mirror of https://github.com/ethereum/go-ethereum
crypto: add btcec fallback for sign/recover without cgo (#3680)
* vendor: add github.com/btcsuite/btcd/btcec * crypto: add btcec fallback for sign/recover without cgo This commit adds a non-cgo fallback implementation of secp256k1 operations. * crypto, core/vm: remove wrappers for sha256, ripemd160pull/3692/head
Felix Lange
8 years ago
committed by
Jeffrey Wilcke
parent
bf21549faa
commit
9b0af51386
@ -1,56 +0,0 @@ |
||||
// Copyright 2014 The go-ethereum Authors
|
||||
// This file is part of the go-ethereum library.
|
||||
//
|
||||
// The go-ethereum library is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Lesser General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// The go-ethereum library is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Lesser General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Lesser General Public License
|
||||
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
package crypto |
||||
|
||||
import ( |
||||
"bytes" |
||||
"fmt" |
||||
"testing" |
||||
|
||||
"github.com/ethereum/go-ethereum/common" |
||||
) |
||||
|
||||
func TestBox(t *testing.T) { |
||||
prv1 := ToECDSA(common.Hex2Bytes("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f")) |
||||
prv2 := ToECDSA(common.Hex2Bytes("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a")) |
||||
pub2 := ToECDSAPub(common.Hex2Bytes("04bd27a63c91fe3233c5777e6d3d7b39204d398c8f92655947eb5a373d46e1688f022a1632d264725cbc7dc43ee1cfebde42fa0a86d08b55d2acfbb5e9b3b48dc5")) |
||||
|
||||
message := []byte("Hello, world.") |
||||
ct, err := Encrypt(pub2, message) |
||||
if err != nil { |
||||
fmt.Println(err.Error()) |
||||
t.FailNow() |
||||
} |
||||
|
||||
pt, err := Decrypt(prv2, ct) |
||||
if err != nil { |
||||
fmt.Println(err.Error()) |
||||
t.FailNow() |
||||
} |
||||
|
||||
if !bytes.Equal(pt, message) { |
||||
fmt.Println("ecies: plaintext doesn't match message") |
||||
t.FailNow() |
||||
} |
||||
|
||||
_, err = Decrypt(prv1, pt) |
||||
if err == nil { |
||||
fmt.Println("ecies: encryption should not have succeeded") |
||||
t.FailNow() |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,64 @@ |
||||
// Copyright 2016 The go-ethereum Authors
|
||||
// This file is part of the go-ethereum library.
|
||||
//
|
||||
// The go-ethereum library is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Lesser General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// The go-ethereum library is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Lesser General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Lesser General Public License
|
||||
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
// +build !nacl,!js,!nocgo
|
||||
|
||||
package crypto |
||||
|
||||
import ( |
||||
"crypto/ecdsa" |
||||
"crypto/elliptic" |
||||
"fmt" |
||||
|
||||
"github.com/ethereum/go-ethereum/common" |
||||
"github.com/ethereum/go-ethereum/crypto/secp256k1" |
||||
) |
||||
|
||||
func Ecrecover(hash, sig []byte) ([]byte, error) { |
||||
return secp256k1.RecoverPubkey(hash, sig) |
||||
} |
||||
|
||||
func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { |
||||
s, err := Ecrecover(hash, sig) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
|
||||
x, y := elliptic.Unmarshal(S256(), s) |
||||
return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil |
||||
} |
||||
|
||||
// Sign calculates an ECDSA signature.
|
||||
//
|
||||
// This function is susceptible to chosen plaintext attacks that can leak
|
||||
// information about the private key that is used for signing. Callers must
|
||||
// be aware that the given hash cannot be chosen by an adversery. Common
|
||||
// solution is to hash any input before calculating the signature.
|
||||
//
|
||||
// The produced signature is in the [R || S || V] format where V is 0 or 1.
|
||||
func Sign(hash []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) { |
||||
if len(hash) != 32 { |
||||
return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash)) |
||||
} |
||||
seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8) |
||||
defer zeroBytes(seckey) |
||||
return secp256k1.Sign(hash, seckey) |
||||
} |
||||
|
||||
// S256 returns an instance of the secp256k1 curve.
|
||||
func S256() elliptic.Curve { |
||||
return secp256k1.S256() |
||||
} |
||||
@ -0,0 +1,77 @@ |
||||
// Copyright 2016 The go-ethereum Authors
|
||||
// This file is part of the go-ethereum library.
|
||||
//
|
||||
// The go-ethereum library is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Lesser General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// The go-ethereum library is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Lesser General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Lesser General Public License
|
||||
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
// +build nacl js nocgo
|
||||
|
||||
package crypto |
||||
|
||||
import ( |
||||
"crypto/ecdsa" |
||||
"crypto/elliptic" |
||||
"fmt" |
||||
|
||||
"github.com/btcsuite/btcd/btcec" |
||||
) |
||||
|
||||
func Ecrecover(hash, sig []byte) ([]byte, error) { |
||||
pub, err := SigToPub(hash, sig) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
bytes := (*btcec.PublicKey)(pub).SerializeUncompressed() |
||||
return bytes, err |
||||
} |
||||
|
||||
func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { |
||||
// Convert to btcec input format with 'recovery id' v at the beginning.
|
||||
btcsig := make([]byte, 65) |
||||
btcsig[0] = sig[64] + 27 |
||||
copy(btcsig[1:], sig) |
||||
|
||||
pub, _, err := btcec.RecoverCompact(btcec.S256(), btcsig, hash) |
||||
return (*ecdsa.PublicKey)(pub), err |
||||
} |
||||
|
||||
// Sign calculates an ECDSA signature.
|
||||
//
|
||||
// This function is susceptible to chosen plaintext attacks that can leak
|
||||
// information about the private key that is used for signing. Callers must
|
||||
// be aware that the given hash cannot be chosen by an adversery. Common
|
||||
// solution is to hash any input before calculating the signature.
|
||||
//
|
||||
// The produced signature is in the [R || S || V] format where V is 0 or 1.
|
||||
func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) { |
||||
if len(hash) != 32 { |
||||
return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash)) |
||||
} |
||||
if prv.Curve != btcec.S256() { |
||||
return nil, fmt.Errorf("private key curve is not secp256k1") |
||||
} |
||||
sig, err := btcec.SignCompact(btcec.S256(), (*btcec.PrivateKey)(prv), hash, false) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
// Convert to Ethereum signature format with 'recovery id' v at the end.
|
||||
v := sig[0] - 27 |
||||
copy(sig, sig[1:]) |
||||
sig[64] = v |
||||
return sig, nil |
||||
} |
||||
|
||||
// S256 returns an instance of the secp256k1 curve.
|
||||
func S256() elliptic.Curve { |
||||
return btcec.S256() |
||||
} |
||||
@ -0,0 +1,16 @@ |
||||
ISC License |
||||
|
||||
Copyright (c) 2013-2017 The btcsuite developers |
||||
Copyright (c) 2015-2016 The Decred developers |
||||
|
||||
Permission to use, copy, modify, and distribute this software for any |
||||
purpose with or without fee is hereby granted, provided that the above |
||||
copyright notice and this permission notice appear in all copies. |
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
||||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
||||
@ -0,0 +1,74 @@ |
||||
btcec |
||||
===== |
||||
|
||||
[] |
||||
(https://travis-ci.org/btcsuite/btcec) [![ISC License] |
||||
(http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org) |
||||
[] |
||||
(http://godoc.org/github.com/btcsuite/btcd/btcec) |
||||
|
||||
Package btcec implements elliptic curve cryptography needed for working with |
||||
Bitcoin (secp256k1 only for now). It is designed so that it may be used with the |
||||
standard crypto/ecdsa packages provided with go. A comprehensive suite of test |
||||
is provided to ensure proper functionality. Package btcec was originally based |
||||
on work from ThePiachu which is licensed under the same terms as Go, but it has |
||||
signficantly diverged since then. The btcsuite developers original is licensed |
||||
under the liberal ISC license. |
||||
|
||||
Although this package was primarily written for btcd, it has intentionally been |
||||
designed so it can be used as a standalone package for any projects needing to |
||||
use secp256k1 elliptic curve cryptography. |
||||
|
||||
## Installation and Updating |
||||
|
||||
```bash |
||||
$ go get -u github.com/btcsuite/btcd/btcec |
||||
``` |
||||
|
||||
## Examples |
||||
|
||||
* [Sign Message] |
||||
(http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--SignMessage) |
||||
Demonstrates signing a message with a secp256k1 private key that is first |
||||
parsed form raw bytes and serializing the generated signature. |
||||
|
||||
* [Verify Signature] |
||||
(http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--VerifySignature) |
||||
Demonstrates verifying a secp256k1 signature against a public key that is |
||||
first parsed from raw bytes. The signature is also parsed from raw bytes. |
||||
|
||||
* [Encryption] |
||||
(http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--EncryptMessage) |
||||
Demonstrates encrypting a message for a public key that is first parsed from |
||||
raw bytes, then decrypting it using the corresponding private key. |
||||
|
||||
* [Decryption] |
||||
(http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--DecryptMessage) |
||||
Demonstrates decrypting a message using a private key that is first parsed |
||||
from raw bytes. |
||||
|
||||
## GPG Verification Key |
||||
|
||||
All official release tags are signed by Conformal so users can ensure the code |
||||
has not been tampered with and is coming from the btcsuite developers. To |
||||
verify the signature perform the following: |
||||
|
||||
- Download the public key from the Conformal website at |
||||
https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt |
||||
|
||||
- Import the public key into your GPG keyring: |
||||
```bash |
||||
gpg --import GIT-GPG-KEY-conformal.txt |
||||
``` |
||||
|
||||
- Verify the release tag with the following command where `TAG_NAME` is a |
||||
placeholder for the specific tag: |
||||
```bash |
||||
git tag -v TAG_NAME |
||||
``` |
||||
|
||||
## License |
||||
|
||||
Package btcec is licensed under the [copyfree](http://copyfree.org) ISC License |
||||
except for btcec.go and btcec_test.go which is under the same license as Go. |
||||
|
||||
@ -0,0 +1,956 @@ |
||||
// Copyright 2010 The Go Authors. All rights reserved.
|
||||
// Copyright 2011 ThePiachu. All rights reserved.
|
||||
// Copyright 2013-2014 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
// References:
|
||||
// [SECG]: Recommended Elliptic Curve Domain Parameters
|
||||
// http://www.secg.org/sec2-v2.pdf
|
||||
//
|
||||
// [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
|
||||
|
||||
// This package operates, internally, on Jacobian coordinates. For a given
|
||||
// (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1)
|
||||
// where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole
|
||||
// calculation can be performed within the transform (as in ScalarMult and
|
||||
// ScalarBaseMult). But even for Add and Double, it's faster to apply and
|
||||
// reverse the transform than to operate in affine coordinates.
|
||||
|
||||
import ( |
||||
"crypto/elliptic" |
||||
"math/big" |
||||
"sync" |
||||
) |
||||
|
||||
var ( |
||||
// fieldOne is simply the integer 1 in field representation. It is
|
||||
// used to avoid needing to create it multiple times during the internal
|
||||
// arithmetic.
|
||||
fieldOne = new(fieldVal).SetInt(1) |
||||
) |
||||
|
||||
// KoblitzCurve supports a koblitz curve implementation that fits the ECC Curve
|
||||
// interface from crypto/elliptic.
|
||||
type KoblitzCurve struct { |
||||
*elliptic.CurveParams |
||||
q *big.Int |
||||
H int // cofactor of the curve.
|
||||
|
||||
// byteSize is simply the bit size / 8 and is provided for convenience
|
||||
// since it is calculated repeatedly.
|
||||
byteSize int |
||||
|
||||
// bytePoints
|
||||
bytePoints *[32][256][3]fieldVal |
||||
|
||||
// The next 6 values are used specifically for endomorphism
|
||||
// optimizations in ScalarMult.
|
||||
|
||||
// lambda must fulfill lambda^3 = 1 mod N where N is the order of G.
|
||||
lambda *big.Int |
||||
|
||||
// beta must fulfill beta^3 = 1 mod P where P is the prime field of the
|
||||
// curve.
|
||||
beta *fieldVal |
||||
|
||||
// See the EndomorphismVectors in gensecp256k1.go to see how these are
|
||||
// derived.
|
||||
a1 *big.Int |
||||
b1 *big.Int |
||||
a2 *big.Int |
||||
b2 *big.Int |
||||
} |
||||
|
||||
// Params returns the parameters for the curve.
|
||||
func (curve *KoblitzCurve) Params() *elliptic.CurveParams { |
||||
return curve.CurveParams |
||||
} |
||||
|
||||
// bigAffineToField takes an affine point (x, y) as big integers and converts
|
||||
// it to an affine point as field values.
|
||||
func (curve *KoblitzCurve) bigAffineToField(x, y *big.Int) (*fieldVal, *fieldVal) { |
||||
x3, y3 := new(fieldVal), new(fieldVal) |
||||
x3.SetByteSlice(x.Bytes()) |
||||
y3.SetByteSlice(y.Bytes()) |
||||
|
||||
return x3, y3 |
||||
} |
||||
|
||||
// fieldJacobianToBigAffine takes a Jacobian point (x, y, z) as field values and
|
||||
// converts it to an affine point as big integers.
|
||||
func (curve *KoblitzCurve) fieldJacobianToBigAffine(x, y, z *fieldVal) (*big.Int, *big.Int) { |
||||
// Inversions are expensive and both point addition and point doubling
|
||||
// are faster when working with points that have a z value of one. So,
|
||||
// if the point needs to be converted to affine, go ahead and normalize
|
||||
// the point itself at the same time as the calculation is the same.
|
||||
var zInv, tempZ fieldVal |
||||
zInv.Set(z).Inverse() // zInv = Z^-1
|
||||
tempZ.SquareVal(&zInv) // tempZ = Z^-2
|
||||
x.Mul(&tempZ) // X = X/Z^2 (mag: 1)
|
||||
y.Mul(tempZ.Mul(&zInv)) // Y = Y/Z^3 (mag: 1)
|
||||
z.SetInt(1) // Z = 1 (mag: 1)
|
||||
|
||||
// Normalize the x and y values.
|
||||
x.Normalize() |
||||
y.Normalize() |
||||
|
||||
// Convert the field values for the now affine point to big.Ints.
