Merge pull request #184 from dcousens/ecclean

ECDSA cleanup
2014-05-23 16:16:05 +00:00 · 2014-05-23 16:16:05 +00:00 · c6bc0ebdcb
commit c6bc0ebdcb
parent d9184ba6b8 087ca551f5
7 changed files with 278 additions and 310 deletions
--- a/src/ecdsa.js
+++ b/src/ecdsa.js
@ -1,317 +1,272 @@
 var assert = require('assert')
 var crypto = require('./crypto')
 var sec = require('./sec')
 var ecparams = sec("secp256k1")
 var BigInteger = require('bigi')
 var ECPointFp = require('./ec').ECPointFp
-function implShamirsTrick(P, k, Q, l) {
+function deterministicGenerateK(ecparams, hash, D) {
-  var m = Math.max(k.bitLength(), l.bitLength())
+  assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
-  var Z = P.add2D(Q)
+  assert.equal(hash.length, 32, 'Hash must be 256 bit')
-  var R = P.curve.getInfinity()
+  assert(D instanceof BigInteger, 'Private key must be a BigInteger')
-  for (var i = m - 1; i >= 0; --i) {
+  var x = D.toBuffer(32)
-    R = R.twice2D()
+  var k = new Buffer(32)
  var v = new Buffer(32)
  k.fill(0)
  v.fill(1)
-    R.z = BigInteger.ONE
+  k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
  v = crypto.HmacSHA256(v, k)
-    if (k.testBit(i)) {
+  k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
-      if (l.testBit(i)) {
+  v = crypto.HmacSHA256(v, k)
-        R = R.add2D(Z)
+  v = crypto.HmacSHA256(v, k)
      } else {
        R = R.add2D(P)
      }
    } else {
      if (l.testBit(i)) {
        R = R.add2D(Q)
      }
    }
  }
-  return R
+  var n = ecparams.getN()
  var kB = BigInteger.fromBuffer(v).mod(n)
  assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
  assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
  return kB
 }
-var ecdsa = {
+function sign(ecparams, hash, D) {
-  deterministicGenerateK: function(hash, D) {
+  var k = deterministicGenerateK(ecparams, hash, D)
    assert(Buffer.isBuffer(hash), 'Hash must be a Buffer')
    assert.equal(hash.length, 32, 'Hash must be 256 bit')
    assert(D instanceof BigInteger, 'Private key must be a BigInteger')
-    var x = D.toBuffer(32)
+  var n = ecparams.getN()
-    var k = new Buffer(32)
+  var G = ecparams.getG()
-    var v = new Buffer(32)
+  var Q = G.multiply(k)
-    k.fill(0)
+  var e = BigInteger.fromBuffer(hash)
    v.fill(1)
-    k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
+  var r = Q.getX().toBigInteger().mod(n)
-    v = crypto.HmacSHA256(v, k)
+  assert.notEqual(r.signum(), 0, 'Invalid R value')
-    k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
+  var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
-    v = crypto.HmacSHA256(v, k)
+  assert.notEqual(s.signum(), 0, 'Invalid S value')
    v = crypto.HmacSHA256(v, k)
-    var n = ecparams.getN()
+  var N_OVER_TWO = n.shiftRight(1)
    var kB = BigInteger.fromBuffer(v).mod(n)
    assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
    assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
-    return kB
+  // enforce low S values, see bip62: 'low s values in signatures'
-  },
+  if (s.compareTo(N_OVER_TWO) > 0) {
    s = n.subtract(s)
  }
-  sign: function (hash, D) {
+  return {r: r, s: s}
-    var k = ecdsa.deterministicGenerateK(hash, D)
+}
-    var n = ecparams.getN()
+function verify(ecparams, hash, r, s, Q) {
-    var G = ecparams.getG()
+  var e = BigInteger.fromBuffer(hash)
    var Q = G.multiply(k)
    var e = BigInteger.fromBuffer(hash)
-    var r = Q.getX().toBigInteger().mod(n)
+  return verifyRaw(ecparams, e, r, s, Q)
-    assert.notEqual(r.signum(), 0, 'Invalid R value')
+}
-    var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
+function verifyRaw(ecparams, e, r, s, Q) {
-    assert.notEqual(s.signum(), 0, 'Invalid S value')
+  var n = ecparams.getN()
  var G = ecparams.getG()
-    var N_OVER_TWO = n.shiftRight(1)
+  if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
