Add aggregation of MuSig2 signatures including adaptor signatures

Author: MatthewLM

coinlib/bin/build_wasm.dart

@@ -90,6 +90,10 @@ RUN ${WASI_SDK_PATH}/bin/wasm-ld \
   --export secp256k1_musig_partial_sig_parse \
   --export secp256k1_musig_partial_sig_serialize \
   --export secp256k1_musig_partial_sig_verify \
+  --export secp256k1_musig_partial_sig_agg \
+  --export secp256k1_musig_nonce_parity \
+  --export secp256k1_musig_adapt \
+  --export secp256k1_musig_extract_adaptor \
   # The secp256k1 library file
   build/lib/libsecp256k1.a \
   # Need to include libc for wasi here as it isn't done for us

coinlib/lib/src/coinlib_base.dart

@@ -14,6 +14,7 @@ export 'package:coinlib/src/crypto/hd_key.dart';
 export 'package:coinlib/src/crypto/message_signature.dart';
 export 'package:coinlib/src/crypto/nums_public_key.dart';
 export 'package:coinlib/src/crypto/random.dart';
+export 'package:coinlib/src/crypto/schnorr_adaptor_signature.dart';
 export 'package:coinlib/src/crypto/schnorr_signature.dart';
 
 export 'package:coinlib/src/encode/base58.dart';

coinlib/lib/src/crypto/ecdsa_signature.dart

@@ -1,6 +1,5 @@
 import 'dart:typed_data';
 import 'package:coinlib/src/secp256k1/secp256k1.dart';
-import 'package:coinlib/src/secp256k1/secp256k1_base.dart';
 import 'package:coinlib/src/common/bytes.dart';
 import 'package:coinlib/src/common/hex.dart';
 import 'ec_private_key.dart';

coinlib/lib/src/crypto/schnorr_adaptor_signature.dart

@@ -0,0 +1,55 @@
+import 'ec_private_key.dart';
+import 'schnorr_signature.dart';
+import 'package:coinlib/src/secp256k1/secp256k1.dart';
+
+/// A Schnorr signature where the nonce has been adapted by a point. The
+/// signature can be adapted (decrypted) using [adapt] with the discrete-log of
+/// the point (private key to a public key). The signature will be complete and
+/// valid if the correct adaptor was given.
+class SchnorrAdaptorSignature {
+
+  /// The signature that contains the adapted nonce but requires the adaptor
+  /// scalar
+  final SchnorrSignature preSig;
+  /// True when the nonce y-coord is odd
+  final bool parity;
+
+  SchnorrAdaptorSignature(this.preSig, this.parity);
+
+  /// Adapts the adaptor signature with the discrete log to the adaptor point
+  /// given as an [ECPrivateKey]. The resulting signature is not verified.
+  /// Either the [adaptorScalar] should be known to be correct or the signature
+  /// can be verified afterwards.
+  ///
+  /// If the signature has malformed data, this may throw
+  /// [InvalidSchnorrSignature].
+  SchnorrSignature adapt(ECPrivateKey adaptorScalar) {
+    try {
+      return SchnorrSignature(
+        secp256k1.adaptSchnorr(preSig.data, adaptorScalar.data, parity),
+      );
+    } on Secp256k1Exception {
+      throw InvalidSchnorrSignature();
+    }
+  }
+
+  /// Extracts the adaptor scalar using the [completeSig]. The scalar is
+  /// provided as an [ECPrivateKey].
+  ///
+  /// The [completeSig] must be a different signature or else
+  /// [InvalidPrivateKey] will be thrown. It should also be verified as the
+  /// correct valid signature to obtain the correct adaptor scalar.
+  ///
+  /// If either signature has malformed data, this may also throw
+  /// [InvalidSchnorrSignature].
+  ECPrivateKey extract(SchnorrSignature completeSig) {
+    try {
+      return ECPrivateKey(
+        secp256k1.extractSchnorrAdaptor(preSig.data, completeSig.data, parity),
+      );
+    } on Secp256k1Exception {
+      throw InvalidSchnorrSignature();
+    }
+  }
+
+}

coinlib/lib/src/musig/library.dart

@@ -4,8 +4,12 @@ import 'dart:typed_data';
 import 'package:coinlib/src/common/bytes.dart';
 import 'package:coinlib/src/crypto/ec_private_key.dart';
 import 'package:coinlib/src/crypto/ec_public_key.dart';
+import 'package:coinlib/src/crypto/schnorr_adaptor_signature.dart';
+import 'package:coinlib/src/crypto/schnorr_signature.dart';
 import 'package:coinlib/src/secp256k1/secp256k1.dart';
-import 'package:coinlib/src/secp256k1/secp256k1_base.dart';
 
