Open james-ray opened 1 year ago
Here is the code in btcec/schnorr/signature.go:
```go
	// Step 12.
	//
	// e = tagged_hash("BIP0340/challenge", bytes(R) || bytes(P) || m) mod n
	var rBytes [32]byte
	r := &R.X
	r.PutBytesUnchecked(rBytes[:]) // rBytes is the x coordinate of R
	pBytes := SerializePubKey(pubKey) // pBytes is the serialized public key
	commitment := chainhash.TaggedHash(
		chainhash.TagBIP0340Challenge, rBytes[:], pBytes, hash, // TagBIP0340Challenge is a fixed constant string; hash is the message digest. commitment is e
	)
	var e btcec.ModNScalar
	if overflow := e.SetBytes((*[32]byte)(commitment)); overflow != 0 {
		k.Zero()
		str := "hash of (r || P || m) too big"
		return nil, signatureError(ecdsa_schnorr.ErrSchnorrHashValue, str)
	}

	// Step 13.
	//
	// s = k + e*d mod n
	s := new(btcec.ModNScalar).Mul2(&e, privKey).Add(&k)
	k.Zero()

	sig := NewSignature(r, s)
```
So, e = Hash(challenge || r || P || m).

Hi, thanks for opening this brilliant project; I really learned a lot from both the thesis and the code. But I have a small question about the implementation of the Schnorr signature part. Would you please help me clarify it?
The signature part:
And the verification part:
But I find that the Schnorr signature should use e = H(m || R), where || stands for concatenation, and s = r + ke. If we use the msg m directly as the e here, the generated sig will not verify. Am I misunderstanding something?