]> Git Repo - secp256k1.git/blame - src/ecdsa_impl.h
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
group_impl.h: remove unused `secp256k1_ge_set_infinity` function
[secp256k1.git] / src / ecdsa_impl.h
CommitLineData
71712b27 1/**********************************************************************
fea19e7b 2 * Copyright (c) 2013-2015 Pieter Wuille *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
0a433ea2 7
7a4b7691
PW		 8#ifndef _SECP256K1_ECDSA_IMPL_H_
9#define _SECP256K1_ECDSA_IMPL_H_
10
f24041d6 11#include "scalar.h"
11ab5622
PW		 12#include "field.h"
13#include "group.h"
14#include "ecmult.h"
949c1ebb 15#include "ecmult_gen.h"
11ab5622 16#include "ecdsa.h"
607884fc 17
6efd6e77
GM		 18/** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1
19 * sage: for t in xrange(1023, -1, -1):
20 * .. p = 2**256 - 2**32 - t
21 * .. if p.is_prime():
22 * .. print '%x'%p
23 * .. break
24 * 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'
25 * sage: a = 0
26 * sage: b = 7
27 * sage: F = FiniteField (p)
28 * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order())
29 * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
30 */
dd891e0e 31static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST(
4732d260
PW		 32 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
33 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
34);
f24041d6 35
6efd6e77
GM		 36/** Difference between field and order, values 'p' and 'n' values defined in
37 * "Standards for Efficient Cryptography" (SEC2) 2.7.1.
38 * sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
39 * sage: a = 0
40 * sage: b = 7
41 * sage: F = FiniteField (p)
42 * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order())
43 * '14551231950b75fc4402da1722fc9baee'
44 */
dd891e0e 45static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST(
4732d260
PW		 46 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
47);
f24041d6 48
3bb9c447
PW		 49static int secp256k1_der_read_len(const unsigned char **sigp, const unsigned char *sigend) {
50 int lenleft, b1;
51 size_t ret = 0;
52 if (*sigp >= sigend) {
53 return -1;
26320197 54 }
3bb9c447
PW		 55 b1 = *((*sigp)++);
56 if (b1 == 0xFF) {
57 /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */
58 return -1;
26320197 59 }
3bb9c447
PW		 60 if ((b1 & 0x80) == 0) {
61 /* X.690-0207 8.1.3.4 short form length octets */
62 return b1;
26320197 63 }
3bb9c447
PW		 64 if (b1 == 0x80) {
65 /* Indefinite length is not allowed in DER. */
66 return -1;
67 }
68 /* X.690-207 8.1.3.5 long form length octets */
69 lenleft = b1 & 0x7F;
70 if (lenleft > sigend - *sigp) {
71 return -1;
72 }
73 if (**sigp == 0) {
74 /* Not the shortest possible length encoding. */
75 return -1;
76 }
77 if ((size_t)lenleft > sizeof(size_t)) {
269d4227
GM		 78 /* The resulting length would exceed the range of a size_t, so
79 * certainly longer than the passed array size.
