Wladimir J. van der Laan
8 years ago
33 changed files with 676 additions and 937 deletions
@ -1,173 +0,0 @@ |
|||||||
#ifndef _SECP256K1_SCHNORR_ |
|
||||||
# define _SECP256K1_SCHNORR_ |
|
||||||
|
|
||||||
# include "secp256k1.h" |
|
||||||
|
|
||||||
# ifdef __cplusplus |
|
||||||
extern "C" { |
|
||||||
# endif |
|
||||||
|
|
||||||
/** Create a signature using a custom EC-Schnorr-SHA256 construction. It
|
|
||||||
* produces non-malleable 64-byte signatures which support public key recovery |
|
||||||
* batch validation, and multiparty signing. |
|
||||||
* Returns: 1: signature created |
|
||||||
* 0: the nonce generation function failed, or the private key was |
|
||||||
* invalid. |
|
||||||
* Args: ctx: pointer to a context object, initialized for signing |
|
||||||
* (cannot be NULL) |
|
||||||
* Out: sig64: pointer to a 64-byte array where the signature will be |
|
||||||
* placed (cannot be NULL) |
|
||||||
* In: msg32: the 32-byte message hash being signed (cannot be NULL) |
|
||||||
* seckey: pointer to a 32-byte secret key (cannot be NULL) |
|
||||||
* noncefp:pointer to a nonce generation function. If NULL, |
|
||||||
* secp256k1_nonce_function_default is used |
|
||||||
* ndata: pointer to arbitrary data used by the nonce generation |
|
||||||
* function (can be NULL) |
|
||||||
*/ |
|
||||||
SECP256K1_API int secp256k1_schnorr_sign( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
unsigned char *sig64, |
|
||||||
const unsigned char *msg32, |
|
||||||
const unsigned char *seckey, |
|
||||||
secp256k1_nonce_function noncefp, |
|
||||||
const void *ndata |
|
||||||
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); |
|
||||||
|
|
||||||
/** Verify a signature created by secp256k1_schnorr_sign.
|
|
||||||
* Returns: 1: correct signature |
|
||||||
* 0: incorrect signature |
|
||||||
* Args: ctx: a secp256k1 context object, initialized for verification. |
|
||||||
* In: sig64: the 64-byte signature being verified (cannot be NULL) |
|
||||||
* msg32: the 32-byte message hash being verified (cannot be NULL) |
|
||||||
* pubkey: the public key to verify with (cannot be NULL) |
|
||||||
*/ |
|
||||||
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
const unsigned char *sig64, |
|
||||||
const unsigned char *msg32, |
|
||||||
const secp256k1_pubkey *pubkey |
|
||||||
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); |
|
||||||
|
|
||||||
/** Recover an EC public key from a Schnorr signature created using
|
|
||||||
* secp256k1_schnorr_sign. |
|
||||||
* Returns: 1: public key successfully recovered (which guarantees a correct |
|
||||||
* signature). |
|
||||||
* 0: otherwise. |
|
||||||
* Args: ctx: pointer to a context object, initialized for |
|
||||||
* verification (cannot be NULL) |
|
||||||
* Out: pubkey: pointer to a pubkey to set to the recovered public key |
|
||||||
* (cannot be NULL). |
|
||||||
* In: sig64: signature as 64 byte array (cannot be NULL) |
|
||||||
* msg32: the 32-byte message hash assumed to be signed (cannot |
|
||||||
* be NULL) |
|
||||||
*/ |
|
||||||
SECP256K1_API int secp256k1_schnorr_recover( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
secp256k1_pubkey *pubkey, |
|
||||||
const unsigned char *sig64, |
|
||||||
const unsigned char *msg32 |
|
||||||
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); |
|
||||||
|
|
||||||
/** Generate a nonce pair deterministically for use with
|
|
||||||
* secp256k1_schnorr_partial_sign. |
|
||||||
* Returns: 1: valid nonce pair was generated. |
|
||||||
* 0: otherwise (nonce generation function failed) |
|
||||||
* Args: ctx: pointer to a context object, initialized for signing |
|
||||||
* (cannot be NULL) |
|
||||||
* Out: pubnonce: public side of the nonce (cannot be NULL) |
|
||||||
* privnonce32: private side of the nonce (32 byte) (cannot be NULL) |
|
||||||
* In: msg32: the 32-byte message hash assumed to be signed (cannot |
|
||||||
* be NULL) |
|
||||||
* sec32: the 32-byte private key (cannot be NULL) |
|
||||||
* noncefp: pointer to a nonce generation function. If NULL, |
|
||||||
* secp256k1_nonce_function_default is used |
|
||||||
* noncedata: pointer to arbitrary data used by the nonce generation |
|
||||||
* function (can be NULL) |
|
||||||
* |
|
||||||
* Do not use the output as a private/public key pair for signing/validation. |
|
||||||
*/ |
|
||||||
SECP256K1_API int secp256k1_schnorr_generate_nonce_pair( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
secp256k1_pubkey *pubnonce, |
|
||||||
unsigned char *privnonce32, |
|
||||||
const unsigned char *msg32, |
|
||||||
const unsigned char *sec32, |
|
||||||
secp256k1_nonce_function noncefp, |
|
||||||
const void* noncedata |
|
||||||
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); |
|
||||||
|
|
||||||
/** Produce a partial Schnorr signature, which can be combined using
|
|
||||||
* secp256k1_schnorr_partial_combine, to end up with a full signature that is |
|
||||||
* verifiable using secp256k1_schnorr_verify. |
|
||||||
* Returns: 1: signature created successfully. |
|
||||||
* 0: no valid signature exists with this combination of keys, nonces |
|
||||||
* and message (chance around 1 in 2^128) |
|
||||||
* -1: invalid private key, nonce, or public nonces. |
|
||||||
* Args: ctx: pointer to context object, initialized for signing (cannot |
|
||||||
* be NULL) |
|
||||||
* Out: sig64: pointer to 64-byte array to put partial signature in |
|
||||||
* In: msg32: pointer to 32-byte message to sign |
|
||||||
* sec32: pointer to 32-byte private key |
|
||||||
* pubnonce_others: pointer to pubkey containing the sum of the other's |
|
||||||
* nonces (see secp256k1_ec_pubkey_combine) |
|
||||||
* secnonce32: pointer to 32-byte array containing our nonce |
|
||||||
* |
|
||||||
* The intended procedure for creating a multiparty signature is: |
|
||||||
* - Each signer S[i] with private key x[i] and public key Q[i] runs |
|
||||||
* secp256k1_schnorr_generate_nonce_pair to produce a pair (k[i],R[i]) of |
|
||||||
* private/public nonces. |
|
||||||
* - All signers communicate their public nonces to each other (revealing your |
|
||||||
* private nonce can lead to discovery of your private key, so it should be |
|
||||||
* considered secret). |
|
||||||
* - All signers combine all the public nonces they received (excluding their |
|
||||||
* own) using secp256k1_ec_pubkey_combine to obtain an |
|
||||||
* Rall[i] = sum(R[0..i-1,i+1..n]). |
|
||||||
* - All signers produce a partial signature using |
|
||||||
* secp256k1_schnorr_partial_sign, passing in their own private key x[i], |
|
||||||
* their own private nonce k[i], and the sum of the others' public nonces |
|
||||||
* Rall[i]. |
|
||||||
* - All signers communicate their partial signatures to each other. |
|
||||||
* - Someone combines all partial signatures using |
|
||||||
* secp256k1_schnorr_partial_combine, to obtain a full signature. |
|
||||||
* - The resulting signature is validatable using secp256k1_schnorr_verify, with |
|
||||||
* public key equal to the result of secp256k1_ec_pubkey_combine of the |
|
||||||
* signers' public keys (sum(Q[0..n])). |
|
||||||
* |
|
||||||
* Note that secp256k1_schnorr_partial_combine and secp256k1_ec_pubkey_combine |
|
||||||
* function take their arguments in any order, and it is possible to |
|
||||||
* pre-combine several inputs already with one call, and add more inputs later |
|
||||||
* by calling the function again (they are commutative and associative). |
|
||||||
*/ |
|
||||||
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_partial_sign( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
unsigned char *sig64, |
|
||||||
const unsigned char *msg32, |
|
||||||
const unsigned char *sec32, |
|
||||||
const secp256k1_pubkey *pubnonce_others, |
|
||||||
const unsigned char *secnonce32 |
|
||||||
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6); |
|
||||||
|
|
||||||
/** Combine multiple Schnorr partial signatures.
