github.com/ethereumproject/go-ethereum@v5.5.2+incompatible/crypto/secp256k1/notes.go (about) 1 // Copyright 2015 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package secp256k1 18 19 /* 20 <HaltingState> sipa, int secp256k1_ecdsa_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsigned char *seckey, int compressed); 21 <HaltingState> is that how i generate private/public keys? 22 <sipa> HaltingState: you pass in a random 32-byte string as seckey 23 <sipa> HaltingState: if it is valid, the corresponding pubkey is put in pubkey 24 <sipa> and true is returned 25 <sipa> otherwise, false is returned 26 <sipa> around 1 in 2^128 32-byte strings are invalid, so the odds of even ever seeing one is extremely rare 27 28 <sipa> private keys are mathematically numbers 29 <sipa> each has a corresponding point on the curve as public key 30 <sipa> a private key is just a number 31 <sipa> a public key is a point with x/y coordinates 32 <sipa> almost every 256-bit number is a valid private key (one with a point on the curve corresponding to it) 33 <sipa> HaltingState: ok? 34 35 <sipa> more than half of random points are not on the curve 36 <sipa> and actually, it is less than the square root, not less than half, sorry :) 37 !!! 38 <sipa> a private key is a NUMBER 39 <sipa> a public key is a POINT 40 <gmaxwell> half the x,y values in the field are not on the curve, a private key is an integer. 41 42 <sipa> HaltingState: yes, n,q = private keys; N,Q = corresponding public keys (N=n*G, Q=q*G); then it follows that n*Q = n*q*G = q*n*G = q*N 43 <sipa> that's the reason ECDH works 44 <sipa> multiplication is associative and commutativ 45 */ 46 47 /* 48 <HaltingState> sipa, ok; i am doing compact signatures and I want to know; can someone change the signature to get another valid signature for same message without the private key 49 <HaltingState> because i know they can do that for the normal 72 byte signatures that openssl was putting out 50 <sipa> HaltingState: if you don't enforce non-malleability, yes 51 <sipa> HaltingState: if you force the highest bit of t 52 53 <sipa> it _creates_ signatures that already satisfy that condition 54 <sipa> but it will accept ones that don't 55 <sipa> maybe i should change that, and be strict 56 <HaltingState> yes; i want some way to know signature is valid but fails malleability 57 <sipa> well if the highest bit of S is 1, you can take its complement 58 <sipa> and end up with a valid signature 59 <sipa> that is canonical 60 */ 61 62 /* 63 64 <HaltingState> sipa, I am signing messages and highest bit of the compact signature is 1!!! 65 <HaltingState> if (b & 0x80) == 0x80 { 66 <HaltingState> log.Panic("b= %v b2= %v \n", b, b&0x80) 67 <HaltingState> } 68 <sipa> what bit? 69 * Pengoo has quit (Ping timeout: 272 seconds) 70 <HaltingState> the highest bit of the first byte of signature 71 <sipa> it's the highest bit of S 72 <sipa> so the 32nd byte 73 <HaltingState> wtf 74 75 */ 76 77 /* 78 For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest 79 of the password. The nonces are different each time the 401 authentication challenge 80 response code is presented, thus making replay attacks virtually impossible. 81 82 can verify client/server match without sending password over network 83 */ 84 85 /* 86 <hanihani> one thing I dont get about armory for instance, 87 is how the hot-wallet can generate new addresses without 88 knowing the master key 89 */ 90 91 /* 92 <HaltingState> i am yelling at the telehash people for using secp256r1 93 instead of secp256k1; they thing r1 is "more secure" despite fact that 94 there is no implementation that works and wrapping it is now taking 95 up massive time, lol 96 <gmaxwell> ... 97 98 <gmaxwell> You know that the *r curves are selected via an undisclosed 99 secret process, right? 100 <gmaxwell> HaltingState: telehash is offtopic for this channel. 101 */ 102 /* 103 For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest 104 of the password. The nonces are different each time the 401 authentication challenge 105 response code is presented, thus making replay attacks virtually impossible. 