summaryrefslogtreecommitdiff
path: root/bip-0340
diff options
context:
space:
mode:
authorPieter Wuille <pieter.wuille@gmail.com>2020-04-02 16:34:24 -0700
committerGitHub <noreply@github.com>2020-04-02 16:34:24 -0700
commit038615b7c7eb44d47c41261565ef54cdbc1d9f05 (patch)
treea220f40bd9543f26a584197eda9f494e09289806 /bip-0340
parent39ba507e01cbae43ff32f1f3c993c74719b18873 (diff)
parent72657270d8e4d6ef193878f1e743301edfae0e31 (diff)
Merge pull request #200 from real-or-random/prints
Add debug print for intermediate values
Diffstat (limited to 'bip-0340')
-rw-r--r--bip-0340/reference.py102
-rw-r--r--bip-0340/test-vectors.py2
2 files changed, 71 insertions, 33 deletions
diff --git a/bip-0340/reference.py b/bip-0340/reference.py
index 79f9578..6b1645c 100644
--- a/bip-0340/reference.py
+++ b/bip-0340/reference.py
@@ -1,6 +1,15 @@
import hashlib
import binascii
+# Set DEBUG to True to get a detailed debug output including
+# intermediate values during key generation, signing, and
+# verification. This is implemented via calls to the
+# debug_print_vars() function.
+#
+# If you want to print values on an individual basis, use
+# the pretty() function, e.g., print(pretty(foo)).
+DEBUG = False
+
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
@@ -24,13 +33,13 @@ def y(P):
return P[1]
def point_add(P1, P2):
- if (P1 is None):
+ if P1 is None:
return P2
- if (P2 is None):
+ if P2 is None:
return P1
- if (x(P1) == x(P2) and y(P1) != y(P2)):
+ if (x(P1) == x(P2)) and (y(P1) != y(P2)):
return None
- if (P1 == P2):
+ if P1 == P2:
lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p
else:
lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p
@@ -40,7 +49,7 @@ def point_add(P1, P2):
def point_mul(P, n):
R = None
for i in range(256):
- if ((n >> i) & 1):
+ if (n >> i) & 1:
R = point_add(R, P)
P = point_add(P, P)
return R
@@ -62,14 +71,14 @@ def lift_x_square_y(b):
y = pow(y_sq, (p + 1) // 4, p)
if pow(y, 2, p) != y_sq:
return None
- return [x, y]
+ return (x, y)
def lift_x_even_y(b):
P = lift_x_square_y(b)
if P is None:
return None
else:
- return [x(P), y(P) if y(P) % 2 == 0 else p - y(P)]
+ return (x(P), y(P) if y(P) % 2 == 0 else p - y(P))
def int_from_bytes(b):
return int.from_bytes(b, byteorder="big")
@@ -81,38 +90,39 @@ def is_square(x):
return pow(x, (p - 1) // 2, p) == 1
def has_square_y(P):
- return not is_infinity(P) and is_square(y(P))
+ return (not is_infinity(P)) and is_square(y(P))
def has_even_y(P):
return y(P) % 2 == 0
def pubkey_gen(seckey):
- x = int_from_bytes(seckey)
- if not (1 <= x <= n - 1):
+ d0 = int_from_bytes(seckey)
+ if not (1 <= d0 <= n - 1):
raise ValueError('The secret key must be an integer in the range 1..n-1.')
- P = point_mul(G, x)
+ P = point_mul(G, d0)
return bytes_from_point(P)
-def schnorr_sign(msg, seckey0, aux_rand):
+def schnorr_sign(msg, seckey, aux_rand):
if len(msg) != 32:
raise ValueError('The message must be a 32-byte array.')
- seckey0 = int_from_bytes(seckey0)
- if not (1 <= seckey0 <= n - 1):
+ d0 = int_from_bytes(seckey)
+ if not (1 <= d0 <= n - 1):
raise ValueError('The secret key must be an integer in the range 1..n-1.')
if len(aux_rand) != 32:
raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand))
- P = point_mul(G, seckey0)
- seckey = seckey0 if has_even_y(P) else n - seckey0
- t = xor_bytes(bytes_from_int(seckey), tagged_hash("BIP340/aux", aux_rand))
+ P = point_mul(G, d0)
+ d = d0 if has_even_y(P) else n - d0
+ t = xor_bytes(bytes_from_int(d), tagged_hash("BIP340/aux", aux_rand))
k0 = int_from_bytes(tagged_hash("BIP340/nonce", t + bytes_from_point(P) + msg)) % n
if k0 == 0:
raise RuntimeError('Failure. This happens only with negligible probability.')
