schnorr_adaptor: initialize project

This commit adds the foundational configuration, building scripts, and
an initial structure for the project.

Author: siv2r

CMakeLists.txt

@@ -69,9 +69,18 @@ option(SECP256K1_ENABLE_MODULE_MUSIG "Enable MuSig module." ON)
 option(SECP256K1_ENABLE_MODULE_ECDSA_ADAPTOR "Enable ecdsa adaptor signatures module." ON)
 option(SECP256K1_ENABLE_MODULE_ECDSA_S2C "Enable ECDSA sign-to-contract module." ON)
 option(SECP256K1_ENABLE_MODULE_BPPP "Enable Bulletproofs++ module." ON)
+option(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR "Enable schnorr adaptor signatures module." ON)
 
 # Processing must be done in a topological sorting of the dependency graph
 # (dependent module first).
+if(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR)
+  if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG)
+    message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the schnorr adaptor signatures module.")
+  endif()
+  set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON)
+  add_compile_definitions(ENABLE_MODULE_SCHNORR_ADAPTOR=1)
+endif()
+
 if(SECP256K1_ENABLE_MODULE_BPPP)
   if(DEFINED SECP256K1_ENABLE_MODULE_GENERATOR AND NOT SECP256K1_ENABLE_MODULE_GENERATOR)
     message(FATAL_ERROR "Module dependency error: You have disabled the generator module explicitly, but it is required by the bppp module.")
@@ -362,6 +371,7 @@ message("  musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG
 message("  ecdsa-s2c ........................... ${SECP256K1_ENABLE_MODULE_ECDSA_S2C}")
 message("  ecdsa-adaptor ....................... ${SECP256K1_ENABLE_MODULE_ECDSA_ADAPTOR}")
 message("  bppp ................................ ${SECP256K1_ENABLE_MODULE_BPPP}")
+message("  schnorr-adaptor ..................... ${SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR}")
 message("Parameters:")
 message("  ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}")
 message("  ecmult gen precision bits ........... ${SECP256K1_ECMULT_GEN_PREC_BITS}")

Makefile.am

@@ -320,3 +320,7 @@ endif
 if ENABLE_MODULE_ECDSA_ADAPTOR
 include src/modules/ecdsa_adaptor/Makefile.am.include
 endif
+
+if ENABLE_MODULE_SCHNORR_ADAPTOR
+include src/modules/schnorr_adaptor/Makefile.am.include
+endif

README.md

@@ -12,6 +12,7 @@ Added features:
 * Experimental module for Confidential Assets (Pedersen commitments, range proofs, and [surjection proofs](src/modules/surjection/surjection.md)).
 * Experimental module for Bulletproofs++ range proofs.
 * Experimental module for [address whitelisting](src/modules/whitelist/whitelist.md).
+* Experimental module for Schnorr adaptor signatures.
 
 Experimental features are made available for testing and review by the community. The APIs of these features should not be considered stable.
 

configure.ac

@@ -188,6 +188,10 @@ AC_ARG_ENABLE(module_schnorrsig_halfagg,
     AS_HELP_STRING([--enable-module-schnorrsig-halfagg],[enable schnorrsig half-aggregation module (experimental) [default=no]]), [],
     [SECP_SET_DEFAULT([enable_module_schnorrsig_halfagg], [no], [yes])])
 
+AC_ARG_ENABLE(module_schnorr_adaptor,
+    AS_HELP_STRING([--enable-module-schnorr-adaptor],[enable Schnorr adaptor module [default=no]]), [],
+    [SECP_SET_DEFAULT([enable_module_schnorr_adaptor], [no], [yes])])
+
 AC_ARG_ENABLE(module_ellswift,
     AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
     [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
@@ -454,6 +458,14 @@ if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then
   enable_module_schnorrsig=yes
 fi
 
+if test x"$enable_module_schnorr_adaptor" = x"yes"; then
+  if test x"$enable_module_schnorrsig" = x"no"; then
+    AC_MSG_ERROR([Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the schnorr adaptor module.])
+  fi
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORR_ADAPTOR=1"
+  enable_module_schnorrsig=yes
+fi
+
 if test x"$enable_module_bppp" = x"yes"; then
   if test x"$enable_module_generator" = x"no"; then
     AC_MSG_ERROR([Module dependency error: You have disabled the generator module explicitly, but it is required by the bppp module.])
@@ -555,6 +567,9 @@ else
   if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then
     AC_MSG_ERROR([Schnorrsig Half-Aggregation module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_schnorr_adaptor" = x"yes"; then
+    AC_MSG_ERROR([Schnorr adaptor signatures module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$enable_module_bppp" = x"yes"; then
     AC_MSG_ERROR([Bulletproofs++ module is experimental. Use --enable-experimental to allow.])
   fi
@@ -611,6 +626,7 @@ AM_CONDITIONAL([ENABLE_MODULE_ECDSA_S2C], [test x"$enable_module_ecdsa_s2c" = x"
 AM_CONDITIONAL([ENABLE_MODULE_ECDSA_ADAPTOR], [test x"$enable_module_ecdsa_adaptor" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_BPPP], [test x"$enable_module_bppp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG_HALFAGG], [test x"$enable_module_schnorrsig_halfagg" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_SCHNORR_ADAPTOR], [test x"$enable_module_schnorr_adaptor" = x"yes"])
 AM_CONDITIONAL([USE_REDUCED_SURJECTION_PROOF_SIZE], [test x"$use_reduced_surjection_proof_size" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
@@ -651,6 +667,7 @@ echo "  module ecdsa-s2c        = $enable_module_ecdsa_s2c"
 echo "  module ecdsa-adaptor    = $enable_module_ecdsa_adaptor"
 echo "  module bppp             = $enable_module_bppp"
 echo "  module schnorrsig-halfagg = $enable_module_schnorrsig_halfagg"
+echo "  module schnorr-adaptor  = $enable_module_schnorr_adaptor"
 echo
 echo "  asm                       = $set_asm"
 echo "  ecmult window size        = $set_ecmult_window"

