Add schnorrsig module which implements BIP-340 compliant signatures #558

real-or-random merged 15 commits into bitcoin-core:master from
220012e to 547ad32
Replaced the chacha20 commit with a similar commit from secp256k1-zkp (BlockstreamResearch/secp256k1-zkp@c3794f9).

ACK except nit about

Maybe we should consider adopting an anti-covert-channel warden workflow as the standard interface for this function?
jimpo left a comment:

Nice! Such hype.
I skipped the tests, hoping to get back around to them.

@gmaxwell By anti-covert channel do you mean essentially sign-to-contracting random data? I would like this. One thing blocking it is that our nonce function does not take a secp context currently, which makes sign-to-contract unergonomic -- see in sighacker how the sign-to-contract context needs to contain a pointer to the secp context. I think we should fix that but it should probably be in another PR.
Thanks @jimpo. I added a commit that addresses your comments.

How does this relate to #212?

#212 is not secure against rogue-key attacks nor does it commit to the public key being signed for.

Oh I was not aware of this PR.

@real-or-random Thanks for the review. I added a commit to address your comments.

Added a test to increase the coverage of schnorrsig_sign. Now coverage in the schnorrsig module is 100% when excluding the lines that can't be hit. See https://htmlpreview.github.io/?https://raw.githubusercontent.com/jonasnick/secp256k1/schnorrsig-stats/coverage.src_modules_schnorrsig_main_impl.h.html
bd39a05 to f12dd1a

squashed and rebased on master
Added commit that will switch to little endian format when interpreting chacha20 output, replace chacha20 tests with test vectors from the RFC, add sipa's chacha20 test. |
real-or-random left a comment:
ACK f431b3f careful code review
I have a few minor comments in my notes but all of those can be addressed later.
b9c1a76 Squashed 'src/secp256k1/' changes from 2ed54da..8ab24e8 (Pieter Wuille)

Pull request description:

This updates our src/secp256k1 subtree to the latest libsecp256k1 upstream version. As it adds BIP340 support (see bitcoin-core/secp256k1#558), this is a prerequisite for #17977. In particular, it contains:

* A few generic library improvements
* Support for x-only public keys as used by BIP340.
* Support for "key pair" objects, making signing more efficient by using a precomputed public key.
* Signing support for BIP340 Schnorr (single-party) signatures.
* Verification support for BIP340 Schnorr signatures.
* Support for verifying tweaked x-only keys, as used by BIP341's Taproot construction.

Things that are not included:

* MuSig, nor any kind of multisignatures, threshold signatures, ... on top.
* Batch verification.
* Support for variable-length messages in BIP340 (which are still being discussed, but won't affect BIP341, or Bitcoin Core).
* A few more generic improvements that are still in the pipeline, including faster modular inversions.

ACKs for top commit:
instagibbs: ACK 894fb33
fanquake: ACK 894fb33. Any Valgrind concerns will be addressed upstream, see discussion in bitcoin-core/secp256k1#813, and if necessary, can be pulled into our tree prior to the 0.21.0 branch off. They are not a blocker for merging this PR in its current state.
benthecarman: ACK `894fb33`

Tree-SHA512: 6dc992f4477069b7fbd223316f1be955750923be1479c38adad2312649fdca1f316edb375c42ef9d97cea2407caaef49fb8c93abd6c037fe1a522910cbbc2479
Summary: This is required to declassify pointers to constant memory. Declassify should never modify its argument.
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@3e08b02
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7636

Summary: This is to prepare for xonly_pubkeys and keypairs.
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@47e6618
Test Plan: ninja check-secp256k1
And with the module on:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Subscribers: Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7638

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@4cd2ee4
Depends on D7638
Test Plan:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7639

Summary: This is in preparation for allowing code reuse by xonly tweak add functions.
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@176bfb1
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7640

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@910d9c2
Depends on D7639
Test Plan:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7641

Summary: This is in preparation for allowing code reuse by keypair functions.
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@f001034
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7642

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@5825446
Depends on D7641
Test Plan:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7643

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@6fcb5b8
Depends on D7643
Test Plan:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7644

Summary: This will be used by the schnorrsig module.
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@eabd9bc
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7645

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@7a703fd
Test Plan: ninja check-secp256k1
With missing extrakeys:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On
Check that we get an error.
And with the module:
cmake -GNinja .. -DSECP256K1_ENABLE_MODULE_EXTRAKEYS=On -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=On
ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7646

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@7332d2d
Depends on D7646
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7647

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@4e43520
Depends on D7647
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7648

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@8dfd53e
Depends on D7648
Test Plan: ninja bench-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7649

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@16ffa9d
Depends on D7649
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7650

Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#558 | PR558]]: bitcoin-core/secp256k1@f431b3f
Depends on D7650
Test Plan: ninja check-secp256k1
Reviewers: #bitcoin_abc, Fabien
Reviewed By: #bitcoin_abc, Fabien
Differential Revision: https://reviews.bitcoinabc.org/D7651
This PR implements signing, verification and batch verification as described in BIP-340 in an experimental module named `schnorrsig`. It includes the test vectors and a benchmarking tool. This PR also adds a module `extrakeys` that allows BIP-341-style key tweaking. (Adding ChaCha20 as a CSPRNG and batch verification was moved to PR #760.)

In order to enable the module run `./configure` with `--enable-experimental --enable-module-schnorrsig`. Based on apoelstra's work.
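To make concrete what the `schnorrsig` and `extrakeys` modules provide (x-only public keys, keypairs whose secret is normalised to an even-y public key, BIP-340 sign/verify, and the BIP-341-style tweak / tweak-check pair), and why it matters that the challenge hash commits to the public key (the property the #212 comparison above says that PR lacked), here is an added pure-Python walk-through. It is not code from this PR or from libsecp256k1; the function names (`keypair_create`, `schnorr_sign`, `schnorr_verify`, `xonly_tweak_add`, `xonly_tweak_add_check`, `keypair_tweak_add`) are hypothetical analogues chosen to mirror the module's concepts, not the library's actual API, and the demo inputs (secret key 3, all-zero message and aux randomness) are constructed to match the first BIP-340 test vector.

```python
"""BIP-340 signing/verification and BIP-341-style x-only key tweaking in pure
Python. Added illustration: not libsecp256k1's code; function names are
hypothetical analogues of the module's concepts, not the library's API."""
import hashlib

# secp256k1 constants: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def tagged_hash(tag, data):
    """SHA256(SHA256(tag) || SHA256(tag) || data), as in BIP-340."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def point_add(p1, p2):
    """Affine addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and y1 != y2:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(pt, k):
    """Double-and-add (NOT constant-time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """BIP-340 lift_x: the point with x-coordinate x and even y, or None."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq:
        return None  # x is not on the curve
    return x, y if y % 2 == 0 else P - y


def keypair_create(seckey32):
    """Keypair analogue: (d, xonly_pubkey32), d negated if d*G has odd y."""
    d0 = int.from_bytes(seckey32, "big")
    if not 1 <= d0 < N:
        raise ValueError("secret key out of range")
    pt = point_mul(G, d0)
    return (d0 if pt[1] % 2 == 0 else N - d0), pt[0].to_bytes(32, "big")


def schnorr_sign(msg32, seckey32, aux_rand32):
    """BIP-340 signing with the default synthetic-nonce derivation."""
    d, pk = keypair_create(seckey32)
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux_rand32), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + pk + msg32), "big") % N
    if k0 == 0:
        raise ValueError("zero nonce")
    r_pt = point_mul(G, k0)
    k = k0 if r_pt[1] % 2 == 0 else N - k0  # force even-y R
    r = r_pt[0].to_bytes(32, "big")
    # The challenge commits to the public key, so a signature is bound to P.
    e = int.from_bytes(tagged_hash("BIP0340/challenge", r + pk + msg32), "big") % N
    sig = r + ((k + e * d) % N).to_bytes(32, "big")
    assert schnorr_verify(msg32, pk, sig)  # self-check recommended by BIP-340
    return sig


def schnorr_verify(msg32, pk32, sig64):
    """Accept iff s*G - e*P has even y and x-coordinate r."""
    if len(msg32) != 32 or len(pk32) != 32 or len(sig64) != 64:
        return False
    pub = lift_x(int.from_bytes(pk32, "big"))
    r, s = int.from_bytes(sig64[:32], "big"), int.from_bytes(sig64[32:], "big")
    if pub is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig64[:32] + pk32 + msg32), "big") % N
    r_pt = point_add(point_mul(G, s), point_mul(pub, N - e))
    return r_pt is not None and r_pt[1] % 2 == 0 and r_pt[0] == r


def xonly_tweak_add(pk32, tweak32):
    """extrakeys-style tweak: Q = lift_x(P) + t*G -> (Q.x, parity of Q.y)."""
    pub, t = lift_x(int.from_bytes(pk32, "big")), int.from_bytes(tweak32, "big")
    if pub is None or t >= N:
        return None
    q = point_add(pub, point_mul(G, t))
    return None if q is None else (q[0].to_bytes(32, "big"), q[1] & 1)


def xonly_tweak_add_check(tweaked32, parity, pk32, tweak32):
    """Verifier-side BIP-341 key-path check: recompute Q and compare."""
    return xonly_tweak_add(pk32, tweak32) == (tweaked32, parity)


def keypair_tweak_add(seckey32, tweak32):
    """Signer-side counterpart: the secret for Q is (d + t) mod N."""
    d, _ = keypair_create(seckey32)
    return ((d + int.from_bytes(tweak32, "big")) % N).to_bytes(32, "big")
```

The curve arithmetic here is variable-time Python, which is exactly what the real module avoids with its constant-time field and group code; the point of the block is to read the protocol (parity normalisation, the `BIP0340/*` tagged hashes, and the tweak/check symmetry between signer and verifier), not to sign with real keys.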