From abe65b8d4a36923aaf5f23b9e90e350d61ec8184 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 10 May 2014 15:24:49 +1000 Subject: [PATCH 1/7] ecdsa: use shamirs trick --- src/ecdsa.js | 37 +++---------------------------------- 1 file changed, 3 insertions(+), 34 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index acf88c3..cb1013c 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -6,32 +6,6 @@ var ecparams = sec("secp256k1") var BigInteger = require('bigi') var ECPointFp = require('./ec').ECPointFp -function implShamirsTrick(P, k, Q, l) { - var m = Math.max(k.bitLength(), l.bitLength()) - var Z = P.add2D(Q) - var R = P.curve.getInfinity() - - for (var i = m - 1; i >= 0; --i) { - R = R.twice2D() - - R.z = BigInteger.ONE - - if (k.testBit(i)) { - if (l.testBit(i)) { - R = R.add2D(Z) - } else { - R = R.add2D(P) - } - } else { - if (l.testBit(i)) { - R = R.add2D(Q) - } - } - } - - return R -} - var ecdsa = { deterministicGenerateK: function(hash, D) { assert(Buffer.isBuffer(hash), 'Hash must be a Buffer') @@ -125,12 +99,7 @@ var ecdsa = { var u1 = e.multiply(c).mod(n) var u2 = r.multiply(c).mod(n) - // TODO(!!!): For some reason Shamir's trick isn't working with - // signed message verification!? Probably an implementation - // error! - //var point = implShamirsTrick(G, u1, Q, u2) - var point = G.multiply(u1).add(Q.multiply(u2)) - + var point = G.multiplyTwo(u1, Q, u2) var v = point.getX().toBigInteger().mod(n) return v.equals(r) @@ -276,11 +245,11 @@ var ecdsa = { // 1.5 Compute e from M var e = BigInteger.fromBuffer(hash) - var eNeg = BigInteger.ZERO.subtract(e).mod(n) + var eNeg = e.negate().mod(n) // 1.6 Compute Q = r^-1 (sR - eG) var rInv = r.modInverse(n) - var Q = implShamirsTrick(R, s, G, eNeg).multiply(rInv) + var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) Q.validate() if (!ecdsa.verifyRaw(e, r, s, Q)) { From 8d7408202f95233dadd90e9b97e4bf574841e8b0 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 10 May 2014 22:30:29 +1000 Subject: [PATCH 2/7] ecdsa: consistent parameter ordering --- src/ecdsa.js | 19 ++++++++++--------- src/message.js | 7 +++++-- test/ecdsa.js | 3 ++- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index cb1013c..5303c0b 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -205,7 +205,7 @@ var ecdsa = { * * http://www.secg.org/download/aid-780/sec1-v2.pdf */ - recoverPubKey: function (r, s, hash, i) { + recoverPubKey: function (e, r, s, i) { assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') // A set LSB signifies that the y-coordinate is odd @@ -243,15 +243,16 @@ var ecdsa = { var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) R.validate() - // 1.5 Compute e from M - var e = BigInteger.fromBuffer(hash) + // 1.5 Compute -e from e var eNeg = e.negate().mod(n) - // 1.6 Compute Q = r^-1 (sR - eG) + // 1.6 Compute Q = r^-1 (sR - eG) + // Q = r^-1 (sR + -eG) var rInv = r.modInverse(n) - var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) + var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) Q.validate() + if (!ecdsa.verifyRaw(e, r, s, Q)) { throw new Error("Pubkey recovery unsuccessful") } @@ -270,16 +271,16 @@ var ecdsa = { * This function simply tries all four cases and returns the value * that resulted in a successful pubkey recovery. */ - calcPubKeyRecoveryParam: function (origPubKey, r, s, hash) { + calcPubKeyRecoveryParam: function (e, r, s, Q) { for (var i = 0; i < 4; i++) { - var pubKey = ecdsa.recoverPubKey(r, s, hash, i) + var Qprime = ecdsa.recoverPubKey(e, r, s, i) - if (pubKey.equals(origPubKey)) { + if (Qprime.equals(Q)) { return i } } - throw new Error("Unable to find valid recovery factor") + throw new Error('Unable to find valid recovery factor') } } diff --git a/src/message.js b/src/message.js index b7d545b..1feaa31 100644 --- a/src/message.js +++ b/src/message.js @@ -1,5 +1,6 @@ /// Implements Bitcoin's feature for signing arbitrary messages. var Address = require('./address') +var BigInteger = require('bigi') var bufferutils = require('./bufferutils') var crypto = require('./crypto') var ecdsa = require('./ecdsa') @@ -25,7 +26,8 @@ function sign(key, message, network) { var hash = magicHash(message, network) var sig = ecdsa.parseSig(key.sign(hash)) - var i = ecdsa.calcPubKeyRecoveryParam(key.pub.Q, sig.r, sig.s, hash) + var e = BigInteger.fromBuffer(hash) + var i = ecdsa.calcPubKeyRecoveryParam(e, sig.r, sig.s, key.pub.Q) return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed) } @@ -40,7 +42,8 @@ function verify(address, compactSig, message, network) { var hash = magicHash(message, network) var sig = ecdsa.parseSigCompact(compactSig) - var Q = ecdsa.recoverPubKey(sig.r, sig.s, hash, sig.i) + var e = BigInteger.fromBuffer(hash) + var Q = ecdsa.recoverPubKey(e, sig.r, sig.s, sig.i) var pubKey = new