|
|
||||||
* Returns: 1: the passed signatures were successfully combined. |
|
||||||
* 0: the resulting signature is not valid (chance of 1 in 2^256) |
|
||||||
* -1: some inputs were invalid, or the signatures were not created |
|
||||||
* using the same set of nonces |
|
||||||
* Args: ctx: pointer to a context object |
|
||||||
* Out: sig64: pointer to a 64-byte array to place the combined signature |
|
||||||
* (cannot be NULL) |
|
||||||
* In: sig64sin: pointer to an array of n pointers to 64-byte input |
|
||||||
* signatures |
|
||||||
* n: the number of signatures to combine (at least 1) |
|
||||||
*/ |
|
||||||
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_partial_combine( |
|
||||||
const secp256k1_context* ctx, |
|
||||||
unsigned char *sig64, |
|
||||||
const unsigned char * const * sig64sin, |
|
||||||
size_t n |
|
||||||
) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); |
|
||||||
|
|
||||||
# ifdef __cplusplus |
|
||||||
} |
|
||||||
# endif |
|
||||||
|
|
||||||
#endif |
|
@ -1,10 +0,0 @@ |
|||||||
include_HEADERS += include/secp256k1_schnorr.h |
|
||||||
noinst_HEADERS += src/modules/schnorr/main_impl.h |
|
||||||
noinst_HEADERS += src/modules/schnorr/schnorr.h |
|
||||||
noinst_HEADERS += src/modules/schnorr/schnorr_impl.h |
|
||||||
noinst_HEADERS += src/modules/schnorr/tests_impl.h |
|
||||||
if USE_BENCHMARK |
|
||||||
noinst_PROGRAMS += bench_schnorr_verify |
|
||||||
bench_schnorr_verify_SOURCES = src/bench_schnorr_verify.c |
|
||||||
bench_schnorr_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB) |
|
||||||
endif |
|
@ -1,164 +0,0 @@ |
|||||||
/**********************************************************************
|
|
||||||
* Copyright (c) 2014-2015 Pieter Wuille * |
|
||||||
* Distributed under the MIT software license, see the accompanying * |
|
||||||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|
||||||
**********************************************************************/ |
|
||||||
|
|
||||||
#ifndef SECP256K1_MODULE_SCHNORR_MAIN |
|
||||||
#define SECP256K1_MODULE_SCHNORR_MAIN |
|
||||||
|
|
||||||
#include "include/secp256k1_schnorr.h" |
|
||||||
#include "modules/schnorr/schnorr_impl.h" |
|
||||||
|
|
||||||
static void secp256k1_schnorr_msghash_sha256(unsigned char *h32, const unsigned char *r32, const unsigned char *msg32) { |
|
||||||
secp256k1_sha256_t sha; |
|
||||||
secp256k1_sha256_initialize(&sha); |
|
||||||
secp256k1_sha256_write(&sha, r32, 32); |
|
||||||
secp256k1_sha256_write(&sha, msg32, 32); |
|
||||||
secp256k1_sha256_finalize(&sha, h32); |
|
||||||
} |
|
||||||
|
|
||||||
static const unsigned char secp256k1_schnorr_algo16[17] = "Schnorr+SHA256 "; |
|
||||||
|
|
||||||
int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { |
|
||||||
secp256k1_scalar sec, non; |
|
||||||
int ret = 0; |
|
||||||
int overflow = 0; |
|
||||||
unsigned int count = 0; |
|
||||||
VERIFY_CHECK(ctx != NULL); |
|
||||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
|
||||||
ARG_CHECK(msg32 != NULL); |
|
||||||
ARG_CHECK(sig64 != NULL); |
|
||||||
ARG_CHECK(seckey != NULL); |
|
||||||
if (noncefp == NULL) { |
|
||||||
noncefp = secp256k1_nonce_function_default; |
|
||||||
} |
|
||||||
|
|
||||||
secp256k1_scalar_set_b32(&sec, seckey, NULL); |
|
||||||
while (1) { |
|
||||||
unsigned char nonce32[32]; |
|
||||||
ret = noncefp(nonce32, msg32, seckey, secp256k1_schnorr_algo16, (void*)noncedata, count); |
|
||||||
if (!ret) { |
|
||||||
break; |
|
||||||
} |
|
||||||
secp256k1_scalar_set_b32(&non, nonce32, &overflow); |
|
||||||
memset(nonce32, 0, 32); |
|
||||||
if (!secp256k1_scalar_is_zero(&non) && !overflow) { |
|
||||||
if (secp256k1_schnorr_sig_sign(&ctx->ecmult_gen_ctx, sig64, &sec, &non, NULL, secp256k1_schnorr_msghash_sha256, msg32)) { |
|
||||||
break; |
|
||||||
} |
|
||||||
} |
|
||||||
count++; |
|
||||||
} |
|
||||||
if (!ret) { |
|
||||||
memset(sig64, 0, 64); |
|
||||||
} |
|
||||||
secp256k1_scalar_clear(&non); |
|
||||||
secp256k1_scalar_clear(&sec); |
|
||||||
return ret; |
|
||||||
} |
|
||||||
|
|
||||||
int secp256k1_schnorr_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_pubkey *pubkey) { |
|
||||||
secp256k1_ge q; |
|
||||||
VERIFY_CHECK(ctx != NULL); |
|
||||||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|
||||||
ARG_CHECK(msg32 != NULL); |
|
||||||
ARG_CHECK(sig64 != NULL); |
|
||||||
ARG_CHECK(pubkey != NULL); |
|
||||||
|
|
||||||
secp256k1_pubkey_load(ctx, &q, pubkey); |
|
||||||
return secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64, &q, secp256k1_schnorr_msghash_sha256, msg32); |
|
||||||
} |
|
||||||
|
|
||||||
int secp256k1_schnorr_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *sig64, const unsigned char *msg32) { |
|
||||||
secp256k1_ge q; |
|
||||||
|
|
||||||
VERIFY_CHECK(ctx != NULL); |
|
||||||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|
||||||
ARG_CHECK(msg32 != NULL); |
|
||||||
ARG_CHECK(sig64 != NULL); |
|
||||||
ARG_CHECK(pubkey != NULL); |
|
||||||
|
|
||||||
if (secp256k1_schnorr_sig_recover(&ctx->ecmult_ctx, sig64, &q, secp256k1_schnorr_msghash_sha256, msg32)) { |
|
||||||
secp256k1_pubkey_save(pubkey, &q); |
|
||||||
return 1; |
|
||||||
} else { |
|
||||||
memset(pubkey, 0, sizeof(*pubkey)); |
|
||||||
return 0; |
|
||||||
} |
|
||||||
} |
|
||||||
|
|
||||||
int secp256k1_schnorr_generate_nonce_pair(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, unsigned char *privnonce32, const unsigned char *sec32, const unsigned char *msg32, secp256k1_nonce_function noncefp, const void* noncedata) { |
|
||||||
int count = 0; |
|
||||||
int ret = 1; |
|
||||||
secp256k1_gej Qj; |
|
||||||
secp256k1_ge Q; |
|
||||||
secp256k1_scalar sec; |
|
||||||
|
|
||||||
VERIFY_CHECK(ctx != NULL); |
|
||||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
|
||||||
ARG_CHECK(msg32 != NULL); |
|
||||||
ARG_CHECK(sec32 != NULL); |
|
||||||
ARG_CHECK(pubnonce != NULL); |
|
||||||
ARG_CHECK(privnonce32 != NULL); |
|
||||||
|
|
||||||
if (noncefp == NULL) { |
|
||||||
noncefp = secp256k1_nonce_function_default; |
|
||||||
} |
|
||||||
|
|
||||||
do { |
|
||||||
int overflow; |
|
||||||
ret = noncefp(privnonce32, sec32, msg32, secp256k1_schnorr_algo16, (void*)noncedata, count++); |
|
||||||
if (!ret) { |
|
||||||
break; |
|
||||||
} |
|
||||||
secp256k1_scalar_set_b32(&sec, privnonce32, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&sec)) { |
|
||||||
