From c3e9d568c58c743a9fbaebe0a56c05f4e6280194 Mon Sep 17 00:00:00 2001 From: Daniel Cousens Date: Thu, 24 Apr 2014 07:45:28 +1000 Subject: [PATCH] Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK --- src/ecdsa.js | 85 +++++++++++++++++++++++------------------- test/ecdsa.js | 83 ++++++++++++++++++----------------------- test/eckey.js | 15 ++++---- test/fixtures/ecdsa.js | 51 +++++++++++++++++++++++++ 4 files changed, 141 insertions(+), 93 deletions(-) create mode 100644 test/fixtures/ecdsa.js diff --git a/src/ecdsa.js b/src/ecdsa.js index 4b66d9a..ebc5194 100644 --- a/src/ecdsa.js +++ b/src/ecdsa.js @@ -1,13 +1,11 @@ var assert = require('assert') -var BigInteger = require('./bigi') -var ECPointFp = require('./ec').ECPointFp - -var convert = require('./convert') -var HmacSHA256 = require('crypto-js/hmac-sha256') - +var crypto = require('crypto') var sec = require('./sec') var ecparams = sec("secp256k1") +var BigInteger = require('./bigi') +var ECPointFp = require('./ec').ECPointFp + var P_OVER_FOUR = null function implShamirsTrick(P, k, Q, l) { @@ -36,47 +34,56 @@ function implShamirsTrick(P, k, Q, l) { return R } -function deterministicGenerateK(hash, secret) { - assert(Array.isArray(hash), 'hash must be array') - assert(Array.isArray(secret), 'secret must be array') - - var vArr = [] - var kArr = [] - for (var i = 0;i < 32;i++) vArr.push(1) - for (var i = 0;i < 32;i++) kArr.push(0) - var v = convert.bytesToWordArray(vArr) - var k = convert.bytesToWordArray(kArr) - - k = HmacSHA256(convert.bytesToWordArray(vArr.concat([0]).concat(secret).concat(hash)), k) - v = HmacSHA256(v, k) - vArr = convert.wordArrayToBytes(v) - k = HmacSHA256(convert.bytesToWordArray(vArr.concat([1]).concat(secret).concat(hash)), k) - v = HmacSHA256(v,k) - v = HmacSHA256(v,k) - vArr = convert.wordArrayToBytes(v) - return BigInteger.fromBuffer(vArr) -} - var ecdsa = { - deterministicGenerateK: deterministicGenerateK, - sign: function (hash, priv) { - if (Buffer.isBuffer(hash)) hash = Array.prototype.slice.call(hash) - if (Buffer.isBuffer(priv)) priv = Array.prototype.slice.call(priv) + deterministicGenerateK: function(hash, D) { + function HmacSHA256(buffer, secret) { + return crypto.createHmac('sha256', secret).update(buffer).digest() + } + + assert(Buffer.isBuffer(hash)) + assert.equal(hash.length, 32) + + assert(D instanceof BigInteger) + var x = D.toBuffer(32) + + var k = new Buffer(32) + var v = new Buffer(32) + k.fill(0) + v.fill(1) + + k = HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k) + v = HmacSHA256(v, k) + + k = HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k) + v = HmacSHA256(v, k) + v = HmacSHA256(v, k) + + var kBN = BigInteger.fromBuffer(v) + assert(kBN.compareTo(BigInteger.ONE) > 0) + assert(kBN.compareTo(ecparams.getN()) < 0) + + return kBN + }, + + sign: function (hash, D) { + var k = ecdsa.deterministicGenerateK(hash, D) - var d = priv var n = ecparams.getN() - var e = BigInteger.fromBuffer(hash) - - var k = deterministicGenerateK(hash,priv.toByteArrayUnsigned()) var G = ecparams.getG() var Q = G.multiply(k) + var e = BigInteger.fromBuffer(hash) + var r = Q.getX().toBigInteger().mod(n) + assert.notEqual(r.signum(), 0) - var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n) + var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n) + assert.notEqual(s.signum(), 0) - if (s.compareTo(n.divide(BigInteger.valueOf(2))) > 0) { - // Make 's' value 'low', as per https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#low-s-values-in-signatures - s = n.subtract(s); + var N_OVER_TWO = n.divide(BigInteger.valueOf(2)) + + // Make 's' value 'low' as per bip62 + if (s.compareTo(N_OVER_TWO) > 0) { + s = n.subtract(s) } return ecdsa.serializeSig(r, s) diff --git a/test/ecdsa.js b/test/ecdsa.js index f31e841..1516087 100644 --- a/test/ecdsa.js +++ b/test/ecdsa.js @@ -9,16 +9,18 @@ var ECKey = require('..').ECKey var ECPubKey = require('..').ECPubKey var Message = require('..').Message +var fixtures = require('./fixtures/ecdsa.js') + describe('ecdsa', function() { - // FIXME: needs much better