def test_bip340_vectors(self): """BIP340 (Schnorr) test vectors https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv """ fname = "bip340_test_vectors.csv" filename = path.join(path.dirname(__file__), "test_data", fname) with open(filename, newline='') as csvfile: reader = csv.reader(csvfile) # skip column headers while checking that there are 7 columns _, _, _, _, _, _, _ = reader.__next__() for row in reader: (index, seckey, pubkey, mhd, sig, result, comment) = row errmsg = f"Test vector #{int(index)}" if seckey != '': seckey = bytes.fromhex(seckey) _, pubkey_actual = ssa.gen_keys(seckey) self.assertEqual(pubkey, hex(pubkey_actual).upper()[2:], errmsg) sig_actual = ssa.serialize(*ssa.sign(mhd, seckey)) self.assertEqual(sig, sig_actual.hex().upper(), errmsg) result = result == 'TRUE' if comment: errmsg += ": " + comment result_actual = ssa.verify(mhd, pubkey, sig) self.assertEqual(result, result_actual, errmsg)
def test_ecssa(self): """Basic tests""" ec = secp256k1 q = 0x1 Q = mult(ec, q, ec.G) msg = hf('Satoshi Nakamoto'.encode()).digest() sig = ssa.sign(ec, hf, msg, q, None) # no source for the following... but # https://bitcointalk.org/index.php?topic=285142.40 # same r because of rfc6979 exp_sig = ( 0x934B1EA10A4B3C1757E2B0C017D0B6143CE3C9A7E6A4A49860D7A6AB210EE3D8, 0x2DF2423F70563E3C4BD0E00BDEF658081613858F110ECF937A2ED9190BF4A01A) self.assertEqual(sig[0], exp_sig[0]) self.assertEqual(sig[1], exp_sig[1]) ssa._verify(ec, hf, msg, Q, sig) self.assertTrue(ssa.verify(ec, hf, msg, Q, sig)) self.assertTrue(ssa._verify(ec, hf, msg, Q, sig)) fmsg = hf('Craig Wright'.encode()).digest() self.assertFalse(ssa.verify(ec, hf, fmsg, Q, sig)) self.assertFalse(ssa._verify(ec, hf, fmsg, Q, sig)) fssasig = (sig[0], sig[1], sig[1]) self.assertFalse(ssa.verify(ec, hf, msg, Q, fssasig)) self.assertRaises(TypeError, ssa._verify, ec, hf, msg, Q, fssasig) # y(sG - eP) is not a quadratic residue fq = 0x2 fQ = mult(ec, fq, ec.G) self.assertFalse(ssa.verify(ec, hf, msg, fQ, sig)) self.assertRaises(ValueError, ssa._verify, ec, hf, msg, fQ, sig) fq = 0x4 fQ = mult(ec, fq, ec.G) self.assertFalse(ssa.verify(ec, hf, msg, fQ, sig)) self.assertFalse(ssa._verify(ec, hf, msg, fQ, sig)) # not ec.pIsThreeModFour self.assertFalse(ssa.verify(secp224k1, hf, msg, Q, sig)) self.assertRaises(ValueError, ssa._verify, secp224k1, hf, msg, Q, sig) # verify: message of wrong size wrongmsg = msg[:-1] self.assertFalse(ssa.verify(ec, hf, wrongmsg, Q, sig)) self.assertRaises(ValueError, ssa._verify, ec, hf, wrongmsg, Q, sig) #ssa._verify(ec, hf, wrongmsg, Q, sig) # sign: message of wrong size self.assertRaises(ValueError, ssa.sign, ec, hf, wrongmsg, q, None) #ssa.sign(ec, hf, wrongmsg, q, None) # invalid (zero) challenge e self.assertRaises(ValueError, ssa._pubkey_recovery, ec, hf, 0, sig)
def test_signtocontract(self): prv = 0x1 pub = mult(ec, prv, ec.G) m = "to be signed".encode() c = "to be committed".encode() dsa_sig, dsa_receipt = ecdsa_commit_sign(c, ec, hf, m, prv, None) self.assertTrue(dsa.verify(ec, hf, m, pub, dsa_sig)) self.assertTrue(verify_commit(c, ec, hf, dsa_receipt)) # 32 bytes message for ECSSA m = hf(m).digest() ssa_sig, ssa_receipt = ecssa_commit_sign(c, ec, hf, m, prv, None) self.assertTrue(ssa.verify(ec, hf, m, pub, ssa_sig)) self.assertTrue(verify_commit(c, ec, hf, ssa_receipt))
def test_signtocontract(self): prv = 0x1 pub = mult(prv) m = b"to be signed" c = b"to be committed" dsa_sig, dsa_receipt = ecdsa_commit_sign(c, m, prv, None) self.assertTrue(dsa.verify(m, pub, dsa_sig)) self.assertTrue(verify_commit(c, dsa_receipt)) # 32 bytes message for ECSSA m = sha256(m).digest() ssa_sig, ssa_receipt = ecssa_commit_sign(c, m, prv, None) self.assertTrue(ssa.verify(m, pub, ssa_sig)) self.assertTrue(verify_commit(c, ssa_receipt))
def test_signature(self): """Basic tests""" q, x_Q = ssa.gen_keys() mhd = hf(b'Satoshi Nakamoto').digest() sig = ssa.sign(mhd, q, None) self.assertEqual(sig, ssa.deserialize(sig)) ssa._verify(mhd, x_Q, sig, ec, hf) self.assertTrue(ssa.verify(mhd, x_Q, sig)) fmhd = hf(b'Craig Wright').digest() self.assertRaises(AssertionError, ssa._verify, fmhd, x_Q, sig, ec, hf) fssasig = (sig[0], sig[1], sig[1]) self.assertRaises(ValueError, ssa._verify, mhd, x_Q, fssasig, ec, hf) # y(sG - eP) is not a quadratic residue _, fQ = ssa.gen_keys(0x2) self.assertRaises(AssertionError, ssa._verify, mhd, fQ, sig, ec, hf) _, fQ = ssa.gen_keys(0x4) self.assertRaises(AssertionError, ssa._verify, mhd, fQ, sig, ec, hf) # not ec.pIsThreeModFour self.assertRaises(ValueError, ssa._verify, mhd, x_Q, sig, secp224k1, hf) # verify: message of wrong size wrongmhd = mhd[:-1] self.assertRaises(ValueError, ssa._verify, wrongmhd, x_Q, sig, ec, hf) # ssa._verify(wrongmhd, x_Q, sig) # sign: message of wrong size self.assertRaises(ValueError, ssa.sign, wrongmhd, q, None) # ssa.sign(wrongmhd, q, None) # invalid (zero) challenge e self.assertRaises(ValueError, ssa._recover_pubkeys, 0, sig[0], sig[1], ec) # ssa._recover_pubkeys(0, sig) # not a BIP340 public key self.assertRaises(ValueError, ssa._to_bip340_point, ["not", "a BIP340", "public key"])
