[experiment/wip] ecdsa nonce anti sidechan util functions

This is based on the description of the fix by Stepan: https://medium.com/cryptoadvance/hardware-wallets-can-be-hacked-but-this-is-fine-a6156bbd199

The protocol wording and functions are copied/adapted from Jonas
Nick's PRs which do the same for BIP-Schnorr:

ae5fb7f#diff-b19c5ee427283d4d82bc5beb4e2f4777R59

ae5fb7f#diff-313ca26f0048bc16a608709915d0111eR70

1.
Add secp256k1_ecdsa_anti_nonce_sidechan_client_commit to return the
curve point committing to the signing client nonce.

This is a convenience function and can technically be emulated by
calling secp256k1_ecdsa_sign() and reconstructing the curve point from
the signature r/s values.

2.

secp256k1_ecdsa_sign_nonce_tweak_add, which is the same as
secp256k1_ecdsa_sign_nonce, but with an additional optional tweak parameter to
add to the nonce.

The nicer way to do this is to redefine `secp256k1_nonce_function` to
have a tweak param, but this would break API compatiblity. The way it
is implemented is fully backwards compatible.

Author: benma

include/secp256k1.h

@@ -526,6 +526,37 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc
 /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default;
 
+/** Compute commitment on the client as part of the ECDSA Anti Nonce Sidechannel Protocol.
+ *
+ * ECDSA Anti Nonce Sidechannel Protocol:
+ * 1. The host draws randomness `k2`, commits to it with sha256 and sends the commitment to the client.
+ * 2. The client commits to it's original nonce `k1` using the host commitment by calling
+ *    `secp256k1_ecdsa_anti_nonce_sidechan_client_commit`. The client sends the resulting commitment
+ *   `R1` to the host.
+ * 3. The host replies with `k2` generated in step 1.
+ * 4. The client checks that the host commitment from step 1 commits to `k2` from step 3 and signs
+ *    with `secp256k1_ecdsa_sign_nonce_tweak_add`, using the `k2` as the tweak and the host
+ *    commitment as additional noncedata and sends the signature to the host.
+ * 5. The host reconstructs the curve point `R` from the signature and verifies that `R = R1 + k2*G`.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object (cannot be NULL)
+ *  Out:  client_commit: pointer to a pubkey where the clients public nonce will be
+ *                       placed. (cannot be NULL)
+ *  In:           msg32: the 32-byte message hash to be signed (cannot be NULL)
+ *             seckey32: the 32-byte secret key used for signing (cannot be NULL)
+ *              noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+ *    rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_anti_nonce_sidechan_client_commit(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *client_commit,
+    const unsigned char *msg32,
+    const unsigned char *seckey32,
+    secp256k1_nonce_function noncefp,
+    unsigned char *rand_commitment32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6);
+
 /** Create an ECDSA signature.
  *
  *  Returns: 1: signature created
@@ -549,6 +580,18 @@ SECP256K1_API int secp256k1_ecdsa_sign(
     const void *ndata
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Same as secp256k1_ecdsa_sign, but nonce_tweak32 is added to the nonce generated by noncefp.
+ */
+SECP256K1_API int secp256k1_ecdsa_sign_nonce_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature *sig,
+    const unsigned char *msg32,
+    const unsigned char *seckey,
+    secp256k1_nonce_function noncefp,
+    const void *ndata,
+    const unsigned char* nonce_tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 /** Verify an ECDSA secret key.
  *
  *  Returns: 1: secret key is valid

src/secp256k1.c

@@ -446,9 +446,52 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
 
+int secp256k1_ecdsa_anti_nonce_sidechan_client_commit(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *client_commit,
+    const unsigned char *msg32,
+    const unsigned char *seckey32,
+    secp256k1_nonce_function noncefp,
+    unsigned char *rand_commitment32
+) {
+    unsigned char nonce32[32];
+    secp256k1_scalar k;
+    secp256k1_gej rj;
+    secp256k1_ge r;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(client_commit != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(seckey32 != NULL);
+    if (noncefp == NULL) {
+        noncefp = secp256k1_nonce_function_default;
+    }
+    ARG_CHECK(rand_commitment32 != NULL);
+
+
+    if (!noncefp(nonce32, msg32, seckey32, NULL, rand_commitment32, 0)) {
+        return 0;
+    }
+
+    secp256k1_scalar_set_b32(&k, nonce32, NULL);
+    if (secp256k1_scalar_is_zero(&k)) {
+        return 0;
+    }
+
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+    secp256k1_ge_set_gej(&r, &rj);
+    secp256k1_pubkey_save(client_commit, &r);
+    return 1;
+}
+
 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
+    return secp256k1_ecdsa_sign_nonce_tweak_add(ctx, signature, msg32, seckey, noncefp, noncedata, NULL);
+}
+
+int secp256k1_ecdsa_sign_nonce_tweak_add(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata, const unsigned char* nonce_tweak32) {
     secp256k1_scalar r, s;
-    secp256k1_scalar sec, non, msg;
+    secp256k1_scalar sec, non, msg, nonce_tweak;
     int ret = 0;
     int overflow = 0;
     VERIFY_CHECK(ctx != NULL);
@@ -460,6 +503,13 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
         noncefp = secp256k1_nonce_function_default;
     }
 
+    if (nonce_tweak32 != NULL) {
+        secp256k1_scalar_set_b32(&nonce_tweak, nonce_tweak32, &overflow);
+        if (overflow || secp256k1_scalar_is_zero(&nonce_tweak)) {
+            return 0;
+        }
+    }
+
     secp256k1_scalar_set_b32(&sec, seckey, &overflow);
     /* Fail if the secret key is invalid. */
     if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
@@ -472,6 +522,9 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
                 break;
             }
             secp256k1_scalar_set_b32(&non, nonce32, &overflow);
+            if (nonce_tweak32 != NULL) {
+                secp256k1_scalar_add(&non, &non, &nonce_tweak);
+            }
             if (!overflow && !secp256k1_scalar_is_zero(&non)) {
                 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
                     break;