From 4e13ec730162131802dda081569cea009ea7eb4c Mon Sep 17 00:00:00 2001 From: Anthony Towns Date: Thu, 22 Aug 2019 11:06:19 +1000 Subject: make secret key a 32-byte array called sk, introduce pubkey() --- bip-schnorr.mediawiki | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'bip-schnorr.mediawiki') diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index 4de2596..8e53403 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki 
@@ -117,13 +117,16 @@ The following convention is used, with constants as defined for secp256k1: ** The function ''point(x)'', where ''x'' is a 32-byte array, returns the point ''P = lift_x(int(x))''. ** The function ''hashtag(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''. ** The function ''jacobi(x)'', where ''x'' is an integer, returns the [https://en.wikipedia.org/wiki/Jacobi_symbol Jacobi symbol] of ''x / p''. It is equal to ''x(p-1)/2 mod p'' ([https://en.wikipedia.org/wiki/Euler%27s_criterion Euler's criterion])For points ''P'' on the secp256k1 curve it holds that ''jacobi(y(P)) ≠ 0''.. +** The function ''pubkey(x)'', where ''x'' is a 32-byte array, returns ''bytes(dG)'' where ''d = int(x) mod n''. -=== Public Key Generation === +==== Public Key Generation ==== Input: -* The secret key ''d'': an integer in the range ''1..n-1'' chosen uniformly at random. +* The secret key ''sk'': a 32-byte array, generated uniformly at random -The public key corresponding to secret key ''d'' is ''bytes(dG)''. +To generate the corresponding public key: +* Fail if ''int(sk) = 0'' or ''int(sk) >= n'' +* The public key corresponding to secret key ''sk'' is ''pubkey(sk)''. Alternatively, the public key can be created according to [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP32] which describes the derivation of 33-byte compressed public keys. In order to translate such public keys into bip-schnorr compatible keys, the first byte must be dropped. 
@@ -165,11 +168,13 @@ All provided signatures are valid with overwhelming probability if and only if t ==== Signing ==== Input: -* The secret key ''d' '': an integer in the range ''1..n-1'' +* The secret key ''sk'': a 32-byte array * The message ''m'': a 32-byte array -To sign ''m'' for public key ''bytes(dG)'': -* Let ''P = dG'' +To sign ''m'' for public key ''pubkey(sk)'': +* Let ''d' = int(sk)'' +* Fail if ''d' = 0'' or ''d' >= n'' +* Let ''P = d'G'' * Let ''d = d' '' if ''jacobi(y(P)) = 1'', otherwise let ''d = n - d' ''. * Let ''k' = int(hashBIPSchnorrDerive(bytes(d) || m)) mod n''Note that in general, taking the output of a hash function modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2256'' that this bias is not observable (''1 - n / 2256'' is around ''1.27 * 2-128'').. * Fail if ''k' = 0''. -- cgit v1.2.3
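Review bot: In the first hunk (conventions and Public Key Generation), the new ''pubkey(x)'' definition reduces its input with ''d = int(x) mod n'', while the key generation steps added just below it say to fail if ''int(sk) = 0'' or ''int(sk) >= n''. The two disagree on out-of-range input: as defined, pubkey() silently accepts ''int(x) >= n'', and for ''int(x) mod n = 0'' it asks for ''bytes(dG)'' where ''dG'' is the point at infinity. Suggest dropping the ''mod n'' and stating that pubkey() is defined only for ''0 < int(x) < n'' (or fails otherwise), so the range check lives in one place and callers cannot skip it by calling pubkey() directly. Minor style point: the new Input bullet ("generated uniformly at random") has lost its trailing period.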
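Review bot: In the second hunk (Signing), the Input bullet now reads "The secret key ''sk'': a 32-byte array" and no longer documents the valid range that the removed line carried (''1..n-1''); the constraint only shows up two steps later as "Fail if ''d' = 0'' or ''d' >= n''". Suggest keeping the range in the input description, for example "a 32-byte array with ''0 < int(sk) < n''", or pointing at the Public Key Generation check, so an implementer reading only the inputs sees the precondition. The sentence "To sign ''m'' for public key ''pubkey(sk)''" also names a key before the Fail step has run; it would read more cleanly if it referred to ''bytes(P)'' after ''P = d'G'' is defined, or if the Fail step were stated as an input requirement.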