Dash Core  0.12.2.1
P2P Digital Currency
schnorr_impl.h File Reference
#include <string.h>
#include "schnorr.h"
#include "num.h"
#include "field.h"
#include "group.h"
#include "ecmult.h"
#include "ecmult_gen.h"


Functions

static int secp256k1_schnorr_sig_sign (const secp256k1_ecmult_gen_context *ctx, unsigned char *sig64, const secp256k1_scalar *key, const secp256k1_scalar *nonce, const secp256k1_ge *pubnonce, secp256k1_schnorr_msghash hash, const unsigned char *msg32)
 
static int secp256k1_schnorr_sig_verify (const secp256k1_ecmult_context *ctx, const unsigned char *sig64, const secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32)
 
static int secp256k1_schnorr_sig_recover (const secp256k1_ecmult_context *ctx, const unsigned char *sig64, secp256k1_ge *pubkey, secp256k1_schnorr_msghash hash, const unsigned char *msg32)
 
static int secp256k1_schnorr_sig_combine (unsigned char *sig64, size_t n, const unsigned char *const *sig64ins)
 

Function Documentation

◆ secp256k1_schnorr_sig_combine()

static int secp256k1_schnorr_sig_combine ( unsigned char *  sig64,
size_t  n,
const unsigned char *const *  sig64ins
)

Definition at line 181 of file schnorr_impl.h.

◆ secp256k1_schnorr_sig_recover()

static int secp256k1_schnorr_sig_recover ( const secp256k1_ecmult_context *  ctx,
const unsigned char *  sig64,
secp256k1_ge *  pubkey,
secp256k1_schnorr_msghash  hash,
const unsigned char *  msg32
)

Definition at line 144 of file schnorr_impl.h.

◆ secp256k1_schnorr_sig_sign()

static int secp256k1_schnorr_sig_sign ( const secp256k1_ecmult_gen_context *  ctx,
unsigned char *  sig64,
const secp256k1_scalar *  key,
const secp256k1_scalar *  nonce,
const secp256k1_ge *  pubnonce,
secp256k1_schnorr_msghash  hash,
const unsigned char *  msg32
)

Custom Schnorr-based signature scheme. It supports multiparty signing, public key recovery and batch validation.

Rationale for verifying R's y coordinate: In order to support batch validation and public key recovery, the full R point must be known to verifiers, rather than just its x coordinate. In order to not risk being more strict in batch validation than in normal validation, validators must be required to reject signatures with an incorrect y coordinate. This is only possible by including a (relatively slow) field inverse, or a field square root. However, batch validation offers potentially much higher benefits than this cost.

Rationale for having an implicit y coordinate oddness: If we commit to having the full R point known to verifiers, there are two mechanisms. Either include its oddness in the signature, or give it an implicit fixed value. As the R y coordinate can be flipped by a simple negation of the nonce, we choose the latter, as it comes with nearly zero impact on signing or validation performance, and saves a byte in the signature.

Signing:
  Inputs: 32-byte message m, 32-byte scalar key x (!=0), 32-byte scalar nonce k (!=0)

  Compute point R = k * G. Reject nonce if R's y coordinate is odd (or negate nonce).
  Compute 32-byte r, the serialization of R's x coordinate.
  Compute scalar h = Hash(r || m). Reject nonce if h == 0 or h >= order.
  Compute scalar s = k - h * x.
  The signature is (r, s).

Verification:
  Inputs: 32-byte message m, public key point Q, signature: (32-byte r, scalar s)

  Signature is invalid if s >= order.
  Signature is invalid if r >= p.
  Compute scalar h = Hash(r || m). Signature is invalid if h == 0 or h >= order.
  Option 1 (faster for single verification):
    Compute point R = h * Q + s * G. Signature is invalid if R is infinity or R's y coordinate is odd.
    Signature is valid if the serialization of R's x coordinate equals r.
  Option 2 (allows batch validation and pubkey recovery):
    Decompress x coordinate r into point R, with odd y coordinate. Fail if R is not on the curve.
    Signature is valid if R + h * Q + s * G == 0.

Definition at line 62 of file schnorr_impl.h.

◆ secp256k1_schnorr_sig_verify()

static int secp256k1_schnorr_sig_verify ( const secp256k1_ecmult_context *  ctx,
const unsigned char *  sig64,
const secp256k1_ge *  pubkey,
secp256k1_schnorr_msghash  hash,
const unsigned char *  msg32
)

Definition at line 106 of file schnorr_impl.h.