ecdsa sign-to-contract module, with anti nonce covert chan util functions

.travis.yml

@@ -11,14 +11,15 @@ compiler:
   - gcc
 env:
   global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no CTIMETEST=yes BENCH=yes SECP256K1_BENCH_ITERS=2
+    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  ECDSA_SIGN_TO_CONTRACT=no  EXPERIMENTAL=no CTIMETEST=yes BENCH=yes SECP256K1_BENCH_ITERS=2
   matrix:
     - SCALAR=32bit    RECOVERY=yes
-    - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes
+    - SCALAR=32bit    FIELD=32bit       ECDH=yes ECDSA_SIGN_TO_CONTRACT=yes EXPERIMENTAL=yes
+    - SCALAR=32bit    FIELD=32bit       EXPERIMENTAL=yes
     - SCALAR=64bit
     - FIELD=64bit     RECOVERY=yes
     - FIELD=64bit     ENDOMORPHISM=yes
-    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes EXPERIMENTAL=yes
+    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes ECDSA_SIGN_TO_CONTRACT=yes EXPERIMENTAL=yes
     - FIELD=64bit                       ASM=x86_64
     - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
     - FIELD=32bit     ENDOMORPHISM=yes
@@ -85,7 +86,7 @@ before_script: ./autogen.sh
 script:
  - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
  - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-asm=$ASM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --with-ecmult-gen-precision=$ECMULTGENPRECISION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY $EXTRAFLAGS $USE_HOST
+ - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-asm=$ASM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --with-ecmult-gen-precision=$ECMULTGENPRECISION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-module-ecdsa-sign-to-contract=$ECDSA_SIGN_TO_CONTRACT $EXTRAFLAGS $USE_HOST
  - if [ -n "$BUILD" ]; then make -j2 $BUILD; fi
  - # travis_wait extends the 10 minutes without output allowed (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received)
  - # the `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (http://valgrind.org/docs/manual/manual-core.html)

Makefile.am

@@ -152,3 +152,7 @@ endif
 if ENABLE_MODULE_RECOVERY
 include src/modules/recovery/Makefile.am.include
 endif
+
+if ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT
+include src/modules/ecdsa_sign_to_contract/Makefile.am.include
+endif

configure.ac

@@ -136,6 +136,11 @@ AC_ARG_ENABLE(module_recovery,
     [enable_module_recovery=$enableval],
     [enable_module_recovery=no])
 
+AC_ARG_ENABLE(module_ecdsa_sign_to_contract,
+    AS_HELP_STRING([--enable-module-ecdsa-sign-to-contract],[enable ECDSA sign-to-contract module [default=no]]),
+    [enable_module_ecdsa_sign_to_contract=$enableval],
+    [enable_module_ecdsa_sign_to_contract=no])
+
 AC_ARG_ENABLE(external_default_callbacks,
     AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]),
     [use_external_default_callbacks=$enableval],
@@ -493,6 +498,10 @@ if test x"$enable_module_recovery" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
 fi
 
+if test x"$enable_module_ecdsa_sign_to_contract" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT, 1, [Define this symbol to enable the ECDSA sign-to-contract module])
+fi
+
 AC_C_BIGENDIAN()
 
 if test x"$use_external_asm" = x"yes"; then
@@ -508,11 +517,15 @@ if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([WARNING: experimental build])
   AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
   AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
+  AC_MSG_NOTICE([Building ECDSA sign-to-contract module: $enable_module_ecdsa_sign_to_contract])
   AC_MSG_NOTICE([******])
 else
   if test x"$enable_module_ecdh" = x"yes"; then
     AC_MSG_ERROR([ECDH module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_ecdsa_sign_to_contract" = x"yes"; then
+    AC_MSG_ERROR([ECDA sign-to-contract module module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
@@ -531,6 +544,7 @@ AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT], [test x"$enable_module_ecdsa_sign_to_contract" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
 
@@ -543,20 +557,21 @@ AC_OUTPUT
 
 echo
 echo "Build Options:"
-echo "  with endomorphism       = $use_endomorphism"
-echo "  with ecmult precomp     = $set_precomp"
-echo "  with external callbacks = $use_external_default_callbacks"
-echo "  with benchmarks         = $use_benchmark"
-echo "  with coverage           = $enable_coverage"
-echo "  module ecdh             = $enable_module_ecdh"
-echo "  module recovery         = $enable_module_recovery"
+echo "  with endomorphism             = $use_endomorphism"
+echo "  with ecmult precomp           = $set_precomp"
+echo "  with external callbacks       = $use_external_default_callbacks"
+echo "  with benchmarks               = $use_benchmark"
+echo "  with coverage                 = $enable_coverage"
+echo "  module ecdh                   = $enable_module_ecdh"
+echo "  module recovery               = $enable_module_recovery"
+echo "  module ecdsa sign-to-contract = $enable_module_ecdsa_sign_to_contract"
 echo
-echo "  asm                     = $set_asm"
-echo "  bignum                  = $set_bignum"
-echo "  field                   = $set_field"
-echo "  scalar                  = $set_scalar"
-echo "  ecmult window size      = $set_ecmult_window"
-echo "  ecmult gen prec. bits   = $set_ecmult_gen_precision"
+echo "  asm                           = $set_asm"
+echo "  bignum                        = $set_bignum"
+echo "  field                         = $set_field"
+echo "  scalar                        = $set_scalar"
+echo "  ecmult window size            = $set_ecmult_window"
+echo "  ecmult gen prec. bits         = $set_ecmult_gen_precision"
 echo
 echo "  valgrind                = $enable_valgrind"
 echo "  CC                      = $CC"

