Signature Subtraction function

include/secp256k1_aggsig.h

@@ -143,6 +143,25 @@ SECP256K1_API int secp256k1_aggsig_partial_sign(
     size_t index
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_WARN_UNUSED_RESULT;
 
+/** Subtract a partial signature from a completed signature, resulting in another partial signature
+ *
+ *  Returns: 0 on failure, 1 if there is only one possible result, 2 if there is a second possiblity due
+ *           to two possiblities for the chosen y value of the original public nonce
+ *  Args:    ctx: an existing context object, initialized for verifying (cannot be NULL)
+ *  Out:     result: the (partial) signature resulting from subtracting partial from sig64
+ *           result_alt: alternative possible signature resulting from subtracting partial from sig64
+ *  In:      sig64: a completed signature
+ *           partial64: the signature (partial) to subtract from sig64
+ */
+
+SECP256K1_API int secp256k1_aggsig_subtract_partial_signature(
+    const secp256k1_context* ctx,
+    unsigned char *result,
+    unsigned char *result_alt,
+    const unsigned char *sig64,
+    const unsigned char *partial64
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_WARN_UNUSED_RESULT;
+
 
 /** Aggregate multiple signature parts into a single aggregated signature
  *

src/modules/aggsig/main_impl.h

@@ -346,6 +346,116 @@ int secp256k1_aggsig_partial_sign(const secp256k1_context* ctx, secp256k1_aggsig
     return 1;
 }
 
+int secp256k1_aggsig_subtract_partial_signature(
+    const secp256k1_context* ctx,
+    unsigned char* result,
+    unsigned char* result_alt,
+    const unsigned char *sig64,
+    const unsigned char *partial64
+) {
+    secp256k1_scalar tmp, tmp2;
+    secp256k1_fe noncesum_fe;
+    secp256k1_ge noncesum_ge;
+    secp256k1_gej noncesum_gej;
+    secp256k1_ge noncesum_ge_neg;
+    secp256k1_gej noncesum_gej_neg;
+    secp256k1_fe noncepartial_fe;
+    secp256k1_ge noncepartial_ge;
+    secp256k1_ge noncepartial_ge_neg;
+    secp256k1_gej nonceresult_gej;
+    secp256k1_gej nonceresult_gej_neg;
+    secp256k1_ge final;
+    int overflow;
+    int neg_version_has_quad = 0;
+    int pos_version_has_quad = 0;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(result != NULL);
+    ARG_CHECK(result_alt != NULL);
+    ARG_CHECK(sig64 != NULL);
+    ARG_CHECK(partial64 != NULL);
+    (void) ctx;
+
+    /* Scalar portion */
+    secp256k1_scalar_set_b32(&tmp, sig64 + 32, &overflow);
+    if (overflow) {
+        secp256k1_scalar_clear(&tmp);
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&tmp2, partial64 + 32, &overflow);
+    if (overflow) {
+        secp256k1_scalar_clear(&tmp);
+        secp256k1_scalar_clear(&tmp2);
+        return 0;
+    }
+    secp256k1_scalar_negate(&tmp2, &tmp2);
+    secp256k1_scalar_add(&tmp, &tmp, &tmp2);
+
+    secp256k1_scalar_get_b32(result + 32, &tmp);
+    secp256k1_scalar_get_b32(result_alt + 32, &tmp);
+    secp256k1_scalar_clear(&tmp);
+    secp256k1_scalar_clear(&tmp2);
+
+    /* nonce portion 
+     * Note that we are unable to determine with 100% certainty
+     * what nonce was originally chosen due to only the x coordinate
+     * being stored. We can sometimes determine which was correct, but
+     * may have to return a second possibility.
+     */
+
+    /* Parse nonce sum total and negated version (R, -R) */
+    if (!secp256k1_fe_set_b32(&noncesum_fe, sig64)) {
+        return 0;
+    }
+    secp256k1_ge_set_xquad(&noncesum_ge, &noncesum_fe);
+    secp256k1_gej_set_ge(&noncesum_gej, &noncesum_ge);
+    secp256k1_ge_neg(&noncesum_ge_neg, &noncesum_ge);
+    secp256k1_gej_set_ge(&noncesum_gej_neg, &noncesum_ge_neg);
+
+    /* Parse provided partial-sig nonce and negate */
+    if (!secp256k1_fe_set_b32(&noncepartial_fe, partial64)) {
+        return 0;
+    }
+    secp256k1_ge_set_xquad(&noncepartial_ge, &noncepartial_fe);
+    secp256k1_ge_neg(&noncepartial_ge_neg, &noncepartial_ge);
+
+    /* Try positive (Rr = R-Rs) */
+    secp256k1_gej_add_ge(&nonceresult_gej, &noncesum_gej, &noncepartial_ge_neg);
+
+    /* Now try neg (Rr = -R-Rs) */
+    secp256k1_gej_add_ge(&nonceresult_gej_neg, &noncesum_gej_neg, &noncepartial_ge_neg);
+
+    if (secp256k1_gej_has_quad_y_var(&nonceresult_gej)) {
+        pos_version_has_quad = 1;
+    }
+    if (secp256k1_gej_has_quad_y_var(&nonceresult_gej_neg)) {
+        neg_version_has_quad = 1;
+    }
+    if (pos_version_has_quad && !neg_version_has_quad) {
+        secp256k1_ge_set_gej(&final, &nonceresult_gej);
+        secp256k1_fe_normalize_var(&final.x);
+        secp256k1_fe_get_b32(result, &final.x);
+        return 1;
+    } else if (!pos_version_has_quad && neg_version_has_quad) {
+        secp256k1_ge_set_gej(&final, &nonceresult_gej_neg);
+        secp256k1_fe_normalize_var(&final.x);
+        secp256k1_fe_get_b32(result, &final.x);
+        return 1;
+    } else {
+        /* if both, we need to return both possibilities */
+        secp256k1_ge_set_gej(&final, &nonceresult_gej);
+        secp256k1_fe_normalize_var(&final.x);
+        secp256k1_fe_get_b32(result, &final.x);
+
+        secp256k1_ge_set_gej(&final, &nonceresult_gej_neg);
+        secp256k1_fe_normalize_var(&final.x);
+        secp256k1_fe_get_b32(result_alt, &final.x);
+        return 2;
+    } 
+
+    return 0;
+}
+
 int secp256k1_aggsig_combine_signatures(const secp256k1_context* ctx, secp256k1_aggsig_context* aggctx, unsigned char *sig64, const secp256k1_aggsig_partial_signature *partial, size_t n_sigs) {
     size_t i;
     secp256k1_scalar s;

