schnorr_adaptor: add adaptor signature APIs

This commit adds the Schnorr adaptor signature APIs:

- adaptor_presign

    Creates a pre-signature for a given message and adaptor point.

- adaptor_extract

    Extracts the adaptor point from a pre-signature.

- adaptor_adapt

    Adapts the pre-signature to produce a BIP-340 Schnorr signature.

- adaptor_extract_sec

    Extracts the secret adaptor (discrete logarithm of adaptor point)
    from a pre-signature and the corresponding BIP-340 signature.

Author: siv2r

include/secp256k1_schnorr_adaptor.h

@@ -105,6 +105,109 @@ typedef int (*secp256k1_nonce_function_hardened_schnorr_adaptor)(
  */
 SECP256K1_API const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor;
 
+/** Creates a pre-signature for a given message and adaptor point.
+ *
+ *  The pre-signature can be converted into a valid BIP-340 Schnorr signature
+ *  (using `schnorr_adaptor_adapt`) by combining it with the discrete logarithm
+ *  of the adaptor point.
+ *
+ *  This function only signs 32-byte messages. If you have messages of a
+ *  different size (or the same size but without a context-specific tag
+ *  prefix), it is recommended to create a 32-byte message hash with
+ *  secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows
+ *  providing an context-specific tag for domain separation. This prevents
+ *  signatures from being valid in multiple contexts by accident.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:        ctx: pointer to a context object (not secp256k1_context_static).
+ *  Out:   pre_sig65: pointer to a 65-byte array to store the pre-signature.
+ *  In:        msg32: the 32-byte message being signed.
+ *           keypair: pointer to an initialized keypair.
+ *           adaptor: pointer to an adaptor point encoded as a public key.
+ *        aux_rand32: pointer to arbitrary data used by the nonce generation
+ *                    function (can be NULL). If it is non-NULL and
+ *                    secp256k1_nonce_function_schnorr_adaptor is used, then
+ *                    aux_rand32 must be a pointer to 32-byte auxiliary randomness
+ *                    as per BIP-340.
+ */
+SECP256K1_API int secp256k1_schnorr_adaptor_presign(
+    const secp256k1_context *ctx,
+    unsigned char *pre_sig65,
+    const unsigned char *msg32,
+    const secp256k1_keypair *keypair,
+    const secp256k1_pubkey *adaptor,
+    const unsigned char *aux_rand32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Extracts the adaptor point from a pre-signature.
+ *
+ *  This function assumes that pre_sig65 was created using the corresponding
+ *  msg32, pubkey, and a valid adaptor point, which it will extract. If these
+ *  inputs are not related (e.g., if pre_sig65 was generated with a different
+ *  key or message), the extracted adaptor point will be incorrect. However,
+ *  the function will still return 1 to indicate a successful extraction.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:         ctx: pointer to a context object.
+ *  Out:      adaptor: pointer to store the adaptor point.
+ *  In:     pre_sig65: pointer to a 65-byte pre-signature.
+ *              msg32: the 32-byte message associated with presig_65
+ *             pubkey: pointer to the x-only public key associated with pre_sig65
+ */
+SECP256K1_API int secp256k1_schnorr_adaptor_extract(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *adaptor,
+    const unsigned char *pre_sig65,
+    const unsigned char *msg32,
+    const secp256k1_xonly_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Adapts the pre-signature to produce a BIP-340 Schnorr signature.
+ *
+ *  The output BIP-340 signature is not verified by this function.
+ *  To verify it, use `secp256k1_schnorrsig_verify`.
+ *
+ *  If the pre_sig65 and sec_adaptor32 values are not related, the
+ *  output signature will be invalid. In this case, the function will
+ *  still return 1 to indicate successful execution.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object.
+ *  Out:          sig64: pointer to a 64-byte array to store the adapted
+ *                       pre-signature. This pointer may point to the same
+ *                       memory area as `pre_sig65`.
+ *  In:       pre_sig65: pointer to a 65-byte pre-signature.
+ *        sec_adaptor32: pointer to a 32-byte secret adaptor associated with pre_sig65
+ */
+SECP256K1_API int secp256k1_schnorr_adaptor_adapt(
+    const secp256k1_context *ctx,
+    unsigned char *sig64,
+    const unsigned char *pre_sig65,
+    const unsigned char *sec_adaptor32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Extracts the secret adaptor (discrete logarithm of the adaptor point)
+ *  from a pre-signature and the corresponding BIP-340 signature.
+ *
+ *  This function assumes that the sig64 was created by adapting pre_sig65.
+ *  If these inputs are not related, the extracted secret adaptor will be
+ *  incorrect. However, the function will still return 1 to indicate successful
+ *  extraction.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object.
+ *  Out:  sec_adaptor32: pointer to a 32-byte array to store the secret adaptor.
+ *  In:       pre_sig65: pointer to a 65-byte pre-signature.
+ *                sig64: pointer to a valid 64-byte BIP-340 Schnorr signature
+ *                       associated with pre_sig65.
+ */
+SECP256K1_API int secp256k1_schnorr_adaptor_extract_sec(
+    const secp256k1_context *ctx,
+    unsigned char *sec_adaptor32,
+    const unsigned char *pre_sig65,
+    const unsigned char *sig64
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #ifdef __cplusplus
 }
 #endif