|
||||
x3, y3 := new(big.Int), new(big.Int) |
||||
x3.SetBytes(x.Bytes()[:]) |
||||
y3.SetBytes(y.Bytes()[:]) |
||||
return x3, y3 |
||||
} |
||||
|
||||
// IsOnCurve returns boolean if the point (x,y) is on the curve.
|
||||
// Part of the elliptic.Curve interface. This function differs from the
|
||||
// crypto/elliptic algorithm since a = 0 not -3.
|
||||
func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool { |
||||
// Convert big ints to field values for faster arithmetic.
|
||||
fx, fy := curve.bigAffineToField(x, y) |
||||
|
||||
// Elliptic curve equation for secp256k1 is: y^2 = x^3 + 7
|
||||
y2 := new(fieldVal).SquareVal(fy).Normalize() |
||||
result := new(fieldVal).SquareVal(fx).Mul(fx).AddInt(7).Normalize() |
||||
return y2.Equals(result) |
||||
} |
||||
|
||||
// addZ1AndZ2EqualsOne adds two Jacobian points that are already known to have
|
||||
// z values of 1 and stores the result in (x3, y3, z3). That is to say
|
||||
// (x1, y1, 1) + (x2, y2, 1) = (x3, y3, z3). It performs faster addition than
|
||||
// the generic add routine since less arithmetic is needed due to the ability to
|
||||
// avoid the z value multiplications.
|
||||
func (curve *KoblitzCurve) addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { |
||||
// To compute the point addition efficiently, this implementation splits
|
||||
// the equation into intermediate elements which are used to minimize
|
||||
// the number of field multiplications using the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// H = X2-X1, HH = H^2, I = 4*HH, J = H*I, r = 2*(Y2-Y1), V = X1*I
|
||||
// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = 2*H
|
||||
//
|
||||
// This results in a cost of 4 field multiplications, 2 field squarings,
|
||||
// 6 field additions, and 5 integer multiplications.
|
||||
|
||||
// When the x coordinates are the same for two points on the curve, the
|
||||
// y coordinates either must be the same, in which case it is point
|
||||
// doubling, or they are opposite and the result is the point at
|
||||
// infinity per the group law for elliptic curve cryptography.
|
||||
x1.Normalize() |
||||
y1.Normalize() |
||||
x2.Normalize() |
||||
y2.Normalize() |
||||
if x1.Equals(x2) { |
||||
if y1.Equals(y2) { |
||||
// Since x1 == x2 and y1 == y2, point doubling must be
|
||||
// done, otherwise the addition would end up dividing
|
||||
// by zero.
|
||||
curve.doubleJacobian(x1, y1, z1, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// Since x1 == x2 and y1 == -y2, the sum is the point at
|
||||
// infinity per the group law.
|
||||
x3.SetInt(0) |
||||
y3.SetInt(0) |
||||
z3.SetInt(0) |
||||
return |
||||
} |
||||
|
||||
// Calculate X3, Y3, and Z3 according to the intermediate elements
|
||||
// breakdown above.
|
||||
var h, i, j, r, v fieldVal |
||||
var negJ, neg2V, negX3 fieldVal |
||||
h.Set(x1).Negate(1).Add(x2) // H = X2-X1 (mag: 3)
|
||||
i.SquareVal(&h).MulInt(4) // I = 4*H^2 (mag: 4)
|
||||
j.Mul2(&h, &i) // J = H*I (mag: 1)
|
||||
r.Set(y1).Negate(1).Add(y2).MulInt(2) // r = 2*(Y2-Y1) (mag: 6)
|
||||
v.Mul2(x1, &i) // V = X1*I (mag: 1)
|
||||
negJ.Set(&j).Negate(1) // negJ = -J (mag: 2)
|
||||
neg2V.Set(&v).MulInt(2).Negate(2) // neg2V = -(2*V) (mag: 3)
|
||||
x3.Set(&r).Square().Add(&negJ).Add(&neg2V) // X3 = r^2-J-2*V (mag: 6)
|
||||
negX3.Set(x3).Negate(6) // negX3 = -X3 (mag: 7)
|
||||
j.Mul(y1).MulInt(2).Negate(2) // J = -(2*Y1*J) (mag: 3)
|
||||
y3.Set(&v).Add(&negX3).Mul(&r).Add(&j) // Y3 = r*(V-X3)-2*Y1*J (mag: 4)
|
||||
z3.Set(&h).MulInt(2) // Z3 = 2*H (mag: 6)
|
||||
|
||||
// Normalize the resulting field values to a magnitude of 1 as needed.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
z3.Normalize() |
||||
} |
||||
|
||||
// addZ1EqualsZ2 adds two Jacobian points that are already known to have the
|
||||
// same z value and stores the result in (x3, y3, z3). That is to say
|
||||
// (x1, y1, z1) + (x2, y2, z1) = (x3, y3, z3). It performs faster addition than
|
||||
// the generic add routine since less arithmetic is needed due to the known
|
||||
// equivalence.
|
||||
func (curve *KoblitzCurve) addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { |
||||
// To compute the point addition efficiently, this implementation splits
|
||||
// the equation into intermediate elements which are used to minimize
|
||||
// the number of field multiplications using a slightly modified version
|
||||
// of the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// A = X2-X1, B = A^2, C=Y2-Y1, D = C^2, E = X1*B, F = X2*B
|
||||
// X3 = D-E-F, Y3 = C*(E-X3)-Y1*(F-E), Z3 = Z1*A
|
||||
//
|
||||
// This results in a cost of 5 field multiplications, 2 field squarings,
|
||||
// 9 field additions, and 0 integer multiplications.
|
||||
|
||||
// When the x coordinates are the same for two points on the curve, the
|
||||
// y coordinates either must be the same, in which case it is point
|
||||
// doubling, or they are opposite and the result is the point at
|
||||
// infinity per the group law for elliptic curve cryptography.
|
||||
x1.Normalize() |
||||
y1.Normalize() |
||||
x2.Normalize() |
||||
y2.Normalize() |
||||
if x1.Equals(x2) { |
||||
if y1.Equals(y2) { |
||||
// Since x1 == x2 and y1 == y2, point doubling must be
|
||||
// done, otherwise the addition would end up dividing
|
||||
// by zero.
|
||||
curve.doubleJacobian(x1, y1, z1, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// Since x1 == x2 and y1 == -y2, the sum is the point at
|
||||
// infinity per the group law.
|
||||
x3.SetInt(0) |
||||
y3.SetInt(0) |
||||
z3.SetInt(0) |
||||
return |
||||
} |
||||
|
||||
// Calculate X3, Y3, and Z3 according to the intermediate elements
|
||||
// breakdown above.
|
||||
var a, b, c, d, e, f fieldVal |
||||
var negX1, negY1, negE, negX3 fieldVal |
||||
negX1.Set(x1).Negate(1) // negX1 = -X1 (mag: 2)
|
||||
negY1.Set(y1).Negate(1) // negY1 = -Y1 (mag: 2)
|
||||
a.Set(&negX1).Add(x2) // A = X2-X1 (mag: 3)
|
||||
b.SquareVal(&a) // B = A^2 (mag: 1)
|
||||
c.Set(&negY1).Add(y2) // C = Y2-Y1 (mag: 3)
|
||||
d.SquareVal(&c) // D = C^2 (mag: 1)
|
||||
e.Mul2(x1, &b) // E = X1*B (mag: 1)
|
||||
negE.Set(&e).Negate(1) // negE = -E (mag: 2)
|
||||
f.Mul2(x2, &b) // F = X2*B (mag: 1)
|
||||
x3.Add2(&e, &f).Negate(3).Add(&d) // X3 = D-E-F (mag: 5)
|
||||
negX3.Set(x3).Negate(5).Normalize() // negX3 = -X3 (mag: 1)
|
||||
y3.Set(y1).Mul(f.Add(&negE)).Negate(3) // Y3 = -(Y1*(F-E)) (mag: 4)
|
||||
y3.Add(e.Add(&negX3).Mul(&c)) // Y3 = C*(E-X3)+Y3 (mag: 5)
|
||||
z3.Mul2(z1, &a) // Z3 = Z1*A (mag: 1)
|
||||
|
||||
// Normalize the resulting field values to a magnitude of 1 as needed.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
} |
||||
|
||||
// addZ2EqualsOne adds two Jacobian points when the second point is already
|
||||
// known to have a z value of 1 (and the z value for the first point is not 1)
|
||||
// and stores the result in (x3, y3, z3). That is to say (x1, y1, z1) +
|
||||
// (x2, y2, 1) = (x3, y3, z3). It performs faster addition than the generic
|
||||
// add routine since less arithmetic is needed due to the ability to avoid
|
||||
// multiplications by the second point's z value.
|
||||
func (curve *KoblitzCurve) addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { |
||||
// To compute the point addition efficiently, this implementation splits
|
||||
// the equation into intermediate elements which are used to minimize
|
||||
// the number of field multiplications using the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// Z1Z1 = Z1^2, U2 = X2*Z1Z1, S2 = Y2*Z1*Z1Z1, H = U2-X1, HH = H^2,
|
||||
// I = 4*HH, J = H*I, r = 2*(S2-Y1), V = X1*I
|
||||
// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = (Z1+H)^2-Z1Z1-HH
|
||||
//
|
||||
// This results in a cost of 7 field multiplications, 4 field squarings,
|
||||
// 9 field additions, and 4 integer multiplications.
|
||||
|
||||
// When the x coordinates are the same for two points on the curve, the
|
||||
// y coordinates either must be the same, in which case it is point
|
||||
// doubling, or they are opposite and the result is the point at
|
||||
// infinity per the group law for elliptic curve cryptography. Since
|
||||
// any number of Jacobian coordinates can represent the same affine
|
||||
// point, the x and y values need to be converted to like terms. Due to
|
||||
// the assumption made for this function that the second point has a z
|
||||
// value of 1 (z2=1), the first point is already "converted".
|
||||
var z1z1, u2, s2 fieldVal |
||||
x1.Normalize() |
||||
y1.Normalize() |
||||
z1z1.SquareVal(z1) // Z1Z1 = Z1^2 (mag: 1)
|
||||
u2.Set(x2).Mul(&z1z1).Normalize() // U2 = X2*Z1Z1 (mag: 1)
|
||||
s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1)
|
||||
if x1.Equals(&u2) { |
||||
if y1.Equals(&s2) { |
||||
// Since x1 == x2 and y1 == y2, point doubling must be
|
||||
// done, otherwise the addition would end up dividing
|
||||
// by zero.
|
||||
curve.doubleJacobian(x1, y1, z1, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// Since x1 == x2 and y1 == -y2, the sum is the point at
|
||||
// infinity per the group law.
|
||||
x3.SetInt(0) |
||||
y3.SetInt(0) |
||||
z3.SetInt(0) |
||||
return |
||||
} |
||||
|
||||
// Calculate X3, Y3, and Z3 according to the intermediate elements
|
||||
// breakdown above.
|
||||
var h, hh, i, j, r, rr, v fieldVal |
||||
var negX1, negY1, negX3 fieldVal |
||||
negX1.Set(x1).Negate(1) // negX1 = -X1 (mag: 2)
|
||||
h.Add2(&u2, &negX1) // H = U2-X1 (mag: 3)
|
||||
hh.SquareVal(&h) // HH = H^2 (mag: 1)
|
||||
i.Set(&hh).MulInt(4) // I = 4 * HH (mag: 4)
|
||||
j.Mul2(&h, &i) // J = H*I (mag: 1)
|
||||
negY1.Set(y1).Negate(1) // negY1 = -Y1 (mag: 2)
|
||||
r.Set(&s2).Add(&negY1).MulInt(2) // r = 2*(S2-Y1) (mag: 6)
|
||||
rr.SquareVal(&r) // rr = r^2 (mag: 1)
|
||||
v.Mul2(x1, &i) // V = X1*I (mag: 1)
|
||||
x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4)
|
||||
x3.Add(&rr) // X3 = r^2+X3 (mag: 5)
|
||||
negX3.Set(x3).Negate(5) // negX3 = -X3 (mag: 6)
|
||||
y3.Set(y1).Mul(&j).MulInt(2).Negate(2) // Y3 = -(2*Y1*J) (mag: 3)
|
||||
y3.Add(v.Add(&negX3).Mul(&r)) // Y3 = r*(V-X3)+Y3 (mag: 4)
|
||||
z3.Add2(z1, &h).Square() // Z3 = (Z1+H)^2 (mag: 1)
|
||||
z3.Add(z1z1.Add(&hh).Negate(2)) // Z3 = Z3-(Z1Z1+HH) (mag: 4)
|
||||
|
||||
// Normalize the resulting field values to a magnitude of 1 as needed.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
z3.Normalize() |
||||
} |
||||
|
||||
// addGeneric adds two Jacobian points (x1, y1, z1) and (x2, y2, z2) without any
|
||||
// assumptions about the z values of the two points and stores the result in
|
||||
// (x3, y3, z3). That is to say (x1, y1, z1) + (x2, y2, z2) = (x3, y3, z3). It
|
||||
// is the slowest of the add routines due to requiring the most arithmetic.
|
||||
func (curve *KoblitzCurve) addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) { |
||||
// To compute the point addition efficiently, this implementation splits
|
||||
// the equation into intermediate elements which are used to minimize
|
||||
// the number of field multiplications using the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// Z1Z1 = Z1^2, Z2Z2 = Z2^2, U1 = X1*Z2Z2, U2 = X2*Z1Z1, S1 = Y1*Z2*Z2Z2
|
||||
// S2 = Y2*Z1*Z1Z1, H = U2-U1, I = (2*H)^2, J = H*I, r = 2*(S2-S1)
|
||||
// V = U1*I
|
||||
// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*S1*J, Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H
|
||||
//
|
||||
// This results in a cost of 11 field multiplications, 5 field squarings,
|
||||
// 9 field additions, and 4 integer multiplications.
|
||||
|
||||
// When the x coordinates are the same for two points on the curve, the
|
||||
// y coordinates either must be the same, in which case it is point
|
||||
// doubling, or they are opposite and the result is the point at
|
||||
// infinity. Since any number of Jacobian coordinates can represent the
|
||||
// same affine point, the x and y values need to be converted to like
|
||||
// terms.
