batch: Add batch_add_* APIs

This commit adds the batch APIs:

1. batch_add_schnorrsig
    Adds a Schnorr signature to the batch.

2. batch_add_xonlypub_tweak_check
	Adds a tweaked x-only pubkey check to the batch.

3. batch_usable
	Checks if a batch can be used by _batch_add_* APIs.

**Side Note:**
Exposing batch_add_schnorrsig in the secp256k1_schnorrsig.h header
file (with batch module header guards) will force the user to define
ENABLE_MODULE_BATCH during their code compilation. Hence, it is in a
standalone secp256k1_schnorrsig_batch.h header file. A similar argument
could be made for batch_add_xonlypub_tweak_check.

Author: siv2r

include/secp256k1_batch.h

@@ -63,6 +63,31 @@ SECP256K1_API void secp256k1_batch_destroy(
     secp256k1_batch* batch
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
 
+/** Checks if a batch can be used by the `secp256k1_batch_add_*` APIs.
+ *
+ *  Returns: 1: batch can be used by `secp256k1_batch_add_*` APIs.
+ *           0: batch cannot be used by `secp256k1_batch_add_*` APIs.
+ *
+ *  Args:    ctx: a secp256k1 context object (can be initialized for none).
+ *         batch: a secp256k1 batch object that contains a set of schnorrsigs/tweaks.
+ *
+ *  You are advised to check if `secp256k1_batch_usable` returns 1 before calling
+ *  any `secp256k1_batch_add_*` API. We recommend this because `secp256k1_batch_add_*`
+ *  will fail in two cases:
+ *       - case 1: unparsable input (schnorrsig or tweak check)
+ *       - case 2: unusable (or invalid) batch
+ *  Calling `secp256k1_batch_usable` beforehand helps eliminate case 2 if
+ *  `secp256k1_batch_add_*` fails.
+ *
+ *  If you ignore the above advice, all the secp256k1_batch APIs will still
+ *  work correctly. It simply makes it hard to understand the reason behind
+ *  `secp256k1_batch_add_*` failure (if occurs).
+ */
+SECP256K1_API int secp256k1_batch_usable(
+    const secp256k1_context *ctx,
+    const secp256k1_batch *batch
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
 /** Verify the set of schnorr signatures or tweaked pubkeys present in the secp256k1_batch.
  *
  *  Returns: 1: every schnorrsig/tweak (in batch) is valid

include/secp256k1_schnorrsig_batch.h

@@ -0,0 +1,42 @@
+#ifndef SECP256K1_SCHNORRSIG_BATCH_H
+#define SECP256K1_SCHNORRSIG_BATCH_H
+
+#include "secp256k1.h"
+#include "secp256k1_schnorrsig.h"
+#include "secp256k1_batch.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** This header file implements batch verification functionality for Schnorr
+ *  signature (see include/secp256k1_schnorrsig.h).
+ */
+
+/** Adds a Schnorr signature to the batch object (secp256k1_batch)
+ *  defined in the Batch module (see include/secp256k1_batch.h).
+ *
+ *  Returns: 1: successfully added the signature to the batch
+ *           0: unparseable signature or unusable batch (according to
+ *              secp256k1_batch_usable).
+ *  Args:    ctx: a secp256k1 context object (can be initialized for none).
+ *         batch: a secp256k1 batch object created using `secp256k1_batch_create`.
+ *  In:    sig64: pointer to the 64-byte signature to verify.
+ *           msg: the message being verified. Can only be NULL if msglen is 0.
+ *        msglen: length of the message.
+ *        pubkey: pointer to an x-only public key to verify with (cannot be NULL).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_batch_add_schnorrsig(
+    const secp256k1_context* ctx,
+    secp256k1_batch *batch,
+    const unsigned char *sig64,
+    const unsigned char *msg,
+    size_t msglen,
+    const secp256k1_xonly_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(6);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_SCHNORRSIG_BATCH_H */