src/modules/aggsig/tests_impl.h

@@ -20,6 +20,10 @@ void test_aggsig_api(void) {
     unsigned char seckeys[5][32];
     secp256k1_pubkey pubkeys[5];
     secp256k1_aggsig_partial_signature partials[5];
+    unsigned char sub_result[64];
+    unsigned char sub_result_alt[64];
+    int sub_return_val;
+    int sub_check;
     secp256k1_aggsig_context *aggctx;
     unsigned char seed[32] = { 1, 2, 3, 4, 0 };
     unsigned char sig[64];
@@ -134,6 +138,7 @@ void test_aggsig_api(void) {
     CHECK(!secp256k1_aggsig_verify(vrfy, scratch, sig, msg, pubkeys, 0));
     CHECK(secp256k1_aggsig_verify(vrfy, scratch, sig, msg, pubkeys, 5));
     CHECK(ecount == 15);
+
     CHECK(!secp256k1_aggsig_verify(none, scratch, sig, msg, pubkeys, 5));
     CHECK(ecount == 16);
 
@@ -264,7 +269,37 @@ void test_aggsig_api(void) {
         msg[2]=3;
         CHECK(!secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, NULL, &combiner_sum_2, NULL, NULL, 0));
         CHECK(!secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, NULL, &combiner_sum_2, &combiner_sum_2, NULL, 0));
-    }
+
+        /* Test subtracting partial sig from the completed sig (as used in early payment proofs)*/
+        sub_return_val = secp256k1_aggsig_subtract_partial_signature(none, sub_result, sub_result_alt, combined_sig, sigs[0]);
+        CHECK(sub_return_val);
+
+        /* If there's only one possible result, it should be the only one that needs to be tested */
+        if (sub_return_val == 1) {
+            for (j = 0; j < 64; j++){
+                CHECK(sub_result[j] == sigs[1][j]);
+            }
+        }
+
+        /* if there are two possible results, both potentially need to be checked */
+        if (sub_return_val == 2) {
+            sub_check = 1;
+            for (j = 0; j < 64; j++){
+                if (sub_result[j] != sigs[1][j]) {
+                    sub_check = 0;
+                }
+            }
+            if (!sub_check) {
+                sub_check = 1;
+                for (j = 0; j < 64; j++){
+                    if (sub_result_alt[j] != sigs[1][j]) {
+                        sub_check = 0;
+                    }
+                }
+            }
+            CHECK(sub_check);
+        }
+     }
     /*** End aggsig for Grin exchange test ***/
 
     /* cleanup */