schnorr_sig 0.0.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9cd55fdf9335f6ea817837d76d3ce130f9752ab7cbf582c822e061dc68574583
+  data.tar.gz: dbc20c45aac2f0d9443d278a93ff6e7ae88cea2fc26b68eaf5226c6dd47979bc
+SHA512:
+  metadata.gz: e180ad80feddacf2ee05dd4a66d8518a53233ac56ba393917bac45e19e5cae25530e87aacdcd330523ce6751e2fb754efc5359571a564db21197d7063bb3e737
+  data.tar.gz: fc67524a97a42b517efff14b7c4bcc21732d8f6e83a353d51220f3e7627aab646edce9e25fd9676f6f7e13bc62eceb3d52062bdbc234a0d640dfe3eba7f78086

data/README.md

@@ -0,0 +1,288 @@
+# Schnorr Signatures
+
+This is a simple, minimal library written in Ruby for the purpose of
+calculating and verifying so-called
+[Schnorr signatures](https://en.wikipedia.org/wiki/Schnorr_signature),
+based on elliptic curve cryptography.  This cryptographic method was
+[patented by Claus P. Schnorr](https://patents.google.com/patent/US4995082)
+in 1989 (expired 2010), and by 2021 it was adopted and popularized
+by the [Bitcoin](https://en.wikipedia.org/wiki/Bitcoin) project.
+
+This work is based on [BIP340](https://bips.xyz/340), one of the many
+[Bitcoin Improvement Proposals](https://bips.xyz/), which are open documents
+and specifications similar to
+[IETF RFCs](https://en.wikipedia.org/wiki/Request_for_Comments).
+BIP340 specifies elliptic curve `secp256k1` for use with Schnorr signatures.
+
+# Usage
+
+This library is provided as a RubyGem.  It has a single dependency on
+[ecdsa_ext](https://github.com/azuchi/ruby_ecdsa_ext), with a
+corresponding transitive dependency on
+[ecdsa](https://github.com/DavidEGrayson/ruby_ecdsa/).
+
+## Install
+
+Install locally:
+
+```
+$ gem install schnorr_sig
+```
+
+Or add to your project `Gemfile`:
+
+```
+gem 'schnorr_sig'
+```
+
+By default, only the dependencies for the Ruby implementation will be
+installed: **ecdsa_ext** gem and its dependencies.
+
+### Fast Implementation
+
+After installing the **schnorr_sig** gem, then install
+[rbsecp256k1](https://github.com/etscrivner/rbsecp256k1).
+Here's how I did it on NixOS:
+
+```
+nix-shell -p secp256k1 autoconf automake libtool
+gem install rbsecp256k1 -- --with-system-libraries
+```
+
+## Example
+
+```ruby
+require 'schnorr_sig'
+
+msg = 'hello world'
+
+# generate secret key and public key
+sk, pk = SchnorrSig.keypair
+
+# sign a message; exception raised on failure
+sig = SchnorrSig.sign(sk, msg)
+
+# the signature has already been verified, but let's check
+SchnorrSig.verify?(pk, msg, sig)  # => true
+```
+
+### Fast Implementation
+
+```ruby
+require 'schnorr_sig/fast' # not 'schnorr_sig'
+
+# everything else as above ...
+```
+
+# Elliptic Curves
+
+Note that [elliptic curves](https://en.wikipedia.org/wiki/Elliptic_curve)
+are not ellipses, but can instead be described by cubic equations of
+the form: `y^2 = x^3 + ax + b` where `a` and `b` are the parameters of the
+resulting curve.  All points `(x, y)` which satisfy a given parameterized
+equation provide the exact definition of an elliptic curve.
+
+## Curve `secp256k1`
+
+`secp256k1` uses `a = 0` and `b = 7`, so `y^2 = x^3 + 7`
+
+![secp256k1: y^2 = x^3 + 7](assets/secp256k1.png)
+
+Here is one
+[minimal definition of `secp256k1`](https://github.com/DavidEGrayson/ruby_ecdsa/blob/master/lib/ecdsa/group/secp256k1.rb):
+
+```
+{
+  name: 'secp256k1',
+  p: 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F,
+  a: 0,
+  b: 7,
+  g: [0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
+      0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8],
+  n: 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141,
+  h: 1,
+}
+```
+
+* `p` is the prime for the Field, below INTMAX(32) (256^32)
+* `a` is zero, as above
+* `b` is seven, as above
+* `g` is the generator point: [x, y]
+* `n` is the Group order, significantly below INTMAX(32)
