Add sign/verify schnorr using bouncy castle (#404)

Author: dangershony

src/Blockcore/NBitcoin/BouncyCastle/math/BigInteger.cs

@@ -1523,47 +1523,41 @@ internal bool RabinMillerTest(int certainty, Random random, bool randomlySelecte
         //            return true;
         //        }
         //
-        //        private static int Jacobi(
-        //            BigInteger    a,
-        //            BigInteger    b)
-        //        {
-        //            Debug.Assert(a.sign >= 0);
-        //            Debug.Assert(b.sign > 0);
-        //            Debug.Assert(b.TestBit(0));
-        //            Debug.Assert(a.CompareTo(b) < 0);
-        //
-        //            int totalS = 1;
-        //            for (;;)
-        //            {
-        //                if (a.sign == 0)
-        //                    return 0;
-        //
-        //                if (a.Equals(One))
-        //                    break;
-        //
-        //                int e = a.GetLowestSetBit();
-        //
-        //                int bLsw = b.magnitude[b.magnitude.Length - 1];
-        //                if ((e & 1) != 0 && ((bLsw & 7) == 3 || (bLsw & 7) == 5))
-        //                    totalS = -totalS;
-        //
-        //                // TODO Confirm this is faster than later a1.Equals(One) test
-        //                if (a.BitLength == e + 1)
-        //                    break;
-        //                BigInteger a1 = a.ShiftRight(e);
-        ////                if (a1.Equals(One))
-        ////                    break;
-        //
-        //                int a1Lsw = a1.magnitude[a1.magnitude.Length - 1];
-        //                if ((bLsw & 3) == 3 && (a1Lsw & 3) == 3)
-        //                    totalS = -totalS;
-        //
-        ////                a = b.Mod(a1);
-        //                a = b.Remainder(a1);
-        //                b = a1;
-        //            }
-        //            return totalS;
-        //        }
+        public static int Jacobi(BigInteger a, BigInteger b)
+        {
+            Debug.Assert(a.sign >= 0);
+            Debug.Assert(b.sign > 0);
+            Debug.Assert(b.TestBit(0));
+            Debug.Assert(a.CompareTo(b) < 0);
+
+            int totalS = 1;
+            for (; ; )
+            {
+                if (a.sign == 0)
+                    return 0;
+
+                if (a.Equals(One))
+                    break;
+
+                int e = a.GetLowestSetBit();
+
+                int bLsw = b.magnitude[b.magnitude.Length - 1];
+                if ((e & 1) != 0 && ((bLsw & 7) == 3 || (bLsw & 7) == 5))
+                    totalS = -totalS;
+
+                if (a.BitLength == e + 1)
+                    break;
+                BigInteger a1 = a.ShiftRight(e);
+
+                int a1Lsw = a1.magnitude[a1.magnitude.Length - 1];
+                if ((bLsw & 3) == 3 && (a1Lsw & 3) == 3)
+                    totalS = -totalS;
+
+                a = b.Remainder(a1);
+                b = a1;
+            }
+            return totalS;
+        }
 
