bip-schnorr 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 726ee90533a30264534d3ba2fff1e967334c56e870a25e778d86688001e6a5e2
-  data.tar.gz: 50b8e0df0e3c5bacb276b5dc77b088e2b59dddf6485c8f62ba95f68f4a4a4e3d
+  metadata.gz: 69bdb0abd7ac947cf22620a9255558c156f33dd9176a4624303aa331e5c47604
+  data.tar.gz: 251e9488c10c854c94ce4335382616c3efbb4b976797c5cecf6bb80925bdfa1a
 SHA512:
-  metadata.gz: 0ac0a2ec193d10e41cba96f1a5071998abf6602a0cf05fc44dc8bdd82853fb392f554857d6632cb1d3c655d7d0155c22efaea20ec0b0d089ee690de4a7443af0
-  data.tar.gz: 8b9023e307606166981b1ac136fb6e84382a0de003175fc67bc6e07624ae997c0554674ad96f5f56782539427d2d1cf441b993b78b9a62f0812881538604dd5a
+  metadata.gz: 11b9401858d45aecac6f26564c31cbb3829233ce9ada0dee75d7456b95d2ec7299522e47691636da7cc54e110b936343b8862afef2184a610ba51f5095df8b4d
+  data.tar.gz: c823d9c89c26494389f53e3502b4a450d6a1dc0a5ad6a4ca5cb39bfdf154e97c893f16b9cbb6ef84bcc3f05ecb87f4edb960b15e8ab69ddaee562aca55aeb263

data/.github/workflows/ruby.yml

@@ -15,21 +15,21 @@ on:
 
 jobs:
   test:
-
     runs-on: ubuntu-latest
+    name: Ruby ${{ matrix.ruby }}
     strategy:
       matrix:
-        ruby-version: ['2.6', '2.7', '3.0']
-
+        ruby:
+          - '2.7.7'
+          - '3.0.5'
+          - '3.1.3'
+          - '3.2.1'
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
-    # change this to (see https://github.com/ruby/setup-ruby#versioning):
-    # uses: ruby/setup-ruby@v1
-      uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
     - name: Run tests
       run: bundle exec rake spec

data/.ruby-version

@@ -1 +1 @@
-ruby-3.0.0
+ruby-3.2.0

data/README.md

@@ -1,4 +1,4 @@
-# bip-schnorrrb [![Build Status](https://travis-ci.org/chaintope/bip-schnorrrb.svg?branch=master)](https://travis-ci.org/chaintope/bip-schnorrrb) [![Gem Version](https://badge.fury.io/rb/bip-schnorr.svg)](https://badge.fury.io/rb/bip-schnorr) [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE) 
+# bip-schnorrrb [![Build Status](https://github.com/chaintope/bip-schnorrrb/actions/workflows/ruby.yml/badge.svg?branch=master)](https://travis-ci.org/chaintope/bip-schnorrrb) [![Gem Version](https://badge.fury.io/rb/bip-schnorr.svg)](https://badge.fury.io/rb/bip-schnorr) [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE) 
 
 This is a Ruby implementation of the Schnorr signature scheme over the elliptic curve. 
 This implementation relies on the [ecdsa gem](https://github.com/DavidEGrayson/ruby_ecdsa) for operate elliptic curves.
@@ -69,11 +69,82 @@ result = Schnorr.valid_sig?(message, public_key, signature)
 sig = Schnorr::Signature.decode(signature) 
 ```
 
+### MuSig2*
+
+This library support MuSig2* as defined [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki).
+
+```ruby
+require 'schnorr'
+
+sk1 = 1 + SecureRandom.random_number(Schnorr::GROUP.order - 1)
+pk1 = (Schnorr::GROUP.generator.to_jacobian * sk1).to_affine.encode
+
+sk2 = 1 + SecureRandom.random_number(Schnorr::GROUP.order - 1)
+pk2 = (Schnorr::GROUP.generator.to_jacobian * sk2).to_affine.encode
+
+pubkeys = [pk1, pk2]
+
+# Key aggregation.
+agg_ctx = Schnorr::MuSig2.aggregate(pubkeys)
+# if you have tweak value.
+agg_ctx = Schnorr::MuSig2.aggregate_with_tweaks(pubkeys, tweaks, modes)
+
+## Aggregated pubkey is
+### Return point:
+agg_ctx.q
+### Return x-only pubkey string
+agg_ctx.x_only_pubkey
+
+msg = SecureRandom.bytes(32)
+
+# Generate secret nonce and public nonce.
