github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/libsecp256k1/src/ecdsa_impl.h (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 8 #ifndef SECP256K1_ECDSA_IMPL_H 9 #define SECP256K1_ECDSA_IMPL_H 10 11 #include "scalar.h" 12 #include "field.h" 13 #include "group.h" 14 #include "ecmult.h" 15 #include "ecmult_gen.h" 16 #include "ecdsa.h" 17 18 /** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1 19 * sage: for t in xrange(1023, -1, -1): 20 * .. p = 2**256 - 2**32 - t 21 * .. if p.is_prime(): 22 * .. print '%x'%p 23 * .. break 24 * 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f' 25 * sage: a = 0 26 * sage: b = 7 27 * sage: F = FiniteField (p) 28 * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order()) 29 * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141' 30 */ 31 static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( 32 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 33 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL 34 ); 35 36 /** Difference between field and order, values 'p' and 'n' values defined in 37 * "Standards for Efficient Cryptography" (SEC2) 2.7.1. 38 * sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F 39 * sage: a = 0 40 * sage: b = 7 41 * sage: F = FiniteField (p) 42 * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order()) 43 * '14551231950b75fc4402da1722fc9baee' 44 */ 45 static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( 46 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL 47 ); 48 49 static int secp256k1_der_read_len(const unsigned char **sigp, const unsigned char *sigend) { 50 int lenleft, b1; 51 size_t ret = 0; 52 if (*sigp >= sigend) { 53 return -1; 54 } 55 b1 = *((*sigp)++); 56 if (b1 == 0xFF) { 57 /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */ 58 return -1; 59 } 60 if ((b1 & 0x80) == 0) { 61 /* X.690-0207 8.1.3.4 short form length octets */ 62 return b1; 63 } 64 if (b1 == 0x80) { 65 /* Indefinite length is not allowed in DER. */ 66 return -1; 67 } 68 /* X.690-207 8.1.3.5 long form length octets */ 69 lenleft = b1 & 0x7F; 70 if (lenleft > sigend - *sigp) { 71 return -1; 72 } 73 if (**sigp == 0) { 74 /* Not the shortest possible length encoding. */ 75 return -1; 76 } 77 if ((size_t)lenleft > sizeof(size_t)) { 78 /* The resulting length would exceed the range of a size_t, so 79 * certainly longer than the passed array size. 80 */ 81 return -1; 82 } 83 while (lenleft > 0) { 84 ret = (ret << 8) | **sigp; 85 if (ret + lenleft > (size_t)(sigend - *sigp)) { 86 /* Result exceeds the length of the passed array. */ 87 return -1; 88 } 89 (*sigp)++; 90 lenleft--; 91 } 92 if (ret < 128) { 93 /* Not the shortest possible length encoding. */ 94 return -1; 95 } 96 return ret; 97 } 98 99 static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) { 100 int overflow = 0; 101 unsigned char ra[32] = {0}; 102 int rlen; 103 104 if (*sig == sigend || **sig != 0x02) { 105 /* Not a primitive integer (X.690-0207 8.3.1). */ 106 return 0; 107 } 108 (*sig)++; 109 rlen = secp256k1_der_read_len(sig, sigend); 110 if (rlen <= 0 || (*sig) + rlen > sigend) { 111 /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */ 112 return 0; 113 } 114 if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) { 115 /* Excessive 0x00 padding. */ 116 return 0; 117 } 118 if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) { 119 /* Excessive 0xFF padding. */ 120 return 0; 121 } 122 if ((**sig & 0x80) == 0x80) { 123 /* Negative. */ 124 overflow = 1; 125 } 126 while (rlen > 0 && **sig == 0) { 127 /* Skip leading zero bytes */ 128 rlen--; 129 (*sig)++; 130 } 131 if (rlen > 32) { 132 overflow = 1; 133 } 134 if (!overflow) { 135 memcpy(ra + 32 - rlen, *sig, rlen); 136 secp256k1_scalar_set_b32(r, ra, &overflow); 137 } 138 if (overflow) { 139 secp256k1_scalar_set_int(r, 0); 140 } 141 (*sig) += rlen; 142 return 1; 143 } 144 145 static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) { 146 const unsigned char *sigend = sig + size; 147 int rlen; 148 if (sig == sigend || *(sig++) != 0x30) { 149 /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */ 150 return 0; 151 } 152 rlen = secp256k1_der_read_len(&sig, sigend); 153 if (rlen < 0 || sig + rlen > sigend) { 154 /* Tuple exceeds bounds */ 155 return 0; 156 } 157 if (sig + rlen != sigend) { 158 /* Garbage after tuple. */ 159 return 0; 160 } 161 162 if (!secp256k1_der_parse_integer(rr, &sig, sigend)) { 163 return 0; 164 } 165 if (!secp256k1_der_parse_integer(rs, &sig, sigend)) { 166 return 0; 167 } 168 169 