Add MuSig Key Aggregation spec #120
Conversation
|
Just realized that this does not reflect the currently implemented key aggregation because I was looking at the wrong branch (master instead of secp256k1-zkp...). |
|
Fixed |
|
We may also want to consider how this relates to signature aggregation (H/T @roconnor-blockstream) |
|
My specific consideration was whether we want this key aggregation function to be use both for key aggregation and signature aggregation. If we want it to be usable for signature aggregation, I believe that will place some constraints on the answers to Jonas's question. |
|
If we want our Key Aggregation function to be compatible with multi-message signing (i.e. cross-input aggregation), then we want to allow the same public key to be able to aggregate their signatures on multiple (different) messages. This all but precludes hashing by key because each different signed message for the same public key will need a different musig coefficient. There needs to be an association between the unique musig coefficient and the message being signed. One way of making this association would be to put the signed message directly into the musig coefficient. However we would like to be able to compute the Key Aggregation before the messages are known. Therefore the association between the message and the musig coefficient needs be indirect. Using indexes is one natural way of building this indirection. Another way would be to create a guid and add guid × message pairs to the aggregate message, but that appears to have no advantages over using indexes. While hashing by key essentially forces unordered keys, hashing by index allows for the possibility of using an ordered set of pubkeys. Protocols wanting an unordered set of pubkeys, such as Bitcoin's multisig descriptor, can easily build upon an ordered api by sorting their keys. Indeed this is what the descriptor currently does. For the specific application of cross-input aggregation, if the ordered api is available, what we'd likely do is order the pubkey × message pairs by input and then by execution order within the input. If only an unordered api is available, then we would collect those pairs and sort them by pubkey, and then within each repeated set of pubkeys, sort the messages when created the aggregate message. It strikes me that being forced to use the unordered api is slightly more complex than going with the ordered api. OTOH, if the unsorted API handles all the work, maybe it isn't so bad. (Sorry, I've failed to come to a conclusion on the sorting question.) (self-aside: Because Simplicity doesn't have a consensus critical execution order, so I would probably end up sorting the pubkey × message pairs emitted by a Simplicity execution.) I haven't yet given any consideration to nested multi-message signing. I understand the jonas has an MBDL security proof sketch for the 1 optimization and tim has a security proof sketch for the OMDL + ROM. P.S. I hate little endian formats. Also isn't 32-bytes too much? P.P.S. indexes should be 0 based per Dijkstra. |
My mistake, should have been 4 bytes. Also changed spec and C code to encode index with MSB first. |
|
@jonasnick has explained to me in private that signature aggregation does not work the way I had imagined it to work. signature aggregation requires a (modified) Bellare-Neven signature, which is not the same thing as a Schnorr signature. (In particular jonas pointed out that the scheme I had in mind is broken.) Thus we can disregard my comments about signature aggregation. This puts hash-by-key back on the table as an option. IMHO it is an option we should seriously consider. |
|
What would be the advantage of hash-by-key? My understanding is that we need to serialize the whole multiset of public keys before hashing them to a MuSig coefficient and therefore have to assign an order anyway. |
|
As @roconnor-blockstream mentioned to me in a separate channel, there isn't really an advantage of hash-by-key besides perhaps being a little bit simpler. OTOH there isn't a disadvantage either. Since the input public keys are 32 byte arrays ("x-only"), |
|
Here's my take: Data structure that contains the public keys: ordered listThis could be a set, a multiset (as in the paper), or an ordered list. I think it should be an ordered list. Duplicate public keys allowed: yesI don't think there's any use case that strictly needs duplicate public keys when all involved peers are honest. But making duplicate public keys illegal is difficult in higher-level protocols, where an attacker simply copies the key: Say you run MuSig with random strangers of which you don't know their public keys in a higher-level protocol (e.g., in a CoinJoin-like protocol). Moreover say there's a honest peer with public key A, and there's a malicious peer who also claims to have public key A. If key aggregation with [A, A] is illegal, then the higher-level protocol must fail. In this case, you'd at least like to know who is to blame for the failure but this at least requires additional complexity to make it possible to tell apart which of the peers is malicious. You could also canonicalize the key aggregation to [A] then, effectively removing duplicates. But this again adds complexity. So we