Add and expose sign-to-contract contexts and make nonce_function_bipschnorr do sign-to-contract commitments if an s2c context is provided as nonce data

jonasnick · jonasnick · commit 01dd66c6db5f · 2018-11-01T15:31:00.000Z
diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -80,6 +80,22 @@ typedef struct {
     unsigned char data[64];
 } secp256k1_ecdsa_signature;
 
+/** Opaque data structured that holds a sign-to-contract ("s2c") context
+ *  structure. Sign-to-contract allows a signer to commit to some data as part of
+ *  a signature. If the nonce function supports sign-to-contract, the context can
+ *  be given to a signing algorithm via the nonce argument after creating it with
+ *  secp256k1_s2c_commit_context_create.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 128 bytes in size, and can be safely copied/moved.
+ */
+typedef struct {
+    unsigned char data[32];
+    unsigned char data_commitment[32];
+    secp256k1_pubkey original_pubnonce;
+} secp256k1_s2c_commit_context;
+
 /** A pointer to a function to deterministically generate a nonce.
  *
  * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
@@ -471,6 +487,33 @@ SECP256K1_API int secp256k1_ecdsa_signature_normalize(
     const secp256k1_ecdsa_signature *sigin
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3);
 
+/** Creates a sign-to-contract context.
+ *
+ *  Returns: 1 if the context was created successfully, 0 otherwise
+ *  Args:    ctx: a secp256k1 context object
+ *  Out: s2c_ctx: pointer to an s2c context to initialize (cannot be NULL)
+ *  In:   data32: the 32-byte data to commit to (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_s2c_commit_context_create(
+    secp256k1_context *ctx,
+    secp256k1_s2c_commit_context *s2c_ctx,
+    const unsigned char *data32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Gets the opening of a sign-to-contract commitment from an s2c_ctx after signing.
+ *  The "opening" is the original public nonce before adding the s2c commitment tweak.
+ *
+ *  Returns: 1 if getting the opening was successful, 0 otherwise
+ *  Args:    ctx: a secp256k1 context object
+ *  Out: opening: pointer to a pubkey object where the opening will be placed  (cannot be NULL)
+ *  In:  s2c_ctx: pointer to an s2c context to get the opening from (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_s2c_commit_get_opening(
+    secp256k1_context *ctx,
+    secp256k1_pubkey *opening,
+    const secp256k1_s2c_commit_context *s2c_ctx
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
 /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
  * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
  * extra entropy.
diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h
@@ -66,7 +66,9 @@ SECP256K1_API int secp256k1_schnorrsig_parse(
  *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
  *        seckey: pointer to a 32-byte secret key (cannot be NULL)
  *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bipschnorr is used
- *         ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+ *         ndata: pointer to arbitrary data used by the nonce generation function. If non-NULL must
+ *                be a pointer to a s2c_context object when using the default nonce function
+ *                secp256k1_nonce_function_bipschnorr (can be NULL)
  */
 SECP256K1_API int secp256k1_schnorrsig_sign(
     const secp256k1_context* ctx,
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -322,27 +322,6 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off
     *offset += len;
 }
 
-/* This nonce function is described in BIP-schnorr
- * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) */
-static int secp256k1_nonce_function_bipschnorr(const secp256k1_context *ctx, unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
-    secp256k1_sha256 sha;
-    (void) data;
-    (void) counter;
-    VERIFY_CHECK(counter == 0);
-
-    /* Hash x||msg as per the spec */
-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, key32, 32);
-    secp256k1_sha256_write(&sha, msg32, 32);
-    /* Hash in algorithm, which is not in the spec, but may be critical to
-     * users depending on it to avoid nonce reuse across algorithms. */
-    if (algo16 != NULL) {
-        secp256k1_sha256_write(&sha, algo16, 16);
-    }
-    secp256k1_sha256_finalize(&sha, nonce32);
-    return 1;
-}
-
 static int nonce_function_rfc6979(const secp256k1_context *ctx, unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
    unsigned char keydata[112];
    unsigned int offset = 0;
@@ -707,6 +686,72 @@ int secp256k1_ec_commit_verify(const secp256k1_context* ctx, const secp256k1_pub
     return secp256k1_gej_is_infinity(&pj);
 }
 
