implement adaptor signature verification

Author: keithsue

crypto/adaptor/types.go

@@ -0,0 +1,29 @@
+package adaptor
+
+import (
+	"github.com/btcsuite/btcd/btcec/v2"
+)
+
+// scalarSize is the size of an encoded big endian scalar
+const scalarSize = 32
+
+// Signature is same with schnorr.Signature
+type Signature struct {
+	r btcec.FieldVal
+	s btcec.ModNScalar
+}
+
+// NewSignature creates a new Signature from bytes
+// Assume that the given byte slice is valid
+func NewSignature(sigBytes []byte) *Signature {
+	var r btcec.FieldVal
+	_ = r.SetByteSlice(sigBytes[0:32])
+
+	var s btcec.ModNScalar
+	_ = s.SetByteSlice(sigBytes[32:])
+
+	return &Signature{
+		r,
+		s,
+	}
+}

crypto/adaptor/verifier.go

@@ -0,0 +1,179 @@
+package adaptor
+
+import (
+	"fmt"
+
+	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr"
+	"github.com/btcsuite/btcd/chaincfg/chainhash"
+	"github.com/decred/dcrd/dcrec/secp256k1/v4"
+)
+
+// Verify verifies the provided schnorr adaptor signature against the given adaptor point
+func Verify(sigBytes []byte, msg []byte, pubKeyBytes []byte, adaptorPointBytes []byte) bool {
+	_, err := schnorr.ParseSignature(sigBytes)
+	if err != nil {
+		return false
+	}
+
+	pubKey, err := schnorr.ParsePubKey(pubKeyBytes)
+	if err != nil {
+		return false
+	}
+
+	adaptorPoint, err := btcec.ParsePubKey(adaptorPointBytes)
+	if err != nil {
+		return false
+	}
+
+	return verifySchnorrAdaptorSignature(NewSignature(sigBytes), msg, pubKey, adaptorPoint) == nil
+}
+
+// verifySchnorrAdaptorSignature verifies the given schnorr adaptor signature
+//
+// The algorithm is based on the verifier for schnorr signature
+// Specifically, step 3 and 6 are added, step 7 and 10 are modified
+//
+// Annotation:
+// AP: adaptor point
+// AR: adapted R
+func verifySchnorrAdaptorSignature(sig *Signature, hash []byte, pubKey *secp256k1.PublicKey, adaptorPoint *secp256k1.PublicKey) error {
+	// 1. Fail if m is not 32 bytes
+	// 2. P = lift_x(int(pk)).
+	// 3. AP = lift_x(int(ap)).
+	// 4. r = int(sig[0:32]); fail is r >= p.
+	// 5. s = int(sig[32:64]); fail if s >= n.
+	// 6. AR = R + AP.
+	// 7. e = int(tagged_hash("BIP0340/challenge", bytes(AR) || bytes(P) || M)) mod n.
+	// 8. R = s*G - e*P
+	// 9. Fail if is_infinite(R)
+	// 10. Fail if not has_even_y(R+AP)
+	// 11. Fail is x(R) != r.
+	// 12. Return success iff not failure occured before reaching this
+	// point.
+
+	// Step 1.
+	//
+	// Fail if m is not 32 bytes
+	if len(hash) != scalarSize {
+		str := fmt.Sprintf("wrong size for message (got %v, want %v)",
+			len(hash), scalarSize)
+		return fmt.Errorf("invalid hash length: %s", str)
+	}
+
+	// Step 2.
+	//
+	// P = lift_x(int(pk))
+	//
+	// Fail if P is not a point on the curve
+	if !pubKey.IsOnCurve() {
+		str := "pubkey point is not on curve"
+		return fmt.Errorf("invalid pub key: %s", str)
+	}
+
+	// Step 3.
+	//
+	// AP = lift_x(int(ap))
+	//
+	// Fail if AP is not a point on the curve
+	if !adaptorPoint.IsOnCurve() {
+		str := "adaptor point is not on curve"
+		return fmt.Errorf("invalid adaptor point: %s", str)
+	}
+
+	// Step 4.
+	//
+	// Fail if r >= p
+	//
+	// Note this is already handled by the fact r is a field element.
+
+	// Step 5.
+	//
+	// Fail if s >= n
+	//
+	// Note this is already handled by the fact s is a mod n scalar.
+
+	// Step 6.
+	//
+	// AR = R + AP
+	var rBytes [32]byte
+	sig.r.PutBytesUnchecked(rBytes[:])
+
+	rPoint, err := schnorr.ParsePubKey(rBytes[:])
+	if err != nil {
+		str := "failed to parse r"
+		return fmt.Errorf("invalid r: %s", str)
+	}
+
+	var R, AP, AR btcec.JacobianPoint
+	rPoint.AsJacobian(&R)
+	adaptorPoint.AsJacobian(&AP)
+	btcec.AddNonConst(&R, &AP, &AR)
+
+	// Step 7.
+	//
+	// e = int(tagged_hash("BIP0340/challenge", bytes(ar) || bytes(P) || M)) mod n.
+	AR.ToAffine()
+	var arBytes [32]byte
+	AR.X.PutBytesUnchecked(arBytes[:])
+
+	pBytes := schnorr.SerializePubKey(pubKey)
+
+	commitment := chainhash.TaggedHash(
+		chainhash.TagBIP0340Challenge, arBytes[:], pBytes, hash,
+	)
+
+	var e btcec.ModNScalar
+	if overflow := e.SetBytes((*[32]byte)(commitment)); overflow != 0 {
+		str := "hash of (r || P || m) too big"
+		return fmt.Errorf("invalid schnorr hash: %s", str)
+	}
+
+	// Negate e here so we can use AddNonConst below to subtract the s*G
+	// point from e*P.
+	e.Negate()
+
+	// Step 8.
+	//
+	// R = s*G - e*P
+	var P, sG, eP btcec.JacobianPoint
+	pubKey.AsJacobian(&P)
+	btcec.ScalarBaseMultNonConst(&sig.s, &sG)
+	btcec.ScalarMultNonConst(&e, &P, &eP)
+	btcec.AddNonConst(&sG, &eP, &R)
+
+	// Step 9.
+	//
+	// Fail if R is the point at infinity
+	if (R.X.IsZero() && R.Y.IsZero()) || R.Z.IsZero() {
+		str := "calculated R point is the point at infinity"
+		return fmt.Errorf("invalid signature: %s", str)
+	}
+
+	// Step 10.
+	//
+	// Fail if (R+AP).y is odd
+	//
+	// Note that R+AP must be in affine coordinates for this check.
+	btcec.AddNonConst(&R, &AP, &AR)
+	AR.ToAffine()
+	if AR.Y.IsOdd() {
+		str := "calculated AR y-value is odd"
+		return fmt.Errorf("invalid signature: %s", str)
+	}
+
+	// Step 11.
+	//
+	// Verified if R.x == r
+	//
+	// Note that R must be in affine coordinates for this check.
+	if !sig.r.Equals(&R.X) {
+		str := "calculated R point was not given R"
+		return fmt.Errorf("invalid signature: %s", str)
+	}
+
+	// Step 12.
+	//
+	// Return success iff not failure occured before reaching this
+	return nil
+}