tests than this describe('deterministicGenerateK', function() { - it('produces deterministic K values', function() { - var secret = [4] + it('matches the test vectors', function() { + fixtures.forEach(function(f) { + var priv = BigInteger.fromHex(f.privateKey) + var h1 = crypto.sha256(f.message) - var k1 = ecdsa.deterministicGenerateK([1], secret) - var k2 = ecdsa.deterministicGenerateK([2], secret) - - assert.notDeepEqual(k1, k2) + var k = ecdsa.deterministicGenerateK(h1, priv) + assert.deepEqual(k.toHex(), f.k) + }) }) }) @@ -33,53 +35,40 @@ describe('ecdsa', function() { }) }) - describe('sign/verify', function() { - it('Signing and Verifying', function () { - var s1 = ECKey.makeRandom() - var sig_a = s1.sign([0]) + describe('sign', function() { + it('matches the test vectors', function() { + fixtures.forEach(function(f) { + var priv = ECKey.fromHex(f.privateKey) + var hash = crypto.sha256(f.message) + var sig = ecdsa.parseSig(priv.sign(hash)) - assert.ok(sig_a, 'Sign null') - assert.ok(s1.pub.verify([0], sig_a)) - - var message = new Buffer(1024) // More or less random :P - var hash = crypto.sha256(message) - var sig_b = s1.sign(hash) - assert.ok(sig_b, 'Sign random string') - assert.ok(s1.pub.verify(hash, sig_b)) - - var message2 = new Buffer( - '12dce2c169986b3346827ffb2305cf393984627f5f9722a1b1368e933c8d' + - 'd296653fbe5d7ac031c4962ad0eb1c4298c3b91d244e1116b4a76a130c13' + - '1e7aec7fa70184a71a2e66797052831511b93c6e8d72ae58a1980eaacb66' + - '8a33f50d7cefb96a5dab897b5efcb99cbafb0d777cb83fc9b2115b69c0fa' + - '3d82507b932b84e4', 'hex') - - var hash2 = crypto.sha256(message2) - - var sig_c = new Buffer( - '3044022038d9b8dd5c9fbf330565c1f51d72a59ba869aeb2c2001be959d3' + - '79e861ec71960220a73945f32cf90d03127d2c3410d16cee120fa1a4b4c3' + - 'f273ab082801a95506c4', 'hex') - - var s2 = new Buffer( - '045a1594316e433fb91f35ef4874610d22177c3f1a1060f6c1e70a609d51' + - 'b20be5795cd2a5eae0d6b872ba42db95e9afaeea3fbb89e98099575b6828' + - '609a978528', 'hex') - - assert.ok(ecdsa.verify(hash2, sig_c, s2), 'Verify constant signature') + assert.equal(sig.r.toHex(), f.signature.slice(0, 64)) + assert.equal(sig.s.toHex(), f.signature.slice(64)) + }) }) it('should sign with low S value', function() { var priv = ECKey.fromHex('ca48ec9783cf3ad0dfeff1fc254395a2e403cbbc666477b61b45e31d3b8ab458') - var message = new Buffer('Vires in numeris') - var signature = priv.sign(message) - var parsed = ecdsa.parseSig(signature) + var hash = crypto.sha256('Vires in numeris') + var signature = priv.sign(hash) + var psig = ecdsa.parseSig(signature) - // Check that the 's' value is 'low', to prevent possible transaction malleability as per - // https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#low-s-values-in-signatures - assert.ok(parsed.s.compareTo(ecparams.getN().divide(BigInteger.valueOf(2))) <= 0) + // See BIP62 for more information + assert(psig.s.compareTo(ecparams.getN().divide(BigInteger.valueOf(2))) <= 0) + }) + }) - assert.ok(priv.pub.verify(message, signature)) + describe('verifyRaw', function() { + it('matches the test vectors', function() { + fixtures.forEach(function(f) { + var priv = ECKey.fromHex(f.privateKey) + + var r = BigInteger.fromHex(f.signature.slice(0, 64)) + var s = BigInteger.fromHex(f.signature.slice(64)) + var e = BigInteger.fromBuffer(crypto.sha256(f.message)) + + assert(ecdsa.verifyRaw(e, r, s, priv.pub.Q)) + }) }) }) }) diff --git a/test/eckey.js b/test/eckey.js index 2549cfc..76a7d32 100644 --- a/test/eckey.js +++ b/test/eckey.js @@ -1,5 +1,6 @@ var assert = require('assert') +var crypto = require('..').crypto var ECKey = require('../src/eckey.js').ECKey var ECPubKey = require('../src/eckey.js').ECPubKey @@ -124,30 +125,30 @@ describe('ECKey', function() { describe('signing', function() { var hpriv = 'ca48ec9783cf3ad0dfeff1fc254395a2e403cbbc666477b61b45e31d3b8ab458' var hcpub = '024b12d9d7c77db68388b6ff7c89046174c871546436806bcd80d07c28ea811992' - var message = new Buffer('Vires in numeris') + var hash = crypto.sha256('Vires in numeris') it('should verify against the private