Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ #590
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| * Returns 1 on success, 0 on failure. | ||
| * Args: ctx: pointer to a context object (cannot be NULL) | ||
| * Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL) | ||
| * In: rand32: the 32-byte randomness to commit to (cannot be NULL) |
There was a problem hiding this comment.
Maybe it's even better to make this function responsible for calling secp256k1_rand256 to avoid that the user screws up when producing randomness.
(But then the user can't use his fancy hardware RNG... If we want to support that, then maybe there could also a callback to a randomness function, and if it's NULL, then just call lsecp256k1_rand256. But in general, I don't like the idea of the user providing randomness, unless really necessary.)
benma
reviewed
Jun 11, 2019
include/secp256k1_schnorrsig.h
Outdated
| * 2. The client commits to its sign-to-contract original nonce (which is the nonce without the | ||
| * sign-to-contract tweak) using the hosts commitment by calling the | ||
| * `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit` function. The client sends the | ||
| * rusulting commitment to the host |
benma
reviewed
Jun 11, 2019
benma
reviewed
Jun 16, 2019
jonasnick
changed the title
…ning, verification and batch verification. [0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
…eaks of public keys. The functionality is not exposed.
|
This thing needs a better name. Covert channel is a much better term for this than side channel. If no one comes up with something better I'll go on with |
jonasnick
force-pushed
the
schnorrsig-s2c-only-new-ans
branch
from
ae5fb7f
to
ed4add7
Compare
|
Rebased |
benma
reviewed
Jul 18, 2019
elichai
reviewed
Jul 28, 2019
| /* Return commitment == commitment_tmp */ | ||
| secp256k1_gej_set_infinity(&pj); | ||
| secp256k1_pubkey_load(ctx, &p, &commitment_tmp); | ||
| secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL); |
There was a problem hiding this comment.
You can use secp256k1_gej_set_ge() instead of setting to infinity and adding
Merged
real-or-random
added a commit
that referenced
this pull request
Jul 3, 2021
5f6ceaf schnorrsig: allow setting MSGLEN != 32 in benchmark (Jonas Nick) fdd06b7 schnorrsig: add tests for sign_custom and varlen msg verification (Jonas Nick) d8d806a schnorrsig: add extra parameter struct for sign_custom (Jonas Nick) a0c3fc1 schnorrsig: allow signing and verification of variable length msgs (Jonas Nick) 5a8e499 Add secp256k1_tagged_sha256 as defined in BIP-340 (Jonas Nick) b6c0b72 schnorrsig: remove noncefp args from sign; add sign_custom function (Jonas Nick) 442cee5 schnorrsig: add algolen argument to nonce_function_hardened (Jonas Nick) df3bfa1 schnorrsig: clarify result of calling nonce_function_bip340 without data (Jonas Nick) 99e8614 README: mention schnorrsig module (Jonas Nick) Pull request description: This is a work in progress because I wanted to put this up for discussion before writing tests. It addresses the TODOs that didn't make it in the schnorrsig PR and changes the APIs of `schnorrsig_sign`, `schnorrsig_verify` and `hardened_nonce_function`. - Ideally, the new `aux_rand32` argument for `sign` would be const, but didn't find a solution I was happy with. - Support for variable length message signing and verification supports the [suggested BIP amendment](sipa/bips#207 (comment)) for such messages. - ~~`sign_custom` with its opaque config object allows adding more arguments later without having to change the API again. Perhaps there are other sensible customization options, but I'm thinking of [sign-to-contract/covert-channel](#590) in particular. It would require adding the fields `unsigned char *s2c_data32` and `secp256k1_s2c_opening *s2c_opening` to the config struct. The former is the data to commit to and the latter is written to by `sign_custom`.~~ (EDIT: see below) ACKs for top commit: ariard: utACK 5f6ceaf LLFourn: utACK 5f6ceaf Tree-SHA512: cf1716dddf4f29bcacf542ed22622a817d0ec9c20d0592333cb7e6105902c77d819952e776b9407fae1333cbd03d63fded492d3a5df7769dcc5b450d91bb4761
|
Closing this PR since it's based on a closed sign-to-contract PR. Another attempt at adding an anti-nonce-sidechannel should have a close look at the same protocol for ECDSA in secp256k1-zkp which was inspired by this PR (https://github.com/ElementsProject/secp256k1-zkp/blob/master/include/secp256k1_ecdsa_s2c.h). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an alternative to #572based on #589 (EDIT: this seems to be generally preferred now). It's a demonstration that the anti nonce-sidechannel protocol can be build just as well on #589 as on #588.