crypto: add in secp256k1 support (#5500)

Secp256k1 was removed in the protobuf migration, this pr adds it back in order to provide this functionality for users (band)

Closes: #5495

Author: tac0turtle

.markdownlintignore

@@ -1,5 +1,6 @@
 docs/node_modules
 CHANGELOG.md
 docs/architecture/*
+crypto/secp256k1/**
 scripts/*
 .github

CHANGELOG.md

@@ -51,7 +51,6 @@ Friendly reminder, we have a [bug bounty program](https://hackerone.com/tendermi
     - [evidence] [\#5319](https://github.com/tendermint/tendermint/issues/5319) Remove Amnesia & potentialAmnesia evidence types and removed POLC. (@marbar3778)
     - [evidence] [\#5361](https://github.com/tendermint/tendermint/pull/5361) Add LightClientAttackEvidence and change evidence interface (@cmwaters)
     - [params] [\#5319](https://github.com/tendermint/tendermint/issues/5319) Remove `ProofofTrialPeriod` from evidence params (@marbar3778)
-    - [crypto/secp256k1] [\#5280](https://github.com/tendermint/tendermint/issues/5280) `secp256k1` has been removed from the Tendermint repo. (@marbar3778)
     - [light] [\#5347](https://github.com/tendermint/tendermint/issues/5347) `NewClient`, `NewHTTPClient`, `VerifyHeader` and `VerifyLightBlockAtHeight` now accept `context.Context` as 1st param (@melekes)
     - [state] [\#5348](https://github.com/tendermint/tendermint/issues/5348) Define an Interface for the state store. (@marbar3778)
 

UPGRADING.md

@@ -10,63 +10,63 @@ the encoding format (see "Protocol Buffers," below) and the block header (see "B
 
 ### ABCI Changes
 
-* New ABCI methods (`ListSnapshots`, `LoadSnapshotChunk`, `OfferSnapshot`, and `ApplySnapshotChunk`) 
-  were added to support the new State Sync feature. 
-  Previously, syncing a new node to a preexisting network could take days; but with State Sync, 
-  new nodes are able to join a network in a matter of seconds. 
-  Read [the spec](https://docs.tendermint.com/master/spec/abci/apps.html#state-sync) 
-  if you want to learn more about State Sync, or if you'd like your application to use it. 
-  (If you don't want to support State Sync in your application, you can just implement these new 
-  ABCI methods as no-ops, leaving them empty.) 
-
-* `KV.Pair` has been replaced with `abci.EventAttribute`. The `EventAttribute.Index` field 
+* New ABCI methods (`ListSnapshots`, `LoadSnapshotChunk`, `OfferSnapshot`, and `ApplySnapshotChunk`)
+  were added to support the new State Sync feature.
+  Previously, syncing a new node to a preexisting network could take days; but with State Sync,
+  new nodes are able to join a network in a matter of seconds.
+  Read [the spec](https://docs.tendermint.com/master/spec/abci/apps.html#state-sync)
+  if you want to learn more about State Sync, or if you'd like your application to use it.
+  (If you don't want to support State Sync in your application, you can just implement these new
+  ABCI methods as no-ops, leaving them empty.)
+
+* `KV.Pair` has been replaced with `abci.EventAttribute`. The `EventAttribute.Index` field
   allows ABCI applications to dictate which events should be indexed.
 
-* The blockchain can now start from an arbitrary initial height, 
+* The blockchain can now start from an arbitrary initial height,
   provided to the application via `RequestInitChain.InitialHeight`.
 
-* ABCI evidence type is now an enum with two recognized types of evidence: 
-  `DUPLICATE_VOTE` and `LIGHT_CLIENT_ATTACK`. 
-  Applications should be able to handle these evidence types 
+* ABCI evidence type is now an enum with two recognized types of evidence:
+  `DUPLICATE_VOTE` and `LIGHT_CLIENT_ATTACK`.
+  Applications should be able to handle these evidence types
   (i.e., through slashing or other accountability measures).
 
-* The [`PublicKey` type](https://github.com/tendermint/tendermint/blob/master/proto/tendermint/crypto/keys.proto#L13-L15) 
-  (used in ABCI as part of `ValidatorUpdate`) now uses a `oneof` protobuf type. 
-  Note that since Tendermint only supports ed25519 validator keys, there's only one 
+* The [`PublicKey` type](https://github.com/tendermint/tendermint/blob/master/proto/tendermint/crypto/keys.proto#L13-L15)
+  (used in ABCI as part of `ValidatorUpdate`) now uses a `oneof` protobuf type.
+  Note that since Tendermint only supports ed25519 validator keys, there's only one
   option in the `oneof`.  For more, see "Protocol Buffers," below.
 
