Add partial signing

Author: MatthewLM

coinlib/bin/build_wasm.dart

@@ -86,6 +86,9 @@ RUN ${WASI_SDK_PATH}/bin/wasm-ld \
   --export secp256k1_musig_pubnonce_serialize \
   --export secp256k1_musig_nonce_agg \
   --export secp256k1_musig_nonce_process \
+  --export secp256k1_musig_partial_sign \
+  --export secp256k1_musig_partial_sig_parse \
+  --export secp256k1_musig_partial_sig_serialize \
   # The secp256k1 library file
   build/lib/libsecp256k1.a \
   # Need to include libc for wasi here as it isn't done for us

coinlib/lib/src/musig/signing.dart

@@ -28,6 +28,30 @@ class MuSigPublicNonce {
 
 }
 
+class InvalidMuSigPartialSig implements Exception {}
+
+/// The partial signature from a participant that needs to be shared.
+class MuSigPartialSig {
+
+  final OpaqueMuSigPartialSig _underlying;
+  final Uint8List bytes;
+
+  MuSigPartialSig._(this._underlying, this.bytes);
+  MuSigPartialSig._fromUnderlying(this._underlying)
+    : bytes = secp256k1.muSigSerialisePartialSig(_underlying);
+
+  /// Creates the partial signature from the [bytes]. If the [bytes] are
+  /// invalid, [InvalidMuSigPartialSig] will be thrown.
+  factory MuSigPartialSig.fromBytes(Uint8List bytes) {
+    try {
+      return MuSigPartialSig._(secp256k1.muSigParsePartialSig(bytes), bytes);
+    } on Secp256k1Exception {
+      throw InvalidMuSigPartialSig();
+    }
+  }
+
+}
+
 /// A MuSig signing session state to be used for one signing session only.
 ///
 /// This class is stateful unlike most of the classes in the library. This is to
@@ -51,8 +75,8 @@ class MuSigStatefulSigningSession {
   /// key for the signer with [ourPublicKey].
   ///
   /// [ourPublicNonce] needs to be shared with other signers. Once all details
-  /// and public nonces have been obtained, the signing session can be prepared
-  /// with [prepare].
+  /// and public nonces have been obtained, [sign] can be called to create a
+  /// partial signature.
   MuSigStatefulSigningSession({
     required this.keys,
     required this.ourPublicKey,
@@ -72,25 +96,37 @@ class MuSigStatefulSigningSession {
 
   }
 
-  /// Prepares the MuSig signing session with details required to produce
-  /// partial signatures. This can only be done once.
+  /// Produces a partial signature with the required details. This can only be
+  /// done once or a [StateError] will be thrown.
   ///
   /// [otherNonces] must map the public key of all other participants with their
   /// shared public nonces.
   ///
   /// [hash] must be the 32-byte hash to be signed.
   ///
+  /// The [privKey] must be paired with [ourPublicKey].
+  ///
   /// An optional [adaptor] point can be provided to produce an adaptor
   /// signature.
-  void prepare({
+  MuSigPartialSig sign({
     required KeyToNonceMap otherNonces,
     required Uint8List hash,
+    required ECPrivateKey privKey,
     ECPublicKey? adaptor,
   }) {
 
     checkBytes(hash, 32);
 
-    // Ensure we haven't already aggregated the nonces
+    // Check private key matches the participant's public key
+    if (privKey.pubkey != ourPublicKey) {
+      throw ArgumentError.value(
+        privKey,
+        "privKey",
+        "doesn't match outPublicKey",
+      );
+    }
+
+    // Ensure we haven't already produced a partial signature
     if (_underlyingSession != null) {
       throw StateError("Already prepared signing session");
     }
@@ -120,6 +156,13 @@ class MuSigStatefulSigningSession {
     );
     _otherNonces = otherNonces;
 
