diff --git a/src/ecdsa.js b/src/ecdsa.js index 103095d..ae4a369 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -154,93 +154,8 @@ function verify (hash, signature, Q) { return v.equals(r) } -/** - * Recover a public key from a signature. - * - * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public - * Key Recovery Operation". - * - * http://www.secg.org/download/aid-780/sec1-v2.pdf - */ -function recoverPubKey (e, signature, i) { - typeforce(types.tuple( - types.BigInt, - types.ECSignature, - types.UInt2 - ), arguments) - - var n = secp256k1.n - var G = secp256k1.G - var r = signature.r - var s = signature.s - - if (r.signum() <= 0 || r.compareTo(n) >= 0) throw new Error('Invalid r value') - if (s.signum() <= 0 || s.compareTo(n) >= 0) throw new Error('Invalid s value') - - // A set LSB signifies that the y-coordinate is odd - var isYOdd = i & 1 - - // The more significant bit specifies whether we should use the - // first or second candidate key. - var isSecondKey = i >> 1 - - // 1.1 Let x = r + jn - var x = isSecondKey ? r.add(n) : r - var R = secp256k1.pointFromX(isYOdd, x) - - // 1.4 Check that nR is at infinity - var nR = R.multiply(n) - if (!secp256k1.isInfinity(nR)) throw new Error('nR is not a valid curve point') - - // Compute r^-1 - var rInv = r.modInverse(n) - - // Compute -e from e - var eNeg = e.negate().mod(n) - - // 1.6.1 Compute Q = r^-1 (sR - eG) - // Q = r^-1 (sR + -eG) - var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) - - secp256k1.validate(Q) - - return Q -} - -/** - * Calculate pubkey extraction parameter. - * - * When extracting a pubkey from a signature, we have to - * distinguish four different cases. Rather than putting this - * burden on the verifier, Bitcoin includes a 2-bit value with the - * signature. - * - * This function simply tries all four cases and returns the value - * that resulted in a successful pubkey recovery. - */ -function calcPubKeyRecoveryParam (e, signature, Q) { - typeforce(types.tuple( - types.BigInt, - types.ECSignature, - types.ECPoint - ), arguments) - - for (var i = 0; i < 4; i++) { - var Qprime = recoverPubKey(e, signature, i) - - // 1.6.2 Verify Q - if (Qprime.equals(Q)) { - return i - } - } - - throw new Error('Unable to find valid recovery factor') -} - module.exports = { - calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, deterministicGenerateK: deterministicGenerateK, - recoverPubKey: recoverPubKey, sign: sign, verify: verify, diff --git a/test/ecdsa.js b/test/ecdsa.js index 971f0d3..f6e1410 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -81,55 +81,6 @@ describe('ecdsa', function () { }) }) - describe('recoverPubKey', function () { - fixtures.valid.ecdsa.forEach(function (f) { - it('recovers the pubKey for ' + f.d, function () { - var d = BigInteger.fromHex(f.d) - var Q = curve.G.multiply(d) - var signature = ECSignature.fromDER(new Buffer(f.signature, 'hex')) - var h1 = bcrypto.sha256(f.message) - var e = BigInteger.fromBuffer(h1) - var Qprime = ecdsa.recoverPubKey(e, signature, f.i) - - assert(Qprime.equals(Q)) - }) - }) - - describe('with i ∈ {0,1,2,3}', function () { - var hash = new Buffer('feef89995d7575f12d65ccc9d28ccaf7ab224c2e59dad4cc7f6a2b0708d24696', 'hex') - var e = BigInteger.fromBuffer(hash) - - var signatureBuffer = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64') - var signature = ECSignature.parseCompact(signatureBuffer).signature - var points = [ - '03e3a8c44a8bf712f1fbacee274fb19c0239b1a9e877eff0075ea335f2be8ff380', - '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798', - '03d49e765f0bc27525c51a1b98fb1c99dacd59abe85a203af90f758260550b56c5', - '027eea09d46ac7fb6aa2e96f9c576677214ffdc238eb167734a9b39d1eb4c3d30d' - ] - - points.forEach(function (expectedHex, i) { - it('recovers an expected point for i of ' + i, function () { - var Qprime = ecdsa.recoverPubKey(e, signature, i) - var QprimeHex = Qprime.getEncoded().toString('hex') - - assert.strictEqual(QprimeHex, expectedHex) - }) - }) - }) - - fixtures.invalid.recoverPubKey.forEach(function (f) { - it('throws on ' + f.description + ' (' + f.exception + ')', function () { - var e = BigInteger.fromHex(f.e) - var signature = new ECSignature(new BigInteger(f.signatureRaw.r, 16), new BigInteger(f.signatureRaw.s, 16)) - - assert.throws(function () { - ecdsa.recoverPubKey(e, signature, f.i) - }, new RegExp(f.exception)) - }) - }) - }) - describe('sign', function () { fixtures.valid.ecdsa.forEach(function (f) { it('produces a deterministic signature for "' + f.message + '"', function () { diff --git a/test/fixtures/ecdsa.json b/test/fixtures/ecdsa.json index 404759d..bd2fc3c 100644 --- a/test/fixtures/ecdsa.json +++ b/test/fixtures/ecdsa.json @@ -125,78 +125,6 @@ ] }, "invalid": { - "recoverPubKey": [ - { - "description": "Invalid r value (< 0)", - "exception": "Invalid r value", - "e": "01", - "signatureRaw": { - "r": "-01", - "s": "02" - }, - "i": 0 - }, - { - "description": "Invalid r value (== 0)", - "exception": "Invalid r value", - "e": "01", - "signatureRaw": { - "r": "00", - "s": "02" - }, - "i": 0 - }, - { - "description": "Invalid s value (< 0)", - "exception": "Invalid s value", - "e": "01", - "signatureRaw": { - "r": "02", - "s": "-01" - }, - "i": 0 - }, - { - "description": "Invalid s value (== 0)", - "exception": "Invalid s value", - "e": "01", - "signatureRaw": { - "r": "02", - "s": "00" - }, - "i": 0 - }, - { - "description": "Invalid r value (nR is infinity)", - "exception": "nR is not a valid curve point", - "e": "01", - "signatureRaw": { - "r": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", - "s": "01" - }, - "i": 0 - }, - { - "description": "Invalid curve point", - "exception": "Point is not on the curve", - "e": "01", - "signatureRaw": { - "r": "4b3b4ca85a86c47a098a223fffffffff", - "s": "01" - }, - "i": 0 - }, - { - "description": "Invalid i value (> 3)", - "exception": "Expected property \"2\" of type UInt2, got Number 4", - "e": "01", - "signatureRaw": { - "r": "00", - "s": "02" - }, - "i": 4 - } - ], "verify": [ { "description": "The wrong signature",