LBRYCommunity/bitcoinjs-lib
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

ec/dsa: recovery param now used consistently

Browse source 
Also added an assertion rather than massaging the input.
This commit is contained in:
Daniel Cousens 2014-05-22 12:28:14 +10:00
parent 24371425f9
commit d14b08efd1
2 changed files with 10 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/ec.js
View file

@ -339,7 +339,7 @@ ECPointFp.decodeFrom = function (curve, buffer) {
assert.equal(buffer.length, 33, 'Invalid sequence length')
assert(type === 0x02 || type === 0x03, 'Invalid sequence tag')
var isYEven = type === 0x03
var isYEven = (type === 0x02)
var p = curve.getQ()
// We precalculate (p + 1) / 4 where p is the field order
@ -349,7 +349,9 @@ ECPointFp.decodeFrom = function (curve, buffer) {
var alpha = x.square().multiply(x).add(SEVEN).mod(p)
var beta = alpha.modPow(P_OVER_FOUR, p)
y = (beta.isEven() ? !isYEven : isYEven) ? beta : p.subtract(beta)
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
} else {
assert.equal(buffer.length, 65, 'Invalid sequence length')

14
src/ecdsa.js
View file

@ -240,12 +240,11 @@ var ecdsa = {
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
recoverPubKey: function (r, s, hash, i) {
// The recovery parameter i has two bits.
i = i & 3
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// The less significant bit specifies whether the y coordinate
// of the compressed point is even or not.
var isYEven = i & 1
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
@ -270,10 +269,9 @@ var ecdsa = {
var alpha = x.multiply(x).multiply(x).add(a.multiply(x)).add(b).mod(p)
var beta = alpha.modPow(P_OVER_FOUR, p)
// var xorOdd = beta.isEven() ? (i % 2) : ((i+1) % 2)
// If beta is even, but y isn't or vice versa, then convert it,
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
var y = (beta.isEven() ? !isYEven : isYEven) ? beta : p.subtract(beta)
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
// 1.4 Check that nR is at infinity
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))