In [None]:
import random
import util
from test_framework.key import generate_key_pair, ECKey, ECPubKey, jacobi_symbol, SECP256K1_FIELD_SIZE, SECP256K1_ORDER
from test_framework.messages import sha256

# 1.1 Introduction to Schnorr Signatures

* Part 1: Schnorr Signatures.
* Part 2: Deterministic Nonces.

## Part 1: Schnorr Signatures

[bip-schnorr](https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) defines a signature/verifier scheme, as well as pubkey and signature encodings.

The schnorr signature verification equation is the following:

* `S = R + H(x(R)|P|m) * P`

Signing involves generating a secret nonce first.

* Generate secret scalar `k`

Then computing `s` from:

* `s = k + H(x(R)|P|m) * d`

The resulting signature is:

* `x(R), s`

![test](images/schnorr0.jpg)

### Constraint on the private nonce k

To verify a bip-schnorr signature, the verifier needs the computed `s` scalar and the nonce point `R`. To save 32 bytes in the signature, only the x-value of `R` is provided by the signer, from which the verifier can compute the y-value.

For a given x-coordinate on the secp256k1 curve, there are two possible curve points:

* `y^2 = x^3 + 7` (Two y-coordinate values for a given x-coordinate)
    * For `x`, both `(x, y)` and `(x, -y)` are valid curve points (where `-y` is `SECP256K1_FIELD_SIZE - y` since all arithmetic involving coordinates is modulo `SECP256K1_FIELD_SIZE`).
    * One of the y-coordinates is a quadratic residue (has a square root modulo the field size), and the other is not.

The bip-schnorr proposal constrains `k` such that the y-value of R is a quadratic residue modulo `SECP256K1_FIELD_SIZE`. This means that from the `x` co-ordinate, the verifier can unambigiously determine `y`.

* `k` and `SECP256K1_ORDER - k` have nonce points `R = (x, y)` and `R = (x, -y)` respectively.
* Only one will have a y-coordinate which is a quadratic residue modulo the field size. If a randomly generated nonce `k` does not yield a valid nonce point `R`, then the signer can negate `k` to obtain a valid nonce.
    
Whether a scalar is a quadratic residue modulo the secp256k1 field size can be determined by its [jacobi symbol](http://en.wikipedia.org/wiki/Jacobi_symbol). The Test Framework provides a `jacobi_symbol()` function. If `jacobi_symbol(y, SECP256K1_FIELD_SIZE) == 1`, then `y` is a quadratic residue.

#### 1.1.1 Example: Calculating a valid nonce

In [None]:
# Generate a random value and its associated curve point. We can use the generate_key_pair() convenience function.
k, R = generate_key_pair()

# Find y and -y
y = R.get_y()
minus_y = SECP256K1_FIELD_SIZE - y
print("y = {}".format(y))
print("-y = {}\n".format(minus_y))

# One of y and -y will be a quadratic residue and the other will not
print("y is {}a quadratic residue".format("" if jacobi_symbol(y, SECP256K1_FIELD_SIZE) == 1 else "not "))
print("-y is {}a quadratic residue\n".format("" if jacobi_symbol(minus_y, SECP256K1_FIELD_SIZE) == 1 else "not "))

print("k is {}a valid nonce".format("" if jacobi_symbol(y, SECP256K1_FIELD_SIZE) == 1 else "not "))
print("-k is {}a valid nonce".format("" if jacobi_symbol(minus_y, SECP256K1_FIELD_SIZE) == 1 else "not "))

#### 1.1.2 _Programming Exercise:_ Verify that inverse nonce values `k` and `-k` generate inverse points `R` and `-R`

In [None]:
# Generate a random scalar and its associated curve point
k, R =  # TODO: implement

# Find the x- and y-coordinates from R
# Use the get_x() and get_y() methods
R_x =  # TODO: implement
R_y =  # TODO: implement

print("R_x: {}".format(R_x))
print("R_y: {}\n".format(R_y))

# Find k's inverse (SECP256K1_ORDER - k)
# Extract the secret value from k using .secret
minus_k =  # TODO: implement

# Generate the key pair from minus_k using generate_key_pair() function with minus_k as an argument
minus_k_key, minus_R =  # TODO: implement

# Find the x- and y-coordinates from -R
minus_R_x =  # TODO: implement
minus_R_y =  # TODO: implement

print("minus_R_x: {}".format(minus_R_x))
print("minus_R_y: {}\n".format(minus_R_y))

assert R_x == minus_R_x
assert SECP256K1_FIELD_SIZE - R_y == minus_R_y

print("Success!")

