[Schnorr API BREAK] Improve Schnorr multisigning API + fix vulnerability

[sipa]

This reworks the Schnorr multisigning API to 4 self-contained functions:

• secp256k1_multischnorr_stage1 computes public nonces
• secp256k1_multischnorr_stage2 computes partial signatures using those public nonces
• secp256k1_multischnorr_combine_sigs combines stage2 sigs into a full signature
• secp256k1_multischnorr_combine_keys combines signers' public keys into a combined public key.

This changes the combined public key to be A*H(A) + B*H(B) + C*H(C) + ..., in an attempt to prevent a pubkey cancellation vulnerability.

The documentation is also moved out to a separate schnorr.md document.

[sipa]

Rebased, and added several guarantee-zeroed-output cases. Ping @gmaxwell

[apoelstra]

I think you should be more explicit: "Different participants may use different nonce generating functions and data, as long as they are each consistent between stage 1 and stage 2."

Up to you.

Edit Oh, you say this in the first sentence. So I think replace "You" with "Each participant" and "Other" with "Different" then.

[sipa]

Fixed. Used your language.

[sipa]

Addressed nits.

[apoelstra]

Hi, sorry for the delays, this fell off my radar. Will review today while in flight.

[sipa]

@apoelstra Subtle ping

[fanatid]

@sipa can you explain Verification (method 1)?

x - private key, k - private nonce
m - 32 byte message, Q - public key, signature pair - (R.x, s)

signing:
R = G^k
e = SHA256(R.x || m)
s = k - e * x
signature is (R.x, s)

verify:
e = SHA256(R.x || m)
R' = Q^e + G^s = G^(x * e) + G^(k - e * x) = ???

How G^(x * e) + G^(k - e * x) can be equal to R = G^k?
if instead + will be * all be ok:

R' = G^(x * e) * G^(k - e * x) = G^(x * e + k - e * x) = G^k

[sipa]

@fanatid I think you're confusing additive notation with multiplicative notation.

We call the EC group operation +, and its repeated application a number of times *, so when a + b = c, then c*G = (a+b)*G = a*G + b*G

[fanatid]

@sipa thank you! I really forgot that EC multiplication is repeated addition.

[fanatid]

(R_all.x, s_all) ?

[sipa]

Going to do this differently.

[prusnak]

Going to do this differently.

Is there a source where I can learn how this is being done today?

Also not sure if helpful, but I found a working two-stage cosigning implementation for ed25519 in Go:

• https://godoc.org/github.com/bford/golang-x-crypto/ed25519/cosi
• https://github.com/bford/golang-x-crypto/tree/master/ed25519/cosi

[sipa]

@prusnak In review we discovered the AH(A) + BH(B) + ... scheme was vulnerable to a generalized birthday attack. We have a new scheme, but no strong proof for security yet. I didn't know about CoSi - I'll have a look at it.

[ysangkok]

@prusnak more details here: https://github.com/kanzure/diyhpluswiki/blob/master/transcripts/bitcoin-core-dev-tech/2017-09-06-signature-aggregation.mdwn

[businessintegrator]

What about collision period of the H function?