crypto: add btcec fallback for sign/recover without cgo (#3680)
* vendor: add github.com/btcsuite/btcd/btcec * crypto: add btcec fallback for sign/recover without cgo This commit adds a non-cgo fallback implementation of secp256k1 operations. * crypto, core/vm: remove wrappers for sha256, ripemd160
This commit is contained in:
		
				
					committed by
					
						 Jeffrey Wilcke
						Jeffrey Wilcke
					
				
			
			
				
	
			
			
			
						parent
						
							bf21549faa
						
					
				
				
					commit
					9b0af51386
				
			| @@ -32,7 +32,6 @@ import ( | |||||||
| 	"github.com/ethereum/go-ethereum/accounts" | 	"github.com/ethereum/go-ethereum/accounts" | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" |  | ||||||
| 	"github.com/pborman/uuid" | 	"github.com/pborman/uuid" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| @@ -157,7 +156,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key { | |||||||
| 		panic("key generation: could not read from random source: " + err.Error()) | 		panic("key generation: could not read from random source: " + err.Error()) | ||||||
| 	} | 	} | ||||||
| 	reader := bytes.NewReader(randBytes) | 	reader := bytes.NewReader(randBytes) | ||||||
| 	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), reader) | 	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), reader) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		panic("key generation: ecdsa.GenerateKey failed: " + err.Error()) | 		panic("key generation: ecdsa.GenerateKey failed: " + err.Error()) | ||||||
| 	} | 	} | ||||||
| @@ -169,7 +168,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key { | |||||||
| } | } | ||||||
|  |  | ||||||
| func newKey(rand io.Reader) (*Key, error) { | func newKey(rand io.Reader) (*Key, error) { | ||||||
| 	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), rand) | 	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), rand) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, err | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -17,11 +17,14 @@ | |||||||
| package vm | package vm | ||||||
|  |  | ||||||
| import ( | import ( | ||||||
|  | 	"crypto/sha256" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
| 	"github.com/ethereum/go-ethereum/logger" | 	"github.com/ethereum/go-ethereum/logger" | ||||||
| 	"github.com/ethereum/go-ethereum/logger/glog" | 	"github.com/ethereum/go-ethereum/logger/glog" | ||||||
| 	"github.com/ethereum/go-ethereum/params" | 	"github.com/ethereum/go-ethereum/params" | ||||||
|  | 	"golang.org/x/crypto/ripemd160" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // Precompiled contract is the basic interface for native Go contracts. The implementation | // Precompiled contract is the basic interface for native Go contracts. The implementation | ||||||
| @@ -35,8 +38,8 @@ type PrecompiledContract interface { | |||||||
| // Precompiled contains the default set of ethereum contracts | // Precompiled contains the default set of ethereum contracts | ||||||
| var PrecompiledContracts = map[common.Address]PrecompiledContract{ | var PrecompiledContracts = map[common.Address]PrecompiledContract{ | ||||||
| 	common.BytesToAddress([]byte{1}): &ecrecover{}, | 	common.BytesToAddress([]byte{1}): &ecrecover{}, | ||||||
| 	common.BytesToAddress([]byte{2}): &sha256{}, | 	common.BytesToAddress([]byte{2}): &sha256hash{}, | ||||||
| 	common.BytesToAddress([]byte{3}): &ripemd160{}, | 	common.BytesToAddress([]byte{3}): &ripemd160hash{}, | ||||||
| 	common.BytesToAddress([]byte{4}): &dataCopy{}, | 	common.BytesToAddress([]byte{4}): &dataCopy{}, | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -88,31 +91,34 @@ func (c *ecrecover) Run(in []byte) []byte { | |||||||
| } | } | ||||||
|  |  | ||||||
| // SHA256 implemented as a native contract | // SHA256 implemented as a native contract | ||||||
| type sha256 struct{} | type sha256hash struct{} | ||||||
|  |  | ||||||
| // RequiredGas returns the gas required to execute the pre-compiled contract. | // RequiredGas returns the gas required to execute the pre-compiled contract. | ||||||
| // | // | ||||||
| // This method does not require any overflow checking as the input size gas costs | // This method does not require any overflow checking as the input size gas costs | ||||||
| // required for anything significant is so high it's impossible to pay for. | // required for anything significant is so high it's impossible to pay for. | ||||||
| func (c *sha256) RequiredGas(inputSize int) uint64 { | func (c *sha256hash) RequiredGas(inputSize int) uint64 { | ||||||
| 	return uint64(inputSize+31)/32*params.Sha256WordGas + params.Sha256Gas | 	return uint64(inputSize+31)/32*params.Sha256WordGas + params.Sha256Gas | ||||||
| } | } | ||||||
| func (c *sha256) Run(in []byte) []byte { | func (c *sha256hash) Run(in []byte) []byte { | ||||||
| 	return crypto.Sha256(in) | 	h := sha256.Sum256(in) | ||||||
|  | 	return h[:] | ||||||
| } | } | ||||||
|  |  | ||||||
| // RIPMED160 implemented as a native contract | // RIPMED160 implemented as a native contract | ||||||
| type ripemd160 struct{} | type ripemd160hash struct{} | ||||||
|  |  | ||||||
| // RequiredGas returns the gas required to execute the pre-compiled contract. | // RequiredGas returns the gas required to execute the pre-compiled contract. | ||||||
| // | // | ||||||
| // This method does not require any overflow checking as the input size gas costs | // This method does not require any overflow checking as the input size gas costs | ||||||
| // required for anything significant is so high it's impossible to pay for. | // required for anything significant is so high it's impossible to pay for. | ||||||
| func (c *ripemd160) RequiredGas(inputSize int) uint64 { | func (c *ripemd160hash) RequiredGas(inputSize int) uint64 { | ||||||
| 	return uint64(inputSize+31)/32*params.Ripemd160WordGas + params.Ripemd160Gas | 	return uint64(inputSize+31)/32*params.Ripemd160WordGas + params.Ripemd160Gas | ||||||
| } | } | ||||||
| func (c *ripemd160) Run(in []byte) []byte { | func (c *ripemd160hash) Run(in []byte) []byte { | ||||||
| 	return common.LeftPadBytes(crypto.Ripemd160(in), 32) | 	ripemd := ripemd160.New() | ||||||
|  | 	ripemd.Write(in) | ||||||
|  | 	return common.LeftPadBytes(ripemd.Sum(nil), 32) | ||||||
| } | } | ||||||
|  |  | ||||||
| // data copy implemented as a native contract | // data copy implemented as a native contract | ||||||
|   | |||||||
| @@ -20,22 +20,21 @@ import ( | |||||||
| 	"crypto/ecdsa" | 	"crypto/ecdsa" | ||||||
| 	"crypto/elliptic" | 	"crypto/elliptic" | ||||||
| 	"crypto/rand" | 	"crypto/rand" | ||||||
| 	"crypto/sha256" | 	"encoding/hex" | ||||||
| 	"fmt" | 	"errors" | ||||||
| 	"io" | 	"io" | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
| 	"math/big" | 	"math/big" | ||||||
| 	"os" | 	"os" | ||||||
|  |  | ||||||
| 	"encoding/hex" |  | ||||||
| 	"errors" |  | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/ecies" |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/sha3" | 	"github.com/ethereum/go-ethereum/crypto/sha3" | ||||||
| 	"github.com/ethereum/go-ethereum/rlp" | 	"github.com/ethereum/go-ethereum/rlp" | ||||||
| 	"golang.org/x/crypto/ripemd160" | ) | ||||||
|  |  | ||||||
|  | var ( | ||||||
|  | 	secp256k1_N, _  = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16) | ||||||
|  | 	secp256k1_halfN = new(big.Int).Div(secp256k1_N, big.NewInt(2)) | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func Keccak256(data ...[]byte) []byte { | func Keccak256(data ...[]byte) []byte { | ||||||
| @@ -56,7 +55,6 @@ func Keccak256Hash(data ...[]byte) (h common.Hash) { | |||||||
| } | } | ||||||
|  |  | ||||||
| // Deprecated: For backward compatibility as other packages depend on these | // Deprecated: For backward compatibility as other packages depend on these | ||||||
| func Sha3(data ...[]byte) []byte          { return Keccak256(data...) } |  | ||||||
| func Sha3Hash(data ...[]byte) common.Hash { return Keccak256Hash(data...) } | func Sha3Hash(data ...[]byte) common.Hash { return Keccak256Hash(data...) } | ||||||
|  |  | ||||||
| // Creates an ethereum address given the bytes and the nonce | // Creates an ethereum address given the bytes and the nonce | ||||||
| @@ -65,39 +63,16 @@ func CreateAddress(b common.Address, nonce uint64) common.Address { | |||||||
| 	return common.BytesToAddress(Keccak256(data)[12:]) | 	return common.BytesToAddress(Keccak256(data)[12:]) | ||||||
| } | } | ||||||
|  |  | ||||||
| func Sha256(data []byte) []byte { | // ToECDSA creates a private key with the given D value. | ||||||
| 	hash := sha256.Sum256(data) |  | ||||||
|  |  | ||||||
| 	return hash[:] |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func Ripemd160(data []byte) []byte { |  | ||||||
| 	ripemd := ripemd160.New() |  | ||||||
| 	ripemd.Write(data) |  | ||||||
|  |  | ||||||
| 	return ripemd.Sum(nil) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Ecrecover returns the public key for the private key that was used to |  | ||||||
| // calculate the signature. |  | ||||||
| // |  | ||||||
| // Note: secp256k1 expects the recover id to be either 0, 1. Ethereum |  | ||||||
| // signatures have a recover id with an offset of 27. Callers must take |  | ||||||
| // this into account and if "recovering" from an Ethereum signature adjust. |  | ||||||
| func Ecrecover(hash, sig []byte) ([]byte, error) { |  | ||||||
| 	return secp256k1.RecoverPubkey(hash, sig) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // New methods using proper ecdsa keys from the stdlib |  | ||||||
| func ToECDSA(prv []byte) *ecdsa.PrivateKey { | func ToECDSA(prv []byte) *ecdsa.PrivateKey { | ||||||
| 	if len(prv) == 0 { | 	if len(prv) == 0 { | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	priv := new(ecdsa.PrivateKey) | 	priv := new(ecdsa.PrivateKey) | ||||||
| 	priv.PublicKey.Curve = secp256k1.S256() | 	priv.PublicKey.Curve = S256() | ||||||
| 	priv.D = common.BigD(prv) | 	priv.D = common.BigD(prv) | ||||||
| 	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(prv) | 	priv.PublicKey.X, priv.PublicKey.Y = priv.PublicKey.Curve.ScalarBaseMult(prv) | ||||||
| 	return priv | 	return priv | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -112,15 +87,15 @@ func ToECDSAPub(pub []byte) *ecdsa.PublicKey { | |||||||
| 	if len(pub) == 0 { | 	if len(pub) == 0 { | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
| 	x, y := elliptic.Unmarshal(secp256k1.S256(), pub) | 	x, y := elliptic.Unmarshal(S256(), pub) | ||||||
| 	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y} | 	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y} | ||||||
| } | } | ||||||
|  |  | ||||||
| func FromECDSAPub(pub *ecdsa.PublicKey) []byte { | func FromECDSAPub(pub *ecdsa.PublicKey) []byte { | ||||||
| 	if pub == nil || pub.X == nil || pub.Y == nil { | 	if pub == nil || pub.X == nil || pub.Y == nil { | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
| 	return elliptic.Marshal(secp256k1.S256(), pub.X, pub.Y) | 	return elliptic.Marshal(S256(), pub.X, pub.Y) | ||||||
| } | } | ||||||
|  |  | ||||||
| // HexToECDSA parses a secp256k1 private key. | // HexToECDSA parses a secp256k1 private key. | ||||||
| @@ -164,7 +139,7 @@ func SaveECDSA(file string, key *ecdsa.PrivateKey) error { | |||||||
| } | } | ||||||
|  |  | ||||||
| func GenerateKey() (*ecdsa.PrivateKey, error) { | func GenerateKey() (*ecdsa.PrivateKey, error) { | ||||||
| 	return ecdsa.GenerateKey(secp256k1.S256(), rand.Reader) | 	return ecdsa.GenerateKey(S256(), rand.Reader) | ||||||
| } | } | ||||||
|  |  | ||||||
| // ValidateSignatureValues verifies whether the signature values are valid with | // ValidateSignatureValues verifies whether the signature values are valid with | ||||||
| @@ -175,49 +150,11 @@ func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool { | |||||||
| 	} | 	} | ||||||
| 	// reject upper range of s values (ECDSA malleability) | 	// reject upper range of s values (ECDSA malleability) | ||||||
| 	// see discussion in secp256k1/libsecp256k1/include/secp256k1.h | 	// see discussion in secp256k1/libsecp256k1/include/secp256k1.h | ||||||
| 	if homestead && s.Cmp(secp256k1.HalfN) > 0 { | 	if homestead && s.Cmp(secp256k1_halfN) > 0 { | ||||||
| 		return false | 		return false | ||||||
| 	} | 	} | ||||||
| 	// Frontier: allow s to be in full N range | 	// Frontier: allow s to be in full N range | ||||||
| 	return r.Cmp(secp256k1.N) < 0 && s.Cmp(secp256k1.N) < 0 && (v == 0 || v == 1) | 	return r.Cmp(secp256k1_N) < 0 && s.Cmp(secp256k1_N) < 0 && (v == 0 || v == 1) | ||||||
| } |  | ||||||
|  |  | ||||||
| func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { |  | ||||||
| 	s, err := Ecrecover(hash, sig) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	x, y := elliptic.Unmarshal(secp256k1.S256(), s) |  | ||||||
| 	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Sign calculates an ECDSA signature. |  | ||||||
| // |  | ||||||
| // This function is susceptible to chosen plaintext attacks that can leak |  | ||||||
| // information about the private key that is used for signing. Callers must |  | ||||||
| // be aware that the given hash cannot be chosen by an adversery. Common |  | ||||||
| // solution is to hash any input before calculating the signature. |  | ||||||
| // |  | ||||||
| // The produced signature is in the [R || S || V] format where V is 0 or 1. |  | ||||||
| func Sign(data []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) { |  | ||||||
| 	if len(data) != 32 { |  | ||||||
| 		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(data)) |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8) |  | ||||||
| 	defer zeroBytes(seckey) |  | ||||||
| 	sig, err = secp256k1.Sign(data, seckey) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func Encrypt(pub *ecdsa.PublicKey, message []byte) ([]byte, error) { |  | ||||||
| 	return ecies.Encrypt(rand.Reader, ecies.ImportECDSAPublic(pub), message, nil, nil) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func Decrypt(prv *ecdsa.PrivateKey, ct []byte) ([]byte, error) { |  | ||||||
| 	key := ecies.ImportECDSA(prv) |  | ||||||
| 	return key.Decrypt(rand.Reader, ct, nil, nil) |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func PubkeyToAddress(p ecdsa.PublicKey) common.Address { | func PubkeyToAddress(p ecdsa.PublicKey) common.Address { | ||||||
|   | |||||||
| @@ -28,7 +28,6 @@ import ( | |||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var testAddrHex = "970e8128ab834e8eac17ab8e3812f010678cf791" | var testAddrHex = "970e8128ab834e8eac17ab8e3812f010678cf791" | ||||||
| @@ -37,30 +36,12 @@ var testPrivHex = "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232 | |||||||
| // These tests are sanity checks. | // These tests are sanity checks. | ||||||
| // They should ensure that we don't e.g. use Sha3-224 instead of Sha3-256 | // They should ensure that we don't e.g. use Sha3-224 instead of Sha3-256 | ||||||
