Merge bitcoin/bitcoin#27479: BIP324: ElligatorSwift integrations

3168b08 Bench test for EllSwift ECDH (Pieter Wuille)
42d759f Bench tests for CKey->EllSwift (dhruv)
2e5a8a4 Fuzz test for Ellswift ECDH (dhruv)
c3ac9f5 Fuzz test for CKey->EllSwift->CPubKey creation/decoding (dhruv)
aae432a Unit test for ellswift creation/decoding roundtrip (dhruv)
eff72a0 Add ElligatorSwift key creation and ECDH logic (Pieter Wuille)
42239f8 Enable ellswift module in libsecp256k1 (dhruv)
901336e Squashed 'src/secp256k1/' changes from 4258c54f4e..705ce7ed8c (Pieter Wuille)

Pull request description:

  This replaces #23432 and part of #23561.

  This PR introduces all of the ElligatorSwift-related changes (libsecp256k1 updates, generation, decoding, ECDH, tests, fuzzing, benchmarks) needed for BIP324.

  ElligatorSwift is a special 64-byte encoding format for public keys introduced in libsecp256k1 in bitcoin-core/secp256k1#1129. It has the property that *every* 64-byte array is a valid encoding for some public key, and every key has approximately $2^{256}$ encodings. Furthermore, it is possible to efficiently generate a uniformly random encoding for a given public key or private key. This is used for the key exchange phase in BIP324, to achieve a byte stream that is entirely pseudorandom, even before the shared encryption key is established.

ACKs for top commit:
  instagibbs:
    reACK bitcoin/bitcoin@3168b08
  achow101:
    ACK 3168b08
  theStack:
    re-ACK 3168b08

Tree-SHA512: 308ac3d33e9a2deecb65826cbf0390480a38de201918429c35c796f3421cdf94c5501d027a043ae8f012cfaa0584656da1de6393bfba3532ab4c20f9533f06a6

Author: achow101

build_msvc/libsecp256k1/libsecp256k1.vcxproj

@@ -14,7 +14,7 @@
   </ItemGroup>
   <ItemDefinitionGroup>
     <ClCompile>
-      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>ENABLE_MODULE_RECOVERY;ENABLE_MODULE_EXTRAKEYS;ENABLE_MODULE_SCHNORRSIG;ENABLE_MODULE_ELLSWIFT;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <UndefinePreprocessorDefinitions>USE_ASM_X86_64;%(UndefinePreprocessorDefinitions)</UndefinePreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\..\src\secp256k1;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DisableSpecificWarnings>4146;4244;4267;4334</DisableSpecificWarnings>

src/Makefile.bench.include

@@ -18,6 +18,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/bench.cpp \
   bench/bench.h \
   bench/bench_bitcoin.cpp \
+  bench/bip324_ecdh.cpp \
   bench/block_assemble.cpp \
   bench/ccoins_caching.cpp \
   bench/chacha20.cpp \
@@ -29,6 +30,7 @@ bench_bench_bitcoin_SOURCES = \
   bench/data.h \
   bench/descriptors.cpp \
   bench/duplicate_inputs.cpp \
+  bench/ellswift.cpp \
   bench/examples.cpp \
   bench/gcs_filter.cpp \
   bench/hashpadding.cpp \

