wallet: Sign transactions containing MuSig2 inputs #31245

pull achow101 wants to merge 24 commits into bitcoin:master from achow101:musig2-signing changing 21 files +1398 −118
  1. achow101 commented at 6:12 pm on November 7, 2024: member

    Implements all of the signing logic for transactions containing MuSig2 inputs.

    Note that this is not actually usable as the session data for MuSig2 is not stored. That will require the PSBT fields from #29675

    Depends on #31242, #31243, and #31244

    Split from #29675

  2. desc spkm: Return SigningProvider only if we have the privkey 
    If we know about a pubkey that's in our descriptor, but we don't have
the private key, don't return a SigningProvider for that pubkey.

This is specifically an issue for Taproot outputs that use the H point
as the resulting PSBTs may end up containing irrelevant information
because the H point was detected as a pubkey each unrelated descriptor
knew about.
    aa2913fe1a
  3. wallet, rpc: Only allow keypool import from single key descriptors 
    Instead of relying on implicit assumptions about whether pubkeys show up
or now after expanding a descriptor, just explicitly allow only single
key descriptors to import keys into a legacy wallet's keypool.
    5065ad250a
  4. descriptors: Have GetPubKey fill origins directly 
    Instead of having ExpandHelper fill in the origins in the
FlatSigningProvider output, have GetPubKey do it by itself. This reduces
the extra variables needed in order to track and set origins in
ExpandHelper.

Also changes GetPubKey to return a std::optional<CPubKey> rather than
using a bool and output parameters.
    b2375ba54b
  5. descriptors: Move FlatSigningProvider pubkey filling to GetPubKey 
    Instead of MakeScripts inconsistently filling the output
FlatSigningProvider with the pubkeys involved, just do it in GetPubKey.
    563da2b909
  6. descriptors: Have GetPrivKey fill keys directly 
    Instead of GetPrivKey returning a key and having the caller fill the
FlatSigningProvider, have GetPrivKey take the FlatSigningProvider and
fill it by itself.

GetPrivKey is now changed to void as the caller no longer cares whether
it succeeds or fails.
    82fdbaeda2
  7. XOnlyPubKey: Add GetCPubKeys 
    We need to retrieve the even and odd compressed pubkeys for xonly
pubkeys, so add a function to do that. Also reuse it in GetKeyIDs.
    7db5e9b5f7
  8. spanparsing: Allow Const to not skip the found constant b2f8cc3270
  9. descriptors: Add PubkeyProvider::IsBIP32() bb0a83271f
  10. build: Enable secp256k1 musig module 256ed61f63
  11. sign: Add GetAggregateParticipantPubkeys to SigningProvider 994719869d
  12. Add MuSig2 Keyagg Cache class and functions 
    - MuSig2KeyAggCache contains a MuSig2KeyAggCacheImpl which has the
  secp256ke_musig_keyagg_cache object to avoid having to link libsecp256k1
  everywhere.
- GetMuSig2KeyAggCache creates the MuSig2KeyAggCache from a
  std::vector<CPubKey>
- GetCPubKeyFromMuSig2KeyAggCache creates a CPubKey from a cache created
  with GetMuSig2KeyAggCache
- MuSig2AggregatePubKeys does the two above functions together.
    cd22790ee0
  13. descriptor: Add MuSigPubkeyProvider 72836cc6ff
  14. descriptor: Parse musig() key expressions 71aac9edd5
  15. tests: Test musig() parsing c30d07c51f
  16. sign: Refactor Schnorr sighash computation out of CreateSchnorrSig 
    There will be other functions within MutableTransactionSignatureCreator
that need to compute the same sighash, so make it a separate member
function.
    93b2b66781
  17. pubkey: Return tweaks from BIP32 derivation 425489081b
  18. sign: Include taproot output key's KeyOriginInfo in sigdata bd94410996
  19. Add MuSig2SecNonce class for secure allocation of musig nonces 13f889a358
  20. signingprovider: Add musig2 secnonces 
    Adds GetMuSig2SecNonces which returns secp256k1_musig_secnonce*, and
DeleteMuSig2Session which removes the MuSig2 secnonce from wherever it
was retrieved. FlatSigningProvider stores it as a pointer to a map of
session id to secnonce so that deletion will actually delete from the
object that actually owns the secnonces.

The session id is just a unique identifier for the caller to determine
what secnonces have been created.
    b7a5ff7963
  21. sign: Add CreateMuSig2AggregateSig 1fb3fb8389
  22. sign: Add CreateMuSig2Nonce 357f4277c9
  23. sign: Add CreateMuSig2PartialSig 56b10a85af
  24. sign: Create MuSig2 signatures for known MuSig2 aggregate keys 
    When creating Taproot signatures, if the key being signed for is known
to be a MuSig2 aggregate key, do the MuSig2 signing algorithms.

First try to create the aggregate signature. This will fail if there are
not enough partial signatures or public nonces. If it does fail, try to
create a partial signature with all participant keys. This will fail for
those keys that we do not have the private keys for, and if there are
not enough public nonces. Lastly, if the partial signatures could be
created, add our own public nonces for the private keys that we know, if
they do not yet exist.
    9c43df13d0
  25. wallet: Keep secnonces in DescriptorScriptPubKeyMan 5a90774a85
  26. DrahtBot commented at 6:12 pm on November 7, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/31245.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

  27. DrahtBot added the label Wallet on Nov 7, 2024
  28. achow101 closed this on Nov 7, 2024


achow101 DrahtBot

Labels
Wallet

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-21 06:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me