continue; |
|
||||||
} |
|
||||||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sec); |
|
||||||
secp256k1_ge_set_gej(&Q, &Qj); |
|
||||||
|
|
||||||
secp256k1_pubkey_save(pubnonce, &Q); |
|
||||||
break; |
|
||||||
} while(1); |
|
||||||
|
|
||||||
secp256k1_scalar_clear(&sec); |
|
||||||
if (!ret) { |
|
||||||
memset(pubnonce, 0, sizeof(*pubnonce)); |
|
||||||
} |
|
||||||
return ret; |
|
||||||
} |
|
||||||
|
|
||||||
int secp256k1_schnorr_partial_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const unsigned char *sec32, const secp256k1_pubkey *pubnonce_others, const unsigned char *secnonce32) { |
|
||||||
int overflow = 0; |
|
||||||
secp256k1_scalar sec, non; |
|
||||||
secp256k1_ge pubnon; |
|
||||||
VERIFY_CHECK(ctx != NULL); |
|
||||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
|
||||||
ARG_CHECK(msg32 != NULL); |
|
||||||
ARG_CHECK(sig64 != NULL); |
|
||||||
ARG_CHECK(sec32 != NULL); |
|
||||||
ARG_CHECK(secnonce32 != NULL); |
|
||||||
ARG_CHECK(pubnonce_others != NULL); |
|
||||||
|
|
||||||
secp256k1_scalar_set_b32(&sec, sec32, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&sec)) { |
|
||||||
return -1; |
|
||||||
} |
|
||||||
secp256k1_scalar_set_b32(&non, secnonce32, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&non)) { |
|
||||||
return -1; |
|
||||||
} |
|
||||||
secp256k1_pubkey_load(ctx, &pubnon, pubnonce_others); |
|
||||||
return secp256k1_schnorr_sig_sign(&ctx->ecmult_gen_ctx, sig64, &sec, &non, &pubnon, secp256k1_schnorr_msghash_sha256, msg32); |
|
||||||
} |
|
||||||
|
|
||||||
int secp256k1_schnorr_partial_combine(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char * const *sig64sin, size_t n) { |
|
||||||
ARG_CHECK(sig64 != NULL); |
|
||||||
ARG_CHECK(n >= 1); |
|
||||||
ARG_CHECK(sig64sin != NULL); |
|
||||||
return secp256k1_schnorr_sig_combine(sig64, n, sig64sin); |
|
||||||
} |
|
||||||
|
|
||||||
#endif |
|
@ -1,20 +0,0 @@ |
|||||||
/***********************************************************************
|
|
||||||
* Copyright (c) 2014-2015 Pieter Wuille * |
|
||||||
* Distributed under the MIT software license, see the accompanying * |
|
||||||
* file COPYING or http://www.opensource.org/licenses/mit-license.php. *
|
|
||||||
***********************************************************************/ |
|
||||||
|
|
||||||
#ifndef _SECP256K1_MODULE_SCHNORR_H_ |
|
||||||
#define _SECP256K1_MODULE_SCHNORR_H_ |
|
||||||
|
|
||||||
#include "scalar.h" |
|
||||||
#include "group.h" |
|
||||||
|
|
||||||
typedef void (*secp256k1_schnorr_msghash)(unsigned char *h32, const unsigned char *r32, const unsigned char *msg32); |
|
||||||
|
|
||||||
static int secp256k1_schnorr_sig_sign(const secp256k1_ecmult_gen_context* ctx, unsigned char *sig64, const secp256k1_scalar *key, const secp256k1_scalar *nonce, const secp256k1_ge *pubnonce, secp256k1_schnorr_msghash hash, const unsigned char *msg32); |
|
||||||
static int secp256k1_schnorr_sig_verify(const secp256k1_ecmult_context* ctx, const unsigned char *sig64, const secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32); |
|
||||||
static int secp256k1_schnorr_sig_recover(const secp256k1_ecmult_context* ctx, const unsigned char *sig64, secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32); |
|
||||||
static int secp256k1_schnorr_sig_combine(unsigned char *sig64, size_t n, const unsigned char * const *sig64ins); |
|
||||||
|
|
||||||
#endif |
|
@ -1,207 +0,0 @@ |
|||||||
/***********************************************************************
|
|
||||||
* Copyright (c) 2014-2015 Pieter Wuille * |
|
||||||
* Distributed under the MIT software license, see the accompanying * |
|
||||||
* file COPYING or http://www.opensource.org/licenses/mit-license.php. *
|
|
||||||
***********************************************************************/ |
|
||||||
|
|
||||||
#ifndef _SECP256K1_SCHNORR_IMPL_H_ |
|
||||||
#define _SECP256K1_SCHNORR_IMPL_H_ |
|
||||||
|
|
||||||
#include <string.h> |
|
||||||
|
|
||||||
#include "schnorr.h" |
|
||||||
#include "num.h" |
|
||||||
#include "field.h" |
|
||||||
#include "group.h" |
|
||||||
#include "ecmult.h" |
|
||||||
#include "ecmult_gen.h" |
|
||||||
|
|
||||||
/**
|
|
||||||
* Custom Schnorr-based signature scheme. They support multiparty signing, public key |
|
||||||
* recovery and batch validation. |
|
||||||
* |
|
||||||
* Rationale for verifying R's y coordinate: |
|
||||||
* In order to support batch validation and public key recovery, the full R point must |
|
||||||
* be known to verifiers, rather than just its x coordinate. In order to not risk |
|
||||||
* being more strict in batch validation than normal validation, validators must be |
|
||||||
* required to reject signatures with incorrect y coordinate. This is only possible |
|
||||||
* by including a (relatively slow) field inverse, or a field square root. However, |
|
||||||
* batch validation offers potentially much higher benefits than this cost. |
|
||||||
* |
|
||||||
* Rationale for having an implicit y coordinate oddness: |
|
||||||
* If we commit to having the full R point known to verifiers, there are two mechanism. |
|
||||||
* Either include its oddness in the signature, or give it an implicit fixed value. |
|
||||||
* As the R y coordinate can be flipped by a simple negation of the nonce, we choose the |
|
||||||
* latter, as it comes with nearly zero impact on signing or validation performance, and |
|
||||||
* saves a byte in the signature. |
|
||||||
* |
|
||||||
* Signing: |
|
||||||
* Inputs: 32-byte message m, 32-byte scalar key x (!=0), 32-byte scalar nonce k (!=0) |
|
||||||
* |
|
||||||
* Compute point R = k * G. Reject nonce if R's y coordinate is odd (or negate nonce). |
|
||||||
* Compute 32-byte r, the serialization of R's x coordinate. |
|
||||||
* Compute scalar h = Hash(r || m). Reject nonce if h == 0 or h >= order. |
|
||||||
* Compute scalar s = k - h * x. |
|
||||||
* The signature is (r, s). |
|
||||||
* |
|
||||||
* |
|
||||||
* Verification: |
|
||||||
* Inputs: 32-byte message m, public key point Q, signature: (32-byte r, scalar s) |
|
||||||
* |
|
||||||
* Signature is invalid if s >= order. |
|
||||||
* Signature is invalid if r >= p. |
|
||||||
* Compute scalar h = Hash(r || m). Signature is invalid if h == 0 or h >= order. |
|
||||||
* Option 1 (faster for single verification): |
|
||||||