should allow for duplicate public keys. However, we don't really need to optimize for this case, I think. Canonical ordering/sorted: noUsers of the spec know best in what representation they want to deal with the public keys, so I believe we should not put any further restrictions. In particular, we shouldn't require that public keys are in some particular canonical ordering. I don't see how anyone would strictly need order-independence. If users really need this, they can always enforce this by sorting. I believe there are many cases where higher-level protocol already have some indexed list of peers, so it should possible to simply take that list and use it. Optimize first coefficient to be 1: yesWe should do this, simply because it's more efficient. Removing a scalar multiplication is just not a micro-optimization, it can be a real difference for embedded devices, in particular when the number n of peers is small. Of course, we need to double-check that the security proof still works out. Hashing the index instead of the public key: probably yesI don't think this makes much of a difference in terms of complexity. It makes a difference for duplicate public keys but I don't think we should optimize for this case (see above). So if a saves a compression, we should probably hash the index it. But this depends on how the hash is constructed exactly Additional argument for the hash: yes?Should we hash an additional byte string that can be chosen by the user? This would make it possible for instance to have a series of aggregate keys ~X that look unrelated to each other if you don't know the underlying list of public keys (by using a counter as the additional argument). Is this useful to avoid key reuse? I believe yes but I'm not entirely sure. Here we should also take into account possible extensions to threshold signing, where key setup is more difficult and there may be good reasons to avoid doing setup over and user. |
My thinking is that ideally, they wouldn't have to care about the representation at all. @apoelstra mentioned that wallet devs are in favor of sorting the public keys in a MuSig descriptor. Then why not sort in MuSig key aggregation directly? The argument would be that that's not flexible enough, has additional computational cost for callers who really don't need them signed or has a high penalty in terms of usability. In the meantime I have been working on an implementation of sorting inside key aggregation to explore these questions. It required a few refactorings but the meat of it happens at the beginning of If the I haven't fully repaired the tests yet, because the main problem is that the initial pubkey array can not be reused for other signers, because its order changed after the |
Indeed, that's my argument. I don't want to stop anyone from sorting the keys but as I as a spec writer I wouldn't want to force the decision upon users of the spec who may not need it.
Are you aware of https://en.wikipedia.org/wiki/Adaptive_sort ? |
|
I think that the fact that we anyway have indexed arrays in our API makes sorting somewhat pointless: The user sometimes needs to pass an index to identify a specific public key. In that sense, the user anyway needs to look at this as an indexed data structure. Since the indices are there anyway, sorting the keys internally won't make anything significantly simpler from the perspective of the user. (Even if we'd require the user to pass public keys instead of indices, the user probably needs to look these public keys up in an array, so that doesn't really help.) |
Alternatively, users can p2c-tweak their keys. The current API only supports doing that once which prevents adding an additional taproot commitment. |
|
After talking with @jonasnick I agree with @real-or-random that we should not try to sort the keys internally. It seemed like the simpler option but actually it makes the API a fair bit more complex, as well as (potentially) imposing a performance hit on users who don't want it. |
One way to fix this would be to sort the pubkey array back into the original order, but that would only work by requiring additional space even if no signin session is initiated. Instead, I pushed the following changes
|
jonasnick
force-pushed
the
musig-spec
branch
3 times, most recently
from
163508a to
36ec8e2
Compare
|
I pushed a commit to add an optimization where the second unique key in the pubkey list gets MuSig coefficient 1 as per the latest (unpublished) revision of the MuSig2 paper. To quickly summarize the changes:
It doesn't yet accept an additional argument like a counter to allow generating distinct keys from the same list of pubkeys as @real-or-random suggested. |
jonasnick
changed the title
|
This sounds good. What caught my eye on a first glimpse is that there are a few places where |
|
rebased |
|
Asan is complaining here |
| @@ -129,6 +131,7 @@ int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scrat | |||
| return 0; | |||
| } | |||
| if (!secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &pkj, NULL, secp256k1_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) { | |||
| /* The current implementation of ecmult_multi_var makes this code unreachable with tests. */ | |||
There was a problem hiding this comment.
