Merge pull request #224 from LLFourn/bip340-domain-separation

Implement BIP340 domain separation and simplify Message/Signature types

Author: nickfarrow

CHANGELOG.md

@@ -10,6 +10,10 @@
   - `hash_to_curve` - Simple try-and-increment with uniform distribution (recommended)
   - `hash_to_curve_sswu` - RFC 9380 compliant constant-time hashing
   - `hash_to_curve_rfc9381_tai` - RFC 9381 VRF try-and-increment format
+- Add `Message::new` for BIP340-compliant domain separation using 33-byte padded prefix
+- Deprecate `Message::plain` which uses non-standard 64-byte prefix
+- Remove type parameters from `Message` and `Signature` types (always public now)
+- Remove unused `Slice` type from secp256kfun
 
 ## v0.11.0
 
@@ -21,7 +25,6 @@
 - Add `Hash32` trait to collect all the useful hash traits we use all over the place
 - Add our own take on [chill-dkg](ttps://github.com/BlockstreamResearch/bip-frost-dkg/tree/master) WIP BIP
 
-
 ## v0.10.0
 
 - Change `Scalar::from_bytes` to work for `Scalar<_, NonZero>` as well.
@@ -67,7 +70,6 @@
 - Change the `from_bytes` type commands to not assume secrecy in `Scalar` and `Point`.
 - Update to rust-secp256k1 v0.25.0
 
-
 ## 0.7.1
 
 - Fix critical bug in MuSig2 implementation where multiple tweaks would break it
@@ -88,4 +90,3 @@
 ## 0.6.1
 
 - Fix serialization of `Point<EvenY>`
-

schnorr_fun/README.md

@@ -39,7 +39,7 @@ let schnorr = Schnorr::<Sha256, _>::new(nonce_gen.clone());
 // Generate your public/private key-pair
 let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
 // Sign a variable length message
-let message = Message::<Public>::plain("the-times-of-london", b"Chancellor on brink of second bailout for banks");
+let message = Message::new("the-times-of-london", b"Chancellor on brink of second bailout for banks");
 // Sign the message with our keypair
 let signature = schnorr.sign(&keypair, message);
 // Get the verifier's key

schnorr_fun/benches/bench_schnorr.rs

@@ -20,7 +20,7 @@ fn sign_schnorr(c: &mut Criterion) {
     {
         let keypair = schnorr.new_keypair(*SK);
         group.bench_function("fun::schnorr_sign", |b| {
-            b.iter(|| schnorr.sign(&keypair, Message::<Public>::raw(MESSAGE)))
+            b.iter(|| schnorr.sign(&keypair, Message::raw(MESSAGE)))
         });
     }
 
@@ -40,19 +40,14 @@ fn verify_schnorr(c: &mut Criterion) {
     let mut group = c.benchmark_group("schnorr_verify");
     let keypair = schnorr.new_keypair(*SK);
     {
-        let message = Message::<Public>::raw(MESSAGE);
+        let message = Message::raw(MESSAGE);
         let sig = schnorr.sign(&keypair, message);
         let verification_key = &keypair.public_key();
         group.bench_function("fun::schnorr_verify", |b| {
             b.iter(|| schnorr.verify(verification_key, message, &sig))
         });
 
-        {
-            let sig = sig.set_secrecy::<Secret>();
-            group.bench_function("fun::schnorr_verify_ct", |b| {
-                b.iter(|| schnorr.verify(verification_key, message, &sig))
-            });
-        }
+        // Constant-time verification is no longer supported after removing type parameters
     }
 
     {

schnorr_fun/src/adaptor/encrypted_signature.rs

@@ -47,11 +47,8 @@ mod test {
         let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
         let kp = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
         let encryption_key = Point::random(&mut rand::thread_rng());
-        let encrypted_signature = schnorr.encrypted_sign(
-            &kp,
-            &encryption_key,
-            Message::<Public>::plain("test", b"foo"),
-        );
+        let encrypted_signature =
+            schnorr.encrypted_sign(&kp, &encryption_key, Message::new("test", b"foo"));
         let serialized = bincode::encode_to_vec(
             bincode::serde::Compat(&encrypted_signature),
             bincode::config::standard(),

schnorr_fun/src/adaptor/mod.rs

@@ -23,7 +23,7 @@
 //! let verification_key = signing_keypair.public_key();
 //! let decryption_key = Scalar::random(&mut rand::thread_rng());
 //! let encryption_key = schnorr.encryption_key_for(&decryption_key);
-//! let message = Message::<Public>::plain("text-bitcoin", b"send 1 BTC to Bob");
+//! let message = Message::new("text-bitcoin", b"send 1 BTC to Bob");
 //!
 //! // Alice knows: signing_keypair, encryption_key
 //! // Bob knows: decryption_key, verification_key
@@ -68,7 +68,7 @@ pub trait EncryptedSign {
         &self,
         signing_keypair: &KeyPair<EvenY>,
         encryption_key: &Point<Normal, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
     ) -> EncryptedSignature;
 }
 
@@ -81,7 +81,7 @@ where
         &self,
         signing_key: &KeyPair<EvenY>,
         encryption_key: &Point<Normal, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
     ) -> EncryptedSignature {
         let (x, X) = signing_key.as_tuple();
         let Y = encryption_key;
@@ -139,7 +139,7 @@ pub trait Adaptor {
         &self,
         verification_key: &Point<EvenY, impl Secrecy>,
         encryption_key: &Point<impl PointType, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
     ) -> bool;
 