| // and that the sha3 library uses keccak-f permutation. | // and that the sha3 library uses keccak-f permutation. | ||||||
| func TestSha3(t *testing.T) { |  | ||||||
| 	msg := []byte("abc") |  | ||||||
| 	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45") |  | ||||||
| 	checkhash(t, "Sha3-256", func(in []byte) []byte { return Keccak256(in) }, msg, exp) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func TestSha3Hash(t *testing.T) { | func TestSha3Hash(t *testing.T) { | ||||||
| 	msg := []byte("abc") | 	msg := []byte("abc") | ||||||
| 	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45") | 	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45") | ||||||
| 	checkhash(t, "Sha3-256-array", func(in []byte) []byte { h := Keccak256Hash(in); return h[:] }, msg, exp) | 	checkhash(t, "Sha3-256-array", func(in []byte) []byte { h := Keccak256Hash(in); return h[:] }, msg, exp) | ||||||
| } | } | ||||||
|  |  | ||||||
| func TestSha256(t *testing.T) { |  | ||||||
| 	msg := []byte("abc") |  | ||||||
| 	exp, _ := hex.DecodeString("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad") |  | ||||||
| 	checkhash(t, "Sha256", Sha256, msg, exp) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func TestRipemd160(t *testing.T) { |  | ||||||
| 	msg := []byte("abc") |  | ||||||
| 	exp, _ := hex.DecodeString("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc") |  | ||||||
| 	checkhash(t, "Ripemd160", Ripemd160, msg, exp) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func BenchmarkSha3(b *testing.B) { | func BenchmarkSha3(b *testing.B) { | ||||||
| 	a := []byte("hello world") | 	a := []byte("hello world") | ||||||
| 	amount := 1000000 | 	amount := 1000000 | ||||||
| @@ -170,7 +151,7 @@ func TestValidateSignatureValues(t *testing.T) { | |||||||
| 	minusOne := big.NewInt(-1) | 	minusOne := big.NewInt(-1) | ||||||
| 	one := common.Big1 | 	one := common.Big1 | ||||||
| 	zero := common.Big0 | 	zero := common.Big0 | ||||||
| 	secp256k1nMinus1 := new(big.Int).Sub(secp256k1.N, common.Big1) | 	secp256k1nMinus1 := new(big.Int).Sub(secp256k1_N, common.Big1) | ||||||
|  |  | ||||||
| 	// correct v,r,s | 	// correct v,r,s | ||||||
| 	check(true, 0, one, one) | 	check(true, 0, one, one) | ||||||
| @@ -197,9 +178,9 @@ func TestValidateSignatureValues(t *testing.T) { | |||||||
| 	// correct sig with max r,s | 	// correct sig with max r,s | ||||||
| 	check(true, 0, secp256k1nMinus1, secp256k1nMinus1) | 	check(true, 0, secp256k1nMinus1, secp256k1nMinus1) | ||||||
| 	// correct v, combinations of incorrect r,s at upper limit | 	// correct v, combinations of incorrect r,s at upper limit | ||||||
| 	check(false, 0, secp256k1.N, secp256k1nMinus1) | 	check(false, 0, secp256k1_N, secp256k1nMinus1) | ||||||
| 	check(false, 0, secp256k1nMinus1, secp256k1.N) | 	check(false, 0, secp256k1nMinus1, secp256k1_N) | ||||||
| 	check(false, 0, secp256k1.N, secp256k1.N) | 	check(false, 0, secp256k1_N, secp256k1_N) | ||||||
|  |  | ||||||
| 	// current callers ensures r,s cannot be negative, but let's test for that too | 	// current callers ensures r,s cannot be negative, but let's test for that too | ||||||
| 	// as crypto package could be used stand-alone | 	// as crypto package could be used stand-alone | ||||||
| @@ -225,14 +206,13 @@ func checkAddr(t *testing.T, addr0, addr1 common.Address) { | |||||||
| func TestPythonIntegration(t *testing.T) { | func TestPythonIntegration(t *testing.T) { | ||||||
| 	kh := "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232032" | 	kh := "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232032" | ||||||
| 	k0, _ := HexToECDSA(kh) | 	k0, _ := HexToECDSA(kh) | ||||||
| 	k1 := FromECDSA(k0) |  | ||||||
|  |  | ||||||
| 	msg0 := Keccak256([]byte("foo")) | 	msg0 := Keccak256([]byte("foo")) | ||||||
| 	sig0, _ := secp256k1.Sign(msg0, k1) | 	sig0, _ := Sign(msg0, k0) | ||||||
|  |  | ||||||
| 	msg1 := common.FromHex("00000000000000000000000000000000") | 	msg1 := common.FromHex("00000000000000000000000000000000") | ||||||
| 	sig1, _ := secp256k1.Sign(msg0, k1) | 	sig1, _ := Sign(msg0, k0) | ||||||
|  |  | ||||||
| 	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg0, k1, sig0) | 	t.Logf("msg: %x, privkey: %s sig: %x\n", msg0, kh, sig0) | ||||||
| 	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg1, k1, sig1) | 	t.Logf("msg: %x, privkey: %s sig: %x\n", msg1, kh, sig1) | ||||||
| } | } | ||||||
|   | |||||||
| @@ -42,7 +42,7 @@ import ( | |||||||
| 	"hash" | 	"hash" | ||||||
| 	"math/big" | 	"math/big" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" | 	ethcrypto "github.com/ethereum/go-ethereum/crypto" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| @@ -120,7 +120,7 @@ func (curve secgNamedCurve) Equal(curve2 secgNamedCurve) bool { | |||||||
| func namedCurveFromOID(curve secgNamedCurve) elliptic.Curve { | func namedCurveFromOID(curve secgNamedCurve) elliptic.Curve { | ||||||
| 	switch { | 	switch { | ||||||
| 	case curve.Equal(secgNamedCurveS256): | 	case curve.Equal(secgNamedCurveS256): | ||||||
| 		return secp256k1.S256() | 		return ethcrypto.S256() | ||||||
| 	case curve.Equal(secgNamedCurveP256): | 	case curve.Equal(secgNamedCurveP256): | ||||||
| 		return elliptic.P256() | 		return elliptic.P256() | ||||||
| 	case curve.Equal(secgNamedCurveP384): | 	case curve.Equal(secgNamedCurveP384): | ||||||
| @@ -139,7 +139,7 @@ func oidFromNamedCurve(curve elliptic.Curve) (secgNamedCurve, bool) { | |||||||
| 		return secgNamedCurveP384, true | 		return secgNamedCurveP384, true | ||||||
| 	case elliptic.P521(): | 	case elliptic.P521(): | ||||||
| 		return secgNamedCurveP521, true | 		return secgNamedCurveP521, true | ||||||
| 	case secp256k1.S256(): | 	case ethcrypto.S256(): | ||||||
| 		return secgNamedCurveS256, true | 		return secgNamedCurveS256, true | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|   | |||||||
| @@ -31,7 +31,6 @@ package ecies | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"bytes" | 	"bytes" | ||||||
| 	"crypto/ecdsa" |  | ||||||
| 	"crypto/elliptic" | 	"crypto/elliptic" | ||||||
| 	"crypto/rand" | 	"crypto/rand" | ||||||
| 	"crypto/sha256" | 	"crypto/sha256" | ||||||
| @@ -42,7 +41,7 @@ import ( | |||||||
| 	"math/big" | 	"math/big" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var dumpEnc bool | var dumpEnc bool | ||||||
| @@ -150,7 +149,7 @@ func TestSharedKey(t *testing.T) { | |||||||
| func TestSharedKeyPadding(t *testing.T) { | func TestSharedKeyPadding(t *testing.T) { | ||||||
| 	// sanity checks | 	// sanity checks | ||||||
| 	prv0 := hexKey("1adf5c18167d96a1f9a0b1ef63be8aa27eaf6032c233b2b38f7850cf5b859fd9") | 	prv0 := hexKey("1adf5c18167d96a1f9a0b1ef63be8aa27eaf6032c233b2b38f7850cf5b859fd9") | ||||||
| 	prv1 := hexKey("97a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a") | 	prv1 := hexKey("0097a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a") | ||||||
| 	x0, _ := new(big.Int).SetString("1a8ed022ff7aec59dc1b440446bdda5ff6bcb3509a8b109077282b361efffbd8", 16) | 	x0, _ := new(big.Int).SetString("1a8ed022ff7aec59dc1b440446bdda5ff6bcb3509a8b109077282b361efffbd8", 16) | ||||||
| 	x1, _ := new(big.Int).SetString("6ab3ac374251f638d0abb3ef596d1dc67955b507c104e5f2009724812dc027b8", 16) | 	x1, _ := new(big.Int).SetString("6ab3ac374251f638d0abb3ef596d1dc67955b507c104e5f2009724812dc027b8", 16) | ||||||
| 	y0, _ := new(big.Int).SetString("e040bd480b1deccc3bc40bd5b1fdcb7bfd352500b477cb9471366dbd4493f923", 16) | 	y0, _ := new(big.Int).SetString("e040bd480b1deccc3bc40bd5b1fdcb7bfd352500b477cb9471366dbd4493f923", 16) | ||||||
| @@ -354,7 +353,7 @@ func BenchmarkGenSharedKeyP256(b *testing.B) { | |||||||
|  |  | ||||||
| // Benchmark the generation of S256 shared keys. | // Benchmark the generation of S256 shared keys. | ||||||
| func BenchmarkGenSharedKeyS256(b *testing.B) { | func BenchmarkGenSharedKeyS256(b *testing.B) { | ||||||
| 	prv, err := GenerateKey(rand.Reader, secp256k1.S256(), nil) | 	prv, err := GenerateKey(rand.Reader, crypto.S256(), nil) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		fmt.Println(err.Error()) | 		fmt.Println(err.Error()) | ||||||
| 		b.FailNow() | 		b.FailNow() | ||||||
| @@ -597,6 +596,29 @@ func TestBasicKeyValidation(t *testing.T) { | |||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func TestBox(t *testing.T) { | ||||||
|  | 	prv1 := hexKey("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f") | ||||||
|  | 	prv2 := hexKey("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a") | ||||||
|  | 	pub2 := &prv2.PublicKey | ||||||
|  |  | ||||||
|  | 	message := []byte("Hello, world.") | ||||||
|  | 	ct, err := Encrypt(rand.Reader, pub2, message, nil, nil) | ||||||
|  | 	if err != nil { | ||||||
|  | 		t.Fatal(err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	pt, err := prv2.Decrypt(rand.Reader, ct, nil, nil) | ||||||
|  | 	if err != nil { | ||||||
|  | 		t.Fatal(err) | ||||||
|  | 	} | ||||||
|  | 	if !bytes.Equal(pt, message) { | ||||||
|  | 		t.Fatal("ecies: plaintext doesn't match message") | ||||||
|  | 	} | ||||||
|  | 	if _, err = prv1.Decrypt(rand.Reader, ct, nil, nil); err == nil { | ||||||
|  | 		t.Fatal("ecies: encryption should not have succeeded") | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
| // Verify GenerateShared against static values - useful when | // Verify GenerateShared against static values - useful when | ||||||
| // debugging changes in underlying libs | // debugging changes in underlying libs | ||||||
| func TestSharedKeyStatic(t *testing.T) { | func TestSharedKeyStatic(t *testing.T) { | ||||||
| @@ -628,11 +650,10 @@ func TestSharedKeyStatic(t *testing.T) { | |||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| // TODO: remove after refactoring packages crypto and crypto/ecies |  | ||||||
| func hexKey(prv string) *PrivateKey { | func hexKey(prv string) *PrivateKey { | ||||||
| 	priv := new(ecdsa.PrivateKey) | 	key, err := crypto.HexToECDSA(prv) | ||||||
| 	priv.PublicKey.Curve = secp256k1.S256() | 	if err != nil { | ||||||
| 	priv.D, _ = new(big.Int).SetString(prv, 16) | 		panic(err) | ||||||
| 	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(priv.D.Bytes()) | 	} | ||||||
| 	return ImportECDSA(priv) | 	return ImportECDSA(key) | ||||||
| } | } | ||||||
|   | |||||||
| @@ -42,11 +42,11 @@ import ( | |||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"hash" | 	"hash" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" | 	ethcrypto "github.com/ethereum/go-ethereum/crypto" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| 	DefaultCurve                  = secp256k1.S256() | 	DefaultCurve                  = ethcrypto.S256() | ||||||
| 	ErrUnsupportedECDHAlgorithm   = fmt.Errorf("ecies: unsupported ECDH algorithm") | 	ErrUnsupportedECDHAlgorithm   = fmt.Errorf("ecies: unsupported ECDH algorithm") | ||||||
| 	ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters") | 	ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters") | ||||||
| ) | ) | ||||||
| @@ -100,7 +100,7 @@ var ( | |||||||
| ) | ) | ||||||
|  |  | ||||||
| var paramsFromCurve = map[elliptic.Curve]*ECIESParams{ | var paramsFromCurve = map[elliptic.Curve]*ECIESParams{ | ||||||
| 	secp256k1.S256(): ECIES_AES128_SHA256, | 	ethcrypto.S256(): ECIES_AES128_SHA256, | ||||||
| 	elliptic.P256():  ECIES_AES128_SHA256, | 	elliptic.P256():  ECIES_AES128_SHA256, | ||||||
| 	elliptic.P384():  ECIES_AES256_SHA384, | 	elliptic.P384():  ECIES_AES256_SHA384, | ||||||
| 	elliptic.P521():  ECIES_AES256_SHA512, | 	elliptic.P521():  ECIES_AES256_SHA512, | ||||||
|   | |||||||
| @@ -1,56 +0,0 @@ | |||||||
| // Copyright 2014 The go-ethereum Authors |  | ||||||
| // This file is part of the go-ethereum library. |  | ||||||
| // |  | ||||||
| // The go-ethereum library is free software: you can redistribute it and/or modify |  | ||||||
| // it under the terms of the GNU Lesser General Public License as published by |  | ||||||
| // the Free Software Foundation, either version 3 of the License, or |  | ||||||
| // (at your option) any later version. |  | ||||||
| // |  | ||||||
| // The go-ethereum library is distributed in the hope that it will be useful, |  | ||||||
| // but WITHOUT ANY WARRANTY; without even the implied warranty of |  | ||||||
| // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |  | ||||||
| // GNU Lesser General Public License for more details. |  | ||||||
| // |  | ||||||
| // You should have received a copy of the GNU Lesser General Public License |  | ||||||
| // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. |  | ||||||
|  |  | ||||||
| package crypto |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"bytes" |  | ||||||
| 	"fmt" |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestBox(t *testing.T) { |  | ||||||
| 	prv1 := ToECDSA(common.Hex2Bytes("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f")) |  | ||||||
| 	prv2 := ToECDSA(common.Hex2Bytes("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a")) |  | ||||||
| 	pub2 := ToECDSAPub(common.Hex2Bytes("04bd27a63c91fe3233c5777e6d3d7b39204d398c8f92655947eb5a373d46e1688f022a1632d264725cbc7dc43ee1cfebde42fa0a86d08b55d2acfbb5e9b3b48dc5")) |  | ||||||
|  |  | ||||||
| 	message := []byte("Hello, world.") |  | ||||||
| 	ct, err := Encrypt(pub2, message) |  | ||||||
| 	if err != nil { |  | ||||||
| 		fmt.Println(err.Error()) |  | ||||||
| 		t.FailNow() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	pt, err := Decrypt(prv2, ct) |  | ||||||
| 	if err != nil { |  | ||||||
| 		fmt.Println(err.Error()) |  | ||||||
| 		t.FailNow() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	if !bytes.Equal(pt, message) { |  | ||||||
| 		fmt.Println("ecies: plaintext doesn't match message") |  | ||||||
| 		t.FailNow() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	_, err = Decrypt(prv1, pt) |  | ||||||
| 	if err == nil { |  | ||||||
| 		fmt.Println("ecies: encryption should not have succeeded") |  | ||||||
| 		t.FailNow() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| } |  | ||||||
| @@ -42,17 +42,9 @@ import ( | |||||||
| 	"unsafe" | 	"unsafe" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var context *C.secp256k1_context | ||||||
| 	context *C.secp256k1_context |  | ||||||
| 	N       *big.Int |  | ||||||
| 	HalfN   *big.Int |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func init() { | func init() { | ||||||
| 	N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16) |  | ||||||
| 	// N / 2 == 57896044618658097711785492504343953926418782139537452191302581570759080747168 |  | ||||||
| 	HalfN, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0", 16) |  | ||||||
|  |  | ||||||
| 	// around 20 ms on a modern CPU. | 	// around 20 ms on a modern CPU. | ||||||
| 	context = C.secp256k1_context_create_sign_verify() | 	context = C.secp256k1_context_create_sign_verify() | ||||||
| 	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) | 	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) | ||||||
|   | |||||||
							
