Incremental Half-Aggregation for Schnorr Signatures.

BlockstreamResearch · Aug 6, 2023 · 6045c3d · 6045c3d
1 parent b2ccc8d
commit 6045c3d
Show file tree

Hide file tree

Showing 7 changed files with 738 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,8 @@ schnorr_example
 *.trs
 *.sage.py
 
+.vscode/
+
 Makefile
 configure
 .libs/

diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h
@@ -183,6 +183,81 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
     const secp256k1_xonly_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
 
+
+/** Incrementally (Half-)Aggregate a sequence of Schnorr signatures to an existing half-aggregate signature.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: a secp256k1 context object.
+ *  In/Out:      aggsig: pointer to the serialized aggregate signature that is input. Will be overwritten by the new serialized aggregate signature.
+ *          aggsig_size: size of the memory allocated in aggsig. Should be large enough to hold the new serialized aggregate signature.
+ *  In:     all_pubkeys: Array of x-only public keys, including both the ones for the already aggregated signature
+ *                       and the ones for the signatures that should be added. 
+ *                       Assumed to contain n = n_before + n_new many public keys.
+ *           all_msgs32: Array of 32-byte messages, including both the ones for the already aggregated signature
+ *                       and the ones for the signatures that should be added. 
+ *                       Assumed to contain n = n_before + n_new many messages.
+ *           new_sigs64: Array of 64-byte signatures, containing the new signatures that should be added.
+ *                       Assumed to contain n_new many signatures.
+ *             n_before: Number of signatures that are already "contained" in the aggregate signature
+ *                n_new: Number of signatures that should now be added to the aggregate signature 
+ */
+SECP256K1_API int secp256k1_schnorrsig_inc_aggregate(
+    const secp256k1_context* ctx,
+    unsigned char* aggsig,
+    size_t* aggsig_size,
+    const secp256k1_xonly_pubkey* all_pubkeys,
+    const unsigned char* all_msgs32,
+    const unsigned char* new_sigs64,
+    size_t n_before,
+    size_t n_new
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+
+
+/** (Half-)Aggregate a sequence of Schnorr signatures.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: a secp256k1 context object.
+ *  Out:         aggsig: pointer to an array of aggsig_size many bytes to store the serialized aggregate signature
+ *  In/Out: aggsig_size: size of the aggsig array that is passed; will be overwritten to be the exact size of aggsig.  
+ *  In:         pubkeys: Array of x-only public keys. Assumed to contain n many public keys.
+ *               msgs32: Array of 32-byte messages. Assumed to contain n many messages.
+ *               sigs64: Array of 64-byte signatures. Assumed to contain n many signatures.
+ *                    n: number of signatures to be aggregated.
+ */
+SECP256K1_API int secp256k1_schnorrsig_aggregate(
+    const secp256k1_context* ctx,
+    unsigned char* aggsig,
+    size_t* aggsig_size,
+    const secp256k1_xonly_pubkey* pubkeys,
+    const unsigned char* msgs32,
+    const unsigned char* sigs64,
+    size_t n
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+
+
+/** Verify a (Half-)aggregate Schnorr signature.
+ *
+ *  Returns:          1: correct signature
+ *                    0: incorrect signature.
+ *  Args:           ctx: a secp256k1 context object.
+ *  In:         pubkeys: Array of x-only public keys. Assume to contain n many public keys.
+ *               msgs32: Array of 32-byte messages. Assumed to contain n many messages.
+ *                    n: number of signatures to that have been aggregated.
