Generate public/secret nonces for MuSig2

Author: MatthewLM

coinlib/bin/build_wasm.dart

@@ -81,6 +81,8 @@ RUN ${WASI_SDK_PATH}/bin/wasm-ld \
   --export secp256k1_ec_pubkey_sort \
   --export secp256k1_musig_pubkey_agg \
   --export secp256k1_musig_pubkey_xonly_tweak_add \
+  --export secp256k1_musig_nonce_gen \
+  --export secp256k1_musig_pubnonce_serialize \
   # The secp256k1 library file
   build/lib/libsecp256k1.a \
   # Need to include libc for wasi here as it isn't done for us

coinlib/lib/src/musig/signing.dart

@@ -0,0 +1,30 @@
+import 'dart:typed_data';
+import 'package:coinlib/src/crypto/ec_public_key.dart';
+import 'package:coinlib/src/secp256k1/secp256k1.dart';
+import 'package:coinlib/src/musig/keys.dart';
+
+/// A MuSig signing session state to be used for one signing session only.
+///
+/// This class is stateful unlike most of the classes in the library. This is to
+/// prevent re-use of earlier parts of the signing session, ensuring signing
+/// nonces are used no more than once.
+class MuSigStatefulSigningSession {
+
+  final MuSigPublicKeys keys;
+  final ECPublicKey ourPublicKey;
+
+  late final MuSigSecretNonce _ourSecretNonce;
+  late final Uint8List ourPublicNonce;
+
+  /// Starts a signing session with the MuSig [keys] and specifying the public
+  /// key for the signer with [ourPublicKey].
+  MuSigStatefulSigningSession({
+    required this.keys,
+    required this.ourPublicKey,
+  }) {
+    final (secret, public) = secp256k1.muSigGenerateNonce(ourPublicKey.data);
+    _ourSecretNonce = secret;
+    ourPublicNonce = public;
+  }
+
+}

coinlib/lib/src/secp256k1/secp256k1.dart

@@ -1,5 +1,5 @@
 import 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart';
 export 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart'
-  show MuSigCache;
+  show MuSigCache, MuSigSecretNonce;
 
 final secp256k1 = Secp256k1();

coinlib/lib/src/secp256k1/secp256k1.wasm.g.dart

@@ -1,4 +1,5 @@
 import 'dart:typed_data';
+import 'package:coinlib/src/crypto/random.dart';
 import 'heap.dart';
 
 class Secp256k1Exception implements Exception {
@@ -14,15 +15,15 @@ class SigWithRecId {
   SigWithRecId(this.signature, this.recid);
 }
 
-class MuSigCacheGeneric<MuSigAggCachePtr> {
-  final Heap<MuSigAggCachePtr> _cache;
-  MuSigCacheGeneric(this._cache);
+class OpaqueGeneric<Ptr> {
+  final Heap<Ptr> _heap;
+  OpaqueGeneric(this._heap);
 }
 
 abstract class Secp256k1Base<
   CtxPtr, UCharPtr, PubKeyPtr, SizeTPtr, SignaturePtr,
   RecoverableSignaturePtr, KeyPairPtr, XPubKeyPtr, IntPtr, MuSigAggCachePtr,
-  PubKeyPtrPtr, NullPtr
+  PubKeyPtrPtr, MuSigSecNoncePtr, MuSigPubNoncePtr, NullPtr
 > {
 
   static const contextNone = 1;
@@ -36,6 +37,7 @@ abstract class Secp256k1Base<
   static const uncompressedPubkeySize = 65;
   static const sigSize = 64;
   static const derSigSize = 72;
+  static const muSigPubNonceSize = 66;
   static const recSigSize = 65;
   static const keyPairSize = 96;
   static const xonlySize = 32;
@@ -107,6 +109,13 @@ abstract class Secp256k1Base<
   late int Function(
     CtxPtr, PubKeyPtr, MuSigAggCachePtr, UCharPtr,
   ) extMuSigPubkeyXOnlyTweakAdd;
+  late int Function(
+    CtxPtr, MuSigSecNoncePtr, MuSigPubNoncePtr, UCharPtr, NullPtr, PubKeyPtr,
+    NullPtr, NullPtr, NullPtr,
+  ) extMuSigNonceGen;
+  late int Function(
+    CtxPtr, UCharPtr, MuSigPubNoncePtr,
+  ) extMuSigPubNonceSerialize;
 