R = point_mul(G, k0)
k = n - k0 if not has_square_y(R) else k0
e = int_from_bytes(tagged_hash("BIP340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
- sig = bytes_from_point(R) + bytes_from_int((k + e * seckey) % n)
+ sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n)
+ debug_print_vars()
if not schnorr_verify(msg, bytes_from_point(P), sig):
- raise RuntimeError('The signature does not pass verification.')
+ raise RuntimeError('The created signature does not pass verification.')
return sig
def schnorr_verify(msg, pubkey, sig):
@@ -123,26 +133,29 @@ def schnorr_verify(msg, pubkey, sig):
if len(sig) != 64:
raise ValueError('The signature must be a 64-byte array.')
P = lift_x_even_y(pubkey)
- if (P is None):
- return False
r = int_from_bytes(sig[0:32])
s = int_from_bytes(sig[32:64])
- if (r >= p or s >= n):
+ if (P is None) or (r >= p) or (s >= n):
+ debug_print_vars()
return False
e = int_from_bytes(tagged_hash("BIP340/challenge", sig[0:32] + pubkey + msg)) % n
R = point_add(point_mul(G, s), point_mul(P, n - e))
- if R is None or not has_square_y(R) or x(R) != r:
+ if (R is None) or (not has_square_y(R)) or (x(R) != r):
+ debug_print_vars()
return False
+ debug_print_vars()
return True
#
# The following code is only used to verify the test vectors.
#
import csv
+import os
+import sys
def test_vectors():
all_passed = True
- with open('test-vectors.csv', newline='') as csvfile:
+ with open(os.path.join(sys.path[0], 'test-vectors.csv'), newline='') as csvfile:
reader = csv.reader(csvfile)
reader.__next__()
for row in reader:
@@ -151,7 +164,7 @@ def test_vectors():
msg = bytes.fromhex(msg)
sig = bytes.fromhex(sig)
result = result == 'TRUE'
- print('\nTest vector #%-3i: ' % int(index))
+ print('\nTest vector', ('#' + index).rjust(3, ' ') + ':')
if seckey != '':
seckey = bytes.fromhex(seckey)
pubkey_actual = pubkey_gen(seckey)
@@ -160,13 +173,17 @@ def test_vectors():
print(' Expected key:', pubkey.hex().upper())
print(' Actual key:', pubkey_actual.hex().upper())
aux_rand = bytes.fromhex(aux_rand)
- sig_actual = schnorr_sign(msg, seckey, aux_rand)
- if sig == sig_actual:
- print(' * Passed signing test.')
- else:
- print(' * Failed signing test.')
- print(' Expected signature:', sig.hex().upper())
- print(' Actual signature:', sig_actual.hex().upper())
+ try:
+ sig_actual = schnorr_sign(msg, seckey, aux_rand)
+ if sig == sig_actual:
+ print(' * Passed signing test.')
+ else:
+ print(' * Failed signing test.')
+ print(' Expected signature:', sig.hex().upper())
+ print(' Actual signature:', sig_actual.hex().upper())
+ all_passed = False
+ except RuntimeError as e:
+ print(' * Signing test raised exception:', e)
all_passed = False
result_actual = schnorr_verify(msg, pubkey, sig)
if result == result_actual:
@@ -185,5 +202,26 @@ def test_vectors():
print('Some test vectors failed.')
return all_passed
+#
+# The following code is only used for debugging
+#
+import inspect
+
+def pretty(v):
+ if isinstance(v, bytes):
+ return '0x' + v.hex()
+ if isinstance(v, int):
+ return pretty(bytes_from_int(v))
+ if isinstance(v, tuple):
+ return tuple(map(pretty, v))
+ return v
+
+def debug_print_vars():
+ if DEBUG:
+ frame = inspect.currentframe().f_back
+ print(' Variables in function ', frame.f_code.co_name, ' at line ', frame.f_lineno, ':', sep='')
+ for var_name, var_val in frame.f_locals.items():
+ print(' ' + var_name.rjust(11, ' '), '==', pretty(var_val))
+
if __name__ == '__main__':
test_vectors()
diff --git a/bip-0340/test-vectors.py b/bip-0340/test-vectors.py
index d1a52c8..9c029ec 100644
--- a/bip-0340/test-vectors.py
+++ b/bip-0340/test-vectors.py
@@ -15,7 +15,7 @@ def vector0():
P = point_mul(G, x)
assert(y(P) % 2 == 0)
- # For historic reasons (pubkey tiebreaker was squareness and not evenness)
+ # For historical reasons (pubkey tiebreaker was squareness and not evenness)
# we should have at least one test vector where the the point reconstructed
# from the public key has a square and one where it has a non-square Y
# coordinate. In this one Y is non-square.