if (sig != sigend) { 170 /* Trailing garbage inside tuple. */ 171 return 0; 172 } 173 174 return 1; 175 } 176 177 static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) { 178 unsigned char r[33] = {0}, s[33] = {0}; 179 unsigned char *rp = r, *sp = s; 180 size_t lenR = 33, lenS = 33; 181 secp256k1_scalar_get_b32(&r[1], ar); 182 secp256k1_scalar_get_b32(&s[1], as); 183 while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; } 184 while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; } 185 if (*size < 6+lenS+lenR) { 186 *size = 6 + lenS + lenR; 187 return 0; 188 } 189 *size = 6 + lenS + lenR; 190 sig[0] = 0x30; 191 sig[1] = 4 + lenS + lenR; 192 sig[2] = 0x02; 193 sig[3] = lenR; 194 memcpy(sig+4, rp, lenR); 195 sig[4+lenR] = 0x02; 196 sig[5+lenR] = lenS; 197 memcpy(sig+lenR+6, sp, lenS); 198 return 1; 199 } 200 201 static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) { 202 unsigned char c[32]; 203 secp256k1_scalar sn, u1, u2; 204 #if !defined(EXHAUSTIVE_TEST_ORDER) 205 secp256k1_fe xr; 206 #endif 207 secp256k1_gej pubkeyj; 208 secp256k1_gej pr; 209 210 if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) { 211 return 0; 212 } 213 214 secp256k1_scalar_inverse_var(&sn, sigs); 215 secp256k1_scalar_mul(&u1, &sn, message); 216 secp256k1_scalar_mul(&u2, &sn, sigr); 217 secp256k1_gej_set_ge(&pubkeyj, pubkey); 218 secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); 219 if (secp256k1_gej_is_infinity(&pr)) { 220 return 0; 221 } 222 223 #if defined(EXHAUSTIVE_TEST_ORDER) 224 { 225 secp256k1_scalar computed_r; 226 secp256k1_ge pr_ge; 227 secp256k1_ge_set_gej(&pr_ge, &pr); 228 secp256k1_fe_normalize(&pr_ge.x); 229 230 secp256k1_fe_get_b32(c, &pr_ge.x); 231 secp256k1_scalar_set_b32(&computed_r, c, NULL); 232 return secp256k1_scalar_eq(sigr, &computed_r); 233 } 234 #else 235 secp256k1_scalar_get_b32(c, sigr); 236 secp256k1_fe_set_b32(&xr, c); 237 238 /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) 239 * in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), 240 * compute the remainder modulo n, and compare it to xr. However: 241 * 242 * xr == X(pr) mod n 243 * <=> exists h. (xr + h * n < p && xr + h * n == X(pr)) 244 * [Since 2 * n > p, h can only be 0 or 1] 245 * <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr)) 246 * [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p] 247 * <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p) 248 * [Multiplying both sides of the equations by pr.z^2 mod p] 249 * <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x) 250 * 251 * Thus, we can avoid the inversion, but we have to check both cases separately. 252 * secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. 253 */ 254 if (secp256k1_gej_eq_x_var(&xr, &pr)) { 255 /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */ 256 return 1; 257 } 258 if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) { 259 /* xr + n >= p, so we can skip testing the second case. */ 260 return 0; 261 } 262 secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe); 263 if (secp256k1_gej_eq_x_var(&xr, &pr)) { 264 /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */ 265 return 1; 266 } 267 return 0; 268 #endif 269 } 270 271 static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) { 272 unsigned char b[32]; 273 secp256k1_gej rp; 274 secp256k1_ge r; 275 secp256k1_scalar n; 276 int overflow = 0; 277 278 secp256k1_ecmult_gen(ctx, &rp, nonce); 279 secp256k1_ge_set_gej(&r, &rp); 280 secp256k1_fe_normalize(&r.x); 281 secp256k1_fe_normalize(&r.y); 282 secp256k1_fe_get_b32(b, &r.x); 283 secp256k1_scalar_set_b32(sigr, b, &overflow); 284 /* These two conditions should be checked before calling */ 285 VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr)); 286 VERIFY_CHECK(overflow == 0); 287 288 if (recid) { 289 /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log 290 * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. 291 */ 292 *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0); 293 } 294 secp256k1_scalar_mul(&n, sigr, seckey); 295 secp256k1_scalar_add(&n, &n, message); 296 secp256k1_scalar_inverse(sigs, nonce); 297 secp256k1_scalar_mul(sigs, sigs, &n); 298 secp256k1_scalar_clear(&n); 299 secp256k1_gej_clear(&rp); 300 secp256k1_ge_clear(&r); 301 if (secp256k1_scalar_is_zero(sigs)) { 302 return 0; 303 } 304 if (secp256k1_scalar_is_high(sigs)) { 305 secp256k1_scalar_negate(sigs, sigs); 306 if (recid) { 307 *recid ^= 1; 308 } 309 } 310 return 1; 311 } 312 313 #endif /* SECP256K1_ECDSA_IMPL_H */