								
								
									
										64
									
								
								crypto/signature_cgo.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										64
									
								
								crypto/signature_cgo.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,64 @@ | |||||||
|  | // Copyright 2016 The go-ethereum Authors | ||||||
|  | // This file is part of the go-ethereum library. | ||||||
|  | // | ||||||
|  | // The go-ethereum library is free software: you can redistribute it and/or modify | ||||||
|  | // it under the terms of the GNU Lesser General Public License as published by | ||||||
|  | // the Free Software Foundation, either version 3 of the License, or | ||||||
|  | // (at your option) any later version. | ||||||
|  | // | ||||||
|  | // The go-ethereum library is distributed in the hope that it will be useful, | ||||||
|  | // but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||||
|  | // GNU Lesser General Public License for more details. | ||||||
|  | // | ||||||
|  | // You should have received a copy of the GNU Lesser General Public License | ||||||
|  | // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. | ||||||
|  |  | ||||||
|  | // +build !nacl,!js,!nocgo | ||||||
|  |  | ||||||
|  | package crypto | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/ecdsa" | ||||||
|  | 	"crypto/elliptic" | ||||||
|  | 	"fmt" | ||||||
|  |  | ||||||
|  | 	"github.com/ethereum/go-ethereum/common" | ||||||
|  | 	"github.com/ethereum/go-ethereum/crypto/secp256k1" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func Ecrecover(hash, sig []byte) ([]byte, error) { | ||||||
|  | 	return secp256k1.RecoverPubkey(hash, sig) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { | ||||||
|  | 	s, err := Ecrecover(hash, sig) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	x, y := elliptic.Unmarshal(S256(), s) | ||||||
|  | 	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Sign calculates an ECDSA signature. | ||||||
|  | // | ||||||
|  | // This function is susceptible to chosen plaintext attacks that can leak | ||||||
|  | // information about the private key that is used for signing. Callers must | ||||||
|  | // be aware that the given hash cannot be chosen by an adversery. Common | ||||||
|  | // solution is to hash any input before calculating the signature. | ||||||
|  | // | ||||||
|  | // The produced signature is in the [R || S || V] format where V is 0 or 1. | ||||||
|  | func Sign(hash []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) { | ||||||
|  | 	if len(hash) != 32 { | ||||||
|  | 		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash)) | ||||||
|  | 	} | ||||||
|  | 	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8) | ||||||
|  | 	defer zeroBytes(seckey) | ||||||
|  | 	return secp256k1.Sign(hash, seckey) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // S256 returns an instance of the secp256k1 curve. | ||||||
|  | func S256() elliptic.Curve { | ||||||
|  | 	return secp256k1.S256() | ||||||
|  | } | ||||||
							
								
								
									
										77
									
								
								crypto/signature_nocgo.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										77
									
								
								crypto/signature_nocgo.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,77 @@ | |||||||
|  | // Copyright 2016 The go-ethereum Authors | ||||||
|  | // This file is part of the go-ethereum library. | ||||||
|  | // | ||||||
|  | // The go-ethereum library is free software: you can redistribute it and/or modify | ||||||
|  | // it under the terms of the GNU Lesser General Public License as published by | ||||||
|  | // the Free Software Foundation, either version 3 of the License, or | ||||||
|  | // (at your option) any later version. | ||||||
|  | // | ||||||
|  | // The go-ethereum library is distributed in the hope that it will be useful, | ||||||
|  | // but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||||
|  | // GNU Lesser General Public License for more details. | ||||||
|  | // | ||||||
|  | // You should have received a copy of the GNU Lesser General Public License | ||||||
|  | // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. | ||||||
|  |  | ||||||
|  | // +build nacl js nocgo | ||||||
|  |  | ||||||
|  | package crypto | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/ecdsa" | ||||||
|  | 	"crypto/elliptic" | ||||||
|  | 	"fmt" | ||||||
|  |  | ||||||
|  | 	"github.com/btcsuite/btcd/btcec" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func Ecrecover(hash, sig []byte) ([]byte, error) { | ||||||
|  | 	pub, err := SigToPub(hash, sig) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	bytes := (*btcec.PublicKey)(pub).SerializeUncompressed() | ||||||
|  | 	return bytes, err | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { | ||||||
|  | 	// Convert to btcec input format with 'recovery id' v at the beginning. | ||||||
|  | 	btcsig := make([]byte, 65) | ||||||
|  | 	btcsig[0] = sig[64] + 27 | ||||||
|  | 	copy(btcsig[1:], sig) | ||||||
|  |  | ||||||
|  | 	pub, _, err := btcec.RecoverCompact(btcec.S256(), btcsig, hash) | ||||||
|  | 	return (*ecdsa.PublicKey)(pub), err | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Sign calculates an ECDSA signature. | ||||||
|  | // | ||||||
|  | // This function is susceptible to chosen plaintext attacks that can leak | ||||||
|  | // information about the private key that is used for signing. Callers must | ||||||
|  | // be aware that the given hash cannot be chosen by an adversery. Common | ||||||
|  | // solution is to hash any input before calculating the signature. | ||||||
|  | // | ||||||
|  | // The produced signature is in the [R || S || V] format where V is 0 or 1. | ||||||
|  | func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) { | ||||||
|  | 	if len(hash) != 32 { | ||||||
|  | 		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash)) | ||||||
|  | 	} | ||||||
|  | 	if prv.Curve != btcec.S256() { | ||||||
|  | 		return nil, fmt.Errorf("private key curve is not secp256k1") | ||||||
|  | 	} | ||||||
|  | 	sig, err := btcec.SignCompact(btcec.S256(), (*btcec.PrivateKey)(prv), hash, false) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	// Convert to Ethereum signature format with 'recovery id' v at the end. | ||||||
|  | 	v := sig[0] - 27 | ||||||
|  | 	copy(sig, sig[1:]) | ||||||
|  | 	sig[64] = v | ||||||
|  | 	return sig, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // S256 returns an instance of the secp256k1 curve. | ||||||
|  | func S256() elliptic.Curve { | ||||||
|  | 	return btcec.S256() | ||||||
|  | } | ||||||
| @@ -14,18 +14,23 @@ | |||||||
| // You should have received a copy of the GNU Lesser General Public License | // You should have received a copy of the GNU Lesser General Public License | ||||||
| // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. | // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. | ||||||
| 
 | 
 | ||||||
| package discv5 | package crypto | ||||||
| 
 | 
 | ||||||
| import ( | import ( | ||||||
| 	//"github.com/btcsuite/btcd/btcec" | 	"bytes" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" | 	"encoding/hex" | ||||||
|  | 	"testing" | ||||||
| ) | ) | ||||||
| 
 | 
 | ||||||
| func S256() *secp256k1.BitCurve { | func TestRecoverSanity(t *testing.T) { | ||||||
| 	return secp256k1.S256() | 	msg, _ := hex.DecodeString("ce0677bb30baa8cf067c88db9811f4333d131bf8bcf12fe7065d211dce971008") | ||||||
|  | 	sig, _ := hex.DecodeString("90f27b8b488db00b00606796d2987f6a5f59ae62ea05effe84fef5b8b0e549984a691139ad57a3f0b906637673aa2f63d1f55cb1a69199d4009eea23ceaddc9301") | ||||||
|  | 	pubkey1, _ := hex.DecodeString("04e32df42865e97135acfb65f3bae71bdc86f4d49150ad6a440b6f15878109880a0a2b2667f7e725ceea70c673093bf67663e0312623c8e091b13cf2c0f11ef652") | ||||||
|  | 	pubkey2, err := Ecrecover(msg, sig) | ||||||
|  | 	if err != nil { | ||||||
|  | 		t.Fatalf("recover error: %s", err) | ||||||
|  | 	} | ||||||
|  | 	if !bytes.Equal(pubkey1, pubkey2) { | ||||||
|  | 		t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2) | ||||||
|  | 	} | ||||||
| } | } | ||||||
| 
 |  | ||||||
| // This version should be used for NaCl compilation |  | ||||||
| /*func S256() *btcec.KoblitzCurve { |  | ||||||
| 	return S256() |  | ||||||
| }*/ |  | ||||||
| @@ -259,7 +259,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID { | |||||||
| // Pubkey returns the public key represented by the node ID. | // Pubkey returns the public key represented by the node ID. | ||||||
| // It returns an error if the ID is not a point on the curve. | // It returns an error if the ID is not a point on the curve. | ||||||
| func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) { | func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) { | ||||||
| 	p := &ecdsa.PublicKey{Curve: secp256k1.S256(), X: new(big.Int), Y: new(big.Int)} | 	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)} | ||||||
| 	half := len(id) / 2 | 	half := len(id) / 2 | ||||||
| 	p.X.SetBytes(id[:half]) | 	p.X.SetBytes(id[:half]) | ||||||
| 	p.Y.SetBytes(id[half:]) | 	p.Y.SetBytes(id[half:]) | ||||||
|   | |||||||
| @@ -297,7 +297,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID { | |||||||
| // Pubkey returns the public key represented by the node ID. | // Pubkey returns the public key represented by the node ID. | ||||||
| // It returns an error if the ID is not a point on the curve. | // It returns an error if the ID is not a point on the curve. | ||||||
| func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) { | func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) { | ||||||
| 	p := &ecdsa.PublicKey{Curve: S256(), X: new(big.Int), Y: new(big.Int)} | 	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)} | ||||||
| 	half := len(id) / 2 | 	half := len(id) / 2 | ||||||
| 	p.X.SetBytes(id[:half]) | 	p.X.SetBytes(id[:half]) | ||||||
| 	p.Y.SetBytes(id[half:]) | 	p.Y.SetBytes(id[half:]) | ||||||
|   | |||||||
| @@ -303,7 +303,7 @@ func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey, token []byte) (*authMs | |||||||
| 		return nil, err | 		return nil, err | ||||||
| 	} | 	} | ||||||
| 	// Generate random keypair to for ECDH. | 	// Generate random keypair to for ECDH. | ||||||
| 	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil) | 	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, err | ||||||
| 	} | 	} | ||||||
| @@ -381,7 +381,7 @@ func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) erro | |||||||
| 	// Generate random keypair for ECDH. | 	// Generate random keypair for ECDH. | ||||||
| 	// If a private key is already set, use it instead of generating one (for testing). | 	// If a private key is already set, use it instead of generating one (for testing). | ||||||
| 	if h.randomPrivKey == nil { | 	if h.randomPrivKey == nil { | ||||||
| 		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil) | 		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			return err | 			return err | ||||||
| 		} | 		} | ||||||
|   | |||||||
							
								
								
									
										16
									
								
								vendor/github.com/btcsuite/btcd/LICENSE
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										16
									
								
								vendor/github.com/btcsuite/btcd/LICENSE
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,16 @@ | |||||||
|  | ISC License | ||||||
|  |  | ||||||
|  | Copyright (c) 2013-2017 The btcsuite developers | ||||||
|  | Copyright (c) 2015-2016 The Decred developers | ||||||
|  |  | ||||||
|  | Permission to use, copy, modify, and distribute this software for any | ||||||
|  | purpose with or without fee is hereby granted, provided that the above | ||||||
|  | copyright notice and this permission notice appear in all copies. | ||||||
|  |  | ||||||
|  | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||||||
|  | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||||||
|  | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||||||
|  | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||||||
|  | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||||||
|  | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||||||
|  | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||||||
							
								
								
									
										74
									
								
								vendor/github.com/btcsuite/btcd/btcec/README.md
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										74
									
								
								vendor/github.com/btcsuite/btcd/btcec/README.md
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,74 @@ | |||||||
|  | btcec | ||||||
|  | ===== | ||||||
|  |  | ||||||
|  | [] | ||||||
|  | (https://travis-ci.org/btcsuite/btcec) [![ISC License] | ||||||
|  | (http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org) | ||||||
|  | [] | ||||||
|  | (http://godoc.org/github.com/btcsuite/btcd/btcec) | ||||||
|  |  | ||||||
|  | Package btcec implements elliptic curve cryptography needed for working with | ||||||
|  | Bitcoin (secp256k1 only for now). It is designed so that it may be used with the | ||||||
|  | standard crypto/ecdsa packages provided with go.  A comprehensive suite of test | ||||||
|  | is provided to ensure proper functionality.  Package btcec was originally based | ||||||
|  | on work from ThePiachu which is licensed under the same terms as Go, but it has | ||||||
|  | signficantly diverged since then.  The btcsuite developers original is licensed | ||||||
|  | under the liberal ISC license. | ||||||
|  |  | ||||||
|  | Although this package was primarily written for btcd, it has intentionally been | ||||||
|  | designed so it can be used as a standalone package for any projects needing to | ||||||
|  | use secp256k1 elliptic curve cryptography. | ||||||
|  |  | ||||||
|  | ## Installation and Updating | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | $ go get -u github.com/btcsuite/btcd/btcec | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ## Examples | ||||||
|  |  | ||||||
|  | * [Sign Message] | ||||||
|  |   (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--SignMessage)   | ||||||
|  |   Demonstrates signing a message with a secp256k1 private key that is first | ||||||
|  |   parsed form raw bytes and serializing the generated signature. | ||||||
|  |  | ||||||
|  | * [Verify Signature] | ||||||
|  |   (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--VerifySignature)   | ||||||
|  |   Demonstrates verifying a secp256k1 signature against a public key that is | ||||||
|  |   first parsed from raw bytes.  The signature is also parsed from raw bytes. | ||||||
|  |  | ||||||
|  | * [Encryption] | ||||||
|  |   (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--EncryptMessage) | ||||||
|  |   Demonstrates encrypting a message for a public key that is first parsed from | ||||||
|  |   raw bytes, then decrypting it using the corresponding private key. | ||||||
|  |  | ||||||
|  | * [Decryption] | ||||||
|  |   (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--DecryptMessage) | ||||||
|  |   Demonstrates decrypting a message using a private key that is first parsed | ||||||
|  |   from raw bytes. | ||||||
|  |  | ||||||
|  | ## GPG Verification Key | ||||||
|  |  | ||||||
|  | All official release tags are signed by Conformal so users can ensure the code | ||||||
|  | has not been tampered with and is coming from the btcsuite developers.  To | ||||||
|  | verify the signature perform the following: | ||||||
|  |  | ||||||
|  | - Download the public key from the Conformal website at | ||||||
|  |   https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt | ||||||
|  |  | ||||||
|  | - Import the public key into your GPG keyring: | ||||||
|  |   ```bash | ||||||
|  |   gpg --import GIT-GPG-KEY-conformal.txt | ||||||
|  |   ``` | ||||||
|  |  | ||||||
|  | - Verify the release tag with the following command where `TAG_NAME` is a | ||||||
|  |   placeholder for the specific tag: | ||||||
|  |   ```bash | ||||||
|  |   git tag -v TAG_NAME | ||||||
|  |   ``` | ||||||
|  |  | ||||||
|  | ## License | ||||||
|  |  | ||||||
|  | Package btcec is licensed under the [copyfree](http://copyfree.org) ISC License | ||||||
|  | except for btcec.go and btcec_test.go which is under the same license as Go. | ||||||
|  |  | ||||||
							
