schnorr_adaptor: add nonce function and tags

This commit adds a nonce function that will be used by default for
Schnorr adaptor signatures.

This nonce function is similar to secp256k1_nonce_function_hardened with
an extra argument for a compressed 33-byte adaptor point.

Author: siv2r

include/secp256k1_schnorr_adaptor.h

@@ -64,6 +64,47 @@ extern "C" {
  *  [1] https://eprint.iacr.org/2020/476.pdf
  */
 
+/** A pointer to a function to deterministically generate a nonce.
+ *
+ *  In addition to the features of secp256k1_nonce_function_hardened,
+ *  this function introduces an extra argument for a compressed 33-byte
+ *  adaptor point.
+ *
+ *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
+ *           return an error.
+ *  Out:  nonce32: pointer to a 32-byte array to be filled by the function
+ *  In:     msg32: the 32-byte message being verified (will not be NULL)
+ *          key32: pointer to a 32-byte secret key (will not be NULL)
+*       adaptor33: the 33-byte serialized adaptor point (will not be NULL)
+ *     xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32
+ *                 (will not be NULL)
+ *           algo: pointer to an array describing the signature
+ *                 algorithm (will not be NULL)
+ *        algolen: the length of the algo array
+ *           data: arbitrary data pointer that is passed through
+ *
+ *  Except for test cases, this function should compute some cryptographic hash of
+ *  the message, the key, the adaptor point, the pubkey, the algorithm description, and data.
+ */
+typedef int (*secp256k1_nonce_function_hardened_schnorr_adaptor)(
+    unsigned char *nonce32,
+    const unsigned char *msg32,
+    const unsigned char *key32,
+    const unsigned char *adaptor33,
+    const unsigned char *xonly_pk32,
+    const unsigned char *algo,
+    size_t algolen,
+    void *data
+);
+
+/** A modified BIP-340 nonce generation function. If a data pointer is passed, it is
+ *  assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340.
+ *  If the data pointer is NULL, the nonce derivation procedure uses a zeroed 32-byte
+ *  auxiliary random data. The hash will be tagged with algo after removing all
+ *  terminating null bytes.
+ */
+SECP256K1_API const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor;
+
 #ifdef __cplusplus
 }
 #endif

src/modules/schnorr_adaptor/main_impl.h

@@ -10,4 +10,93 @@
 #include "../../../include/secp256k1.h"
 #include "../../../include/secp256k1_schnorr_adaptor.h"
 
+#include "../../hash.h"
+#include "../../scalar.h"
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("SchnorrAdaptor/nonce")||SHA256("SchnorrAdaptor/nonce"). */
+static void secp256k1_nonce_function_schnorr_adaptor_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0xe268ac2aul;
+    sha->s[1] = 0x3a221b84ul;
+    sha->s[2] = 0x69612afdul;
+    sha->s[3] = 0x92ce3040ul;
+    sha->s[4] = 0xc83ca35ful;
+    sha->s[5] = 0xec2ee152ul;
+    sha->s[6] = 0xba136ab7ul;
+    sha->s[7] = 0x3bf6ec7ful;
+
+    sha->bytes = 64;
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("SchnorrAdaptor/aux")||SHA256("SchnorrAdaptor/aux"). */
+static void secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x50685e98ul;
+    sha->s[1] = 0x6313905eul;
+    sha->s[2] = 0x6db24fa0ul;
+    sha->s[3] = 0xc8b15c48ul;
+    sha->s[4] = 0x6b318921ul;
+    sha->s[5] = 0x441d8ff3ul;
+    sha->s[6] = 0xa7033a66ul;
+    sha->s[7] = 0xc3545cddul;
+
+    sha->bytes = 64;
+}
+
+/* algo argument for `nonce_function_schnorr_adaptor` to derive the nonce using a tagged hash function. */
+static const unsigned char schnorr_adaptor_algo[20] = "SchnorrAdaptor/nonce";
+
+/* Modified BIP-340 nonce function */
+static int nonce_function_schnorr_adaptor(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *adaptor33, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
+    secp256k1_sha256 sha;
+    unsigned char masked_key[32];
+    int i;
+
+    if (algo == NULL) {
+        return 0;
+    }
+
+    if (data != NULL) {
+        secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux(&sha);
+        secp256k1_sha256_write(&sha, data, 32);
+        secp256k1_sha256_finalize(&sha, masked_key);
+        for (i = 0; i < 32; i++) {
+            masked_key[i] ^= key32[i];
+        }
+    } else {
+        /* Precomputed TaggedHash("SchnorrAdaptor/aux", 0x0000...00); */
+        static const unsigned char ZERO_MASK[32] = {
+              65, 206, 231, 5, 44, 99, 30, 162,
+             119, 101, 143, 108, 176, 134, 217, 23,
+             54, 150, 157, 221, 198, 161, 164, 85,
+             235, 82, 28, 56, 164, 220, 113, 53
+        };
+        for (i = 0; i < 32; i++) {
+            masked_key[i] = key32[i] ^ ZERO_MASK[i];
+        }
+    }
+
+    /* Tag the hash with algo which is important to avoid nonce reuse across
+     * algorithms. An optimized tagging implementation is used if the default
+     * tag is provided. */
+    if (algolen == sizeof(schnorr_adaptor_algo)
+            && secp256k1_memcmp_var(algo, schnorr_adaptor_algo, algolen) == 0) {
+        secp256k1_nonce_function_schnorr_adaptor_sha256_tagged(&sha);
+    } else {
+        secp256k1_sha256_initialize_tagged(&sha, algo, algolen);
+    }
+
+    /* Hash masked-key||adaptor33||pk||msg using the tagged hash */
+    secp256k1_sha256_write(&sha, masked_key, 32);
+    secp256k1_sha256_write(&sha, adaptor33, 33);
+    secp256k1_sha256_write(&sha, xonly_pk32, 32);
+    secp256k1_sha256_write(&sha, msg32, 32);
+    secp256k1_sha256_finalize(&sha, nonce32);
+    return 1;
+}
+
+const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor = nonce_function_schnorr_adaptor;
+
 #endif