Schnorr adaptor signatures (#171)

* refactor comments

* add extract function

* remove rt calculation logic from _verify

* modify internal _verify function

* fix changelog

* add adaptorVerify and modify extract function

* add scalar validation in extract

* readme

---------

Co-authored-by: Artem Chystiakov <artem.ch31@gmail.com>

Author: mllwchrry

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## [patch]
+
+- Added `extract` function to the `Schnorr256` library to extract a secret from a standard/adaptor Schnorr signature pair.
+
 ## [3.2.6]
 
 - Enhanced the `ABridge` contract architecture.

README.md

@@ -64,7 +64,7 @@ contracts
 │   │   ├── ECDSA256 — "ECDSA verification over any 256-bit curve"
 │   │   ├── ECDSA384 — "ECDSA verification over any 384-bit curve"
 │   │   ├── ECDSA512 — "ECDSA verification over any 512-bit curve"
-│   │   ├── Schnorr256 — "Schnorr signature verification over any 256-bit curve"
+│   │   ├── Schnorr256 — "Schnorr + adaptor signature verification over any 256-bit curve"
 │   │   └── RSASSAPSS — "RSASSA-PSS signature verification with MGF1"
 │   ├── data—structures
 │   │   ├── AvlTree — "AVL tree implementation with an iterator traversal"

contracts/libs/crypto/Schnorr256.sol

@@ -7,21 +7,24 @@ import {MemoryUtils} from "../utils/MemoryUtils.sol";
 /**
  * @notice Cryptography module
  *
- * This library provides functionality for Schnorr signature verification over any 256-bit curve.
+ * This library provides functionality for Schnorr signature verification over any 256-bit curve,
+ * together with secret extraction from a standard/adaptor Schnorr signature pair.
  */
 library Schnorr256 {
     using MemoryUtils for *;
     using EC256 for *;
 
     error LengthIsNot64();
     error LengthIsNot96();
+    error InvalidSignatureScalar();
 
     /**
-     * @notice The function to verify the Schnorr signature
+     * @notice The function to verify the Schnorr signature.
      * @param ec the 256-bit curve parameters.
      * @param hashedMessage_ the already hashed message to be verified.
      * @param signature_ the Schnorr signature. Equals to `bytes(R) + bytes(e)`.
      * @param pubKey_ the full public key of a signer. Equals to `bytes(x) + bytes(y)`.
+     * @return True if the signature is valid, false otherwise.
      */
     function verify(
         EC256.Curve memory ec,
@@ -39,7 +42,7 @@ library Schnorr256 {
         EC256.JPoint memory lhs_ = ec.jMultShamir(ec.jbasepoint(), e_);
 
         uint256 c_ = ec.toScalar(
-            uint256(keccak256(abi.encodePacked(ec.gx, ec.gy, r_.x, r_.y, hashedMessage_)))
+            uint256(keccak256(abi.encodePacked(p_.x, p_.y, r_.x, r_.y, hashedMessage_)))
         );
 
         EC256.JPoint memory rhs_ = ec.jMultShamir(p_.toJacobian(), c_);
@@ -48,6 +51,81 @@ library Schnorr256 {
         return ec.jEqual(lhs_, rhs_);
     }
 
