schnorr_sig 0.0.0.4 → 0.2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cd55fdf9335f6ea817837d76d3ce130f9752ab7cbf582c822e061dc68574583
-  data.tar.gz: dbc20c45aac2f0d9443d278a93ff6e7ae88cea2fc26b68eaf5226c6dd47979bc
+  metadata.gz: 37ba87126b971e1e74099bbed572cb7e088902db0cba9fdf38ef5de96ab75f69
+  data.tar.gz: 9001aae50944fcf3daf558db01a44c6b5f4ee7e74f729292026c83fe38c1367d
 SHA512:
-  metadata.gz: e180ad80feddacf2ee05dd4a66d8518a53233ac56ba393917bac45e19e5cae25530e87aacdcd330523ce6751e2fb754efc5359571a564db21197d7063bb3e737
-  data.tar.gz: fc67524a97a42b517efff14b7c4bcc21732d8f6e83a353d51220f3e7627aab646edce9e25fd9676f6f7e13bc62eceb3d52062bdbc234a0d640dfe3eba7f78086
+  metadata.gz: a85306c995daa8ce6b30b303e530892a4014f367854dccda5a3f119dc2170087e04fd069d6a8516f30bfe5d1b2e5e351ae495f331b65d1ab920ec767d60f154b
+  data.tar.gz: e7abe94145d870f072924e555e7510e886159aef5119375892ac10243abd08ccf72ff078f545b68b3502a9d09f644f38d5512220796e71b138b24f642813bc78

data/README.md

@@ -14,6 +14,24 @@ and specifications similar to
 [IETF RFCs](https://en.wikipedia.org/wiki/Request_for_Comments).
 BIP340 specifies elliptic curve `secp256k1` for use with Schnorr signatures.
 
+Two separate implementations are provided.
+
+## Ruby Implementation
+
+This is the default implementation: entirely Ruby code within this library,
+with mostly-Ruby dependencies:
+
+* [ecdsa_ext](https://github.com/azuchi/ruby_ecdsa_ext)
+  - [ecdsa](https://github.com/DavidEGrayson/ruby_ecdsa/)
+
+## "Fast" Implementation
+
+This is based on the [rbsecp256k1](https://github.com/etscrivner/rbsecp256k1)
+gem, which is not installed by default.  The gem wraps the
+[secp256k1](https://github.com/bitcoin-core/secp256k1) library from the
+Bitcoin project, which provides battle-tested performance, correctness, and
+security guarantees.
+
 # Usage
 
 This library is provided as a RubyGem.  It has a single dependency on
@@ -77,9 +95,9 @@ require 'schnorr_sig/fast' # not 'schnorr_sig'
 # Elliptic Curves
 
 Note that [elliptic curves](https://en.wikipedia.org/wiki/Elliptic_curve)
-are not ellipses, but can instead be described by cubic equations of
+are not ellipses, but are instead described by cubic equations of
 the form: `y^2 = x^3 + ax + b` where `a` and `b` are the parameters of the
-resulting curve.  All points `(x, y)` which satisfy a given parameterized
+resulting equation.  All points `(x, y)` which satisfy a given parameterized
 equation provide the exact definition of an elliptic curve.
 
 ## Curve `secp256k1`
@@ -104,11 +122,11 @@ Here is one
 }
 ```
 
-* `p` is the prime for the Field, below INTMAX(32) (256^32)
+* `p` is the prime for the Field, below `INTMAX(32)` (256^32)
 * `a` is zero, as above
 * `b` is seven, as above
-* `g` is the generator point: [x, y]
-* `n` is the Group order, significantly below INTMAX(32)
+* `g` is the generator point: `[x, y]`
+* `n` is the Group order, significantly below `INTMAX(32)`
 
 Elliptic curves have algebraic structures called
 [Groups](https://en.wikipedia.org/wiki/Group_\(mathematics\)) and
@@ -224,6 +242,7 @@ required.
