|
28 | 28 | //!
|
29 | 29 | //! let schnorr = Schnorr::<Sha256, Deterministic<Sha256>>::new(Deterministic::<Sha256>::default());
|
30 | 30 | //! // Generate a secret & public key for the party that will blindly sign a message
|
31 |
| -//! let secret = Scalar::random(&mut rand::thread_rng()); |
32 |
| -//! let public_key = g!(secret * G).normalize(); |
| 31 | +//! let mut secret = Scalar::random(&mut rand::thread_rng()); |
| 32 | +//! let (public_key, secret_needs_negation) = g!(secret * G).normalize().into_point_with_even_y(); |
| 33 | +//! secret.conditional_negate(secret_needs_negation); |
33 | 34 | //!
|
34 | 35 | //! // The user wants a single blind signature but must initiate two signing sessions where one will fail.
|
35 | 36 | //! // This is to prevent Wagner attacks where many parallel signing sessions can allow forgery.
|
@@ -119,11 +120,11 @@ use std::vec::Vec;
|
119 | 120 | /// The [`BlindingTweaks`] values (alpha, beta, t) may be negated to ensure even y values.
|
120 | 121 | pub fn create_blinded_values<'a, H: Digest<OutputSize = U32> + Clone, NG>(
|
121 | 122 | nonce: Point<EvenY>,
|
122 |
| - public_key: Point, |
| 123 | + public_key: Point<EvenY>, |
123 | 124 | message: Message,
|
124 | 125 | schnorr: Schnorr<H, NG>,
|
125 | 126 | blinding_tweaks: &mut BlindingTweaks,
|
126 |
| -) -> (Point, Point, Scalar, bool, bool) { |
| 127 | +) -> (Point, Point, Scalar, bool) { |
127 | 128 | let tweaked_pubkey = g!(public_key + blinding_tweaks.t * G)
|
128 | 129 | .normalize()
|
129 | 130 | .mark::<NonZero>()
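Review bot: The doc comment at new line 120 still says alpha, beta and t "may be negated to ensure even y values", but the new signature drops `tweaked_pubkey_needs_negation` and keeps the first return element as a plain `Point` rather than `Point<EvenY>`, so the contract for `t` and for the parity of `tweaked_pubkey` is no longer stated anywhere in the signature. If the tweaked key's parity is no longer adjusted in this function, the comment should say so and name what the remaining bool reports, e.g. `/// Only the blinded nonce's parity is reported (last tuple element); the tweaked public key is returned as computed.` If the tweaked key is still meant to have even y, returning `Point<EvenY>` would let the type system enforce that for callers such as `Blinder::new` instead of relying on the comment. The body of `create_blinded_values` continues past this hunk, so which of these holds cannot be confirmed from here.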
|
@@ -155,7 +156,6 @@ pub fn create_blinded_values<'a, H: Digest<OutputSize = U32> + Clone, NG>(
|
155 | 156 | tweaked_pubkey,
|
156 | 157 | blinded_nonce,
|
157 | 158 | blinded_challenge,
|
158 |
| - tweaked_pubkey_needs_negation, |
159 | 159 | blinded_nonce_needs_negation,
|
160 | 160 | )
|
161 | 161 | }
|
@@ -223,26 +223,21 @@ impl Blinder {
|
223 | 223 | R: RngCore + CryptoRng,
|
224 | 224 | >(
|
225 | 225 | pubnonce: Point<EvenY>,
|
226 |
| - public_key: Point, |
| 226 | + public_key: Point<EvenY>, |
227 | 227 | message: Message,
|
228 | 228 | schnorr: Schnorr<H, NG>,
|
229 | 229 | rng: &mut R,
|
230 | 230 | ) -> Self {
|
231 | 231 | loop {
|
232 | 232 | let mut blinding_tweaks = BlindingTweaks::new(rng);
|
233 |
| - let ( |
234 |
| - tweaked_pubkey, |
235 |
| - blinded_nonce, |
236 |
| - blinded_challenge, |
237 |
| - _pubkey_needs_negation, |
238 |
| - nonce_needs_negation, |
239 |
| - ) = create_blinded_values( |
240 |
| - pubnonce, |
241 |
| - public_key, |
242 |
| - message, |
243 |
| - schnorr.clone(), |
244 |
| - &mut blinding_tweaks, |
245 |
| - ); |
| 233 | + let (tweaked_pubkey, blinded_nonce, blinded_challenge, nonce_needs_negation) = |
| 234 | + create_blinded_values( |
| 235 | + pubnonce, |
| 236 | + public_key, |
| 237 | + message, |
| 238 | + schnorr.clone(), |
| 239 | + &mut blinding_tweaks, |
| 240 | + ); |
246 | 241 |
|
247 | 242 | if !nonce_needs_negation {
|
248 | 243 | break Blinder {
|
@@ -351,8 +346,10 @@ mod test {
|
351 | 346 | let schnorr =
|
352 | 347 | Schnorr::<Sha256, Deterministic<Sha256>>::new(Deterministic::<Sha256>::default());
|
353 | 348 | // Generate a secret & public key for the server that will blindly sign a message
|
354 |
| - let secret = Scalar::random(&mut rand::thread_rng()); |
355 |
| - let public_key = g!(secret * G).normalize(); |
| 349 | + let mut secret = Scalar::random(&mut rand::thread_rng()); |
| 350 | + let (public_key, secret_needs_negation) = |
| 351 | + g!(secret * G).normalize().into_point_with_even_y(); |
| 352 | + secret.conditional_negate(secret_needs_negation); |
356 | 353 |
|
357 | 354 | // The user wants a single blind signature but must initiate two signing sessions where one will fail.
|
358 | 355 | // This is to prevent Wagner attacks where many parallel signing sessions can allow forgery.
|
@@ -431,10 +428,12 @@ mod test {
|
431 | 428 |
|
432 | 429 | proptest! {
|
433 | 430 | #[test]
|
434 |
| - fn blind_sig_prop_test(secret in any::<Scalar>(), mut nonce in any::<Scalar>()) { |
| 431 | + fn blind_sig_prop_test(mut secret in any::<Scalar>(), mut nonce in any::<Scalar>()) { |
435 | 432 | let schnorr = Schnorr::<Sha256, Deterministic<Sha256>>::new(Deterministic::<Sha256>::default());
|
436 | 433 |
|
437 |
| - let public_key = g!(secret * G).normalize(); |
| 434 | + let (public_key, secret_needs_negation) = |
| 435 | + g!(secret * G).normalize().into_point_with_even_y(); |
| 436 | + secret.conditional_negate(secret_needs_negation); |
438 | 437 |
|
439 | 438 | let (pub_nonce, nonce_negated) = g!(nonce * G).normalize().into_point_with_even_y();
|
440 | 439 | nonce.conditional_negate(nonce_negated);
|
|