   // Heap arrays
 
@@ -119,6 +128,7 @@ abstract class Secp256k1Base<
   late HeapBytes<UCharPtr> entropyArray;
   late HeapBytes<UCharPtr> serializedSigArray;
   late HeapBytes<UCharPtr> derSigArray;
+  late HeapBytes<UCharPtr> muSigPubNonceArray;
 
   // Other pre-allocated heap objects
   late Heap<PubKeyPtr> pubKey;
@@ -128,6 +138,7 @@ abstract class Secp256k1Base<
   late Heap<KeyPairPtr> keyPair;
   late Heap<XPubKeyPtr> xPubKey;
   late HeapInt<IntPtr> recId;
+  late Heap<MuSigPubNoncePtr> muSigPubNonce;
 
   // Context pointer is allocated by underlying library
   late CtxPtr ctxPtr;
@@ -473,6 +484,7 @@ abstract class Secp256k1Base<
 
     _parsePrivKeyIntoKeyPairPtr(privKey);
     hashArray.load(hash);
+    if (extraEntropy != null) entropyArray.load(extraEntropy);
 
     if (
       extSchnorrSign32(
@@ -528,7 +540,7 @@ abstract class Secp256k1Base<
   ///
   /// Returns the aggregated public key bytes and an opaque object for the MuSig
   /// aggregation cache used for signing.
-  (Uint8List, MuSigCacheGeneric<MuSigAggCachePtr>) muSigAgggregate(
+  (Uint8List, OpaqueGeneric<MuSigAggCachePtr>) muSigAgggregate(
     List<Uint8List> pubKeysBytes,
   ) {
     _requireLoad();
@@ -556,23 +568,23 @@ abstract class Secp256k1Base<
       throw Secp256k1Exception("Couldn't aggregate public keys for MuSig2");
     }
 
-    return (_serializeXPubKeyFromPtr(), MuSigCacheGeneric(musigCache));
+    return (_serializeXPubKeyFromPtr(), OpaqueGeneric(musigCache));
 
   }
 
   /// Tweaks the aggregate MuSig key returning the new aggregate key and cache.
   /// The new cache is a new object. The previous cache is not valid for the
   /// tweaked key
-  (Uint8List, MuSigCacheGeneric<MuSigAggCachePtr>) muSigTweakXOnly(
-    MuSigCacheGeneric<MuSigAggCachePtr> cache,
+  (Uint8List, OpaqueGeneric<MuSigAggCachePtr>) muSigTweakXOnly(
+    OpaqueGeneric<MuSigAggCachePtr> cache,
     Uint8List scalar,
   ) {
     _requireLoad();
 
     scalarArray.load(scalar);
 
     // Copy cache to avoid side-effects
-    final newCache = copyMuSigCache(cache._cache.ptr);
+    final newCache = copyMuSigCache(cache._heap.ptr);
 
     if (
       extMuSigPubkeyXOnlyTweakAdd(
@@ -582,7 +594,45 @@ abstract class Secp256k1Base<
       throw Secp256k1Exception("Couldn't apply tweak to MuSig key");
     }
 
-    return (_serializePubKeyFromPtr(true), MuSigCacheGeneric(newCache));
+    return (_serializePubKeyFromPtr(true), OpaqueGeneric(newCache));
+
+  }
+
+  /// Generates and returns an opaque secret and serialised public nonce for
+  /// a MuSig signing session. This produces a unique nonce each time.
+  ///
+  /// The nonce must only be used once for a single signing session and
+  /// discarded after the signing session succeeds or fails for any reason.
+  ///
+  /// The [pubKeyBytes] must be the compressed or uncompressed public key used
+  /// by the signer.
+  (OpaqueGeneric<MuSigSecNoncePtr>, Uint8List) muSigGenerateNonce(
+    Uint8List pubKeyBytes,
+  ) {
+    _requireLoad();
+
+    _parsePubkeyIntoPtr(pubKeyBytes);
+    entropyArray.load(generateRandomBytes(32));
+
+    final secNonce = allocMuSigSecNonce();
+
+    if(
+      extMuSigNonceGen(
+        ctxPtr, secNonce.ptr, muSigPubNonce.ptr, entropyArray.ptr, nullPtr,
+        pubKey.ptr, nullPtr, nullPtr, nullPtr,
+      ) != 1
+    ) {
+      throw Secp256k1Exception("Couldn't generate MuSig nonce for key");
+    }
+
+    extMuSigPubNonceSerialize(
+      ctxPtr, muSigPubNonceArray.ptr, muSigPubNonce.ptr,
+    );
+
+    return (
+      OpaqueGeneric(secNonce),
+      Uint8List.fromList(muSigPubNonceArray.list),
+    );
 
