
Commit 87af00b

committed
Abstract out challenge computation in schnorrsig
1 parent 63e1b2a commit 87af00b


1 file changed

+19
-18
lines changed


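--- a/src/modules/schnorrsig/main_impl.h
+++ b/src/modules/schnorrsig/main_impl.h
@@ -108,14 +108,29 @@ static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha) {
 sha->bytes = 64;
 }
 
+static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32)
+{
+unsigned char buf[32];
+secp256k1_sha256 sha;
+
+/* tagged hash(r.x, pk.x, msg32) */
+secp256k1_schnorrsig_sha256_tagged(&sha);
+secp256k1_sha256_write(&sha, r32, 32);
+secp256k1_sha256_write(&sha, pubkey32, 32);
+secp256k1_sha256_write(&sha, msg32, 32);
+secp256k1_sha256_finalize(&sha, buf);
+/* Set scalar e to the challenge hash modulo the curve order as per
+* BIP340. */
+secp256k1_scalar_set_b32(e, buf, NULL);
+}
+
 int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
 secp256k1_scalar sk;
 secp256k1_scalar e;
 secp256k1_scalar k;
 secp256k1_gej rj;
 secp256k1_ge pk;
 secp256k1_ge r;
-secp256k1_sha256 sha;
 unsigned char buf[32] = { 0 };
 unsigned char pk_buf[32];
 unsigned char seckey[32];
@@ -159,16 +174,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64
 secp256k1_fe_normalize_var(&r.x);
 secp256k1_fe_get_b32(&sig64[0], &r.x);
 
-/* tagged hash(r.x, pk.x, msg32) */
-secp256k1_schnorrsig_sha256_tagged(&sha);
-secp256k1_sha256_write(&sha, &sig64[0], 32);
-secp256k1_sha256_write(&sha, pk_buf, sizeof(pk_buf));
-secp256k1_sha256_write(&sha, msg32, 32);
-secp256k1_sha256_finalize(&sha, buf);
-
-/* Set scalar e to the challenge hash modulo the curve order as per
-* BIP340. */
-secp256k1_scalar_set_b32(&e, buf, NULL);
+secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf);
 secp256k1_scalar_mul(&e, &e, &sk);
 secp256k1_scalar_add(&e, &e, &k);
 secp256k1_scalar_get_b32(&sig64[32], &e);
@@ -189,7 +195,6 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned cha
 secp256k1_gej pkj;
 secp256k1_fe rx;
 secp256k1_ge r;
-secp256k1_sha256 sha;
 unsigned char buf[32];
 int overflow;
 
@@ -212,13 +217,9 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned cha
 return 0;
 }
 
-secp256k1_schnorrsig_sha256_tagged(&sha);
-secp256k1_sha256_write(&sha, &sig64[0], 32);
+/* Compute e. */
 secp256k1_fe_get_b32(buf, &pk.x);
-secp256k1_sha256_write(&sha, buf, sizeof(buf));
-secp256k1_sha256_write(&sha, msg32, 32);
-secp256k1_sha256_finalize(&sha, buf);
-secp256k1_scalar_set_b32(&e, buf, NULL);
+secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, buf);
 
 /* Compute rj = s*G + (-e)*pkj */
 secp256k1_scalar_negate(&e, &e);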
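Review bot: In secp256k1_schnorrsig_sign, `buf` is no longer overwritten by `secp256k1_sha256_finalize(&sha, buf)`, because the hash output now lands in the helper's own local buffer, so whatever sign wrote into `buf` earlier stays on the stack until the function returns. The code between the two sign hunks is not visible here; if `buf` receives the nonce function's output there, that is secret material which the old code happened to replace with the public challenge hash as a side effect. It would be worth wiping it explicitly together with the function's other secret cleanup, e.g. `memset(buf, 0, sizeof(buf));` or whatever non-elidable clear the project uses. Separately, the helper takes `(e, r32, msg32, pubkey32)` but hashes in the order r, pk, msg, and all three inputs are `const unsigned char *`, so a comment above it such as `/* Hashes r32 || pubkey32 || msg32; each input must be exactly 32 bytes. */` would make a swapped argument at a call site easier to spot.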
