|
@ -451,95 +451,6 @@ int32_t bitcoin_rangeproof(void *ctx,uint8_t *proof,uint8_t *commit,bits256 blin |
|
|
return(retval); |
|
|
return(retval); |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
|
* The intended procedure for creating a multiparty signature is: |
|
|
|
|
|
* - Each signer S[i] with private key x[i] and public key Q[i] runs |
|
|
|
|
|
* secp256k1_schnorr_generate_nonce_pair to produce a pair (k[i],R[i]) of private/public nonces. |
|
|
|
|
|
* - All signers communicate their public nonces to each other (revealing your |
|
|
|
|
|
* private nonce can lead to discovery of your private key, so it should be considered secret). |
|
|
|
|
|
* - All signers combine all the public nonces they received (excluding their |
|
|
|
|
|
* own) using secp256k1_ec_pubkey_combine to obtain an Rall[i] = sum(R[0..i-1,i+1..n]). |
|
|
|
|
|
* - All signers produce a partial signature using |
|
|
|
|
|
* secp256k1_schnorr_partial_sign, passing in their own private key x[i], |
|
|
|
|
|
* their own private nonce k[i], and the sum of the others' public nonces Rall[i]. |
|
|
|
|
|
* - All signers communicate their partial signatures to each other. |
|
|
|
|
|
* - Someone combines all partial signatures using secp256k1_schnorr_partial_combine, to obtain a full signature. |
|
|
|
|
|
* - The resulting signature is validatable using secp256k1_schnorr_verify, with |
|
|
|
|
|
* public key equal to the result of secp256k1_ec_pubkey_combine of the signers' public keys (sum(Q[0..n])). |
|
|
|
|
|
* |
|
|
|
|
|
* Note that secp256k1_schnorr_partial_combine and secp256k1_ec_pubkey_combine |
|
|
|
|
|
* function take their arguments in any order, and it is possible to |
|
|
|
|
|
* pre-combine several inputs already with one call, and add more inputs later |
|
|
|
|
|
* by calling the function again (they are commutative and associative). |
|
|
|
|
|
*/ |
|
|
|
|
|
|
|
|
|
|
|
#ifdef test_schnorr |
|
|
|
|
|
#include "secp256k1/src/util.h" |
|
|
|
|
|
#include "secp256k1/src/hash_impl.h" |
|
|
|
|
|
#include "secp256k1/src/testrand_impl.h" |
|
|
|
|
|
|
|
|
|
|
|
void test_schnorr_threshold(void *ctx) { |
|
|
|
|
|
unsigned char msg[32]; |
|
|
|
|
|
unsigned char sec[5][32]; |
|
|
|
|
|
secp256k1_pubkey pub[5]; |
|
|
|
|
|
unsigned char nonce[5][32]; |
|
|
|
|
|
secp256k1_pubkey pubnonce[5]; |
|
|
|
|
|
unsigned char sig[5][64]; |
|
|
|
|
|
const unsigned char* sigs[5]; |
|
|
|
|
|
unsigned char allsig[64]; |
|
|
|
|
|
const secp256k1_pubkey* pubs[5]; |
|
|
|
|
|
secp256k1_pubkey allpub; |
|
|
|
|
|
int n, i; |
|
|
|
|
|
int damage; |
|
|
|
|
|
int ret = 0; |
|
|
|
|
|
|
|
|
|
|
|
damage = secp256k1_rand_bits(1) ? (1 + secp256k1_rand_int(4)) : 0; |
|
|
|
|
|
