github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/modules/musig/session_impl.h (about) 1 /*********************************************************************** 2 * Distributed under the MIT software license, see the accompanying * 3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 4 ***********************************************************************/ 5 6 #ifndef SECP256K1_MODULE_MUSIG_SESSION_IMPL_H 7 #define SECP256K1_MODULE_MUSIG_SESSION_IMPL_H 8 9 #include <string.h> 10 11 #include "../../../include/secp256k1.h" 12 #include "../../../include/secp256k1_extrakeys.h" 13 #include "../../../include/secp256k1_musig.h" 14 15 #include "keyagg.h" 16 #include "session.h" 17 #include "../../eckey.h" 18 #include "../../hash.h" 19 #include "../../scalar.h" 20 #include "../../util.h" 21 22 /* Outputs 33 zero bytes if the given group element is the point at infinity and 23 * otherwise outputs the compressed serialization */ 24 static void secp256k1_musig_ge_serialize_ext(unsigned char *out33, secp256k1_ge* ge) { 25 if (secp256k1_ge_is_infinity(ge)) { 26 memset(out33, 0, 33); 27 } else { 28 int ret; 29 size_t size = 33; 30 ret = secp256k1_eckey_pubkey_serialize(ge, out33, &size, 1); 31 #ifdef VERIFY 32 /* Serialize must succeed because the point is not at infinity */ 33 VERIFY_CHECK(ret && size == 33); 34 #else 35 (void) ret; 36 #endif 37 } 38 } 39 40 /* Outputs the point at infinity if the given byte array is all zero, otherwise 41 * attempts to parse compressed point serialization. */ 42 static int secp256k1_musig_ge_parse_ext(secp256k1_ge* ge, const unsigned char *in33) { 43 unsigned char zeros[33] = { 0 }; 44 45 if (secp256k1_memcmp_var(in33, zeros, sizeof(zeros)) == 0) { 46 secp256k1_ge_set_infinity(ge); 47 return 1; 48 } 49 if (!secp256k1_eckey_pubkey_parse(ge, in33, 33)) { 50 return 0; 51 } 52 return secp256k1_ge_is_in_correct_subgroup(ge); 53 } 54 55 static const unsigned char secp256k1_musig_secnonce_magic[4] = { 0x22, 0x0e, 0xdc, 0xf1 }; 56 57 static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk) { 58 memcpy(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4); 59 secp256k1_scalar_get_b32(&secnonce->data[4], &k[0]); 60 secp256k1_scalar_get_b32(&secnonce->data[36], &k[1]); 61 secp256k1_ge_to_bytes(&secnonce->data[68], pk); 62 } 63 64 static int secp256k1_musig_secnonce_load(const secp256k1_context* ctx, secp256k1_scalar *k, secp256k1_ge *pk, const secp256k1_musig_secnonce *secnonce) { 65 int is_zero; 66 ARG_CHECK(secp256k1_memcmp_var(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4) == 0); 67 /* We make very sure that the nonce isn't invalidated by checking the values 68 * in addition to the magic. */ 69 is_zero = secp256k1_is_zero_array(&secnonce->data[4], 2 * 32); 70 secp256k1_declassify(ctx, &is_zero, sizeof(is_zero)); 71 ARG_CHECK(!is_zero); 72 73 secp256k1_scalar_set_b32(&k[0], &secnonce->data[4], NULL); 74 secp256k1_scalar_set_b32(&k[1], &secnonce->data[36], NULL); 75 secp256k1_ge_from_bytes(pk, &secnonce->data[68]); 76 return 1; 77 } 78 79 /* If flag is true, invalidate the secnonce; otherwise leave it. Constant-time. */ 80 static void secp256k1_musig_secnonce_invalidate(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, int flag) { 81 secp256k1_memczero(secnonce->data, sizeof(secnonce->data), flag); 82 /* The flag argument is usually classified. So, the line above makes the 83 * magic and public key classified. However, we need both to be 84 * declassified. Note that we don't declassify the entire object, because if 85 * flag is 0, then k[0] and k[1] have not been zeroed. */ 86 secp256k1_declassify(ctx, secnonce->data, sizeof(secp256k1_musig_secnonce_magic)); 87 