src/modules/schnorr_adaptor/main_impl.h

@@ -99,4 +99,272 @@ static int nonce_function_schnorr_adaptor(unsigned char *nonce32, const unsigned
 
 const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor = nonce_function_schnorr_adaptor;
 
+static int secp256k1_schnorr_adaptor_presign_internal(const secp256k1_context *ctx, unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_keypair *keypair, const secp256k1_pubkey *adaptor, secp256k1_nonce_function_hardened_schnorr_adaptor noncefp, void *ndata) {
+    secp256k1_scalar sk;
+    secp256k1_scalar e;
+    secp256k1_scalar k;
+    secp256k1_gej rj, rpj;
+    secp256k1_ge r, rp;
+    secp256k1_ge pk;
+    secp256k1_ge adaptor_ge;
+    unsigned char nonce32[32] = { 0 };
+    unsigned char pk_buf[32];
+    unsigned char seckey[32];
+    unsigned char adaptor_buff[33];
+    size_t cmprssd_len = 33; /* for serializing `adaptor_ge` and `pre_sig65` */
+    int serialize_ret = 0;
+    int ret = 1;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(pre_sig65 != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(keypair != NULL);
+    ARG_CHECK(adaptor != NULL);
+
+    if (noncefp == NULL) {
+        noncefp = secp256k1_nonce_function_schnorr_adaptor;
+    }
+
+    /* T := adaptor_ge */
+    if(!secp256k1_pubkey_load(ctx, &adaptor_ge, adaptor)){
+        return 0;
+    }
+
+    ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair);
+    /* Because we are signing for a x-only pubkey, the secret key is negated
+     * before signing if the point corresponding to the secret key does not
+     * have an even Y. */
+    if (secp256k1_fe_is_odd(&pk.y)) {
+        secp256k1_scalar_negate(&sk, &sk);
+    }
+
+    /* Generate the nonce k */
+    secp256k1_scalar_get_b32(seckey, &sk);
+    secp256k1_fe_get_b32(pk_buf, &pk.x);
+    serialize_ret = secp256k1_eckey_pubkey_serialize(&adaptor_ge, adaptor_buff, &cmprssd_len, 1);
+    VERIFY_CHECK(serialize_ret);
+    ret &= !!noncefp(nonce32, msg32, seckey, adaptor_buff, pk_buf, schnorr_adaptor_algo, sizeof(schnorr_adaptor_algo), ndata);
+    secp256k1_scalar_set_b32(&k, nonce32, NULL);
+    ret &= !secp256k1_scalar_is_zero(&k);
+    secp256k1_scalar_cmov(&k, &secp256k1_scalar_one, !ret);
+
+    /* R = k*G */
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+    secp256k1_ge_set_gej(&r, &rj);
+
+    /* We declassify the non-secret values R and T to allow using them
+     * as branch points. */
+    secp256k1_declassify(ctx, &rj, sizeof(rj));
+    secp256k1_declassify(ctx, &adaptor_ge, sizeof(adaptor_ge));
+    /* R' = R + T */
+    secp256k1_gej_add_ge_var(&rpj, &rj, &adaptor_ge, NULL);
+    secp256k1_ge_set_gej(&rp, &rpj);
+
+    /* We declassify R' (non-secret value) to branch on it */
+    secp256k1_declassify(ctx, &rp, sizeof(rp));
+    secp256k1_fe_normalize_var(&rp.y);
+
+    /* Determine if the secret nonce should be negated.
+    *
+    * pre_sig65[0:33] contains the compressed 33-byte encoding of the public
+    * nonce R' = k*G + T, where k is the secret nonce and T is the adaptor point.
+    *
+    * Since a BIP340 signature requires an x-only public nonce, in the case where
+    * R' = k*G + T has odd Y-coordinate, the x-only public nonce corresponding to
+    * the signature is actually -k*G - T. Therefore, we negate k to ensure that the
+    * adapted pre-signature will result in a valid BIP340 signature, with an even R'.y
