feat(schnorr): add support for schnorr signatures #189
Conversation
| schnorrVerify (sig, msg32, pubkey) { | ||
| isUint8Array('signature', sig, 64) | ||
| isUint8Array('message', msg32, 32) | ||
| isUint8Array('public key', pubkey, [32, 33, 65]) |
There was a problem hiding this comment.
nit: This will allow an odd-Y DER pubkey to verify true against a schnorr signature when technically xonly pubkeys are always assumed to be even. Currently this is achieved by throwing away the parity bit in the code.
While this is pretty understandable for signing (the C library will automatically negate the private key if Y is odd) verification should be stricter IMO.
I am asking the library "Does this pubkey verify the signature X" and if the Y is odd, we're flipping the pubkey to a different pubkey before returning true... we would need to widen the definition of what "pubkey" means in the context of this function alone to mean "Either the given pubkey or its inverse"
To reduce confusion on this point, I think only the xonly (32 length) pubkey should be accepted.
There was a problem hiding this comment.
Alternatively we could check the DER pubkeys for evenness and return false/throw. (check first byte is 0x02 for 33 length, check that pubkey[64] & 1 === 0 for 65 length)
There was a problem hiding this comment.
That makes sense - test vector 3 requires negation of the seckey therefore I assumed it was fine.
https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.py#L73-L85
There was a problem hiding this comment.
That outputs a 32 byte xonly pubkey hex to the csv.
Like I said, automatically flipping to even when signing is fine. It's during verification that you need to be more strict.
I won't be continuing this work but it's a good base for anyone else.
helps solve #164