Uses low 's' values for signatures

11 years ago · d7c2e4d5a5
2 changed files with 22 additions and 0 deletions
--- a/src/ecdsa.js
+++ b/src/ecdsa.js
@ -69,6 +69,11 @@ var ecdsa = {

    var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)

+    if (s.compareTo(n.divide(BigInteger.valueOf(2))) > 0) {
+      // Make 's' value 'low', as per https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#low-s-values-in-signatures
+      s = n.subtract(s);
+    }
+
    return ecdsa.serializeSig(r, s)
  },

--- a/test/eckey.js
+++ b/test/eckey.js
@ -1,4 +1,8 @@
 var assert = require('assert')
+var ecdsa = require('../src/ecdsa.js')
+var sec = require('../src/jsbn/sec.js')
+var BigInteger = require('../src/jsbn/jsbn.js')
+var ecparams = sec("secp256k1")
 var ECKey = require('../src/eckey.js').ECKey
 var ECPubKey = require('../src/eckey.js').ECPubKey
 var convert = require('../src/convert.js')
@ -148,6 +152,19 @@ describe('ECKey', function() {
      assert(priv.verify(message, signature))
    })

+    it('should sign with low S value', function() {
+      var priv = new ECKey(hpriv)
+      var signature = priv.sign(message)
+      var parsed = ecdsa.parseSig(signature)
+
+      // Check that the 's' value is 'low', to prevent possible transaction malleability as per
+      // https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#low-s-values-in-signatures
+      assert(parsed.s.compareTo(ecparams.getN().divide(BigInteger.valueOf(2))) <= 0)
+
+      assert(priv.verify(message, signature))
+    })
+
+
    it('should verify against the public key', function() {
      var priv = new ECKey(hpriv)
      var pub = new ECPubKey(hcpub, true)