
Add schnorrsig module which implements BIP-340 compliant signatures #558

Merged: 15 commits, Sep 11, 2020

Conversation

@jonasnick (Contributor) commented Sep 25, 2018

This PR implements signing, verification and batch verification as described in BIP-340 in an experimental module named schnorrsig. It includes the test vectors and a benchmarking tool.
This PR also adds a module extrakeys that allows BIP-341-style key tweaking.

(Adding ChaCha20 as a CSPRNG and batch verification was moved to PR #760).

In order to enable the module, run ./configure with --enable-experimental --enable-module-schnorrsig.

Based on apoelstra's work.

@jonasnick force-pushed the schnorrsig branch 2 times, most recently from 220012e to 547ad32 on Sep 25, 2018
@jonasnick (Contributor, Author) commented Sep 25, 2018

Replaced the chacha20 commit with a similar commit from secp256k1-zkp (ElementsProject/secp256k1-zkp@c3794f9).

@apoelstra (Member) commented Sep 26, 2018

ACK except nit about sha object, bikeshedding about the module name, and also I did not check that the static test vectors match those in the BIP.

@gmaxwell (Contributor) commented Sep 30, 2018

Maybe we should consider adopting an anti-covert-channel warden workflow as the standard interface for this function?

@jimpo left a comment

Nice! Such hype.

I skipped the tests, hoping to get back around to them.

@apoelstra (Member) commented Oct 1, 2018

@gmaxwell By anti-covert channel do you mean essentially sign-to-contracting random data? I would like this. One thing blocking it is that our nonce function does not take a secp context currently, which makes sign-to-contract unergonomic -- see in sighacker how the sign-to-contract context needs to contain a pointer to the secp context.

I think we should fix that but it should probably be in another PR.

@jonasnick (Contributor, Author) commented Oct 2, 2018

Thanks @jimpo. I added a commit that addresses your comments.

@ghost commented Oct 8, 2018

How does this relate to #212?

@apoelstra (Member) commented Oct 9, 2018

#212 is not secure against rogue-key attacks nor does it commit to the public key being signed for.

@jonasnick (Contributor, Author) commented Oct 9, 2018

and #212 was removed in #425

@real-or-random (Contributor) commented Oct 12, 2018

Oh I was not aware of this PR.
FYI, I suggested that a CSPRNG is not enough for batch validation and we need a hash function to generate the seed (https://github.com/sipa/bips/pull/15/files) but now I see that this PR is doing that anyway. :)

@jonasnick (Contributor, Author) commented Oct 15, 2018

@real-or-random Thanks for the review. I added a commit to address your comments.

@jonasnick (Contributor, Author) commented Oct 24, 2018

Added a test to increase the coverage of schnorrsig_sign. Now coverage in the schnorrsig module is 100% when excluding the lines that can't be hit. See https://htmlpreview.github.io/?https://raw.githubusercontent.com/jonasnick/secp256k1/schnorrsig-stats/coverage.src_modules_schnorrsig_main_impl.h.html

@jonasnick (Contributor, Author) commented Nov 1, 2018

squashed and rebased on master

@jonasnick (Contributor, Author) commented Nov 8, 2018

Added commit that will switch to little endian format when interpreting chacha20 output, replace chacha20 tests with test vectors from the RFC, add sipa's chacha20 test.

jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is in preparation for allowing code reuse by xonly tweak add functions

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@176bfb1

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7640
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@910d9c2

Depends on D7639

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7641
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is in preparation for allowing code reuse by keypair functions

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@f001034

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7642
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@5825446

Depends on D7641

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7643
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@6fcb5b8

Depends on D7643

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7644
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This will be used by the schnorrsig module
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@eabd9bc

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7645
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@7a703fd

Test Plan:
  ninja check-secp256k1

With missing extrakeys:
    cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On

Check that we get an error.

And with the module:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7646
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@7332d2d

Depends on D7646

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7647
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@4e43520

Depends on D7647

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7648
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@8dfd53e

Depends on D7648

Test Plan:
  ninja bench-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7649
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@16ffa9d

Depends on D7649

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7650
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@f431b3f

Depends on D7650

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7651
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is required to declassify pointers to constant memory. Declassify should
never modify its argument.

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@3e08b02

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7636
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is to prepare for xonly_pubkeys and keypairs.

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@47e6618

Test Plan:
  ninja check-secp256k1

And with the module on:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Subscribers: Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7638
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@4cd2ee4

Depends on D7638

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7639
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is in preparation for allowing code reuse by xonly tweak add functions

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@176bfb1

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7640
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@910d9c2

Depends on D7639

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7641
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is in preparation for allowing code reuse by keypair functions

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@f001034

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7642
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@5825446

Depends on D7641

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7643
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@6fcb5b8

Depends on D7643

Test Plan:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7644
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This will be used by the schnorrsig module
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@eabd9bc

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7645
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@7a703fd

Test Plan:
  ninja check-secp256k1

With missing extrakeys:
    cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On

Check that we get an error.

And with the module:
  cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7646
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@7332d2d

Depends on D7646

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7647
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@4e43520

Depends on D7647

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7648
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@8dfd53e

Depends on D7648

Test Plan:
  ninja bench-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7649
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@16ffa9d

Depends on D7649

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7650
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this issue Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]] : bitcoin-core/secp256k1@f431b3f

Depends on D7650

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7651
UdjinM6 pushed a commit to UdjinM6/dash that referenced this issue Aug 10, 2021
b9c1a76 Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad (Pieter Wuille)

Pull request description:

  This updates our src/secp256k1 subtree to the latest libsecp256k1 upstream version.

  As it adds BIP340 support (see bitcoin-core/secp256k1#558), this is a prerequisite for bitcoin#17977. In particular, it contains:
  * A few generic library improvements
  * Support for x-only public keys as used by BIP340.
  * Support for "key pair" objects, making signing more efficient by using a precomputed public key.
  * Signing support for BIP340 Schnorr (single-party) signatures.
  * Verification support for BIP340 Schnorr signatures.
  * Support for verifying tweaked x-only keys, as used by BIP341's Taproot construction.

  Things that are not included:
  * MuSig, nor any kind of multisignatures, threshold signatures, ... on top.
  * Batch verification.
  * Support for variable-length messages in BIP340 (which are still being discussed, but won't affect BIP341, or Bitcoin Core).
  * A few more generic improvements that are still in the pipeline, including faster modular inversions.

ACKs for top commit:
  instagibbs:
    ACK 894fb33
  fanquake:
    ACK 894fb33. Any Valgrind concerns will be addressed upstream, see discussion in bitcoin-core/secp256k1#813, and if necessary, can be pulled into our tree prior to the 0.21.0 branch off. They are not a blocker for merging this PR in its current state.
  benthecarman:
    ACK `894fb33`

Tree-SHA512: 6dc992f4477069b7fbd223316f1be955750923be1479c38adad2312649fdca1f316edb375c42ef9d97cea2407caaef49fb8c93abd6c037fe1a522910cbbc2479
5tefan pushed a commit to 5tefan/dash that referenced this issue Aug 12, 2021