bitcoin/bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2025-05-19 12:08:05 +00:00
Code Issues Releases Wiki Activity

Merge pull request #200 from real-or-random/prints

Browse Source 
Add debug print for intermediate values
This commit is contained in:
Pieter Wuille 2020-04-02 16:34:24 -07:00 committed by GitHub
commit 038615b7c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 74 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bip-0340.mediawiki
View File

@ -136,9 +136,9 @@ Input:
* The secret key ''sk'': a 32-byte array, freshly generated uniformly at random * The secret key ''sk'': a 32-byte array, freshly generated uniformly at random
The algorithm ''PubKey(sk)'' is defined as: The algorithm ''PubKey(sk)'' is defined as:
* Let ''d = int(sk)''. * Let ''d' = int(sk)''.
* Fail if ''d = 0'' or ''d ≥ n''. * Fail if ''d' = 0'' or ''d' ≥ n''.
* Return ''bytes(d⋅G)''. * Return ''bytes(d'⋅G)''.
Note that we use a very different public key format (32 bytes) than the ones used by existing systems (which typically use elliptic curve points as public keys, or 33-byte or 65-byte encodings of them). A side effect is that ''PubKey(sk) = PubKey(bytes(n - int(sk))'', so every public key has two corresponding secret keys. Note that we use a very different public key format (32 bytes) than the ones used by existing systems (which typically use elliptic curve points as public keys, or 33-byte or 65-byte encodings of them). A side effect is that ''PubKey(sk) = PubKey(bytes(n - int(sk))'', so every public key has two corresponding secret keys.