|
||||
var z1z1, z2z2, u1, u2, s1, s2 fieldVal |
||||
z1z1.SquareVal(z1) // Z1Z1 = Z1^2 (mag: 1)
|
||||
z2z2.SquareVal(z2) // Z2Z2 = Z2^2 (mag: 1)
|
||||
u1.Set(x1).Mul(&z2z2).Normalize() // U1 = X1*Z2Z2 (mag: 1)
|
||||
u2.Set(x2).Mul(&z1z1).Normalize() // U2 = X2*Z1Z1 (mag: 1)
|
||||
s1.Set(y1).Mul(&z2z2).Mul(z2).Normalize() // S1 = Y1*Z2*Z2Z2 (mag: 1)
|
||||
s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1)
|
||||
if u1.Equals(&u2) { |
||||
if s1.Equals(&s2) { |
||||
// Since x1 == x2 and y1 == y2, point doubling must be
|
||||
// done, otherwise the addition would end up dividing
|
||||
// by zero.
|
||||
curve.doubleJacobian(x1, y1, z1, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// Since x1 == x2 and y1 == -y2, the sum is the point at
|
||||
// infinity per the group law.
|
||||
x3.SetInt(0) |
||||
y3.SetInt(0) |
||||
z3.SetInt(0) |
||||
return |
||||
} |
||||
|
||||
// Calculate X3, Y3, and Z3 according to the intermediate elements
|
||||
// breakdown above.
|
||||
var h, i, j, r, rr, v fieldVal |
||||
var negU1, negS1, negX3 fieldVal |
||||
negU1.Set(&u1).Negate(1) // negU1 = -U1 (mag: 2)
|
||||
h.Add2(&u2, &negU1) // H = U2-U1 (mag: 3)
|
||||
i.Set(&h).MulInt(2).Square() // I = (2*H)^2 (mag: 2)
|
||||
j.Mul2(&h, &i) // J = H*I (mag: 1)
|
||||
negS1.Set(&s1).Negate(1) // negS1 = -S1 (mag: 2)
|
||||
r.Set(&s2).Add(&negS1).MulInt(2) // r = 2*(S2-S1) (mag: 6)
|
||||
rr.SquareVal(&r) // rr = r^2 (mag: 1)
|
||||
v.Mul2(&u1, &i) // V = U1*I (mag: 1)
|
||||
x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4)
|
||||
x3.Add(&rr) // X3 = r^2+X3 (mag: 5)
|
||||
negX3.Set(x3).Negate(5) // negX3 = -X3 (mag: 6)
|
||||
y3.Mul2(&s1, &j).MulInt(2).Negate(2) // Y3 = -(2*S1*J) (mag: 3)
|
||||
y3.Add(v.Add(&negX3).Mul(&r)) // Y3 = r*(V-X3)+Y3 (mag: 4)
|
||||
z3.Add2(z1, z2).Square() // Z3 = (Z1+Z2)^2 (mag: 1)
|
||||
z3.Add(z1z1.Add(&z2z2).Negate(2)) // Z3 = Z3-(Z1Z1+Z2Z2) (mag: 4)
|
||||
z3.Mul(&h) // Z3 = Z3*H (mag: 1)
|
||||
|
||||
// Normalize the resulting field values to a magnitude of 1 as needed.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
} |
||||
|
||||
// addJacobian adds the passed Jacobian points (x1, y1, z1) and (x2, y2, z2)
|
||||
// together and stores the result in (x3, y3, z3).
|
||||
func (curve *KoblitzCurve) addJacobian(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) { |
||||
// A point at infinity is the identity according to the group law for
|
||||
// elliptic curve cryptography. Thus, ∞ + P = P and P + ∞ = P.
|
||||
if (x1.IsZero() && y1.IsZero()) || z1.IsZero() { |
||||
x3.Set(x2) |
||||
y3.Set(y2) |
||||
z3.Set(z2) |
||||
return |
||||
} |
||||
if (x2.IsZero() && y2.IsZero()) || z2.IsZero() { |
||||
x3.Set(x1) |
||||
y3.Set(y1) |
||||
z3.Set(z1) |
||||
return |
||||
} |
||||
|
||||
// Faster point addition can be achieved when certain assumptions are
|
||||
// met. For example, when both points have the same z value, arithmetic
|
||||
// on the z values can be avoided. This section thus checks for these
|
||||
// conditions and calls an appropriate add function which is accelerated
|
||||
// by using those assumptions.
|
||||
z1.Normalize() |
||||
z2.Normalize() |
||||
isZ1One := z1.Equals(fieldOne) |
||||
isZ2One := z2.Equals(fieldOne) |
||||
switch { |
||||
case isZ1One && isZ2One: |
||||
curve.addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3) |
||||
return |
||||
case z1.Equals(z2): |
||||
curve.addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3) |
||||
return |
||||
case isZ2One: |
||||
curve.addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// None of the above assumptions are true, so fall back to generic
|
||||
// point addition.
|
||||
curve.addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3) |
||||
} |
||||
|
||||
// Add returns the sum of (x1,y1) and (x2,y2). Part of the elliptic.Curve
|
||||
// interface.
|
||||
func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) { |
||||
// A point at infinity is the identity according to the group law for
|
||||
// elliptic curve cryptography. Thus, ∞ + P = P and P + ∞ = P.
|
||||
if x1.Sign() == 0 && y1.Sign() == 0 { |
||||
return x2, y2 |
||||
} |
||||
if x2.Sign() == 0 && y2.Sign() == 0 { |
||||
return x1, y1 |
||||
} |
||||
|
||||
// Convert the affine coordinates from big integers to field values
|
||||
// and do the point addition in Jacobian projective space.
|
||||
fx1, fy1 := curve.bigAffineToField(x1, y1) |
||||
fx2, fy2 := curve.bigAffineToField(x2, y2) |
||||
fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal) |
||||
fOne := new(fieldVal).SetInt(1) |
||||
curve.addJacobian(fx1, fy1, fOne, fx2, fy2, fOne, fx3, fy3, fz3) |
||||
|
||||
// Convert the Jacobian coordinate field values back to affine big
|
||||
// integers.
|
||||
return curve.fieldJacobianToBigAffine(fx3, fy3, fz3) |
||||
} |
||||
|
||||
// doubleZ1EqualsOne performs point doubling on the passed Jacobian point
|
||||
// when the point is already known to have a z value of 1 and stores
|
||||
// the result in (x3, y3, z3). That is to say (x3, y3, z3) = 2*(x1, y1, 1). It
|
||||
// performs faster point doubling than the generic routine since less arithmetic
|
||||
// is needed due to the ability to avoid multiplication by the z value.
|
||||
func (curve *KoblitzCurve) doubleZ1EqualsOne(x1, y1, x3, y3, z3 *fieldVal) { |
||||
// This function uses the assumptions that z1 is 1, thus the point
|
||||
// doubling formulas reduce to:
|
||||
//
|
||||
// X3 = (3*X1^2)^2 - 8*X1*Y1^2
|
||||
// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4
|
||||
// Z3 = 2*Y1
|
||||
//
|
||||
// To compute the above efficiently, this implementation splits the
|
||||
// equation into intermediate elements which are used to minimize the
|
||||
// number of field multiplications in favor of field squarings which
|
||||
// are roughly 35% faster than field multiplications with the current
|
||||
// implementation at the time this was written.
|
||||
//
|
||||
// This uses a slightly modified version of the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C)
|
||||
// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C
|
||||
// Z3 = 2*Y1
|
||||
//
|
||||
// This results in a cost of 1 field multiplication, 5 field squarings,
|
||||
// 6 field additions, and 5 integer multiplications.
|
||||
var a, b, c, d, e, f fieldVal |
||||
z3.Set(y1).MulInt(2) // Z3 = 2*Y1 (mag: 2)
|
||||
a.SquareVal(x1) // A = X1^2 (mag: 1)
|
||||
b.SquareVal(y1) // B = Y1^2 (mag: 1)
|
||||
c.SquareVal(&b) // C = B^2 (mag: 1)
|
||||
b.Add(x1).Square() // B = (X1+B)^2 (mag: 1)
|
||||
d.Set(&a).Add(&c).Negate(2) // D = -(A+C) (mag: 3)
|
||||
d.Add(&b).MulInt(2) // D = 2*(B+D)(mag: 8)
|
||||
e.Set(&a).MulInt(3) // E = 3*A (mag: 3)
|
||||
f.SquareVal(&e) // F = E^2 (mag: 1)
|
||||
x3.Set(&d).MulInt(2).Negate(16) // X3 = -(2*D) (mag: 17)
|
||||
x3.Add(&f) // X3 = F+X3 (mag: 18)
|
||||
f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1)
|
||||
y3.Set(&c).MulInt(8).Negate(8) // Y3 = -(8*C) (mag: 9)
|
||||
y3.Add(f.Mul(&e)) // Y3 = E*F+Y3 (mag: 10)
|
||||
|
||||
// Normalize the field values back to a magnitude of 1.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
z3.Normalize() |
||||
} |
||||
|
||||
// doubleGeneric performs point doubling on the passed Jacobian point without
|
||||
// any assumptions about the z value and stores the result in (x3, y3, z3).
|
||||
// That is to say (x3, y3, z3) = 2*(x1, y1, z1). It is the slowest of the point
|
||||
// doubling routines due to requiring the most arithmetic.
|
||||
func (curve *KoblitzCurve) doubleGeneric(x1, y1, z1, x3, y3, z3 *fieldVal) { |
||||
// Point doubling formula for Jacobian coordinates for the secp256k1
|
||||
// curve:
|
||||
// X3 = (3*X1^2)^2 - 8*X1*Y1^2
|
||||
// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4
|
||||
// Z3 = 2*Y1*Z1
|
||||
//
|
||||
// To compute the above efficiently, this implementation splits the
|
||||
// equation into intermediate elements which are used to minimize the
|
||||
// number of field multiplications in favor of field squarings which
|
||||
// are roughly 35% faster than field multiplications with the current
|
||||
// implementation at the time this was written.
|
||||
//
|
||||
// This uses a slightly modified version of the method shown at:
|
||||
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
|
||||
//
|
||||
// In particular it performs the calculations using the following:
|
||||
// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C)
|
||||
// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C
|
||||
// Z3 = 2*Y1*Z1
|
||||
//
|
||||
// This results in a cost of 1 field multiplication, 5 field squarings,
|
||||
// 6 field additions, and 5 integer multiplications.
|
||||
var a, b, c, d, e, f fieldVal |
||||
z3.Mul2(y1, z1).MulInt(2) // Z3 = 2*Y1*Z1 (mag: 2)
|
||||
a.SquareVal(x1) // A = X1^2 (mag: 1)
|
||||
b.SquareVal(y1) // B = Y1^2 (mag: 1)
|
||||
c.SquareVal(&b) // C = B^2 (mag: 1)
|
||||
b.Add(x1).Square() // B = (X1+B)^2 (mag: 1)
|
||||
d.Set(&a).Add(&c).Negate(2) // D = -(A+C) (mag: 3)
|
||||
d.Add(&b).MulInt(2) // D = 2*(B+D)(mag: 8)
|
||||
e.Set(&a).MulInt(3) // E = 3*A (mag: 3)
|
||||
f.SquareVal(&e) // F = E^2 (mag: 1)
|
||||
x3.Set(&d).MulInt(2).Negate(16) // X3 = -(2*D) (mag: 17)
|
||||
x3.Add(&f) // X3 = F+X3 (mag: 18)
|
||||
f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1)
|
||||
y3.Set(&c).MulInt(8).Negate(8) // Y3 = -(8*C) (mag: 9)
|
||||
y3.Add(f.Mul(&e)) // Y3 = E*F+Y3 (mag: 10)
|
||||
|
||||
// Normalize the field values back to a magnitude of 1.
|
||||
x3.Normalize() |
||||
y3.Normalize() |
||||
z3.Normalize() |
||||
} |
||||
|
||||
// doubleJacobian doubles the passed Jacobian point (x1, y1, z1) and stores the
|
||||
// result in (x3, y3, z3).
|
||||
func (curve *KoblitzCurve) doubleJacobian(x1, y1, z1, x3, y3, z3 *fieldVal) { |
||||
// Doubling a point at infinity is still infinity.
|
||||
if y1.IsZero() || z1.IsZero() { |
||||
x3.SetInt(0) |
||||
y3.SetInt(0) |
||||
z3.SetInt(0) |
||||
return |
||||
} |
||||
|
||||
// Slightly faster point doubling can be achieved when the z value is 1
|
||||
// by avoiding the multiplication on the z value. This section calls
|
||||
// a point doubling function which is accelerated by using that
|
||||
// assumption when possible.
|
||||
if z1.Normalize().Equals(fieldOne) { |
||||
curve.doubleZ1EqualsOne(x1, y1, x3, y3, z3) |
||||
return |
||||
} |
||||
|
||||
// Fall back to generic point doubling which works with arbitrary z
|
||||
// values.
|
||||
curve.doubleGeneric(x1, y1, z1, x3, y3, z3) |
||||
} |
||||
|
||||
// Double returns 2*(x1,y1). Part of the elliptic.Curve interface.
|
||||
func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) { |
||||
if y1.Sign() == 0 { |
||||
return new(big.Int), new(big.Int) |
||||
} |
||||
|
||||
// Convert the affine coordinates from big integers to field values
|
||||
// and do the point doubling in Jacobian projective space.
|
||||
fx1, fy1 := curve.bigAffineToField(x1, y1) |
||||
fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal) |
||||
fOne := new(fieldVal).SetInt(1) |
||||
curve.doubleJacobian(fx1, fy1, fOne, fx3, fy3, fz3) |
||||
|
||||
// Convert the Jacobian coordinate field values back to affine big
|
||||
// integers.
|
||||
return curve.fieldJacobianToBigAffine(fx3, fy3, fz3) |
||||
} |
||||
|
||||
// splitK returns a balanced length-two representation of k and their signs.
|
||||
// This is algorithm 3.74 from [GECC].
|
||||
//
|
||||
// One thing of note about this algorithm is that no matter what c1 and c2 are,
|
||||
// the final equation of k = k1 + k2 * lambda (mod n) will hold. This is
|
||||
// provable mathematically due to how a1/b1/a2/b2 are computed.
|
||||
//
|
||||
// c1 and c2 are chosen to minimize the max(k1,k2).
|
||||
func (curve *KoblitzCurve) splitK(k []byte) ([]byte, []byte, int, int) { |
||||
// All math here is done with big.Int, which is slow.
|
||||
// At some point, it might be useful to write something similar to
|
||||
// fieldVal but for N instead of P as the prime field if this ends up
|
||||
// being a bottleneck.
|
||||
bigIntK := new(big.Int) |
||||
c1, c2 := new(big.Int), new(big.Int) |
||||
tmp1, tmp2 := new(big.Int), new(big.Int) |
||||
k1, k2 := new(big.Int), new(big.Int) |
||||
|
||||
bigIntK.SetBytes(k) |
||||
// c1 = round(b2 * k / n) from step 4.