secp256k1_declassify(ctx, &secnonce->data[68], 64); 88 } 89 90 static const unsigned char secp256k1_musig_pubnonce_magic[4] = { 0xf5, 0x7a, 0x3d, 0xa0 }; 91 92 /* Saves two group elements into a pubnonce. Requires that none of the provided 93 * group elements is infinity. */ 94 static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce* nonce, const secp256k1_ge* ges) { 95 int i; 96 memcpy(&nonce->data[0], secp256k1_musig_pubnonce_magic, 4); 97 for (i = 0; i < 2; i++) { 98 secp256k1_ge_to_bytes(nonce->data + 4+64*i, &ges[i]); 99 } 100 } 101 102 /* Loads two group elements from a pubnonce. Returns 1 unless the nonce wasn't 103 * properly initialized */ 104 static int secp256k1_musig_pubnonce_load(const secp256k1_context* ctx, secp256k1_ge* ges, const secp256k1_musig_pubnonce* nonce) { 105 int i; 106 107 ARG_CHECK(secp256k1_memcmp_var(&nonce->data[0], secp256k1_musig_pubnonce_magic, 4) == 0); 108 for (i = 0; i < 2; i++) { 109 secp256k1_ge_from_bytes(&ges[i], nonce->data + 4 + 64*i); 110 } 111 return 1; 112 } 113 114 static const unsigned char secp256k1_musig_aggnonce_magic[4] = { 0xa8, 0xb7, 0xe4, 0x67 }; 115 116 static void secp256k1_musig_aggnonce_save(secp256k1_musig_aggnonce* nonce, const secp256k1_ge* ges) { 117 int i; 118 memcpy(&nonce->data[0], secp256k1_musig_aggnonce_magic, 4); 119 for (i = 0; i < 2; i++) { 120 secp256k1_ge_to_bytes_ext(&nonce->data[4 + 64*i], &ges[i]); 121 } 122 } 123 124 static int secp256k1_musig_aggnonce_load(const secp256k1_context* ctx, secp256k1_ge* ges, const secp256k1_musig_aggnonce* nonce) { 125 int i; 126 127 ARG_CHECK(secp256k1_memcmp_var(&nonce->data[0], secp256k1_musig_aggnonce_magic, 4) == 0); 128 for (i = 0; i < 2; i++) { 129 secp256k1_ge_from_bytes_ext(&ges[i], &nonce->data[4 + 64*i]); 130 } 131 return 1; 132 } 133 134 static const unsigned char secp256k1_musig_session_cache_magic[4] = { 0x9d, 0xed, 0xe9, 0x17 }; 135 136 /* A session consists of 137 * - 4 byte session cache magic 138 * - 1 byte the parity of the final nonce 139 * - 32 byte serialized x-only final nonce 140 * - 32 byte nonce coefficient b 141 * - 32 byte signature challenge hash e 142 * - 32 byte scalar s that is added to the partial signatures of the signers 143 */ 144 static void secp256k1_musig_session_save(secp256k1_musig_session *session, const secp256k1_musig_session_internal *session_i) { 145 unsigned char *ptr = session->data; 146 147 memcpy(ptr, secp256k1_musig_session_cache_magic, 4); 148 ptr += 4; 149 *ptr = session_i->fin_nonce_parity; 150 ptr += 1; 151 memcpy(ptr, session_i->fin_nonce, 32); 152 ptr += 32; 153 secp256k1_scalar_get_b32(ptr, &session_i->noncecoef); 154 ptr += 32; 155 secp256k1_scalar_get_b32(ptr, &session_i->challenge); 156 ptr += 32; 157 secp256k1_scalar_get_b32(ptr, &session_i->s_part); 158 } 159 160 static int secp256k1_musig_session_load(const secp256k1_context* ctx, secp256k1_musig_session_internal *session_i, const secp256k1_musig_session *session) { 161 const unsigned char *ptr = session->data; 162 163 ARG_CHECK(secp256k1_memcmp_var(ptr, secp256k1_musig_session_cache_magic, 4) == 0); 164 ptr += 4; 165 session_i->fin_nonce_parity = *ptr; 166 ptr += 1; 167 memcpy(session_i->fin_nonce, ptr, 32); 168 ptr += 32; 169 secp256k1_scalar_set_b32(&session_i->noncecoef, ptr, NULL); 170 ptr += 32; 171 secp256k1_scalar_set_b32(&session_i->challenge, ptr, NULL); 172 ptr += 32; 173 secp256k1_scalar_set_b32(&session_i->s_part, ptr, NULL); 174 return 1; 175 } 176 177 static const unsigned char secp256k1_musig_partial_sig_magic[4] = { 0xeb, 0xfb, 0x1a, 0x32 }; 178 179 static void secp256k1_musig_partial_sig_save(secp256k1_musig_partial_sig* sig, secp256k1_scalar *s) { 180 memcpy(&sig->data[0], secp256k1_musig_partial_sig_magic, 