Skip to content

Commit e757665

Browse files
committed
Corrected BIP-340 step numbering in BIP340Signer signing comments, relates to github #2340.
The submitted fix folded the separate rand and k' spec steps into one, over-shifting the R/k and e/sig labels that were already correct; numbering now matches the BIP-340 bullet order.
1 parent f828a0b commit e757665

2 files changed

Lines changed: 4 additions & 3 deletions

File tree

CONTRIBUTORS.html

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -593,6 +593,7 @@
593593
<li>Bernd Pr&uuml;nster (A-SIT Plus) &lt;bernd.pruenster&#064;a-sit.at&gt; - reported lenient ASN.1 UTCTime/GeneralizedTime parsing accepting structurally malformed content, with fuzzing-derived test cases.</li>
594594
<li>rootvector2 &lt;https://github.com/rootvector2&gt; - constant time comparison of membership and confirmation tags in the MLS API. Reported unbounded array allocation in the BKS/UBER keystore load path (OutOfMemoryError DoS from a crafted keystore) and introduction of a capped decompression limit in PGPCompressedData.getDataStream(), both with POC. Original submission creating S/MIME backing temp files with owner-only permissions (PR #2326). Rejecting empty sequences in the X.509 extension parsers whose RFC 5280 syntax is SEQUENCE SIZE (1..MAX) - CRLDistPoint, CertificatePolicies, ExtendedKeyUsage, PolicyMappings, and SubjectDirectoryAttributes (PR #2331).</li>
595595
<li>suraj0208 &lt;https://github.com/suraj0208&gt; - initial work on auto-detecting private key reader (JcaPrivateKeyReader).</li>
596+
<li>liamgilligan &lt;https://github.com/liamgilligan&gt; - noticing the BIP-340 step numbering in the BIP340Signer signing comments was incorrect (PR #2340).</li>
596597
</ul>
597598
</body>
598599
</html>

core/src/main/java/org/bouncycastle/crypto/signers/BIP340Signer.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -206,7 +206,7 @@ private static byte[] sign(ECPrivateKeyParameters privateKey, byte[] m, byte[] a
206206
{
207207
BigInteger n = SECP256K1.getN();
208208

209-
// Step 1: d' = int(sk); fail if d' = 0 or d' >= n.
209+
// Steps 1-2: d' = int(sk); fail if d' = 0 or d' >= n.
210210
BigInteger d = privateKey.getD();
211211
if (d.signum() <= 0 || d.compareTo(n) >= 0)
212212
{
@@ -215,15 +215,15 @@ private static byte[] sign(ECPrivateKeyParameters privateKey, byte[] m, byte[] a
215215

216216
ECMultiplier mult = new FixedPointCombMultiplier();
217217

218-
// Steps 4-5: P = d' * G; d = d' if has_even_y(P) else n - d'.
218+
// Steps 3-4: P = d' * G; d = d' if has_even_y(P) else n - d'.
219219
ECPoint P_pt = mult.multiply(SECP256K1.getG(), d).normalize();
220220
if (!hasEvenY(P_pt))
221221
{
222222
d = n.subtract(d);
223223
}
224224
byte[] pBytes = xBytes(P_pt);
225225

226-
// Steps 6-8: t = bytes(d) XOR H_aux(a); k' = int(H_nonce(t || bytes(P) || m)) mod n; fail if k' = 0.
226+
// Steps 5-8: t = bytes(d) XOR H_aux(a); k' = int(H_nonce(t || bytes(P) || m)) mod n; fail if k' = 0.
227227
byte[] t = BigIntegers.asUnsignedByteArray(X_SIZE, d);
228228
Bytes.xorTo(X_SIZE, taggedHash(TAG_HASH_AUX, auxRand), t);
229229

0 commit comments

Comments
 (0)