modules: add ecdsa_sign_to_contract

benma · benma · commit 962ce23f8904 · 2019-10-08T18:30:00.000+02:00
Sign a message while comitting to some data at the same time by by
adding `hash(k1*G, data)` to the rfc6979 deterministic nonce. Includes
verification function to check that the signature commits to the data.
diff --git a/.travis.yml b/.travis.yml
@@ -11,15 +11,16 @@ cache:
   - src/java/guava/
 env:
   global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no  JNI=no
+    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  ECDSA_SIGN_TO_CONTRACT=no  EXPERIMENTAL=no  JNI=no
     - GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar
   matrix:
     - SCALAR=32bit    RECOVERY=yes
-    - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes
+    - SCALAR=32bit    FIELD=32bit       ECDH=yes ECDSA_SIGN_TO_CONTRACT=yes EXPERIMENTAL=yes
+    - SCALAR=32bit    FIELD=32bit       EXPERIMENTAL=yes
     - SCALAR=64bit
     - FIELD=64bit     RECOVERY=yes
     - FIELD=64bit     ENDOMORPHISM=yes
-    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes EXPERIMENTAL=yes
+    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes ECDSA_SIGN_TO_CONTRACT=yes EXPERIMENTAL=yes
     - FIELD=64bit                       ASM=x86_64
     - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
     - FIELD=32bit     ENDOMORPHISM=yes
@@ -67,4 +68,4 @@ before_script: ./autogen.sh
 script:
  - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
  - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --with-ecmult-gen-precision=$ECMULTGENPRECISION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
+ - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --with-ecmult-gen-precision=$ECMULTGENPRECISION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-module-ecdsa-sign-to-contract=$ECDSA_SIGN_TO_CONTRACT --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
diff --git a/Makefile.am b/Makefile.am
@@ -181,3 +181,7 @@ endif
 if ENABLE_MODULE_RECOVERY
 include src/modules/recovery/Makefile.am.include
 endif
+
+if ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT
+include src/modules/ecdsa_sign_to_contract/Makefile.am.include
+endif
diff --git a/configure.ac b/configure.ac
@@ -134,6 +134,11 @@ AC_ARG_ENABLE(module_recovery,
     [enable_module_recovery=$enableval],
     [enable_module_recovery=no])
 
+AC_ARG_ENABLE(module_ecdsa_sign_to_contract,
+    AS_HELP_STRING([--enable-module-ecdsa-sign-to-contract],[enable ECDSA sign-to-contract module [default=no]]),
+    [enable_module_ecdsa_sign_to_contract=$enableval],
+    [enable_module_ecdsa_sign_to_contract=no])
+
 AC_ARG_ENABLE(external_default_callbacks,
     AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]),
     [use_external_default_callbacks=$enableval],
@@ -516,6 +521,10 @@ if test x"$enable_module_recovery" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
 fi
 
+if test x"$enable_module_ecdsa_sign_to_contract" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT, 1, [Define this symbol to enable the ECDSA sign-to-contract module])
+fi
+
 AC_C_BIGENDIAN()
 
 if test x"$use_external_asm" = x"yes"; then
@@ -531,11 +540,15 @@ if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([WARNING: experimental build])
   AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
   AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
+  AC_MSG_NOTICE([Building ECDSA sign-to-contract module: $enable_module_ecdsa_sign_to_contract])
   AC_MSG_NOTICE([******])
 else
   if test x"$enable_module_ecdh" = x"yes"; then
     AC_MSG_ERROR([ECDH module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_ecdsa_sign_to_contract" = x"yes"; then
+    AC_MSG_ERROR([ECDA sign-to-contract module module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
@@ -555,6 +568,7 @@ AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_ECDSA_SIGN_TO_CONTRACT], [test x"$enable_module_ecdsa_sign_to_contract" = x"yes"])
 AM_CONDITIONAL([USE_JNI], [test x"$use_jni" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
@@ -568,24 +582,25 @@ AC_OUTPUT
 
