BIP-340 signature verification #10
Merged
Commits on Jan 8, 2024
-
Draft implementation of BIP-340 signature verification
This is a draft implementation. The remaining BIP-340 test vectors need to be added, TODOs need to be addressed, and one failing test needs to be fixed. The VerifySignature verifies the provided BIP-340 signature for the message against the group public key. The function returns true and nil error when the signature is valid. The function returns false and an error when the signature is invalid. The error provides a detailed explanation on why the signature verification failed. VerifySignature implements Verify(pk, m, sig) function as defined in BIP-340. One important design decision is to accept *Signature and *Point into Verify function instead of bytes, as in the prototype. This has the implication. To ensure consistency and that we'll not return positive verification result for (x,y) that is not on the curve, we need to verify y coordinate even though BIP-340 verification is not really interested in it. I think this is acceptable given the complexity of byte operations is hidden behind a ciphersuite and inside the protocol code, we'll operate on known domain objects.
-
Improved BIP340 sig verification in ciphersuite
Added missing test vectors with one test vector failing - this requires further investigation. Explained why we accept public key's Y coordinate in parameters as opposed to what is proposed in BIP-340. tl;dr; support for other ciphersuites and in FROST it does not matter where we strip Y coordinate information: after aggregate and before the verification or inside the verification.
-
EncodePoint function moved to Hashing interface
EncodePoint is important for hashing, especially H2. It is not important for the signature verification calls (in our current model) or for the curve operations.
-
Fixed the expected error message in BIP340 verification test
This test was previously failing. The signature verification algorithm in BIP-340 does not check that the 32 public key bytes in the signature match a valid point on the curve. This check is effectively implicit in the algorithm later, because G and P are known valid curve points, so the point R that is calculated is also a valid point. Thus, if r is not a valid point's X-coordinate, R.X != r.
-
-
EcSub for Bip340 should keep the Y coordinate in the field order
This does not make any difference to the result but it is preferable to stay in the field order for the clarity's sake.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.