add BIP-341 in Motoko threshold Schnorr example (#1076)

Author: altkdf

.github/workflows/motoko-threshold-schnorr-example.yaml

@@ -22,8 +22,8 @@ jobs:
       - name: Motoko Threshold Schnorr Darwin
         run: |
           dfx start --background
-          npm install @noble/curves
           pushd motoko/threshold-schnorr
+          npm install
           make test
   motoko-threshold-schnorr-linux:
     runs-on: ubuntu-20.04
@@ -34,6 +34,6 @@ jobs:
       - name: Motoko Threshold Schnorr Linux
         run: |
           dfx start --background
-          npm install @noble/curves
           pushd motoko/threshold-schnorr
+          npm install
           make test

motoko/threshold-schnorr/Makefile

@@ -6,10 +6,19 @@ all: deploy
 deploy:
 	dfx deploy
 
+.PHONY: mock
+.SILENT: mock
+mock: deploy
+	SCHNORR_MOCK_CANISTER_ID=$(shell dfx canister id chainkey_testing_canister); \
+	SCHNORR_EXAMPLE_CANISTER_ID=$(shell dfx canister id schnorr_example_motoko); \
+	echo "Changing to using mock canister instead of management canister for signing"; \
+	CMD="dfx canister call "$${SCHNORR_EXAMPLE_CANISTER_ID}" for_test_only_change_management_canister_id '("\"$${SCHNORR_MOCK_CANISTER_ID}\"")'"; \
+	eval "$${CMD}"
+
 .PHONY: test
 .SILENT: test
-test: deploy
-	bash test.sh hello
+test: mock
+	bash test.sh hellohellohellohellohellohello12
 
 .PHONY: clean
 .SILENT: clean

motoko/threshold-schnorr/README.md

@@ -3,7 +3,7 @@
 We present a minimal example canister smart contract for showcasing the [threshold Schnorr](https://internetcomputer.org/docs/current/references/ic-interface-spec/#ic-sign_with_schnorr) API.
 
 The example canister is a signing oracle that creates Schnorr signatures with
-keys derived based on the canister ID and the chosen algorithm, either BIP340 or
+keys derived based on the canister ID and the chosen algorithm, either BIP340/BIP341 or
 Ed25519.
 
 More specifically:
@@ -27,6 +27,7 @@ This example requires an installation of:
 
 - [x] Install the [IC SDK](https://internetcomputer.org/docs/current/developer-docs/getting-started/install).
 - [x] Clone the example dapp project: `git clone https://github.com/dfinity/examples`
+- [x] For running tests also install [`npm`](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
 
 Begin by opening a terminal window.
 
@@ -64,37 +65,71 @@ If you open the URL in a web browser, you will see a web UI that shows the
 public methods the canister exposes. Since the canister exposes `public_key`, 
 `sign`, and `verify`, those are rendered in the web UI.
 
+### Step 3 (optional): Run tests
+
+```bash
+npm install
+make test
+```
+
+#### What this does
+
+- `npm install` installs test javascript dependencies
+- `make test` deploys and tests the canister code on the local version of the
+  IC, and also makes the canister call a mock canister for Schnorr API instead
+  of the management canister
+
+
 ## Deploying the canister on the mainnet
 
-To deploy this canister the mainnet, one needs to do two things:
+To deploy this canister on the mainnet, one needs to do two things:
 
 - Acquire cycles (equivalent of "gas" in other blockchains). This is necessary for all canisters.
 - Update the sample source code to have the right key ID. This is unique to this canister.
 