If you want, you could try playing around with https://gcovr.com/en/stable/guide.html#exclusion-markers . (But this can be done later)
There was a problem hiding this comment.
let's do this later
|
Wait, the sorting function has disappeared. Is this intentional? |
|
@real-or-random oops...messed up the rebase |
This is done to be consistent with the MuSig2 paper
... instead of taking an array of pubkeys directly
Also add musig to build options output.
|
ACK fc26ca8 |
| memcpy(pk_ser_tmp[2], pk_ser[1], sizeof(pk_ser_tmp[2])); | ||
| memcpy(pk_ser_tmp[3], pk_ser[1], sizeof(pk_ser_tmp[3])); | ||
| has_second_pk = 1; | ||
| second_pk_idx = 3; |
There was a problem hiding this comment.
this should be 2?
I don't think this is the issue but my toy code is failing on this case (while the other 3 are ok)
There was a problem hiding this comment.
second_pk_idx = 2 and second_pk_idx = 3 are both correct since they both get keyagg coefficient = 1. But agree that it's better to use the first one encountered here (and perhaps add comment that second_pk_idx = 3 is equally valid).
| * Return ''bytes(S)''. | ||
|
|
||
| The algorithm ''HashKeys(pk<sub>1..u</sub>)'' is defined as: | ||
| * Return ''hash(pk<sub>1</sub> || pk<sub>2</sub> || ... || pk<sub>u</sub>)'' |
There was a problem hiding this comment.
May I know why this is not a tagged hash?
There was a problem hiding this comment.
The key agg coefficient should be domain separated since the outer hash is tagged. But since to the best of my knowledge domain separation isn't well defined, I'm leaning towards making this tagged. This would also prevent discussions like this in the future (and we're obviously already using a lot of tagged hashes). How about tag "KeyAgg list"?
There was a problem hiding this comment.
How about tag "KeyAgg list"?
Sounds good
5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec fc26ca8ddef musig: remove unnecessary constant time normalize in combine 48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add 5860b5e0fe7 musig: do not also require schnorrsig module config flag f27fd1d5e75 musig: improve test coverage of pubkey_combine 56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks 08fa02d5791 musig: add key aggregation spec draft 4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient 4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key 2310849f50f musig: compute musig coefficient by hashing key instead of index 9683c8a7eb6 musig: add static test vectors for key aggregation 9b3d7bf5361 extrakeys: add xonly_sort function f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC 6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950 cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind 7226cf215aa ecdsa_adaptor: fix too small buffer in tests b053e853d4f ecdsa_adaptor: fix test case with invalid signature 91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range 907633e2e9a sync-upstream: fix "end" parameter for specifying range 394f49fd1a6 sync-upstream: quote variables 1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier 9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier d27e4598610 Revert "Remove unused Jacobi symbol support" edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950 1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build c58c4ea4707 ci: Add ppc64le build 7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark 8f879c2887e Fix array size in bench_ecmult 2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark 593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks 50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686 a35fdd3478f ci: Run PRs on merge result even for i686 3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a63ad Merge ElementsProject#941: Clean up git tree 09b3bb8648f Clean up git tree bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI 202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method 0d9561ae879 add `secp256k1_ec_pubkey_cmp` method 22a9ea154a2 contrib: Explain explicit header guards 6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/' 14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir 45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a18e5 Add asm build to ARM32 CI 7d65ed52142 Add ARM32/ARM64 CI c8483520c90 Makefile.am: Don't pass a variable twice 2161f31785e Makefile.am: Honor config when building gen_context 99f47c20ec4 gen_context: Don't use external ASM because it complicates the build 98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build 7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199bed6 tests: fopen /dev/urandom in binary mode ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf81b5 Add mingw32-w64/wine CI build 0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context 07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h a3aa2628c7b gen_context: Don't include basic-config.h be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62 277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time 