f add tweak functions for xonly_pubkeys

Author: jonasnick

include/secp256k1.h

@@ -776,6 +776,120 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_create(
     const unsigned char *seckey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
+/** Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey. This
+ *  function optionally outputs a sign bit that can be used to convert
+ *  the secp256k1_xonly_pubkey back into the same secp256k1_pubkey.
+ *  The sign bit is 0 if the input pubkey encodes a positive point (has a Y
+ *  coordinate that is a quadratic residue), otherwise it is 1.
+ *
+ *  Returns: 1 if the public key was successfully converted
+ *           0 otherwise
+ *
+ *  Args:         ctx: pointer to a context object
+ *  Out: xonly_pubkey: pointer to an x-only public key object for placing the
+ *                     converted public key (cannot be NULL)
+ *              sign: sign bit of the pubkey. Can be used to reconstruct a
+ *                    public key from x-only public key (can be NULL)
+ *  In:       pubkey: pointer to a public key that is converted (cannot be
+ *                    NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(
+    const secp256k1_context* ctx,
+    secp256k1_xonly_pubkey *xonly_pubkey,
+    int *sign,
+    const secp256k1_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
+/** Convert a secp256k1_xonly_pubkey into a secp256k1_pubkey. If this
+ *  function is used to invert secp256k1_xonly_pubkey_from_pubkey, the
+ *  sign bit must be set to the output of that function. If the sign bit
+ *  is 0 the output pubkey encodes a positive point (has a Y coordinate that is a
+ *  quadratic residue), otherwise it is negative.
+ *
+ *  Returns: 1 if the public key was successfully converted
+ *           0 otherwise
+ *
+ *  Args:           ctx: pointer to a context object
+ *  Out:         pubkey: pointer to a public key object for placing the
+ *                       converted public key (cannot be NULL)
+ *  In: xonly_pubkey: pointer to an x-only public key that is converted
+ *                    (cannot be NULL)
+ *                 sign: sign bit of the resulting public key (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_to_pubkey(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *pubkey,
+    const secp256k1_xonly_pubkey *xonly_pubkey,
+    int sign
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Tweak the private key of an x-only pubkey by adding a tweak to it. The public
+ *  key of the resulting private key will be the same as the output of
+ *  secp256k1_xonly_pubkey_tweak_add called with the same tweak and corresponding
+ *  input public key.
+ *
+ *  If the public key corresponds to a positive point, tweak32 is added to the
+ *  seckey (modulo the group order). If the public key corresponds to a
+ *  negative point, tweak32 is added to the negation of the seckey (modulo the
+ *  group order).
+ *
+ *  Returns: 1 if the tweak was successfully added to seckey
+ *           0 if the tweak was out of range or the resulting private key would be
+ *             invalid (only when the tweak is the complement of the private key) or
+ *             seckey is 0.
+ *
+ *  Args:      ctx: pointer to a context object, initialized for signing (cannot be NULL)
+ *  In/Out: seckey: pointer to a 32-byte private key
+ *  In:    tweak32: pointer to a 32-byte tweak
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_privkey_tweak_add(
+    const secp256k1_context* ctx,
+    unsigned char *seckey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Tweak an x-only public key by adding tweak times the generator to it. Note that
+ *  the output is a secp256k1_pubkey and not a secp256k1_xonly_pubkey.
+ *  Returns: 1 if tweak times the generator was successfully added to pubkey
+ *           0 if the tweak was out of range or the resulting public key would be
+ *             invalid (only when the tweak is the complement of the corresponding
+ *             private key).
+ *
+ *  Args:           ctx: pointer to a context object initialized for validation
+ *                       (cannot be NULL)
+ *  Out:  output_pubkey: pointer to a public key object (cannot be NULL)
+ *  In: internal_pubkey: pointer to an x-only public key object to apply the
+ *                       tweak to (cannot be NULL)
+ *              tweak32: pointer to a 32-byte tweak (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *output_pubkey,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Verifies that output_pubkey is the result of calling
+ *  secp256k1_xonly_pubkey_tweak_add with internal_pubkey and tweak32.
+ *
+ *  Returns: 1 if output_pubkey is the result of tweaking the internal_pubkey with
+ *             tweak32
+ *           0 otherwise
+ *
+ *  Args:           ctx: pointer to a context object initialized for validation
+ *                       (cannot be NULL)
+ *  In:   output_pubkey: pointer to a public key object (cannot be NULL)
+ *      internal_pubkey: pointer to an x-only public key object to apply the
+ *                       tweak to (cannot be NULL)
+ *              tweak32: pointer to a 32-byte tweak (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_verify(
+    const secp256k1_context* ctx,
+    const secp256k1_pubkey *output_pubkey,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
 #ifdef __cplusplus
 }
 #endif

