LBRYCommunity/bitcoinjs-lib
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #184 from dcousens/ecclean

Browse source 
ECDSA cleanup
This commit is contained in:
Wei Lu 2014-05-23 16:16:05 +00:00
commit c6bc0ebdcb
7 changed files with 278 additions and 310 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

143
src/ecdsa.js
View file

@ -1,40 +1,11 @@
var assert = require('assert') var assert = require('assert')
var crypto = require('./crypto') var crypto = require('./crypto')
var sec = require('./sec')
var ecparams = sec("secp256k1")
var BigInteger = require('bigi') var BigInteger = require('bigi')
var ECPointFp = require('./ec').ECPointFp var ECPointFp = require('./ec').ECPointFp
function implShamirsTrick(P, k, Q, l) { function deterministicGenerateK(ecparams, hash, D) {
var m = Math.max(k.bitLength(), l.bitLength()) assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
var Z = P.add2D(Q)
var R = P.curve.getInfinity()
for (var i = m - 1; i >= 0; --i) {
R = R.twice2D()
R.z = BigInteger.ONE
if (k.testBit(i)) {
if (l.testBit(i)) {
R = R.add2D(Z)
} else {
R = R.add2D(P)
}
} else {
if (l.testBit(i)) {
R = R.add2D(Q)
}
}
}
return R
}
var ecdsa = {
deterministicGenerateK: function(hash, D) {
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer')
assert.equal(hash.length, 32, 'Hash must be 256 bit') assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(D instanceof BigInteger, 'Private key must be a BigInteger') assert(D instanceof BigInteger, 'Private key must be a BigInteger')
@ -57,10 +28,10 @@ var ecdsa = {
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
return kB return kB
}, }
sign: function (hash, D) { function sign(ecparams, hash, D) {
var k = ecdsa.deterministicGenerateK(hash, D) var k = deterministicGenerateK(ecparams, hash, D)
var n = ecparams.getN() var n = ecparams.getN()
var G = ecparams.getG() var G = ecparams.getG()
@ -80,36 +51,16 @@ var ecdsa = {
s = n.subtract(s) s = n.subtract(s)
} }
return ecdsa.serializeSig(r, s) return {r: r, s: s}
}, }
verify: function (hash, sig, pubkey) { function verify(ecparams, hash, r, s, Q) {
var r,s
if (Array.isArray(sig) || Buffer.isBuffer(sig)) {
var obj = ecdsa.parseSig(sig)
r = obj.r
s = obj.s
} else if ("object" === typeof sig && sig.r && sig.s) {
r = sig.r
s = sig.s
} else {
throw new Error("Invalid value for signature")
}
var Q
if (pubkey instanceof ECPointFp) {
Q = pubkey
} else if (Array.isArray(pubkey) || Buffer.isBuffer(pubkey)) {
Q = ECPointFp.decodeFrom(ecparams.getCurve(), pubkey)
} else {
throw new Error("Invalid format for pubkey value, must be byte array or ECPointFp")
}
var e = BigInteger.fromBuffer(hash) var e = BigInteger.fromBuffer(hash)
return ecdsa.verifyRaw(e, r, s, Q) return verifyRaw(ecparams, e, r, s, Q)
}, }
verifyRaw: function (e, r, s, Q) { function verifyRaw(ecparams, e, r, s, Q) {
var n = ecparams.getN() var n = ecparams.getN()
var G = ecparams.getG() var G = ecparams.getG()
@ -125,23 +76,18 @@ var ecdsa = {
var u1 = e.multiply(c).mod(n) var u1 = e.multiply(c).mod(n)
var u2 = r.multiply(c).mod(n) var u2 = r.multiply(c).mod(n)
// TODO(!!!): For some reason Shamir's trick isn't working with var point = G.multiplyTwo(u1, Q, u2)
// signed message verification!? Probably an implementation
// error!
//var point = implShamirsTrick(G, u1, Q, u2)
var point = G.multiply(u1).add(Q.multiply(u2))
var v = point.getX().toBigInteger().mod(n) var v = point.getX().toBigInteger().mod(n)
return v.equals(r) return v.equals(r)
}, }
/** /**
* Serialize a signature into DER format. * Serialize a signature into DER format.
* *
* Takes two BigIntegers representing r and s and returns a byte array. * Takes two BigIntegers representing r and s and returns a byte array.
*/ */
serializeSig: function (r, s) { function serializeSig(r, s) {
var rBa = r.toByteArraySigned() var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned() var sBa = s.toByteArraySigned()
