diff --git a/src/ecdsa.js b/src/ecdsa.js
index 103095d..ae4a369 100644
--- a/src/ecdsa.js
+++ b/src/ecdsa.js
@@ -154,93 +154,8 @@ function verify (hash, signature, Q) {
return v.equals(r)
}
-/**
- * Recover a public key from a signature.
- *
- * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
- * Key Recovery Operation".
- *
- * http://www.secg.org/download/aid-780/sec1-v2.pdf
- */
-function recoverPubKey (e, signature, i) {
- typeforce(types.tuple(
- types.BigInt,
- types.ECSignature,
- types.UInt2
- ), arguments)
-
- var n = secp256k1.n
- var G = secp256k1.G
- var r = signature.r
- var s = signature.s
-
- if (r.signum() <= 0 || r.compareTo(n) >= 0) throw new Error('Invalid r value')
- if (s.signum() <= 0 || s.compareTo(n) >= 0) throw new Error('Invalid s value')
-
- // A set LSB signifies that the y-coordinate is odd
- var isYOdd = i & 1
-
- // The more significant bit specifies whether we should use the
- // first or second candidate key.
- var isSecondKey = i >> 1
-
- // 1.1 Let x = r + jn
- var x = isSecondKey ? r.add(n) : r
- var R = secp256k1.pointFromX(isYOdd, x)
-
- // 1.4 Check that nR is at infinity
- var nR = R.multiply(n)
- if (!secp256k1.isInfinity(nR)) throw new Error('nR is not a valid curve point')
-
- // Compute r^-1
- var rInv = r.modInverse(n)
-
- // Compute -e from e
- var eNeg = e.negate().mod(n)
-
- // 1.6.1 Compute Q = r^-1 (sR - eG)
- // Q = r^-1 (sR + -eG)
- var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
-
- secp256k1.validate(Q)
-
- return Q
-}
-
-/**
- * Calculate pubkey extraction parameter.
- *
- * When extracting a pubkey from a signature, we have to
- * distinguish four different cases. Rather than putting this
- * burden on the verifier, Bitcoin includes a 2-bit value with the
- * signature.
- *
- * This function simply tries all four cases and returns the value
- * that resulted in a successful pubkey recovery.
- */
-function calcPubKeyRecoveryParam (e, signature, Q) {
- typeforce(types.tuple(
- types.BigInt,
- types.ECSignature,
- types.ECPoint
- ), arguments)
-
- for (var i = 0; i < 4; i++) {
- var Qprime = recoverPubKey(e, signature, i)
-
- // 1.6.2 Verify Q
- if (Qprime.equals(Q)) {
- return i
- }
- }
-
- throw new Error('Unable to find valid recovery factor')
-}
-
module.exports = {
- calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK,
- recoverPubKey: recoverPubKey,
sign: sign,
verify: verify,
diff --git a/test/ecdsa.js b/test/ecdsa.js
index 971f0d3..f6e1410 100644
--- a/test/ecdsa.js
+++ b/test/ecdsa.js
@@ -81,55 +81,6 @@ describe('ecdsa', function () {
})
})
- describe('recoverPubKey', function () {
- fixtures.valid.ecdsa.forEach(function (f) {
- it('recovers the pubKey for ' + f.d, function () {
- var d = BigInteger.fromHex(f.d)
- var Q = curve.G.multiply(d)
- var signature = ECSignature.fromDER(new Buffer(f.signature, 'hex'))
- var h1 = bcrypto.sha256(f.message)
- var e = BigInteger.fromBuffer(h1)
- var Qprime = ecdsa.recoverPubKey(e, signature, f.i)
-
- assert(Qprime.equals(Q))
- })
- })
-
- describe('with i ∈ {0,1,2,3}', function () {
- var hash = new Buffer('feef89995d7575f12d65ccc9d28ccaf7ab224c2e59dad4cc7f6a2b0708d24696', 'hex')
- var e = BigInteger.fromBuffer(hash)
-
- var signatureBuffer = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')
- var signature = ECSignature.parseCompact(signatureBuffer).signature
- var points = [
- '03e3a8c44a8bf712f1fbacee274fb19c0239b1a9e877eff0075ea335f2be8ff380',
- '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798',
- '03d49e765f0bc27525c51a1b98fb1c99dacd59abe85a203af90f758260550b56c5',
- '027eea09d46ac7fb6aa2e96f9c576677214ffdc238eb167734a9b39d1eb4c3d30d'
- ]
-
- points.forEach(function (expectedHex, i) {
- it('recovers an expected point for i of ' + i, function () {
- var Qprime = ecdsa.recoverPubKey(e, signature, i)
- var QprimeHex = Qprime.getEncoded().toString('hex')
-
- assert.strictEqual(QprimeHex, expectedHex)
- })
- })
- })
-
- fixtures.invalid.recoverPubKey.forEach(function (f) {
- it('throws on ' + f.description + ' (' + f.exception + ')', function () {
- var e = BigInteger.fromHex(f.e)
- var signature = new ECSignature(new BigInteger(f.signatureRaw.r, 16), new BigInteger(f.signatureRaw.s, 16))
-
- assert.throws(function () {
- ecdsa.recoverPubKey(e, signature, f.i)
- }, new RegExp(f.exception))
- })
- })
- })
-
describe('sign', function () {
fixtures.valid.ecdsa.forEach(function (f) {
it('produces a deterministic signature for "' + f.message + '"', function () {
diff --git a/test/fixtures/ecdsa.json b/test/fixtures/ecdsa.json
index 404759d..bd2fc3c 100644
--- a/test/fixtures/ecdsa.json
+++ b/test/fixtures/ecdsa.json
@@ -125,78 +125,6 @@
]
},
"invalid": {
- "recoverPubKey": [
- {
- "description": "Invalid r value (< 0)",
- "exception": "Invalid r value",
- "e": "01",
- "signatureRaw": {
- "r": "-01",
- "s": "02"
- },
- "i": 0
- },
- {
- "description": "Invalid r value (== 0)",
- "exception": "Invalid r value",
- "e": "01",
- "signatureRaw": {
- "r": "00",
- "s": "02"
- },
- "i": 0
- },
- {
- "description": "Invalid s value (< 0)",
- "exception": "Invalid s value",
- "e": "01",
- "signatureRaw": {
- "r": "02",
- "s": "-01"
- },
- "i": 0
- },
- {
- "description": "Invalid s value (== 0)",
- "exception": "Invalid s value",
- "e": "01",
- "signatureRaw": {
- "r": "02",
- "s": "00"
- },
- "i": 0
- },
- {
- "description": "Invalid r value (nR is infinity)",
- "exception": "nR is not a valid curve point",
- "e": "01",
- "signatureRaw": {
- "r": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140",
- "s": "01"
- },
- "i": 0
- },
- {
- "description": "Invalid curve point",
- "exception": "Point is not on the curve",
- "e": "01",
- "signatureRaw": {
- "r": "4b3b4ca85a86c47a098a223fffffffff",
- "s": "01"
- },
- "i": 0
- },
- {
- "description": "Invalid i value (> 3)",
- "exception": "Expected property \"2\" of type UInt2, got Number 4",
- "e": "01",
- "signatureRaw": {
- "r": "00",
- "s": "02"
- },
- "i": 4
- }
- ],
"verify": [
{
"description": "The wrong signature",