+sec_nonce1, pub_nonce1 = Schnorr::MuSig2.gen_nonce(
+        pk: pk1,
+        sk: sk1,  # optional
+        agg_pubkey: agg_ctx.x_only_pubkey,  # optional
+        msg: msg, # optional
+        extra_in: SecureRandom.bytes(4),  # optional
+        rand: SecureRandom.bytes(32)  # optional
+)
+
+## for stateless signer.
+agg_other_nonce = described_class.aggregate_nonce([pub_nonce1])
+pub_nonce2, sig2 = described_class.deterministic_sign(
+        sk2, agg_other_nonce, pubkeys, msg, 
+        tweaks: tweaks, # optional
+        modes: modes, # optional
+        rand: SecureRandom.bytes(32)  # optional
+)
+
+# Nonce aggregation
+agg_nonce = Schnorr::MuSig2.aggregate_nonce([pub_nonce1, pub_nonce2])
+
+# Generate partial signature.
+session_ctx = Schnorr::MuSig2::SessionContext.new(
+        agg_nonce, pubkeys, msg, 
+        tweaks, # optional
+        modes # optional
+)
+sig1 = session_ctx.sign(sec_nonce1, sk1)
+
+# Verify partial signature.
+signer_index = 0
+session_ctx.valid_partial_sig?(sig1, pub_nonce1, signer_index)
+
+# Signature aggregation.
+sig = session_ctx.aggregate_partial_sigs([sig1, sig2])
+
+# Verify signature.
+Schnorr.valid_sig?(msg, agg_ctx.x_only_pubkey, sig.encode)
+```
+
 ## Note
 
 This library changes the following functions of `ecdsa` gem in `lib/schnorr/ec_point_ext.rb`.
 
 * `ECDSA::Point` class has following two instance methods.
-    * `#has_even_y?` check the y-coordinate of this point is an even.
-    * `#encode(only_x = false)` encode this point into a binary string.
-* `ECDSA::Format::PointOctetString#decode` supports decoding only from x coordinate.
+  * `#has_even_y?` check the y-coordinate of this point is an even.
+  * `#encode(only_x = false)` encode this point into a binary string.
+* `ECDSA::Format::PointOctetString#decode`:
+  * supports decoding only from x coordinate.
+  * decode 33 bytes of zeros as infinity points.

data/bip-schnorrrb.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_runtime_dependency "ecdsa", "~> 1.2.0"
+  spec.add_runtime_dependency "ecdsa_ext", "~> 0.5.0"
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake", ">= 12.3.3"

data/lib/schnorr/ec_point_ext.rb

@@ -14,7 +14,11 @@ module ECDSA
       if only_x
         ECDSA::Format::FieldElementOctetString.encode(x, group.field)
       else
-        ECDSA::Format::PointOctetString.encode(self, {compression: true})
+        if infinity?
+          "\x00" * 33
+        else
+          ECDSA::Format::PointOctetString.encode(self, {compression: true})
+        end
       end
     end
 
@@ -34,7 +38,8 @@ module ECDSA
         else
           case string[0].ord
           when 0
-            check_length string, 1
+            check_length string, 33
+            raise DecodeError, 'Unrecognized infinity point.' unless ['00' * 33].pack('H*') == string
             return group.infinity
           when 2
             decode_compressed string, group, 0

data/lib/schnorr/musig2/context/key_agg.rb

@@ -0,0 +1,46 @@
+module Schnorr
+  module MuSig2
+    class KeyAggContext
+      include Schnorr::Util
+
+      attr_reader :q, :gacc, :tacc
+
+      # @param [ECDSA::Point] q Aggregated point.
+      # @param [Integer] gacc
+      # @param [Integer] tacc
+      def initialize(q, gacc, tacc)
+        raise ArgumentError, 'The gacc must be Integer.' unless gacc.is_a?(Integer)
+        raise ArgumentError, 'The tacc must be Integer.' unless tacc.is_a?(Integer)
+        raise ArgumentError, 'The q must be ECDSA::Point.' unless q.is_a?(ECDSA::Point)
+        @q = q
+        @gacc = gacc
+        @tacc = tacc
+      end
+
+      # Get x-only public key.
+      # @return [String] x-only public key(hex format).
+      def x_only_pubkey
+        q.encode(true).unpack1('H*')
+      end
+
+      # Tweaking the aggregate public key
+      # @param [String] tweak 32 bytes tweak value.
+      # @param [Boolean] is_xonly_t Tweak mode.
