonce `k1` using the host commitment by calling
+ *    `secp256k1_ecdsa_anti_covert_channel_client_commit`. The client sends the resulting commitment
+ *   `R1` to the host.
+ * 3. The host replies with `k2` generated in step 1.
+ * 4. The client signs with `secp256k1_ecdsa_s2c_sign`, using the `k2` as `s2c_data` and
+ *    sends the signature and opening to the host.
+ * 5. The host verifies that `R_x = (R1 + H(R1, k2)*G)_x`, where R_x is the `r` part of the signature by using
+ *    `secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify` with the client's
+ *     commitment from step 2 and the signature and opening received in step 4. If verification does
+ *     not succeed, the protocol failed and can be restarted.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object (cannot be NULL)
+ *  Out:  client_commit: pointer to a pubkey where the clients public nonce will be
+ *                       placed. (cannot be NULL)
+ *  In:           msg32: the 32-byte message hash to be signed (cannot be NULL)
+ *             seckey32: the 32-byte secret key used for signing (cannot be NULL)
+ *              noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+ *    rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *client_commit,
+    const unsigned char *msg32,
+    const unsigned char *seckey32,
+    unsigned char *rand_commitment32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Create a randomness commitment on the host as part of the ECDSA Anti Nonce Covert Channel Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:              ctx: pointer to a context object (cannot be NULL)
+ *  Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
+ *  In:             rand32: the 32-byte randomness to commit to (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(
+    secp256k1_context *ctx,
+    unsigned char *rand_commitment32,
+    const unsigned char *rand32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Verify that a clients signature contains the hosts randomness as part of the Anti
+ *  Nonce Covert Channel Protocol. Does not verify the signature itself.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:         ctx: pointer to a context object (cannot be NULL)
+ *  In:           sig: pointer to the signature whose randomness should be verified
+ *                     (cannot be NULL)
+ *             rand32: pointer to the 32-byte randomness from the host which should
+ *                     be included by the signature (cannot be NULL)
+ *            opening: pointer to the opening produced by the client when signing
+ *                     with `rand32` as `s2c_data` (cannot be NULL)
+ *      client_commit: pointer to the client's commitment created in
+ *                     `secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit`
+ *                     (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(
+    secp256k1_context *ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *rand32,
+    const secp256k1_s2c_opening *opening,
+    const secp256k1_pubkey *client_commit
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/modules/ecdsa_sign_to_contract/main_impl.h b/src/modules/ecdsa_sign_to_contract/main_impl.h
@@ -136,4 +136,82 @@ int secp256k1_ecdsa_s2c_verify_commit(const secp256k1_context* ctx, const secp25
 
 }
 
+int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(const secp256k1_context* ctx, secp256k1_pubkey *client_commit, const unsigned char *msg32, const unsigned char *seckey32, unsigned char *rand_commitment32) {
+    unsigned char nonce32[32];
+    secp256k1_scalar k;
+    secp256k1_gej rj;
+    secp256k1_ge r;
+    unsigned int count = 0;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(client_commit != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(seckey32 != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+
+    while (1) {
+        int overflow = 0;
+        if (!secp256k1_nonce_function_default(nonce32, msg32, seckey32, NULL, rand_commitment32, count)) {
+            return 0;
+        }
+
+        secp256k1_scalar_set_b32(&k, nonce32, &overflow);
+        if (!overflow && !secp256k1_scalar_is_zero(&k)) {
+            break;
+        }
+        count++;
+    }
+
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+    secp256k1_ge_set_gej(&r, &rj);
+    secp256k1_pubkey_save(client_commit, &r);
+    return 1;
+}
+
+int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *rand32, const secp256k1_s2c_opening *opening, const secp256k1_pubkey *client_commit) {
+
+    secp256k1_ge gcommit;
+    secp256k1_ge gopening;
+    secp256k1_gej pj;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig != NULL);
+    ARG_CHECK(rand32 != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(secp256k1_s2c_commit_is_init(opening));
+    ARG_CHECK(client_commit != NULL);
+
+    /* Check that client_commit == opening->original_pubnonce */
+    secp256k1_gej_set_infinity(&pj);
+    if (!secp256k1_pubkey_load(ctx, &gcommit, client_commit)) {
