feat: add DKG verification window

Cargo.toml

@@ -39,6 +39,7 @@ backoff = { version = "0.4.0", default-features = false, features = ["tokio"] }
 base64 = { version = "0.22.1", default-features = false, features = ["alloc"] }
 bincode = { version = "1.3.3", default-features = false }
 bitcoin = { version = "0.32.5", default-features = false, features = ["serde", "rand-std"] }
+bitcoinconsensus = { version = "0.106.0", default-features = false }
 bitcoincore-rpc = { version = "0.19.0", default-features = false }
 bitcoincore-rpc-json = { version = "0.19.0", default-features = false }
 bitcoincore-zmq = { version = "1.5.2", default-features = false, features = ["async"] }

docker/sbtc/signer/signer-config.toml

@@ -225,6 +225,14 @@ bootstrap_signatures_required = 2
 # Environment: SIGNER_SIGNER__DKG_TARGET_ROUNDS
 # dkg_target_rounds = 1
 
+# The number of bitcoin blocks after a DKG start where we attempt to verify the
+# shares. After this many blocks, we mark the shares as failed. Please only use
+# this parameter when instructed to by the sBTC team.
+#
+# Required: false
+# Environment: SIGNER_SIGNER__DKG_VERIFICATION_WINDOW
+# dkg_verification_window = 10
+
 # !! ==============================================================================
 # !! Stacks Event Observer Configuration
 # !!

signer/Cargo.toml

@@ -14,6 +14,7 @@ testing = ["fake", "mockall", "sbtc/testing"]
 aquamarine.workspace = true
 axum.workspace = true
 bitcoin.workspace = true
+bitcoinconsensus.workspace = true
 bitcoincore-rpc.workspace = true
 bitcoincore-rpc-json.workspace = true
 bitcoincore-zmq.workspace = true

signer/migrations/0012__dkg_verification_extensions.sql

@@ -0,0 +1,52 @@
+
+CREATE TYPE sbtc_signer.dkg_shares_status AS ENUM (
+    'unverified',
+    'verified',
+    'failed'
+);
+
+-- Add the new columns to the `dkg_shares` table. We're not adding indexes for
+-- now because the table is so small that the overhead likely outweighs the
+-- benefits.
+ALTER TABLE sbtc_signer.dkg_shares
+    ADD COLUMN dkg_shares_status sbtc_signer.dkg_shares_status,
+    ADD COLUMN started_at_bitcoin_block_hash BYTEA,
+    ADD COLUMN started_at_bitcoin_block_height BIGINT;
+
+
+UPDATE sbtc_signer.dkg_shares
+SET dkg_shares_status = 'unverified';
+
+-- These are all DKG shares associated scriptPubKeys that have been successfully spent
+UPDATE sbtc_signer.dkg_shares
+SET dkg_shares_status = 'verified'
+FROM sbtc_signer.bitcoin_tx_inputs
+WHERE sbtc_signer.dkg_shares.script_pubkey = sbtc_signer.bitcoin_tx_inputs.script_pubkey;
+
+
+-- Fill in the started at bitcoin blockhash and block height. The timestamp
+-- of when we write the DKG shares row to the database should correspond
+-- with the tenure of the block that started the DKG round.
+WITH block_times AS (
+    SELECT 
+        bb1.block_hash
+      , bb1.block_height
+      , bb1.created_at
+      , bb2.created_at AS ended_at
+    FROM sbtc_signer.bitcoin_blocks AS bb2
+    JOIN sbtc_signer.bitcoin_blocks AS bb1
+      ON bb2.parent_hash = bb1.block_hash
+)
+UPDATE sbtc_signer.dkg_shares
+SET 
+    started_at_bitcoin_block_hash = block_times.block_hash
+  , started_at_bitcoin_block_height = block_times.block_height
+FROM block_times
+WHERE sbtc_signer.dkg_shares.created_at >= block_times.created_at
+  AND sbtc_signer.dkg_shares.created_at < block_times.ended_at;
+
+-- Make the new column `NOT NULL` now that they should all have a value.
+ALTER TABLE sbtc_signer.dkg_shares
+    ALTER COLUMN dkg_shares_status SET NOT NULL,
+    ALTER COLUMN started_at_bitcoin_block_hash SET NOT NULL,
+    ALTER COLUMN started_at_bitcoin_block_height SET NOT NULL;

signer/src/bitcoin/utxo.rs

@@ -5,6 +5,7 @@ use std::ops::Deref as _;
 use std::sync::LazyLock;
 
 use bitcoin::absolute::LockTime;
+use bitcoin::consensus::Encodable;
 use bitcoin::hashes::Hash as _;
 use bitcoin::sighash::Prevouts;
 use bitcoin::sighash::SighashCache;
@@ -712,6 +713,22 @@ impl SignerUtxo {
     }
 }
 
