Comments (4)
-
Why does Zengo use
check_sig
to validate the signature?
check_sig
validates the signature with the help of the Rust dependencysecp256k1
, as detailed here: https://docs.rs/secp256k1/latest/secp256k1/. This dependency is a binding to Pieter Wuille’s secp256k1 C library, which finds its use in the Bitcoin network and other related applications. By using a third-party or "official" check, we ensure that the signature is valid in the blockchain afteroutput_signature
. -
Why does the
check_sig
function verify "sig is msg32 || pk[..32]" ?
The code you've pointed to seems to come from thefuzzy_dummy
mod: https://docs.rs/secp256k1-sys/0.4.2/src/secp256k1_sys/lib.rs.html#664. Please note, this module is designed for fuzz testing and isn't used in signing or verification processes. As I mentioned earlier, thesecp256k1
dependency is a binding to a C library, and the verification codes can be found here: https://github.com/rust-bitcoin/rust-secp256k1/blob/7c8270a8506e31731e540fab7ee1abde1f48314e/secp256k1-sys/depend/secp256k1/src/secp256k1.c#L381.
For your demo codes, I think you should adjust thes
to the canonicals
like
let s_tag_bn = Scalar::<Secp256k1>::group_order() - &s_bn;
if s_bn > s_tag_bn {
s = Scalar::<Secp256k1>::from(&s_tag_bn);
}
from multi-party-ecdsa.
I think you might ignore the convention of s
in ECDSA in the cryptocurrency field. Both s
and -s
are valid from the perspective of the algorithm but when s > n/2, where n is the order of the group,
we should adjust s
into -s
i.e. n-s
by convention . This is the Zengo code for your reference:
from multi-party-ecdsa.
I think you might ignore the convention of
s
in ECDSA in the cryptocurrency field. Boths
and-s
are valid from the perspective of the algorithm but whens > n/2, where n is the order of the group,
we should adjusts
into-s
i.e.n-s
by convention . This is the Zengo code for your reference:. Also, these two BIPs are about this issue: https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki#low_s and https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#low-s-values-in-signatures
Thx for the reply, but I am afraid that using low s
by replacing high s
with n-s
is not exactly what I was doubting. As in your reference of ZenGo's code:
Within this function output_signature
, a sub-function verify
is invoked (at
This sub-function verify
is actually the classic verification of ECDSA scheme. This is the code reference:
What I was doubting is the reasons:
(1) Why ZenGo used a second sub-function check_sig
(at
output_signature
(at
)?
This is the code reference for check_sig
:
multi-party-ecdsa/examples/common.rs
Line 192 in 3e711c7
(2) According to my demo, ZenGo's verify
and check_sig
are different in filtering out "invalid" signatures. Apparently, verify
complies with the ECDSA standard while check_sig
doesn't. Digging deeper, I saw that check_sig
invokes this function (https://docs.rs/secp256k1/0.20.0/src/secp256k1/lib.rs.html#813)
#[inline]
pub fn verify(&self, msg: &Message, sig: &Signature, pk: &key::PublicKey) -> Result<(), Error> {
unsafe {
if ffi::secp256k1_ecdsa_verify(self.ctx, sig.as_c_ptr(), msg.as_c_ptr(), pk.as_c_ptr()) == 0 {
Err(Error::IncorrectSignature)
} else {
Ok(())
}
}
}
, which further invokes this one (https://docs.rs/secp256k1-sys/0.4.2/src/secp256k1_sys/lib.rs.html#933):
// ECDSA
/// Verifies that sig is msg32||pk[..32]
pub unsafe fn secp256k1_ecdsa_verify(cx: *const Context,
sig: *const Signature,
msg32: *const c_uchar,
pk: *const PublicKey)
-> c_int {
check_context_flags(cx, SECP256K1_START_VERIFY);
// Actually verify
let sig_sl = slice::from_raw_parts(sig as *const u8, 64);
let msg_sl = slice::from_raw_parts(msg32 as *const u8, 32);
if &sig_sl[..32] == msg_sl && sig_sl[32..] == (*pk).0[0..32] {
1
} else {
0
}
}
As you may see, check_sig
seems to verify "sig is msg32 || pk[..32]". Why?
from multi-party-ecdsa.
- Why does Zengo use
check_sig
to validate the signature?
check_sig
validates the signature with the help of the Rust dependencysecp256k1
, as detailed here: https://docs.rs/secp256k1/latest/secp256k1/. This dependency is a binding to Pieter Wuille’s secp256k1 C library, which finds its use in the Bitcoin network and other related applications. By using a third-party or "official" check, we ensure that the signature is valid in the blockchain afteroutput_signature
.
This does make a lot of sense, considering the wide use of Pieter Wuille’s secp256k1 C library in the Bitcoin network.
- Why does the
check_sig
function verify "sig is msg32 || pk[..32]" ?
The code you've pointed to seems to come from thefuzzy_dummy
mod: https://docs.rs/secp256k1-sys/0.4.2/src/secp256k1_sys/lib.rs.html#664. Please note, this module is designed for fuzz testing and isn't used in signing or verification processes. As I mentioned earlier, thesecp256k1
dependency is a binding to a C library, and the verification codes can be found here: https://github.com/rust-bitcoin/rust-secp256k1/blob/7c8270a8506e31731e540fab7ee1abde1f48314e/secp256k1-sys/depend/secp256k1/src/secp256k1.c#L381.
You are so right about being within the fuzzy_dummy
mod, which I didn't realize previously.
For your demo codes, I think you should adjust the
s
to the canonicals
likelet s_tag_bn = Scalar::<Secp256k1>::group_order() - &s_bn; if s_bn > s_tag_bn { s = Scalar::<Secp256k1>::from(&s_tag_bn); }
This modification from the original s
to the canonical (low) s
in my demo codes has brought a consistent output from all three verifications.
Thank you for your patience and help.
from multi-party-ecdsa.
Related Issues (20)
- No zk proof for N_i HOT 1
- Is there any instructions or examples for verifying the signature (for gg20)? HOT 9
- Is there any instructions or examples for decentralized HD wallet using GG20 ?
- libsecp256k1 allows overflowing signatures HOT 1
- Is it possible and practical to integrate the entire signing role, or `sm_client` to frontend implementation?
- Why did you replace libsecp256k1 with secp256k1?
- Generate PublicKey and sign (ETH,BTC ,...) transactions HOT 3
- Question about the GG20 reference being obsolete
- how to get the final public key from the generated keys HOT 3
- [Feature request] Node.js binding
- How to verify signature generated in blockchain and send transaction using public key generated during key generation process
- how to expand to support starknet curve?
- Is the RFC 6979 can be supported? HOT 2
- Question : How to create "p" and "q" for pailier key pair to satisfy GG18 consideration?
- Question about the limitation of the size of sign message in demo/run.sh
- Public key remains unchanged and the shards are regenerated.
- Error while compiling on Ubuntu and MacOS HOT 2
- GG18 & GG20 Paillier Key Vulnerability
- Build Code Error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from multi-party-ecdsa.