var createHmac = require('create-hmac') var typeforce = require('typeforce') var types = require('./types') var BigInteger = require('bigi') var ECSignature = require('./ecsignature') var ZERO = new Buffer([0]) var ONE = new Buffer([1]) var ecurve = require('ecurve') var secp256k1 = ecurve.getCurveByName('secp256k1') // https://tools.ietf.org/html/rfc6979#section-3.2 function deterministicGenerateK (hash, x, checkSig) { typeforce(types.tuple( types.Hash256bit, types.Buffer256bit, types.Function ), arguments) var k = new Buffer(32) var v = new Buffer(32) // Step A, ignored as hash already provided // Step B v.fill(1) // Step C k.fill(0) // Step D k = createHmac('sha256', k) .update(v) .update(ZERO) .update(x) .update(hash) .digest() // Step E v = createHmac('sha256', k).update(v).digest() // Step F k = createHmac('sha256', k) .update(v) .update(ONE) .update(x) .update(hash) .digest() // Step G v = createHmac('sha256', k).update(v).digest() // Step H1/H2a, ignored as tlen === qlen (256 bit) // Step H2b v = createHmac('sha256', k).update(v).digest() var T = BigInteger.fromBuffer(v) // Step H3, repeat until T is within the interval [1, n - 1] and is suitable for ECDSA while (T.signum() <= 0 || T.compareTo(secp256k1.n) >= 0 || !checkSig(T)) { k = createHmac('sha256', k) .update(v) .update(ZERO) .digest() v = createHmac('sha256', k).update(v).digest() // Step H1/H2a, again, ignored as tlen === qlen (256 bit) // Step H2b again v = createHmac('sha256', k).update(v).digest() T = BigInteger.fromBuffer(v) } return T } var N_OVER_TWO = secp256k1.n.shiftRight(1) function sign (hash, d) { typeforce(types.tuple(types.Hash256bit, types.BigInt), arguments) var x = d.toBuffer(32) var e = BigInteger.fromBuffer(hash) var n = secp256k1.n var G = secp256k1.G var r, s deterministicGenerateK(hash, x, function (k) { var Q = G.multiply(k) if (secp256k1.isInfinity(Q)) return false r = Q.affineX.mod(n) if (r.signum() === 0) return false s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n) if (s.signum() === 0) return false return true }) // enforce low S values, see bip62: 'low s values in signatures' if (s.compareTo(N_OVER_TWO) > 0) { s = n.subtract(s) } return new ECSignature(r, s) } function verify (hash, signature, Q) { typeforce(types.tuple( types.Hash256bit, types.ECSignature, types.ECPoint ), arguments) var n = secp256k1.n var G = secp256k1.G var r = signature.r var s = signature.s // 1.4.1 Enforce r and s are both integers in the interval [1, n − 1] if (r.signum() <= 0 || r.compareTo(n) >= 0) return false if (s.signum() <= 0 || s.compareTo(n) >= 0) return false // 1.4.2 H = Hash(M), already done by the user // 1.4.3 e = H var e = BigInteger.fromBuffer(hash) // Compute s^-1 var sInv = s.modInverse(n) // 1.4.4 Compute u1 = es^−1 mod n // u2 = rs^−1 mod n var u1 = e.multiply(sInv).mod(n) var u2 = r.multiply(sInv).mod(n) // 1.4.5 Compute R = (xR, yR) // R = u1G + u2Q var R = G.multiplyTwo(u1, Q, u2) // 1.4.5 (cont.) Enforce R is not at infinity if (secp256k1.isInfinity(R)) return false // 1.4.6 Convert the field element R.x to an integer var xR = R.affineX // 1.4.7 Set v = xR mod n var v = xR.mod(n) // 1.4.8 If v = r, output "valid", and if v != r, output "invalid" return v.equals(r) } /** * Recover a public key from a signature. * * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public * Key Recovery Operation". * * http://www.secg.org/download/aid-780/sec1-v2.pdf */ function recoverPubKey (e, signature, i) { typeforce(types.tuple( types.BigInt, types.ECSignature, types.UInt2 ), arguments) var n = secp256k1.n var G = secp256k1.G var r = signature.r var s = signature.s if (r.signum() <= 0 || r.compareTo(n) >= 0) throw new Error('Invalid r value') if (s.signum() <= 0 || s.compareTo(n) >= 0) throw new Error('Invalid s value') // A set LSB signifies that the y-coordinate is odd var isYOdd = i & 1 // The more significant bit specifies whether we should use the // first or second candidate key. var isSecondKey = i >> 1 // 1.1 Let x = r + jn var x = isSecondKey ? r.add(n) : r var R = secp256k1.pointFromX(isYOdd, x) // 1.4 Check that nR is at infinity var nR = R.multiply(n) if (!secp256k1.isInfinity(nR)) throw new Error('nR is not a valid curve point') // Compute r^-1 var rInv = r.modInverse(n) // Compute -e from e var eNeg = e.negate().mod(n) // 1.6.1 Compute Q = r^-1 (sR - eG) // Q = r^-1 (sR + -eG) var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) secp256k1.validate(Q) return Q } /** * Calculate pubkey extraction parameter. * * When extracting a pubkey from a signature, we have to * distinguish four different cases. Rather than putting this * burden on the verifier, Bitcoin includes a 2-bit value with the * signature. * * This function simply tries all four cases and returns the value * that resulted in a successful pubkey recovery. */ function calcPubKeyRecoveryParam (e, signature, Q) { typeforce(types.tuple( types.BigInt, types.ECSignature, types.ECPoint ), arguments) for (var i = 0; i < 4; i++) { var Qprime = recoverPubKey(e, signature, i) // 1.6.2 Verify Q if (Qprime.equals(Q)) { return i } } throw new Error('Unable to find valid recovery factor') } module.exports = { calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, deterministicGenerateK: deterministicGenerateK, recoverPubKey: recoverPubKey, sign: sign, verify: verify, // TODO: remove __curve: secp256k1 }