ECPubKey(Q, sig.compressed) return pubKey.getAddress(address.version).toString() === address.toString() diff --git a/test/ecdsa.js b/test/ecdsa.js index 9decb27..ad9806d 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -32,8 +32,9 @@ describe('ecdsa', function() { var obj = ecdsa.parseSigCompact(signature) var hash = message.magicHash('1111', networks.bitcoin) + var e = BigInteger.fromBuffer(hash) - var pubKey = new ECPubKey(ecdsa.recoverPubKey(obj.r, obj.s, hash, obj.i)) + var pubKey = new ECPubKey(ecdsa.recoverPubKey(e, obj.r, obj.s, obj.i)) assert.equal(pubKey.toHex(), '02e8fcf4d749b35879bc1f3b14b49e67ab7301da3558c5a9b74a54f1e6339c334c') }) From 2dec1375a17f19e36c1eda1e0a6270071ff45a03 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 10 May 2014 22:38:05 +1000 Subject: [PATCH 3/7] ecdsa: use (r, s) values directly --- src/ecdsa.js | 26 ++------------------------ src/ecpubkey.js | 4 ++-- src/message.js | 2 +- src/transaction.js | 22 +++++++++++++++------- test/ecdsa.js | 7 +++---- test/transaction.js | 4 ++-- 6 files changed, 25 insertions(+), 40 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index 5303c0b..bb70c56 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -54,30 +54,10 @@ var ecdsa = { s = n.subtract(s) } - return ecdsa.serializeSig(r, s) + return {r: r, s: s} }, - verify: function (hash, sig, pubkey) { - var r,s - if (Array.isArray(sig) || Buffer.isBuffer(sig)) { - var obj = ecdsa.parseSig(sig) - r = obj.r - s = obj.s - } else if ("object" === typeof sig && sig.r && sig.s) { - r = sig.r - s = sig.s - } else { - throw new Error("Invalid value for signature") - } - - var Q - if (pubkey instanceof ECPointFp) { - Q = pubkey - } else if (Array.isArray(pubkey) || Buffer.isBuffer(pubkey)) { - Q = ECPointFp.decodeFrom(ecparams.getCurve(), pubkey) - } else { - throw new Error("Invalid format for pubkey value, must be byte array or ECPointFp") - } + verify: function (hash, r, s, Q) { var e = BigInteger.fromBuffer(hash) return ecdsa.verifyRaw(e, r, s, Q) @@ -140,8 +120,6 @@ var ecdsa = { * } */ parseSig: function (buffer) { - if (Array.isArray(buffer)) buffer = new Buffer(buffer) // FIXME: transitionary - assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') diff --git a/src/ecpubkey.js b/src/ecpubkey.js index bd2e7e8..a5b86bd 100644 --- a/src/ecpubkey.js +++ b/src/ecpubkey.js @@ -36,8 +36,8 @@ ECPubKey.prototype.getAddress = function(version) { return new Address(crypto.hash160(this.toBuffer()), version) } -ECPubKey.prototype.verify = function(hash, sig) { - return ecdsa.verify(hash, sig, this.Q) +ECPubKey.prototype.verify = function(hash, signature) { + return ecdsa.verify(hash, signature.r, signature.s, this.Q) } // Export functions diff --git a/src/message.js b/src/message.js index 1feaa31..2a72f83 100644 --- a/src/message.js +++ b/src/message.js @@ -25,7 +25,7 @@ function sign(key, message, network) { network = network || networks.bitcoin var hash = magicHash(message, network) - var sig = ecdsa.parseSig(key.sign(hash)) + var sig = key.sign(hash) var e = BigInteger.fromBuffer(hash) var i = ecdsa.calcPubKeyRecoveryParam(e, sig.r, sig.s, key.pub.Q) diff --git a/src/transaction.js b/src/transaction.js index bfbbe0e..09db26d 100644 --- a/src/transaction.js +++ b/src/transaction.js @@ -364,27 +364,35 @@ Transaction.prototype.sign = function(index, key, type) { this.setScriptSig(index, scriptSig) } -Transaction.prototype.signScriptSig = function(index, script, key, type) { +Transaction.prototype.signScriptSig = function(index, scriptPubKey, key, type) { type = type || SIGHASH_ALL assert((index >= 0), 'Invalid vin index') - assert(script instanceof Script, 'Invalid Script object') + assert(scriptPubKey instanceof Script, 'Invalid Script object') assert(key instanceof ECKey, 'Invalid private key') // assert.equal(type & 0x7F, type, 'Invalid type') // TODO - var hash = this.hashForSignature(script, index, type) - return key.sign(hash).concat([type]) + var hash = this.hashForSignature(scriptPubKey, index, type) + var sig = key.sign(hash) + var DERsig = ecdsa.serializeSig(sig.r, sig.s) + + return Buffer.concat([ + new Buffer(DERsig), + new Buffer([type]) + ]) } Transaction.prototype.setScriptSig = function(index, script) { this.ins[index].script = script } -Transaction.prototype.validateSig = function(index, script, pub, sig) { - var type = sig[sig.length - 1] +Transaction.prototype.validateSig = function(index, script, pub, DERsig) { + var type = DERsig.readUInt8(DERsig.length - 1) + DERsig = DERsig.slice(0, -1) + var hash = this.hashForSignature(script, index, type) + var sig = ecdsa.parseSig(DERsig) - sig = sig.slice(0, -1) return pub.verify(hash, sig) } diff --git a/test/ecdsa.js b/test/ecdsa.js index ad9806d..bc9e49d 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -46,7 +46,7 @@ describe('ecdsa', function() { var D = BigInteger.fromHex(f.D) var priv = new ECKey(D) var hash = crypto.sha256(f.message) - var sig = ecdsa.parseSig(priv.sign(hash)) + var sig = priv.sign(hash) assert.equal(sig.r.toString(), f.signature.r) assert.equal(sig.s.toString(), f.signature.s) @@ -56,12 +56,11 @@ describe('ecdsa', function() { it('should sign with low S value', function() { var priv = ECKey.makeRandom() var hash = crypto.sha256('Vires in numeris') - var signature = priv.sign(hash) - var psig = ecdsa.parseSig(signature) + var sig = priv.sign(hash) // See BIP62 for more information var N_OVER_TWO = ecparams.getN().shiftRight(1) - assert(psig.s.compareTo(N_OVER_TWO) <= 0) + assert(sig.s.compareTo(N_OVER_TWO) <= 0) }) }) diff --git a/test/transaction.js b/test/transaction.js index 9f33cc4..e22f7f8 100644 --- a/test/transaction.js +++ b/test/transaction.js @@ -197,7 +197,7 @@ describe('Transaction', function() { tx.sign(0, key) var script = prevTx.outs[0].script - var sig = tx.ins[0].script.chunks[0] + var sig = new Buffer(tx.ins[0].script.chunks[0]) assert.equal(tx.validateSig(0, script, key.pub, sig), true) }) @@ -213,7 +213,7 @@ describe('Transaction', function() { it('returns true for valid signature', function(){ var key = ECKey.fromWIF('L44f7zxJ5Zw4EK9HZtyAnzCYz2vcZ5wiJf9AuwhJakiV4xVkxBeb') var script = prevTx.outs[0].script - var sig = validTx.ins[0].script.chunks[0] + var sig = new Buffer(validTx.ins[0].script.chunks[0]) assert.equal(validTx.validateSig(0, script, key.pub, sig), true) }) From ab2ca395ac08eac8cc50240ccdfcf8ac2383474b Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 17 May 2014 14:39:31 +1000 Subject: [PATCH 4/7] ecdsa: remove ECKey dependency in tests --- test/ecdsa.js | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/test/ecdsa.js b/test/ecdsa.js index bc9e49d..0e9d6e0 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -17,10 +17,10 @@ describe('ecdsa', function() { describe('deterministicGenerateK', function() { it('matches the test vectors', function() { fixtures.valid.forEach(function(f) { - var priv = BigInteger.fromHex(f.D) + var D = BigInteger.fromHex(f.D) var h1 = crypto.sha256(f.message) - var k = ecdsa.deterministicGenerateK(h1, priv) + var k = ecdsa.deterministicGenerateK(h1, D) assert.equal(k.toHex(), f.k) }) }) @@ -28,15 +28,16 @@ describe('ecdsa', function() { describe('recoverPubKey', function() { it('succesfully recovers a public key', function() { - var signature = new Buffer('H0PG6+PUo96UPTJ/DVj8aBU5it+Nuli4YdsLuTMvfJxoHH9Jb7jYTQXCCOX2jrTChD5S1ic3vCrUQHdmB5/sEQY=', 'base64') + var D = BigInteger.ONE + var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64') - var obj = ecdsa.parseSigCompact(signature) + var Q = ecparams.getG().multiply(D) var hash = message.magicHash('1111', networks.bitcoin) var e = BigInteger.fromBuffer(hash) + var psig = ecdsa.parseSigCompact(signature) - var pubKey = new ECPubKey(ecdsa.recoverPubKey(e, obj.r, obj.s, obj.i)) - - assert.equal(pubKey.toHex(), '02e8fcf4d749b35879bc1f3b14b49e67ab7301da3558c5a9b74a54f1e6339c334c') + var Qprime = ecdsa.recoverPubKey(e, psig.r, psig.s, psig.i) + assert(Q.equals(Qprime)) }) }) @@ -44,9 +45,8 @@ describe('ecdsa', function() { it('matches the test vectors', function() { fixtures.valid.forEach(function(f) { var D = BigInteger.fromHex(f.D) - var priv = new ECKey(D) var hash = crypto.sha256(f.message) - var sig = priv.sign(hash) + var sig = ecdsa.sign(hash, D) assert.equal(sig.r.toString(), f.signature.r) assert.equal(sig.s.toString(), f.signature.s) @@ -54,9 +54,8 @@ describe('ecdsa', function() { }) it('should sign with low S value', function() { - var priv = ECKey.makeRandom() var hash = crypto.sha256('Vires in numeris') - var sig = priv.sign(hash) + var sig = ecdsa.sign(hash, BigInteger.ONE) // See BIP62 for more information var N_OVER_TWO = ecparams.getN().shiftRight(1) @@ -68,13 +67,13 @@ describe('ecdsa', function() { it('matches the test vectors', function() { fixtures.valid.forEach(function(f) { var D = BigInteger.fromHex(f.D) - var priv = new ECKey(D) + var Q = ecparams.getG().multiply(D) var r = new BigInteger(f.signature.r) var s = new BigInteger(f.signature.s) var e = BigInteger.fromBuffer(crypto.sha256(f.message)) - assert(ecdsa.verifyRaw(e, r, s, priv.pub.Q)) + assert(ecdsa.verifyRaw(e, r, s, Q)) }) }) }) From bcfd62fdb5586ad63234b157ab1e5b6d0751bdb1 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 17 May 2014 15:06:52 +1000 Subject: [PATCH 5/7] ecdsa: remove implicit ecparams --- src/ecdsa.js | 24 +++++++++++------------- src/eckey.js | 2 +- src/ecpubkey.js | 2 +- src/message.js | 7 +++++-- test/ecdsa.js | 10 +++++----- 5 files changed, 23 insertions(+), 22 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index bb70c56..e5306de 