+ *               aggsig: Pointer to an array of aggsig_size many bytes containing the serialized aggregate signatur to be verified
+ *          aggsig_size: Size of the aggregate signature
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_aggverify(
+    const secp256k1_context* ctx,
+    const secp256k1_xonly_pubkey* pubkeys,
+    const unsigned char* msgs32,
+    size_t n,
+    const unsigned char* aggsig,
+    size_t aggsig_size
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/src/libsecp256k1-config.h b/src/libsecp256k1-config.h
@@ -0,0 +1,149 @@
+/* src/libsecp256k1-config.h.  Generated from libsecp256k1-config.h.in by configure.  */
+/* src/libsecp256k1-config.h.in.  Generated from configure.ac by autoheader.  */
+
+#ifndef LIBSECP256K1_CONFIG_H
+
+#define LIBSECP256K1_CONFIG_H
+
+/* Define this symbol to compile out all VERIFY code */
+/* #undef COVERAGE */
+
+/* Set ecmult gen precision bits */
+#define ECMULT_GEN_PREC_BITS 4
+
+/* Set window size for ecmult precomputation */
+#define ECMULT_WINDOW_SIZE 15
+
+/* Define this symbol to enable the Bulletproofs++ module */
+/* #undef ENABLE_MODULE_BPPP */
+
+/* Define this symbol to enable the ECDH module */
+/* #undef ENABLE_MODULE_ECDH */
+
+/* Define this symbol to enable the ECDSA adaptor module */
+/* #undef ENABLE_MODULE_ECDSA_ADAPTOR */
+
+/* Define this symbol to enable the ECDSA sign-to-contract module */
+/* #undef ENABLE_MODULE_ECDSA_S2C */
+
+/* Define this symbol to enable the extrakeys module */
+#define ENABLE_MODULE_EXTRAKEYS 1
+
+/* Define this symbol to enable the NUMS generator module */
+/* #undef ENABLE_MODULE_GENERATOR */
+
+/* Define this symbol to enable the MuSig module */
+/* #undef ENABLE_MODULE_MUSIG */
+
+/* Define this symbol to enable the Pedersen / zero knowledge range proof
+   module */
+/* #undef ENABLE_MODULE_RANGEPROOF */
+
+/* Define this symbol to enable the ECDSA pubkey recovery module */
+/* #undef ENABLE_MODULE_RECOVERY */
+
+/* Define this symbol to enable the schnorrsig module */
+#define ENABLE_MODULE_SCHNORRSIG 1
+
+/* Define this symbol to enable the surjection proof module */
+/* #undef ENABLE_MODULE_SURJECTIONPROOF */
+
+/* Define this symbol to enable the key whitelisting module */
+/* #undef ENABLE_MODULE_WHITELIST */
+
+/* Define this symbol if __builtin_clzll is available */
+/* #undef HAVE_BUILTIN_CLZLL */
+
+/* Define this symbol if __builtin_popcount is available */
+/* #undef HAVE_BUILTIN_POPCOUNT */
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#define HAVE_STDIO_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define this symbol if valgrind is installed, and it supports the host
+   platform */
+/* #undef HAVE_VALGRIND */
+
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
+#define LT_OBJDIR ".libs/"
+
+/* Name of package */
+#define PACKAGE "libsecp256k1"
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT "https://github.com/bitcoin-core/secp256k1/issues"
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "libsecp256k1"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "libsecp256k1 0.1.0-pre"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "libsecp256k1"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL "https://github.com/bitcoin-core/secp256k1"
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "0.1.0-pre"
+
+/* Define to 1 if all of the C90 standard headers exist (not just the ones
+   required in a freestanding environment). This macro is provided for
+   backward compatibility; new code need not use it. */
+#define STDC_HEADERS 1
+
+/* Define this symbol to enable x86_64 assembly optimizations */
+/* #undef USE_ASM_X86_64 */
+
+/* Define this symbol if an external (non-inline) assembly implementation is
+   used */
+/* #undef USE_EXTERNAL_ASM */
+
+/* Define this symbol if an external implementation of the default callbacks
+   is used */