-* The field `Proof`, on the ABCI type `ResponseQuery`, is now named `ProofOps`. 
-  For more, see "Crypto," below. 
+* The field `Proof`, on the ABCI type `ResponseQuery`, is now named `ProofOps`.
+  For more, see "Crypto," below.
 
 ### P2P Protocol
 
 The default codec is now proto3, not amino. The schema files can be found in the `/proto`
-directory. For more, see "Protobuf," below. 
+directory. For more, see "Protobuf," below.
 
 ### Blockchain Protocol
 
-* `Header#LastResultsHash` previously was the root hash of a Merkle tree built from `ResponseDeliverTx(Code, Data)` responses. 
+* `Header#LastResultsHash` previously was the root hash of a Merkle tree built from `ResponseDeliverTx(Code, Data)` responses.
   As of 0.34,`Header#LastResultsHash` is now the root hash of a Merkle tree built from:
     * `BeginBlock#Events`
     * Root hash of a Merkle tree built from `ResponseDeliverTx(Code, Data,
       GasWanted, GasUsed, Events)` responses
     * `BeginBlock#Events`
 
 * Merkle hashes of empty trees previously returned nothing, but now return the hash of an empty input,
-  to conform with [RFC-6962](https://tools.ietf.org/html/rfc6962). 
+  to conform with [RFC-6962](https://tools.ietf.org/html/rfc6962).
   This mainly affects `Header#DataHash`, `Header#LastResultsHash`, and
   `Header#EvidenceHash`, which are often empty. Non-empty hashes can also be affected, e.g. if their
   inputs depend on other (empty) Merkle hashes, giving different results.
 
 ### Transaction Indexing
 
-Tendermint now relies on the application to tell it which transactions to index. This means that 
-in the `config.toml`, generated by Tendermint, there is no longer a way to specify which 
+Tendermint now relies on the application to tell it which transactions to index. This means that
+in the `config.toml`, generated by Tendermint, there is no longer a way to specify which
 transactions to index. `tx.height` & `tx.hash` will always be indexed when using the `kv` indexer.
 
