diff --git a/jni/src/main/kotlin/fr/acinq/secp256k1/NativeSecp256k1.kt b/jni/src/main/kotlin/fr/acinq/secp256k1/NativeSecp256k1.kt index 20ca735..bcbe03f 100644 --- a/jni/src/main/kotlin/fr/acinq/secp256k1/NativeSecp256k1.kt +++ b/jni/src/main/kotlin/fr/acinq/secp256k1/NativeSecp256k1.kt @@ -117,6 +117,7 @@ public object NativeSecp256k1 : Secp256k1 { } override fun musigPartialSign(secnonce: ByteArray, privkey: ByteArray, keyaggCache: ByteArray, session: ByteArray): ByteArray { + require(musigNonceValidate(secnonce, pubkeyCreate(privkey))) return Secp256k1CFunctions.secp256k1_musig_partial_sign(Secp256k1Context.getContext(), secnonce, privkey, keyaggCache, session) } diff --git a/src/commonMain/kotlin/fr/acinq/secp256k1/Secp256k1.kt b/src/commonMain/kotlin/fr/acinq/secp256k1/Secp256k1.kt index fe7c010..4ea9794 100644 --- a/src/commonMain/kotlin/fr/acinq/secp256k1/Secp256k1.kt +++ b/src/commonMain/kotlin/fr/acinq/secp256k1/Secp256k1.kt @@ -217,6 +217,26 @@ public interface Secp256k1 { */ public fun musigNonceProcess(aggnonce: ByteArray, msg32: ByteArray, keyaggCache: ByteArray): ByteArray + /** + * Check that a secret nonce was generated with a public key that matches the private key used for signing. + * @param secretnonce secret nonce. + * @param pubkey public key for the private key that will be used, with the secret nonce, to generate a partial signature. + * @return false if the secret nonce does not match the public key. + */ + public fun musigNonceValidate(secretnonce: ByteArray, pubkey: ByteArray): Boolean { + if (secretnonce.size != MUSIG2_SECRET_NONCE_SIZE) return false + if (pubkey.size != 33 && pubkey.size != 65) return false + val pk = Secp256k1.pubkeyParse(pubkey) + // this is a bit hackish but the secp256k1 library does not export methods to do this cleanly + val x = secretnonce.copyOfRange(68, 68 + 32) + x.reverse() + val y = secretnonce.copyOfRange(68 + 32, 68 + 32 + 32) + y.reverse() + val pkx = pk.copyOfRange(1, 1 + 32) + val pky = pk.copyOfRange(33, 33 + 32) + return x.contentEquals(pkx) && y.contentEquals(pky) + } + /** * Create a partial signature. * diff --git a/src/nativeMain/kotlin/fr/acinq/secp256k1/Secp256k1Native.kt b/src/nativeMain/kotlin/fr/acinq/secp256k1/Secp256k1Native.kt index 48468fe..50e3360 100644 --- a/src/nativeMain/kotlin/fr/acinq/secp256k1/Secp256k1Native.kt +++ b/src/nativeMain/kotlin/fr/acinq/secp256k1/Secp256k1Native.kt @@ -81,7 +81,7 @@ public object Secp256k1Native : Secp256k1 { return serialized.readBytes(Secp256k1.MUSIG2_PUBLIC_NONCE_SIZE) } - private fun DeferScope.toNat(bytes: ByteArray): CPointer { + private fun DeferScope.toNat(bytes: ByteArray): CPointer { val ubytes = bytes.asUByteArray() val pinned = ubytes.pin() this.defer { pinned.unpin() } @@ -112,7 +112,7 @@ public object Secp256k1Native : Secp256k1 { } public override fun signatureNormalize(sig: ByteArray): Pair { - require(sig.size >= 64){ "invalid signature ${Hex.encode(sig)}" } + require(sig.size >= 64) { "invalid signature ${Hex.encode(sig)}" } memScoped { val nSig = allocSignature(sig) val isHighS = secp256k1_ecdsa_signature_normalize(ctx, nSig.ptr, nSig.ptr) @@ -307,7 +307,16 @@ public object Secp256k1Native : Secp256k1 { memcpy(n.ptr, toNat(it), Secp256k1.MUSIG2_PUBLIC_KEYAGG_CACHE_SIZE.toULong()) n } - secp256k1_musig_nonce_gen(ctx, secnonce.ptr, pubnonce.ptr, toNat(sessionId32), privkey?.let { toNat(it) }, nPubkey.ptr, msg32?.let { toNat(it) },nKeyAggCache?.ptr, extraInput32?.let { toNat(it) }).requireSuccess("secp256k1_musig_nonce_gen() failed") + secp256k1_musig_nonce_gen( + ctx, + secnonce.ptr, + pubnonce.ptr, + toNat(sessionId32), + privkey?.let { toNat(it) }, + nPubkey.ptr, + msg32?.let { toNat(it) }, + nKeyAggCache?.ptr, + extraInput32?.let { toNat(it) }).requireSuccess("secp256k1_musig_nonce_gen() failed") val nPubnonce = allocArray(Secp256k1.MUSIG2_PUBLIC_NONCE_SIZE) secp256k1_musig_pubnonce_serialize(ctx, nPubnonce, pubnonce.ptr).requireSuccess("secp256k1_musig_pubnonce_serialize failed") secnonce.ptr.readBytes(Secp256k1.MUSIG2_SECRET_NONCE_SIZE) + nPubnonce.readBytes(Secp256k1.MUSIG2_PUBLIC_NONCE_SIZE) @@ -339,7 +348,7 @@ public object Secp256k1Native : Secp256k1 { n } secp256k1_musig_pubkey_agg(ctx, combined.ptr, nKeyAggCache?.ptr, nPubkeys.toCValues(), pubkeys.size.convert()).requireSuccess("secp256k1_musig_nonce_agg() failed") - val agg = serializeXonlyPubkey(combined) + val agg = serializeXonlyPubkey(combined) keyaggCache?.let { blob -> nKeyAggCache?.let { memcpy(toNat(blob), it.ptr, Secp256k1.MUSIG2_PUBLIC_KEYAGG_CACHE_SIZE.toULong()) } } return agg } @@ -386,13 +395,14 @@ public object Secp256k1Native : Secp256k1 { memcpy(toNat(session), nSession.ptr, Secp256k1.MUSIG2_PUBLIC_SESSION_SIZE.toULong()) return session } - } + } override fun musigPartialSign(secnonce: ByteArray, privkey: ByteArray, keyaggCache: ByteArray, session: ByteArray): ByteArray { require(secnonce.size == Secp256k1.MUSIG2_SECRET_NONCE_SIZE) require(privkey.size == 32) require(keyaggCache.size == Secp256k1.MUSIG2_PUBLIC_KEYAGG_CACHE_SIZE) require(session.size == Secp256k1.MUSIG2_PUBLIC_SESSION_SIZE) + require(musigNonceValidate(secnonce, pubkeyCreate(privkey))) memScoped { val nSecnonce = alloc() diff --git a/tests/src/commonTest/kotlin/fr/acinq/secp256k1/Secp256k1Test.kt b/tests/src/commonTest/kotlin/fr/acinq/secp256k1/Secp256k1Test.kt index 5cc71f8..c714252 100644 --- a/tests/src/commonTest/kotlin/fr/acinq/secp256k1/Secp256k1Test.kt +++ b/tests/src/commonTest/kotlin/fr/acinq/secp256k1/Secp256k1Test.kt @@ -5,6 +5,14 @@ import kotlin.test.* class Secp256k1Test { + val random = Random.Default + + fun randomBytes(length: Int): ByteArray { + val buffer = ByteArray(length) + random.nextBytes(buffer) + return buffer + } + @Test fun verifyValidPrivateKey() { val priv = Hex.decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".lowercase()) @@ -454,40 +462,55 @@ class Secp256k1Test { @Test fun testMusig2SigningSession() { - val privkeys = listOf( - "0101010101010101010101010101010101010101010101010101010101010101", - "0202020202020202020202020202020202020202020202020202020202020202", - ).map { Hex.decode(it) }.toTypedArray() + val privkeys = listOf(randomBytes(32), randomBytes(32)) + val sessionId = randomBytes(32) + val msg32 = randomBytes(32) val pubkeys = privkeys.map { Secp256k1.pubkeyCreate(it) } - - val sessionId = Hex.decode("0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F") val nonces = pubkeys.map { Secp256k1.musigNonceGen(sessionId, null, it, null, null, null) } + val testData = run { + val builder = StringBuilder() + builder.append("private keys\n") + privkeys.forEach { builder.append(Hex.encode(it)).append("\n") } + builder.append("sessionId ${Hex.encode(sessionId)}\n") + builder.append("msg32 ${Hex.encode(msg32)}\n") + builder.append("nonces\n") + nonces.forEach { builder.append(Hex.encode(it)).append("\n") } + builder.toString() + } val secnonces = nonces.map { it.copyOfRange(0, 132) } val pubnonces = nonces.map { it.copyOfRange(132, 132 + 66) } val aggnonce = Secp256k1.musigNonceAgg(pubnonces.toTypedArray()) val keyaggCaches = (0 until 2).map { ByteArray(Secp256k1.MUSIG2_PUBLIC_KEYAGG_CACHE_SIZE) } val aggpubkey = Secp256k1.musigPubkeyAgg(pubkeys.toTypedArray(), keyaggCaches[0]) - assertContentEquals(aggpubkey, Secp256k1.musigPubkeyAgg(pubkeys.toTypedArray(), keyaggCaches[1])) - assertContentEquals(keyaggCaches[0], keyaggCaches[1]) + assertContentEquals(aggpubkey, Secp256k1.musigPubkeyAgg(pubkeys.toTypedArray(), keyaggCaches[1]), testData) + assertContentEquals(keyaggCaches[0], keyaggCaches[1], testData) - val msg32 = Hex.decode("0303030303030303030303030303030303030303030303030303030303030303") val sessions = (0 until 2).map { Secp256k1.musigNonceProcess(aggnonce, msg32, keyaggCaches[it]) } val psigs = (0 until 2).map { val psig = Secp256k1.musigPartialSign(secnonces[it], privkeys[it], keyaggCaches[it], sessions[it]) - assertEquals(1, Secp256k1.musigPartialSigVerify(psig, pubnonces[it], pubkeys[it], keyaggCaches[it], sessions[it])) - assertEquals(0, Secp256k1.musigPartialSigVerify(Random.nextBytes(32), pubnonces[it], pubkeys[it], keyaggCaches[it], sessions[it])) + assertEquals(1, Secp256k1.musigPartialSigVerify(psig, pubnonces[it], pubkeys[it], keyaggCaches[it], sessions[it]), testData) + assertEquals(0, Secp256k1.musigPartialSigVerify(Random.nextBytes(32), pubnonces[it], pubkeys[it], keyaggCaches[it], sessions[it]), testData) psig } + // signing fails if the secret nonce does not match the private key's public key + assertFails(testData) { + Secp256k1.musigPartialSign(secnonces[1], privkeys[0], keyaggCaches[0], sessions[0]) + } + + assertFails(testData) { + Secp256k1.musigPartialSign(secnonces[0], privkeys[1], keyaggCaches[1], sessions[1]) + } + val sig = Secp256k1.musigPartialSigAgg(sessions[0], psigs.toTypedArray()) - assertContentEquals(sig, Secp256k1.musigPartialSigAgg(sessions[1], psigs.toTypedArray())) - assertTrue(Secp256k1.verifySchnorr(sig, msg32, aggpubkey)) + assertContentEquals(sig, Secp256k1.musigPartialSigAgg(sessions[1], psigs.toTypedArray()), testData) + assertTrue(Secp256k1.verifySchnorr(sig, msg32, aggpubkey), testData) val invalidSig1 = Secp256k1.musigPartialSigAgg(sessions[0], arrayOf(psigs[0], psigs[0])) - assertFalse(Secp256k1.verifySchnorr(invalidSig1, msg32, aggpubkey)) + assertFalse(Secp256k1.verifySchnorr(invalidSig1, msg32, aggpubkey), testData) val invalidSig2 = Secp256k1.musigPartialSigAgg(sessions[0], arrayOf(Random.nextBytes(32), Random.nextBytes(32))) - assertFalse(Secp256k1.verifySchnorr(invalidSig2, msg32, aggpubkey)) + assertFalse(Secp256k1.verifySchnorr(invalidSig2, msg32, aggpubkey), testData) } @Test @@ -523,15 +546,14 @@ class Secp256k1Test { } @Test - fun fuzzEcdsaSignVerify() { - val random = Random.Default - - fun randomBytes(length: Int): ByteArray { - val buffer = ByteArray(length) - random.nextBytes(buffer) - return buffer + fun fuzzMusig2SigningSession() { + repeat(1000) { + testMusig2SigningSession() } + } + @Test + fun fuzzEcdsaSignVerify() { repeat(200) { val priv = randomBytes(32) assertTrue(Secp256k1.secKeyVerify(priv))