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -1,14 +1,12 @@ var assert = require('assert') var crypto = require('./crypto') -var sec = require('./sec') -var ecparams = sec("secp256k1") var BigInteger = require('bigi') var ECPointFp = require('./ec').ECPointFp var ecdsa = { - deterministicGenerateK: function(hash, D) { - assert(Buffer.isBuffer(hash), 'Hash must be a Buffer') + deterministicGenerateK: function(ecparams, hash, D) { + assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) assert.equal(hash.length, 32, 'Hash must be 256 bit') assert(D instanceof BigInteger, 'Private key must be a BigInteger') @@ -33,8 +31,8 @@ var ecdsa = { return kB }, - sign: function (hash, D) { - var k = ecdsa.deterministicGenerateK(hash, D) + sign: function (ecparams, hash, D) { + var k = ecdsa.deterministicGenerateK(ecparams, hash, D) var n = ecparams.getN() var G = ecparams.getG() @@ -57,13 +55,13 @@ var ecdsa = { return {r: r, s: s} }, - verify: function (hash, r, s, Q) { + verify: function (ecparams, hash, r, s, Q) { var e = BigInteger.fromBuffer(hash) - return ecdsa.verifyRaw(e, r, s, Q) + return ecdsa.verifyRaw(ecparams, e, r, s, Q) }, - verifyRaw: function (e, r, s, Q) { + verifyRaw: function (ecparams, e, r, s, Q) { var n = ecparams.getN() var G = ecparams.getG() @@ -183,7 +181,7 @@ var ecdsa = { * * http://www.secg.org/download/aid-780/sec1-v2.pdf */ - recoverPubKey: function (e, r, s, i) { + recoverPubKey: function (ecparams, e, r, s, i) { assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') // A set LSB signifies that the y-coordinate is odd @@ -231,7 +229,7 @@ var ecdsa = { var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) Q.validate() - if (!ecdsa.verifyRaw(e, r, s, Q)) { + if (!ecdsa.verifyRaw(ecparams, e, r, s, Q)) { throw new Error("Pubkey recovery unsuccessful") } @@ -249,9 +247,9 @@ var ecdsa = { * This function simply tries all four cases and returns the value * that resulted in a successful pubkey recovery. */ - calcPubKeyRecoveryParam: function (e, r, s, Q) { + calcPubKeyRecoveryParam: function (ecparams, e, r, s, Q) { for (var i = 0; i < 4; i++) { - var Qprime = ecdsa.recoverPubKey(e, r, s, i) + var Qprime = ecdsa.recoverPubKey(ecparams, e, r, s, i) if (Qprime.equals(Q)) { return i diff --git a/src/eckey.js b/src/eckey.js index e59e140..0cb1d45 100644 --- a/src/eckey.js +++ b/src/eckey.js @@ -63,7 +63,7 @@ ECKey.prototype.toWIF = function(version) { // Operations ECKey.prototype.sign = function(hash) { - return ecdsa.sign(hash, this.D) + return ecdsa.sign(ecparams, hash, this.D) } module.exports = ECKey diff --git a/src/ecpubkey.js b/src/ecpubkey.js index a5b86bd..730bf5a 100644 --- a/src/ecpubkey.js +++ b/src/ecpubkey.js @@ -37,7 +37,7 @@ ECPubKey.prototype.getAddress = function(version) { } ECPubKey.prototype.verify = function(hash, signature) { - return ecdsa.verify(hash, signature.r, signature.s, this.Q) + return ecdsa.verify(ecparams, hash, signature.r, signature.s, this.Q) } // Export functions diff --git a/src/message.js b/src/message.js index 2a72f83..e931fea 100644 --- a/src/message.js +++ b/src/message.js @@ -9,6 +9,9 @@ var networks = require('./networks') var Address = require('./address') var ECPubKey = require('./ecpubkey') +var sec = require('./sec') +var ecparams = sec('secp256k1') + function magicHash(message, network) { var magicPrefix = new Buffer(network.magicPrefix) var messageBuffer = new Buffer(message) @@ -27,7 +30,7 @@ function sign(key, message, network) { var hash = magicHash(message, network) var sig = key.sign(hash) var e = BigInteger.fromBuffer(hash) - var i = ecdsa.calcPubKeyRecoveryParam(e, sig.r, sig.s, key.pub.Q) + var i = ecdsa.calcPubKeyRecoveryParam(ecparams, e, sig.r, sig.s, key.pub.Q) return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed) } @@ -43,7 +46,7 @@ function verify(address, compactSig, message, network) { var hash = magicHash(message, network) var sig = ecdsa.parseSigCompact(compactSig) var e = BigInteger.fromBuffer(hash) - var Q = ecdsa.recoverPubKey(e, sig.r, sig.s, sig.i) + var Q = ecdsa.recoverPubKey(ecparams, e, sig.r, sig.s, sig.i) var pubKey = new ECPubKey(Q, sig.compressed) return pubKey.getAddress(address.version).toString() === address.toString() diff --git a/test/ecdsa.js b/test/ecdsa.js index 0e9d6e0..48ed5b8 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -20,7 +20,7 @@ describe('ecdsa', function() { var D = BigInteger.fromHex(f.D) var h1 = crypto.sha256(f.message) - var k = ecdsa.deterministicGenerateK(h1, D) + var k = ecdsa.deterministicGenerateK(ecparams, h1, D) assert.equal(k.toHex(), f.k) }) }) @@ -36,7 +36,7 @@ describe('ecdsa', function() { var e = BigInteger.fromBuffer(hash) var psig = ecdsa.parseSigCompact(signature) - var Qprime = ecdsa.recoverPubKey(e, psig.r, psig.s, psig.i) + var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i) assert(Q.equals(Qprime)) }) }) @@ -46,7 +46,7 @@ describe('ecdsa', function() { fixtures.valid.forEach(function(f) { var D = BigInteger.fromHex(f.D) var hash = crypto.sha256(f.message) - var sig = ecdsa.sign(hash, D) + var sig = ecdsa.sign(ecparams, hash, D) assert.equal(sig.r.toString(), f.signature.r) assert.equal(sig.s.toString(), f.signature.s) @@ -55,7 +55,7 @@ describe('ecdsa', function() { it('should sign with low S value', function() { var hash = crypto.sha256('Vires in numeris') - var sig = ecdsa.sign(hash, BigInteger.ONE) + var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE) // See BIP62 for more information var N_OVER_TWO = ecparams.getN().shiftRight(1) @@ -73,7 +73,7 @@ describe('ecdsa', function() { var s = new BigInteger(f.signature.s) var e = BigInteger.fromBuffer(crypto.sha256(f.message)) - assert(ecdsa.verifyRaw(e, r, s, Q)) + assert(ecdsa.verifyRaw(ecparams, e, r, s, Q)) }) }) }) From d05d661aeadaf440b53d8d213ad384abf90e6165 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Sat, 17 May 2014 15:11:43 +1000 Subject: [PATCH 6/7] ecdsa: use standard declarative notation for functions --- src/ecdsa.js | 61 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 26 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index e5306de..aba1828 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -4,8 +4,7 @@ var crypto = require('./crypto') var BigInteger = require('bigi') var ECPointFp = require('./ec').ECPointFp -var ecdsa = { - deterministicGenerateK: function(ecparams, hash, D) { + function deterministicGenerateK(ecparams, hash, D) { assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) assert.equal(hash.length, 32, 'Hash must be 256 bit') assert(D instanceof BigInteger, 'Private key must be a BigInteger') @@ -29,10 +28,10 @@ var ecdsa = { assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') return kB - }, + } - sign: function (ecparams, hash, D) { - var k = ecdsa.deterministicGenerateK(ecparams, hash, D) + function sign(ecparams, hash, D) { + var k = deterministicGenerateK(ecparams, hash, D) var n = ecparams.getN() var G = ecparams.getG() @@ -53,15 +52,15 @@ var ecdsa = { } return {r: r, s: s} - }, + } - verify: function (ecparams, hash, r, s, Q) { + function verify(ecparams, hash, r, s, Q) { var e = BigInteger.fromBuffer(hash) - return ecdsa.verifyRaw(ecparams, e, r, s, Q) - }, + return verifyRaw(ecparams, e, r, s, Q) + } - verifyRaw: function (ecparams, e, r, s, Q) { + function verifyRaw(ecparams, e, r, s, Q) { var n = ecparams.getN() var G = ecparams.getG() @@ -81,14 +80,14 @@ var ecdsa = { var v = point.getX().toBigInteger().mod(n) return v.equals(r) - }, + } /** * Serialize a signature into DER format. * * Takes two BigIntegers representing r and s and returns a byte array. */ - serializeSig: function (r, s) { + function serializeSig(r, s) { var rBa = r.toByteArraySigned() var sBa = s.toByteArraySigned() @@ -105,7 +104,7 @@ var ecdsa = { sequence.unshift(0x30); // SEQUENCE return sequence - }, + } /** * Parses a buffer containing a DER-encoded signature. @@ -117,7 +116,7 @@ var ecdsa = { * s: BigInteger * } */ - parseSig: function (buffer) { + function parseSig(buffer) { assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') @@ -134,9 +133,9 @@ var ecdsa = { r: BigInteger.fromByteArraySigned(rB), s: BigInteger.fromByteArraySigned(sB) } - }, + } - serializeSigCompact: function(r, s, i, compressed) { + function serializeSigCompact(r, s, i, compressed) { if (compressed) { i += 4 } @@ -149,9 +148,9 @@ var ecdsa = { s.toBuffer(32).copy(buffer, 33) return buffer - }, + } - parseSigCompact: function (buffer) { + function parseSigCompact(buffer) { assert.equal(buffer.length, 65, 'Invalid signature length') var i = buffer.readUInt8(0) - 27 @@ -171,7 +170,7 @@ var ecdsa = { i: i, compressed: compressed } - }, + } /** * Recover a public key from a signature. @@ -181,7 +180,7 @@ var ecdsa = { * * http://www.secg.org/download/aid-780/sec1-v2.pdf */ - recoverPubKey: function (ecparams, e, r, s, i) { + function recoverPubKey(ecparams, e, r, s, i) { assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') // A set LSB signifies that the y-coordinate is odd @@ -229,12 +228,12 @@ var ecdsa = { var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) Q.validate() - if (!ecdsa.verifyRaw(ecparams, e, r, s, Q)) { + if (!verifyRaw(ecparams, e, r, s, Q)) { throw new Error("Pubkey recovery unsuccessful") } return Q - }, + } /** * Calculate pubkey extraction parameter. @@ -247,9 +246,9 @@ var ecdsa = { * This function simply tries all four cases and returns the value * that resulted in a successful pubkey recovery. */ - calcPubKeyRecoveryParam: function (ecparams, e, r, s, Q) { + function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) { for (var i = 0; i < 