Add Musig2 module

[jlest01]

This PR adds a musig module based on bitcoin-core/secp256k1#1479.
The structure is based on @sanket1729's BlockstreamResearch/rust-secp256k1-zkp#48, but I removed the code related to adaptor signatures.

There is an example file in examples/musig.rs and can be run with cargo run --example musig --features "rand std".
The ffi functions were added to secp256k1-sys/src/lib.rs and the API level functions to the new src/musig.rs file.

[Kixunil]

Awesome!!! I would wait until the upstream PR merges (and releases) before merging this but I'm looking forward to it. I gave it a quick look anyway.

[Kixunil]

IMO this should be just panic. It can only happen if someone passes wrong value to dangerous ID creation function.

[tcharding]

This is a 10 thousand line diff, is something commited that shouldn't be?

[apoelstra]

It updates the vendored library to bring in the upstream MuSig PR.

[jlest01]

It updates the vendored library to bring in the upstream MuSig PR.

Yes. For now, only the last three commits matter for review purposes.
The others will be discarded when the upstream MuSig PR is merged.

[tcharding]

Cool, thanks. To clarify this is going to wait till upstream merges before being considered for merge, right? What sort of review are you chasing?

[Kixunil]

@tcharding I will definitely not ack this until it's upstream is released. However I appreciate the experiment/demo.

[jlest01]

To clarify this is going to wait till upstream merges before being considered for merge, right? What sort of review are you chasing?

Yes, the idea is to wait for the upstream PR to be merged.
Regarding the review, I mean that the last three commits are the ones that are intended to be merged.

[Kixunil]

Isn't this highly misleading? If it's all-zeros it's not a nonce and thus broken. Where would one need it?

[jlest01]

Same as here: #716 (comment)

[Kixunil]

The documentation of these methods is intended for the higher-level API implementors not for for end consumers so it should rather properly describe what's going on here.

[jlest01]

Done. Thanks.

[Kixunil]

Looks also broken.

[jlest01]

Same as here: #716 (comment)

[Kixunil]

It looks to me that none of these Defaults should exist. People should just use arrays or MaybeUninit<T> to represent the uninitialized state.

[jlest01]

Are you suggesting something like this ?

let key_agg_cache = MaybeUninit::<ffi::MusigKeyAggCache>::uninit();
let mut key_agg_cache = key_agg_cache.assume_init();

This will cause UB (without MaybeUninit::write).
The reason for pub fn new() is that the internal array is private (ex: pub struct MusigKeyAggCache([c_uchar; MUSIG_KEYAGG_LEN]);), which is consistent with the other structs in the code.

[Kixunil]

No, provide a function that constructs initialized types only.

[Kixunil]

Oh, now I see that I was confused because these are the FFI structs. However, I still maintain they are highly confusing.

The correct usage (inside secp256k1::musig::MusigKeyAggCache::new) is this:

let mut key_agg_cache = MaybeUninit::<ffi::MusigKeyAggCache>::uninit();
let mut agg_pk = MaybeUninit::<ffi::XOnlyPublicKey>::uninit();
unsafe {
    if ffi::secp256k1_musig_pubkey_agg(
        cx,
        agg_pk.as_mut_ptr(),
        key_agg_cache.as_mut_ptr(),
        pubkeys.as_ptr(),
        pubkey_ptrs.len(),
    ) == 0 {
        panic!(...);
    } else {
        // secp256k1_musig_pubkey_agg overwrites the cache and the key so this is sound.
        let key_agg_cache = key_agg_cache.assume_init();
        let agg_pk = agg_pk.assume_init();
        MusigKeyAggCache(key_agg_cache, pk);
    }
}

[jlest01]

Thanks for the clarification.
Done in 2ea5674

[jlest01]

I've also applied the same approach to the other structs.

[Kixunil]

FTR these struct declarations looked wrong but are indeed correct based on the current API.

[jlest01]

Do you think they should be changed?

[Kixunil]

We usually name these InvalidLength.

[jlest01]

Done. Thanks.

[sanket1729]

Upstream was released yesterday

[apoelstra]

Can you rebase and format each commit with the nightly formatter? That should fix CI.

[jlest01]

Can you rebase and format each commit with the nightly formatter? That should fix CI.

Yes, done. Thanks.

[tcharding]

Patch 1 can be removed now, right? Then your shellcheck CI fail should disappear.

