Merge #131: Replace MuSig(1) module with MuSig2

ac1e367 musig: turn off multiexponentiation for now (Jonas Nick)
3c79d97 ci: increase timeout for macOS tasks (Jonas Nick)
22c8881 musig: replace MuSig(1) with MuSig2 (Jonas Nick)

Pull request description:

  The main commit comprises `905 insertions(+), 1253 deletions(-)`. The diff isn't as small as I had hoped, but that's mostly because it was possible to simplify the API quite substantially which required rewriting large parts. Sorry, almost all of the changes are in one big commit which makes the diff very hard to read. Perhaps best to re-review most parts from scratch.

  A few key changes:

  - Obviously no commitment round. No big session struct and no `verifier` sessions. No `signer` struct.
  - There's a new `secnonce` struct that is the output of musig_nonce_gen and derived from a uniformly random session_id32. The derivation can be strengthened by adding whatever session parameters (combined_pk, msg) are available. The nonce function is my ad-hoc construction that allows for these optional inputs. Please have a look at that.
  - The secnonce is made invalid after being used in partial_sign.
  - Adaptor signatures basically work as before, according to BlockstreamResearch/scriptless-scripts#24 (with the exception that they operate on aggregate instead of partial sigs)
  - To avoid making this PR overly complex I did not consider how this implementation interacts with nested-MuSig, sign-to-contract, and antiklepto.
  - Testing should be close to complete. There's no reachable line or branch that isn't exercised by the tests.
  - [x] ~In the current implementation when a signer sends an invalid nonce (i.e. some garbage that can't be mapped to a group element), it is ignored when combining nonces. Only after receiving the signers partial signature and running `partial_sig_verify` will we notice that the signer misbehaved. The reason for this is that 1) this makes the API simpler and 2) malicious peers don't gain any additional powers because they can always interrupt the protocol by refusing to sign. However, this is up for discussion.~ EDIT: this is not the case anymore since invalid nonces are rejected when they're parsed.
  - [x] ~For every partial signature we verify we have to parse the pubnonce (two compressed points), despite having parsed it in `process_nonces` already. This is not great. `process_nonces` could optionally output the array of parsed pubnonces.~ EDIT: fixed by having a dedicated type for nonces.
  - [x] ~I left `src/modules/musig/musig.md` unchanged for now. Perhaps we should merge it with the `musig-spec`~ EDIT: musig.md is updated
  - [x] partial verification should use multiexp to compute `R1 + b*R2 + c*P`, but this can be done in a separate PR
  - [x] renaming wishlist
      - pre_session -> keyagg_cache (because there is no session anymore)
      - pubkey_combine, nonce_combine, partial_sig_combine -> pubkey_agg, nonce_agg, partial_sig_agg (shorter, matches terminology in musig2)
      - musig_session_init -> musig_start (shorter, simpler) or [musig_generate_nonce](#131 (comment)) or musig_prepare
      - musig_partial_signature to musig_partial_sig (shorter)
  - [x] perhaps remove pubnonces and n_pubnonces argument from process_nonces (and then also add a opaque type for the combined nonce?)
  - [x] write the `combined_pubkey` into the `pre_session` struct (as suggested [below](#131 (comment)): then 1) session_init and process_nonces don't need a combined_pk argument (and there can't be mix up between tweaked and untweaked keys) and 2) pubkey_tweak doesn't need an input_pubkey and the output_pubkey can be written directly into the pre_session (reducing frustration such as Replace MuSig(1) module with MuSig2 #131 (comment))
  - [x] perhaps allow adapting both partial sigs (`partial_sig` struct) and aggregate partial sigs (64 raw bytes) as suggested [below](#131 (comment)).

  Based on #120.

ACKs for top commit:
  robot-dreams:
    ACK ac1e367
  real-or-random:
    ACK ac1e367

Tree-SHA512: 916b42811aa5c00649cfb923d2002422c338106a6936a01253ba693015a242f21f7f7b4cce60d5ab5764a129926c6fd6676977c69c9e6e0aedc51b308ac6578d

.cirrus.yml

@@ -119,8 +119,8 @@ task:
   name: "x86_64: macOS Catalina"
   macos_instance:
     image: catalina-base
-  # As of d4ca81f48e tasks with valgrind enabled take about 60 minutes
-  timeout_in: 90m
+  # tasks with valgrind enabled take about 90 minutes
+  timeout_in: 120m
   env:
     HOMEBREW_NO_AUTO_UPDATE: 1
     HOMEBREW_NO_INSTALL_CLEANUP: 1