 echo
 echo "Build Options:"
-echo "  with endomorphism       = $use_endomorphism"
-echo "  with ecmult precomp     = $set_precomp"
-echo "  with external callbacks = $use_external_default_callbacks"
-echo "  with jni                = $use_jni"
-echo "  with benchmarks         = $use_benchmark"
-echo "  with coverage           = $enable_coverage"
-echo "  module ecdh             = $enable_module_ecdh"
-echo "  module recovery         = $enable_module_recovery"
+echo "  with endomorphism             = $use_endomorphism"
+echo "  with ecmult precomp           = $set_precomp"
+echo "  with external callbacks       = $use_external_default_callbacks"
+echo "  with jni                      = $use_jni"
+echo "  with benchmarks               = $use_benchmark"
+echo "  with coverage                 = $enable_coverage"
+echo "  module ecdh                   = $enable_module_ecdh"
+echo "  module recovery               = $enable_module_recovery"
+echo "  module ecdsa sign-to-contract = $enable_module_ecdsa_sign_to_contract"
 echo
-echo "  asm                     = $set_asm"
-echo "  bignum                  = $set_bignum"
-echo "  field                   = $set_field"
-echo "  scalar                  = $set_scalar"
-echo "  ecmult window size      = $set_ecmult_window"
-echo "  ecmult gen prec. bits   = $set_ecmult_gen_precision"
+echo "  asm                           = $set_asm"
+echo "  bignum                        = $set_bignum"
+echo "  field                         = $set_field"
+echo "  scalar                        = $set_scalar"
+echo "  ecmult window size            = $set_ecmult_window"
+echo "  ecmult gen prec. bits         = $set_ecmult_gen_precision"
 echo
-echo "  CC                      = $CC"
-echo "  CFLAGS                  = $CFLAGS"
-echo "  CPPFLAGS                = $CPPFLAGS"
-echo "  LDFLAGS                 = $LDFLAGS"
+echo "  CC                            = $CC"
+echo "  CFLAGS                        = $CFLAGS"
+echo "  CPPFLAGS                      = $CPPFLAGS"
+echo "  LDFLAGS                       = $LDFLAGS"
 echo
diff --git a/include/secp256k1_ecdsa_sign_to_contract.h b/include/secp256k1_ecdsa_sign_to_contract.h
@@ -0,0 +1,61 @@
+#ifndef SECP256K1_ECDSA_SIGN_TO_CONTRACT_H
+#define SECP256K1_ECDSA_SIGN_TO_CONTRACT_H
+
+#include "secp256k1.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Same as secp256k1_ecdsa_sign, but s2c_data32 is committed to by adding `hash(R1, s2c_data32)` to
+ *  the nonce generated by noncefp, with `ndata=hash(s2c_data32, ndata)`.
+ *  Returns: 1: signature created
+ *           0: the nonce generation function failed, or the private key was invalid.
+ *  Args:    ctx:  pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:     sig:  pointer to an array where the signature will be placed (cannot be NULL)
+ *   s2c_opening:  pointer to an secp256k1_s2c_opening structure which can be
+ *                 NULL but is required to be not NULL if this signature creates
+ *                 a sign-to-contract commitment (i.e. the `s2c_data` argument
+ *                 is not NULL).
+ *  In:
+ *         msg32: the 32-byte message hash being signed (cannot be NULL)
+ *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *    s2c_data32: pointer to a 32-byte data to create an optional
+ *                sign-to-contract commitment to if not NULL (can be NULL).
+ *       noncefp: pointer to a nonce generation function.
+ *                If NULL, secp256k1_nonce_function_default is used.
+ *                Must be the default if s2c_data32 is not NULL.
+ *        ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_sign(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature *sig,
+    secp256k1_s2c_opening *s2c_opening,
+    const unsigned char *msg32,
+    const unsigned char *seckey,
+    const unsigned char* s2c_data32,
+    secp256k1_nonce_function noncefp,
+    const void *ndata
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify a sign-to-contract commitment.
+ *
+ *  Returns: 1: the signature contains a commitment to data32
+ *           0: incorrect opening
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature containing the sign-to-contract commitment (cannot be NULL)
+ *        data32: the 32-byte data that was committed to (cannot be NULL)
+ *       opening: pointer to the opening created during signing (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_verify_commit(
+    const secp256k1_context* ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *data32,
+    const secp256k1_s2c_opening *opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_ECDSA_SIGN_TO_CONTRACT_H */
diff --git a/src/modules/ecdsa_sign_to_contract/Makefile.am.include b/src/modules/ecdsa_sign_to_contract/Makefile.am.include
@@ -0,0 +1,3 @@
+include_HEADERS += include/secp256k1_ecdsa_sign_to_contract.h
+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/main_impl.h
+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/tests_impl.h
diff --git a/src/modules/ecdsa_sign_to_contract/main_impl.h b/src/modules/ecdsa_sign_to_contract/main_impl.h
@@ -0,0 +1,139 @@
+/**********************************************************************
+ * Copyright (c) 2019 Marko Bencun, Jonas Nick                        *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_MODULE_ECDSA_SIGN_TO_CONTRACT_MAIN_H
+#define SECP256K1_MODULE_ECDSA_SIGN_TO_CONTRACT_MAIN_H
+
+#include "include/secp256k1_ecdsa_sign_to_contract.h"
+