+    *
+    *  pre_sig65[33:65] =  k + e * d if R'.y is even
+    *                   = -k + e * d if R'.y is odd
+    */
+    if (secp256k1_fe_is_odd(&rp.y)) {
+        secp256k1_scalar_negate(&k, &k);
+    }
+    serialize_ret = secp256k1_eckey_pubkey_serialize(&rp, pre_sig65, &cmprssd_len, 1);
+    /* R' is not the point at infinity with overwhelming probability */
+    VERIFY_CHECK(serialize_ret);
+    (void) serialize_ret;
+
+    secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, pk_buf);
+    secp256k1_scalar_mul(&e, &e, &sk);
+    secp256k1_scalar_add(&e, &e, &k);
+    secp256k1_scalar_get_b32(&pre_sig65[33], &e);
+
+    secp256k1_memczero(pre_sig65, 65, !ret);
+    secp256k1_scalar_clear(&k);
+    secp256k1_scalar_clear(&sk);
+    memset(seckey, 0, sizeof(seckey));
+
+    return ret;
+}
+
+int secp256k1_schnorr_adaptor_presign(const secp256k1_context *ctx, unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_keypair *keypair, const secp256k1_pubkey *adaptor, const unsigned char *aux_rand32) {
+    /* We cast away const from the passed aux_rand32 argument since we know the default nonce function does not modify it. */
+    return secp256k1_schnorr_adaptor_presign_internal(ctx, pre_sig65, msg32, keypair, adaptor, secp256k1_nonce_function_schnorr_adaptor, (unsigned char*)aux_rand32);
+}
+
+
+int secp256k1_schnorr_adaptor_extract(const secp256k1_context *ctx, secp256k1_pubkey *adaptor, const unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) {
+    secp256k1_scalar s;
+    secp256k1_scalar e;
+    secp256k1_ge pk;
+    secp256k1_gej pkj;
+    secp256k1_ge adaptor_ge;
+    secp256k1_gej adaptor_gej;
+    secp256k1_gej rj;
+    secp256k1_ge rp;
+    unsigned char buf[32];
+    int overflow;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(adaptor != NULL);
+    ARG_CHECK(pre_sig65 != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(pubkey != NULL);
+
+    /* R' := pre_sig65[0:33] */
+    if (!secp256k1_eckey_pubkey_parse(&rp, &pre_sig65[0], 33)) {
+        return 0;
+    }
+    /* s := pre_sig65[33:65] */
+    secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow);
+    if (overflow) {
+        return 0;
+    }
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
+        return 0;
+    }
+
+    /* Compute e */
+    secp256k1_fe_get_b32(buf, &pk.x);
+    secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, buf);
+
+    /* Compute R = s*G + (-e)*P */
+    secp256k1_scalar_negate(&e, &e);
+    secp256k1_gej_set_ge(&pkj, &pk);
+    secp256k1_ecmult(&rj, &pkj, &e, &s);
+    if (secp256k1_gej_is_infinity(&rj)) {
+        return 0;
+    }
+
+    /* Determine if R needs to be negated
+     *
+     * `adaptor_presign` negates the secret nonce k when R’.y is odd, during
+     * the computation of the s value (i.e., presig[33:65]). Therefore, we need
+     * to negate R = k*G (if R'.y is odd) before subtracting it from R' = R + T.
+     *
+     *  T =  R' - R if R'.y is even
+     *    =  R' + R  if R'.y is odd
+     */
+    secp256k1_fe_normalize_var(&rp.y);
+    if (!secp256k1_fe_is_odd(&rp.y)) {
+        secp256k1_gej_neg(&rj, &rj);
+    }
+    secp256k1_gej_add_ge_var(&adaptor_gej, &rj, &rp, NULL);
+    secp256k1_ge_set_gej(&adaptor_ge, &adaptor_gej);
+    if (secp256k1_ge_is_infinity(&adaptor_ge)) {
+        return 0;
+    }
+    secp256k1_pubkey_save(adaptor, &adaptor_ge);
