frost: nonce aggregation and adaptor signatures

jesseposner · jesseposner · commit 67c21beadd14 · 2024-07-16T23:36:47.000-07:00
This commit adds nonce aggregation, as well as adaptor signatures.
diff --git a/include/secp256k1_frost.h b/include/secp256k1_frost.h
@@ -17,7 +17,7 @@ extern "C" {
  * (https://crysp.uwaterloo.ca/software/frost/).
  *
  * The module also supports BIP-341 ("Taproot") and BIP-32 ("ordinary") public
- * key tweaking.
+ * key tweaking, and adaptor signatures.
  *
  * Following the convention used in the MuSig module, the API uses the singular
  * term "nonce" to refer to the two "nonces" used by the FROST scheme.
@@ -78,6 +78,16 @@ typedef struct {
     unsigned char data[132];
 } secp256k1_frost_pubnonce;
 
+/** Opaque data structure that holds a FROST session.
+ *
+ *  This structure is not required to be kept secret for the signing protocol
+ *  to be secure. Guaranteed to be 133 bytes in size. It can be safely
+ *  copied/moved. No serialization and parsing functions.
+ */
+typedef struct {
+    unsigned char data[133];
+} secp256k1_frost_session;
+
 /** Parse a signer's public nonce.
  *
  *  Returns: 1 when the nonce could be parsed, 0 otherwise.
@@ -421,6 +431,135 @@ SECP256K1_API int secp256k1_frost_nonce_gen(
     const unsigned char *extra_input32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Takes the public nonces of all signers and computes a session that is
+ *  required for signing and verification of partial signatures. The participant
+ *  IDs can be sorted before combining, but the corresponding pubnonces must be
+ *  resorted as well. All signers must use the same sorting of pubnonces,
+ *  otherwise signing will fail.
+ *
+ *  Returns: 0 if the arguments are invalid or if some signer sent invalid
+ *           pubnonces, 1 otherwise
+ *  Args:          ctx: pointer to a context object
+ *  Out:       session: pointer to a struct to store the session
+ *  In:      pubnonces: array of pointers to public nonces sent by the signers
+ *         n_pubnonces: number of elements in the pubnonces array. Must be
+ *                      greater than 0.
+ *               msg32: the 32-byte message to sign
+ *              agg_pk: the FROST-aggregated public key
+ *            myd_id33: the 33-byte ID of the participant who will use the
+ *                      session for signing
+ *               ids33: array of the 33-byte participant IDs of the signers
+ *         tweak_cache: pointer to frost_tweak_cache struct (can be NULL)
+ *             adaptor: optional pointer to an adaptor point encoded as a
+ *                      public key if this signing session is part of an
+ *                      adaptor signature protocol (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_nonce_process(
+    const secp256k1_context *ctx,
+    secp256k1_frost_session *session,
+    const secp256k1_frost_pubnonce * const *pubnonces,
+    size_t n_pubnonces,
+    const unsigned char *msg32,
+    const secp256k1_xonly_pubkey *agg_pk,
+    const unsigned char *my_id33,
+    const unsigned char * const* ids33,
+    const secp256k1_frost_tweak_cache *tweak_cache,
+    const secp256k1_pubkey *adaptor
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8);
+
+/** Extracts the nonce_parity bit from a session
+ *
+ *  This is used for adaptor signatures.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:         ctx: pointer to a context object
+ *  Out: nonce_parity: pointer to an integer that indicates the parity
+ *                     of the aggregate public nonce. Used for adaptor
+ *                     signatures.
+ *  In:       session: pointer to the session that was created with
+ *                     frost_nonce_process
+ */
+SECP256K1_API int secp256k1_frost_nonce_parity(
+    const secp256k1_context *ctx,
+    int *nonce_parity,
+    const secp256k1_frost_session *session
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Verifies that the adaptor can be extracted by combining the adaptor
+ *  pre-signature and the completed signature.
+ *
+ *  Returns: 0 if the arguments are invalid or the adaptor signature does not
+ *           verify, 1 otherwise
+ *  Args:         ctx: pointer to a context object
+ *  In:     pre_sig64: 64-byte pre-signature
+ *              msg32: the 32-byte message being verified
+ *             pubkey: pointer to an x-only public key to verify with
+ *            adaptor: pointer to the adaptor point being verified
+ *       nonce_parity: the output of `frost_nonce_parity` called with the