include/secp256k1_schnorr_adaptor.h

@@ -0,0 +1,71 @@
+#ifndef SECP256K1_SCHNORR_ADAPTOR_H
+#define SECP256K1_SCHNORR_ADAPTOR_H
+
+#include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** This module provides an experimental implementation of a Schnorr adaptor
+ *  signature protocol variant.
+ *
+ *  The test vectors have been generated and cross-verified using a Python
+ *  implementation of this adaptor signature variant available at [0].
+ *
+ *  The protocol involves two parties, Alice and Bob. The general sequence of
+ *  their interaction is as follows:
+ *  1. Alice calls the `schnorr_adaptor_presign` function for an adaptor point T
+ *  and sends the pre-signature to Bob.
+ *  2. Bob extracts the adaptor point T from the pre-signature using
+ *  `schnorr_adaptor_extract`.
+ *  3. Bob provides the pre-signature and the discrete logarithm of T to
+ *  `schnorr_adaptor_adapt` which outputs a valid BIP 340 Schnorr signature.
+ *  4. Alice extracts the discrete logarithm of T from the pre-signature and the
+ *  BIP 340 signature using `schnorr_adaptor_extract_sec`.
+ *
+ *  In contrast to common descriptions of adaptor signature protocols, this
+ *  module does not provide a verification algorithm for pre-signatures.
+ *  Instead, `schnorr_adaptor_extract` returns the adaptor point encoded by a
+ *  pre-signature, reducing communication cost. If a verification function for
+ *  pre-signatures is needed, it can be easily simulated with
+ *  `schnorr_adaptor_extract`.
+ *
+ *  Assuming that BIP 340 Schnorr signatures satisfy strong unforgeability under
+ *  chosen message attack, the Schnorr adaptor signature scheme fulfills the
+ *  following properties as formalized by [1].
+ *
+ *  - Witness extractability:
+ *    If Alice
+ *      1. creates a pre-signature with `schnorr_adaptor_presign` for message m
+ *         and adaptor point T and
+ *      2. receives a Schnorr signature for message m that she hasn't created
+ *         herself,
+ *    then Alice is able to obtain the discrete logarithm of T with
+ *    `schnorr_adaptor_extract_sec`.
+ *
+ *  - Pre-signature adaptability:
+ *    If Bob
+ *      1. receives a pre-signature and extracts an adaptor point T using
+ *         `schnorr_adaptor_extract`, and
+ *      2. obtains the discrete logarithm of the adaptor point T
+ *    Then then Bob is able to adapt the received pre-signature to a valid BIP
+ *    340 Schnorr signature using `schnorr_adaptor_adapt`.
+ *
+ *  - Existential Unforgeability:
+ *    Bob is not able to create a BIP 340 signature from a pre-signature for
+ *    adaptor T without knowing the discrete logarithm of T.
+ *
+ *  - Pre-signature existiential unforgeability:
+ *    Only Alice can create a pre-signature for her public key.
+ *
+ *  [0] https://github.com/ZhePang/Python_Specification_for_Schnorr_Adaptor
+ *  [1] https://eprint.iacr.org/2020/476.pdf
+ */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_SCHNORR_ADAPTOR_H */

src/CMakeLists.txt

@@ -120,6 +120,9 @@ if(SECP256K1_INSTALL)
     "${PROJECT_SOURCE_DIR}/include/secp256k1.h"
     "${PROJECT_SOURCE_DIR}/include/secp256k1_preallocated.h"
   )
+  if(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR)
+    list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_schnorr_adaptor.h")
+  endif()
   if(SECP256K1_ENABLE_MODULE_BPPP)
     list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_bppp.h")
   endif()

src/modules/schnorr_adaptor/Makefile.am.include

@@ -0,0 +1,2 @@
+include_HEADERS += include/secp256k1_schnorr_adaptor.h
+noinst_HEADERS += src/modules/schnorr_adaptor/main_impl.h

src/modules/schnorr_adaptor/main_impl.h

@@ -0,0 +1,13 @@
+/**********************************************************************
+ * Copyright (c) 2023-2024 Zhe Pang and Sivaram Dhakshinamoorthy      *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_MODULE_SCHNORR_ADAPTOR_MAIN_H
+#define SECP256K1_MODULE_SCHNORR_ADAPTOR_MAIN_H
+
+#include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_schnorr_adaptor.h"
+
+#endif

src/secp256k1.c

@@ -877,6 +877,10 @@ static int secp256k1_ge_parse_ext(secp256k1_ge* ge, const unsigned char *in33) {
 # include "modules/schnorrsig_halfagg/main_impl.h"
 #endif
 
+#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR
+# include "modules/schnorr_adaptor/main_impl.h"
+#endif
+
 #ifdef ENABLE_MODULE_ELLSWIFT
 # include "modules/ellswift/main_impl.h"
 #endif