 part "keys.dart";
+part "partial_sig.dart";
+part "public_nonce.dart";
+part "result.dart";
 part "signing.dart";

coinlib/lib/src/musig/partial_sig.dart

@@ -0,0 +1,25 @@
+part of "library.dart";
+
+class InvalidMuSigPartialSig implements Exception {}
+
+/// The partial signature from a participant that needs to be shared.
+class MuSigPartialSig {
+
+  final OpaqueMuSigPartialSig _underlying;
+  final Uint8List bytes;
+
+  MuSigPartialSig._(this._underlying, this.bytes);
+  MuSigPartialSig._fromUnderlying(this._underlying)
+    : bytes = secp256k1.muSigSerialisePartialSig(_underlying);
+
+  /// Creates the partial signature from the [bytes]. If the [bytes] are
+  /// invalid, [InvalidMuSigPartialSig] will be thrown.
+  factory MuSigPartialSig.fromBytes(Uint8List bytes) {
+    try {
+      return MuSigPartialSig._(secp256k1.muSigParsePartialSig(bytes), bytes);
+    } on Secp256k1Exception {
+      throw InvalidMuSigPartialSig();
+    }
+  }
+
+}

coinlib/lib/src/musig/public_nonce.dart

@@ -0,0 +1,26 @@
+part of "library.dart";
+
+class InvalidMuSigPublicNonce implements Exception {}
+
+/// The public nonce of a participant for a single signing session only.
+class MuSigPublicNonce {
+
+  final OpaqueMuSigPublicNonce _underlying;
+  /// The serialised bytes that can be shared with other signers
+  final Uint8List bytes;
+
+  MuSigPublicNonce._(this._underlying, this.bytes);
+  MuSigPublicNonce._fromUnderlying(this._underlying)
+    : bytes = secp256k1.muSigSerialisePublicNonce(_underlying);
+
+  /// Creates the public nonce from the [bytes]. If the [bytes] are invalid,
+  /// [InvalidMuSigPublicNonce] will be thrown.
+  factory MuSigPublicNonce.fromBytes(Uint8List bytes) {
+    try {
+      return MuSigPublicNonce._(secp256k1.muSigParsePublicNonce(bytes), bytes);
+    } on Secp256k1Exception {
+      throw InvalidMuSigPublicNonce();
+    }
+  }
+
+}

coinlib/lib/src/musig/result.dart

@@ -0,0 +1,16 @@
+part of "library.dart";
+
+sealed class MuSigResult {}
+
+/// A MuSig result with a completed [signature].
+class MuSigResultComplete extends MuSigResult {
+  final SchnorrSignature signature;
+  MuSigResultComplete._(this.signature);
+}
+
+/// A MuSig result with an [adaptorSignature] that requires decrypting with the
+/// adaptor discrete-log scalar.
+class MuSigResultAdaptor extends MuSigResult {
+  final SchnorrAdaptorSignature adaptorSignature;
+  MuSigResultAdaptor._(this.adaptorSignature);
+}

coinlib/lib/src/musig/signing.dart

@@ -3,55 +3,6 @@ part of "library.dart";
 /// Maps the public key of a participant to their public nonce
 typedef KeyToNonceMap = Map<ECPublicKey, MuSigPublicNonce>;
 
