github.com/klaytn/klaytn@v1.12.1/crypto/secp256k1/libsecp256k1/src/ecdsa_impl.h (about)

     1  /**********************************************************************
     2   * Copyright (c) 2013-2015 Pieter Wuille                              *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  
     8  #ifndef _SECP256K1_ECDSA_IMPL_H_
     9  #define _SECP256K1_ECDSA_IMPL_H_
    10  
    11  #include "scalar.h"
    12  #include "field.h"
    13  #include "group.h"
    14  #include "ecmult.h"
    15  #include "ecmult_gen.h"
    16  #include "ecdsa.h"
    17  
    18  /** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1
    19   *  sage: for t in xrange(1023, -1, -1):
    20   *     ..   p = 2**256 - 2**32 - t
    21   *     ..   if p.is_prime():
    22   *     ..     print '%x'%p
    23   *     ..     break
    24   *   'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'
    25   *  sage: a = 0
    26   *  sage: b = 7
    27   *  sage: F = FiniteField (p)
    28   *  sage: '%x' % (EllipticCurve ([F (a), F (b)]).order())
    29   *   'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
    30   */
    31  static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST(
    32      0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
    33      0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
    34  );
    35  
    36  /** Difference between field and order, values 'p' and 'n' values defined in
    37   *  "Standards for Efficient Cryptography" (SEC2) 2.7.1.
    38   *  sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
    39   *  sage: a = 0
    40   *  sage: b = 7
    41   *  sage: F = FiniteField (p)
    42   *  sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order())
    43   *   '14551231950b75fc4402da1722fc9baee'
    44   */
    45  static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST(
    46      0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
    47  );
    48  
    49  static int secp256k1_der_read_len(const unsigned char **sigp, const unsigned char *sigend) {
    50      int lenleft, b1;
    51      size_t ret = 0;
    52      if (*sigp >= sigend) {
    53          return -1;
    54      }
    55      b1 = *((*sigp)++);
    56      if (b1 == 0xFF) {
    57          /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */
    58          return -1;
    59      }
    60      if ((b1 & 0x80) == 0) {
    61          /* X.690-0207 8.1.3.4 short form length octets */
    62          return b1;
    63      }
    64      if (b1 == 0x80) {
    65          /* Indefinite length is not allowed in DER. */
    66          return -1;
    67      }
    68      /* X.690-207 8.1.3.5 long form length octets */
    69      lenleft = b1 & 0x7F;
    70      if (lenleft > sigend - *sigp) {
    71          return -1;
    72      }
    73      if (**sigp == 0) {
    74          /* Not the shortest possible length encoding. */
    75          return -1;
    76      }
    77      if ((size_t)lenleft > sizeof(size_t)) {
    78          /* The resulting length would exceed the range of a size_t, so
    79           * certainly longer than the passed array size.
    80           */
    81          return -1;
    82      }
    83      while (lenleft > 0) {
    84          if ((ret >> ((sizeof(size_t) - 1) * 8)) != 0) {
    85          }
    86          ret = (ret << 8) | **sigp;
    87          if (ret + lenleft > (size_t)(sigend - *sigp)) {
    88              /* Result exceeds the length of the passed array. */
    89              return -1;
    90          }
    91          (*sigp)++;
    92          lenleft--;
    93      }
    94      if (ret < 128) {
    95          /* Not the shortest possible length encoding. */
    96          return -1;
    97      }
    98      return ret;
    99  }
   100  
   101  static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) {
   102      int overflow = 0;
   103      unsigned char ra[32] = {0};
   104      int rlen;
   105  
   106      if (*sig == sigend || **sig != 0x02) {
   107          /* Not a primitive integer (X.690-0207 8.3.1). */
   108          return 0;
   109      }
   110      (*sig)++;
   111      rlen = secp256k1_der_read_len(sig, sigend);
   112      if (rlen <= 0 || (*sig) + rlen > sigend) {
   113          /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1).  */
   114          return 0;
   115      }
   116      if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) {
   117          /* Excessive 0x00 padding. */
   118          return 0;
   119      }
   120      if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) {
   121          /* Excessive 0xFF padding. */
   122          return 0;
   123      }
   124      if ((**sig & 0x80) == 0x80) {
   125          /* Negative. */
   126          overflow = 1;
   127      }
   128      while (rlen > 0 && **sig == 0) {
   129          /* Skip leading zero bytes */
   130          rlen--;
   131          (*sig)++;
   132      }
   133      if (rlen > 32) {
   134          overflow = 1;
   135      }
   136      if (!overflow) {
   137          memcpy(ra + 32 - rlen, *sig, rlen);
   138          secp256k1_scalar_set_b32(r, ra, &overflow);
   139      }
   140      if (overflow) {
   141          secp256k1_scalar_set_int(r, 0);
   142      }
   143      (*sig) += rlen;
   144      return 1;
   145  }
   146  
   147  static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) {
   148      const unsigned char *sigend = sig + size;
   149      int rlen;
   150      if (sig == sigend || *(sig++) != 0x30) {
   151          /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */
   152          return 0;
   153      }
   154      rlen = secp256k1_der_read_len(&sig, sigend);
   155      if (rlen < 0 || sig + rlen > sigend) {
   156          /* Tuple exceeds bounds */
   157          return 0;
   158      }
   159      if (sig + rlen != sigend) {
   160          /* Garbage after tuple. */
