bip-schnorr 0.1.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c22da99e3fed7eea60436b7007532b752066996c9f2dd87f1f71028d7eaec357
-  data.tar.gz: 87bf98d7796bb6a31aad59e12914dd2f67584b852d45a7561e505061b3876284
+  metadata.gz: 726ee90533a30264534d3ba2fff1e967334c56e870a25e778d86688001e6a5e2
+  data.tar.gz: 50b8e0df0e3c5bacb276b5dc77b088e2b59dddf6485c8f62ba95f68f4a4a4e3d
 SHA512:
-  metadata.gz: aa3263695c27d8453971bb881c19f5b05c5d69bea52770823de956fc5cfe8d65fdd5393790fbd282eb8a78a13f56fbde3046f0222d9bbfefc668fedb099d150d
-  data.tar.gz: f828993f5d2c149aebc61dbd51c3569bf3ba97fe71aaab5e5aafbf1c7742d880e55b2db6dfa698e7dae521c50eea5d43c7ace1eb1e750b389ab11e8c2a0d9991
+  metadata.gz: 0ac0a2ec193d10e41cba96f1a5071998abf6602a0cf05fc44dc8bdd82853fb392f554857d6632cb1d3c655d7d0155c22efaea20ec0b0d089ee690de4a7443af0
+  data.tar.gz: 8b9023e307606166981b1ac136fb6e84382a0de003175fc67bc6e07624ae997c0554674ad96f5f56782539427d2d1cf441b993b78b9a62f0812881538604dd5a

data/.github/workflows/ruby.yml

@@ -0,0 +1,35 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6', '2.7', '3.0']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+    # change this to (see https://github.com/ruby/setup-ruby#versioning):
+    # uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake spec

data/.ruby-version

@@ -1 +1 @@
-2.7.0
+ruby-3.0.0

data/README.md

@@ -3,7 +3,7 @@
 This is a Ruby implementation of the Schnorr signature scheme over the elliptic curve. 
 This implementation relies on the [ecdsa gem](https://github.com/DavidEGrayson/ruby_ecdsa) for operate elliptic curves.
 
-The code is based upon the initial proposal of Pieter Wuille's [bip-schnorr](https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki).
+The code is based upon the [BIP340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 
 ## Installation
 
@@ -23,17 +23,20 @@ Or install it yourself as:
 
