highperfocused/bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2025-03-17 21:32:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

make secret key a 32-byte array called sk, introduce pubkey()

Browse Source
This commit is contained in:
Anthony Towns 2019-08-22 11:06:19 +10:00 committed by Pieter Wuille
parent a3f74a204e
commit 4e13ec7301
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
bip-schnorr.mediawiki
View File

@ -117,13 +117,16 @@ The following convention is used, with constants as defined for secp256k1:
** The function ''point(x)'', where ''x'' is a 32-byte array, returns the point ''P = lift_x(int(x))''.
** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''.
** The function ''jacobi(x)'', where ''x'' is an integer, returns the [https://en.wikipedia.org/wiki/Jacobi_symbol Jacobi symbol] of ''x / p''. It is equal to ''x<sup>(p-1)/2</sup> mod p'' ([https://en.wikipedia.org/wiki/Euler%27s_criterion Euler's criterion])<ref>For points ''P'' on the secp256k1 curve it holds that ''jacobi(y(P)) &ne; 0''.</ref>.
** The function ''pubkey(x)'', where ''x'' is a 32-byte array, returns ''bytes(dG)'' where ''d = int(x) mod n''.
=== Public Key Generation ===
==== Public Key Generation ====
Input:
* The secret key ''d'': an integer in the range ''1..n-1'' chosen uniformly at random.
* The secret key ''sk'': a 32-byte array, generated uniformly at random
The public key corresponding to secret key ''d'' is ''bytes(dG)''.
To generate the corresponding public key:
* Fail if ''int(sk) = 0'' or ''int(sk) >= n''
* The public key corresponding to secret key ''sk'' is ''pubkey(sk)''.
Alternatively, the public key can be created according to [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP32] which describes the derivation of 33-byte compressed public keys.
In order to translate such public keys into bip-schnorr compatible keys, the first byte must be dropped.
@ -165,11 +168,13 @@ All provided signatures are valid with overwhelming probability if and only if t
==== Signing ====
Input:
* The secret key ''d' '': an integer in the range ''1..n-1''
* The secret key ''sk'': a 32-byte array
* The message ''m'': a 32-byte array
To sign ''m'' for public key ''bytes(dG)'':
* Let ''P = dG''
To sign ''m'' for public key ''pubkey(sk)'':
* Let ''d' = int(sk)''
* Fail if ''d' = 0'' or ''d' >= n''
* Let ''P = d'G''
* Let ''d = d' '' if ''jacobi(y(P)) = 1'', otherwise let ''d = n - d' ''.
* Let ''k' = int(hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m)) mod n''<ref>Note that in general, taking the output of a hash function modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>.
* Fail if ''k' = 0''.