fixup! use optimized tagged hashes

jonasnick · jonasnick · commit 2a0d934540e5 · 2024-03-08T19:54:13.000Z
diff --git a/src/modules/musig/session_impl.h b/src/modules/musig/session_impl.h
@@ -310,14 +310,45 @@ static void secp256k1_nonce_function_musig_helper(secp256k1_sha256 *sha, unsigne
     }
 }
 
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("MuSig/aux")||SHA256("MuSig/aux"). */
+static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0xa19e884bul;
+    sha->s[1] = 0xf463fe7eul;
+    sha->s[2] = 0x2f18f9a2ul;
+    sha->s[3] = 0xbeb0f9fful;
+    sha->s[4] = 0x0f37e8b0ul;
+    sha->s[5] = 0x06ebd26ful;
+    sha->s[6] = 0xe3b243d2ul;
+    sha->s[7] = 0x522fb150ul;
+    sha->bytes = 64;
+
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("MuSig/nonce")||SHA256("MuSig/nonce"). */
+static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x07101b64ul;
+    sha->s[1] = 0x18003414ul;
+    sha->s[2] = 0x0391bc43ul;
+    sha->s[3] = 0x0e6258eeul;
+    sha->s[4] = 0x29d26b72ul;
+    sha->s[5] = 0x8343937eul;
+    sha->s[6] = 0xb7a0a4fbul;
+    sha->s[7] = 0xff568a30ul;
+    sha->bytes = 64;
+}
+
 static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_id, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32) {
     secp256k1_sha256 sha;
     unsigned char rand[32];
     unsigned char i;
     unsigned char msg_present;
 
     if (seckey32 != NULL) {
-        secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/aux", sizeof("MuSig/aux") - 1);
+        secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
         secp256k1_sha256_write(&sha, session_id, 32);
         secp256k1_sha256_finalize(&sha, rand);
         for (i = 0; i < 32; i++) {
@@ -328,7 +359,7 @@ static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned c
     }
 
     /* Subtract one from `sizeof` to avoid hashing the implicit null byte */
-    secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/nonce", sizeof("MuSig/nonce") - 1);
+    secp256k1_nonce_function_musig_sha256_tagged(&sha);
     secp256k1_sha256_write(&sha, rand, sizeof(rand));
     secp256k1_nonce_function_musig_helper(&sha, 1, pk33, 33);
     secp256k1_nonce_function_musig_helper(&sha, 1, agg_pk32, 32);
@@ -465,13 +496,28 @@ int secp256k1_musig_nonce_agg(const secp256k1_context* ctx, secp256k1_musig_aggn
     return 1;
 }
 
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("MuSig/noncecoef")||SHA256("MuSig/noncecoef"). */
+static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x2c7d5a45ul;
+    sha->s[1] = 0x06bf7e53ul;
+    sha->s[2] = 0x89be68a6ul;
+    sha->s[3] = 0x971254c0ul;
+    sha->s[4] = 0x60ac12d2ul;
+    sha->s[5] = 0x72846dcdul;
+    sha->s[6] = 0x6c81212ful;
+    sha->s[7] = 0xde7a2500ul;
+    sha->bytes = 64;
+}
+
 /* tagged_hash(aggnonce[0], aggnonce[1], agg_pk, msg) */
 static int secp256k1_musig_compute_noncehash(unsigned char *noncehash, secp256k1_ge *aggnonce, const unsigned char *agg_pk32, const unsigned char *msg) {
     unsigned char buf[33];
     secp256k1_sha256 sha;
     int i;
 
-    secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/noncecoef", sizeof("MuSig/noncecoef") - 1);
+    secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
     for (i = 0; i < 2; i++) {
         secp256k1_musig_ge_serialize_ext(buf, &aggnonce[i]);
         secp256k1_sha256_write(&sha, buf, sizeof(buf));
diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h
@@ -23,6 +23,7 @@
 #include "../../util.h"
 
 #include "vectors.h"
+#include <inttypes.h>
 
 static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
     int ret;
@@ -490,45 +491,38 @@ static void musig_nonce_test(void) {
 
 static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen) {
     secp256k1_sha256 sha;
-    unsigned char buf[32];
-    unsigned char buf2[32];
-    size_t i;
-
-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, tag, taglen);
-    secp256k1_sha256_finalize(&sha, buf);
-    /* buf = SHA256(tag) */
-
-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, buf, 32);
-    secp256k1_sha256_write(&sha, buf, 32);
-    /* Is buffer fully consumed? */
-    CHECK((sha.bytes & 0x3F) == 0);
-
-    /* Compare with tagged SHA */
-    for (i = 0; i < 8; i++) {
-        CHECK(sha_tagged->s[i] == sha.s[i]);
-    }
-    secp256k1_sha256_write(&sha, buf, 32);
-    secp256k1_sha256_write(sha_tagged, buf, 32);
-    secp256k1_sha256_finalize(&sha, buf);
-    secp256k1_sha256_finalize(sha_tagged, buf2);
-    CHECK(secp256k1_memcmp_var(buf, buf2, 32) == 0);
+    secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
+    test_sha256_eq(&sha, sha_tagged);
 }
 
 /* Checks that the initialized tagged hashes initialized have the expected
  * state. */
 static void sha256_tag_test(void) {
-    secp256k1_sha256 sha_tagged;
+    secp256k1_sha256 sha;
     {
         char tag[11] = "KeyAgg list";
-        secp256k1_musig_keyagglist_sha256(&sha_tagged);
-        sha256_tag_test_internal(&sha_tagged, (unsigned char*)tag, sizeof(tag));
+        secp256k1_musig_keyagglist_sha256(&sha);
+        sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag));
     }
     {
         char tag[18] = "KeyAgg coefficient";
-        secp256k1_musig_keyaggcoef_sha256(&sha_tagged);
-        sha256_tag_test_internal(&sha_tagged, (unsigned char*)tag, sizeof(tag));
+        secp256k1_musig_keyaggcoef_sha256(&sha);
+        sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag));
+    }
+    {
+        unsigned char tag[9] = "MuSig/aux";
+        secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
+        sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag));
+    }
+    {
+        unsigned char tag[11] = "MuSig/nonce";
+        secp256k1_nonce_function_musig_sha256_tagged(&sha);
+        sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag));
+    }
+    {
+        unsigned char tag[15] = "MuSig/noncecoef";
+        secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
+        sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag));
     }
 }
 