								
								
									
										956
									
								
								vendor/github.com/btcsuite/btcd/btcec/btcec.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										956
									
								
								vendor/github.com/btcsuite/btcd/btcec/btcec.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,956 @@ | |||||||
|  | // Copyright 2010 The Go Authors. All rights reserved. | ||||||
|  | // Copyright 2011 ThePiachu. All rights reserved. | ||||||
|  | // Copyright 2013-2014 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | // References: | ||||||
|  | //   [SECG]: Recommended Elliptic Curve Domain Parameters | ||||||
|  | //     http://www.secg.org/sec2-v2.pdf | ||||||
|  | // | ||||||
|  | //   [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone) | ||||||
|  |  | ||||||
|  | // This package operates, internally, on Jacobian coordinates. For a given | ||||||
|  | // (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1) | ||||||
|  | // where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole | ||||||
|  | // calculation can be performed within the transform (as in ScalarMult and | ||||||
|  | // ScalarBaseMult). But even for Add and Double, it's faster to apply and | ||||||
|  | // reverse the transform than to operate in affine coordinates. | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/elliptic" | ||||||
|  | 	"math/big" | ||||||
|  | 	"sync" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | var ( | ||||||
|  | 	// fieldOne is simply the integer 1 in field representation.  It is | ||||||
|  | 	// used to avoid needing to create it multiple times during the internal | ||||||
|  | 	// arithmetic. | ||||||
|  | 	fieldOne = new(fieldVal).SetInt(1) | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // KoblitzCurve supports a koblitz curve implementation that fits the ECC Curve | ||||||
|  | // interface from crypto/elliptic. | ||||||
|  | type KoblitzCurve struct { | ||||||
|  | 	*elliptic.CurveParams | ||||||
|  | 	q *big.Int | ||||||
|  | 	H int // cofactor of the curve. | ||||||
|  |  | ||||||
|  | 	// byteSize is simply the bit size / 8 and is provided for convenience | ||||||
|  | 	// since it is calculated repeatedly. | ||||||
|  | 	byteSize int | ||||||
|  |  | ||||||
|  | 	// bytePoints | ||||||
|  | 	bytePoints *[32][256][3]fieldVal | ||||||
|  |  | ||||||
|  | 	// The next 6 values are used specifically for endomorphism | ||||||
|  | 	// optimizations in ScalarMult. | ||||||
|  |  | ||||||
|  | 	// lambda must fulfill lambda^3 = 1 mod N where N is the order of G. | ||||||
|  | 	lambda *big.Int | ||||||
|  |  | ||||||
|  | 	// beta must fulfill beta^3 = 1 mod P where P is the prime field of the | ||||||
|  | 	// curve. | ||||||
|  | 	beta *fieldVal | ||||||
|  |  | ||||||
|  | 	// See the EndomorphismVectors in gensecp256k1.go to see how these are | ||||||
|  | 	// derived. | ||||||
|  | 	a1 *big.Int | ||||||
|  | 	b1 *big.Int | ||||||
|  | 	a2 *big.Int | ||||||
|  | 	b2 *big.Int | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Params returns the parameters for the curve. | ||||||
|  | func (curve *KoblitzCurve) Params() *elliptic.CurveParams { | ||||||
|  | 	return curve.CurveParams | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // bigAffineToField takes an affine point (x, y) as big integers and converts | ||||||
|  | // it to an affine point as field values. | ||||||
|  | func (curve *KoblitzCurve) bigAffineToField(x, y *big.Int) (*fieldVal, *fieldVal) { | ||||||
|  | 	x3, y3 := new(fieldVal), new(fieldVal) | ||||||
|  | 	x3.SetByteSlice(x.Bytes()) | ||||||
|  | 	y3.SetByteSlice(y.Bytes()) | ||||||
|  |  | ||||||
|  | 	return x3, y3 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // fieldJacobianToBigAffine takes a Jacobian point (x, y, z) as field values and | ||||||
|  | // converts it to an affine point as big integers. | ||||||
|  | func (curve *KoblitzCurve) fieldJacobianToBigAffine(x, y, z *fieldVal) (*big.Int, *big.Int) { | ||||||
|  | 	// Inversions are expensive and both point addition and point doubling | ||||||
|  | 	// are faster when working with points that have a z value of one.  So, | ||||||
|  | 	// if the point needs to be converted to affine, go ahead and normalize | ||||||
|  | 	// the point itself at the same time as the calculation is the same. | ||||||
|  | 	var zInv, tempZ fieldVal | ||||||
|  | 	zInv.Set(z).Inverse()   // zInv = Z^-1 | ||||||
|  | 	tempZ.SquareVal(&zInv)  // tempZ = Z^-2 | ||||||
|  | 	x.Mul(&tempZ)           // X = X/Z^2 (mag: 1) | ||||||
|  | 	y.Mul(tempZ.Mul(&zInv)) // Y = Y/Z^3 (mag: 1) | ||||||
|  | 	z.SetInt(1)             // Z = 1 (mag: 1) | ||||||
|  |  | ||||||
|  | 	// Normalize the x and y values. | ||||||
|  | 	x.Normalize() | ||||||
|  | 	y.Normalize() | ||||||
|  |  | ||||||
|  | 	// Convert the field values for the now affine point to big.Ints. | ||||||
|  | 	x3, y3 := new(big.Int), new(big.Int) | ||||||
|  | 	x3.SetBytes(x.Bytes()[:]) | ||||||
|  | 	y3.SetBytes(y.Bytes()[:]) | ||||||
|  | 	return x3, y3 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // IsOnCurve returns boolean if the point (x,y) is on the curve. | ||||||
|  | // Part of the elliptic.Curve interface. This function differs from the | ||||||
|  | // crypto/elliptic algorithm since a = 0 not -3. | ||||||
|  | func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool { | ||||||
|  | 	// Convert big ints to field values for faster arithmetic. | ||||||
|  | 	fx, fy := curve.bigAffineToField(x, y) | ||||||
|  |  | ||||||
|  | 	// Elliptic curve equation for secp256k1 is: y^2 = x^3 + 7 | ||||||
|  | 	y2 := new(fieldVal).SquareVal(fy).Normalize() | ||||||
|  | 	result := new(fieldVal).SquareVal(fx).Mul(fx).AddInt(7).Normalize() | ||||||
|  | 	return y2.Equals(result) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // addZ1AndZ2EqualsOne adds two Jacobian points that are already known to have | ||||||
|  | // z values of 1 and stores the result in (x3, y3, z3).  That is to say | ||||||
|  | // (x1, y1, 1) + (x2, y2, 1) = (x3, y3, z3).  It performs faster addition than | ||||||
|  | // the generic add routine since less arithmetic is needed due to the ability to | ||||||
|  | // avoid the z value multiplications. | ||||||
|  | func (curve *KoblitzCurve) addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// To compute the point addition efficiently, this implementation splits | ||||||
|  | 	// the equation into intermediate elements which are used to minimize | ||||||
|  | 	// the number of field multiplications using the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// H = X2-X1, HH = H^2, I = 4*HH, J = H*I, r = 2*(Y2-Y1), V = X1*I | ||||||
|  | 	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = 2*H | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 4 field multiplications, 2 field squarings, | ||||||
|  | 	// 6 field additions, and 5 integer multiplications. | ||||||
|  |  | ||||||
|  | 	// When the x coordinates are the same for two points on the curve, the | ||||||
|  | 	// y coordinates either must be the same, in which case it is point | ||||||
|  | 	// doubling, or they are opposite and the result is the point at | ||||||
|  | 	// infinity per the group law for elliptic curve cryptography. | ||||||
|  | 	x1.Normalize() | ||||||
|  | 	y1.Normalize() | ||||||
|  | 	x2.Normalize() | ||||||
|  | 	y2.Normalize() | ||||||
|  | 	if x1.Equals(x2) { | ||||||
|  | 		if y1.Equals(y2) { | ||||||
|  | 			// Since x1 == x2 and y1 == y2, point doubling must be | ||||||
|  | 			// done, otherwise the addition would end up dividing | ||||||
|  | 			// by zero. | ||||||
|  | 			curve.doubleJacobian(x1, y1, z1, x3, y3, z3) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Since x1 == x2 and y1 == -y2, the sum is the point at | ||||||
|  | 		// infinity per the group law. | ||||||
|  | 		x3.SetInt(0) | ||||||
|  | 		y3.SetInt(0) | ||||||
|  | 		z3.SetInt(0) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Calculate X3, Y3, and Z3 according to the intermediate elements | ||||||
|  | 	// breakdown above. | ||||||
|  | 	var h, i, j, r, v fieldVal | ||||||
|  | 	var negJ, neg2V, negX3 fieldVal | ||||||
|  | 	h.Set(x1).Negate(1).Add(x2)                // H = X2-X1 (mag: 3) | ||||||
|  | 	i.SquareVal(&h).MulInt(4)                  // I = 4*H^2 (mag: 4) | ||||||
|  | 	j.Mul2(&h, &i)                             // J = H*I (mag: 1) | ||||||
|  | 	r.Set(y1).Negate(1).Add(y2).MulInt(2)      // r = 2*(Y2-Y1) (mag: 6) | ||||||
|  | 	v.Mul2(x1, &i)                             // V = X1*I (mag: 1) | ||||||
|  | 	negJ.Set(&j).Negate(1)                     // negJ = -J (mag: 2) | ||||||
|  | 	neg2V.Set(&v).MulInt(2).Negate(2)          // neg2V = -(2*V) (mag: 3) | ||||||
|  | 	x3.Set(&r).Square().Add(&negJ).Add(&neg2V) // X3 = r^2-J-2*V (mag: 6) | ||||||
|  | 	negX3.Set(x3).Negate(6)                    // negX3 = -X3 (mag: 7) | ||||||
|  | 	j.Mul(y1).MulInt(2).Negate(2)              // J = -(2*Y1*J) (mag: 3) | ||||||
|  | 	y3.Set(&v).Add(&negX3).Mul(&r).Add(&j)     // Y3 = r*(V-X3)-2*Y1*J (mag: 4) | ||||||
|  | 	z3.Set(&h).MulInt(2)                       // Z3 = 2*H (mag: 6) | ||||||
|  |  | ||||||
|  | 	// Normalize the resulting field values to a magnitude of 1 as needed. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | 	z3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // addZ1EqualsZ2 adds two Jacobian points that are already known to have the | ||||||
|  | // same z value and stores the result in (x3, y3, z3).  That is to say | ||||||
|  | // (x1, y1, z1) + (x2, y2, z1) = (x3, y3, z3).  It performs faster addition than | ||||||
|  | // the generic add routine since less arithmetic is needed due to the known | ||||||
|  | // equivalence. | ||||||
|  | func (curve *KoblitzCurve) addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// To compute the point addition efficiently, this implementation splits | ||||||
|  | 	// the equation into intermediate elements which are used to minimize | ||||||
|  | 	// the number of field multiplications using a slightly modified version | ||||||
|  | 	// of the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// A = X2-X1, B = A^2, C=Y2-Y1, D = C^2, E = X1*B, F = X2*B | ||||||
|  | 	// X3 = D-E-F, Y3 = C*(E-X3)-Y1*(F-E), Z3 = Z1*A | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 5 field multiplications, 2 field squarings, | ||||||
|  | 	// 9 field additions, and 0 integer multiplications. | ||||||
|  |  | ||||||
|  | 	// When the x coordinates are the same for two points on the curve, the | ||||||
|  | 	// y coordinates either must be the same, in which case it is point | ||||||
|  | 	// doubling, or they are opposite and the result is the point at | ||||||
|  | 	// infinity per the group law for elliptic curve cryptography. | ||||||
|  | 	x1.Normalize() | ||||||
|  | 	y1.Normalize() | ||||||
|  | 	x2.Normalize() | ||||||
|  | 	y2.Normalize() | ||||||
|  | 	if x1.Equals(x2) { | ||||||
|  | 		if y1.Equals(y2) { | ||||||
|  | 			// Since x1 == x2 and y1 == y2, point doubling must be | ||||||
|  | 			// done, otherwise the addition would end up dividing | ||||||
|  | 			// by zero. | ||||||
|  | 			curve.doubleJacobian(x1, y1, z1, x3, y3, z3) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Since x1 == x2 and y1 == -y2, the sum is the point at | ||||||
|  | 		// infinity per the group law. | ||||||
|  | 		x3.SetInt(0) | ||||||
|  | 		y3.SetInt(0) | ||||||
|  | 		z3.SetInt(0) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Calculate X3, Y3, and Z3 according to the intermediate elements | ||||||
|  | 	// breakdown above. | ||||||
|  | 	var a, b, c, d, e, f fieldVal | ||||||
|  | 	var negX1, negY1, negE, negX3 fieldVal | ||||||
|  | 	negX1.Set(x1).Negate(1)                // negX1 = -X1 (mag: 2) | ||||||
|  | 	negY1.Set(y1).Negate(1)                // negY1 = -Y1 (mag: 2) | ||||||
|  | 	a.Set(&negX1).Add(x2)                  // A = X2-X1 (mag: 3) | ||||||
|  | 	b.SquareVal(&a)                        // B = A^2 (mag: 1) | ||||||
|  | 	c.Set(&negY1).Add(y2)                  // C = Y2-Y1 (mag: 3) | ||||||
|  | 	d.SquareVal(&c)                        // D = C^2 (mag: 1) | ||||||
|  | 	e.Mul2(x1, &b)                         // E = X1*B (mag: 1) | ||||||
|  | 	negE.Set(&e).Negate(1)                 // negE = -E (mag: 2) | ||||||
|  | 	f.Mul2(x2, &b)                         // F = X2*B (mag: 1) | ||||||