+      # @return [Schnorr::MuSig2::KeyAggContext] Tweaked context.
+      def apply_tweak(tweak, is_xonly_t)
+        tweak = hex2bin(tweak)
+        raise ArgumentError, 'The tweak must be a 32-bytes.' unless tweak.bytesize == 32
+
+        g = is_xonly_t && !q.has_even_y? ? q.group.order - 1 : 1
+        t = tweak.bti
+
+        raise ArgumentError, 'The tweak must be less than curve order.' if t >= q.group.order
+        new_q = (q.to_jacobian * g + q.group.generator.to_jacobian * t).to_affine
+        raise ArgumentError, 'The result of tweaking cannot be infinity.' if new_q.infinity?
+        new_gacc = (g * gacc) % q.group.order
+        new_tacc = (t + g * tacc) % q.group.order
+        KeyAggContext.new(new_q, new_gacc, new_tacc)
+      end
+    end
+  end
+end

data/lib/schnorr/musig2/context/session.rb

@@ -0,0 +1,124 @@
+module Schnorr
+  module MuSig2
+    class SessionContext
+      include Schnorr::Util
+      attr_reader :agg_nonce, :pubkeys, :tweaks, :modes, :msg, :r, :agg_ctx, :b, :used_secnonces
+
+      # @param [String] agg_nonce
+      # @param [Array(String)] pubkeys An array of public keys.
+      # @param [String] msg A message to be signed.
+      # @param [Array(String)] tweaks An array of tweaks(32 bytes).
+      # @param [Array(Boolean)] modes An array of tweak mode(Boolean).
+      def initialize(agg_nonce, pubkeys, msg, tweaks = [], modes = [])
+        @used_secnonces = []
+        @agg_nonce = hex2bin(agg_nonce)
+        @pubkeys = pubkeys.map do |pubkey|
+          pubkey = hex2bin(pubkey)
+          raise ArgumentError, 'pubkey must be 33 bytes' unless pubkey.bytesize == 33
+          pubkey
+        end
+        @msg = hex2bin(msg)
+        @tweaks = tweaks
+        @modes = modes
+        @modes.each do |mode|
+          raise ArgumentError, 'mode must be Boolean.' unless [TrueClass, FalseClass].include?(mode.class)
+        end
+        @agg_ctx = MuSig2.aggregate_with_tweaks(@pubkeys, @tweaks, @modes)
+        @b = Schnorr.tagged_hash('MuSig/noncecoef', @agg_nonce + agg_ctx.q.encode(true) + @msg).bti
+        begin
+          r1 = string2point(@agg_nonce[0...33]).to_jacobian
+          r2 = string2point(@agg_nonce[33...66]).to_jacobian
+        rescue ECDSA::Format::DecodeError
+          raise ArgumentError, 'Invalid agg_nonce'
+        end
+        r = (r1 + r2 * @b).to_affine
+        @r = r.infinity? ? GROUP.generator : r
+      end
+
+      # Get message digest.
+      # @return [Integer]
+      def e
+        Schnorr.tagged_hash('BIP0340/challenge', r.encode(true) + agg_ctx.q.encode(true) + msg).bti
+      end
+
+      # Create partial signature.
+      # @param [String] nonce The secret nonce.
+      # @param [String] sk The secret key.
+      # @return [String] Partial signature with hex format.
+      def sign(nonce, sk)
+        nonce = hex2bin(nonce)
+        raise ArgumentError, 'Same nonce already used.' if used_secnonces.include?(nonce)
+        sk = hex2bin(sk)
+        k1 = nonce[0...32].bti
+        k2 = nonce[32...64].bti
+        raise ArgumentError, 'first nonce value is out of range.' if k1 <= 0 || GROUP.order <= k1
+        raise ArgumentError, 'second nonce value is out of range.' if k2 <= 0 || GROUP.order <= k2
+        k1 = r.has_even_y? ? k1 : GROUP.order - k1
+        k2 = r.has_even_y? ? k2 : GROUP.order - k2
+        d = sk.bti
+        raise ArgumentError, 'secret key value is out of range.' if d <= 0 || GROUP.order <= d
+        p = (GROUP.generator.to_jacobian * d).to_affine.encode
+        raise ArgumentError, 'Public key does not match nonce_gen argument' unless p == nonce[64...97]
+        a = key_agg_coeff(pubkeys, p)
+        g = agg_ctx.q.has_even_y? ? 1 : GROUP.order - 1
+        d = (g * agg_ctx.gacc * d)  % GROUP.order
+        s = (k1 + b * k2 + e * a * d) % GROUP.order
+        r1 = (GROUP.generator.to_jacobian * k1).to_affine
+        r2 = (GROUP.generator.to_jacobian * k2).to_affine
+        raise ArgumentError, 'R1 can not be infinity.' if r1.infinity?