   }
 
@@ -600,4 +650,8 @@ abstract class Secp256k1Base<
   /// struct into it.
   Heap<MuSigAggCachePtr> copyMuSigCache(MuSigAggCachePtr copyFrom);
 
+  /// Specialised sub-classes should override to allocate an
+  /// secp256k1_musig_secnonce on the heap.
+  Heap<MuSigSecNoncePtr> allocMuSigSecNonce();
+
 }

coinlib/lib/src/secp256k1/secp256k1_base.dart

@@ -40,8 +40,10 @@ DynamicLibrary _openLibrary() => DynamicLibrary.open(_libraryPath());
 
 typedef PubKeyPtr = Pointer<secp256k1_pubkey>;
 typedef MuSigAggCachePtr = Pointer<secp256k1_musig_keyagg_cache>;
+typedef MuSigSecNoncePtr = Pointer<secp256k1_musig_secnonce>;
 
-typedef MuSigCache = MuSigCacheGeneric<MuSigAggCachePtr>;
+typedef MuSigCache = OpaqueGeneric<MuSigAggCachePtr>;
+typedef MuSigSecretNonce = OpaqueGeneric<MuSigSecNoncePtr>;
 
 /// Specialises Secp256k1Base to use the FFI
 class Secp256k1 extends Secp256k1Base<
@@ -56,6 +58,8 @@ class Secp256k1 extends Secp256k1Base<
   Pointer<Int>,
   MuSigAggCachePtr,
   Pointer<PubKeyPtr>,
+  MuSigSecNoncePtr,
+  Pointer<secp256k1_musig_pubnonce>,
   Pointer<Never>
 > {
 
@@ -96,6 +100,8 @@ class Secp256k1 extends Secp256k1Base<
     extEcPubkeySort = _lib.secp256k1_ec_pubkey_sort;
     extMuSigPubkeyAgg = _lib.secp256k1_musig_pubkey_agg;
     extMuSigPubkeyXOnlyTweakAdd = _lib.secp256k1_musig_pubkey_xonly_tweak_add;
+    extMuSigNonceGen = _lib.secp256k1_musig_nonce_gen;
+    extMuSigPubNonceSerialize = _lib.secp256k1_musig_pubnonce_serialize;
 
     // Set heap arrays
     key32Array = HeapBytesFfi(Secp256k1Base.privkeySize);
@@ -105,6 +111,7 @@ class Secp256k1 extends Secp256k1Base<
     entropyArray = HeapBytesFfi(Secp256k1Base.entropySize);
     serializedSigArray = HeapBytesFfi(Secp256k1Base.sigSize);
     derSigArray = HeapBytesFfi(Secp256k1Base.derSigSize);
+    muSigPubNonceArray = HeapBytesFfi(Secp256k1Base.muSigPubNonceSize);
 
     // Set other heap data
     sizeT = HeapSizeFfi();
@@ -114,6 +121,7 @@ class Secp256k1 extends Secp256k1Base<
     keyPair = HeapFfi(malloc());
     xPubKey = HeapFfi(malloc());
     recId = HeapIntFfi();
+    muSigPubNonce = HeapFfi(malloc());
 
     nullPtr = nullptr;
 
@@ -146,4 +154,7 @@ class Secp256k1 extends Secp256k1Base<
     return newCache;
   }
 
+  @override
+  Heap<MuSigSecNoncePtr> allocMuSigSecNonce() => HeapFfi(malloc());
+
 }

coinlib/lib/src/secp256k1/secp256k1_io.dart

@@ -5,14 +5,17 @@ import 'heap_wasm.dart';
 import "secp256k1_base.dart";
 import 'secp256k1.wasm.g.dart';
 
-typedef MuSigCache = MuSigCacheGeneric<int>;
+typedef MuSigCache = OpaqueGeneric<int>;
+typedef MuSigSecretNonce = OpaqueGeneric<int>;
 
