author Anthony Towns <aj@erisian.com.au> 2019-08-22 11:06:19 +1000
committer Pieter Wuille <pieter.wuille@gmail.com> 2020-01-19 14:47:33 -0800
commit 4e13ec730162131802dda081569cea009ea7eb4c
tree 5a6ec8764d7b10069d867f46842c0bd5b09f0a84
parent a3f74a204e55d708e40f35761b1ea9b302cb195b
make secret key a 32-byte array called sk, introduce pubkey()
-rw-r--r-- bip-schnorr.mediawiki 17
1 files changed, 11 insertions, 6 deletions
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki
index 4de2596..8e53403 100644
--- a/bip-schnorr.mediawiki
+++ b/bip-schnorr.mediawiki
@@ -117,13 +117,16 @@ The following convention is used, with constants as defined for secp256k1:
** The function ''point(x)'', where ''x'' is a 32-byte array, returns the point ''P = lift_x(int(x))''.
** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''.
** The function ''jacobi(x)'', where ''x'' is an integer, returns the [https://en.wikipedia.org/wiki/Jacobi_symbol Jacobi symbol] of ''x / p''. It is equal to ''x<sup>(p-1)/2</sup> mod p'' ([https://en.wikipedia.org/wiki/Euler%27s_criterion Euler's criterion])<ref>For points ''P'' on the secp256k1 curve it holds that ''jacobi(y(P)) &ne; 0''.</ref>.
+** The function ''pubkey(x)'', where ''x'' is a 32-byte array, returns ''bytes(dG)'' where ''d = int(x) mod n''.
-=== Public Key Generation ===
+==== Public Key Generation ====
Input:
-* The secret key ''d'': an integer in the range ''1..n-1'' chosen uniformly at random.
+* The secret key ''sk'': a 32-byte array, generated uniformly at random
-The public key corresponding to secret key ''d'' is ''bytes(dG)''.
+To generate the corresponding public key:
+* Fail if ''int(sk) = 0'' or ''int(sk) >= n''
+* The public key corresponding to secret key ''sk'' is ''pubkey(sk)''.
Alternatively, the public key can be created according to [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP32] which describes the derivation of 33-byte compressed public keys.
In order to translate such public keys into bip-schnorr compatible keys, the first byte must be dropped.
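Review bot: The added ''pubkey(x)'' definition reduces the input with ''d = int(x) mod n'', while the new Public Key Generation steps fail on ''int(sk) = 0'' or ''int(sk) >= n'', so on this path the reduction never takes effect and the two lines read as inconsistent. As written, pubkey() is also defined for an ''x'' with ''int(x) mod n = 0'', where ''dG'' is the point at infinity, a case the definition does not address. Suggest either dropping "mod n" and stating the range ''1..n-1'' as a precondition of pubkey(), or keeping the reduction and saying explicitly that callers must apply the range check first. Minor style point: the added bullet "generated uniformly at random" drops the trailing period the removed line had, and the added "Fail if" bullet has none either.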
@@ -165,11 +168,13 @@ All provided signatures are valid with overwhelming probability if and only if t
==== Signing ====
Input:
-* The secret key ''d' '': an integer in the range ''1..n-1''
+* The secret key ''sk'': a 32-byte array
* The message ''m'': a 32-byte array
-To sign ''m'' for public key ''bytes(dG)'':
-* Let ''P = dG''
+To sign ''m'' for public key ''pubkey(sk)'':
+* Let ''d' = int(sk)''
+* Fail if ''d' = 0'' or ''d' >= n''
+* Let ''P = d'G''
* Let ''d = d' '' if ''jacobi(y(P)) = 1'', otherwise let ''d = n - d' ''.
* Let ''k' = int(hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m)) mod n''<ref>Note that in general, taking the output of a hash function modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>.
* Fail if ''k' = 0''.
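Review bot: The symbol ''d'' now carries two meanings across this patch: in the added pubkey() definition it is the unnegated scalar ''int(x) mod n'', while in Signing the unnegated scalar is ''d' = int(sk)'' and ''d'' is the value after the ''jacobi(y(P))'' adjustment. Since the sentence "To sign ''m'' for public key ''pubkey(sk)''" ties the two together, a reader can easily take the ''d'' hashed in ''bytes(d) || m'' to be the pubkey() one. Suggest using a different letter in pubkey(), or adding a short remark that ''pubkey(sk) = bytes(d'G)'' for the in-range ''sk'' accepted here. Also, the added "Fail if ''d' = 0'' or ''d' >= n''" bullet lacks the trailing period that the neighbouring "Fail if ''k' = 0''." bullet has.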