[Bitcoin-development] 0.8.5 with libsecp256k1

[Bitcoin-development] 0.8.5 with libsecp256k1

[Warren Togami Jr.]

[-- Attachment #1: Type: text/plain, Size: 1001 bytes --]

https://github.com/sipa/secp256k1
sipa's secp256k1, optimized ecdsa, significantly faster than openssl

Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's
secp256k1.  Litecoin has been shipping test builds with secp256k1 for
several months now so it was a simple matter to throw together a branch of
Bitcoin 0.8.5 with secp256k1.

https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1
This branch should theoretically work for Linux, win32 gitian and mac
builds.  These commits are rather ugly because it was thrown together just
to make it build with the old 0.8 makefiles without intent for production
code merge. cfields is working on autotoolizing it as one of the
prerequisites prior to inclusion into bitcoin master where it will be an
option disabled by default.

http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/
Untested win32 gitian build.  Build your own Linux or Mac builds if you
want to test it.  Not recommended for production wallet or mining uses.

Warren

[-- Attachment #2: Type: text/html, Size: 1385 bytes --]

Re: [Bitcoin-development] 0.8.5 with libsecp256k1

[Jeremy Spilman]

[-- Attachment #1: Type: text/plain, Size: 1390 bytes --]

Can this be combined with the ideas on deterministic signing to show  
matching signatures with OpenSSL's implementation?

Not sure if that's worth much, since we would just be testing needles in a  
very large haystack, but better than nothing?

On Wed, 09 Oct 2013 20:50:30 -0700, Warren Togami Jr. <wtogami@gmail.com>  
wrote:

> https://github.com/sipa/secp256k1
> sipa's secp256k1, optimized ecdsa, significantly faster than openssl
>
> Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's  
> secp256k1.  Litecoin has been shipping test builds with secp256k1 for  
> several months >now so it was a simple matter to throw together a branch  
> of Bitcoin 0.8.5 with secp256k1.
>
> https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1
> This branch should theoretically work for Linux, win32 gitian and mac  
> builds.  These commits are rather ugly because it was thrown together  
> just to make >it build with the old 0.8 makefiles without intent for  
> production code merge. cfields is working on autotoolizing it as one of  
> the prerequisites prior to >inclusion into bitcoin master where it will  
> be an option disabled by default.
>
> http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/
> Untested win32 gitian build.  Build your own Linux or Mac builds if you  
> want to test it.  Not recommended for production wallet or mining uses.
>
> Warren

[-- Attachment #2.1: Type: text/html, Size: 2048 bytes --]

[Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1)

[Adam Back]

Determinstic ECDSA signature aka k=H(d,m) insead of k=random, with signature
(r,s) calculated r=[kG].x, s=k^-1(H(m)+rd) with public key Q=dG and
verificaton relation [H(m)s^-1G+rs^-1Q].x=?r is cool and should be done. 
Otherwise RNG issues like EC_DRBG or even leaked partial bits like the RNG
bias in the original DSA spec that Bleichenbacher pointed out and then they
corrected.

On Wed, Oct 09, 2013 at 09:10:09PM -0700, Jeremy Spilman wrote:
>Can this be combined with the ideas on deterministic signing to show 
>matching signatures with OpenSSL's implementation?

But k=random and k=H(d,m) create compatible signatures - or were you eaning
to cross check the two implementations with fuzz tester on lots of messages?

btw about malleability:

Mike Hearn <mike@plan99.net> wrote:
>   I believe the main issue at the moment is the malleability issues? If
>   so, it would seem possible to use OpenSSL to parse the signature into
>   components and then libsecp256k1 to verify them.

other than the ASN.1 related parsing ambiguity, if any (openSSL asn.1
parsing code is evil and shold not be used), the (r,s) vs (r,-s) ambiguity
can be plugged as discussed (eg define -s as invalid).  But that is ECDSA
specific, and signature malleability and its impact is a generic problem. 
Its probably a non-requirement of a signature scheme in terms of the
analysis effort put in by cryptanalysts that the signature itself be
non-malleable, eg there are some encryption schemes which are publicly
reblindable, like Elgamal.  By plugging the (r,s), (r,-s) specific case as a
DSA specific work-around there may be other malleability even in DSA, unless
someone has a clear proof that there is not.