    return false
  }
-    // enforce low S values, see bip62: 'low s values in signatures'
+  if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
-    if (s.compareTo(N_OVER_TWO) > 0) {
+    return false
-      s = n.subtract(s)
+  }
    }
-    return ecdsa.serializeSig(r, s)
+  var c = s.modInverse(n)
-  },
+  var u1 = e.multiply(c).mod(n)
  var u2 = r.multiply(c).mod(n)
-  verify: function (hash, sig, pubkey) {
+  var point = G.multiplyTwo(u1, Q, u2)
-    var r,s
+  var v = point.getX().toBigInteger().mod(n)
    if (Array.isArray(sig) || Buffer.isBuffer(sig)) {
      var obj = ecdsa.parseSig(sig)
      r = obj.r
      s = obj.s
    } else if ("object" === typeof sig && sig.r && sig.s) {
      r = sig.r
      s = sig.s
    } else {
      throw new Error("Invalid value for signature")
    }
-    var Q
+  return v.equals(r)
-    if (pubkey instanceof ECPointFp) {
+}
      Q = pubkey
    } else if (Array.isArray(pubkey) || Buffer.isBuffer(pubkey)) {
      Q = ECPointFp.decodeFrom(ecparams.getCurve(), pubkey)
    } else {
      throw new Error("Invalid format for pubkey value, must be byte array or ECPointFp")
    }
    var e = BigInteger.fromBuffer(hash)
-    return ecdsa.verifyRaw(e, r, s, Q)
+/**
-  },
+  * Serialize a signature into DER format.
  *
  * Takes two BigIntegers representing r and s and returns a byte array.
  */
 function serializeSig(r, s) {
  var rBa = r.toByteArraySigned()
  var sBa = s.toByteArraySigned()
-  verifyRaw: function (e, r, s, Q) {
+  var sequence = []
-    var n = ecparams.getN()
+  sequence.push(0x02); // INTEGER
-    var G = ecparams.getG()
+  sequence.push(rBa.length)
  sequence = sequence.concat(rBa)
-    if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
+  sequence.push(0x02); // INTEGER
-      return false
+  sequence.push(sBa.length)
-    }
+  sequence = sequence.concat(sBa)
-    if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
+  sequence.unshift(sequence.length)
-      return false
+  sequence.unshift(0x30); // SEQUENCE
    }
-    var c = s.modInverse(n)
+  return sequence
-    var u1 = e.multiply(c).mod(n)
+}
    var u2 = r.multiply(c).mod(n)
-    // TODO(!!!): For some reason Shamir's trick isn't working with
+/**
-    // signed message verification!? Probably an implementation
+  * Parses a buffer containing a DER-encoded signature.
-    // error!
+  *
-    //var point = implShamirsTrick(G, u1, Q, u2)
+  * This function will return an object of the form:
-    var point = G.multiply(u1).add(Q.multiply(u2))
+  *
  * {
  *   r: BigInteger,
  *   s: BigInteger
  * }
  */
 function parseSig(buffer) {
  assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
  assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
-    var v = point.getX().toBigInteger().mod(n)
+  assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
  var rLen = buffer.readUInt8(3)
  var rB = buffer.slice(4, 4 + rLen)
-    return v.equals(r)
+  var offset = 4 + rLen
-  },
+  assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
  var sLen = buffer.readUInt8(1 + offset)
  var sB = buffer.slice(2 + offset)
-  /**
+  return {
-   * Serialize a signature into DER format.
+    r: BigInteger.fromByteArraySigned(rB),
-   *
+    s: BigInteger.fromByteArraySigned(sB)
   * Takes two BigIntegers representing r and s and returns a byte array.
   */
  serializeSig: function (r, s) {
    var rBa = r.toByteArraySigned()
    var sBa = s.toByteArraySigned()
    var sequence = []
    sequence.push(0x02); // INTEGER
    sequence.push(rBa.length)
    sequence = sequence.concat(rBa)
    sequence.push(0x02); // INTEGER
    sequence.push(sBa.length)
    sequence = sequence.concat(sBa)
    sequence.unshift(sequence.length)
    sequence.unshift(0x30); // SEQUENCE
    return sequence
  },
  /**
   * Parses a buffer containing a DER-encoded signature.