80 */
3bb9c447 81 return -1;
26320197 82 }
3bb9c447
PW		 83 while (lenleft > 0) {
84 if ((ret >> ((sizeof(size_t) - 1) * 8)) != 0) {
85 }
86 ret = (ret << 8) | **sigp;
87 if (ret + lenleft > (size_t)(sigend - *sigp)) {
88 /* Result exceeds the length of the passed array. */
89 return -1;
90 }
91 (*sigp)++;
92 lenleft--;
93 }
94 if (ret < 128) {
95 /* Not the shortest possible length encoding. */
96 return -1;
97 }
98 return ret;
99}
100
101static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) {
102 int overflow = 0;
103 unsigned char ra[32] = {0};
104 int rlen;
105
106 if (*sig == sigend || **sig != 0x02) {
107 /* Not a primitive integer (X.690-0207 8.3.1). */
26320197
GM		 108 return 0;
109 }
3bb9c447
PW		 110 (*sig)++;
111 rlen = secp256k1_der_read_len(sig, sigend);
112 if (rlen <= 0 || (*sig) + rlen > sigend) {
113 /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */
26320197
GM		 114 return 0;
115 }
3bb9c447
PW		 116 if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) {
117 /* Excessive 0x00 padding. */
26320197
GM		 118 return 0;
119 }
3bb9c447
PW		 120 if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) {
121 /* Excessive 0xFF padding. */
26320197
GM		 122 return 0;
123 }
3bb9c447
PW		 124 if ((**sig & 0x80) == 0x80) {
125 /* Negative. */
126 overflow = 1;
127 }
128 while (rlen > 0 && **sig == 0) {
129 /* Skip leading zero bytes */
130 rlen--;
131 (*sig)++;
132 }
133 if (rlen > 32) {
134 overflow = 1;
f24041d6 135 }
3bb9c447
PW		 136 if (!overflow) {
137 memcpy(ra + 32 - rlen, *sig, rlen);
138 secp256k1_scalar_set_b32(r, ra, &overflow);
139 }
140 if (overflow) {
141 secp256k1_scalar_set_int(r, 0);
142 }
143 (*sig) += rlen;
144 return 1;
145}
146
147static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) {
148 const unsigned char *sigend = sig + size;
149 int rlen;
150 if (sig == sigend || *(sig++) != 0x30) {
151 /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */
26320197
GM		 152 return 0;
153 }
3bb9c447
PW		 154 rlen = secp256k1_der_read_len(&sig, sigend);
155 if (rlen < 0 || sig + rlen > sigend) {
156 /* Tuple exceeds bounds */
157 return 0;
f24041d6 158 }
3bb9c447
PW		 159 if (sig + rlen != sigend) {
160 /* Garbage after tuple. */
26320197
GM		 161 return 0;
162 }
3bb9c447
PW		 163
164 if (!secp256k1_der_parse_integer(rr, &sig, sigend)) {
26320197
GM		 165 return 0;
166 }
3bb9c447 167 if (!secp256k1_der_parse_integer(rs, &sig, sigend)) {
26320197
GM		 168 return 0;
169 }
3bb9c447
PW		 170
171 if (sig != sigend) {
172 /* Trailing garbage inside tuple. */
173 return 0;
174 }
175
d41e93a5 176 return 1;
607884fc
PW		 177}
178
dd891e0e 179static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) {
f24041d6 180 unsigned char r[33] = {0}, s[33] = {0};
f24041d6 181 unsigned char *rp = r, *sp = s;
788038d3 182 size_t lenR = 33, lenS = 33;
18c329c5
PW		 183 secp256k1_scalar_get_b32(&r[1], ar);
184 secp256k1_scalar_get_b32(&s[1], as);
f24041d6
PW		 185 while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
186 while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
26320197 187 if (*size < 6+lenS+lenR) {
74a2acdb 188 *size = 6 + lenS + lenR;
d41e93a5 189 return 0;
26320197 190 }
0a07e62f
PW		 191 *size = 6 + lenS + lenR;
192 sig[0] = 0x30;
193 sig[1] = 4 + lenS + lenR;
194 sig[2] = 0x02;
195 sig[3] = lenR;
f24041d6 196 memcpy(sig+4, rp, lenR);
0a07e62f
PW		 197 sig[4+lenR] = 0x02;
198 sig[5+lenR] = lenS;
f24041d6 199 memcpy(sig+lenR+6, sp, lenS);
d41e93a5 200 return 1;
0a07e62f
PW		 201}
202
dd891e0e 203static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) {
792bcdb0 204 unsigned char c[32];
dd891e0e 205 secp256k1_scalar sn, u1, u2;
b4ceedf1 206#if !defined(EXHAUSTIVE_TEST_ORDER)
dd891e0e 207 secp256k1_fe xr;
b4ceedf1 208#endif
dd891e0e
PW		 209 secp256k1_gej pubkeyj;
210 secp256k1_gej pr;
792bcdb0 211
18c329c5 212 if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
d41e93a5 213 return 0;
26320197 214 }
607884fc 215
