Add ec_commitments which are essentially the pay-to-contract-style tweaks of public keys.

jonasnick · jonasnick · commit da4ed8d5acf6 · 2019-07-04T22:05:39.000Z
The functionality is not exposed.
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -705,6 +705,89 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *
     return 1;
 }
 
+/* Compute an ec commitment tweak as hash(pubkey, data). */
+static int secp256k1_ec_commit_tweak(const secp256k1_context *ctx, unsigned char *tweak32, const secp256k1_pubkey *pubkey, const unsigned char *data, size_t data_size) {
+    secp256k1_ge p;
+    unsigned char rbuf[33];
+    size_t rbuf_size = sizeof(rbuf);
+    secp256k1_sha256 sha;
+
+    if (data_size == 0) {
+        /* That's probably not what the caller wanted */
+        return 0;
+    }
+    if(!secp256k1_pubkey_load(ctx, &p, pubkey)) {
+        return 0;
+    }
+    secp256k1_eckey_pubkey_serialize(&p, rbuf, &rbuf_size, 1);
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, rbuf, rbuf_size);
+    secp256k1_sha256_write(&sha, data, data_size);
+    secp256k1_sha256_finalize(&sha, tweak32);
+    return 1;
+}
+
+/* Compute an ec commitment as pubkey + hash(pubkey, data)*G. */
+static int secp256k1_ec_commit(const secp256k1_context* ctx, secp256k1_pubkey *commitment, const secp256k1_pubkey *pubkey, const unsigned char *data, size_t data_size) {
+    unsigned char tweak[32];
+
+    *commitment = *pubkey;
+    if (!secp256k1_ec_commit_tweak(ctx, tweak, commitment, data, data_size)) {
+        return 0;
+    }
+    return secp256k1_ec_pubkey_tweak_add(ctx, commitment, tweak);
+}
+
+/* Compute the seckey of an ec commitment from the original secret key of the pubkey as seckey +
+ * hash(pubkey, data). */
+static int secp256k1_ec_commit_seckey(const secp256k1_context* ctx, unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *data, size_t data_size) {
+    unsigned char tweak[32];
+    secp256k1_pubkey pubkey_tmp;
+
+    if (pubkey == NULL) {
+        /* Compute pubkey from seckey if not provided */
+        int overflow;
+        secp256k1_scalar x;
+        secp256k1_gej pj;
+        secp256k1_ge p;
+
+        secp256k1_scalar_set_b32(&x, seckey, &overflow);
+        if (overflow != 0) {
+            return 0;
+        }
+        secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &x);
+        secp256k1_ge_set_gej(&p, &pj);
+        secp256k1_pubkey_save(&pubkey_tmp, &p);
+        pubkey = &pubkey_tmp;
+    }
+
+    if (!secp256k1_ec_commit_tweak(ctx, tweak, pubkey, data, data_size)) {
+        return 0;
+    }
+    return secp256k1_ec_privkey_tweak_add(ctx, seckey, tweak);
+}
+
+/* Verify an ec commitment as pubkey + hash(pubkey, data)*G ?= commitment. */
+static int secp256k1_ec_commit_verify(const secp256k1_context* ctx, const secp256k1_pubkey *commitment, const secp256k1_pubkey *pubkey, const unsigned char *data, size_t data_size) {
+    secp256k1_gej pj;
+    secp256k1_ge p;
+    secp256k1_pubkey commitment_tmp;
+
+    if (!secp256k1_ec_commit(ctx, &commitment_tmp, pubkey, data, data_size)) {
+        return 0;
+    }
+
+    /* Return commitment == commitment_tmp */
+    secp256k1_gej_set_infinity(&pj);
+    secp256k1_pubkey_load(ctx, &p, &commitment_tmp);
+    secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL);
+    secp256k1_pubkey_load(ctx, &p, commitment);
+    secp256k1_ge_neg(&p, &p);
+    secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL);
+    return secp256k1_gej_is_infinity(&pj);
+}
+
 #ifdef ENABLE_MODULE_ECDH
 # include "modules/ecdh/main_impl.h"
 #endif
diff --git a/src/tests.c b/src/tests.c
@@ -2475,6 +2475,85 @@ void run_ec_combine(void) {
     }
 }
 