   *
   * This function will return an object of the form:
   *
   * {
   *   r: BigInteger,
   *   s: BigInteger
   * }
   */
  parseSig: function (buffer) {
    if (Array.isArray(buffer)) buffer = new Buffer(buffer) // FIXME: transitionary
    assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
    assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
    assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
    var rLen = buffer.readUInt8(3)
    var rB = buffer.slice(4, 4 + rLen)
    var offset = 4 + rLen
    assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
    var sLen = buffer.readUInt8(1 + offset)
    var sB = buffer.slice(2 + offset)
    return {
      r: BigInteger.fromByteArraySigned(rB),
      s: BigInteger.fromByteArraySigned(sB)
    }
  },
  serializeSigCompact: function(r, s, i, compressed) {
    if (compressed) {
      i += 4
    }
    i += 27
    var buffer = new Buffer(65)
    buffer.writeUInt8(i, 0)
    r.toBuffer(32).copy(buffer, 1)
    s.toBuffer(32).copy(buffer, 33)
    return buffer
  },
  parseSigCompact: function (buffer) {
    assert.equal(buffer.length, 65, 'Invalid signature length')
    var i = buffer.readUInt8(0) - 27
    // At most 3 bits
    assert.equal(i, i & 7, 'Invalid signature type')
    var compressed = !!(i & 4)
    // Recovery param only
    i = i & 3
    var r = BigInteger.fromBuffer(buffer.slice(1, 33))
    var s = BigInteger.fromBuffer(buffer.slice(33))
    return {
      r: r,
      s: s,
      i: i,
      compressed: compressed
    }
  },
  /**
   * Recover a public key from a signature.
   *
   * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
   * Key Recovery Operation".
   *
   * http://www.secg.org/download/aid-780/sec1-v2.pdf
   */
  recoverPubKey: function (r, s, hash, i) {
    assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
    // A set LSB signifies that the y-coordinate is odd
    // By reduction, the y-coordinate is even if it is clear
    var isYEven = !(i & 1)
    // The more significant bit specifies whether we should use the
    // first or second candidate key.
    var isSecondKey = i >> 1
    var n = ecparams.getN()
    var G = ecparams.getG()
    var curve = ecparams.getCurve()
    var p = curve.getQ()
    var a = curve.getA().toBigInteger()
    var b = curve.getB().toBigInteger()
    // We precalculate (p + 1) / 4 where p is the field order
    if (!curve.P_OVER_FOUR) {
      curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
    }
    // 1.1 Compute x
    var x = isSecondKey ? r.add(n) : r
    // 1.3 Convert x to point
    var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
    var beta = alpha.modPow(curve.P_OVER_FOUR, p)
    // If beta is even, but y isn't, or vice versa, then convert it,
    // otherwise we're done and y == beta.
    var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
    // 1.4 Check that nR isn't at infinity
    var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
    R.validate()
    // 1.5 Compute e from M
    var e = BigInteger.fromBuffer(hash)
    var eNeg = BigInteger.ZERO.subtract(e).mod(n)
    // 1.6 Compute Q = r^-1 (sR - eG)
    var rInv = r.modInverse(n)
    var Q = implShamirsTrick(R, s, G, eNeg).multiply(rInv)
    Q.validate()
    if (!ecdsa.verifyRaw(e, r, s, Q)) {
      throw new Error("Pubkey recovery unsuccessful")
    }
    return Q
  },
  /**
   * Calculate pubkey extraction parameter.
   *
   * When extracting a pubkey from a signature, we have to
   * distinguish four different cases. Rather than putting this
   * burden on the verifier, Bitcoin includes a 2-bit value with the
   * signature.
   *
   * This function simply tries all four cases and returns the value
   * that resulted in a successful pubkey recovery.