+ *                     session used for producing the pre-signature
+ */
+SECP256K1_API int secp256k1_frost_verify_adaptor(
+    const secp256k1_context *ctx,
+    const unsigned char *pre_sig64,
+    const unsigned char *msg32,
+    const secp256k1_xonly_pubkey *pubkey,
+    const secp256k1_pubkey *adaptor,
+    int nonce_parity
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Creates a signature from a pre-signature and an adaptor.
+ *
+ *  If the sec_adaptor32 argument is incorrect, the output signature will be
+ *  invalid. This function does not verify the signature.
+ *
+ *  Returns: 0 if the arguments are invalid, or pre_sig64 or sec_adaptor32 contain
+ *           invalid (overflowing) values. 1 otherwise (which does NOT mean the
+ *           signature or the adaptor are valid!)
+ *  Args:         ctx: pointer to a context object
+ *  Out:        sig64: 64-byte signature. This pointer may point to the same
+ *                     memory area as `pre_sig`.
+ *  In:     pre_sig64: 64-byte pre-signature
+ *      sec_adaptor32: 32-byte secret adaptor to add to the pre-signature
+ *       nonce_parity: the output of `frost_nonce_parity` called with the
+ *                     session used for producing the pre-signature
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_adapt(
+    const secp256k1_context *ctx,
+    unsigned char *sig64,
+    const unsigned char *pre_sig64,
+    const unsigned char *sec_adaptor32,
+    int nonce_parity
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Extracts a secret adaptor from a FROST pre-signature and corresponding
+ *  signature
+ *
+ *  This function will not fail unless given grossly invalid data; if it is
+ *  merely given signatures that do not verify, the returned value will be
+ *  nonsense. It is therefore important that all data be verified at earlier
+ *  steps of any protocol that uses this function. In particular, this includes
+ *  verifying all partial signatures that were aggregated into pre_sig64.
+ *
+ *  Returns: 0 if the arguments are NULL, or sig64 or pre_sig64 contain
+ *           grossly invalid (overflowing) values. 1 otherwise (which does NOT
+ *           mean the signatures or the adaptor are valid!)
+ *  Args:         ctx: pointer to a context object
+ *  Out:sec_adaptor32: 32-byte secret adaptor
+ *  In:         sig64: complete, valid 64-byte signature
+ *          pre_sig64: the pre-signature corresponding to sig64, i.e., the
+ *                     aggregate of partial signatures without the secret
+ *                     adaptor
+ *       nonce_parity: the output of `frost_nonce_parity` called with the
+ *                     session used for producing sig64
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_extract_adaptor(
+    const secp256k1_context *ctx,
+    unsigned char *sec_adaptor32,
+    const unsigned char *sig64,
+    const unsigned char *pre_sig64,
+    int nonce_parity
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/modules/frost/Makefile.am.include b/src/modules/frost/Makefile.am.include
@@ -4,3 +4,4 @@ noinst_HEADERS += src/modules/frost/keygen.h
 noinst_HEADERS += src/modules/frost/keygen_impl.h
 noinst_HEADERS += src/modules/frost/session.h
 noinst_HEADERS += src/modules/frost/session_impl.h
+noinst_HEADERS += src/modules/frost/adaptor_impl.h
diff --git a/src/modules/frost/adaptor_impl.h b/src/modules/frost/adaptor_impl.h
@@ -0,0 +1,168 @@
+/***********************************************************************
+ * Copyright (c) 2022-2024 Jesse Posner                                *
+ * Distributed under the MIT software license, see the accompanying    *
+ * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
+ ***********************************************************************/
+
+#ifndef SECP256K1_MODULE_FROST_ADAPTOR_IMPL_H
+#define SECP256K1_MODULE_FROST_ADAPTOR_IMPL_H
+
+#include <string.h>
+
+#include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_frost.h"
+
+#include "session.h"
+#include "../../scalar.h"
+
+int secp256k1_frost_nonce_parity(const secp256k1_context* ctx, int *nonce_parity, const secp256k1_frost_session *session) {
+    secp256k1_frost_session_internal session_i;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(nonce_parity != NULL);
+    ARG_CHECK(session != NULL);
+
+    if (!secp256k1_frost_session_load(ctx, &session_i, session)) {
+        return 0;
+    }
+    *nonce_parity = session_i.fin_nonce_parity;
+    return 1;
+}
+