+        return 0;
+    }
+    secp256k1_ge_neg(&gcommit, &gcommit);
+    secp256k1_gej_add_ge(&pj, &pj, &gcommit);
+    if (!secp256k1_pubkey_load(ctx, &gopening, &opening->original_pubnonce)) {
+        return 0;
+    }
+    secp256k1_gej_add_ge(&pj, &pj, &gopening);
+    if (!secp256k1_gej_is_infinity(&pj)) {
+        return 0;
+    }
+    if (!secp256k1_ecdsa_s2c_verify_commit(ctx, sig, rand32, opening)) {
+        return 0;
+    }
+    return 1;
+}
+
+int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(secp256k1_context *ctx, unsigned char *rand_commitment32, const unsigned char *rand32) {
+    secp256k1_sha256 sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+    ARG_CHECK(rand32 != NULL);
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, rand32, 32);
+    secp256k1_sha256_finalize(&sha, rand_commitment32);
+    return 1;
+}
+
 #endif /* SECP256K1_ECDSA_SIGN_TO_CONTRACT_MAIN_H */
diff --git a/src/modules/ecdsa_sign_to_contract/tests_impl.h b/src/modules/ecdsa_sign_to_contract/tests_impl.h
@@ -147,7 +147,7 @@ static void test_ecdsa_s2c_api(void) {
         CHECK(secp256k1_ecdsa_s2c_sign(sign, &signature, &s2c_opening, message, privkey, NULL, NULL, NULL) == 0);
         CHECK(ecount == 2);
     }
-    { /* verify_commit, ctx */
+    { /* verify_commit: ctx */
         ecount = 0;
         CHECK(secp256k1_ecdsa_s2c_sign(sign, &signature, &s2c_opening, message, privkey, s2c_data, NULL, NULL) == 1);
         CHECK(secp256k1_ecdsa_s2c_verify_commit(none, &signature, s2c_data, &s2c_opening) == 0);
@@ -159,7 +159,7 @@ static void test_ecdsa_s2c_api(void) {
         CHECK(secp256k1_ecdsa_s2c_verify_commit(both, &signature, s2c_data, &s2c_opening) == 1);
         CHECK(ecount == 2);
     }
-    { /* verify_commit, NULL signature, s2c_data, s2c_opening */
+    { /* verify_commit: NULL signature, s2c_data, s2c_opening */
         ecount = 0;
         CHECK(secp256k1_ecdsa_s2c_sign(sign, &signature, &s2c_opening, message, privkey, s2c_data, NULL, NULL) == 1);
         CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, NULL, s2c_data, &s2c_opening) == 0);
@@ -169,12 +169,75 @@ static void test_ecdsa_s2c_api(void) {
         CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &signature, s2c_data, NULL) == 0);
         CHECK(ecount == 3);
     }
-    { /* verify_commit, invalid opening */
+    { /* verify_commit: invalid opening */
         secp256k1_s2c_opening invalid_opening = {0};
         ecount = 0;
         CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &signature, s2c_data, &invalid_opening) == 0);
         CHECK(ecount == 1);
     }
+    { /* anti_nonce_covert_channel_client_commit: ctx */
+        secp256k1_pubkey commitment;
+        uint8_t rand_commitment[32] = {0};
+        ecount = 0;
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(none, &commitment, message, privkey, rand_commitment) == 0);
+        CHECK(ecount == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(sign, &commitment, message, privkey, rand_commitment) == 1);
+        CHECK(ecount == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(vrfy, &commitment, message, privkey, rand_commitment) == 0);
+        CHECK(ecount == 2);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(both, &commitment, message, privkey, rand_commitment) == 1);
+        CHECK(ecount == 2);
+    }
+    { /* anti_nonce_covert_channel_client_commit: client_commitment, msg32, seckey32, rand_commitment32 */
+        secp256k1_pubkey commitment;
+        uint8_t rand_commitment[32] = {0};
+        ecount = 0;
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(sign, NULL, message, privkey, rand_commitment) == 0);
+        CHECK(ecount == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(sign, &commitment, NULL, privkey, rand_commitment) == 0);
+        CHECK(ecount == 2);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(sign, &commitment, message, NULL, rand_commitment) == 0);
+        CHECK(ecount == 3);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(sign, &commitment, message, privkey, NULL) == 0);
+        CHECK(ecount == 4);
+    }
+    { /* anti_nonce_covert_channel_host_verify */
+        uint8_t host_nonce[32] = {0};
+        uint8_t host_commitment[32] = {0};
+        secp256k1_pubkey client_commitment = {0};
+        secp256k1_s2c_opening invalid_opening = {0};
+        secp256k1_pubkey invalid_pubkey = {0};
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(ctx, &client_commitment, message, privkey, host_commitment) == 1);
+        ecount = 0;
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, NULL, host_nonce, &s2c_opening, &client_commitment) == 0);
+        CHECK(ecount == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, NULL, &s2c_opening, &client_commitment) == 0);
+        CHECK(ecount == 2);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, host_nonce, NULL, &client_commitment) == 0);