376ca366db0 Fix typo in explanation 1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module 5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc b0ffa923199 ecdsa_adaptor: add tests 6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const 6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl cc82ad5ab74 Make function argument name consistent with doc 4504472269d changed import to use brackets <> for openssl as they are not local to the project 26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality d8f336564fe ecdsa_adaptor: add nonce function and tags 654cd633f50 ecdsa_adaptor: initialize project 23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const 24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits 9164a1b6582 Optimization: special-case zero modulus limbs in modinv64 1f233b3fa05 Remove num/gmp support fac477f822a Merge ElementsProject#126: Upstream PRs ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901 20448b8d09a Remove unused Jacobi symbol support 5437e7bdfbf Remove unused scalar_sqr aa9cc521800 Improve field/scalar inverse tests 1e0e885c8ac Make field/scalar code use the new modinv modules for inverses 436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files 08d54964e51 Improve bounds checks in modinv modules 6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs 4091e619248 cirrus: increase timeout for macOS tasks 136ed8f84d9 sync-upstream: Fix output of command to reproduce 38f1e777d49 sync-upstream: Create proper links to upstream PRs 79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS 649bf201d85 musig: fix tests for 32-bit 151aac00d31 Add tests for modinv modules d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation 8e415acba25 Add safegcd based modular inverse modules de0a643c3dc Add secp256k1_ctz{32,64}_var functions d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901 4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements 9361f360bb0 ci: Select number of parallel make jobs depending on CI environment 28eccdf8064 ci: Split output of logs into multiple sections c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch b994a8be3cf ci: Print information about binaries using "file" f24e122d13d ci: Switch all Linux builds to Debian ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older 3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end 6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil 7d3497cdc4c ctime_test: move context randomization test to the end 99a1cfec174 print warnings for conditional-uninitialized 3d2cf6c5bd3 initialize variable in tests f329bba2442 build: Add workaround for automake 1.13 and older 24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI cc2a5451dc8 ci: Refactor Nix shell files 2480e55c8f3 ci: Remove support for Travis CI 2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS 8c02e465c5a ci: Add support for Cirrus CI 659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter. b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl. 5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs. db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values. 75d2ae149ef Remove unused secp256k1_fe_inv_all_var 482e4a9cfce Add missing secp256k1_ge_set_gej_var decl. 27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs 7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements 328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair 3c15130709d Improve CC_FOR_BUILD detection 47802a47624 Restructure and tidy configure.ac 252c19dfc65 Ask brew for valgrind include path 8c727b9087a Merge ElementsProject#860: fixed trivial typo cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config 96c83a83dcf Remove repeated schnorr flag from travis config d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind 41d6963bc1c rangeproof: clarify rewind outlen argument 673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module b7bc3a4aaa5 fixed typo 47efb5e39a1 ecdsa-s2c: add ctime tests 396b558273c ecdsa-s2c: add anti-klepto protocol 290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality 8e46cac5b31 ecdsa-s2c: block in module 826bd04b43f add eccommit functionality 33cb3c2b1fc Add secret key extraction from keypair to constant time tests 36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests fc96aa73f5c Add a function to extract the secretkey from a keypair 98dac878398 Merge ElementsProject#858: Fix insecure links 07aa4c70ffb Fix insecure links b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency 18aadf9d288 docs: fix simple typo, dependecy -> dependency 2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 6e85d675aaf Rename tweak to tweak32 in public API f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants f554dfc7088 sage: Reorganize files git-subtree-dir: src/secp256k1 git-subtree-split: 5d2df0541960554be5c0ba58d86e5fa479935000