[jlest01]

@stevenroose thanks for the review.
Unlike this project, rust-secp256k1-zkp supports Vec, which makes it compatible with the use of &[T].
You can do let pubkey_ptrs = pubkeys.iter().map(|k| k.as_c_ptr()).collect::<Vec<_>>(); there, for example.

As far as I know, there is no way to add &[T] or &[impl Borrow<T>] here because the compiler needs to know the exact size of types at compile time.

If I change to:
pub fn new<C: Verification, P: Borrow<PublicKey>>(secp: &Secp256k1<C>, pubkeys: &[P]) -> Self {,
it causes SIGSEGV (Address boundary error).

If I change to:
pub fn new<C: Verification>(secp: &Secp256k1<C>, pubkeys: &[Borrow<PublicKey>]) -> Self {,
the error is:
the size for values of type 'dyn std::borrow::Borrow<key::PublicKey>' cannot be known at compilation time the trait 'Sized' is not implemented for 'dyn std::borrow::Borrow<key::PublicKey>'

[Kixunil]

Not too deep review, I mainly looked at the API. It still needs polishing, I think. Also some of my earlier comments were not addressed.

[Kixunil]

Oh, now I see that I was confused because these are the FFI structs. However, I still maintain they are highly confusing.

The correct usage (inside secp256k1::musig::MusigKeyAggCache::new) is this:

let mut key_agg_cache = MaybeUninit::<ffi::MusigKeyAggCache>::uninit();
let mut agg_pk = MaybeUninit::<ffi::XOnlyPublicKey>::uninit();
unsafe {
    if ffi::secp256k1_musig_pubkey_agg(
        cx,
        agg_pk.as_mut_ptr(),
        key_agg_cache.as_mut_ptr(),
        pubkeys.as_ptr(),
        pubkey_ptrs.len(),
    ) == 0 {
        panic!(...);
    } else {
        // secp256k1_musig_pubkey_agg overwrites the cache and the key so this is sound.
        let key_agg_cache = key_agg_cache.assume_init();
        let agg_pk = agg_pk.assume_init();
        MusigKeyAggCache(key_agg_cache, pk);
    }
}

[Kixunil]

I'd prefer named fields.

[jlest01]

Ok. I can change the Musig structs to have named fields, but they will be inconsistent with other structs in the src folder.

[Kixunil]

Please don't worry about inconsistencies too much if there's a clearly better way to do things. The library is old and some parts were not written perfectly or had to obey old MSRV and nobody had the time to fix it yet. We should improve them eventually but that doesn't mean we should make the new code intentionally worse just to stay consistent.

[jlest01]

Named fields added in ddae0f0

[Kixunil]

This leaks the nonce. We need to hide it.

[jlest01]

Good catch. Done in 2ea5674

[Kixunil]

Why is this called MusigSecRand and not SessionId?

[apoelstra]

If this is the value I'm thinking of, the name "session ID" was leading people to store and reuse this.

[jlest01]

This comment can help: BlockstreamResearch/rust-secp256k1-zkp#48 (review)

[Kixunil]

Oh, OK. Then we should also change the parameter names. However it's unclear to me how it's different from secret nonce other than different purpose. MusigSecRand isn't readable to me. If the thing must not be reused and kept secret and is per-session perhaps SecretSessionNonce would be more readable. (But honestly, I'm not sure if I got the properties right.)

[apoelstra]

Please file an issue upstream if you want to rename this.

[Kixunil]

@apoelstra I've noticed that it's already named differntly - session_secrand32 and reading the discussion, it doesn't have to be a nonce. So it's already named much better in upstream. However, I'd rather spell out the whole word "secret" ("does 'sec' mean 'second'?") and drop the 32 which is pointless in Rust since we carry that information in the type. If you think I should still suggest this upstream, I will.

[apoelstra]

I'm fine with expanding upstream's sec to Secret here. Glad they've added session -- I agree that this is a better name -- but I didn't want to add it here if upstream hadn't.

So I think we're in agreement here now.

[jlest01]

Renamed MusigSecRand to MusigSessionSecRand in 7a13c8f to match upstream.

[Kixunil]

Given we are already in the musig module, I find the Musig prefix redundant and potentially annoying. I'd rather spend those characters on spelling out the word Secret.

