schnorr 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27c028f23478e028b813e4bf12bbb1bd6b9f92b75d758554c71e298b0f3a9077
-  data.tar.gz: 2943cdc9afc73fecc8804b6c498ef0f55a850a63b71422ecf716c0d3b496e164
+  metadata.gz: 552fd9baac0e3e4242003e0844c1e5d08dc69f46bf6b605f59293f9793c2c8a1
+  data.tar.gz: 4de25e1831dc171450435256e4e15f5734bfa8da522c57b5ffb90c9d0f1c32f9
 SHA512:
-  metadata.gz: 94e5c230cbda7f0fa66a30da0f3a62d2950aaf42b34e2c0d24980f65616d0c31b5b289eac48eaf717fd3052d3ea57d8664d373bec16298c36611c38d51162804
-  data.tar.gz: f83ad1edee227ee190495ae58743dc461ca1e0753925ad3c01fe6d68ab92bf02b8e4d00c3043fdb1eb2f2bd568791e0f80b3615d478c6c99f66565a72090eddf
+  metadata.gz: dcff61f96ee167a43e31fa71b196c118ae8471c949271282c8d0f7b7bee3cc0ce94323d24e70c43619fdd3571f0084e652c1d251e0c07c59deccf63155757085
+  data.tar.gz: 891acabe7a536901ae0209798df11a6f3031dc90e534446ac8982a225ce1ce21c1d011d4e4378942af7cd52c11962082690c4bd51830d604fb0ff31d1a057391

data/.travis.yml

@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 2.6.2
   - 2.5.5
+  - 2.4.5
 
 bundler_args: --jobs=2
 

data/README.md

@@ -98,9 +98,61 @@ Schnorr.valid_sig?(message, public_key, signature, group: ECDSA::Group::xxx)
 
 Note: But this library has only been tested with `secp256k1`. So another curve are not tested.
 
+### MuSig
+
+The MuSig signature scheme is based on the implementation of the 
+[secp256k1-zkp](https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md) 
+and [bip-schnorr](https://github.com/guggero/bip-schnorr).
+
+Note: In this scheme, this library only supports secp256k1 curve.
+
+```ruby
+require 'schnorr'
+
+# Key generation
+## First, MuSig participants must compute combined public key.
+
+combined_pubkey = Schnorr::MuSig.pubkey_combine(pubkeys) # pubkeys is an array of public key with binary format.
+
+## combined_pubkey is the point which added the point which performed the following multiplication to each participant's public key.
+## SHA256(TAG || TAG || ell || pubkey index) * Participant's Pubkey Point
+## ell is calculated by SHA256(pubkey1 + pubkey2 + .... pubkeyn) 
+
+ell = Schnorr::MuSig.compute_ell(pubkeys)
+
+# Signing participant
+
+## the signer create new session
+session = Schnorr::MuSig.session_initialize(nil, private_key, message, combined_pubkey, ell, index) # index = 0
+
+## each participant use same session id
+session_id = session.id
+
+## each participant create own session.
+session = Schnorr::MuSig.session_initialize(session_id, private_key, message, combined_pubkey, ell, index)
+
+## participant send his nonce and collect other participant's nonce.
+session.nonce
+
+other_nonces = [...]
+
+## If collect all participant's nonce, then calculate combined nonce.
+## In this method, if jacobi(y(combined_point)) != 1, 
+## combined_point changed to combined_point.negate and session#nonce_negate changed to true.
+combined_nonce = session.nonce_combine(other_nonces)
+
+## each participants create partial signature
+partial_sig = session.partial_sign(message, combined_nonce, combined_pubkey)
+
+## Aggregate signature.
+signature = Schnorr::MuSig.partial_sig_combine(combined_nonce, signatures)
+ 
+## Verify. If signature is valid, following method will return true.
+Schnorr.valid_sig?(message, combined_pubkey, signature.encode) 
+```
+
 ## TODO
 
 The following is unimplemented now.
 