+/* #undef USE_EXTERNAL_DEFAULT_CALLBACKS */
+
+/* Define this symbol to force the use of the (unsigned) __int128 based wide
+   multiplication implementation */
+/* #undef USE_FORCE_WIDEMUL_INT128 */
+
+/* Define this symbol to force the use of the (u)int64_t based wide
+   multiplication implementation */
+/* #undef USE_FORCE_WIDEMUL_INT64 */
+
+/* Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16,
+   disabling parsing and verification */
+/* #undef USE_REDUCED_SURJECTION_PROOF_SIZE */
+
+/* Version number of package */
+#define VERSION "0.1.0-pre"
+
+#endif /*LIBSECP256K1_CONFIG_H*/
diff --git a/src/libsecp256k1-config.h.in b/src/libsecp256k1-config.h.in
@@ -0,0 +1,148 @@
+/* src/libsecp256k1-config.h.in.  Generated from configure.ac by autoheader.  */
+
+#ifndef LIBSECP256K1_CONFIG_H
+
+#define LIBSECP256K1_CONFIG_H
+
+/* Define this symbol to compile out all VERIFY code */
+#undef COVERAGE
+
+/* Set ecmult gen precision bits */
+#undef ECMULT_GEN_PREC_BITS
+
+/* Set window size for ecmult precomputation */
+#undef ECMULT_WINDOW_SIZE
+
+/* Define this symbol to enable the Bulletproofs++ module */
+#undef ENABLE_MODULE_BPPP
+
+/* Define this symbol to enable the ECDH module */
+#undef ENABLE_MODULE_ECDH
+
+/* Define this symbol to enable the ECDSA adaptor module */
+#undef ENABLE_MODULE_ECDSA_ADAPTOR
+
+/* Define this symbol to enable the ECDSA sign-to-contract module */
+#undef ENABLE_MODULE_ECDSA_S2C
+
+/* Define this symbol to enable the extrakeys module */
+#undef ENABLE_MODULE_EXTRAKEYS
+
+/* Define this symbol to enable the NUMS generator module */
+#undef ENABLE_MODULE_GENERATOR
+
+/* Define this symbol to enable the MuSig module */
+#undef ENABLE_MODULE_MUSIG
+
+/* Define this symbol to enable the Pedersen / zero knowledge range proof
+   module */
+#undef ENABLE_MODULE_RANGEPROOF
+
+/* Define this symbol to enable the ECDSA pubkey recovery module */
+#undef ENABLE_MODULE_RECOVERY
+
+/* Define this symbol to enable the schnorrsig module */
+#undef ENABLE_MODULE_SCHNORRSIG
+
+/* Define this symbol to enable the surjection proof module */
+#undef ENABLE_MODULE_SURJECTIONPROOF
+
+/* Define this symbol to enable the key whitelisting module */
+#undef ENABLE_MODULE_WHITELIST
+
+/* Define this symbol if __builtin_clzll is available */
+#undef HAVE_BUILTIN_CLZLL
+
+/* Define this symbol if __builtin_popcount is available */
+#undef HAVE_BUILTIN_POPCOUNT
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#undef HAVE_STDIO_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* Define this symbol if valgrind is installed, and it supports the host
+   platform */
+#undef HAVE_VALGRIND
+
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
+#undef LT_OBJDIR
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* Define to 1 if all of the C90 standard headers exist (not just the ones
+   required in a freestanding environment). This macro is provided for
+   backward compatibility; new code need not use it. */
+#undef STDC_HEADERS
+
+/* Define this symbol to enable x86_64 assembly optimizations */
+#undef USE_ASM_X86_64
+
+/* Define this symbol if an external (non-inline) assembly implementation is
+   used */
+#undef USE_EXTERNAL_ASM
+
+/* Define this symbol if an external implementation of the default callbacks
+   is used */
+#undef USE_EXTERNAL_DEFAULT_CALLBACKS
+
+/* Define this symbol to force the use of the (unsigned) __int128 based wide
+   multiplication implementation */
+#undef USE_FORCE_WIDEMUL_INT128
+
+/* Define this symbol to force the use of the (u)int64_t based wide
+   multiplication implementation */
+#undef USE_FORCE_WIDEMUL_INT64
+
+/* Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16,
+   disabling parsing and verification */
+#undef USE_REDUCED_SURJECTION_PROOF_SIZE
+
+/* Version number of package */
+#undef VERSION
+
+#endif /*LIBSECP256K1_CONFIG_H*/