f use xonly_pubkeys in schnorrsig sign and verify

Author: jonasnick

include/secp256k1_schnorrsig.h

@@ -88,13 +88,13 @@ SECP256K1_API int secp256k1_schnorrsig_sign(
  *  Args:    ctx: a secp256k1 context object, initialized for verification.
  *  In:      sig: the signature being verified (cannot be NULL)
  *         msg32: the 32-byte message being verified (cannot be NULL)
- *        pubkey: pointer to a public key to verify with (cannot be NULL)
+ *        pubkey: pointer to an x-only public key to verify with (cannot be NULL)
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
     const secp256k1_context* ctx,
     const secp256k1_schnorrsig *sig,
     const unsigned char *msg32,
-    const secp256k1_pubkey *pubkey
+    const secp256k1_xonly_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 /** Verifies a set of Schnorr signatures.
@@ -105,7 +105,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
  *       scratch: scratch space used for the multiexponentiation
  *  In:      sig: array of signatures, or NULL if there are no signatures
  *         msg32: array of messages, or NULL if there are no signatures
- *            pk: array of public keys, or NULL if there are no signatures
+ *            pk: array of x-only public keys, or NULL if there are no signatures
  *        n_sigs: number of signatures in above arrays. Must be smaller than
  *                2^31 and smaller than half the maximum size_t value. Must be 0
  *                if above arrays are NULL.
@@ -115,7 +115,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch
     secp256k1_scratch_space *scratch,
     const secp256k1_schnorrsig *const *sig,
     const unsigned char *const *msg32,
-    const secp256k1_pubkey *const *pk,
+    const secp256k1_xonly_pubkey *const *pk,
     size_t n_sigs
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
 

src/bench_schnorrsig.c

@@ -44,22 +44,22 @@ void bench_schnorrsig_verify(void* arg) {
     size_t i;
 
     for (i = 0; i < 1000; i++) {
-        secp256k1_pubkey pk;
-        CHECK(secp256k1_ec_pubkey_parse(data->ctx, &pk, data->pk[i], 33) == 1);
+        secp256k1_xonly_pubkey pk;
+        CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pk[i]) == 1);
         CHECK(secp256k1_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk));
     }
 }
 
 void bench_schnorrsig_verify_n(void* arg) {
     bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
     size_t i, j;
-    const secp256k1_pubkey **pk = (const secp256k1_pubkey **)malloc(data->n * sizeof(*pk));
+    const secp256k1_xonly_pubkey **pk = (const secp256k1_xonly_pubkey **)malloc(data->n * sizeof(*pk));
 
     CHECK(pk != NULL);
     for (j = 0; j < MAX_SIGS/data->n; j++) {
         for (i = 0; i < data->n; i++) {
-            secp256k1_pubkey *pk_nonconst = (secp256k1_pubkey *)malloc(sizeof(*pk_nonconst));
-            CHECK(secp256k1_ec_pubkey_parse(data->ctx, pk_nonconst, data->pk[i], 33) == 1);
+            secp256k1_xonly_pubkey *pk_nonconst = (secp256k1_xonly_pubkey *)malloc(sizeof(*pk_nonconst));
+            CHECK(secp256k1_xonly_pubkey_parse(data->ctx, pk_nonconst, data->pk[i]) == 1);
             pk[i] = pk_nonconst;
         }
         CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, data->sigs, data->msgs, pk, data->n));
@@ -84,9 +84,8 @@ int main(void) {
         unsigned char sk[32];
         unsigned char *msg = (unsigned char *)malloc(32);
         secp256k1_schnorrsig *sig = (secp256k1_schnorrsig *)malloc(sizeof(*sig));
-        unsigned char *pk_char = (unsigned char *)malloc(33);
-        secp256k1_pubkey pk;
-        size_t pk_len = 33;
+        unsigned char *pk_char = (unsigned char *)malloc(32);
+        secp256k1_xonly_pubkey pk;
         msg[0] = sk[0] = i;
         msg[1] = sk[1] = i >> 8;
         msg[2] = sk[2] = i >> 16;
@@ -98,8 +97,8 @@ int main(void) {
         data.msgs[i] = msg;
         data.sigs[i] = sig;
 