-* batch verification.
-* MuSig
+* (t, n) threshold signature.

data/lib/schnorr.rb

@@ -1,6 +1,7 @@
 require 'ecdsa'
 require 'securerandom'
 require_relative 'schnorr/signature'
+require_relative 'schnorr/mu_sig'
 
 module Schnorr
 
@@ -115,6 +116,31 @@ module Schnorr
     field.mod(ECDSA.normalize_digest(Digest::SHA256.digest(r + public_key + message), group.bit_length))
   end
 
-  private_class_method :create_challenge
+  class ::Integer
+
+    def to_hex
+      hex = to_s(16)
+      hex.rjust((hex.length / 2.0).ceil * 2, '0')
+    end
+
+    def method_missing(method, *args)
+      return mod_pow(args[0], args[1]) if method == :pow && args.length < 3
+      super
+    end
+
+    # alternative implementation of Integer#pow for ruby 2.4 and earlier.
+    def mod_pow(x, y)
+      return self ** x unless y
+      b = self
+      result = 1
+      while x > 0
+        result = (result * b) % y if (x & 1) == 1
+        x >>= 1
+        b = (b * b) % y
+      end
+      result
+    end
+
+  end
 
 end

data/lib/schnorr/mu_sig.rb

@@ -0,0 +1,84 @@
+require_relative 'mu_sig/session'
+
+module Schnorr
+
+  # https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md
+  module MuSig
+
+    # SHA256("MuSig coefficient")
+    TAG = ['74894a2bec01af68225002cae9b0430ab63151ede5d31f641791976c7140b57b'].pack('H*')
+
+    module_function
+
+    # Computes ell = SHA256(pk[0], ..., pk[np-1])
+    # @param public_keys (Array[String]) The set of public keys with binary format.
+    # @return (String) ell
+    def compute_ell(public_keys)
+      Digest::SHA256.digest(public_keys.join)
+    end
+
+    # Combine public keys.
+    # @param public_keys (Array[String]) The set of public keys with binary format.
+    # @return (String) a combined public key point with binary format.
+    def pubkey_combine(public_keys, ell: nil)
+      ell = compute_ell(public_keys) unless ell
+      points = public_keys.map.with_index do |p, idx|
+        xi = ECDSA::Format::PointOctetString.decode(p, ECDSA::Group::Secp256k1)
+        xi.multiply_by_scalar(coefficient(ell, idx))
+      end
+      sum = points.inject(:+)
+      ECDSA::Format::PointOctetString.encode(sum, compression: true)
+    end
+
+    # Computes MuSig coefficient SHA256(TAG || TAG || ++ell++ || ++idx++).
+    # @param ell (String) a ell with binary format.
+    # @param idx (Integer) an index of public key.
+    # @return (Integer) coefficient value.
+    def coefficient(ell, idx)
+      field = ECDSA::PrimeField.new(ECDSA::Group::Secp256k1.order)
+      field.mod(Digest::SHA256.digest(TAG + TAG + ell + [idx].pack('I*')).unpack('H*').first.to_i(16))
+    end
+
+    # Initialize session to signer starts the session.
+    # @param session_id (String) if ++session_id++ is nil, generate new one.
+    # @param private_key (Integer) a private key.
+    # @param message (String) a message for sign with binary format.
+    # @param combined_pubkey (String) combined public key with binary format.
+    # @param ell (String) ell with binary format.
+    # @param index (Integer) public key index.
+    # @return (Schnorr::MuSig::Session) session object.
+    def session_initialize(session_id, private_key, message, combined_pubkey, ell, index)
+      raise ArgumentError, 'session_id must be 32 bytes.' if session_id && session_id.bytesize != 32
+      raise ArgumentError, 'message must be 32 bytes.' unless message.bytesize == 32
+      raise ArgumentError, 'combined_pubkey must be 33 bytes.' unless combined_pubkey.bytesize == 33
+      raise ArgumentError, 'ell must be 32 bytes.' unless ell.bytesize == 32
+      secret = ECDSA::Format::IntegerOctetString.encode(private_key, ECDSA::Group::Secp256k1.byte_length)
+
+      field = ECDSA::PrimeField.new(ECDSA::Group::Secp256k1.order)
+      session = Schnorr::MuSig::Session.new(session_id)
+      coefficient = coefficient(ell, index)
+      session.secret_key = field.mod(private_key * coefficient)
+      session.secret_nonce = Digest::SHA256.digest(session.id + message + combined_pubkey + secret).unpack('H*').first.to_i(16)
+      raise ArgumentError, 'secret nonce must be an integer in the ragen 1..n-1' unless field.include?(session.secret_nonce)
+      point_r = ECDSA::Group::Secp256k1.new_point(session.secret_nonce)
+      session.nonce = ECDSA::Format::PointOctetString.encode(point_r, compression: true)
+      session.commitment = Digest::SHA256.digest(session.nonce)
+      session
+    end
+
+    # Combine the partial signatures to obtain a complete signature.
+    # @param combined_nonce (Array)
+    # @param signatures (Array) co-signer's signature.
+    # @return (Schnorr::Signature) a combined signature.
+    def partial_sig_combine(combined_nonce, signatures)
+      point_r = ECDSA::Format::PointOctetString.decode(combined_nonce, ECDSA::Group::Secp256k1)
+      field = ECDSA::PrimeField.new(ECDSA::Group::Secp256k1.order)
+      signature = signatures.inject{|sum, s|field.mod(sum + s)}
+      Schnorr::Signature.new(point_r.x, signature)
+    end
+
+    private_class_method :coefficient
+
+  end
+
+end