 * For any given x-value on the curve, the y-value is easily generated
 * For most curves, there are two different y-values for an x-value
 * We are always dealing with 32-byte integers: **Bignums**
+* Bignum math can be expensive
 * Converting between integer format and 32-byte strings can be expensive
 * The Schnorr algorithm requires lots of `string <--> integer` conversion
 * Hex strings are never used internally

data/VERSION

@@ -1 +1 @@
-0.0.0.4
+0.2.0.1

data/lib/schnorr_sig/fast.rb

@@ -1,5 +1,5 @@
-require 'schnorr_sig/util'
-require 'rbsecp256k1' # gem, C extension
+require 'schnorr_sig/util' # project
+require 'rbsecp256k1'      # gem, C extension
 
 # re-open SchnorrSig to add more functions, errors, and constants
 module SchnorrSig

data/lib/schnorr_sig/pure.rb

@@ -0,0 +1,221 @@
+require 'schnorr_sig/util'             # project
+require 'ecdsa_ext'                    # gem
+autoload :SecureRandom, 'securerandom' # stdlib
+
+# This implementation is based on the BIP340 spec: https://bips.xyz/340
+# re-open SchnorrSig to add more functions, errors, and constants
+module SchnorrSig
+  class Error < RuntimeError; end
+  class BoundsError < Error; end
+  class SanityCheck < Error; end
+  class VerifyFail < Error; end
+  class InfinityPoint < Error; end
+
+  GROUP = ECDSA::Group::Secp256k1
+  P = GROUP.field.prime # smaller than 256**32
+  N = GROUP.order       # smaller than P
+  B = GROUP.byte_length # 32
+
+  # val (dot) G, returns ECDSA::Point
+  def self.dot_group(val)
+    # ecdsa_ext uses jacobian projection: 10x faster than GROUP.generator * val
+    (GROUP.generator.to_jacobian * val).to_affine
+  end
+
+  # returns even_val or N - even_val
+  def self.select_even_y(point, even_val)
+    point.y.even? ? even_val : N - even_val
+  end
+
+  # int(x) function signature matches BIP340, returns a bignum (presumably)
+  class << self
+    alias_method :int, :bin2big
+  end
+
+  # bytes(val) function signature matches BIP340, returns a binary string
+  def self.bytes(val)
+    case val
+    when Integer
+      # BIP340: The function bytes(x), where x is an integer,
+      # returns the 32-byte encoding of x, most significant byte first.
+      big2bin(val)
+    when ECDSA::Point
+      # BIP340: The function bytes(P), where P is a point, returns bytes(x(P)).
+      val.infinity? ? raise(InfinityPoint, va.inspect) : big2bin(val.x)
+    else
+      raise(SanityCheck, val.inspect)
+    end
+  end
+
+  # Input
+  #   The secret key, sk:       32 bytes binary
+  #   The message, m:           binary / UTF-8 / agnostic
+  #   Auxiliary random data, a: 32 bytes binary
+  # Output
+  #   The signature, sig:       64 bytes binary
+  def self.sign(sk, m, a = Random.bytes(B))
+    bytestring!(sk, B) and string!(m) and bytestring!(a, B)
+
+    # BIP340: Let d' = int(sk)
+    # BIP340: Fail if d' = 0 or d' >= n
+    d0 = int(sk)
+    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
+
+    # BIP340: Let P = d' . G
+    p = dot_group(d0) # this is a point on the elliptic curve
+    bytes_p = bytes(p)
+
+    # BIP340: Let d = d' if has_even_y(P), otherwise let d = n - d'
+    d = select_even_y(p, d0)
+
+    # BIP340: Let t be the bytewise xor of bytes(d) and hash[BIP0340/aux](a)
+    t = d ^ int(tagged_hash('BIP0340/aux', a))
+
+    # BIP340: Let rand = hash[BIP0340/nonce](t || bytes(P) || m)
+    nonce = tagged_hash('BIP0340/nonce', bytes(t) + bytes_p + m)
+
+    # BIP340: Let k' = int(rand) mod n
+    # BIP340: Fail if k' = 0
+    k0 = int(nonce) % N
+    raise(BoundsError, "k0") if !k0.positive?