+int test_ec_commit_seckey(unsigned char *seckey, secp256k1_pubkey *commitment) {
+    /* Return if seckey is the discrete log of commitment */
+    secp256k1_pubkey pubkey_tmp;
+    return secp256k1_ec_pubkey_create(ctx, &pubkey_tmp, seckey) == 1
+           && memcmp(&pubkey_tmp, commitment, sizeof(pubkey_tmp)) == 0;
+}
+
+void test_ec_commit(void) {
+    unsigned char seckey[32];
+    secp256k1_pubkey pubkey;
+    secp256k1_pubkey commitment;
+    unsigned char data[32];
+
+    /* Create random keypair and data */
+    secp256k1_rand256(seckey);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, seckey));
+    secp256k1_rand256_test(data);
+
+    /* Commit to data and verify */
+    CHECK(secp256k1_ec_commit(ctx, &commitment, &pubkey, data, 32));
+    CHECK(secp256k1_ec_commit_verify(ctx, &commitment, &pubkey, data, 32));
+    CHECK(secp256k1_ec_commit_seckey(ctx, seckey, &pubkey, data, 32));
+    CHECK(test_ec_commit_seckey(seckey, &commitment) == 1);
+
+    /* Check that verification fails with different data */
+    CHECK(secp256k1_ec_commit_verify(ctx, &commitment, &pubkey, data, 31) == 0);
+}
+
+void test_ec_commit_api(void) {
+    unsigned char seckey[32];
+    secp256k1_pubkey pubkey;
+    secp256k1_pubkey commitment;
+    unsigned char data[32];
+
+    memset(data, 23, sizeof(data));
+
+    /* Create random keypair */
+    secp256k1_rand256(seckey);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, seckey));
+
+    CHECK(secp256k1_ec_commit(ctx, &commitment, &pubkey, data, 1) == 1);
+    /* The same pubkey can be both input and output of the function */
+    {
+        secp256k1_pubkey pubkey_tmp = pubkey;
+        CHECK(secp256k1_ec_commit(ctx, &pubkey_tmp, &pubkey_tmp, data, 1) == 1);
+        CHECK(memcmp(commitment.data, pubkey_tmp.data, sizeof(commitment.data)) == 0);
+    }
+
+    /* If the pubkey is not provided it will be computed from seckey */
+    CHECK(secp256k1_ec_commit_seckey(ctx, seckey, NULL, data, 1) == 1);
+    CHECK(test_ec_commit_seckey(seckey, &commitment) == 1);
+    /* pubkey is not provided but seckey overflows */
+    {
+        unsigned char overflowed_seckey[32];
+        memset(overflowed_seckey, 0xFF, sizeof(overflowed_seckey));
+        CHECK(secp256k1_ec_commit_seckey(ctx, overflowed_seckey, NULL, data, 1) == 0);
+    }
+
+    CHECK(secp256k1_ec_commit_verify(ctx, &commitment, &pubkey, data, 1) == 1);
+
+    /* Commitment to 0-len data should fail */
+    CHECK(secp256k1_ec_commit(ctx, &commitment, &pubkey, data, 0) == 0);
+    CHECK(secp256k1_ec_commit_verify(ctx, &commitment, &pubkey, data, 0) == 0);
+    CHECK(memcmp(&pubkey.data, &commitment.data, sizeof(pubkey.data)) == 0);
+    {
+        unsigned char seckey_tmp[32];
+        memcpy(seckey_tmp, seckey, 32);
+        CHECK(secp256k1_ec_commit_seckey(ctx, seckey_tmp, &pubkey, data, 0) == 0);
+    }
+}
+
+void run_ec_commit(void) {
+    int i;
+    for (i = 0; i < count * 8; i++) {
+         test_ec_commit();
+    }
+    test_ec_commit_api();
+}
+
 void test_group_decompress(const secp256k1_fe* x) {
     /* The input itself, normalized. */
     secp256k1_fe fex = *x;
@@ -5372,6 +5451,7 @@ int main(int argc, char **argv) {
     run_ecmult_const_tests();
     run_ecmult_multi_tests();
     run_ec_combine();
+    run_ec_commit();
 
     /* endomorphism tests */
 #ifdef USE_ENDOMORPHISM