+    /**
+     * @notice The function to verify the adaptor Schnorr signature.
+     * @dev The adaptor Schnorr signature is expected to be computed as:
+     *
+     *          c = H(P || (R + T) || m)
+     *          e' = (r + c * privKey) mod n
+     *          signature = (R, e')
+     *
+     * @param ec the 256-bit curve parameters.
+     * @param hashedMessage_ the already hashed message to be verified.
+     * @param signature_ The adaptor Schnorr signature. Equals to `bytes(R) + bytes(e′)`.
+     * @param pubKey_ the full public key of a signer. Equals to `bytes(x) + bytes(y)`.
+     * @param t_ the adaptor secret point added to the nonce in the challenge computation.
+     * @return True if the adaptor signature is valid, false otherwise.
+     */
+    function adaptorVerify(
+        EC256.Curve memory ec,
+        bytes32 hashedMessage_,
+        bytes memory signature_,
+        bytes memory pubKey_,
+        EC256.APoint memory t_
+    ) internal view returns (bool) {
+        (EC256.APoint memory r_, uint256 e_) = _parseSignature(signature_);
+        EC256.APoint memory p_ = _parsePubKey(pubKey_);
+
+        if (!ec.isOnCurve(r_) || !ec.isOnCurve(p_) || !ec.isOnCurve(t_) || !ec.isValidScalar(e_)) {
+            return false;
+        }
+
+        EC256.JPoint memory lhs_ = ec.jMultShamir(ec.jbasepoint(), e_);
+        EC256.APoint memory rt_ = ec.toAffine(ec.jAddPoint(r_.toJacobian(), t_.toJacobian()));
+
+        uint256 c_ = ec.toScalar(
+            uint256(keccak256(abi.encodePacked(p_.x, p_.y, rt_.x, rt_.y, hashedMessage_)))
+        );
+
+        EC256.JPoint memory rhs_ = ec.jMultShamir(p_.toJacobian(), c_);
+        rhs_ = ec.jAddPoint(rhs_, r_.toJacobian());
+
+        return ec.jEqual(lhs_, rhs_);
+    }
+
+    /**
+     * @notice The function to extract the adaptor secret from a pair of Schnorr signatures.
+     * @dev This function does not verify the validity of either signature.
+     *      Callers are responsible for verifying both the standard and adaptor signatures
+     *      separately via `verify` and `adaptorVerify` before extraction.
+     *
+     *      The standard Schnorr signature is expected to be computed from the adaptor one as:
+     *          e = e' + t = (r + t + c * privKey) mod n
+     *          signature = (R + T, e)
+     *
+     *      Secret extraction is performed as follows:
+     *          t = (e - e') mod n
+     *
+     * @param ec the 256-bit curve parameters.
+     * @param signature_ the Schnorr signature. Equals to `bytes(R + T) + bytes(e)`.
+     * @param adaptorSignature_ the adaptor Schnorr signature. Equals to `bytes(R) + bytes(e')`.
+     * @return The secret scalar used in the signature.
+     */
+    function extract(
+        EC256.Curve memory ec,
+        bytes memory signature_,
+        bytes memory adaptorSignature_
+    ) internal pure returns (uint256) {
+        (, uint256 sigScalar_) = _parseSignature(signature_);
+        (, uint256 adaptorScalar_) = _parseSignature(adaptorSignature_);
+
+        if (!ec.isValidScalar(sigScalar_) || !ec.isValidScalar(adaptorScalar_)) {
+            revert InvalidSignatureScalar();
+        }
+
+        return addmod(sigScalar_, ec.n - adaptorScalar_, ec.n);
+    }
+
     /**
      * @dev Helper function for splitting 96-byte signature into R (affine point) and e (scalar) components.
      */

contracts/mock/libs/crypto/Schnorr256Mock.sol

@@ -22,4 +22,27 @@ contract Schnorr256Mock {
     ) external view returns (bool isVerified_) {
         return Schnorr256.verify(_secp256k1CurveParams, hashedMessage_, signature_, pubKey_);
     }
+
+    function adaptorVerifySECP256k1(
+        bytes32 hashedMessage_,
+        bytes memory signature_,
+        bytes memory pubKey_,
+        EC256.APoint memory rt_
+    ) external view returns (bool isVerified_) {
+        return
+            Schnorr256.adaptorVerify(
+                _secp256k1CurveParams,
+                hashedMessage_,
+                signature_,
+                pubKey_,
+                rt_
+            );
+    }
+
+    function extractSECP256k1(
+        bytes memory signature_,
+        bytes memory adaptorSignature_
+    ) external view returns (uint256 isVerified_) {
+        return Schnorr256.extract(_secp256k1CurveParams, signature_, adaptorSignature_);
+    }
 }

test/libs/crypto/Schnorr256.test.ts

@@ -25,28 +25,54 @@ describe("Schnorr256", () => {
     return ethers.solidityPacked(["uint256", "uint256"], [p.x, p.y]);
   };
 
-  const schnorrSign = function (hashedMessage: string, privKey: bigint) {
+  const schnorrSign = function (hashedMessage: string, privKey: bigint, pubKey: AffinePoint<bigint>) {
     const randomness = schnorrKeyPair();
     const k = randomness.privKey;
     const R = randomness.pubKey;
 
     const c = BigInt(
       ethers.solidityPackedKeccak256(
         ["uint256", "uint256", "uint256", "uint256", "bytes32"],
-        [secp256k1.CURVE.Gx, secp256k1.CURVE.Gy, R.x, R.y, hashedMessage],
+        [pubKey.x, pubKey.y, R.x, R.y, hashedMessage],
       ),
     );
     const e = (k + c * privKey) % secp256k1.CURVE.n;
 
     return ethers.solidityPacked(["uint256", "uint256", "uint256"], [R.x, R.y, e]);
   };
 
+  const schnorrAdaptorSign = function (
+    hashedMessage: string,
+    privKey: bigint,
+    pubKey: AffinePoint<bigint>,
+    T: AffinePoint<bigint>,
+  ) {
+    const randomness = schnorrKeyPair();
+    const k = randomness.privKey;
+    const R = randomness.pubKey;
+
+    const RT = secp256k1.ProjectivePoint.fromAffine(R).add(secp256k1.ProjectivePoint.fromAffine(T)).toAffine();
+
+    const c = BigInt(
+      ethers.solidityPackedKeccak256(
+        ["uint256", "uint256", "uint256", "uint256", "bytes32"],
+        [pubKey.x, pubKey.y, RT.x, RT.y, hashedMessage],
+      ),
+    );
+
+    const e = (k + c * privKey) % secp256k1.CURVE.n;
+
+    const signature = ethers.solidityPacked(["uint256", "uint256", "uint256"], [R.x, R.y, e]);
+
+    return { signature, RT, e };
+  };
+
   const prepareParameters = function (message: string) {
     const { privKey, pubKey } = schnorrKeyPair();
 
     const hashedMessage = ethers.keccak256(message);
 