-        CHECK(secp256k1_ec_pubkey_create(data.ctx, &pk, sk));
-        CHECK(secp256k1_ec_pubkey_serialize(data.ctx, pk_char, &pk_len, &pk, SECP256K1_EC_COMPRESSED) == 1);
+        CHECK(secp256k1_xonly_pubkey_create(data.ctx, &pk, sk));
+        CHECK(secp256k1_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1);
         CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, msg, sk, NULL, NULL));
     }
 

src/modules/schnorrsig/main_impl.h

@@ -54,8 +54,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     secp256k1_ge r;
     secp256k1_sha256 sha;
     int overflow;
-    unsigned char buf[33];
-    size_t buflen = sizeof(buf);
+    unsigned char buf[32];
 
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
@@ -76,6 +75,13 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pkj, &x);
     secp256k1_ge_set_gej(&pk, &pkj);
 
+    /* Because we are signing for a x-only pubkey, the secret key is negated
+     * before signing if the point corresponding to the secret key is not
+     * positive. */
+    if (!secp256k1_fe_is_quad_var(&pk.y)) {
+        secp256k1_scalar_negate(&x, &x);
+    }
+
     if (!noncefp(buf, msg32, seckey, (unsigned char *) "BIPSchnorrDerive", (void*)ndata, 0)) {
         return 0;
     }
@@ -93,12 +99,12 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     secp256k1_fe_normalize(&r.x);
     secp256k1_fe_get_b32(&sig->data[0], &r.x);
 
-
-    /* tagged hash(r.x, pk, msg32) */
+    /* tagged hash(r.x, pk.x, msg32) */
     secp256k1_schnorrsig_sha256_tagged(&sha);
     secp256k1_sha256_write(&sha, &sig->data[0], 32);
-    secp256k1_eckey_pubkey_serialize(&pk, buf, &buflen, 1);
-    secp256k1_sha256_write(&sha, buf, buflen);
+    secp256k1_fe_normalize(&pk.x);
+    secp256k1_fe_get_b32(buf, &pk.x);
+    secp256k1_sha256_write(&sha, buf, sizeof(buf));
     secp256k1_sha256_write(&sha, msg32, 32);
     secp256k1_sha256_finalize(&sha, buf);
 
@@ -115,14 +121,14 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
 
 /* Helper function for verification and batch verification.
  * Computes R = sG - eP. */
-static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp256k1_gej *rj, const secp256k1_scalar *s, const secp256k1_scalar *e, const secp256k1_pubkey *pk) {
+static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp256k1_gej *rj, const secp256k1_scalar *s, const secp256k1_scalar *e, const secp256k1_xonly_pubkey *pk) {
     secp256k1_scalar nege;
     secp256k1_ge pkp;
     secp256k1_gej pkj;
 
     secp256k1_scalar_negate(&nege, e);
 
-    if (!secp256k1_pubkey_load(ctx, &pkp, pk)) {
+    if (!secp256k1_pubkey_load(ctx, &pkp, (secp256k1_pubkey *) pk)) {
         return 0;
     }
     secp256k1_gej_set_ge(&pkj, &pkp);
@@ -132,14 +138,13 @@ static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp25
     return 1;
 }
 
-int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *msg32, const secp256k1_pubkey *pk) {
+int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *msg32, const secp256k1_xonly_pubkey *pk) {
     secp256k1_scalar s;
     secp256k1_scalar e;
     secp256k1_gej rj;
     secp256k1_fe rx;
     secp256k1_sha256 sha;
-    unsigned char buf[33];
-    size_t buflen = sizeof(buf);
+    unsigned char buf[32];
     int overflow;
 