|  | 	x3.Add2(&e, &f).Negate(3).Add(&d)      // X3 = D-E-F (mag: 5) | ||||||
|  | 	negX3.Set(x3).Negate(5).Normalize()    // negX3 = -X3 (mag: 1) | ||||||
|  | 	y3.Set(y1).Mul(f.Add(&negE)).Negate(3) // Y3 = -(Y1*(F-E)) (mag: 4) | ||||||
|  | 	y3.Add(e.Add(&negX3).Mul(&c))          // Y3 = C*(E-X3)+Y3 (mag: 5) | ||||||
|  | 	z3.Mul2(z1, &a)                        // Z3 = Z1*A (mag: 1) | ||||||
|  |  | ||||||
|  | 	// Normalize the resulting field values to a magnitude of 1 as needed. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // addZ2EqualsOne adds two Jacobian points when the second point is already | ||||||
|  | // known to have a z value of 1 (and the z value for the first point is not 1) | ||||||
|  | // and stores the result in (x3, y3, z3).  That is to say (x1, y1, z1) + | ||||||
|  | // (x2, y2, 1) = (x3, y3, z3).  It performs faster addition than the generic | ||||||
|  | // add routine since less arithmetic is needed due to the ability to avoid | ||||||
|  | // multiplications by the second point's z value. | ||||||
|  | func (curve *KoblitzCurve) addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// To compute the point addition efficiently, this implementation splits | ||||||
|  | 	// the equation into intermediate elements which are used to minimize | ||||||
|  | 	// the number of field multiplications using the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// Z1Z1 = Z1^2, U2 = X2*Z1Z1, S2 = Y2*Z1*Z1Z1, H = U2-X1, HH = H^2, | ||||||
|  | 	// I = 4*HH, J = H*I, r = 2*(S2-Y1), V = X1*I | ||||||
|  | 	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = (Z1+H)^2-Z1Z1-HH | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 7 field multiplications, 4 field squarings, | ||||||
|  | 	// 9 field additions, and 4 integer multiplications. | ||||||
|  |  | ||||||
|  | 	// When the x coordinates are the same for two points on the curve, the | ||||||
|  | 	// y coordinates either must be the same, in which case it is point | ||||||
|  | 	// doubling, or they are opposite and the result is the point at | ||||||
|  | 	// infinity per the group law for elliptic curve cryptography.  Since | ||||||
|  | 	// any number of Jacobian coordinates can represent the same affine | ||||||
|  | 	// point, the x and y values need to be converted to like terms.  Due to | ||||||
|  | 	// the assumption made for this function that the second point has a z | ||||||
|  | 	// value of 1 (z2=1), the first point is already "converted". | ||||||
|  | 	var z1z1, u2, s2 fieldVal | ||||||
|  | 	x1.Normalize() | ||||||
|  | 	y1.Normalize() | ||||||
|  | 	z1z1.SquareVal(z1)                        // Z1Z1 = Z1^2 (mag: 1) | ||||||
|  | 	u2.Set(x2).Mul(&z1z1).Normalize()         // U2 = X2*Z1Z1 (mag: 1) | ||||||
|  | 	s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1) | ||||||
|  | 	if x1.Equals(&u2) { | ||||||
|  | 		if y1.Equals(&s2) { | ||||||
|  | 			// Since x1 == x2 and y1 == y2, point doubling must be | ||||||
|  | 			// done, otherwise the addition would end up dividing | ||||||
|  | 			// by zero. | ||||||
|  | 			curve.doubleJacobian(x1, y1, z1, x3, y3, z3) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Since x1 == x2 and y1 == -y2, the sum is the point at | ||||||
|  | 		// infinity per the group law. | ||||||
|  | 		x3.SetInt(0) | ||||||
|  | 		y3.SetInt(0) | ||||||
|  | 		z3.SetInt(0) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Calculate X3, Y3, and Z3 according to the intermediate elements | ||||||
|  | 	// breakdown above. | ||||||
|  | 	var h, hh, i, j, r, rr, v fieldVal | ||||||
|  | 	var negX1, negY1, negX3 fieldVal | ||||||
|  | 	negX1.Set(x1).Negate(1)                // negX1 = -X1 (mag: 2) | ||||||
|  | 	h.Add2(&u2, &negX1)                    // H = U2-X1 (mag: 3) | ||||||
|  | 	hh.SquareVal(&h)                       // HH = H^2 (mag: 1) | ||||||
|  | 	i.Set(&hh).MulInt(4)                   // I = 4 * HH (mag: 4) | ||||||
|  | 	j.Mul2(&h, &i)                         // J = H*I (mag: 1) | ||||||
|  | 	negY1.Set(y1).Negate(1)                // negY1 = -Y1 (mag: 2) | ||||||
|  | 	r.Set(&s2).Add(&negY1).MulInt(2)       // r = 2*(S2-Y1) (mag: 6) | ||||||
|  | 	rr.SquareVal(&r)                       // rr = r^2 (mag: 1) | ||||||
|  | 	v.Mul2(x1, &i)                         // V = X1*I (mag: 1) | ||||||
|  | 	x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4) | ||||||
|  | 	x3.Add(&rr)                            // X3 = r^2+X3 (mag: 5) | ||||||
|  | 	negX3.Set(x3).Negate(5)                // negX3 = -X3 (mag: 6) | ||||||
|  | 	y3.Set(y1).Mul(&j).MulInt(2).Negate(2) // Y3 = -(2*Y1*J) (mag: 3) | ||||||
|  | 	y3.Add(v.Add(&negX3).Mul(&r))          // Y3 = r*(V-X3)+Y3 (mag: 4) | ||||||
|  | 	z3.Add2(z1, &h).Square()               // Z3 = (Z1+H)^2 (mag: 1) | ||||||
|  | 	z3.Add(z1z1.Add(&hh).Negate(2))        // Z3 = Z3-(Z1Z1+HH) (mag: 4) | ||||||
|  |  | ||||||
|  | 	// Normalize the resulting field values to a magnitude of 1 as needed. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | 	z3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // addGeneric adds two Jacobian points (x1, y1, z1) and (x2, y2, z2) without any | ||||||
|  | // assumptions about the z values of the two points and stores the result in | ||||||
|  | // (x3, y3, z3).  That is to say (x1, y1, z1) + (x2, y2, z2) = (x3, y3, z3).  It | ||||||
|  | // is the slowest of the add routines due to requiring the most arithmetic. | ||||||
|  | func (curve *KoblitzCurve) addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// To compute the point addition efficiently, this implementation splits | ||||||
|  | 	// the equation into intermediate elements which are used to minimize | ||||||
|  | 	// the number of field multiplications using the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// Z1Z1 = Z1^2, Z2Z2 = Z2^2, U1 = X1*Z2Z2, U2 = X2*Z1Z1, S1 = Y1*Z2*Z2Z2 | ||||||
|  | 	// S2 = Y2*Z1*Z1Z1, H = U2-U1, I = (2*H)^2, J = H*I, r = 2*(S2-S1) | ||||||
|  | 	// V = U1*I | ||||||
|  | 	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*S1*J, Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 11 field multiplications, 5 field squarings, | ||||||
|  | 	// 9 field additions, and 4 integer multiplications. | ||||||
|  |  | ||||||
|  | 	// When the x coordinates are the same for two points on the curve, the | ||||||
|  | 	// y coordinates either must be the same, in which case it is point | ||||||
|  | 	// doubling, or they are opposite and the result is the point at | ||||||
|  | 	// infinity.  Since any number of Jacobian coordinates can represent the | ||||||
|  | 	// same affine point, the x and y values need to be converted to like | ||||||
|  | 	// terms. | ||||||
|  | 	var z1z1, z2z2, u1, u2, s1, s2 fieldVal | ||||||
|  | 	z1z1.SquareVal(z1)                        // Z1Z1 = Z1^2 (mag: 1) | ||||||
|  | 	z2z2.SquareVal(z2)                        // Z2Z2 = Z2^2 (mag: 1) | ||||||
|  | 	u1.Set(x1).Mul(&z2z2).Normalize()         // U1 = X1*Z2Z2 (mag: 1) | ||||||
|  | 	u2.Set(x2).Mul(&z1z1).Normalize()         // U2 = X2*Z1Z1 (mag: 1) | ||||||
|  | 	s1.Set(y1).Mul(&z2z2).Mul(z2).Normalize() // S1 = Y1*Z2*Z2Z2 (mag: 1) | ||||||
|  | 	s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1) | ||||||
|  | 	if u1.Equals(&u2) { | ||||||
|  | 		if s1.Equals(&s2) { | ||||||
|  | 			// Since x1 == x2 and y1 == y2, point doubling must be | ||||||
|  | 			// done, otherwise the addition would end up dividing | ||||||
|  | 			// by zero. | ||||||
|  | 			curve.doubleJacobian(x1, y1, z1, x3, y3, z3) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Since x1 == x2 and y1 == -y2, the sum is the point at | ||||||
|  | 		// infinity per the group law. | ||||||
|  | 		x3.SetInt(0) | ||||||
|  | 		y3.SetInt(0) | ||||||
|  | 		z3.SetInt(0) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Calculate X3, Y3, and Z3 according to the intermediate elements | ||||||
|  | 	// breakdown above. | ||||||
|  | 	var h, i, j, r, rr, v fieldVal | ||||||
|  | 	var negU1, negS1, negX3 fieldVal | ||||||
|  | 	negU1.Set(&u1).Negate(1)               // negU1 = -U1 (mag: 2) | ||||||
|  | 	h.Add2(&u2, &negU1)                    // H = U2-U1 (mag: 3) | ||||||
|  | 	i.Set(&h).MulInt(2).Square()           // I = (2*H)^2 (mag: 2) | ||||||
|  | 	j.Mul2(&h, &i)                         // J = H*I (mag: 1) | ||||||
|  | 	negS1.Set(&s1).Negate(1)               // negS1 = -S1 (mag: 2) | ||||||
|  | 	r.Set(&s2).Add(&negS1).MulInt(2)       // r = 2*(S2-S1) (mag: 6) | ||||||
|  | 	rr.SquareVal(&r)                       // rr = r^2 (mag: 1) | ||||||
|  | 	v.Mul2(&u1, &i)                        // V = U1*I (mag: 1) | ||||||
|  | 	x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4) | ||||||
|  | 	x3.Add(&rr)                            // X3 = r^2+X3 (mag: 5) | ||||||
|  | 	negX3.Set(x3).Negate(5)                // negX3 = -X3 (mag: 6) | ||||||
|  | 	y3.Mul2(&s1, &j).MulInt(2).Negate(2)   // Y3 = -(2*S1*J) (mag: 3) | ||||||
|  | 	y3.Add(v.Add(&negX3).Mul(&r))          // Y3 = r*(V-X3)+Y3 (mag: 4) | ||||||
|  | 	z3.Add2(z1, z2).Square()               // Z3 = (Z1+Z2)^2 (mag: 1) | ||||||
|  | 	z3.Add(z1z1.Add(&z2z2).Negate(2))      // Z3 = Z3-(Z1Z1+Z2Z2) (mag: 4) | ||||||
|  | 	z3.Mul(&h)                             // Z3 = Z3*H (mag: 1) | ||||||
|  |  | ||||||
|  | 	// Normalize the resulting field values to a magnitude of 1 as needed. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // addJacobian adds the passed Jacobian points (x1, y1, z1) and (x2, y2, z2) | ||||||
|  | // together and stores the result in (x3, y3, z3). | ||||||
|  | func (curve *KoblitzCurve) addJacobian(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// A point at infinity is the identity according to the group law for | ||||||
|  | 	// elliptic curve cryptography.  Thus, ∞ + P = P and P + ∞ = P. | ||||||
|  | 	if (x1.IsZero() && y1.IsZero()) || z1.IsZero() { | ||||||
|  | 		x3.Set(x2) | ||||||
|  | 		y3.Set(y2) | ||||||
|  | 		z3.Set(z2) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  | 	if (x2.IsZero() && y2.IsZero()) || z2.IsZero() { | ||||||
|  | 		x3.Set(x1) | ||||||
|  | 		y3.Set(y1) | ||||||
|  | 		z3.Set(z1) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Faster point addition can be achieved when certain assumptions are | ||||||
|  | 	// met.  For example, when both points have the same z value, arithmetic | ||||||
|  | 	// on the z values can be avoided.  This section thus checks for these | ||||||
|  | 	// conditions and calls an appropriate add function which is accelerated | ||||||
|  | 	// by using those assumptions. | ||||||
|  | 	z1.Normalize() | ||||||
|  | 	z2.Normalize() | ||||||
|  | 	isZ1One := z1.Equals(fieldOne) | ||||||
|  | 	isZ2One := z2.Equals(fieldOne) | ||||||
|  | 	switch { | ||||||
|  | 	case isZ1One && isZ2One: | ||||||
|  | 		curve.addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3) | ||||||
|  | 		return | ||||||
|  | 	case z1.Equals(z2): | ||||||
|  | 		curve.addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3) | ||||||
|  | 		return | ||||||
|  | 	case isZ2One: | ||||||
|  | 		curve.addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// None of the above assumptions are true, so fall back to generic | ||||||
|  | 	// point addition. | ||||||
|  | 	curve.addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Add returns the sum of (x1,y1) and (x2,y2). Part of the elliptic.Curve | ||||||
|  | // interface. | ||||||
|  | func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) { | ||||||
|  | 	// A point at infinity is the identity according to the group law for | ||||||
|  | 	// elliptic curve cryptography.  Thus, ∞ + P = P and P + ∞ = P. | ||||||
|  | 	if x1.Sign() == 0 && y1.Sign() == 0 { | ||||||
|  | 		return x2, y2 | ||||||
|  | 	} | ||||||
|  | 	if x2.Sign() == 0 && y2.Sign() == 0 { | ||||||
|  | 		return x1, y1 | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Convert the affine coordinates from big integers to field values | ||||||
|  | 	// and do the point addition in Jacobian projective space. | ||||||
|  | 	fx1, fy1 := curve.bigAffineToField(x1, y1) | ||||||
|  | 	fx2, fy2 := curve.bigAffineToField(x2, y2) | ||||||
|  | 	fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal) | ||||||
|  | 	fOne := new(fieldVal).SetInt(1) | ||||||
|  | 	curve.addJacobian(fx1, fy1, fOne, fx2, fy2, fOne, fx3, fy3, fz3) | ||||||
|  |  | ||||||
|  | 	// Convert the Jacobian coordinate field values back to affine big | ||||||