@ -158,9 +104,9 @@ var ecdsa = {
sequence.unshift(0x30); // SEQUENCE sequence.unshift(0x30); // SEQUENCE
return sequence return sequence
}, }
/** /**
* Parses a buffer containing a DER-encoded signature. * Parses a buffer containing a DER-encoded signature.
* *
* This function will return an object of the form: * This function will return an object of the form:
@ -170,9 +116,7 @@ var ecdsa = {
* s: BigInteger * s: BigInteger
* } * }
*/ */
parseSig: function (buffer) { function parseSig(buffer) {
if (Array.isArray(buffer)) buffer = new Buffer(buffer) // FIXME: transitionary
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
@ -189,9 +133,9 @@ var ecdsa = {
r: BigInteger.fromByteArraySigned(rB), r: BigInteger.fromByteArraySigned(rB),
s: BigInteger.fromByteArraySigned(sB) s: BigInteger.fromByteArraySigned(sB)
} }
}, }
serializeSigCompact: function(r, s, i, compressed) { function serializeSigCompact(r, s, i, compressed) {
if (compressed) { if (compressed) {
i += 4 i += 4
} }
@ -204,9 +148,9 @@ var ecdsa = {
s.toBuffer(32).copy(buffer, 33) s.toBuffer(32).copy(buffer, 33)
return buffer return buffer
}, }
parseSigCompact: function (buffer) { function parseSigCompact(buffer) {
assert.equal(buffer.length, 65, 'Invalid signature length') assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27 var i = buffer.readUInt8(0) - 27
@ -226,9 +170,9 @@ var ecdsa = {
i: i, i: i,
compressed: compressed compressed: compressed
} }
}, }
/** /**
* Recover a public key from a signature. * Recover a public key from a signature.
* *
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
@ -236,7 +180,7 @@ var ecdsa = {
* *
* http://www.secg.org/download/aid-780/sec1-v2.pdf * http://www.secg.org/download/aid-780/sec1-v2.pdf
*/ */
recoverPubKey: function (r, s, hash, i) { function recoverPubKey(ecparams, e, r, s, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd // A set LSB signifies that the y-coordinate is odd
@ -274,23 +218,24 @@ var ecdsa = {
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
R.validate() R.validate()
// 1.5 Compute e from M // 1.5 Compute -e from e
var e = BigInteger.fromBuffer(hash) var eNeg = e.negate().mod(n)
var eNeg = BigInteger.ZERO.subtract(e).mod(n)
// 1.6 Compute Q = r^-1 (sR - eG) // 1.6 Compute Q = r^-1 (sR - eG)
// Q = r^-1 (sR + -eG)
var rInv = r.modInverse(n) var rInv = r.modInverse(n)
var Q = implShamirsTrick(R, s, G, eNeg).multiply(rInv)
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
Q.validate() Q.validate()
if (!ecdsa.verifyRaw(e, r, s, Q)) {
if (!verifyRaw(ecparams, e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful") throw new Error("Pubkey recovery unsuccessful")
} }
return Q return Q
}, }
/** /**
* Calculate pubkey extraction parameter. * Calculate pubkey extraction parameter.
* *
* When extracting a pubkey from a signature, we have to * When extracting a pubkey from a signature, we have to
@ -301,17 +246,27 @@ var ecdsa = {
* This function simply tries all four cases and returns the value * This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery. * that resulted in a successful pubkey recovery.
*/ */
calcPubKeyRecoveryParam: function (origPubKey, r, s, hash) { function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) { for (var i = 0; i < 4; i++) {
var pubKey = ecdsa.recoverPubKey(r, s, hash, i) var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (pubKey.equals(origPubKey)) { if (Qprime.equals(Q)) {
return i return i
} }
} }
throw new Error("Unable to find valid recovery factor") throw new Error('Unable to find valid recovery factor')
}
} }
module.exports = ecdsa module.exports = {
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK,
recoverPubKey: recoverPubKey,
sign: sign,
verify: verify,
verifyRaw: verifyRaw,
serializeSig: serializeSig,
parseSig: parseSig,
serializeSigCompact: serializeSigCompact,
parseSigCompact: parseSigCompact
}

