schnorr

package
v3.0.0-...-21710ba
Warning

This package is not in the latest version of its module.

Published: Dec 2, 2024 License: GPL-3.0 Imports: 2 Imported by: 0

README

Schnorr

This package is a modified version of https://github.com/decred/dcrd/blob/master/dcrec/secp256k1/schnorr, adapted to support the use cases of Bandchain's TSS module.

Modification

  • Adjust r and s in Signature to be public fields
  • Adjust r to be a Jacobian point so that both x and y are kept, since we won't enforce even y in our TSS.
  • Add a complaint signature to keep A1, A2, and Z.
  • Adjust ComputeSignatureS and Verify to be compatible with our TSS.

Documentation

Index

Constants

const (
	// ErrSigTooShort is returned when a signature that should be a Schnorr
	// signature is too short.
	ErrSigTooShort = ErrorKind("ErrSigTooShort")

	// ErrSigTooLong is returned when a signature that should be a Schnorr
	// signature is too long.
	ErrSigTooLong = ErrorKind("ErrSigTooLong")

	// ErrSigRTooBig is returned when a signature has r with a value that is
	// greater than or equal to the prime of the field underlying the group.
	ErrSigRTooBig = ErrorKind("ErrSigRTooBig")

	// ErrSigSTooBig is returned when a signature has s with a value that is
	// greater than or equal to the group order.
	ErrSigSTooBig = ErrorKind("ErrSigSTooBig")

	// ErrSigA1TooBig is returned when a complaint signature has a1 with a value that is
	// greater than or equal to the prime of the field underlying the group.
	ErrSigA1TooBig = ErrorKind("ErrSigA1TooBig")

	// ErrSigA2TooBig is returned when a complaint signature has a2 with a value that is
	// greater than or equal to the prime of the field underlying the group.
	ErrSigA2TooBig = ErrorKind("ErrSigA2TooBig")

	// ErrSigZTooBig is returned when a complaint signature has z with a value that is
	// greater than or equal to the group order.
	ErrSigZTooBig = ErrorKind("ErrSigZTooBig")

	// ErrPrivateKeyZero is returned when a private key is zero.
	ErrPrivateKeyZero = ErrorKind("ErrPrivateKeyZero")

	// ErrNotOnCurve is returned when a public key is not on curve.
	ErrNotOnCurve = ErrorKind("ErrNotOnCurve")

	// ErrRInfinity is returned when a calculated R is at infinity.
	ErrRInfinity = ErrorKind("ErrRInfinity")

	// ErrIncorrectR is returned when a calculated R is not given R.
	ErrIncorrectR = ErrorKind("ErrIncorrectR")
)

These constants are used to identify a specific RuleError.

const (
	// ComplaintSignatureSize is the size of an encoded complaint signature.
	ComplaintSignatureSize = 98
)

const (
	// SignatureSize is the size of an encoded Schnorr signature.
	SignatureSize = 65
)

Variables

var RFC6979ExtraDataV0 = [32]byte{
	0x0b, 0x75, 0xf9, 0x7b, 0x60, 0xe8, 0xa5, 0x76,
	0x28, 0x76, 0xc0, 0x04, 0x82, 0x9e, 0xe9, 0xb9,
	0x26, 0xfa, 0x6f, 0x0d, 0x2e, 0xea, 0xec, 0x3a,
	0x4f, 0xd1, 0x44, 0x6a, 0x76, 0x83, 0x31, 0xcb,
}

RFC6979ExtraDataV0 is the extra data to feed to RFC6979 when generating the deterministic nonce for the EC-Schnorr-DCRv0 scheme. This ensures the same nonce is not generated for the same message and key as for other signing algorithms such as ECDSA.

It is equal to BLAKE-256([]byte("EC-Schnorr-DCRv0")).

Functions

func ComputeSignatureS

func ComputeSignatureS(
	privKey *secp256k1.PrivateKey, nonce *secp256k1.ModNScalar,
	challenge *secp256k1.ModNScalar,
) (*secp256k1.ModNScalar, error)

ComputeSignatureS generates the S part of a Schnorr signature over the secp256k1 curve for the provided challenge, using the given nonce and private key.

func Verify

func Verify(
	expectR *secp256k1.JacobianPoint,
	signatureS *secp256k1.ModNScalar,
	challenge *secp256k1.ModNScalar,
	pubKey *secp256k1.PublicKey,
	generator *secp256k1.JacobianPoint,
) error

Verify attempts to verify the signature for the provided challenge, generator and secp256k1 public key. It returns nil if verification succeeds, or a specific error indicating why it failed.

Types

type ComplaintSignature

type ComplaintSignature struct {
	A1 secp256k1.JacobianPoint
	A2 secp256k1.JacobianPoint
	Z  secp256k1.ModNScalar
}

ComplaintSignature is a type representing a complaint signature.

func NewComplaintSignature

func NewComplaintSignature(
	a1 *secp256k1.JacobianPoint,
	a2 *secp256k1.JacobianPoint,
	z *secp256k1.ModNScalar,
) *ComplaintSignature

NewComplaintSignature instantiates a new complaint signature given some a1, a2 and z values.

func ParseComplaintSignature

func ParseComplaintSignature(signature []byte) (*ComplaintSignature, error)

ParseComplaintSignature parses a complaint signature from bytes and enforces the following restrictions:

- The a1 component must be in the valid range for secp256k1 field elements
- The a2 component must be in the valid range for secp256k1 field elements
- The z component must be in the valid range for secp256k1 scalars

func (ComplaintSignature) Serialize

func (signature ComplaintSignature) Serialize() []byte

Serialize returns the complaint signature in the more strict format.

The signatures are encoded as:

bytes at 0-32  jacobian point R with z as 1 (A1), encoded by SerializeCompressed of secp256k1.PublicKey
bytes at 33-65  jacobian point R with z as 1 (A2), encoded by SerializeCompressed of secp256k1.PublicKey
bytes at 66-97 s, encoded also as big-endian uint256 (Z)

type Error

type Error struct {
	Err         error
	Description string
}

Error identifies an error related to a schnorr signature. It has full support for errors.Is and errors.As, so the caller can ascertain the specific reason for the error by checking the underlying error.

func (Error) Error

func (e Error) Error() string

Error satisfies the error interface and prints human-readable errors.

func (Error) Unwrap

func (e Error) Unwrap() error

Unwrap returns the underlying wrapped error.

type ErrorKind

type ErrorKind string

ErrorKind identifies a kind of error. It has full support for errors.Is and errors.As, so the caller can directly check against an error kind when determining the reason for an error.

func (ErrorKind) Error

func (e ErrorKind) Error() string

Error satisfies the error interface and prints human-readable errors.

type Signature

type Signature struct {
	R secp256k1.JacobianPoint
	S secp256k1.ModNScalar
}

Signature is a type representing a Schnorr signature.

func NewSignature

func NewSignature(r *secp256k1.JacobianPoint, s *secp256k1.ModNScalar) *Signature

NewSignature instantiates a new signature given some r and s values.

func ParseSignature

func ParseSignature(signature []byte) (*Signature, error)

ParseSignature parses a signature according to the EC-Schnorr-DCRv0 specification and enforces the following additional restrictions specific to secp256k1:

- The r component must be in the valid range for secp256k1 field elements
- The s component must be in the valid range for secp256k1 scalars

func (Signature) IsEqual

func (signature Signature) IsEqual(otherSignature *Signature) bool

IsEqual compares this Signature instance to the one passed, returning true if both Signatures are equivalent. A signature is equivalent to another if they both have the same value for R and S. Note: both R values must be in affine coordinates.

func (Signature) Serialize

func (signature Signature) Serialize() []byte

Serialize returns the Schnorr signature in the more strict format.

The signatures are encoded as:

bytes at 0-32  jacobian point R with z as 1, encoded by SerializeCompressed of secp256k1.PublicKey
bytes at 33-64 s, encoded also as big-endian uint256
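The two byte layouts above (65-byte signature, 98-byte complaint signature) can be checked structurally before any verification is attempted. The following is an added example, not code from this package: it uses only the standard library, `checkEncoding` and the error names are hypothetical, and the on-curve test for each compressed point is an assumption that goes beyond the range checks listed for the parse functions.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 field prime p and group order n (public curve constants).
var (
	fieldP, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
	orderN, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
	// Hypothetical errors for this sketch; the package reports ErrorKind values.
	errLength = errors.New("wrong length")
	errPoint  = errors.New("invalid compressed point")
	errScalar = errors.New("scalar not below group order")
)

// checkEncoding validates nPoints 33-byte compressed points followed by one
// 32-byte big-endian scalar: nPoints=1 is the 65-byte signature layout,
// nPoints=2 the 98-byte complaint signature layout.
func checkEncoding(b []byte, nPoints int) error {
	if len(b) != 33*nPoints+32 {
		return errLength
	}
	for i := 0; i < nPoints; i++ {
		pt := b[33*i : 33*i+33]
		x := new(big.Int).SetBytes(pt[1:])
		// On-curve test: y^2 = x^3 + 7 (mod p) must have a square root.
		rhs := new(big.Int).Exp(x, big.NewInt(3), fieldP)
		rhs.Add(rhs, big.NewInt(7)).Mod(rhs, fieldP)
		badPrefix := pt[0] != 0x02 && pt[0] != 0x03
		if badPrefix || x.Cmp(fieldP) >= 0 || new(big.Int).ModSqrt(rhs, fieldP) == nil {
			return errPoint
		}
	}
	if new(big.Int).SetBytes(b[33*nPoints:]).Cmp(orderN) >= 0 {
		return errScalar
	}
	return nil
}

func main() {
	sig := make([]byte, 65) // constructed sample: R = (prefix 0x02, x = 1), s = 1
	sig[0], sig[32], sig[64] = 0x02, 1, 1
	fmt.Println(checkEncoding(sig, 1)) // accepted: x = 1 lies on the curve
	copy(sig[33:], orderN.Bytes())
	fmt.Println(checkEncoding(sig, 1)) // rejected: s equals the group order
}
```

Rejecting anything that is not exactly 65 or 98 bytes, and any scalar or coordinate outside its range, keeps each signature to a single accepted encoding.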
