2020-03-19 03:14:08 +01:00
|
|
|
from typing import Tuple, Optional, Any
|
2018-07-06 03:45:34 +02:00
|
|
|
import hashlib
|
|
|
|
import binascii
|
|
|
|
|
2020-03-04 21:21:36 +01:00
|
|
|
# Set DEBUG to True to get a detailed debug output including
|
|
|
|
# intermediate values during key generation, signing, and
|
|
|
|
# verification. This is implemented via calls to the
|
|
|
|
# debug_print_vars() function.
|
|
|
|
#
|
|
|
|
# If you want to print values on an individual basis, use
|
|
|
|
# the pretty() function, e.g., print(pretty(foo)).
|
|
|
|
DEBUG = False
|
|
|
|
|
2018-07-06 03:45:34 +02:00
|
|
|
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
|
|
|
|
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
|
2019-11-01 17:14:57 +01:00
|
|
|
|
2019-11-02 13:19:17 +01:00
|
|
|
# Points are tuples of X and Y coordinates and the point at infinity is
|
2019-11-01 17:14:57 +01:00
|
|
|
# represented by the None keyword.
|
2018-07-06 03:45:34 +02:00
|
|
|
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
Point = Tuple[int, int]
|
|
|
|
|
2019-08-26 22:46:08 +02:00
|
|
|
# This implementation can be sped up by storing the midstate after hashing
|
|
|
|
# tag_hash instead of rehashing it all the time.
|
2020-03-19 03:14:08 +01:00
|
|
|
def tagged_hash(tag: str, msg: bytes) -> bytes:
|
2019-08-26 13:32:04 +02:00
|
|
|
tag_hash = hashlib.sha256(tag.encode()).digest()
|
|
|
|
return hashlib.sha256(tag_hash + tag_hash + msg).digest()
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def is_infinity(P: Optional[Point]) -> bool:
|
2019-11-04 20:56:48 +01:00
|
|
|
return P is None
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def x(P: Point) -> int:
|
2019-09-26 23:18:53 +02:00
|
|
|
return P[0]
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def y(P: Point) -> int:
|
2019-09-26 23:18:53 +02:00
|
|
|
return P[1]
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def point_add(P1: Optional[Point], P2: Optional[Point]) -> Optional[Point]:
|
2020-03-12 21:13:09 +01:00
|
|
|
if P1 is None:
|
2018-07-06 03:45:34 +02:00
|
|
|
return P2
|
2020-03-12 21:13:09 +01:00
|
|
|
if P2 is None:
|
2018-07-06 03:45:34 +02:00
|
|
|
return P1
|
2020-03-12 21:13:09 +01:00
|
|
|
if (x(P1) == x(P2)) and (y(P1) != y(P2)):
|
2018-07-06 03:45:34 +02:00
|
|
|
return None
|
2020-03-12 21:13:09 +01:00
|
|
|
if P1 == P2:
|
2019-09-26 23:18:53 +02:00
|
|
|
lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p
|
2018-07-06 03:45:34 +02:00
|
|
|
else:
|
2019-09-26 23:18:53 +02:00
|
|
|
lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p
|
|
|
|
x3 = (lam * lam - x(P1) - x(P2)) % p
|
|
|
|
return (x3, (lam * (x(P1) - x3) - y(P1)) % p)
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def point_mul(P: Optional[Point], n: int) -> Optional[Point]:
|
2018-07-06 03:45:34 +02:00
|
|
|
R = None
|
|
|
|
for i in range(256):
|
2020-03-12 21:13:09 +01:00
|
|
|
if (n >> i) & 1:
|
2018-07-06 03:45:34 +02:00
|
|
|
R = point_add(R, P)
|
|
|
|
P = point_add(P, P)
|
|
|
|
return R
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def bytes_from_int(x: int) -> bytes:
|
2018-07-06 03:45:34 +02:00
|
|
|
return x.to_bytes(32, byteorder="big")
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def bytes_from_point(P: Point) -> bytes:
|
2019-09-26 23:18:53 +02:00
|
|
|
return bytes_from_int(x(P))