4); 181 secp256k1_scalar_get_b32(&sig->data[4], s); 182 } 183 184 static int secp256k1_musig_partial_sig_load(const secp256k1_context* ctx, secp256k1_scalar *s, const secp256k1_musig_partial_sig* sig) { 185 int overflow; 186 187 ARG_CHECK(secp256k1_memcmp_var(&sig->data[0], secp256k1_musig_partial_sig_magic, 4) == 0); 188 secp256k1_scalar_set_b32(s, &sig->data[4], &overflow); 189 /* Parsed signatures can not overflow */ 190 VERIFY_CHECK(!overflow); 191 return 1; 192 } 193 194 int secp256k1_musig_pubnonce_parse(const secp256k1_context* ctx, secp256k1_musig_pubnonce* nonce, const unsigned char *in66) { 195 secp256k1_ge ges[2]; 196 int i; 197 198 VERIFY_CHECK(ctx != NULL); 199 ARG_CHECK(nonce != NULL); 200 ARG_CHECK(in66 != NULL); 201 202 for (i = 0; i < 2; i++) { 203 if (!secp256k1_eckey_pubkey_parse(&ges[i], &in66[33*i], 33)) { 204 return 0; 205 } 206 if (!secp256k1_ge_is_in_correct_subgroup(&ges[i])) { 207 return 0; 208 } 209 } 210 secp256k1_musig_pubnonce_save(nonce, ges); 211 return 1; 212 } 213 214 int secp256k1_musig_pubnonce_serialize(const secp256k1_context* ctx, unsigned char *out66, const secp256k1_musig_pubnonce* nonce) { 215 secp256k1_ge ges[2]; 216 int i; 217 218 VERIFY_CHECK(ctx != NULL); 219 ARG_CHECK(out66 != NULL); 220 memset(out66, 0, 66); 221 ARG_CHECK(nonce != NULL); 222 223 if (!secp256k1_musig_pubnonce_load(ctx, ges, nonce)) { 224 return 0; 225 } 226 for (i = 0; i < 2; i++) { 227 int ret; 228 size_t size = 33; 229 ret = secp256k1_eckey_pubkey_serialize(&ges[i], &out66[33*i], &size, 1); 230 #ifdef VERIFY 231 /* serialize must succeed because the point was just loaded */ 232 VERIFY_CHECK(ret && size == 33); 233 #else 234 (void) ret; 235 #endif 236 } 237 return 1; 238 } 239 240 int secp256k1_musig_aggnonce_parse(const secp256k1_context* ctx, secp256k1_musig_aggnonce* nonce, const unsigned char *in66) { 241 secp256k1_ge ges[2]; 242 int i; 243 244 VERIFY_CHECK(ctx != NULL); 245 ARG_CHECK(nonce != NULL); 246 ARG_CHECK(in66 != NULL); 247 248 for (i = 0; i < 2; i++) { 249 if (!secp256k1_musig_ge_parse_ext(&ges[i], &in66[33*i])) { 250 return 0; 251 } 252 } 253 secp256k1_musig_aggnonce_save(nonce, ges); 254 return 1; 255 } 256 257 int secp256k1_musig_aggnonce_serialize(const secp256k1_context* ctx, unsigned char *out66, const secp256k1_musig_aggnonce* nonce) { 258 secp256k1_ge ges[2]; 259 int i; 260 261 VERIFY_CHECK(ctx != NULL); 262 ARG_CHECK(out66 != NULL); 263 memset(out66, 0, 66); 264 ARG_CHECK(nonce != NULL); 265 266 if (!secp256k1_musig_aggnonce_load(ctx, ges, nonce)) { 267 return 0; 268 } 269 for (i = 0; i < 2; i++) { 270 secp256k1_musig_ge_serialize_ext(&out66[33*i], &ges[i]); 271 } 272 return 1; 273 } 274 275 int secp256k1_musig_partial_sig_parse(const secp256k1_context* ctx, secp256k1_musig_partial_sig* sig, const unsigned char *in32) { 276 secp256k1_scalar tmp; 277 int overflow; 278 VERIFY_CHECK(ctx != NULL); 279 ARG_CHECK(sig != NULL); 280 ARG_CHECK(in32 != NULL); 281 282 /* Ensure that using the signature will fail if parsing fails (and the user 283 * doesn't check the return value). */ 284 memset(sig, 0, sizeof(*sig)); 285 286 secp256k1_scalar_set_b32(&tmp, in32, &overflow); 287 if (overflow) { 288 return 0; 289 } 290 secp256k1_musig_partial_sig_save(sig, &tmp); 291 return 1; 292 } 293 294 int secp256k1_musig_partial_sig_serialize(const secp256k1_context* ctx, unsigned char *out32, const secp256k1_musig_partial_sig* sig) { 295 VERIFY_CHECK(ctx != NULL); 296 ARG_CHECK(out32 != NULL); 297 ARG_CHECK(sig != NULL); 298 ARG_CHECK(secp256k1_memcmp_var(&sig->data[0], secp256k1_musig_partial_sig_magic, 4) == 0); 299 300 memcpy(out32, &sig->data[4], 32); 301 return 1; 302 } 303 304 /* Write optional