|
||||
// Rounding isn't really necessary and costs too much, hence skipped
|
||||
c1.Mul(curve.b2, bigIntK) |
||||
c1.Div(c1, curve.N) |
||||
// c2 = round(b1 * k / n) from step 4 (sign reversed to optimize one step)
|
||||
// Rounding isn't really necessary and costs too much, hence skipped
|
||||
c2.Mul(curve.b1, bigIntK) |
||||
c2.Div(c2, curve.N) |
||||
// k1 = k - c1 * a1 - c2 * a2 from step 5 (note c2's sign is reversed)
|
||||
tmp1.Mul(c1, curve.a1) |
||||
tmp2.Mul(c2, curve.a2) |
||||
k1.Sub(bigIntK, tmp1) |
||||
k1.Add(k1, tmp2) |
||||
// k2 = - c1 * b1 - c2 * b2 from step 5 (note c2's sign is reversed)
|
||||
tmp1.Mul(c1, curve.b1) |
||||
tmp2.Mul(c2, curve.b2) |
||||
k2.Sub(tmp2, tmp1) |
||||
|
||||
// Note Bytes() throws out the sign of k1 and k2. This matters
|
||||
// since k1 and/or k2 can be negative. Hence, we pass that
|
||||
// back separately.
|
||||
return k1.Bytes(), k2.Bytes(), k1.Sign(), k2.Sign() |
||||
} |
||||
|
||||
// moduloReduce reduces k from more than 32 bytes to 32 bytes and under. This
|
||||
// is done by doing a simple modulo curve.N. We can do this since G^N = 1 and
|
||||
// thus any other valid point on the elliptic curve has the same order.
|
||||
func (curve *KoblitzCurve) moduloReduce(k []byte) []byte { |
||||
// Since the order of G is curve.N, we can use a much smaller number
|
||||
// by doing modulo curve.N
|
||||
if len(k) > curve.byteSize { |
||||
// Reduce k by performing modulo curve.N.
|
||||
tmpK := new(big.Int).SetBytes(k) |
||||
tmpK.Mod(tmpK, curve.N) |
||||
return tmpK.Bytes() |
||||
} |
||||
|
||||
return k |
||||
} |
||||
|
||||
// NAF takes a positive integer k and returns the Non-Adjacent Form (NAF) as two
|
||||
// byte slices. The first is where 1s will be. The second is where -1s will
|
||||
// be. NAF is convenient in that on average, only 1/3rd of its values are
|
||||
// non-zero. This is algorithm 3.30 from [GECC].
|
||||
//
|
||||
// Essentially, this makes it possible to minimize the number of operations
|
||||
// since the resulting ints returned will be at least 50% 0s.
|
||||
func NAF(k []byte) ([]byte, []byte) { |
||||
// The essence of this algorithm is that whenever we have consecutive 1s
|
||||
// in the binary, we want to put a -1 in the lowest bit and get a bunch
|
||||
// of 0s up to the highest bit of consecutive 1s. This is due to this
|
||||
// identity:
|
||||
// 2^n + 2^(n-1) + 2^(n-2) + ... + 2^(n-k) = 2^(n+1) - 2^(n-k)
|
||||
//
|
||||
// The algorithm thus may need to go 1 more bit than the length of the
|
||||
// bits we actually have, hence bits being 1 bit longer than was
|
||||
// necessary. Since we need to know whether adding will cause a carry,
|
||||
// we go from right-to-left in this addition.
|
||||
var carry, curIsOne, nextIsOne bool |
||||
// these default to zero
|
||||
retPos := make([]byte, len(k)+1) |
||||
retNeg := make([]byte, len(k)+1) |
||||
for i := len(k) - 1; i >= 0; i-- { |
||||
curByte := k[i] |
||||
for j := uint(0); j < 8; j++ { |
||||
curIsOne = curByte&1 == 1 |
||||
if j == 7 { |
||||
if i == 0 { |
||||
nextIsOne = false |
||||
} else { |
||||
nextIsOne = k[i-1]&1 == 1 |
||||
} |
||||
} else { |
||||
nextIsOne = curByte&2 == 2 |
||||
} |
||||
if carry { |
||||
if curIsOne { |
||||
// This bit is 1, so continue to carry
|
||||
// and don't need to do anything.
|
||||
} else { |
||||
// We've hit a 0 after some number of
|
||||
// 1s.
|
||||
if nextIsOne { |
||||
// Start carrying again since
|
||||
// a new sequence of 1s is
|
||||
// starting.
|
||||
retNeg[i+1] += 1 << j |
||||
} else { |
||||
// Stop carrying since 1s have
|
||||
// stopped.
|
||||
carry = false |
||||
retPos[i+1] += 1 << j |
||||
} |
||||
} |
||||
} else if curIsOne { |
||||
if nextIsOne { |
||||
// If this is the start of at least 2
|
||||
// consecutive 1s, set the current one
|
||||
// to -1 and start carrying.
|
||||
retNeg[i+1] += 1 << j |
||||
carry = true |
||||
} else { |
||||
// This is a singleton, not consecutive
|
||||
// 1s.
|
||||
retPos[i+1] += 1 << j |
||||
} |
||||
} |
||||
curByte >>= 1 |
||||
} |
||||
} |
||||
if carry { |
||||
retPos[0] = 1 |
||||
} |
||||
|
||||
return retPos, retNeg |
||||
} |
||||
|
||||
// ScalarMult returns k*(Bx, By) where k is a big endian integer.
|
||||
// Part of the elliptic.Curve interface.
|
||||
func (curve *KoblitzCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) { |
||||
// Point Q = ∞ (point at infinity).
|
||||
qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal) |
||||
|
||||
// Decompose K into k1 and k2 in order to halve the number of EC ops.
|
||||
// See Algorithm 3.74 in [GECC].
|
||||
k1, k2, signK1, signK2 := curve.splitK(curve.moduloReduce(k)) |
||||
|
||||
// The main equation here to remember is:
|
||||
// k * P = k1 * P + k2 * ϕ(P)
|
||||
//
|
||||
// P1 below is P in the equation, P2 below is ϕ(P) in the equation
|
||||
p1x, p1y := curve.bigAffineToField(Bx, By) |
||||
p1yNeg := new(fieldVal).NegateVal(p1y, 1) |
||||
p1z := new(fieldVal).SetInt(1) |
||||
|
||||
// NOTE: ϕ(x,y) = (βx,y). The Jacobian z coordinate is 1, so this math
|
||||
// goes through.
|
||||
p2x := new(fieldVal).Mul2(p1x, curve.beta) |
||||
p2y := new(fieldVal).Set(p1y) |
||||
p2yNeg := new(fieldVal).NegateVal(p2y, 1) |
||||
p2z := new(fieldVal).SetInt(1) |
||||
|
||||
// Flip the positive and negative values of the points as needed
|
||||
// depending on the signs of k1 and k2. As mentioned in the equation
|
||||
// above, each of k1 and k2 are multiplied by the respective point.
|
||||
// Since -k * P is the same thing as k * -P, and the group law for
|
||||
// elliptic curves states that P(x, y) = -P(x, -y), it's faster and
|
||||
// simplifies the code to just make the point negative.
|
||||
if signK1 == -1 { |
||||
p1y, p1yNeg = p1yNeg, p1y |
||||
} |
||||
if signK2 == -1 { |
||||
p2y, p2yNeg = p2yNeg, p2y |
||||
} |
||||
|
||||
// NAF versions of k1 and k2 should have a lot more zeros.
|
||||
//
|
||||
// The Pos version of the bytes contain the +1s and the Neg versions
|
||||
// contain the -1s.
|
||||
k1PosNAF, k1NegNAF := NAF(k1) |
||||
k2PosNAF, k2NegNAF := NAF(k2) |
||||
k1Len := len(k1PosNAF) |
||||
k2Len := len(k2PosNAF) |
||||
|
||||
m := k1Len |
||||
if m < k2Len { |
||||
m = k2Len |
||||
} |
||||
|
||||
// Add left-to-right using the NAF optimization. See algorithm 3.77
|
||||
// from [GECC]. This should be faster overall since there will be a lot
|
||||
// more instances of 0, hence reducing the number of Jacobian additions
|
||||
// at the cost of 1 possible extra doubling.
|
||||
var k1BytePos, k1ByteNeg, k2BytePos, k2ByteNeg byte |
||||
for i := 0; i < m; i++ { |
||||
// Since we're going left-to-right, pad the front with 0s.
|
||||
if i < m-k1Len { |
||||
k1BytePos = 0 |
||||
k1ByteNeg = 0 |
||||
} else { |
||||
k1BytePos = k1PosNAF[i-(m-k1Len)] |
||||
k1ByteNeg = k1NegNAF[i-(m-k1Len)] |
||||
} |
||||
if i < m-k2Len { |
||||
k2BytePos = 0 |
||||
k2ByteNeg = 0 |
||||
} else { |
||||
k2BytePos = k2PosNAF[i-(m-k2Len)] |
||||
k2ByteNeg = k2NegNAF[i-(m-k2Len)] |
||||
} |
||||
|
||||
for j := 7; j >= 0; j-- { |
||||
// Q = 2 * Q
|
||||
curve.doubleJacobian(qx, qy, qz, qx, qy, qz) |
||||
|
||||
if k1BytePos&0x80 == 0x80 { |
||||
curve.addJacobian(qx, qy, qz, p1x, p1y, p1z, |
||||
qx, qy, qz) |
||||
} else if k1ByteNeg&0x80 == 0x80 { |
||||
curve.addJacobian(qx, qy, qz, p1x, p1yNeg, p1z, |
||||
qx, qy, qz) |
||||
} |
||||
|
||||
if k2BytePos&0x80 == 0x80 { |
||||
curve.addJacobian(qx, qy, qz, p2x, p2y, p2z, |
||||
qx, qy, qz) |
||||
} else if k2ByteNeg&0x80 == 0x80 { |
||||
curve.addJacobian(qx, qy, qz, p2x, p2yNeg, p2z, |
||||
qx, qy, qz) |
||||
} |
||||
k1BytePos <<= 1 |
||||
k1ByteNeg <<= 1 |
||||
k2BytePos <<= 1 |
||||
k2ByteNeg <<= 1 |
||||
} |
||||
} |
||||
|
||||
// Convert the Jacobian coordinate field values back to affine big.Ints.
|
||||
return curve.fieldJacobianToBigAffine(qx, qy, qz) |
||||
} |
||||
|
||||
// ScalarBaseMult returns k*G where G is the base point of the group and k is a
|
||||
// big endian integer.
|
||||
// Part of the elliptic.Curve interface.
|
||||
func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) { |
||||
newK := curve.moduloReduce(k) |
||||
diff := len(curve.bytePoints) - len(newK) |
||||
|
||||
// Point Q = ∞ (point at infinity).
|
||||
qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal) |
||||
|
||||
// curve.bytePoints has all 256 byte points for each 8-bit window. The
|
||||
// strategy is to add up the byte points. This is best understood by
|
||||
// expressing k in base-256 which it already sort of is.
|
||||
// Each "digit" in the 8-bit window can be looked up using bytePoints
|
||||
// and added together.
|
||||
for i, byteVal := range newK { |
||||
p := curve.bytePoints[diff+i][byteVal] |
||||
curve.addJacobian(qx, qy, qz, &p[0], &p[1], &p[2], qx, qy, qz) |
||||
} |
||||
return curve.fieldJacobianToBigAffine(qx, qy, qz) |
||||
} |
||||
|
||||
// QPlus1Div4 returns the Q+1/4 constant for the curve for use in calculating
|
||||
// square roots via exponention.
|
||||
func (curve *KoblitzCurve) QPlus1Div4() *big.Int { |
||||
return curve.q |
||||
} |
||||
|
||||
var initonce sync.Once |
||||
var secp256k1 KoblitzCurve |
||||
|
||||
func initAll() { |
||||
initS256() |
||||
} |
||||
|
||||
// fromHex converts the passed hex string into a big integer pointer and will
|
||||
// panic is there is an error. This is only provided for the hard-coded
|
||||
// constants so errors in the source code can bet detected. It will only (and
|
||||
// must only) be called for initialization purposes.
|
||||
func fromHex(s string) *big.Int { |
||||
r, ok := new(big.Int).SetString(s, 16) |
||||
if !ok { |
||||
panic("invalid hex in source file: " + s) |
||||
} |
||||
return r |
||||
} |
||||
|
||||
func initS256() { |
||||
// Curve parameters taken from [SECG] section 2.4.1.
|
||||
secp256k1.CurveParams = new(elliptic.CurveParams) |
||||
secp256k1.P = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F") |
||||
secp256k1.N = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141") |
||||
secp256k1.B = fromHex("0000000000000000000000000000000000000000000000000000000000000007") |
||||
secp256k1.Gx = fromHex("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798") |
||||
secp256k1.Gy = fromHex("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8") |
||||
secp256k1.BitSize = 256 |
||||
secp256k1.H = 1 |
||||
secp256k1.q = new(big.Int).Div(new(big.Int).Add(secp256k1.P, |
||||
big.NewInt(1)), big.NewInt(4)) |
||||
|
||||
// Provided for convenience since this gets computed repeatedly.
|
||||
secp256k1.byteSize = secp256k1.BitSize / 8 |
||||
|
||||
// Deserialize and set the pre-computed table used to accelerate scalar
|
||||
// base multiplication. This is hard-coded data, so any errors are
|
||||
// panics because it means something is wrong in the source code.
|
||||
if err := loadS256BytePoints(); err != nil { |
||||
panic(err) |
||||
} |
||||
|
||||
// Next 6 constants are from Hal Finney's bitcointalk.org post:
|
||||
// https://bitcointalk.org/index.php?topic=3238.msg45565#msg45565
|
||||
// May he rest in peace.
|
||||
//
|
||||
// They have also been independently derived from the code in the
|
||||
// EndomorphismVectors function in gensecp256k1.go.
|
||||
secp256k1.lambda = fromHex("5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72") |
||||
secp256k1.beta = new(fieldVal).SetHex("7AE96A2B657C07106E64479EAC3434E99CF0497512F58995C1396C28719501EE") |
||||
secp256k1.a1 = fromHex("3086D221A7D46BCDE86C90E49284EB15") |
||||
secp256k1.b1 = fromHex("-E4437ED6010E88286F547FA90ABFE4C3") |
||||
secp256k1.a2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8") |
||||
secp256k1.b2 = fromHex("3086D221A7D46BCDE86C90E49284EB15") |
||||
|
||||
// Alternatively, we can use the parameters below, however, they seem
|
||||
// to be about 8% slower.