* Compute point R = h * Q + s * G. Signature is invalid if R is infinity or R's y coordinate is odd. |
|
||||||
* Signature is valid if the serialization of R's x coordinate equals r. |
|
||||||
* Option 2 (allows batch validation and pubkey recovery): |
|
||||||
* Decompress x coordinate r into point R, with odd y coordinate. Fail if R is not on the curve. |
|
||||||
* Signature is valid if R + h * Q + s * G == 0. |
|
||||||
*/ |
|
||||||
|
|
||||||
static int secp256k1_schnorr_sig_sign(const secp256k1_ecmult_gen_context* ctx, unsigned char *sig64, const secp256k1_scalar *key, const secp256k1_scalar *nonce, const secp256k1_ge *pubnonce, secp256k1_schnorr_msghash hash, const unsigned char *msg32) { |
|
||||||
secp256k1_gej Rj; |
|
||||||
secp256k1_ge Ra; |
|
||||||
unsigned char h32[32]; |
|
||||||
secp256k1_scalar h, s; |
|
||||||
int overflow; |
|
||||||
secp256k1_scalar n; |
|
||||||
|
|
||||||
if (secp256k1_scalar_is_zero(key) || secp256k1_scalar_is_zero(nonce)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
n = *nonce; |
|
||||||
|
|
||||||
secp256k1_ecmult_gen(ctx, &Rj, &n); |
|
||||||
if (pubnonce != NULL) { |
|
||||||
secp256k1_gej_add_ge(&Rj, &Rj, pubnonce); |
|
||||||
} |
|
||||||
secp256k1_ge_set_gej(&Ra, &Rj); |
|
||||||
secp256k1_fe_normalize(&Ra.y); |
|
||||||
if (secp256k1_fe_is_odd(&Ra.y)) { |
|
||||||
/* R's y coordinate is odd, which is not allowed (see rationale above).
|
|
||||||
Force it to be even by negating the nonce. Note that this even works |
|
||||||
for multiparty signing, as the R point is known to all participants, |
|
||||||
which can all decide to flip the sign in unison, resulting in the |
|
||||||
overall R point to be negated too. */ |
|
||||||
secp256k1_scalar_negate(&n, &n); |
|
||||||
} |
|
||||||
secp256k1_fe_normalize(&Ra.x); |
|
||||||
secp256k1_fe_get_b32(sig64, &Ra.x); |
|
||||||
hash(h32, sig64, msg32); |
|
||||||
overflow = 0; |
|
||||||
secp256k1_scalar_set_b32(&h, h32, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&h)) { |
|
||||||
secp256k1_scalar_clear(&n); |
|
||||||
return 0; |
|
||||||
} |
|
||||||
secp256k1_scalar_mul(&s, &h, key); |
|
||||||
secp256k1_scalar_negate(&s, &s); |
|
||||||
secp256k1_scalar_add(&s, &s, &n); |
|
||||||
secp256k1_scalar_clear(&n); |
|
||||||
secp256k1_scalar_get_b32(sig64 + 32, &s); |
|
||||||
return 1; |
|
||||||
} |
|
||||||
|
|
||||||
static int secp256k1_schnorr_sig_verify(const secp256k1_ecmult_context* ctx, const unsigned char *sig64, const secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32) { |
|
||||||
secp256k1_gej Qj, Rj; |
|
||||||
secp256k1_ge Ra; |
|
||||||
secp256k1_fe Rx; |
|
||||||
secp256k1_scalar h, s; |
|
||||||
unsigned char hh[32]; |
|
||||||
int overflow; |
|
||||||
|
|
||||||
if (secp256k1_ge_is_infinity(pubkey)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
hash(hh, sig64, msg32); |
|
||||||
overflow = 0; |
|
||||||
secp256k1_scalar_set_b32(&h, hh, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&h)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
overflow = 0; |
|
||||||
secp256k1_scalar_set_b32(&s, sig64 + 32, &overflow); |
|
||||||
if (overflow) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
if (!secp256k1_fe_set_b32(&Rx, sig64)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
secp256k1_gej_set_ge(&Qj, pubkey); |
|
||||||
secp256k1_ecmult(ctx, &Rj, &Qj, &h, &s); |
|
||||||
if (secp256k1_gej_is_infinity(&Rj)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
secp256k1_ge_set_gej_var(&Ra, &Rj); |
|
||||||
secp256k1_fe_normalize_var(&Ra.y); |
|
||||||
if (secp256k1_fe_is_odd(&Ra.y)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
return secp256k1_fe_equal_var(&Rx, &Ra.x); |
|
||||||
} |
|
||||||
|
|
||||||
static int secp256k1_schnorr_sig_recover(const secp256k1_ecmult_context* ctx, const unsigned char *sig64, secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32) { |
|
||||||
secp256k1_gej Qj, Rj; |
|
||||||
secp256k1_ge Ra; |
|
||||||
secp256k1_fe Rx; |
|
||||||
secp256k1_scalar h, s; |
|
||||||
unsigned char hh[32]; |
|
||||||
int overflow; |
|
||||||
|
|
||||||
hash(hh, sig64, msg32); |
|
||||||
overflow = 0; |
|
||||||
secp256k1_scalar_set_b32(&h, hh, &overflow); |
|
||||||
if (overflow || secp256k1_scalar_is_zero(&h)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
overflow = 0; |
|
||||||
secp256k1_scalar_set_b32(&s, sig64 + 32, &overflow); |
|
||||||
if (overflow) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
if (!secp256k1_fe_set_b32(&Rx, sig64)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
if (!secp256k1_ge_set_xo_var(&Ra, &Rx, 0)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
secp256k1_gej_set_ge(&Rj, &Ra); |
|
||||||
secp256k1_scalar_inverse_var(&h, &h); |
|
||||||
secp256k1_scalar_negate(&s, &s); |
|
||||||
secp256k1_scalar_mul(&s, &s, &h); |
|
||||||
secp256k1_ecmult(ctx, &Qj, &Rj, &h, &s); |
|
||||||
if (secp256k1_gej_is_infinity(&Qj)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
secp256k1_ge_set_gej(pubkey, &Qj); |
|
||||||
return 1; |
|
||||||
} |
|
||||||
|
|
||||||
static int secp256k1_schnorr_sig_combine(unsigned char *sig64, size_t n, const unsigned char * const *sig64ins) { |
|
||||||
secp256k1_scalar s = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); |
|
||||||
size_t i; |
|
||||||
for (i = 0; i < n; i++) { |
|
||||||
secp256k1_scalar si; |
|
||||||
int overflow; |
|
||||||
secp256k1_scalar_set_b32(&si, sig64ins[i] + 32, &overflow); |
|
||||||
if (overflow) { |
|
||||||
return -1; |
|
||||||
} |
|
||||||
if (i) { |
|
||||||
if (memcmp(sig64ins[i - 1], sig64ins[i], 32) != 0) { |
|
||||||
return -1; |
|
||||||
} |
|
||||||
} |
|
||||||
secp256k1_scalar_add(&s, &s, &si); |
|
||||||
} |
|
||||||
if (secp256k1_scalar_is_zero(&s)) { |
|
||||||
return 0; |
|
||||||
} |
|
||||||
memcpy(sig64, sig64ins[0], 32); |
|
||||||
secp256k1_scalar_get_b32(sig64 + 32, &s); |
|
||||||
secp256k1_scalar_clear(&s); |
|
||||||
return 1; |
|
||||||
} |
|
||||||
|
|
||||||
#endif |
|
@ -1,175 +0,0 @@ |
|||||||
/**********************************************************************
|
|
||||||
* Copyright (c) 2014-2015 Pieter Wuille * |
|
||||||
* Distributed under the MIT software license, see the accompanying * |
|
||||||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|
||||||
**********************************************************************/ |
|
||||||
|
|
||||||
#ifndef SECP256K1_MODULE_SCHNORR_TESTS |
|
||||||