     VERIFY_CHECK(ctx != NULL);
@@ -159,8 +164,8 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_sc
 
     secp256k1_schnorrsig_sha256_tagged(&sha);
     secp256k1_sha256_write(&sha, &sig->data[0], 32);
-    secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk, SECP256K1_EC_COMPRESSED);
-    secp256k1_sha256_write(&sha, buf, buflen);
+    secp256k1_xonly_pubkey_serialize(ctx, buf, pk);
+    secp256k1_sha256_write(&sha, buf, sizeof(buf));
     secp256k1_sha256_write(&sha, msg32, 32);
     secp256k1_sha256_finalize(&sha, buf);
     secp256k1_scalar_set_b32(&e, buf, NULL);
@@ -186,7 +191,7 @@ typedef struct {
     /* Signature, message, public key tuples to verify */
     const secp256k1_schnorrsig *const *sig;
     const unsigned char *const *msg32;
-    const secp256k1_pubkey *const *pk;
+    const secp256k1_xonly_pubkey *const *pk;
     size_t n_sigs;
 } secp256k1_schnorrsig_verify_ecmult_context;
 
@@ -217,20 +222,19 @@ static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *s
         }
     /* eP */
     } else {
-        unsigned char buf[33];
-        size_t buflen = sizeof(buf);
+        unsigned char buf[32];
         secp256k1_sha256 sha;
         secp256k1_schnorrsig_sha256_tagged(&sha);
         secp256k1_sha256_write(&sha, &ecmult_context->sig[idx / 2]->data[0], 32);
-        secp256k1_ec_pubkey_serialize(ecmult_context->ctx, buf, &buflen, ecmult_context->pk[idx / 2], SECP256K1_EC_COMPRESSED);
-        secp256k1_sha256_write(&sha, buf, buflen);
+        secp256k1_xonly_pubkey_serialize(ecmult_context->ctx, buf, ecmult_context->pk[idx / 2]);
+        secp256k1_sha256_write(&sha, buf, sizeof(buf));
         secp256k1_sha256_write(&sha, ecmult_context->msg32[idx / 2], 32);
         secp256k1_sha256_finalize(&sha, buf);
 
         secp256k1_scalar_set_b32(sc, buf, NULL);
         secp256k1_scalar_mul(sc, sc, &ecmult_context->randomizer_cache[(idx / 2) % 2]);
 
-        if (!secp256k1_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])) {
+        if (!secp256k1_pubkey_load(ecmult_context->ctx, pt, (secp256k1_pubkey *) ecmult_context->pk[idx / 2])) {
             return 0;
         }
     }
@@ -251,7 +255,7 @@ static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *s
  *            pk: array of public keys, or NULL if there are no signatures
  *        n_sigs: number of signatures in above arrays (must be 0 if they are NULL)
  */
-static int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) {
+static int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_xonly_pubkey *const *pk, size_t n_sigs) {
     size_t i;
 
     if (n_sigs > 0) {
@@ -265,7 +269,11 @@ static int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_con
         size_t buflen = sizeof(buf);
         secp256k1_sha256_write(sha, sig[i]->data, 64);
         secp256k1_sha256_write(sha, msg32[i], 32);
-        secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk[i], SECP256K1_EC_COMPRESSED);
+        /* We use compressed serialization here. If we would use
+         * xonly_pubkey serialization and a user would wrongly memcpy
+         * normal secp256k1_pubkeys into xonly_pubkeys then the randomizer
+         * would be the same for two different pubkeys. */
+        secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, (secp256k1_pubkey *) pk[i], SECP256K1_EC_COMPRESSED);
         secp256k1_sha256_write(sha, buf, buflen);
     }
     ecmult_context->ctx = ctx;
@@ -313,7 +321,7 @@ static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned
  * Seeds a random number generator with the inputs and derives a random number ai for every
  * signature i. Fails if y-coordinate of any R is not a quadratic residue or if
  * 0 != -(s1 + a2*s2 + ... + au*su)G + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu. */
-int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) {
+int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_xonly_pubkey *const *pk, size_t n_sigs) {
     secp256k1_schnorrsig_verify_ecmult_context ecmult_context;
     secp256k1_sha256 sha;
     secp256k1_scalar s;