+int secp256k1_frost_verify_adaptor(const secp256k1_context* ctx, const unsigned char *pre_sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey, const secp256k1_pubkey *adaptor, int nonce_parity) {
+    secp256k1_scalar s;
+    secp256k1_scalar e;
+    secp256k1_gej rj;
+    secp256k1_ge pk;
+    secp256k1_gej pkj;
+    secp256k1_ge r;
+    unsigned char buf[32];
+    int overflow;
+    secp256k1_ge adaptorp;
+    secp256k1_xonly_pubkey noncepk;
+    secp256k1_gej fin_nonce_ptj;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pre_sig64 != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(pubkey != NULL);
+    ARG_CHECK(adaptor != NULL);
+    ARG_CHECK(nonce_parity == 0 || nonce_parity == 1);
+
+    if (!secp256k1_xonly_pubkey_parse(ctx, &noncepk, &pre_sig64[0])) {
+        return 0;
+    }
+    if (!secp256k1_xonly_pubkey_load(ctx, &r, &noncepk)) {
+        return 0;
+    }
+    if (!secp256k1_pubkey_load(ctx, &adaptorp, adaptor)) {
+        return 0;
+    }
+    if (!nonce_parity) {
+        secp256k1_ge_neg(&adaptorp, &adaptorp);
+    }
+    secp256k1_gej_set_ge(&fin_nonce_ptj, &adaptorp);
+    secp256k1_gej_add_ge_var(&fin_nonce_ptj, &fin_nonce_ptj, &r, NULL);
+    if (secp256k1_gej_is_infinity(&fin_nonce_ptj)) {
+        /* unreachable with overwhelming probability */
+        return 0;
+    }
+
+    secp256k1_scalar_set_b32(&s, &pre_sig64[32], &overflow);
+    if (overflow) {
+        return 0;
+    }
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
+        return 0;
+    }
+
+    /* Compute e. */
+    secp256k1_fe_get_b32(buf, &pk.x);
+    secp256k1_schnorrsig_challenge(&e, &pre_sig64[0], msg32, 32, buf);
+
+    /* Compute rj =  s*G + (-e)*pkj */
+    secp256k1_scalar_negate(&e, &e);
+    secp256k1_gej_set_ge(&pkj, &pk);
+    secp256k1_ecmult(&rj, &pkj, &e, &s);
+
+    /* secp256k1_ge_set_gej_var(&r, &rj); */
+    if (secp256k1_gej_is_infinity(&rj)) {
+        return 0;
+    }
+
+    secp256k1_gej_neg(&rj, &rj);
+    secp256k1_gej_add_var(&rj, &rj, &fin_nonce_ptj, NULL);
+    return secp256k1_gej_is_infinity(&rj);
+}
+
+int secp256k1_frost_adapt(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *pre_sig64, const unsigned char *sec_adaptor32, int nonce_parity) {
+    secp256k1_scalar s;
+    secp256k1_scalar t;
+    int overflow;
+    int ret = 1;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sig64 != NULL);
+    ARG_CHECK(pre_sig64 != NULL);
+    ARG_CHECK(sec_adaptor32 != NULL);
+    ARG_CHECK(nonce_parity == 0 || nonce_parity == 1);
+
+    secp256k1_scalar_set_b32(&s, &pre_sig64[32], &overflow);
+    if (overflow) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&t, sec_adaptor32, &overflow);
+    ret &= !overflow;
+
+    /* Determine if the secret adaptor should be negated.
+     *
+     * The frost_session stores the X-coordinate and the parity of the "final nonce"
+     * (r + t)*G, where r*G is the aggregate public nonce and t is the secret adaptor.
+     *
+     * Since a BIP340 signature requires an x-only public nonce, in the case where
+     * (r + t)*G has odd Y-coordinate (i.e. nonce_parity == 1), the x-only public nonce
+     * corresponding to the signature is actually (-r - t)*G. Thus adapting a
+     * pre-signature requires negating t in this case.
+     */
+    if (nonce_parity) {
+        secp256k1_scalar_negate(&t, &t);
+    }
+
+    secp256k1_scalar_add(&s, &s, &t);
+    secp256k1_scalar_get_b32(&sig64[32], &s);
+    memmove(sig64, pre_sig64, 32);
+    secp256k1_scalar_clear(&t);
+    return ret;
+}
+
+int secp256k1_frost_extract_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const unsigned char *pre_sig64, int nonce_parity) {
+    secp256k1_scalar t;
+    secp256k1_scalar s;
+    int overflow;
+    int ret = 1;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(sec_adaptor32 != NULL);
+    ARG_CHECK(sig64 != NULL);
+    ARG_CHECK(pre_sig64 != NULL);
+    ARG_CHECK(nonce_parity == 0 || nonce_parity == 1);
+
+    secp256k1_scalar_set_b32(&t, &sig64[32], &overflow);
+    ret &= !overflow;
+    secp256k1_scalar_negate(&t, &t);
+
+    secp256k1_scalar_set_b32(&s, &pre_sig64[32], &overflow);
+    if (overflow) {
+        return 0;
+    }
+    secp256k1_scalar_add(&t, &t, &s);
+
+    if (!nonce_parity) {
+        secp256k1_scalar_negate(&t, &t);
+    }
+    secp256k1_scalar_get_b32(sec_adaptor32, &t);
+    secp256k1_scalar_clear(&t);
+    return ret;
+}
+
+#endif
diff --git a/src/modules/frost/keygen.h b/src/modules/frost/keygen.h
@@ -19,6 +19,10 @@ typedef struct {
     int parity_acc;
 } secp256k1_tweak_cache_internal;
 