src/modules/schnorrsig/tests_impl.h

@@ -718,6 +718,43 @@ void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) {
 }
 #undef N_SIGS
 
+void test_schnorrsig_taproot(void) {
+    unsigned char sk[32];
+    secp256k1_xonly_pubkey internal_pk;
+    unsigned char internal_pk_bytes[32];
+    secp256k1_pubkey output_pk;
+    secp256k1_xonly_pubkey output_pk_pos;
+    unsigned char output_pk_bytes[32];
+    unsigned char tweak[32];
+    int sign;
+    unsigned char msg[32];
+    secp256k1_schnorrsig sig;
+
+    /* Create output key */
+    secp256k1_rand256(sk);
+    CHECK(secp256k1_xonly_pubkey_create(ctx, &internal_pk, sk) == 1);
+    memset(tweak, 1, sizeof(tweak));
+    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_pk_pos, &sign, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk_pos) == 1);
+
+    /* Key spend */
+    secp256k1_rand256(msg);
+    CHECK(secp256k1_xonly_privkey_tweak_add(ctx, sk, tweak) == 1);
+    CHECK(secp256k1_schnorrsig_sign(ctx, &sig, msg, sk, NULL, NULL) == 1);
+    /* Verify key spend */
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk_pos, output_pk_bytes) == 1);
+    CHECK(secp256k1_schnorrsig_verify(ctx, &sig, msg, &output_pk_pos) == 1);
+
+    /* Script spend */
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
+    /* Verify script spend */
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk_pos, output_pk_bytes) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
+    CHECK(secp256k1_xonly_pubkey_to_pubkey(ctx, &output_pk, &output_pk_pos, sign) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_verify(ctx, &output_pk, &internal_pk, tweak) == 1);
+}
+
 void run_schnorrsig_tests(void) {
     secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);
 
@@ -728,6 +765,7 @@ void run_schnorrsig_tests(void) {
     /* test_schnorrsig_bip_vectors(scratch); */
     test_schnorrsig_sign();
     test_schnorrsig_sign_verify(scratch);
+    test_schnorrsig_taproot();
 
     secp256k1_scratch_space_destroy(ctx, scratch);
 }

src/secp256k1.c

@@ -730,13 +730,20 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *
     return 1;
 }
 
-/* Converts a point into its absolute value, i.e. keeps it as is if it is
- * positive and otherwise negates it. */
-static void secp256k1_ec_pubkey_absolute(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
-    secp256k1_ge ge;
+/* Converts the point encoded by a secp256k1_pubkey into its absolute value,
+ * i.e. keeps it as is if it is positive and otherwise negates it. Sign is set
+ * to 1 if the input point was negative and set to 0 otherwise. */
+static void secp256k1_ec_pubkey_absolute(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, int *sign) {
+   secp256k1_ge ge;
     secp256k1_pubkey_load(ctx, &ge, pubkey);
+    if (sign != NULL) {
+        *sign = 0;
+    }
     if (!secp256k1_fe_is_quad_var(&ge.y)) {
         secp256k1_ge_neg(&ge, &ge);
+        if (sign != NULL) {
+            *sign = 1;
+        }
     }
     secp256k1_pubkey_save(pubkey, &ge);
 }
@@ -750,7 +757,7 @@ int secp256k1_xonly_pubkey_create(const secp256k1_context* ctx, secp256k1_xonly_
     if (!secp256k1_ec_pubkey_create(ctx, (secp256k1_pubkey *) pubkey, seckey)) {
         return 0;
     }
-    secp256k1_ec_pubkey_absolute(ctx, (secp256k1_pubkey *) pubkey);
+    secp256k1_ec_pubkey_absolute(ctx, (secp256k1_pubkey *) pubkey, NULL);
     return 1;
 }
 