+    // Produce partial signature
+    return MuSigPartialSig._fromUnderlying(
+      secp256k1.muSigPartialSign(
+        _ourSecretNonce, privKey.data, keys._aggCache, _underlyingSession!,
+      ),
+    );
+
   }
 
 }

coinlib/lib/src/secp256k1/secp256k1.dart

@@ -1,6 +1,6 @@
 import 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart';
 export 'secp256k1_web.dart' if (dart.library.io) 'secp256k1_io.dart'
   show OpaqueMuSigCache, OpaqueMuSigSecretNonce, OpaqueMuSigPublicNonce,
-  OpaqueMuSigSession;
+  OpaqueMuSigSession, OpaqueMuSigPartialSig;
 
 final secp256k1 = Secp256k1();

coinlib/lib/src/secp256k1/secp256k1.wasm.g.dart

@@ -1,4 +1,5 @@
 import 'dart:typed_data';
+import 'package:coinlib/coinlib.dart';
 import 'package:coinlib/src/crypto/random.dart';
 import 'heap.dart';
 
@@ -24,7 +25,7 @@ abstract class Secp256k1Base<
   CtxPtr, UCharPtr, PubKeyPtr, SizeTPtr, SignaturePtr,
   RecoverableSignaturePtr, KeyPairPtr, XPubKeyPtr, IntPtr, MuSigAggCachePtr,
   PubKeyPtrPtr, MuSigSecNoncePtr, MuSigPubNoncePtr, MuSigAggNoncePtr,
-  MuSigPubNoncePtrPtr, MuSigSessionPtr, NullPtr
+  MuSigPubNoncePtrPtr, MuSigSessionPtr, MuSigPartialSigPtr, NullPtr
 > {
 
   static const contextNone = 1;
@@ -39,6 +40,7 @@ abstract class Secp256k1Base<
   static const sigSize = 64;
   static const derSigSize = 72;
   static const muSigPubNonceSize = 66;
+  static const muSigPartialSigSize = 32;
   static const recSigSize = 65;
   static const keyPairSize = 96;
   static const xonlySize = 32;
@@ -125,6 +127,16 @@ abstract class Secp256k1Base<
     CtxPtr, MuSigSessionPtr, MuSigAggNoncePtr, UCharPtr, MuSigAggCachePtr,
     NullPtr,
   ) extMuSigNonceProcess;
+  late int Function(
+    CtxPtr, MuSigPartialSigPtr, MuSigSecNoncePtr, KeyPairPtr, MuSigAggCachePtr,
+    MuSigSessionPtr,
+  ) extMuSigPartialSign;
+  late int Function(
+    CtxPtr, MuSigPartialSigPtr, UCharPtr,
+  ) extMuSigPartialSigParse;
+  late int Function(
+    CtxPtr, UCharPtr, MuSigPartialSigPtr,
+  ) extMuSigPartialSigSerialize;
 
   // Heap arrays
 
@@ -640,8 +652,8 @@ abstract class Secp256k1Base<
 
   }
 
-  /// Returns an opaque allocated public MuSig2 nonce from the 66-byte [bytes].
-  /// If the nonce is invalid, [Secp256k1Exception] may be thrown.
+  /// Returns an opaque public MuSig2 nonce from the 66-byte [bytes]. If the
+  /// nonce is invalid, [Secp256k1Exception] may be thrown.
   OpaqueGeneric<MuSigPubNoncePtr> muSigParsePublicNonce(Uint8List bytes) {
     _requireLoad();
 
@@ -660,6 +672,7 @@ abstract class Secp256k1Base<
 
   }
 
+  /// Obtains the 66 byte serialised public MuSig nonce
   Uint8List muSigSerialisePublicNonce(OpaqueGeneric<MuSigPubNoncePtr> nonce) {
     _requireLoad();
     extMuSigPubNonceSerialize(ctxPtr, muSigPubNonceArray.ptr, nonce._heap.ptr);
@@ -712,6 +725,65 @@ abstract class Secp256k1Base<
 