90580edcc98 Merge pull request ElementsProject#140 from apoelstra/2021-07--resync 6ad66de6802 rangeproof: add an (unnecessary) variable initialization to shut up CI 2979e4d9d46 Merge commits '8ae56e33 75ce488c 4866178d 446d28d9 253f90cd ec3aaa50 0440945f 7688a4f1 be8d9c26 ' into temp-merge-965 5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec fc26ca8ddef musig: remove unnecessary constant time normalize in combine 48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add 5860b5e0fe7 musig: do not also require schnorrsig module config flag f27fd1d5e75 musig: improve test coverage of pubkey_combine 56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks 08fa02d5791 musig: add key aggregation spec draft 4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient 4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key 2310849f50f musig: compute musig coefficient by hashing key instead of index 9683c8a7eb6 musig: add static test vectors for key aggregation 9b3d7bf5361 extrakeys: add xonly_sort function f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort be8d9c262f4 Merge bitcoin-core/secp256k1#965: gen_context: Don't use any ASM d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC aeece445997 gen_context: Don't use any ASM 6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950 cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind 7226cf215aa ecdsa_adaptor: fix too small buffer in tests b053e853d4f ecdsa_adaptor: fix test case with invalid signature 91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range 907633e2e9a sync-upstream: fix "end" parameter for specifying range 394f49fd1a6 sync-upstream: quote variables 1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier 9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier 7688a4f13a3 Merge bitcoin-core/secp256k1#963: "Schnorrsig API overhaul" fixups 90e83449b2c ci: Add C++ test f698caaff6a Use unsigned char consistently for byte arrays b5b8e7b7190 Don't declare constants twice 769528f3071 Don't use string literals for char arrays without NUL termination 2cc3cfa5838 Fix -Wmissing-braces warning in clang 0440945fb5c Merge ElementsProject#844: schnorrsig API overhaul ec3aaa5014f Merge ElementsProject#960: tests_exhaustive: check the result of secp256k1_ecdsa_sign a1ee83c6546 tests_exhaustive: check the result of secp256k1_ecdsa_sign 253f90cdeb1 Merge bitcoin-core/secp256k1#951: configure: replace AC_PATH_PROG to AC_CHECK_PROG 446d28d9de3 Merge bitcoin-core/secp256k1#944: Various improvements related to CFLAGS 0302138f750 ci: Make compiler warning into errors on CI b924e1e605d build: Ensure that configure's compile checks default to -O2 7939cd571c7 build: List *CPPFLAGS before *CFLAGS like on the compiler command line 595e8a35d80 build: Enable -Wcast-align=strict warning 07256267ffa build: Use own variable SECP_CFLAGS instead of touching user CFLAGS 4866178dfc9 Merge bitcoin-core/secp256k1#955: Add random field multiply/square tests 75ce488c2a6 Merge bitcoin-core/secp256k1#959: tests: really test the non-var scalar inverse 41ed13942bd tests: really test the non-var scalar inverse 5f6ceafcfa4 schnorrsig: allow setting MSGLEN != 32 in benchmark fdd06b79671 schnorrsig: add tests for sign_custom and varlen msg verification d8d806aaf38 schnorrsig: add extra parameter struct for sign_custom a0c3fc177f7 schnorrsig: allow signing and verification of variable length msgs 5a8e4991ad4 Add secp256k1_tagged_sha256 as defined in BIP-340 b6c0b72fb06 schnorrsig: remove noncefp args from sign; add sign_custom function bdf19f105c6 Add random field multiply/square tests 8ae56e33e74 Merge ElementsProject#879: Avoid passing out-of-bound pointers to 0-size memcpy a4642fa15ee configure: replace AC_PATH_PROG to AC_CHECK_PROG d27e4598610 Revert "Remove unused Jacobi symbol support" edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950 1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build c58c4ea4707 ci: Add ppc64le build 7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark 8f879c2887e Fix array size in bench_ecmult 2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark 593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks 50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686 a35fdd3478f ci: Run PRs on merge result even for i686 442cee5bafb schnorrsig: add algolen argument to nonce_function_hardened df3bfa12c3b schnorrsig: clarify result of calling nonce_function_bip340 without data 99e8614812b README: mention schnorrsig module 3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a63ad Merge ElementsProject#941: Clean up git tree 09b3bb8648f Clean up git tree bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI 202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method 0d9561ae879 add `secp256k1_ec_pubkey_cmp` method 22a9ea154a2 contrib: Explain explicit header guards 6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/' 14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir 45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a18e5 Add asm build to ARM32 CI 7d65ed52142 Add ARM32/ARM64 CI c8483520c90 Makefile.am: Don't pass a variable twice 2161f31785e Makefile.am: Honor config when building gen_context 99f47c20ec4 gen_context: Don't use external ASM because it complicates the build 98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build 7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199bed6 tests: fopen /dev/urandom in binary mode ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf81b5 Add mingw32-w64/wine CI build 0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context 07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h a3aa2628c7b gen_context: Don't include basic-config.h be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62 277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time 376ca366db0 Fix typo in explanation 1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module 5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc b0ffa923199 ecdsa_adaptor: add tests 6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const 6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl cc82ad5ab74 Make function argument name consistent with doc 4504472269d changed import to use brackets <> for openssl as they are not local to the project 26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality d8f336564fe ecdsa_adaptor: add nonce function and tags 654cd633f50 ecdsa_adaptor: initialize project 23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const 24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits 9164a1b6582 Optimization: special-case zero modulus limbs in modinv64 1f233b3fa05 Remove num/gmp support fac477f822a Merge ElementsProject#126: Upstream PRs ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901 20448b8d09a Remove unused Jacobi symbol support 5437e7bdfbf Remove unused scalar_sqr aa9cc521800 Improve field/scalar inverse tests 1e0e885c8ac Make field/scalar code use the new modinv modules for inverses 436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files 08d54964e51 Improve bounds checks in modinv modules 6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs 4091e619248 cirrus: increase timeout for macOS tasks 136ed8f84d9 sync-upstream: Fix output of command to reproduce 38f1e777d49 sync-upstream: Create proper links to upstream PRs 79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS 649bf201d85 musig: fix tests for 32-bit 151aac00d31 Add tests for modinv modules d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation 8e415acba25 Add safegcd based modular inverse modules de0a643c3dc Add secp256k1_ctz{32,64}_var functions d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901 4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements 9361f360bb0 ci: Select number of parallel make jobs depending on CI environment 28eccdf8064 ci: Split output of logs into multiple sections c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch b994a8be3cf ci: Print information about binaries using "file" f24e122d13d ci: Switch all Linux builds to Debian ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older 3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end 6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil 7d3497cdc4c ctime_test: move context randomization test to the end 99a1cfec174 print warnings for conditional-uninitialized 3d2cf6c5bd3 initialize variable in tests f329bba2442 build: Add workaround for automake 1.13 and older 24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI cc2a5451dc8 ci: Refactor Nix shell files 2480e55c8f3 ci: Remove support for Travis CI 2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS 8c02e465c5a ci: Add support for Cirrus CI 659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter. b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl. 5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs. db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values. 9570f674cc7 Avoid passing out-of-bound pointers to 0-size memcpy 75d2ae149ef Remove unused secp256k1_fe_inv_all_var 482e4a9cfce Add missing secp256k1_ge_set_gej_var decl. 27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs 7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements 328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair 3c15130709d Improve CC_FOR_BUILD detection 47802a47624 Restructure and tidy configure.ac 252c19dfc65 Ask brew for valgrind include path 8c727b9087a Merge ElementsProject#860: fixed trivial typo cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config 96c83a83dcf Remove repeated schnorr flag from travis config d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind 41d6963bc1c rangeproof: clarify rewind outlen argument 673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module b7bc3a4aaa5 fixed typo 47efb5e39a1 ecdsa-s2c: add ctime tests 396b558273c ecdsa-s2c: add anti-klepto protocol 290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality 8e46cac5b31 ecdsa-s2c: block in module 826bd04b43f add eccommit functionality 33cb3c2b1fc Add secret key extraction from keypair to constant time tests 36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests fc96aa73f5c Add a function to extract the secretkey from a keypair 98dac878398 Merge ElementsProject#858: Fix insecure links 07aa4c70ffb Fix insecure links b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency 18aadf9d288 docs: fix simple typo, dependecy -> dependency 2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 6e85d675aaf Rename tweak to tweak32 in public API f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants f554dfc7088 sage: Reorganize files git-subtree-dir: src/secp256k1 git-subtree-split: 90580edcc98350c9df9bebee58d2f9616d801849
