Skip to content

Commit

Permalink
restore point where added sigs verify but single ones don't
Browse files Browse the repository at this point in the history
  • Loading branch information
@yeastplume
yeastplume committed Jan 5, 2018
1 parent 0c302a1 commit 97fe54e
Show file tree
Hide file tree
Showing 3 changed files with 138 additions and 25 deletions.
10 changes: 7 additions & 3 deletions include/secp256k1_aggsig.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -89,11 +89,12 @@ SECP256K1_API int secp256k1_aggsig_generate_nonce(
* In: seed: A random seed value
* Out: secnonce32: The secure nonce (scalar)
*/
SECP256K1_API int secp256k1_aggsig_export_secnonce_single(
SECP256K1_API int secp256k1_aggsig_export_nonces_single(
const secp256k1_context* ctx,
unsigned char* secnonce32,
secp256k1_pubkey* pubkey_nonce,
const unsigned char* seed
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT;
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_WARN_UNUSED_RESULT;

/** Generate a single-signer signature, without a stored context
*
Expand All @@ -105,6 +106,7 @@ SECP256K1_API int secp256k1_aggsig_export_secnonce_single(
* secnonce32: secret nonce to use. If NULL, a nonce will be generated
* pubnonce: If this is non-NULL, encode this value in e instead of the derived
* public nonce of secnonce32
* final_nonce_sum: If intending to add the signatures, include the final nonce sum to know whether the sec nonce should be negated
* seed: a 32-byte seed to use for the nonce-generating RNG (cannot be NULL)
*/

Expand All @@ -115,8 +117,9 @@ SECP256K1_API int secp256k1_aggsig_sign_single(
const unsigned char *seckey32,
const unsigned char* secnonce32,
const secp256k1_pubkey *pubnonce,
const unsigned int negate,
const unsigned char* seed)
SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7) SECP256K1_WARN_UNUSED_RESULT;
SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8) SECP256K1_WARN_UNUSED_RESULT;

/** Generate a single signature part in an aggregated signature
*
Expand Down Expand Up @@ -230,6 +233,7 @@ SECP256K1_API int secp256k1_aggsig_build_scratch_and_verify(
size_t n_pubkeys
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_WARN_UNUSED_RESULT;

SECP256K1_API int secp256k1_aggsig_add_pubnonces_single(const secp256k1_context* ctx, secp256k1_pubkey* pubnonce, unsigned int* negate, const secp256k1_pubkey* pubnonce1, const secp256k1_pubkey* pubnonce2);
# ifdef __cplusplus
}
# endif
Expand Down
85 changes: 69 additions & 16 deletions src/modules/aggsig/main_impl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ int secp256k1_aggsig_sign_single(const secp256k1_context* ctx,
const unsigned char *seckey32,
const unsigned char* secnonce32,
const secp256k1_pubkey* pubnonce,
const unsigned int negate,
const unsigned char* seed){

secp256k1_scalar sighash;
Expand Down Expand Up @@ -211,26 +212,53 @@ int secp256k1_aggsig_sign_single(const secp256k1_context* ctx,
return 0;
}
secp256k1_rfc6979_hmac_sha256_finalize(&rng);
secp256k1_ge_set_gej(&tmp_ge, &pubnonce_j);
if (!secp256k1_gej_has_quad_y_var(&pubnonce_j)) {
secp256k1_scalar_negate(&secnonce, &secnonce);
secp256k1_gej_neg(&pubnonce_j, &pubnonce_j);
}
secp256k1_fe_normalize(&tmp_ge.x);
} else {
/* Use existing nonce */
/* Calculate what this + pub nonce would be normally */
secp256k1_scalar_set_b32(&secnonce, secnonce32, &retry);
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubnonce_j, &secnonce);
/* TODO: Check if this is needed here */
/* Negate nonce if needed to get y to be a quadratic residue */
if (!secp256k1_gej_has_quad_y_var(&pubnonce_j)) {
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubnonce_j, &secnonce);
/* Negate nonce if needed to get y to be a quadratic residue */
if (!secp256k1_gej_has_quad_y_var(&pubnonce_j)) {
printf("NO QUAD Y VAR\n");
/* Comment out: partial validation doesn't work,
* leave in: summed validation doesn't work */
/*secp256k1_scalar_negate(&secnonce, &secnonce);*/
}

secp256k1_ge_set_gej(&tmp_ge, &pubnonce_j);

