From faae91f3fc39ea788ec5d6aca016c34783f4f266 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Tue, 30 Jun 2015 14:15:13 +0930
Subject: [PATCH] Schnorr signature support.
This variation is used by alpha.
Signed-off-by: Rusty Russell
---
 Makefile | 4 ++--
 bitcoin/signature.c | 35 ++++++++++++++++++++++++++++-------
 2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index e72190483..c0381553c 100644
--- a/Makefile
+++ b/Makefile
@@ -3,8 +3,8 @@
 # Needs to have oneof support: Ubuntu vivid's is too old :(
 PROTOCC:=protoc-c
-# Alpha has segregated witness, checksequenceverify
-#FEATURES := -DHAS_CSV=1 -DALPHA_TXSTYLE=1
+# Alpha has checksequenceverify, segregated witness+input-amount-in-sig+confidentual-transactions, schnorr
+#FEATURES := -DHAS_CSV=1 -DALPHA_TXSTYLE=1 -DUSE_SCHNORR=1
 PROGRAMS := test-cli/open-channel test-cli/open-anchor-scriptsigs test-cli/leak-anchor-sigs test-cli/open-commit-sig test-cli/check-commit-sig test-cli/check-anchor-scriptsigs test-cli/get-anchor-depth test-cli/create-steal-tx test-cli/create-commit-spend-tx test-cli/close-channel test-cli/create-close-tx test-cli/update-channel test-cli/update-channel-accept test-cli/update-channel-signature test-cli/update-channel-complete test-cli/create-commit-tx
diff --git a/bitcoin/signature.c b/bitcoin/signature.c
index 9f4fc19fd..0e6ae022b 100644
--- a/bitcoin/signature.c
+++ b/bitcoin/signature.c
@@ -75,9 +75,15 @@ bool sign_hash(const tal_t *ctx, const struct privkey *privkey,
 if (!secpctx)
 return false;
+#ifdef USE_SCHNORR
+ ok = secp256k1_schnorr_sign(secpctx, h->sha.u.u8,
+ (unsigned char *)s,
+ privkey->secret, NULL, NULL);
+#else
 ok = secp256k1_ecdsa_sign_compact(secpctx, h->sha.u.u8, (unsigned char *)s, privkey->secret, NULL, NULL, NULL);
+#endif
 secp256k1_context_destroy(secpctx);
 return ok;
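Review bot: The Schnorr branch in sign_hash writes the library's output straight through `(unsigned char *)s`, which is only safe if struct signature is exactly 64 contiguous bytes with no padding; the definition is not in this diff, so that layout is an assumption here. The Schnorr branch of check_signed_hash in the next hunk reads the struct back through the same cast. The ECDSA path already relied on this, but under USE_SCHNORR the struct's fields no longer hold ECDSA values, so I would add a comment above the call such as `/* Schnorr: fills all 64 bytes of *s; the fields are not ECDSA r/s here. */` and a compile-time size check next to the struct definition. sign_hash starts and ends outside the hunk.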
@@ -132,18 +138,28 @@ static bool check_signed_hash(const struct sha256_double *hash,
 {
 int ret;
 secp256k1_context_t *secpctx;
- u8 der[72];
- size_t der_len;
-
- /* FIXME: secp256k1 missing secp256k1_ecdsa_verify_compact */
- der_len = signature_to_der(der, signature);
 secpctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
 if (!secpctx)
 return false;
- ret = secp256k1_ecdsa_verify(secpctx, hash->sha.u.u8, der, der_len,
- key->key, pubkey_len(key));
+#ifdef USE_SCHNORR
+ ret = secp256k1_schnorr_verify(secpctx, hash->sha.u.u8,
+ (unsigned char *)signature,
+ key->key, pubkey_len(key));
+#else
+ {
+ u8 der[72];
+ size_t der_len;
+
+ /* FIXME: secp256k1 missing secp256k1_ecdsa_verify_compact */
+ der_len = signature_to_der(der, signature);
+
+ ret = secp256k1_ecdsa_verify(secpctx, hash->sha.u.u8,
+ der, der_len,
+ key->key, pubkey_len(key));
+ }
+#endif
 secp256k1_context_destroy(secpctx);
 return ret == 1;
@@ -310,5 +326,10 @@ size_t signature_to_der(u8 der[72], const struct signature *sig)
 /* Signature must have low S value. */
 bool sig_valid(const struct signature *sig)
 {
+#ifdef USE_SCHNORR
+ /* FIXME: Is there some sanity check we can do here? */
+ return true;
+#else
 return (sig->s[0] & 0x80) == 0;
+#endif
 }
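Review bot: In check_signed_hash the DER conversion is now confined to the `#else` branch, but signature_to_der() itself stays compiled under USE_SCHNORR: the last hunk's header shows it defined just above sig_valid, and none of this commit's hunks guard it. No other callers are visible in this diff; if one remains, it would DER-encode Schnorr bytes as though they were ECDSA r and s and emit a well-formed but meaningless signature. I would either wrap the helper in `#ifndef USE_SCHNORR` so a stray use fails at build time, or put a comment on it stating that it is ECDSA-only. The function's full signature and closing brace are outside the hunk.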
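Review bot: Under USE_SCHNORR sig_valid returns true for any 64 bytes, so a caller that uses it to screen a signature received from a peer gets no screening at all, and the comment above the function (`/* Signature must have low S value. */`) no longer describes that branch. Callers are not visible here, so this assumes at least one of them treats a true result as meaningful. Until the FIXME is resolved I would reword the header comment to `/* ECDSA: signature must have low S value. Schnorr: no structural check; only full verification rejects a bad signature. */` so nobody reads sig_valid as validation in Schnorr builds.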