         public long LongValue
         {

src/Blockcore/NBitcoin/Crypto/SchnorrSignature.cs

@@ -0,0 +1,130 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using NBitcoin.BouncyCastle.Asn1.X9;
+using NBitcoin.BouncyCastle.Math.EC.Custom.Sec;
+using NBitcoin.BouncyCastle.Math.EC;
+using NBitcoin.BouncyCastle.Asn1;
+using NBitcoin.BouncyCastle.Math;
+using NBitcoin.DataEncoders;
+
+namespace NBitcoin.Crypto
+{
+	/// <summary>
+	/// Schnorr Signatures using Bouncy Castle
+	/// Implementation taken from NBitcoin
+	/// </summary>
+	public class SchnorrSignature
+	{
+		public BigInteger R { get; }
+		public BigInteger S { get; }
+
+		public static SchnorrSignature Parse(string hex)
+		{
+			var bytes = Encoders.Hex.DecodeData(hex);
+			return new SchnorrSignature(bytes);
+		}
+
+		public SchnorrSignature(byte[] bytes)
+		{
+			if (bytes.Length != 64)
+				throw new ArgumentException(paramName: nameof(bytes), message:"Invalid schnorr signature length.");
+
+			R = new BigInteger(1, bytes, 0, 32);
+			S = new BigInteger(1, bytes, 32, 32);
+
+		}
+
+		public SchnorrSignature(BigInteger r, BigInteger s)
+		{
+			R = r;
+			S = s;
+		}
+		public byte[] ToBytes()
+		{
+			return Utils.BigIntegerToBytes(R, 32).Concat(Utils.BigIntegerToBytes(S, 32));
+		}
+	}
+
+	public class SchnorrSigner
+	{
+		private static X9ECParameters Secp256k1 = NBitcoin.BouncyCastle.Crypto.EC.CustomNamedCurves.Secp256k1;
+		private static BigInteger PP = ((SecP256K1Curve)Secp256k1.Curve).QQ;
+
+		public SchnorrSignature Sign(uint256 m, Key secret)
+		{
+			return Sign(m, new BigInteger(1, secret.ToBytes()));
+		}
+
+		public SchnorrSignature Sign(uint256 m, BigInteger secret)
+		{
+			var k = new BigInteger(1, Hashes.SHA256(Utils.BigIntegerToBytes(secret, 32).Concat(m.ToBytes())));
+			var R = Secp256k1.G.Multiply(k).Normalize();
+			var Xr = R.XCoord.ToBigInteger();
+			var Yr = R.YCoord.ToBigInteger();
+			if (BigInteger.Jacobi(Yr, PP) != 1)
+				k = Secp256k1.N.Subtract(k);
+
+			var P = Secp256k1.G.Multiply(secret);
+			var keyPrefixedM = Utils.BigIntegerToBytes(Xr, 32).Concat(P.GetEncoded(true), m.ToBytes());
+			var e = new BigInteger(1, Hashes.SHA256(keyPrefixedM));
+
+			var s = k.Add(e.Multiply(secret)).Mod(Secp256k1.N);
+			return new SchnorrSignature(Xr, s);
+		}
+
+		public bool Verify(uint256 m, PubKey pubkey, SchnorrSignature sig)
+		{
+			if (sig.R.CompareTo(PP) >= 0 || sig.S.CompareTo(Secp256k1.N) >= 0)
+				return false;
+			var e = new BigInteger(1, Hashes.SHA256(Utils.BigIntegerToBytes(sig.R, 32).Concat(pubkey.ToBytes(), m.ToBytes()))).Mod(Secp256k1.N);
+			var q = pubkey.ECKey.GetPublicKeyParameters().Q.Normalize();
+			var P = Secp256k1.Curve.CreatePoint(q.XCoord.ToBigInteger(), q.YCoord.ToBigInteger());
+
+			var R = Secp256k1.G.Multiply(sig.S).Add(P.Multiply(Secp256k1.N.Subtract(e))).Normalize();
+
+			if (R.IsInfinity
+				|| R.XCoord.ToBigInteger().CompareTo(sig.R) != 0
+				|| BigInteger.Jacobi(R.YCoord.ToBigInteger(), PP) != 1)
+				return false;
+
+			return true;
+		}
+
+		public static bool BatchVerify(uint256[] m, PubKey[] pubkeys, SchnorrSignature[] sigs, BigInteger[] rnds)
+		{
+			if (m.Length != pubkeys.Length || pubkeys.Length != sigs.Length || sigs.Length != rnds.Length + 1)
+				throw new ArgumentException("Invalid array lengths");
+			if (rnds.Any(r => r.CompareTo(BigInteger.Zero) <= 0 || r.CompareTo(Secp256k1.N) >= 0))
+				throw new ArgumentException("Random numbers are out of range");
+			var s = BigInteger.Zero;
+			var r1 = Secp256k1.Curve.Infinity;
+			var r2 = Secp256k1.Curve.Infinity;
+			for (var i = 0; i < sigs.Count(); i++)
+			{
+				var sig = sigs[i];
+				if (sig.R.CompareTo(PP) >= 0 || sig.S.CompareTo(Secp256k1.N) >= 0)
+					return false;
+
+				var e = new BigInteger(1, Hashes.SHA256(Utils.BigIntegerToBytes(sig.R, 32).Concat(pubkeys[i].ToBytes(), m[i].ToBytes()))).Mod(Secp256k1.N);
+				var c = sig.R.Pow(3).Add(BigInteger.ValueOf(7)).Mod(PP);
+				var y = c.ModPow(PP.Add(BigInteger.One).Divide(BigInteger.ValueOf(4)), PP);
+				if (!y.ModPow(BigInteger.Two, PP).Equals(c))
+					return false;
+
+				var a = i == 0 ? BigInteger.One : rnds[i - 1];
+				s = s.Add(sig.S.Multiply(a)).Mod(Secp256k1.N);
+
+				var R = Secp256k1.Curve.CreatePoint(sig.R, y);
+				r1 = r1.Add(R.Multiply(a));
+
+				var P = pubkeys[i].ECKey.GetPublicKeyParameters().Q.Normalize();
+				r2 = r2.Add(P.Multiply(e.Multiply(a)));
+			}
+			return Secp256k1.G.Multiply(s).Equals(r1.Add(r2));
+		}
+	}
+}