+        raise ArgumentError, 'R2 can not be infinity.' if r2.infinity?
+        used_secnonces << nonce
+        ECDSA::Format::IntegerOctetString.encode(s, GROUP.byte_length).unpack1('H*')
+      end
+
+      # Verify partial signature.
+      # @param [String] partial_sig The partial signature.
+      # @param [String] pub_nonce A public nonce.
+      # @param [Integer] signer_index The index of signer.
+      # @return [Boolean]
+      def valid_partial_sig?(partial_sig, pub_nonce, signer_index)
+        begin
+          partial_sig = hex2bin(partial_sig)
+          pub_nonce = hex2bin(pub_nonce)
+          s = partial_sig.bti
+          return false if s >= GROUP.order
+          r1 = string2point(pub_nonce[0...33]).to_jacobian
+          r2 = string2point(pub_nonce[33...66]).to_jacobian
+          r_s = (r1 + r2 * b).to_affine
+          r_s = r.has_even_y? ? r_s : r_s.negate
+          pk = string2point(pubkeys[signer_index])
+          a = key_agg_coeff(pubkeys, pubkeys[signer_index])
+          g = agg_ctx.q.has_even_y? ? 1 : GROUP.order - 1
+          g = (g * agg_ctx.gacc) % GROUP.order
+          GROUP.generator.to_jacobian * s == r_s.to_jacobian + pk.to_jacobian * (e * a * g % GROUP.order)
+        rescue ECDSA::Format::DecodeError => e
+          raise ArgumentError, e
+        end
+      end
+
+      # Aggregate partial signatures.
+      # @param [Array] partial_sigs An array of partial signature.
+      # @return [Schnorr::Signature] An aggregated signature.
+      def aggregate_partial_sigs(partial_sigs)
+        s = 0
+        partial_sigs.each do |partial_sig|
+          s_i = hex2bin(partial_sig).bti
+          raise ArgumentError, 'Invalid partial sig.' if s_i >= GROUP.order
+          s = (s + s_i) % GROUP.order
+        end
+        g = agg_ctx.q.has_even_y? ? 1 : GROUP.order - 1
+        s = (s + e * g * agg_ctx.tacc) % GROUP.order
+        Schnorr::Signature.new(r.x, s)
+      end
+
+      private
+
+      def key_agg_coeff(pubkeys, public_key)
+        raise ArgumentError, 'The signer\'s pubkey must be included in the list of pubkeys.' unless pubkeys.include?(public_key)
+        l = MuSig2.hash_keys(pubkeys)
+        pk2 = MuSig2.second_key(pubkeys)
+        public_key == pk2 ? 1 : Schnorr.tagged_hash('KeyAgg coefficient', l + public_key).bti
+      end
+    end
+  end
+end

data/lib/schnorr/musig2.rb

@@ -0,0 +1,207 @@
+require_relative 'musig2/context/key_agg'
+require_relative 'musig2/context/session'
+
+module Schnorr
+  module MuSig2
+    extend Util
+
+    class Error < StandardError
+    end
+
+    module_function
+
+    # Sort the list of public keys in lexicographical order.
+    # @param [Array(String)] pubkeys An array of public keys.
+    # @return [Array(String)] Sorted public keys with hex format.
+    def sort_pubkeys(pubkeys)
+      pubkeys.map{|p| hex_string?(p) ? p : p.unpack1('H*')}.sort
+    end
+
+    # Compute aggregate public key.
+    # @param [Array[String]] pubkeys An array of public keys.
+    # @return [Schnorr::MuSig2::KeyAggContext]
+    def aggregate(pubkeys)
+      pubkeys = pubkeys.map do |p|
+        pubkey = hex2bin(p)
+        raise ArgumentError, "Public key must be 33 bytes." unless pubkey.bytesize == 33
+        pubkey
+      end
+      pk2 = second_key(pubkeys)
+      q = ECDSA::Ext::JacobianPoint.infinity_point(GROUP)
+      l = hash_keys(pubkeys)
+      pubkeys.each do |p|
+        begin
+          point = string2point(p).to_jacobian
+        rescue ECDSA::Format::DecodeError
+          raise ArgumentError, 'Invalid public key.'