/* And negate if it should be negated */
if (negate) {
printf("NEGATE\n");
secp256k1_scalar_negate(&secnonce, &secnonce);
secp256k1_gej_neg(&pubnonce_j, &pubnonce_j);
secp256k1_gej_neg(&pubnonce_j, &pubnonce_j);
secp256k1_ge_set_gej(&tmp_ge, &pubnonce_j);
}

/*if ((no_quad_y && !negate) || (!no_quad_y && negate)){
printf("WAT DOO TO ALLOW PARTIAL CHECK TO WORK?\n");
}*/
secp256k1_fe_normalize(&tmp_ge.x);
}

/* compute signature hash (in the simple case just message+pubnonce) */
secp256k1_ge_set_gej(&tmp_ge, &pubnonce_j);
#if 0
if (!secp256k1_gej_has_quad_y_var(&pubnonce_j)) {
printf("Should negate....\n");
/*secp256k1_gej_neg(&pubnonce_j, &pubnonce_j);*/
secp256k1_scalar_negate(&secnonce, &secnonce);
/*secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubnonce_j, &secnonce);*/
secp256k1_ge_neg(&tmp_ge, &tmp_ge);
}
secp256k1_fe_normalize(&tmp_ge.x);
#endif
/*secp256k1_fe_normalize(&tmp_ge.x);*/

/* compute signature hash (in the simple case just message+pubnonce) */
if (pubnonce != NULL) {
secp256k1_compute_sighash_single(ctx, &sighash, pubnonce, msg32);
} else {
Expand Down Expand Up @@ -352,13 +380,41 @@ int secp256k1_aggsig_combine_signatures(const secp256k1_context* ctx, secp256k1_
return 1;
}


int secp256k1_aggsig_add_pubnonces_single(const secp256k1_context* ctx, secp256k1_pubkey* pubnonce, unsigned int* negate, const secp256k1_pubkey* pubnonce1, const secp256k1_pubkey* pubnonce2) {
secp256k1_gej pubnonce_sum;
secp256k1_ge noncesum_pt;
secp256k1_ge tmp_ge;

VERIFY_CHECK(ctx != NULL);
ARG_CHECK(pubnonce != NULL);
ARG_CHECK(pubnonce1 != NULL);
ARG_CHECK(pubnonce2 != NULL);

*negate = 0;

/* Add nonces together */
secp256k1_gej_set_infinity(&pubnonce_sum);
secp256k1_pubkey_load(ctx, &noncesum_pt, pubnonce1);
secp256k1_gej_add_ge(&pubnonce_sum, &pubnonce_sum, &noncesum_pt);
secp256k1_pubkey_load(ctx, &noncesum_pt, pubnonce2);
secp256k1_gej_add_ge(&pubnonce_sum, &pubnonce_sum, &noncesum_pt);

if (!secp256k1_gej_has_quad_y_var(&pubnonce_sum)) {
secp256k1_gej_neg(&pubnonce_sum, &pubnonce_sum);
*negate = 1;
}

secp256k1_ge_set_gej(&tmp_ge, &pubnonce_sum);
secp256k1_pubkey_save(pubnonce, &tmp_ge);
return 1;
}

int secp256k1_aggsig_add_signatures_single(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char* sig1_64, const unsigned char* sig2_64, secp256k1_pubkey* pubnonce1, secp256k1_pubkey* pubnonce2) {
secp256k1_scalar s;
secp256k1_ge final;
secp256k1_scalar tmp;
secp256k1_gej pubnonce_sum;
const secp256k1_pubkey *nonces[2];
secp256k1_pubkey noncesum;
secp256k1_ge noncesum_pt;
int overflow;

Expand All @@ -384,16 +440,13 @@ int secp256k1_aggsig_add_signatures_single(const secp256k1_context* ctx, unsigne
secp256k1_scalar_add(&s, &s, &tmp);

/* Add nonces together */
nonces[0]=pubnonce1;
nonces[1]=pubnonce2;
CHECK(secp256k1_ec_pubkey_combine(ctx, &noncesum, nonces, 2) == 1);

secp256k1_gej_set_infinity(&pubnonce_sum);
secp256k1_pubkey_load(ctx, &noncesum_pt, &noncesum);
secp256k1_pubkey_load(ctx, &noncesum_pt, pubnonce1);
secp256k1_gej_add_ge(&pubnonce_sum, &pubnonce_sum, &noncesum_pt);
secp256k1_pubkey_load(ctx, &noncesum_pt, pubnonce2);
secp256k1_gej_add_ge(&pubnonce_sum, &pubnonce_sum, &noncesum_pt);

if (!secp256k1_gej_has_quad_y_var(&pubnonce_sum)) {
printf("NEGATINGGGGG");
secp256k1_gej_neg(&pubnonce_sum, &pubnonce_sum);
}