88
bip-0340/reference.py
View File

@ -1,6 +1,15 @@
import hashlib import hashlib
import binascii import binascii
# Set DEBUG to True to get a detailed debug output including
# intermediate values during key generation, signing, and
# verification. This is implemented via calls to the
# debug_print_vars() function.
#
# If you want to print values on an individual basis, use
# the pretty() function, e.g., print(pretty(foo)).
DEBUG = False
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
@ -24,13 +33,13 @@ def y(P):
return P[1] return P[1]
def point_add(P1, P2): def point_add(P1, P2):
if (P1 is None): if P1 is None:
return P2 return P2
if (P2 is None): if P2 is None:
return P1 return P1
if (x(P1) == x(P2) and y(P1) != y(P2)): if (x(P1) == x(P2)) and (y(P1) != y(P2)):
return None return None
if (P1 == P2): if P1 == P2:
lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p
else: else:
lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p
@ -40,7 +49,7 @@ def point_add(P1, P2):
def point_mul(P, n): def point_mul(P, n):
R = None R = None
for i in range(256): for i in range(256):
if ((n >> i) & 1): if (n >> i) & 1:
R = point_add(R, P) R = point_add(R, P)
P = point_add(P, P) P = point_add(P, P)
return R return R
@ -62,14 +71,14 @@ def lift_x_square_y(b):
y = pow(y_sq, (p + 1) // 4, p) y = pow(y_sq, (p + 1) // 4, p)
if pow(y, 2, p) != y_sq: if pow(y, 2, p) != y_sq:
return None return None
return [x, y] return (x, y)
def lift_x_even_y(b): def lift_x_even_y(b):
P = lift_x_square_y(b) P = lift_x_square_y(b)
if P is None: if P is None:
return None return None
else: else:
return [x(P), y(P) if y(P) % 2 == 0 else p - y(P)] return (x(P), y(P) if y(P) % 2 == 0 else p - y(P))
def int_from_bytes(b): def int_from_bytes(b):
return int.from_bytes(b, byteorder="big") return int.from_bytes(b, byteorder="big")
@ -81,38 +90,39 @@ def is_square(x):
return pow(x, (p - 1) // 2, p) == 1 return pow(x, (p - 1) // 2, p) == 1
def has_square_y(P): def has_square_y(P):
return not is_infinity(P) and is_square(y(P)) return (not is_infinity(P)) and is_square(y(P))
def has_even_y(P): def has_even_y(P):
return y(P) % 2 == 0 return y(P) % 2 == 0
def pubkey_gen(seckey): def pubkey_gen(seckey):
x = int_from_bytes(seckey) d0 = int_from_bytes(seckey)
if not (1 <= x <= n - 1): if not (1 <= d0 <= n - 1):
raise ValueError('The secret key must be an integer in the range 1..n-1.') raise ValueError('The secret key must be an integer in the range 1..n-1.')
P = point_mul(G, x) P = point_mul(G, d0)
return bytes_from_point(P) return bytes_from_point(P)
def schnorr_sign(msg, seckey0, aux_rand): def schnorr_sign(msg, seckey, aux_rand):
if len(msg) != 32: if len(msg) != 32:
raise ValueError('The message must be a 32-byte array.') raise ValueError('The message must be a 32-byte array.')
seckey0 = int_from_bytes(seckey0) d0 = int_from_bytes(seckey)
if not (1 <= seckey0 <= n - 1): if not (1 <= d0 <= n - 1):
raise ValueError('The secret key must be an integer in the range 1..n-1.') raise ValueError('The secret key must be an integer in the range 1..n-1.')
if len(aux_rand) != 32: if len(aux_rand) != 32:
raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand)) raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand))
P = point_mul(G, seckey0) P = point_mul(G, d0)
seckey = seckey0 if has_even_y(P) else n - seckey0 d = d0 if has_even_y(P) else n - d0
t = xor_bytes(bytes_from_int(seckey), tagged_hash("BIP340/aux", aux_rand)) t = xor_bytes(bytes_from_int(d), tagged_hash("BIP340/aux", aux_rand))
k0 = int_from_bytes(tagged_hash("BIP340/nonce", t + bytes_from_point(P) + msg)) % n k0 = int_from_bytes(tagged_hash("BIP340/nonce", t + bytes_from_point(P) + msg)) % n
if k0 == 0: if k0 == 0:
raise RuntimeError('Failure. This happens only with negligible probability.') raise RuntimeError('Failure. This happens only with negligible probability.')
R = point_mul(G, k0) R = point_mul(G, k0)
k = n - k0 if not has_square_y(R) else k0 k = n - k0 if not has_square_y(R) else k0
e = int_from_bytes(tagged_hash("BIP340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n e = int_from_bytes(tagged_hash("BIP340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
sig = bytes_from_point(R) + bytes_from_int((k + e * seckey) % n) sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n)
debug_print_vars()
if not schnorr_verify(msg, bytes_from_point(P), sig): if not schnorr_verify(msg, bytes_from_point(P), sig):
raise RuntimeError('The signature does not pass verification.') raise RuntimeError('The created signature does not pass verification.')
return sig return sig
