CIP-0049? | ECDSA and Schnorr signatures in Plutus Core #250
Conversation
KtorZ
changed the title
There was a problem hiding this comment.
This looks good. I would, however, give a little more information on how the builtins work. I suggested that we add some further details on the serialisation format. I think it would also be useful to provide some detail on how the verification works. For Schnorr, it is sufficient to say that we are compatible with BIP340, and for ECDSA I would put somewhere more explicit that the function takes as input the hash of the message. It is important to insist that the verifier must hash the 'claimed' message before verification, and not accept the hash directly from the signer (maybe point to this explanation of why?)
CIP-0043/README.md
Outdated
| provides us with improved interoperability with systems based on Bitcoin, but | ||
| also compatibility with other interoperability systems, such as Wanchain and | ||
| Renbridge, which use SECP256k1 signatures for verification. | ||
|
|
There was a problem hiding this comment.
| Moreover, introducing Schnorr signature verification would enable verification of Schnorr compatible multi/threshold signatures such as [MuSig2](https://eprint.iacr.org/2020/1261.pdf) or [Frost](https://eprint.iacr.org/2020/852) among others. |
CIP-0043/README.md
Outdated
| * A verification function for ECDSA signatures using the SECP256k1 curve; and | ||
| * A verification function for Schnorr signatures using the SECP256k1 curve. | ||
|
|
||
| These would be based on `libsecp256k1`, a reference implementation of both kinds |
There was a problem hiding this comment.
| These would be based on `libsecp256k1`, a reference implementation of both kinds | |
| These would be based on `[bitcoin-core/libsecp256k1](https://github.com/bitcoin-core/secp256k1)`, a reference implementation of both kinds |
CIP-0043/README.md
Outdated
|
|
||
| More specifically, Plutus would gain the following primitive operations: | ||
|
|
||
| * ```verifyEcdsaSecp256k1Signature :: BuiltinByteString -> BuiltinByteString -> |
There was a problem hiding this comment.
This doesn't parse nicely. I believe we only need one `
| * ```verifyEcdsaSecp256k1Signature :: BuiltinByteString -> BuiltinByteString -> | |
| * `verifyEcdsaSecp256k1Signature :: BuiltinByteString -> BuiltinByteString -> |
CIP-0043/README.md
Outdated
| More specifically, Plutus would gain the following primitive operations: | ||
|
|
||
| * ```verifyEcdsaSecp256k1Signature :: BuiltinByteString -> BuiltinByteString -> | ||
| BuiltinByteString -> BuiltinBool```, for verifying 32-byte message hashes signed |
There was a problem hiding this comment.
| BuiltinByteString -> BuiltinBool```, for verifying 32-byte message hashes signed | |
| BuiltinByteString -> BuiltinBool`, for verifying 32-byte message hashes signed |
CIP-0043/README.md
Outdated
| BuiltinByteString -> BuiltinBool```, for verifying 32-byte message hashes signed | ||
| using the ECDSA signature scheme on the SECP256k1 curve; and | ||
| * ```verifySchnorrSecp256k1Signature :: BuiltinByteString -> BuiltinByteString | ||
| -> BuiltinByteString -> BuiltinBool```, for verifying arbitrary binary messages |
CIP-0043/README.md
Outdated
| correspond to the result produced by | ||
| [``secp256k1_xonly_pubkey_serialize``](https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1_extrakeys.h#L61). | ||
| * The message can be of any length, and can contain any bytes in any position. | ||
| * The signature must be 64 bytes. |
There was a problem hiding this comment.
| * The signature must be 64 bytes. | |
| * The signature must be 64 bytes. Again this follows the bip340 standard, and the 64 bytes correspond to: | |
| * 32 bytes for the big-endian representation of the `x` coordinate of `R`, and | |
| * 32 bytes for the big-endian representation of `s` |
CIP-0043/README.md
Outdated
|
|
||
| We consider the implementation trustworthy: `libsecp256k1` is the reference | ||
| implementation for both signature schemes, and is already being used in | ||
| production by Bitcoin. |
There was a problem hiding this comment.
is it the reference implementation for both signature schemes over secp256k1? And regarding being used in production by bitcoin, I think it is of interest to say that both primitives have been used in bitcoin. ECDSA before taproot and Schnorr BIP340 after that.
There was a problem hiding this comment.
I am fairly sure that it is the reference implementation for both. I agree about the history of use notes, will add those.
CIP-0043/README.md
Outdated
|
|
||
| * It requires 'rolling your own crypto', rather than re-using existing | ||
| implementations. This has been shown historically to be a bad idea; | ||
| furthermore, if existing implementations have undergone review and audit, and |
There was a problem hiding this comment.
| furthermore, if existing implementations have undergone review and audit, and | |
| furthermore, if existing implementations have undergone review and audit, |
CIP-0042/README.md
Outdated
| @@ -1,4 +1,3 @@ | |||
| --- | |||
CIP-0043/README.md
Outdated
| @@ -0,0 +1,153 @@ | |||
| CIP: ?0043 | |||
There was a problem hiding this comment.