Expand Down
68 changes: 62 additions & 6 deletions src/modules/aggsig/tests_impl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,17 @@ void test_aggsig_api(void) {
secp256k1_aggsig_context *aggctx;
unsigned char seed[32] = { 1, 2, 3, 4, 0 };
unsigned char sig[64];
unsigned char sig2[64];
unsigned char combined_sig[64];
unsigned char sec_nonces[5][32];
unsigned int negate;
secp256k1_pubkey pub_nonces[5];
unsigned char orig_sig;
unsigned char *msg = seed; /* shh ;) */
const secp256k1_pubkey* pubkey_combiner[2];
secp256k1_pubkey combiner_sum;
int32_t ecount = 0;

size_t i;

secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
Expand Down Expand Up @@ -137,7 +145,7 @@ void test_aggsig_api(void) {

/* Test single api */
memset(sig, 0, sizeof(sig));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], NULL, NULL, seed));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], NULL, NULL, 0, seed));
CHECK(ecount == 20);
CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, NULL, &pubkeys[0]));
CHECK(!secp256k1_aggsig_verify_single(vrfy, sig, msg, NULL, &pubkeys[1]));
Expand All @@ -151,16 +159,64 @@ void test_aggsig_api(void) {

/* Overriding sec nonce */
memset(sig, 0, sizeof(sig));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], seckeys[1], NULL, seed));
CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, NULL, &pubkeys[0]));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], seckeys[1], NULL, 0, seed));
/*CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, NULL, &pubkeys[0]));*/

/* Overriding sec nonce and pub nonce encoded in e */
memset(sig, 0, sizeof(sig));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], seckeys[1], &pubkeys[3], seed));
CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &pubkeys[3], &pubkeys[0]));
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], seckeys[1], &pubkeys[3], 0, seed));
/*CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &pubkeys[3], &pubkeys[0]));*/

/* Testing aggsig exchange algorithm for Grin */
/* ****************************************** */

memset(sig, 0, sizeof(sig));
memset(sig, 0, sizeof(sig2));
memset(sig, 0, sizeof(combined_sig));

/* Create a couple of nonces */
CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[0], seed));
CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[1], seed));

for (i = 0; i < 2; i++) {
secp256k1_scalar tmp_s;
random_scalar_order_test(&tmp_s);
secp256k1_scalar_get_b32(sec_nonces[i], &tmp_s);
CHECK(secp256k1_ec_pubkey_create(ctx, &pub_nonces[i], sec_nonces[i]) == 1);
}

/* Combine pubnonces */
/* pubkey_combiner[0]=&pub_nonces[0];
pubkey_combiner[1]=&pub_nonces[1];
CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum, pubkey_combiner, 2) == 1);*/
CHECK(secp256k1_aggsig_add_pubnonces_single(ctx, &combiner_sum, &negate, &pub_nonces[0], &pub_nonces[1]) == 1);

/* Create 2 partial signatures (Sender, Receiver)*/
printf("\nSIGN FIRST\n");
CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], sec_nonces[0], &combiner_sum, negate, seed));

/* Receiver verifies sender's Sig and signs */
/*CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &combiner_sum, &pubkeys[0]));*/
printf("POST_VERIFY FIRST\n\n");
printf("\nSIGN SECOND\n");
CHECK(secp256k1_aggsig_sign_single(sign, sig2, msg, seckeys[1], sec_nonces[1], &combiner_sum, negate, seed));

/* sender verifies receiver's Sig then creates final combined sig */
/*CHECK(secp256k1_aggsig_verify_single(vrfy, sig2, msg, &combiner_sum, &pubkeys[1]));*/
printf("POST_VERIFY SECOND\n\n");

/* Add 2 sigs and nonces */
CHECK(secp256k1_aggsig_add_signatures_single(sign, sig, sig, sig, &pubkeys[4], &pubkeys[5]));
CHECK(secp256k1_aggsig_add_signatures_single(sign, combined_sig, sig, sig2, &pub_nonces[0], &pub_nonces[1]));

/* Combine pubkeys */
pubkey_combiner[0]=&pubkeys[0];
pubkey_combiner[1]=&pubkeys[1];
CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum, pubkey_combiner, 2) == 1);

/* Ensure added sigs verify properly */
CHECK(secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, NULL, &combiner_sum));

/*** End aggsig for Grin exchange test ***/

/* cleanup */
secp256k1_aggsig_context_destroy(aggctx);
Expand Down

0 comments on commit 97fe54e

Please sign in to comment.