   */
  calcPubKeyRecoveryParam: function (origPubKey, r, s, hash) {
    for (var i = 0; i < 4; i++) {
      var pubKey = ecdsa.recoverPubKey(r, s, hash, i)
      if (pubKey.equals(origPubKey)) {
        return i
      }
    }
    throw new Error("Unable to find valid recovery factor")
  }
 }
-module.exports = ecdsa
+function serializeSigCompact(r, s, i, compressed) {
  if (compressed) {
    i += 4
  }
  i += 27
  var buffer = new Buffer(65)
  buffer.writeUInt8(i, 0)
  r.toBuffer(32).copy(buffer, 1)
  s.toBuffer(32).copy(buffer, 33)
  return buffer
 }
 function parseSigCompact(buffer) {
  assert.equal(buffer.length, 65, 'Invalid signature length')
  var i = buffer.readUInt8(0) - 27
  // At most 3 bits
  assert.equal(i, i & 7, 'Invalid signature type')
  var compressed = !!(i & 4)
  // Recovery param only
  i = i & 3
  var r = BigInteger.fromBuffer(buffer.slice(1, 33))
  var s = BigInteger.fromBuffer(buffer.slice(33))
  return {
    r: r,
    s: s,
    i: i,
    compressed: compressed
  }
 }
 /**
  * Recover a public key from a signature.
  *
  * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
  * Key Recovery Operation".
  *
  * http://www.secg.org/download/aid-780/sec1-v2.pdf
  */
 function recoverPubKey(ecparams, e, r, s, i) {
  assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
  // A set LSB signifies that the y-coordinate is odd
  // By reduction, the y-coordinate is even if it is clear
  var isYEven = !(i & 1)
  // The more significant bit specifies whether we should use the
  // first or second candidate key.
  var isSecondKey = i >> 1
  var n = ecparams.getN()
  var G = ecparams.getG()
  var curve = ecparams.getCurve()
  var p = curve.getQ()
  var a = curve.getA().toBigInteger()
  var b = curve.getB().toBigInteger()
  // We precalculate (p + 1) / 4 where p is the field order
  if (!curve.P_OVER_FOUR) {
    curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
  }
  // 1.1 Compute x
  var x = isSecondKey ? r.add(n) : r
  // 1.3 Convert x to point
  var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
  var beta = alpha.modPow(curve.P_OVER_FOUR, p)
  // If beta is even, but y isn't, or vice versa, then convert it,
  // otherwise we're done and y == beta.
  var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
  // 1.4 Check that nR isn't at infinity
  var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
  R.validate()
  // 1.5 Compute -e from e
  var eNeg = e.negate().mod(n)
  // 1.6 Compute Q = r^-1 (sR -  eG)
  //             Q = r^-1 (sR + -eG)
  var rInv = r.modInverse(n)
  var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
  Q.validate()
  if (!verifyRaw(ecparams, e, r, s, Q)) {
    throw new Error("Pubkey recovery unsuccessful")
  }
  return Q
 }
 /**
  * Calculate pubkey extraction parameter.
  *
  * When extracting a pubkey from a signature, we have to
  * distinguish four different cases. Rather than putting this
  * burden on the verifier, Bitcoin includes a 2-bit value with the
  * signature.
  *
  * This function simply tries all four cases and returns the value
  * that resulted in a successful pubkey recovery.
  */
 function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
  for (var i = 0; i < 4; i++) {
    var Qprime = recoverPubKey(ecparams, e, r, s, i)
    if (Qprime.equals(Q)) {
      return i
    }
  }
  throw new Error('Unable to find valid recovery factor')
 }
 module.exports = {
 calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
 deterministicGenerateK: deterministicGenerateK,
 recoverPubKey: recoverPubKey,
 sign: sign,
 verify: verify,
 verifyRaw: verifyRaw,
 serializeSig: serializeSig,
 parseSig: parseSig,
 serializeSigCompact: serializeSigCompact,
 parseSigCompact: parseSigCompact
 }
--- a/src/eckey.js
+++ b/src/eckey.js
@ -63,7 +63,7 @@ ECKey.prototype.toWIF = function(version) {
 // Operations
 ECKey.prototype.sign = function(hash) {
-  return ecdsa.sign(hash, this.D)
+  return ecdsa.sign(ecparams, hash, this.D)
 }
 module.exports = ECKey
--- a/src/ecpubkey.js
+++ b/src/ecpubkey.js
@ -36,8 +36,8 @@ ECPubKey.prototype.getAddress = function(version) {
  return new Address(crypto.hash160(this.toBuffer()), version)
 }
-ECPubKey.prototype.verify = function(hash, sig) {
+ECPubKey.prototype.verify = function(hash, signature) {
-  return ecdsa.verify(hash, sig, this.Q)
+  return ecdsa.verify(ecparams, hash, signature.r, signature.s, this.Q)
 }
 // Export functions
--- a/src/message.js
+++ b/src/message.js
@ -1,5 +1,6 @@
 /// Implements Bitcoin's feature for signing arbitrary messages.