-    const signature = schnorrSign(hashedMessage, privKey);
+    const signature = schnorrSign(hashedMessage, privKey, pubKey);
 
     return {
       hashedMessage,
@@ -108,4 +134,80 @@ describe("Schnorr256", () => {
       expect(await schnorr.verifySECP256k1(hashedMessage, signature, wrongPubKey)).to.be.false;
     });
   });
+
+  describe("adaptorVerify", () => {
+    it("should verify the adaptor signature", async () => {
+      const { privKey, pubKey } = schnorrKeyPair();
+
+      const hashedMessage = ethers.keccak256("0x1337");
+
+      const t = bytesToNumberBE(secp256k1.utils.randomPrivateKey());
+      const T = secp256k1.ProjectivePoint.BASE.multiply(t).toAffine();
+
+      const { signature } = schnorrAdaptorSign(hashedMessage, privKey, pubKey, T);
+
+      expect(await schnorr.adaptorVerifySECP256k1(hashedMessage, signature, serializePoint(pubKey), T)).to.be.true;
+    });
+
+    it("should not verify if adaptor signature or public key or T is invalid", async () => {
+      const { privKey, pubKey } = schnorrKeyPair();
+
+      const hashedMessage = ethers.keccak256("0x1337");
+
+      const t = bytesToNumberBE(secp256k1.utils.randomPrivateKey());
+      const t2 = bytesToNumberBE(secp256k1.utils.randomPrivateKey());
+
+      const T = secp256k1.ProjectivePoint.BASE.multiply(t).toAffine();
+      const T2 = secp256k1.ProjectivePoint.BASE.multiply(t2).toAffine();
+
+      const { signature } = schnorrAdaptorSign(hashedMessage, privKey, pubKey, T);
+
+      expect(await schnorr.adaptorVerifySECP256k1(ethers.keccak256("0x1227"), signature, serializePoint(pubKey), T)).to
+        .be.false;
+
+      expect(await schnorr.adaptorVerifySECP256k1(hashedMessage, signature, serializePoint(pubKey), T2)).to.be.false;
+
+      const wrongPubKey = "0x" + ethers.toBeHex(0, 0x40).slice(2);
+      expect(await schnorr.adaptorVerifySECP256k1(hashedMessage, signature, wrongPubKey, T)).to.be.false;
+    });
+  });
+
+  describe("extract", () => {
+    it("should extract secret from two signatures correctly", async () => {
+      const { privKey, pubKey } = schnorrKeyPair();
+
+      const hashedMessage = ethers.keccak256("0x1337");
+
+      const t = bytesToNumberBE(secp256k1.utils.randomPrivateKey());
+      const T = secp256k1.ProjectivePoint.BASE.multiply(t).toAffine();
+
+      const { signature: adaptorSignature, RT, e } = schnorrAdaptorSign(hashedMessage, privKey, pubKey, T);
+
+      const signatureScalar = (e + t) % secp256k1.CURVE.n;
+
+      const signature = ethers.solidityPacked(["uint256", "uint256", "uint256"], [RT.x, RT.y, signatureScalar]);
+
+      expect(await schnorr.extractSECP256k1(signature, adaptorSignature)).to.be.eq(t);
+    });
+
+    it("should revert if invalid signature or adaptor signature scalar is provided", async () => {
+      const signature = ethers.solidityPacked(["uint256", "uint256", "uint256"], [1n, 1n, 10n]);
+      const adaptorSignature = ethers.solidityPacked(["uint256", "uint256", "uint256"], [1n, 1n, 2n]);
+
+      const invalidSignature = ethers.solidityPacked(["uint256", "uint256", "uint256"], [1n, 1n, secp256k1.CURVE.n]);
+      const invalidAdaptorSignature = ethers.solidityPacked(
+        ["uint256", "uint256", "uint256"],
+        [1n, 1n, secp256k1.CURVE.n],
+      );
+
+      await expect(schnorr.extractSECP256k1(invalidSignature, adaptorSignature)).to.be.revertedWithCustomError(
+        schnorr,
+        "InvalidSignatureScalar",
+      );
+      await expect(schnorr.extractSECP256k1(signature, invalidAdaptorSignature)).to.be.revertedWithCustomError(
+        schnorr,
+        "InvalidSignatureScalar",
+      );
+    });
+  });
 });