#define SECP256K1_MODULE_SCHNORR_TESTS |
|
||||||
|
|
||||||
#include "include/secp256k1_schnorr.h" |
|
||||||
|
|
||||||
void test_schnorr_end_to_end(void) { |
|
||||||
unsigned char privkey[32]; |
|
||||||
unsigned char message[32]; |
|
||||||
unsigned char schnorr_signature[64]; |
|
||||||
secp256k1_pubkey pubkey, recpubkey; |
|
||||||
|
|
||||||
/* Generate a random key and message. */ |
|
||||||
{ |
|
||||||
secp256k1_scalar key; |
|
||||||
random_scalar_order_test(&key); |
|
||||||
secp256k1_scalar_get_b32(privkey, &key); |
|
||||||
secp256k1_rand256_test(message); |
|
||||||
} |
|
||||||
|
|
||||||
/* Construct and verify corresponding public key. */ |
|
||||||
CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); |
|
||||||
CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); |
|
||||||
|
|
||||||
/* Schnorr sign. */ |
|
||||||
CHECK(secp256k1_schnorr_sign(ctx, schnorr_signature, message, privkey, NULL, NULL) == 1); |
|
||||||
CHECK(secp256k1_schnorr_verify(ctx, schnorr_signature, message, &pubkey) == 1); |
|
||||||
CHECK(secp256k1_schnorr_recover(ctx, &recpubkey, schnorr_signature, message) == 1); |
|
||||||
CHECK(memcmp(&pubkey, &recpubkey, sizeof(pubkey)) == 0); |
|
||||||
/* Destroy signature and verify again. */ |
|
||||||
schnorr_signature[secp256k1_rand_bits(6)] += 1 + secp256k1_rand_int(255); |
|
||||||
CHECK(secp256k1_schnorr_verify(ctx, schnorr_signature, message, &pubkey) == 0); |
|
||||||
CHECK(secp256k1_schnorr_recover(ctx, &recpubkey, schnorr_signature, message) != 1 || |
|
||||||
memcmp(&pubkey, &recpubkey, sizeof(pubkey)) != 0); |
|
||||||
} |
|
||||||
|
|
||||||
/** Horribly broken hash function. Do not use for anything but tests. */ |
|
||||||
void test_schnorr_hash(unsigned char *h32, const unsigned char *r32, const unsigned char *msg32) { |
|
||||||
int i; |
|
||||||
for (i = 0; i < 32; i++) { |
|
||||||
h32[i] = r32[i] ^ msg32[i]; |
|
||||||
} |
|
||||||
} |
|
||||||
|
|
||||||
void test_schnorr_sign_verify(void) { |
|
||||||
unsigned char msg32[32]; |
|
||||||
unsigned char sig64[3][64]; |
|
||||||
secp256k1_gej pubkeyj[3]; |
|
||||||
secp256k1_ge pubkey[3]; |
|
||||||
secp256k1_scalar nonce[3], key[3]; |
|
||||||
int i = 0; |
|
||||||
int k; |
|
||||||
|
|
||||||
secp256k1_rand256_test(msg32); |
|
||||||
|
|
||||||
for (k = 0; k < 3; k++) { |
|
||||||
random_scalar_order_test(&key[k]); |
|
||||||
|
|
||||||
do { |
|
||||||
random_scalar_order_test(&nonce[k]); |
|
||||||
if (secp256k1_schnorr_sig_sign(&ctx->ecmult_gen_ctx, sig64[k], &key[k], &nonce[k], NULL, &test_schnorr_hash, msg32)) { |
|
||||||
break; |
|
||||||
} |
|
||||||
} while(1); |
|
||||||
|
|
||||||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj[k], &key[k]); |
|
||||||
secp256k1_ge_set_gej_var(&pubkey[k], &pubkeyj[k]); |
|
||||||
CHECK(secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64[k], &pubkey[k], &test_schnorr_hash, msg32)); |
|
||||||
|
|
||||||
for (i = 0; i < 4; i++) { |
|
||||||
int pos = secp256k1_rand_bits(6); |
|
||||||
int mod = 1 + secp256k1_rand_int(255); |
|
||||||
sig64[k][pos] ^= mod; |
|
||||||
CHECK(secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64[k], &pubkey[k], &test_schnorr_hash, msg32) == 0); |
|
||||||
sig64[k][pos] ^= mod; |
|
||||||
} |
|
||||||
} |
|
||||||
} |
|
||||||
|
|
||||||
void test_schnorr_threshold(void) { |
|
||||||
unsigned char msg[32]; |
|
||||||
unsigned char sec[5][32]; |
|
||||||
secp256k1_pubkey pub[5]; |
|
||||||
unsigned char nonce[5][32]; |
|
||||||
secp256k1_pubkey pubnonce[5]; |
|
||||||
unsigned char sig[5][64]; |
|
||||||
const unsigned char* sigs[5]; |
|
||||||
unsigned char allsig[64]; |
|
||||||
const secp256k1_pubkey* pubs[5]; |
|
||||||
secp256k1_pubkey allpub; |
|
||||||
int n, i; |
|
||||||
int damage; |
|
||||||
int ret = 0; |
|
||||||
|
|
||||||
damage = secp256k1_rand_bits(1) ? (1 + secp256k1_rand_int(4)) : 0; |
|
||||||
secp256k1_rand256_test(msg); |
|
||||||
n = 2 + secp256k1_rand_int(4); |
|
||||||
for (i = 0; i < n; i++) { |
|
||||||
do { |
|
||||||
secp256k1_rand256_test(sec[i]); |
|
||||||
} while (!secp256k1_ec_seckey_verify(ctx, sec[i])); |
|
||||||
CHECK(secp256k1_ec_pubkey_create(ctx, &pub[i], sec[i])); |
|
||||||
CHECK(secp256k1_schnorr_generate_nonce_pair(ctx, &pubnonce[i], nonce[i], msg, sec[i], NULL, NULL)); |
|
||||||
pubs[i] = &pub[i]; |
|
||||||
} |
|
||||||
if (damage == 1) { |
|
||||||
nonce[secp256k1_rand_int(n)][secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
||||||
} else if (damage == 2) { |
|
||||||
sec[secp256k1_rand_int(n)][secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
||||||
} |
|
||||||
for (i = 0; i < n; i++) { |
|
||||||
secp256k1_pubkey allpubnonce; |
|
||||||
const secp256k1_pubkey *pubnonces[4]; |
|
||||||
int j; |
|
||||||
for (j = 0; j < i; j++) { |
|
||||||
pubnonces[j] = &pubnonce[j]; |
|
||||||
} |
|
||||||
for (j = i + 1; j < n; j++) { |
|
||||||
pubnonces[j - 1] = &pubnonce[j]; |
|
||||||
} |
|
||||||
CHECK(secp256k1_ec_pubkey_combine(ctx, &allpubnonce, pubnonces, n - 1)); |
|
||||||
ret |= (secp256k1_schnorr_partial_sign(ctx, sig[i], msg, sec[i], &allpubnonce, nonce[i]) != 1) * 1; |
|
||||||
sigs[i] = sig[i]; |
|
||||||
} |
|
||||||
if (damage == 3) { |
|
||||||
sig[secp256k1_rand_int(n)][secp256k1_rand_bits(6)] ^= 1 + secp256k1_rand_int(255); |
|
||||||
} |
|
||||||
ret |= (secp256k1_ec_pubkey_combine(ctx, &allpub, pubs, n) != 1) * 2; |
|
||||||
if ((ret & 1) == 0) { |
|
||||||
ret |= (secp256k1_schnorr_partial_combine(ctx, allsig, sigs, n) != 1) * 4; |
|
||||||
} |
|
||||||
if (damage == 4) { |
|
||||||
allsig[secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
||||||
} |
|
||||||
if ((ret & 7) == 0) { |
|
||||||
ret |= (secp256k1_schnorr_verify(ctx, allsig, msg, &allpub) != 1) * 8; |
|
||||||
} |
|
||||||
CHECK((ret == 0) == (damage == 0)); |
|
||||||
} |
|
||||||
|
|
||||||
void test_schnorr_recovery(void) { |
|
||||||
unsigned char msg32[32]; |
|
||||||
unsigned char sig64[64]; |
|
||||||
secp256k1_ge Q; |
|
||||||
|
|
||||||
secp256k1_rand256_test(msg32); |
|
||||||
secp256k1_rand256_test(sig64); |
|
||||||
secp256k1_rand256_test(sig64 + 32); |
|
||||||
if (secp256k1_schnorr_sig_recover(&ctx->ecmult_ctx, sig64, &Q, &test_schnorr_hash, msg32) == 1) { |
|
||||||
CHECK(secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64, &Q, &test_schnorr_hash, msg32) == 1); |
|
||||||
} |
|
||||||
} |
|
||||||
|
|
||||||
void run_schnorr_tests(void) { |