+static int secp256k1_tweak_cache_load(const secp256k1_context* ctx, secp256k1_tweak_cache_internal *cache_i, const secp256k1_frost_tweak_cache *cache);
+
 static int secp256k1_frost_share_load(const secp256k1_context* ctx, secp256k1_scalar *s, const secp256k1_frost_share* share);
 
+static int secp256k1_frost_compute_indexhash(secp256k1_scalar *indexhash, const unsigned char *id33);
+
 #endif
diff --git a/src/modules/frost/main_impl.h b/src/modules/frost/main_impl.h
@@ -9,5 +9,6 @@
 
 #include "keygen_impl.h"
 #include "session_impl.h"
+#include "adaptor_impl.h"
 
 #endif
diff --git a/src/modules/frost/session.h b/src/modules/frost/session.h
@@ -7,4 +7,19 @@
 #ifndef SECP256K1_MODULE_FROST_SESSION_H
 #define SECP256K1_MODULE_FROST_SESSION_H
 
+#include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_frost.h"
+
+#include "../../scalar.h"
+
+typedef struct {
+    int fin_nonce_parity;
+    unsigned char fin_nonce[32];
+    secp256k1_scalar noncecoef;
+    secp256k1_scalar challenge;
+    secp256k1_scalar s_part;
+} secp256k1_frost_session_internal;
+
+static int secp256k1_frost_session_load(const secp256k1_context* ctx, secp256k1_frost_session_internal *session_i, const secp256k1_frost_session *session);
+
 #endif
diff --git a/src/modules/frost/session_impl.h b/src/modules/frost/session_impl.h
