musig: shorten partial nonce byte array from 33 to 32 bytes

This commit is contained in:
Jonas Nick 2019-12-12 21:45:02 +00:00
parent 62f0b2d867
commit 5b4eb18ec5
4 changed files with 29 additions and 26 deletions


@ -75,7 +75,8 @@ typedef struct {
int has_secret_data; int has_secret_data;
unsigned char seckey[32]; unsigned char seckey[32];
unsigned char secnonce[32]; unsigned char secnonce[32];
secp256k1_pubkey nonce; secp256k1_xonly_pubkey nonce;
int partial_nonce_parity;
unsigned char nonce_commitments_hash[32]; unsigned char nonce_commitments_hash[32];
secp256k1_xonly_pubkey combined_nonce; secp256k1_xonly_pubkey combined_nonce;
int combined_nonce_parity; int combined_nonce_parity;
@ -111,7 +112,7 @@ typedef struct {
typedef struct { typedef struct {
int present; int present;
uint32_t index; uint32_t index;
secp256k1_pubkey nonce; secp256k1_xonly_pubkey nonce;
unsigned char nonce_commitment[32]; unsigned char nonce_commitment[32];
} secp256k1_musig_session_signer_data; } secp256k1_musig_session_signer_data;
@ -207,7 +208,7 @@ SECP256K1_API int secp256k1_musig_session_init(
* signers: an array of signers' data initialized with * signers: an array of signers' data initialized with
* `musig_session_init`. Array length must equal to * `musig_session_init`. Array length must equal to
* `n_commitments` (cannot be NULL) * `n_commitments` (cannot be NULL)
* Out: nonce33: filled with a 33-byte public nonce which is supposed to be * Out: nonce32: filled with a 32-byte public nonce which is supposed to be
* sent to the other signers and then used in `musig_set nonce` * sent to the other signers and then used in `musig_set nonce`
* (cannot be NULL) * (cannot be NULL)
* In: commitments: array of pointers to 32-byte nonce commitments (cannot be NULL) * In: commitments: array of pointers to 32-byte nonce commitments (cannot be NULL)
@ -220,7 +221,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi
const secp256k1_context* ctx, const secp256k1_context* ctx,
secp256k1_musig_session *session, secp256k1_musig_session *session,
secp256k1_musig_session_signer_data *signers, secp256k1_musig_session_signer_data *signers,
unsigned char *nonce33, unsigned char *nonce32,
const unsigned char *const *commitments, const unsigned char *const *commitments,
size_t n_commitments, size_t n_commitments,
const unsigned char *msg32 const unsigned char *msg32
@ -266,12 +267,12 @@ SECP256K1_API int secp256k1_musig_session_init_verifier(
* signer: pointer to the signer data to update (cannot be NULL). Must have * signer: pointer to the signer data to update (cannot be NULL). Must have
* been used with `musig_session_get_public_nonce` or initialized * been used with `musig_session_get_public_nonce` or initialized
* with `musig_session_init_verifier`. * with `musig_session_init_verifier`.
* In: nonce33: signer's alleged public nonce (cannot be NULL) * In: nonce32: signer's alleged public nonce (cannot be NULL)
*/ */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce( SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce(
const secp256k1_context* ctx, const secp256k1_context* ctx,
secp256k1_musig_session_signer_data *signer, secp256k1_musig_session_signer_data *signer,
const unsigned char *nonce33 const unsigned char *nonce32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
/** Updates a session with the combined public nonce of all signers. The combined /** Updates a session with the combined public nonce of all signers. The combined
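Review bot: The new `int partial_nonce_parity;` field in the session struct (first hunk) is the only member added by this change and it carries no comment, although it encodes the sign convention the whole x-only switch relies on. I would add `/* Parity of this signer's own nonce point, recorded because the nonce is now stored x-only; partial_sign negates the secret nonce when this differs from combined_nonce_parity */`, with the exact polarity checked against `secp256k1_extrakeys_ge_even_y`, which is not visible here. In the `musig_set_nonce` hunk, the `nonce32` description could also state that it is a 32-byte x-only public key serialization, as the `get_public_nonce` wording does, so callers know which byte string must hash to the commitment. Both struct definitions start outside their hunks.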


@ -45,7 +45,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
unsigned char nonce_commitment[N_SIGNERS][32]; unsigned char nonce_commitment[N_SIGNERS][32];
const unsigned char *nonce_commitment_ptr[N_SIGNERS]; const unsigned char *nonce_commitment_ptr[N_SIGNERS];
secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS]; secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS];
unsigned char nonce[N_SIGNERS][33]; unsigned char nonce[N_SIGNERS][32];
int i, j; int i, j;
secp256k1_musig_partial_signature partial_sig[N_SIGNERS]; secp256k1_musig_partial_signature partial_sig[N_SIGNERS];


@ -141,7 +141,7 @@ int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_s
secp256k1_sha256 sha; secp256k1_sha256 sha;
secp256k1_gej pj; secp256k1_gej pj;
secp256k1_ge p; secp256k1_ge p;
unsigned char nonce_ser[33]; unsigned char nonce_ser[32];
size_t nonce_ser_size = sizeof(nonce_ser); size_t nonce_ser_size = sizeof(nonce_ser);
VERIFY_CHECK(ctx != NULL); VERIFY_CHECK(ctx != NULL);
@ -221,10 +221,12 @@ int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_s
/* Compute public nonce and commitment */ /* Compute public nonce and commitment */
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret);
secp256k1_ge_set_gej(&p, &pj); secp256k1_ge_set_gej(&p, &pj);
secp256k1_pubkey_save(&session->nonce, &p); secp256k1_fe_normalize_var(&p.y);
session->partial_nonce_parity = secp256k1_extrakeys_ge_even_y(&p);
secp256k1_xonly_pubkey_save(&session->nonce, &p);
secp256k1_sha256_initialize(&sha); secp256k1_sha256_initialize(&sha);
secp256k1_ec_pubkey_serialize(ctx, nonce_ser, &nonce_ser_size, &session->nonce, SECP256K1_EC_COMPRESSED); secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
secp256k1_sha256_write(&sha, nonce_ser, nonce_ser_size); secp256k1_sha256_write(&sha, nonce_ser, nonce_ser_size);
secp256k1_sha256_finalize(&sha, nonce_commitment32); secp256k1_sha256_finalize(&sha, nonce_commitment32);
@ -237,7 +239,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
secp256k1_sha256 sha; secp256k1_sha256 sha;
unsigned char nonce_commitments_hash[32]; unsigned char nonce_commitments_hash[32];
size_t i; size_t i;
unsigned char nonce_ser[33]; unsigned char nonce_ser[32];
size_t nonce_ser_size = sizeof(nonce_ser); size_t nonce_ser_size = sizeof(nonce_ser);
(void) ctx; (void) ctx;
@ -271,7 +273,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
secp256k1_sha256_finalize(&sha, nonce_commitments_hash); secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32); memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32);
secp256k1_ec_pubkey_serialize(ctx, nonce_ser, &nonce_ser_size, &session->nonce, SECP256K1_EC_COMPRESSED); secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
memcpy(nonce, &nonce_ser, nonce_ser_size); memcpy(nonce, &nonce_ser, nonce_ser_size);
session->round = 1; session->round = 1;
return 1; return 1;
@ -326,14 +328,14 @@ int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_sess
ARG_CHECK(nonce != NULL); ARG_CHECK(nonce != NULL);
secp256k1_sha256_initialize(&sha); secp256k1_sha256_initialize(&sha);
secp256k1_sha256_write(&sha, nonce, 33); secp256k1_sha256_write(&sha, nonce, 32);
secp256k1_sha256_finalize(&sha, commit); secp256k1_sha256_finalize(&sha, commit);
if (memcmp(commit, signer->nonce_commitment, 32) != 0) { if (memcmp(commit, signer->nonce_commitment, 32) != 0) {
return 0; return 0;
} }
memcpy(&signer->nonce, nonce, sizeof(*nonce)); memcpy(&signer->nonce, nonce, sizeof(*nonce));
if (!secp256k1_ec_pubkey_parse(ctx, &signer->nonce, nonce, 33)) { if (!secp256k1_xonly_pubkey_parse(ctx, &signer->nonce, nonce)) {
return 0; return 0;
} }
signer->present = 1; signer->present = 1;
@ -362,7 +364,7 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
return 0; return 0;
} }
secp256k1_sha256_write(&sha, signers[i].nonce_commitment, 32); secp256k1_sha256_write(&sha, signers[i].nonce_commitment, 32);
secp256k1_pubkey_load(ctx, &noncep, &signers[i].nonce); secp256k1_xonly_pubkey_load(ctx, &noncep, &signers[i].nonce);
secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL);
} }
secp256k1_sha256_finalize(&sha, nonce_commitments_hash); secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
@ -458,7 +460,7 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m
secp256k1_scalar_clear(&k); secp256k1_scalar_clear(&k);
return 0; return 0;
} }
if (session->combined_nonce_parity) { if (session->partial_nonce_parity != session->combined_nonce_parity) {
secp256k1_scalar_negate(&k, &k); secp256k1_scalar_negate(&k, &k);
} }
@ -543,7 +545,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2
secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index); secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index);
secp256k1_scalar_mul(&e, &e, &mu); secp256k1_scalar_mul(&e, &e, &mu);
if (!secp256k1_pubkey_load(ctx, &rp, &signer->nonce)) { if (!secp256k1_xonly_pubkey_load(ctx, &rp, &signer->nonce)) {
return 0; return 0;
} }
/* If the MuSig-combined point has an odd Y coordinate, the signers will /* If the MuSig-combined point has an odd Y coordinate, the signers will
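Review bot: In the `secp256k1_musig_set_nonce` hunk, the `memcpy(&signer->nonce, nonce, sizeof(*nonce));` kept above the new `secp256k1_xonly_pubkey_parse` call copies a single byte (`nonce` is `const unsigned char *`, so `sizeof(*nonce)` is 1) into a struct that the parse on the next line then fills, so it reads as dead code left over from the 33-byte version and should be removed rather than carried into the new API. In the `_session_init` and `_get_public_nonce` hunks, `nonce_ser_size` has lost its purpose now that `secp256k1_xonly_pubkey_serialize` takes no length argument; writing `secp256k1_sha256_write(&sha, nonce_ser, sizeof(nonce_ser));` and `memcpy(nonce, nonce_ser, sizeof(nonce_ser));` ties the hashed and copied length to the buffer and drops a variable that could diverge from it. The return value of `secp256k1_xonly_pubkey_serialize` is ignored in both places, as the previous call's was; a `VERIFY_CHECK` or similar assertion would document that it cannot fail for a nonce the session just saved. All of these functions start outside their hunks.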


@ -31,7 +31,7 @@ void musig_simple_test(secp256k1_scratch_space *scratch) {
unsigned char session_id[2][32]; unsigned char session_id[2][32];
secp256k1_xonly_pubkey pk[2]; secp256k1_xonly_pubkey pk[2];
const unsigned char *ncs[2]; const unsigned char *ncs[2];
unsigned char public_nonce[3][33]; unsigned char public_nonce[3][32];
secp256k1_musig_partial_signature partial_sig[2]; secp256k1_musig_partial_signature partial_sig[2];
unsigned char final_sig[64]; unsigned char final_sig[64];
@ -238,7 +238,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
/** Signing step 0 -- exchange nonce commitments */ /** Signing step 0 -- exchange nonce commitments */
ecount = 0; ecount = 0;
{ {
unsigned char nonce[33]; unsigned char nonce[32];
secp256k1_musig_session session_0_tmp; secp256k1_musig_session session_0_tmp;
memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp));
@ -252,7 +252,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
/** Signing step 1 -- exchange nonces */ /** Signing step 1 -- exchange nonces */
ecount = 0; ecount = 0;
{ {
unsigned char public_nonce[3][33]; unsigned char public_nonce[3][32];
secp256k1_musig_session session_0_tmp; secp256k1_musig_session session_0_tmp;
memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp));
@ -479,7 +479,7 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25
secp256k1_xonly_pubkey pks_tmp[2]; secp256k1_xonly_pubkey pks_tmp[2];
secp256k1_xonly_pubkey combined_pk_tmp; secp256k1_xonly_pubkey combined_pk_tmp;
secp256k1_musig_pre_session pre_session_tmp; secp256k1_musig_pre_session pre_session_tmp;
unsigned char nonce[33]; unsigned char nonce[32];
/* Set up signers with different public keys */ /* Set up signers with different public keys */
secp256k1_testrand256(sk_dummy); secp256k1_testrand256(sk_dummy);
@ -512,7 +512,7 @@ int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey *
secp256k1_musig_session_signer_data *signers_to_use; secp256k1_musig_session_signer_data *signers_to_use;
unsigned char nonce_commitment[32]; unsigned char nonce_commitment[32];
unsigned char session_id[32]; unsigned char session_id[32];
unsigned char nonce[33]; unsigned char nonce[32];
const unsigned char *ncs[2]; const unsigned char *ncs[2];
/* Initialize new signers */ /* Initialize new signers */
@ -545,7 +545,7 @@ void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xo
secp256k1_musig_session_signer_data signers[2]; secp256k1_musig_session_signer_data signers[2];
unsigned char nonce_commitment[32]; unsigned char nonce_commitment[32];
const unsigned char *ncs[2]; const unsigned char *ncs[2];
unsigned char nonce[33]; unsigned char nonce[32];
secp256k1_musig_partial_signature partial_sig; secp256k1_musig_partial_signature partial_sig;
secp256k1_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); secp256k1_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount);
@ -586,7 +586,7 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) {
secp256k1_xonly_pubkey pk[2]; secp256k1_xonly_pubkey pk[2];
secp256k1_xonly_pubkey combined_pk; secp256k1_xonly_pubkey combined_pk;
secp256k1_musig_pre_session pre_session; secp256k1_musig_pre_session pre_session;
unsigned char nonce[2][33]; unsigned char nonce[2][32];
const unsigned char *ncs[2]; const unsigned char *ncs[2];
secp256k1_musig_partial_signature partial_sig[2]; secp256k1_musig_partial_signature partial_sig[2];
unsigned char sig[64]; unsigned char sig[64];
@ -706,8 +706,8 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) {
unsigned char noncommit_b[2][32]; unsigned char noncommit_b[2][32];
const unsigned char *noncommit_a_ptr[2]; const unsigned char *noncommit_a_ptr[2];
const unsigned char *noncommit_b_ptr[2]; const unsigned char *noncommit_b_ptr[2];
unsigned char pubnon_a[2][33]; unsigned char pubnon_a[2][32];
unsigned char pubnon_b[2][33]; unsigned char pubnon_b[2][32];
int combined_nonce_parity_a; int combined_nonce_parity_a;
int combined_nonce_parity_b; int combined_nonce_parity_b;
secp256k1_musig_session_signer_data data_a[2]; secp256k1_musig_session_signer_data data_a[2];