2
src/eckey.js
View file

@ -63,7 +63,7 @@ ECKey.prototype.toWIF = function(version) {
// Operations // Operations
ECKey.prototype.sign = function(hash) { ECKey.prototype.sign = function(hash) {
return ecdsa.sign(hash, this.D) return ecdsa.sign(ecparams, hash, this.D)
} }
module.exports = ECKey module.exports = ECKey

4
src/ecpubkey.js
View file

@ -36,8 +36,8 @@ ECPubKey.prototype.getAddress = function(version) {
return new Address(crypto.hash160(this.toBuffer()), version) return new Address(crypto.hash160(this.toBuffer()), version)
} }
ECPubKey.prototype.verify = function(hash, sig) { ECPubKey.prototype.verify = function(hash, signature) {
return ecdsa.verify(hash, sig, this.Q) return ecdsa.verify(ecparams, hash, signature.r, signature.s, this.Q)
} }
// Export functions // Export functions

12
src/message.js
View file

@ -1,5 +1,6 @@
/// Implements Bitcoin's feature for signing arbitrary messages. /// Implements Bitcoin's feature for signing arbitrary messages.
var Address = require('./address') var Address = require('./address')
var BigInteger = require('bigi')
var bufferutils = require('./bufferutils') var bufferutils = require('./bufferutils')
var crypto = require('./crypto') var crypto = require('./crypto')
var ecdsa = require('./ecdsa') var ecdsa = require('./ecdsa')
@ -8,6 +9,9 @@ var networks = require('./networks')
var Address = require('./address') var Address = require('./address')
var ECPubKey = require('./ecpubkey') var ECPubKey = require('./ecpubkey')
var sec = require('./sec')
var ecparams = sec('secp256k1')
function magicHash(message, network) { function magicHash(message, network) {
var magicPrefix = new Buffer(network.magicPrefix) var magicPrefix = new Buffer(network.magicPrefix)
var messageBuffer = new Buffer(message) var messageBuffer = new Buffer(message)
@ -24,8 +28,9 @@ function sign(key, message, network) {
network = network || networks.bitcoin network = network || networks.bitcoin
var hash = magicHash(message, network) var hash = magicHash(message, network)
var sig = ecdsa.parseSig(key.sign(hash)) var sig = key.sign(hash)
var i = ecdsa.calcPubKeyRecoveryParam(key.pub.Q, sig.r, sig.s, hash) var e = BigInteger.fromBuffer(hash)
var i = ecdsa.calcPubKeyRecoveryParam(ecparams, e, sig.r, sig.s, key.pub.Q)
return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed) return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed)
} }
@ -40,7 +45,8 @@ function verify(address, compactSig, message, network) {
var hash = magicHash(message, network) var hash = magicHash(message, network)
var sig = ecdsa.parseSigCompact(compactSig) var sig = ecdsa.parseSigCompact(compactSig)
var Q = ecdsa.recoverPubKey(sig.r, sig.s, hash, sig.i) var e = BigInteger.fromBuffer(hash)
var Q = ecdsa.recoverPubKey(ecparams, e, sig.r, sig.s, sig.i)
var pubKey = new ECPubKey(Q, sig.compressed) var pubKey = new ECPubKey(Q, sig.compressed)
return pubKey.getAddress(address.version).toString() === address.toString() return pubKey.getAddress(address.version).toString() === address.toString()