data/lib/schnorr/mu_sig/session.rb

@@ -0,0 +1,51 @@
+module Schnorr
+  module MuSig
+    class Session
+
+      attr_reader :id               # binary
+      attr_accessor :secret_key     # Integer
+      attr_accessor :secret_nonce   # Integer
+      attr_accessor :nonce          # binary
+      attr_accessor :commitment     # binary
+      attr_accessor :nonce_negate   # Boolean
+
+      def initialize(session_id = SecureRandom.random_bytes(32))
+        @id = session_id
+        @nonce_negate = false
+      end
+
+      def nonce_negate?
+        @nonce_negate
+      end
+
+      # Combine nonce
+      # @param nonces (Array[String]) an array of other signer's nonce with binary format.
+      # @return (String) combined nonce with binary format.
+      def nonce_combine(nonces)
+        points = ([nonce]+ nonces).map.with_index {|n, index|ECDSA::Format::PointOctetString.decode(n, ECDSA::Group::Secp256k1)}
+        r_point = points.inject(:+)
+        unless ECDSA::PrimeField.jacobi(r_point.y, ECDSA::Group::Secp256k1.field.prime) == 1
+          self.nonce_negate = true
+          r_point = r_point.negate
+        end
+        ECDSA::Format::PointOctetString.encode(r_point, compression: true)
+      end
+
+      # Compute partial signature.
+      # @param message (String) a message for signature with binary format.
+      # @param combined_nonce (String) combined nonce with binary format.
+      # @param combined_pubkey (String) combined public key with binary format.
+      # @return (Integer) a partial signature.
+      def partial_sign(message, combined_nonce, combined_pubkey)
+        field = ECDSA::PrimeField.new(ECDSA::Group::Secp256k1.order)
+        point_r = ECDSA::Format::PointOctetString.decode(combined_nonce, ECDSA::Group::Secp256k1)
+        point_p = ECDSA::Format::PointOctetString.decode(combined_pubkey, ECDSA::Group::Secp256k1)
+        e = Schnorr.create_challenge(point_r.x, point_p, message, field, point_r.group)
+        k = secret_nonce
+        k = 0 - k if nonce_negate?
+        field.mod(secret_key * e + k)
+      end
+
+    end
+  end
+end

data/lib/schnorr/version.rb

@@ -1,3 +1,3 @@
 module Schnorr
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: schnorr
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2019-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ecdsa
@@ -86,6 +86,8 @@ files:
 - bin/console
 - bin/setup
 - lib/schnorr.rb
+- lib/schnorr/mu_sig.rb
+- lib/schnorr/mu_sig/session.rb
 - lib/schnorr/signature.rb
 - lib/schnorr/version.rb
 - schnorrrb.gemspec
@@ -108,8 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: The ruby implementation of Schnorr signature.