btcec/v2/schnorr: add initial BIP-340 schnorr sig implementation

In this commit, we add an initial implementation of BIP-340. Mirroring the recently added `ecsda` package, we create a new `schnorr` package with a unique `Signature` type and `ParsePubkey` function. The new `Signature` type implements the fixed-sized 64-byte signatures, and the `ParsePubkey` method only accepts pubkeys that are 32-bytes in length, with an implicit sign byte. The signing implementation by default, deviates from BIP-340 as it opts to use rfc6979 deterministic signatures by default, which means callers don't need to always pass in their own `auxNonce` randomness. A set of functional arguments allows callers to pass in their own value, which is the way all the included test vectors function. The other optional functional argument added is the `FastSign` option that allows callers to skip the final step of verifying each signature they generate.
btcsuite · Dec 5, 2021 · f922c95 · f922c95
1 parent d62bde6
commit f922c95
Show file tree

Hide file tree

Showing 7 changed files with 903 additions and 49 deletions.
diff --git a/btcec/v2/go.mod b/btcec/v2/go.mod
@@ -7,3 +7,9 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1
 )
+
+require github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect
+
+// We depend on chainhash as is, so we need to raplce to use the version of
+// chainhash included in the version of btcd we're buidling in.
+replace github.com/btcsuite/btcd => ../../
diff --git a/btcec/v2/go.sum b/btcec/v2/go.sum
@@ -1,49 +1,6 @@
-github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
-github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
-github.com/btcsuite/btcd v0.22.0-beta h1:LTDpDKUM5EeOFBPM8IXpinEcmZ6FWfNZbE3lfrfdnWo=
-github.com/btcsuite/btcd v0.22.0-beta/go.mod h1:9n5ntfhhHQBIhUvlhDvD3Qg6fRUj4jkN0VB8L8svzOA=
-github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA=
-github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d/go.mod h1:+5NJ2+qvTyV9exUAL/rxXi3DcLg2Ts+ymUAY5y4NvMg=
-github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce/go.mod h1:0DVlHczLPewLcPGEIeUEzfOJhqGPQ0mJJRDBtD307+o=
-github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd/go.mod h1:HHNXQzUsZCxOoE+CPiyCTO6x34Zs86zZUiwtpXoGdtg=
-github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd/go.mod h1:F+uVaaLLH7j4eDXPRvw78tMflu7Ie2bzYOH4Y8rRKBY=
-github.com/btcsuite/goleveldb v1.0.0/go.mod h1:QiK9vBlgftBg6rWQIj6wFzbPfRjiykIEhBH4obrXJ/I=
-github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
-github.com/btcsuite/snappy-go v1.0.0/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
-github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=
-github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs=
-github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.0 h1:/8DMNYp9SGi5f0w7uCm6d6M4OU2rGFK09Y2A4Xv7EE0=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
-github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
-github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200115085410-6d4e4cb37c7d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/btcec/v2/pubkey.go b/btcec/v2/pubkey.go
@@ -9,17 +9,55 @@ import (
 	secp "github.com/decred/dcrd/dcrec/secp256k1/v4"
 )
 
-// These constants define the lengths of serialized public keys.
-const (
-	PubKeyBytesLenCompressed = 33
-)
-
 const (
 	pubkeyCompressed   byte = 0x2 // y_bit + x coord
 	pubkeyUncompressed byte = 0x4 // x coord + y coord
 	pubkeyHybrid       byte = 0x6 // y_bit + x coord + y coord
 )
 