24
src/transaction.js
View file

@ -364,27 +364,35 @@ Transaction.prototype.sign = function(index, key, type) {
this.setScriptSig(index, scriptSig) this.setScriptSig(index, scriptSig)
} }
Transaction.prototype.signScriptSig = function(index, script, key, type) { Transaction.prototype.signScriptSig = function(index, scriptPubKey, key, type) {
type = type || SIGHASH_ALL type = type || SIGHASH_ALL
assert((index >= 0), 'Invalid vin index') assert((index >= 0), 'Invalid vin index')
assert(script instanceof Script, 'Invalid Script object') assert(scriptPubKey instanceof Script, 'Invalid Script object')
assert(key instanceof ECKey, 'Invalid private key') assert(key instanceof ECKey, 'Invalid private key')
// assert.equal(type & 0x7F, type, 'Invalid type') // TODO // assert.equal(type & 0x7F, type, 'Invalid type') // TODO
var hash = this.hashForSignature(script, index, type) var hash = this.hashForSignature(scriptPubKey, index, type)
return key.sign(hash).concat([type]) var sig = key.sign(hash)
var DERsig = ecdsa.serializeSig(sig.r, sig.s)
return Buffer.concat([
new Buffer(DERsig),
new Buffer([type])
])
} }
Transaction.prototype.setScriptSig = function(index, script) { Transaction.prototype.setScriptSig = function(index, script) {
this.ins[index].script = script this.ins[index].script = script
} }
Transaction.prototype.validateSig = function(index, script, pub, sig) { Transaction.prototype.validateSig = function(index, script, pub, DERsig) {
var type = sig[sig.length - 1] var type = DERsig.readUInt8(DERsig.length - 1)
var hash = this.hashForSignature(script, index, type) DERsig = DERsig.slice(0, -1)
var hash = this.hashForSignature(script, index, type)
var sig = ecdsa.parseSig(DERsig)
sig = sig.slice(0, -1)
return pub.verify(hash, sig) return pub.verify(hash, sig)
} }