 ### Acquire cycles to deploy
 
-Deploying to the Internet Computer requires [cycles](https://internetcomputer.org/docs/current/developer-docs/getting-started/tokens-and-cycles) (the equivalent of "gas" on other blockchains).
+Deploying to the Internet Computer requires
+[cycles](https://internetcomputer.org/docs/current/developer-docs/getting-started/tokens-and-cycles)
+(the equivalent of "gas" on other blockchains).
+
+#### Update management canister ID reference for testing
+
+The latest version of `dfx`, `v0.24.3`, does not yet support BIP341
+`opt_merkle_tree_root_hex` that is not `None`. Therefore, for local tests, [the
+chain-key testing canister](https://github.com/dfinity/chainkey-testing-canister)
+can be installed and used instead of the management canister. Note also that the
+chain-key testing canister is deployed on the mainnet and can be used for mainnet
+testing to reduce the costs, see the linked repo for more details.
+
+This sample canister allows the caller to change the management canister address
+for Schnorr by calling the `for_test_only_change_management_canister_id`
+endpoint with the target canister principal. With `dfx`, this can be done
+automatically with `make mock`, which will install the chain-key testing canister
+and use it instead of the management canister. Note that `dfx` should be running
+to successfully run `make mock`.
 
 ### Update source code with the right key ID
 
 To deploy the sample code, the canister needs the right key ID for the right environment. Specifically, one needs to replace the value of the `key_id` in the `src/schnorr_example_motoko/src/lib.rs` file of the sample code. Before deploying to mainnet, one should modify the code to use the right name of the `key_id`.
 
-There are three options that are planed to be supported:
+There are four options that are supported:
 
+* `insecure_test_key_1`: the key ID supported by the `chainkey_testing_canister`
+  ([link](https://github.com/dfinity/chainkey-testing-canister/)).
 * `dfx_test_key`: a default key ID that is used in deploying to a local version of IC (via IC SDK).
 * `test_key_1`: a master **test** key ID that is used in mainnet.
 * `key_1`: a master **production** key ID that is used in mainnet.
 
 For example, the default code in `src/schnorr_example_motoko/src/main.mo`
-hard-codes the used of `dfx_test_key` and derives the key ID as follows and can
+hard-codes the use of `insecure_test_key_1` and derives the key ID as follows and can
 be deployed locally:
 
-
 ```motoko
-key_id = { algorithm = algorithm_arg; name = "dfx_test_key" }
+key_id = { algorithm = algorithm_arg; name = "insecure_test_key_1" }
 ```
 
-IMPORTANT: To deploy to IC mainnet, one needs to replace `"dfx_test_key"` with
+IMPORTANT: To deploy to IC mainnet, one needs to replace `"insecure_test_key_1"` with
 either `"test_key_1"` or `"key_1"` depending on the desired intent. Both uses of
 key ID in `src/schnorr_example_motoko/src/main.mo` must be consistent.
 
@@ -124,7 +159,7 @@ mainnet.
 
 ### Using the Candid UI
 
-If you deployed your canister locally or to the mainnet, you should have a URL to the Candid web UI where you can access the public methods. We can call the `public-key` method.
+If you deployed your canister locally or to the mainnet, you should have a URL to the Candid web UI where you can access the public methods. We can call the `public_key` method.
 
 In the example below, the method returns
 `6e48e755842d0323be83edc7fc8766a20423c8127f7731993873d2f123d01a34` as the
@@ -141,23 +176,23 @@ Ed25519 public key.
 