+/// A struct for constructing a mock transaction that can be signed. This is
+/// used as part of the verification process after a new DKG round has been
+/// completed.
+///
+/// The Bitcoin transaction has the following layout:
+/// 1. The first input is spending the signers' UTXO.
+/// 2. There is only one output which is an OP_RETURN with the bytes [0x01,
+///    0x02, 0x03] as the data and amount equal to the UTXO's value (i.e. the
+///    transaction has a zero-fee).
+pub struct UnsignedMockTransaction {
+    /// The Bitcoin transaction that needs to be signed.
+    tx: Transaction,
+    /// The signers' UTXO used as an input to this transaction.
+    utxo: SignerUtxo,
+}
+
 /// Given a set of requests, create a BTC transaction that can be signed.
 ///
 /// This BTC transaction in this struct has correct amounts but no witness
@@ -802,6 +819,94 @@ impl SignatureHashes<'_> {
     }
 }
 
+impl UnsignedMockTransaction {
+    const AMOUNT: u64 = 0;
+
+    /// Construct an unsigned mock transaction.
+    ///
+    /// This will use the provided `aggregate_key` and `amount` to
+    /// construct a [`Transaction`] with a single input and output.
+    pub fn new(signer_public_key: XOnlyPublicKey) -> Self {
+        let utxo = SignerUtxo {
+            outpoint: OutPoint::null(),
+            amount: Self::AMOUNT,
+            public_key: signer_public_key,
+        };
+
+        let tx = Transaction {
+            version: Version::TWO,
+            lock_time: LockTime::ZERO,
+            input: vec![utxo.as_tx_input(&DUMMY_SIGNATURE)],
+            output: vec![TxOut {
+                value: Amount::from_sat(Self::AMOUNT),
+                script_pubkey: ScriptBuf::new_op_return([]),
+            }],
+        };
+
+        Self { tx, utxo }
+    }
+
+    /// Gets the sighash for the signers' input UTXO which needs to be signed
+    /// before the transaction can be broadcast.
+    pub fn compute_sighash(&self) -> Result<TapSighash, Error> {
+        let prevouts = [self.utxo.as_tx_output()];
+        let mut sighasher = SighashCache::new(&self.tx);
+
+        sighasher
+            .taproot_key_spend_signature_hash(0, &Prevouts::All(&prevouts), TapSighashType::All)
+            .map_err(Into::into)
+    }
+
+    /// Tests if the provided taproot [`Signature`] is valid for spending the
+    /// signers' UTXO. This function will return  [`Error::BitcoinConsensus`]
+    /// error if the signature fails verification, passing the underlying error
+    /// from [`bitcoinconsensus`].
+    pub fn verify_signature(&self, signature: &Signature) -> Result<(), Error> {
+        // Create a copy of the transaction so that we don't modify the
+        // transaction stored in the struct.
+        let mut tx = self.tx.clone();
+
+        // Set the witness data on the input from the provided signature.
+        tx.input[0].witness = Witness::p2tr_key_spend(signature);
+
+        // Encode the transaction to bytes (needed by the bitcoinconsensus
+        // library).
+        let mut tx_bytes: Vec<u8> = Vec::new();
+        tx.consensus_encode(&mut tx_bytes)
+            .map_err(Error::BitcoinIo)?;
+
+        // Get the prevout for the signers' UTXO.
+        let prevout = self.utxo.as_tx_output();
+        let prevout_script_bytes = prevout.script_pubkey.as_script().as_bytes();
+
+        // Create the bitcoinconsensus UTXO object.
+        let prevout_utxo = bitcoinconsensus::Utxo {
+            script_pubkey: prevout_script_bytes.as_ptr(),
+            script_pubkey_len: prevout_script_bytes.len() as u32,
+            value: Self::AMOUNT as i64,
+        };
+
+        // We specify the flags to include all pre-taproot and taproot
+        // verifications explicitly.
+        // https://github.com/rust-bitcoin/rust-bitcoinconsensus/blob/master/src/lib.rs
+        let flags = bitcoinconsensus::VERIFY_ALL_PRE_TAPROOT | bitcoinconsensus::VERIFY_TAPROOT;
+
+        // Verify that the transaction updated with the provided signature can
+        // successfully spend the signers' UTXO. Note that the amount is not
+        // used in the verification process for taproot spends, only the
+        // signature.
+        bitcoinconsensus::verify_with_flags(
+            prevout_script_bytes,
+            Self::AMOUNT,
+            &tx_bytes,
+            Some(&[prevout_utxo]),
+            0,
+            flags,
+        )
+        .map_err(Error::BitcoinConsensus)
+    }
+}
+
 impl<'a> UnsignedTransaction<'a> {
     /// Construct an unsigned transaction.
     ///
@@ -1457,6 +1562,7 @@ mod tests {
     use std::str::FromStr;
 