src/Blockcore/NBitcoin/Key.cs

@@ -98,6 +98,13 @@ public ECDSASignature Sign(uint256 hash)
             return this._ECKey.Sign(hash);
         }
 
+        public SchnorrSignature SignSchnorr(uint256 hash)
+        {
+            var signer = new SchnorrSigner();
+            return signer.Sign(hash, this);
+
+        }
+
         /// <summary>
         /// Hashes and signs a message, returning the signature.
         /// </summary>

src/Blockcore/NBitcoin/PubKey.cs

@@ -61,7 +61,7 @@ public PubKey(byte[] bytes, bool @unsafe)
 
         private ECKey _ECKey;
 
-        private ECKey ECKey
+        internal ECKey ECKey
         {
             get
             {
@@ -167,6 +167,17 @@ public BitcoinScriptAddress GetScriptAddress(Network network)
             return new BitcoinScriptAddress(redeem.Hash, network);
         }
 
+        public bool Verify(uint256 hash, SchnorrSignature sig)
+        {
+            if (sig == null)
+                throw new ArgumentNullException(nameof(sig));
+            if (hash == null)
+                throw new ArgumentNullException(nameof(hash));
+
+            SchnorrSigner signer = new SchnorrSigner();
+            return signer.Verify(hash, this, sig);
+        }
+
         public bool Verify(uint256 hash, ECDSASignature sig)
         {
             return this.ECKey.Verify(hash, sig);

src/Blockcore/NBitcoin/Utils.cs

@@ -366,7 +366,7 @@ private static void Write(MemoryStream ms, byte[] bytes)
             ms.Write(bytes, 0, bytes.Length);
         }
 
-        internal static Array BigIntegerToBytes(BigInteger b, int numBytes)
+        internal static byte[] BigIntegerToBytes(BigInteger b, int numBytes)
         {
             if (b == null)
             {