 ## Usage
 
-### Singing
+### Signing
 
 ```ruby
 require 'schnorr'
 
-private_key = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF
+private_key = ['B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF'].pack("H*")
 
 message = ['5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C'].pack('H*')
 
 # create signature
 signature = Schnorr.sign(message, private_key)
+# if use auxiliary random data, specify it to the 3rd arguments.
+aux_rand = SecureRandom.bytes(32) # aux_rand must be a 32-byte binary.
+signature = Schnorr.sign(message, private_key, aux_rand)
 
 # signature r value
 signature.r 
@@ -55,9 +58,9 @@ require 'schnorr'
 # public key does not start with 02 or 03.
 public_key = ['DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659'].pack('H*')
 
-signature = ['e7758e20e67a0607433cf8a1f0383a02c7b56792aab71763173ab7085cab8768082aae167787bc3572d15176dc26c073d9b03726aed0b59c728aa6538dc03d57'].pack('H*')
+signature = ['6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A'].pack('H*')
 
-message = ['5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C'].pack('H*')
+message = ['243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89'].pack('H*')
 
 # verify signature.(result is true or false)
 result = Schnorr.valid_sig?(message, public_key, signature) 
@@ -71,6 +74,6 @@ sig = Schnorr::Signature.decode(signature)
 This library changes the following functions of `ecdsa` gem in `lib/schnorr/ec_point_ext.rb`.
 
 * `ECDSA::Point` class has following two instance methods.
-    * `#has_square_y?` check this point does not infinity and square?(y coordinate)
-    * `#square?(x)` check whether `x` is a quadratic residue modulo p.
-* `ECDSA::Format::PointOctetString#decode` supports decoding only from x coordinate.
+    * `#has_even_y?` check the y-coordinate of this point is an even.
+    * `#encode(only_x = false)` encode this point into a binary string.
+* `ECDSA::Format::PointOctetString#decode` supports decoding only from x coordinate.

data/bip-schnorrrb.gemspec

@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "ecdsa", "~> 1.2.0"
 
   spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

data/lib/schnorr.rb

@@ -4,32 +4,40 @@ require_relative 'schnorr/ec_point_ext'
 require_relative 'schnorr/signature'
 
 module Schnorr
-
   module_function
 
   GROUP = ECDSA::Group::Secp256k1
 
   # Generate schnorr signature.
   # @param message (String) A message to be signed with binary format.
-  # @param private_key (Integer) The private key.
-  # (The number of times to add the generator point to itself to get the public key.)
+  # @param private_key (String) The private key with binary format.
+  # @param aux_rand (String) The auxiliary random data with binary format.
+  # If not specified, random data is not used and the private key is used to calculate the nonce.
   # @return (Schnorr::Signature)
-  def sign(message, private_key)
+  def sign(message, private_key, aux_rand = nil)
     raise 'The message must be a 32-byte array.' unless message.bytesize == 32
-    p = GROUP.new_point(private_key)
-    seckey = p.has_square_y? ? private_key : GROUP.order - private_key
-    secret = ECDSA::Format::IntegerOctetString.encode(seckey, GROUP.byte_length)
 
-    k0 = ECDSA::Format::IntegerOctetString.decode(tagged_hash('BIPSchnorrDerive', secret + message)) % GROUP.order
+    d0 = private_key.unpack1('H*').to_i(16)
+    raise 'private_key must be an integer in the range 1..n-1.' unless 0 < d0 && d0 <= (GROUP.order - 1)
+    raise 'aux_rand must be 32 bytes.' if !aux_rand.nil? && aux_rand.bytesize != 32
+
+    p = GROUP.new_point(d0)
+    d = p.has_even_y? ? d0 : GROUP.order - d0
+
+    t = aux_rand.nil? ? d : d ^ tagged_hash('BIP0340/aux', aux_rand).unpack1('H*').to_i(16)
+    t = ECDSA::Format::IntegerOctetString.encode(t, GROUP.byte_length)
+
+    k0 = ECDSA::Format::IntegerOctetString.decode(tagged_hash('BIP0340/nonce', t + p.encode(true) + message)) % GROUP.order
     raise 'Creation of signature failed. k is zero' if k0.zero?
 
     r = GROUP.new_point(k0)
+    k = r.has_even_y? ? k0 : GROUP.order - k0
+    e = create_challenge(r.x, p, message)
 
-    k = r.has_square_y? ? k0 : GROUP.order - k0
-
-    e = create_challenge(r.x, p, message, GROUP)
+    sig = Schnorr::Signature.new(r.x, (k + e * d) % GROUP.order)
+    raise 'The created signature does not pass verification.' unless valid_sig?(message, p.encode(true), sig.encode)
 
-    Schnorr::Signature.new(r.x, (k + e * seckey) % GROUP.order)
+    sig
   end
 
   # Verifies the given {Signature} and returns true if it is valid.
@@ -49,22 +57,23 @@ module Schnorr
   # @param signature (String) The signature with binary format.
   # @return (Boolean)
   def check_sig!(message, public_key, signature)
+    raise InvalidSignatureError, 'The message must be a 32-byte array.' unless message.bytesize == 32
+    raise InvalidSignatureError, 'The public key must be a 32-byte array.' unless public_key.bytesize == 32
+
     sig = Schnorr::Signature.decode(signature)
-    pubkey = ECDSA::Format::PointOctetString.decode(public_key, GROUP)
+    pubkey = ECDSA::Format::PointOctetString.decode_from_x(public_key, GROUP)
     field = GROUP.field
 
-    raise Schnorr::InvalidSignatureError, 'Invalid signature: r is not in the field.' unless field.include?(sig.r)
-    raise Schnorr::InvalidSignatureError, 'Invalid signature: s is not in the field.' unless field.include?(sig.s)
     raise Schnorr::InvalidSignatureError, 'Invalid signature: r is zero.' if sig.r.zero?
     raise Schnorr::InvalidSignatureError, 'Invalid signature: s is zero.' if sig.s.zero?
     raise Schnorr::InvalidSignatureError, 'Invalid signature: r is larger than field size.' if sig.r >= field.prime
     raise Schnorr::InvalidSignatureError, 'Invalid signature: s is larger than group order.' if sig.s >= GROUP.order
 
-    e = create_challenge(sig.r, pubkey, message, GROUP)
+    e = create_challenge(sig.r, pubkey, message)
 