crypto/hash/sha256.go

@@ -0,0 +1,12 @@
+package hash
+
+import (
+	"crypto/sha256"
+)
+
+// Sha256 returns the SHA256 hash of the given data
+func Sha256(data []byte) []byte {
+	hash := sha256.Sum256(data)
+
+	return hash[:]
+}

crypto/schnorr/verifier.go

@@ -0,0 +1,20 @@
+package schnorr
+
+import (
+	"github.com/btcsuite/btcd/btcec/v2/schnorr"
+)
+
+// Verify verifies the provided schnorr signature against the given msg and public key
+func Verify(sigBytes []byte, msg []byte, pubKeyBytes []byte) bool {
+	signature, err := schnorr.ParseSignature(sigBytes)
+	if err != nil {
+		return false
+	}
+
+	pubKey, err := schnorr.ParsePubKey(pubKeyBytes)
+	if err != nil {
+		return false
+	}
+
+	return signature.Verify(msg, pubKey)
+}

x/dlc/keeper/attestation.go

@@ -7,6 +7,8 @@ import (
 	storetypes "cosmossdk.io/store/types"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 
+	"github.com/sideprotocol/side/crypto/hash"
+	"github.com/sideprotocol/side/crypto/schnorr"
 	"github.com/sideprotocol/side/x/dlc/types"
 )
 
@@ -23,9 +25,9 @@ func (k Keeper) HandleAttestation(ctx sdk.Context, sender string, eventId uint64
 
 	pubKeyBytes, _ := hex.DecodeString(event.Pubkey)
 	sigBytes, _ := hex.DecodeString(signature)
-	msg := types.Sha256(sdk.Uint64ToBigEndian(event.TriggerPrice.Uint64()))
+	msg := hash.Sha256(sdk.Uint64ToBigEndian(event.TriggerPrice.Uint64()))
 
-	if !types.VerifySchnorrSignature(sigBytes, msg, pubKeyBytes) {
+	if !schnorr.Verify(sigBytes, msg, pubKeyBytes) {
 		return errorsmod.Wrap(types.ErrInvalidSignature, "failed to verify the signature")
 	}
 

x/dlc/keeper/nonce.go

@@ -9,6 +9,8 @@ import (
 	storetypes "cosmossdk.io/store/types"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 
+	"github.com/sideprotocol/side/crypto/hash"
+	"github.com/sideprotocol/side/crypto/schnorr"
 	"github.com/sideprotocol/side/x/dlc/types"
 )
 
@@ -22,7 +24,7 @@ func (k Keeper) HandleNonce(ctx sdk.Context, sender string, nonce string, oracle
 	nonceBytes, _ := hex.DecodeString(nonce)
 	sigBytes, _ := hex.DecodeString(signature)
 
-	if !types.VerifySchnorrSignature(sigBytes, types.Sha256(nonceBytes), oraclePKBytes) {
+	if !schnorr.Verify(sigBytes, hash.Sha256(nonceBytes), oraclePKBytes) {
 		return errorsmod.Wrap(types.ErrInvalidSignature, "failed to verify the signature")
 	}
 

x/dlc/types/crypto.go

@@ -5,6 +5,8 @@ import (
 	"crypto/ed25519"
 	"encoding/binary"
 	"slices"
+
+	"github.com/sideprotocol/side/crypto/hash"
 )
 
 // ParticipantExists returns true if the given public key is a participant, false otherwise
@@ -36,7 +38,7 @@ func GetSigMsg(id uint64, pubKey []byte) []byte {
 
 	rawMsg = append(rawMsg, pubKey...)
 
-	return Sha256(rawMsg)
+	return hash.Sha256(rawMsg)
 }
 
 // VerifySignature verifies the given signature