Module ecdsa_fun::adaptor

Algorithms for ECDSA "adaptor signature" signature encryption.

Adaptor signatures are a kind of signature encryption. Just as you would expect, this means you can't get the signature from the encrypted signature unless you know the decryption key. As you might not necessarily expect, this encryption is one-time, in that anyone who knows the encrypted signature can recover the decryption key from the decrypted signature.

This weird leaking of the decryption key is incredibly useful and has numerous applications in Bitcoin and cryptography more generally.

Synopsis

use ecdsa_fun::{
    adaptor::{Adaptor, EncryptedSignature, HashTranscript},
    fun::{digest::Digest, g, marker::*, nonce, Scalar, G},
};
use rand::rngs::ThreadRng;
use rand_chacha::ChaCha20Rng;
use sha2::Sha256;
// use synthetic nonce generation (preferred)
// Presumably this derives nonces from the hash and mixes in the global RNG;
// confirm against the `nonce` module docs before relying on that property.
type NonceGen = nonce::Synthetic<Sha256, nonce::GlobalRng<ThreadRng>>;
// needed internally to create/verify the DLEQ proof
type Transcript = HashTranscript<Sha256, ChaCha20Rng>;
let adaptor = Adaptor::<Transcript, NonceGen>::default();
// Alice's long-term signing key and the public key Bob verifies against.
let secret_signing_key = Scalar::random(&mut rand::thread_rng());
let verification_key = adaptor.ecdsa.verification_key_for(&secret_signing_key);
// Bob's secret that will be revealed to Alice once the signature is decrypted.
let decryption_key = Scalar::random(&mut rand::thread_rng());
let encryption_key = adaptor.encryption_key_for(&decryption_key);
// The adaptor API takes a 32-byte digest, not the raw message, so hash it first.
let message_hash = {
    let message = "send 1 BTC to Bob";
    let mut message_hash = [0u8; 32];
    let hash = Sha256::default().chain(message);
    message_hash.copy_from_slice(hash.finalize().as_ref());
    message_hash
};

// Alice knows: secret_signing_key, encryption_key
// Bob knows: decryption_key, verification_key

// Alice creates an encrypted signature and sends it to Bob
let encrypted_signature =
    adaptor.encrypted_sign(&secret_signing_key, &encryption_key, &message_hash);

// Bob verifies it and decrypts it.
// The check is made against `encryption_key` as well as `verification_key`,
// which is what ties the encrypted signature to Bob's key (via the DLEQ proof
// mentioned above); Bob should not act on the encrypted signature until it passes.
assert!(adaptor.verify_encrypted_signature(
    &verification_key,
    &encryption_key,
    &message_hash,
    &encrypted_signature
));
// `decrypt_signature` consumes the encrypted signature; the clone keeps a copy
// for the recovery step below.
let signature = adaptor.decrypt_signature(&decryption_key, encrypted_signature.clone());
// Alice recovers the decryption key from the signature
// Note there is no need to call .verify before doing this;
// successful recovery implies it was a valid signature.
// Once `signature` is public, anyone who also holds `encrypted_signature` can
// perform this recovery (see the module description), so the decryption key
// must be treated as disclosed at that point.
match adaptor.recover_decryption_key(&encryption_key, &signature, &encrypted_signature) {
    Some(decryption_key) => println!("Alice got the decryption key {}", decryption_key),
    None => panic!("signature is not the decryption of our original encrypted signature"),
}

Structs

Adaptor
EncryptedSignature

An "encrypted" ECDSA signature A.K.A. adaptor signature.

HashTranscript

A transcript which consists of a hash with fixed length output and a seedable RNG.

Type Definitions

DLEQ