.gitignore

@@ -64,3 +64,5 @@ build-aux/test-driver
 src/stamp-h1
 libsecp256k1.pc
 contrib/gh-pr-create.sh
+
+example_musig

Makefile.am

@@ -129,6 +129,15 @@ exhaustive_tests_LDFLAGS = -static
 TESTS += exhaustive_tests
 endif
 
+if ENABLE_MODULE_MUSIG
+noinst_PROGRAMS += example_musig
+example_musig_SOURCES = examples/musig.c
+example_musig_CPPFLAGS = -I$(top_srcdir)/include
+example_musig_LDADD = libsecp256k1.la
+example_musig_LDFLAGS = -static
+TESTS += example_musig
+endif
+
 EXTRA_PROGRAMS = gen_ecmult_static_pre_g
 gen_ecmult_static_pre_g_SOURCES = src/gen_ecmult_static_pre_g.c
 # See Automake manual, Section "Errors with distclean"

examples/musig.c

@@ -0,0 +1,178 @@
+/***********************************************************************
+ * Copyright (c) 2018 Jonas Nick                                       *
+ * Distributed under the MIT software license, see the accompanying    *
+ * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+/**
+ * This file demonstrates how to use the MuSig module to create a multisignature.
+ * Additionally, see the documentation in include/secp256k1_musig.h.
+ */
+
+#include <stdio.h>
+#include <assert.h>
+#include <secp256k1.h>
+#include <secp256k1_schnorrsig.h>
+#include <secp256k1_musig.h>
+
+struct signer_secrets {
+    secp256k1_keypair keypair;
+    secp256k1_musig_secnonce secnonce;
+};
+
+struct signer {
+    secp256k1_xonly_pubkey pubkey;
+    secp256k1_musig_pubnonce pubnonce;
+    secp256k1_musig_partial_sig partial_sig;
+};
+
+ /* Number of public keys involved in creating the aggregate signature */
+#define N_SIGNERS 3
+/* Create a key pair, store it in signer_secrets->keypair and signer->pubkey */
+int create_keypair(const secp256k1_context* ctx, struct signer_secrets *signer_secrets, struct signer *signer) {
+    unsigned char seckey[32];
+    FILE *frand = fopen("/dev/urandom", "r");
+    if (frand == NULL) {
+        return 0;
+    }
+    do {
+        if(!fread(seckey, sizeof(seckey), 1, frand)) {
+             fclose(frand);
+             return 0;
+         }
+    /* The probability that this not a valid secret key is approximately 2^-128 */
+    } while (!secp256k1_ec_seckey_verify(ctx, seckey));
+    fclose(frand);
+    if (!secp256k1_keypair_create(ctx, &signer_secrets->keypair, seckey)) {
+        return 0;
+    }
+    if (!secp256k1_keypair_xonly_pub(ctx, &signer->pubkey, NULL, &signer_secrets->keypair)) {
+        return 0;
+    }
+    return 1;
+}
+
+/* Sign a message hash with the given key pairs and store the result in sig */
+int sign(const secp256k1_context* ctx, struct signer_secrets *signer_secrets, struct signer *signer, const unsigned char* msg32, unsigned char *sig64) {
+    int i;
+    const secp256k1_xonly_pubkey *pubkeys[N_SIGNERS];
+    const secp256k1_musig_pubnonce *pubnonces[N_SIGNERS];
+    const secp256k1_musig_partial_sig *partial_sigs[N_SIGNERS];
+    /* The same for all signers */
+    secp256k1_musig_keyagg_cache cache;
+    secp256k1_musig_session session;
+
+    for (i = 0; i < N_SIGNERS; i++) {
+        FILE *frand;
+        unsigned char seckey[32];
+        unsigned char session_id[32];
+        /* Create random session ID. It is absolutely necessary that the session ID
+         * is unique for every call of secp256k1_musig_nonce_gen. Otherwise
+         * it's trivial for an attacker to extract the secret key! */
+        frand = fopen("/dev/urandom", "r");
+        if(frand == NULL) {
+            return 0;
+        }
+        if (!fread(session_id, 32, 1, frand)) {
+            fclose(frand);
+            return 0;
+        }
+        fclose(frand);
+        if (!secp256k1_keypair_sec(ctx, seckey, &signer_secrets[i].keypair)) {
+            return 0;
+        }
+        /* Initialize session and create secret nonce for signing and public
+         * nonce to send to the other signers. */
+        if (!secp256k1_musig_nonce_gen(ctx, &signer_secrets[i].secnonce, &signer[i].pubnonce, session_id, seckey, msg32, NULL, NULL)) {