 
 ### Code walkthrough
-Open the file `lib.rs`, which will show the following Motoko code that
+Open the file `main.mo`, which will show the following Motoko code that
 demonstrates how to obtain a Schnorr public key.
 
 ```motoko
-  public shared ({ caller }) func public_key(algorithm_arg : SchnorrAlgotirhm) : async {
-    #Ok : { public_key_hex : Text };
-    #Err : Text;
+  public shared ({ caller }) func public_key(algorithm : SchnorrAlgorithm) : async {
+    #ok : { public_key_hex : Text };
+    #err : Text;
   } {
     try {
       let { public_key } = await ic.schnorr_public_key({
         canister_id = null;
         derivation_path = [Principal.toBlob(caller)];
-        key_id = { algorithm = algorithm_arg; name = "dfx_test_key" };
+        key_id = { algorithm; name = "insecure_test_key_1" };
       });
       #Ok({ public_key_hex = Hex.encode(Blob.toArray(public_key)) });
     } catch (err) {
-      #Err(Error.message(err));
+      #err(Error.message(err));
     };
   };
 ```
@@ -187,20 +222,28 @@ For obtaining the canister's root public key, the derivation path in the API can
 Computing threshold Schnorr signatures is the core functionality of this feature. **Canisters do not hold Schnorr keys themselves**, but keys are derived from a master key held by dedicated subnets. A canister can request the computation of a signature through the management canister API. The request is then routed to a subnet holding the specified key and the subnet computes the requested signature using threshold cryptography. Thereby, it derives the canister root key or a key obtained through further derivation, as part of the signature protocol, from a shared secret and the requesting canister's principal identifier. Thus, a canister can only request signatures to be created for its canister root key or a key derived from it. This means, that canisters "control" their private Schnorr keys in that they decide when signatures are to be created with them, but don't hold a private key themselves.
 
 ```motoko
-  public shared ({ caller }) func sign(message_arg : Text, algorithm_arg : SchnorrAlgotirhm) : async {
-    #Ok : { signature_hex : Text };
-    #Err : Text;
+  public shared ({ caller }) func sign(message_arg : Text, algorithm : SchnorrAlgorithm, bip341TweakHex : ?Text) : async {
+    #ok : { signature_hex : Text };
+    #err : Text;
   } {
+    let aux = switch (Option.map(bip341TweakHex, tryHexToTweak)) {
+      case (null) null;
+      case (?#ok some) ?some;
+      case (?#err err) return #err err;
+    };
+
     try {
-      Cycles.add(25_000_000_000);
-      let { signature } = await ic.sign_with_schnorr({
+      Cycles.add<system>(25_000_000_000);
+      let signArgs = {
         message = Text.encodeUtf8(message_arg);
         derivation_path = [Principal.toBlob(caller)];
-        key_id = { algorithm = algorithm_arg; name = "dfx_test_key" };
-      });
-      #Ok({ signature_hex = Hex.encode(Blob.toArray(signature)) });
+        key_id = { algorithm; name = "insecure_test_key_1" };
+        aux;
+      };
+      let { signature } = await ic.sign_with_schnorr(signArgs);
+      #ok({ signature_hex = Hex.encode(Blob.toArray(signature)) });
     } catch (err) {
-      #Err(Error.message(err));
+      #err(Error.message(err));
     };
   };
 ```
@@ -215,41 +258,79 @@ externally.
 
 Ed25519 can be verified as follows:
 ```javascript
-import('@noble/curves/ed25519').then((ed25519) => { verify(ed25519.ed25519); })
-  .catch((err) => { console.log(err) });
+    async function run() {
+        try {
+            const ed25519 = await import('@noble/ed25519');
+            const sha512 = await import('@noble/hashes/sha512');
 
-function verify(ed25519) {
-  const test_sig = '1efa03b7b7f9077449a0f4b3114513f9c90ccf214166a8907c23d9c2bbbd0e0e6e630f67a93c1bd525b626120e86846909aedf4c58763ae8794bcef57401a301'
-  const test_pubkey = '566d53caf990f5f096d151df70b2a75107fac6724cb61a9d6d2aa63e1496b003'
-  const test_msg = Uint8Array.from(Buffer.from("hello", 'utf8'));
+            ed25519.etc.sha512Sync = (...m) => sha512.sha512(ed25519.etc.concatBytes(...m));
 
-  console.log(ed25519.verify(test_sig, test_msg, test_pubkey));
-  }
+            const test_sig = '1efa03b7b7f9077449a0f4b3114513f9c90ccf214166a8907c23d9c2bbbd0e0e6e630f67a93c1bd525b626120e86846909aedf4c58763ae8794bcef57401a301';
+            const test_pubkey = '566d53caf990f5f096d151df70b2a75107fac6724cb61a9d6d2aa63e1496b003'
+            const test_msg = Uint8Array.from(Buffer.from("hello", 'utf8'));
+
+            console.log(ed25519.verify(test_sig, test_msg, test_pubkey));
+        }
+        catch(err) {
+            console.log(err);
+        }
+    }
+
+    run();
 ```
 