+
+Elliptic curves have algebraic structures called
+[Groups](https://en.wikipedia.org/wiki/Group_\(mathematics\)) and
+[Fields](https://en.wikipedia.org/wiki/Field_\(mathematics\)),
+and prime numbers are useful.  I won't elaborate further here, as I am
+still learning in this area and reluctant to publish misunderstandings.
+
+## Generator Point
+
+Every elliptic curve has an *infinity point*, and one step away from the
+infinity point is a so-called *generator point*, `G`, a pair of large
+integers, `(x, y)`.  Add `G` to the infinity point; the result is `G`.
+Add `G` again, and the result is `2G`.  Where `N` is the *order* of the
+curve, `NG` returns to the infinity point.
+
+You can multiply `G` by any integer < `N` to get a corresponding point on
+the curve, `(x, y)`. `G` can be compressed to just the x-value, as the
+y-value can be derived from the x-value with a little bit of algebra:
+`y = sign(x) * sqrt(x^3 + ax + b)`.
+
+## Bignums
+
+We can conjure into existence a gigantic *32-byte* integer. Until recently,
+most consumer CPUs could only handle *32-bit* integers.  A 32-byte integer
+is 8x larger than common hardware integers, so math on large integers must
+be done in software.
+
+In Ruby, you can get a 32-byte value with: `Random.bytes(32)`, which will
+return a 32-byte binary string.  There are several ways to convert this to
+an integer value, which in Ruby is called a **Bignum** when it exceeds
+the highest value for a **Fixnum**, which corresponds to a hardware integer.
+
+*Fixnums are fast; Bignums are slow*
+
+## Keypairs
+
+Let's conjure into existence a gigantic 32-byte integer, `sk` (secret key):
+
+```
+sk = Random.bytes(32) # a binary string, length 32
+hex = [sk].pack('H*') # convert to a hex string like: "199ace9bc1 ..."
+bignum = hex.to_i(16) # convert hex to integer, possibly a bignum
+```
+
+`sk` is now our 32-byte **secret key**, and `bignum` is the integer value
+of `sk`.  We can multiply `bignum` by `G` to get a corresponding point on
+the elliptic curve, `P`.
+
+`P.x` is now our **public key**, the x-value of a point on
+the curve.  Technically, we would want to convert the large integer `P.x`
+to a binary string in order to make it a peer with `sk`.
+
+```
+group = ECDSA::Group::Secp256k1  # get a handle for secp256k1 curve
+point = group.generator * bignum # generate a point corresponding to sk
+pk = big2bin(point.x)            # public key: point.x as a binary string
+```
+
+The implementation of
+[big2bin](https://github.com/rickhull/schnorr_sig/blob/master/lib/schnorr_sig/util.rb#L30)
+is left as an exercise for the reader.
+
+## Formatting
+
+* Binary String
+* Integer
+* Hexadecimal String
+
+Our baseline format is the binary string:
+
+```
+'asdf'.encoding   # => #<Encoding:UTF-8>
+'asdf'.b          # => "asdf"
+'asdf'.b.encoding # => #<Encoding:ASCII-8BIT>
+Encoding::BINARY  # => #<Encoding:ASCII-8BIT>
+"\x00".encoding   # => #<Encoding:UTF-8>
+"\xFF".encoding   # => #<Encoding:UTF-8>
+```
+
+Default encoding for Ruby's `String` is `UTF-8`.  This encoding can be used
+for messages and tags in BIP340.  Call `String#b` to return
+a new string with the same value, but with `BINARY` encoding.  Note that
+Ruby still calls `BINARY` encoding `ASCII-8BIT`, but this may change, and
+`BINARY` is preferred.  Anywhere you might say `ASCII-8BIT` you can say
+`BINARY` instead.
+
+Any `UTF-8` strings will never be converted to integers.  `UTF-8` strings tend
+to be unrestricted or undeclared in size.  So let's turn to the `BINARY`
+strings.
+
+`BINARY` strings will tend to have a known, fixed size (almost certainly 32),
+and they can be expected to be converted to integers, likely Bignums.
+
+Hexadecimal strings (aka "hex") are like `"deadbeef0123456789abcdef00ff00ff"`.