def test_ecssa(self): """Basic tests""" q = 0x1 Q = mult(q) mhd = hf(b'Satoshi Nakamoto').digest() sig = ssa.sign(mhd, q, None) ssa._verify(mhd, Q, sig, ec, hf) self.assertTrue(ssa.verify(mhd, Q, sig)) fmhd = hf(b'Craig Wright').digest() self.assertRaises(AssertionError, ssa._verify, fmhd, Q, sig, ec, hf) fssasig = (sig[0], sig[1], sig[1]) self.assertRaises(ValueError, ssa._verify, mhd, Q, fssasig, ec, hf) # y(sG - eP) is not a quadratic residue fq = 0x2 fQ = mult(fq) self.assertRaises(ValueError, ssa._verify, mhd, fQ, sig, ec, hf) fq = 0x4 fQ = mult(fq) self.assertRaises(AssertionError, ssa._verify, mhd, fQ, sig, ec, hf) # not ec.pIsThreeModFour self.assertRaises(ValueError, ssa._verify, mhd, Q, sig, secp224k1, hf) # verify: message of wrong size wrongmhd = mhd[:-1] self.assertRaises(ValueError, ssa._verify, wrongmhd, Q, sig, ec, hf) #ssa._verify(wrongmhd, Q, sig) # sign: message of wrong size self.assertRaises(ValueError, ssa.sign, wrongmhd, q, None) #ssa.sign(wrongmhd, q, None) # invalid (zero) challenge e self.assertRaises(ValueError, ssa._recover_pubkeys, 0, sig[0], sig[1], ec) #ssa._recover_pubkeys(0, sig) # not a BIP340 public key self.assertRaises(ValueError, ssa.to_bip340_pubkey_tuple, ["not", "a BIP340", "public key"])
def test_signature() -> None: ec = CURVES["secp256k1"] msg = "Satoshi Nakamoto" q, x_Q = ssa.gen_keys(0x01) sig = ssa.sign(msg, q) ssa.assert_as_valid(msg, x_Q, sig) assert ssa.verify(msg, x_Q, sig) assert sig == ssa.deserialize(sig) ssa.assert_as_valid(msg, x_Q, sig) ssa.assert_as_valid(msg, x_Q, ssa.serialize(*sig)) ssa.assert_as_valid(msg, x_Q, ssa.serialize(*sig).hex()) msg_fake = "Craig Wright" assert not ssa.verify(msg_fake, x_Q, sig) err_msg = r"y_K is odd|signature verification failed" with pytest.raises(BTClibRuntimeError, match=err_msg): ssa.assert_as_valid(msg_fake, x_Q, sig) _, x_Q_fake = ssa.gen_keys(0x02) assert not ssa.verify(msg, x_Q_fake, sig) with pytest.raises(BTClibRuntimeError, match=err_msg): ssa.assert_as_valid(msg, x_Q_fake, sig) _, x_Q_fake = ssa.gen_keys(0x4) assert not ssa.verify(msg, x_Q_fake, sig) with pytest.raises(BTClibRuntimeError, match=err_msg): ssa.assert_as_valid(msg, x_Q_fake, sig) err_msg = "not a BIP340 public key" with pytest.raises(BTClibValueError, match=err_msg): ssa.assert_as_valid(msg, INF, sig) # type: ignore with pytest.raises(BTClibValueError, match=err_msg): ssa.point_from_bip340pubkey(INF) # type: ignore sig_fake = (sig[0], sig[1], sig[1]) assert not ssa.verify(msg, x_Q, sig_fake) # type: ignore err_msg = "too many values to unpack " with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(msg, x_Q, sig_fake) # type: ignore sig_invalid = ec.p, sig[1] assert not ssa.verify(msg, x_Q, sig_invalid) err_msg = "x-coordinate not in 0..p-1: " with pytest.raises(BTClibValueError, match=err_msg): ssa.assert_as_valid(msg, x_Q, sig_invalid) sig_invalid = sig[0], ec.p assert not ssa.verify(msg, x_Q, sig_invalid) err_msg = "scalar s not in 0..n-1: " with pytest.raises(BTClibValueError, match=err_msg): ssa.assert_as_valid(msg, x_Q, sig_invalid) m_fake = b"\x00" * 31 err_msg = "invalid size: 31 bytes instead of 32" with pytest.raises(BTClibValueError, match=err_msg): ssa._assert_as_valid(m_fake, x_Q, sig) with pytest.raises(BTClibValueError, match=err_msg): ssa._sign(m_fake, q) err_msg = "private key not in 1..n-1: " with pytest.raises(BTClibValueError, match=err_msg): ssa.sign(msg, 0) # ephemeral key not in 1..n-1 err_msg = "private key not in 1..n-1: " with pytest.raises(BTClibValueError, match=err_msg): ssa._sign(reduce_to_hlen(msg, hf), q, 0) with pytest.raises(BTClibValueError, match=err_msg): ssa._sign(reduce_to_hlen(msg, hf), q, ec.n) err_msg = "invalid zero challenge" with pytest.raises(BTClibValueError, match=err_msg): ssa.__recover_pubkey(0, sig[0], sig[1], ec)
def test_musig(self): """testing 3-of-3 MuSig https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md https://blockstream.com/2019/02/18/musig-a-new-multisignature-standard/ https://eprint.iacr.org/2018/068 https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html https://medium.com/@snigirev.stepan/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744 """ M = sha256(b'message to sign').digest() ec = secp256k1 hf = sha256 # key setup is not interactive # first signer q1 = int_from_octets( '0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d92ad1d') Q1 = mult(q1) k1 = rfc6979(M, q1) K1 = mult(k1) # second signer q2 = int_from_octets( '0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d') Q2 = mult(q2) k2 = rfc6979(M, q2) K2 = mult(k2) # third signer q3 = int_from_octets( '0c28fca386c7aff7600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d') Q3 = mult(q3) k3 = rfc6979(M, q3) K3 = mult(k3) # this is MuSig core: the rest is just Schnorr signature additivity L: List[Point] = list() # multiset of public keys L.append(octets_from_point(Q1, False, ec)) L.append(octets_from_point(Q2, False, ec)) L.append(octets_from_point(Q3, False, ec)) L.sort() # using lexicographic ordering L_brackets = b'' for i in range(len(L)): L_brackets += L[i] h1 = hf(L_brackets + octets_from_point(Q1, False, ec)).digest() a1 = int_from_bits(h1, ec) h2 = hf(L_brackets + octets_from_point(Q2, False, ec)).digest() a2 = int_from_bits(h2, ec) h3 = hf(L_brackets + octets_from_point(Q3, False, ec)).digest() a3 = int_from_bits(h3, ec) # aggregated public key Q = ec.add(double_mult(a1, Q1, a2, Q2), mult(a3, Q3)) Q_bytes = octets_from_point(Q, True, ec) ######################## # interactive signature: exchange K, compute s # WARNING: the signers should exchange commitments to the public # nonces before sending the nonces themselves # first signer # K, r_bytes, and e as calculated by any signer # are the same as the ones by the other signers K = ec.add(ec.add(K1, K2), K3) r_bytes = K[0].to_bytes(32, byteorder='big') e = int_from_bits(hf(r_bytes + Q_bytes + M).digest(), ec) if legendre_symbol(K[1], ec._p) != 1: # no need to actually change K[1], as it is not used anymore # let's fix k1 instead, as it is used later # note that all other signers will change their k too k1 = ec.n - k1 s1 = (k1 + e * a1 * q1) % ec.n # second signer # K, r_bytes, and e as calculated by any signer # are the same as the ones by the other