+
+    # BIP340: Let R = k' . G
+    r = dot_group(k0) # this is a point on the elliptic curve
+    bytes_r = bytes(r)
+
+    # BIP340: Let k = k' if has_even_y(R), otherwise let k = n - k'
+    k = select_even_y(r, k0)
+
+    # BIP340:
+    #   Let e = int(hash[BIP0340/challenge](bytes(R) || bytes(P) || m)) mod n
+    e = int(tagged_hash('BIP0340/challenge', bytes_r + bytes_p + m)) % N
+
+    # BIP340: Let sig = bytes(R) || bytes((k + ed) mod n)
+    # BIP340: Fail unless Verify(bytes(P), m, sig)
+    # BIP340: Return the signature sig
+    sig = bytes_r + bytes((k + e * d) % N)
+    raise(VerifyFail) unless verify?(bytes_p, m, sig)
+    sig
+  end
+
+  # see https://bips.xyz/340#design (Tagged hashes)
+  # Input
+  #   A tag:            UTF-8 > binary > agnostic
+  #   The payload, msg: UTF-8 / binary / agnostic
+  # Output
+  #   32 bytes binary
+  def self.tagged_hash(tag, msg)
+    string!(tag) and string!(msg)
+    warn("tag expected to be UTF-8") unless tag.encoding == Encoding::UTF_8
+
+    # BIP340: The function hash[name](x) where x is a byte array
+    #         returns the 32-byte hash
+    #         SHA256(SHA256(tag) || SHA256(tag) || x)
+    #         where tag is the UTF-8 encoding of name.
+    tag_hash = Digest::SHA256.digest(tag)
+    Digest::SHA256.digest(tag_hash + tag_hash + msg)
+  end
+
+  # Input
+  #   The public key, pk: 32 bytes binary
+  #   The message, m:     UTF-8 / binary / agnostic
+  #   A signature, sig:   64 bytes binary
+  # Output
+  #   Boolean
+  def self.verify?(pk, m, sig)
+    bytestring!(pk, B) and string!(m) and bytestring!(sig, B * 2)
+
+    # BIP340: Let P = lift_x(int(pk))
+    p = lift_x(int(pk))
+
+    # BIP340: Let r = int(sig[0:32]) fail if r >= p
+    r = int(sig[0..B-1])
+    raise(BoundsError, "r >= p") if r >= P
+
+    # BIP340: Let s = int(sig[32:64]); fail if s >= n
+    s = int(sig[B..-1])
+    raise(BoundsError, "s >= n") if s >= N
+
+    # BIP340:
+    #   Let e = int(hash[BIP0340/challenge](bytes(r) || bytes(P) || m)) mod n
+    e = bytes(r) + bytes(p) + m
+    e = int(tagged_hash('BIP0340/challenge', e)) % N
+
+    # BIP340: Let R = s . G - e . P
+    # BIP340: Fail if is_infinite(R)
+    # BIP340: Fail if not has_even_y(R)
+    # BIP340: Fail if x(R) != r
+    # BIP340: Return success iff no failure occurred before reaching this point
+    big_r = dot_group(s) + p.multiply_by_scalar(e).negate
+    !big_r.infinity? and big_r.y.even? and big_r.x == r
+  end
+
+  # BIP340: The function lift_x(x), where x is a 256-bit unsigned integer,
+  #         returns the point P for which x(P) = x and has_even_y(P),
+  #         or fails if x is greater than p-1 or no such point exists.