I think you are missing the --- before the first line for this to parse correctly.
There was a problem hiding this comment.
Indeed I am! This is because of a dirty merge.
There was a problem hiding this comment.
Please, rename the supporting folder and change the CIP number to 49 (without leading-zeros, otherwise Github markdown renderer has the brilliant idea to interpret those numbers in octal base 😬 ).
CIP-0043/README.md
Outdated
|
|
||
| * The verification key must correspond to the _(x, y)_ coordinates of a point |
There was a problem hiding this comment.
This bullet point and the next one might confuse the reader, as we say that a verification key "must correspond" to two different format. I would differentiate this bullet point with the next one using phrasing as follows:
* A verification key corresponds to the _(x, y)_ coordinates of a point in the SECP256k1 curve,
where _x, y_ are unsigned integers in big-endian form.
* The serialised (compressed) verification key format accepted by the builtins must correspond [...]
CIP-0043/README.md
Outdated
| * The input to verify must be a 32-byte hash of the message to be checked. We | ||
| assume that the caller of `verifyEcdsaSecp256k1Signature` receives the | ||
| message and hashes it, rather than accepting a hash directly: doing so | ||
| [can be dangerous](https://bitcoin.stackexchange.com/a/81116/35586). | ||
| Typically, the hashing function used would be SHA256; however, this is not | ||
| required, as only the length is checked. | ||
| * The signature must correspond to two unsigned integers in big-endian form; |
There was a problem hiding this comment.
Same as above. In this case it is a bit less confusing as both formats match, but maybe I would again rephrase in that the first bullet point is what the signature is, and the second is the compressed format accepted by the builtins.
CIP-0043/README.md
Outdated
| * The verification key must follow the | ||
| [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki) | ||
| standard for encoding, as emboded by the [``secp256k1_xonly_pubkey_serialize``](https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1_extrakeys.h#L61). | ||
| * The verification key must correspond to the _(x, y)_ coordinates of a point |
There was a problem hiding this comment.
The same as above. Probably similar phrasing to that of the ECDSA verification keys would be good.
CIP-0043/README.md
Outdated
| For the [ECDSA signature | ||
| scheme](https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm), | ||
| the requirements are as follows. Note that these differ from the serialization | ||
| used by Bitcoin. |
There was a problem hiding this comment.
Note that these differ from the serialization used by Bitcoin
Why is that? May we justify this choice under the Rationale section?
CIP-0043/README.md
Outdated
| This implies all of the following: | ||
| * The signature is 64 bytes long. | ||
| * The first 32 bytes are the bytes of _r_. | ||
| * The last 32 bytes are the bytes of _s_. |
There was a problem hiding this comment.
Suggestion: some visual support to summarize the few points above.
┏━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━┓
┃ r <32 bytes> │ s <32 bytes> ┃
┗━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━┛
<--------- signature ---------->
CIP-0043/README.md
Outdated
| workflow involving interoperability services like Wanchain and Renbridge. An | ||
| example of such a workflow would be: given some Cardano assets, their Bitcoin | ||
| equivalent could be minted, but only if the correct Schnorr signature can be | ||
| provided. |
There was a problem hiding this comment.
This paragraph seems redundant with the Motivation section.
CIP-0043/README.md
Outdated
| Plutus](https://github.com/input-output-hk/plutus/pull/4368). Tests of the | ||
| functionality have also been included, although costing is currently | ||
| outstanding, as it cannot be done by MLabs due to limitations in how costing is | ||
| calculated. Costing will instead be done by the Plutus Core team. |
There was a problem hiding this comment.
👍 cc @michaelpj, I assume you are aware of this.
CIP-0042/README.md
Outdated
| @@ -1,4 +1,3 @@ | |||
| --- | |||
CIP-0043/README.md
Outdated
| @@ -0,0 +1,153 @@ | |||
| CIP: ?0043 | |||
There was a problem hiding this comment.
Please, rename the supporting folder and change the CIP number to 49 (without leading-zeros, otherwise Github markdown renderer has the brilliant idea to interpret those numbers in octal base 😬 ).
|
@kozross this was on the CIP Editors' Meeting agenda today where it was suggested this proposal is being discussed, audited, or somehow moving forward in other channels. If so, could you please update the status here so editors know how to move forward with this (or what we are waiting for)? Also can you please renumber the CIP and its directory name as requested here (#250 (comment)), so that we can merge this proposal when it becomes ready? |
|
@iquerejeta apologies for the distracting references above (from someone else's CIP using your earlier assigned # 49). We've put this on the agenda as "Last Check" for CIP meeting # 56 (theme: "Plutus core changes") (invite) (2022-10-25 at 08:30 UTC). It would be great if you and/or @kozross could be there: in any case it seems to me (@KtorZ?) like this will be merged unless there are any objections at the meeting. |
|
Great, I'll try to be there! 👍 |
This CIP describes the (recently merged) support for ECDSA and Schnorr signatures over the SECP256k1 curve. I've tried to include all the detail I can - any fields I am not sure about, I have left blank.
@michaelpj - does this seem like what you were looking for?