 BIP340 can be verified as follows:
 ```javascript
-import('@noble/curves/secp256k1').then((bip340) => { verify(bip340.schnorr); })
-  .catch((err) => { console.log(err) });
+    async function run() {
+        try {
+            const ecc = await import('tiny-secp256k1');
+
+            const test_sig = Buffer.from('311e1dceddd1380d0424e01b19711e926ca2f26c0dda57b405bec1359510674871a22487c96afa4a4bf47858d1d79caa400bb51ab793d9fad2a689f8bfc681aa', 'hex');
+            const test_pubkey = Buffer.from('02472bb4da5c5ce627d599feba90d0257a558d4e226f9fc7914f811e301ad06f38'.substring(2), 'hex');
+            const test_msg = Uint8Array.from(Buffer.from("hellohellohellohellohellohello12", 'utf8'));
+
+            console.log(ecc.verifySchnorr(test_msg, test_pubkey, test_sig));
+        }
+        catch(err) {
+            console.log(err);
+        }
+    }
+
+    run();
+```
+
+BIP341 can be verified as follows:
+```javascript
+    async function run() {
+        try {
+            const bip341 = await import('bitcoinjs-lib/src/payments/bip341.js');
+            const bitcoin = await import('bitcoinjs-lib');
+            const ecc = await import('tiny-secp256k1');
 
-function verify(bip340) {
-  const test_sig = '1b64ca7a7f02c76633954f320675267685b3b80560eb6a35cda20291ddefc709364e59585771c284e46264bfbb0620e23eb8fb274994f7a6f2fcbc8a9430e5d7';
-  // the first byte of the BIP340 public key is truncated
-  const pubkey = '0341d7cf39688e10b5f11f168ad0a9e790bcb429d7d486eab07d2c824b85821470'.substring(2)
-  const test_msg = Uint8Array.from(Buffer.from("hello", 'utf8'));
+            bitcoin.initEccLib(ecc);
 
-  console.log(bip340.verify(test_sig, test_msg, test_pubkey));
-}
+            const test_tweak = Buffer.from('012345678901234567890123456789012345678901234567890123456789abcd', 'hex');
+            const test_sig = Buffer.from('3c3e51fc771a5a8cb553bf2dd151bb02d0f473ff274a92d32310267977918d72121f97c318226422c033d33daf376d42c9a07e71643ff332cb30611fe5e163da', 'hex');
+            const test_pubkey = Buffer.from('02472bb4da5c5ce627d599feba90d0257a558d4e226f9fc7914f811e301ad06f38'.substring(2), 'hex');
+            const test_msg = Uint8Array.from(Buffer.from("hellohellohellohellohellohello12", 'utf8'));
+
+            const tweaked_test_pubkey = bip341.tweakKey(test_pubkey, test_tweak).x;
+
+            console.log(ecc.verifySchnorr(test_msg, tweaked_test_pubkey, test_sig));
+        }
+        catch(err) {
+            console.log(err);
+        }
+    }
+
+    run();
 ```
 
-The call to `verify` function should always return `true` for correct parameters
+The call to `verify/verifySchnorr` function should always return `true` for correct parameters
 and `false` or error otherwise.
 
 Similar verifications can be done in many other languages with the help of
-cryptographic libraries that support the `bip340secp256k1` signing *with
-arbitrary message length* as specified in
-[BIP340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#user-content-Messages_of_Arbitrary_Size)
-and `ed25519` signing.
+cryptographic libraries that support the BIP340/BIP341 and `ed25519` signing.
 
 ## Conclusion
 

motoko/threshold-schnorr/dfx.json

@@ -5,6 +5,11 @@
       "package": "schnorr_example_motoko",
       "main": "src/schnorr_example_motoko/main.mo",
       "type": "motoko"
+    },
+    "chainkey_testing_canister": {
+      "type": "custom",
+      "candid": "https://github.com/dfinity/chainkey-testing-canister/releases/download/v0.1.0/chainkey_testing_canister.did",
+      "wasm": "https://github.com/dfinity/chainkey-testing-canister/releases/download/v0.1.0/chainkey_testing_canister.wasm.gz"
     }
   }
 }