key', function() { var priv = ECKey.fromHex(hpriv) - var signature = priv.sign(message) + var signature = priv.sign(hash) - assert(priv.pub.verify(message, signature)) + assert(priv.pub.verify(hash, signature)) }) it('should verify against the public key', function() { var priv = ECKey.fromHex(hpriv) var pub = ECPubKey.fromHex(hcpub, true) - var signature = priv.sign(message) + var signature = priv.sign(hash) - assert(pub.verify(message, signature)) + assert(pub.verify(hash, signature)) }) it('should not verify against the wrong private key', function() { var priv1 = ECKey.fromHex(hpriv) var priv2 = ECKey.fromHex('1111111111111111111111111111111111111111111111111111111111111111') - var signature = priv1.sign(message) + var signature = priv1.sign(hash) - assert(!priv2.pub.verify(message, signature)) + assert(!priv2.pub.verify(hash, signature)) }) }) diff --git a/test/fixtures/ecdsa.js b/test/fixtures/ecdsa.js new file mode 100644 index 0000000..94e278a --- /dev/null +++ b/test/fixtures/ecdsa.js @@ -0,0 +1,51 @@ +// Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256 +module.exports = [ + { + "privateKey": "0000000000000000000000000000000000000000000000000000000000000001", + "k": "8f8a276c19f4149656b280621e358cce24f5f52542772691ee69063b74f15d15", + "message": "Satoshi Nakamoto", + "signature": "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d82442ce9d2b916064108014783e923ec36b49743e2ffa1c4496f01a512aafd9e5" + }, + { + "privateKey": "0000000000000000000000000000000000000000000000000000000000000001", + "k": "38aa22d72376b4dbc472e06c3ba403ee0a394da63fc58d88686c611aba98d6b3", + "message": "All those moments will be lost in time, like tears in rain. Time to die...", + "signature": "8600dbd41e348fe5c9465ab92d23e3db8b98b873beecd930736488696438cb6b547fe64427496db33bf66019dacbf0039c04199abb0122918601db38a72cfc21" + }, + { + "privateKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140", + "k": "33a19b60e25fb6f4435af53a3d42d493644827367e6453928554f43e49aa6f90", + "message": "Satoshi Nakamoto", + "signature": "fd567d121db66e382991534ada77a6bd3106f0a1098c231e47993447cd6af2d06b39cd0eb1bc8603e159ef5c20a5c8ad685a45b06ce9bebed3f153d10d93bed5" + }, + { + "privateKey": "f8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181", + "k": "525a82b70e67874398067543fd84c83d30c175fdc45fdeee082fe13b1d7cfdf1", + "message": "Alan Turing", + "signature": "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c58dfcc1e00a35e1572f366ffe34ba0fc47db1e7189759b9fb233c5b05ab388ea" + }, + { + "privateKey": "e91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2", + "k": "1f4b84c23a86a221d233f2521be018d9318639d5b8bbd6374a8a59232d16ad3d", + "message": "There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", + "signature": "b552edd27580141f3b2a5463048cb7cd3e047b97c9f98076c32dbdf85a68718b279fa72dd19bfae05577e06c7c0c1900c371fcd5893f7e1d56a37d30174671f6" + }, + { + "privateKey": "0000000000000000000000000000000000000000000000000000000000000001", + "k": "ec633bd56a5774a0940cb97e27a9e4e51dc94af737596a0c5cbb3d30332d92a5", + "message": "Everything should be made as simple as possible, but not simpler.", + "signature": "33a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c96f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262" + }, + { + "privateKey": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", + "k": "9dc74cbfd383980fb4ae5d2680acddac9dac956dca65a28c80ac9c847c2374e4", + "message": "Equations are more important to me, because politics is for the present, but an equation is something for eternity.", + "signature": "54c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed07082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5" + }, + { + "privateKey": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", + "k": "fd27071f01648ebbdd3e1cfbae48facc9fa97edc43bbbc9a7fdc28eae13296f5", + "message": "Not only is the Universe stranger than we think, it is stranger than we can think.", + "signature": "ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd06fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283" + } +]