|
||||||
int i; |
|
||||||
for (i = 0; i < 32*count; i++) { |
|
||||||
test_schnorr_end_to_end(); |
|
||||||
} |
|
||||||
for (i = 0; i < 32 * count; i++) { |
|
||||||
test_schnorr_sign_verify(); |
|
||||||
} |
|
||||||
for (i = 0; i < 16 * count; i++) { |
|
||||||
test_schnorr_recovery(); |
|
||||||
} |
|
||||||
for (i = 0; i < 10 * count; i++) { |
|
||||||
test_schnorr_threshold(); |
|
||||||
} |
|
||||||
} |
|
||||||
|
|
||||||
#endif |
|
@ -0,0 +1,15 @@ |
|||||||
|
/**********************************************************************
|
||||||
|
* Copyright (c) 2015 Andrew Poelstra * |
||||||
|
* Distributed under the MIT software license, see the accompanying * |
||||||
|
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
||||||
|
**********************************************************************/ |
||||||
|
|
||||||
|
#ifndef _SECP256K1_SCALAR_REPR_ |
||||||
|
#define _SECP256K1_SCALAR_REPR_ |
||||||
|
|
||||||
|
#include <stdint.h> |
||||||
|
|
||||||
|
/** A scalar modulo the group order of the secp256k1 curve. */ |
||||||
|
typedef uint32_t secp256k1_scalar; |
||||||
|
|
||||||
|
#endif |
@ -0,0 +1,114 @@ |
|||||||
|
/**********************************************************************
|
||||||
|
* Copyright (c) 2015 Andrew Poelstra * |
||||||
|
* Distributed under the MIT software license, see the accompanying * |
||||||
|
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
||||||
|
**********************************************************************/ |
||||||
|
|
||||||
|
#ifndef _SECP256K1_SCALAR_REPR_IMPL_H_ |
||||||
|
#define _SECP256K1_SCALAR_REPR_IMPL_H_ |
||||||
|
|
||||||
|
#include "scalar.h" |
||||||
|
|
||||||
|
#include <string.h> |
||||||
|
|
||||||
|
SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) { |
||||||
|
return !(*a & 1); |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static void secp256k1_scalar_clear(secp256k1_scalar *r) { *r = 0; } |
||||||
|
SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) { *r = v; } |
||||||
|
|
||||||
|
SECP256K1_INLINE static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { |
||||||
|
if (offset < 32) |
||||||
|
return ((*a >> offset) & ((((uint32_t)1) << count) - 1)); |
||||||
|
else |
||||||
|
return 0; |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { |
||||||
|
return secp256k1_scalar_get_bits(a, offset, count); |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } |
||||||
|
|
||||||
|
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { |
||||||
|
*r = (*a + *b) % EXHAUSTIVE_TEST_ORDER; |
||||||
|
return *r < *b; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag) { |
||||||
|
if (flag && bit < 32) |
||||||
|
*r += (1 << bit); |
||||||
|
#ifdef VERIFY |
||||||
|
VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0); |
||||||
|
#endif |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) { |
||||||
|
const int base = 0x100 % EXHAUSTIVE_TEST_ORDER; |
||||||
|
int i; |
||||||
|
*r = 0; |
||||||
|
for (i = 0; i < 32; i++) { |
||||||
|
*r = ((*r * base) + b32[i]) % EXHAUSTIVE_TEST_ORDER; |
||||||
|
} |
||||||
|
/* just deny overflow, it basically always happens */ |
||||||
|
if (overflow) *overflow = 0; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) { |
||||||
|
memset(bin, 0, 32); |
||||||
|
bin[28] = *a >> 24; bin[29] = *a >> 16; bin[30] = *a >> 8; bin[31] = *a; |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) { |
||||||
|
return *a == 0; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a) { |
||||||
|
if (*a == 0) { |
||||||
|
*r = 0; |
||||||
|
} else { |
||||||
|
*r = EXHAUSTIVE_TEST_ORDER - *a; |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static int secp256k1_scalar_is_one(const secp256k1_scalar *a) { |
||||||
|
return *a == 1; |
||||||
|
} |
||||||
|
|
||||||
|
static int secp256k1_scalar_is_high(const secp256k1_scalar *a) { |
||||||
|
return *a > EXHAUSTIVE_TEST_ORDER / 2; |
||||||
|
} |
||||||
|
|
||||||
|
static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) { |
||||||
|
if (flag) secp256k1_scalar_negate(r, r); |
||||||
|
return flag ? -1 : 1; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { |
||||||
|
*r = (*a * *b) % EXHAUSTIVE_TEST_ORDER; |
||||||
|
} |
||||||
|
|
||||||
|
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n) { |
||||||
|
int ret; |
||||||
|
VERIFY_CHECK(n > 0); |
||||||
|
VERIFY_CHECK(n < 16); |
||||||
|
ret = *r & ((1 << n) - 1); |
||||||
|
*r >>= n; |
||||||
|
return ret; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a) { |
||||||
|
*r = (*a * *a) % EXHAUSTIVE_TEST_ORDER; |
||||||
|
} |
||||||
|
|
||||||
|
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) { |
||||||
|
*r1 = *a; |
||||||
|
*r2 = 0; |
||||||
|
} |
||||||
|
|
||||||
|
SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b) { |
||||||
|
return *a == *b; |
||||||
|
} |
||||||
|
|
||||||
|
#endif |
@ -0,0 +1,329 @@ |
|||||||
|
/***********************************************************************
|
||||||
|
* Copyright (c) 2016 Andrew Poelstra * |
||||||
|
* Distributed under the MIT software license, see the accompanying * |
||||||
|
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
||||||
|
**********************************************************************/ |
||||||
|
|
||||||
|
#if defined HAVE_CONFIG_H |
||||||
|
#include "libsecp256k1-config.h" |
||||||
|
#endif |
||||||
|
|
||||||
|
#include <stdio.h> |
||||||
|
#include <stdlib.h> |
||||||
|
|
||||||
|
#include <time.h> |
||||||
|
|
||||||
|
#undef USE_ECMULT_STATIC_PRECOMPUTATION |
||||||
|
|
||||||
|
#ifndef EXHAUSTIVE_TEST_ORDER |
||||||
|
/* see group_impl.h for allowable values */ |
||||||
|
#define EXHAUSTIVE_TEST_ORDER 13 |
||||||
|
#define EXHAUSTIVE_TEST_LAMBDA 9 /* cube root of 1 mod 13 */ |
||||||
|
#endif |
||||||
|
|
||||||
|
#include "include/secp256k1.h" |
||||||
|
#include "group.h" |
||||||
|
#include "secp256k1.c" |
||||||
|
#include "testrand_impl.h" |
||||||
|
|
||||||
|
/** stolen from tests.c */ |
||||||
|
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) { |
||||||
|
CHECK(a->infinity == b->infinity); |
||||||
|
if (a->infinity) { |
||||||
|
return; |
||||||
|
} |
||||||
|
CHECK(secp256k1_fe_equal_var(&a->x, &b->x)); |
||||||
|
CHECK(secp256k1_fe_equal_var(&a->y, &b->y)); |
||||||
|
} |
||||||
|
|
||||||
|
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) { |
||||||
|
secp256k1_fe z2s; |
||||||
|
secp256k1_fe u1, u2, s1, s2; |
