Fix generating wrong e value when the message bytes start with "00" b…

…yte. The sha256 hash function which is used in schnorr signature generation receives inputs as BigInt value. But the BigInt value eliminate head bytes if it is zero. So that, the output of hash function was wrong. This commit changes the message into BigInt array for each byte of the message. fix ZenGo-X#35
rantan · Feb 20, 2020 · 55d9376 · 55d9376
1 parent 8a3e0a1
commit 55d9376
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 18 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,4 +20,5 @@ tag = "v0.2.3"
 
 [dev-dependencies]
 hex = "0.3.2"
+sha2 = "0.8.1"
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -18,6 +18,9 @@
 extern crate serde_derive;
 extern crate serde;
 
+#[cfg(test)]
+extern crate sha2;
+
 extern crate centipede;
 extern crate curv;
 pub mod protocols;

diff --git a/src/protocols/thresholdsig/bitcoin_schnorr.rs b/src/protocols/thresholdsig/bitcoin_schnorr.rs
@@ -182,18 +182,7 @@ impl LocalSig {
         let beta_i = local_ephemeral_key.x_i.clone();
         let alpha_i = local_private_key.x_i.clone();
 
-        let message_len_bits = message.len() * 8;
-        let R = local_ephemeral_key.y.bytes_compressed_to_big_int();
-        let X = local_private_key.y.bytes_compressed_to_big_int();
-        let X_vec = BigInt::to_vec(&X);
-        let X_vec_len_bits = X_vec.len() * 8;
-        let e_bn = HSha256::create_hash_from_slice(
-            &BigInt::to_vec(
-                &((((R << X_vec_len_bits) + X) << message_len_bits) + BigInt::from(message)),
-            )[..],
-        );
-
-        let e: FE = ECScalar::from(&e_bn);
+        let e = compute_e(&local_ephemeral_key.y, &local_private_key.y, message);
         let gamma_i = beta_i + e.clone() * alpha_i;
 
         LocalSig { gamma_i, e }
@@ -278,12 +267,7 @@ impl Signature {
     }
 
     pub fn verify(&self, message: &[u8], pubkey_y: &GE) -> Result<(), Error> {
-        let e_bn = HSha256::create_hash(&[
-            &self.v.bytes_compressed_to_big_int(),
-            &pubkey_y.bytes_compressed_to_big_int(),
-            &BigInt::from(message),
-        ]);
-        let e: FE = ECScalar::from(&e_bn);
+        let e = compute_e(&self.v, pubkey_y, message);
 
         let g: GE = GE::generator();
         let sigma_g = g * &self.sigma;
@@ -297,3 +281,50 @@ impl Signature {
         }
     }
 }
+
+/// Compute e = h(V || Y || message)
+fn compute_e(v: &GE, y: &GE, message: &[u8]) -> FE {
+    let message_len_bits = message.len() * 8;
+    let R = v.bytes_compressed_to_big_int();
+    let X = y.bytes_compressed_to_big_int();
+    let X_vec = BigInt::to_vec(&X);
+    let X_vec_len_bits = X_vec.len() * 8;
+    let e_bn = HSha256::create_hash_from_slice(
+        &BigInt::to_vec(
+            &((((R << X_vec_len_bits) + X) << message_len_bits) + BigInt::from(message)),
+        )[..],
+    );
+    ECScalar::from(&e_bn)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::compute_e;
+    use curv::elliptic::curves::secp256_k1::Secp256k1Scalar;
+    use curv::elliptic::curves::traits::{ECPoint, ECScalar};
+    use curv::{BigInt, FE, GE};
+    use sha2::Digest;
+
+    #[test]
+    fn test_compute_e() {
+        let g: GE = ECPoint::generator();
+        let v: GE = g * Secp256k1Scalar::new_random();
+        let y: GE = g * Secp256k1Scalar::new_random();
+
+        // It should be equal to expected when the message started with "00" byte.
+        let message =
+            hex::decode("000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f")
+                .unwrap();
+
+        let expected: FE = {
+            let mut hasher = sha2::Sha256::new();
+            hasher.input(&v.get_element().serialize()[..]);
+            hasher.input(&y.get_element().serialize()[..]);
+            hasher.input(&message[..]);
+            let bn = BigInt::from(&hasher.result()[..]);
+            ECScalar::from(&bn)
+        };
+
+        assert_eq!(expected, compute_e(&v, &y, &message[..]));
+    }
+}