Merge #117: Add ECDSA adaptor signatures module

b0ffa92 ecdsa_adaptor: add tests (Jesse Posner)
6955af5 ecdsa_adaptor: add ECDSA adaptor signature APIs (Jesse Posner)
b508e5d ecdsa_adaptor: add support for proof of discrete logarithm equality (Jesse Posner)
d8f3365 ecdsa_adaptor: add nonce function and tags (Jesse Posner)
654cd63 ecdsa_adaptor: initialize project (Jesse Posner)

Pull request description:

ACKs for top commit:
  LLFourn:
    ACK b0ffa92 I've added a small warning to the spec too.
  jonasnick:
    ACK b0ffa92

Tree-SHA512: f14e6f32265518d435d4da00a73423615ba900de68c28039ae26ac7ee7b4088db44358741411d96c42bd497db79483ff0766fc2d076d95a9116bcc168b80802d

.cirrus.yml

@@ -17,6 +17,7 @@ env:
   RANGEPROOF: no
   WHITELIST: no
   MUSIG: no
+  ECDSAADAPTOR: no
   EXPERIMENTAL: no
   CTIMETEST: yes
   BENCH: yes
@@ -59,13 +60,13 @@ task:
     memory: 1G
   matrix: &ENV_MATRIX
     - env: {WIDEMUL:  int64,  RECOVERY: yes}
-    - env: {WIDEMUL:  int64,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes,  RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes}
+    - env: {WIDEMUL:  int64,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes,  RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
     - env: {WIDEMUL: int128}
     - env: {WIDEMUL: int128,  RECOVERY: yes,            EXPERIMENTAL: yes, SCHNORRSIG: yes}
-    - env: {WIDEMUL: int128,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes}
+    - env: {WIDEMUL: int128,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
     - env: {WIDEMUL: int128,  ASM: x86_64}
     - env: {BIGNUM: no}
-    - env: {BIGNUM: no,       RECOVERY: yes,            EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes}
+    - env: {BIGNUM: no,       RECOVERY: yes,            EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
     - env: {BIGNUM: no,       STATICPRECOMPUTATION: no}
     - env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETEST: no, BENCH: no}
     - env: {CPPFLAGS: -DDETERMINISTIC}
@@ -85,6 +86,7 @@ task:
         WHITELIST: yes
         GENERATOR: yes
         MUSIG: yes
+        ECDSAADAPTOR: yes
         CTIMETEST: no
     - env: { ECMULTGENPRECISION: 2 }
     - env: { ECMULTGENPRECISION: 8 }
@@ -101,6 +103,7 @@ task:
         WHITELIST: yes
         GENERATOR: yes
         MUSIG: yes
+        ECDSAADAPTOR: yes
         EXTRAFLAGS: "--disable-openssl-tests"
         BUILD:
   matrix:
@@ -130,6 +133,7 @@ task:
     WHITELIST: yes
     GENERATOR: yes
     MUSIG: yes
+    ECDSAADAPTOR: yes
   matrix:
     - env:
         CC: i686-linux-gnu-gcc
@@ -227,6 +231,7 @@ task:
     WHITELIST: yes
     GENERATOR: yes
     MUSIG: yes
+    ECDSAADAPTOR: yes
     CTIMETEST: no
   << : *MERGE_BASE
   test_script:

Makefile.am

@@ -189,3 +189,6 @@ if ENABLE_MODULE_ECDSA_S2C
 include src/modules/ecdsa_s2c/Makefile.am.include
 endif
 
+if ENABLE_MODULE_ECDSA_ADAPTOR
+include src/modules/ecdsa_adaptor/Makefile.am.include
+endif

README.md

@@ -17,6 +17,7 @@ Features:
 * Suitable for embedded systems.
 * Optional module for public key recovery.
 * Optional module for ECDH key exchange.
+* Optional module for ECDSA adaptor signatures (experimental).
 
 Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.
 

ci/cirrus.sh

@@ -19,7 +19,7 @@ valgrind --version || true
     --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
     --enable-module-ecdsa-s2c="$ECDSA_S2C" \
     --enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \
-    --enable-module-schnorrsig="$SCHNORRSIG"  --enable-module-musig="$MUSIG"\
+    --enable-module-schnorrsig="$SCHNORRSIG"  --enable-module-musig="$MUSIG" --enable-module-ecdsa-adaptor="$ECDSAADAPTOR" \
     --with-valgrind="$WITH_VALGRIND" \
     --host="$HOST" $EXTRAFLAGS
 

configure.ac

@@ -180,6 +180,11 @@ AC_ARG_ENABLE(module_ecdsa_s2c,
     [enable_module_ecdsa_s2c=$enableval],
     [enable_module_ecdsa_s2c=no])
 