|  | 	// integers. | ||||||
|  | 	return curve.fieldJacobianToBigAffine(fx3, fy3, fz3) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // doubleZ1EqualsOne performs point doubling on the passed Jacobian point | ||||||
|  | // when the point is already known to have a z value of 1 and stores | ||||||
|  | // the result in (x3, y3, z3).  That is to say (x3, y3, z3) = 2*(x1, y1, 1).  It | ||||||
|  | // performs faster point doubling than the generic routine since less arithmetic | ||||||
|  | // is needed due to the ability to avoid multiplication by the z value. | ||||||
|  | func (curve *KoblitzCurve) doubleZ1EqualsOne(x1, y1, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// This function uses the assumptions that z1 is 1, thus the point | ||||||
|  | 	// doubling formulas reduce to: | ||||||
|  | 	// | ||||||
|  | 	// X3 = (3*X1^2)^2 - 8*X1*Y1^2 | ||||||
|  | 	// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4 | ||||||
|  | 	// Z3 = 2*Y1 | ||||||
|  | 	// | ||||||
|  | 	// To compute the above efficiently, this implementation splits the | ||||||
|  | 	// equation into intermediate elements which are used to minimize the | ||||||
|  | 	// number of field multiplications in favor of field squarings which | ||||||
|  | 	// are roughly 35% faster than field multiplications with the current | ||||||
|  | 	// implementation at the time this was written. | ||||||
|  | 	// | ||||||
|  | 	// This uses a slightly modified version of the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C) | ||||||
|  | 	// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C | ||||||
|  | 	// Z3 = 2*Y1 | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 1 field multiplication, 5 field squarings, | ||||||
|  | 	// 6 field additions, and 5 integer multiplications. | ||||||
|  | 	var a, b, c, d, e, f fieldVal | ||||||
|  | 	z3.Set(y1).MulInt(2)                     // Z3 = 2*Y1 (mag: 2) | ||||||
|  | 	a.SquareVal(x1)                          // A = X1^2 (mag: 1) | ||||||
|  | 	b.SquareVal(y1)                          // B = Y1^2 (mag: 1) | ||||||
|  | 	c.SquareVal(&b)                          // C = B^2 (mag: 1) | ||||||
|  | 	b.Add(x1).Square()                       // B = (X1+B)^2 (mag: 1) | ||||||
|  | 	d.Set(&a).Add(&c).Negate(2)              // D = -(A+C) (mag: 3) | ||||||
|  | 	d.Add(&b).MulInt(2)                      // D = 2*(B+D)(mag: 8) | ||||||
|  | 	e.Set(&a).MulInt(3)                      // E = 3*A (mag: 3) | ||||||
|  | 	f.SquareVal(&e)                          // F = E^2 (mag: 1) | ||||||
|  | 	x3.Set(&d).MulInt(2).Negate(16)          // X3 = -(2*D) (mag: 17) | ||||||
|  | 	x3.Add(&f)                               // X3 = F+X3 (mag: 18) | ||||||
|  | 	f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1) | ||||||
|  | 	y3.Set(&c).MulInt(8).Negate(8)           // Y3 = -(8*C) (mag: 9) | ||||||
|  | 	y3.Add(f.Mul(&e))                        // Y3 = E*F+Y3 (mag: 10) | ||||||
|  |  | ||||||
|  | 	// Normalize the field values back to a magnitude of 1. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | 	z3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // doubleGeneric performs point doubling on the passed Jacobian point without | ||||||
|  | // any assumptions about the z value and stores the result in (x3, y3, z3). | ||||||
|  | // That is to say (x3, y3, z3) = 2*(x1, y1, z1).  It is the slowest of the point | ||||||
|  | // doubling routines due to requiring the most arithmetic. | ||||||
|  | func (curve *KoblitzCurve) doubleGeneric(x1, y1, z1, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// Point doubling formula for Jacobian coordinates for the secp256k1 | ||||||
|  | 	// curve: | ||||||
|  | 	// X3 = (3*X1^2)^2 - 8*X1*Y1^2 | ||||||
|  | 	// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4 | ||||||
|  | 	// Z3 = 2*Y1*Z1 | ||||||
|  | 	// | ||||||
|  | 	// To compute the above efficiently, this implementation splits the | ||||||
|  | 	// equation into intermediate elements which are used to minimize the | ||||||
|  | 	// number of field multiplications in favor of field squarings which | ||||||
|  | 	// are roughly 35% faster than field multiplications with the current | ||||||
|  | 	// implementation at the time this was written. | ||||||
|  | 	// | ||||||
|  | 	// This uses a slightly modified version of the method shown at: | ||||||
|  | 	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l | ||||||
|  | 	// | ||||||
|  | 	// In particular it performs the calculations using the following: | ||||||
|  | 	// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C) | ||||||
|  | 	// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C | ||||||
|  | 	// Z3 = 2*Y1*Z1 | ||||||
|  | 	// | ||||||
|  | 	// This results in a cost of 1 field multiplication, 5 field squarings, | ||||||
|  | 	// 6 field additions, and 5 integer multiplications. | ||||||
|  | 	var a, b, c, d, e, f fieldVal | ||||||
|  | 	z3.Mul2(y1, z1).MulInt(2)                // Z3 = 2*Y1*Z1 (mag: 2) | ||||||
|  | 	a.SquareVal(x1)                          // A = X1^2 (mag: 1) | ||||||
|  | 	b.SquareVal(y1)                          // B = Y1^2 (mag: 1) | ||||||
|  | 	c.SquareVal(&b)                          // C = B^2 (mag: 1) | ||||||
|  | 	b.Add(x1).Square()                       // B = (X1+B)^2 (mag: 1) | ||||||
|  | 	d.Set(&a).Add(&c).Negate(2)              // D = -(A+C) (mag: 3) | ||||||
|  | 	d.Add(&b).MulInt(2)                      // D = 2*(B+D)(mag: 8) | ||||||
|  | 	e.Set(&a).MulInt(3)                      // E = 3*A (mag: 3) | ||||||
|  | 	f.SquareVal(&e)                          // F = E^2 (mag: 1) | ||||||
|  | 	x3.Set(&d).MulInt(2).Negate(16)          // X3 = -(2*D) (mag: 17) | ||||||
|  | 	x3.Add(&f)                               // X3 = F+X3 (mag: 18) | ||||||
|  | 	f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1) | ||||||
|  | 	y3.Set(&c).MulInt(8).Negate(8)           // Y3 = -(8*C) (mag: 9) | ||||||
|  | 	y3.Add(f.Mul(&e))                        // Y3 = E*F+Y3 (mag: 10) | ||||||
|  |  | ||||||
|  | 	// Normalize the field values back to a magnitude of 1. | ||||||
|  | 	x3.Normalize() | ||||||
|  | 	y3.Normalize() | ||||||
|  | 	z3.Normalize() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // doubleJacobian doubles the passed Jacobian point (x1, y1, z1) and stores the | ||||||
|  | // result in (x3, y3, z3). | ||||||
|  | func (curve *KoblitzCurve) doubleJacobian(x1, y1, z1, x3, y3, z3 *fieldVal) { | ||||||
|  | 	// Doubling a point at infinity is still infinity. | ||||||
|  | 	if y1.IsZero() || z1.IsZero() { | ||||||
|  | 		x3.SetInt(0) | ||||||
|  | 		y3.SetInt(0) | ||||||
|  | 		z3.SetInt(0) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Slightly faster point doubling can be achieved when the z value is 1 | ||||||
|  | 	// by avoiding the multiplication on the z value.  This section calls | ||||||
|  | 	// a point doubling function which is accelerated by using that | ||||||
|  | 	// assumption when possible. | ||||||
|  | 	if z1.Normalize().Equals(fieldOne) { | ||||||
|  | 		curve.doubleZ1EqualsOne(x1, y1, x3, y3, z3) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Fall back to generic point doubling which works with arbitrary z | ||||||
|  | 	// values. | ||||||
|  | 	curve.doubleGeneric(x1, y1, z1, x3, y3, z3) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Double returns 2*(x1,y1). Part of the elliptic.Curve interface. | ||||||
|  | func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) { | ||||||
|  | 	if y1.Sign() == 0 { | ||||||
|  | 		return new(big.Int), new(big.Int) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Convert the affine coordinates from big integers to field values | ||||||
|  | 	// and do the point doubling in Jacobian projective space. | ||||||
|  | 	fx1, fy1 := curve.bigAffineToField(x1, y1) | ||||||
|  | 	fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal) | ||||||
|  | 	fOne := new(fieldVal).SetInt(1) | ||||||
|  | 	curve.doubleJacobian(fx1, fy1, fOne, fx3, fy3, fz3) | ||||||
|  |  | ||||||
|  | 	// Convert the Jacobian coordinate field values back to affine big | ||||||
|  | 	// integers. | ||||||
|  | 	return curve.fieldJacobianToBigAffine(fx3, fy3, fz3) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // splitK returns a balanced length-two representation of k and their signs. | ||||||
|  | // This is algorithm 3.74 from [GECC]. | ||||||
|  | // | ||||||
|  | // One thing of note about this algorithm is that no matter what c1 and c2 are, | ||||||
|  | // the final equation of k = k1 + k2 * lambda (mod n) will hold.  This is | ||||||
|  | // provable mathematically due to how a1/b1/a2/b2 are computed. | ||||||
|  | // | ||||||
|  | // c1 and c2 are chosen to minimize the max(k1,k2). | ||||||
|  | func (curve *KoblitzCurve) splitK(k []byte) ([]byte, []byte, int, int) { | ||||||
|  | 	// All math here is done with big.Int, which is slow. | ||||||
|  | 	// At some point, it might be useful to write something similar to | ||||||
|  | 	// fieldVal but for N instead of P as the prime field if this ends up | ||||||
|  | 	// being a bottleneck. | ||||||
|  | 	bigIntK := new(big.Int) | ||||||
|  | 	c1, c2 := new(big.Int), new(big.Int) | ||||||
|  | 	tmp1, tmp2 := new(big.Int), new(big.Int) | ||||||
|  | 	k1, k2 := new(big.Int), new(big.Int) | ||||||
|  |  | ||||||
|  | 	bigIntK.SetBytes(k) | ||||||
|  | 	// c1 = round(b2 * k / n) from step 4. | ||||||
|  | 	// Rounding isn't really necessary and costs too much, hence skipped | ||||||
|  | 	c1.Mul(curve.b2, bigIntK) | ||||||
|  | 	c1.Div(c1, curve.N) | ||||||
|  | 	// c2 = round(b1 * k / n) from step 4 (sign reversed to optimize one step) | ||||||
|  | 	// Rounding isn't really necessary and costs too much, hence skipped | ||||||
|  | 	c2.Mul(curve.b1, bigIntK) | ||||||
|  | 	c2.Div(c2, curve.N) | ||||||
|  | 	// k1 = k - c1 * a1 - c2 * a2 from step 5 (note c2's sign is reversed) | ||||||
|  | 	tmp1.Mul(c1, curve.a1) | ||||||
|  | 	tmp2.Mul(c2, curve.a2) | ||||||
|  | 	k1.Sub(bigIntK, tmp1) | ||||||
|  | 	k1.Add(k1, tmp2) | ||||||
|  | 	// k2 = - c1 * b1 - c2 * b2 from step 5 (note c2's sign is reversed) | ||||||
|  | 	tmp1.Mul(c1, curve.b1) | ||||||
|  | 	tmp2.Mul(c2, curve.b2) | ||||||
|  | 	k2.Sub(tmp2, tmp1) | ||||||
|  |  | ||||||
|  | 	// Note Bytes() throws out the sign of k1 and k2. This matters | ||||||
|  | 	// since k1 and/or k2 can be negative. Hence, we pass that | ||||||
|  | 	// back separately. | ||||||
|  | 	return k1.Bytes(), k2.Bytes(), k1.Sign(), k2.Sign() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // moduloReduce reduces k from more than 32 bytes to 32 bytes and under.  This | ||||||
|  | // is done by doing a simple modulo curve.N.  We can do this since G^N = 1 and | ||||||
|  | // thus any other valid point on the elliptic curve has the same order. | ||||||
|  | func (curve *KoblitzCurve) moduloReduce(k []byte) []byte { | ||||||
|  | 	// Since the order of G is curve.N, we can use a much smaller number | ||||||
|  | 	// by doing modulo curve.N | ||||||
|  | 	if len(k) > curve.byteSize { | ||||||
|  | 		// Reduce k by performing modulo curve.N. | ||||||
|  | 		tmpK := new(big.Int).SetBytes(k) | ||||||
|  | 		tmpK.Mod(tmpK, curve.N) | ||||||
|  | 		return tmpK.Bytes() | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return k | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // NAF takes a positive integer k and returns the Non-Adjacent Form (NAF) as two | ||||||
|  | // byte slices.  The first is where 1s will be.  The second is where -1s will | ||||||
|  | // be.  NAF is convenient in that on average, only 1/3rd of its values are | ||||||
|  | // non-zero.  This is algorithm 3.30 from [GECC]. | ||||||
|  | // | ||||||
|  | // Essentially, this makes it possible to minimize the number of operations | ||||||
|  | // since the resulting ints returned will be at least 50% 0s. | ||||||
|  | func NAF(k []byte) ([]byte, []byte) { | ||||||
|  | 	// The essence of this algorithm is that whenever we have consecutive 1s | ||||||
|  | 	// in the binary, we want to put a -1 in the lowest bit and get a bunch | ||||||
|  | 	// of 0s up to the highest bit of consecutive 1s.  This is due to this | ||||||
|  | 	// identity: | ||||||
|  | 	// 2^n + 2^(n-1) + 2^(n-2) + ... + 2^(n-k) = 2^(n+1) - 2^(n-k) | ||||||
|  | 	// | ||||||
|  | 	// The algorithm thus may need to go 1 more bit than the length of the | ||||||