src/bench/bip324_ecdh.cpp

@@ -0,0 +1,51 @@
+// Copyright (c) 2022 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <pubkey.h>
+#include <random.h>
+#include <span.h>
+
+#include <array>
+#include <cstddef>
+
+static void BIP324_ECDH(benchmark::Bench& bench)
+{
+    ECC_Start();
+    FastRandomContext rng;
+
+    std::array<std::byte, 32> key_data;
+    std::array<std::byte, EllSwiftPubKey::size()> our_ellswift_data;
+    std::array<std::byte, EllSwiftPubKey::size()> their_ellswift_data;
+
+    rng.fillrand(key_data);
+    rng.fillrand(our_ellswift_data);
+    rng.fillrand(their_ellswift_data);
+
+    bench.batch(1).unit("ecdh").run([&] {
+        CKey key;
+        key.Set(UCharCast(key_data.data()), UCharCast(key_data.data()) + 32, true);
+        EllSwiftPubKey our_ellswift(our_ellswift_data);
+        EllSwiftPubKey their_ellswift(their_ellswift_data);
+
+        auto ret = key.ComputeBIP324ECDHSecret(their_ellswift, our_ellswift, true);
+
+        // To make sure that the computation is not the same on every iteration (ellswift decoding
+        // is variable-time), distribute bytes from the shared secret over the 3 inputs. The most
+        // important one is their_ellswift, because that one is actually decoded, so it's given most
+        // bytes. The data is copied into the middle, so that both halves are affected:
+        // - Copy 8 bytes from the resulting shared secret into middle of the private key.
+        std::copy(ret.begin(), ret.begin() + 8, key_data.begin() + 12);
+        // - Copy 8 bytes from the resulting shared secret into the middle of our ellswift key.
+        std::copy(ret.begin() + 8, ret.begin() + 16, our_ellswift_data.begin() + 28);
+        // - Copy 16 bytes from the resulting shared secret into the middle of their ellswift key.
+        std::copy(ret.begin() + 16, ret.end(), their_ellswift_data.begin() + 24);
+    });
+
+    ECC_Stop();
+}
+
+BENCHMARK(BIP324_ECDH, benchmark::PriorityLevel::HIGH);

src/bench/ellswift.cpp

@@ -0,0 +1,31 @@
+// Copyright (c) 2022-2023 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+
+#include <key.h>
+#include <random.h>
+
+static void EllSwiftCreate(benchmark::Bench& bench)
+{
+    ECC_Start();
+
+    CKey key;
+    key.MakeNewKey(true);
+
+    uint256 entropy = GetRandHash();
+
+    bench.batch(1).unit("pubkey").run([&] {
+        auto ret = key.EllSwiftCreate(AsBytes(Span{entropy}));
+        /* Use the first 32 bytes of the ellswift encoded public key as next private key. */
+        key.Set(UCharCast(ret.data()), UCharCast(ret.data()) + 32, true);
+        assert(key.IsValid());
+        /* Use the last 32 bytes of the ellswift encoded public key as next entropy. */
+        std::copy(ret.begin() + 32, ret.begin() + 64, AsBytePtr(entropy.data()));
+    });
+
+    ECC_Stop();
+}
+
+BENCHMARK(EllSwiftCreate, benchmark::PriorityLevel::HIGH);

src/key.cpp

@@ -11,6 +11,7 @@
 #include <random.h>
 
 #include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
@@ -331,6 +332,42 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
     return ret;
 }
 
+EllSwiftPubKey CKey::EllSwiftCreate(Span<const std::byte> ent32) const
+{
+    assert(fValid);
+    assert(ent32.size() == 32);
+    std::array<std::byte, EllSwiftPubKey::size()> encoded_pubkey;
+
+    auto success = secp256k1_ellswift_create(secp256k1_context_sign,
+                                             UCharCast(encoded_pubkey.data()),
+                                             keydata.data(),
+                                             UCharCast(ent32.data()));
+
+    // Should always succeed for valid keys (asserted above).
+    assert(success);
+    return {encoded_pubkey};
+}
+
+ECDHSecret CKey::ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const
+{
+    assert(fValid);
+
+    ECDHSecret output;
+    // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs
+    // accordingly:
+    bool success = secp256k1_ellswift_xdh(secp256k1_context_sign,
+                                          UCharCast(output.data()),
+                                          UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()),
+                                          UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()),
+                                          keydata.data(),
+                                          initiating ? 0 : 1,
+                                          secp256k1_ellswift_xdh_hash_function_bip324,
+                                          nullptr);
+    // Should always succeed for valid keys (assert above).
+    assert(success);
+    return output;
+}
+
 bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const {
     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     out.nDepth = nDepth + 1;

src/key.h

@@ -22,6 +22,12 @@
  */
 typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
 