[jlest01]

Prefix Musig removed from structs and functions in src\musig.rs in 3204792 as below:

. MusigSecRand -> SessionSecretRand
. MusigKeyAggCache -> KeyAggCache
. MusigPartialSignature -> PartialSignature
. MusigSecNonce -> SecretNonce
. MusigPubNonce -> PublicNonce
. MusigAggNonce -> AggregatedNonce
. MusigSession -> Session
. new_musig_nonce_pair(...) -> new_nonce_pair(...)

[Kixunil]

This doc is confusing. The struct provides generation API that already guarantees uniqueness (by taking an RNG).

[jlest01]

Thanks. Updated in 499326e.

[Kixunil]

I think the message could be just "the tweak is negation of secret key".

[jlest01]

Done in 499326e

[Kixunil]

We should have statically typed API that prevents this from happening so the type shouldn't exist.

[jlest01]

I didn't quite understand this suggestion.
Could you elaborate further?

[Kixunil]

The ID is generated by RNG which means zero is impossible (but OK to panic there to catch broken RNGs) and all functions that accept it accept the strong type. Thus the errors they return are unreachable, so we should panic instead to catch implementation breakage.

[jlest01]

Thanks for the clarification.
Done in 4bf5abd.

[Kixunil]

Grammar. Also it's unclear if it's a limitation of the upstream or the high-level library (looks like the latter in which case I'd very much like to have this).

[jlest01]

Updated in 499326e

[Kixunil]

I believe we've decided that we want to construct things from arrays rather than slices.

[jlest01]

Done in 499326e

Also updated the other slices parameters to use array.

[Kixunil]

You need to also update the name to from_byte_array, since it's no longer a slice (@apoelstra did we agree on this naming in this crate?)

[Kixunil]

The way this example is written makes it difficult to understand how one would use the API in a real-world application where the signers are not in a single binary but distributed and need to exchange messages. I suggest restructuring the code such that operations of each signer are separated. Maybe it'd be even better to use threads and channels to simulate message transmission unless it makes the code too complicated (I think it shouldn't since it should be just a few additional lines.)

[jlest01]

Thanks for the suggestion. Looking into this.

[Kixunil]

Somewhat deeper review but still not super-deep.

[Kixunil]

Could be MaybeUninit as well.

[apoelstra]

I would suggest that we avoid microoptimizations on a first pass. I don't mind using MaybeUninit but it would be better to add it in a followup PR that could be reviewed independently of the rest of the API and logic.

[jlest01]

Done in 44feb9f

[Kixunil]

I personally consider MaybeUninit as improving semantics and optimization is just a side effect. (Theoretically return value is even better for semantics but we can't do that in C API.) That being said, I said "could" to mean "not important, would be nice", I would've said "should" or "must" otherwise. :)

[Kixunil]

Mentioning 32 bytes here is redundant, the type enforces it.

[jlest01]

Done in 668c296

[Kixunil]

This transmute is invalid. You either have to use the as pointer cast or core::slice::from_raw_parts. But even that shouldn't be needed, just cast the thin pointers when passing arguments.

[jlest01]

Done in 668c296

[Kixunil]

Looking at it again, the sort is wrong. It can be used but doesn't have to and you're forcing it. Thus this code makes it impossible to use the library with implementations in other languages that sort the keys differently.

The sort needs to be removed here.

[Kixunil]

These are not pointers in Rust. Just name the argument nones.

[jlest01]

Done in 668c296

[jlest01]

The sort function was removed from KeyAggCache::new(...) in 9b1f7cb

A new commit was added to make the sort function available d5b4e53

[Kixunil]

It might be interesting to benchmark this against core::sort_unstable* methods to see which is better but I suspect C impl will have advantage at least in non-LTO builds.

[Kixunil]

Invalid transmute again.

[jlest01]

Done in 668c296

[Kixunil]

2^128

[jlest01]

Done in 668c296

[Kixunil]

This is impossible because we consume the nonce and drop it.

[apoelstra]

It took me a moment to understand this comment. The trick is that secp256k1_musig_partial_sign can't actually detect "nonce reuse" in general. What it does do is zero out the nonce that is passed to it, and if the user then tries to pass that nonce back in, it'll see all zeroes and error out.

But Kix is correct that this pattern is impossible in the Rust code because of the ownership pattern of these methods. So this error return should be an assertion instead.