-Applications must now choose to either a) enable indexing for all transactions, or 
+Applications must now choose to either a) enable indexing for all transactions, or
 b) allow node operators to decide which transactions to index.
-Applications can notify Tendermint to index a specific transaction by setting 
+Applications can notify Tendermint to index a specific transaction by setting
 `Index: bool` to `true` in the Event Attribute:
 
 ```go
@@ -82,19 +82,19 @@ Applications can notify Tendermint to index a specific transaction by setting
 
 ### Protocol Buffers
 
-Tendermint 0.34 replaces Amino with Protocol Buffers for encoding. 
-This migration is extensive and results in a number of changes, however, 
+Tendermint 0.34 replaces Amino with Protocol Buffers for encoding.
+This migration is extensive and results in a number of changes, however,
 Tendermint only uses the types generated from Protocol Buffers for disk and
-wire serialization. 
+wire serialization.
 **This means that these changes should not affect you as a Tendermint user.**
 
 However, Tendermint users and contributors may note the following changes:
 
-* Directory layout changes: All proto files have been moved under one directory, `/proto`. 
-  This is in line with the recommended file layout by [Buf](https://buf.build).  
+* Directory layout changes: All proto files have been moved under one directory, `/proto`.
+  This is in line with the recommended file layout by [Buf](https://buf.build).
   For more, see the [Buf documentation](https://buf.build/docs/lint-checkers#file_layout).
-* ABCI Changes: As noted in the "ABCI Changes" section above, the `PublicKey` type now uses 
-  a `oneof` type. 
+* ABCI Changes: As noted in the "ABCI Changes" section above, the `PublicKey` type now uses
+  a `oneof` type.
 
 For more on the Protobuf changes, please see our [blog post on this migration](https://medium.com/tendermint/tendermint-0-34-protocol-buffers-and-you-8c40558939ae).
 
@@ -114,30 +114,27 @@ Tendermint 0.34 includes new and updated consensus parameters.
 
 #### Keys
 
-* Keys no longer include a type prefix. For example, ed25519 pubkeys have been renamed from 
-  `PubKeyEd25519` to `PubKey`. This reduces stutter (e.g., `ed25519.PubKey`). 
+* Keys no longer include a type prefix. For example, ed25519 pubkeys have been renamed from
+  `PubKeyEd25519` to `PubKey`. This reduces stutter (e.g., `ed25519.PubKey`).
 * Keys are now byte slices (`[]byte`) instead of byte arrays (`[<size>]byte`).
-* The multisig functionality that was previously in Tendermint now has 
-  a new home within the Cosmos SDK: 
+* The multisig functionality that was previously in Tendermint now has
+  a new home within the Cosmos SDK:
   [`cosmos/cosmos-sdk/types/multisig`](https://github.com/cosmos/cosmos-sdk/blob/master/crypto/types/multisig/multisignature.go).
-* Similarly, secp256k1 has been removed from the Tendermint repo. 
-  There is still [a secp256k1 implementation in the Cosmos SDK](https://github.com/cosmos/cosmos-sdk/tree/443e0c1f89bd3730a731aea30453bd732f7efa35/crypto/keys/secp256k1), 
-  and we recommend you use that package for all your secp256k1 needs.
 
 #### `merkle` Package
 
 * `SimpleHashFromMap()` and `SimpleProofsFromMap()` were removed.
-* The prefix `Simple` has been removed. (For example, `SimpleProof` is now called `Proof`.) 
-* All protobuf messages have been moved to the `/proto` directory. 
-* The protobuf message `Proof` that contained multiple ProofOp's has been renamed to `ProofOps`. 
-  As noted above, this affects the ABCI type `ResponseQuery`: 
+* The prefix `Simple` has been removed. (For example, `SimpleProof` is now called `Proof`.)
+* All protobuf messages have been moved to the `/proto` directory.
+* The protobuf message `Proof` that contained multiple ProofOp's has been renamed to `ProofOps`.
+  As noted above, this affects the ABCI type `ResponseQuery`:
   The field that was named Proof is now named `ProofOps`.
 * `HashFromByteSlices` and `ProofsFromByteSlices` now return a hash for empty inputs, to conform with
   [RFC-6962](https://tools.ietf.org/html/rfc6962).
 
 ### `libs` Package
 
-The `bech32` package has moved to the Cosmos SDK: 
