dash/blackcoin-more
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Squashed 'src/secp256k1/' changes from bccaf86..50cc6ab

Browse Source 
50cc6ab Merge pull request #178
941e221 Add tests for handling of the nonce function in signing.
10c81ff Merge pull request #177
7688e34 Add magnitude limits to secp256k1_fe_verify to ensure that it's own tests function correctly.
4ee4f7a Merge pull request #176
70ae0d2 Use secp256k1_fe_equal_var in secp256k1_fe_sqrt_var.
7767b4d Merge pull request #175
9ab9335 Add a reference consistency test to ge_tests.
60571c6 Rework group tests
d26e26f Avoid constructing an invalid signature with probability 1:2^256.
b450c34 Merge pull request #163
d57cae9 Merge pull request #154
49ee0db Add _normalizes_to_zero_var variant
eed599d Add _fe_normalizes_to_zero method
d7174ed Weak normalization for secp256k1_fe_equal
0295f0a weak normalization
bbd5ba7 Use rfc6979 as default nonce generation function
b37fbc2 Implement SHA256 / HMAC-SHA256 / RFC6979.
c6e7f4e [API BREAK] Use a nonce-generation function instead of a nonce
cf0c48b Merge pull request #169
603c33b Make signing fail if a too small buffer is passed.
6d16606 Merge pull request #168
7277fd7 Remove GMP field implementation
e99c4c4 Merge pull request #123
13278f6 Add explanation about how inversion can be avoided
ce7eb6f Optimize verification: avoid field inverse
a098f78 Merge pull request #160
38acd01 Merge pull request #165
6a59012 Make git ignore bench_recover when configured with benchmark enabled
1ba4a60 Configure options reorganization
3c0f246 Merge pull request #157
808dd9b Merge pull request #156
8dc75e9 Merge pull request #158
28ade27 build: nuke bashisms
5190079 build: use subdir-objects for automake
8336040 build: disable benchmark by default

git-subtree-dir: src/secp256k1
git-subtree-split: 50cc6ab0625efda6dddf1dc86c1e2671f069b0d8
This commit is contained in:
Pieter Wuille
2015-01-06 00:28:47 +01:00
parent ecae2acb06
commit 7873633b57
23 changed files with 1167 additions and 524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
src/ecdsa_impl.h
View File

@@ -109,25 +109,53 @@ static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const se
return 1;
}
static int secp256k1_ecdsa_sig_recompute(secp256k1_scalar_t *r2, const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s))
return 0;
int ret = 0;
secp256k1_scalar_t sn, u1, u2;
secp256k1_scalar_inverse_var(&sn, &sig->s);
secp256k1_scalar_mul(&u1, &sn, message);
secp256k1_scalar_mul(&u2, &sn, &sig->r);
secp256k1_gej_t pubkeyj; secp256k1_gej_set_ge(&pubkeyj, pubkey);
secp256k1_gej_t pr; secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
if (!secp256k1_gej_is_infinity(&pr)) {
secp256k1_fe_t xr; secp256k1_gej_get_x_var(&xr, &pr);
secp256k1_fe_normalize_var(&xr);
unsigned char xrb[32]; secp256k1_fe_get_b32(xrb, &xr);
secp256k1_scalar_set_b32(r2, xrb, NULL);
ret = 1;
if (secp256k1_gej_is_infinity(&pr)) {
return 0;
}
return ret;
unsigned char c[32];
secp256k1_scalar_get_b32(c, &sig->r);
secp256k1_fe_t xr;
secp256k1_fe_set_b32(&xr, c);
// We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
// in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),
// compute the remainder modulo n, and compare it to xr. However:
//
// xr == X(pr) mod n
// <=> exists h. (xr + h * n < p && xr + h * n == X(pr))
// [Since 2 * n > p, h can only be 0 or 1]
// <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr))
// [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p]
// <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p)
// [Multiplying both sides of the equations by pr.z^2 mod p]
// <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
//
// Thus, we can avoid the inversion, but we have to check both cases separately.
// secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
if (secp256k1_gej_eq_x_var(&xr, &pr)) {
// xr.x == xr * xr.z^2 mod p, so the signature is valid.
return 1;
}
if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_consts->p_minus_order) >= 0) {
// xr + p >= n, so we can skip testing the second case.
return 0;
}
secp256k1_fe_add(&xr, &secp256k1_ecdsa_consts->order_as_fe);
if (secp256k1_gej_eq_x_var(&xr, &pr)) {
// (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid.
return 1;
}
return 0;
}
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid) {
@@ -159,13 +187,6 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256
return !secp256k1_gej_is_infinity(&qj);
}
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
secp256k1_scalar_t r2;
int ret = 0;
ret = secp256k1_ecdsa_sig_recompute(&r2, sig, pubkey, message) && secp256k1_scalar_eq(&sig->r, &r2);
return ret;
}
static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid) {
secp256k1_gej_t rp;
secp256k1_ecmult_gen(&rp, nonce);
@@ -177,6 +198,12 @@ static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
secp256k1_fe_get_b32(b, &r.x);
int overflow = 0;
secp256k1_scalar_set_b32(&sig->r, b, &overflow);
if (secp256k1_scalar_is_zero(&sig->r)) {
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
secp256k1_gej_clear(&rp);
secp256k1_ge_clear(&r);
return 0;
}
if (recid)
*recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
secp256k1_scalar_t n;