Add BIP-340 nonce function

Author: jonasnick

include/secp256k1.h

@@ -106,6 +106,23 @@ typedef int (*secp256k1_nonce_function)(
     unsigned int attempt
 );
 
+/** Same as secp256k1_nonce function with the exception of accepting an
+ *  additional pubkey argument. This can protect signature schemes with
+ *  key-prefixed challenge hash inputs against reusing the nonce when signing
+ *  with the wrong precomputed pubkey.
+ *
+ * In:  xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32 (will not be NULL)
+ */
+typedef int (*secp256k1_nonce_function_extended)(
+    unsigned char *nonce32,
+    const unsigned char *msg32,
+    const unsigned char *key32,
+    const unsigned char *xonly_pk32,
+    const unsigned char *algo16,
+    void *data,
+    unsigned int attempt
+);
+
 # if !defined(SECP256K1_GNUC_PREREQ)
 #  if defined(__GNUC__)&&defined(__GNUC_MINOR__)
 #   define SECP256K1_GNUC_PREREQ(_maj,_min) \
@@ -525,6 +542,22 @@ SECP256K1_API int secp256k1_ecdsa_signature_normalize(
  */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979;
 
+
+/** An implementation of the nonce generation function as defined in Bitcoin
+ *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
+ *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
+ *
+ * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
+ * auxiliary random data as defined in BIP-340. If the data pointer is NULL,
+ * schnorrsig_sign does not produce BIP-340 compliant signatures. The algo16
+ * argument must be non-NULL and the attempt argument must be 0, otherwise the
+ * function will fail and return 0. The hash will be tagged with the algo16
+ * argument, except if it is "BIP340/nonce0000" in which case the tag is
+ * "BIP340/nonce" (and the midstate is precomputed). This is used to create BIP
+ * 340 compliant signatures.
+ */
+SECP256K1_API extern const secp256k1_nonce_function_extended secp256k1_nonce_function_bip340;
+
 /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default;
 

src/secp256k1.c

@@ -434,6 +434,80 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off
     *offset += len;
 }
 
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("BIP340/nonce")||SHA256("BIP340/nonce"). */
+static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0xa96e75cbul;
+    sha->s[1] = 0x74f9f0acul;
+    sha->s[2] = 0xc49e3c98ul;
+    sha->s[3] = 0x202f99baul;
+    sha->s[4] = 0x8946a616ul;
+    sha->s[5] = 0x4accf415ul;
+    sha->s[6] = 0x86e335c3ul;
+    sha->s[7] = 0x48d0a072ul;
+
+    sha->bytes = 64;
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("BIP340/aux")||SHA256("BIP340/aux"). */
+static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x5d74a872ul;
+    sha->s[1] = 0xd57064d4ul;
+    sha->s[2] = 0x89495becul;
+    sha->s[3] = 0x910f46f5ul;
+    sha->s[4] = 0xcbc6fd3eul;
+    sha->s[5] = 0xaf05d9d0ul;
+    sha->s[6] = 0xcb781ce6ul;
+    sha->s[7] = 0x062930acul;
+
+    sha->bytes = 64;
+}
+
+static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data, unsigned int counter) {
+    secp256k1_sha256 sha;
+    unsigned char masked_key[32];
+    int i;
+
+    if (counter != 0) {
+        return 0;
+    }
+    if (algo16 == NULL) {
+        return 0;
+    }
+
+    if (data != NULL) {
+        secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha);
+        secp256k1_sha256_write(&sha, data, 32);
+        secp256k1_sha256_finalize(&sha, masked_key);
+        for (i = 0; i < 32; i++) {
+            masked_key[i] ^= key32[i];
+        }
+    }
+
+    /* Tag the hash with algo16 which is important to avoid nonce reuse across
+     * algorithms. If this nonce function is used in BIP-340 signing as defined
+     * in the spec, an optimized tagging implementation is used. */
+    if (memcmp(algo16, "BIP340/nonce0000", 16) == 0) {
+        secp256k1_nonce_function_bip340_sha256_tagged(&sha);
+    } else {
+        secp256k1_sha256_initialize_tagged(&sha, algo16, 16);
+    }
+
+    /* Hash (masked-)key||pk||msg using the tagged hash as per the spec */
+    if (data != NULL) {
+        secp256k1_sha256_write(&sha, masked_key, 32);
+    } else {
+        secp256k1_sha256_write(&sha, key32, 32);
+    }
+    secp256k1_sha256_write(&sha, xonly_pk32, 32);
+    secp256k1_sha256_write(&sha, msg32, 32);
+    secp256k1_sha256_finalize(&sha, nonce32);
+    return 1;
+}
+
 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
    unsigned char keydata[112];
    unsigned int offset = 0;
@@ -464,6 +538,7 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
    return 1;
 }
 
