You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
k = pabtc.secp256k1.Fr(max(1, secrets.randbelow(pabtc.secp256k1.N)))
37
37
R = pabtc.secp256k1.G * k
38
-
r = pabtc.secp256k1.Fr(R.x.x)
39
-
if r.x==0:
38
+
r = pabtc.secp256k1.Fr(R.x.n)
39
+
if r.n==0:
40
40
continue
41
41
s = (m + prikey * r) / k
42
-
if s.x==0:
42
+
if s.n==0:
43
43
continue
44
44
v =0
45
-
if R.y.x&1==1:
45
+
if R.y.n&1==1:
46
46
v |=1
47
-
if R.x.x>= pabtc.secp256k1.N:
47
+
if R.x.n>= pabtc.secp256k1.N:
48
48
v |=2
49
49
return r, s, v
50
+
raiseException('unreachable')
50
51
```
51
52
52
53
You may notice in the code implementation that the signature function not only returns (r, s), but also returns an additional v value. This is the recovery identifier used to determine the signer's public key from the signature. It uses two bits, the lowest bit marks the parity of the y-axis coordinate of c, so that we can uniquely recover the actual value of c based on r in the signature (elliptic curves are symmetric with respect to the x-axis, and each x corresponds to two possible y-values). Another bit is used to verify that the r value has not overflowed, because the range of coordinates of points on the elliptic curve is 0 to P, but in the signature operation we convert the x-coordinate of c to a scalar, which reduces the range to 0 to N, and therefore overflow truncation may occur.
k = pabtc.secp256k1.Fr(max(1, secrets.randbelow(pabtc.secp256k1.N)))
37
37
R = pabtc.secp256k1.G * k
38
-
r = pabtc.secp256k1.Fr(R.x.x)
39
-
if r.x==0:
38
+
r = pabtc.secp256k1.Fr(R.x.n)
39
+
if r.n==0:
40
40
continue
41
41
s = (m + prikey * r) / k
42
-
if s.x==0:
42
+
if s.n==0:
43
43
continue
44
44
v =0
45
-
if R.y.x&1==1:
45
+
if R.y.n&1==1:
46
46
v |=1
47
-
if R.x.x>= pabtc.secp256k1.N:
47
+
if R.x.n>= pabtc.secp256k1.N:
48
48
v |=2
49
49
return r, s, v
50
+
raiseException('unreachable')
50
51
```
51
52
52
53
您可能发现在代码实现上, 签名函数不但返回了 (r, s), 还额外返回了一个 v 值. 这是恢复标识符, 用于从签名中确定签名者的公钥. 它使用了两个标志位, 最低标识位标志 c 的 y 轴坐标的奇偶位, 以便我们可以根据签名中的 r 来唯一还原 c 的实际值(椭圆曲线是关于 x 轴对称的曲线, 每一个 x 都对应两个可能的 y 值). 另一个比特位用于确认 r 值是否发生过溢出, 因为椭圆曲线上的点的坐标范围是 0 到 P, 但在签名运算中我们会将 c 的 x 坐标转换为一个标量, 范围将缩小到 0 到 N, 因此可能会发生溢出截断.
0 commit comments