Can Alice slightly modify and support non-standard ED25519? #278

Open
CodeLion66 opened this issue Sep 5, 2023 · 6 comments

Comments

@CodeLion66

If I change the process of calculating the public key for an ed25519 private key from sha512.Sum512(seed) to blake2b.New512(nil), does Alice still support signing? At present, I have encountered this issue when integrating with nano and xem. They are not standard ed25519, but the signature curve is still edwards25519. Thank you very much for helping me solve this problem!

@cychuang0924
Contributor

Hi, CodeLion66,
If you use a different hash function to generate the private key, our signature will fail.

If you want to solve it, you need to change the encoding of H(R||A||M) in the algorithm (ref: https://en.wikipedia.org/wiki/EdDSA).

If we have free time, we will check it. Thanks for your suggestion.

@CodeLion66
Author

Here are examples

[image]

[image]

There are many currencies that have changed the sha512.New algorithm to blake2b.New512, resulting in different public keys being generated from the same seed with the same EdDSA, and hence different private keys. Alice, thank you very much for providing support for this as well.

@CodeLion66
Author

@cychuang0924 At the same time, the verify function also needs to be modified.

```go
// Ed25519 verification with BLAKE2b-512 substituted for SHA-512 in H(R||A||M).
// The package clause, imports and the two copy helpers were added so the snippet
// compiles on its own; the import paths assume agl's ed25519/edwards25519 primitives
// and the decred edwards types, which is where these identifiers come from.
package main

import (
	"crypto/subtle"
	"math/big"

	"github.com/agl/ed25519"
	"github.com/agl/ed25519/edwards25519"
	"github.com/decred/dcrd/dcrec/edwards"
	"golang.org/x/crypto/blake2b"
)

// verify returns true iff sig is a valid signature of message by publicKey.
func verify(publicKey *[ed25519.PublicKeySize]byte, message []byte, sig *[ed25519.SignatureSize]byte) bool {
	// Reject signatures whose S has any of the top three bits set (non-canonical S).
	if sig[63]&224 != 0 {
		return false
	}

	var A edwards25519.ExtendedGroupElement
	if !A.FromBytes(publicKey) {
		return false
	}
	// Negate A so the double-scalar multiplication below computes [k](-A) + [S]B.
	edwards25519.FeNeg(&A.X, &A.X)
	edwards25519.FeNeg(&A.T, &A.T)

	// k = BLAKE2b-512(R || A || M) in place of SHA-512(R || A || M).
	h, _ := blake2b.New512(nil)
	h.Write(sig[:32])
	h.Write(publicKey[:])
	h.Write(message)
	var digest [64]byte
	h.Sum(digest[:0])

	var hReduced [32]byte
	edwards25519.ScReduce(&hReduced, &digest)

	// R' = [k](-A) + [S]B; the signature is valid iff R' == R.
	var R edwards25519.ProjectiveGroupElement
	var b [32]byte
	copy(b[:], sig[32:])
	edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)

	var checkR [32]byte
	R.ToBytes(&checkR)
	return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
}

// copyBytes and copyBytes64 copy slices into the fixed-size arrays verify expects
// (the same role as the unexported helpers in the decred edwards package).
func copyBytes(b []byte) *[32]byte {
	var out [32]byte
	copy(out[:], b)
	return &out
}

func copyBytes64(b []byte) *[64]byte {
	var out [64]byte
	copy(out[:], b)
	return &out
}

// Verify verifies a message 'hash' using the given public key and signature.
func Verify(pub *edwards.PublicKey, hash []byte, r, s *big.Int) bool {
	if pub == nil || hash == nil || r == nil || s == nil {
		return false
	}

	pubBytes := pub.Serialize()
	sig := &edwards.Signature{R: r, S: s}
	sigBytes := sig.Serialize()
	pubArray := copyBytes(pubBytes)
	sigArray := copyBytes64(sigBytes)
	return verify(pubArray, hash, sigArray)
}
```

@cychuang0924
Contributor

Hi CodeLion66,
Now we support Taproot: BIP340 in #284.
Thanks for sharing. Could you give us any documents on the Schnorr signature you mentioned?
We can implement it. Thanks for your help!

@CodeLion66
Author

@cychuang0924 @alanchchen The obtained results cannot be verified by the Schnorr algorithm. Do you know where the problem lies?

```
result="&{R:(x, y) =(14123604678869218463772961717589779530609742629996561286314841166685446109018, 98477150044618818642748854613165822521744005936126444044287898175506035854788) S:+87502198931566243039417909537359909929807050629333795383691211318535174493133}" err=nil
```

```go
signature := schnorr.NewSignature(r, s)
bl := signature.Verify(msg, pubKey)
```

@cychuang0924
Contributor

cychuang0924 commented Dec 4, 2023

@CodeLion66,

Let us clarify the question.

In this problem, did you generate the Schnorr signature with our library? Or did you replace sha512 with blake2b and then generate this signature?

Thanks for your sharing!

Sincerely,