+The `bech32` package has moved to the Cosmos SDK:
 [`cosmos/cosmos-sdk/types/bech32`](https://github.com/cosmos/cosmos-sdk/tree/4173ea5ebad906dd9b45325bed69b9c655504867/types/bech32).
 
 ### CLI
@@ -147,37 +144,37 @@ See [the docs](https://docs.tendermint.com/master/tendermint-core/light-client-p
 
 ### Light Client
 
-We have a new, rewritten light client! You can 
+We have a new, rewritten light client! You can
 [read more](https://medium.com/tendermint/everything-you-need-to-know-about-the-tendermint-light-client-f80d03856f98)
-about the justifications and details behind this change. 
+about the justifications and details behind this change.
 
 Other user-relevant changes include:
 
 * The old `lite` package was removed; the new light client uses the `light` package.
-* The `Verifier` was broken up into two pieces: 
-    * Core verification logic (pure `VerifyX` functions) 
+* The `Verifier` was broken up into two pieces:
+    * Core verification logic (pure `VerifyX` functions)
     * `Client` object, which represents the complete light client
-* The RPC client can be found in the `/rpc` directory. 
+* The RPC client can be found in the `/rpc` directory.
 * The HTTP(S) proxy is located in the `/proxy` directory.
 
 ### `state` Package
 
 * A new field `State.InitialHeight` has been added to record the initial chain height, which must be `1`
   (not `0`) if starting from height `1`. This can be configured via the genesis field `initial_height`.
-* The `state` package now has a `Store` interface. All functions in 
-  [state/store.go](https://github.com/tendermint/tendermint/blob/56911ee35298191c95ef1c7d3d5ec508237aaff4/state/store.go#L42-L42) 
+* The `state` package now has a `Store` interface. All functions in
+  [state/store.go](https://github.com/tendermint/tendermint/blob/56911ee35298191c95ef1c7d3d5ec508237aaff4/state/store.go#L42-L42)
   are now part of the interface. The interface returns errors on all methods and can be used by calling `state.NewStore(dbm.DB)`.
 
 ### `privval` Package
 
 All requests are now accompanied by the chain ID from the network.
-This is a optional field and can be ignored by key management systems. 
+This is a optional field and can be ignored by key management systems.
 It is recommended to check the chain ID if using the same key management system for multiple chains.
 
 ### RPC
 
 `/unsafe_start_cpu_profiler`, `/unsafe_stop_cpu_profiler` and
-`/unsafe_write_heap_profile` were removed. 
+`/unsafe_write_heap_profile` were removed.
 For profiling, please use the pprof server, which can
 be enabled through `--rpc.pprof_laddr=X` flag or `pprof_laddr=X` config setting
 in the rpc section.

abci/example/kvstore/persistent_kvstore.go

@@ -243,11 +243,11 @@ func (app *PersistentKVStoreApplication) execValidatorTx(tx []byte) types.Respon
 
 // add, update, or remove a validator
 func (app *PersistentKVStoreApplication) updateValidator(v types.ValidatorUpdate) types.ResponseDeliverTx {
-	key := []byte("val:" + string(v.PubKey.GetEd25519()))
 	pubkey, err := cryptoenc.PubKeyFromProto(v.PubKey)
 	if err != nil {
 		panic(fmt.Errorf("can't decode public key: %w", err))
 	}
+	key := []byte("val:" + string(pubkey.Bytes()))
 
 	if v.Power == 0 {
 		// remove validator

crypto/ed25519/ed25519.go

@@ -31,7 +31,7 @@ const (
 	// private key representations used by RFC 8032.
 	SeedSize = 32
 
-	keyType = "ed25519"
+	KeyType = "ed25519"
 )
 
 func init() {
@@ -93,7 +93,7 @@ func (privKey PrivKey) Equals(other crypto.PrivKey) bool {
 }
 
 func (privKey PrivKey) Type() string {
-	return keyType
+	return KeyType
 }
 
 // GenPrivKey generates a new ed25519 private key.
@@ -159,7 +159,7 @@ func (pubKey PubKey) String() string {
 }
 
 func (pubKey PubKey) Type() string {
-	return keyType
+	return KeyType
 }
 
 func (pubKey PubKey) Equals(other crypto.PubKey) bool {

crypto/encoding/codec.go

@@ -5,13 +5,15 @@ import (
 
 	"github.com/tendermint/tendermint/crypto"
 	"github.com/tendermint/tendermint/crypto/ed25519"
+	"github.com/tendermint/tendermint/crypto/secp256k1"
 	"github.com/tendermint/tendermint/libs/json"
 	pc "github.com/tendermint/tendermint/proto/tendermint/crypto"
 )
 
 func init() {