|  | 	// bits we actually have, hence bits being 1 bit longer than was | ||||||
|  | 	// necessary.  Since we need to know whether adding will cause a carry, | ||||||
|  | 	// we go from right-to-left in this addition. | ||||||
|  | 	var carry, curIsOne, nextIsOne bool | ||||||
|  | 	// these default to zero | ||||||
|  | 	retPos := make([]byte, len(k)+1) | ||||||
|  | 	retNeg := make([]byte, len(k)+1) | ||||||
|  | 	for i := len(k) - 1; i >= 0; i-- { | ||||||
|  | 		curByte := k[i] | ||||||
|  | 		for j := uint(0); j < 8; j++ { | ||||||
|  | 			curIsOne = curByte&1 == 1 | ||||||
|  | 			if j == 7 { | ||||||
|  | 				if i == 0 { | ||||||
|  | 					nextIsOne = false | ||||||
|  | 				} else { | ||||||
|  | 					nextIsOne = k[i-1]&1 == 1 | ||||||
|  | 				} | ||||||
|  | 			} else { | ||||||
|  | 				nextIsOne = curByte&2 == 2 | ||||||
|  | 			} | ||||||
|  | 			if carry { | ||||||
|  | 				if curIsOne { | ||||||
|  | 					// This bit is 1, so continue to carry | ||||||
|  | 					// and don't need to do anything. | ||||||
|  | 				} else { | ||||||
|  | 					// We've hit a 0 after some number of | ||||||
|  | 					// 1s. | ||||||
|  | 					if nextIsOne { | ||||||
|  | 						// Start carrying again since | ||||||
|  | 						// a new sequence of 1s is | ||||||
|  | 						// starting. | ||||||
|  | 						retNeg[i+1] += 1 << j | ||||||
|  | 					} else { | ||||||
|  | 						// Stop carrying since 1s have | ||||||
|  | 						// stopped. | ||||||
|  | 						carry = false | ||||||
|  | 						retPos[i+1] += 1 << j | ||||||
|  | 					} | ||||||
|  | 				} | ||||||
|  | 			} else if curIsOne { | ||||||
|  | 				if nextIsOne { | ||||||
|  | 					// If this is the start of at least 2 | ||||||
|  | 					// consecutive 1s, set the current one | ||||||
|  | 					// to -1 and start carrying. | ||||||
|  | 					retNeg[i+1] += 1 << j | ||||||
|  | 					carry = true | ||||||
|  | 				} else { | ||||||
|  | 					// This is a singleton, not consecutive | ||||||
|  | 					// 1s. | ||||||
|  | 					retPos[i+1] += 1 << j | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			curByte >>= 1 | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	if carry { | ||||||
|  | 		retPos[0] = 1 | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return retPos, retNeg | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ScalarMult returns k*(Bx, By) where k is a big endian integer. | ||||||
|  | // Part of the elliptic.Curve interface. | ||||||
|  | func (curve *KoblitzCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) { | ||||||
|  | 	// Point Q = ∞ (point at infinity). | ||||||
|  | 	qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal) | ||||||
|  |  | ||||||
|  | 	// Decompose K into k1 and k2 in order to halve the number of EC ops. | ||||||
|  | 	// See Algorithm 3.74 in [GECC]. | ||||||
|  | 	k1, k2, signK1, signK2 := curve.splitK(curve.moduloReduce(k)) | ||||||
|  |  | ||||||
|  | 	// The main equation here to remember is: | ||||||
|  | 	//   k * P = k1 * P + k2 * ϕ(P) | ||||||
|  | 	// | ||||||
|  | 	// P1 below is P in the equation, P2 below is ϕ(P) in the equation | ||||||
|  | 	p1x, p1y := curve.bigAffineToField(Bx, By) | ||||||
|  | 	p1yNeg := new(fieldVal).NegateVal(p1y, 1) | ||||||
|  | 	p1z := new(fieldVal).SetInt(1) | ||||||
|  |  | ||||||
|  | 	// NOTE: ϕ(x,y) = (βx,y).  The Jacobian z coordinate is 1, so this math | ||||||
|  | 	// goes through. | ||||||
|  | 	p2x := new(fieldVal).Mul2(p1x, curve.beta) | ||||||
|  | 	p2y := new(fieldVal).Set(p1y) | ||||||
|  | 	p2yNeg := new(fieldVal).NegateVal(p2y, 1) | ||||||
|  | 	p2z := new(fieldVal).SetInt(1) | ||||||
|  |  | ||||||
|  | 	// Flip the positive and negative values of the points as needed | ||||||
|  | 	// depending on the signs of k1 and k2.  As mentioned in the equation | ||||||
|  | 	// above, each of k1 and k2 are multiplied by the respective point. | ||||||
|  | 	// Since -k * P is the same thing as k * -P, and the group law for | ||||||
|  | 	// elliptic curves states that P(x, y) = -P(x, -y), it's faster and | ||||||
|  | 	// simplifies the code to just make the point negative. | ||||||
|  | 	if signK1 == -1 { | ||||||
|  | 		p1y, p1yNeg = p1yNeg, p1y | ||||||
|  | 	} | ||||||
|  | 	if signK2 == -1 { | ||||||
|  | 		p2y, p2yNeg = p2yNeg, p2y | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// NAF versions of k1 and k2 should have a lot more zeros. | ||||||
|  | 	// | ||||||
|  | 	// The Pos version of the bytes contain the +1s and the Neg versions | ||||||
|  | 	// contain the -1s. | ||||||
|  | 	k1PosNAF, k1NegNAF := NAF(k1) | ||||||
|  | 	k2PosNAF, k2NegNAF := NAF(k2) | ||||||
|  | 	k1Len := len(k1PosNAF) | ||||||
|  | 	k2Len := len(k2PosNAF) | ||||||
|  |  | ||||||
|  | 	m := k1Len | ||||||
|  | 	if m < k2Len { | ||||||
|  | 		m = k2Len | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Add left-to-right using the NAF optimization.  See algorithm 3.77 | ||||||
|  | 	// from [GECC].  This should be faster overall since there will be a lot | ||||||
|  | 	// more instances of 0, hence reducing the number of Jacobian additions | ||||||
|  | 	// at the cost of 1 possible extra doubling. | ||||||
|  | 	var k1BytePos, k1ByteNeg, k2BytePos, k2ByteNeg byte | ||||||
|  | 	for i := 0; i < m; i++ { | ||||||
|  | 		// Since we're going left-to-right, pad the front with 0s. | ||||||
|  | 		if i < m-k1Len { | ||||||
|  | 			k1BytePos = 0 | ||||||
|  | 			k1ByteNeg = 0 | ||||||
|  | 		} else { | ||||||
|  | 			k1BytePos = k1PosNAF[i-(m-k1Len)] | ||||||
|  | 			k1ByteNeg = k1NegNAF[i-(m-k1Len)] | ||||||
|  | 		} | ||||||
|  | 		if i < m-k2Len { | ||||||
|  | 			k2BytePos = 0 | ||||||
|  | 			k2ByteNeg = 0 | ||||||
|  | 		} else { | ||||||
|  | 			k2BytePos = k2PosNAF[i-(m-k2Len)] | ||||||
|  | 			k2ByteNeg = k2NegNAF[i-(m-k2Len)] | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		for j := 7; j >= 0; j-- { | ||||||
|  | 			// Q = 2 * Q | ||||||
|  | 			curve.doubleJacobian(qx, qy, qz, qx, qy, qz) | ||||||
|  |  | ||||||
|  | 			if k1BytePos&0x80 == 0x80 { | ||||||
|  | 				curve.addJacobian(qx, qy, qz, p1x, p1y, p1z, | ||||||
|  | 					qx, qy, qz) | ||||||
|  | 			} else if k1ByteNeg&0x80 == 0x80 { | ||||||
|  | 				curve.addJacobian(qx, qy, qz, p1x, p1yNeg, p1z, | ||||||
|  | 					qx, qy, qz) | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  | 			if k2BytePos&0x80 == 0x80 { | ||||||
|  | 				curve.addJacobian(qx, qy, qz, p2x, p2y, p2z, | ||||||
|  | 					qx, qy, qz) | ||||||
|  | 			} else if k2ByteNeg&0x80 == 0x80 { | ||||||
|  | 				curve.addJacobian(qx, qy, qz, p2x, p2yNeg, p2z, | ||||||
|  | 					qx, qy, qz) | ||||||
|  | 			} | ||||||
|  | 			k1BytePos <<= 1 | ||||||
|  | 			k1ByteNeg <<= 1 | ||||||
|  | 			k2BytePos <<= 1 | ||||||
|  | 			k2ByteNeg <<= 1 | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Convert the Jacobian coordinate field values back to affine big.Ints. | ||||||
|  | 	return curve.fieldJacobianToBigAffine(qx, qy, qz) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ScalarBaseMult returns k*G where G is the base point of the group and k is a | ||||||
|  | // big endian integer. | ||||||
|  | // Part of the elliptic.Curve interface. | ||||||
|  | func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) { | ||||||
|  | 	newK := curve.moduloReduce(k) | ||||||
|  | 	diff := len(curve.bytePoints) - len(newK) | ||||||
|  |  | ||||||
|  | 	// Point Q = ∞ (point at infinity). | ||||||
|  | 	qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal) | ||||||
|  |  | ||||||
|  | 	// curve.bytePoints has all 256 byte points for each 8-bit window. The | ||||||
|  | 	// strategy is to add up the byte points. This is best understood by | ||||||
|  | 	// expressing k in base-256 which it already sort of is. | ||||||
|  | 	// Each "digit" in the 8-bit window can be looked up using bytePoints | ||||||
|  | 	// and added together. | ||||||
|  | 	for i, byteVal := range newK { | ||||||
|  | 		p := curve.bytePoints[diff+i][byteVal] | ||||||
|  | 		curve.addJacobian(qx, qy, qz, &p[0], &p[1], &p[2], qx, qy, qz) | ||||||
|  | 	} | ||||||
|  | 	return curve.fieldJacobianToBigAffine(qx, qy, qz) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // QPlus1Div4 returns the Q+1/4 constant for the curve for use in calculating | ||||||
|  | // square roots via exponention. | ||||||
|  | func (curve *KoblitzCurve) QPlus1Div4() *big.Int { | ||||||
|  | 	return curve.q | ||||||
|  | } | ||||||
|  |  | ||||||
|  | var initonce sync.Once | ||||||
|  | var secp256k1 KoblitzCurve | ||||||
|  |  | ||||||
|  | func initAll() { | ||||||
|  | 	initS256() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // fromHex converts the passed hex string into a big integer pointer and will | ||||||
|  | // panic is there is an error.  This is only provided for the hard-coded | ||||||
|  | // constants so errors in the source code can bet detected. It will only (and | ||||||
|  | // must only) be called for initialization purposes. | ||||||
|  | func fromHex(s string) *big.Int { | ||||||
|  | 	r, ok := new(big.Int).SetString(s, 16) | ||||||
|  | 	if !ok { | ||||||
|  | 		panic("invalid hex in source file: " + s) | ||||||
|  | 	} | ||||||
|  | 	return r | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func initS256() { | ||||||
|  | 	// Curve parameters taken from [SECG] section 2.4.1. | ||||||
|  | 	secp256k1.CurveParams = new(elliptic.CurveParams) | ||||||
|  | 	secp256k1.P = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F") | ||||||
|  | 	secp256k1.N = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141") | ||||||
|  | 	secp256k1.B = fromHex("0000000000000000000000000000000000000000000000000000000000000007") | ||||||
|  | 	secp256k1.Gx = fromHex("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798") | ||||||
|  | 	secp256k1.Gy = fromHex("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8") | ||||||
|  | 	secp256k1.BitSize = 256 | ||||||
|  | 	secp256k1.H = 1 | ||||||
|  | 	secp256k1.q = new(big.Int).Div(new(big.Int).Add(secp256k1.P, | ||||||
|  | 		big.NewInt(1)), big.NewInt(4)) | ||||||
|  |  | ||||||
|  | 	// Provided for convenience since this gets computed repeatedly. | ||||||
|  | 	secp256k1.byteSize = secp256k1.BitSize / 8 | ||||||
|  |  | ||||||
|  | 	// Deserialize and set the pre-computed table used to accelerate scalar | ||||||
|  | 	// base multiplication.  This is hard-coded data, so any errors are | ||||||
|  | 	// panics because it means something is wrong in the source code. | ||||||
|  | 	if err := loadS256BytePoints(); err != nil { | ||||||
|  | 		panic(err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Next 6 constants are from Hal Finney's bitcointalk.org post: | ||||||
|  | 	// https://bitcointalk.org/index.php?topic=3238.msg45565#msg45565 | ||||||
|  | 	// May he rest in peace. | ||||||
|  | 	// | ||||||
|  | 	// They have also been independently derived from the code in the | ||||||
|  | 	// EndomorphismVectors function in gensecp256k1.go. | ||||||
|  | 	secp256k1.lambda = fromHex("5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72") | ||||||
|  | 	secp256k1.beta = new(fieldVal).SetHex("7AE96A2B657C07106E64479EAC3434E99CF0497512F58995C1396C28719501EE") | ||||||
|  | 	secp256k1.a1 = fromHex("3086D221A7D46BCDE86C90E49284EB15") | ||||||
|  | 	secp256k1.b1 = fromHex("-E4437ED6010E88286F547FA90ABFE4C3") | ||||||
|  | 	secp256k1.a2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8") | ||||||
|  | 	secp256k1.b2 = fromHex("3086D221A7D46BCDE86C90E49284EB15") | ||||||
|  |  | ||||||
|  | 	// Alternatively, we can use the parameters below, however, they seem | ||||||
|  | 	//  to be about 8% slower. | ||||||
|  | 	// secp256k1.lambda = fromHex("AC9C52B33FA3CF1F5AD9E3FD77ED9BA4A880B9FC8EC739C2E0CFC810B51283CE") | ||||||
|  | 	// secp256k1.beta = new(fieldVal).SetHex("851695D49A83F8EF919BB86153CBCB16630FB68AED0A766A3EC693D68E6AFA40") | ||||||
|  | 	// secp256k1.a1 = fromHex("E4437ED6010E88286F547FA90ABFE4C3") | ||||||
|  | 	// secp256k1.b1 = fromHex("-3086D221A7D46BCDE86C90E49284EB15") | ||||||
|  | 	// secp256k1.a2 = fromHex("3086D221A7D46BCDE86C90E49284EB15") | ||||||
|  | 	// secp256k1.b2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // S256 returns a Curve which implements secp256k1. | ||||||
|  | func S256() *KoblitzCurve { | ||||||
|  | 	initonce.Do(initAll) | ||||||
|  | 	return &secp256k1 | ||||||
|  | } | ||||||
							