signers if legendre_symbol(K[1], ec._p) != 1: # no need to actually change K[1], as it is not used anymore # let's fix k2 instead, as it is used later # note that all other signers will change their k too k2 = ec.n - k2 s2 = (k2 + e * a2 * q2) % ec.n # third signer # K, r_bytes, and e as calculated by any signer # are the same as the ones by the other signers if legendre_symbol(K[1], ec._p) != 1: # no need to actually change K[1], as it is not used anymore # let's fix k3 instead, as it is used later # note that all other signers will change their k too k3 = ec.n - k3 s3 = (k3 + e * a3 * q3) % ec.n ############################################ # interactive signature: exchange signatures # combine all (K[0], s) signatures into a single signature # anyone can do the following sig = K[0], (s1 + s2 + s3) % ec.n self.assertTrue(ssa.verify(M, Q, sig))
ec = secp256k1 hf = sha256 hsize = hf().digest_size hlen = hsize * 8 # n = 1 loops forever and does not really test batch verify n_sig = [2, 4, 8, 16, 32, 64, 128] m = [] sig = [] Q = [] for j in range(max(n_sig)): m.append(random.getrandbits(hlen).to_bytes(hsize, 'big')) q = random.getrandbits(ec.nlen) % ec.n sig.append(sign(ec, hf, m[j], q)) Q.append(mult(ec, q, ec.G)) for n in n_sig: # no batch start = time.time() for j in range(n): assert verify(ec, hf, m[j], Q[j], sig[j]) elapsed1 = time.time() - start # batch start = time.time() assert batch_verify(ec, hf, m[:n], Q[:n], sig[:n]) elapsed2 = time.time() - start print(n, elapsed2 / elapsed1)
random.seed(42) hsize = hf().digest_size hlen = hsize * 8 # n = 1 loops forever and does not really test batch verify n_sig = [2, 4, 8, 16, 32, 64, 128] m = [] sig = [] Q = [] for j in range(max(n_sig)): m.append(random.getrandbits(hlen).to_bytes(hsize, 'big')) q = random.getrandbits(ec.nlen) % ec.n sig.append(sign(m[j], q)) Q.append(mult(q, ec.G)) for n in n_sig: # no batch start = time.time() for j in range(n): assert verify(m[j], Q[j], sig[j]) elapsed1 = time.time() - start # batch start = time.time() assert batch_verify(m[:n], Q[:n], sig[:n]) elapsed2 = time.time() - start print(n, elapsed2 / elapsed1)
def test_musig(self): """ testing 3-of-3 MuSig https://eprint.iacr.org/2018/068 https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html https://medium.com/@snigirev.stepan/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744 """ ec = secp256k1 L: List[Point] = list() # multiset of public keys M = hf('message to sign'.encode()).digest() # first signer q1 = int_from_octets( '0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d92ad1d') Q1 = mult(ec, q1, ec.G) L.append(octets_from_point(ec, Q1, False)) # ephemeral private nonce k1 = 0x012a2a833eac4e67e06611aba01345b85cdd4f5ad44f72e369ef0dd640424dbb K1 = mult(ec, k1, ec.G) K1_x = K1[0] if legendre_symbol(K1[1], ec._p) != 1: k1 = ec.n - k1 K1 = K1_x, ec.y_quadratic_residue(K1_x, True) #K1 = mult(ec, k1, ec.G) # second signer q2 = int_from_octets( '0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d') Q2 = mult(ec, q2, ec.G) L.append(octets_from_point(ec, Q2, False)) k2 = 0x01a2a0d3eac4e67e06611aba01345b85cdd4f5ad44f72e369ef0dd640424dbdb K2 = mult(ec, k2, ec.G) K2_x = K2[0] if legendre_symbol(K2[1], ec._p) != 1: k2 = ec.n - k2 K2 = K2_x, ec.y_quadratic_residue(K2_x, True) #K2 = mult(ec, k2, ec.G) # third signer q3 = random.getrandbits(ec.nlen) % ec.n Q3 = mult(ec, q3, ec.G) while Q3 == None: # plausible only for small (test) cardinality groups q3 = random.getrandbits(ec.nlen) % ec.n Q3 = mult(ec, q3, ec.G) L.append(octets_from_point(ec, Q3, False)) k3 = random.getrandbits(ec.nlen) % ec.n K3 = mult(ec, k3, ec.G) while K3 == None: # plausible only for small (test) cardinality groups k3 = random.getrandbits(ec.nlen) % ec.n K3 = mult(ec, k3, ec.G) K3_x = K3[0] if legendre_symbol(K3[1], ec._p) != 1: k3 = ec.n - k3 K3 = K3_x, ec.y_quadratic_residue(K3_x, True) #K3 = mult(ec, k3, ec.G) L.sort() # using lexicographic ordering L_brackets = b'' for i in range(len(L)): L_brackets += L[i] h1 = hf(L_brackets + octets_from_point(ec, Q1, False)).digest() a1 = int_from_bits(ec, h1) h2 = hf(L_brackets + octets_from_point(ec, Q2, False)).digest() a2 = int_from_bits(ec, h2) h3 = hf(L_brackets + octets_from_point(ec, Q3, False)).digest() a3 = int_from_bits(ec, h3) # aggregated public key Q_All = double_mult(ec, a1, Q1, a2, Q2) Q_All = ec.add(Q_All, mult(ec, a3, Q3)) Q_All_bytes = octets_from_point(ec, Q_All, True) ######################## # exchange K_x, compute s # WARNING: the signers should exchange commitments to the public # nonces before sending the nonces themselves # first signer use K2_x and K3_x y = ec.y_quadratic_residue(K2_x, True) K2_recovered = (K2_x, y) y = ec.y_quadratic_residue(K3_x, True) K3_recovered = (K3_x, y) K1_All = ec.add(ec.add(K1, K2_recovered), K3_recovered) if legendre_symbol(K1_All[1], ec._p) != 1: # no need to actually change K1_All[1], as it is not used anymore # let's fix k1 instead, as it is used later k1 = ec.n - k1 K1_All0_bytes = K1_All[0].to_bytes(32, byteorder="big") h1 = hf(K1_All0_bytes + Q_All_bytes + M).digest() c1 = int_from_bits(ec, h1) assert 0 < c1 and c1 < ec.n, "sign fail" s1 = (k1 + c1 * a1 * q1) % ec.n # second signer use K1_x and K3_x y = ec.y_quadratic_residue(K1_x, True) K1_recovered = (K1_x, y) y = ec.y_quadratic_residue(K3_x, True) K3_recovered = (K3_x, y) K2_All = ec.add(ec.add(K2, K1_recovered), K3_recovered) if legendre_symbol(K2_All[1], ec._p) != 1: # no need to actually change K2_All[1], as it is not used anymore # let's fix k2 instead, as it is used later k2 = ec.n - k2 K2_All0_bytes = K2_All[0].to_bytes(32, byteorder="big") h2 = hf(K2_All0_bytes + Q_All_bytes + M).digest() c2 = int_from_bits(ec, h2) assert 0 < c2 and c2 < ec.n, "sign fail" s2 = (k2 + c2 * a2 * q2) % ec.n # third signer use K1_x and K2_x y = ec.y_quadratic_residue(K1_x, True) K1_recovered = (K1_x, y) y = ec.y_quadratic_residue(K2_x, True) K2_recovered = (K2_x, y) K3_All = ec.add(ec.add(K1_recovered, K2_recovered), K3) if legendre_symbol(K3_All[1], ec._p) != 1: # no need to actually change K3_All[1], as it is not used anymore # let's fix k3 instead, as it is used later k3 = ec.n - k3 K3_All0_bytes = K3_All[0].to_bytes(32, byteorder="big") h3 = hf(K3_All0_bytes + Q_All_bytes + M).digest() c3 = int_from_bits(ec, h3) assert 0 < c3 and c3 < ec.n, "sign fail" s3 = (k3 + c3 * a3 * q3) % ec.n ############################################ # combine signatures into a single signature # anyone can do the following assert K1_All[0] == K2_All[0], "sign fail" assert K2_All[0] == K3_All[0], "sign fail" s_All = (s1 + s2 + s3) % ec.n sig = (K1_All[0], s_All) self.assertTrue(ssa.verify(ec, hf, M, Q_All, sig))
def test_musig(self): """testing 3-of-3 MuSig https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md https://blockstream.com/2019/02/18/musig-a-new-multisignature-standard/ https://eprint.iacr.org/2018/068 https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html https://medium.com/@snigirev.stepan/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744 """ mhd = hf(b'message to sign').digest() # the signers private and public keys, # including both the curve Point and the BIP340-Schnorr public key q1 = 0x010101 Q1 = mult(q1) Q1_x = Q1[0].to_bytes(ec.psize, 'big') q2 = 0x020202 Q2 = mult(q2) Q2_x = Q2[0].to_bytes(ec.psize, 'big') q3 = 0x030303 Q3 = mult(q3) Q3_x = Q3[0].to_bytes(ec.psize, 'big') # ready to sign: nonces and nonce commitments k1 = 1 + secrets.randbelow(ec.n - 1) K1 = mult(k1) k2 = 1 + secrets.randbelow(ec.n - 1) K2 = mult(k2) k3 = 1 + secrets.randbelow(ec.n - 1) K3 = mult(k3) #### (non interactive) key setup # this is MuSig core: the rest is just Schnorr signature additivity # 1. lexicographic sorting of public keys keys: List[bytes] = list() keys.append(Q1_x) keys.append(Q2_x) keys.append(Q3_x) keys.sort() # 2. coefficients prefix = b''.join(keys) a1 = int_from_bits(hf(prefix + Q1_x).digest(), ec.nlen) % ec.n a2 = int_from_bits(hf(prefix + Q2_x).digest(), ec.nlen) % ec.n a3 = int_from_bits(hf(prefix + Q3_x).digest(), ec.nlen) % ec.n # 3. aggregated public key Q = ec.add(double_mult(a1, Q1, a2, Q2), mult(a3, Q3)) #### exchange {K_i} (interactive) #### computes s_i (non interactive) # WARNING: # the signers must exchange the nonces # commitments {K_i} before sharing {s_i} # same for all signers K = ec.add(ec.add(K1, K2), K3) r = K[0] e = ssa._challenge(r, Q[0], mhd, ec, hf) # first signer if not ec.has_square_y(K): k1 = ec.n - k1 s1 = (k1 + e * a1 * q1) % ec.n # second signer if not ec.has_square_y(K): k2 = ec.n - k2 s2 = (k2 + e * a2 * q2) % ec.n # third signer if not ec.has_square_y(K): k3 = ec.n - k3 s3 = (k3 + e * a3 * q3) % ec.n #### exchange s_i (interactive) #### finalize signature (non interactive) s = (s1 + s2 + s3) % ec.n sig = r, s # check signature is valid self.assertTrue(ssa.verify(mhd, Q, sig))
def test_threshold(self): """testing 2-of-3 threshold signature (Pedersen secret sharing)""" # parameters t = 2 H = second_generator(ec, hf) mhd = hf(b'message to sign').digest() ### FIRST PHASE: key pair generation ### # signer one acting as the dealer commits1: List[Point] = list() q1 = (1 + random.getrandbits(ec.nlen)) % ec.n q1_prime = (1 + random.getrandbits(ec.nlen)) % ec.n commits1.append(double_mult(q1_prime, H, q1)) # sharing polynomials f1: List[int] = list() f1.append(q1) f1_prime: List[int] = list() f1_prime.append(q1_prime) for i in range(1, t): temp = (1 + random.getrandbits(ec.nlen)) % ec.n f1.append(temp) temp = (1 + random.getrandbits(ec.nlen)) % ec.n f1_prime.append(temp) commits1.append(double_mult(f1_prime[i], H, f1[i])) # shares of the secret alpha12 = 0 # share of q1 belonging to P2 alpha12_prime = 0 alpha13 = 0 # share of q1 belonging to P3 alpha13_prime = 0 for i in range(t): alpha12 += (f1[i] * pow(2, i)) % ec.n alpha12_prime += (f1_prime[i] * pow(2, i)) % ec.n alpha13 += (f1[i] * pow(3, i)) % ec.n alpha13_prime += (f1_prime[i] * pow(3, i)) % ec.n # player two verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(2, i), commits1[i])) assert double_mult(alpha12_prime, H, alpha12) == RHS, 'player one is cheating' # player three verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(3, i), commits1[i])) assert double_mult(alpha13_prime, H, alpha13) == RHS, 'player one is cheating' # signer two acting as the dealer commits2: List[Point] = list() q2 = (1 + random.getrandbits(ec.nlen)) % ec.n q2_prime = (1 + random.getrandbits(ec.nlen)) % ec.n commits2.append(double_mult(q2_prime, H, q2)) # sharing polynomials f2: List[int] = list() f2.append(q2) f2_prime: List[int] = list() f2_prime.append(q2_prime) for i in range(1, t): temp = (1 + random.getrandbits(ec.nlen)) % ec.n f2.append(temp) temp = (1 + random.getrandbits(ec.nlen)) % ec.n f2_prime.append(temp) commits2.append(double_mult(f2_prime[i], H, f2[i])) # shares of the secret alpha21 = 0 # share of q2 belonging to P1 alpha21_prime = 0 alpha23 = 0 # share of q2 belonging to P3 alpha23_prime = 0 for i in range(t): alpha21 += (f2[i] * pow(1, i)) % ec.n alpha21_prime += (f2_prime[i] * pow(1, i)) % ec.n alpha23 += (f2[i] * pow(3, i)) % ec.n alpha23_prime += (f2_prime[i] * pow(3, i)) % ec.n # player one verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(1, i), commits2[i])) assert double_mult(alpha21_prime, H, alpha21) == RHS, 'player two is cheating' # player three verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(3, i), commits2[i])) assert double_mult(alpha23_prime, H, alpha23) == RHS, 'player two is cheating' # signer three acting as the dealer commits3: List[Point] = list() q3 = (1 + random.getrandbits(ec.nlen)) % ec.n q3_prime = (1 + random.getrandbits(ec.nlen)) % ec.n commits3.append(double_mult(q3_prime, H, q3)) # sharing polynomials f3: List[int] = list() f3.append(q3) f3_prime: List[int] = list() f3_prime.append(q3_prime) for i in range(1, t): temp = (1 + random.getrandbits(ec.nlen)) % ec.n f3.append(temp) temp = (1 + random.getrandbits(ec.nlen)) % ec.n f3_prime.append(temp) commits3.append(double_mult(f3_prime[i], H, f3[i])) # shares of the secret alpha31 = 0 # share of q3 belonging to P1 alpha31_prime = 0 alpha32 = 0 # share of q3 belonging to P2 alpha32_prime = 0 for i in range(t): alpha31 += (f3[i] * pow(1, i)) % ec.n alpha31_prime += (f3_prime[i] * pow(1, i)) % ec.n alpha32 += (f3[i] * pow(2, i)) % ec.n alpha32_prime += (f3_prime[i] * pow(2, i)) % ec.n # player one verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(1, i), commits3[i])) assert double_mult(alpha31_prime, H, alpha31) == RHS, 'player three is cheating' # player two verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(2, i), commits3[i])) assert double_mult(alpha32_prime, H, alpha32) == RHS, 'player two is cheating' # shares of the secret key q = q1 + q2 + q3 alpha1 = (alpha21 + alpha31) % ec.n alpha2 = (alpha12 + alpha32) % ec.n alpha3 = (alpha13 + alpha23) % ec.n for i in range(t): alpha1 += (f1[i] * pow(1, i)) % ec.n alpha2 += (f2[i] * pow(2, i)) % ec.n alpha3 += (f3[i] * pow(3, i)) % ec.n # it's time to recover the public key Q = Q1 + Q2 + Q3 = (q1 + q2 + q3)G A1: List[Point] = list() A2: List[Point] = list() A3: List[Point] = list() # each participant i = 1, 2, 3 shares Qi as follows # he broadcasts these values for i in range(t): A1.append(mult(f1[i])) A2.append(mult(f2[i])) A3.append(mult(f3[i])) # he checks the others' values # player one RHS2 = INF RHS3 = INF for i in range(t): RHS2 = ec.add(RHS2, mult(pow(1, i), A2[i])) RHS3 = ec.add(RHS3, mult(pow(1, i), A3[i])) assert mult(alpha21) == RHS2, 'player two is cheating' assert mult(alpha31) == RHS3, 'player three is cheating' # player two RHS1 = INF RHS3 = INF for i in range(t): RHS1 = ec.add(RHS1, mult(pow(2, i), A1[i])) RHS3 = ec.add(RHS3, mult(pow(2, i), A3[i])) assert mult(alpha12) == RHS1, 'player one is cheating' assert mult(alpha32) == RHS3, 'player three is cheating' # player three RHS1 = INF RHS2 = INF for i in range(t): RHS1 = ec.add(RHS1, mult(pow(3, i), A1[i])) RHS2 = ec.add(RHS2, mult(pow(3, i), A2[i])) assert mult(alpha13) == RHS1, 'player one is cheating' assert mult(alpha23) == RHS2, 'player two is cheating' A: List[Point] = list() # commitment at the global sharing polynomial for i in range(t): A.append(ec.add(A1[i], ec.add(A2[i], A3[i]))) Q = A[0] # aggregated public key ### SECOND PHASE: generation of the nonces' pair ### # This phase follows exactly the key generation procedure # suppose that player one and three want to sign # signer one acting as the dealer commits1: List[Point] = list() k1 = (1 + random.getrandbits(ec.nlen)) % ec.n k1_prime = (1 + random.getrandbits(ec.nlen)) % ec.n commits1.append(double_mult(k1_prime, H, k1)) # sharing polynomials f1: List[int] = list() f1.append(k1) f1_prime: List[int] = list() f1_prime.append(k1_prime) for i in range(1, t): temp = (1 + random.getrandbits(ec.nlen)) % ec.n f1.append(temp) temp = (1 + random.getrandbits(ec.nlen)) % ec.n f1_prime.append(temp) commits1.append(double_mult(f1_prime[i], H, f1[i])) # shares of the secret beta13 = 0 # share of k1 belonging to P3 beta13_prime = 0 for i in range(t): beta13 += (f1[i] * pow(3, i)) % ec.n beta13_prime += (f1_prime[i] * pow(3, i)) % ec.n # player three verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(3, i), commits1[i])) assert double_mult(beta13_prime, H, beta13) == RHS, 'player one is cheating' # signer three acting as the dealer commits3: List[Point] = list() k3 = (1 + random.getrandbits(ec.nlen)) % ec.n k3_prime = (1 + random.getrandbits(ec.nlen)) % ec.n commits3.append(double_mult(k3_prime, H, k3)) # sharing polynomials f3: List[int] = list() f3.append(k3) f3_prime: List[int] = list() f3_prime.append(k3_prime) for i in range(1, t): temp = (1 + random.getrandbits(ec.nlen)) % ec.n f3.append(temp) temp = (1 + random.getrandbits(ec.nlen)) % ec.n f3_prime.append(temp) commits3.append(double_mult(f3_prime[i], H, f3[i])) # shares of the secret beta31 = 0 # share of k3 belonging to P1 beta31_prime = 0 for i in range(t): beta31 += (f3[i] * pow(1, i)) % ec.n beta31_prime += (f3_prime[i] * pow(1, i)) % ec.n # player one verifies consistency of his share RHS = INF for i in range(t): RHS = ec.add(RHS, mult(pow(1, i), commits3[i])) assert double_mult(beta31_prime, H, beta31) == RHS, 'player three is cheating' # shares of the secret nonce beta1 = beta31 % ec.n beta3 = beta13 % ec.n for i in range(t): beta1 += (f1[i] * pow(1, i)) % ec.n beta3 += (f3[i] * pow(3, i)) % ec.n # it's time to recover the public nonce B1: List[Point] = list() B3: List[Point] = list() # each participant i = 1, 3 shares Qi as follows # he broadcasts these values for i in range(t): B1.append(mult(f1[i])) B3.append(mult(f3[i])) # he checks the others' values # player one RHS3 = INF for i in range(t): RHS3 = ec.add(RHS3, mult(pow(1, i), B3[i])) assert mult(beta31) == RHS3, 'player three is cheating' # player three RHS1 = INF for i in range(t): RHS1 = ec.add(RHS1, mult(pow(3, i), B1[i])) assert mult(beta13) == RHS1, 'player one is cheating' B: List[Point] = list() # commitment at the global sharing polynomial