+These are never used internally, but they are typically used at the user
+interface layer, as binary strings are not handled well by most user
+interfaces.
+
+Any Schnorr Signature implementation must be able to efficiently convert:
+
+* binary to bignum
+* bignum to binary
+* binary to hex
+* hex to binary
+
+Note that "bignum to hex" can be handled transitively and is typically not
+required.
+
+## Takeaways
+
+* For any given secret key (32 byte value), a public key is easily generated
+* A public key is an x-value on the curve
+* For any given x-value on the curve, the y-value is easily generated
+* For most curves, there are two different y-values for an x-value
+* We are always dealing with 32-byte integers: **Bignums**
+* Converting between integer format and 32-byte strings can be expensive
+* The Schnorr algorithm requires lots of `string <--> integer` conversion
+* Hex strings are never used internally
+* Provide efficient, obvious routines for the fundamental conversions
+
+# Implementation
+
+There are two independent implementations, the primary aiming for as
+pure Ruby as is feasible while matching the BIP340 pseudocode,
+with the secondary aiming for speed and correctness, relying on the
+battle-tested [sep256k1 library](https://github.com/bitcoin-core/secp256k1)
+provided by the Bitcoin project.
+
+## Ruby Implementation
+
+This is the default implementation and the only implementation for which
+this gem specifies its dependencies:
+the [ecdsa_ext](https://github.com/azuchi/ruby_ecdsa_ext) gem, which depends
+on the [ecdsa](https://github.com/DavidEGrayson/ruby_ecdsa/) gem,
+which implements the Elliptic Curve Digital Signature Algorithm (ECDSA)
+almost entirely in pure Ruby.
+
+**ecdsa_ext** provides computational efficiency for points on elliptic
+curves by using projective (Jacobian) rather than affine coordinates.
+Very little of the code in this library relies on these gems -- mainly
+for elliptical curve computations and the `secp256k1` curve definition.
+
+Most of the code in this implementaion is based directly on the pseudocode
+from [BIP340](https://bips.xyz/340).  i.e. A top-to-bottom implementation
+of most of the spec.  Enough to generate keypairs, signatures, and perform
+signature verification.  Extra care was taken to make the Ruby code match
+the pseudocode as close as feasible.  The pseudocode is commented
+[inline](lib/schnorr_sig.rb#L58).
+
+A lot of care was taken to keep conversions and checks to a minimum.  The
+functions are very strict about what they accept and attempt to be as fast
+as possible, while remaining expressive.  This implementation should
+outperform [bip-schnorrb](https://github.com/chaintope/bip-schnorrrb)
+in speed, simplicity, and expressiveness.
+
+## Fast Implementation
+
+This implementation depends on the
+[rbsecp256k1](https://github.com/etscrivner/rbsecp256k1) gem, which is a
+C extension that wraps the
+[secp256k1](https://github.com/bitcoin-core/secp256k1) library, also known
+as **libsecp256k1**.  There is much less code here, but the `SchnorrSig`
+module functions perform some input checking and match the function
+signatures from the Ruby implementation.  There are many advantages to
+using this implementation over the Ruby implementation, aside from
+efficiency, mostly having to with resistance to timing and side-channel
+attacks.
+
+The downside of using this implementation is a more difficult and involved
+install process, along with a certain level of inscrutability.
+
+### Temporary Restriction
+
+Currently, **rbsecp256k1** restricts messages to exactly 32 bytes, which
+was part of the BIPS340 spec until April 2023, when the restriction was lifted.
+
+See https://github.com/etscrivner/rbsecp256k1/issues/80

