diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 883ef3aab5..b4e5f602e3 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -136,9 +136,9 @@ Input: * The secret key ''sk'': a 32-byte array, freshly generated uniformly at random The algorithm ''PubKey(sk)'' is defined as: -* Let ''d = int(sk)''. -* Fail if ''d = 0'' or ''d ≥ n''. -* Return ''bytes(d⋅G)''. +* Let ''d' = int(sk)''. +* Fail if ''d' = 0'' or ''d' ≥ n''. +* Return ''bytes(d'⋅G)''. Note that we use a very different public key format (32 bytes) than the ones used by existing systems (which typically use elliptic curve points as public keys, or 33-byte or 65-byte encodings of them). A side effect is that ''PubKey(sk) = PubKey(bytes(n - int(sk))'', so every public key has two corresponding secret keys. diff --git a/bip-0340/reference.py b/bip-0340/reference.py index 79f957816d..6b1645ccd4 100644 --- a/bip-0340/reference.py +++ b/bip-0340/reference.py @@ -1,6 +1,15 @@ import hashlib import binascii +# Set DEBUG to True to get a detailed debug output including +# intermediate values during key generation, signing, and +# verification. This is implemented via calls to the +# debug_print_vars() function. +# +# If you want to print values on an individual basis, use +# the pretty() function, e.g., print(pretty(foo)). +DEBUG = False + p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 @@ -24,13 +33,13 @@ def y(P): return P[1] def point_add(P1, P2): - if (P1 is None): + if P1 is None: return P2 - if (P2 is None): + if P2 is None: return P1 - if (x(P1) == x(P2) and y(P1) != y(P2)): + if (x(P1) == x(P2)) and (y(P1) != y(P2)): return None - if (P1 == P2): + if P1 == P2: lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p else: lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p @@ -40,7 +49,7 @@ def point_add(P1, P2): def point_mul(P, n): R = None for i in range(256): - if ((n >> i) & 1): + if (n >> i) & 1: R = point_add(R, P) P = point_add(P, P) return R @@ -62,14 +71,14 @@ def lift_x_square_y(b): y = pow(y_sq, (p + 1) // 4, p) if pow(y, 2, p) != y_sq: return None - return [x, y] + return (x, y) def lift_x_even_y(b): P = lift_x_square_y(b) if P is None: return None else: - return [x(P), y(P) if y(P) % 2 == 0 else p - y(P)] + return (x(P), y(P) if y(P) % 2 == 0 else p - y(P)) def int_from_bytes(b): return int.from_bytes(b, byteorder="big") @@ -81,38 +90,39 @@ def is_square(x): return pow(x, (p - 1) // 2, p) == 1 def has_square_y(P): - return not is_infinity(P) and is_square(y(P)) + return (not is_infinity(P)) and is_square(y(P)) def has_even_y(P): return y(P) % 2 == 0 def pubkey_gen(seckey): - x = int_from_bytes(seckey) - if not (1 <= x <= n - 1): + d0 = int_from_bytes(seckey) + if not (1 <= d0 <= n - 1): raise ValueError('The secret key must be an integer in the range 1..n-1.') - P = point_mul(G, x) + P = point_mul(G, d0) return bytes_from_point(P) -def schnorr_sign(msg, seckey0, aux_rand): +def schnorr_sign(msg, seckey, aux_rand): if len(msg) != 32: raise ValueError('The message must be a 32-byte array.') - seckey0 = int_from_bytes(seckey0) - if not (1 <= seckey0 <= n - 1): + d0 = int_from_bytes(seckey) + if not (1 <= d0 <= n - 1): raise ValueError('The secret key must be an integer in the range 1..n-1.') if len(aux_rand) != 32: raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand)) - P = point_mul(G, seckey0) - seckey = seckey0 if has_even_y(P) else n - seckey0 - t = xor_bytes(bytes_from_int(seckey), tagged_hash("BIP340/aux", aux_rand)) + P = point_mul(G, d0) + d = d0 if has_even_y(P) else n - d0 + t = xor_bytes(bytes_from_int(d), tagged_hash("BIP340/aux", aux_rand)) k0 = int_from_bytes(tagged_hash("BIP340/nonce", t + bytes_from_point(P) + msg)) % n if k0 == 0: raise RuntimeError('Failure. This happens only with negligible probability.') R = point_mul(G, k0) k = n - k0 if not has_square_y(R) else k0 e = int_from_bytes(tagged_hash("BIP340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n - sig = bytes_from_point(R) + bytes_from_int((k + e * seckey) % n) + sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n) + debug_print_vars() if not schnorr_verify(msg, bytes_from_point(P), sig): - raise RuntimeError('The signature does not pass verification.') + raise RuntimeError('The created signature does not pass verification.') return sig def schnorr_verify(msg, pubkey, sig): @@ -123,26 +133,29 @@ def schnorr_verify(msg, pubkey, sig): if len(sig) != 64: raise ValueError('The signature must be a 64-byte array.') P = lift_x_even_y(pubkey) - if (P is None): - return False r = int_from_bytes(sig[0:32]) s = int_from_bytes(sig[32:64]) - if (r >= p or s >= n): + if (P is None) or (r >= p) or (s >= n): + debug_print_vars() return False e = int_from_bytes(tagged_hash("BIP340/challenge", sig[0:32] + pubkey + msg)) % n R = point_add(point_mul(G, s), point_mul(P, n - e)) - if R is None or not has_square_y(R) or x(R) != r: + if (R is None) or (not has_square_y(R)) or (x(R) != r): + debug_print_vars() return False + debug_print_vars() return True # # The following code is only used to verify the test vectors. # import csv +import os +import sys def test_vectors(): all_passed = True - with open('test-vectors.csv', newline='') as csvfile: + with open(os.path.join(sys.path[0], 'test-vectors.csv'), newline='') as csvfile: reader = csv.reader(csvfile) reader.__next__() for row in reader: @@ -151,7 +164,7 @@ def test_vectors(): msg = bytes.fromhex(msg) sig = bytes.fromhex(sig) result = result == 'TRUE' - print('\nTest vector #%-3i: ' % int(index)) + print('\nTest vector', ('#' + index).rjust(3, ' ') + ':') if seckey != '': seckey = bytes.fromhex(seckey) pubkey_actual = pubkey_gen(seckey) @@ -160,13 +173,17 @@ def test_vectors(): print(' Expected key:', pubkey.hex().upper()) print(' Actual key:', pubkey_actual.hex().upper()) aux_rand = bytes.fromhex(aux_rand) - sig_actual = schnorr_sign(msg, seckey, aux_rand) - if sig == sig_actual: - print(' * Passed signing test.') - else: - print(' * Failed signing test.') - print(' Expected signature:', sig.hex().upper()) - print(' Actual signature:', sig_actual.hex().upper()) + try: + sig_actual = schnorr_sign(msg, seckey, aux_rand) + if sig == sig_actual: + print(' * Passed signing test.') + else: + print(' * Failed signing test.') + print(' Expected signature:', sig.hex().upper()) + print(' Actual signature:', sig_actual.hex().upper()) + all_passed = False + except RuntimeError as e: + print(' * Signing test raised exception:', e) all_passed = False result_actual = schnorr_verify(msg, pubkey, sig) if result == result_actual: @@ -185,5 +202,26 @@ def test_vectors(): print('Some test vectors failed.') return all_passed +# +# The following code is only used for debugging +# +import inspect + +def pretty(v): + if isinstance(v, bytes): + return '0x' + v.hex() + if isinstance(v, int): + return pretty(bytes_from_int(v)) + if isinstance(v, tuple): + return tuple(map(pretty, v)) + return v + +def debug_print_vars(): + if DEBUG: + frame = inspect.currentframe().f_back + print(' Variables in function ', frame.f_code.co_name, ' at line ', frame.f_lineno, ':', sep='') + for var_name, var_val in frame.f_locals.items(): + print(' ' + var_name.rjust(11, ' '), '==', pretty(var_val)) + if __name__ == '__main__': test_vectors() diff --git a/bip-0340/test-vectors.py b/bip-0340/test-vectors.py index d1a52c823d..9c029ec925 100644 --- a/bip-0340/test-vectors.py +++ b/bip-0340/test-vectors.py @@ -15,7 +15,7 @@ def vector0(): P = point_mul(G, x) assert(y(P) % 2 == 0) - # For historic reasons (pubkey tiebreaker was squareness and not evenness) + # For historical reasons (pubkey tiebreaker was squareness and not evenness) # we should have at least one test vector where the the point reconstructed # from the public key has a square and one where it has a non-square Y # coordinate. In this one Y is non-square.