secp256k1_rand256_test(msg); |
|
|
|
|
|
n = 2 + secp256k1_rand_int(4); |
|
|
|
|
|
for (i = 0; i < n; i++) { |
|
|
|
|
|
do { |
|
|
|
|
|
secp256k1_rand256_test(sec[i]); |
|
|
|
|
|
} while (!secp256k1_ec_seckey_verify(ctx, sec[i])); |
|
|
|
|
|
CHECK(secp256k1_ec_pubkey_create(ctx, &pub[i], sec[i])); |
|
|
|
|
|
CHECK(secp256k1_schnorr_generate_nonce_pair(ctx, &pubnonce[i], nonce[i], msg, sec[i], NULL, NULL)); |
|
|
|
|
|
pubs[i] = &pub[i]; |
|
|
|
|
|
} |
|
|
|
|
|
if (damage == 1) { |
|
|
|
|
|
nonce[secp256k1_rand_int(n)][secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
|
|
|
|
} else if (damage == 2) { |
|
|
|
|
|
sec[secp256k1_rand_int(n)][secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
|
|
|
|
} |
|
|
|
|
|
for (i = 0; i < n; i++) { |
|
|
|
|
|
secp256k1_pubkey allpubnonce; |
|
|
|
|
|
const secp256k1_pubkey *pubnonces[4]; |
|
|
|
|
|
int j; |
|
|
|
|
|
for (j = 0; j < i; j++) { |
|
|
|
|
|
pubnonces[j] = &pubnonce[j]; |
|
|
|
|
|
} |
|
|
|
|
|
for (j = i + 1; j < n; j++) { |
|
|
|
|
|
pubnonces[j - 1] = &pubnonce[j]; |
|
|
|
|
|
} |
|
|
|
|
|
CHECK(secp256k1_ec_pubkey_combine(ctx, &allpubnonce, pubnonces, n - 1)); |
|
|
|
|
|
ret |= (secp256k1_schnorr_partial_sign(ctx, sig[i], msg, sec[i], &allpubnonce, nonce[i]) != 1) * 1; |
|
|
|
|
|
sigs[i] = sig[i]; |
|
|
|
|
|
} |
|
|
|
|
|
if (damage == 3) { |
|
|
|
|
|
sig[secp256k1_rand_int(n)][secp256k1_rand_bits(6)] ^= 1 + secp256k1_rand_int(255); |
|
|
|
|
|
} |
|
|
|
|
|
ret |= (secp256k1_ec_pubkey_combine(ctx, &allpub, pubs, n) != 1) * 2; |
|
|
|
|
|
if ((ret & 1) == 0) { |
|
|
|
|
|
ret |= (secp256k1_schnorr_partial_combine(ctx, allsig, sigs, n) != 1) * 4; |
|
|
|
|
|
} |
|
|
|
|
|
if (damage == 4) { |
|
|
|
|
|
allsig[secp256k1_rand_int(32)] ^= 1 + secp256k1_rand_int(255); |
|
|
|
|
|
} |
|
|
|
|
|
if ((ret & 7) == 0) { |
|
|
|
|
|
ret |= (secp256k1_schnorr_verify(ctx, allsig, msg, &allpub) != 1) * 8; |
|
|
|
|
|
} |
|
|
|
|
|
CHECK((ret == 0) == (damage == 0)); |
|
|
|
|
|
} |
|
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
|
|
int32_t iguana_pederson_test(void *ctx) |
|
|
int32_t iguana_pederson_test(void *ctx) |
|
|
{ |
|
|
{ |
|
|
uint8_t commits[100][33],*commitptrs[100],proofs[100][5138]; uint16_t vouts[100]; int64_t min_value,values[100],totalpos,totalneg; bits256 txids[100],nonces[100],blinds[100],*blindptrs[100],blindsum; int32_t prooflens[100],i,r,pos,neg,numpos,exponent,min_bits,n,N = 100; |
|
|
uint8_t commits[100][33],*commitptrs[100],proofs[100][5138]; uint16_t vouts[100]; int64_t min_value,values[100],totalpos,totalneg; bits256 txids[100],nonces[100],blinds[100],*blindptrs[100],blindsum; int32_t prooflens[100],i,r,pos,neg,numpos,exponent,min_bits,n,N = 100; |
|
|