+        end
+        coeff = p == pk2 ? 1 : Schnorr.tagged_hash('KeyAgg coefficient', l + p).bti
+        q += point * coeff
+      end
+      KeyAggContext.new(q.to_affine, 1, 0)
+    end
+
+    # Compute aggregate public key with tweaks.
+    # @param [Array[String]] pubkeys An array of public keys.
+    # @param [Array] tweaks An array of tweak.
+    # @param [Array] modes An array of x_only mode.
+    # @return [Schnorr::MuSig2::KeyAggContext]
+    def aggregate_with_tweaks(pubkeys, tweaks, modes)
+      raise ArgumentError, 'tweaks and modes must be same length' unless tweaks.length == modes.length
+      agg_ctx = aggregate(pubkeys)
+      tweaks.each.with_index do |tweak, i|
+        tweak = hex2bin(tweak)
+        raise ArgumentError, 'tweak value must be 32 bytes' unless tweak.bytesize == 32
+        agg_ctx = agg_ctx.apply_tweak(tweak, modes[i])
+      end
+      agg_ctx
+    end
+
+    # Generate nonce.
+    # @param [String] pk The public key (33 bytes).
+    # @param [String] sk (Optional) The secret key string (32 bytes).
+    # @param [String] agg_pubkey (Optional) The aggregated public key (32 bytes).
+    # @param [String] msg (Optional) The message to be signed.
+    # @param [String] extra_in (Optional) The auxiliary input.
+    # @param [String] rand (Optional) A 32-byte array freshly drawn uniformly at random.
+    # @return [Array(String)] The array of sec nonce and pub nonce with hex format.
+    def gen_nonce(pk: , sk: nil, agg_pubkey: nil, msg: nil, extra_in: nil, rand: SecureRandom.bytes(32))
+      rand = hex2bin(rand)
+      raise ArgumentError, 'The rand must be 32 bytes.' unless rand.bytesize == 32
+
+      pk = hex2bin(pk)
+      raise ArgumentError, 'The pk must be 33 bytes.' unless pk.bytesize == 33
+
+      rand = if sk.nil?
+               rand
+             else
+               sk = hex2bin(sk)
+               raise ArgumentError, "The sk must be 32 bytes." unless sk.bytesize == 32
+               gen_aux(sk, rand)
+             end
+      agg_pubkey = if agg_pubkey
+                     agg_pubkey = hex2bin(agg_pubkey)
+                     raise ArgumentError, 'The agg_pubkey must be 33 bytes.' unless agg_pubkey.bytesize == 32
+                     agg_pubkey
+                   else
+                     ''
+                   end
+      msg_prefixed = if msg.nil?
+                       [0].pack('C')
+                     else
+                       msg = hex2bin(msg)
+                       [1, msg.bytesize].pack('CQ>') + msg
+                     end
+      extra_in = extra_in ? hex2bin(extra_in) : ''
+
+      k1 = nonce_hash(rand, pk, agg_pubkey, 0, msg_prefixed, extra_in)
+      k1_i = k1.bti % GROUP.order
+      k2 = nonce_hash(rand, pk, agg_pubkey, 1, msg_prefixed, extra_in)
+      k2_i = k2.bti % GROUP.order
+      raise ArgumentError, 'k1 must not be zero.' if k1_i.zero?
+      raise ArgumentError, 'k2 must not be zero.' if k2_i.zero?
+
+      r1 = (GROUP.generator.to_jacobian * k1_i).to_affine
+      r2 = (GROUP.generator.to_jacobian * k2_i).to_affine
+      pub_nonce = r1.encode + r2.encode
+      sec_nonce = k1 + k2 + pk
+      [sec_nonce.unpack1('H*'), pub_nonce.unpack1('H*')]
+    end
+
+    # Aggregate public nonces.
+    # @param [Array] pub_nonces Array of public nonce. Each public nonce consists 66 bytes.
+    # @return [String] An aggregated public nonce(R1 || R2) with hex format.
+    def aggregate_nonce(pub_nonces)
+      2.times.map do |i|
+        r = GROUP.generator.to_jacobian.infinity_point
+        pub_nonces = pub_nonces.each do |nonce|
+          nonce = hex2bin(nonce)
+          raise ArgumentError, "" unless nonce.bytesize == 66
+          begin
+            p = string2point(nonce[(i * 33)...(i + 1)*33]).to_jacobian
+            raise ArgumentError, 'Public nonce is infinity' if p.infinity?
+          rescue ECDSA::Format::DecodeError
+            raise ArgumentError, "Invalid public nonce."