 	json.RegisterType((*pc.PublicKey)(nil), "tendermint.crypto.PublicKey")
 	json.RegisterType((*pc.PublicKey_Ed25519)(nil), "tendermint.crypto.PublicKey_Ed25519")
+	json.RegisterType((*pc.PublicKey_Secp256K1)(nil), "tendermint.crypto.PublicKey_Secp256K1")
 }
 
 // PubKeyToProto takes crypto.PubKey and transforms it to a protobuf Pubkey
@@ -24,6 +26,12 @@ func PubKeyToProto(k crypto.PubKey) (pc.PublicKey, error) {
 				Ed25519: k,
 			},
 		}
+	case secp256k1.PubKey:
+		kp = pc.PublicKey{
+			Sum: &pc.PublicKey_Secp256K1{
+				Secp256K1: k,
+			},
+		}
 	default:
 		return kp, fmt.Errorf("toproto: key type %v is not supported", k)
 	}
@@ -41,6 +49,14 @@ func PubKeyFromProto(k pc.PublicKey) (crypto.PubKey, error) {
 		pk := make(ed25519.PubKey, ed25519.PubKeySize)
 		copy(pk, k.Ed25519)
 		return pk, nil
+	case *pc.PublicKey_Secp256K1:
+		if len(k.Secp256K1) != secp256k1.PubKeySize {
+			return nil, fmt.Errorf("invalid size for PubKeyEd25519. Got %d, expected %d",
+				len(k.Secp256K1), secp256k1.PubKeySize)
+		}
+		pk := make(secp256k1.PubKey, secp256k1.PubKeySize)
+		copy(pk, k.Secp256K1)
+		return pk, nil
 	default:
 		return nil, fmt.Errorf("fromproto: key type %v is not supported", k)
 	}

crypto/secp256k1/secp256k1.go

@@ -0,0 +1,173 @@
+package secp256k1
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/subtle"
+	"fmt"
+	"io"
+	"math/big"
+
+	secp256k1 "github.com/btcsuite/btcd/btcec"
+	"golang.org/x/crypto/ripemd160" // nolint: staticcheck // necessary for Bitcoin address format
+
+	"github.com/tendermint/tendermint/crypto"
+	tmjson "github.com/tendermint/tendermint/libs/json"
+)
+
+//-------------------------------------
+const (
+	PrivKeyName = "tendermint/PrivKeySecp256k1"
+	PubKeyName  = "tendermint/PubKeySecp256k1"
+
+	KeyType     = "secp256k1"
+	PrivKeySize = 32
+)
+
+func init() {
+	tmjson.RegisterType(PubKey{}, PubKeyName)
+	tmjson.RegisterType(PrivKey{}, PrivKeyName)
+}
+
+var _ crypto.PrivKey = PrivKey{}
+
+// PrivKey implements PrivKey.
+type PrivKey []byte
+
+// Bytes marshalls the private key using amino encoding.
+func (privKey PrivKey) Bytes() []byte {
+	return []byte(privKey)
+}
+
+// PubKey performs the point-scalar multiplication from the privKey on the
+// generator point to get the pubkey.
+func (privKey PrivKey) PubKey() crypto.PubKey {
+	_, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey)
+
+	pk := pubkeyObject.SerializeCompressed()
+
+	return PubKey(pk)
+}
+
+// Equals - you probably don't need to use this.
+// Runs in constant time based on length of the keys.
+func (privKey PrivKey) Equals(other crypto.PrivKey) bool {
+	if otherSecp, ok := other.(PrivKey); ok {
+		return subtle.ConstantTimeCompare(privKey[:], otherSecp[:]) == 1
+	}
+	return false
+}
+
+func (privKey PrivKey) Type() string {
+	return KeyType
+}
+
+// GenPrivKey generates a new ECDSA private key on curve secp256k1 private key.
+// It uses OS randomness to generate the private key.
+func GenPrivKey() PrivKey {
+	return genPrivKey(crypto.CReader())
+}
+
+// genPrivKey generates a new secp256k1 private key using the provided reader.
+func genPrivKey(rand io.Reader) PrivKey {
+	var privKeyBytes [PrivKeySize]byte
+	d := new(big.Int)
+
+	for {
+		privKeyBytes = [PrivKeySize]byte{}
+		_, err := io.ReadFull(rand, privKeyBytes[:])
+		if err != nil {
+			panic(err)
+		}
+
+		d.SetBytes(privKeyBytes[:])
+		// break if we found a valid point (i.e. > 0 and < N == curverOrder)
+		isValidFieldElement := 0 < d.Sign() && d.Cmp(secp256k1.S256().N) < 0
+		if isValidFieldElement {
+			break
+		}
+	}
+
+	return PrivKey(privKeyBytes[:])
+}
+
+var one = new(big.Int).SetInt64(1)
+
+// GenPrivKeySecp256k1 hashes the secret with SHA2, and uses
+// that 32 byte output to create the private key.
+//
+// It makes sure the private key is a valid field element by setting:
+//
+// c = sha256(secret)
+// k = (c mod (n − 1)) + 1, where n = curve order.
+//
+// NOTE: secret should be the output of a KDF like bcrypt,
+// if it's derived from user input.
+func GenPrivKeySecp256k1(secret []byte) PrivKey {
+	secHash := sha256.Sum256(secret)
+	// to guarantee that we have a valid field element, we use the approach of:
+	// "Suite B Implementer’s Guide to FIPS 186-3", A.2.1
