aggsig: signature with (s,r) instead of (r,s)

garyyu commented 6 years ago

https://github.com/mimblewimble/secp256k1-zkp/blob/master/src/modules/aggsig/main_impl.h#L278-L282

    /* finalize */
    secp256k1_scalar_get_b32(sig64, &sec);
    secp256k1_ge_set_gej(&final, &pubnonce_j);
    secp256k1_fe_normalize_var(&final.x);
    secp256k1_fe_get_b32(sig64 + 32, &final.x);

Mark here: we're using (s,r) format for signature, which is not the convention. @yeastplume @jaspervdm Please confirm whether or not we need to correct this?

Conventionally, people stick to (r,s) format for signature. For example:

For ECDSA: https://github.com/bitcoin/bitcoin/blob/master/src/secp256k1/src/ecdsa_impl.h#L194-L197

bip-schnorr: https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

def schnorr_sign(msg, seckey):
k = sha256(seckey.to_bytes(32, byteorder="big") + msg) % n
R = point_mul(G, k)
if jacobi(R[1]) != 1:
    k = n - k
e = sha256(R[0].to_bytes(32, byteorder="big") + bytes_point(point_mul(G, seckey)) + msg) % n
return R[0].to_bytes(32, byteorder="big") + ((k + e * seckey) % n).to_bytes(32, byteorder="big")

Wiki: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
```
7. The signature is the pair (r,s).
```

jaspervdm commented 6 years ago

Sure, sounds good to me. I think we should do this before T4. Will you prepare the PR or do you want me to do it?

garyyu commented 6 years ago

@jaspervdm 😄 very appreciated if you can help to do this. I'm still reading other parts, to make sure we don't need change some consensus breaking things after T4.

garyyu commented 6 years ago

Closed by #31

mimblewimble / secp256k1-zkp

aggsig: signature with (s,r) instead of (r,s) #28