Need examples for:

• decoding an existing key and signing with it
• HDKD once it's merged

also need to make these visible in the godocs.

Add constants for:

• PublicKeySize
• SecretKeySize
• SignatureSize
• ScalarSize

batch verification can be updated to use VarTimeMultiScalarMult instead of constant-time MultiScalarMult. see #40

@ChainSafe/chainsafe-admins thoughts?

create a Keypair type that contains a public and private key. create *Keypair.Sign which uses the public key in the keypair instead of needing to derive it. see #40

this line please double check with go v1.13.7+

github.com/ChainSafe/go-schnorrkel

../../../go/pkg/mod/github.com/!chain!safe/[email protected]/helpers.go:22:18: syntax error: unexpected b00000111 at end of statement
note: module requires Go 1.13

priv, pub, err := schnorrkel.GenerateKeypair()

I use the priv in subkey --inspect --network polkadot priv, but the public key generated by subkey is not the same with the public key generated by code.

Right now, sign and verify won't interoperate with don't fully match the implementation in rust library, since in rust schnorrkel uses the transcript RNG to generate randomness when signing. The Go merlin library we're using doesn't have that yet: see gtank/merlin#2

See:
https://github.com/w3f/schnorrkel/blob/798ab3e0813aa478b520c5cf6dc6e02fd4e07f0a/src/sign.rs#L161
https://github.com/w3f/schnorrkel/blob/798ab3e0813aa478b520c5cf6dc6e02fd4e07f0a/src/context.rs#L153
for the relevant code in schnorrkel.

We are constantly having issues with compiling this lib because of the dependency gopkg.in/yaml.v2
Can we replace it with a github link? The gopkg.in website is always having issues.

#0 12.76 go: gopkg.in/[email protected]: unrecognized import path "gopkg.in/yaml.v2" (parse https://gopkg.in/yaml.v2?go-get=1: no go-import meta tags ())

vendor the dependencies https://golang.org/ref/mod#go-mod-vendor

There are a few issues that currently have "nolint", mostly errcheck and gosec. Address these issues

Implement batch verification of signatures. See https://github.com/w3f/schnorrkel/blob/master/src/batch.rs

the following lines in *PublicKey.Verify can be simplified:

Rp := r255.NewElement()
Rp = Rp.ScalarBaseMult(s.s)
ky := r255.NewElement().ScalarMult(k, p.key)
Rp = Rp.Subtract(Rp, ky)

to:

Rp := r255.NewElement().VarTimeDoubleScalarBaseMult(k, r255.NewElement().Negate(p.key), s.s)

see #40

The code per comments (and manual inspection) uses -B ∑ s_i + ∑ P_i H(R_i || P_i || m_i) + ∑ R_i = 0 as the batch verification equation.

This is wrong and should be -B ∑ z_i s_i + ∑ z_i P_i H(R_i || P_i || m_i) + ∑ z_i R_i = 0, where z_i are uniform random 128-bit scalars.

Need to implement HDKD.
See: https://github.com/w3f/schnorrkel/blob/798ab3e0813aa478b520c5cf6dc6e02fd4e07f0a/src/derive.rs

I've been sitting on these since the last time I filed bugs because they aren't security critical, but I might as well file them so the people that do happen to use this library suffer less.

Annoyances:

• Unlike the Rust implementation, operations that work on merlin transcripts are not side-effect free. Fixing this requires finding a different merlin implementation, or getting the merlin library to implement transcript cloning.
• The documentation for MiniSecretKey.Public should explicitly note that it uses ExpandEd25519, instead of ExpandUniform.

Performance:

• There is a trivial memory/time tradeoff that can be made. Since PublicKey is opaque, there is no reason not to also cache the compressed (byte-encoded) form of the public key, so that further calls to Encode can be omitted (This is why the Rust implementation has a RistrettoBoth type).
• There should be a KeyPair type that contains both the PublicKey and SecretKey. This is both generally more useful, and allows signing without having to do a scalar-basepoint multiply + point compression (The Rust implementation has SecretKey's sign method take a public key, and defines a KeyPair type).
• Verification calculates calculates the R step-by-step using 3 discrete constant time calls (a scalar-basepoint multiply, a scalar multiply, and a subtraction). The ristretto255 library provides VarTimeDoubleScalarBaseMult, use it (Rp := r255.NewElement().VarTimeDoubleScalarBaseMult(k, r255.NewElement().Negate(p.key), s.s) // Rp = -p.key * k + B * s.s).
• When generating random scalars for batch verification, this implementation reads 512-bits from the entropy source, and does a wide reduction for each scalar. It is sufficient to generate 128-bit scalars, reading 128-bits from the entropy source and using FromCanonicalBytes (no reduction).
• Batch verification uses the constant-time MultiScalarMult. VarTimeMultiScalarMult is faster.

// NewMiniSecretKeyFromRaw derives a mini secret key from little-endian encoded raw bytes.
func NewMiniSecretKeyFromRaw(b [32]byte) (*MiniSecretKey, error) {
	s := b
	return &MiniSecretKey{key: s}, nil
}

[snip]

func (s *MiniSecretKey) Decode(in [32]byte) (e error) {
	_, err := NewMiniSecretKeyFromRaw(in)
	return err
}

Unless the intended behavior is to implement a moderately expensive way to obtain a nil error, this should probably be fixed to set the receiver to the decoded mini secret key.

cache compressed (encoded) PublicKey within the struct so *PublicKey.Encode returns the compressed public key, if there is one.

see #40

Need to implement. See: https://github.com/w3f/schnorrkel/blob/798ab3e0813aa478b520c5cf6dc6e02fd4e07f0a/src/vrf.rs
See also: https://eprint.iacr.org/2017/099.pdf