+int secp256k1_ecdsa_s2c_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, secp256k1_s2c_opening *s2c_opening, const unsigned char *msg32, const unsigned char *seckey, const unsigned char* s2c_data32, secp256k1_nonce_function noncefp, const void* noncedata) {
+    secp256k1_scalar r, s;
+    secp256k1_scalar sec, non, msg;
+    secp256k1_sha256 sha;
+    int ret = 0;
+    int overflow = 0;
+    int is_zero = 0;
+    unsigned char ndata[32];
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(signature != NULL);
+    ARG_CHECK(seckey != NULL);
+    if (noncefp == NULL) {
+        noncefp = secp256k1_nonce_function_default;
+    }
+    /* sign-to-contract commitments only work with the default nonce function,
+     * because we need to ensure that s2c_data is actually hashed into the nonce and
+     * not just ignored. */
+    ARG_CHECK(s2c_data32 == NULL || noncefp == secp256k1_nonce_function_default);
+    /* s2c_opening and s2c_data32 should be either both non-NULL or both NULL. */
+    ARG_CHECK((s2c_opening != NULL) == (s2c_data32 != NULL));
+
+    if (s2c_opening != NULL) {
+        secp256k1_s2c_opening_init(s2c_opening);
+    }
+
+    if(s2c_data32 != NULL) {
+        /* Provide s2c_data32 and ndata (if not NULL) to the the nonce function
+         * as additional data to derive the nonce from. If both pointers are
+         * not NULL, they need to be hashed to get the nonce data 32 bytes.
+         * Even if only s2c_data32 is not NULL, it's hashed because it should
+         * be possible to derive nonces even if only a SHA256 commitment to the
+         * data is known.  This is for example important in the
+         * anti-nonce-sidechannel protocol.
+         */
+        secp256k1_sha256_initialize(&sha);
+        secp256k1_sha256_write(&sha, s2c_data32, 32);
+        if (noncedata != NULL) {
+            secp256k1_sha256_write(&sha, noncedata, 32);
+        }
+        secp256k1_sha256_finalize(&sha, ndata);
+        noncedata = &ndata;
+    }
+
+    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
+    /* Fail if the secret key is invalid. */
+    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
+        unsigned char nonce32[32];
+        unsigned int count = 0;
+        secp256k1_scalar_set_b32(&msg, msg32, NULL);
+        while (1) {
+            ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
+            if (!ret) {
+                break;
+            }
+            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
+            is_zero = secp256k1_scalar_is_zero(&non);
+            if (!overflow && !is_zero) {
+                if (s2c_data32 != NULL) {
+                    secp256k1_gej nonce_pj;
+                    secp256k1_ge nonce_p;
+
+                    /* Compute original nonce commitment/pubkey */
+                    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non);
+                    secp256k1_ge_set_gej(&nonce_p, &nonce_pj);
+                    secp256k1_pubkey_save(&s2c_opening->original_pubnonce, &nonce_p);
+
+                    /* Tweak nonce with s2c commitment. */
+                    if (!secp256k1_ec_commit_seckey(ctx, nonce32, &s2c_opening->original_pubnonce, s2c_data32, 32)) {
+                        return 0;
+                    }
+                    secp256k1_scalar_set_b32(&non, nonce32, &overflow);
+                    is_zero = secp256k1_scalar_is_zero(&non);
+                }
+
+                if (!overflow && !is_zero) {
+                    if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
+                        break;
+                    }
+                }
+            }
+            count++;
+        }
+        memset(nonce32, 0, 32);
+        secp256k1_scalar_clear(&msg);
+        secp256k1_scalar_clear(&non);
+        secp256k1_scalar_clear(&sec);
+    }
+    if (ret) {
+        secp256k1_ecdsa_signature_save(signature, &r, &s);
+    } else {
+        memset(signature, 0, sizeof(*signature));
+    }
+    return ret;
+}
+
+int secp256k1_ecdsa_s2c_verify_commit(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *data32, const secp256k1_s2c_opening *opening) {
+    secp256k1_pubkey commitment;
+    secp256k1_ge commitment_ge;
+    unsigned char x_bytes1[32];
+    unsigned char x_bytes2[32];
+    secp256k1_scalar sigr, sigs;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig != NULL);
+    ARG_CHECK(data32 != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(secp256k1_s2c_commit_is_init(opening));
+
+    if (!secp256k1_ec_commit(ctx, &commitment, &opening->original_pubnonce, data32, 32)) {
+        return 0;
+    }
+
+    /* Check that sigr (x coordinate of R) matches the x coordinate of the commitment. */
+    secp256k1_ecdsa_signature_load(ctx, &sigr, &sigs, sig);
+
+    if (!secp256k1_pubkey_load(ctx, &commitment_ge, &commitment)) {
+        return 0;
+    }
+    secp256k1_fe_normalize(&commitment_ge.x);
+    secp256k1_fe_get_b32(x_bytes1, &commitment_ge.x);
+    secp256k1_scalar_get_b32(x_bytes2, &sigr);
+    return memcmp(x_bytes1, x_bytes2, 32) == 0;
+
+}
+
+#endif /* SECP256K1_ECDSA_SIGN_TO_CONTRACT_MAIN_H */
diff --git a/src/modules/ecdsa_sign_to_contract/tests_impl.h b/src/modules/ecdsa_sign_to_contract/tests_impl.h
diff --git a/src/secp256k1.c b/src/secp256k1.c
diff --git a/src/tests.c b/src/tests.c

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+include_HEADERS += include/secp256k1_ecdsa_sign_to_contract.h`
	`2`	`+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/main_impl.h`
	`3`	`+noinst_HEADERS += src/modules/ecdsa_sign_to_contract/tests_impl.h`