frost: key tweaking

This commits add BIP-341 ("Taproot") and BIP-32 ("ordinary") public key tweaking.
2024-07-15 21:55:32 -07:00
parent 5e0019339c
commit 92f48c64d5
3 changed files with 247 additions and 0 deletions
--- a/include/secp256k1_frost.h
+++ b/include/secp256k1_frost.h
@@ -16,6 +16,9 @@ extern "C" {
 * Threshold Signatures (FROST) by Chelsea Komlo and Ian Goldberg
 * (https://crysp.uwaterloo.ca/software/frost/).
 *
+ * The module also supports BIP-341 ("Taproot") and BIP-32 ("ordinary") public
+ * key tweaking.
+ *
 * Following the convention used in the MuSig module, the API uses the singular
 * term "nonce" to refer to the two "nonces" used by the FROST scheme.
 */
@@ -28,6 +31,15 @@ extern "C" {
 *  comparison, use the corresponding serialization and parsing functions.
 */

+/** Opaque data structure that caches information about key tweaking.
+ *
+ *  Guaranteed to be 101 bytes in size. It can be safely copied/moved. No
+ *  serialization and parsing functions.
+ */
+typedef struct {
+    unsigned char data[101];
+} secp256k1_frost_tweak_cache;
+
 /** Opaque data structure that holds a signer's _secret_ share.
 *
 *  Guaranteed to be 36 bytes in size. Serialized and parsed with
@@ -239,6 +251,123 @@ SECP256K1_API int secp256k1_frost_compute_pubshare(
    size_t n_participants
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);

+/** Obtain the aggregate public key from a FROST x-only aggregate public key.
+ *
+ *  This is only useful if you need the non-xonly public key, in particular for
+ *  ordinary (non-xonly) tweaking or batch-verifying multiple key aggregations
+ *  (not implemented).
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:        ctx: pointer to a context object
+ *  Out:   ec_agg_pk: the FROST-aggregated public key.
+ *  In: xonly_agg_pk: the aggregated x-only public key that is the output of
+ *                    `secp256k1_frost_share_agg`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_pubkey_get(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *ec_agg_pk,
+    const secp256k1_xonly_pubkey *xonly_agg_pk
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Initializes a tweak cache used for applying tweaks to a FROST key
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:        ctx: pointer to a context object
+ *  Out: tweak_cache: pointer to a frost_tweak_cache struct that is required
+ *                    for key tweaking
+ *  In:       agg_pk: the aggregated x-only public key that is the output of
+ *                    `secp256k1_frost_share_agg`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_pubkey_tweak(
+    const secp256k1_context *ctx,
+    secp256k1_frost_tweak_cache *tweak_cache,
+    const secp256k1_xonly_pubkey *agg_pk
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Apply ordinary "EC" tweaking to a public key in a given tweak_cache by
+ *  adding the generator multiplied with `tweak32` to it. This is useful for
+ *  deriving child keys from an aggregate public key via BIP32.
+ *
+ *  The tweaking method is the same as `secp256k1_ec_pubkey_tweak_add`. So after
+ *  the following pseudocode buf and buf2 have identical contents (absent
+ *  earlier failures).
+ *
+ *  secp256k1_frost_share_agg(..., xonly_agg_pk, ...)
+ *  secp256k1_frost_pubkey_tweak(..., tweak_cache, xonly_agg_pk)
+ *  secp256k1_frost_pubkey_ec_tweak_add(..., output_pk, tweak_cache, tweak32)
+ *  secp256k1_ec_pubkey_serialize(..., buf, output_pk)
+ *  secp256k1_frost_pubkey_get(..., ec_agg_pk, xonly_agg_pk)
+ *  secp256k1_ec_pubkey_tweak_add(..., ec_agg_pk, tweak32)
+ *  secp256k1_ec_pubkey_serialize(..., buf2, ec_agg_pk)
+ *
+ *  This function is required if you want to _sign_ for a tweaked aggregate key.
+ *  On the other hand, if you are only computing a public key, but not intending
+ *  to create a signature for it, you can just use
+ *  `secp256k1_ec_pubkey_tweak_add`.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *  Args:            ctx: pointer to a context object
+ *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
+ *                        to an invalid value if this function returns 0. If you
+ *                        do not need it, this arg can be NULL.
+ *  In/Out:  tweak_cache: pointer to a `frost_tweak_cache` struct initialized by
+ *                       `frost_pubkey_tweak`
+ *  In:          tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                        according to `secp256k1_ec_seckey_verify`, this function
+ *                        returns 0. For uniformly random 32-byte arrays the
+ *                        chance of being invalid is negligible (around 1 in
+ *                        2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_pubkey_ec_tweak_add(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *output_pubkey,
+    secp256k1_frost_tweak_cache *tweak_cache,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Apply x-only tweaking to a public key in a given tweak_cache by adding the
+ *  generator multiplied with `tweak32` to it. This is useful for creating
+ *  Taproot outputs.
+ *
+ *  The tweaking method is the same as `secp256k1_xonly_pubkey_tweak_add`. So in
+ *  the following pseudocode xonly_pubkey_tweak_add_check (absent earlier
+ *  failures) returns 1.
+ *
+ *  secp256k1_frost_share_agg(..., agg_pk, ...)
+ *  secp256k1_frost_pubkey_tweak(..., tweak_cache, agg_pk)
+ *  secp256k1_frost_pubkey_xonly_tweak_add(..., output_pk, tweak_cache, tweak32)
+ *  secp256k1_xonly_pubkey_serialize(..., buf, output_pk)
+ *  secp256k1_xonly_pubkey_tweak_add_check(..., buf, ..., agg_pk, tweak32)
+ *
+ *  This function is required if you want to _sign_ for a tweaked aggregate key.
+ *  On the other hand, if you are only computing a public key, but not intending
+ *  to create a signature for it, you can just use
+ *  `secp256k1_xonly_pubkey_tweak_add`.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *  Args:            ctx: pointer to a context object
+ *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
+ *                        to an invalid value if this function returns 0. If you
+ *                        do not need it, this arg can be NULL.
+ *  In/Out:  tweak_cache: pointer to a `frost_tweak_cache` struct initialized by
+ *                       `frost_pubkey_tweak`
+ *  In:          tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                        according to secp256k1_ec_seckey_verify, this function
+ *                        returns 0. For uniformly random 32-byte arrays the
+ *                        chance of being invalid is negligible (around 1 in
+ *                        2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_pubkey_xonly_tweak_add(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *output_pubkey,
+    secp256k1_frost_tweak_cache *tweak_cache,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 /** Starts a signing session by generating a nonce
 *
 *  This function outputs a secret nonce that will be required for signing and a