更新

deatil · Dec 12, 2024 · 9d3eeca · 9d3eeca
1 parent 6af1931
commit 9d3eeca
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 212 deletions.
diff --git a/pubkey/bip0340/bip0340.go b/pubkey/bip0340/bip0340.go
@@ -7,10 +7,8 @@ import (
     "math/big"
     "crypto"
     "crypto/rand"
-    "crypto/sha256"
     "crypto/elliptic"
 
-    "golang.org/x/crypto/chacha20"
     "golang.org/x/crypto/cryptobyte"
     "golang.org/x/crypto/cryptobyte/asn1"
 )
@@ -446,133 +444,6 @@ func VerifyWithRS(pub *PublicKey, hashFunc Hasher, data []byte, r, s *big.Int) b
     return r.Cmp(x2) == 0
 }
 
-/*
- * BIP0340 batch verification functions.
- */
-func BatchVerify(pub []*PublicKey, m, sig [][]byte) bool {
-    u := len(pub)
-
-    if len(m) < u || len(sig) < u {
-        return false
-    }
-
-    a := make([]*big.Int, u)
-    Px := make([]*big.Int, u)
-    Py := make([]*big.Int, u)
-    r := make([]*big.Int, u)
-    s := make([]*big.Int, u)
-    e := make([]*big.Int, u)
-    Rx := make([]*big.Int, u)
-    Ry := make([]*big.Int, u)
-
-    a[0] = big.NewInt(1)
-
-    var seed []byte
-    for i := 0; i < u; i++ {
-        pk := elliptic.MarshalCompressed(pub[i].Curve, pub[i].X, pub[i].Y)
-
-        seed = append(seed, pk[1:]...)
-        seed = append(seed, m[i]...)
-        seed = append(seed, sig[i]...)
-    }
-
-    seedFixed := sha256.Sum256(seed)
-    seed = seedFixed[:]
-
-    for i := 1; i < u; i++ {
-        // a[i] = big.NewInt(int64(i + 1))
-        bytes, _ := chacha20.HChaCha20(seed, pad(big.NewInt(0).Bytes(), 16))
-        a[i] = new(big.Int).SetBytes(bytes)
-
-        curve := pub[i].Curve.Params()
-
-        if a[i].Cmp(big.NewInt(0)) <= 0 || a[i].Cmp(curve.N) >= 0 {
-            i--
-        }
-    }
-
-    for i := 0; i < u; i++ {
-        curve := pub[i].Curve
-        curveParams := curve.Params()
-
-        var err error
-        Px[i], Py[i], err = lift_x_even_y(curve, pub[i].X, pub[i].Y)
-        if err != nil {
-            return false
-        }
-
-        r[i] = new(big.Int).SetBytes(sig[i][:32])
-        if r[i].Cmp(curveParams.P) >= 0 {
-            return false
-        }
-
-        s[i] = new(big.Int).SetBytes(sig[i][32:])
-        if s[i].Cmp(curveParams.N) >= 0 {
-            return false
-        }
-
-        toHash := bytes32(r[i])
-        toHash = append(toHash, bytes32(Px[i])...)
-        toHash = append(toHash, m[i]...)
-
-        e[i] = new(big.Int).SetBytes(hashTag("BIP340/challenge", toHash))
-        e[i].Mod(e[i], curveParams.N)
-
-        rBytes := append([]byte{byte(3)}, pad(r[i].Bytes(), 32)...)
-        Rx[i], Ry[i] = elliptic.UnmarshalCompressed(curve, rBytes)
-
-        if Rx[i] == nil || Ry[i] == nil {
-            rBytes = append([]byte{byte(2)}, pad(r[i].Bytes(), 32)...)
-            Rx[i], Ry[i] = elliptic.UnmarshalCompressed(curve, rBytes)
-
-            if Rx[i] == nil || Ry[i] == nil {
-                return false
-            }
-        }
-    }
-
-    var temp1, temp2x, temp2y, res1x, res1y, res2x, res2y *big.Int
-    temp1 = big.NewInt(0)
-    for i := 0; i < u; i++ {
-        curve := pub[i].Curve
-
-        x := new(big.Int).Mul(a[i], s[i])
-
-        temp1.Add(temp1, x)
-        temp1.Mod(temp1, curve.Params().N)
-
-        res1x, res1y = curve.ScalarBaseMult(temp1.Bytes())
-    }
-
-    temp2x = Rx[0]
-    temp2y = Ry[0]
-
-    for i := 1; i < u; i++ {
-        curve := pub[i].Curve
-
-        x, y := curve.ScalarMult(Rx[i], Ry[i], a[i].Bytes())
-        temp2x, temp2y = curve.Add(temp2x, temp2y, x, y)
-    }
-
-    for i := 0; i < u; i++ {
-        curve := pub[i].Curve
-
-        s := new(big.Int).Mul(a[i], e[i])
-        s.Mod(s, curve.Params().N)
-        x, y := curve.ScalarMult(Px[i], Py[i], s.Bytes())
-        temp2x, temp2y = curve.Add(temp2x, temp2y, x, y)
-    }
-
-    res2x = temp2x
-    res2y = temp2y
-
-    if res2x.Cmp(res1x) != 0 || res2y.Cmp(res1y) != 0 {
-        return false
-    }
-
-    return true
-}
-
 // randFieldElement returns a random element of the order of the given
 // curve using the procedure given in FIPS 186-4, Appendix B.5.2.
 func randFieldElement(rand io.Reader, c elliptic.Curve) (k *big.Int, err error) {