+          end
+          r += p
+        end
+        r.to_affine.encode.unpack1('H*')
+      end.join
+    end
+
+    # Generate deterministic signature.
+    # @param [String] sk The secret key string (32 bytes).
+    # @param [String] agg_other_nonce Other aggregated nonce.
+    # @param [Array] pubkeys An array of public keys.
+    # @param [String] msg The message to be signed.
+    # @param [Array(String)] tweaks (Optional) An array of tweak value.
+    # @param [Array(Boolean)] modes (Optional) An array of tweak mode.
+    # @param [String] rand (Optional) A 32-byte array freshly drawn uniformly at random.
+    # @return [Array] [public nonce, partial signature]
+    def deterministic_sign(sk, agg_other_nonce, pubkeys, msg, tweaks: [], modes: [], rand: nil)
+      raise ArgumentError, 'The tweaks and modes arrays must have the same length.' unless tweaks.length == modes.length
+      sk = hex2bin(sk)
+      msg = hex2bin(msg)
+      agg_other_nonce = hex2bin(agg_other_nonce)
+      sk_ = rand ? gen_aux(sk, hex2bin(rand)) : sk
+      agg_ctx = aggregate_with_tweaks(pubkeys, tweaks, modes)
+      agg_pk = [agg_ctx.x_only_pubkey].pack("H*")
+      k1 = deterministic_nonce_hash(sk_, agg_other_nonce, agg_pk, msg, 0).bti
+      k2 = deterministic_nonce_hash(sk_, agg_other_nonce, agg_pk, msg, 1).bti
+      r1 = (GROUP.generator.to_jacobian * k1).to_affine
+      r2 = (GROUP.generator.to_jacobian * k2).to_affine
+      raise ArgumentError, 'R1 must not be infinity.' if r1.infinity?
+      raise ArgumentError, 'R2 must not be infinity.' if r2.infinity?
+      pub_nonce = r1.encode + r2.encode
+      pk = (GROUP.generator.to_jacobian * sk.bti).to_affine
+      sec_nonce = ECDSA::Format::IntegerOctetString.encode(k1, GROUP.byte_length) +
+        ECDSA::Format::IntegerOctetString.encode(k2, GROUP.byte_length) + pk.encode
+      agg_nonce = aggregate_nonce([pub_nonce, agg_other_nonce])
+      ctx = SessionContext.new(agg_nonce, pubkeys, msg, tweaks, modes)
+      sig = ctx.sign(sec_nonce, sk)
+      [pub_nonce.unpack1('H*'), sig]
+    end
+
+    def second_key(pubkeys)
+      pubkeys[1..].each do |p|
+        return p unless p == pubkeys[0]
+      end
+      ['00'].pack("H*") * 33
+    end
+
+    # Compute
+    def hash_keys(pubkeys)
+      Schnorr.tagged_hash('KeyAgg list', pubkeys.join)
+    end
+
+    def nonce_hash(rand, pk, agg_pubkey, i, prefixed_msg, extra_in)
+      buf = ''
+      buf << rand
+      buf << [pk.bytesize].pack('C') + pk
+      buf << [agg_pubkey.bytesize].pack('C') + agg_pubkey
+      buf << prefixed_msg
+      buf << [extra_in.bytesize].pack('N') + extra_in
+      buf << [i].pack('C')
+      Schnorr.tagged_hash('MuSig/nonce', buf)
+    end
+    private_class_method :nonce_hash
+
+    def gen_aux(sk, rand)
+      sk.unpack('C*').zip(Schnorr.tagged_hash('MuSig/aux', rand).
+        unpack('C*')).map{|a, b| a ^ b}.pack('C*')
+    end
+    private_class_method :gen_aux
+
+    def deterministic_nonce_hash(sk_, agg_other_nonce, agg_pk, msg, i)
+      buf = ''
+      buf << sk_
+      buf << agg_other_nonce
+      buf << agg_pk
+      buf << [msg.bytesize].pack('Q>')
+      buf << msg
+      buf << [i].pack('C')
+      Schnorr.tagged_hash('MuSig/deterministic/nonce', buf)
+    end
+    private_class_method :deterministic_nonce_hash
+  end
+end

data/lib/schnorr/signature.rb

@@ -22,8 +22,8 @@ module Schnorr
     # @return (Signature) signature instance.
     def self.decode(string)
       raise InvalidSignatureError, 'Invalid schnorr signature length.' unless string.bytesize == 64
-      r = string[0...32].unpack1('H*').to_i(16)
-      s = string[32..-1].unpack1('H*').to_i(16)
+      r = string[0...32].bti
+      s = string[32..-1].bti
       new(r, s)
     end
 
@@ -33,6 +33,12 @@ module Schnorr
       ECDSA::Format::IntegerOctetString.encode(r, 32) + ECDSA::Format::IntegerOctetString.encode(s, 32)
     end
 
+    # Check whether same signature or not.