+	// https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/suite-b-implementers-guide-to-fips-186-3-ecdsa.cfm
+	// see also https://github.com/golang/go/blob/0380c9ad38843d523d9c9804fe300cb7edd7cd3c/src/crypto/ecdsa/ecdsa.go#L89-L101
+	fe := new(big.Int).SetBytes(secHash[:])
+	n := new(big.Int).Sub(secp256k1.S256().N, one)
+	fe.Mod(fe, n)
+	fe.Add(fe, one)
+
+	feB := fe.Bytes()
+	privKey32 := make([]byte, PrivKeySize)
+	// copy feB over to fixed 32 byte privKey32 and pad (if necessary)
+	copy(privKey32[32-len(feB):32], feB)
+
+	return PrivKey(privKey32)
+}
+
+//-------------------------------------
+
+var _ crypto.PubKey = PubKey{}
+
+// PubKeySize is comprised of 32 bytes for one field element
+// (the x-coordinate), plus one byte for the parity of the y-coordinate.
+const PubKeySize = 33
+
+// PubKey implements crypto.PubKey.
+// It is the compressed form of the pubkey. The first byte depends is a 0x02 byte
+// if the y-coordinate is the lexicographically largest of the two associated with
+// the x-coordinate. Otherwise the first byte is a 0x03.
+// This prefix is followed with the x-coordinate.
+type PubKey []byte
+
+// Address returns a Bitcoin style addresses: RIPEMD160(SHA256(pubkey))
+func (pubKey PubKey) Address() crypto.Address {
+	if len(pubKey) != PubKeySize {
+		panic("length of pubkey is incorrect")
+	}
+	hasherSHA256 := sha256.New()
+	_, _ = hasherSHA256.Write(pubKey) // does not error
+	sha := hasherSHA256.Sum(nil)
+
+	hasherRIPEMD160 := ripemd160.New()
+	_, _ = hasherRIPEMD160.Write(sha) // does not error
+
+	return crypto.Address(hasherRIPEMD160.Sum(nil))
+}
+
+// Bytes returns the pubkey marshalled with amino encoding.
+func (pubKey PubKey) Bytes() []byte {
+	return []byte(pubKey)
+}
+
+func (pubKey PubKey) String() string {
+	return fmt.Sprintf("PubKeySecp256k1{%X}", pubKey[:])
+}
+
+func (pubKey PubKey) Equals(other crypto.PubKey) bool {
+	if otherSecp, ok := other.(PubKey); ok {
+		return bytes.Equal(pubKey[:], otherSecp[:])
+	}
+	return false
+}
+
+func (pubKey PubKey) Type() string {
+	return KeyType
+}

crypto/secp256k1/secp256k1_internal_test.go

@@ -0,0 +1,74 @@
+package secp256k1
+
+import (
+	"bytes"
+	"math/big"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	secp256k1 "github.com/btcsuite/btcd/btcec"
+)
+
+func Test_genPrivKey(t *testing.T) {
+
+	empty := make([]byte, 32)
+	oneB := big.NewInt(1).Bytes()
+	onePadded := make([]byte, 32)
+	copy(onePadded[32-len(oneB):32], oneB)
+	t.Logf("one padded: %v, len=%v", onePadded, len(onePadded))
+
+	validOne := append(empty, onePadded...)
+	tests := []struct {
+		name        string
+		notSoRand   []byte
+		shouldPanic bool
+	}{
+		{"empty bytes (panics because 1st 32 bytes are zero and 0 is not a valid field element)", empty, true},
+		{"curve order: N", secp256k1.S256().N.Bytes(), true},
+		{"valid because 0 < 1 < N", validOne, false},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.shouldPanic {
+				require.Panics(t, func() {
+					genPrivKey(bytes.NewReader(tt.notSoRand))
+				})
+				return
+			}
+			got := genPrivKey(bytes.NewReader(tt.notSoRand))
+			fe := new(big.Int).SetBytes(got[:])
+			require.True(t, fe.Cmp(secp256k1.S256().N) < 0)
+			require.True(t, fe.Sign() > 0)
+		})
+	}
+}
+
+// Ensure that signature verification works, and that
+// non-canonical signatures fail.
+// Note: run with CGO_ENABLED=0 or go test -tags !cgo.
+func TestSignatureVerificationAndRejectUpperS(t *testing.T) {
+	msg := []byte("We have lingered long enough on the shores of the cosmic ocean.")
+	for i := 0; i < 500; i++ {
+		priv := GenPrivKey()
+		sigStr, err := priv.Sign(msg)
+		require.NoError(t, err)
+		sig := signatureFromBytes(sigStr)
+		require.False(t, sig.S.Cmp(secp256k1halfN) > 0)
+
+		pub := priv.PubKey()
+		require.True(t, pub.VerifySignature(msg, sigStr))
+
+		// malleate:
+		sig.S.Sub(secp256k1.S256().CurveParams.N, sig.S)
+		require.True(t, sig.S.Cmp(secp256k1halfN) > 0)
+		malSigStr := serializeSig(sig)
+
+		require.False(t, pub.VerifySignature(msg, malSigStr),
+			"VerifyBytes incorrect with malleated & invalid S. sig=%v, key=%v",
+			sig,
+			priv,
+		)
+	}
+}

crypto/secp256k1/secp256k1_nocgo.go

@@ -0,0 +1,75 @@
+// +build !libsecp256k1
+
+package secp256k1