 /// Loads and wraps WASM code to be run via the browser JS APIs
 class Secp256k1 extends Secp256k1Base<
-  int, int, int, int, int, int, int, int, int, int, int, int
+  int, int, int, int, int, int, int, int, int, int, int, int, int, int
 > {
 
   static const _muSigCacheSize = 197;
+  static const _muSigSecNonceSize = 132;
+  static const _muSigPubNonceSize = 132;
 
   late final HeapFactory _heapFactory;
 
@@ -60,6 +63,9 @@ class Secp256k1 extends Secp256k1Base<
     extMuSigPubkeyAgg = wasm.field("secp256k1_musig_pubkey_agg");
     extMuSigPubkeyXOnlyTweakAdd
       = wasm.field("secp256k1_musig_pubkey_xonly_tweak_add");
+    extMuSigNonceGen = wasm.field("secp256k1_musig_nonce_gen");
+    extMuSigPubNonceSerialize
+      = wasm.field("secp256k1_musig_pubnonce_serialize");
 
     // Local functions for loading purposes
     final int Function(int) contextCreate
@@ -81,6 +87,7 @@ class Secp256k1 extends Secp256k1Base<
     );
     serializedSigArray = _heapFactory.bytes(Secp256k1Base.sigSize);
     derSigArray = _heapFactory.bytes(Secp256k1Base.derSigSize);
+    muSigPubNonceArray = _heapFactory.bytes(Secp256k1Base.muSigPubNonceSize);
 
     // Heap objects
     pubKey = _heapFactory.alloc(Secp256k1Base.pubkeySize);
@@ -90,6 +97,7 @@ class Secp256k1 extends Secp256k1Base<
     keyPair = _heapFactory.alloc(Secp256k1Base.keyPairSize);
     xPubKey = _heapFactory.alloc(Secp256k1Base.xonlySize);
     recId = _heapFactory.integer();
+    muSigPubNonce = _heapFactory.alloc(_muSigPubNonceSize);
 
     nullPtr = 0;
 
@@ -118,4 +126,7 @@ class Secp256k1 extends Secp256k1Base<
     _muSigCacheSize, copyFrom: copyFrom,
   );
 
+  @override
+  Heap<int> allocMuSigSecNonce() => _heapFactory.alloc(_muSigSecNonceSize);
+
 }

coinlib/lib/src/secp256k1/secp256k1_web.dart

@@ -1,6 +1,7 @@
 import 'dart:typed_data';
 import 'package:coinlib/coinlib.dart';
 import 'package:test/test.dart';
+import '../vectors/keys.dart';
 
 void main() {
 
@@ -13,18 +14,10 @@ void main() {
       () => expect(() => MuSigPublicKeys({}), throwsArgumentError),
     );
 
-    Set<ECPublicKey> getKeys(bool compressed) => Iterable.generate(
-      3,
-      (i) => ECPrivateKey(
-        Uint8List(32)..last = i+1,
-        compressed: compressed,
-      ).pubkey,
-    ).toSet();
-
     test("aggregation works regardless of format", () {
 
-      final compressed = MuSigPublicKeys(getKeys(true)).aggregate;
-      final uncompressed = MuSigPublicKeys(getKeys(false)).aggregate;
+      final compressed = getMuSigKeys(true).aggregate;
+      final uncompressed = getMuSigKeys(false).aggregate;
 
       expect(compressed, uncompressed);
       expect(
@@ -36,7 +29,7 @@ void main() {
 
     test(".tweak", () {
 
-      final musig = MuSigPublicKeys(getKeys(true));
+      final musig = getMuSigKeys(true);
       final scalar = Uint8List(32)..last = 1;
 
       // Do twice to ensure cache doesn't mutate
@@ -58,4 +51,3 @@ void main() {
   });
 
 }
-

coinlib/test/musig/keys_test.dart

@@ -0,0 +1,29 @@
+import 'dart:typed_data';
+
+import 'package:coinlib/coinlib.dart';
+import 'package:coinlib/src/musig/signing.dart';
+import 'package:test/test.dart';
+import '../vectors/keys.dart';
+
+void main() {
+
+  group("MuSigStatefulSigningSession", () {
+
+    setUpAll(loadCoinlib);
+
+    test("creates unique public nonces", () {
+
+      final keys = getMuSigKeys();
+      final ourKey = keys.pubKeys.first;
+      Uint8List getNonce() => MuSigStatefulSigningSession(
+        keys: keys,
+        ourPublicKey: ourKey,
+      ).ourPublicNonce;
+
+      expect(getNonce(), isNot(getNonce()));
+
+    });
+
+  });
+
+}