include/secp256k1.h

@@ -6,6 +6,7 @@ extern "C" {
 #endif
 
 #include <stddef.h>
+#include <stdint.h>
 
 /* These rules specify the order of arguments in API calls:
  *
@@ -81,6 +82,29 @@ typedef struct {
     unsigned char data[64];
 } secp256k1_ecdsa_signature;
 
+/** Data structure that holds a sign-to-contract ("s2c") opening information.
+ *  Sign-to-contract allows a signer to commit to some data as part of a signature. It
+ *  can be used as an Out-argument in certain signing functions.
+ *
+ *  This structure is not opaque, but it is strongly discouraged to read or write to
+ *  it directly.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It can
+ *  be safely copied/moved.
+ */
+typedef struct {
+    /* magic is set during initialization */
+    uint64_t magic;
+    /* Public nonce before applying the sign-to-contract commitment */
+    secp256k1_pubkey original_pubnonce;
+    /* Byte indicating if signing algorithm negated the nonce. Alternatively when
+     * verifying we could compute the EC commitment of original_pubnonce and the
+     * data and negate if this would not be a valid nonce. But this would prevent
+     * batch verification of sign-to-contract commitments. */
+    int nonce_is_negated;
+} secp256k1_s2c_opening;
+
 /** A pointer to a function to deterministically generate a nonce.
  *
  * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
@@ -446,6 +470,37 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
     const secp256k1_ecdsa_signature* sig
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
+/** Parse a sign-to-contract opening.
+ *
+ *  Returns: 1 if the opening was fully valid.
+ *           0 if the opening could not be parsed or is invalid.
+ *  Args:    ctx: a secp256k1 context object.
+ *  Out: opening: pointer to an opening object. If 1 is returned, it is set to a
+ *                 parsed version of input. If not, its value is undefined.
+ *  In:  input33: pointer to 33-byte array with a serialized opening
+ *
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_s2c_opening_parse(
+    const secp256k1_context* ctx,
+    secp256k1_s2c_opening* opening,
+    const unsigned char *input33
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a sign-to-contract opening into a byte sequence.
+ *
+ *  Returns: 1 if the opening was successfully serialized.
+ *           0 if the opening was not initializaed.
+ *  Args:     ctx: a secp256k1 context object.
+ *  Out: output33: pointer to a 33-byte array to place the serialized opening
+ *                 in.
+ *  In:   opening: a pointer to an initialized `secp256k1_s2c_opening`.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_s2c_opening_serialize(
+    const secp256k1_context* ctx,
+    unsigned char *output33,
+    const secp256k1_s2c_opening* opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
 /** Verify an ECDSA signature.
  *
  *  Returns: 1: correct signature