4; i++) { - var Qprime = ecdsa.recoverPubKey(ecparams, e, r, s, i) + var Qprime = recoverPubKey(ecparams, e, r, s, i) if (Qprime.equals(Q)) { return i @@ -258,6 +257,16 @@ var ecdsa = { throw new Error('Unable to find valid recovery factor') } -} -module.exports = ecdsa +module.exports = { + calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, + deterministicGenerateK: deterministicGenerateK, + recoverPubKey: recoverPubKey, + sign: sign, + verify: verify, + verifyRaw: verifyRaw, + serializeSig: serializeSig, + parseSig: parseSig, + serializeSigCompact: serializeSigCompact, + parseSigCompact: parseSigCompact +} From 087ca551f5b201cf71038d55a2b099a020e2a2b8 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Fri, 23 May 2014 17:18:32 +1000 Subject: [PATCH 7/7] ecdsa: fix indentation --- src/ecdsa.js | 436 +++++++++++++++++++++++++-------------------------- 1 file changed, 218 insertions(+), 218 deletions(-) diff --git a/src/ecdsa.js b/src/ecdsa.js index aba1828..1536918 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -4,269 +4,269 @@ var crypto = require('./crypto') var BigInteger = require('bigi') var ECPointFp = require('./ec').ECPointFp - function deterministicGenerateK(ecparams, hash, D) { - assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) - assert.equal(hash.length, 32, 'Hash must be 256 bit') - assert(D instanceof BigInteger, 'Private key must be a BigInteger') - - var x = D.toBuffer(32) - var k = new Buffer(32) - var v = new Buffer(32) - k.fill(0) - v.fill(1) - - k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k) - v = crypto.HmacSHA256(v, k) - - k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k) - v = crypto.HmacSHA256(v, k) - v = crypto.HmacSHA256(v, k) - - var n = ecparams.getN() - var kB = BigInteger.fromBuffer(v).mod(n) - assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value') - assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') - - return kB - } +function deterministicGenerateK(ecparams, hash, D) { + assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) + assert.equal(hash.length, 32, 'Hash must be 256 bit') + assert(D instanceof BigInteger, 'Private key must be a BigInteger') + + var x = D.toBuffer(32) + var k = new Buffer(32) + var v = new Buffer(32) + k.fill(0) + v.fill(1) + + k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k) + v = crypto.HmacSHA256(v, k) + + k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k) + v = crypto.HmacSHA256(v, k) + v = crypto.HmacSHA256(v, k) + + var n = ecparams.getN() + var kB = BigInteger.fromBuffer(v).mod(n) + assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value') + assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') + + return kB +} - function sign(ecparams, hash, D) { - var k = deterministicGenerateK(ecparams, hash, D) +function sign(ecparams, hash, D) { + var k = deterministicGenerateK(ecparams, hash, D) - var n = ecparams.getN() - var G = ecparams.getG() - var Q = G.multiply(k) - var e = BigInteger.fromBuffer(hash) + var n = ecparams.getN() + var G = ecparams.getG() + var Q = G.multiply(k) + var e = BigInteger.fromBuffer(hash) - var r = Q.getX().toBigInteger().mod(n) - assert.notEqual(r.signum(), 0, 'Invalid R value') + var r = Q.getX().toBigInteger().mod(n) + assert.notEqual(r.signum(), 0, 'Invalid R value') - var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n) - assert.notEqual(s.signum(), 0, 'Invalid S value') + var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n) + assert.notEqual(s.signum(), 0, 'Invalid S value') - var N_OVER_TWO = n.shiftRight(1) + var N_OVER_TWO = n.shiftRight(1) - // enforce low S values, see bip62: 'low s values in signatures' - if (s.compareTo(N_OVER_TWO) > 0) { - s = n.subtract(s) - } - - return {r: r, s: s} + // enforce low S values, see bip62: 'low s values in signatures' + if (s.compareTo(N_OVER_TWO) > 0) { + s = n.subtract(s) } - function verify(ecparams, hash, r, s, Q) { - var e = BigInteger.fromBuffer(hash) + return {r: r, s: s} +} - return verifyRaw(ecparams, e, r, s, Q) - } +function verify(ecparams, hash, r, s, Q) { + var e = BigInteger.fromBuffer(hash) - function verifyRaw(ecparams, e, r, s, Q) { - var n = ecparams.getN() - var G = ecparams.getG() + return verifyRaw(ecparams, e, r, s, Q) +} - if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) { - return false - } +function verifyRaw(ecparams, e, r, s, Q) { + var n = ecparams.getN() + var G = ecparams.getG() - if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) { - return false - } + if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) { + return false + } + + if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) { + return false + } - var c = s.modInverse(n) - var u1 = e.multiply(c).mod(n) - var u2 = r.multiply(c).mod(n) + var c = s.modInverse(n) + var u1 = e.multiply(c).mod(n) + var u2 = r.multiply(c).mod(n) - var point = G.multiplyTwo(u1, Q, u2) - var v = point.getX().toBigInteger().mod(n) + var point = G.multiplyTwo(u1, Q, u2) + var v = point.getX().toBigInteger().mod(n) - return v.equals(r) - } + return v.equals(r) +} - /** - * Serialize a signature into DER format. - * - * Takes two BigIntegers representing r and s and returns a byte array. - */ - function serializeSig(r, s) { - var rBa = r.toByteArraySigned() - var sBa = s.toByteArraySigned() +/** + * Serialize a signature into DER format. + * + * Takes two BigIntegers representing r and s and returns a byte array. + */ +function serializeSig(r, s) { + var rBa = r.toByteArraySigned() + var sBa = s.toByteArraySigned() - var sequence = [] - sequence.push(0x02); // INTEGER - sequence.push(rBa.length) - sequence = sequence.concat(rBa) + var sequence = [] + sequence.push(0x02); // INTEGER + sequence.push(rBa.length) + sequence = sequence.concat(rBa) - sequence.push(0x02); // INTEGER - sequence.push(sBa.length) - sequence = sequence.concat(sBa) + sequence.push(0x02); // INTEGER + sequence.push(sBa.length) + sequence = sequence.concat(sBa) - sequence.unshift(sequence.length) - sequence.unshift(0x30); // SEQUENCE + sequence.unshift(sequence.length) + sequence.unshift(0x30); // SEQUENCE - return sequence - } + return sequence +} - /** - * Parses a buffer containing a DER-encoded signature. - * - * This function will return an object of the form: - * - * { - * r: BigInteger, - * s: BigInteger - * } - */ - function parseSig(buffer) { - assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') - assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') - - assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer') - var rLen = buffer.readUInt8(3) - var rB = buffer.slice(4, 4 + rLen) - - var offset = 4 + rLen - assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer') - var sLen = buffer.readUInt8(1 + offset) - var sB = buffer.slice(2 + offset) - - return { - r: BigInteger.fromByteArraySigned(rB), - s: BigInteger.fromByteArraySigned(sB) - } +/** + * Parses a buffer containing a DER-encoded signature. + * + * This function will return an object of the form: + * + * { + * r: BigInteger, + * s: BigInteger + * } + */ +function parseSig(buffer) { + assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') + assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') + + assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer') + var rLen = buffer.readUInt8(3) + var rB = buffer.slice(4, 4 + rLen) + + var offset = 4 + rLen + assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer') + var sLen = buffer.readUInt8(1 + offset) + var sB = buffer.slice(2 + offset) + + return { + r: BigInteger.fromByteArraySigned(rB), + s: BigInteger.fromByteArraySigned(sB) } +} - function serializeSigCompact(r, s, i, compressed) { - if (compressed) { - i += 4 - } +function serializeSigCompact(r, s, i, compressed) { + if (compressed) { + i += 4 + } - i += 27 + i += 27 - var buffer = new Buffer(65) - buffer.writeUInt8(i, 0) - r.toBuffer(32).copy(buffer, 1) - s.toBuffer(32).copy(buffer, 33) + var buffer = new Buffer(65) + buffer.writeUInt8(i, 0) + r.toBuffer(32).copy(buffer, 1) + s.toBuffer(32).copy(buffer, 33) - return buffer - } + return buffer +} - function parseSigCompact(buffer) { - assert.equal(buffer.length, 65, 'Invalid signature length') - var i = buffer.readUInt8(0) - 27 +function parseSigCompact(buffer) { + assert.equal(buffer.length, 65, 'Invalid signature length') + var i = buffer.readUInt8(0) - 27 - // At most 3 bits - assert.equal(i, i & 7, 'Invalid signature type') - var compressed = !!(i & 4) + // At most 3 bits + assert.equal(i, i & 7, 'Invalid signature type') + var compressed = !!(i & 4) - // Recovery param only - i = i & 3 + // Recovery param only + i = i & 3 - var r = BigInteger.fromBuffer(buffer.slice(1, 33)) - var s = BigInteger.fromBuffer(buffer.slice(33)) + var r = BigInteger.fromBuffer(buffer.slice(1, 33)) + var s = BigInteger.fromBuffer(buffer.slice(33)) - return { - r: r, - s: s, - i: i, - compressed: compressed - } + return { + r: r, + s: s, + i: i, + compressed: compressed } +} - /** - * Recover a public key from a signature. - * - * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public - * Key Recovery Operation". - * - * http://www.secg.org/download/aid-780/sec1-v2.pdf - */ - function recoverPubKey(ecparams, e, r, s, i) { - assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') - - // A set LSB signifies that the y-coordinate is odd - // By reduction, the y-coordinate is even if it is clear - var isYEven = !