Add Musig2 module

[jlest01]

This PR adds a musig module based on bitcoin-core/secp256k1#1479.
The structure is based on @sanket1729's BlockstreamResearch/rust-secp256k1-zkp#48, but I removed the code related to adaptor signatures.

There is an example file in examples/musig.rs and can be run with cargo run --example musig --features "rand std".
The ffi functions were added to secp256k1-sys/src/lib.rs and the API level functions to the new src/musig.rs file.

[Kixunil]

Awesome!!! I would wait until the upstream PR merges (and releases) before merging this but I'm looking forward to it. I gave it a quick look anyway.

[Kixunil]

IMO this should be just panic. It can only happen if someone passes wrong value to dangerous ID creation function.

[tcharding]

This is a 10 thousand line diff, is something commited that shouldn't be?

[apoelstra]

It updates the vendored library to bring in the upstream MuSig PR.

[jlest01]

It updates the vendored library to bring in the upstream MuSig PR.

Yes. For now, only the last three commits matter for review purposes.
The others will be discarded when the upstream MuSig PR is merged.

[tcharding]

Cool, thanks. To clarify this is going to wait till upstream merges before being considered for merge, right? What sort of review are you chasing?

[Kixunil]

@tcharding I will definitely not ack this until it's upstream is released. However I appreciate the experiment/demo.

[jlest01]

To clarify this is going to wait till upstream merges before being considered for merge, right? What sort of review are you chasing?

Yes, the idea is to wait for the upstream PR to be merged.
Regarding the review, I mean that the last three commits are the ones that are intended to be merged.

[Kixunil]

Isn't this highly misleading? If it's all-zeros it's not a nonce and thus broken. Where would one need it?

[jlest01]

Same as here: #716 (comment)

[Kixunil]

The documentation of these methods is intended for the higher-level API implementors not for for end consumers so it should rather properly describe what's going on here.

[jlest01]

Done. Thanks.

[Kixunil]

Looks also broken.

[jlest01]

Same as here: #716 (comment)

[Kixunil]

It looks to me that none of these Defaults should exist. People should just use arrays or MaybeUninit<T> to represent the uninitialized state.

[jlest01]

Are you suggesting something like this ?

let key_agg_cache = MaybeUninit::<ffi::MusigKeyAggCache>::uninit();
let mut key_agg_cache = key_agg_cache.assume_init();

This will cause UB (without MaybeUninit::write).
The reason for pub fn new() is that the internal array is private (ex: pub struct MusigKeyAggCache([c_uchar; MUSIG_KEYAGG_LEN]);), which is consistent with the other structs in the code.

[Kixunil]

No, provide a function that constructs initialized types only.

[Kixunil]

Oh, now I see that I was confused because these are the FFI structs. However, I still maintain they are highly confusing.

The correct usage (inside secp256k1::musig::MusigKeyAggCache::new) is this:

let mut key_agg_cache = MaybeUninit::<ffi::MusigKeyAggCache>::uninit();
let mut agg_pk = MaybeUninit::<ffi::XOnlyPublicKey>::uninit();
unsafe {
    if ffi::secp256k1_musig_pubkey_agg(
        cx,
        agg_pk.as_mut_ptr(),
        key_agg_cache.as_mut_ptr(),
        pubkeys.as_ptr(),
        pubkey_ptrs.len(),
    ) == 0 {
        panic!(...);
    } else {
        // secp256k1_musig_pubkey_agg overwrites the cache and the key so this is sound.
        let key_agg_cache = key_agg_cache.assume_init();
        let agg_pk = agg_pk.assume_init();
        MusigKeyAggCache(key_agg_cache, pk);
    }
}

[jlest01]

Thanks for the clarification.
Done in 2ea5674

[jlest01]

I've also applied the same approach to the other structs.

[Kixunil]

FTR these struct declarations looked wrong but are indeed correct based on the current API.

[jlest01]

Do you think they should be changed?

[Kixunil]

We usually name these InvalidLength.

[jlest01]

Done. Thanks.

[sanket1729]

Upstream was released yesterday

[apoelstra]

Can you rebase and format each commit with the nightly formatter? That should fix CI.

[jlest01]

Can you rebase and format each commit with the nightly formatter? That should fix CI.

Yes, done. Thanks.

[tcharding]

Patch 1 can be removed now, right? Then your shellcheck CI fail should disappear.

[Kixunil]

Still not deep review, just some problems I noticed when I was digging into the API for other reasons.

[Kixunil]

This signature is invalid. It's supposed to be a mut pointer pointing to a const pointer. IIUC this is unsound.

@apoelstra this is exactly why I advocate for using bindgen. Bugs like this can happen and without it we have to spend time to audit every single function to make sure the signature is correct.

[apoelstra]

Yeah, ok, we should use bindgen. But (at least initially) I would like to commit the generated code and verify it in CI rather than putting it as part of the build process, to minimize the number of dependencies that downstream users need.

We would also need to figure out what to do about secp256k1-sys/src/types.rs. Will bindgen require some sort of tweaking to use these types? Or will we need a post-processing step? Or maybe we should just bump our MSRV to 1.64 so we don't need this file anymore?

[jlest01]

Good catch. Fixed in ff77611

[jlest01]

However, it is interesting that Rust does not enforce the const modifier in this case.

[Kixunil]

But (at least initially) I would like to commit the generated code and verify it in CI rather than putting it as part of the build process, to minimize the number of dependencies that downstream users need.

Yes, but maybe use xtask pattern for that? Rather than committing, we would have a subcrate that generates it and the developers would run it when contributing or publishing the crate (so the code would still be on crates.io). The upside is no CI job needed, the downside is that every contributor has to run the xtask even for unrelated contributions.

Rust does not enforce the const modifier in this case.