include/secp256k1_tweak_check_batch.h

@@ -0,0 +1,50 @@
+#ifndef SECP256K1_TWEAK_CHECK_BATCH_H
+#define SECP256K1_TWEAK_CHECK_BATCH_H
+
+#include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
+#include "secp256k1_batch.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** This header file implements batch verification functionality for
+ *  x-only tweaked public key check (see include/secp256k1_extrakeys.h).
+ */
+
+/** Adds a x-only tweaked pubkey check to the batch object (secp256k1_batch)
+ *  defined in the Batch module (see include/secp256k1_batch.h).
+ *
+ *  The tweaked pubkey is represented by its 32-byte x-only serialization and
+ *  its pk_parity, which can both be obtained by converting the result of
+ *  tweak_add to a secp256k1_xonly_pubkey.
+ *
+ *  Returns: 1: successfully added the tweaked pubkey check to the batch
+ *           0: unparseable tweaked pubkey check or unusable batch (according to
+ *              secp256k1_batch_usable).
+ *  Args:            ctx: pointer to a context object initialized for verification.
+ *                 batch: a secp256k1 batch object created using `secp256k1_batch_create`.
+ *  In: tweaked_pubkey32: pointer to a serialized xonly_pubkey.
+ *     tweaked_pk_parity: the parity of the tweaked pubkey (whose serialization
+ *                        is passed in as tweaked_pubkey32). This must match the
+ *                        pk_parity value that is returned when calling
+ *                        secp256k1_xonly_pubkey_from_pubkey with the tweaked pubkey, or
+ *                        the final secp256k1_batch_verify on this batch will fail.
+ *       internal_pubkey: pointer to an x-only public key object to apply the tweak to.
+ *               tweak32: pointer to a 32-byte tweak.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_batch_add_xonlypub_tweak_check(
+    const secp256k1_context* ctx,
+    secp256k1_batch *batch,
+    const unsigned char *tweaked_pubkey32,
+    int tweaked_pk_parity,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_TWEAK_CHECK_BATCH_H */

src/CMakeLists.txt

@@ -33,11 +33,17 @@ if(SECP256K1_ENABLE_MODULE_SCHNORRSIG)
   set(SECP256K1_ENABLE_MODULE_EXTRAKEYS ON)
   add_compile_definitions(ENABLE_MODULE_SCHNORRSIG=1)
   set_property(TARGET secp256k1 APPEND PROPERTY PUBLIC_HEADER ${PROJECT_SOURCE_DIR}/include/secp256k1_schnorrsig.h)
+  if(SECP256K1_ENABLE_MODULE_BATCH)
+    set_property(TARGET secp256k1 APPEND PROPERTY PUBLIC_HEADER ${PROJECT_SOURCE_DIR}/include/secp256k1_schnorrsig_batch.h)
+  endif()
 endif()
 
 if(SECP256K1_ENABLE_MODULE_EXTRAKEYS)
   add_compile_definitions(ENABLE_MODULE_EXTRAKEYS=1)
   set_property(TARGET secp256k1 APPEND PROPERTY PUBLIC_HEADER ${PROJECT_SOURCE_DIR}/include/secp256k1_extrakeys.h)
+  if(SECP256K1_ENABLE_MODULE_BATCH)
+    set_property(TARGET secp256k1 APPEND PROPERTY PUBLIC_HEADER ${PROJECT_SOURCE_DIR}/include/secp256k1_tweak_check_batch.h)
+  endif()
 endif()
 
 if(SECP256K1_ENABLE_MODULE_RECOVERY)

src/modules/batch/main_impl.h

@@ -3,6 +3,14 @@
 
 #include "../../../include/secp256k1_batch.h"
 
+/* Assume two batch objects (batch1 and batch2) and we call
+ * `batch_add_tweak_check` on batch1 and `batch_add_schnorrsig` on batch2.
+ * In this case, the same randomizer will be generated if the input bytes to
+ * batch1 and batch2 are the same (even though we use different `batch_add_` funcs).
+ * Including this tag during randomizer generation (to differentiate btw
+ * `batch_add_` funcs) will prevent such mishaps. */
+enum batch_add_type {schnorrsig = 1, tweak_check = 2};
+
 /** Opaque data structure that holds information required for the batch verification.
  *
  *  Members:
@@ -146,6 +154,13 @@ void secp256k1_batch_destroy(const secp256k1_context *ctx, secp256k1_batch *batc
     }
 }
 