+  # Input
+  #   A large integer, x
+  # Output
+  #   ECDSA::Point
+  def self.lift_x(x)
+    integer!(x)
+
+    # BIP340: Fail if x >= p
+    raise(BoundsError, "x") if x >= P or x <= 0
+
+    # BIP340: Let c = x^3 + 7 mod p
+    c = (x.pow(3, P) + 7) % P
+
+    # BIP340: Let y = c ^ ((p + 1) / 4) mod p
+    y = c.pow((P + 1) / 4, P) # use pow to avoid Bignum overflow
+
+    # BIP340: Fail if c != y^2 mod p
+    raise(SanityCheck, "c != y^2 mod p") if c != y.pow(2, P)
+
+    # BIP340: Return the unique point P such that:
+    #   x(P) = x and y(P) = y    if y mod 2 = 0
+    #   y(P) = p - y             otherwise
+    GROUP.new_point [x, y.even? ? y : P - y]
+  end
+
+  # Input
+  #   The secret key, sk: 32 bytes binary
+  # Output
+  #   32 bytes binary (represents P.x for point P on the curve)
+  def self.pubkey(sk)
+    bytestring!(sk, B)
+
+    # BIP340: Let d' = int(sk)
+    # BIP340: Fail if d' = 0 or d' >= n
+    # BIP340: Return bytes(d' . G)
+    d0 = int(sk)
+    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
+    bytes(dot_group(d0))
+  end
+
+  # generate a new keypair based on random data
+  def self.keypair
+    sk = Random.bytes(B)
+    [sk, pubkey(sk)]
+  end
+
+  # as above, but using SecureRandom
+  def self.secure_keypair
+    sk = SecureRandom.bytes(B)
+    [sk, pubkey(sk)]
+  end
+end
+
+if __FILE__ == $0
+  msg = 'hello world'
+  sk, pk = SchnorrSig.keypair
+  puts "Message: #{msg}"
+  puts "Secret key: #{SchnorrSig.bin2hex(sk)}"
+  puts "Public key: #{SchnorrSig.bin2hex(pk)}"
+
+  sig = SchnorrSig.sign(sk, msg)
+  puts
+  puts "Verified signature: #{SchnorrSig.bin2hex(sig)}"
+  puts "Encoding: #{sig.encoding}"
+  puts "Length: #{sig.length}"
+end

data/lib/schnorr_sig/util.rb

@@ -18,7 +18,7 @@ module SchnorrSig
   def self.bytestring!(str, size)
     string!(str)
     raise(EncodingError, str.encoding) unless str.encoding == Encoding::BINARY
-    str.size == size or raise(SizeError, str.size)
+    str.bytesize == size or raise(SizeError, str.bytesize)
   end
 
   # likely returns a Bignum, larger than a 64-bit hardware integer

data/lib/schnorr_sig.rb

@@ -1,220 +1,5 @@
-require 'schnorr_sig/util'
-require 'ecdsa_ext'                    # gem
-autoload :SecureRandom, 'securerandom' # stdlib
-
-# This implementation is based on the BIP340 spec: https://bips.xyz/340
-# re-open SchnorrSig to add more functions, errors, and constants
-module SchnorrSig
-  class Error < RuntimeError; end
-  class BoundsError < Error; end
-  class SanityCheck < Error; end
-  class VerifyFail < Error; end
-
-  GROUP = ECDSA::Group::Secp256k1
-  P = GROUP.field.prime # smaller than 256**32
-  N = GROUP.order       # smaller than P
-  B = GROUP.byte_length # 32
-
-  # val (dot) G, returns ECDSA::Point
-  def self.dot_group(val)
-    # ecdsa_ext uses jacobian projection: 10x faster than GROUP.generator * val
-    (GROUP.generator.to_jacobian * val).to_affine
-  end
-
-  # returns even_val or N - even_val
-  def self.select_even_y(point, even_val)
-    point.y.even? ? even_val : N - even_val
-  end
-
-  # int(x) function signature matches BIP340, returns a bignum (presumably)
-  class << self
-    alias_method :int, :bin2big
-  end
-
-  # bytes(val) function signature matches BIP340, returns a binary string
-  def self.bytes(val)
-    case val
-    when Integer
-      # BIP340: The function bytes(x), where x is an integer,
-      # returns the 32-byte encoding of x, most significant byte first.
-      big2bin(val)
-    when ECDSA::Point
-      # BIP340: The function bytes(P), where P is a point, returns bytes(x(P)).
