bitcoinjs-lib/src/ecdsa.js

179 lines
4.6 KiB
JavaScript
Raw Normal View History

var assert = require('assert')
var crypto = require('./crypto')
2014-04-21 18:19:30 +02:00
2014-05-03 04:04:54 +02:00
var BigInteger = require('bigi')
var ECSignature = require('./ecsignature')
2014-06-07 08:24:27 +02:00
var Point = require('ecurve').Point
2014-06-07 08:24:27 +02:00
function deterministicGenerateK(curve, hash, d) {
2014-05-23 09:18:32 +02:00
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(d instanceof BigInteger, 'Private key must be a BigInteger')
2014-05-23 09:18:32 +02:00
var x = d.toBuffer(32)
2014-05-23 09:18:32 +02:00
var k = new Buffer(32)
var v = new Buffer(32)
k.fill(0)
v.fill(1)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k)
2014-06-15 17:36:05 +02:00
var n = curve.n
2014-05-23 09:18:32 +02:00
var kB = BigInteger.fromBuffer(v).mod(n)
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
2014-06-07 08:24:27 +02:00
assert(kB.compareTo(n) < 0, 'Invalid k value')
2014-05-23 09:18:32 +02:00
return kB
}
2014-06-07 08:24:27 +02:00
function sign(curve, hash, d) {
var k = deterministicGenerateK(curve, hash, d)
2014-06-15 17:36:05 +02:00
var n = curve.n
var G = curve.G
2014-05-23 09:18:32 +02:00
var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash)
2014-06-07 08:24:27 +02:00
var r = Q.affineX.mod(n)
2014-05-23 09:18:32 +02:00
assert.notEqual(r.signum(), 0, 'Invalid R value')
var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)
2014-05-23 09:18:32 +02:00
assert.notEqual(s.signum(), 0, 'Invalid S value')
2014-05-23 09:18:32 +02:00
var N_OVER_TWO = n.shiftRight(1)
2014-05-23 09:18:32 +02:00
// enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s)
}
return new ECSignature(r, s)
2014-05-23 09:18:32 +02:00
}
2014-06-07 08:24:27 +02:00
function verify(curve, hash, signature, Q) {
2014-05-23 09:18:32 +02:00
var e = BigInteger.fromBuffer(hash)
2014-06-07 08:24:27 +02:00
return verifyRaw(curve, e, signature, Q)
2014-05-23 09:18:32 +02:00
}
2014-06-07 08:24:27 +02:00
function verifyRaw(curve, e, signature, Q) {
2014-06-15 17:36:05 +02:00
var n = curve.n
var G = curve.G
2014-05-24 08:25:38 +02:00
var r = signature.r
var s = signature.s
2014-05-23 09:18:32 +02:00
2014-05-24 08:25:38 +02:00
if (r.signum() === 0 || r.compareTo(n) >= 0) return false
if (s.signum() === 0 || s.compareTo(n) >= 0) return false
2014-05-23 09:18:32 +02:00
var c = s.modInverse(n)
2014-05-24 06:33:02 +02:00
2014-05-23 09:18:32 +02:00
var u1 = e.multiply(c).mod(n)
var u2 = r.multiply(c).mod(n)
2014-05-23 09:18:32 +02:00
var point = G.multiplyTwo(u1, Q, u2)
2014-06-07 08:24:27 +02:00
var v = point.affineX.mod(n)
2014-05-23 09:18:32 +02:00
return v.equals(r)
}
2014-05-23 09:18:32 +02:00
/**
* Recover a public key from a signature.
*
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation".
*
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
2014-06-07 08:24:27 +02:00
function recoverPubKey(curve, e, signature, i) {
assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')
2014-05-23 09:18:32 +02:00
2014-05-24 08:25:38 +02:00
var r = signature.r
var s = signature.s
2014-05-23 09:18:32 +02:00
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
var isSecondKey = i >> 1
2014-06-15 17:36:05 +02:00
var n = curve.n
var G = curve.G
2014-06-07 08:24:27 +02:00
var p = curve.p
var a = curve.a
var b = curve.b
2014-05-23 09:18:32 +02:00
// We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
}
// 1.1 Let x = r + jn
2014-05-23 09:18:32 +02:00
var x = isSecondKey ? r.add(n) : r
// 1.2, 1.3 Convert x to a point R using routine specified in Section 2.3.4
2014-05-23 09:18:32 +02:00
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
2014-05-23 09:18:32 +02:00
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
2011-05-04 18:02:56 +02:00
// 1.4 Check that nR is at infinity
2014-06-07 08:24:27 +02:00
var R = Point.fromAffine(curve, x, y)
var nR = R.multiply(n)
assert(curve.isInfinity(nR), 'nR is not a valid curve point')
2011-05-04 18:02:56 +02:00
// Compute -e from e
2014-05-23 09:18:32 +02:00
var eNeg = e.negate().mod(n)
2012-01-11 02:40:45 +01:00
// 1.6.1 Compute Q = r^-1 (sR - eG)
// Q = r^-1 (sR + -eG)
2014-05-23 09:18:32 +02:00
var rInv = r.modInverse(n)
2014-05-10 14:30:29 +02:00
2014-05-23 09:18:32 +02:00
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
2014-06-07 08:24:27 +02:00
curve.validate(Q)
2014-05-23 09:18:32 +02:00
return Q
}
2014-05-23 09:18:32 +02:00
/**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
2014-06-07 08:24:27 +02:00
function calcPubKeyRecoveryParam(curve, e, signature, Q) {
2014-05-23 09:18:32 +02:00
for (var i = 0; i < 4; i++) {
2014-06-07 08:24:27 +02:00
var Qprime = recoverPubKey(curve, e, signature, i)
2014-05-23 09:18:32 +02:00
// 1.6.2 Verify Q
2014-05-23 09:18:32 +02:00
if (Qprime.equals(Q)) {
return i
}
}
2012-01-11 02:40:45 +01:00
2014-05-23 09:18:32 +02:00
throw new Error('Unable to find valid recovery factor')
}
module.exports = {
2014-05-24 08:25:38 +02:00
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK,
recoverPubKey: recoverPubKey,
sign: sign,
verify: verify,
verifyRaw: verifyRaw
}