+int secp256k1_batch_usable(const secp256k1_context *ctx, const secp256k1_batch *batch) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(batch != NULL);
+
+    return batch->result;
+}
+
 /** verifies the inputs (schnorrsig or tweak_check) by performing multi-scalar point
  *  multiplication on the scalars (`batch->scalars`) and points (`batch->points`)
  *  present in the batch. Uses `secp256k1_ecmult_strauss_batch_internal` to perform

src/modules/extrakeys/Makefile.am.include

@@ -1,4 +1,10 @@
 include_HEADERS += include/secp256k1_extrakeys.h
+if ENABLE_MODULE_BATCH
+include_HEADERS += include/secp256k1_tweak_check_batch.h
+endif
 noinst_HEADERS += src/modules/extrakeys/tests_impl.h
 noinst_HEADERS += src/modules/extrakeys/tests_exhaustive_impl.h
 noinst_HEADERS += src/modules/extrakeys/main_impl.h
+if ENABLE_MODULE_BATCH
+noinst_HEADERS += src/modules/extrakeys/batch_add_impl.h
+endif

src/modules/extrakeys/batch_add_impl.h

@@ -0,0 +1,151 @@
+#ifndef SECP256K1_MODULE_EXTRAKEYS_BATCH_ADD_IMPL_H
+#define SECP256K1_MODULE_EXTRAKEYS_BATCH_ADD_IMPL_H
+
+#include "../../../include/secp256k1_extrakeys.h"
+#include "../../../include/secp256k1_tweak_check_batch.h"
+#include "../batch/main_impl.h"
+
+/* The number of scalar-point pairs allocated on the scratch space
+ * by `secp256k1_batch_add_xonlypub_tweak_check` */
+#define BATCH_TWEAK_CHECK_SCRATCH_OBJS 1
+
+/** Computes a 16-byte deterministic randomizer by
+ *  SHA256(batch_add_tag || tweaked pubkey || parity || tweak || internal pubkey) */
+static void secp256k1_batch_xonlypub_tweak_randomizer_gen(unsigned char *randomizer32, secp256k1_sha256 *sha256, const unsigned char *tweaked_pubkey32, const unsigned char *tweaked_pk_parity, const unsigned char *internal_pk33, const unsigned char *tweak32) {
+    secp256k1_sha256 sha256_cpy;
+    unsigned char batch_add_type = (unsigned char) tweak_check;
+
+    secp256k1_sha256_write(sha256, &batch_add_type, sizeof(batch_add_type));
+    /* add tweaked pubkey check data to sha object */
+    secp256k1_sha256_write(sha256, tweaked_pubkey32, 32);
+    secp256k1_sha256_write(sha256, tweaked_pk_parity, 1);
+    secp256k1_sha256_write(sha256, tweak32, 32);
+    secp256k1_sha256_write(sha256, internal_pk33, 33);
+
+    /* generate randomizer */
+    sha256_cpy = *sha256;
+    secp256k1_sha256_finalize(&sha256_cpy, randomizer32);
+    /* 16 byte randomizer is sufficient */
+    memset(randomizer32, 0, 16);
+}
+
+static int secp256k1_batch_xonlypub_tweak_randomizer_set(const secp256k1_context* ctx, secp256k1_batch *batch, secp256k1_scalar *r, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey,const unsigned char *tweak32) {
+    unsigned char randomizer[32];
+    unsigned char internal_buf[33];
+    size_t internal_buflen = sizeof(internal_buf);
+    unsigned char parity = (unsigned char) tweaked_pk_parity;
+    int overflow;
+    /* t = 2^127 */
+    secp256k1_scalar t = SECP256K1_SCALAR_CONST(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x80000000, 0x00000000, 0x00000000, 0x00000000);
+
+    /* We use compressed serialization here. If we would use
+    * xonly_pubkey serialization and a user would wrongly memcpy
+    * normal secp256k1_pubkeys into xonly_pubkeys then the randomizer
+    * would be the same for two different pubkeys. */
+    if (!secp256k1_ec_pubkey_serialize(ctx, internal_buf, &internal_buflen, (const secp256k1_pubkey *) internal_pubkey, SECP256K1_EC_COMPRESSED)) {
+        return 0;
+    }
+
+    secp256k1_batch_xonlypub_tweak_randomizer_gen(randomizer, &batch->sha256, tweaked_pubkey32, &parity, internal_buf, tweak32);
+    secp256k1_scalar_set_b32(r, randomizer, &overflow);
+    /* Shift scalar to range [-2^127, 2^127-1] */
+    secp256k1_scalar_negate(&t, &t);
+    secp256k1_scalar_add(r, r, &t);