src/Tests/Blockcore.Tests/NBitcoin/SchnorrSignerTests.cs

@@ -0,0 +1,132 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using NBitcoin.BouncyCastle.Math;
+using NBitcoin.Crypto;
+using NBitcoin.DataEncoders;
+#if HAS_SPAN
+using NBitcoin.Secp256k1;
+#endif
+using Xunit;
+
+namespace NBitcoin.Tests
+{
+	public class SchnorrSignerTests
+	{
+		[Fact]
+		public void SingningTest()
+		{
+			var vectors = new string[][]{
+				new []{"Test vector 1",
+					"0000000000000000000000000000000000000000000000000000000000000001",
+					"0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+					"0000000000000000000000000000000000000000000000000000000000000000",
+					"787A848E71043D280C50470E8E1532B2DD5D20EE912A45DBDD2BD1DFBF187EF67031A98831859DC34DFFEEDDA86831842CCD0079E1F92AF177F7F22CC1DCED05"},
+				new []{"Test vector 2",
+					"B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
+					"02DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+					"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+					"2A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D1E51A22CCEC35599B8F266912281F8365FFC2D035A230434A1A64DC59F7013FD"},
+				new []{"Test vector 3",
+					"C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C7",
+					"03FAC2114C2FBB091527EB7C64ECB11F8021CB45E8E7809D3C0938E4B8C0E5F84B",
+					"5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
+					"00DA9B08172A9B6F0466A2DEFD817F2D7AB437E0D253CB5395A963866B3574BE00880371D01766935B92D2AB4CD5C8A2A5837EC57FED7660773A05F0DE142380"}
+			};
+
+			foreach (var vector in vectors)
+			{
+				var privatekey = new Key(Encoders.Hex.DecodeData(vector[1]));
+				var publicKey = new PubKey(Encoders.Hex.DecodeData(vector[2]));
+				var message = Parseuint256(vector[3]);
+				var expectedSignature = SchnorrSignature.Parse(vector[4]);
+
+				var signature = privatekey.SignSchnorr(message);
+				Assert.Equal(expectedSignature.ToBytes(), signature.ToBytes());
+
+				Assert.True(publicKey.Verify(message, expectedSignature));
+				Assert.True(privatekey.PubKey.Verify(message, expectedSignature));
+			}
+		}
+
+		[Fact]
+		public void ShouldPassVerifycation()
+		{
+			var publicKey = new PubKey(Encoders.Hex.DecodeData("03DEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34"));
+			var message = Parseuint256("4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703");
+			var signature = SchnorrSignature.Parse("00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6302A8DC32E64E86A333F20EF56EAC9BA30B7246D6D25E22ADB8C6BE1AEB08D49D");
+			Assert.True(publicKey.Verify(message, signature));
+		}
+
+		private uint256 Parseuint256(string hex)
+		{
+			var message = uint256.Parse(hex);
+			return new uint256(message.ToBytes(false));
+		}
+
+		[Fact]
+		public void ShouldFailVerifycation()
+		{
+			var vectors = new string[][]{
+				new []{"Test vector 5",
+					"02DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+					"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+					"2A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1DFA16AEE06609280A19B67A24E1977E4697712B5FD2943914ECD5F730901B4AB7",
+					"incorrect R residuosity"},
+				new []{"Test vector 6",
+					"03FAC2114C2FBB091527EB7C64ECB11F8021CB45E8E7809D3C0938E4B8C0E5F84B",
+					"5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
+					"00DA9B08172A9B6F0466A2DEFD817F2D7AB437E0D253CB5395A963866B3574BED092F9D860F1776A1F7412AD8A1EB50DACCC222BC8C0E26B2056DF2F273EFDEC",
+					"negated message hash"},
+				new []{"Test vector 7",
+					"0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+					"0000000000000000000000000000000000000000000000000000000000000000",
+					"787A848E71043D280C50470E8E1532B2DD5D20EE912A45DBDD2BD1DFBF187EF68FCE5677CE7A623CB20011225797CE7A8DE1DC6CCD4F754A47DA6C600E59543C",
+					"negated s value"},
+				new []{"Test vector 8",
+					"03DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+					"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+					"2A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D1E51A22CCEC35599B8F266912281F8365FFC2D035A230434A1A64DC59F7013FD",
+					"negated public key"}
+			};
+
+			foreach (var vector in vectors)
+			{
+				var publicKey = new PubKey(Encoders.Hex.DecodeData(vector[1]));
+				var message = uint256.Parse(vector[2]);
+				var expectedSignature = SchnorrSignature.Parse(vector[3]);
+				var reason = vector[4];
+
+				Assert.False(publicKey.Verify(message, expectedSignature), reason);
+			}
+		}
+
+		[Fact]
+		public void ShouldPassBatchVerifycation()
+		{
+			var vectors = new string[][]{
+				new []{
+					"0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+					"0000000000000000000000000000000000000000000000000000000000000000",
+					"787A848E71043D280C50470E8E1532B2DD5D20EE912A45DBDD2BD1DFBF187EF67031A98831859DC34DFFEEDDA86831842CCD0079E1F92AF177F7F22CC1DCED05"},
+				new []{
+					"02DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+					"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+					"2A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D1E51A22CCEC35599B8F266912281F8365FFC2D035A230434A1A64DC59F7013FD"},
+				new []{
+					"03FAC2114C2FBB091527EB7C64ECB11F8021CB45E8E7809D3C0938E4B8C0E5F84B",
+					"5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
+					"00DA9B08172A9B6F0466A2DEFD817F2D7AB437E0D253CB5395A963866B3574BE00880371D01766935B92D2AB4CD5C8A2A5837EC57FED7660773A05F0DE142380"}
+			};
+
+			var messages = vectors.Select(v => Parseuint256(v[1])).ToArray();
+			var pubkeys = vectors.Select(v => new PubKey(Encoders.Hex.DecodeData(v[0]))).ToArray();
+			var signatures = vectors.Select(v => SchnorrSignature.Parse(v[2])).ToArray();
+
+			var randoms = Enumerable.Range(0, 2).Select(x => BigInteger.Arbitrary(256)).ToArray();
+			var ok = SchnorrSigner.BatchVerify(messages, pubkeys, signatures, randoms);
+			Assert.True(ok);
+		}
+	}
+}