include/secp256k1_ecdsa_sign_to_contract.h

@@ -0,0 +1,142 @@
+#ifndef SECP256K1_ECDSA_SIGN_TO_CONTRACT_H
+#define SECP256K1_ECDSA_SIGN_TO_CONTRACT_H
+
+#include "secp256k1.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Same as secp256k1_ecdsa_sign, but s2c_data32 is committed to by adding `hash(k*G, s2c_data32)` to
+ *  the signing nonce `k`.
+ *  Returns: 1: signature created
+ *           0: the nonce generation function failed, or the private key was invalid.
+ *  Args:    ctx:  pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:     sig:  pointer to an array where the signature will be placed (cannot be NULL)
+ *   s2c_opening:  pointer to an secp256k1_s2c_opening structure which can be
+ *                 NULL but is required to be not NULL if this signature creates
+ *                 a sign-to-contract commitment (i.e. the `s2c_data` argument
+ *                 is not NULL).
+ *  In:
+ *         msg32: the 32-byte message hash being signed (cannot be NULL)
+ *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *    s2c_data32: pointer to a 32-byte data to create an optional
+ *                sign-to-contract commitment to if not NULL (can be NULL).
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_sign(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature *sig,
+    secp256k1_s2c_opening *s2c_opening,
+    const unsigned char *msg32,
+    const unsigned char *seckey,
+    const unsigned char* s2c_data32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify a sign-to-contract commitment.
+ *
+ *  Returns: 1: the signature contains a commitment to data32
+ *           0: incorrect opening
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature containing the sign-to-contract commitment (cannot be NULL)
+ *        data32: the 32-byte data that was committed to (cannot be NULL)
+ *       opening: pointer to the opening created during signing (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_verify_commit(
+    const secp256k1_context* ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *data32,
+    const secp256k1_s2c_opening *opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Create a randomness commitment on the host as part of the ECDSA Anti Nonce Covert Channel Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:              ctx: pointer to a context object (cannot be NULL)
+ *  Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
+ *  In:             rand32: the 32-byte randomness to commit to (cannot be NULL). It must come from
+ *                          a cryptographically secure RNG. As per the protocol, this value must not
+ *                          be revealed to the client until after the host has received the client
+ *                          commitment.
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_commit(
+    secp256k1_context *ctx,
+    unsigned char *rand_commitment32,
+    const unsigned char *rand32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Compute commitment on the client as part of the ECDSA Anti Nonce Covert Channel Protocol.
+ *
+ *  ECDSA Anti Nonce Covert Channel Protocol:
+ *
+ *  The anti_nonce_covert_channel_* functions can be used to prevent a signing device from
+ *  exfiltrating the secret signing keys through biased signature nonces. The general idea is that a
+ *  host provides additional randomness to the signing device client and the client commits to the
+ *  randomness in the nonce using sign-to-contract.
+ *  In order to make the randomness unpredictable, the host and client must engage in a commit-reveal
+ *  protocol as follows:
+ *  1. The host draws randomness `k2`, commits to it with sha256 and sends the commitment to the client.
+ *  2. The client commits to its original nonce `k1` using the host commitment by calling
+ *     `secp256k1_ecdsa_anti_covert_channel_client_commit`. The client sends the resulting commitment
+ *    `R1` to the host.
+ *  3. The host replies with `k2` generated in step 1.
+ *  4. The client signs with `secp256k1_ecdsa_s2c_sign`, using the `k2` as `s2c_data` and
+ *     sends the signature and opening to the host.
+ *  5. The host verifies that `R_x = (R1 + H(R1, k2)*G)_x`, where R_x is the `r` part of the signature by using
+ *     `secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify` with the client's
+ *      commitment from step 2 and the signature and opening received in step 4. If verification does
+ *      not succeed, the protocol failed and can be restarted.
+ *
+ *  Rationale:
+ *      - The reason for having a host commitment is to allow the client to derive a unique nonce
+ *        for every host randomness. Otherwise the client would reuse the original nonce and thereby
+ *        leaking the secret key to the host.
+ *      - The client does not need to check that the host commitment matches the host's randomness.
+ *        That's because the client derives its nonce using the hosts randomness commitment. If the
+ *        commitment doesn't match then the client will derive a different original nonce and the
+ *        only result will be that the host is not able to verify the sign-to-contract commitment.
+ *        Therefore, the client does not need to maintain state about the progress of the protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object (cannot be NULL)
+ *  Out:  client_commit: pointer to a pubkey where the clients public nonce will be
+ *                       placed. (cannot be NULL)
+ *  In:           msg32: the 32-byte message hash to be signed (cannot be NULL)
+ *             seckey32: the 32-byte secret key used for signing (cannot be NULL)
+ *    rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *client_commit,
+    const unsigned char *msg32,
+    const unsigned char *seckey32,
+    unsigned char *rand_commitment32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify that a clients signature contains the hosts randomness as part of the Anti
+ *  Nonce Covert Channel Protocol. Does not verify the signature itself.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:         ctx: pointer to a context object (cannot be NULL)
+ *  In:           sig: pointer to the signature whose randomness should be verified
+ *                     (cannot be NULL)
+ *             rand32: pointer to the 32-byte randomness from the host which should
+ *                     be included by the signature (cannot be NULL)
+ *            opening: pointer to the opening produced by the client when signing
+ *                     with `rand32` as `s2c_data` (cannot be NULL)
+ *      client_commit: pointer to the client's commitment created in
+ *                     `secp256k1_ecdsa_s2c_anti_nonce_covert_channel_client_commit`
+ *                     (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_anti_nonce_covert_channel_host_verify(
+    secp256k1_context *ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *rand32,
+    const secp256k1_s2c_opening *opening,
+    const secp256k1_pubkey *client_commit
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_ECDSA_SIGN_TO_CONTRACT_H */

src/modules/ecdsa_sign_to_contract/Makefile.am.include

@@ -0,0 +1,3 @@
+include_HEADERS += include/secp256k1_ecdsa_sign_to_contract.h
+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/main_impl.h
+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/tests_impl.h