+/** Size of ECDH shared secrets. */
+constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE;
+
+// Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes)
+using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>;
+
 /** An encapsulated private key. */
 class CKey
 {
@@ -156,6 +162,27 @@ class CKey
 
     //! Load private key and check that public key matches.
     bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
+
+    /** Create an ellswift-encoded public key for this key, with specified entropy.
+     *
+     *  entropy must be a 32-byte span with additional entropy to use in the encoding. Every
+     *  public key has ~2^256 different encodings, and this function will deterministically pick
+     *  one of them, based on entropy. Note that even without truly random entropy, the
+     *  resulting encoding will be indistinguishable from uniform to any adversary who does not
+     *  know the private key (because the private key itself is always used as entropy as well).
+     */
+    EllSwiftPubKey EllSwiftCreate(Span<const std::byte> entropy) const;
+
+    /** Compute a BIP324-style ECDH shared secret.
+     *
+     *  - their_ellswift: EllSwiftPubKey that was received from the other side.
+     *  - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated
+     *                  from *this using EllSwiftCreate()).
+     *  - initiating: whether we are the initiating party (true) or responding party (false).
+     */
+    ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift,
+                                       const EllSwiftPubKey& our_ellswift,
+                                       bool initiating) const;
 };
 
 struct CExtKey {

src/pubkey.cpp

@@ -7,6 +7,7 @@
 
 #include <hash.h>
 #include <secp256k1.h>
+#include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
@@ -335,6 +336,20 @@ bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChi
     return true;
 }
 
+CPubKey EllSwiftPubKey::Decode() const
+{
+    secp256k1_pubkey pubkey;
+    secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));
+
+    size_t sz = CPubKey::COMPRESSED_SIZE;
+    std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;
+
+    secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
+    assert(sz == vch_bytes.size());
+
+    return CPubKey{vch_bytes.begin(), vch_bytes.end()};
+}
+
 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
     code[0] = nDepth;
     memcpy(code+1, vchFingerprint, 4);

src/pubkey.h

@@ -291,6 +291,38 @@ class XOnlyPubKey
     SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); }
 };
 
+/** An ElligatorSwift-encoded public key. */
+struct EllSwiftPubKey
+{
+private:
+    static constexpr size_t SIZE = 64;
+    std::array<std::byte, SIZE> m_pubkey;
+
+public:
+    /** Construct a new ellswift public key from a given serialization. */
+    EllSwiftPubKey(const std::array<std::byte, SIZE>& ellswift) :
+        m_pubkey(ellswift) {}
+
+    /** Decode to normal compressed CPubKey (for debugging purposes). */
+    CPubKey Decode() const;
+
+    // Read-only access for serialization.
+    const std::byte* data() const { return m_pubkey.data(); }
+    static constexpr size_t size() { return SIZE; }
+    auto begin() const { return m_pubkey.cbegin(); }
+    auto end() const { return m_pubkey.cend(); }
+
+    bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
+    {
+        return a.m_pubkey == b.m_pubkey;
+    }
+
+    bool friend operator!=(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
+    {
+        return a.m_pubkey != b.m_pubkey;
+    }
+};
+
 struct CExtPubKey {
     unsigned char version[4];
     unsigned char nDepth;

src/random.cpp

@@ -599,6 +599,12 @@ std::vector<unsigned char> FastRandomContext::randbytes(size_t len)
     return ret;
 }
 
+void FastRandomContext::fillrand(Span<std::byte> output)
+{
+    if (requires_seed) RandomSeed();
+    rng.Keystream(UCharCast(output.data()), output.size());
+}
+
 FastRandomContext::FastRandomContext(const uint256& seed) noexcept : requires_seed(false), bitbuf_size(0)
 {
     rng.SetKey32(seed.begin());

src/random.h

@@ -213,6 +213,9 @@ class FastRandomContext
     /** Generate random bytes. */
     std::vector<unsigned char> randbytes(size_t len);
 
+    /** Fill a byte Span with random bytes. */
+    void fillrand(Span<std::byte> output);
+
     /** Generate a random 32-bit integer. */
     uint32_t rand32() noexcept { return randbits(32); }