expose dleq_prove and dleq_verify

These functions in the ecdsa_adaptor module are static/internal. We want to make use of them in the BitBox firmware, so we expose them. They are useful in the context of silent payments (BIP-352). In the future, we expect new BIPs for silent payments in PSBT including a DLEQ specification, and a dedicated silent payment module in libsecp256k1 that includes the DLEQ functions. Until then, we use the ones here. See also: - https://delvingbitcoin.org/t/bip352-psbt-support/877 - https://gist.github.com/andrewtoth/df97c3260cc8d12f09d3855ee61322ea - bitcoin-core/secp256k1#1519
BitBoxSwiss · Jul 23, 2024 · e881028 · e881028
1 parent 0b916d3
commit e881028
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 0 deletions.
diff --git a/include/secp256k1_ecdsa_adaptor.h b/include/secp256k1_ecdsa_adaptor.h
@@ -157,6 +157,30 @@ SECP256K1_API int secp256k1_ecdsa_adaptor_recover(
     const secp256k1_pubkey *enckey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
+
+/**
+ * This exposes `secp256k1_dleq_prove()` in dleq_impl.h so the BitBox firmware can use it.
+ */
+SECP256K1_API int bitbox_secp256k1_dleq_prove(
+    const secp256k1_context* ctx,
+    unsigned char *s,
+    unsigned char *e,
+    const unsigned char *sk,
+    const secp256k1_pubkey *gen2,
+    const secp256k1_pubkey *p1,
+    const secp256k1_pubkey *p2);
+
+/**
+ * This exposes `secp256k1_dleq_verify()` in dleq_impl.h so the BitBox firmware can use it.
+ */
+SECP256K1_API int bitbox_secp256k1_dleq_verify(
+    const secp256k1_context* ctx,
+    const unsigned char *s,
+    const unsigned char *e,
+    const secp256k1_pubkey *p1,
+    const secp256k1_pubkey *gen2,
+    const secp256k1_pubkey *p2);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/src/modules/ecdsa_adaptor/dleq_impl.h b/src/modules/ecdsa_adaptor/dleq_impl.h
@@ -155,4 +155,57 @@ static int secp256k1_dleq_verify(const secp256k1_scalar *s, const secp256k1_scal
     return secp256k1_scalar_is_zero(&e_expected);
 }
 
+int bitbox_secp256k1_dleq_prove(const secp256k1_context* ctx, unsigned char *s, unsigned char *e, const unsigned char *sk, const secp256k1_pubkey *gen2, const secp256k1_pubkey *p1, const secp256k1_pubkey *p2)
+{
+    secp256k1_ge c_gen2;
+    secp256k1_ge c_p1;
+    secp256k1_ge c_p2;
+    secp256k1_scalar c_s;
+    secp256k1_scalar c_e;
+    secp256k1_scalar c_sk;
+    if (!secp256k1_pubkey_load(ctx, &c_gen2, gen2)) {
+        return 0;
+    }
+    if (!secp256k1_pubkey_load(ctx, &c_p1, p1)) {
+        return 0;
+    }
+    if (!secp256k1_pubkey_load(ctx, &c_p2, p2)) {
+        return 0;
+    }
+    if (!secp256k1_scalar_set_b32_seckey(&c_sk, sk)) {
+        return 0;
+    }
+    int result = secp256k1_dleq_prove(ctx, &c_s, &c_e, &c_sk, &c_gen2, &c_p1, &c_p2, NULL, NULL);
+    secp256k1_scalar_clear(&c_sk);
+    if (!result) {
+        return 0;
+    }
+    secp256k1_scalar_get_b32(s, &c_s);
+    secp256k1_scalar_get_b32(e, &c_e);
+    return 1;
+}
+
+int bitbox_secp256k1_dleq_verify(const secp256k1_context* ctx, const unsigned char *s, const unsigned char *e, const secp256k1_pubkey *p1, const secp256k1_pubkey *gen2, const secp256k1_pubkey *p2) {
+    secp256k1_scalar c_s;
+    secp256k1_scalar c_e;
+    secp256k1_ge c_p1;
+    secp256k1_ge c_gen2;
+    secp256k1_ge c_p2;
+    secp256k1_scalar_set_b32(&c_s, s, NULL);
+    secp256k1_scalar_set_b32(&c_e, e, NULL);
+    if (!secp256k1_pubkey_load(ctx, &c_p1, p1)) {
+        return 0;
+    }
+    if (!secp256k1_pubkey_load(ctx, &c_gen2, gen2)) {
+        return 0;
+    }
+    if (!secp256k1_pubkey_load(ctx, &c_p2, p2)) {
+        return 0;
+    }
+    if (!secp256k1_dleq_verify(&c_s, &c_e, &c_p1, &c_gen2, &c_p2)) {
+        return 0;
+    }
+    return 1;
+}
+
 #endif