   161          return 0;
   162      }
   163  
   164      if (!secp256k1_der_parse_integer(rr, &sig, sigend)) {
   165          return 0;
   166      }
   167      if (!secp256k1_der_parse_integer(rs, &sig, sigend)) {
   168          return 0;
   169      }
   170  
   171      if (sig != sigend) {
   172          /* Trailing garbage inside tuple. */
   173          return 0;
   174      }
   175  
   176      return 1;
   177  }
   178  
   179  static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) {
   180      unsigned char r[33] = {0}, s[33] = {0};
   181      unsigned char *rp = r, *sp = s;
   182      size_t lenR = 33, lenS = 33;
   183      secp256k1_scalar_get_b32(&r[1], ar);
   184      secp256k1_scalar_get_b32(&s[1], as);
   185      while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
   186      while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
   187      if (*size < 6+lenS+lenR) {
   188          *size = 6 + lenS + lenR;
   189          return 0;
   190      }
   191      *size = 6 + lenS + lenR;
   192      sig[0] = 0x30;
   193      sig[1] = 4 + lenS + lenR;
   194      sig[2] = 0x02;
   195      sig[3] = lenR;
   196      memcpy(sig+4, rp, lenR);
   197      sig[4+lenR] = 0x02;
   198      sig[5+lenR] = lenS;
   199      memcpy(sig+lenR+6, sp, lenS);
   200      return 1;
   201  }
   202  
   203  static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) {
   204      unsigned char c[32];
   205      secp256k1_scalar sn, u1, u2;
   206  #if !defined(EXHAUSTIVE_TEST_ORDER)
   207      secp256k1_fe xr;
   208  #endif
   209      secp256k1_gej pubkeyj;
   210      secp256k1_gej pr;
   211  
   212      if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
   213          return 0;
   214      }
   215  
   216      secp256k1_scalar_inverse_var(&sn, sigs);
   217      secp256k1_scalar_mul(&u1, &sn, message);
   218      secp256k1_scalar_mul(&u2, &sn, sigr);
   219      secp256k1_gej_set_ge(&pubkeyj, pubkey);
   220      secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1);
   221      if (secp256k1_gej_is_infinity(&pr)) {
   222          return 0;
   223      }
   224  
   225  #if defined(EXHAUSTIVE_TEST_ORDER)
   226  {
   227      secp256k1_scalar computed_r;
   228      secp256k1_ge pr_ge;
   229      secp256k1_ge_set_gej(&pr_ge, &pr);
   230      secp256k1_fe_normalize(&pr_ge.x);
   231  
   232      secp256k1_fe_get_b32(c, &pr_ge.x);
   233      secp256k1_scalar_set_b32(&computed_r, c, NULL);
   234      return secp256k1_scalar_eq(sigr, &computed_r);
   235  }
   236  #else
   237      secp256k1_scalar_get_b32(c, sigr);
   238      secp256k1_fe_set_b32(&xr, c);
   239  
   240      /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
   241       *  in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),
   242       *  compute the remainder modulo n, and compare it to xr. However:
   243       *
   244       *        xr == X(pr) mod n
   245       *    <=> exists h. (xr + h * n < p && xr + h * n == X(pr))
   246       *    [Since 2 * n > p, h can only be 0 or 1]
   247       *    <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr))
   248       *    [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p]
   249       *    <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p)
   250       *    [Multiplying both sides of the equations by pr.z^2 mod p]
   251       *    <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
   252       *
   253       *  Thus, we can avoid the inversion, but we have to check both cases separately.
   254       *  secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
   255       */
   256      if (secp256k1_gej_eq_x_var(&xr, &pr)) {
   257          /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */
   258          return 1;
   259      }
   260      if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
   261          /* xr + n >= p, so we can skip testing the second case. */
   262          return 0;
   263      }
   264      secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe);
   265      if (secp256k1_gej_eq_x_var(&xr, &pr)) {
   266          /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */
   267          return 1;
   268      }
   269      return 0;
   270  #endif
   271  }
   272  
   273  static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) {
   274      unsigned char b[32];
   275      secp256k1_gej rp;
   276      secp256k1_ge r;
   277      secp256k1_scalar n;
   278      int overflow = 0;
   279  
   280      secp256k1_ecmult_gen(ctx, &rp, nonce);
   281      secp256k1_ge_set_gej(&r, &rp);
   282      secp256k1_fe_normalize(&r.x);
   283      secp256k1_fe_normalize(&r.y);
   284      secp256k1_fe_get_b32(b, &r.x);
   285      secp256k1_scalar_set_b32(sigr, b, &overflow);
   286      /* These two conditions should be checked before calling */
   287      VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
   288      VERIFY_CHECK(overflow == 0);
   289  
   290      if (recid) {
   291          /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
   292           * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
   293           */
   294          *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
   295      }
   296      secp256k1_scalar_mul(&n, sigr, seckey);
   297      secp256k1_scalar_add(&n, &n, message);
   298      secp256k1_scalar_inverse(sigs, nonce);
   299      secp256k1_scalar_mul(sigs, sigs, &n);
   300      secp256k1_scalar_clear(&n);
   301      secp256k1_gej_clear(&rp);
   302      secp256k1_ge_clear(&r);
   303      if (secp256k1_scalar_is_zero(sigs)) {
   304          return 0;
   305      }
   306      if (secp256k1_scalar_is_high(sigs)) {
   307          secp256k1_scalar_negate(sigs, sigs);
   308          if (recid) {
   309              *recid ^= 1;
   310          }
   311      }
   312      return 1;
   313  }
   314  
   315  #endif