||||||
|
CHECK(a->infinity == b->infinity); |
||||||
|
if (a->infinity) { |
||||||
|
return; |
||||||
|
} |
||||||
|
/* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ |
||||||
|
secp256k1_fe_sqr(&z2s, &b->z); |
||||||
|
secp256k1_fe_mul(&u1, &a->x, &z2s); |
||||||
|
u2 = b->x; secp256k1_fe_normalize_weak(&u2); |
||||||
|
secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z); |
||||||
|
s2 = b->y; secp256k1_fe_normalize_weak(&s2); |
||||||
|
CHECK(secp256k1_fe_equal_var(&u1, &u2)); |
||||||
|
CHECK(secp256k1_fe_equal_var(&s1, &s2)); |
||||||
|
} |
||||||
|
|
||||||
|
void random_fe(secp256k1_fe *x) { |
||||||
|
unsigned char bin[32]; |
||||||
|
do { |
||||||
|
secp256k1_rand256(bin); |
||||||
|
if (secp256k1_fe_set_b32(x, bin)) { |
||||||
|
return; |
||||||
|
} |
||||||
|
} while(1); |
||||||
|
} |
||||||
|
/** END stolen from tests.c */ |
||||||
|
|
||||||
|
int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, |
||||||
|
const unsigned char *key32, const unsigned char *algo16, |
||||||
|
void *data, unsigned int attempt) { |
||||||
|
secp256k1_scalar s; |
||||||
|
int *idata = data; |
||||||
|
(void)msg32; |
||||||
|
(void)key32; |
||||||
|
(void)algo16; |
||||||
|
/* Some nonces cannot be used because they'd cause s and/or r to be zero.
|
||||||
|
* The signing function has retry logic here that just re-calls the nonce |
||||||
|
* function with an increased `attempt`. So if attempt > 0 this means we |
||||||
|
* need to change the nonce to avoid an infinite loop. */ |
||||||
|
if (attempt > 0) { |
||||||
|
(*idata)++; |
||||||
|
} |
||||||
|
secp256k1_scalar_set_int(&s, *idata); |
||||||
|
secp256k1_scalar_get_b32(nonce32, &s); |
||||||
|
return 1; |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef USE_ENDOMORPHISM |
||||||
|
void test_exhaustive_endomorphism(const secp256k1_ge *group, int order) { |
||||||
|
int i; |
||||||
|
for (i = 0; i < order; i++) { |
||||||
|
secp256k1_ge res; |
||||||
|
secp256k1_ge_mul_lambda(&res, &group[i]); |
||||||
|
ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res); |
||||||
|
} |
||||||
|
} |
||||||
|
#endif |
||||||
|
|
||||||
|
void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj, int order) { |
||||||
|
int i, j; |
||||||
|
|
||||||
|
/* Sanity-check (and check infinity functions) */ |
||||||
|
CHECK(secp256k1_ge_is_infinity(&group[0])); |
||||||
|
CHECK(secp256k1_gej_is_infinity(&groupj[0])); |
||||||
|
for (i = 1; i < order; i++) { |
||||||
|
CHECK(!secp256k1_ge_is_infinity(&group[i])); |
||||||
|
CHECK(!secp256k1_gej_is_infinity(&groupj[i])); |
||||||
|
} |
||||||
|
|
||||||
|
/* Check all addition formulae */ |
||||||
|
for (j = 0; j < order; j++) { |
||||||
|
secp256k1_fe fe_inv; |
||||||
|
secp256k1_fe_inv(&fe_inv, &groupj[j].z); |
||||||
|
for (i = 0; i < order; i++) { |
||||||
|
secp256k1_ge zless_gej; |
||||||
|
secp256k1_gej tmp; |
||||||
|
/* add_var */ |
||||||
|
secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); |
||||||
|
ge_equals_gej(&group[(i + j) % order], &tmp); |
||||||
|
/* add_ge */ |
||||||
|
if (j > 0) { |
||||||
|
secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]); |
||||||
|
ge_equals_gej(&group[(i + j) % order], &tmp); |
||||||
|
} |
||||||
|
/* add_ge_var */ |
||||||
|
secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); |
||||||
|
ge_equals_gej(&group[(i + j) % order], &tmp); |
||||||
|
/* add_zinv_var */ |
||||||
|
zless_gej.infinity = groupj[j].infinity; |
||||||
|
zless_gej.x = groupj[j].x; |
||||||
|
zless_gej.y = groupj[j].y; |
||||||
|
secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); |
||||||
|
ge_equals_gej(&group[(i + j) % order], &tmp); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
/* Check doubling */ |
||||||
|
for (i = 0; i < order; i++) { |
||||||
|
secp256k1_gej tmp; |
||||||
|
if (i > 0) { |
||||||
|
secp256k1_gej_double_nonzero(&tmp, &groupj[i], NULL); |
||||||
|
ge_equals_gej(&group[(2 * i) % order], &tmp); |
||||||
|
} |
||||||
|
secp256k1_gej_double_var(&tmp, &groupj[i], NULL); |
||||||
|
ge_equals_gej(&group[(2 * i) % order], &tmp); |
||||||
|
} |
||||||
|
|
||||||
|
/* Check negation */ |
||||||
|
for (i = 1; i < order; i++) { |
||||||
|
secp256k1_ge tmp; |
||||||
|
secp256k1_gej tmpj; |
||||||
|
secp256k1_ge_neg(&tmp, &group[i]); |
||||||
|
ge_equals_ge(&group[order - i], &tmp); |
||||||
|
secp256k1_gej_neg(&tmpj, &groupj[i]); |
||||||
|
ge_equals_gej(&group[order - i], &tmpj); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *group, const secp256k1_gej *groupj, int order) { |
||||||
|
int i, j, r_log; |
||||||
|
for (r_log = 1; r_log < order; r_log++) { |
||||||
|
for (j = 0; j < order; j++) { |
||||||
|
for (i = 0; i < order; i++) { |
||||||
|
secp256k1_gej tmp; |
||||||
|
secp256k1_scalar na, ng; |
||||||
|
secp256k1_scalar_set_int(&na, i); |
||||||
|
secp256k1_scalar_set_int(&ng, j); |
||||||
|
|
||||||
|
secp256k1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); |
||||||
|
ge_equals_gej(&group[(i * r_log + j) % order], &tmp); |
||||||
|
|
||||||
|
if (i > 0) { |
||||||
|
secp256k1_ecmult_const(&tmp, &group[i], &ng); |
||||||
|
ge_equals_gej(&group[(i * j) % order], &tmp); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k) { |
||||||
|
secp256k1_fe x; |
||||||
|
unsigned char x_bin[32]; |
||||||
|
k %= EXHAUSTIVE_TEST_ORDER; |
||||||
|
x = group[k].x; |
||||||
|
secp256k1_fe_normalize(&x); |
||||||
|
secp256k1_fe_get_b32(x_bin, &x); |
||||||
|
secp256k1_scalar_set_b32(r, x_bin, NULL); |
||||||
|
} |
||||||
|
|
||||||
|
void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { |
||||||
|
int s, r, msg, key; |
||||||
|
for (s = 1; s < order; s++) { |
||||||
|
for (r = 1; r < order; r++) { |
||||||
|
for (msg = 1; msg < order; msg++) { |
||||||
|
for (key = 1; key < order; key++) { |
||||||
|
secp256k1_ge nonconst_ge; |
||||||
|
secp256k1_ecdsa_signature sig; |
||||||
|
secp256k1_pubkey pk; |
||||||
|
secp256k1_scalar sk_s, msg_s, r_s, s_s; |
||||||
|
secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s; |
||||||
|
int k, should_verify; |
||||||
|
unsigned char msg32[32]; |
||||||
|
|
||||||
|
secp256k1_scalar_set_int(&s_s, s); |
||||||
|
secp256k1_scalar_set_int(&r_s, r); |
||||||
|
secp256k1_scalar_set_int(&msg_s, msg); |
||||||
|
secp256k1_scalar_set_int(&sk_s, key); |
||||||
|
|
||||||
|
/* Verify by hand */ |
||||||
|
/* Run through every k value that gives us this r and check that *one* works.
