f use tagged hash for musig coefficients

jonasnick · jonasnick · commit c5e9fa26543e · 2019-02-04T16:14:53.000Z
diff --git a/src/modules/musig/main_impl.h b/src/modules/musig/main_impl.h
@@ -29,13 +29,28 @@ static int secp256k1_musig_compute_ell(const secp256k1_context *ctx, unsigned ch
     return 1;
 }
 
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("MuSig coefficient")||SHA256("MuSig coefficient"). */
+static void secp256k1_musig_sha256_init_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+
+    sha->s[0] = 0x0fd0690cul;
+    sha->s[1] = 0xfefeae97ul;
+    sha->s[2] = 0x996eac7ful;
+    sha->s[3] = 0x5c30d864ul;
+    sha->s[4] = 0x8c4a0573ul;
+    sha->s[5] = 0xaca1a22ful;
+    sha->s[6] = 0x6f43b801ul;
+    sha->s[7] = 0x85ce27cdul;
+}
+
 /* Compute r = SHA256(ell, idx). The four bytes of idx are serialized least significant byte first. */
 static void secp256k1_musig_coefficient(secp256k1_scalar *r, const unsigned char *ell, uint32_t idx) {
     secp256k1_sha256 sha;
     unsigned char buf[32];
     size_t i;
 
-    secp256k1_sha256_initialize(&sha);
+    secp256k1_musig_sha256_init_tagged(&sha);
     secp256k1_sha256_write(&sha, ell, 32);
     /* We're hashing the index of the signer instead of its public key as specified
      * in the MuSig paper. This reduces the total amount of data that needs to be
diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h
@@ -706,6 +706,33 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) {
     CHECK(secp256k1_schnorrsig_verify(ctx, &final_sig_a, msg32_a, &combined_pk_a) == 1);
 }
 
+/* Checks that hash initialized by secp256k1_musig_sha256_init_tagged has the
+ * expected state. */
+void sha256_tag_test(void) {
+    char tag[17] = "MuSig coefficient";
+    secp256k1_sha256 sha;
+    secp256k1_sha256 sha_tagged;
+    unsigned char buf[32];
+    size_t i;
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, (unsigned char *) tag, 17);
+    secp256k1_sha256_finalize(&sha, buf);
+    /* buf = SHA256("MuSig coefficient") */
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, buf, 32);
+    secp256k1_sha256_write(&sha, buf, 32);
+    /* Is buffer fully consumed? */
+    CHECK((sha.bytes & 0x3F) == 0);
+
+    /* Compare with tagged SHA */
+    secp256k1_musig_sha256_init_tagged(&sha_tagged);
+    for (i = 0; i < 8; i++) {
+        CHECK(sha_tagged.s[i] == sha.s[i]);
+    }
+}
+
 void run_musig_tests(void) {
     int i;
     secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);
@@ -716,6 +743,7 @@ void run_musig_tests(void) {
         /* Run multiple times to ensure that the nonce is negated in some tests */
         scriptless_atomic_swap(scratch);
     }
+    sha256_tag_test();
 
     secp256k1_scratch_space_destroy(scratch);
 }