18c329c5 216 secp256k1_scalar_inverse_var(&sn, sigs);
f24041d6 217 secp256k1_scalar_mul(&u1, &sn, message);
18c329c5 218 secp256k1_scalar_mul(&u2, &sn, sigr);
792bcdb0 219 secp256k1_gej_set_ge(&pubkeyj, pubkey);
a9b6595e 220 secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1);
ce7eb6fb
PW		 221 if (secp256k1_gej_is_infinity(&pr)) {
222 return 0;
223 }
b4ceedf1
AP		 224
225#if defined(EXHAUSTIVE_TEST_ORDER)
226{
227 secp256k1_scalar computed_r;
228 int overflow = 0;
229 secp256k1_ge pr_ge;
230 secp256k1_ge_set_gej(&pr_ge, &pr);
231 secp256k1_fe_normalize(&pr_ge.x);
232
233 secp256k1_fe_get_b32(c, &pr_ge.x);
234 secp256k1_scalar_set_b32(&computed_r, c, &overflow);
235 /* we fully expect overflow */
236 return secp256k1_scalar_eq(sigr, &computed_r);
237}
238#else
18c329c5 239 secp256k1_scalar_get_b32(c, sigr);
ce7eb6fb 240 secp256k1_fe_set_b32(&xr, c);
13278f64 241
3627437d
GM		 242 /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
243 * in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),
244 * compute the remainder modulo n, and compare it to xr. However:
245 *
246 * xr == X(pr) mod n
247 * <=> exists h. (xr + h * n < p && xr + h * n == X(pr))
248 * [Since 2 * n > p, h can only be 0 or 1]
249 * <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr))
250 * [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p]
251 * <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p)
252 * [Multiplying both sides of the equations by pr.z^2 mod p]
253 * <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
254 *
255 * Thus, we can avoid the inversion, but we have to check both cases separately.
256 * secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
257 */
ce7eb6fb 258 if (secp256k1_gej_eq_x_var(&xr, &pr)) {
6c476a8a 259 /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */
ce7eb6fb
PW		 260 return 1;
261 }
4732d260 262 if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
6c476a8a 263 /* xr + n >= p, so we can skip testing the second case. */
ce7eb6fb 264 return 0;
4adf6b2a 265 }
4732d260 266 secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe);
ce7eb6fb 267 if (secp256k1_gej_eq_x_var(&xr, &pr)) {
3627437d 268 /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */
ce7eb6fb
PW		 269 return 1;
270 }
271 return 0;
b4ceedf1 272#endif
607884fc
PW		 273}
274
dd891e0e 275static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) {
792bcdb0 276 unsigned char b[32];
dd891e0e
PW		 277 secp256k1_gej rp;
278 secp256k1_ge r;
279 secp256k1_scalar n;
792bcdb0
GM		 280 int overflow = 0;
281
a9b6595e 282 secp256k1_ecmult_gen(ctx, &rp, nonce);
50eb498e 283 secp256k1_ge_set_gej(&r, &rp);
50eb498e
PW		 284 secp256k1_fe_normalize(&r.x);
285 secp256k1_fe_normalize(&r.y);
286 secp256k1_fe_get_b32(b, &r.x);
18c329c5 287 secp256k1_scalar_set_b32(sigr, b, &overflow);
25e3cfbf
AP		 288 /* These two conditions should be checked before calling */
289 VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
290 VERIFY_CHECK(overflow == 0);
291
26320197 292 if (recid) {
269d4227
GM		 293 /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
294 * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
295 */
a9f5c8b8 296 *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
26320197 297 }
18c329c5 298 secp256k1_scalar_mul(&n, sigr, seckey);
a9f5c8b8 299 secp256k1_scalar_add(&n, &n, message);
18c329c5
PW		 300 secp256k1_scalar_inverse(sigs, nonce);
301 secp256k1_scalar_mul(sigs, sigs, &n);
a9f5c8b8 302 secp256k1_scalar_clear(&n);
2f6c8019
GM		 303 secp256k1_gej_clear(&rp);
304 secp256k1_ge_clear(&r);
18c329c5 305 if (secp256k1_scalar_is_zero(sigs)) {
d41e93a5 306 return 0;
26320197 307 }
18c329c5
PW		 308 if (secp256k1_scalar_is_high(sigs)) {
309 secp256k1_scalar_negate(sigs, sigs);
26320197 310 if (recid) {
50eb498e 311 *recid ^= 1;
26320197 312 }
50eb498e 313 }
eb0be8ee 314 return 1;
0a07e62f
PW		 315}
316
7a4b7691 317#endif
Empty description
This page took 0.080603 seconds and 4 git commands to generate.