The compiler has no way of understanding the C code.

[apoelstra]

Moved bindgen discussion to #775

[Kixunil]

This is definitely unsound. The function is mutating the argument but it's not using mut.

[jlest01]

Fixed in 2755c15

[Kixunil]

Given this has only one variant, either it should be a struct or it should have #[non_exhaustive] if we anticipate new errors in the future (personally I don't believe we have a reason to think there will be new ones).

[jlest01]

Done in 404a93b

[Kixunil]

Rename

[jlest01]

To deserialize(...) ?

[jlest01]

Now I saw it in the comment above.
Updated to from_byte_array() in 3e9d296

[Kixunil]

Damn, I was unclear. I only meant to have named fields in structs that have more than one field. This could've been tuple struct. You don't have to change it back if you don't want to but you can if you wish.

[jlest01]

No problem. Reverted to the tuple struct those with only one field in 5cf37bd.

[Kixunil]

Missing space.

[jlest01]

Updated in 5cf37bd

[Kixunil]

Thanks for doing this! I'd like the doc toe be more in-depth.

/// Returns the aggregated signature [`schnorr::Signature`] assuming it is valid.
///
/// The `partial_sig_agg` function cannot guarantee that the produced signature is valid because participants
/// may send invalid signatures. In some applications this doesn't matter because the invalid message is simply
/// dropped with no consequences. These can simply call this function to obtain the resulting signature. However
/// in applications that require having valid signatures before continuing (e.g. presigned transactions in Bitcoin Lightning Network) this would be exploitable. Such applications MUST verify the resulting signature using the
/// [`verify`](Self::verify) method.
///
/// Note that while an alternative approach of verifying partial signatures is valid, verifying the aggregated
/// signature is more performant. Thus it should be generally better to verify the signature using this function first
/// and fall back to detection of violators if it fails.

[jlest01]

Thanks for this. Updated in 982e877.

[philipr-za]

The references to libsecp256k1-zkp and secp256k1-zkp in the comments below seem to be left over from Sanket's original PR?

[jlest01]

Correct. Good catch.
Updated in 4012ed5

[stevenroose]

What is the status of this PR?

[Kixunil]

@stevenroose it needs reviewers, I guess. :) This is quite difficult to review. I really wanted to but it requires a significant chunk of undisrupted time and I had more pressing things to do. I suspect I might be able to do it Friday. The good news is over the previous reviews and some more digging I got to understand Musig much better so it should be easier now.

[jirijakes]

Wouldn't it make more sense to use Option in the from_byte_array functions? The underlying functions do not provide information about why they failed anyway, so this type is not too useful (unless it is expected to be expanded in the future, in which case it should be #[non_exhaustive]).

[apoelstra]

IMO we should make it #[non_exhaustive].

[Kixunil]

Even if we didn't intend to expand it, an empty error type is often better than Option (which is the case here since passing malformed argument is clearly an error as opposed to stuff like passing non-existing key to get function on a map).

[jirijakes]

As an exercise, I am adding test vectors from BIP327, so far they revealed this. Will continue tomorrow.

[jirijakes]

Suggested change

	pub fn serialize(&self) -> [u8; 32] {
	let mut data = MaybeUninit::<[u8; 32]>::uninit();
	pub fn serialize(&self) -> [u8; ffi::MUSIG_PART_SIG_SERIALIZED_LEN] {
	let mut data = MaybeUninit::<[u8; ffi::MUSIG_PART_SIG_SERIALIZED_LEN]>::uninit();

(Edited, previously suggested wrong constant)

[jirijakes]

Correcting my previous review comments.

Partial signature occupies 36 bytes in memory but it is 32 in serialized form.

[jirijakes]

This one is missing from_byte_array.

[jirijakes]

Suggested change

	pub const MUSIG_PART_SIG_LEN: usize = 36;
	pub const MUSIG_PART_SIG_LEN: usize = 36;
	pub const MUSIG_PART_SIG_SERIALIZED_LEN: usize = 32;

FTR, I previously suggested changing MUSIG_PART_SIG_LEN to 32 but that is wrong. It really holds 36 bytes in memory, however, it is 32 bytes in serialized form. Therefore need for another constant.

[Kixunil]

Comments on the constants explaining this would be great too.

[jirijakes]

Suggested change

	pub fn from_byte_array(data: &[u8; ffi::MUSIG_PART_SIG_LEN]) -> Result<Self, ParseError> {
	pub fn from_byte_array(data: &[u8; ffi::MUSIG_PART_SIG_SERIALIZED_LEN]) -> Result<Self, ParseError> {

[jirijakes]

At some point, it would be useful to somehow have a way of creating SecretNonce from bytes, which is needed for testing, either of this module via test vectors or for downstream users.

---

The upstream does not provide parse function (there is no standard serialization) but it also needs to be able to create SecretNonces for its tests.

Test vectors contain secnonce as 97-byte, see footnote 11:

The algorithms as specified here assume that the secnonce is stored as a 97-byte array using the serialization secnonce = bytes(32, k1) || bytes(32, k2) || pk. The same format is used in the reference implementation and in the test vectors. However, since the secnonce is (obviously) not meant to be sent over the wire, compatibility between implementations is not a concern, and this method of storing the secnonce is merely a suggestion.

Internal memory representation of secnonce has 132 bytes:

• 4 bytes: magic 0x22, 0x0e, 0xdc, 0xf1
• 32 bytes: k1
• 32 bytes: k2
• 64 bytes: group element of pk (is it curve coordinates?)

And this is how libsecp256k1 converts the 97-byte values from tests into 132-byte secnonce: loads public key in musig_test_set_secnonce and prepends magic in secp256k1_musig_secnonce_save.

[Kixunil]

We should just generate them from session. We don't have to use every single test vector since upstream already uses them.