
Releases: chaintope/bip-schnorrrb

v0.7.0 release

22 Dec 03:03

This release now uses 32 zero bytes as aux_rand when aux_rand is nil at signing time. This matches BIP340 default signing when no auxiliary randomness is supplied and the behaviour of libsecp256k1.

v0.6.0 release

01 Jun 05:45

This release removes the length check on the message to be signed, following the change to BIP340 that allows messages of arbitrary length. Any message length is now accepted when creating or verifying a signature.

If a length limit is desired, each caller must enforce it.

v0.5.0 release

07 Apr 05:08

This release includes the following new features and improvements:

Support MuSig2*

MuSig2* as defined in BIP-327 is now supported.

require 'securerandom'
require 'schnorr'

# Each signer draws a secret key in [1, n-1] and derives its 33-byte compressed public key.
sk1 = 1 + SecureRandom.random_number(Schnorr::GROUP.order - 1)
pk1 = (Schnorr::GROUP.generator.to_jacobian * sk1).to_affine.encode

sk2 = 1 + SecureRandom.random_number(Schnorr::GROUP.order - 1)
pk2 = (Schnorr::GROUP.generator.to_jacobian * sk2).to_affine.encode

pubkeys = [pk1, pk2]

# Key aggregation.
agg_ctx = Schnorr::MuSig2.aggregate(pubkeys)
# If you have tweak values, aggregate with them instead:
# agg_ctx = Schnorr::MuSig2.aggregate_with_tweaks(pubkeys, tweaks, modes)

# The aggregated public key is available as a point:
agg_ctx.q
# and as an x-only public key string:
agg_ctx.x_only_pubkey

msg = SecureRandom.bytes(32)

# Signer 1: generate a secret nonce and a public nonce.
# Only pk: is required; the other arguments are optional, but passing sk:, agg_pubkey:
# and msg: strengthens the nonce derivation (BIP-327 NonceGen).
# sec_nonce1 must be used exactly once; reusing it in another session leaks sk1.
sec_nonce1, pub_nonce1 = Schnorr::MuSig2.gen_nonce(
        pk: pk1,
        sk: sk1,
        agg_pubkey: agg_ctx.x_only_pubkey,
        msg: msg,
        extra_in: SecureRandom.bytes(4),
        rand: SecureRandom.bytes(32)
)

# Signer 2 as a stateless signer (BIP-327 deterministic signing): it must receive the
# aggregate of every other signer's public nonce first, then returns its own public
# nonce and its partial signature in one step. tweaks: and modes: keyword arguments
# are accepted when the key was tweaked.
agg_other_nonce = Schnorr::MuSig2.aggregate_nonce([pub_nonce1])
pub_nonce2, sig2 = Schnorr::MuSig2.deterministic_sign(
        sk2, agg_other_nonce, pubkeys, msg,
        rand: SecureRandom.bytes(32)  # optional
)

# Nonce aggregation.
agg_nonce = Schnorr::MuSig2.aggregate_nonce([pub_nonce1, pub_nonce2])

# Signer 1: generate its partial signature. When the key was tweaked, pass tweaks
# and modes as optional trailing arguments to SessionContext.new.
session_ctx = Schnorr::MuSig2::SessionContext.new(agg_nonce, pubkeys, msg)
sig1 = session_ctx.sign(sec_nonce1, sk1)

# Verify a partial signature; signer_index is the signer's position in pubkeys.
signer_index = 0
session_ctx.valid_partial_sig?(sig1, pub_nonce1, signer_index)

# Signature aggregation.
sig = session_ctx.aggregate_partial_sigs([sig1, sig2])

# The result verifies as an ordinary BIP340 signature under the aggregated key.
Schnorr.valid_sig?(msg, agg_ctx.x_only_pubkey, sig.encode)

Performance improvement

Performance has been improved by performing elliptic curve operations in Jacobian coordinates using the ecdsa_ext gem.

Full Changelog: v0.4.0...v0.5.0

v0.4.0 release

29 Jun 04:57

This release changes the nonce derivation when aux_rand is not specified to the same method libsecp256k1 used at the time.

Previously, if the aux_rand argument was not given to the sign method, SecureRandom was used to generate a fresh random value on every call.

In this release, if aux_rand is not specified (nil), the tagged hash of aux_rand is not computed and XORed into the private key; the private key bytes are used directly as input to the nonce derivation. (v0.7.0 later changed this again, treating a nil aux_rand as 32 zero bytes.)
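The v0.4.0 and v0.7.0 notes describe two different ways of handling a nil aux_rand. To make the difference concrete, here is an added example, not code from bip-schnorrrb: a minimal pure-Ruby BIP340 signer and verifier (Digest::SHA256 only, no gem) with a `nil_policy` switch of my own naming. `:zero` reproduces the v0.7.0 behaviour (nil treated as 32 zero bytes, so it equals an explicit all-zero aux_rand), and `:raw_key` the v0.4.0 to v0.6.0 behaviour (the private key bytes fed unmasked into the nonce hash). The `Bip340Demo` module name, the `nil_policy` argument and its symbols are assumptions for this example. The check against BIP340 test vector 0 (sk = 3, all-zero message, all-zero aux_rand) pins down the `:zero` policy; a `:raw_key` signature has a different R but still verifies, because the policy only changes how k is derived, not the verification equation.

```ruby
require 'digest'

# Added example (not bip-schnorrrb code): pure-Ruby BIP340 sign/verify used only to
# show what changes when aux_rand is nil. Not constant-time; do not use in production.
module Bip340Demo
  # secp256k1 field prime, group order and generator.
  P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
  N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
  G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8].freeze

  module_function

  # SHA256(SHA256(tag) || SHA256(tag) || data), as defined in BIP340.
  def tagged_hash(tag, data)
    th = Digest::SHA256.digest(tag)
    Digest::SHA256.digest(th + th + data.b)
  end

  def bytes32(i)
    [i.to_s(16).rjust(64, '0')].pack('H*')
  end

  def int(b)
    b.b.unpack1('H*').to_i(16)
  end

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Affine point addition on secp256k1; nil is the point at infinity.
  def point_add(p1, p2)
    return p2 if p1.nil?
    return p1 if p2.nil?
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2
      return nil unless y1 == y2 # P + (-P)
      lam = 3 * x1 * x1 * (2 * y1).pow(P - 2, P) % P
    else
      lam = (y2 - y1) * ((x2 - x1) % P).pow(P - 2, P) % P
    end
    x3 = (lam * lam - x1 - x2) % P
    [x3, (lam * (x1 - x3) - y1) % P]
  end

  # Double-and-add scalar multiplication.
  def point_mul(pt, k)
    acc = nil
    while k > 0
      acc = point_add(acc, pt) if k.odd?
      pt = point_add(pt, pt)
      k >>= 1
    end
    acc
  end

  # BIP340 lift_x: the curve point with this x coordinate and even y.
  def lift_x(x)
    raise 'x out of range' if x >= P
    y_sq = (x.pow(3, P) + 7) % P
    y = y_sq.pow((P + 1) / 4, P)
    raise 'not on curve' unless y.pow(2, P) == y_sq
    [x, y.even? ? y : P - y]
  end

  # x-only public key (32 bytes) for a secret key.
  def pubkey(sk)
    bytes32(point_mul(G, sk)[0])
  end

  # nil_policy applies only when aux_rand is nil:
  #   :zero    -> aux_rand treated as 32 zero bytes (v0.7.0 behaviour, BIP340 default)
  #   :raw_key -> private key bytes used directly, no aux mask (v0.4.0 to v0.6.0 behaviour)
  def sign(sk, msg, aux_rand: nil, nil_policy: :zero)
    raise ArgumentError, 'sk out of range' unless sk.between?(1, N - 1)
    raise ArgumentError, 'aux_rand must be 32 bytes' unless aux_rand.nil? || aux_rand.bytesize == 32
    msg = msg.b
    pk = point_mul(G, sk)
    d = pk[1].even? ? sk : N - sk # negate so the public key has even y
    pk_x = bytes32(pk[0])
    t = if !aux_rand.nil?
          xor(bytes32(d), tagged_hash('BIP0340/aux', aux_rand))
        elsif nil_policy == :zero
          xor(bytes32(d), tagged_hash('BIP0340/aux', "\x00" * 32))
        elsif nil_policy == :raw_key
          bytes32(d)
        else
          raise ArgumentError, "unknown nil_policy #{nil_policy}"
        end
    k0 = int(tagged_hash('BIP0340/nonce', t + pk_x + msg)) % N
    raise 'nonce is zero, retry with different aux_rand' if k0.zero?
    r = point_mul(G, k0)
    k = r[1].even? ? k0 : N - k0
    e = int(tagged_hash('BIP0340/challenge', bytes32(r[0]) + pk_x + msg)) % N
    bytes32(r[0]) + bytes32((k + e * d) % N)
  end

  # BIP340 verification: s*G - e*P must equal R with even y and the signed x.
  def verify(pk_x, msg, sig)
    pk_x = pk_x.b
    sig = sig.b
    return false unless pk_x.bytesize == 32 && sig.bytesize == 64
    begin
      pk = lift_x(int(pk_x))
    rescue RuntimeError
      return false
    end
    r = int(sig[0, 32])
    s = int(sig[32, 32])
    return false if r >= P || s >= N
    e = int(tagged_hash('BIP0340/challenge', sig[0, 32] + pk_x + msg.b)) % N
    pt = point_add(point_mul(G, s), point_mul(pk, N - e))
    !pt.nil? && pt[1].even? && pt[0] == r
  end
end
```

Both policies are deterministic, so neither gives the protection BIP340 intends aux_rand to add against fault-injection and side-channel attacks on the nonce; callers should pass 32 bytes of fresh randomness as aux_rand whenever a CSPRNG is available, and rely on the nil default only where that is impossible.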

v0.3.2 release

04 Jan 04:49

This release contains one internal logic change.

  • When verifying Schnorr signatures, ECDSA::Format::PointOctetString.decode_from_x is now used instead of ECDSA::Format::PointOctetString.decode when decoding a 32-byte public key.

v0.3.1 release

11 Nov 09:04

This release fixes a decoding bug for x-only public keys (32 bytes) whose first byte is 02, 03, 04, 06 or 07.

Previously, such keys were mistaken for prefixed point encodings and ECDSA::Format::PointOctetString#decode raised an error. The bug is fixed in this release.

v0.3.0 release

28 Aug 08:08

Releases the BIP340-compatible Schnorr signature library for Ruby.