     use super::*;
+    use bitcoin::key::TapTweak;
     use bitcoin::BlockHash;
     use bitcoin::CompressedPublicKey;
     use bitcoin::Txid;
@@ -1652,6 +1758,88 @@ mod tests {
         }
     }
 
+    /// This test verifies that our implementation of Bitcoin script
+    /// verification using [`bitcoinconsensus`] works as expected. This
+    /// functionality is used in the verification of WSTS signing after a new
+    /// DKG round has completed.
+    #[test]
+    fn mock_signer_utxo_signing_and_spending_verification() {
+        let secp = secp256k1::Secp256k1::new();
+
+        // Generate a key pair which will serve as the signers' aggregate key.
+        let secret_key = SecretKey::new(&mut OsRng);
+        let keypair = secp256k1::Keypair::from_secret_key(&secp, &secret_key);
+        let tweaked = keypair.tap_tweak(&secp, None);
+        let (aggregate_key, _) = keypair.x_only_public_key();
+
+        // Create a new transaction using the aggregate key.
+        let unsigned = UnsignedMockTransaction::new(aggregate_key);
+
+        let tapsig = unsigned
+            .compute_sighash()
+            .expect("failed to compute taproot sighash");
+
+        // Sign the taproot sighash.
+        let message = secp256k1::Message::from_digest_slice(tapsig.as_byte_array())
+            .expect("Failed to create message");
+
+        // [1] Verify the correct signature, which should succeed.
+        let schnorr_sig = secp.sign_schnorr(&message, &tweaked.to_inner());
+        let taproot_sig = bitcoin::taproot::Signature {
+            signature: schnorr_sig,
+            sighash_type: TapSighashType::All,
+        };
+        unsigned
+            .verify_signature(&taproot_sig)
+            .expect("signature verification failed");
+
+        // [2] Verify the correct signature, but with a different sighash type,
+        // which should fail.
+        let taproot_sig = bitcoin::taproot::Signature {
+            signature: schnorr_sig,
+            sighash_type: TapSighashType::None,
+        };
+        unsigned
+            .verify_signature(&taproot_sig)
+            .expect_err("signature verification should have failed");
+
+        // [3] Verify an incorrect signature with the correct sighash type,
+        // which should fail. In this case we've created the signature using
+        // the untweaked keypair.
+        let schnorr_sig = secp.sign_schnorr(&message, &keypair);
+        let taproot_sig = bitcoin::taproot::Signature {
+            signature: schnorr_sig,
+            sighash_type: TapSighashType::All,
+        };
+        unsigned
+            .verify_signature(&taproot_sig)
+            .expect_err("signature verification should have failed");
+
+        // [4] Verify an incorrect signature with the correct sighash type, which
+        // should fail. In this case we use a completely newly generated keypair.
+        let secret_key = SecretKey::new(&mut OsRng);
+        let keypair = secp256k1::Keypair::from_secret_key(&secp, &secret_key);
+        let schnorr_sig = secp.sign_schnorr(&message, &keypair);
+        let taproot_sig = bitcoin::taproot::Signature {
+            signature: schnorr_sig,
+            sighash_type: TapSighashType::All,
+        };
+        unsigned
+            .verify_signature(&taproot_sig)
+            .expect_err("signature verification should have failed");
+
+        // [5] Same as [4], but using its tweaked key.
+        let tweaked = keypair.tap_tweak(&secp, None);
+        let schnorr_sig = secp.sign_schnorr(&message, &tweaked.to_inner());
+        let taproot_sig = bitcoin::taproot::Signature {
+            signature: schnorr_sig,
+            sighash_type: TapSighashType::All,
+        };
+        unsigned
+            .verify_signature(&taproot_sig)
+            .expect_err("signature verification should have failed");
+    }
+
     #[ignore = "For generating the SOLO_(DEPOSIT|WITHDRAWAL)_SIZE constants"]
     #[test]
     fn create_deposit_only_tx() {