github.com/platonnetwork/platon-go@v0.7.6/crypto/rfc6979/rfc6979.go (about) 1 package rfc6979 2 3 import ( 4 "bytes" 5 "crypto/hmac" 6 "hash" 7 "math/big" 8 "crypto/sha256" 9 "github.com/PlatONnetwork/PlatON-Go/crypto/secp256k1" 10 "crypto/ecdsa" 11 ) 12 13 const ( 14 tryLimit = 10000 15 ) 16 // mac returns an HMAC of the given key and message. 17 func hmac_k(alg func() hash.Hash, k, m[]byte) []byte { 18 h := hmac.New(alg, k) 19 h.Write(m) 20 return h.Sum(nil) 21 } 22 23 // https://tools.ietf.org/html/rfc6979#section-2.3.2 24 func bits2int(in []byte, qlen int) *big.Int { 25 vlen := len(in) * 8 26 v := new(big.Int).SetBytes(in) 27 if vlen > qlen { 28 v = new(big.Int).Rsh(v, uint(vlen-qlen)) 29 } 30 return v 31 } 32 33 // https://tools.ietf.org/html/rfc6979#section-2.3.3 34 func int2octets(v *big.Int, rlen int) []byte { 35 out := v.Bytes() 36 37 // pad with zeros if it's too short 38 if len(out) < rlen { 39 out2 := make([]byte, rlen) 40 copy(out2[rlen-len(out):], out) 41 return out2 42 } 43 // drop most significant bytes if it's too long 44 if len(out) > rlen { 45 out2 := make([]byte, rlen) 46 copy(out2, out[len(out)-rlen:]) 47 return out2 48 } 49 50 return out 51 } 52 53 // https://tools.ietf.org/html/rfc6979#section-2.3.4 54 func bits2octets(in []byte, q *big.Int, qlen, rlen int) []byte { 55 z1 := bits2int(in, qlen) 56 z2 := new(big.Int).Sub(z1, q) 57 if z2.Sign() < 0 { 58 return int2octets(z1, rlen) 59 } 60 return int2octets(z2, rlen) 61 } 62 63 var one = big.NewInt(1) 64 65 // https://tools.ietf.org/html/rfc6979#section-3.2 66 func generate_k(q, x *big.Int, alg func() hash.Hash, hash []byte, test func(*big.Int) bool) { 67 qlen := q.BitLen() 68 hlen := alg().Size() 69 rlen := (qlen + 7) >> 3 70 bx := append(int2octets(x, rlen), bits2octets(hash, q, qlen, rlen)...) 71 // Step B 72 v := bytes.Repeat([]byte{0x01}, hlen) 73 // Step C 74 k := bytes.Repeat([]byte{0x00}, hlen) 75 // Step D 76 k = hmac_k(alg, k, append(append(v, 0x00), bx...)) 77 // Step E 78 v = hmac_k(alg, k, v) 79 // Step F 80 k = hmac_k(alg, k, append(append(v, 0x01), bx...)) 81 // Step G 82 v = hmac_k(alg, k, v) 83 // Step H 84 for i := int64(0); i < tryLimit; i++ { 85 // Step H1 86 var t []byte 87 // Step H2 88 for len(t) < qlen/8 { 89 v = hmac_k(alg, k, v) 90 t = append(t, v...) 91 } 92 // Step H3 93 secret := bits2int(t, qlen) 94 if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 && test(secret) { 95 return 96 } 97 k = hmac_k(alg, k, append(v, 0x00)) 98 v = hmac_k(alg, k, v) 99 } 100 panic("generate_k: couldn't generate a new k") 101 } 102 103 func ECVRF_nonce_generation(sk []byte,m []byte)(*ecdsa.PrivateKey, error){ 104 curve := secp256k1.S256() 105 106 hash := sha256.New() 107 hash.Write(m) 108 h := hash.Sum(nil) 109 110 var sec *big.Int 111 generate_k(curve.N,new(big.Int).SetBytes(sk), sha256.New, h, func(k *big.Int) bool { 112 sec = k 113 return true 114 }) 115 priv := new(ecdsa.PrivateKey) 116 priv.PublicKey.Curve = curve 117 priv.D = sec 118 priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(sec.Bytes()) 119 120 return priv,nil 121 } 122