And we may want to add ECS (schnorr) because it's simpler and allows more
flexibility and efficiency (eg native n of n multisig at the storage cost of
1 signature vs n with ECDSA, and k of n threshold signature at the cost of 1
sig (but some threshold secret share setup up front).  The relying party
doesnt need to know how many multi-sigs there are there is a single public
key.

So I was thinking a more generic / robust way to fix this would be to change
the txid from H(sig,inputs,outputs,script) to H(pubkey,inputs,outputs,script)
or something like that in effect so that the malleability of the signature
mechanism doesnt affect the security of conditional payments.

Adam

Re: [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1)

[Adam Back]

btw if I got that right, it means you dont even have to fix the asn.1 level
ambiguity (though its a good idea to remove openSSL asn.1 parsing code) to
have conditional payments using not yet broadcast txid outputs as inputs to
work with high assurance.  (And even in the event that a new crypto level
malleability is discovered in ECDSA it remains secure.)

Adam

Adam Back wrote:
>So I was thinking a more generic / robust way to fix this would be to change
>the txid from H(sig,inputs,outputs,script) to H(pubkey,inputs,outputs,script)
>or something like that in effect so that the malleability of the signature
>mechanism doesnt affect the security of conditional payments.

Adam

Re: [Bitcoin-development] 0.8.5 with libsecp256k1

[Mike Hearn]

[-- Attachment #1: Type: text/plain, Size: 2093 bytes --]

Thanks! I'd love to see this library become usable behind a command line
flag or config setting. At some point we're going to want to switch to it.

I believe the main issue at the moment is the malleability issues? If so,
it would seem possible to use OpenSSL to parse the signature into
components and then libsecp256k1 to verify them.




On Thu, Oct 10, 2013 at 5:50 AM, Warren Togami Jr. <wtogami@gmail.com>wrote:

> https://github.com/sipa/secp256k1
> sipa's secp256k1, optimized ecdsa, significantly faster than openssl
>
> Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's
> secp256k1.  Litecoin has been shipping test builds with secp256k1 for
> several months now so it was a simple matter to throw together a branch of
> Bitcoin 0.8.5 with secp256k1.
>
> https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1
> This branch should theoretically work for Linux, win32 gitian and mac
> builds.  These commits are rather ugly because it was thrown together just
> to make it build with the old 0.8 makefiles without intent for production
> code merge. cfields is working on autotoolizing it as one of the
> prerequisites prior to inclusion into bitcoin master where it will be an
> option disabled by default.
>
> http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/
> Untested win32 gitian build.  Build your own Linux or Mac builds if you
> want to test it.  Not recommended for production wallet or mining uses.
>
> Warren
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 3272 bytes --]

Re: [Bitcoin-development] 0.8.5 with libsecp256k1

[Pieter Wuille]

On Thu, Oct 10, 2013 at 10:29 AM, Mike Hearn <mike@plan99.net> wrote:
> Thanks! I'd love to see this library become usable behind a command line
> flag or config setting. At some point we're going to want to switch to it.
>

The current idea is to provide a compile-time flag to enable it, which
at the same time disables the wallet and mining RPCs. In that state,
it should be safe enough to provide test builds.

> I believe the main issue at the moment is the malleability issues? If so, it
> would seem possible to use OpenSSL to parse the signature into components
> and then libsecp256k1 to verify them.

I'm pretty sure that libsecp256k1 supports every signature that
OpenSSL supports, so that direction is likely covered. The other
direction - the fact that libsecp256k1 potentially supports more than
OpenSSL - is only a problem if a majority of the hash power would be
running on it. However, with canonical encodings enforced by recent
relaying nodes, I hope that by then we're able to schedule a softfork
and require them inside blocks.

Apart from that, there is of course the issue that there may be actual
exploitable mistakes in the crypto code. There are unit tests,
including ones that create signatures with libsecp256k1 and verify
them using OpenSSL and the other way around, but errors are certainly
more likely to occur in edge cases that you don't hit with randomized
tests. The only way to catch those is review I suppose. I certainly
welcome people looking at it - even if just to get comments like "Can
you add an explanation for why this works?".

-- 
Pieter