data/Rakefile

@@ -0,0 +1,20 @@
+require 'rake/testtask'
+
+Rake::TestTask.new :test do |t|
+  t.pattern = "test/*.rb"
+  t.warning = true
+end
+
+task default: :test
+
+begin
+  require 'buildar'
+
+  Buildar.new do |b|
+    b.gemspec_file = 'schnorr_sig.gemspec'
+    b.version_file = 'VERSION'
+    b.use_git = true
+  end
+rescue LoadError
+  warn "buildar tasks unavailable"
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.0.4

data/lib/schnorr_sig/fast.rb

@@ -0,0 +1,85 @@
+require 'schnorr_sig/util'
+require 'rbsecp256k1' # gem, C extension
+
+# re-open SchnorrSig to add more functions, errors, and constants
+module SchnorrSig
+  CONTEXT = Secp256k1::Context.create
+  Error = Secp256k1::Error # enable: rescue SchnorrSig::Error
+  FORCE_32_BYTE_MSG = true
+
+  # Input
+  #   The secret key, sk: 32 bytes binary
+  #   The message, m:     UTF-8 / binary / agnostic
+  # Output
+  #   64 bytes binary
+  def self.sign(sk, m)
+    bytestring!(sk, 32) and string!(m)
+    m = m[0..31].ljust(32, ' ') if FORCE_32_BYTE_MSG
+    CONTEXT.sign_schnorr(key_pair(sk), m).serialized
+  end
+
+  # Input
+  #   The public key, pk: 32 bytes binary
+  #   The message, m:     UTF-8 / binary / agnostic
+  #   A signature, sig:   64 bytes binary
+  # Output
+  #   Boolean, may raise SchnorrSig::Error
+  def self.verify?(pk, m, sig)
+    bytestring!(pk, 32) and string!(m) and bytestring!(sig, 64)
+    signature(sig).verify(m, Secp256k1::XOnlyPublicKey.from_data(pk))
+  end
+
+  # Input
+  #   (The secret key, sk: 32 bytes binary)
+  # Output
+  #   Secp256k1::KeyPair
+  def self.key_pair(sk = nil)
+    if sk
+      bytestring!(sk, 32)
+      CONTEXT.key_pair_from_private_key(sk)
+    else
+      CONTEXT.generate_key_pair
+    end
+  end
+
+  # Input
+  #   (The secret key, sk: 32 bytes binary)
+  # Output
+  #   [sk, pk]
+  def self.keypair(sk = nil)
+    kp = self.key_pair(sk)
+    [kp.private_key.data, kp.xonly_public_key.serialized]
+  end
+
+  # Input
+  #   The secret key, sk: 32 bytes binary
+  # Output
+  #   The public key: 32 bytes binary
+  def self.pubkey(sk)
+    keypair(sk)[1]
+  end
+
+  # Input
+  #   The signature, str: 64 bytes binary
+  # Output
+  #   Secp256k1::SchnorrSignature
+  def self.signature(str)
+    bytestring!(str, 64)
+    Secp256k1::SchnorrSignature.from_data(str)
+  end
+end
+
+if __FILE__ == $0
+  msg = 'hello world'
+
+  sk, pk = SchnorrSig.keypair
+  puts "Message: #{msg}"
+  puts "Secret key: #{SchnorrSig.bin2hex(sk)}"
+  puts "Public key: #{SchnorrSig.bin2hex(pk)}"
+
+  sig = SchnorrSig.sign(sk, msg)
+  puts
+  puts "Verified signature: #{SchnorrSig.bin2hex(sig)}"
+  puts "Encoding: #{sig.encoding}"
+  puts "Length: #{sig.length}"
+end