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def xor_bytes(b0: bytes, b1: bytes) -> bytes:
|
2020-02-03 22:56:03 +01:00
|
|
|
return bytes(x ^ y for (x, y) in zip(b0, b1))
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def lift_x_square_y(b: bytes) -> Optional[Point]:
|
2019-07-06 18:32:41 +02:00
|
|
|
x = int_from_bytes(b)
|
2019-11-04 13:53:37 +01:00
|
|
|
if x >= p:
|
|
|
|
return None
|
2018-07-06 03:45:34 +02:00
|
|
|
y_sq = (pow(x, 3, p) + 7) % p
|
2019-07-06 18:32:41 +02:00
|
|
|
y = pow(y_sq, (p + 1) // 4, p)
|
|
|
|
if pow(y, 2, p) != y_sq:
|
2018-07-06 03:45:34 +02:00
|
|
|
return None
|
2020-03-04 21:21:36 +01:00
|
|
|
return (x, y)
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def lift_x_even_y(b: bytes) -> Optional[Point]:
|
2020-02-02 17:14:30 +01:00
|
|
|
P = lift_x_square_y(b)
|
|
|
|
if P is None:
|
|
|
|
return None
|
|
|
|
else:
|
2020-03-17 02:13:26 +01:00
|
|
|
return (x(P), y(P) if y(P) % 2 == 0 else p - y(P))
|
2020-02-02 17:14:30 +01:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def int_from_bytes(b: bytes) -> int:
|
2018-07-06 03:45:34 +02:00
|
|
|
return int.from_bytes(b, byteorder="big")
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def hash_sha256(b: bytes) -> bytes:
|
2018-07-06 03:45:34 +02:00
|
|
|
return hashlib.sha256(b).digest()
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def is_square(x: int) -> bool:
|
|
|
|
return int(pow(x, (p - 1) // 2, p)) == 1
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def has_square_y(P: Optional[Point]) -> bool:
|
|
|
|
infinity = is_infinity(P)
|
|
|
|
if infinity: return False
|
|
|
|
assert P is not None
|
|
|
|
return is_square(y(P))
|
2019-09-27 11:56:21 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def has_even_y(P: Point) -> bool:
|
2020-02-02 17:14:30 +01:00
|
|
|
return y(P) % 2 == 0
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def pubkey_gen(seckey: bytes) -> bytes:
|
2020-03-04 21:21:36 +01:00
|
|
|
d0 = int_from_bytes(seckey)
|
|
|
|
if not (1 <= d0 <= n - 1):
|
2019-09-26 23:12:21 +02:00
|
|
|
raise ValueError('The secret key must be an integer in the range 1..n-1.')
|
2020-03-04 21:21:36 +01:00
|
|
|
P = point_mul(G, d0)
|
2020-03-19 03:14:08 +01:00
|
|
|
assert P is not None
|
2019-07-06 18:32:41 +02:00
|
|
|
return bytes_from_point(P)
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def schnorr_sign(msg: bytes, seckey: bytes, aux_rand: bytes) -> bytes:
|
2018-07-06 03:45:34 +02:00
|
|
|
if len(msg) != 32:
|
|
|
|
raise ValueError('The message must be a 32-byte array.')
|
2020-03-04 21:21:36 +01:00
|
|
|
d0 = int_from_bytes(seckey)
|
|
|
|
if not (1 <= d0 <= n - 1):
|
2018-07-06 03:45:34 +02:00
|
|
|
raise ValueError('The secret key must be an integer in the range 1..n-1.')
|
2020-02-03 22:56:03 +01:00
|
|
|
if len(aux_rand) != 32:
|
|
|
|
raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand))
|
2020-03-04 21:21:36 +01:00
|
|
|
P = point_mul(G, d0)
|
2020-03-19 03:14:08 +01:00
|
|
|
assert P is not None
|
2020-03-04 21:21:36 +01:00
|
|
|
d = d0 if has_even_y(P) else n - d0
|
|
|
|
t = xor_bytes(bytes_from_int(d), tagged_hash("BIP340/aux", aux_rand))
|
2020-02-03 22:56:03 +01:00
|
|
|
k0 = int_from_bytes(tagged_hash("BIP340/nonce", t + bytes_from_point(P) + msg)) % n
|
2018-07-06 03:45:34 +02:00
|
|
|
if k0 == 0:
|
|
|
|
raise RuntimeError('Failure. This happens only with negligible probability.')