|
||||
// secp256k1.lambda = fromHex("AC9C52B33FA3CF1F5AD9E3FD77ED9BA4A880B9FC8EC739C2E0CFC810B51283CE")
|
||||
// secp256k1.beta = new(fieldVal).SetHex("851695D49A83F8EF919BB86153CBCB16630FB68AED0A766A3EC693D68E6AFA40")
|
||||
// secp256k1.a1 = fromHex("E4437ED6010E88286F547FA90ABFE4C3")
|
||||
// secp256k1.b1 = fromHex("-3086D221A7D46BCDE86C90E49284EB15")
|
||||
// secp256k1.a2 = fromHex("3086D221A7D46BCDE86C90E49284EB15")
|
||||
// secp256k1.b2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8")
|
||||
} |
||||
|
||||
// S256 returns a Curve which implements secp256k1.
|
||||
func S256() *KoblitzCurve { |
||||
initonce.Do(initAll) |
||||
return &secp256k1 |
||||
} |
||||
@ -0,0 +1,216 @@ |
||||
// Copyright (c) 2015-2016 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
import ( |
||||
"bytes" |
||||
"crypto/aes" |
||||
"crypto/cipher" |
||||
"crypto/hmac" |
||||
"crypto/rand" |
||||
"crypto/sha256" |
||||
"crypto/sha512" |
||||
"errors" |
||||
"io" |
||||
) |
||||
|
||||
var ( |
||||
// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails
|
||||
// during decryption. This happens because of either invalid private key or
|
||||
// corrupt ciphertext.
|
||||
ErrInvalidMAC = errors.New("invalid mac hash") |
||||
|
||||
// errInputTooShort occurs when the input ciphertext to the Decrypt
|
||||
// function is less than 134 bytes long.
|
||||
errInputTooShort = errors.New("ciphertext too short") |
||||
|
||||
// errUnsupportedCurve occurs when the first two bytes of the encrypted
|
||||
// text aren't 0x02CA (= 712 = secp256k1, from OpenSSL).
|
||||
errUnsupportedCurve = errors.New("unsupported curve") |
||||
|
||||
errInvalidXLength = errors.New("invalid X length, must be 32") |
||||
errInvalidYLength = errors.New("invalid Y length, must be 32") |
||||
errInvalidPadding = errors.New("invalid PKCS#7 padding") |
||||
|
||||
// 0x02CA = 714
|
||||
ciphCurveBytes = [2]byte{0x02, 0xCA} |
||||
// 0x20 = 32
|
||||
ciphCoordLength = [2]byte{0x00, 0x20} |
||||
) |
||||
|
||||
// GenerateSharedSecret generates a shared secret based on a private key and a
|
||||
// public key using Diffie-Hellman key exchange (ECDH) (RFC 4753).
|
||||
// RFC5903 Section 9 states we should only return x.
|
||||
func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte { |
||||
x, _ := pubkey.Curve.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes()) |
||||
return x.Bytes() |
||||
} |
||||
|
||||
// Encrypt encrypts data for the target public key using AES-256-CBC. It also
|
||||
// generates a private key (the pubkey of which is also in the output). The only
|
||||
// supported curve is secp256k1. The `structure' that it encodes everything into
|
||||
// is:
|
||||
//
|
||||
// struct {
|
||||
// // Initialization Vector used for AES-256-CBC
|
||||
// IV [16]byte
|
||||
// // Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX +
|
||||
// // len_of_pubkeyY(2) + pubkeyY (curve = 714)
|
||||
// PublicKey [70]byte
|
||||
// // Cipher text
|
||||
// Data []byte
|
||||
// // HMAC-SHA-256 Message Authentication Code
|
||||
// HMAC [32]byte
|
||||
// }
|
||||
//
|
||||
// The primary aim is to ensure byte compatibility with Pyelliptic. Also, refer
|
||||
// to section 5.8.1 of ANSI X9.63 for rationale on this format.
|
||||
func Encrypt(pubkey *PublicKey, in []byte) ([]byte, error) { |
||||
ephemeral, err := NewPrivateKey(S256()) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
ecdhKey := GenerateSharedSecret(ephemeral, pubkey) |
||||
derivedKey := sha512.Sum512(ecdhKey) |
||||
keyE := derivedKey[:32] |
||||
keyM := derivedKey[32:] |
||||
|
||||
paddedIn := addPKCSPadding(in) |
||||
// IV + Curve params/X/Y + padded plaintext/ciphertext + HMAC-256
|
||||
out := make([]byte, aes.BlockSize+70+len(paddedIn)+sha256.Size) |
||||
iv := out[:aes.BlockSize] |
||||
if _, err = io.ReadFull(rand.Reader, iv); err != nil { |
||||
return nil, err |
||||
} |
||||
// start writing public key
|
||||
pb := ephemeral.PubKey().SerializeUncompressed() |
||||
offset := aes.BlockSize |
||||
|
||||
// curve and X length
|
||||
copy(out[offset:offset+4], append(ciphCurveBytes[:], ciphCoordLength[:]...)) |
||||
offset += 4 |
||||
// X
|
||||
copy(out[offset:offset+32], pb[1:33]) |
||||
offset += 32 |
||||
// Y length
|
||||
copy(out[offset:offset+2], ciphCoordLength[:]) |
||||
offset += 2 |
||||
// Y
|
||||
copy(out[offset:offset+32], pb[33:]) |
||||
offset += 32 |
||||
|
||||
// start encryption
|
||||
block, err := aes.NewCipher(keyE) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
mode := cipher.NewCBCEncrypter(block, iv) |
||||
mode.CryptBlocks(out[offset:len(out)-sha256.Size], paddedIn) |
||||
|
||||
// start HMAC-SHA-256
|
||||
hm := hmac.New(sha256.New, keyM) |
||||
hm.Write(out[:len(out)-sha256.Size]) // everything is hashed
|
||||
copy(out[len(out)-sha256.Size:], hm.Sum(nil)) // write checksum
|
||||
|
||||
return out, nil |
||||
} |
||||
|
||||
// Decrypt decrypts data that was encrypted using the Encrypt function.
|
||||
func Decrypt(priv *PrivateKey, in []byte) ([]byte, error) { |
||||
// IV + Curve params/X/Y + 1 block + HMAC-256
|
||||
if len(in) < aes.BlockSize+70+aes.BlockSize+sha256.Size { |
||||
return nil, errInputTooShort |
||||
} |
||||
|
||||
// read iv
|
||||
iv := in[:aes.BlockSize] |
||||
offset := aes.BlockSize |
||||
|
||||
// start reading pubkey
|
||||
if !bytes.Equal(in[offset:offset+2], ciphCurveBytes[:]) { |
||||
return nil, errUnsupportedCurve |
||||
} |
||||
offset += 2 |
||||
|
||||
if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) { |
||||
return nil, errInvalidXLength |
||||
} |
||||
offset += 2 |
||||
|
||||
xBytes := in[offset : offset+32] |
||||
offset += 32 |
||||
|
||||
if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) { |
||||
return nil, errInvalidYLength |
||||
} |
||||
offset += 2 |
||||
|
||||
yBytes := in[offset : offset+32] |
||||
offset += 32 |
||||
|
||||
pb := make([]byte, 65) |
||||
pb[0] = byte(0x04) // uncompressed
|
||||
copy(pb[1:33], xBytes) |
||||
copy(pb[33:], yBytes) |
||||
// check if (X, Y) lies on the curve and create a Pubkey if it does
|
||||
pubkey, err := ParsePubKey(pb, S256()) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
|
||||
// check for cipher text length
|
||||
if (len(in)-aes.BlockSize-offset-sha256.Size)%aes.BlockSize != 0 { |
||||
return nil, errInvalidPadding // not padded to 16 bytes
|
||||
} |
||||
|
||||
// read hmac
|
||||
messageMAC := in[len(in)-sha256.Size:] |
||||
|
||||
// generate shared secret
|
||||
ecdhKey := GenerateSharedSecret(priv, pubkey) |
||||
derivedKey := sha512.Sum512(ecdhKey) |
||||
keyE := derivedKey[:32] |
||||
keyM := derivedKey[32:] |
||||
|
||||
// verify mac
|
||||
hm := hmac.New(sha256.New, keyM) |
||||
hm.Write(in[:len(in)-sha256.Size]) // everything is hashed
|
||||
expectedMAC := hm.Sum(nil) |
||||
if !hmac.Equal(messageMAC, expectedMAC) { |
||||
return nil, ErrInvalidMAC |
||||
} |
||||
|
||||
// start decryption
|
||||
block, err := aes.NewCipher(keyE) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
mode := cipher.NewCBCDecrypter(block, iv) |
||||
// same length as ciphertext
|
||||
plaintext := make([]byte, len(in)-offset-sha256.Size) |
||||
mode.CryptBlocks(plaintext, in[offset:len(in)-sha256.Size]) |
||||
|
||||
return removePKCSPadding(plaintext) |
||||
} |
||||
|
||||
// Implement PKCS#7 padding with block size of 16 (AES block size).
|
||||
|
||||
// addPKCSPadding adds padding to a block of data
|
||||
func addPKCSPadding(src []byte) []byte { |
||||
padding := aes.BlockSize - len(src)%aes.BlockSize |
||||
padtext := bytes.Repeat([]byte{byte(padding)}, padding) |
||||
return append(src, padtext...) |
||||
} |
||||
|
||||
// removePKCSPadding removes padding from data that was added with addPKCSPadding
|
||||
func removePKCSPadding(src []byte) ([]byte, error) { |
||||
length := len(src) |
||||
padLength := int(src[length-1]) |
||||
if padLength > aes.BlockSize || length < aes.BlockSize { |
||||
return nil, errInvalidPadding |
||||
} |
||||
|
||||
return src[:length-padLength], nil |
||||
} |
||||
@ -0,0 +1,21 @@ |
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
/* |
||||
Package btcec implements support for the elliptic curves needed for bitcoin. |
||||
|
||||
Bitcoin uses elliptic curve cryptography using koblitz curves |
||||
(specifically secp256k1) for cryptographic functions. See |
||||
http://www.secg.org/collateral/sec2_final.pdf for details on the
|
||||
standard. |
||||
|
||||
This package provides the data structures and functions implementing the |
||||
crypto/elliptic Curve interface in order to permit using these curves |
||||
with the standard crypto/ecdsa package provided with go. Helper |
||||
functionality is provided to parse signatures and public keys from |
||||
standard formats. It was designed for use with btcd, but should be |
||||
general enough for other uses of elliptic curve crypto. It was originally based |
||||
on some initial work by ThePiachu, but has significantly diverged since then. |
||||
*/ |
||||
package btcec |
||||
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,63 @@ |
||||
// Copyright 2015 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// This file is ignored during the regular build due to the following build tag.
|
||||
// It is called by go generate and used to automatically generate pre-computed
|
||||
// tables used to accelerate operations.
|
||||
// +build ignore
|
||||
|
||||
package main |
||||
|
||||
import ( |
||||
"bytes" |
||||
"compress/zlib" |
||||
"encoding/base64" |
||||
"fmt" |
||||
"log" |
||||
"os" |
||||
|
||||
"github.com/btcsuite/btcd/btcec" |
||||
) |
||||
|
||||
func main() { |
||||
fi, err := os.Create("secp256k1.go") |
||||
if err != nil { |
||||
log.Fatal(err) |
||||
} |
||||
defer fi.Close() |
||||
|
||||
// Compress the serialized byte points.
|
||||
serialized := btcec.S256().SerializedBytePoints() |
||||
var compressed bytes.Buffer |
||||
w := zlib.NewWriter(&compressed) |
||||
if _, err := w.Write(serialized); err != nil { |
||||
fmt.Println(err) |
||||
os.Exit(1) |
||||
} |
||||
w.Close() |
||||
|
||||
// Encode the compressed byte points with base64.
|
||||
encoded := make([]byte, base64.StdEncoding.EncodedLen(compressed.Len())) |
||||
base64.StdEncoding.Encode(encoded, compressed.Bytes()) |
||||
|
||||
fmt.Fprintln(fi, "// Copyright (c) 2015 The btcsuite developers") |
||||
fmt.Fprintln(fi, "// Use of this source code is governed by an ISC") |
||||
fmt.Fprintln(fi, "// license that can be found in the LICENSE file.") |
||||
fmt.Fprintln(fi) |
||||
fmt.Fprintln(fi, "package btcec") |
||||
fmt.Fprintln(fi) |
||||
fmt.Fprintln(fi, "// Auto-generated file (see genprecomps.go)") |
||||
fmt.Fprintln(fi, "// DO NOT EDIT") |
||||
fmt.Fprintln(fi) |
||||
fmt.Fprintf(fi, "var secp256k1BytePoints = %q\n", string(encoded)) |
||||
|
||||
a1, b1, a2, b2 := btcec.S256().EndomorphismVectors() |
||||
fmt.Println("The following values are the computed linearly " + |
||||
"independent vectors needed to make use of the secp256k1 " + |
||||
"endomorphism:") |
||||
fmt.Printf("a1: %x\n", a1) |
||||
fmt.Printf("b1: %x\n", b1) |
||||
fmt.Printf("a2: %x\n", a2) |
||||
fmt.Printf("b2: %x\n", b2) |
||||
} |
||||
@ -0,0 +1,203 @@ |
||||
// Copyright (c) 2014-2015 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// This file is ignored during the regular build due to the following build tag.
|
||||
// This build tag is set during go generate.
|
||||
// +build gensecp256k1
|
||||
|
||||
package btcec |
||||
|
||||
// References:
|
||||
// [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
|
||||
|
||||
import ( |
||||
"encoding/binary" |
||||
"math/big" |
||||
) |
||||
|
||||
// secp256k1BytePoints are dummy points used so the code which generates the
|
||||
// real values can compile.
|
||||
var secp256k1BytePoints = "" |
||||
|
||||
// getDoublingPoints returns all the possible G^(2^i) for i in
|
||||
// 0..n-1 where n is the curve's bit size (256 in the case of secp256k1)
|
||||
// the coordinates are recorded as Jacobian coordinates.