data/lib/schnorr_sig/util.rb

@@ -0,0 +1,44 @@
+module SchnorrSig
+  class InputError < RuntimeError; end
+  class SizeError < InputError; end
+  class TypeError < InputError; end
+  class EncodingError < InputError; end
+
+  # true or raise
+  def self.integer!(i)
+    i.is_a?(Integer) or raise(TypeError, i.class)
+  end
+
+  # true or raise
+  def self.string!(str)
+    str.is_a?(String) or raise(TypeError, str.class)
+  end
+
+  # true or raise
+  def self.bytestring!(str, size)
+    string!(str)
+    raise(EncodingError, str.encoding) unless str.encoding == Encoding::BINARY
+    str.size == size or raise(SizeError, str.size)
+  end
+
+  # likely returns a Bignum, larger than a 64-bit hardware integer
+  def self.bin2big(str)
+    bin2hex(str).to_i(16)
+  end
+
+  # convert a giant integer to a binary string
+  def self.big2bin(bignum)
+    # much faster than ECDSA::Format -- thanks ParadoxV5
+    hex2bin(bignum.to_s(16).rjust(B * 2, '0'))
+  end
+
+  # convert a binary string to a lowercase hex string
+  def self.bin2hex(str)
+    str.unpack1('H*')
+  end
+
+  # convert a hex string to a binary string
+  def self.hex2bin(hex)
+    [hex].pack('H*')
+  end
+end

