Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ #590
pull jonasnick wants to merge 8 commits into bitcoin-core:master from jonasnick:schnorrsig-s2c-only-new-ans changing 16 files +2445 −7-
jonasnick commented at 1:35 pm on February 15, 2019: contributor
-
jonasnick cross-referenced this on Feb 15, 2019 from issue Allow sign-to-contract commitments in schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ by jonasnick
-
in include/secp256k1_schnorrsig.h:103 in ae5fb7f8f1 outdated
82+/** Create a randomness commitment on the host as part of the Anti Nonce Sidechannel Protocol. 83+ * 84+ * Returns 1 on success, 0 on failure. 85+ * Args: ctx: pointer to a context object (cannot be NULL) 86+ * Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL) 87+ * In: rand32: the 32-byte randomness to commit to (cannot be NULL)
real-or-random commented at 2:54 pm on February 15, 2019:Maybe it’s even better to make this function responsible for calling
secp256k1_rand256
to avoid that the user screws up when producing randomness.(But then the user can’t use his fancy hardware RNG… If we want to support that, then maybe there could also a callback to a randomness function, and if it’s NULL, then just call
lsecp256k1_rand256
. But in general, I don’t like the idea of the user providing randomness, unless really necessary.)real-or-random commented at 2:55 pm on February 15, 2019: contributorConcept ACKin include/secp256k1_schnorrsig.h:72 in ae5fb7f8f1 outdated
67+ * 1. The host draws the randomness, commits to it with the `anti_nonce_sidechan_host_commit` 68+ * function and sends the commitment to the client. 69+ * 2. The client commits to its sign-to-contract original nonce (which is the nonce without the 70+ * sign-to-contract tweak) using the hosts commitment by calling the 71+ * `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit` function. The client sends the 72+ * rusulting commitment to the host
benma commented at 9:59 am on June 11, 2019:rusulting -> resulting :)in include/secp256k1_schnorrsig.h:123 in ae5fb7f8f1 outdated
102+ * be NULL) 103+ * In: msg32: the 32-byte message hash to be signed (cannot be NULL) 104+ * seckey32: the 32-byte secret key used for signing (cannot be NULL) 105+ * rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL) 106+ */ 107+SECP256K1_API int secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(
benma commented at 11:25 am on June 11, 2019:To keep the api / interface smaller, the client could also call the sign function and get the commitment from the signature. Would there be any security downside in that (except for code readability?).
jonasnick commented at 8:51 pm on June 11, 2019:That doesn’t seem to work if I understand you correctly. The client needs the hosts randomness to produce the signature which it doesn’t get until it sends the commitment.
benma commented at 9:15 pm on June 11, 2019:I meant a first of two calls to the signing function, with the first one being a plain call with no host randomness, just to extract the client commitment (R = k*G
likesecp256k1_schnorrsig_anti_nonce_sidechan_client_commit
computes, but,R
can also be reconstructed from the sig).
jonasnick commented at 9:26 pm on June 11, 2019:If you callsign
twice your wasting a lot of time producing a signature that’s unnecessary?
benma commented at 9:36 pm on June 11, 2019::+1: I see.benma cross-referenced this on Jun 11, 2019 from issue ecdsa sign-to-contract module, with anti nonce covert chan util functions by benmain src/modules/schnorrsig/main_impl.h:87 in ae5fb7f8f1 outdated
82+ 83+ if (!secp256k1_nonce_function_bipschnorr(nonce32, msg32, seckey32, NULL, rand_commitment32, 0)) { 84+ return 0; 85+ } 86+ 87+ secp256k1_scalar_set_b32(&k, nonce32, NULL);
benma commented at 10:41 am on June 16, 2019:Is there an overflow check missing here?
real-or-random commented at 4:30 pm on June 16, 2019:No, the BIP draft intentionally does not check for overflow here. (It happens with negligible probability.)
benma commented at 4:35 pm on June 16, 2019::+1:jonasnick cross-referenced this on Jul 3, 2019 from issue Add anti nonce-sidechannel protocol to schnorrsigs by jonasnickjonasnick renamed this:
Add anti nonce-sidechannel protocol to schnorrsigs [alternative]
Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶
on Jul 3, 2019add chacha20 function 2f40e1ec2eAdd schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
[0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
Add ec_commitments which are essentially the pay-to-contract-style tweaks of public keys.
The functionality is not exposed.
Add and expose sign-to-contract opening with parse and serialize functions 854c1c495fAllow creating and verifying Schnorr sign-to-contract commitments 9037bcf5e8Add anti nonce sidechannel protocol for schnorrsigs f8f9337a49jonasnick commented at 10:40 pm on July 4, 2019: contributorThis thing needs a better name. Covert channel is a much better term for this than side channel. If no one comes up with something better I’ll go on withanti_covert_channel
.f add rationale to protocol doc ed4add7ec2jonasnick force-pushed on Jul 5, 2019jonasnick commented at 8:48 pm on July 5, 2019: contributorRebasedin src/modules/schnorrsig/main_impl.h:83 in ed4add7ec2 outdated
78+ ARG_CHECK(client_commit != NULL); 79+ ARG_CHECK(msg32 != NULL); 80+ ARG_CHECK(seckey32 != NULL); 81+ ARG_CHECK(rand_commitment32 != NULL); 82+ 83+ if (!secp256k1_nonce_function_bipschnorr(nonce32, msg32, seckey32, NULL, rand_commitment32, 0)) {
benma commented at 3:57 pm on July 18, 2019:~since
secp256k1_schnorrsig_sign
acceptsndata
ands2c_data32
and combines them as input to the nonce function, would it make sense that this client_commit function also gets anndata
param which is mixed in in the same way?~pls disregard ;) of course this is impossible here, as only the caller can do this with the preimage :see_no_evil:
f simplify setting a gej bdad1402f1in src/secp256k1.c:784 in ed4add7ec2 outdated
779+ } 780+ 781+ /* Return commitment == commitment_tmp */ 782+ secp256k1_gej_set_infinity(&pj); 783+ secp256k1_pubkey_load(ctx, &p, &commitment_tmp); 784+ secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL);
elichai commented at 3:15 am on July 28, 2019:You can usesecp256k1_gej_set_ge()
instead of setting to infinity and addinglandanhu cross-referenced this on Dec 29, 2019 from issue Problem: rust-secp256k1 fork diverged from upstream by landanhujonasnick cross-referenced this on Nov 2, 2020 from issue schnorrsig API overhaul by jonasnickreal-or-random referenced this in commit 0440945fb5 on Jul 3, 2021real-or-random cross-referenced this on Mar 24, 2022 from issue antiklepto / anti-exfil protocol for Schnorr sigs by benmajonasnick commented at 2:08 pm on March 24, 2022: contributorClosing this PR since it’s based on a closed sign-to-contract PR. Another attempt at adding an anti-nonce-sidechannel should have a close look at the same protocol for ECDSA in secp256k1-zkp which was inspired by this PR (https://github.com/ElementsProject/secp256k1-zkp/blob/master/include/secp256k1_ecdsa_s2c.h).jonasnick closed this on Mar 24, 2022
github-metadata-mirror
This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 05:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me