|
||||
func (curve *KoblitzCurve) getDoublingPoints() [][3]fieldVal { |
||||
doublingPoints := make([][3]fieldVal, curve.BitSize) |
||||
|
||||
// initialize px, py, pz to the Jacobian coordinates for the base point
|
||||
px, py := curve.bigAffineToField(curve.Gx, curve.Gy) |
||||
pz := new(fieldVal).SetInt(1) |
||||
for i := 0; i < curve.BitSize; i++ { |
||||
doublingPoints[i] = [3]fieldVal{*px, *py, *pz} |
||||
// P = 2*P
|
||||
curve.doubleJacobian(px, py, pz, px, py, pz) |
||||
} |
||||
return doublingPoints |
||||
} |
||||
|
||||
// SerializedBytePoints returns a serialized byte slice which contains all of
|
||||
// the possible points per 8-bit window. This is used to when generating
|
||||
// secp256k1.go.
|
||||
func (curve *KoblitzCurve) SerializedBytePoints() []byte { |
||||
doublingPoints := curve.getDoublingPoints() |
||||
|
||||
// Segregate the bits into byte-sized windows
|
||||
serialized := make([]byte, curve.byteSize*256*3*10*4) |
||||
offset := 0 |
||||
for byteNum := 0; byteNum < curve.byteSize; byteNum++ { |
||||
// Grab the 8 bits that make up this byte from doublingPoints.
|
||||
startingBit := 8 * (curve.byteSize - byteNum - 1) |
||||
computingPoints := doublingPoints[startingBit : startingBit+8] |
||||
|
||||
// Compute all points in this window and serialize them.
|
||||
for i := 0; i < 256; i++ { |
||||
px, py, pz := new(fieldVal), new(fieldVal), new(fieldVal) |
||||
for j := 0; j < 8; j++ { |
||||
if i>>uint(j)&1 == 1 { |
||||
curve.addJacobian(px, py, pz, &computingPoints[j][0], |
||||
&computingPoints[j][1], &computingPoints[j][2], px, py, pz) |
||||
} |
||||
} |
||||
for i := 0; i < 10; i++ { |
||||
binary.LittleEndian.PutUint32(serialized[offset:], px.n[i]) |
||||
offset += 4 |
||||
} |
||||
for i := 0; i < 10; i++ { |
||||
binary.LittleEndian.PutUint32(serialized[offset:], py.n[i]) |
||||
offset += 4 |
||||
} |
||||
for i := 0; i < 10; i++ { |
||||
binary.LittleEndian.PutUint32(serialized[offset:], pz.n[i]) |
||||
offset += 4 |
||||
} |
||||
} |
||||
} |
||||
|
||||
return serialized |
||||
} |
||||
|
||||
// sqrt returns the square root of the provided big integer using Newton's
|
||||
// method. It's only compiled and used during generation of pre-computed
|
||||
// values, so speed is not a huge concern.
|
||||
func sqrt(n *big.Int) *big.Int { |
||||
// Initial guess = 2^(log_2(n)/2)
|
||||
guess := big.NewInt(2) |
||||
guess.Exp(guess, big.NewInt(int64(n.BitLen()/2)), nil) |
||||
|
||||
// Now refine using Newton's method.
|
||||
big2 := big.NewInt(2) |
||||
prevGuess := big.NewInt(0) |
||||
for { |
||||
prevGuess.Set(guess) |
||||
guess.Add(guess, new(big.Int).Div(n, guess)) |
||||
guess.Div(guess, big2) |
||||
if guess.Cmp(prevGuess) == 0 { |
||||
break |
||||
} |
||||
} |
||||
return guess |
||||
} |
||||
|
||||
// EndomorphismVectors runs the first 3 steps of algorithm 3.74 from [GECC] to
|
||||
// generate the linearly independent vectors needed to generate a balanced
|
||||
// length-two representation of a multiplier such that k = k1 + k2λ (mod N) and
|
||||
// returns them. Since the values will always be the same given the fact that N
|
||||
// and λ are fixed, the final results can be accelerated by storing the
|
||||
// precomputed values with the curve.
|
||||
func (curve *KoblitzCurve) EndomorphismVectors() (a1, b1, a2, b2 *big.Int) { |
||||
bigMinus1 := big.NewInt(-1) |
||||
|
||||
// This section uses an extended Euclidean algorithm to generate a
|
||||
// sequence of equations:
|
||||
// s[i] * N + t[i] * λ = r[i]
|
||||
|
||||
nSqrt := sqrt(curve.N) |
||||
u, v := new(big.Int).Set(curve.N), new(big.Int).Set(curve.lambda) |
||||
x1, y1 := big.NewInt(1), big.NewInt(0) |
||||
x2, y2 := big.NewInt(0), big.NewInt(1) |
||||
q, r := new(big.Int), new(big.Int) |
||||
qu, qx1, qy1 := new(big.Int), new(big.Int), new(big.Int) |
||||
s, t := new(big.Int), new(big.Int) |
||||
ri, ti := new(big.Int), new(big.Int) |
||||
a1, b1, a2, b2 = new(big.Int), new(big.Int), new(big.Int), new(big.Int) |
||||
found, oneMore := false, false |
||||
for u.Sign() != 0 { |
||||
// q = v/u
|
||||
q.Div(v, u) |
||||
|
||||
// r = v - q*u
|
||||
qu.Mul(q, u) |
||||
r.Sub(v, qu) |
||||
|
||||
// s = x2 - q*x1
|
||||
qx1.Mul(q, x1) |
||||
s.Sub(x2, qx1) |
||||
|
||||
// t = y2 - q*y1
|
||||
qy1.Mul(q, y1) |
||||
t.Sub(y2, qy1) |
||||
|
||||
// v = u, u = r, x2 = x1, x1 = s, y2 = y1, y1 = t
|
||||
v.Set(u) |
||||
u.Set(r) |
||||
x2.Set(x1) |
||||
x1.Set(s) |
||||
y2.Set(y1) |
||||
y1.Set(t) |
||||
|
||||
// As soon as the remainder is less than the sqrt of n, the
|
||||
// values of a1 and b1 are known.
|
||||
if !found && r.Cmp(nSqrt) < 0 { |
||||
// When this condition executes ri and ti represent the
|
||||
// r[i] and t[i] values such that i is the greatest
|
||||
// index for which r >= sqrt(n). Meanwhile, the current
|
||||
// r and t values are r[i+1] and t[i+1], respectively.
|
||||
|
||||
// a1 = r[i+1], b1 = -t[i+1]
|
||||
a1.Set(r) |
||||
b1.Mul(t, bigMinus1) |
||||
found = true |
||||
oneMore = true |
||||
|
||||
// Skip to the next iteration so ri and ti are not
|
||||
// modified.
|
||||
continue |
||||
|
||||
} else if oneMore { |
||||
// When this condition executes ri and ti still
|
||||
// represent the r[i] and t[i] values while the current
|
||||
// r and t are r[i+2] and t[i+2], respectively.
|
||||
|
||||
// sum1 = r[i]^2 + t[i]^2
|
||||
rSquared := new(big.Int).Mul(ri, ri) |
||||
tSquared := new(big.Int).Mul(ti, ti) |
||||
sum1 := new(big.Int).Add(rSquared, tSquared) |
||||
|
||||
// sum2 = r[i+2]^2 + t[i+2]^2
|
||||
r2Squared := new(big.Int).Mul(r, r) |
||||
t2Squared := new(big.Int).Mul(t, t) |
||||
sum2 := new(big.Int).Add(r2Squared, t2Squared) |
||||
|
||||
// if (r[i]^2 + t[i]^2) <= (r[i+2]^2 + t[i+2]^2)
|
||||
if sum1.Cmp(sum2) <= 0 { |
||||
// a2 = r[i], b2 = -t[i]
|
||||
a2.Set(ri) |
||||
b2.Mul(ti, bigMinus1) |
||||
} else { |
||||
// a2 = r[i+2], b2 = -t[i+2]
|
||||
a2.Set(r) |
||||
b2.Mul(t, bigMinus1) |
||||
} |
||||
|
||||
// All done.
|
||||
break |
||||
} |
||||
|
||||
ri.Set(r) |
||||
ti.Set(t) |
||||
} |
||||
|
||||
return a1, b1, a2, b2 |
||||
} |
||||
@ -0,0 +1,67 @@ |
||||
// Copyright 2015 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
import ( |
||||
"compress/zlib" |
||||
"encoding/base64" |
||||
"encoding/binary" |
||||
"io/ioutil" |
||||
"strings" |
||||
) |
||||
|
||||
//go:generate go run -tags gensecp256k1 genprecomps.go
|
||||
|
||||
// loadS256BytePoints decompresses and deserializes the pre-computed byte points
|
||||
// used to accelerate scalar base multiplication for the secp256k1 curve. This
|
||||
// approach is used since it allows the compile to use significantly less ram
|
||||
// and be performed much faster than it is with hard-coding the final in-memory
|
||||
// data structure. At the same time, it is quite fast to generate the in-memory
|
||||
// data structure at init time with this approach versus computing the table.
|
||||
func loadS256BytePoints() error { |
||||
// There will be no byte points to load when generating them.
|
||||
bp := secp256k1BytePoints |
||||
if len(bp) == 0 { |
||||
return nil |
||||
} |
||||
|
||||
// Decompress the pre-computed table used to accelerate scalar base
|
||||
// multiplication.
|
||||
decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(bp)) |
||||
r, err := zlib.NewReader(decoder) |
||||
if err != nil { |
||||
return err |
||||
} |
||||
serialized, err := ioutil.ReadAll(r) |
||||
if err != nil { |
||||
return err |
||||
} |
||||
|
||||
// Deserialize the precomputed byte points and set the curve to them.
|
||||
offset := 0 |
||||
var bytePoints [32][256][3]fieldVal |
||||
for byteNum := 0; byteNum < 32; byteNum++ { |
||||
// All points in this window.
|
||||
for i := 0; i < 256; i++ { |
||||
px := &bytePoints[byteNum][i][0] |
||||
py := &bytePoints[byteNum][i][1] |
||||
pz := &bytePoints[byteNum][i][2] |
||||
for i := 0; i < 10; i++ { |
||||
px.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) |
||||
offset += 4 |
||||
} |
||||
for i := 0; i < 10; i++ { |
||||
py.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) |
||||
offset += 4 |
||||
} |
||||
for i := 0; i < 10; i++ { |
||||
pz.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) |
||||
offset += 4 |
||||
} |
||||
} |
||||
} |
||||
secp256k1.bytePoints = &bytePoints |
||||
return nil |
||||
} |
||||
@ -0,0 +1,73 @@ |
||||
// Copyright (c) 2013-2016 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
import ( |
||||
"crypto/ecdsa" |
||||
"crypto/elliptic" |
||||
"crypto/rand" |
||||
"math/big" |
||||
) |
||||
|
||||
// PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing
|
||||
// things with the the private key without having to directly import the ecdsa
|
||||
// package.
|
||||
type PrivateKey ecdsa.PrivateKey |
||||
|
||||
// PrivKeyFromBytes returns a private and public key for `curve' based on the
|
||||
// private key passed as an argument as a byte slice.
|
||||
func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey, |
||||
*PublicKey) { |
||||
x, y := curve.ScalarBaseMult(pk) |
||||
|
||||
priv := &ecdsa.PrivateKey{ |
||||
PublicKey: ecdsa.PublicKey{ |
||||
Curve: curve, |
||||
X: x, |
||||
Y: y, |
||||
}, |
||||
D: new(big.Int).SetBytes(pk), |
||||
} |
||||
|
||||
return (*PrivateKey)(priv), (*PublicKey)(&priv.PublicKey) |
||||
} |
||||
|
||||
// NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey
|
||||
// instead of the normal ecdsa.PrivateKey.
|
||||
func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, error) { |
||||
key, err := ecdsa.GenerateKey(curve, rand.Reader) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
return (*PrivateKey)(key), nil |
||||
} |
||||
|
||||
// PubKey returns the PublicKey corresponding to this private key.
|
||||
func (p *PrivateKey) PubKey() *PublicKey { |
||||
return (*PublicKey)(&p.PublicKey) |
||||
} |
||||
|
||||
// ToECDSA returns the private key as a *ecdsa.PrivateKey.
|
||||
func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey { |
||||
return (*ecdsa.PrivateKey)(p) |
||||
} |
||||
|
||||
// Sign generates an ECDSA signature for the provided hash (which should be the result
|
||||
// of hashing a larger message) using the private key. Produced signature
|
||||
// is deterministic (same message and same key yield the same signature) and canonical
|
||||
// in accordance with RFC6979 and BIP0062.
|
||||
func (p *PrivateKey) Sign(hash []byte) (*Signature, error) { |
||||
return signRFC6979(p, hash) |
||||
} |
||||
|
||||
// PrivKeyBytesLen defines the length in bytes of a serialized private key.
|
||||
const PrivKeyBytesLen = 32 |
||||
|
||||
// Serialize returns the private key number d as a big-endian binary-encoded
|
||||
// number, padded to a length of 32 bytes.
|
||||
func (p *PrivateKey) Serialize() []byte { |
||||
b := make([]byte, 0, PrivKeyBytesLen) |
||||
return paddedAppend(PrivKeyBytesLen, b, p.ToECDSA().D.Bytes()) |
||||
} |
||||
@ -0,0 +1,172 @@ |
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
import ( |
||||
"crypto/ecdsa" |
||||
"errors" |
||||
"fmt" |
||||
"math/big" |
||||
) |
||||
|
||||
// These constants define the lengths of serialized public keys.
|
||||
const ( |
||||
PubKeyBytesLenCompressed = 33 |
||||
PubKeyBytesLenUncompressed = 65 |
||||
PubKeyBytesLenHybrid = 65 |
||||
) |
||||
|
||||
func isOdd(a *big.Int) bool { |
||||
return a.Bit(0) == 1 |
||||
} |
||||
|
||||
// decompressPoint decompresses a point on the given curve given the X point and
|
||||
// the solution to use.
|
||||
func decompressPoint(curve *KoblitzCurve, x *big.Int, ybit bool) (*big.Int, error) { |
||||
// TODO: This will probably only work for secp256k1 due to
|
||||
// optimizations.