+
+import (
+	"math/big"
+
+	secp256k1 "github.com/btcsuite/btcd/btcec"
+
+	"github.com/tendermint/tendermint/crypto"
+)
+
+// used to reject malleable signatures
+// see:
+//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
+//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39
+var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1)
+
+// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.
+// The returned signature will be of the form R || S (in lower-S form).
+func (privKey PrivKey) Sign(msg []byte) ([]byte, error) {
+	priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey)
+
+	sig, err := priv.Sign(crypto.Sha256(msg))
+	if err != nil {
+		return nil, err
+	}
+
+	sigBytes := serializeSig(sig)
+	return sigBytes, nil
+}
+
+// VerifySignature verifies a signature of the form R || S.
+// It rejects signatures which are not in lower-S form.
+func (pubKey PubKey) VerifySignature(msg []byte, sigStr []byte) bool {
+	if len(sigStr) != 64 {
+		return false
+	}
+
+	pub, err := secp256k1.ParsePubKey(pubKey, secp256k1.S256())
+	if err != nil {
+		return false
+	}
+
+	// parse the signature:
+	signature := signatureFromBytes(sigStr)
+	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
+	// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
+	if signature.S.Cmp(secp256k1halfN) > 0 {
+		return false
+	}
+
+	return signature.Verify(crypto.Sha256(msg), pub)
+}
+
+// Read Signature struct from R || S. Caller needs to ensure
+// that len(sigStr) == 64.
+func signatureFromBytes(sigStr []byte) *secp256k1.Signature {
+	return &secp256k1.Signature{
+		R: new(big.Int).SetBytes(sigStr[:32]),
+		S: new(big.Int).SetBytes(sigStr[32:64]),
+	}
+}
+
+// Serialize signature to R || S.
+// R, S are padded to 32 bytes respectively.
+func serializeSig(sig *secp256k1.Signature) []byte {
+	rBytes := sig.R.Bytes()
+	sBytes := sig.S.Bytes()
+	sigBytes := make([]byte, 64)
+	// 0 pad the byte arrays from the left if they aren't big enough.
+	copy(sigBytes[32-len(rBytes):32], rBytes)
+	copy(sigBytes[64-len(sBytes):64], sBytes)
+	return sigBytes
+}

crypto/secp256k1/secp256k1_test.go

@@ -0,0 +1,116 @@
+package secp256k1_test
+
+import (
+	"encoding/hex"
+	"math/big"
+	"testing"
+
+	"github.com/btcsuite/btcutil/base58"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/tendermint/tendermint/crypto"
+	"github.com/tendermint/tendermint/crypto/secp256k1"
+
+	underlyingSecp256k1 "github.com/btcsuite/btcd/btcec"
+)
+
+type keyData struct {
+	priv string
+	pub  string
+	addr string
+}
+
+var secpDataTable = []keyData{
+	{
+		priv: "a96e62ed3955e65be32703f12d87b6b5cf26039ecfa948dc5107a495418e5330",
+		pub:  "02950e1cdfcb133d6024109fd489f734eeb4502418e538c28481f22bce276f248c",
+		addr: "1CKZ9Nx4zgds8tU7nJHotKSDr4a9bYJCa3",
+	},
+}
+
+func TestPubKeySecp256k1Address(t *testing.T) {
+	for _, d := range secpDataTable {
+		privB, _ := hex.DecodeString(d.priv)
+		pubB, _ := hex.DecodeString(d.pub)
+		addrBbz, _, _ := base58.CheckDecode(d.addr)
+		addrB := crypto.Address(addrBbz)
+
+		var priv secp256k1.PrivKey = secp256k1.PrivKey(privB)
+
+		pubKey := priv.PubKey()
+		pubT, _ := pubKey.(secp256k1.PubKey)
+		pub := pubT
+		addr := pubKey.Address()
+
+		assert.Equal(t, pub, secp256k1.PubKey(pubB), "Expected pub keys to match")
+		assert.Equal(t, addr, addrB, "Expected addresses to match")
+	}
+}
+
+func TestSignAndValidateSecp256k1(t *testing.T) {
+	privKey := secp256k1.GenPrivKey()
+	pubKey := privKey.PubKey()
+
+	msg := crypto.CRandBytes(128)
+	sig, err := privKey.Sign(msg)
+	require.Nil(t, err)
+
+	assert.True(t, pubKey.VerifySignature(msg, sig))
+
+	// Mutate the signature, just one bit.
+	sig[3] ^= byte(0x01)
+
+	assert.False(t, pubKey.VerifySignature(msg, sig))
+}
+
+// This test is intended to justify the removal of calls to the underlying library
+// in creating the privkey.
+func TestSecp256k1LoadPrivkeyAndSerializeIsIdentity(t *testing.T) {
+	numberOfTests := 256
+	for i := 0; i < numberOfTests; i++ {
+		// Seed the test case with some random bytes
+		privKeyBytes := [32]byte{}
+		copy(privKeyBytes[:], crypto.CRandBytes(32))
+
+		// This function creates a private and public key in the underlying libraries format.