#### 1.1.3 _Programming Exercise:_ Sign a message with Schnorr

* Sign the message with the provided key pair below.

In [None]:
msg = sha256(b'message')

# Generate a private/public key pair
d, P = generate_key_pair()

# Generate a nonce scalar and associated nonce point
k, R = generate_key_pair()

# Check that nonce is quadratic residue modulo the field size
# If not, negate k
# Method: jacobi_symbol(R.get_y(), SECP256K1_FIELD_SIZE)
if  # TODO: implement
    k.negate()
# Note that there is no need to negate R, since we only use the x value of R below

# Generate s = k + sha256(R_x|P|msg) * d
# Method: sha256(bytes) will give you the byte digest of the SHA256 of some bytes
# Turn that digest into a ECKey object called h, and then set s = k + h * d
R_x_bytes = R.get_x().to_bytes(32, 'big')
P_bytes = P.get_bytes()
h_bytes =  # TODO: implement
h = ECKey().set(h_bytes)
s = k + h * d

print("R: {}".format(R))
print("s: {}\n".format(s.get_bytes()))

# Generate sig = R_x|s
# Method: get the x bytes from R and concatenate with the secret bytes from s
sig =  # TODO: implement

print("Signature: {}\n".format(sig.hex()))

# Verify the signature
assert P.verify_schnorr(sig, msg)

print("Success!")

## Part 2: Deterministic Nonces for schnorr signatures

So far we have used a random secret nonce for creating schnorr signatures. This has the disadvantage that the the user must rely on the robustness of the random generator for each signing rounds. If the nonce generator is compromised or even biased, the private key can be derived for a given signature and known nonce.

For **single signer schnorr signatures**, bip-schnorr proposes a deterministic nonce generation scheme.

* `k = sha256(d|msg)`

#### 1.1.4 _Programming Exercise:_ Signing schnorr with deterministic nonce

* Create a Schnorr signature with bip-schnorr's deterministic nonce scheme
* Compare this signature to the private key class method `ECKey.sign_schnorr(msg)`

In [None]:
msg = sha256(b'message')
d, P = generate_key_pair()
print("message = {}".format(msg.hex()))
print("pubkey = {}\n".format(P.get_bytes().hex()))

# Generate the nonce value k deterministically and get the nonce point R
# Method: use sha256(bytes) on the private key and message
k_bytes =  # TODO: implement
k, R =  # TODO: implement

# Check that nonce is quadratic residue modulo the field size
# If not, negate k
# Method: jacobi_symbol(int(y(R)), SECP256K1_FIELD_SIZE)
if  # TODO: implement
    k.negate()

print("nonce: {}".format(k))
print("nonce point: {}\n".format(R))

# Generate s = k + sha256(R_x|P|msg) * d
# Method: sha256(bytes) will give you the byte digest of the SHA256 of some bytes
# Turn that digest into a ECKey object called h, and then set s = k + h * d
R_x_bytes = R.get_x().to_bytes(32, 'big')
P_bytes = P.get_bytes()
h_bytes =  # TODO: implement
h = ECKey().set(h_bytes)
s = k + h * d

print("R: {}".format(R))
print("s: {}\n".format(s.get_bytes()))

# Generate sig = R_x|s
# Method: get the x bytes from R and concatenate with the secret bytes from s
sig =  # TODO: implement

print("Signature: {}\n".format(sig.hex()))

# Generate a signature using the ECKey.sign_schnorr(msg) method
# This generates the nonce deterministically, so should return the same signature
sig2 = d.sign_schnorr(msg)

# Verify and compare signature(s)
assert P.verify_schnorr(sig, msg)
assert P.verify_schnorr(sig2, msg)
assert sig == sig2

print("Success!")

**Congratulations!** In this chapter, you have:

- Used jacobi_symbol() to determine if a random scalar is a valid bip-schnorr nonce
- Created and verified a valid schnorr signature for a public key P and message m
- Generated a deterministic nonce using a hash digest of the private key and message