|
||||
|
||||
// Y = +-sqrt(x^3 + B)
|
||||
x3 := new(big.Int).Mul(x, x) |
||||
x3.Mul(x3, x) |
||||
x3.Add(x3, curve.Params().B) |
||||
|
||||
// now calculate sqrt mod p of x2 + B
|
||||
// This code used to do a full sqrt based on tonelli/shanks,
|
||||
// but this was replaced by the algorithms referenced in
|
||||
// https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
|
||||
y := new(big.Int).Exp(x3, curve.QPlus1Div4(), curve.Params().P) |
||||
|
||||
if ybit != isOdd(y) { |
||||
y.Sub(curve.Params().P, y) |
||||
} |
||||
if ybit != isOdd(y) { |
||||
return nil, fmt.Errorf("ybit doesn't match oddness") |
||||
} |
||||
return y, nil |
||||
} |
||||
|
||||
const ( |
||||
pubkeyCompressed byte = 0x2 // y_bit + x coord
|
||||
pubkeyUncompressed byte = 0x4 // x coord + y coord
|
||||
pubkeyHybrid byte = 0x6 // y_bit + x coord + y coord
|
||||
) |
||||
|
||||
// ParsePubKey parses a public key for a koblitz curve from a bytestring into a
|
||||
// ecdsa.Publickey, verifying that it is valid. It supports compressed,
|
||||
// uncompressed and hybrid signature formats.
|
||||
func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error) { |
||||
pubkey := PublicKey{} |
||||
pubkey.Curve = curve |
||||
|
||||
if len(pubKeyStr) == 0 { |
||||
return nil, errors.New("pubkey string is empty") |
||||
} |
||||
|
||||
format := pubKeyStr[0] |
||||
ybit := (format & 0x1) == 0x1 |
||||
format &= ^byte(0x1) |
||||
|
||||
switch len(pubKeyStr) { |
||||
case PubKeyBytesLenUncompressed: |
||||
if format != pubkeyUncompressed && format != pubkeyHybrid { |
||||
return nil, fmt.Errorf("invalid magic in pubkey str: "+ |
||||
"%d", pubKeyStr[0]) |
||||
} |
||||
|
||||
pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) |
||||
pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:]) |
||||
// hybrid keys have extra information, make use of it.
|
||||
if format == pubkeyHybrid && ybit != isOdd(pubkey.Y) { |
||||
return nil, fmt.Errorf("ybit doesn't match oddness") |
||||
} |
||||
case PubKeyBytesLenCompressed: |
||||
// format is 0x2 | solution, <X coordinate>
|
||||
// solution determines which solution of the curve we use.
|
||||
/// y^2 = x^3 + Curve.B
|
||||
if format != pubkeyCompressed { |
||||
return nil, fmt.Errorf("invalid magic in compressed "+ |
||||
"pubkey string: %d", pubKeyStr[0]) |
||||
} |
||||
pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) |
||||
pubkey.Y, err = decompressPoint(curve, pubkey.X, ybit) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
default: // wrong!
|
||||
return nil, fmt.Errorf("invalid pub key length %d", |
||||
len(pubKeyStr)) |
||||
} |
||||
|
||||
if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 { |
||||
return nil, fmt.Errorf("pubkey X parameter is >= to P") |
||||
} |
||||
if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 { |
||||
return nil, fmt.Errorf("pubkey Y parameter is >= to P") |
||||
} |
||||
if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) { |
||||
return nil, fmt.Errorf("pubkey isn't on secp256k1 curve") |
||||
} |
||||
return &pubkey, nil |
||||
} |
||||
|
||||
// PublicKey is an ecdsa.PublicKey with additional functions to
|
||||
// serialize in uncompressed, compressed, and hybrid formats.
|
||||
type PublicKey ecdsa.PublicKey |
||||
|
||||
// ToECDSA returns the public key as a *ecdsa.PublicKey.
|
||||
func (p *PublicKey) ToECDSA() *ecdsa.PublicKey { |
||||
return (*ecdsa.PublicKey)(p) |
||||
} |
||||
|
||||
// SerializeUncompressed serializes a public key in a 65-byte uncompressed
|
||||
// format.
|
||||
func (p *PublicKey) SerializeUncompressed() []byte { |
||||
b := make([]byte, 0, PubKeyBytesLenUncompressed) |
||||
b = append(b, pubkeyUncompressed) |
||||
b = paddedAppend(32, b, p.X.Bytes()) |
||||
return paddedAppend(32, b, p.Y.Bytes()) |
||||
} |
||||
|
||||
// SerializeCompressed serializes a public key in a 33-byte compressed format.
|
||||
func (p *PublicKey) SerializeCompressed() []byte { |
||||
b := make([]byte, 0, PubKeyBytesLenCompressed) |
||||
format := pubkeyCompressed |
||||
if isOdd(p.Y) { |
||||
format |= 0x1 |
||||
} |
||||
b = append(b, format) |
||||
return paddedAppend(32, b, p.X.Bytes()) |
||||
} |
||||
|
||||
// SerializeHybrid serializes a public key in a 65-byte hybrid format.
|
||||
func (p *PublicKey) SerializeHybrid() []byte { |
||||
b := make([]byte, 0, PubKeyBytesLenHybrid) |
||||
format := pubkeyHybrid |
||||
if isOdd(p.Y) { |
||||
format |= 0x1 |
||||
} |
||||
b = append(b, format) |
||||
b = paddedAppend(32, b, p.X.Bytes()) |
||||
return paddedAppend(32, b, p.Y.Bytes()) |
||||
} |
||||
|
||||
// IsEqual compares this PublicKey instance to the one passed, returning true if
|
||||
// both PublicKeys are equivalent. A PublicKey is equivalent to another, if they
|
||||
// both have the same X and Y coordinate.
|
||||
func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool { |
||||
return p.X.Cmp(otherPubKey.X) == 0 && |
||||
p.Y.Cmp(otherPubKey.Y) == 0 |
||||
} |
||||
|
||||
// paddedAppend appends the src byte slice to dst, returning the new slice.
|
||||
// If the length of the source is smaller than the passed size, leading zero
|
||||
// bytes are appended to the dst slice before appending src.
|
||||
func paddedAppend(size uint, dst, src []byte) []byte { |
||||
for i := 0; i < int(size)-len(src); i++ { |
||||
dst = append(dst, 0) |
||||
} |
||||
return append(dst, src...) |
||||
} |
||||
File diff suppressed because one or more lines are too long
@ -0,0 +1,539 @@ |
||||
// Copyright (c) 2013-2017 The btcsuite developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package btcec |
||||
|
||||
import ( |
||||
"bytes" |
||||
"crypto/ecdsa" |
||||
"crypto/elliptic" |
||||
"crypto/hmac" |
||||
"crypto/sha256" |
||||
"errors" |
||||
"fmt" |
||||
"hash" |
||||
"math/big" |
||||
) |
||||
|
||||
// Errors returned by canonicalPadding.
|
||||
var ( |
||||
errNegativeValue = errors.New("value may be interpreted as negative") |
||||
errExcessivelyPaddedValue = errors.New("value is excessively padded") |
||||
) |
||||
|
||||
// Signature is a type representing an ecdsa signature.
|
||||
type Signature struct { |
||||
R *big.Int |
||||
S *big.Int |
||||
} |
||||
|
||||
var ( |
||||
// Curve order and halforder, used to tame ECDSA malleability (see BIP-0062)
|
||||
order = new(big.Int).Set(S256().N) |
||||
halforder = new(big.Int).Rsh(order, 1) |
||||
|
||||
// Used in RFC6979 implementation when testing the nonce for correctness
|
||||
one = big.NewInt(1) |
||||
|
||||
// oneInitializer is used to fill a byte slice with byte 0x01. It is provided
|
||||
// here to avoid the need to create it multiple times.
|
||||
oneInitializer = []byte{0x01} |
||||
) |
||||
|
||||
// Serialize returns the ECDSA signature in the more strict DER format. Note
|
||||
// that the serialized bytes returned do not include the appended hash type
|
||||
// used in Bitcoin signature scripts.
|
||||
//
|
||||
// encoding/asn1 is broken so we hand roll this output:
|
||||
//
|
||||
// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
|
||||
func (sig *Signature) Serialize() []byte { |
||||
// low 'S' malleability breaker
|
||||
sigS := sig.S |
||||
if sigS.Cmp(halforder) == 1 { |
||||
sigS = new(big.Int).Sub(order, sigS) |
||||
} |
||||
// Ensure the encoded bytes for the r and s values are canonical and
|
||||
// thus suitable for DER encoding.
|
||||
rb := canonicalizeInt(sig.R) |
||||
sb := canonicalizeInt(sigS) |
||||
|
||||
// total length of returned signature is 1 byte for each magic and
|
||||
// length (6 total), plus lengths of r and s
|
||||
length := 6 + len(rb) + len(sb) |
||||
b := make([]byte, length, length) |
||||
|
||||
b[0] = 0x30 |
||||
b[1] = byte(length - 2) |
||||
b[2] = 0x02 |
||||
b[3] = byte(len(rb)) |
||||
offset := copy(b[4:], rb) + 4 |
||||
b[offset] = 0x02 |
||||
b[offset+1] = byte(len(sb)) |
||||
copy(b[offset+2:], sb) |
||||
return b |
||||
} |
||||
|
||||
// Verify calls ecdsa.Verify to verify the signature of hash using the public
|
||||
// key. It returns true if the signature is valid, false otherwise.
|
||||
func (sig *Signature) Verify(hash []byte, pubKey *PublicKey) bool { |
||||
return ecdsa.Verify(pubKey.ToECDSA(), hash, sig.R, sig.S) |
||||
} |
||||
|
||||
// IsEqual compares this Signature instance to the one passed, returning true
|
||||
// if both Signatures are equivalent. A signature is equivalent to another, if
|
||||
// they both have the same scalar value for R and S.
|
||||
func (sig *Signature) IsEqual(otherSig *Signature) bool { |
||||
return sig.R.Cmp(otherSig.R) == 0 && |
||||
sig.S.Cmp(otherSig.S) == 0 |
||||
} |
||||
|
||||
func parseSig(sigStr []byte, curve elliptic.Curve, der bool) (*Signature, error) { |
||||
// Originally this code used encoding/asn1 in order to parse the
|
||||
// signature, but a number of problems were found with this approach.
|
||||
// Despite the fact that signatures are stored as DER, the difference
|
||||
// between go's idea of a bignum (and that they have sign) doesn't agree
|
||||
// with the openssl one (where they do not). The above is true as of
|
||||
// Go 1.1. In the end it was simpler to rewrite the code to explicitly
|
||||
// understand the format which is this:
|
||||
// 0x30 <length of whole message> <0x02> <length of R> <R> 0x2
|
||||
// <length of S> <S>.
|
||||
|
||||
signature := &Signature{} |
||||
|
||||
// minimal message is when both numbers are 1 bytes. adding up to:
|
||||
// 0x30 + len + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte>
|
||||
if len(sigStr) < 8 { |
||||
return nil, errors.New("malformed signature: too short") |
||||
} |
||||
// 0x30
|
||||
index := 0 |
||||
if sigStr[index] != 0x30 { |
||||
return nil, errors.New("malformed signature: no header magic") |
||||
} |
||||
index++ |
||||
// length of remaining message
|
||||
siglen := sigStr[index] |
||||
index++ |
||||
if int(siglen+2) > len(sigStr) { |
||||
return nil, errors.New("malformed signature: bad length") |
||||
} |
||||
// trim the slice we're working on so we only look at what matters.
|
||||
sigStr = sigStr[:siglen+2] |
||||
|
||||
// 0x02
|
||||
if sigStr[index] != 0x02 { |
||||
return nil, |
||||
errors.New("malformed signature: no 1st int marker") |
||||
} |
||||
index++ |
||||
|
||||
// Length of signature R.
|
||||
rLen := int(sigStr[index]) |
||||
// must be positive, must be able to fit in another 0x2, <len> <s>
|
||||
// hence the -3. We assume that the length must be at least one byte.
|
||||
index++ |
||||
if rLen <= 0 || rLen > len(sigStr)-index-3 { |
||||
return nil, errors.New("malformed signature: bogus R length") |
||||
} |
||||
|
||||
// Then R itself.
|
||||
rBytes := sigStr[index : index+rLen] |
||||
if der { |
||||
switch err := canonicalPadding(rBytes); err { |
||||
case errNegativeValue: |
||||
return nil, errors.New("signature R is negative") |
||||
case errExcessivelyPaddedValue: |
||||
return nil, errors.New("signature R is excessively padded") |
||||
} |
||||
} |
||||
signature.R = new(big.Int).SetBytes(rBytes) |
||||
index += rLen |
||||
// 0x02. length already checked in previous if.
|
||||
if sigStr[index] != 0x02 { |
||||
return nil, errors.New("malformed signature: no 2nd int marker") |
||||
} |
||||
index++ |
||||
|
||||
// Length of signature S.
|
||||
sLen := int(sigStr[index]) |
||||
index++ |
||||
// S should be the rest of the string.
|
||||
if sLen <= 0 || sLen > len(sigStr)-index { |
||||
return nil, errors.New("malformed signature: bogus S length") |
||||
} |
||||
|
||||
// Then S itself.
|
||||
sBytes := sigStr[index : index+sLen] |
||||
if der { |
||||
switch err := canonicalPadding(sBytes); err { |
||||
case errNegativeValue: |
||||
return nil, errors.New("signature S is negative") |
||||
case errExcessivelyPaddedValue: |
||||
return nil, errors.New("signature S is excessively padded") |
||||
} |
||||
} |
||||
signature.S = new(big.Int).SetBytes(sBytes) |
||||
index += sLen |
||||
|
||||
// sanity check length parsing
|
||||
if index != len(sigStr) { |
||||
return nil, fmt.Errorf("malformed signature: bad final length %v != %v", |
||||
index, len(sigStr)) |
||||
} |
||||
|
||||
// Verify also checks this, but we can be more sure that we parsed
|
||||
// correctly if we verify here too.
|
||||
// FWIW the ecdsa spec states that R and S must be | 1, N - 1 |
|
||||
// but crypto/ecdsa only checks for Sign != 0. Mirror that.
|
||||
if signature.R.Sign() != 1 { |
||||
return nil, errors.New("signature R isn't 1 or more") |
||||
} |
||||
if signature.S.Sign() != 1 { |
||||
return nil, errors.New("signature S isn't 1 or more") |
||||
} |
||||
if signature.R.Cmp(curve.Params().N) >= 0 { |
||||
return nil, errors.New("signature R is >= curve.N") |
||||
} |
||||
if signature.S.Cmp(curve.Params().N) >= 0 { |
||||
return nil, errors.New("signature S is >= curve.N") |
||||
} |
||||
|
||||
return signature, nil |
||||
} |
||||
|
||||
// ParseSignature parses a signature in BER format for the curve type `curve'
|
||||
// into a Signature type, perfoming some basic sanity checks. If parsing
|
||||
// according to the more strict DER format is needed, use ParseDERSignature.