def schnorr_verify(msg, pubkey, sig): def schnorr_verify(msg, pubkey, sig):
@ -123,26 +133,29 @@ def schnorr_verify(msg, pubkey, sig):
if len(sig) != 64: if len(sig) != 64:
raise ValueError('The signature must be a 64-byte array.') raise ValueError('The signature must be a 64-byte array.')
P = lift_x_even_y(pubkey) P = lift_x_even_y(pubkey)
if (P is None):
return False
r = int_from_bytes(sig[0:32]) r = int_from_bytes(sig[0:32])
s = int_from_bytes(sig[32:64]) s = int_from_bytes(sig[32:64])
if (r >= p or s >= n): if (P is None) or (r >= p) or (s >= n):
debug_print_vars()
return False return False
e = int_from_bytes(tagged_hash("BIP340/challenge", sig[0:32] + pubkey + msg)) % n e = int_from_bytes(tagged_hash("BIP340/challenge", sig[0:32] + pubkey + msg)) % n
R = point_add(point_mul(G, s), point_mul(P, n - e)) R = point_add(point_mul(G, s), point_mul(P, n - e))
if R is None or not has_square_y(R) or x(R) != r: if (R is None) or (not has_square_y(R)) or (x(R) != r):
debug_print_vars()
return False return False
debug_print_vars()
return True return True
# #
# The following code is only used to verify the test vectors. # The following code is only used to verify the test vectors.
# #
import csv import csv
import os
import sys
def test_vectors(): def test_vectors():
all_passed = True all_passed = True
with open('test-vectors.csv', newline='') as csvfile: with open(os.path.join(sys.path[0], 'test-vectors.csv'), newline='') as csvfile:
reader = csv.reader(csvfile) reader = csv.reader(csvfile)
reader.__next__() reader.__next__()
for row in reader: for row in reader:
@ -151,7 +164,7 @@ def test_vectors():
msg = bytes.fromhex(msg) msg = bytes.fromhex(msg)
sig = bytes.fromhex(sig) sig = bytes.fromhex(sig)
result = result == 'TRUE' result = result == 'TRUE'
print('\nTest vector #%-3i: ' % int(index)) print('\nTest vector', ('#' + index).rjust(3, ' ') + ':')
if seckey != '': if seckey != '':
seckey = bytes.fromhex(seckey) seckey = bytes.fromhex(seckey)
pubkey_actual = pubkey_gen(seckey) pubkey_actual = pubkey_gen(seckey)
@ -160,6 +173,7 @@ def test_vectors():
print(' Expected key:', pubkey.hex().upper()) print(' Expected key:', pubkey.hex().upper())
print(' Actual key:', pubkey_actual.hex().upper()) print(' Actual key:', pubkey_actual.hex().upper())
aux_rand = bytes.fromhex(aux_rand) aux_rand = bytes.fromhex(aux_rand)
try:
sig_actual = schnorr_sign(msg, seckey, aux_rand) sig_actual = schnorr_sign(msg, seckey, aux_rand)
if sig == sig_actual: if sig == sig_actual:
print(' * Passed signing test.') print(' * Passed signing test.')
@ -168,6 +182,9 @@ def test_vectors():
print(' Expected signature:', sig.hex().upper()) print(' Expected signature:', sig.hex().upper())
print(' Actual signature:', sig_actual.hex().upper()) print(' Actual signature:', sig_actual.hex().upper())
all_passed = False all_passed = False
except RuntimeError as e:
print(' * Signing test raised exception:', e)
all_passed = False
result_actual = schnorr_verify(msg, pubkey, sig) result_actual = schnorr_verify(msg, pubkey, sig)
if result == result_actual: if result == result_actual:
print(' * Passed verification test.') print(' * Passed verification test.')
@ -185,5 +202,26 @@ def test_vectors():
print('Some test vectors failed.') print('Some test vectors failed.')
return all_passed return all_passed
#
# The following code is only used for debugging
#
import inspect
def pretty(v):
if isinstance(v, bytes):
return '0x' + v.hex()
if isinstance(v, int):
return pretty(bytes_from_int(v))
if isinstance(v, tuple):
return tuple(map(pretty, v))
return v
def debug_print_vars():
if DEBUG:
frame = inspect.currentframe().f_back
print(' Variables in function ', frame.f_code.co_name, ' at line ', frame.f_lineno, ':', sep='')
for var_name, var_val in frame.f_locals.items():
print(' ' + var_name.rjust(11, ' '), '==', pretty(var_val))
if __name__ == '__main__': if __name__ == '__main__':
test_vectors() test_vectors()

2
bip-0340/test-vectors.py
View File

@ -15,7 +15,7 @@ def vector0():
P = point_mul(G, x) P = point_mul(G, x)
assert(y(P) % 2 == 0) assert(y(P) % 2 == 0)
# For historic reasons (pubkey tiebreaker was squareness and not evenness) # For historical reasons (pubkey tiebreaker was squareness and not evenness)
# we should have at least one test vector where the the point reconstructed # we should have at least one test vector where the the point reconstructed
# from the public key has a square and one where it has a non-square Y # from the public key has a square and one where it has a non-square Y
# coordinate. In this one Y is non-square. # coordinate. In this one Y is non-square.