data/lib/schnorr_sig.rb

@@ -0,0 +1,220 @@
+require 'schnorr_sig/util'
+require 'ecdsa_ext'                    # gem
+autoload :SecureRandom, 'securerandom' # stdlib
+
+# This implementation is based on the BIP340 spec: https://bips.xyz/340
+# re-open SchnorrSig to add more functions, errors, and constants
+module SchnorrSig
+  class Error < RuntimeError; end
+  class BoundsError < Error; end
+  class SanityCheck < Error; end
+  class VerifyFail < Error; end
+
+  GROUP = ECDSA::Group::Secp256k1
+  P = GROUP.field.prime # smaller than 256**32
+  N = GROUP.order       # smaller than P
+  B = GROUP.byte_length # 32
+
+  # val (dot) G, returns ECDSA::Point
+  def self.dot_group(val)
+    # ecdsa_ext uses jacobian projection: 10x faster than GROUP.generator * val
+    (GROUP.generator.to_jacobian * val).to_affine
+  end
+
+  # returns even_val or N - even_val
+  def self.select_even_y(point, even_val)
+    point.y.even? ? even_val : N - even_val
+  end
+
+  # int(x) function signature matches BIP340, returns a bignum (presumably)
+  class << self
+    alias_method :int, :bin2big
+  end
+
+  # bytes(val) function signature matches BIP340, returns a binary string
+  def self.bytes(val)
+    case val
+    when Integer
+      # BIP340: The function bytes(x), where x is an integer,
+      # returns the 32-byte encoding of x, most significant byte first.
+      big2bin(val)
+    when ECDSA::Point
+      # BIP340: The function bytes(P), where P is a point, returns bytes(x(P)).
+      val.infinity? ? ("\x00" * B).b : big2bin(val.x)
+    else
+      raise(SanityCheck, val.inspect)
+    end
+  end
+
+  # Input
+  #   The secret key, sk:       32 bytes binary
+  #   The message, m:           binary / UTF-8 / agnostic
+  #   Auxiliary random data, a: 32 bytes binary
+  # Output
+  #   The signature, sig:       64 bytes binary
+  def self.sign(sk, m, a = Random.bytes(B))
+    bytestring!(sk, B) and string!(m) and bytestring!(a, B)
+
+    # BIP340: Let d' = int(sk)
+    # BIP340: Fail if d' = 0 or d' >= n
+    d0 = int(sk)
+    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
+
+    # BIP340: Let P = d' . G
+    p = dot_group(d0) # this is a point on the elliptic curve
+    bytes_p = bytes(p)
+
+    # BIP340: Let d = d' if has_even_y(P), otherwise let d = n - d'
+    d = select_even_y(p, d0)
+
+    # BIP340: Let t be the bytewise xor of bytes(d) and hash[BIP0340/aux](a)
+    t = d ^ int(tagged_hash('BIP0340/aux', a))
+
+    # BIP340: Let rand = hash[BIP0340/nonce](t || bytes(P) || m)
+    nonce = tagged_hash('BIP0340/nonce', bytes(t) + bytes_p + m)
+
+    # BIP340: Let k' = int(rand) mod n
+    # BIP340: Fail if k' = 0
+    k0 = int(nonce) % N
+    raise(BoundsError, "k0") if !k0.positive?
+
+    # BIP340: Let R = k' . G
+    r = dot_group(k0) # this is a point on the elliptic curve
+    bytes_r = bytes(r)
+
+    # BIP340: Let k = k' if has_even_y(R), otherwise let k = n - k'
+    k = select_even_y(r, k0)
+
+    # BIP340:
+    #   Let e = int(hash[BIP0340/challenge](bytes(R) || bytes(P) || m)) mod n
+    e = int(tagged_hash('BIP0340/challenge', bytes_r + bytes_p + m)) % N
+
+    # BIP340: Let sig = bytes(R) || bytes((k + ed) mod n)
+    # BIP340: Fail unless Verify(bytes(P), m, sig)
+    # BIP340: Return the signature sig
+    sig = bytes_r + bytes((k + e * d) % N)
+    raise(VerifyFail) unless verify?(bytes_p, m, sig)
+    sig
+  end
+
+  # see https://bips.xyz/340#design (Tagged hashes)
+  # Input
+  #   A tag:            UTF-8 > binary > agnostic
+  #   The payload, msg: UTF-8 / binary / agnostic
+  # Output