+		// The private key is basically calling new(big.Int).SetBytes(pk), which removes leading zero bytes
+		priv, _ := underlyingSecp256k1.PrivKeyFromBytes(underlyingSecp256k1.S256(), privKeyBytes[:])
+		// this takes the bytes returned by `(big int).Bytes()`, and if the length is less than 32 bytes,
+		// pads the bytes from the left with zero bytes. Therefore these two functions composed
+		// result in the identity function on privKeyBytes, hence the following equality check
+		// always returning true.
+		serializedBytes := priv.Serialize()
+		require.Equal(t, privKeyBytes[:], serializedBytes)
+	}
+}
+
+func TestGenPrivKeySecp256k1(t *testing.T) {
+	// curve oder N
+	N := underlyingSecp256k1.S256().N
+	tests := []struct {
+		name   string
+		secret []byte
+	}{
+		{"empty secret", []byte{}},
+		{
+			"some long secret",
+			[]byte("We live in a society exquisitely dependent on science and technology, " +
+				"in which hardly anyone knows anything about science and technology."),
+		},
+		{"another seed used in cosmos tests #1", []byte{0}},
+		{"another seed used in cosmos tests #2", []byte("mySecret")},
+		{"another seed used in cosmos tests #3", []byte("")},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			gotPrivKey := secp256k1.GenPrivKeySecp256k1(tt.secret)
+			require.NotNil(t, gotPrivKey)
+			// interpret as a big.Int and make sure it is a valid field element:
+			fe := new(big.Int).SetBytes(gotPrivKey[:])
+			require.True(t, fe.Cmp(N) < 0)
+			require.True(t, fe.Sign() > 0)
+		})
+	}
+}

go.mod

@@ -5,6 +5,8 @@ go 1.14
 require (
 	github.com/ChainSafe/go-schnorrkel v0.0.0-20200405005733-88cbf1b4c40d
 	github.com/Workiva/go-datastructures v1.0.52
+	github.com/btcsuite/btcd v0.21.0-beta
+	github.com/btcsuite/btcutil v1.0.2
 	github.com/fortytw2/leaktest v1.3.0
 	github.com/go-kit/kit v0.10.0
 	github.com/go-logfmt/logfmt v0.5.0
@@ -14,6 +16,7 @@ require (
 	github.com/gtank/merlin v0.1.1
 	github.com/libp2p/go-buffer-pool v0.0.2
 	github.com/minio/highwayhash v1.0.1
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
@@ -25,7 +28,9 @@ require (
 	github.com/spf13/viper v1.7.1
 	github.com/stretchr/testify v1.6.1
 	github.com/tendermint/tm-db v0.6.2
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
 	golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc
+	google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
 	google.golang.org/grpc v1.32.0
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 )

go.sum

@@ -11,6 +11,7 @@ message PublicKey {
   option (gogoproto.equal)   = true;
 
   oneof sum {
-    bytes ed25519 = 1;
+    bytes ed25519   = 1;
+    bytes secp256k1 = 2;
   }
 }

proto/tendermint/crypto/keys.pb.go

@@ -13,7 +13,8 @@ import (
 )
 
 var (
-	valEd25519 = []string{ABCIPubKeyTypeEd25519}
+	valEd25519   = []string{ABCIPubKeyTypeEd25519}
+	valSecp256k1 = []string{ABCIPubKeyTypeSecp256k1}
 )
 
 func TestConsensusParamsValidation(t *testing.T) {
@@ -127,10 +128,10 @@ func TestConsensusParamsUpdate(t *testing.T) {
 					MaxBytes:        50,
 				},
 				Validator: &tmproto.ValidatorParams{
-					PubKeyTypes: valEd25519,
+					PubKeyTypes: valSecp256k1,
 				},
 			},
-			makeParams(100, 200, 10, 300, 50, valEd25519),
+			makeParams(100, 200, 10, 300, 50, valSecp256k1),
 		},
 	}
 	for _, tc := range testCases {

proto/tendermint/crypto/keys.proto

@@ -8,20 +8,23 @@ import (
 	"github.com/tendermint/tendermint/crypto"
 	"github.com/tendermint/tendermint/crypto/ed25519"
 	cryptoenc "github.com/tendermint/tendermint/crypto/encoding"
+	"github.com/tendermint/tendermint/crypto/secp256k1"
 	tmproto "github.com/tendermint/tendermint/proto/tendermint/types"
 )
 
 //-------------------------------------------------------
 // Use strings to distinguish types in ABCI messages
 
 const (
-	ABCIPubKeyTypeEd25519 = "ed25519"
+	ABCIPubKeyTypeEd25519   = ed25519.KeyType
+	ABCIPubKeyTypeSecp256k1 = secp256k1.KeyType
 )
 
 // TODO: Make non-global by allowing for registration of more pubkey types
 
 var ABCIPubKeyTypesToNames = map[string]string{
-	ABCIPubKeyTypeEd25519: ed25519.PubKeyName,
+	ABCIPubKeyTypeEd25519:   ed25519.PubKeyName,
+	ABCIPubKeyTypeSecp256k1: secp256k1.PubKeyName,
 }
 
 //-------------------------------------------------------