+const (
+	// PubKeyBytesLenCompressed is the number of bytes of a serialized
+	// compressed public key.
+	PubKeyBytesLenCompressed = 33
+
+	// PubKeyBytesLenUncompressed is the number of bytes of a serialized
+	// uncompressed public key.
+	PubKeyBytesLenUncompressed = 65
+
+	// PubKeyFormatCompressedEven is the identifier prefix byte for a public key
+	// whose Y coordinate is even when serialized in the compressed format per
+	// section 2.3.4 of [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.4).
+	PubKeyFormatCompressedEven byte = 0x02
+
+	// PubKeyFormatCompressedOdd is the identifier prefix byte for a public key
+	// whose Y coordinate is odd when serialized in the compressed format per
+	// section 2.3.4 of [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.4).
+	PubKeyFormatCompressedOdd byte = 0x03
+
+	// PubKeyFormatUncompressed is the identifier prefix byte for a public key
+	// when serialized according in the uncompressed format per section 2.3.3 of
+	// [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.3).
+	PubKeyFormatUncompressed byte = 0x04
+
+	// PubKeyFormatHybridEven is the identifier prefix byte for a public key
+	// whose Y coordinate is even when serialized according to the hybrid format
+	// per section 4.3.6 of [ANSI X9.62-1998].
+	//
+	// NOTE: This format makes little sense in practice an therefore this
+	// package will not produce public keys serialized in this format.  However,
+	// it will parse them since they exist in the wild.
+	PubKeyFormatHybridEven byte = 0x06
+
+	// PubKeyFormatHybridOdd is the identifier prefix byte for a public key
+	// whose Y coordingate is odd when serialized according to the hybrid format
+	// per section 4.3.6 of [ANSI X9.62-1998].
+	//
+	// NOTE: This format makes little sense in practice an therefore this
+	// package will not produce public keys serialized in this format.  However,
+	// it will parse them since they exist in the wild.
+	PubKeyFormatHybridOdd byte = 0x07
+)
+
 // IsCompressedPubKey returns true the the passed serialized public key has
 // been encoded in compressed format, and false otherwise.
 func IsCompressedPubKey(pubKey []byte) bool {

diff --git a/btcec/v2/schnorr/error.go b/btcec/v2/schnorr/error.go
@@ -0,0 +1,25 @@
+// Copyright (c) 2013-2017 The btcsuite developers
+// Copyright (c) 2015-2021 The Decred developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package schnorr
+
+import (
+	ecdsa_schnorr "github.com/decred/dcrd/dcrec/secp256k1/v4/schnorr"
+)
+
+// ErrorKind identifies a kind of error.  It has full support for errors.Is
+// and errors.As, so the caller can directly check against an error kind
+// when determining the reason for an error.
+type ErrorKind = ecdsa_schnorr.ErrorKind
+
+// Error identifies an error related to a schnorr signature. It has full
+// support for errors.Is and errors.As, so the caller can ascertain the
+// specific reason for the error by checking the underlying error.
+type Error = ecdsa_schnorr.Error
+
+// signatureError creates an Error given a set of arguments.
+func signatureError(kind ErrorKind, desc string) Error {
+	return Error{Err: kind, Description: desc}
+}
diff --git a/btcec/v2/schnorr/pubkey.go b/btcec/v2/schnorr/pubkey.go
@@ -0,0 +1,44 @@
+// Copyright (c) 2013-2017 The btcsuite developers
+// Copyright (c) 2015-2021 The Decred developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package schnorr
+
+import (
+	"fmt"
+
+	"github.com/btcsuite/btcd/btcec/v2"
+)
+
+// These constants define the lengths of serialized public keys.
+const (
+	PubKeyBytesLen = 32
+
+	pubkeyCompressed byte = 0x2 // y_bit + x coord
+)
+
+// ParsePubKey parses a public key for a koblitz curve from a bytestring into a
+// ecdsa.Publickey, verifying that it is valid. It only supports public keys in
+// the BIP-340 32-byte format.
+func ParsePubKey(pubKeyStr []byte) (*btcec.PublicKey, error) {
+	if pubKeyStr == nil {
+		err := fmt.Errorf("nil pubkey byte string")
+		return nil, err
+	}
+	if len(pubKeyStr) != PubKeyBytesLen {
+		err := fmt.Errorf("bad pubkey byte string size (want %v, have %v)",
+			PubKeyBytesLen, len(pubKeyStr))
+		return nil, err
+	}
+
+	// We'll manually append the compressed so we can re-use the existing
+	// pubkey parsing routine of the main btcec package.
+	var keyCompressed [btcec.PubKeyBytesLenCompressed]byte
+	keyCompressed[0] = pubkeyCompressed
+	copy(keyCompressed[1:], pubKeyStr)
+
+	return btcec.ParsePubKey(keyCompressed[:])
+}
+
+// TODO(roasbeef): new type aliases on main pubkey struct for diff serialization?