inputs into the hash */ 305 static void secp256k1_nonce_function_musig_helper(secp256k1_sha256 *sha, unsigned int prefix_size, const unsigned char *data, unsigned char len) { 306 unsigned char zero[7] = { 0 }; 307 /* The spec requires length prefixes to be between 1 and 8 bytes 308 * (inclusive) */ 309 VERIFY_CHECK(prefix_size >= 1 && prefix_size <= 8); 310 /* Since the length of all input data fits in a byte, we can always pad the 311 * length prefix with prefix_size - 1 zero bytes. */ 312 secp256k1_sha256_write(sha, zero, prefix_size - 1); 313 if (data != NULL) { 314 secp256k1_sha256_write(sha, &len, 1); 315 secp256k1_sha256_write(sha, data, len); 316 } else { 317 len = 0; 318 secp256k1_sha256_write(sha, &len, 1); 319 } 320 } 321 322 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying 323 * SHA256 to SHA256("MuSig/aux")||SHA256("MuSig/aux"). */ 324 static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha) { 325 secp256k1_sha256_initialize(sha); 326 sha->s[0] = 0xa19e884bul; 327 sha->s[1] = 0xf463fe7eul; 328 sha->s[2] = 0x2f18f9a2ul; 329 sha->s[3] = 0xbeb0f9fful; 330 sha->s[4] = 0x0f37e8b0ul; 331 sha->s[5] = 0x06ebd26ful; 332 sha->s[6] = 0xe3b243d2ul; 333 sha->s[7] = 0x522fb150ul; 334 sha->bytes = 64; 335 } 336 337 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying 338 * SHA256 to SHA256("MuSig/nonce")||SHA256("MuSig/nonce"). */ 339 static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha) { 340 secp256k1_sha256_initialize(sha); 341 sha->s[0] = 0x07101b64ul; 342 sha->s[1] = 0x18003414ul; 343 sha->s[2] = 0x0391bc43ul; 344 sha->s[3] = 0x0e6258eeul; 345 sha->s[4] = 0x29d26b72ul; 346 sha->s[5] = 0x8343937eul; 347 sha->s[6] = 0xb7a0a4fbul; 348 sha->s[7] = 0xff568a30ul; 349 sha->bytes = 64; 350 } 351 352 static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32) { 353 secp256k1_sha256 sha; 354 unsigned char rand[32]; 355 unsigned char i; 356 unsigned char msg_present; 357 358 if (seckey32 != NULL) { 359 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha); 360 secp256k1_sha256_write(&sha, session_secrand, 32); 361 secp256k1_sha256_finalize(&sha, rand); 362 for (i = 0; i < 32; i++) { 363 rand[i] ^= seckey32[i]; 364 } 365 } else { 366 memcpy(rand, session_secrand, sizeof(rand)); 367 } 368 369 secp256k1_nonce_function_musig_sha256_tagged(&sha); 370 secp256k1_sha256_write(&sha, rand, sizeof(rand)); 371 secp256k1_nonce_function_musig_helper(&sha, 1, pk33, 33); 372 secp256k1_nonce_function_musig_helper(&sha, 1, agg_pk32, 32); 373 msg_present = msg32 != NULL; 374 secp256k1_sha256_write(&sha, &msg_present, 1); 375 if (msg_present) { 376 secp256k1_nonce_function_musig_helper(&sha, 8, msg32, 32); 377 } 378 secp256k1_nonce_function_musig_helper(&sha, 4, extra_input32, 32); 379 380 for (i = 0; i < 2; i++) { 381 unsigned char buf[32]; 382 secp256k1_sha256 sha_tmp = sha; 383 secp256k1_sha256_write(&sha_tmp, &i, 1); 384 secp256k1_sha256_finalize(&sha_tmp, buf); 385 secp256k1_scalar_set_b32(&k[i], buf, NULL); 386 387 /* Attempt to erase secret data */ 388 secp256k1_memclear(buf, sizeof(buf)); 389 secp256k1_sha256_clear(&sha_tmp); 390 } 391 secp256k1_memclear(rand, sizeof(rand)); 392 secp256k1_sha256_clear(&sha); 393 } 394 395 static int secp256k1_musig_nonce_gen_internal(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, const unsigned char *input_nonce, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) { 396 secp256k1_scalar k[2]; 397 secp256k1_ge nonce_pts[2]; 398 int i; 399 unsigned char pk_ser[33]; 400 size_t pk_ser_len = sizeof(pk_ser); 401 unsigned char aggpk_ser[32]; 402 unsigned char *aggpk_ser_ptr = NULL; 403 secp256k1_ge pk; 404 int pk_serialize_success; 405 int ret = 1; 406 407 ARG_CHECK(pubnonce != NULL); 408 memset(pubnonce, 0, sizeof(*pubnonce)); 409 ARG_CHECK(pubkey != NULL); 410 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 411 412 /* Check that the seckey is valid to be able to sign for it later. */ 413 if (seckey != NULL) { 414 secp256k1_scalar sk; 415 ret &= secp256k1_scalar_set_b32_seckey(&sk, seckey); 416 secp256k1_scalar_clear(&sk); 417 } 418 419 if (keyagg_cache != NULL) { 420 secp256k1_keyagg_cache_internal cache_i; 421 if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) { 422 return 0; 423 } 424 /* The loaded point cache_i.pk can not be the point at infinity. */ 425 secp256k1_fe_get_b32(aggpk_ser, &cache_i.pk.x); 426 aggpk_ser_ptr = aggpk_ser; 427 } 428 if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) { 429 return 0; 430 } 431 pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, 1); 432 433 #ifdef VERIFY 434 /* A pubkey cannot be the point at infinity */ 435 VERIFY_CHECK(pk_serialize_success); 436 VERIFY_CHECK(pk_ser_len == sizeof(pk_ser)); 437 #else 438 (void) pk_serialize_success; 439 #endif 440 441 secp256k1_nonce_function_musig(k, input_nonce, msg32, seckey, pk_ser, aggpk_ser_ptr, extra_input32); 442 VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[0])); 443 VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[1])); 444 secp256k1_musig_secnonce_save(secnonce, k, &pk); 445 secp256k1_musig_secnonce_invalidate(ctx, secnonce, !ret); 446 447 for (i = 0; i < 2; i++) { 448 secp256k1_gej nonce_ptj; 449 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_ptj, &k[i]); 450 secp256k1_ge_set_gej(&nonce_pts[i], &nonce_ptj); 451 secp256k1_declassify(ctx, &nonce_pts[i], sizeof(nonce_pts[i])); 452 secp256k1_scalar_clear(&k[i]); 453 secp256k1_gej_clear(&nonce_ptj); 454 } 455 /* None of the nonce_pts will be infinity because k != 0 with overwhelming 456 * probability */ 457 secp256k1_musig_pubnonce_save(pubnonce, nonce_pts); 458 return ret; 459 } 460 461 int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) { 462 int ret = 1; 463 464 VERIFY_CHECK(ctx != NULL); 465 ARG_CHECK(secnonce != NULL); 466 memset(secnonce, 0, sizeof(*secnonce)); 467 ARG_CHECK(session_secrand32 != NULL); 468 469 /* Check in constant time that the session_secrand32 is not 0 as a 470 * defense-in-depth measure that may protect against a faulty RNG. */ 471 ret &= !secp256k1_is_zero_array(session_secrand32, 32); 472 473 /* We can declassify because branching on ret is only relevant when this 474 * function called with an invalid session_secrand32 argument */ 475 secp256k1_declassify(ctx, &ret, sizeof(ret)); 476 if (ret == 0) { 477 secp256k1_musig_secnonce_invalidate(ctx, secnonce, 1); 478 return 0; 479 } 480 481 ret &= secp256k1_musig_nonce_gen_internal(ctx, secnonce, pubnonce, session_secrand32, seckey, pubkey, msg32, keyagg_cache, extra_input32); 482 483 /* Set the session_secrand32 buffer to zero to prevent the caller from using 484 * nonce_gen multiple times with the same buffer. */ 485 secp256k1_memczero(session_secrand32, 32, ret); 486 return ret; 487 } 488 489 int secp256k1_musig_nonce_gen_counter(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) { 490 unsigned char buf[32] = { 0 }; 491 unsigned char seckey[32]; 492 secp256k1_pubkey pubkey; 493 int ret; 494 495 VERIFY_CHECK(ctx != NULL); 496 ARG_CHECK(secnonce != NULL); 497 memset(secnonce, 0, sizeof(*secnonce)); 498 ARG_CHECK(keypair != NULL); 499 500 secp256k1_write_be64(buf, nonrepeating_cnt); 501 /* keypair_sec and keypair_pub do not fail if the arguments are not NULL */ 502 ret = secp256k1_keypair_sec(ctx, seckey, keypair); 503 VERIFY_CHECK(ret); 504 ret = secp256k1_keypair_pub(ctx, &pubkey, keypair); 505 VERIFY_CHECK(ret); 506 #ifndef VERIFY 507 (void) ret; 508 #endif 509 510 if (!secp256k1_musig_nonce_gen_internal(ctx, secnonce, pubnonce, buf, seckey, &pubkey, msg32, keyagg_cache, extra_input32)) { 511 return 0; 512 } 513 secp256k1_memclear(seckey, sizeof(seckey)); 514 return 1; 515 } 516 517 static int secp256k1_musig_sum_pubnonces(const secp256k1_context* ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce * const* pubnonces, size_t n_pubnonces) { 518 size_t i; 519 int j; 520 521 secp256k1_gej_set_infinity(&summed_pubnonces[0]); 522 secp256k1_gej_set_infinity(&summed_pubnonces[1]); 523 524 for (i = 0; i < n_pubnonces; i++) { 525 secp256k1_ge nonce_pts[2]; 526 if (!secp256k1_musig_pubnonce_load(ctx, nonce_pts, pubnonces[i])) { 527 return 0; 528 } 529 for (j = 0; j < 2; j++) { 530 secp256k1_gej_add_ge_var(&summed_pubnonces[j], &summed_pubnonces[j], &nonce_pts[j], NULL); 531 } 532 } 533 return 1; 534 } 535 536 int secp256k1_musig_nonce_agg(const secp256k1_context* ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce * const* pubnonces, size_t n_pubnonces) { 537 secp256k1_gej aggnonce_ptsj[2]; 538 secp256k1_ge aggnonce_pts[2]; 539 VERIFY_CHECK(ctx != NULL); 540 ARG_CHECK(aggnonce != NULL); 541 ARG_CHECK(pubnonces != NULL); 542 ARG_CHECK(n_pubnonces > 0); 543 544 if (!secp256k1_musig_sum_pubnonces(ctx, aggnonce_ptsj, pubnonces, n_pubnonces)) { 545 return 0; 546 } 547 secp256k1_ge_set_all_gej_var(aggnonce_pts, aggnonce_ptsj, 2); 548 secp256k1_musig_aggnonce_save(aggnonce, aggnonce_pts); 549 return 1; 550 } 551 552 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying 553 * SHA256 to SHA256("MuSig/noncecoef")||SHA256("MuSig/noncecoef"). */ 554 static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha) { 555 secp256k1_sha256_initialize(sha); 556 sha->s[0] = 0x2c7d5a45ul; 557 sha->s[1] = 0x06bf7e53ul; 558 sha->s[2] = 0x89be68a6ul; 559 sha->s[3] = 0x971254c0ul; 560 sha->s[4] = 0x60ac12d2ul; 561 sha->s[5] = 0x72846dcdul; 562 sha->s[6] = 0x6c81212ful; 563 sha->s[7] = 0xde7a2500ul; 564 sha->bytes = 64; 565 } 566 567 /* tagged_hash(aggnonce[0], aggnonce[1], agg_pk, msg) */ 568 static void secp256k1_musig_compute_noncehash(unsigned char *noncehash, secp256k1_ge *aggnonce, const unsigned char *agg_pk32, const unsigned char *msg) { 569 unsigned char buf[33]; 570 secp256k1_sha256 sha; 571 int i; 572 573 secp256k1_musig_compute_noncehash_sha256_tagged(&sha); 574 for (i = 0; i < 2; i++) { 575 secp256k1_musig_ge_serialize_ext(buf, &aggnonce[i]); 576 secp256k1_sha256_write(&sha, buf, sizeof(buf)); 577 } 578 secp256k1_sha256_write(&sha, agg_pk32, 32); 579 secp256k1_sha256_write(&sha, msg, 32); 580 secp256k1_sha256_finalize(&sha, noncehash); 581 } 582 583 /* out_nonce = nonce_pts[0] + b*nonce_pts[1] */ 584 static void secp256k1_effective_nonce(secp256k1_gej *out_nonce, const secp256k1_ge *nonce_pts, const secp256k1_scalar *b) { 585 secp256k1_gej tmp; 586 587 secp256k1_gej_set_ge(&tmp, &nonce_pts[1]); 588 secp256k1_ecmult(out_nonce, &tmp, b, NULL); 589 secp256k1_gej_add_ge_var(out_nonce, out_nonce, &nonce_pts[0], NULL); 590 } 591 592 static void secp256k1_musig_nonce_process_internal(int *fin_nonce_parity, unsigned char *fin_nonce, secp256k1_scalar *b, secp256k1_ge *aggnonce_pts, const unsigned char *agg_pk32, const unsigned char *msg) { 593 unsigned char noncehash[32]; 594 secp256k1_ge fin_nonce_pt; 595 secp256k1_gej fin_nonce_ptj; 596 597 secp256k1_musig_compute_noncehash(noncehash, aggnonce_pts, agg_pk32, msg); 598 secp256k1_scalar_set_b32(b, noncehash, NULL); 599 /* fin_nonce = aggnonce_pts[0] + b*aggnonce_pts[1] */ 600 secp256k1_effective_nonce(&fin_nonce_ptj, aggnonce_pts, b); 601 secp256k1_ge_set_gej(&fin_nonce_pt, &fin_nonce_ptj); 602 if (secp256k1_ge_is_infinity(&fin_nonce_pt)) { 