src/modules/schnorrsig/tests_impl.h

@@ -26,11 +26,11 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
     unsigned char sk3[32];
     unsigned char msg[32];
     unsigned char sig64[64];
-    secp256k1_pubkey pk[3];
+    secp256k1_xonly_pubkey pk[3];
     secp256k1_schnorrsig sig;
     const secp256k1_schnorrsig *sigptr = &sig;
     const unsigned char *msgptr = msg;
-    const secp256k1_pubkey *pkptr = &pk[0];
+    const secp256k1_xonly_pubkey *pkptr = &pk[0];
 
     /** setup **/
     secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
@@ -52,9 +52,9 @@ void test_schnorrsig_api(secp256k1_scratch_space *scratch) {
     secp256k1_rand256(sk2);
     secp256k1_rand256(sk3);
     secp256k1_rand256(msg);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk1) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk[1], sk2) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk[2], sk3) == 1);
+    CHECK(secp256k1_xonly_pubkey_create(ctx, &pk[0], sk1) == 1);
+    CHECK(secp256k1_xonly_pubkey_create(ctx, &pk[1], sk2) == 1);
+    CHECK(secp256k1_xonly_pubkey_create(ctx, &pk[2], sk3) == 1);
 
     /** main test body **/
     ecount = 0;
@@ -142,13 +142,13 @@ void test_schnorrsig_sha256_tagged(void) {
 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *msg, const unsigned char *expected_sig) {
     secp256k1_schnorrsig sig;
     unsigned char serialized_sig[64];
-    secp256k1_pubkey pk;
+    secp256k1_xonly_pubkey pk;
 
     CHECK(secp256k1_schnorrsig_sign(ctx, &sig, msg, sk, NULL, NULL));
     CHECK(secp256k1_schnorrsig_serialize(ctx, serialized_sig, &sig));
     CHECK(memcmp(serialized_sig, expected_sig, 64) == 0);
 
-    CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33));
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
     CHECK(secp256k1_schnorrsig_verify(ctx, &sig, msg, &pk));
 }
 
@@ -157,11 +157,11 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un
 void test_schnorrsig_bip_vectors_check_verify(secp256k1_scratch_space *scratch, const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig_serialized, int expected) {
     const unsigned char *msg_arr[1];
     const secp256k1_schnorrsig *sig_arr[1];
-    const secp256k1_pubkey *pk_arr[1];
-    secp256k1_pubkey pk;
+    const secp256k1_xonly_pubkey *pk_arr[1];
+    secp256k1_xonly_pubkey pk;
     secp256k1_schnorrsig sig;
 
-    CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33));
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
     CHECK(secp256k1_schnorrsig_parse(ctx, &sig, sig_serialized));
 
     sig_arr[0] = &sig;
@@ -368,9 +368,9 @@ void test_schnorrsig_bip_vectors(secp256k1_scratch_space *scratch) {
             0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A,
             0x34
         };
-        secp256k1_pubkey pk7_parsed;
+        secp256k1_xonly_pubkey pk7_parsed;
         /* No need to check the signature of the test vector as parsing the pubkey already fails */
-        CHECK(!secp256k1_ec_pubkey_parse(ctx, &pk7_parsed, pk7, 33));
+        CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk7_parsed, pk7));
     }
     {
         /* Test vector 8 */
@@ -667,10 +667,10 @@ void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) {
     size_t i;
     const secp256k1_schnorrsig *sig_arr[N_SIGS];
     const unsigned char *msg_arr[N_SIGS];
-    const secp256k1_pubkey *pk_arr[N_SIGS];
-    secp256k1_pubkey pk;
+    const secp256k1_xonly_pubkey *pk_arr[N_SIGS];
+    secp256k1_xonly_pubkey pk;
 
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk));
+    CHECK(secp256k1_xonly_pubkey_create(ctx, &pk, sk));
 
     CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, NULL, NULL, NULL, 0));