+int secp256k1_s2c_commit_context_create(secp256k1_context *ctx, secp256k1_s2c_commit_context *s2c_ctx, const unsigned char *data32) {
+    secp256k1_sha256 sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(s2c_ctx != NULL);
+    ARG_CHECK(data32 != NULL);
+
+    memcpy(s2c_ctx->data, data32, 32);
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, data32, 32);
+    secp256k1_sha256_finalize(&sha, s2c_ctx->data_commitment);
+    return 1;
+}
+
+int secp256k1_s2c_commit_get_opening(secp256k1_context *ctx, secp256k1_pubkey *opening, const secp256k1_s2c_commit_context *s2c_ctx) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(s2c_ctx != NULL);
+
+    memcpy(opening, &s2c_ctx->original_pubnonce, sizeof(secp256k1_pubkey));
+    return 1;
+}
+
+static int secp256k1_nonce_function_bipschnorr_no_s2c(const secp256k1_context *ctx, unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
+    secp256k1_sha256 sha;
+
+    VERIFY_CHECK(counter == 0);
+    (void) counter;
+
+    /* Hash x||msg as per the spec */
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, key32, 32);
+    secp256k1_sha256_write(&sha, msg32, 32);
+    /* Hash in algorithm, which is not in the spec, but may be critical to
+     * users depending on it to avoid nonce reuse across algorithms. */
+    if (algo16 != NULL) {
+        secp256k1_sha256_write(&sha, algo16, 16);
+    }
+    if (data == NULL) {
+        secp256k1_sha256_finalize(&sha, nonce32);
+    } else {
+        /* Do a sign-to-contract commitment if data is provided */
+        secp256k1_s2c_commit_context *s2c_ctx = (secp256k1_s2c_commit_context *)data;
+        secp256k1_sha256_write(&sha, s2c_ctx->data_commitment, 32);
+        secp256k1_sha256_finalize(&sha, nonce32);
+
+        if (!secp256k1_ec_pubkey_create(ctx, &s2c_ctx->original_pubnonce, nonce32)) {
+            return 0;
+        }
+    }
+    return 1;
+}
+
+/* This nonce function is described in BIP-schnorr
+ * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) */
+static int secp256k1_nonce_function_bipschnorr(const secp256k1_context *ctx, unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
+    if (!secp256k1_nonce_function_bipschnorr_no_s2c(ctx, nonce32, msg32, key32, algo16, data, counter)) {
+        return 0;
+    }
+    if (data != NULL) {
+        secp256k1_s2c_commit_context *s2c_ctx = (secp256k1_s2c_commit_context *)data;
+        return secp256k1_ec_commit_seckey(ctx, nonce32, &s2c_ctx->original_pubnonce, s2c_ctx->data, 32);
+    }
+    return 1;
+}
+
 #ifdef ENABLE_MODULE_ECDH
 # include "modules/ecdh/main_impl.h"
 #endif
diff --git a/src/tests.c b/src/tests.c
@@ -4054,6 +4054,35 @@ void run_eckey_edge_case_test(void) {
     secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
 }
 
+void test_nonce_function_bipschnorr_s2c(void) {
+    unsigned char nonce32[32];
+    unsigned char msg32[32];
+    unsigned char key32[32];
+    unsigned char algo16[16];
+    unsigned char data32[32];
+    secp256k1_s2c_commit_context s2c_ctx;
+    secp256k1_pubkey pubnonce;
+    secp256k1_pubkey opening;
+
+    secp256k1_rand256(msg32);
+    secp256k1_rand256(key32);
+    secp256k1_rand256(data32);
+    memset(algo16, 23, sizeof(algo16));
+
+    CHECK(secp256k1_s2c_commit_context_create(ctx, &s2c_ctx, data32) == 1);
+    CHECK(secp256k1_nonce_function_bipschnorr(ctx, nonce32, msg32, key32, NULL, &s2c_ctx, 0) == 1);
+    CHECK(secp256k1_s2c_commit_get_opening(ctx, &opening, &s2c_ctx) == 1);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pubnonce, nonce32) == 1);
+    CHECK(secp256k1_ec_commit_verify(ctx, &pubnonce, &opening, data32, 32) == 1);
+}
+
+void run_nonce_function_bipschnorr_tests(void) {
+    int i;
+    for (i = 0; i < count * 8; i++) {
+        test_nonce_function_bipschnorr_s2c();
+    }
+}
+
 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
     secp256k1_scalar nonce;
     do {
@@ -5229,6 +5258,8 @@ int main(int argc, char **argv) {
     run_ecdh_tests();
 #endif
 
+    run_nonce_function_bipschnorr_tests();
+
 #ifdef ENABLE_MODULE_SCHNORRSIG
     /* Schnorrsig tests */
     run_schnorrsig_tests();