+  #   32 bytes binary
+  def self.tagged_hash(tag, msg)
+    string!(tag) and string!(msg)
+    warn("tag expected to be UTF-8") unless tag.encoding == Encoding::UTF_8
+
+    # BIP340: The function hash[name](x) where x is a byte array
+    #         returns the 32-byte hash
+    #         SHA256(SHA256(tag) || SHA256(tag) || x)
+    #         where tag is the UTF-8 encoding of name.
+    tag_hash = Digest::SHA256.digest(tag)
+    Digest::SHA256.digest(tag_hash + tag_hash + msg)
+  end
+
+  # Input
+  #   The public key, pk: 32 bytes binary
+  #   The message, m:     UTF-8 / binary / agnostic
+  #   A signature, sig:   64 bytes binary
+  # Output
+  #   Boolean
+  def self.verify?(pk, m, sig)
+    bytestring!(pk, B) and string!(m) and bytestring!(sig, B * 2)
+
+    # BIP340: Let P = lift_x(int(pk))
+    p = lift_x(int(pk))
+
+    # BIP340: Let r = int(sig[0:32]) fail if r >= p
+    r = int(sig[0..B-1])
+    raise(BoundsError, "r >= p") if r >= P
+
+    # BIP340: Let s = int(sig[32:64]); fail if s >= n
+    s = int(sig[B..-1])
+    raise(BoundsError, "s >= n") if s >= N
+
+    # BIP340:
+    #   Let e = int(hash[BIP0340/challenge](bytes(r) || bytes(P) || m)) mod n
+    e = bytes(r) + bytes(p) + m
+    e = int(tagged_hash('BIP0340/challenge', e)) % N
+
+    # BIP340: Let R = s . G - e . P
+    # BIP340: Fail if is_infinite(R)
+    # BIP340: Fail if not has_even_y(R)
+    # BIP340: Fail if x(R) != r
+    # BIP340: Return success iff no failure occurred before reaching this point
+    big_r = dot_group(s) + p.multiply_by_scalar(e).negate
+    !big_r.infinity? and big_r.y.even? and big_r.x == r
+  end
+
+  # BIP340: The function lift_x(x), where x is a 256-bit unsigned integer,
+  #         returns the point P for which x(P) = x[10] and has_even_y(P),
+  #         or fails if x is greater than p-1 or no such point exists.
+  # Input
+  #   A large integer, x
+  # Output
+  #   ECDSA::Point
+  def self.lift_x(x)
+    integer!(x)
+
+    # BIP340: Fail if x >= p
+    raise(BoundsError, "x") if x >= P or x <= 0
+
+    # BIP340: Let c = x^3 + 7 mod p
+    c = (x.pow(3, P) + 7) % P
+
+    # BIP340: Let y = c ^ ((p + 1) / 4) mod p
+    y = c.pow((P + 1) / 4, P) # use pow to avoid Bignum overflow
+
+    # BIP340: Fail if c != y^2 mod p
+    raise(SanityCheck, "c != y^2 mod p") if c != y.pow(2, P)
+
+    # BIP340: Return the unique point P such that:
+    #   x(P) = x and y(P) = y    if y mod 2 = 0
+    #   y(P) = p - y             otherwise
+    GROUP.new_point [x, y.even? ? y : P - y]
+  end
+
+  # Input
+  #   The secret key, sk: 32 bytes binary
+  # Output
+  #   32 bytes binary (represents P.x for point P on the curve)
+  def self.pubkey(sk)
+    bytestring!(sk, B)
+
+    # BIP340: Let d' = int(sk)
+    # BIP340: Fail if d' = 0 or d' >= n
+    # BIP340: Return bytes(d' . G)
+    d0 = int(sk)
+    raise(BoundsError, "d0") if !d0.positive? or d0 >= N
+    bytes(dot_group(d0))
+  end
+
+  # generate a new keypair based on random data
+  def self.keypair
+    sk = Random.bytes(B)
+    [sk, pubkey(sk)]
+  end
+
+  # as above, but using SecureRandom
+  def self.secure_keypair
+    sk = SecureRandom.bytes(B)
+    [sk, pubkey(sk)]
+  end
+end
+
+if __FILE__ == $0
+  msg = 'hello world'
+  sk, pk = SchnorrSig.keypair
+  puts "Message: #{msg}"
+  puts "Secret key: #{SchnorrSig.bin2hex(sk)}"
+  puts "Public key: #{SchnorrSig.bin2hex(pk)}"
+
+  sig = SchnorrSig.sign(sk, msg)
+  puts
+  puts "Verified signature: #{SchnorrSig.bin2hex(sig)}"
+  puts "Encoding: #{sig.encoding}"
+  puts "Length: #{sig.length}"
+end