   }
 
+  /// Produces a partial signature for the MuSig signing [session] using the
+  /// [secNonce], key [cache] and [privKeyBytes].
+  ///
+  /// The caller must ensure that the private key scalar is 32-bytes.
+  OpaqueGeneric<MuSigPartialSigPtr> muSigPartialSign(
+    OpaqueGeneric<MuSigSecNoncePtr> secNonce,
+    Uint8List privKeyBytes,
+    OpaqueGeneric<MuSigAggCachePtr> cache,
+    OpaqueGeneric<MuSigSessionPtr> session,
+  ) {
+    _requireLoad();
+
+    _parsePrivKeyIntoKeyPairPtr(privKeyBytes);
+
+    final partialSig = allocMuSigPartialSig();
+
+    if (
+      extMuSigPartialSign(
+        ctxPtr, partialSig.ptr, secNonce._heap.ptr, keyPair.ptr,
+        cache._heap.ptr, session._heap.ptr,
+      ) != 1
+    ) {
+      throw Secp256k1Exception("Could not create partial MuSig signature");
+    }
+
+    return OpaqueGeneric(partialSig);
+
+  }
+
+  /// Returns an opaque MuSig2 partial signature from the 32-byte [bytes].
+  /// If the partial signature is invalid, [Secp256k1Exception] may be thrown.
+  OpaqueGeneric<MuSigPartialSigPtr> muSigParsePartialSig(Uint8List bytes) {
+    _requireLoad();
+
+    if (bytes.length != muSigPartialSigSize) {
+      throw Secp256k1Exception("MuSig partial signature size must be 32");
+    }
+
+    // Reuse scalarArray as it is 32 bytes
+    scalarArray.load(bytes);
+    final partialSig = allocMuSigPartialSig();
+
+    if (extMuSigPartialSigParse(ctxPtr, partialSig.ptr, scalarArray.ptr) != 1) {
+      throw Secp256k1Exception("Invalid MuSig partial signature");
+    }
+
+    return OpaqueGeneric(partialSig);
+
+  }
+
+  /// Obtains the serialised 32 bytes of a MuSig partial signature
+  Uint8List muSigSerialisePartialSig(
+    OpaqueGeneric<MuSigPartialSigPtr> partialSig,
+  ) {
+    _requireLoad();
+    extMuSigPartialSigSerialize(ctxPtr, scalarArray.ptr, partialSig._heap.ptr);
+    return scalarArray.copy;
+  }
+
   /// Specialised sub-classes should override to allocate a [size] number of
   /// secp256k1_pubkey and then alloate and set an array of pointers on the heap
   /// to them.
@@ -745,4 +817,8 @@ abstract class Secp256k1Base<
   /// secp256k1_musig_session on the heap.
   Heap<MuSigSessionPtr> allocMuSigSession();
 
+  /// Specialised sub-classes should override to allocate an
+  /// secp256k1_musig_partial_sig on the heap.
+  Heap<MuSigPartialSigPtr> allocMuSigPartialSig();
+
 }

coinlib/lib/src/secp256k1/secp256k1_base.dart

@@ -43,11 +43,13 @@ typedef MuSigAggCachePtr = Pointer<secp256k1_musig_keyagg_cache>;
 typedef MuSigSecNoncePtr = Pointer<secp256k1_musig_secnonce>;
 typedef MuSigPublicNoncePtr = Pointer<secp256k1_musig_pubnonce>;
 typedef MuSigSessionPtr = Pointer<secp256k1_musig_session>;
+typedef MuSigPartialSigPtr = Pointer<secp256k1_musig_partial_sig>;
 
 typedef OpaqueMuSigCache = OpaqueGeneric<MuSigAggCachePtr>;
 typedef OpaqueMuSigSecretNonce = OpaqueGeneric<MuSigSecNoncePtr>;
 typedef OpaqueMuSigPublicNonce = OpaqueGeneric<MuSigPublicNoncePtr>;
 typedef OpaqueMuSigSession = OpaqueGeneric<MuSigSessionPtr>;
+typedef OpaqueMuSigPartialSig = OpaqueGeneric<MuSigPartialSigPtr>;
 