 var Address = require('./address')
 var BigInteger = require('bigi')
 var bufferutils = require('./bufferutils')
 var crypto = require('./crypto')
 var ecdsa = require('./ecdsa')
@ -8,6 +9,9 @@ var networks = require('./networks')
 var Address = require('./address')
 var ECPubKey = require('./ecpubkey')
 var sec = require('./sec')
 var ecparams = sec('secp256k1')
 function magicHash(message, network) {
  var magicPrefix = new Buffer(network.magicPrefix)
  var messageBuffer = new Buffer(message)
@ -24,8 +28,9 @@ function sign(key, message, network) {
  network = network || networks.bitcoin
  var hash = magicHash(message, network)
-  var sig = ecdsa.parseSig(key.sign(hash))
+  var sig = key.sign(hash)
-  var i = ecdsa.calcPubKeyRecoveryParam(key.pub.Q, sig.r, sig.s, hash)
+  var e = BigInteger.fromBuffer(hash)
  var i = ecdsa.calcPubKeyRecoveryParam(ecparams, e, sig.r, sig.s, key.pub.Q)
  return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed)
 }
@ -40,7 +45,8 @@ function verify(address, compactSig, message, network) {
  var hash = magicHash(message, network)
  var sig = ecdsa.parseSigCompact(compactSig)
-  var Q = ecdsa.recoverPubKey(sig.r, sig.s, hash, sig.i)
+  var e = BigInteger.fromBuffer(hash)
  var Q = ecdsa.recoverPubKey(ecparams, e, sig.r, sig.s, sig.i)
  var pubKey = new ECPubKey(Q, sig.compressed)
  return pubKey.getAddress(address.version).toString() === address.toString()
--- a/src/transaction.js
+++ b/src/transaction.js
@ -364,27 +364,35 @@ Transaction.prototype.sign = function(index, key, type) {
  this.setScriptSig(index, scriptSig)
 }
-Transaction.prototype.signScriptSig = function(index, script, key, type) {
+Transaction.prototype.signScriptSig = function(index, scriptPubKey, key, type) {
  type = type || SIGHASH_ALL
  assert((index >= 0), 'Invalid vin index')
-  assert(script instanceof Script, 'Invalid Script object')
+  assert(scriptPubKey instanceof Script, 'Invalid Script object')
  assert(key instanceof ECKey, 'Invalid private key')
 //  assert.equal(type & 0x7F, type, 'Invalid type') // TODO
-  var hash = this.hashForSignature(script, index, type)
+  var hash = this.hashForSignature(scriptPubKey, index, type)
-  return key.sign(hash).concat([type])
+  var sig = key.sign(hash)
  var DERsig = ecdsa.serializeSig(sig.r, sig.s)
  return Buffer.concat([
    new Buffer(DERsig),
    new Buffer([type])
  ])
 }
 Transaction.prototype.setScriptSig = function(index, script) {
  this.ins[index].script = script
 }
-Transaction.prototype.validateSig = function(index, script, pub, sig) {
+Transaction.prototype.validateSig = function(index, script, pub, DERsig) {
-  var type = sig[sig.length - 1]
+  var type = DERsig.readUInt8(DERsig.length - 1)
-  var hash = this.hashForSignature(script, index, type)
+  DERsig = DERsig.slice(0, -1)
  var hash = this.hashForSignature(script, index, type)
  var sig = ecdsa.parseSig(DERsig)
  sig = sig.slice(0, -1)
  return pub.verify(hash, sig)
 }
--- a/test/ecdsa.js
+++ b/test/ecdsa.js
@ -17,10 +17,10 @@ describe('ecdsa', function() {
  describe('deterministicGenerateK', function() {
    it('matches the test vectors', function() {
      fixtures.valid.forEach(function(f) {
-        var priv = BigInteger.fromHex(f.D)
+        var D = BigInteger.fromHex(f.D)
        var h1 = crypto.sha256(f.message)
-        var k = ecdsa.deterministicGenerateK(h1, priv)