106 107 can verify client/server match without sending password over network 108 */ 109 110 /* 111 void secp256k1_start(void); 112 void secp256k1_stop(void); 113 114 * Verify an ECDSA signature. 115 * Returns: 1: correct signature 116 * 0: incorrect signature 117 * -1: invalid public key 118 * -2: invalid signature 119 * 120 int secp256k1_ecdsa_verify(const unsigned char *msg, int msglen, 121 const unsigned char *sig, int siglen, 122 const unsigned char *pubkey, int pubkeylen); 123 124 http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html 125 126 Why did this work? ECDSA requires a random number for each signature. If this random 127 number is ever used twice with the same private key it can be recovered. 128 This transaction was generated by a hardware bitcoin wallet using a pseudo-random number 129 generator that was returning the same “random” number every time. 130 131 Nonce is 32 bytes? 132 133 * Create an ECDSA signature. 134 * Returns: 1: signature created 135 * 0: nonce invalid, try another one 136 * In: msg: the message being signed 137 * msglen: the length of the message being signed 138 * seckey: pointer to a 32-byte secret key (assumed to be valid) 139 * nonce: pointer to a 32-byte nonce (generated with a cryptographic PRNG) 140 * Out: sig: pointer to a 72-byte array where the signature will be placed. 141 * siglen: pointer to an int, which will be updated to the signature length (<=72). 142 * 143 int secp256k1_ecdsa_sign(const unsigned char *msg, int msglen, 144 unsigned char *sig, int *siglen, 145 const unsigned char *seckey, 146 const unsigned char *nonce); 147 148 149 * Create a compact ECDSA signature (64 byte + recovery id). 150 * Returns: 1: signature created 151 * 0: nonce invalid, try another one 152 * In: msg: the message being signed 153 * msglen: the length of the message being signed 154 * seckey: pointer to a 32-byte secret key (assumed to be valid) 155 * nonce: pointer to a 32-byte nonce (generated with a cryptographic PRNG) 156 * Out: sig: pointer to a 64-byte array where the signature will be placed. 157 * recid: pointer to an int, which will be updated to contain the recovery id. 158 * 159 int secp256k1_ecdsa_sign_compact(const unsigned char *msg, int msglen, 160 unsigned char *sig64, 161 const unsigned char *seckey, 162 const unsigned char *nonce, 163 int *recid); 164 165 * Recover an ECDSA public key from a compact signature. 166 * Returns: 1: public key succesfully recovered (which guarantees a correct signature). 167 * 0: otherwise. 168 * In: msg: the message assumed to be signed 169 * msglen: the length of the message 170 * compressed: whether to recover a compressed or uncompressed pubkey 171 * recid: the recovery id (as returned by ecdsa_sign_compact) 172 * Out: pubkey: pointer to a 33 or 65 byte array to put the pubkey. 173 * pubkeylen: pointer to an int that will contain the pubkey length. 174 * 175 176 recovery id is between 0 and 3 177 178 int secp256k1_ecdsa_recover_compact(const unsigned char *msg, int msglen, 179 const unsigned char *sig64, 180 unsigned char *pubkey, int *pubkeylen, 181 int compressed, int recid); 182 183 184 * Verify an ECDSA secret key. 185 * Returns: 1: secret key is valid 186 * 0: secret key is invalid 187 * In: seckey: pointer to a 32-byte secret key 188 * 189 int secp256k1_ecdsa_seckey_verify(const unsigned char *seckey); 190 191 ** Just validate a public key. 192 * Returns: 1: valid public key 193 * 0: invalid public key 194 * 195 int secp256k1_ecdsa_pubkey_verify(const unsigned char *pubkey, int pubkeylen); 196 197 ** Compute the public key for a secret key. 198 * In: compressed: whether the computed public key should be compressed 199 * seckey: pointer to a 32-byte private key. 200 * Out: pubkey: pointer to a 33-byte (if compressed) or 65-byte (if uncompressed) 201 * area to store the public key. 202 * pubkeylen: pointer to int that will be updated to contains the pubkey's 203 * length. 204 * Returns: 1: secret was valid, public key stores 205 * 0: secret was invalid, try again. 206 * 207 int secp256k1_ecdsa_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsigned char *seckey, int compressed); 208 */