 /// Specialises Secp256k1Base to use the FFI
 class Secp256k1 extends Secp256k1Base<
@@ -67,6 +69,7 @@ class Secp256k1 extends Secp256k1Base<
   Pointer<secp256k1_musig_aggnonce>,
   Pointer<MuSigPublicNoncePtr>,
   MuSigSessionPtr,
+  MuSigPartialSigPtr,
   Pointer<Never>
 > {
 
@@ -112,6 +115,9 @@ class Secp256k1 extends Secp256k1Base<
     extMuSigPubNonceSerialize = _lib.secp256k1_musig_pubnonce_serialize;
     extMuSigNonceAgg = _lib.secp256k1_musig_nonce_agg;
     extMuSigNonceProcess = _lib.secp256k1_musig_nonce_process;
+    extMuSigPartialSign = _lib.secp256k1_musig_partial_sign;
+    extMuSigPartialSigParse = _lib.secp256k1_musig_partial_sig_parse;
+    extMuSigPartialSigSerialize = _lib.secp256k1_musig_partial_sig_serialize;
 
     // Set heap arrays
     key32Array = HeapBytesFfi(Secp256k1Base.privkeySize);
@@ -179,4 +185,7 @@ class Secp256k1 extends Secp256k1Base<
   @override
   Heap<MuSigSessionPtr> allocMuSigSession() => HeapFfi(malloc());
 
+  @override
+  Heap<MuSigPartialSigPtr> allocMuSigPartialSig() => HeapFfi(malloc());
+
 }

coinlib/lib/src/secp256k1/secp256k1_io.dart

@@ -9,16 +9,18 @@ typedef OpaqueMuSigCache = OpaqueGeneric<int>;
 typedef OpaqueMuSigSecretNonce = OpaqueGeneric<int>;
 typedef OpaqueMuSigPublicNonce = OpaqueGeneric<int>;
 typedef OpaqueMuSigSession = OpaqueGeneric<int>;
+typedef OpaqueMuSigPartialSig = OpaqueGeneric<int>;
 
 /// Loads and wraps WASM code to be run via the browser JS APIs
 class Secp256k1 extends Secp256k1Base<
   int, int, int, int, int, int, int, int, int, int, int, int, int, int, int,
-  int, int
+  int, int, int
 > {
 
   static const _muSigCacheSize = 197;
   static const _muSigNonceSize = 132;
   static const _muSigSessionSize = 133;
+  static const _muSigPartialSigSize = 36;
 
   late final HeapFactory _heapFactory;
 
@@ -72,6 +74,10 @@ class Secp256k1 extends Secp256k1Base<
       = wasm.field("secp256k1_musig_pubnonce_serialize");
     extMuSigNonceAgg = wasm.field("secp256k1_musig_nonce_agg");
     extMuSigNonceProcess = wasm.field("secp256k1_musig_nonce_process");
+    extMuSigPartialSign = wasm.field("secp256k1_musig_partial_sign");
+    extMuSigPartialSigParse = wasm.field("secp256k1_musig_partial_sig_parse");
+    extMuSigPartialSigSerialize
+      = wasm.field("secp256k1_musig_partial_sig_serialize");
 
     // Local functions for loading purposes
     final int Function(int) contextCreate
@@ -146,4 +152,7 @@ class Secp256k1 extends Secp256k1Base<
   @override
   Heap<int> allocMuSigSession() => _heapFactory.alloc(_muSigSessionSize);
 
+  @override
+  Heap<int> allocMuSigPartialSig() => _heapFactory.alloc(_muSigPartialSigSize);
+
 }