+        var k = ecdsa.deterministicGenerateK(ecparams, h1, D)
        assert.equal(k.toHex(), f.k)
      })
    })
@ -28,14 +28,16 @@ describe('ecdsa', function() {
  describe('recoverPubKey', function() {
    it('succesfully recovers a public key', function() {
-      var signature = new Buffer('H0PG6+PUo96UPTJ/DVj8aBU5it+Nuli4YdsLuTMvfJxoHH9Jb7jYTQXCCOX2jrTChD5S1ic3vCrUQHdmB5/sEQY=', 'base64')
+      var D = BigInteger.ONE
      var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')
-      var obj = ecdsa.parseSigCompact(signature)
+      var Q = ecparams.getG().multiply(D)
      var hash = message.magicHash('1111', networks.bitcoin)
      var e = BigInteger.fromBuffer(hash)
      var psig = ecdsa.parseSigCompact(signature)
-      var pubKey = new ECPubKey(ecdsa.recoverPubKey(obj.r, obj.s, hash, obj.i))
+      var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i)
-
+      assert(Q.equals(Qprime))
      assert.equal(pubKey.toHex(), '02e8fcf4d749b35879bc1f3b14b49e67ab7301da3558c5a9b74a54f1e6339c334c')
    })
  })
@ -43,9 +45,8 @@ describe('ecdsa', function() {
    it('matches the test vectors', function() {
      fixtures.valid.forEach(function(f) {
        var D = BigInteger.fromHex(f.D)
        var priv = new ECKey(D)
        var hash = crypto.sha256(f.message)
-        var sig = ecdsa.parseSig(priv.sign(hash))
+        var sig = ecdsa.sign(ecparams, hash, D)
        assert.equal(sig.r.toString(), f.signature.r)
        assert.equal(sig.s.toString(), f.signature.s)
@ -53,14 +54,12 @@ describe('ecdsa', function() {
    })
    it('should sign with low S value', function() {
      var priv = ECKey.makeRandom()
      var hash = crypto.sha256('Vires in numeris')
-      var signature = priv.sign(hash)
+      var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE)
      var psig = ecdsa.parseSig(signature)
      // See BIP62 for more information
      var N_OVER_TWO = ecparams.getN().shiftRight(1)
-      assert(psig.s.compareTo(N_OVER_TWO) <= 0)
+      assert(sig.s.compareTo(N_OVER_TWO) <= 0)
    })
  })
@ -68,13 +67,13 @@ describe('ecdsa', function() {
    it('matches the test vectors', function() {
      fixtures.valid.forEach(function(f) {
        var D = BigInteger.fromHex(f.D)
-        var priv = new ECKey(D)
+        var Q = ecparams.getG().multiply(D)
        var r = new BigInteger(f.signature.r)
        var s = new BigInteger(f.signature.s)
        var e = BigInteger.fromBuffer(crypto.sha256(f.message))
-        assert(ecdsa.verifyRaw(e, r, s, priv.pub.Q))
+        assert(ecdsa.verifyRaw(ecparams, e, r, s, Q))
      })
    })
  })
--- a/test/transaction.js
+++ b/test/transaction.js
@ -197,7 +197,7 @@ describe('Transaction', function() {
        tx.sign(0, key)
        var script = prevTx.outs[0].script
-        var sig = tx.ins[0].script.chunks[0]
+        var sig = new Buffer(tx.ins[0].script.chunks[0])
        assert.equal(tx.validateSig(0, script, key.pub, sig), true)
      })
@ -213,7 +213,7 @@ describe('Transaction', function() {
      it('returns true for valid signature', function(){
        var key = ECKey.fromWIF('L44f7zxJ5Zw4EK9HZtyAnzCYz2vcZ5wiJf9AuwhJakiV4xVkxBeb')
        var script = prevTx.outs[0].script
-        var sig = validTx.ins[0].script.chunks[0]
+        var sig = new Buffer(validTx.ins[0].script.chunks[0])
        assert.equal(validTx.validateSig(0, script, key.pub, sig), true)
      })