@@ -766,7 +773,7 @@ int secp256k1_xonly_pubkey_parse(const secp256k1_context* ctx, secp256k1_xonly_p
     if (!secp256k1_ec_pubkey_parse(ctx, (secp256k1_pubkey *) pubkey, buf, sizeof(buf))) {
         return 0;
     }
-    secp256k1_ec_pubkey_absolute(ctx, (secp256k1_pubkey *) pubkey);
+    secp256k1_ec_pubkey_absolute(ctx, (secp256k1_pubkey *) pubkey, NULL);
     return 1;
 }
 
@@ -785,6 +792,74 @@ int secp256k1_xonly_pubkey_serialize(const secp256k1_context* ctx, unsigned char
     return 1;
 }
 
+int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context* ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *sign, const secp256k1_pubkey *pubkey) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(xonly_pubkey != NULL);
+    ARG_CHECK(pubkey != NULL);
+
+    *xonly_pubkey = *(secp256k1_xonly_pubkey *) pubkey;
+
+    secp256k1_ec_pubkey_absolute(ctx, (secp256k1_pubkey *) xonly_pubkey, sign);
+    return 1;
+}
+
+int secp256k1_xonly_pubkey_to_pubkey(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_xonly_pubkey *xonly_pubkey, int sign) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pubkey != NULL);
+    ARG_CHECK(xonly_pubkey != NULL);
+
+    *pubkey = *(secp256k1_pubkey *) xonly_pubkey;
+    if (sign) {
+        return secp256k1_ec_pubkey_negate(ctx, pubkey);
+    }
+    return 1;
+}
+
+int secp256k1_xonly_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey32, const unsigned char *tweak32) {
+    secp256k1_ge ge;
+    secp256k1_pubkey pubkey;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(seckey32 != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    if (!secp256k1_ec_pubkey_create(ctx, &pubkey, seckey32)) {
+        return 0;
+    }
+    secp256k1_pubkey_load(ctx, &ge, &pubkey);
+    if (!secp256k1_fe_is_quad_var(&ge.y)) {
+        if (!secp256k1_ec_privkey_negate(ctx, seckey32)) {
+            return 0;
+        }
+    }
+
+    return secp256k1_ec_privkey_tweak_add(ctx, seckey32, tweak32);
+}
+
+int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(internal_pubkey != NULL);
+    ARG_CHECK(output_pubkey != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    *output_pubkey = *(secp256k1_pubkey *)internal_pubkey;
+    return secp256k1_ec_pubkey_tweak_add(ctx, output_pubkey, tweak32);
+}
+
+int secp256k1_xonly_pubkey_tweak_verify(const secp256k1_context* ctx, const secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
+    secp256k1_pubkey pk_expected;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
+    ARG_CHECK(internal_pubkey != NULL);
+    ARG_CHECK(output_pubkey != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    if (!secp256k1_xonly_pubkey_tweak_add(ctx, &pk_expected, internal_pubkey, tweak32)) {
+        return 0;
+    }
+    return memcmp(&pk_expected, output_pubkey, sizeof(pk_expected)) == 0;
+}
+
 #ifdef ENABLE_MODULE_ECDH
 # include "modules/ecdh/main_impl.h"
 #endif