|
|
|
|
R = point_mul(G, k0)
|
2020-03-19 03:14:08 +01:00
|
|
|
assert R is not None
|
2019-11-04 20:56:48 +01:00
|
|
|
k = n - k0 if not has_square_y(R) else k0
|
2020-02-02 17:14:30 +01:00
|
|
|
e = int_from_bytes(tagged_hash("BIP340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
|
2020-03-04 21:21:36 +01:00
|
|
|
sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n)
|
2020-03-17 02:13:26 +01:00
|
|
|
debug_print_vars()
|
2020-02-24 18:01:19 +01:00
|
|
|
if not schnorr_verify(msg, bytes_from_point(P), sig):
|
2020-03-17 02:30:39 +01:00
|
|
|
raise RuntimeError('The created signature does not pass verification.')
|
2020-02-24 18:01:19 +01:00
|
|
|
return sig
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def schnorr_verify(msg: bytes, pubkey: bytes, sig: bytes) -> bool:
|
2018-07-06 03:45:34 +02:00
|
|
|
if len(msg) != 32:
|
|
|
|
raise ValueError('The message must be a 32-byte array.')
|
2019-07-06 18:32:41 +02:00
|
|
|
if len(pubkey) != 32:
|
|
|
|
raise ValueError('The public key must be a 32-byte array.')
|
2018-07-06 03:45:34 +02:00
|
|
|
if len(sig) != 64:
|
|
|
|
raise ValueError('The signature must be a 64-byte array.')
|
2020-02-02 17:14:30 +01:00
|
|
|
P = lift_x_even_y(pubkey)
|
2018-07-06 03:45:34 +02:00
|
|
|
r = int_from_bytes(sig[0:32])
|
|
|
|
s = int_from_bytes(sig[32:64])
|
2020-03-04 21:21:36 +01:00
|
|
|
if (P is None) or (r >= p) or (s >= n):
|
|
|
|
debug_print_vars()
|
2018-07-06 03:45:34 +02:00
|
|
|
return False
|
2020-02-02 17:14:30 +01:00
|
|
|
e = int_from_bytes(tagged_hash("BIP340/challenge", sig[0:32] + pubkey + msg)) % n
|
2018-07-06 03:45:34 +02:00
|
|
|
R = point_add(point_mul(G, s), point_mul(P, n - e))
|
2020-03-12 21:13:09 +01:00
|
|
|
if (R is None) or (not has_square_y(R)) or (x(R) != r):
|
2020-03-04 21:21:36 +01:00
|
|
|
debug_print_vars()
|
2018-07-06 03:45:34 +02:00
|
|
|
return False
|
2020-03-04 21:21:36 +01:00
|
|
|
debug_print_vars()
|
2018-07-06 03:45:34 +02:00
|
|
|
return True
|
|
|
|
|
|
|
|
#
|
|
|
|
# The following code is only used to verify the test vectors.
|
|
|
|
#
|
|
|
|
import csv
|
2020-03-04 21:21:36 +01:00
|
|
|
import os
|
|
|
|
import sys
|
2018-07-06 03:45:34 +02:00
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def test_vectors() -> bool:
|
2018-07-06 03:45:34 +02:00
|
|
|
all_passed = True
|
2020-03-04 21:21:36 +01:00
|
|
|
with open(os.path.join(sys.path[0], 'test-vectors.csv'), newline='') as csvfile:
|
2018-07-06 03:45:34 +02:00
|
|
|
reader = csv.reader(csvfile)
|
|
|
|
reader.__next__()
|
|
|
|
for row in reader:
|
2020-03-19 03:14:08 +01:00
|
|
|
(index, seckey_hex, pubkey_hex, aux_rand_hex, msg_hex, sig_hex, result_str, comment) = row
|
|
|
|
pubkey = bytes.fromhex(pubkey_hex)
|
|
|
|
msg = bytes.fromhex(msg_hex)
|
|
|
|
sig = bytes.fromhex(sig_hex)
|
|
|
|
result = result_str == 'TRUE'
|
2020-03-12 21:13:09 +01:00
|
|
|
print('\nTest vector', ('#' + index).rjust(3, ' ') + ':')
|
2020-03-19 03:14:08 +01:00
|
|
|
if seckey_hex != '':
|
|
|
|
seckey = bytes.fromhex(seckey_hex)
|
2019-07-06 18:32:41 +02:00
|
|
|
pubkey_actual = pubkey_gen(seckey)
|
|
|
|
if pubkey != pubkey_actual:
|
|
|
|
print(' * Failed key generation.')