for i in range(t): B.append(ec.add(B1[i], B3[i])) K = B[0] # aggregated public nonce if not ec.has_square_y(K): beta1 = ec.n - beta1 beta3 = ec.n - beta3 ### PHASE THREE: signature generation ### # partial signatures e = ssa._challenge(K[0], Q[0], mhd, ec, hf) gamma1 = (beta1 + e * alpha1) % ec.n gamma3 = (beta3 + e * alpha3) % ec.n # each participant verifies the other partial signatures # player one if ec.has_square_y(K): RHS3 = ec.add(K, mult(e, Q)) for i in range(1, t): temp = double_mult(pow(3, i), B[i], e * pow(3, i), A[i]) RHS3 = ec.add(RHS3, temp) else: RHS3 = ec.add(ec.opposite(K), mult(e, Q)) for i in range(1, t): temp = double_mult(pow(3, i), ec.opposite(B[i]), e * pow(3, i), A[i]) RHS3 = ec.add(RHS3, temp) assert mult(gamma3) == RHS3, 'player three is cheating' # player three if ec.has_square_y(K): RHS1 = ec.add(K, mult(e, Q)) for i in range(1, t): temp = double_mult(pow(1, i), B[i], e * pow(1, i), A[i]) RHS1 = ec.add(RHS1, temp) else: RHS1 = ec.add(ec.opposite(K), mult(e, Q)) for i in range(1, t): temp = double_mult(pow(1, i), ec.opposite(B[i]), e * pow(1, i), A[i]) RHS1 = ec.add(RHS1, temp) assert mult(gamma1) == RHS1, 'player two is cheating' ### PHASE FOUR: aggregating the signature ### omega1 = 3 * mod_inv(3 - 1, ec.n) % ec.n omega3 = 1 * mod_inv(1 - 3, ec.n) % ec.n sigma = (gamma1 * omega1 + gamma3 * omega3) % ec.n sig = K[0], sigma self.assertTrue(ssa.verify(mhd, Q, sig)) ### ADDITIONAL PHASE: reconstruction of the private key ### secret = (omega1 * alpha1 + omega3 * alpha3) % ec.n self.assertEqual((q1 + q2 + q3) % ec.n, secret)
q = 0x18E14A7B6A307F426A94F8114701E7C8E774E7F9A47E2C2035DB29A206321725 q %= ec.n print("1. Key generation") print(f"prvkey: {hex(q).upper()}") Q = mult(q, ec.G)[0] print(f"PubKey: {hex(Q).upper()}") print("2. Sign message") r, s = sign(msg, q) print(f" r: {hex(r).upper()}") print(f" s: {hex(s).upper()}") print("3. Verify signature") print(verify(msg, Q, (r, s))) print("\n** Malleated signature") sm = ec.n - s print(f" r: {hex(r).upper()}") print(f" sm: {hex(sm).upper()}") print("** Verify malleated signature") print(verify(msg, Q, (r, sm))) print("\n0. Another message to sign") orig_msg2 = "and Paolo is right to be afraid" msg2 = sha256(orig_msg2.encode()).digest() print(msg2.hex().upper()) print("2. Sign message")
def test_threshold() -> None: "testing 2-of-3 threshold signature (Pedersen secret sharing)" ec = CURVES["secp256k1"] # parameters m = 2 H = second_generator(ec) # FIRST PHASE: key pair generation ################################### # 1.1 signer one acting as the dealer commits1: List[Point] = [] q1, _ = ssa.gen_keys() q1_prime, _ = ssa.gen_keys() commits1.append(double_mult(q1_prime, H, q1, ec.G)) # sharing polynomials f1 = [q1] f1_prime = [q1_prime] for i in range(1, m): f1.append(ssa.gen_keys()[0]) f1_prime.append(ssa.gen_keys()[0]) commits1.append(double_mult(f1_prime[i], H, f1[i], ec.G)) # shares of the secret alpha12 = 0 # share of q1 belonging to signer two alpha12_prime = 0 alpha13 = 0 # share of q1 belonging to signer three alpha13_prime = 0 for i in range(m): alpha12 += (f1[i] * pow(2, i)) % ec.n alpha12_prime += (f1_prime[i] * pow(2, i)) % ec.n alpha13 += (f1[i] * pow(3, i)) % ec.n alpha13_prime += (f1_prime[i] * pow(3, i)) % ec.n # signer two verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(2, i), commits1[i])) t = double_mult(alpha12_prime, H, alpha12, ec.G) assert t == RHS, "signer one is cheating" # signer three verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(3, i), commits1[i])) t = double_mult(alpha13_prime, H, alpha13, ec.G) assert t == RHS, "signer one is cheating" # 1.2 signer two acting as the dealer commits2: List[Point] = [] q2, _ = ssa.gen_keys() q2_prime, _ = ssa.gen_keys() commits2.append(double_mult(q2_prime, H, q2, ec.G)) # sharing polynomials f2 = [q2] f2_prime = [q2_prime] for i in range(1, m): f2.append(ssa.gen_keys()[0]) f2_prime.append(ssa.gen_keys()[0]) commits2.append(double_mult(f2_prime[i], H, f2[i], ec.G)) # shares of the secret alpha21 = 0 # share of q2 belonging to signer one alpha21_prime = 0 alpha23 = 0 # share of q2 belonging to signer three alpha23_prime = 0 for i in range(m): alpha21 += (f2[i] * pow(1, i)) % ec.n alpha21_prime += (f2_prime[i] * pow(1, i)) % ec.n alpha23 += (f2[i] * pow(3, i)) % ec.n alpha23_prime += (f2_prime[i] * pow(3, i)) % ec.n # signer one verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(1, i), commits2[i])) t = double_mult(alpha21_prime, H, alpha21, ec.G) assert t == RHS, "signer two is cheating" # signer three verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(3, i), commits2[i])) t = double_mult(alpha23_prime, H, alpha23, ec.G) assert t == RHS, "signer two is cheating" # 1.3 signer three acting as the dealer commits3: List[Point] = [] q3, _ = ssa.gen_keys() q3_prime, _ = ssa.gen_keys() commits3.append(double_mult(q3_prime, H, q3, ec.G)) # sharing polynomials f3 = [q3] f3_prime = [q3_prime] for i in range(1, m): f3.append(ssa.gen_keys()[0]) f3_prime.append(ssa.gen_keys()[0]) commits3.append(double_mult(f3_prime[i], H, f3[i], ec.G)) # shares of the secret alpha31 = 0 # share of q3 belonging to signer one alpha31_prime = 0 alpha32 = 0 # share of q3 belonging to signer two alpha32_prime = 0 for i in range(m): alpha31 += (f3[i] * pow(1, i)) % ec.n alpha31_prime += (f3_prime[i] * pow(1, i)) % ec.n alpha32 += (f3[i] * pow(2, i)) % ec.n alpha32_prime += (f3_prime[i] * pow(2, i)) % ec.n # signer one verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(1, i), commits3[i])) t = double_mult(alpha31_prime, H, alpha31, ec.G) assert t == RHS, "signer three is cheating" # signer two verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(2, i), commits3[i])) t = double_mult(alpha32_prime, H, alpha32, ec.G) assert t == RHS, "signer three is cheating" # shares of the secret key q = q1 + q2 + q3 alpha1 = (alpha21 + alpha31) % ec.n alpha2 = (alpha12 + alpha32) % ec.n alpha3 = (alpha13 + alpha23) % ec.n for i in range(m): alpha1 += (f1[i] * pow(1, i)) % ec.n alpha2 += (f2[i] * pow(2, i)) % ec.n alpha3 += (f3[i] * pow(3, i)) % ec.n # 1.4 it's time to recover the public key # each participant i = 1, 2, 3 shares Qi as follows # Q = Q1 + Q2 + Q3 = (q1 + q2 + q3) G A1: List[Point] = [] A2: List[Point] = [] A3: List[Point] = [] for i in range(m): A1.append(mult(f1[i])) A2.append(mult(f2[i])) A3.append(mult(f3[i])) # signer one checks others' values RHS2 = INF RHS3 = INF for i in range(m): RHS2 = ec.add(RHS2, mult(pow(1, i), A2[i])) RHS3 = ec.add(RHS3, mult(pow(1, i), A3[i])) assert mult(alpha21) == RHS2, "signer two is cheating" assert mult(alpha31) == RHS3, "signer three is cheating" # signer two checks others' values RHS1 = INF RHS3 = INF for i in range(m): RHS1 = ec.add(RHS1, mult(pow(2, i), A1[i])) RHS3 = ec.add(RHS3, mult(pow(2, i), A3[i])) assert mult(alpha12) == RHS1, "signer one is cheating" assert mult(alpha32) == RHS3, "signer three is cheating" # signer three checks others' values RHS1 = INF RHS2 = INF for i in range(m): RHS1 = ec.add(RHS1, mult(pow(3, i), A1[i])) RHS2 = ec.add(RHS2, mult(pow(3, i), A2[i])) assert mult(alpha13) == RHS1, "signer one is cheating" assert mult(alpha23) == RHS2, "signer two is cheating" # commitment at the global sharing polynomial A: List[Point] = [] for i in range(m): A.append(ec.add(A1[i], ec.add(A2[i], A3[i]))) # aggregated public key Q = A[0] if Q[1] % 2: # print('Q has been negated') A[1] = ec.negate(A[1]) # pragma: no cover alpha1 = ec.n - alpha1 # pragma: no cover alpha2 = ec.n - alpha2 # pragma: no cover alpha3 = ec.n - alpha3 # pragma: no cover Q = ec.negate(Q) # pragma: no cover # SECOND PHASE: generation of the nonces' pair ###################### # Assume signer one and three want to sign msg = "message to sign" # 2.1 signer one acting as the dealer commits1 = [] k1 = ssa.det_nonce(msg, q1, ec, hf) k1_prime = ssa.det_nonce(msg, q1_prime, ec, hf) commits1.append(double_mult(k1_prime, H, k1, ec.G)) # sharing polynomials f1 = [k1] f1_prime = [k1_prime] for i in range(1, m): f1.append(ssa.gen_keys()[0]) f1_prime.append(ssa.gen_keys()[0]) commits1.append(double_mult(f1_prime[i], H, f1[i], ec.G)) # shares of the secret beta13 = 0 # share of k1 belonging to signer three beta13_prime = 0 for i in range(m): beta13 += (f1[i] * pow(3, i)) % ec.n beta13_prime += (f1_prime[i] * pow(3, i)) % ec.n # signer three verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(3, i), commits1[i])) t = double_mult(beta13_prime, H, beta13, ec.G) assert t == RHS, "signer one is cheating" # 2.2 signer three acting as the dealer commits3 = [] k3 = ssa.det_nonce(msg, q3, ec, hf) k3_prime = ssa.det_nonce(msg, q3_prime, ec, hf) commits3.append(double_mult(k3_prime, H, k3, ec.G)) # sharing polynomials f3 = [k3] f3_prime = [k3_prime] for i in range(1, m): f3.append(ssa.gen_keys()[0]) f3_prime.append(ssa.gen_keys()[0]) commits3.append(double_mult(f3_prime[i], H, f3[i], ec.G)) # shares of the secret beta31 = 0 # share of k3 belonging to signer one beta31_prime = 0 for i in range(m): beta31 += (f3[i] * pow(1, i)) % ec.n beta31_prime += (f3_prime[i] * pow(1, i)) % ec.n # signer one verifies consistency of his share RHS = INF for i in range(m): RHS = ec.add(RHS, mult(pow(1, i), commits3[i])) t = double_mult(beta31_prime, H, beta31, ec.G) assert t == RHS, "signer three is cheating" # 2.3 shares of the secret nonce beta1 = beta31 % ec.n beta3 = beta13 % ec.n for i in range(m): beta1 += (f1[i] * pow(1, i)) % ec.n beta3 += (f3[i] * pow(3, i)) % ec.n # 2.4 it's time to recover the public nonce # each participant i = 1, 3 shares Qi as follows B1: List[Point] = [] B3: List[Point] = [] for i in range(m): B1.append(mult(f1[i])) B3.append(mult(f3[i])) # signer one checks values from signer three RHS3 = INF for i in range(m): RHS3 = ec.add(RHS3, mult(pow(1, i), B3[i])) assert mult(beta31) == RHS3, "signer three is cheating" # signer three checks values from signer one RHS1 = INF for i in range(m): RHS1 = ec.add(RHS1, mult(pow(3, i), B1[i])) assert mult(beta13) == RHS1, "signer one is cheating" # commitment at the global sharing polynomial B: List[Point] = [] for i in range(m): B.append(ec.add(B1[i], B3[i])) # aggregated public nonce K = B[0] if K[1] % 2: # print('K has been negated') B[1] = ec.negate(B[1]) # pragma: no cover beta1 = ec.n - beta1 # pragma: no cover beta3 = ec.n - beta3 # pragma: no cover K = ec.negate(K) # pragma: no cover # PHASE THREE: signature generation ### # partial signatures e = ssa.challenge(msg, Q[0], K[0], ec, hf) gamma1 = (beta1 + e * alpha1) % ec.n gamma3 = (beta3 + e * alpha3) % ec.n # each participant verifies the other partial signatures # signer one RHS3 = ec.add(K, mult(e, Q)) for i in range(1, m): temp = double_mult(pow(3, i), B[i], e * pow(3, i), A[i]) RHS3 = ec.add(RHS3, temp) assert mult(gamma3) == RHS3, "signer three is cheating" # signer three RHS1 = ec.add(K, mult(e, Q)) for i in range(1, m): temp = double_mult(pow(1, i), B[i], e * pow(1, i), A[i]) RHS1 = ec.add(RHS1, temp) assert mult(gamma1) == RHS1, "signer one is cheating" # PHASE FOUR: aggregating the signature ### omega1 = 3 * mod_inv(3 - 1, ec.n) % ec.n omega3 = 1 * mod_inv(1 - 3, ec.n) % ec.n sigma = (gamma1 * omega1 + gamma3 * omega3) % ec.n sig = K[0], sigma assert ssa.verify(msg, Q[0], sig) # ADDITIONAL PHASE: reconstruction of the private key ### secret = (omega1 * alpha1 + omega3 * alpha3) % ec.n assert (q1 + q2 + q3) % ec.n in (secret, ec.n - secret)
