bitcoinjs-lib/src/ecdsa.js

var assert = require('assert')
var crypto = require('./crypto')

var BigInteger = require('bigi')
var ECSignature = require('./ecsignature')

// https://tools.ietf.org/html/rfc6979#section-3.2
function deterministicGenerateK(curve, hash, d) {
  assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
  assert.equal(hash.length, 32, 'Hash must be 256 bit')
  assert(d instanceof BigInteger, 'Private key must be a BigInteger')

  var x = d.toBuffer(32)
  var k = new Buffer(32)
  var v = new Buffer(32)

  // Step B
  v.fill(1)

  // Step C
  k.fill(0)

  // Step D
  k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)

  // Step E
  v = crypto.HmacSHA256(v, k)

  // Step F
  k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)

  // Step G
  v = crypto.HmacSHA256(v, k)

  // Step H1/H2a, ignored as tlen === qlen (256 bit)
  // Step H2b
  v = crypto.HmacSHA256(v, k)

  var T = BigInteger.fromBuffer(v)

  // Step H3, repeat until T is within the interval [1, n - 1]
  while ((T.signum() <= 0) || (T.compareTo(curve.n) >= 0)) {
    k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0])]), k)
    v = crypto.HmacSHA256(v, k)

    T = BigInteger.fromBuffer(v)
  }

  return T
}

function sign(curve, hash, d) {
  var k = deterministicGenerateK(curve, hash, d)

  var n = curve.n
  var G = curve.G
  var Q = G.multiply(k)
  var e = BigInteger.fromBuffer(hash)

  var r = Q.affineX.mod(n)
  assert.notEqual(r.signum(), 0, 'Invalid R value')

  var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)
  assert.notEqual(s.signum(), 0, 'Invalid S value')

  var N_OVER_TWO = n.shiftRight(1)

  // enforce low S values, see bip62: 'low s values in signatures'
  if (s.compareTo(N_OVER_TWO) > 0) {
    s = n.subtract(s)
  }

  return new ECSignature(r, s)
}

function verify(curve, hash, signature, Q) {
  var e = BigInteger.fromBuffer(hash)

  return verifyRaw(curve, e, signature, Q)
}

function verifyRaw(curve, e, signature, Q) {
  var n = curve.n
  var G = curve.G

  var r = signature.r
  var s = signature.s

  if (r.signum() <= 0 || r.compareTo(n) >= 0) return false
  if (s.signum() <= 0 || s.compareTo(n) >= 0) return false

  var c = s.modInverse(n)

  var u1 = e.multiply(c).mod(n)
  var u2 = r.multiply(c).mod(n)

  var point = G.multiplyTwo(u1, Q, u2)
  var v = point.affineX.mod(n)

  return v.equals(r)
}

/**
  * Recover a public key from a signature.
  *
  * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
  * Key Recovery Operation".
  *
  * http://www.secg.org/download/aid-780/sec1-v2.pdf
  */
function recoverPubKey(curve, e, signature, i) {
  assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')

  var n = curve.n
  var G = curve.G

  var r = signature.r
  var s = signature.s

  assert(r.signum() > 0 && r.compareTo(n) < 0, 'Invalid r value')
  assert(s.signum() > 0 && s.compareTo(n) < 0, 'Invalid s value')

  // A set LSB signifies that the y-coordinate is odd
  var isYOdd = i & 1

  // The more significant bit specifies whether we should use the
  // first or second candidate key.
  var isSecondKey = i >> 1

  // 1.1 Let x = r + jn
  var x = isSecondKey ? r.add(n) : r
  var R = curve.pointFromX(isYOdd, x)

  // 1.4 Check that nR is at infinity
  var nR = R.multiply(n)
  assert(curve.isInfinity(nR), 'nR is not a valid curve point')

  // Compute -e from e
  var eNeg = e.negate().mod(n)

  // 1.6.1 Compute Q = r^-1 (sR -  eG)
  //               Q = r^-1 (sR + -eG)
  var rInv = r.modInverse(n)

  var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
  curve.validate(Q)

  return Q
}

/**
  * Calculate pubkey extraction parameter.
  *
  * When extracting a pubkey from a signature, we have to
  * distinguish four different cases. Rather than putting this
  * burden on the verifier, Bitcoin includes a 2-bit value with the
  * signature.
  *
  * This function simply tries all four cases and returns the value
  * that resulted in a successful pubkey recovery.
  */
function calcPubKeyRecoveryParam(curve, e, signature, Q) {
  for (var i = 0; i < 4; i++) {
    var Qprime = recoverPubKey(curve, e, signature, i)