diff --git a/pubkey/bip0340/bip0340_test.go b/pubkey/bip0340/bip0340_test.go
@@ -1,23 +1,17 @@
 package bip0340
 
 import (
-    "io"
-    "os"
-    "log"
     "fmt"
-    "bufio"
     "bytes"
     "crypto"
     "strings"
     "testing"
-    "strconv"
     "math/big"
     "crypto/rand"
     "crypto/sha256"
     "crypto/sha512"
     "crypto/elliptic"
     "encoding/hex"
-    "encoding/csv"
     "encoding/pem"
     "encoding/base64"
 
@@ -231,67 +225,6 @@ func test_SignBytes(t *testing.T, c elliptic.Curve, h Hasher) {
 
 }
 
-func Test_Batch(t *testing.T) {
-    u := 0
-
-    var pks []*PublicKey
-    var ms, sigs [][]byte
-    f, _ := os.Open("testdata/test-vectors-multi.csv")
-
-    reader := csv.NewReader(bufio.NewReader(f))
-    for {
-        record, err := reader.Read()
-        if err == io.EOF {
-            break
-        } else if err != nil {
-            log.Fatal(err)
-        }
-
-        _, err = strconv.ParseInt(record[0], 0, 0)
-        if err != nil {
-            continue
-        }
-
-        pkint, _ := new(big.Int).SetString(record[2], 16)
-        pk := pad(pkint.Bytes(), 32)
-
-        mint, _ := new(big.Int).SetString(record[4], 16)
-        m := pad(mint.Bytes(), 32)
-
-        sigint, _ := new(big.Int).SetString(record[5], 16)
-        sig := bytes64(sigint)
-
-        expected, _ := strconv.ParseBool(record[6])
-        if !expected {
-            continue
-        }
-
-        u += 1
-
-        pubBytes := append([]byte{byte(3)}, pk...)
-
-        x, y := elliptic.UnmarshalCompressed(secp256k1.S256(), pubBytes)
-        if x == nil || y == nil {
-            t.Fatal("publicKey error")
-        }
-
-        pubkey := &PublicKey{
-            Curve: secp256k1.S256(),
-            X: x,
-            Y: y,
-        }
-
-        pks = append(pks, pubkey)
-        ms = append(ms, m)
-        sigs = append(sigs, sig)
-    }
-
-    res := BatchVerify(pks, ms, sigs)
-    if !res {
-        t.Errorf("Batch verify failed")
-    }
-}
-
 func Test_bigintIsodd(t *testing.T) {
     if !bigintIsodd(big.NewInt(1)) {
         t.Error("one is odd")

diff --git a/pubkey/bip0340/testdata/test-vectors-multi.csv b/pubkey/bip0340/testdata/test-vectors-multi.csv
diff --git a/pubkey/bip0340/utils.go b/pubkey/bip0340/utils.go
@@ -4,7 +4,6 @@ import (
     "hash"
     "math/big"
     "math/bits"
-    "crypto/sha256"
     "crypto/subtle"
     "crypto/elliptic"
     "encoding/binary"
@@ -14,6 +13,8 @@ const BIP0340_AUX       = "BIP0340/aux"
 const BIP0340_NONCE	    = "BIP0340/nonce"
 const BIP0340_CHALLENGE = "BIP0340/challenge"
 
+const CHACHA20_MAX_ASKED_LEN = 64
+
 var (
     zero = big.NewInt(0)
     one  = big.NewInt(1)
@@ -45,7 +46,10 @@ func bytes64(x *big.Int) []byte {
     return pad(x.Bytes(), 64)
 }
 
-func lift_x_even_y(curve elliptic.Curve, Px, Py *big.Int) (*big.Int, *big.Int, error) {
+func liftXEvenY(curve elliptic.Curve, x, y *big.Int) (*big.Int, *big.Int, error) {
+    Px := new(big.Int).Set(x)
+    Py := new(big.Int).Set(y)
+
     if new(big.Int).Mod(Py, big.NewInt(2)).Cmp(big.NewInt(0)) == 0 {
         return Px, Py, nil
     } else {
@@ -54,15 +58,6 @@ func lift_x_even_y(curve elliptic.Curve, Px, Py *big.Int) (*big.Int, *big.Int, e
     }
 }
 
-func hashTag(tag string, x []byte) []byte {
-    tagHash := sha256.Sum256([]byte(tag))
-    toHash := tagHash[:]
-    toHash = append(toHash, tagHash[:]...)
-    toHash = append(toHash, x...)
-    hashed := sha256.Sum256(toHash)
-    return pad(hashed[:], 32)
-}
-
 func bitsToBytes(bits int) int {
     return (bits + 7) / 8
 }