From: Артём Литвинович (Artem Litvinovich)
Date: Sat, 7 Jul 2018 05:47:40 +0300
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Schnorr signatures BIP

Neat.

Some minor notes as an outsider who just spent an hour implementing and playing with this:

- In several places you have things like "Let k = int(hash(bytes(d) || m)) mod n", but reference code says things like "e = sha256(R[0].to_bytes(32, byteorder="big") + bytes_point(point_mul(G, seckey)) + msg)", no modulo. Confusing.

- x is not defined in "The signature is *bytes(x(R)) || bytes(k + ex mod n)*", apparently it's the private key.

- jacobi function is great at exposing bugs in divmod implementations, due to the full 256-bit exponent. Add a line about it being something to watch for?

- "bytes" notation is defined as "turn to bytes" for an integer, but the same for a point is "take X with prefix and turn to bytes". Confusing, might be a good idea to name it differently?

- Finally, it would have been nice to have a larger set of test vectors in a JSON or CSV file, covering all the edge cases.

Artem
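Added illustration, not part of the post above and not the BIP's reference code: a compact Python model of the July 2018 bip-schnorr draft as the post quotes it (k' = int(hash(bytes(d) || m)) mod n, the jacobi(y(R)) step, e = hash(bytes(x(R)) || bytes(dG) || m), signature bytes(x(R)) || bytes(k + ed mod n)), written to show three of the points raised. First, computing e with or without the "mod n" yields byte-identical signatures, because the final scalar is reduced mod n anyway; the reduce_e toggle exposes that. Second, jacobi() via Euler's criterion walks a full 256-bit exponent, so the example spells out square-and-multiply instead of calling pow() and cross-checks it against the textbook quadratic-reciprocity algorithm, which is the check one would put in a test suite to catch the divmod bugs the post mentions. Third, the two encodings the draft both called bytes() are named apart as bytes_int and bytes_point. All helper names (bytes_int, bytes_point, point_from_bytes, modpow, jacobi_euler, jacobi_reciprocity, jacobi_agree) are my own; the curve constants are secp256k1's; the 0x02/0x03 prefix is the draft's compressed-point encoding. Private keys and messages used to exercise it are constructed, not test vectors from the BIP.

```python
import hashlib

# secp256k1 domain parameters (public constants)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(P1, P2):
    """Affine addition on y^2 = x^3 + 7 over GF(p); None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    if P1[0] == P2[0] and P1[1] != P2[1]: return None
    if P1 == P2:
        lam = 3 * P1[0] * P1[0] * pow(2 * P1[1], p - 2, p) % p
    else:
        lam = (P2[1] - P1[1]) * pow(P2[0] - P1[0], p - 2, p) % p
    x3 = (lam * lam - P1[0] - P2[0]) % p
    return (x3, (lam * (P1[0] - x3) - P1[1]) % p)

def point_mul(P, k):
    """Double-and-add scalar multiplication over the 256 bits of k."""
    R = None
    for i in range(256):
        if (k >> i) & 1: R = point_add(R, P)
        P = point_add(P, P)
    return R

def sha256(b):
    return hashlib.sha256(b).digest()

# The draft wrote bytes() for both of these; they are named apart here (my names).
def bytes_int(x):
    return x.to_bytes(32, "big")

def bytes_point(P):
    """33-byte compressed point: 0x02 for even y, 0x03 for odd y, then x."""
    return (b"\x03" if P[1] & 1 else b"\x02") + bytes_int(P[0])

def point_from_bytes(pk):
    """Inverse of bytes_point; None if pk is not a valid compressed point."""
    if len(pk) != 33 or pk[0] not in (2, 3): return None
    x = int.from_bytes(pk[1:], "big")
    y2 = (pow(x, 3, p) + 7) % p
    y = pow(y2, (p + 1) // 4, p)  # p = 3 mod 4, so this is a root when one exists
    if y * y % p != y2: return None
    return (x, y if (y & 1) == (pk[0] & 1) else p - y)

def modpow(base, exp, m):
    """Explicit square-and-multiply: every one of exp's bits costs a mulmod,
    which is why jacobi() exercises a divmod implementation so thoroughly."""
    result, base = 1, base % m
    while exp:
        if exp & 1: result = result * base % m
        base = base * base % m
        exp >>= 1
    return result

def jacobi_euler(y):
    """jacobi(y) by Euler's criterion with the full 256-bit exponent (p-1)/2.
    Returns 1 (residue), p-1 (meaning -1) or 0."""
    return modpow(y, (p - 1) // 2, p)

def jacobi_reciprocity(a, m=p):
    """Textbook Jacobi symbol via quadratic reciprocity; returns 1, -1 or 0."""
    a %= m
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if m % 8 in (3, 5): result = -result
        a, m = m, a
        if a % 4 == 3 and m % 4 == 3: result = -result
        a %= m
    return result if m == 1 else 0

def jacobi_agree(y):
    """True when both jacobi computations give the same answer for y."""
    return {1: 1, p - 1: -1, 0: 0}[jacobi_euler(y)] == jacobi_reciprocity(y)

def sign(d, msg, reduce_e=True):
    """Sign msg with private key d in [1, n-1], following the 2018 draft."""
    k0 = int.from_bytes(sha256(bytes_int(d) + msg), "big") % n
    if k0 == 0: raise ValueError("k' = 0, signing fails")
    R = point_mul(G, k0)
    k = k0 if jacobi_euler(R[1]) == 1 else n - k0
    e = int.from_bytes(sha256(bytes_int(R[0]) + bytes_point(point_mul(G, d)) + msg), "big")
    if reduce_e: e %= n  # the text's "mod n"; skipping it as the reference code does gives the same signature
    return bytes_int(R[0]) + bytes_int((k + e * d) % n)

def verify(pk, msg, sig):
    P = point_from_bytes(pk)
    if P is None or len(sig) != 64: return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if r >= p or s >= n: return False
    e = int.from_bytes(sha256(bytes_int(r) + bytes_point(P) + msg), "big") % n
    R = point_add(point_mul(G, s), point_mul(P, n - e))  # sG - eP
    return R is not None and jacobi_euler(R[1]) == 1 and R[0] == r
```

sign(d, msg) and sign(d, msg, reduce_e=False) return the same 64 bytes for any key and message, which is the whole of the first bullet's confusion: the two texts describe the same computation. jacobi_agree(y) is the kind of assertion to run over many y values when porting this to a language whose big-integer divmod is hand-written; a bug there shows up as a disagreement between the two functions long before it shows up as an invalid signature.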