(i & 1) - - // The more significant bit specifies whether we should use the - // first or second candidate key. - var isSecondKey = i >> 1 - - var n = ecparams.getN() - var G = ecparams.getG() - var curve = ecparams.getCurve() - var p = curve.getQ() - var a = curve.getA().toBigInteger() - var b = curve.getB().toBigInteger() - - // We precalculate (p + 1) / 4 where p is the field order - if (!curve.P_OVER_FOUR) { - curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2) - } - - // 1.1 Compute x - var x = isSecondKey ? r.add(n) : r +/** + * Recover a public key from a signature. + * + * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public + * Key Recovery Operation". + * + * http://www.secg.org/download/aid-780/sec1-v2.pdf + */ +function recoverPubKey(ecparams, e, r, s, i) { + assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') + + // A set LSB signifies that the y-coordinate is odd + // By reduction, the y-coordinate is even if it is clear + var isYEven = !(i & 1) + + // The more significant bit specifies whether we should use the + // first or second candidate key. + var isSecondKey = i >> 1 + + var n = ecparams.getN() + var G = ecparams.getG() + var curve = ecparams.getCurve() + var p = curve.getQ() + var a = curve.getA().toBigInteger() + var b = curve.getB().toBigInteger() + + // We precalculate (p + 1) / 4 where p is the field order + if (!curve.P_OVER_FOUR) { + curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2) + } - // 1.3 Convert x to point - var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p) - var beta = alpha.modPow(curve.P_OVER_FOUR, p) + // 1.1 Compute x + var x = isSecondKey ? r.add(n) : r - // If beta is even, but y isn't, or vice versa, then convert it, - // otherwise we're done and y == beta. - var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta + // 1.3 Convert x to point + var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p) + var beta = alpha.modPow(curve.P_OVER_FOUR, p) - // 1.4 Check that nR isn't at infinity - var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) - R.validate() + // If beta is even, but y isn't, or vice versa, then convert it, + // otherwise we're done and y == beta. + var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta - // 1.5 Compute -e from e - var eNeg = e.negate().mod(n) + // 1.4 Check that nR isn't at infinity + var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) + R.validate() - // 1.6 Compute Q = r^-1 (sR - eG) - // Q = r^-1 (sR + -eG) - var rInv = r.modInverse(n) + // 1.5 Compute -e from e + var eNeg = e.negate().mod(n) - var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) - Q.validate() + // 1.6 Compute Q = r^-1 (sR - eG) + // Q = r^-1 (sR + -eG) + var rInv = r.modInverse(n) - if (!verifyRaw(ecparams, e, r, s, Q)) { - throw new Error("Pubkey recovery unsuccessful") - } + var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) + Q.validate() - return Q + if (!verifyRaw(ecparams, e, r, s, Q)) { + throw new Error("Pubkey recovery unsuccessful") } - /** - * Calculate pubkey extraction parameter. - * - * When extracting a pubkey from a signature, we have to - * distinguish four different cases. Rather than putting this - * burden on the verifier, Bitcoin includes a 2-bit value with the - * signature. - * - * This function simply tries all four cases and returns the value - * that resulted in a successful pubkey recovery. - */ - function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) { - for (var i = 0; i < 4; i++) { - var Qprime = recoverPubKey(ecparams, e, r, s, i) - - if (Qprime.equals(Q)) { - return i - } - } + return Q +} - throw new Error('Unable to find valid recovery factor') +/** + * Calculate pubkey extraction parameter. + * + * When extracting a pubkey from a signature, we have to + * distinguish four different cases. Rather than putting this + * burden on the verifier, Bitcoin includes a 2-bit value with the + * signature. + * + * This function simply tries all four cases and returns the value + * that resulted in a successful pubkey recovery. + */ +function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) { + for (var i = 0; i < 4; i++) { + var Qprime = recoverPubKey(ecparams, e, r, s, i) + + if (Qprime.equals(Q)) { + return i + } } + throw new Error('Unable to find valid recovery factor') +} + module.exports = { - calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, - deterministicGenerateK: deterministicGenerateK, - recoverPubKey: recoverPubKey, - sign: sign, - verify: verify, - verifyRaw: verifyRaw, - serializeSig: serializeSig, - parseSig: parseSig, - serializeSigCompact: serializeSigCompact, - parseSigCompact: parseSigCompact +calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, +deterministicGenerateK: deterministicGenerateK, +recoverPubKey: recoverPubKey, +sign: sign, +verify: verify, +verifyRaw: verifyRaw, +serializeSig: serializeSig, +parseSig: parseSig, +serializeSigCompact: serializeSigCompact, +parseSigCompact: parseSigCompact }