|
||||||
|
* Note there could be none, there could be multiple, ECDSA is weird. */ |
||||||
|
should_verify = 0; |
||||||
|
for (k = 0; k < order; k++) { |
||||||
|
secp256k1_scalar check_x_s; |
||||||
|
r_from_k(&check_x_s, group, k); |
||||||
|
if (r_s == check_x_s) { |
||||||
|
secp256k1_scalar_set_int(&s_times_k_s, k); |
||||||
|
secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); |
||||||
|
secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); |
||||||
|
secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); |
||||||
|
should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); |
||||||
|
} |
||||||
|
} |
||||||
|
/* nb we have a "high s" rule */ |
||||||
|
should_verify &= !secp256k1_scalar_is_high(&s_s); |
||||||
|
|
||||||
|
/* Verify by calling verify */ |
||||||
|
secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s); |
||||||
|
memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); |
||||||
|
secp256k1_pubkey_save(&pk, &nonconst_ge); |
||||||
|
secp256k1_scalar_get_b32(msg32, &msg_s); |
||||||
|
CHECK(should_verify == |
||||||
|
secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk)); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { |
||||||
|
int i, j, k; |
||||||
|
|
||||||
|
/* Loop */ |
||||||
|
for (i = 1; i < order; i++) { /* message */ |
||||||
|
for (j = 1; j < order; j++) { /* key */ |
||||||
|
for (k = 1; k < order; k++) { /* nonce */ |
||||||
|
secp256k1_ecdsa_signature sig; |
||||||
|
secp256k1_scalar sk, msg, r, s, expected_r; |
||||||
|
unsigned char sk32[32], msg32[32]; |
||||||
|
secp256k1_scalar_set_int(&msg, i); |
||||||
|
secp256k1_scalar_set_int(&sk, j); |
||||||
|
secp256k1_scalar_get_b32(sk32, &sk); |
||||||
|
secp256k1_scalar_get_b32(msg32, &msg); |
||||||
|
|
||||||
|
secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k); |
||||||
|
|
||||||
|
secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig); |
||||||
|
/* Note that we compute expected_r *after* signing -- this is important
|
||||||
|
* because our nonce-computing function function might change k during |
||||||
|
* signing. */ |
||||||
|
r_from_k(&expected_r, group, k); |
||||||
|
CHECK(r == expected_r); |
||||||
|
CHECK((k * s) % order == (i + r * j) % order || |
||||||
|
(k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
/* We would like to verify zero-knowledge here by counting how often every
|
||||||
|
* possible (s, r) tuple appears, but because the group order is larger |
||||||
|
* than the field order, when coercing the x-values to scalar values, some |
||||||
|
* appear more often than others, so we are actually not zero-knowledge. |
||||||
|
* (This effect also appears in the real code, but the difference is on the |
||||||
|
* order of 1/2^128th the field order, so the deviation is not useful to a |
||||||
|
* computationally bounded attacker.) |
||||||
|
*/ |
||||||
|
} |
||||||
|
|
||||||
|
int main(void) { |
||||||
|
int i; |
||||||
|
secp256k1_gej groupj[EXHAUSTIVE_TEST_ORDER]; |
||||||
|
secp256k1_ge group[EXHAUSTIVE_TEST_ORDER]; |
||||||
|
|
||||||
|
/* Build context */ |
||||||
|
secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); |
||||||
|
|
||||||
|
/* TODO set z = 1, then do num_tests runs with random z values */ |
||||||
|
|
||||||
|
/* Generate the entire group */ |
||||||
|
secp256k1_gej_set_infinity(&groupj[0]); |
||||||
|
secp256k1_ge_set_gej(&group[0], &groupj[0]); |
||||||
|
for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { |
||||||
|
/* Set a different random z-value for each Jacobian point */ |
||||||
|
secp256k1_fe z; |
||||||
|
random_fe(&z); |
||||||
|
|
||||||
|
secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g); |
||||||
|
secp256k1_ge_set_gej(&group[i], &groupj[i]); |
||||||
|
secp256k1_gej_rescale(&groupj[i], &z); |
||||||
|
|
||||||
|
/* Verify against ecmult_gen */ |
||||||
|
{ |
||||||
|
secp256k1_scalar scalar_i; |
||||||
|
secp256k1_gej generatedj; |
||||||
|
secp256k1_ge generated; |
||||||
|
|
||||||
|
secp256k1_scalar_set_int(&scalar_i, i); |
||||||
|
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); |
||||||
|
secp256k1_ge_set_gej(&generated, &generatedj); |
||||||
|
|
||||||
|
CHECK(group[i].infinity == 0); |
||||||
|
CHECK(generated.infinity == 0); |
||||||
|
CHECK(secp256k1_fe_equal_var(&generated.x, &group[i].x)); |
||||||
|
CHECK(secp256k1_fe_equal_var(&generated.y, &group[i].y)); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
/* Run the tests */ |
||||||
|
#ifdef USE_ENDOMORPHISM |
||||||
|
test_exhaustive_endomorphism(group, EXHAUSTIVE_TEST_ORDER); |
||||||
|
#endif |
||||||
|
test_exhaustive_addition(group, groupj, EXHAUSTIVE_TEST_ORDER); |
||||||
|
test_exhaustive_ecmult(ctx, group, groupj, EXHAUSTIVE_TEST_ORDER); |
||||||
|
test_exhaustive_sign(ctx, group, EXHAUSTIVE_TEST_ORDER); |
||||||
|
test_exhaustive_verify(ctx, group, EXHAUSTIVE_TEST_ORDER); |
||||||
|
|
||||||
|
return 0; |
||||||
|
} |
||||||
|
|
Loading…
Reference in new issue