603 fin_nonce_pt = secp256k1_ge_const_g; 604 } 605 /* fin_nonce_pt is not the point at infinity */ 606 secp256k1_fe_normalize_var(&fin_nonce_pt.x); 607 secp256k1_fe_get_b32(fin_nonce, &fin_nonce_pt.x); 608 secp256k1_fe_normalize_var(&fin_nonce_pt.y); 609 *fin_nonce_parity = secp256k1_fe_is_odd(&fin_nonce_pt.y); 610 } 611 612 int secp256k1_musig_nonce_process(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) { 613 secp256k1_keyagg_cache_internal cache_i; 614 secp256k1_ge aggnonce_pts[2]; 615 unsigned char fin_nonce[32]; 616 secp256k1_musig_session_internal session_i; 617 unsigned char agg_pk32[32]; 618 619 VERIFY_CHECK(ctx != NULL); 620 ARG_CHECK(session != NULL); 621 ARG_CHECK(aggnonce != NULL); 622 ARG_CHECK(msg32 != NULL); 623 ARG_CHECK(keyagg_cache != NULL); 624 625 if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) { 626 return 0; 627 } 628 secp256k1_fe_get_b32(agg_pk32, &cache_i.pk.x); 629 630 if (!secp256k1_musig_aggnonce_load(ctx, aggnonce_pts, aggnonce)) { 631 return 0; 632 } 633 634 secp256k1_musig_nonce_process_internal(&session_i.fin_nonce_parity, fin_nonce, &session_i.noncecoef, aggnonce_pts, agg_pk32, msg32); 635 secp256k1_schnorrsig_challenge(&session_i.challenge, fin_nonce, msg32, 32, agg_pk32); 636 637 /* If there is a tweak then set `challenge` times `tweak` to the `s`-part.*/ 638 secp256k1_scalar_set_int(&session_i.s_part, 0); 639 if (!secp256k1_scalar_is_zero(&cache_i.tweak)) { 640 secp256k1_scalar e_tmp; 641 secp256k1_scalar_mul(&e_tmp, &session_i.challenge, &cache_i.tweak); 642 if (secp256k1_fe_is_odd(&cache_i.pk.y)) { 643 secp256k1_scalar_negate(&e_tmp, &e_tmp); 644 } 645 session_i.s_part = e_tmp; 646 } 647 memcpy(session_i.fin_nonce, fin_nonce, sizeof(session_i.fin_nonce)); 648 secp256k1_musig_session_save(session, &session_i); 649 return 1; 650 } 651 652 static void secp256k1_musig_partial_sign_clear(secp256k1_scalar *sk, secp256k1_scalar *k) { 653 secp256k1_scalar_clear(sk); 654 secp256k1_scalar_clear(&k[0]); 655 secp256k1_scalar_clear(&k[1]); 656 } 657 658 int secp256k1_musig_partial_sign(const secp256k1_context* ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) { 659 secp256k1_scalar sk; 660 secp256k1_ge pk, keypair_pk; 661 secp256k1_scalar k[2]; 662 secp256k1_scalar mu, s; 663 secp256k1_keyagg_cache_internal cache_i; 664 secp256k1_musig_session_internal session_i; 665 int ret; 666 667 VERIFY_CHECK(ctx != NULL); 668 669 ARG_CHECK(secnonce != NULL); 670 /* Fails if the magic doesn't match */ 671 ret = secp256k1_musig_secnonce_load(ctx, k, &pk, secnonce); 672 /* Set nonce to zero to avoid nonce reuse. This will cause subsequent calls 673 * of this function to fail */ 674 memset(secnonce, 0, sizeof(*secnonce)); 675 if (!ret) { 676 secp256k1_musig_partial_sign_clear(&sk, k); 677 return 0; 678 } 679 680 ARG_CHECK(partial_sig != NULL); 681 ARG_CHECK(keypair != NULL); 682 ARG_CHECK(keyagg_cache != NULL); 683 ARG_CHECK(session != NULL); 684 685 if (!secp256k1_keypair_load(ctx, &sk, &keypair_pk, keypair)) { 686 secp256k1_musig_partial_sign_clear(&sk, k); 687 return 0; 688 } 689 ARG_CHECK(secp256k1_fe_equal(&pk.x, &keypair_pk.x) 690 && secp256k1_fe_equal(&pk.y, &keypair_pk.y)); 691 if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) { 692 secp256k1_musig_partial_sign_clear(&sk, k); 693 return 0; 694 } 695 696 /* Negate sk if secp256k1_fe_is_odd(&cache_i.pk.y)) XOR cache_i.parity_acc. 697 * This corresponds to the line "Let d = g⋅gacc⋅d' mod n" in the 698 * specification. */ 699 if ((secp256k1_fe_is_odd(&cache_i.pk.y) 700 != cache_i.parity_acc)) { 701 secp256k1_scalar_negate(&sk, &sk); 702 } 703 704 /* Multiply KeyAgg coefficient */ 705 secp256k1_musig_keyaggcoef(&mu, &cache_i, &pk); 