Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ #590

Closed

Conversation

jonasnick
Copy link
Contributor

@jonasnick jonasnick commented Feb 15, 2019

This is an alternative to #572 based on #589 (EDIT: this seems to be generally preferred now). It's a demonstration that the anti nonce-sidechannel protocol can be build just as well on #589 as on #588.

Copy link
Contributor

@real-or-random real-or-random left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concept ACK

* Returns 1 on success, 0 on failure.
* Args: ctx: pointer to a context object (cannot be NULL)
* Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
* In: rand32: the 32-byte randomness to commit to (cannot be NULL)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's even better to make this function responsible for calling secp256k1_rand256 to avoid that the user screws up when producing randomness.

(But then the user can't use his fancy hardware RNG... If we want to support that, then maybe there could also a callback to a randomness function, and if it's NULL, then just call lsecp256k1_rand256. But in general, I don't like the idea of the user providing randomness, unless really necessary.)

* 2. The client commits to its sign-to-contract original nonce (which is the nonce without the
* sign-to-contract tweak) using the hosts commitment by calling the
* `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit` function. The client sends the
* rusulting commitment to the host
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rusulting -> resulting :)

@jonasnick jonasnick changed the title Add anti nonce-sidechannel protocol to schnorrsigs [alternative] Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ Jul 3, 2019
@jonasnick
Copy link
Contributor Author

This thing needs a better name. Covert channel is a much better term for this than side channel. If no one comes up with something better I'll go on with anti_covert_channel.

@jonasnick jonasnick force-pushed the schnorrsig-s2c-only-new-ans branch from ae5fb7f to ed4add7 Compare July 5, 2019 20:47
@jonasnick
Copy link
Contributor Author

Rebased

/* Return commitment == commitment_tmp */
secp256k1_gej_set_infinity(&pj);
secp256k1_pubkey_load(ctx, &p, &commitment_tmp);
secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use secp256k1_gej_set_ge() instead of setting to infinity and adding

@jonasnick jonasnick mentioned this pull request Nov 2, 2020
real-or-random added a commit that referenced this pull request Jul 3, 2021
5f6ceaf schnorrsig: allow setting MSGLEN != 32 in benchmark (Jonas Nick)
fdd06b7 schnorrsig: add tests for sign_custom and varlen msg verification (Jonas Nick)
d8d806a schnorrsig: add extra parameter struct for sign_custom (Jonas Nick)
a0c3fc1 schnorrsig: allow signing and verification of variable length msgs (Jonas Nick)
5a8e499 Add secp256k1_tagged_sha256 as defined in BIP-340 (Jonas Nick)
b6c0b72 schnorrsig: remove noncefp args from sign; add sign_custom function (Jonas Nick)
442cee5 schnorrsig: add algolen argument to nonce_function_hardened (Jonas Nick)
df3bfa1 schnorrsig: clarify result of calling nonce_function_bip340 without data (Jonas Nick)
99e8614 README: mention schnorrsig module (Jonas Nick)

Pull request description:

  This is a work in progress because I wanted to put this up for discussion before writing tests. It addresses the TODOs that didn't make it in the schnorrsig PR and changes the APIs of `schnorrsig_sign`, `schnorrsig_verify` and `hardened_nonce_function`.

  - Ideally, the new `aux_rand32` argument for `sign` would be const, but didn't find a solution I was happy with.
  - Support for variable length message signing and verification supports the [suggested BIP amendment](sipa/bips#207 (comment)) for such messages.
  - ~~`sign_custom` with its opaque config object allows adding more arguments later without having to change the API again. Perhaps there are other sensible customization options, but I'm thinking of [sign-to-contract/covert-channel](#590) in particular. It would require adding the fields `unsigned char *s2c_data32` and `secp256k1_s2c_opening *s2c_opening` to the config struct. The former is the data to commit to and the latter is written to by `sign_custom`.~~ (EDIT: see below)

ACKs for top commit:
  ariard:
    utACK 5f6ceaf
  LLFourn:
    utACK 5f6ceaf

Tree-SHA512: cf1716dddf4f29bcacf542ed22622a817d0ec9c20d0592333cb7e6105902c77d819952e776b9407fae1333cbd03d63fded492d3a5df7769dcc5b450d91bb4761
@jonasnick
Copy link
Contributor Author

Closing this PR since it's based on a closed sign-to-contract PR. Another attempt at adding an anti-nonce-sidechannel should have a close look at the same protocol for ECDSA in secp256k1-zkp which was inspired by this PR (https://github.com/ElementsProject/secp256k1-zkp/blob/master/include/secp256k1_ecdsa_s2c.h).

@jonasnick jonasnick closed this Mar 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants