Derive MuSigPublicKeys for DLCs avoiding key reuse

Author: MatthewLM

coinlib/CHANGELOG.md

@@ -15,6 +15,7 @@ secp256k1-coinlib fork.
     inclusion.
 - Moves to underlying secp256k1-coinlib.
 - Removed dependency to wasm_interop that had a broken js dependency.
+- `Writable.toBytes()` returns a copy of the cached bytes to avoid mutation.
 - Fixes `extraEntropy` being ignored for `Secp256k1Base.schnorrSign`.
 
 ## 4.1.0

coinlib/lib/src/common/serial.dart

@@ -1,9 +1,6 @@
 import 'dart:typed_data';
 import 'package:coinlib/src/common/hex.dart';
-import 'package:coinlib/src/crypto/ec_compressed_public_key.dart';
-import 'package:coinlib/src/crypto/ec_public_key.dart';
 import 'package:coinlib/src/tx/locktime.dart';
-
 import 'checks.dart';
 
 /// Thrown when attempting to read or write beyond the boundary of data
@@ -97,22 +94,6 @@ class BytesReader extends _ReadWriteBase {
   List<T> readListWithFunc<T>(T Function() read)
     => List<T>.generate(readVarInt().toInt(), (_) => read());
 
-  /// Reads a list of public keys that are in compressed format.
-  List<ECPublicKey> readPubKeyVector() => readListWithFunc(
-    () => ECPublicKey(readSlice(33)),
-  );
-
-  Map<K, V> readMap<K, V>(K Function() readKey, V Function() readValue)
-    => Map.fromEntries(
-      Iterable.generate(
-        readVarInt().toInt(),
-        (_) => MapEntry(readKey(), readValue()),
-      ),
-    );
-
-  Map<ECPublicKey, V> readPubKeyMap<V>(V Function() readValue)
-    => readMap(() => ECPublicKey(readSlice(33)), readValue);
-
   Locktime readLocktime() => Locktime(readUInt32());
 
 }
@@ -153,37 +134,6 @@ mixin Writer {
     }
   }
 
-  /// Writes a list of public keys. They will be converted to compressed format
-  /// if necessary.
-  void writePubKeyVector(List<ECPublicKey> keys) => writeListWithFunc(
-    keys, (key) => writeSlice(ECCompressedPublicKey.fromPubkey(key).data),
-  );
-
-  /// Writes a map serialising the keys and values using [writeKey] and
-  /// [writeValue].
-  void writeMap<K, V>(
-    Map<K, V> map,
-    void Function(K) writeKey,
-    void Function(V) writeValue,
-  ) {
-    writeVarInt(BigInt.from(map.length));
-    for (final entry in map.entries) {
-      writeKey(entry.key);
-      writeValue(entry.value);
-    }
-  }
-
-  /// Writes a map using public keys as map keys which will be converted into
-  /// compressed format if necessary.
-  void writePubKeyMap<V>(
-    Map<ECPublicKey, V> map,
-    void Function(V) writeValue,
-  ) => writeMap(
-    map,
-    (key) => writeSlice(ECCompressedPublicKey.fromPubkey(key).data),
-    writeValue,
-  );
-
   /// Writes a vector of all the writable elements
   void writeWritableVector(List<Writable> list) {
     writeVarInt(BigInt.from(list.length));
@@ -316,14 +266,19 @@ mixin Writable {
   /// Override to write data into [writer]
   void write(Writer writer);
 
-  /// Obtains a cached [Uint8List] with data serialized for this object
+  /// Obtains a copy of a [Uint8List] with data serialized for this
+  /// object. The serialisation is cached allowing this to be called multiple
+  /// times without writing from the object each time.
   Uint8List toBytes() {
-    if (_cache != null) return _cache!;
-    final bytes = Uint8List(size);
-    final writer = BytesWriter(bytes);
-    write(writer);
-    _sizeCache = bytes.length;
-    return _cache = bytes;
+
+    if (_cache == null) {
+      _cache = Uint8List(size);
+      write(BytesWriter(_cache!));
+      _sizeCache = _cache!.length;
+    }
+
+    return Uint8List.fromList(_cache!);
+
   }
 
   String toHex() => bytesToHex(toBytes());

coinlib/lib/src/dlc/terms.dart

@@ -1,11 +1,15 @@
 import 'dart:typed_data';
+import 'package:coinlib/src/common/bytes.dart';
 import 'package:coinlib/src/common/hex.dart';
 import 'package:coinlib/src/common/serial.dart';
 import 'package:coinlib/src/crypto/ec_public_key.dart';
+import 'package:coinlib/src/crypto/hash.dart';
+import 'package:coinlib/src/musig/library.dart';
 import 'package:coinlib/src/network.dart';
 import 'package:coinlib/src/tx/locktime.dart';
 import 'package:coinlib/src/tx/output.dart';
 import 'package:coinlib/src/tx/transaction.dart';
+import 'package:collection/collection.dart';
 
 class InvalidDLCTerms implements Exception {
 
@@ -21,13 +25,50 @@ class InvalidDLCTerms implements Exception {
     : this("Contains output value less than min of $min");
   InvalidDLCTerms.smallFunding(BigInt min)
     : this("Contains funding value less than min of $min");
+  InvalidDLCTerms.notOrdered()
+    : this("The input bytes contain out-of-order keys");
 
 }
 
-BigInt addBigInts(Iterable<BigInt> ints) => ints.fold(
+BigInt _addBigInts(Iterable<BigInt> ints) => ints.fold(
   BigInt.zero, (a, b) => a+b,
 );
 
+Map<ECPublicKey, T> _xOnlyUnmodifiableMap<T>(Map<ECPublicKey, T> map)
+  => Map.unmodifiable(map.map((key, v) => MapEntry(key.xonly, v)));
+
+Map<ECPublicKey, T> _readPubKeyMap<T>(
+  BytesReader reader,
+  T Function() readValue,
+) => Map.fromEntries(
+  Iterable.generate(
+    reader.readVarInt().toInt(),
+    (_) => MapEntry(
+      ECPublicKey.fromXOnly(reader.readSlice(32)),
+      readValue(),
+    ),
+  ),
+);
+
+void _writeOrderedPubkeyMap<T>(
+  Writer writer,
+  Map<ECPublicKey, T> map,
+  void Function(T) writeValue,
+) {
+
+  writer.writeVarInt(BigInt.from(map.length));
+
+  final orderedEntries = map.entries
+    .map((entry) => MapEntry(entry.key.x, entry.value))
+    .sortedByCompare((entry) => entry.key, compareBytes);
+
+  for (final entry in orderedEntries) {
+    writer.writeSlice(entry.key);
+    writeValue(entry.value);
+  }
+
+}
+
 /// A CET will pay to the [outputs] with the value of each output evenly reduced
 /// to cover the transaction fee.
 class CETOutputs {
@@ -53,7 +94,7 @@ class CETOutputs {
     }
   }
 
-  BigInt get totalValue => addBigInts(outputs.map((out) => out.value));
+  BigInt get totalValue => _addBigInts(outputs.map((out) => out.value));
 
 }
 
@@ -72,8 +113,8 @@ class DLCTerms with Writable {
   /// The version of the protocol is currently 1
   static final int version = 1;
 
-  /// A list of participants that must sign all CETs and RTs for the DLCs.
-  final List<ECPublicKey> participants;
+  /// A set of participants that must sign all CETs and RTs for the DLCs.
+  final Set<ECPublicKey> participants;
 
   /// How much each participant is expected to fund the DLC. A public key may
   /// refer to a funder outside of [participants] if they are not expected to
@@ -105,17 +146,18 @@ class DLCTerms with Writable {
   /// broadcast of a CET, but this is not checked.
   final Locktime refundLocktime;
 
-  /// May throw [InvalidDLCTerms].
+  /// All [ECPublicKey]s will be coerced into x-only public keys. May throw
+  /// [InvalidDLCTerms].
   DLCTerms({
-    required List<ECPublicKey> participants,
+    required Set<ECPublicKey> participants,
     required Map<ECPublicKey, BigInt> fundAmounts,
     required Map<ECPublicKey, CETOutputs> outcomes,
     required this.refundLocktime,
     required Network network,
   }) :
-    participants = List.unmodifiable(participants),
-    fundAmounts = Map.unmodifiable(fundAmounts),
-    outcomes = Map.unmodifiable(outcomes) {
+    participants = Set.unmodifiable(participants.map((key) => key.xonly)),
+    fundAmounts = _xOnlyUnmodifiableMap(fundAmounts),
+    outcomes = _xOnlyUnmodifiableMap(outcomes) {
 
     // There should not be any funding amount for a participant which is under
     // the minimum output
@@ -124,7 +166,7 @@ class DLCTerms with Writable {
     }
 
     // The outcome output amounts must add up to the total funded amount
-    final totalToFund = addBigInts(fundAmounts.values);
+    final totalToFund = _addBigInts(fundAmounts.values);
     if (
       outcomes.values.any(
         (outcome) => outcome.totalValue.compareTo(totalToFund) != 0,
@@ -146,10 +188,14 @@ class DLCTerms with Writable {
       throw InvalidDLCTerms.badVersion(version);
     }
 
-    return DLCTerms(
-      participants: reader.readPubKeyVector(),
-      fundAmounts: reader.readPubKeyMap(() => reader.readVarInt()),
-      outcomes: reader.readPubKeyMap(
+    final terms = DLCTerms(
+      participants: Iterable.generate(
+        reader.readVarInt().toInt(),
+        (_) => ECPublicKey.fromXOnly(reader.readSlice(32)),
+      ).toSet(),
+      fundAmounts: _readPubKeyMap(reader, () => reader.readVarInt()),
+      outcomes: _readPubKeyMap(
+        reader,
         () => CETOutputs(
           reader.readListWithFunc(() => Output.fromReader(reader)),
           network,
@@ -159,6 +205,15 @@ class DLCTerms with Writable {
       network: network,
     );
 
+    // Check public keys were ordered correctly
+    // This is not the optimal way to do this but is simple
+    final inBytes = reader.bytes.buffer.asUint8List();
+    if (compareBytes(inBytes, terms.toBytes()) != 0) {
+      throw InvalidDLCTerms.notOrdered();
+    }
+
+    return terms;
+
   }
 
   factory DLCTerms.fromBytes(Uint8List bytes, Network network)
@@ -168,19 +223,43 @@ class DLCTerms with Writable {
     => DLCTerms.fromBytes(hexToBytes(hex), network);
 
   @override
-  /// The public keys will be written as compressed public keys
   void write(Writer writer) {
+
     writer.writeUInt16(version);
-    writer.writePubKeyVector(participants);
-    writer.writePubKeyMap(
+
+    // Sort the public keys ensuring the written set is always the same
+    writer.writeVarInt(BigInt.from(participants.length));
+    for (final key in participants.map((key) => key.x).sorted(compareBytes)) {
+      writer.writeSlice(key);
+    }
+
+    _writeOrderedPubkeyMap(
+      writer,
       fundAmounts,
-      (amount) => writer.writeVarInt(amount),
+      (amt) => writer.writeVarInt(amt),
     );
-    writer.writePubKeyMap(
+
+    _writeOrderedPubkeyMap(
+      writer,
       outcomes,
       (outputs) => writer.writeWritableVector(outputs.outputs),
     );
+
     writer.writeLocktime(refundLocktime);
+
   }
 
+  // Use a tagged hasher to avoid potential conflicts that could lead to key
+  // reuse
+  static final _dlcKeyTweakHash = getTaggedHasher("CoinlibDLCKeyTweak");
+  Uint8List? _tweakHashCache;
+
+  /// Obtains the tweaked MuSig2 aggregate key for this DLC. The key is
+  /// aggregated from the [participants] and then tweaked from the [DLCTerms]
+  /// data to prevent key-reuse across multiple DLCs in the event that
+  /// participants re-use their individual keys.
+  MuSigPublicKeys get musig => MuSigPublicKeys(participants).tweak(
+    _tweakHashCache ??= _dlcKeyTweakHash(toBytes()),
+  );
+
 }

coinlib/lib/src/taproot/taproot.dart

@@ -5,7 +5,6 @@ import 'package:coinlib/src/crypto/ec_private_key.dart';
 import 'package:coinlib/src/crypto/ec_public_key.dart';
 import 'package:coinlib/src/crypto/hash.dart';
 import 'package:coinlib/src/scripts/script.dart';
-import 'package:collection/collection.dart';
 
 /// This class encapsulates the construction of Taproot tweaked keys given an
 /// internal key and MAST consisting of Tapscript leaves constructed with
@@ -135,16 +134,7 @@ class TapBranch implements TapNode {
 
   // Used to determine which hash should be encoded first. The smallest hash
   // should be first.
-  bool _leftFirst() {
-
-    for (final pair in IterableZip([l.hash, r.hash])) {
-      if (pair[0] < pair[1]) return true;
-      if (pair[0] > pair[1]) return false;
-    }
-
-    return true;
-
-  }
+  bool _leftFirst() => compareBytes(l.hash, r.hash) <= 0;
 
   Uint8List? _hashCache;
   @override

coinlib/test/common/serial_test.dart

@@ -278,6 +278,8 @@ void main() {
       // Should work OK twice
       final obj = WritableTestTx();
       for (int i = 0; i < 2; i++) {
+        // Should copy bytes with no mutation to underlying
+        obj.toBytes()[0] = 0xff;
         expect(obj.toBytes(), expData);
         expect(obj.toHex(), bytesToHex(expData));
         expect(obj.size, expSize);