
Add schnorrsig module which implements BIP-schnorr compliant signatures #558

Open
wants to merge 22 commits into base: master from jonasnick:schnorrsig

Conversation

jonasnick (Contributor) commented Sep 25, 2018

This PR implements signing, verification and batch verification as described in BIP-Schnorr (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) in an experimental module schnorrsig. It includes the test vectors and a benchmarking tool and also adds ChaCha20 as a CSPRNG for batch verification.

In order to enable the module run ./configure with --enable-experimental --enable-module-schnorrsig.

Based on @apoelstra's work.

jonasnick force-pushed the jonasnick:schnorrsig branch 2 times, most recently from 220012e to 547ad32 Sep 25, 2018

jonasnick (Contributor, Author) commented Sep 25, 2018

Replaced the chacha20 commit with a similar commit from secp256k1-zkp (ElementsProject/secp256k1-zkp@c3794f9).

apoelstra (Member) commented Sep 26, 2018

ACK except nit about sha object, bikeshedding about the module name, and also I did not check that the static test vectors match those in the BIP.

gmaxwell (Contributor) commented Sep 30, 2018

Maybe we should consider adopting an anti-covert-channel warden workflow as the standard interface for this function?

jimpo left a comment

Nice! Such hype.

I skipped the tests, hoping to get back around to them.

Review comments left on src/bench_schnorrsig.c, include/secp256k1_schnorrsig.h and src/modules/schnorrsig/main_impl.h (all resolved).

apoelstra (Member) commented Oct 1, 2018

@gmaxwell By anti-covert channel do you mean essentially sign-to-contracting random data? I would like this. One thing blocking it is that our nonce function does not take a secp context currently, which makes sign-to-contract unergonomic -- see in sighacker how the sign-to-contract context needs to contain a pointer to the secp context.

I think we should fix that but it should probably be in another PR.

jonasnick (Contributor, Author) commented Oct 2, 2018

Thanks @jimpo. I added a commit that addresses your comments.

sken77 commented Oct 8, 2018

How does this relate to #212?

apoelstra (Member) commented Oct 9, 2018

#212 is not secure against rogue-key attacks nor does it commit to the public key being signed for.

jonasnick (Contributor, Author) commented Oct 9, 2018

and #212 was removed in #425

real-or-random (Contributor) commented Oct 12, 2018

Oh I was not aware of this PR.
FYI, I suggested that a CSPRNG is not enough for batch validation and we need a hash function to generate the seed (https://github.com/sipa/bips/pull/15/files) but now I see that this PR is doing that anyway. :)

Review comments left on src/modules/schnorrsig/main_impl.h, .gitignore and include/secp256k1_schnorrsig.h (all resolved).

jonasnick (Contributor, Author) commented Oct 15, 2018

@real-or-random Thanks for the review. I added a commit to address your comments.

jonasnick force-pushed the jonasnick:schnorrsig branch from 7d8391d to 8193edd Oct 16, 2018

jonasnick (Contributor, Author) commented Oct 24, 2018

Added a test to increase the coverage of schnorrsig_sign. Now coverage in the schnorrsig module is 100% when excluding the lines that can't be hit. See https://htmlpreview.github.io/?https://raw.githubusercontent.com/jonasnick/secp256k1/schnorrsig-stats/coverage.src_modules_schnorrsig_main_impl.h.html

jonasnick (Contributor, Author) commented Nov 1, 2018

squashed and rebased on master

Review comments left on src/tests.c, src/scalar_8x32_impl.h and include/secp256k1_schnorrsig.h (all resolved).

jonasnick (Contributor, Author) commented Nov 8, 2018

Added commit that will switch to little endian format when interpreting chacha20 output, replace chacha20 tests with test vectors from the RFC, add sipa's chacha20 test.

jonasnick mentioned this pull request Dec 22, 2018

jonasnick (Contributor, Author) commented Feb 4, 2020

I pushed a few commits to experiment with bringing this PR in sync with the proposed changes to bip-schnorr: switching from squareness to evenness as tie breaker, new challenge and nonce hash tags, new nonce function that takes pubkeys as argument.

It was mentioned that with the evenness tiebreaker we could maybe remove the xonly_pubkey altogether. I created https://gist.github.com/jonasnick/a122acd8395ac4c6ae7b648450f5ec07 with three different versions of the taproot test (from schnorrsig/tests_impl.h):

  1. Current version
  2. xonly_pubkey_create is removed but the xonly_pubkey type still exists as arguments to schnorrsig_verify and secp256k1_xonly_pubkey_tweak_test. Output of secp256k1_xonly_pubkey_tweak_add is a normal pubkey
  3. There's no xonly_pubkey anymore. schnorrsig_verify and xonly_pubkey_tweak_test return 0 if they get a pubkey with an uneven Y.

With 3 you can't simply use schnorrsig_verify with your normal pubkey because it will (or should) fail if called with an odd Y pubkey.
You'll need to call a convert function (or do a serialization roundtrip with the XONLY flag). Therefore, I think it's better to keep the xonly_pubkey type in the schnorrsig_verify() arguments.

The current situation (1) isn't too bad actually. 2 has the advantage of getting rid of the is_negated variable, which seems more redundant now that evenness is used as a tie breaker. But it will reappear in the form of conversion functions unless we want people to mess with the compressed pubkey format to make use of the evenness information in the taproot control block bit. This is how I originally proposed doing this, but it was viewed as too complicated.
In light of 2 (or 3), it would also make sense to rename is_negated in taproot_tweak_pubkey in bip-taproot (https://github.com/sipa/bips/blob/bip-taproot/bip-0341.mediawiki) to is_even_y.
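
To make the x-only key and evenness discussion above concrete, here is an added pure-Python example; it is not code from this PR or from libsecp256k1. It implements BIP-340-style signing, single verification and batch verification over secp256k1, with x-only public keys and the even-Y tiebreaker described in the comment, and it derives the batch coefficients from a hash of all inputs, as the batch-seed discussion earlier in the thread describes. Assumptions: the tag strings are those of the published BIP-340 (this PR tracked an earlier draft of bip-schnorr), SHA-256 in counter mode stands in for the PR's ChaCha20 CSPRNG, and the keys and messages in `demo()` are constructed here.

```python
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and y1 != y2:
        return None  # Q + (-Q)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def tagged_hash(tag, msg):
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def lift_x(x):
    """Decode an x-only key: the point with this x and EVEN y, or None if x is off-curve."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root when one exists
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def xonly_pubkey(d):
    """Even-Y tiebreaker: negate d if d*G has odd y. Returns (adjusted d, 32-byte x-only key)."""
    pt = point_mul(d, G)
    if pt[1] % 2 != 0:
        d = N - d
    return d, pt[0].to_bytes(32, "big")

def sign(d, msg, aux):
    """BIP-340 signing: 32-byte msg, 32-byte auxiliary randomness -> 64-byte signature."""
    d, pk = xonly_pubkey(d)
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + pk + msg), "big") % N
    assert k != 0
    R = point_mul(k, G)
    if R[1] % 2 != 0:  # the nonce point gets the same even-Y tiebreaker
        k = N - k
    r = R[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", r + pk + msg), "big") % N
    return r + ((k + e * d) % N).to_bytes(32, "big")

def verify(pk, msg, sig):
    """Single verification: s*G - e*P must be a point with even y and x == r."""
    pt = lift_x(int.from_bytes(pk, "big"))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = point_add(point_mul(s, G), point_mul(N - e, pt))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def batch_verify(items):
    """Check sum(a_i*s_i)*G == sum(a_i*(R_i + e_i*P_i)) over (pk, msg, sig) triples.
    a_1 = 1; later a_i are derived by hashing all inputs (SHA-256 counter mode stands
    in for the PR's ChaCha20 CSPRNG here, a simplification)."""
    seed = hashlib.sha256(b"".join(pk + msg + sig for pk, msg, sig in items)).digest()
    lhs, rhs = 0, None
    for i, (pk, msg, sig) in enumerate(items):
        pt = lift_x(int.from_bytes(pk, "big"))
        R = lift_x(int.from_bytes(sig[:32], "big"))
        s = int.from_bytes(sig[32:], "big")
        if pt is None or R is None or s >= N:
            return False
        a = 1 if i == 0 else int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest(), "big") % N
        e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
        lhs = (lhs + a * s) % N
        rhs = point_add(rhs, point_add(point_mul(a, R), point_mul(a * e % N, pt)))
    return point_mul(lhs, G) == rhs

def demo():
    """Constructed demo: sign two messages under fresh keys, verify singly and as a batch,
    then confirm a batch containing one tampered message is rejected."""
    items = []
    for m in (b"hello", b"world"):
        d = secrets.randbelow(N - 1) + 1
        _, pk = xonly_pubkey(d)
        msg = hashlib.sha256(m).digest()
        items.append((pk, msg, sign(d, msg, secrets.token_bytes(32))))
    singles_ok = all(verify(pk, msg, sig) for pk, msg, sig in items)
    batch_ok = batch_verify(items)
    pk0, _, sig0 = items[0]
    tampered_ok = batch_verify([(pk0, b"\x00" * 32, sig0)] + items[1:])
    return singles_ok, batch_ok, tampered_ok  # -> (True, True, False)
```

Note how both sides agree on the tiebreaker without any `is_negated` flag: the signer negates `d` and `k` whenever the corresponding point has odd y, and the verifier's `lift_x` always reconstructs the even-y point, which is exactly what makes a 32-byte x-only key sufficient as the `schnorrsig_verify` argument.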

jonasnick force-pushed the jonasnick:schnorrsig branch from f86442b to 90b5915 Feb 12, 2020

jonasnick (Contributor, Author) commented Feb 12, 2020

Had to rebase because of a conflict in .travis.yml, and travis failing due to a 404 when fetching java dependencies (hehe).

jonasnick force-pushed the jonasnick:schnorrsig branch from 90b5915 to 23c3b00 Feb 12, 2020