+    # @return [Boolean]
+    def ==(other)
+      return false unless other.is_a?(Signature)
+      r == other.r && s == other.s
+    end
   end
 
 end

data/lib/schnorr/util.rb

@@ -0,0 +1,28 @@
+module Schnorr
+  module Util
+
+    # Check whether +str+ is hex string or not.
+    # @param [String] str string.
+    # @return [Boolean]
+    def hex_string?(str)
+      return false if str.bytes.any? { |b| b > 127 }
+      return false if str.length % 2 != 0
+      hex_chars = str.chars.to_a
+      hex_chars.all? { |c| c =~ /[0-9a-fA-F]/ }
+    end
+
+    # If +str+ is a hex value, it is converted to binary. Otherwise, it is returned as is.
+    # @param [String] str
+    # @return [String]
+    def hex2bin(str)
+      hex_string?(str) ? [str].pack('H*') : str
+    end
+
+    # Convert +str+ to the point of elliptic curve.
+    # @param [String] str A byte string for point.
+    # @return [ECDSA::Point]
+    def string2point(str)
+      ECDSA::Format::PointOctetString.decode(str, GROUP)
+    end
+  end
+end

data/lib/schnorr/version.rb

@@ -1,3 +1,3 @@
 module Schnorr
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/schnorr.rb

@@ -1,36 +1,43 @@
-require 'ecdsa'
+require 'ecdsa_ext'
 require 'securerandom'
+require_relative 'schnorr/util'
 require_relative 'schnorr/ec_point_ext'
 require_relative 'schnorr/signature'
+require_relative 'schnorr/musig2'
 
 module Schnorr
+  extend Util
   module_function
 
   GROUP = ECDSA::Group::Secp256k1
 
   # Generate schnorr signature.
-  # @param message (String) A message to be signed with binary format.
-  # @param private_key (String) The private key with binary format.
-  # @param aux_rand (String) The auxiliary random data with binary format.
+  # @param [String] message A message to be signed with binary format.
+  # @param [String] private_key The private key(binary format or hex format).
+  # @param [String] aux_rand The auxiliary random data(binary format or hex format).
   # If not specified, random data is not used and the private key is used to calculate the nonce.
-  # @return (Schnorr::Signature)
+  # @return [Schnorr::Signature]
   def sign(message, private_key, aux_rand = nil)
     raise 'The message must be a 32-byte array.' unless message.bytesize == 32
+    private_key = private_key.unpack1('H*') unless hex_string?(private_key)
 
-    d0 = private_key.unpack1('H*').to_i(16)
+    d0 = private_key.to_i(16)
     raise 'private_key must be an integer in the range 1..n-1.' unless 0 < d0 && d0 <= (GROUP.order - 1)
-    raise 'aux_rand must be 32 bytes.' if !aux_rand.nil? && aux_rand.bytesize != 32
+    if aux_rand
+      aux_rand = [aux_rand].pack("H*") if hex_string?(aux_rand)
+      raise 'aux_rand must be 32 bytes.' unless aux_rand.bytesize == 32
+    end
 
-    p = GROUP.new_point(d0)
+    p = (GROUP.generator.to_jacobian * d0).to_affine
     d = p.has_even_y? ? d0 : GROUP.order - d0
 
-    t = aux_rand.nil? ? d : d ^ tagged_hash('BIP0340/aux', aux_rand).unpack1('H*').to_i(16)
+    t = aux_rand.nil? ? d : d ^ tagged_hash('BIP0340/aux', aux_rand).bti
     t = ECDSA::Format::IntegerOctetString.encode(t, GROUP.byte_length)
 
     k0 = ECDSA::Format::IntegerOctetString.decode(tagged_hash('BIP0340/nonce', t + p.encode(true) + message)) % GROUP.order
     raise 'Creation of signature failed. k is zero' if k0.zero?
 
-    r = GROUP.new_point(k0)
+    r = (GROUP.generator.to_jacobian * k0).to_affine
     k = r.has_even_y? ? k0 : GROUP.order - k0
     e = create_challenge(r.x, p, message)
 
@@ -41,10 +48,10 @@ module Schnorr
   end
 
   # Verifies the given {Signature} and returns true if it is valid.
-  # @param message (String) A message to be signed with binary format.