-class InvalidMuSigPublicNonce implements Exception {}
-
-/// The public nonce of a participant for a single signing session only.
-class MuSigPublicNonce {
-
-  final OpaqueMuSigPublicNonce _underlying;
-  /// The serialised bytes that can be shared with other signers
-  final Uint8List bytes;
-
-  MuSigPublicNonce._(this._underlying, this.bytes);
-  MuSigPublicNonce._fromUnderlying(this._underlying)
-    : bytes = secp256k1.muSigSerialisePublicNonce(_underlying);
-
-  /// Creates the public nonce from the [bytes]. If the [bytes] are invalid,
-  /// [InvalidMuSigPublicNonce] will be thrown.
-  factory MuSigPublicNonce.fromBytes(Uint8List bytes) {
-    try {
-      return MuSigPublicNonce._(secp256k1.muSigParsePublicNonce(bytes), bytes);
-    } on Secp256k1Exception {
-      throw InvalidMuSigPublicNonce();
-    }
-  }
-
-}
-
-class InvalidMuSigPartialSig implements Exception {}
-
-/// The partial signature from a participant that needs to be shared.
-class MuSigPartialSig {
-
-  final OpaqueMuSigPartialSig _underlying;
-  final Uint8List bytes;
-
-  MuSigPartialSig._(this._underlying, this.bytes);
-  MuSigPartialSig._fromUnderlying(this._underlying)
-    : bytes = secp256k1.muSigSerialisePartialSig(_underlying);
-
-  /// Creates the partial signature from the [bytes]. If the [bytes] are
-  /// invalid, [InvalidMuSigPartialSig] will be thrown.
-  factory MuSigPartialSig.fromBytes(Uint8List bytes) {
-    try {
-      return MuSigPartialSig._(secp256k1.muSigParsePartialSig(bytes), bytes);
-    } on Secp256k1Exception {
-      throw InvalidMuSigPartialSig();
-    }
-  }
-
-}
-
 /// A MuSig signing session state to be used for one signing session only.
 ///
 /// This class is stateful unlike most of the classes in the library. This is to
@@ -69,8 +20,10 @@ class MuSigStatefulSigningSession {
   late final OpaqueMuSigSecretNonce _ourSecretNonce;
 
   OpaqueMuSigSession? _underlyingSession;
+  bool _isAdaptor = false;
   KeyToNonceMap? _otherNonces;
-  Map<ECPublicKey, MuSigPartialSig> _partialSigs = {};
+  OpaqueMuSigPartialSig? _ourPartialSig;
+  final Map<ECPublicKey, OpaqueMuSigPartialSig> _partialSigs = {};
 
   /// Starts a signing session with the MuSig [keys] and specifying the public
   /// key for the signer with [ourPublicKey].
@@ -156,13 +109,13 @@ class MuSigStatefulSigningSession {
       adaptor?.data,
     );
     _otherNonces = otherNonces;
+    _isAdaptor = adaptor != null;
 
     // Produce partial signature
-    return MuSigPartialSig._fromUnderlying(
-      secp256k1.muSigPartialSign(
-        _ourSecretNonce, privKey.data, keys._aggCache, _underlyingSession!,
-      ),
+    _ourPartialSig = secp256k1.muSigPartialSign(
+      _ourSecretNonce, privKey.data, keys._aggCache, _underlyingSession!,
     );
+    return MuSigPartialSig._fromUnderlying(_ourPartialSig!);
 
   }
 
@@ -209,7 +162,7 @@ class MuSigStatefulSigningSession {
     );
 
     if (valid) {
-      _partialSigs[participantKey] = partialSig;
+      _partialSigs[participantKey] = partialSig._underlying;
     }
 
     return valid;
@@ -221,4 +174,36 @@ class MuSigStatefulSigningSession {
   bool havePartialSignature(ECPublicKey participantKey) =>
     _partialSigs.containsKey(participantKey);
 
+  MuSigResult finish() {
+
+    if (_underlyingSession == null) {
+      throw StateError("Need to call sign before finishing");
+    }
+
+    final actualSigs = _partialSigs.length;
+    final reqSigs = keys.pubKeys.length - 1;
+    if (actualSigs != reqSigs) {
+      throw StateError(
+        "Need $reqSigs partial signatures. Only have $actualSigs",
+      );
+    }
+
+    final sig = SchnorrSignature(
+      secp256k1.muSigSignatureAggregate(
+        { _ourPartialSig!, ..._partialSigs.values },
+        _underlyingSession!,
+      ),
+    );
+
+    return _isAdaptor
+      ? MuSigResultAdaptor._(
+        SchnorrAdaptorSignature(
+          sig,
+          secp256k1.muSigNonceParity(_underlyingSession!),
+        ),
+      )
+      : MuSigResultComplete._(sig);
+
+  }
+
 }

coinlib/lib/src/secp256k1/secp256k1.dart

@@ -2,5 +2,6 @@ import 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart';
 export 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart'
   show OpaqueMuSigCache, OpaqueMuSigSecretNonce, OpaqueMuSigPublicNonce,
   OpaqueMuSigSession, OpaqueMuSigPartialSig;
+export 'secp256k1_base.dart' show Secp256k1Exception;
 
 final secp256k1 = Secp256k1();