# **Schnorr Digital Signature Algorithm (EC SSA)**

# Setup

btclib is needed: let's install/update it and import straight away some of its functions

In [9]:
!pip install --upgrade btclib

from hashlib import sha256 as hf

from btclib.numbertheory import mod_inv
from btclib.curve import mult
from btclib.curve import secp256k1 as ec

Requirement already up-to-date: btclib in /Users/ferdi/Git/upstream/btclib (2020.9)


For this exercise we use secp256k1 as elliptic curve and SHA256 as hash function:

In [10]:
print(ec)

Curve
 p   = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
 a   = 0
 b   = 7
 x_G = 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
 y_G = 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
 n   = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
 h = 1


Normally, hf is chosen such that its output size is roughly equal to the size of ec.n, since the overall security of the signature scheme will depend on the smallest of the two; however, the ECDSA standard support all combinations of sizes

In [12]:
print(hf().digest_size)
print(ec.nsize)

32
32


# **Digital Signature Protocol**

## 1. Key generation

Private key (generated elsewhere, a fixed value here):

In [None]:
q = 0x18E14A7B6A307F426A94F8114701E7C8E774E7F9A47E2C2035DB29A206321725
assert 0 < q < ec.n, "Invalid private key"
print("q:", q)
print("Hex(q):", hex(q))

Corresponding Public Key:

In [None]:
Q = mult(ec, q, ec.G)
print("PubKey:", "02" if (Q[1] % 2 == 0) else "03", hex(Q[0]))



##Signature (DSA)

###Message
Message to be signed and its hash value:

In [None]:
msg = "Paolo is afraid of ephemeral random numbers"

h_bytes = hf(msg.encode()).digest()
# hash(msg) must be transformed into an integer modulo ec.n:
h = int.from_bytes(h_bytes, 'big') % ec.n
assert h != 0
print("h:", hex(h))

### Deterministic Ephemeral key
The Ephemeral key k must be kept secret and never reused
A good choice is to use a deterministic key: 

`k = hf(q||msghd)` 

different for each msg, private because of q

In [None]:
k_bytes = hf(q.to_bytes(32, 'big') + msg.encode()).digest()
k = int.from_bytes(k_bytes, 'big') % ec.n
assert k != 0
print("eph k:", hex(k))

###Signature Algorithm

In [None]:
K = mult(ec, k, ec.G)

r = K[0] % ec.n
# if r == 0 (extremely unlikely for large ec.n) go back to a different ephemeral key
assert r != 0

s = ((h + r*q)*mod_inv(k, ec.n)) % ec.n
# if s1 == 0 (extremely unlikely for large ec.n) go back to a different ephemeral key
assert s != 0

print("r:", hex(r))
print("s:", hex(s))

## Signature verification (DSA)

In [None]:
w = mod_inv(s, ec.n)
u = (h*w) %ec.n
v = (r*w) %ec.n
assert u != 0
assert v != 0
U = mult(ec, u, ec.G)
V = mult(ec, v, Q)
x, y = ec.add(U, V)
print(r == x %ec.n)


## Malleated Signature

In [None]:
sm = ec.n - s
print("     r:", hex(r))
print("   *sm:", hex(sm))

Malleated Signature verification:

In [None]:
w = mod_inv(sm, ec.n)
u = (h*w) %ec.n
v = (r*w) %ec.n
assert u != 0
assert v != 0
U = mult(ec, u, ec.G)
V = mult(ec, v, Q)
x, y = ec.add(U, V)
print(r == x %ec.n)

##Humongous mistake

### Message
Message to be signed and its hash value:

In [None]:
msg2 = "and Paolo is right to be afraid"

h_bytes = hf(msg2.encode()).digest()
# hash(msg) must be transformed into an integer modulo ec.n:
h2 = int.from_bytes(h_bytes, 'big') % ec.n
assert h2 != 0
print("h2:", hex(h2))

### The mistake 
Reuse the same ephemeral deterministic key as the previous message:

In [None]:
k2 = k #very bad! Never reuse the same ephemeral key!!!
print("eph k :", hex(k))
print("eph k2:", hex(k2))

###Signature Algorithm

In [None]:
K2 = mult(ec, k2, ec.G)

r = K2[0] % ec.n
# if r == 0 (extremely unlikely for large ec.n) go back to a different ephemeral key
assert r != 0

s2 = ((h2 + r*q)*mod_inv(k2, ec.n)) %ec.n
# if s2 == 0 (extremely unlikely for large ec.n) go back to a different ephemeral key
assert s2 != 0

# bitcoin canonical 'low-s' encoding
if s2 > ec.n/2: s2 = ec.n - s2

print(" r:", hex(r))
print("s2:", hex(s2))

### Signature verification

In [None]:
w = mod_inv(s2, ec.n)
u = (h2*w) %ec.n
v = (r*w) %ec.n
assert u != 0
assert v != 0
U = mult(ec, u, ec.G)
V = mult(ec, v, Q)
x, y = ec.add(U, V)
print(r == x %ec.n)


### Exercise
Because of this mistake is now possible to calculate the private key from the 2 signatures. 