Changeset View
Changeset View
Standalone View
Standalone View
src/secp256k1/src/modules/schnorr/schnorr_impl.h
| Show All 31 Lines | |||||
| * The signature is (R.x, s). | * The signature is (R.x, s). | ||||
| * | * | ||||
| * Verification: | * Verification: | ||||
| * Inputs: | * Inputs: | ||||
| * 32-byte message m, | * 32-byte message m, | ||||
| * public key point P, | * public key point P, | ||||
| * signature: (32-byte r, scalar s) | * signature: (32-byte r, scalar s) | ||||
| * | * | ||||
| * Signature is invalid if s >= order or r >= p. | * Signature is invalid if s >= n or r >= p. | ||||
| * Compute scalar e = Hash(r || compressed(P) || m) mod n. | * Compute scalar e = Hash(r || compressed(P) || m) mod n. | ||||
| * Option 1 (faster for single verification): | * Option 1 (faster for single verification): | ||||
| * Compute point R = s * G - e * P. | * Compute point R = s * G - e * P. | ||||
| * Reject if R is infinity or R.y is not a quadratic residue. | * Reject if R is infinity or R.y is not a quadratic residue. | ||||
| * Signature is valid if the serialization of R.x equals r. | * Signature is valid if the serialization of R.x equals r. | ||||
| * Option 2 (allows batch validation): | * Option 2 (allows batch validation): | ||||
| * Decompress x coordinate r into point R, with R.y a quadratic residue. | * Decompress x coordinate r into point R, with R.y a quadratic residue. | ||||
| * Reject if R is not on the curve. | * Reject if R is not on the curve. | ||||
| ▲ Show 20 Lines • Show All 156 Lines • Show Last 20 Lines | |||||