    // 1.6.2 Verify Q
    if (Qprime.equals(Q)) {
      return i
    }
  }

  throw new Error('Unable to find valid recovery factor')
}

module.exports = {
  calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
  deterministicGenerateK: deterministicGenerateK,
  recoverPubKey: recoverPubKey,
  sign: sign,
  verify: verify,
  verifyRaw: verifyRaw
}
Enforces Array input for deterministicGenerateK 2014-04-22 22:18:38 +02:00			`var assert = require('assert')`
crypto/ecdsa: moves HmacSHA256 to crypto 2014-05-16 04:36:09 +02:00			`var crypto = require('./crypto')`
Replacse JSBN with bigi 2014-04-21 18:19:30 +02:00
upgrade bigi & remove monkey patching 2014-05-03 04:04:54 +02:00			`var BigInteger = require('bigi')`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var ECSignature = require('./ecsignature')`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`// https://tools.ietf.org/html/rfc6979#section-3.2`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function deterministicGenerateK(curve, hash, d) {`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)`
			`assert.equal(hash.length, 32, 'Hash must be 256 bit')`
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`assert(d instanceof BigInteger, 'Private key must be a BigInteger')`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var x = d.toBuffer(32)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var k = new Buffer(32)`
			`var v = new Buffer(32)`
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00
			`// Step B`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`v.fill(1)`

ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`// Step C`
			`k.fill(0)`

			`// Step D`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)`
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00
			`// Step E`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`v = crypto.HmacSHA256(v, k)`

ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`// Step F`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)`
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00
			`// Step G`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`v = crypto.HmacSHA256(v, k)`
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00
			`// Step H1/H2a, ignored as tlen === qlen (256 bit)`
			`// Step H2b`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`v = crypto.HmacSHA256(v, k)`

ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`var T = BigInteger.fromBuffer(v)`

ecdsa: fix interval comment Actual range as per the RFC is [1, q - 1], the code adheres to this. 2014-06-25 17:50:37 +02:00			`// Step H3, repeat until T is within the interval [1, n - 1]`
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`while ((T.signum() <= 0) \|\| (T.compareTo(curve.n) >= 0)) {`
			`k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0])]), k)`
			`v = crypto.HmacSHA256(v, k)`

			`T = BigInteger.fromBuffer(v)`
			`}`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
ecdsa: adhere strictly to RFC6979 The previous impl. was in breach of the following section: > Please note that when k is generated from T, the result of bits2int is > compared to q, not reduced modulo q. If the value is not between 1 and > q-1, the process loops. > Performing a simple modular reduction would induce biases that would be > detrimental to signature security. 2014-06-21 14:25:09 +02:00			`return T`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`}`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function sign(curve, hash, d) {`
			`var k = deterministicGenerateK(curve, hash, d)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var n = curve.n`
			`var G = curve.G`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var Q = G.multiply(k)`
			`var e = BigInteger.fromBuffer(hash)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var r = Q.affineX.mod(n)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`assert.notEqual(r.signum(), 0, 'Invalid R value')`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`assert.notEqual(s.signum(), 0, 'Invalid S value')`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var N_OVER_TWO = n.shiftRight(1)`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`// enforce low S values, see bip62: 'low s values in signatures'`
			`if (s.compareTo(N_OVER_TWO) > 0) {`
			`s = n.subtract(s)`
ecdsa: use standard declarative notation for functions 2014-05-17 07:11:43 +02:00			`}`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`return new ECSignature(r, s)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`}`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function verify(curve, hash, signature, Q) {`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var e = BigInteger.fromBuffer(hash)`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`return verifyRaw(curve, e, signature, Q)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`}`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function verifyRaw(curve, e, signature, Q) {`
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var n = curve.n`
			`var G = curve.G`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: always use signature object 2014-05-24 08:25:38 +02:00			`var r = signature.r`
			`var s = signature.s`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
ecdsa: enforce positive integers 2014-07-29 15:45:10 +02:00			`if (r.signum() <= 0 \|\| r.compareTo(n) >= 0) return false`
			`if (s.signum() <= 0 \|\| s.compareTo(n) >= 0) return false`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var c = s.modInverse(n)`
ecdsa: use signum() over compareTo 2014-05-24 06:33:02 +02:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var u1 = e.multiply(c).mod(n)`
			`var u2 = r.multiply(c).mod(n)`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var point = G.multiplyTwo(u1, Q, u2)`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var v = point.affineX.mod(n)`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`return v.equals(r)`
			`}`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`/**`
			`* Recover a public key from a signature.`
			`*`
			`* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public`
			`* Key Recovery Operation".`
			`*`
			`* http://www.secg.org/download/aid-780/sec1-v2.pdf`
			`*/`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function recoverPubKey(curve, e, signature, i) {`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00			`assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
ecdsa: enforce positive integers 2014-07-29 15:45:10 +02:00			`var n = curve.n`
			`var G = curve.G`