ac1e367 musig: turn off multiexponentiation for now (Jonas Nick) 3c79d97 ci: increase timeout for macOS tasks (Jonas Nick) 22c8881 musig: replace MuSig(1) with MuSig2 (Jonas Nick) Pull request description: The main commit comprises `905 insertions(+), 1253 deletions(-)`. The diff isn't as small as I had hoped, but that's mostly because it was possible to simplify the API quite substantially which required rewriting large parts. Sorry, almost all of the changes are in one big commit which makes the diff very hard to read. Perhaps best to re-review most parts from scratch. A few key changes: - Obviously no commitment round. No big session struct and no `verifier` sessions. No `signer` struct. - There's a new `secnonce` struct that is the output of musig_nonce_gen and derived from a uniformly random session_id32. The derivation can be strengthened by adding whatever session parameters (combined_pk, msg) are available. The nonce function is my ad-hoc construction that allows for these optional inputs. Please have a look at that. - The secnonce is made invalid after being used in partial_sign. - Adaptor signatures basically work as before, according to BlockstreamResearch/scriptless-scripts#24 (with the exception that they operate on aggregate instead of partial sigs) - To avoid making this PR overly complex I did not consider how this implementation interacts with nested-MuSig, sign-to-contract, and antiklepto. - Testing should be close to complete. There's no reachable line or branch that isn't exercised by the tests. - [x] ~In the current implementation when a signer sends an invalid nonce (i.e. some garbage that can't be mapped to a group element), it is ignored when combining nonces. Only after receiving the signers partial signature and running `partial_sig_verify` will we notice that the signer misbehaved. The reason for this is that 1) this makes the API simpler and 2) malicious peers don't gain any additional powers because they can always interrupt the protocol by refusing to sign. However, this is up for discussion.~ EDIT: this is not the case anymore since invalid nonces are rejected when they're parsed. - [x] ~For every partial signature we verify we have to parse the pubnonce (two compressed points), despite having parsed it in `process_nonces` already. This is not great. `process_nonces` could optionally output the array of parsed pubnonces.~ EDIT: fixed by having a dedicated type for nonces. - [x] ~I left `src/modules/musig/musig.md` unchanged for now. Perhaps we should merge it with the `musig-spec`~ EDIT: musig.md is updated - [x] partial verification should use multiexp to compute `R1 + b*R2 + c*P`, but this can be done in a separate PR - [x] renaming wishlist - pre_session -> keyagg_cache (because there is no session anymore) - pubkey_combine, nonce_combine, partial_sig_combine -> pubkey_agg, nonce_agg, partial_sig_agg (shorter, matches terminology in musig2) - musig_session_init -> musig_start (shorter, simpler) or [musig_generate_nonce](#131 (comment)) or musig_prepare - musig_partial_signature to musig_partial_sig (shorter) - [x] perhaps remove pubnonces and n_pubnonces argument from process_nonces (and then also add a opaque type for the combined nonce?) - [x] write the `combined_pubkey` into the `pre_session` struct (as suggested [below](#131 (comment)): then 1) session_init and process_nonces don't need a combined_pk argument (and there can't be mix up between tweaked and untweaked keys) and 2) pubkey_tweak doesn't need an input_pubkey and the output_pubkey can be written directly into the pre_session (reducing frustration such as Replace MuSig(1) module with MuSig2 #131 (comment)) - [x] perhaps allow adapting both partial sigs (`partial_sig` struct) and aggregate partial sigs (64 raw bytes) as suggested [below](#131 (comment)). Based on #120. ACKs for top commit: robot-dreams: ACK ac1e367 real-or-random: ACK ac1e367 Tree-SHA512: 916b42811aa5c00649cfb923d2002422c338106a6936a01253ba693015a242f21f7f7b4cce60d5ab5764a129926c6fd6676977c69c9e6e0aedc51b308ac6578d
This PR is for discussing the MuSig (Key Agg) specification. I started this by documenting what the code does currently.
In particular, the open design questions include:
right now it's least significant first(EDIT: changed that) but it's most significant for every other integer)?