@@ -179,7 +179,7 @@ pub trait Adaptor {
         &self,
         encryption_key: &Point<impl Normalized, impl Secrecy>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
-        signature: &Signature<impl Secrecy>,
+        signature: &Signature,
     ) -> Option<Scalar>;
 }
 
@@ -195,7 +195,7 @@ where
         &self,
         verification_key: &Point<EvenY, impl Secrecy>,
         encryption_key: &Point<impl PointType, impl Secrecy>,
-        message: Message<'_, impl Secrecy>,
+        message: Message<'_>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
     ) -> bool {
         let EncryptedSignature {
@@ -236,7 +236,7 @@ where
         &self,
         encryption_key: &Point<impl PointType, impl Secrecy>,
         encrypted_signature: &EncryptedSignature<impl Secrecy>,
-        signature: &Signature<impl Secrecy>,
+        signature: &Signature,
     ) -> Option<Scalar> {
         if signature.R != encrypted_signature.R {
             return None;
@@ -298,7 +298,7 @@ mod test {
         let signing_keypair = schnorr.new_keypair(secret_key);
         let verification_key = signing_keypair.public_key();
         let encryption_key = schnorr.encryption_key_for(&decryption_key);
-        let message = Message::<Public>::plain("test", b"give 100 coins to Bob".as_ref());
+        let message = Message::new("test", b"give 100 coins to Bob".as_ref());
 
         let encrypted_signature =
             schnorr.encrypted_sign(&signing_keypair, &encryption_key, message);

schnorr_fun/src/frost/chilldkg.rs

@@ -101,7 +101,7 @@ pub mod simplepedpop {
             let secret_poly = poly::scalar::generate(threshold as usize, rng);
             let pop_keypair = KeyPair::new_xonly(secret_poly[0]);
             // XXX The thing that's singed differs from the spec
-            let pop = schnorr.sign(&pop_keypair, Message::<Public>::empty());
+            let pop = schnorr.sign(&pop_keypair, Message::empty());
             let com = poly::scalar::to_point_poly(&secret_poly);
 
             let shares = share_receivers
@@ -201,7 +201,7 @@ pub mod simplepedpop {
             }
 
             let (first_coeff_even_y, _) = input.com[0].into_point_with_even_y();
-            if !schnorr.verify(&first_coeff_even_y, Message::<Public>::empty(), &input.pop) {
+            if !schnorr.verify(&first_coeff_even_y, Message::empty(), &input.pop) {
                 return Err("☠ pop didn't verify");
             }
             *entry = Some(input);
@@ -324,7 +324,7 @@ pub mod simplepedpop {
     {
         for (key_contrib, pop) in &agg_input.key_contrib {
             let (first_coeff_even_y, _) = key_contrib.into_point_with_even_y();
-            if !schnorr.verify(&first_coeff_even_y, Message::<Public>::empty(), pop) {
+            if !schnorr.verify(&first_coeff_even_y, Message::empty(), pop) {
                 return Err(ReceiveShareError::InvalidPop);
             }
         }
@@ -606,7 +606,7 @@ pub mod encpedpop {
         {
             schnorr.sign(
                 keypair,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::new("BIP DKG/cert", self.cert_bytes().as_ref()),
             )
         }
 
@@ -620,7 +620,7 @@ pub mod encpedpop {
         ) -> bool {
             schnorr.verify(
                 &cert_key,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::new("BIP DKG/cert", self.cert_bytes().as_ref()),
                 &signature,
             )
         }

schnorr_fun/src/frost/mod.rs

@@ -30,7 +30,7 @@
 //! let xonly_shared_key = shared_key.into_xonly(); // this is the key signatures will be valid under
 //! let xonly_my_secret_share = my_secret_share.into_xonly();
 //! # let xonly_secret_share3 = secret_share3.into_xonly();
-//! let message =  Message::plain("my-app", b"chancellor on brink of second bailout for banks");
+//! let message =  Message::new("my-app", b"chancellor on brink of second bailout for banks");
 //! // Generate nonces for this signing session (and send them to coordinator somehow)
 //! // ⚠ session_id MUST be different for every signing attempt to avoid nonce reuse (if using deterministic nonces).
 //! let session_id = b"signing-ominous-message-about-banks-attempt-1".as_slice();
@@ -446,7 +446,7 @@ mod test {
         let session = frost.coordinator_sign_session(
             &frost_poly.into_xonly(),
             BTreeMap::from_iter([(s!(1).public(), nonce), (s!(2).public(), malicious_nonce)]),
-            Message::<Public>::plain("test", b"hello"),
+            Message::new("test", b"hello"),
         );
 
         assert_eq!(session.final_nonce(), *G);

schnorr_fun/src/frost/shared_key.rs

@@ -231,7 +231,7 @@ impl<T: PointType, Z: ZeroChoice> SharedKey<T, Z> {
 }
 
 impl SharedKey<Normal> {
-    /// Convert the key into a BIP340 "x-only" SharedKey.
+    /// Convert the key into a [BIP340] "x-only" SharedKey.
     ///
     /// This is the [BIP340] compatible version of the key which you can put in a segwitv1 output.
     ///