ecdsa: always use signature object 2014-05-24 08:25:38 +02:00			`var r = signature.r`
			`var s = signature.s`

ecdsa: enforce positive integers 2014-07-29 15:45:10 +02:00			`assert(r.signum() > 0 && r.compareTo(n) < 0, 'Invalid r value')`
			`assert(s.signum() > 0 && s.compareTo(n) < 0, 'Invalid s value')`

ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`// A set LSB signifies that the y-coordinate is odd`
ecdsa: ecurve 0.10.0 2014-06-21 14:33:26 +02:00			`var isYOdd = i & 1`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
			`// The more significant bit specifies whether we should use the`
			`// first or second candidate key.`
			`var isSecondKey = i >> 1`

ecdsa: amend recoverPubKey SEC comments 2014-06-14 03:47:22 +02:00			`// 1.1 Let x = r + jn`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var x = isSecondKey ? r.add(n) : r`
ecdsa: ecurve 0.10.0 2014-06-21 14:33:26 +02:00			`var R = curve.pointFromX(isYOdd, x)`
Initial import 2011-05-04 18:02:56 +02:00
ecdsa: amend recoverPubKey SEC comments 2014-06-14 03:47:22 +02:00			`// 1.4 Check that nR is at infinity`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00			`var nR = R.multiply(n)`
			`assert(curve.isInfinity(nR), 'nR is not a valid curve point')`
Initial import 2011-05-04 18:02:56 +02:00
ecdsa: amend recoverPubKey SEC comments 2014-06-14 03:47:22 +02:00			`// Compute -e from e`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var eNeg = e.negate().mod(n)`
Fixed indents. 2012-01-11 02:40:45 +01:00
ecdsa: amend recoverPubKey SEC comments 2014-06-14 03:47:22 +02:00			`// 1.6.1 Compute Q = r^-1 (sR - eG)`
			`// Q = r^-1 (sR + -eG)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var rInv = r.modInverse(n)`
ecdsa: consistent parameter ordering 2014-05-10 14:30:29 +02:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`curve.validate(Q)`
Removed modSqrt. All credit to Joric! Derp. Well that sure simplifies things, doesn't it... :) 2012-08-17 01:38:29 +02:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`return Q`
			`}`
port message to common.js style and add tests 2013-03-02 18:28:13 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`/**`
			`* Calculate pubkey extraction parameter.`
			`*`
			`* When extracting a pubkey from a signature, we have to`
			`* distinguish four different cases. Rather than putting this`
			`* burden on the verifier, Bitcoin includes a 2-bit value with the`
			`* signature.`
			`*`
			`* This function simply tries all four cases and returns the value`
			`* that resulted in a successful pubkey recovery.`
			`*/`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`function calcPubKeyRecoveryParam(curve, e, signature, Q) {`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`for (var i = 0; i < 4; i++) {`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var Qprime = recoverPubKey(curve, e, signature, i)`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00
ecdsa: amend recoverPubKey SEC comments 2014-06-14 03:47:22 +02:00			`// 1.6.2 Verify Q`
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`if (Qprime.equals(Q)) {`
			`return i`
			`}`
start to split into node commonjs style modules - no longer is the global Bitcoin used for modules - cleaner and more maintainable code - add more tests 2013-02-17 06:39:15 +01:00			`}`
Fixed indents. 2012-01-11 02:40:45 +01:00
ecdsa: fix indentation 2014-05-23 09:18:32 +02:00			`throw new Error('Unable to find valid recovery factor')`
			`}`

ecdsa: use standard declarative notation for functions 2014-05-17 07:11:43 +02:00			`module.exports = {`
ecdsa: always use signature object 2014-05-24 08:25:38 +02:00			`calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,`
			`deterministicGenerateK: deterministicGenerateK,`
			`recoverPubKey: recoverPubKey,`
			`sign: sign,`
			`verify: verify,`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`verifyRaw: verifyRaw`
ecdsa: use standard declarative notation for functions 2014-05-17 07:11:43 +02:00			`}`