+
+    return 1;
+}
+
+int secp256k1_schnorr_adaptor_adapt(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *pre_sig65, const unsigned char *sec_adaptor32) {
+    secp256k1_scalar s;
+    secp256k1_scalar t;
+    int overflow;
+    int ret = 1;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig64 != NULL);
+    ARG_CHECK(pre_sig65 != NULL);
+    ARG_CHECK(sec_adaptor32 != NULL);
+
+    if (pre_sig65[0] != SECP256K1_TAG_PUBKEY_EVEN && pre_sig65[0] != SECP256K1_TAG_PUBKEY_ODD) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow);
+    if (overflow) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&t, sec_adaptor32, &overflow);
+    ret &= !overflow;
+
+    /* Determine if the secret adaptor should be negated.
+     *
+     * pre_sig65[0:33] contains the compressed 33-byte encoding of the public
+     * nonce R' = (k + t)*G, where r is the secret nonce generated by
+     * `adaptor_presign` and t is the secret adaptor.
+     *
+     * Since a BIP340 signature requires an x-only public nonce, in the case where
+     * (k + t)*G has odd Y-coordinate, the x-only public nonce corresponding to the
+     * signature is actually (-k - t)*G. Thus adapting a pre-signature requires
+     * negating t in this case.
+     *
+     * sig64[32:64]  =  s + t if R'.y is even
+     *               =  s - t if R'.y is odd
+     */
+    if (pre_sig65[0] == SECP256K1_TAG_PUBKEY_ODD) {
+        secp256k1_scalar_negate(&t, &t);
+    }
+    secp256k1_scalar_add(&s, &s, &t);
+    secp256k1_scalar_get_b32(&sig64[32], &s);
+    memmove(sig64, &pre_sig65[1], 32);
+
+    secp256k1_memczero(sig64, 64, !ret);
+    secp256k1_scalar_clear(&t);
+    return ret;
+}
+
+int secp256k1_schnorr_adaptor_extract_sec(const secp256k1_context *ctx, unsigned char *sec_adaptor32, const unsigned char *pre_sig65, const unsigned char *sig64) {
+    secp256k1_scalar t;
+    secp256k1_scalar s;
+    int overflow;
+    int ret = 1;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sec_adaptor32 != NULL);
+    ARG_CHECK(pre_sig65 != NULL);
+    ARG_CHECK(sig64 != NULL);
+
+    if (pre_sig65[0] != SECP256K1_TAG_PUBKEY_EVEN && pre_sig65[0] != SECP256K1_TAG_PUBKEY_ODD) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow);
+    if (overflow) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&t, &sig64[32], &overflow);
+    ret &= !overflow;
+
+    /*TODO: should we parse presig[0:33] & sig[0:32], to make sure the presig &
+     * has valid public nonce point?
+     *
+     * But we don't care about their validity here right? Then why do we ARG_CHECK
+     * presig[0] parity byte?
+     *
+     * Here, the inputs are invalid but the output is valid :/  */
+
+    secp256k1_scalar_negate(&s, &s);
+    secp256k1_scalar_add(&t, &t, &s);
+    /* `adaptor_adapt` negates the secret adaptor t when R’.y is odd, during
+     * the computation of the BIP340 signature. Therefore, we need negate
+     * (sig[32:64] - pre_sig65[33:65]) in this case.
+     *
+     *  t =  (sig[32:64] - pre_sig65[33:65])  if R'.y is even
+     *    = -(sig[32:64] - pre_sig65[33:65])  if R'.y is odd
+     */
+    if (pre_sig65[0] == SECP256K1_TAG_PUBKEY_ODD) {
+        secp256k1_scalar_negate(&t, &t);
+    }
+    secp256k1_scalar_get_b32(sec_adaptor32, &t);
+
+    secp256k1_memczero(sec_adaptor32, 32, !ret);
+    secp256k1_scalar_clear(&t);
+    return ret;
+}
+
 #endif