706 secp256k1_scalar_mul(&sk, &sk, &mu); 707 708 if (!secp256k1_musig_session_load(ctx, &session_i, session)) { 709 secp256k1_musig_partial_sign_clear(&sk, k); 710 return 0; 711 } 712 713 if (session_i.fin_nonce_parity) { 714 secp256k1_scalar_negate(&k[0], &k[0]); 715 secp256k1_scalar_negate(&k[1], &k[1]); 716 } 717 718 /* Sign */ 719 secp256k1_scalar_mul(&s, &session_i.challenge, &sk); 720 secp256k1_scalar_mul(&k[1], &session_i.noncecoef, &k[1]); 721 secp256k1_scalar_add(&k[0], &k[0], &k[1]); 722 secp256k1_scalar_add(&s, &s, &k[0]); 723 secp256k1_musig_partial_sig_save(partial_sig, &s); 724 secp256k1_musig_partial_sign_clear(&sk, k); 725 return 1; 726 } 727 728 int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) { 729 secp256k1_keyagg_cache_internal cache_i; 730 secp256k1_musig_session_internal session_i; 731 secp256k1_scalar mu, e, s; 732 secp256k1_gej pkj; 733 secp256k1_ge nonce_pts[2]; 734 secp256k1_gej rj; 735 secp256k1_gej tmp; 736 secp256k1_ge pkp; 737 738 VERIFY_CHECK(ctx != NULL); 739 ARG_CHECK(partial_sig != NULL); 740 ARG_CHECK(pubnonce != NULL); 741 ARG_CHECK(pubkey != NULL); 742 ARG_CHECK(keyagg_cache != NULL); 743 ARG_CHECK(session != NULL); 744 745 if (!secp256k1_musig_session_load(ctx, &session_i, session)) { 746 return 0; 747 } 748 749 if (!secp256k1_musig_pubnonce_load(ctx, nonce_pts, pubnonce)) { 750 return 0; 751 } 752 /* Compute "effective" nonce rj = nonce_pts[0] + b*nonce_pts[1] */ 753 /* TODO: use multiexp to compute -s*G + e*mu*pubkey + nonce_pts[0] + b*nonce_pts[1] */ 754 secp256k1_effective_nonce(&rj, nonce_pts, &session_i.noncecoef); 755 756 if (!secp256k1_pubkey_load(ctx, &pkp, pubkey)) { 757 return 0; 758 } 759 if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) { 760 return 0; 761 } 762 /* Multiplying the challenge by the KeyAgg coefficient is equivalent 763 * to multiplying the signer's public key by the coefficient, except 764 * much easier to do. */ 765 secp256k1_musig_keyaggcoef(&mu, &cache_i, &pkp); 766 secp256k1_scalar_mul(&e, &session_i.challenge, &mu); 767 768 /* Negate e if secp256k1_fe_is_odd(&cache_i.pk.y)) XOR cache_i.parity_acc. 769 * This corresponds to the line "Let g' = g⋅gacc mod n" and the multiplication "g'⋅e" 770 * in the specification. */ 771 if (secp256k1_fe_is_odd(&cache_i.pk.y) 772 != cache_i.parity_acc) { 773 secp256k1_scalar_negate(&e, &e); 774 } 775 776 if (!secp256k1_musig_partial_sig_load(ctx, &s, partial_sig)) { 777 return 0; 778 } 779 /* Compute -s*G + e*pkj + rj (e already includes the keyagg coefficient mu) */ 780 secp256k1_scalar_negate(&s, &s); 781 secp256k1_gej_set_ge(&pkj, &pkp); 782 secp256k1_ecmult(&tmp, &pkj, &e, &s); 783 if (session_i.fin_nonce_parity) { 784 secp256k1_gej_neg(&rj, &rj); 785 } 786 secp256k1_gej_add_var(&tmp, &tmp, &rj, NULL); 787 788 return secp256k1_gej_is_infinity(&tmp); 789 } 790 791 int secp256k1_musig_partial_sig_agg(const secp256k1_context* ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig * const* partial_sigs, size_t n_sigs) { 792 size_t i; 793 secp256k1_musig_session_internal session_i; 794 795 VERIFY_CHECK(ctx != NULL); 796 ARG_CHECK(sig64 != NULL); 797 ARG_CHECK(session != NULL); 798 ARG_CHECK(partial_sigs != NULL); 799 ARG_CHECK(n_sigs > 0); 800 801 if (!secp256k1_musig_session_load(ctx, &session_i, session)) { 802 return 0; 803 } 804 for (i = 0; i < n_sigs; i++) { 805 secp256k1_scalar term; 806 if (!secp256k1_musig_partial_sig_load(ctx, &term, partial_sigs[i])) { 807 return 0; 808 } 809 secp256k1_scalar_add(&session_i.s_part, &session_i.s_part, &term); 810 } 811 secp256k1_scalar_get_b32(&sig64[32], &session_i.s_part); 812 memcpy(&sig64[0], session_i.fin_nonce, 32); 813 return 1; 814 } 815 816 #endif