
Commit 0e5e083

fix use of tweaked public key
1 parent 6fdd873 commit 0e5e083


1 file changed

+26
-3
lines changed


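--- a/frost-secp256k1-tr/src/lib.rs
+++ b/frost-secp256k1-tr/src/lib.rs
@@ -228,6 +228,17 @@ pub fn tweaked_public_key(
 ProjectivePoint::GENERATOR * tweak(&pk, merkle_root) + pk
 }
 
+/// Creates a real BIP341 tweaked public key by assuming an even y-coordinate.
+pub fn real_tweaked_pubkey(
+public_key: &<<Secp256K1Sha256 as Ciphersuite>::Group as Group>::Element,
+merkle_root: &[u8],
+) -> <<Secp256K1Sha256 as Ciphersuite>::Group as Group>::Element {
+let tweaked_pubkey = tweaked_public_key(public_key, merkle_root);
+AffinePoint::decompact(&tweaked_pubkey.to_affine().x())
+.unwrap()
+.into()
+}
+
 /// Create a BIP341 compliant tweaked secret key
 pub fn tweaked_secret_key(
 secret: <<<Secp256K1Sha256 as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
@@ -325,7 +336,13 @@ impl Ciphersuite for Secp256K1Sha256 {
 verifying_key: &Element<S>,
 ) -> <<Self::Group as Group>::Field as Field>::Scalar {
 let t = tweak(&verifying_key, &[]);
-z + t * challenge.clone().to_scalar()
+let tc = t * challenge.clone().to_scalar();
+let tweaked_pubkey = tweaked_public_key(&verifying_key, &[]);
+if tweaked_pubkey.to_affine().y_is_odd().into() {
+z - tc
+} else {
+z + tc
+}
 }
 
 /// compute tweaked signature_share
@@ -343,7 +360,13 @@ impl Ciphersuite for Secp256K1Sha256 {
 }
 
 let mut kp = key_package.clone();
-if key_package.verifying_key().y_is_odd() {
+let public_key = key_package.verifying_key();
+let pubkey_is_odd = public_key.y_is_odd();
+let tweaked_pubkey_is_odd = tweaked_public_key(public_key.element(), &[])
+.to_affine()
+.y_is_odd()
+.into();
+if pubkey_is_odd != tweaked_pubkey_is_odd {
 kp.negate_signing_share();
 }
 
@@ -354,7 +377,7 @@ impl Ciphersuite for Secp256K1Sha256 {
 fn tweaked_public_key(
 public_key: &<Self::Group as Group>::Element,
 ) -> <Self::Group as Group>::Element {
-tweaked_public_key(public_key, &[])
+real_tweaked_pubkey(public_key, &[])
 }
 
 /// calculate tweaked R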
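Review bot: `real_tweaked_pubkey` (first hunk, `@@ -228`) unwraps the `CtOption` returned by `AffinePoint::decompact`, so a failed lift would panic inside a public library function whose `public_key` and `merkle_root` come from the caller. For the x-coordinate of any finite point on secp256k1 an even-y lift exists, so the panic is presumably unreachable for a valid tweaked key, but the invariant should be stated rather than left implicit: `.expect("x-coordinate of a valid tweaked point always lifts to an even-y point")`. Whether `tweaked_public_key` can ever yield the identity, and what `decompact` does with its x-coordinate in that case, is not visible in this hunk (the body of `tweaked_public_key` starts outside it) — worth confirming. The doc comment could also describe what the function does rather than what it assumes, e.g. `/// Lifts the BIP341 tweaked key to its even-y representative, as BIP340 x-only keys require.` The second and third hunks both derive the tweaked key's parity via `tweaked_public_key(.., &[]).to_affine().y_is_odd()`; a small private helper would keep that parity rule in one place.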