-      val.infinity? ? ("\x00" * B).b : big2bin(val.x)
-    else
-      raise(SanityCheck, val.inspect)
-    end
-  end
-
-  # Input
-  #   The secret key, sk:       32 bytes binary
-  #   The message, m:           binary / UTF-8 / agnostic
-  #   Auxiliary random data, a: 32 bytes binary
-  # Output
-  #   The signature, sig:       64 bytes binary
-  def self.sign(sk, m, a = Random.bytes(B))
-    bytestring!(sk, B) and string!(m) and bytestring!(a, B)
-
-    # BIP340: Let d' = int(sk)
-    # BIP340: Fail if d' = 0 or d' >= n
-    d0 = int(sk)
-    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
-
-    # BIP340: Let P = d' . G
-    p = dot_group(d0) # this is a point on the elliptic curve
-    bytes_p = bytes(p)
-
-    # BIP340: Let d = d' if has_even_y(P), otherwise let d = n - d'
-    d = select_even_y(p, d0)
-
-    # BIP340: Let t be the bytewise xor of bytes(d) and hash[BIP0340/aux](a)
-    t = d ^ int(tagged_hash('BIP0340/aux', a))
-
-    # BIP340: Let rand = hash[BIP0340/nonce](t || bytes(P) || m)
-    nonce = tagged_hash('BIP0340/nonce', bytes(t) + bytes_p + m)
-
-    # BIP340: Let k' = int(rand) mod n
-    # BIP340: Fail if k' = 0
-    k0 = int(nonce) % N
-    raise(BoundsError, "k0") if !k0.positive?
-
-    # BIP340: Let R = k' . G
-    r = dot_group(k0) # this is a point on the elliptic curve
-    bytes_r = bytes(r)
-
-    # BIP340: Let k = k' if has_even_y(R), otherwise let k = n - k'
-    k = select_even_y(r, k0)
-
-    # BIP340:
-    #   Let e = int(hash[BIP0340/challenge](bytes(R) || bytes(P) || m)) mod n
-    e = int(tagged_hash('BIP0340/challenge', bytes_r + bytes_p + m)) % N
-
-    # BIP340: Let sig = bytes(R) || bytes((k + ed) mod n)
-    # BIP340: Fail unless Verify(bytes(P), m, sig)
-    # BIP340: Return the signature sig
-    sig = bytes_r + bytes((k + e * d) % N)
-    raise(VerifyFail) unless verify?(bytes_p, m, sig)
-    sig
-  end
-
-  # see https://bips.xyz/340#design (Tagged hashes)
-  # Input
-  #   A tag:            UTF-8 > binary > agnostic
-  #   The payload, msg: UTF-8 / binary / agnostic
-  # Output
-  #   32 bytes binary
-  def self.tagged_hash(tag, msg)
-    string!(tag) and string!(msg)
-    warn("tag expected to be UTF-8") unless tag.encoding == Encoding::UTF_8
-
-    # BIP340: The function hash[name](x) where x is a byte array
-    #         returns the 32-byte hash
-    #         SHA256(SHA256(tag) || SHA256(tag) || x)
-    #         where tag is the UTF-8 encoding of name.
-    tag_hash = Digest::SHA256.digest(tag)
-    Digest::SHA256.digest(tag_hash + tag_hash + msg)
-  end
-
-  # Input
-  #   The public key, pk: 32 bytes binary
-  #   The message, m:     UTF-8 / binary / agnostic
-  #   A signature, sig:   64 bytes binary
-  # Output
-  #   Boolean
-  def self.verify?(pk, m, sig)
-    bytestring!(pk, B) and string!(m) and bytestring!(sig, B * 2)
-
-    # BIP340: Let P = lift_x(int(pk))
-    p = lift_x(int(pk))
-
-    # BIP340: Let r = int(sig[0:32]) fail if r >= p
-    r = int(sig[0..B-1])
-    raise(BoundsError, "r >= p") if r >= P
-
-    # BIP340: Let s = int(sig[32:64]); fail if s >= n
-    s = int(sig[B..-1])
-    raise(BoundsError, "s >= n") if s >= N
-
-    # BIP340:
-    #   Let e = int(hash[BIP0340/challenge](bytes(r) || bytes(P) || m)) mod n
-    e = bytes(r) + bytes(p) + m
-    e = int(tagged_hash('BIP0340/challenge', e)) % N
-
-    # BIP340: Let R = s . G - e . P
-    # BIP340: Fail if is_infinite(R)
-    # BIP340: Fail if not has_even_y(R)
-    # BIP340: Fail if x(R) != r
-    # BIP340: Return success iff no failure occurred before reaching this point
-    big_r = dot_group(s) + p.multiply_by_scalar(e).negate
-    !big_r.infinity? and big_r.y.even? and big_r.x == r
-  end
-
-  # BIP340: The function lift_x(x), where x is a 256-bit unsigned integer,
-  #         returns the point P for which x(P) = x[10] and has_even_y(P),
-  #         or fails if x is greater than p-1 or no such point exists.