+        CHECK(ecount == 3);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, host_nonce, &invalid_opening, &client_commitment) == 0);
+        CHECK(ecount == 4);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, host_nonce, &s2c_opening, NULL) == 0);
+        CHECK(ecount == 5);
+        /* invalid client commitment */
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, host_nonce, &s2c_opening, &invalid_pubkey) == 0);
+        CHECK(ecount == 6);
+        /* invalid original pubnonce */
+        memset(&s2c_opening.original_pubnonce, 0, sizeof(s2c_opening.original_pubnonce));
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(vrfy, &signature, host_nonce, &s2c_opening, &client_commitment) == 0);
+        CHECK(ecount == 7);
+    }
+    { /* anti_nonce_covert_channel_host_commit */
+        uint8_t rand_commitment[32];
+        uint8_t rand[32] = {1};
+        ecount = 0;
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(none, rand_commitment, rand) == 1);
+        CHECK(ecount == 0);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(none, NULL, rand) == 0);
+        CHECK(ecount == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(none, rand_commitment, NULL) == 0);
+        CHECK(ecount == 2);
+    }
 }
 
 static void test_ecdsa_s2c_sign_verify(void) {
@@ -263,12 +326,88 @@ static void test_ecdsa_s2c_sign_verify(void) {
     }
 }
 
+static void test_ecdsa_s2c_anti_nonce_covert_channel_client_commit(void) {
+    size_t i;
+    unsigned char privkey[32] = {
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+    };
+    unsigned char message[32] = {
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+    };
+    secp256k1_pubkey client_commit;
+    unsigned char pubnonce[33];
+    /*
+      Check that original pubnonce is derived from s2c_data and ndata.
+    */
+    for (i = 0; i < sizeof(ecdsa_s2c_tests) / sizeof(ecdsa_s2c_tests[0]); i++) {
+        size_t pubnonce_size = 33;
+        const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(ctx, &client_commit, message, privkey, (unsigned char*)test->host_commitment) == 1);
+        CHECK(secp256k1_ec_pubkey_serialize(ctx, pubnonce, &pubnonce_size, &client_commit, SECP256K1_EC_COMPRESSED) == 1);
+        CHECK(memcmp(test->expected_pubnonce, pubnonce, pubnonce_size) == 0);
+    }
+}
+
+/* This tests the full ECDSA Anti Nonce Covert Channel Protocol */
+static void test_ecdsa_s2c_anti_nonce_covert_channel(void) {
+    unsigned char client_privkey[32];
+    unsigned char host_msg[32];
+    unsigned char host_commitment[32];
+    unsigned char host_nonce_contribution[32];
+    secp256k1_pubkey client_commitment;
+    secp256k1_ecdsa_signature signature;
+    secp256k1_s2c_opening s2c_opening;
+
+    /* Generate a random key, message. */
+    {
+        secp256k1_scalar key;
+        random_scalar_order_test(&key);
+        secp256k1_scalar_get_b32(client_privkey, &key);
+        secp256k1_rand256_test(host_msg);
+        secp256k1_rand256_test(host_nonce_contribution);
+    }
+
+    /* Protocol step 1. */
+    CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(ctx, host_commitment, host_nonce_contribution) == 1);
+    /* Protocol step 2. */
+    CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(ctx, &client_commitment, host_msg, client_privkey, host_commitment) == 1);
+    /* Protocol step 3: host_nonce_contribution send to client to be used in step 4. */
+    /* Protocol step 4. */
+    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, client_privkey, host_nonce_contribution, NULL, NULL) == 1);
+    /* Protocol step 5. */
+    CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(ctx, &signature, host_nonce_contribution, &s2c_opening, &client_commitment) == 1);
+
+    { /* host_verify: commitment does not match */
+        uint8_t sigbytes[64];
+        size_t i;
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1);
+        for(i = 0; i < 32; i++) {
+            /* change one byte */
+            sigbytes[i] = (((int)sigbytes[i]) + 1) % 256;
+            CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+            CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(ctx, &signature, host_nonce_contribution, &s2c_opening, &client_commitment) == 0);
+            /* revert */
+            sigbytes[i] = (((int)sigbytes[i]) + 255) % 256;
+        }
+    }
+    { /* host_verify: client commitment != opening original pubnonce */
+
+        uint8_t tweak[32] = {1};
+        CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &client_commitment, tweak) == 1);
+        CHECK(secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(ctx, &signature, host_nonce_contribution, &s2c_opening, &client_commitment) == 0);
+    }
+}
+
 static void run_ecdsa_sign_to_contract_tests(void) {
     int i;
     test_ecdsa_s2c_api();
     test_ecdsa_s2c_original_pubnonce();
+    test_ecdsa_s2c_anti_nonce_covert_channel_client_commit();
     for (i = 0; i < count; i++) {
         test_ecdsa_s2c_sign_verify();
+        test_ecdsa_s2c_anti_nonce_covert_channel();
     }
 }
 