-  # @param public_key (String) The public key with binary format.
-  # @param signature (String) The signature with binary format.
-  # @return (Boolean) whether signature is valid.
+  # @param [String] message A message to be signed with binary format.
+  # @param [String] public_key The public key with binary format.
+  # @param [String] signature The signature with binary format.
+  # @return [Boolean] whether signature is valid.
   def valid_sig?(message, public_key, signature)
     check_sig!(message, public_key, signature)
   rescue InvalidSignatureError, ECDSA::Format::DecodeError
@@ -52,12 +59,15 @@ module Schnorr
   end
 
   # Verifies the given {Signature} and raises an {InvalidSignatureError} if it is invalid.
-  # @param message (String) A message to be signed with binary format.
-  # @param public_key (String) The public key with binary format.
-  # @param signature (String) The signature with binary format.
-  # @return (Boolean)
+  # @param [String] message A message to be signed with binary format.
+  # @param [String] public_key The public key with binary format.
+  # @param [String] signature The signature with binary format.
+  # @return [Boolean]
   def check_sig!(message, public_key, signature)
+    message = hex2bin(message)
+    public_key = hex2bin(public_key)
     raise InvalidSignatureError, 'The message must be a 32-byte array.' unless message.bytesize == 32
+    public_key = [public_key].pack('H*') if hex_string?(public_key)
     raise InvalidSignatureError, 'The public key must be a 32-byte array.' unless public_key.bytesize == 32
 
     sig = Schnorr::Signature.decode(signature)
@@ -70,8 +80,7 @@ module Schnorr
     raise Schnorr::InvalidSignatureError, 'Invalid signature: s is larger than group order.' if sig.s >= GROUP.order
 
     e = create_challenge(sig.r, pubkey, message)
-
-    r = GROUP.new_point(sig.s) + pubkey.multiply_by_scalar(GROUP.order - e)
+    r = (GROUP.generator.to_jacobian * sig.s + pubkey.to_jacobian * (GROUP.order - e)).to_affine
 
     if r.infinity? || !r.has_even_y? || r.x != sig.r
       raise Schnorr::InvalidSignatureError, 'signature verification failed.'
@@ -81,23 +90,33 @@ module Schnorr
   end
 
   # create signature digest.
-  # @param (Integer) x a x coordinate for R.
-  # @param (ECDSA::Point) p a public key.
-  # @return (Integer) digest e.
+  # @param [Integer] x A x coordinate for R.
+  # @param [ECDSA::Point] p A public key.
+  # @return [Integer] digest e.
   def create_challenge(x, p, message)
     r_x = ECDSA::Format::IntegerOctetString.encode(x, GROUP.byte_length)
     (ECDSA.normalize_digest(tagged_hash('BIP0340/challenge', r_x + p.encode(true) + message), GROUP.bit_length)) % GROUP.order
   end
 
   # Generate tagged hash value.
-  # @param (String) tag tag value.
-  # @param (String) msg the message to be hashed.
-  # @return (String) the hash value with binary format.
+  # @param [String] tag tag value.
+  # @param [String] msg the message to be hashed.
+  # @return [String] the hash value with binary format.
   def tagged_hash(tag, msg)
     tag_hash = Digest::SHA256.digest(tag)
     Digest::SHA256.digest(tag_hash + tag_hash + msg)
   end
 
+  class ::String
+
+    # Convert binary to integer.
+    # @return [Integer]
+    def bti
+      self.unpack1('H*').to_i(16)
+    end
+
+  end
+
   class ::Integer
     def to_hex
       hex = to_s(16)

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bip-schnorr
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-06-29 00:00:00.000000000 Z
+date: 2023-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: ecdsa
+  name: ecdsa_ext
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 0.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 0.5.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -88,7 +88,11 @@ files:
 - bip-schnorrrb.gemspec
 - lib/schnorr.rb
 - lib/schnorr/ec_point_ext.rb
+- lib/schnorr/musig2.rb
+- lib/schnorr/musig2/context/key_agg.rb
+- lib/schnorr/musig2/context/session.rb
 - lib/schnorr/signature.rb
+- lib/schnorr/util.rb
 - lib/schnorr/version.rb
 homepage: https://github.com/chaintope/bip-schnorrrb
 licenses:
@@ -109,7 +113,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.4.1
 signing_key: 
 specification_version: 4
 summary: The ruby implementation of bip-schnorr.