+const secp256k1_nonce_function_extended secp256k1_nonce_function_bip340 = nonce_function_bip340;
 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
 

src/testrand.h

@@ -32,6 +32,9 @@ static void secp256k1_rand256(unsigned char *b32);
 /** Generate a pseudorandom 32-byte array with long sequences of zero and one bits. */
 static void secp256k1_rand256_test(unsigned char *b32);
 
+/** Flip a single random bit in a byte array */
+static void secp256k1_rand_flip(unsigned char *b, size_t len);
+
 /** Generate pseudorandom bytes with long sequences of zero and one bits. */
 static void secp256k1_rand_bytes_test(unsigned char *bytes, size_t len);
 

src/testrand_impl.h

@@ -107,4 +107,8 @@ static void secp256k1_rand256_test(unsigned char *b32) {
     secp256k1_rand_bytes_test(b32, 32);
 }
 
+static void secp256k1_rand_flip(unsigned char *b, size_t len) {
+    b[secp256k1_rand_int(len)] ^= (1 << secp256k1_rand_int(8));
+}
+
 #endif /* SECP256K1_TESTRAND_IMPL_H */

src/tests.c

@@ -443,6 +443,98 @@ void run_sha256_tests(void) {
     }
 }
 
+/* Tests for the equality of two sha256 structs. This function only produces a
+ * correct result if an integer multiple of 64 many bytes have been written
+ * into the hash functions. */
+void test_sha256_eq(secp256k1_sha256 *sha1, secp256k1_sha256 *sha2) {
+    unsigned char buf[32] = { 0 };
+    unsigned char buf2[32];
+
+    /* Is buffer fully consumed? */
+    CHECK((sha1->bytes & 0x3F) == 0);
+
+    /* Compare the struct excluding the buffer, because it may be
+     * uninitialized or already included in the state. */
+    CHECK(sha1->bytes == sha2->bytes);
+    CHECK(memcmp(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
+
+    /* Compare the output */
+    secp256k1_sha256_write(sha1, buf, 32);
+    secp256k1_sha256_write(sha2, buf, 32);
+    secp256k1_sha256_finalize(sha1, buf);
+    secp256k1_sha256_finalize(sha2, buf2);
+    CHECK(memcmp(buf, buf2, 32) == 0);
+}
+
+/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
+ * bytes) changes the hash function
+ */
+void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
+    unsigned char nonces[2][32];
+    CHECK(nonce_function_bip340(nonces[0], args[0], args[1], args[2], args[3], args[4], 0) == 1);
+    secp256k1_rand_flip(args[n_flip], n_bytes);
+    CHECK(nonce_function_bip340(nonces[1], args[0], args[1], args[2], args[3], args[4], 0) == 1);
+    CHECK(memcmp(nonces[0], nonces[1], 32) != 0);
+}
+
+void run_nonce_function_bip340_tests(void) {
+    unsigned char tag[12] = "BIP340/nonce";
+    unsigned char aux_tag[10] = "BIP340/aux";
+    unsigned char algo16[16] = "BIP340/nonce0000";
+    secp256k1_sha256 sha;
+    secp256k1_sha256 sha_optimized;
+    unsigned char nonce[32];
+    unsigned char msg[32];
+    unsigned char key[32];
+    unsigned char pk[32];
+    unsigned char aux_rand[32];
+    unsigned char *args[5];
+
+    /* Check that hash initialized by
+     * secp256k1_nonce_function_bip340_sha256_tagged has the expected
+     * state. */
+    secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
+    secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
+    test_sha256_eq(&sha, &sha_optimized);
+
+   /* Check that hash initialized by
+    * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
+    * state. */
+    secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
+    secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
+    test_sha256_eq(&sha, &sha_optimized);
+
+    secp256k1_rand256(msg);
+    secp256k1_rand256(key);
+    secp256k1_rand256(pk);
+    secp256k1_rand256(aux_rand);
+
+    /* Check that a bitflip in an argument results in different nonces. */
+    args[0] = msg;
+    args[1] = key;
+    args[2] = pk;
+    args[3] = algo16;
+    args[4] = aux_rand;
+    nonce_function_bip340_bitflip(args, 0, 32);
+    nonce_function_bip340_bitflip(args, 1, 32);
+    nonce_function_bip340_bitflip(args, 2, 32);
+    /* Flip algo16 special case "BIP340/nonce0000" */
+    nonce_function_bip340_bitflip(args, 3, 16);
+    /* Flip algo16 again */
+    nonce_function_bip340_bitflip(args, 3, 16);
+    nonce_function_bip340_bitflip(args, 4, 32);
+
+   /* NULL algo16 is disallowed */
+    CHECK(nonce_function_bip340(nonce, msg, key, pk, NULL, NULL, 0) == 0);
+
+    /* NULL aux_rand argument is allowed. */
+    CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL, 0) == 1);
+
+    /* Check that counter != 0 makes nonce function fail. */
+    CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL, 0) == 1);
+    CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL, 1) == 0);
+}
+
 void run_hmac_sha256_tests(void) {
     static const char *keys[6] = {
         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",