|
|
|
|
print(' Expected key:', pubkey.hex().upper())
|
|
|
|
print(' Actual key:', pubkey_actual.hex().upper())
|
2020-03-19 03:14:08 +01:00
|
|
|
aux_rand = bytes.fromhex(aux_rand_hex)
|
2020-03-17 02:30:39 +01:00
|
|
|
try:
|
|
|
|
sig_actual = schnorr_sign(msg, seckey, aux_rand)
|
|
|
|
if sig == sig_actual:
|
|
|
|
print(' * Passed signing test.')
|
|
|
|
else:
|
|
|
|
print(' * Failed signing test.')
|
|
|
|
print(' Expected signature:', sig.hex().upper())
|
|
|
|
print(' Actual signature:', sig_actual.hex().upper())
|
|
|
|
all_passed = False
|
|
|
|
except RuntimeError as e:
|
|
|
|
print(' * Signing test raised exception:', e)
|
2018-07-06 03:45:34 +02:00
|
|
|
all_passed = False
|
|
|
|
result_actual = schnorr_verify(msg, pubkey, sig)
|
|
|
|
if result == result_actual:
|
|
|
|
print(' * Passed verification test.')
|
|
|
|
else:
|
|
|
|
print(' * Failed verification test.')
|
2019-07-06 18:32:41 +02:00
|
|
|
print(' Expected verification result:', result)
|
2018-07-06 03:45:34 +02:00
|
|
|
print(' Actual verification result:', result_actual)
|
|
|
|
if comment:
|
|
|
|
print(' Comment:', comment)
|
|
|
|
all_passed = False
|
|
|
|
print()
|
|
|
|
if all_passed:
|
|
|
|
print('All test vectors passed.')
|
|
|
|
else:
|
|
|
|
print('Some test vectors failed.')
|
|
|
|
return all_passed
|
|
|
|
|
2020-03-04 21:21:36 +01:00
|
|
|
#
|
|
|
|
# The following code is only used for debugging
|
|
|
|
#
|
|
|
|
import inspect
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def pretty(v: Any) -> Any:
|
2020-03-04 21:21:36 +01:00
|
|
|
if isinstance(v, bytes):
|
|
|
|
return '0x' + v.hex()
|
|
|
|
if isinstance(v, int):
|
|
|
|
return pretty(bytes_from_int(v))
|
|
|
|
if isinstance(v, tuple):
|
|
|
|
return tuple(map(pretty, v))
|
|
|
|
return v
|
|
|
|
|
2020-03-19 03:14:08 +01:00
|
|
|
def debug_print_vars() -> None:
|
2020-03-04 21:21:36 +01:00
|
|
|
if DEBUG:
|
2020-03-19 03:14:08 +01:00
|
|
|
current_frame = inspect.currentframe()
|
|
|
|
assert current_frame is not None
|
|
|
|
frame = current_frame.f_back
|
|
|
|
assert frame is not None
|
2020-03-04 21:21:36 +01:00
|
|
|
print(' Variables in function ', frame.f_code.co_name, ' at line ', frame.f_lineno, ':', sep='')
|
|
|
|
for var_name, var_val in frame.f_locals.items():
|
|
|
|
print(' ' + var_name.rjust(11, ' '), '==', pretty(var_val))
|
|
|
|
|
2018-07-06 03:45:34 +02:00
|
|
|
if __name__ == '__main__':
|
|
|
|
test_vectors()
|