     r = GROUP.new_point(sig.s) + pubkey.multiply_by_scalar(GROUP.order - e)
 
-    if r.infinity? || !r.has_square_y? || r.x != sig.r
+    if r.infinity? || !r.has_even_y? || r.x != sig.r
       raise Schnorr::InvalidSignatureError, 'signature verification failed.'
     end
 
@@ -74,22 +83,22 @@ module Schnorr
   # create signature digest.
   # @param (Integer) x a x coordinate for R.
   # @param (ECDSA::Point) p a public key.
-  # @param (ECDSA::Group) group the group of elliptic curve.
   # @return (Integer) digest e.
-  def create_challenge(x, p, message, group)
-    r_x = ECDSA::Format::IntegerOctetString.encode(x, group.byte_length)
-    p_x = ECDSA::Format::IntegerOctetString.encode(p.x, group.byte_length)
-    (ECDSA.normalize_digest(tagged_hash('BIPSchnorr', r_x + p_x + message), group.bit_length)) % group.order
+  def create_challenge(x, p, message)
+    r_x = ECDSA::Format::IntegerOctetString.encode(x, GROUP.byte_length)
+    (ECDSA.normalize_digest(tagged_hash('BIP0340/challenge', r_x + p.encode(true) + message), GROUP.bit_length)) % GROUP.order
   end
 
   # Generate tagged hash value.
+  # @param (String) tag tag value.
+  # @param (String) msg the message to be hashed.
+  # @return (String) the hash value with binary format.
   def tagged_hash(tag, msg)
     tag_hash = Digest::SHA256.digest(tag)
     Digest::SHA256.digest(tag_hash + tag_hash + msg)
   end
 
   class ::Integer
-
     def to_hex
       hex = to_s(16)
       hex.rjust((hex.length / 2.0).ceil * 2, '0')
@@ -102,7 +111,8 @@ module Schnorr
 
     # alternative implementation of Integer#pow for ruby 2.4 and earlier.
     def mod_pow(x, y)
-      return self ** x unless y
+      return self**x unless y
+
       b = self
       result = 1
       while x > 0
@@ -112,7 +122,5 @@ module Schnorr
       end
       result
     end
-
   end
-
 end

data/lib/schnorr/ec_point_ext.rb

@@ -2,17 +2,20 @@
 module ECDSA
   class Point
 
-    # Check this point does not infinity and square?(y coordinate)
-    # @return (Boolean)
-    def has_square_y?
-      !infinity? && square?(y)
+    # Check the y-coordinate of this point is an even.
+    # @return (Boolean) if even, return true.
+    def has_even_y?
+      y.even?
     end
 
-    # Check whether +x+ is a quadratic residue modulo p.
-    # @param x (Integer)
-    # @return (Boolean)
-    def square?(x)
-      x.pow((group.field.prime - 1) / 2, group.field.prime) == 1
+    # Encode this point into a binary string.
+    # @param (Boolean) only_x whether or not to encode only X-coordinate. default is false.
+    def encode(only_x = false)
+      if only_x
+        ECDSA::Format::FieldElementOctetString.encode(x, group.field)
+      else
+        ECDSA::Format::PointOctetString.encode(self, {compression: true})
+      end
     end
 
   end
@@ -26,29 +29,35 @@ module ECDSA
 
         raise DecodeError, 'Point octet string is empty.' if string.empty?
 
-        case string[0].ord
-        when 0
-          check_length string, 1
-          return group.infinity
-        when 2
-          decode_compressed string, group, 0
-        when 3
-          decode_compressed string, group, 1
-        when 4
-          decode_uncompressed string, group
+        if string.bytesize == 32
+          decode_from_x(string, group)
         else
-          return decode_from_x(string, group) if string.bytesize == 32
-          raise DecodeError, 'Unrecognized start byte for point octet string: 0x%x' % string[0].ord
+          case string[0].ord
+          when 0
+            check_length string, 1
+            return group.infinity
+          when 2
+            decode_compressed string, group, 0
+          when 3
+            decode_compressed string, group, 1
+          when 4
+            decode_uncompressed string, group
+          else
+            raise DecodeError, 'Unrecognized start byte for point octet string: 0x%x' % string[0].ord
+          end
         end
       end
 
       # decode from x coordinate.
+      # @param (String) x_string X-coordinate binary string
+      # @param (ECDSA::Group) group A group of elliptic curves to use.
+      # @return (ECDSA::Point) decoded point.
       def self.decode_from_x(x_string, group)
         x = ECDSA::Format::FieldElementOctetString.decode(x_string, group.field)
         y_sq = group.field.mod(x.pow(3, group.field.prime) + 7)
         y = y_sq.pow((group.field.prime + 1)/4, group.field.prime)
         raise DecodeError, 'Public key not on the curve.' unless y.pow(2, group.field.prime) == y_sq
-        finish_decode(x, y, group)
+        finish_decode(x, y.even? ? y : group.field.prime - y, group)
       end
 
     end

data/lib/schnorr/signature.rb

@@ -22,8 +22,8 @@ module Schnorr
     # @return (Signature) signature instance.
     def self.decode(string)
       raise InvalidSignatureError, 'Invalid schnorr signature length.' unless string.bytesize == 64
-      r = string[0...32].unpack('H*').first.to_i(16)
-      s = string[32..-1].unpack('H*').first.to_i(16)
+      r = string[0...32].unpack1('H*').to_i(16)
+      s = string[32..-1].unpack1('H*').to_i(16)
       new(r, s)
     end
 

data/lib/schnorr/version.rb

@@ -1,3 +1,3 @@
 module Schnorr
-  VERSION = "0.1.0"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bip-schnorr
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.0
 platform: ruby
 authors:
 - azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-22 00:00:00.000000000 Z
+date: 2021-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ecdsa
@@ -42,16 +42,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -73,11 +73,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -109,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
 summary: The ruby implementation of bip-schnorr.

data/.travis.yml

@@ -1,11 +0,0 @@
-language: ruby
-rvm:
-  - 2.7.0
-  - 2.6.3
-  - 2.5.5
-  - 2.4.6
-
-bundler_args: --jobs=2
-
-script:
-  - bundle exec rake spec