def test_musig(self): """testing 3-of-3 MuSig https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md https://blockstream.com/2019/02/18/musig-a-new-multisignature-standard/ https://eprint.iacr.org/2018/068 https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html https://medium.com/@snigirev.stepan/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744 """ mhd = hf(b'message to sign').digest() # the signers private and public keys, # including both the curve Point and the BIP340-Schnorr public key q1, x_Q1 = ssa.gen_keys() x_Q1 = x_Q1.to_bytes(ec.psize, 'big') q2, x_Q2 = ssa.gen_keys() x_Q2 = x_Q2.to_bytes(ec.psize, 'big') q3, x_Q3 = ssa.gen_keys() x_Q3 = x_Q3.to_bytes(ec.psize, 'big') # (non interactive) key setup # this is MuSig core: the rest is just Schnorr signature additivity # 1. lexicographic sorting of public keys keys: List[bytes] = list() keys.append(x_Q1) keys.append(x_Q2) keys.append(x_Q3) keys.sort() # 2. coefficients prefix = b''.join(keys) a1 = int_from_bits(hf(prefix + x_Q1).digest(), ec.nlen) % ec.n a2 = int_from_bits(hf(prefix + x_Q2).digest(), ec.nlen) % ec.n a3 = int_from_bits(hf(prefix + x_Q3).digest(), ec.nlen) % ec.n # 3. aggregated public key Q1 = mult(q1) Q2 = mult(q2) Q3 = mult(q3) Q = ec.add(double_mult(a1, Q1, a2, Q2), mult(a3, Q3)) if not ec.has_square_y(Q): # print("Q has been negated") a1 = ec.n - a1 # pragma: no cover a2 = ec.n - a2 # pragma: no cover a3 = ec.n - a3 # pragma: no cover # ready to sign: nonces and nonce commitments k1, _ = ssa.gen_keys() K1 = mult(k1) k2, _ = ssa.gen_keys() K2 = mult(k2) k3, _ = ssa.gen_keys() K3 = mult(k3) # exchange {K_i} (interactive) # computes s_i (non interactive) # WARNING: signers must exchange the nonces commitments {K_i} # before sharing {s_i} # same for all signers K = ec.add(ec.add(K1, K2), K3) if not ec.has_square_y(K): k1 = ec.n - k1 # pragma: no cover k2 = ec.n - k2 # pragma: no cover k3 = ec.n - k3 # pragma: no cover r = K[0] e = ssa._challenge(r, Q[0], mhd, ec, hf) s1 = (k1 + e * a1 * q1) % ec.n s2 = (k2 + e * a2 * q2) % ec.n s3 = (k3 + e * a3 * q3) % ec.n # exchange s_i (interactive) # finalize signature (non interactive) s = (s1 + s2 + s3) % ec.n sig = r, s # check signature is valid ssa._verify(mhd, Q, sig, ec, hf) self.assertTrue(ssa.verify(mhd, Q, sig))
dsa_valid = dsa.verify(msg, dsa_pub, dsa_sig) print("valid ECDSA sig:", dsa_valid) # ECSSA print("\n ECSSA") ssa_prv, ssa_pub = ssa.gen_keys() print("prv", hex(ssa_prv)) print("pub", hex(ssa_pub)) ssa_sig = ssa.sign(msg, ssa_prv) print("r:", hex(ssa_sig[0])) print("s:", hex(ssa_sig[1])) ssa_valid = ssa.verify(msg, ssa_pub, ssa_sig) print("valid ECSSA sig:", ssa_valid) # ECBMS print("\n ECBMS") bms_prv, bms_pub = bms.gen_keys() print("prv", bms_prv) print("pub", bms_pub) bms_sig = bms.sign(msg, bms_prv) print("rf:", hex(bms_sig[0])) print("r:", hex(bms_sig[1])) print("s:", hex(bms_sig[2])) bms_valid = bms.verify(msg, bms_pub, bms_sig)
def test_signature(): """Basic tests""" ec = secp256k1 q, x_Q = ssa.gen_keys(0x1) mhd = hf(b"Satoshi Nakamoto").digest() sig = ssa.sign(mhd, q, None) ssa.assert_as_valid(mhd, x_Q, sig, ec, hf) assert ssa.verify(mhd, x_Q, sig) assert sig == ssa.deserialize(sig) fmhd = hf(b"Craig Wright").digest() assert not ssa.verify(fmhd, x_Q, sig, ec, hf) err_msg = "signature verification failed" with pytest.raises(AssertionError, match=err_msg): ssa.assert_as_valid(fmhd, x_Q, sig, ec, hf) _, x_fQ = ssa.gen_keys(0x2) assert not ssa.verify(mhd, x_fQ, sig, ec, hf) err_msg = "y_K is not a quadratic residue" with pytest.raises(RuntimeError, match=err_msg): ssa.assert_as_valid(mhd, x_fQ, sig, ec, hf) _, x_fQ = ssa.gen_keys(0x4) assert not ssa.verify(mhd, x_fQ, sig, ec, hf) err_msg = "signature verification failed" with pytest.raises(AssertionError, match=err_msg): ssa.assert_as_valid(mhd, x_fQ, sig, ec, hf) err_msg = "not a BIP340 public key" with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(mhd, INF, sig, ec, hf) assert not ssa.verify(mhd, x_Q, sig, secp224k1, hf) err_msg = "field prime is not equal to 3 mod 4: " with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(mhd, x_Q, sig, secp224k1, hf) wrongmhd = mhd[:-1] assert not ssa.verify(wrongmhd, x_Q, sig, ec, hf) err_msg = "invalid size: 31 bytes instead of 32" with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(wrongmhd, x_Q, sig, ec, hf) fssasig = (sig[0], sig[1], sig[1]) assert not ssa.verify(mhd, x_fQ, fssasig, ec, hf) err_msg = "too many values to unpack " with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(mhd, x_Q, fssasig, ec, hf) invalid_sig = ec.p, sig[1] assert not ssa.verify(mhd, x_Q, invalid_sig) err_msg = "x-coordinate not in 0..p-1: " with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(mhd, x_Q, invalid_sig, ec, hf) invalid_sig = sig[0], ec.p assert not ssa.verify(mhd, x_Q, invalid_sig) err_msg = "scalar s not in 0..n-1: " with pytest.raises(ValueError, match=err_msg): ssa.assert_as_valid(mhd, x_Q, invalid_sig, ec, hf) err_msg = "invalid size: 31 bytes instead of 32" with pytest.raises(ValueError, match=err_msg): ssa.sign(wrongmhd, q, None) err_msg = "private key not in 1..n-1: " with pytest.raises(ValueError, match=err_msg): ssa.sign(mhd, 0) # ephemeral key not in 1..n-1 err_msg = "private key not in 1..n-1: " with pytest.raises(ValueError, match=err_msg): ssa.sign(mhd, 1, 0) err_msg = "invalid zero challenge" with pytest.raises(ValueError, match=err_msg): ssa._recover_pubkey(0, sig[0], sig[1], ec) err_msg = "not a BIP340 public key" with pytest.raises(ValueError, match=err_msg): ssa._to_bip340_point(["not", "a BIP340", "public key"])