+AC_ARG_ENABLE(module_ecdsa-adaptor,
+    AS_HELP_STRING([--enable-module-ecdsa-adaptor],[enable ECDSA adaptor module [default=no]]),
+    [enable_module_ecdsa_adaptor=$enableval],
+    [enable_module_ecdsa_adaptor=no])
+
 AC_ARG_ENABLE(external_default_callbacks,
     AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]),
     [use_external_default_callbacks=$enableval],
@@ -580,6 +585,10 @@ if test x"$use_reduced_surjection_proof_size" = x"yes"; then
   AC_DEFINE(USE_REDUCED_SURJECTION_PROOF_SIZE, 1, [Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16, disabling parsing and verification])
 fi
 
+if test x"$enable_module_ecdsa_adaptor" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_ECDSA_ADAPTOR, 1, [Define this symbol to enable the ECDSA adaptor module])
+fi
+
 ###
 ### Check for --enable-experimental if necessary
 ###
@@ -596,6 +605,7 @@ if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([Building extrakeys module: $enable_module_extrakeys])
   AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
   AC_MSG_NOTICE([Building ECDSA sign-to-contract module: $enable_module_ecdsa_s2c])
+  AC_MSG_NOTICE([Building ECDSA adaptor signatures module: $enable_module_ecdsa_adaptor])
   AC_MSG_NOTICE([******])
 
 
@@ -632,6 +642,9 @@ else
   if test x"$enable_module_ecdsa_s2c" = x"yes"; then
     AC_MSG_ERROR([ECDSA sign-to-contract module module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_ecdsa_adaptor" = x"yes"; then
+    AC_MSG_ERROR([ecdsa adaptor signatures module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
@@ -673,6 +686,7 @@ AM_CONDITIONAL([ENABLE_MODULE_WHITELIST], [test x"$enable_module_whitelist" = x"
 AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDSA_S2C], [test x"$enable_module_ecdsa_s2c" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_ECDSA_ADAPTOR], [test x"$enable_module_ecdsa_adaptor" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
 AM_CONDITIONAL([ENABLE_MODULE_SURJECTIONPROOF], [test x"$enable_module_surjectionproof" = x"yes"])
@@ -698,6 +712,7 @@ echo "  module recovery         = $enable_module_recovery"
 echo "  module extrakeys        = $enable_module_extrakeys"
 echo "  module schnorrsig       = $enable_module_schnorrsig"
 echo "  module ecdsa-s2c        = $enable_module_ecdsa_s2c"
+echo "  module ecdsa-adaptor    = $enable_module_ecdsa_adaptor"
 echo
 echo "  asm                     = $set_asm"
 echo "  bignum                  = $set_bignum"