+            return 0;
+        }
+        pubkeys[i] = &signer[i].pubkey;
+        pubnonces[i] = &signer[i].pubnonce;
+    }
+    /* Communication round 1: A production system would exchange public nonces
+     * here before moving on. */
+    for (i = 0; i < N_SIGNERS; i++) {
+        secp256k1_musig_aggnonce agg_pubnonce;
+
+        /* Create aggregate pubkey, aggregate nonce and initialize signer data */
+        if (!secp256k1_musig_pubkey_agg(ctx, NULL, NULL, &cache, pubkeys, N_SIGNERS)) {
+            return 0;
+        }
+        if (!secp256k1_musig_nonce_agg(ctx, &agg_pubnonce, pubnonces, N_SIGNERS)) {
+            return 0;
+        }
+        if (!secp256k1_musig_nonce_process(ctx, &session, &agg_pubnonce, msg32, &cache, NULL)) {
+            return 0;
+        }
+        /* partial_sign will clear the secnonce by setting it to 0. That's because
+         * you must _never_ reuse the secnonce (or use the same session_id to
+         * create a secnonce). If you do, you effectively reuse the nonce and
+         * leak the secret key. */
+        if (!secp256k1_musig_partial_sign(ctx, &signer[i].partial_sig, &signer_secrets[i].secnonce, &signer_secrets[i].keypair, &cache, &session)) {
+            return 0;
+        }
+        partial_sigs[i] = &signer[i].partial_sig;
+    }
+    /* Communication round 2: A production system would exchange
+     * partial signatures here before moving on. */
+    for (i = 0; i < N_SIGNERS; i++) {
+        /* To check whether signing was successful, it suffices to either verify
+         * the aggregate signature with the aggregate public key using
+         * secp256k1_schnorrsig_verify, or verify all partial signatures of all
+         * signers individually. Verifying the aggregate signature is cheaper but
+         * verifying the individual partial signatures has the advantage that it
+         * can be used to determine which of the partial signatures are invalid
+         * (if any), i.e., which of the partial signatures cause the aggregate
+         * signature to be invalid and thus the protocol run to fail. It's also
+         * fine to first verify the aggregate sig, and only verify the individual
+         * sigs if it does not work.
+         */
+        if (!secp256k1_musig_partial_sig_verify(ctx, &signer[i].partial_sig, &signer[i].pubnonce, &signer[i].pubkey, &cache, &session)) {
+            return 0;
+        }
+    }
+    return secp256k1_musig_partial_sig_agg(ctx, sig64, &session, partial_sigs, N_SIGNERS);
+}
+
+ int main(void) {
+    secp256k1_context* ctx;
+    int i;
+    struct signer_secrets signer_secrets[N_SIGNERS];
+    struct signer signers[N_SIGNERS];
+    const secp256k1_xonly_pubkey *pubkeys_ptr[N_SIGNERS];
+    secp256k1_xonly_pubkey agg_pk;
+    unsigned char msg[32] = "this_could_be_the_hash_of_a_msg!";
+    unsigned char sig[64];
+
+    /* Create a context for signing and verification */
+    ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+    printf("Creating key pairs......");
+    for (i = 0; i < N_SIGNERS; i++) {
+        if (!create_keypair(ctx, &signer_secrets[i], &signers[i])) {
+            printf("FAILED\n");
+            return 1;
+        }
+        pubkeys_ptr[i] = &signers[i].pubkey;
+    }
+    printf("ok\n");
+    printf("Combining public keys...");
+    if (!secp256k1_musig_pubkey_agg(ctx, NULL, &agg_pk, NULL, pubkeys_ptr, N_SIGNERS)) {
+        printf("FAILED\n");
+        return 1;
+    }
+    printf("ok\n");
+    printf("Signing message.........");
+    if (!sign(ctx, signer_secrets, signers, msg, sig)) {
+        printf("FAILED\n");
+        return 1;
+    }
+    printf("ok\n");
+    printf("Verifying signature.....");
+    if (!secp256k1_schnorrsig_verify(ctx, sig, msg, 32, &agg_pk)) {
+        printf("FAILED\n");
+        return 1;
+    }
+    printf("ok\n");
+    secp256k1_context_destroy(ctx);
+    return 0;
+}