+    VERIFY_CHECK(overflow == 0);
+
+    return 1;
+}
+
+/** Adds the given x-only tweaked public key check to the batch.
+ *
+ *  Updates the batch object by:
+ *     1. adding the point P-Q to the scratch space
+ *          -> the point is of type `secp256k1_gej`
+ *     2. adding the scalar ai to the scratch space
+ *          -> ai is the scalar coefficient of P-Q (in multi multiplication)
+ *     3. incrementing sc_g (scalar of G) by ai.tweak
+ *
+ *  Conventions used above:
+ *     -> Q (tweaked pubkey)   = EC point where parity(y) = tweaked_pk_parity
+ *                               and x = tweaked_pubkey32
+ *     -> P (internal pubkey)  = internal pubkey
+ *     -> ai (randomizer)      = sha256_tagged(batch_add_tag || tweaked_pubkey32  ||
+ *                                             tweaked_pk_parity || tweak32 || pubkey)
+ *     -> tweak (challenge)    = tweak32
+ *
+ * This function is based on `secp256k1_xonly_pubkey_tweak_add_check`.
+ */
+int secp256k1_batch_add_xonlypub_tweak_check(const secp256k1_context* ctx, secp256k1_batch *batch, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey,const unsigned char *tweak32) {
+    secp256k1_scalar tweak;
+    secp256k1_scalar ai;
+    secp256k1_ge pk;
+    secp256k1_ge q;
+    secp256k1_gej tmpj;
+    secp256k1_fe qx;
+    int overflow;
+    size_t i;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(batch != NULL);
+    ARG_CHECK(internal_pubkey != NULL);
+    ARG_CHECK(tweaked_pubkey32 != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    if(batch->result == 0) {
+        return 0;
+    }
+
+    if (!secp256k1_fe_set_b32_limit(&qx, tweaked_pubkey32)) {
+        return 0;
+    }
+
+    secp256k1_scalar_set_b32(&tweak, tweak32, &overflow);
+    if (overflow) {
+        return 0;
+    }
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)) {
+        return 0;
+    }
+
+    /* if insufficient space in batch, verify the inputs (stored in curr batch) and
+     * save the result. This extends the batch capacity since `secp256k1_batch_verify`
+     * clears the batch after verification. */
+    if (batch->capacity - batch->len < BATCH_TWEAK_CHECK_SCRATCH_OBJS) {
+        secp256k1_batch_verify(ctx, batch);
+    }
+
+    i = batch->len;
+    /* append point P-Q to the scratch space */
+    if (!secp256k1_ge_set_xo_var(&q, &qx, tweaked_pk_parity)) {
+        return 0;
+    }
+    if (!secp256k1_ge_is_in_correct_subgroup(&q)) {
+        return 0;
+    }
+    secp256k1_ge_neg(&q, &q);
+    secp256k1_gej_set_ge(&tmpj, &q);
+    secp256k1_gej_add_ge_var(&tmpj, &tmpj, &pk, NULL);
+    batch->points[i] = tmpj;
+
+    /* Compute ai (randomizer) */
+    if (batch->len == 0) {
+        /* set randomizer as 1 for the first term in batch */
+        ai = secp256k1_scalar_one;
+    } else if(!secp256k1_batch_xonlypub_tweak_randomizer_set(ctx, batch, &ai, tweaked_pubkey32, tweaked_pk_parity, internal_pubkey, tweak32)) {
+        return 0;
+    }
+
+    /* append scalar ai to scratch space */
+    batch->scalars[i] = ai;
+
+    /* increment scalar of G by ai.tweak */
+    secp256k1_scalar_mul(&tweak, &tweak, &ai);
+    secp256k1_scalar_add(&batch->sc_g, &batch->sc_g, &tweak);
+
+    batch->len += 1;
+
+    return 1;
+}
+
+#endif /* SECP256K1_MODULE_EXTRAKEYS_BATCH_ADD_IMPL_H */

src/modules/schnorrsig/Makefile.am.include

@@ -1,5 +1,11 @@
 include_HEADERS += include/secp256k1_schnorrsig.h
+if ENABLE_MODULE_BATCH
+include_HEADERS += include/secp256k1_schnorrsig_batch.h
+endif
 noinst_HEADERS += src/modules/schnorrsig/main_impl.h
 noinst_HEADERS += src/modules/schnorrsig/tests_impl.h
 noinst_HEADERS += src/modules/schnorrsig/tests_exhaustive_impl.h
 noinst_HEADERS += src/modules/schnorrsig/bench_impl.h
+if ENABLE_MODULE_BATCH
+noinst_HEADERS += src/modules/schnorrsig/batch_add_impl.h
+endif