If the user manages to reuse a nonce in a different way (by reusing a session randomness when generating nonces, or just abusing unsafe code to duplicate an existing one) then we can't detect this and the user will just be screwed.

[jlest01]

Good catch. Very interesting. Done in d743a21

[Kixunil]

This API may be a bit misleading. As opposed to normal signatures, the result of this function is not guaranteed to be valid (e.g. if one signer produced an invalid partial signature). This could be a footgun in protocols that require signature validity before signing (such as LN requiring commitment transaction to be signed before signing opening transaction)

I suggest returning a new type AggregatedSignature with two methods: assume_valid(self) -> shnorr::Signature and verify(self, aggregate_key: XOnlyPublicKey, message: &[u8]) -> Result<schnorr::Signature, Error>. The consumers can then verify the signature or explicitly acknowledge they don't need to verify it.

[apoelstra]

I like this.

[jlest01]

Done in 49dd1c1

[Kixunil]

Still not deep review, just some problems I noticed when I was digging into the API for other reasons.

[Kixunil]

This signature is invalid. It's supposed to be a mut pointer pointing to a const pointer. IIUC this is unsound.

@apoelstra this is exactly why I advocate for using bindgen. Bugs like this can happen and without it we have to spend time to audit every single function to make sure the signature is correct.

[apoelstra]

Yeah, ok, we should use bindgen. But (at least initially) I would like to commit the generated code and verify it in CI rather than putting it as part of the build process, to minimize the number of dependencies that downstream users need.

We would also need to figure out what to do about secp256k1-sys/src/types.rs. Will bindgen require some sort of tweaking to use these types? Or will we need a post-processing step? Or maybe we should just bump our MSRV to 1.64 so we don't need this file anymore?

[jlest01]

Good catch. Fixed in ff77611

[jlest01]

However, it is interesting that Rust does not enforce the const modifier in this case.

[Kixunil]

But (at least initially) I would like to commit the generated code and verify it in CI rather than putting it as part of the build process, to minimize the number of dependencies that downstream users need.

Yes, but maybe use xtask pattern for that? Rather than committing, we would have a subcrate that generates it and the developers would run it when contributing or publishing the crate (so the code would still be on crates.io). The upside is no CI job needed, the downside is that every contributor has to run the xtask even for unrelated contributions.

Rust does not enforce the const modifier in this case.

The compiler has no way of understanding the C code.

[apoelstra]

Moved bindgen discussion to #775

[Kixunil]

This is definitely unsound. The function is mutating the argument but it's not using mut.

[jlest01]

Fixed in 2755c15

[Kixunil]

Given this has only one variant, either it should be a struct or it should have #[non_exhaustive] if we anticipate new errors in the future (personally I don't believe we have a reason to think there will be new ones).

[jlest01]

Done in 404a93b

[Kixunil]

Rename

[jlest01]

To deserialize(...) ?

[jlest01]

Now I saw it in the comment above.
Updated to from_byte_array() in 3e9d296

[Kixunil]

Damn, I was unclear. I only meant to have named fields in structs that have more than one field. This could've been tuple struct. You don't have to change it back if you don't want to but you can if you wish.

[jlest01]

No problem. Reverted to the tuple struct those with only one field in 5cf37bd.

[Kixunil]

Missing space.

[jlest01]

Updated in 5cf37bd

[Kixunil]

Thanks for doing this! I'd like the doc toe be more in-depth.

/// Returns the aggregated signature [`schnorr::Signature`] assuming it is valid.
///
/// The `partial_sig_agg` function cannot guarantee that the produced signature is valid because participants
/// may send invalid signatures. In some applications this doesn't matter because the invalid message is simply
/// dropped with no consequences. These can simply call this function to obtain the resulting signature. However
/// in applications that require having valid signatures before continuing (e.g. presigned transactions in Bitcoin Lightning Network) this would be exploitable. Such applications MUST verify the resulting signature using the
/// [`verify`](Self::verify) method.
///
/// Note that while an alternative approach of verifying partial signatures is valid, verifying the aggregated
/// signature is more performant. Thus it should be generally better to verify the signature using this function first
/// and fall back to detection of violators if it fails.

[jlest01]

Thanks for this. Updated in 982e877.

[philipr-za]

The references to libsecp256k1-zkp and secp256k1-zkp in the comments below seem to be left over from Sanket's original PR?

[jlest01]

Correct. Good catch.
Updated in 4012ed5