include/secp256k1_ecdsa_adaptor.h

@@ -0,0 +1,162 @@
+#ifndef SECP256K1_ECDSA_ADAPTOR_H
+#define SECP256K1_ECDSA_ADAPTOR_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** This module implements single signer ECDSA adaptor signatures following
+ *  "One-Time Verifiably Encrypted Signatures A.K.A. Adaptor Signatures" by
+ *  Lloyd Fournier
+ *  (https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002316.html
+ *  and https://github.com/LLFourn/one-time-VES/blob/master/main.pdf).
+ *
+ *  WARNING! DANGER AHEAD!
+ *  As mentioned in Lloyd Fournier's paper, the adaptor signature leaks the
+ *  Elliptic-curve Diffie–Hellman (ECDH) key between the signing key and the
+ *  encryption key. This is not a problem for ECDSA adaptor signatures
+ *  themselves, but may result in a complete loss of security when they are
+ *  composed with other schemes. More specifically, let us refer to the
+ *  signer's public key as X = x*G, and to the encryption key as Y = y*G.
+ *  Given X, Y and the adaptor signature, it is trivial to compute Y^x = X^y.
+ *
+ *  A defense is to not reuse the signing key of ECDSA adaptor signatures in
+ *  protocols that rely on the hardness of the CDH problem, e.g., Diffie-Hellman
+ *  key exchange and ElGamal encryption. In general, it is a well-established
+ *  cryptographic practice to seperate keys for different purposes whenever
+ *  possible.
+ */
+
+/** A pointer to a function to deterministically generate a nonce.
+ *
+ *  Same as secp256k1_nonce_function_hardened with the exception of using the
+ *  compressed 33-byte encoding for the pubkey argument.
+ *
+ *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
+ *           return an error.
+ *  Out:     nonce32:   pointer to a 32-byte array to be filled by the function
+ *  In:        msg32:   the 32-byte message hash being verified
+ *             key32:   pointer to a 32-byte secret key
+ *              pk33:   the 33-byte serialized pubkey corresponding to key32
+ *              algo:   pointer to an array describing the signature algorithm
+ *           algolen:   the length of the algo array
+ *              data:   arbitrary data pointer that is passed through
+ *
+ *  Except for test cases, this function should compute some cryptographic hash of
+ *  the message, the key, the pubkey, the algorithm description, and data.
+ */
+typedef int (*secp256k1_nonce_function_hardened_ecdsa_adaptor)(
+    unsigned char *nonce32,
+    const unsigned char *msg32,
+    const unsigned char *key32,
+    const unsigned char *pk33,
+    const unsigned char *algo,
+    size_t algolen,
+    void *data
+);
+
+/** A modified BIP-340 nonce generation function. If a data pointer is passed, it is
+ *  assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340.
+ *  The hash will be tagged with algo after removing all terminating null bytes.
+ */
+SECP256K1_API extern const secp256k1_nonce_function_hardened_ecdsa_adaptor secp256k1_nonce_function_ecdsa_adaptor;
+
+/** Encrypted Signing
+ *
+ *  Creates an adaptor signature, which includes a proof to verify the adaptor
+ *  signature.
+ *  WARNING: Make sure you have read and understood the WARNING at the top of
+ *  this file and applied the suggested countermeasures.
+ *
+ *  Returns: 1 on success, 0 on failure
+ *  Args:             ctx: a secp256k1 context object, initialized for signing
+ *  Out:   adaptor_sig162: pointer to 162 byte to store the returned signature
+ *  In:          seckey32: pointer to 32 byte secret key that will be used for
+ *                         signing
+ *                 enckey: pointer to the encryption public key
+ *                  msg32: pointer to the 32-byte message hash to sign
+ *                noncefp: pointer to a nonce generation function. If NULL,
+ *                         secp256k1_nonce_function_ecdsa_adaptor is used
+ *                  ndata: pointer to arbitrary data used by the nonce generation
+ *                         function (can be NULL). If it is non-NULL and
+ *                         secp256k1_nonce_function_ecdsa_adaptor is used, then
+ *                         ndata must be a pointer to 32-byte auxiliary randomness
+ *                         as per BIP-340.
+ */
+SECP256K1_API int secp256k1_ecdsa_adaptor_encrypt(
+    const secp256k1_context* ctx,
+    unsigned char *adaptor_sig162,
+    unsigned char *seckey32,
+    const secp256k1_pubkey *enckey,
+    const unsigned char *msg32,
+    secp256k1_nonce_function_hardened_ecdsa_adaptor noncefp,
+    void *ndata
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Encryption Verification
+ *
+ *  Verifies that the adaptor decryption key can be extracted from the adaptor signature
+ *  and the completed ECDSA signature.
+ *
+ *  Returns: 1 on success, 0 on failure
+ *  Args:            ctx: a secp256k1 context object, initialized for verification
+ *  In:   adaptor_sig162: pointer to 162-byte signature to verify
+ *                pubkey: pointer to the public key corresponding to the secret key
+ *                        used for signing
+ *                 msg32: pointer to the 32-byte message hash being verified
+ *                enckey: pointer to the adaptor encryption public key
+ */
+SECP256K1_API int secp256k1_ecdsa_adaptor_verify(
+    const secp256k1_context* ctx,
+    const unsigned char *adaptor_sig162,
+    const secp256k1_pubkey *pubkey,
+    const unsigned char *msg32,
+    const secp256k1_pubkey *enckey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Signature Decryption
+ *
+ *  Derives an ECDSA signature from an adaptor signature and an adaptor decryption key.
+ *
+ *  Returns: 1 on success, 0 on failure
+ *  Args:              ctx: a secp256k1 context object
+ *  Out:               sig: pointer to the ECDSA signature to create
+ *  In:           deckey32: pointer to 32-byte decryption secret key for the adaptor
+ *                          encryption public key
+ *          adaptor_sig162: pointer to 162-byte adaptor sig
+ */
+SECP256K1_API int secp256k1_ecdsa_adaptor_decrypt(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature *sig,
+    const unsigned char *deckey32,
+    const unsigned char *adaptor_sig162
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Decryption Key Recovery
+ *
+ *  Extracts the adaptor decryption key from the complete signature and the adaptor
+ *  signature.
+ *
+ *  Returns: 1 on success, 0 on failure
+ *  Args:             ctx: a secp256k1 context object, initialized for signing
+ *  Out:         deckey32: pointer to 32-byte adaptor decryption key for the adaptor
+ *                         encryption public key
+ *  In:               sig: pointer to ECDSA signature to recover the adaptor decryption
+ *                         key from
+ *         adaptor_sig162: pointer to adaptor signature to recover the adaptor
+ *                         decryption key from
+ *                 enckey: pointer to the adaptor encryption public key
+ */
+SECP256K1_API int secp256k1_ecdsa_adaptor_recover(
+    const secp256k1_context* ctx,
+    unsigned char *deckey32,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *adaptor_sig162,
+    const secp256k1_pubkey *enckey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_ECDSA_ADAPTOR_H */

src/modules/ecdsa_adaptor/Makefile.am.include

@@ -0,0 +1,4 @@
+include_HEADERS += include/secp256k1_ecdsa_adaptor.h
+noinst_HEADERS += src/modules/ecdsa_adaptor/main_impl.h
+noinst_HEADERS += src/modules/ecdsa_adaptor/dleq_impl.h
+noinst_HEADERS += src/modules/ecdsa_adaptor/tests_impl.h