29
test/ecdsa.js
View file

@ -17,10 +17,10 @@ describe('ecdsa', function() {
describe('deterministicGenerateK', function() { describe('deterministicGenerateK', function() {
it('matches the test vectors', function() { it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) { fixtures.valid.forEach(function(f) {
var priv = BigInteger.fromHex(f.D) var D = BigInteger.fromHex(f.D)
var h1 = crypto.sha256(f.message) var h1 = crypto.sha256(f.message)
var k = ecdsa.deterministicGenerateK(h1, priv) var k = ecdsa.deterministicGenerateK(ecparams, h1, D)
assert.equal(k.toHex(), f.k) assert.equal(k.toHex(), f.k)
}) })
}) })
@ -28,14 +28,16 @@ describe('ecdsa', function() {
describe('recoverPubKey', function() { describe('recoverPubKey', function() {
it('succesfully recovers a public key', function() { it('succesfully recovers a public key', function() {
var signature = new Buffer('H0PG6+PUo96UPTJ/DVj8aBU5it+Nuli4YdsLuTMvfJxoHH9Jb7jYTQXCCOX2jrTChD5S1ic3vCrUQHdmB5/sEQY=', 'base64') var D = BigInteger.ONE
var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')
var obj = ecdsa.parseSigCompact(signature) var Q = ecparams.getG().multiply(D)
var hash = message.magicHash('1111', networks.bitcoin) var hash = message.magicHash('1111', networks.bitcoin)
var e = BigInteger.fromBuffer(hash)
var psig = ecdsa.parseSigCompact(signature)
var pubKey = new ECPubKey(ecdsa.recoverPubKey(obj.r, obj.s, hash, obj.i)) var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i)
assert(Q.equals(Qprime))
assert.equal(pubKey.toHex(), '02e8fcf4d749b35879bc1f3b14b49e67ab7301da3558c5a9b74a54f1e6339c334c')
}) })
}) })
@ -43,9 +45,8 @@ describe('ecdsa', function() {
it('matches the test vectors', function() { it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) { fixtures.valid.forEach(function(f) {
var D = BigInteger.fromHex(f.D) var D = BigInteger.fromHex(f.D)
var priv = new ECKey(D)
var hash = crypto.sha256(f.message) var hash = crypto.sha256(f.message)
var sig = ecdsa.parseSig(priv.sign(hash)) var sig = ecdsa.sign(ecparams, hash, D)
assert.equal(sig.r.toString(), f.signature.r) assert.equal(sig.r.toString(), f.signature.r)
assert.equal(sig.s.toString(), f.signature.s) assert.equal(sig.s.toString(), f.signature.s)
@ -53,14 +54,12 @@ describe('ecdsa', function() {
}) })
it('should sign with low S value', function() { it('should sign with low S value', function() {
var priv = ECKey.makeRandom()
var hash = crypto.sha256('Vires in numeris') var hash = crypto.sha256('Vires in numeris')
var signature = priv.sign(hash) var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE)
var psig = ecdsa.parseSig(signature)
// See BIP62 for more information // See BIP62 for more information
var N_OVER_TWO = ecparams.getN().shiftRight(1) var N_OVER_TWO = ecparams.getN().shiftRight(1)
assert(psig.s.compareTo(N_OVER_TWO) <= 0) assert(sig.s.compareTo(N_OVER_TWO) <= 0)
}) })
}) })
@ -68,13 +67,13 @@ describe('ecdsa', function() {
it('matches the test vectors', function() { it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) { fixtures.valid.forEach(function(f) {
var D = BigInteger.fromHex(f.D) var D = BigInteger.fromHex(f.D)
var priv = new ECKey(D) var Q = ecparams.getG().multiply(D)
var r = new BigInteger(f.signature.r) var r = new BigInteger(f.signature.r)
var s = new BigInteger(f.signature.s) var s = new BigInteger(f.signature.s)
var e = BigInteger.fromBuffer(crypto.sha256(f.message)) var e = BigInteger.fromBuffer(crypto.sha256(f.message))
assert(ecdsa.verifyRaw(e, r, s, priv.pub.Q)) assert(ecdsa.verifyRaw(ecparams, e, r, s, Q))
}) })
}) })
}) })

4
test/transaction.js
View file

@ -197,7 +197,7 @@ describe('Transaction', function() {
tx.sign(0, key) tx.sign(0, key)
var script = prevTx.outs[0].script var script = prevTx.outs[0].script
var sig = tx.ins[0].script.chunks[0] var sig = new Buffer(tx.ins[0].script.chunks[0])
assert.equal(tx.validateSig(0, script, key.pub, sig), true) assert.equal(tx.validateSig(0, script, key.pub, sig), true)
}) })
@ -213,7 +213,7 @@ describe('Transaction', function() {
it('returns true for valid signature', function(){ it('returns true for valid signature', function(){
var key = ECKey.fromWIF('L44f7zxJ5Zw4EK9HZtyAnzCYz2vcZ5wiJf9AuwhJakiV4xVkxBeb') var key = ECKey.fromWIF('L44f7zxJ5Zw4EK9HZtyAnzCYz2vcZ5wiJf9AuwhJakiV4xVkxBeb')
var script = prevTx.outs[0].script var script = prevTx.outs[0].script
var sig = validTx.ins[0].script.chunks[0] var sig = new Buffer(validTx.ins[0].script.chunks[0])
assert.equal(validTx.validateSig(0, script, key.pub, sig), true) assert.equal(validTx.validateSig(0, script, key.pub, sig), true)
}) })