|
||||
func ParseSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) { |
||||
return parseSig(sigStr, curve, false) |
||||
} |
||||
|
||||
// ParseDERSignature parses a signature in DER format for the curve type
|
||||
// `curve` into a Signature type. If parsing according to the less strict
|
||||
// BER format is needed, use ParseSignature.
|
||||
func ParseDERSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) { |
||||
return parseSig(sigStr, curve, true) |
||||
} |
||||
|
||||
// canonicalizeInt returns the bytes for the passed big integer adjusted as
|
||||
// necessary to ensure that a big-endian encoded integer can't possibly be
|
||||
// misinterpreted as a negative number. This can happen when the most
|
||||
// significant bit is set, so it is padded by a leading zero byte in this case.
|
||||
// Also, the returned bytes will have at least a single byte when the passed
|
||||
// value is 0. This is required for DER encoding.
|
||||
func canonicalizeInt(val *big.Int) []byte { |
||||
b := val.Bytes() |
||||
if len(b) == 0 { |
||||
b = []byte{0x00} |
||||
} |
||||
if b[0]&0x80 != 0 { |
||||
paddedBytes := make([]byte, len(b)+1) |
||||
copy(paddedBytes[1:], b) |
||||
b = paddedBytes |
||||
} |
||||
return b |
||||
} |
||||
|
||||
// canonicalPadding checks whether a big-endian encoded integer could
|
||||
// possibly be misinterpreted as a negative number (even though OpenSSL
|
||||
// treats all numbers as unsigned), or if there is any unnecessary
|
||||
// leading zero padding.
|
||||
func canonicalPadding(b []byte) error { |
||||
switch { |
||||
case b[0]&0x80 == 0x80: |
||||
return errNegativeValue |
||||
case len(b) > 1 && b[0] == 0x00 && b[1]&0x80 != 0x80: |
||||
return errExcessivelyPaddedValue |
||||
default: |
||||
return nil |
||||
} |
||||
} |
||||
|
||||
// hashToInt converts a hash value to an integer. There is some disagreement
|
||||
// about how this is done. [NSA] suggests that this is done in the obvious
|
||||
// manner, but [SECG] truncates the hash to the bit-length of the curve order
|
||||
// first. We follow [SECG] because that's what OpenSSL does. Additionally,
|
||||
// OpenSSL right shifts excess bits from the number if the hash is too large
|
||||
// and we mirror that too.
|
||||
// This is borrowed from crypto/ecdsa.
|
||||
func hashToInt(hash []byte, c elliptic.Curve) *big.Int { |
||||
orderBits := c.Params().N.BitLen() |
||||
orderBytes := (orderBits + 7) / 8 |
||||
if len(hash) > orderBytes { |
||||
hash = hash[:orderBytes] |
||||
} |
||||
|
||||
ret := new(big.Int).SetBytes(hash) |
||||
excess := len(hash)*8 - orderBits |
||||
if excess > 0 { |
||||
ret.Rsh(ret, uint(excess)) |
||||
} |
||||
return ret |
||||
} |
||||
|
||||
// recoverKeyFromSignature recoves a public key from the signature "sig" on the
|
||||
// given message hash "msg". Based on the algorithm found in section 5.1.5 of
|
||||
// SEC 1 Ver 2.0, page 47-48 (53 and 54 in the pdf). This performs the details
|
||||
// in the inner loop in Step 1. The counter provided is actually the j parameter
|
||||
// of the loop * 2 - on the first iteration of j we do the R case, else the -R
|
||||
// case in step 1.6. This counter is used in the bitcoin compressed signature
|
||||
// format and thus we match bitcoind's behaviour here.
|
||||
func recoverKeyFromSignature(curve *KoblitzCurve, sig *Signature, msg []byte, |
||||
iter int, doChecks bool) (*PublicKey, error) { |
||||
// 1.1 x = (n * i) + r
|
||||
Rx := new(big.Int).Mul(curve.Params().N, |
||||
new(big.Int).SetInt64(int64(iter/2))) |
||||
Rx.Add(Rx, sig.R) |
||||
if Rx.Cmp(curve.Params().P) != -1 { |
||||
return nil, errors.New("calculated Rx is larger than curve P") |
||||
} |
||||
|
||||
// convert 02<Rx> to point R. (step 1.2 and 1.3). If we are on an odd
|
||||
// iteration then 1.6 will be done with -R, so we calculate the other
|
||||
// term when uncompressing the point.
|
||||
Ry, err := decompressPoint(curve, Rx, iter%2 == 1) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
|
||||
// 1.4 Check n*R is point at infinity
|
||||
if doChecks { |
||||
nRx, nRy := curve.ScalarMult(Rx, Ry, curve.Params().N.Bytes()) |
||||
if nRx.Sign() != 0 || nRy.Sign() != 0 { |
||||
return nil, errors.New("n*R does not equal the point at infinity") |
||||
} |
||||
} |
||||
|
||||
// 1.5 calculate e from message using the same algorithm as ecdsa
|
||||
// signature calculation.
|
||||
e := hashToInt(msg, curve) |
||||
|
||||
// Step 1.6.1:
|
||||
// We calculate the two terms sR and eG separately multiplied by the
|
||||
// inverse of r (from the signature). We then add them to calculate
|
||||
// Q = r^-1(sR-eG)
|
||||
invr := new(big.Int).ModInverse(sig.R, curve.Params().N) |
||||
|
||||
// first term.
|
||||
invrS := new(big.Int).Mul(invr, sig.S) |
||||
invrS.Mod(invrS, curve.Params().N) |
||||
sRx, sRy := curve.ScalarMult(Rx, Ry, invrS.Bytes()) |
||||
|
||||
// second term.
|
||||
e.Neg(e) |
||||
e.Mod(e, curve.Params().N) |
||||
e.Mul(e, invr) |
||||
e.Mod(e, curve.Params().N) |
||||
minuseGx, minuseGy := curve.ScalarBaseMult(e.Bytes()) |
||||
|
||||
// TODO: this would be faster if we did a mult and add in one
|
||||
// step to prevent the jacobian conversion back and forth.
|
||||
Qx, Qy := curve.Add(sRx, sRy, minuseGx, minuseGy) |
||||
|
||||
return &PublicKey{ |
||||
Curve: curve, |
||||
X: Qx, |
||||
Y: Qy, |
||||
}, nil |
||||
} |
||||
|
||||
// SignCompact produces a compact signature of the data in hash with the given
|
||||
// private key on the given koblitz curve. The isCompressed parameter should
|
||||
// be used to detail if the given signature should reference a compressed
|
||||
// public key or not. If successful the bytes of the compact signature will be
|
||||
// returned in the format:
|
||||
// <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S>
|
||||
// where the R and S parameters are padde up to the bitlengh of the curve.
|
||||
func SignCompact(curve *KoblitzCurve, key *PrivateKey, |
||||
hash []byte, isCompressedKey bool) ([]byte, error) { |
||||
sig, err := key.Sign(hash) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
|
||||
// bitcoind checks the bit length of R and S here. The ecdsa signature
|
||||
// algorithm returns R and S mod N therefore they will be the bitsize of
|
||||
// the curve, and thus correctly sized.
|
||||
for i := 0; i < (curve.H+1)*2; i++ { |
||||
pk, err := recoverKeyFromSignature(curve, sig, hash, i, true) |
||||
if err == nil && pk.X.Cmp(key.X) == 0 && pk.Y.Cmp(key.Y) == 0 { |
||||
result := make([]byte, 1, 2*curve.byteSize+1) |
||||
result[0] = 27 + byte(i) |
||||
if isCompressedKey { |
||||
result[0] += 4 |
||||
} |
||||
// Not sure this needs rounding but safer to do so.
|
||||
curvelen := (curve.BitSize + 7) / 8 |
||||
|
||||
// Pad R and S to curvelen if needed.
|
||||
bytelen := (sig.R.BitLen() + 7) / 8 |
||||
if bytelen < curvelen { |
||||
result = append(result, |
||||
make([]byte, curvelen-bytelen)...) |
||||
} |
||||
result = append(result, sig.R.Bytes()...) |
||||
|
||||
bytelen = (sig.S.BitLen() + 7) / 8 |
||||
if bytelen < curvelen { |
||||
result = append(result, |
||||
make([]byte, curvelen-bytelen)...) |
||||
} |
||||
result = append(result, sig.S.Bytes()...) |
||||
|
||||
return result, nil |
||||
} |
||||
} |
||||
|
||||
return nil, errors.New("no valid solution for pubkey found") |
||||
} |
||||
|
||||
// RecoverCompact verifies the compact signature "signature" of "hash" for the
|
||||
// Koblitz curve in "curve". If the signature matches then the recovered public
|
||||
// key will be returned as well as a boolen if the original key was compressed
|
||||
// or not, else an error will be returned.
|
||||
func RecoverCompact(curve *KoblitzCurve, signature, |
||||
hash []byte) (*PublicKey, bool, error) { |
||||
bitlen := (curve.BitSize + 7) / 8 |
||||
if len(signature) != 1+bitlen*2 { |
||||
return nil, false, errors.New("invalid compact signature size") |
||||
} |
||||
|
||||
iteration := int((signature[0] - 27) & ^byte(4)) |
||||
|
||||
// format is <header byte><bitlen R><bitlen S>
|
||||
sig := &Signature{ |
||||
R: new(big.Int).SetBytes(signature[1 : bitlen+1]), |
||||
S: new(big.Int).SetBytes(signature[bitlen+1:]), |
||||
} |
||||
// The iteration used here was encoded
|
||||
key, err := recoverKeyFromSignature(curve, sig, hash, iteration, false) |
||||
if err != nil { |
||||
return nil, false, err |
||||
} |
||||
|
||||
return key, ((signature[0] - 27) & 4) == 4, nil |
||||
} |
||||
|
||||
// signRFC6979 generates a deterministic ECDSA signature according to RFC 6979 and BIP 62.
|
||||
func signRFC6979(privateKey *PrivateKey, hash []byte) (*Signature, error) { |
||||
|
||||
privkey := privateKey.ToECDSA() |
||||
N := order |
||||
k := nonceRFC6979(privkey.D, hash) |
||||
inv := new(big.Int).ModInverse(k, N) |
||||
r, _ := privkey.Curve.ScalarBaseMult(k.Bytes()) |
||||
if r.Cmp(N) == 1 { |
||||
r.Sub(r, N) |
||||
} |
||||
|
||||
if r.Sign() == 0 { |
||||
return nil, errors.New("calculated R is zero") |
||||
} |
||||
|
||||
e := hashToInt(hash, privkey.Curve) |
||||
s := new(big.Int).Mul(privkey.D, r) |
||||
s.Add(s, e) |
||||
s.Mul(s, inv) |
||||
s.Mod(s, N) |
||||
|
||||
if s.Cmp(halforder) == 1 { |
||||
s.Sub(N, s) |
||||
} |
||||
if s.Sign() == 0 { |
||||
return nil, errors.New("calculated S is zero") |
||||
} |
||||
return &Signature{R: r, S: s}, nil |
||||
} |
||||
|
||||
// nonceRFC6979 generates an ECDSA nonce (`k`) deterministically according to RFC 6979.
|
||||
// It takes a 32-byte hash as an input and returns 32-byte nonce to be used in ECDSA algorithm.
|
||||
func nonceRFC6979(privkey *big.Int, hash []byte) *big.Int { |
||||
|
||||
curve := S256() |
||||
q := curve.Params().N |
||||
x := privkey |
||||
alg := sha256.New |
||||
|
||||
qlen := q.BitLen() |
||||
holen := alg().Size() |
||||
rolen := (qlen + 7) >> 3 |
||||
bx := append(int2octets(x, rolen), bits2octets(hash, curve, rolen)...) |
||||
|
||||
// Step B
|
||||
v := bytes.Repeat(oneInitializer, holen) |
||||
|
||||
// Step C (Go zeroes the all allocated memory)
|
||||
k := make([]byte, holen) |
||||
|
||||
// Step D
|
||||
k = mac(alg, k, append(append(v, 0x00), bx...)) |
||||
|
||||
// Step E
|
||||
v = mac(alg, k, v) |
||||
|
||||
// Step F
|
||||
k = mac(alg, k, append(append(v, 0x01), bx...)) |
||||
|
||||
// Step G
|
||||
v = mac(alg, k, v) |
||||
|
||||
// Step H
|
||||
for { |
||||
// Step H1
|
||||
var t []byte |
||||
|
||||
// Step H2
|
||||
for len(t)*8 < qlen { |
||||
v = mac(alg, k, v) |
||||
t = append(t, v...) |
||||
} |
||||
|
||||
// Step H3
|
||||
secret := hashToInt(t, curve) |
||||
if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 { |
||||
return secret |
||||
} |
||||
k = mac(alg, k, append(v, 0x00)) |
||||
v = mac(alg, k, v) |
||||
} |
||||
} |
||||
|
||||
// mac returns an HMAC of the given key and message.
|
||||
func mac(alg func() hash.Hash, k, m []byte) []byte { |
||||
h := hmac.New(alg, k) |
||||
h.Write(m) |
||||
return h.Sum(nil) |
||||
} |
||||
|
||||
// https://tools.ietf.org/html/rfc6979#section-2.3.3
|
||||
func int2octets(v *big.Int, rolen int) []byte { |
||||
out := v.Bytes() |
||||
|
||||
// left pad with zeros if it's too short
|
||||
if len(out) < rolen { |
||||
out2 := make([]byte, rolen) |
||||
copy(out2[rolen-len(out):], out) |
||||
return out2 |
||||
} |
||||
|
||||
// drop most significant bytes if it's too long
|
||||
if len(out) > rolen { |
||||
out2 := make([]byte, rolen) |
||||
copy(out2, out[len(out)-rolen:]) |
||||
return out2 |
||||
} |
||||
|
||||
return out |
||||
} |
||||
|
||||
// https://tools.ietf.org/html/rfc6979#section-2.3.4
|
||||
func bits2octets(in []byte, curve elliptic.Curve, rolen int) []byte { |
||||
z1 := hashToInt(in, curve) |
||||
z2 := new(big.Int).Sub(z1, curve.Params().N) |
||||
if z2.Sign() < 0 { |
||||
return int2octets(z1, rolen) |
||||
} |
||||
return int2octets(z2, rolen) |
||||
} |
||||
Loading…
Reference in new issue