-  # Input
-  #   A large integer, x
-  # Output
-  #   ECDSA::Point
-  def self.lift_x(x)
-    integer!(x)
-
-    # BIP340: Fail if x >= p
-    raise(BoundsError, "x") if x >= P or x <= 0
-
-    # BIP340: Let c = x^3 + 7 mod p
-    c = (x.pow(3, P) + 7) % P
-
-    # BIP340: Let y = c ^ ((p + 1) / 4) mod p
-    y = c.pow((P + 1) / 4, P) # use pow to avoid Bignum overflow
-
-    # BIP340: Fail if c != y^2 mod p
-    raise(SanityCheck, "c != y^2 mod p") if c != y.pow(2, P)
-
-    # BIP340: Return the unique point P such that:
-    #   x(P) = x and y(P) = y    if y mod 2 = 0
-    #   y(P) = p - y             otherwise
-    GROUP.new_point [x, y.even? ? y : P - y]
-  end
-
-  # Input
-  #   The secret key, sk: 32 bytes binary
-  # Output
-  #   32 bytes binary (represents P.x for point P on the curve)
-  def self.pubkey(sk)
-    bytestring!(sk, B)
-
-    # BIP340: Let d' = int(sk)
-    # BIP340: Fail if d' = 0 or d' >= n
-    # BIP340: Return bytes(d' . G)
-    d0 = int(sk)
-    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
-    bytes(dot_group(d0))
-  end
-
-  # generate a new keypair based on random data
-  def self.keypair
-    sk = Random.bytes(B)
-    [sk, pubkey(sk)]
-  end
-
-  # as above, but using SecureRandom
-  def self.secure_keypair
-    sk = SecureRandom.bytes(B)
-    [sk, pubkey(sk)]
-  end
-end
-
-if __FILE__ == $0
-  msg = 'hello world'
-  sk, pk = SchnorrSig.keypair
-  puts "Message: #{msg}"
-  puts "Secret key: #{SchnorrSig.bin2hex(sk)}"
-  puts "Public key: #{SchnorrSig.bin2hex(pk)}"
-
-  sig = SchnorrSig.sign(sk, msg)
-  puts
-  puts "Verified signature: #{SchnorrSig.bin2hex(sig)}"
-  puts "Encoding: #{sig.encoding}"
-  puts "Length: #{sig.length}"
+if ENV['SCHNORR_SIG']&.downcase == 'fast'
+  require 'schnorr_sig/fast'
+else
+  require 'schnorr_sig/pure'
 end

data/test/vectors.rb

@@ -1,5 +1,4 @@
-require ENV['SCHNORR_SIG']&.downcase == 'fast' ?
-          'schnorr_sig/fast' : 'schnorr_sig'
+require 'schnorr_sig'
 require 'csv'
 
 path = File.join(__dir__, 'vectors.csv')
@@ -29,4 +28,4 @@ puts "Failure: #{failure.count}"
 
 puts failure unless failure.empty?
 
-exit failure.count
+# exit failure.count

data/test/vectors_extra.rb

@@ -1,5 +1,4 @@
-require ENV['SCHNORR_SIG']&.downcase == 'fast' ?
-          'schnorr_sig/fast' : 'schnorr_sig'
+require 'schnorr_sig'
 require 'csv'
 
 path = File.join(__dir__, 'vectors.csv')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: schnorr_sig
 version: !ruby/object:Gem::Version
-  version: 0.0.0.4
+  version: 0.2.0.1
 platform: ruby
 authors:
 - Rick Hull
@@ -35,6 +35,7 @@ files:
 - VERSION
 - lib/schnorr_sig.rb
 - lib/schnorr_sig/fast.rb
+- lib/schnorr_sig/pure.rb
 - lib/schnorr_sig/util.rb
 - schnorr_sig.gemspec
 - test/vectors.rb