data/schnorr_sig.gemspec

@@ -0,0 +1,19 @@
+Gem::Specification.new do |s|
+  s.name = 'schnorr_sig'
+  s.summary = "Schnorr signatures in Ruby, multiple implementations"
+  s.description = "Pure ruby based on ECDSA gem; separate libsecp256k1 impl"
+  s.authors = ["Rick Hull"]
+  s.homepage = "https://github.com/rickhull/schnorr_sig"
+  s.license = "LGPL-2.1-only"
+
+  s.required_ruby_version = "~> 3.0"
+
+  s.version = File.read(File.join(__dir__, 'VERSION')).chomp
+
+  s.files = %w[schnorr_sig.gemspec VERSION README.md Rakefile]
+  s.files += Dir['lib/**/*.rb']
+  s.files += Dir['test/**/*.rb']
+  # s.files += Dir['examples/**/*.rb']
+
+  s.add_dependency "ecdsa_ext", "~> 0"
+end

data/test/vectors.rb

@@ -0,0 +1,32 @@
+require ENV['SCHNORR_SIG']&.downcase == 'fast' ?
+          'schnorr_sig/fast' : 'schnorr_sig'
+require 'csv'
+
+path = File.join(__dir__, 'vectors.csv')
+table = CSV.read(path, headers: true)
+
+success = []
+failure = []
+
+table.each { |row|
+  pk       = SchnorrSig.hex2bin row.fetch('public key')
+  m        = SchnorrSig.hex2bin row.fetch('message')
+  sig      = SchnorrSig.hex2bin row.fetch('signature')
+  expected = row.fetch('verification result') == 'TRUE'
+
+  result = begin
+             SchnorrSig.verify?(pk, m, sig)
+           rescue SchnorrSig::Error
+             false
+           end
+  (result == expected ? success : failure) << row
+  print '.'
+}
+puts
+
+puts "Success: #{success.count}"
+puts "Failure: #{failure.count}"
+
+puts failure unless failure.empty?
+
+exit failure.count

data/test/vectors_extra.rb

@@ -0,0 +1,44 @@
+require ENV['SCHNORR_SIG']&.downcase == 'fast' ?
+          'schnorr_sig/fast' : 'schnorr_sig'
+require 'csv'
+
+path = File.join(__dir__, 'vectors.csv')
+table = CSV.read(path, headers: true)
+
+table.each { |row|
+  sk       = SchnorrSig.hex2bin row.fetch('secret key')
+  pk       = SchnorrSig.hex2bin row.fetch('public key')
+  #aux_rand = SchnorrSig.hex2bin row.fetch('aux_rand')
+  m        = SchnorrSig.hex2bin row.fetch('message')
+  sig      = SchnorrSig.hex2bin row.fetch('signature')
+
+  index    = row.fetch('index')
+  comment  = row.fetch('comment')
+  expected = row.fetch('verification result') == 'TRUE'
+
+  pk_msg = nil
+  sig_msg = nil
+  verify_msg = nil
+
+  if sk.empty?
+    pk_msg = "sk empty"
+    sig_msg = "sk empty"
+  else
+    # let's derive pk from sk
+    pubkey = SchnorrSig.pubkey(sk)
+    pk_msg = (pubkey == pk) ? "pk match" : "pk mismatch"
+
+    # calculate a signature
+    calc_sig = SchnorrSig.sign(sk, m)
+    sig_msg = (calc_sig == sig) ? "sig match" : "sig mismatch"
+  end
+
+  result = begin
+             SchnorrSig.verify?(pk, m, sig)
+           rescue SchnorrSig::Error
+             false
+           end
+  verify_msg = (result == expected) ? "verify match" : "verify mismatch"
+  puts [index, pk_msg, sig_msg, verify_msg, comment].join("\t")
+}
+puts

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification
+name: schnorr_sig
+version: !ruby/object:Gem::Version
+  version: 0.0.0.4
+platform: ruby
+authors:
+- Rick Hull
+autorequire:
+bindir: bin
+cert_chain: []
+date: 1980-01-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ecdsa_ext
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Pure ruby based on ECDSA gem; separate libsecp256k1 impl
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- Rakefile
+- VERSION
+- lib/schnorr_sig.rb
+- lib/schnorr_sig/fast.rb
+- lib/schnorr_sig/util.rb
+- schnorr_sig.gemspec
+- test/vectors.rb
+- test/vectors_extra.rb
+homepage: https://github.com/rickhull/schnorr_sig
+licenses:
+- LGPL-2.1-only
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - "~>"
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.9
+signing_key:
+specification_version: 4
+summary: Schnorr signatures in Ruby, multiple implementations
+test_files: []