								
								
									
										216
									
								
								vendor/github.com/btcsuite/btcd/btcec/ciphering.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										216
									
								
								vendor/github.com/btcsuite/btcd/btcec/ciphering.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,216 @@ | |||||||
|  | // Copyright (c) 2015-2016 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"bytes" | ||||||
|  | 	"crypto/aes" | ||||||
|  | 	"crypto/cipher" | ||||||
|  | 	"crypto/hmac" | ||||||
|  | 	"crypto/rand" | ||||||
|  | 	"crypto/sha256" | ||||||
|  | 	"crypto/sha512" | ||||||
|  | 	"errors" | ||||||
|  | 	"io" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | var ( | ||||||
|  | 	// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails | ||||||
|  | 	// during decryption. This happens because of either invalid private key or | ||||||
|  | 	// corrupt ciphertext. | ||||||
|  | 	ErrInvalidMAC = errors.New("invalid mac hash") | ||||||
|  |  | ||||||
|  | 	// errInputTooShort occurs when the input ciphertext to the Decrypt | ||||||
|  | 	// function is less than 134 bytes long. | ||||||
|  | 	errInputTooShort = errors.New("ciphertext too short") | ||||||
|  |  | ||||||
|  | 	// errUnsupportedCurve occurs when the first two bytes of the encrypted | ||||||
|  | 	// text aren't 0x02CA (= 712 = secp256k1, from OpenSSL). | ||||||
|  | 	errUnsupportedCurve = errors.New("unsupported curve") | ||||||
|  |  | ||||||
|  | 	errInvalidXLength = errors.New("invalid X length, must be 32") | ||||||
|  | 	errInvalidYLength = errors.New("invalid Y length, must be 32") | ||||||
|  | 	errInvalidPadding = errors.New("invalid PKCS#7 padding") | ||||||
|  |  | ||||||
|  | 	// 0x02CA = 714 | ||||||
|  | 	ciphCurveBytes = [2]byte{0x02, 0xCA} | ||||||
|  | 	// 0x20 = 32 | ||||||
|  | 	ciphCoordLength = [2]byte{0x00, 0x20} | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // GenerateSharedSecret generates a shared secret based on a private key and a | ||||||
|  | // public key using Diffie-Hellman key exchange (ECDH) (RFC 4753). | ||||||
|  | // RFC5903 Section 9 states we should only return x. | ||||||
|  | func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte { | ||||||
|  | 	x, _ := pubkey.Curve.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes()) | ||||||
|  | 	return x.Bytes() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Encrypt encrypts data for the target public key using AES-256-CBC. It also | ||||||
|  | // generates a private key (the pubkey of which is also in the output). The only | ||||||
|  | // supported curve is secp256k1. The `structure' that it encodes everything into | ||||||
|  | // is: | ||||||
|  | // | ||||||
|  | //	struct { | ||||||
|  | //		// Initialization Vector used for AES-256-CBC | ||||||
|  | //		IV [16]byte | ||||||
|  | //		// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX + | ||||||
|  | //		// len_of_pubkeyY(2) + pubkeyY (curve = 714) | ||||||
|  | //		PublicKey [70]byte | ||||||
|  | //		// Cipher text | ||||||
|  | //		Data []byte | ||||||
|  | //		// HMAC-SHA-256 Message Authentication Code | ||||||
|  | //		HMAC [32]byte | ||||||
|  | //	} | ||||||
|  | // | ||||||
|  | // The primary aim is to ensure byte compatibility with Pyelliptic.  Also, refer | ||||||
|  | // to section 5.8.1 of ANSI X9.63 for rationale on this format. | ||||||
|  | func Encrypt(pubkey *PublicKey, in []byte) ([]byte, error) { | ||||||
|  | 	ephemeral, err := NewPrivateKey(S256()) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	ecdhKey := GenerateSharedSecret(ephemeral, pubkey) | ||||||
|  | 	derivedKey := sha512.Sum512(ecdhKey) | ||||||
|  | 	keyE := derivedKey[:32] | ||||||
|  | 	keyM := derivedKey[32:] | ||||||
|  |  | ||||||
|  | 	paddedIn := addPKCSPadding(in) | ||||||
|  | 	// IV + Curve params/X/Y + padded plaintext/ciphertext + HMAC-256 | ||||||
|  | 	out := make([]byte, aes.BlockSize+70+len(paddedIn)+sha256.Size) | ||||||
|  | 	iv := out[:aes.BlockSize] | ||||||
|  | 	if _, err = io.ReadFull(rand.Reader, iv); err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	// start writing public key | ||||||
|  | 	pb := ephemeral.PubKey().SerializeUncompressed() | ||||||
|  | 	offset := aes.BlockSize | ||||||
|  |  | ||||||
|  | 	// curve and X length | ||||||
|  | 	copy(out[offset:offset+4], append(ciphCurveBytes[:], ciphCoordLength[:]...)) | ||||||
|  | 	offset += 4 | ||||||
|  | 	// X | ||||||
|  | 	copy(out[offset:offset+32], pb[1:33]) | ||||||
|  | 	offset += 32 | ||||||
|  | 	// Y length | ||||||
|  | 	copy(out[offset:offset+2], ciphCoordLength[:]) | ||||||
|  | 	offset += 2 | ||||||
|  | 	// Y | ||||||
|  | 	copy(out[offset:offset+32], pb[33:]) | ||||||
|  | 	offset += 32 | ||||||
|  |  | ||||||
|  | 	// start encryption | ||||||
|  | 	block, err := aes.NewCipher(keyE) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	mode := cipher.NewCBCEncrypter(block, iv) | ||||||
|  | 	mode.CryptBlocks(out[offset:len(out)-sha256.Size], paddedIn) | ||||||
|  |  | ||||||
|  | 	// start HMAC-SHA-256 | ||||||
|  | 	hm := hmac.New(sha256.New, keyM) | ||||||
|  | 	hm.Write(out[:len(out)-sha256.Size])          // everything is hashed | ||||||
|  | 	copy(out[len(out)-sha256.Size:], hm.Sum(nil)) // write checksum | ||||||
|  |  | ||||||
|  | 	return out, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Decrypt decrypts data that was encrypted using the Encrypt function. | ||||||
|  | func Decrypt(priv *PrivateKey, in []byte) ([]byte, error) { | ||||||
|  | 	// IV + Curve params/X/Y + 1 block + HMAC-256 | ||||||
|  | 	if len(in) < aes.BlockSize+70+aes.BlockSize+sha256.Size { | ||||||
|  | 		return nil, errInputTooShort | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// read iv | ||||||
|  | 	iv := in[:aes.BlockSize] | ||||||
|  | 	offset := aes.BlockSize | ||||||
|  |  | ||||||
|  | 	// start reading pubkey | ||||||
|  | 	if !bytes.Equal(in[offset:offset+2], ciphCurveBytes[:]) { | ||||||
|  | 		return nil, errUnsupportedCurve | ||||||
|  | 	} | ||||||
|  | 	offset += 2 | ||||||
|  |  | ||||||
|  | 	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) { | ||||||
|  | 		return nil, errInvalidXLength | ||||||
|  | 	} | ||||||
|  | 	offset += 2 | ||||||
|  |  | ||||||
|  | 	xBytes := in[offset : offset+32] | ||||||
|  | 	offset += 32 | ||||||
|  |  | ||||||
|  | 	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) { | ||||||
|  | 		return nil, errInvalidYLength | ||||||
|  | 	} | ||||||
|  | 	offset += 2 | ||||||
|  |  | ||||||
|  | 	yBytes := in[offset : offset+32] | ||||||
|  | 	offset += 32 | ||||||
|  |  | ||||||
|  | 	pb := make([]byte, 65) | ||||||
|  | 	pb[0] = byte(0x04) // uncompressed | ||||||
|  | 	copy(pb[1:33], xBytes) | ||||||
|  | 	copy(pb[33:], yBytes) | ||||||
|  | 	// check if (X, Y) lies on the curve and create a Pubkey if it does | ||||||
|  | 	pubkey, err := ParsePubKey(pb, S256()) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// check for cipher text length | ||||||
|  | 	if (len(in)-aes.BlockSize-offset-sha256.Size)%aes.BlockSize != 0 { | ||||||
|  | 		return nil, errInvalidPadding // not padded to 16 bytes | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// read hmac | ||||||
|  | 	messageMAC := in[len(in)-sha256.Size:] | ||||||
|  |  | ||||||
|  | 	// generate shared secret | ||||||
|  | 	ecdhKey := GenerateSharedSecret(priv, pubkey) | ||||||
|  | 	derivedKey := sha512.Sum512(ecdhKey) | ||||||
|  | 	keyE := derivedKey[:32] | ||||||
|  | 	keyM := derivedKey[32:] | ||||||
|  |  | ||||||
|  | 	// verify mac | ||||||
|  | 	hm := hmac.New(sha256.New, keyM) | ||||||
|  | 	hm.Write(in[:len(in)-sha256.Size]) // everything is hashed | ||||||
|  | 	expectedMAC := hm.Sum(nil) | ||||||
|  | 	if !hmac.Equal(messageMAC, expectedMAC) { | ||||||
|  | 		return nil, ErrInvalidMAC | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// start decryption | ||||||
|  | 	block, err := aes.NewCipher(keyE) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	mode := cipher.NewCBCDecrypter(block, iv) | ||||||
|  | 	// same length as ciphertext | ||||||
|  | 	plaintext := make([]byte, len(in)-offset-sha256.Size) | ||||||
|  | 	mode.CryptBlocks(plaintext, in[offset:len(in)-sha256.Size]) | ||||||
|  |  | ||||||
|  | 	return removePKCSPadding(plaintext) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Implement PKCS#7 padding with block size of 16 (AES block size). | ||||||
|  |  | ||||||
|  | // addPKCSPadding adds padding to a block of data | ||||||
|  | func addPKCSPadding(src []byte) []byte { | ||||||
|  | 	padding := aes.BlockSize - len(src)%aes.BlockSize | ||||||
|  | 	padtext := bytes.Repeat([]byte{byte(padding)}, padding) | ||||||
|  | 	return append(src, padtext...) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // removePKCSPadding removes padding from data that was added with addPKCSPadding | ||||||
|  | func removePKCSPadding(src []byte) ([]byte, error) { | ||||||
|  | 	length := len(src) | ||||||
|  | 	padLength := int(src[length-1]) | ||||||
|  | 	if padLength > aes.BlockSize || length < aes.BlockSize { | ||||||
|  | 		return nil, errInvalidPadding | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return src[:length-padLength], nil | ||||||
|  | } | ||||||
							
								
								
									
										21
									
								
								vendor/github.com/btcsuite/btcd/btcec/doc.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								vendor/github.com/btcsuite/btcd/btcec/doc.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,21 @@ | |||||||
|  | // Copyright (c) 2013-2014 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | /* | ||||||
|  | Package btcec implements support for the elliptic curves needed for bitcoin. | ||||||
|  |  | ||||||
|  | Bitcoin uses elliptic curve cryptography using koblitz curves | ||||||
|  | (specifically secp256k1) for cryptographic functions.  See | ||||||
|  | http://www.secg.org/collateral/sec2_final.pdf for details on the | ||||||
|  | standard. | ||||||
|  |  | ||||||
|  | This package provides the data structures and functions implementing the | ||||||
|  | crypto/elliptic Curve interface in order to permit using these curves | ||||||
|  | with the standard crypto/ecdsa package provided with go. Helper | ||||||
|  | functionality is provided to parse signatures and public keys from | ||||||
|  | standard formats.  It was designed for use with btcd, but should be | ||||||
|  | general enough for other uses of elliptic curve crypto.  It was originally based | ||||||
|  | on some initial work by ThePiachu, but has significantly diverged since then. | ||||||
|  | */ | ||||||
|  | package btcec | ||||||
							
								
								
									
										1262
									
								
								vendor/github.com/btcsuite/btcd/btcec/field.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										1262
									
								
								vendor/github.com/btcsuite/btcd/btcec/field.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										63
									
								
								vendor/github.com/btcsuite/btcd/btcec/genprecomps.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										63
									
								
								vendor/github.com/btcsuite/btcd/btcec/genprecomps.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,63 @@ | |||||||
|  | // Copyright 2015 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | // This file is ignored during the regular build due to the following build tag. | ||||||
|  | // It is called by go generate and used to automatically generate pre-computed | ||||||
|  | // tables used to accelerate operations. | ||||||
|  | // +build ignore | ||||||
|  |  | ||||||
|  | package main | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"bytes" | ||||||
|  | 	"compress/zlib" | ||||||
|  | 	"encoding/base64" | ||||||
|  | 	"fmt" | ||||||
|  | 	"log" | ||||||
|  | 	"os" | ||||||
|  |  | ||||||
|  | 	"github.com/btcsuite/btcd/btcec" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func main() { | ||||||
|  | 	fi, err := os.Create("secp256k1.go") | ||||||
|  | 	if err != nil { | ||||||
|  | 		log.Fatal(err) | ||||||
|  | 	} | ||||||
|  | 	defer fi.Close() | ||||||
|  |  | ||||||
|  | 	// Compress the serialized byte points. | ||||||
|  | 	serialized := btcec.S256().SerializedBytePoints() | ||||||
|  | 	var compressed bytes.Buffer | ||||||
|  | 	w := zlib.NewWriter(&compressed) | ||||||
|  | 	if _, err := w.Write(serialized); err != nil { | ||||||
|  | 		fmt.Println(err) | ||||||
|  | 		os.Exit(1) | ||||||
|  | 	} | ||||||
|  | 	w.Close() | ||||||
|  |  | ||||||
|  | 	// Encode the compressed byte points with base64. | ||||||
|  | 	encoded := make([]byte, base64.StdEncoding.EncodedLen(compressed.Len())) | ||||||
|  | 	base64.StdEncoding.Encode(encoded, compressed.Bytes()) | ||||||
|  |  | ||||||
|  | 	fmt.Fprintln(fi, "// Copyright (c) 2015 The btcsuite developers") | ||||||
|  | 	fmt.Fprintln(fi, "// Use of this source code is governed by an ISC") | ||||||
|  | 	fmt.Fprintln(fi, "// license that can be found in the LICENSE file.") | ||||||
|  | 	fmt.Fprintln(fi) | ||||||
|  | 	fmt.Fprintln(fi, "package btcec") | ||||||
|  | 	fmt.Fprintln(fi) | ||||||
|  | 	fmt.Fprintln(fi, "// Auto-generated file (see genprecomps.go)") | ||||||
|  | 	fmt.Fprintln(fi, "// DO NOT EDIT") | ||||||
|  | 	fmt.Fprintln(fi) | ||||||
|  | 	fmt.Fprintf(fi, "var secp256k1BytePoints = %q\n", string(encoded)) | ||||||
|  |  | ||||||
|  | 	a1, b1, a2, b2 := btcec.S256().EndomorphismVectors() | ||||||
|  | 	fmt.Println("The following values are the computed linearly " + | ||||||
|  | 		"independent vectors needed to make use of the secp256k1 " + | ||||||
|  | 		"endomorphism:") | ||||||
|  | 	fmt.Printf("a1: %x\n", a1) | ||||||
|  | 	fmt.Printf("b1: %x\n", b1) | ||||||
|  | 	fmt.Printf("a2: %x\n", a2) | ||||||
|  | 	fmt.Printf("b2: %x\n", b2) | ||||||
|  | } | ||||||
							
								
								
									
										203
									
								
								vendor/github.com/btcsuite/btcd/btcec/gensecp256k1.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										203
									
								
								vendor/github.com/btcsuite/btcd/btcec/gensecp256k1.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,203 @@ | |||||||
|  | // Copyright (c) 2014-2015 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | // This file is ignored during the regular build due to the following build tag. | ||||||
|  | // This build tag is set during go generate. | ||||||
|  | // +build gensecp256k1 | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | // References: | ||||||
|  | //   [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone) | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"encoding/binary" | ||||||
|  | 	"math/big" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // secp256k1BytePoints are dummy points used so the code which generates the | ||||||
|  | // real values can compile. | ||||||
|  | var secp256k1BytePoints = "" | ||||||
|  |  | ||||||
|  | // getDoublingPoints returns all the possible G^(2^i) for i in | ||||||
|  | // 0..n-1 where n is the curve's bit size (256 in the case of secp256k1) | ||||||
|  | // the coordinates are recorded as Jacobian coordinates. | ||||||
|  | func (curve *KoblitzCurve) getDoublingPoints() [][3]fieldVal { | ||||||
|  | 	doublingPoints := make([][3]fieldVal, curve.BitSize) | ||||||
|  |  | ||||||
|  | 	// initialize px, py, pz to the Jacobian coordinates for the base point | ||||||
|  | 	px, py := curve.bigAffineToField(curve.Gx, curve.Gy) | ||||||
|  | 	pz := new(fieldVal).SetInt(1) | ||||||
|  | 	for i := 0; i < curve.BitSize; i++ { | ||||||
|  | 		doublingPoints[i] = [3]fieldVal{*px, *py, *pz} | ||||||
|  | 		// P = 2*P | ||||||
|  | 		curve.doubleJacobian(px, py, pz, px, py, pz) | ||||||
|  | 	} | ||||||
|  | 	return doublingPoints | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // SerializedBytePoints returns a serialized byte slice which contains all of | ||||||
|  | // the possible points per 8-bit window.  This is used to when generating | ||||||
|  | // secp256k1.go. | ||||||
|  | func (curve *KoblitzCurve) SerializedBytePoints() []byte { | ||||||
|  | 	doublingPoints := curve.getDoublingPoints() | ||||||
|  |  | ||||||
|  | 	// Segregate the bits into byte-sized windows | ||||||
|  | 	serialized := make([]byte, curve.byteSize*256*3*10*4) | ||||||
|  | 	offset := 0 | ||||||
|  | 	for byteNum := 0; byteNum < curve.byteSize; byteNum++ { | ||||||
|  | 		// Grab the 8 bits that make up this byte from doublingPoints. | ||||||
|  | 		startingBit := 8 * (curve.byteSize - byteNum - 1) | ||||||
|  | 		computingPoints := doublingPoints[startingBit : startingBit+8] | ||||||
|  |  | ||||||
|  | 		// Compute all points in this window and serialize them. | ||||||
|  | 		for i := 0; i < 256; i++ { | ||||||
|  | 			px, py, pz := new(fieldVal), new(fieldVal), new(fieldVal) | ||||||
|  | 			for j := 0; j < 8; j++ { | ||||||
|  | 				if i>>uint(j)&1 == 1 { | ||||||
|  | 					curve.addJacobian(px, py, pz, &computingPoints[j][0], | ||||||
|  | 						&computingPoints[j][1], &computingPoints[j][2], px, py, pz) | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				binary.LittleEndian.PutUint32(serialized[offset:], px.n[i]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				binary.LittleEndian.PutUint32(serialized[offset:], py.n[i]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				binary.LittleEndian.PutUint32(serialized[offset:], pz.n[i]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return serialized | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // sqrt returns the square root of the provided big integer using Newton's | ||||||
|  | // method.  It's only compiled and used during generation of pre-computed | ||||||
|  | // values, so speed is not a huge concern. | ||||||
|  | func sqrt(n *big.Int) *big.Int { | ||||||
|  | 	// Initial guess = 2^(log_2(n)/2) | ||||||
|  | 	guess := big.NewInt(2) | ||||||
|  | 	guess.Exp(guess, big.NewInt(int64(n.BitLen()/2)), nil) | ||||||
|  |  | ||||||
|  | 	// Now refine using Newton's method. | ||||||
|  | 	big2 := big.NewInt(2) | ||||||
|  | 	prevGuess := big.NewInt(0) | ||||||
|  | 	for { | ||||||
|  | 		prevGuess.Set(guess) | ||||||
|  | 		guess.Add(guess, new(big.Int).Div(n, guess)) | ||||||
|  | 		guess.Div(guess, big2) | ||||||
|  | 		if guess.Cmp(prevGuess) == 0 { | ||||||
|  | 			break | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	return guess | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // EndomorphismVectors runs the first 3 steps of algorithm 3.74 from [GECC] to | ||||||
|  | // generate the linearly independent vectors needed to generate a balanced | ||||||
|  | // length-two representation of a multiplier such that k = k1 + k2λ (mod N) and | ||||||
|  | // returns them.  Since the values will always be the same given the fact that N | ||||||
|  | // and λ are fixed, the final results can be accelerated by storing the | ||||||
|  | // precomputed values with the curve. | ||||||
|  | func (curve *KoblitzCurve) EndomorphismVectors() (a1, b1, a2, b2 *big.Int) { | ||||||
|  | 	bigMinus1 := big.NewInt(-1) | ||||||
|  |  | ||||||
|  | 	// This section uses an extended Euclidean algorithm to generate a | ||||||
|  | 	// sequence of equations: | ||||||
|  | 	//  s[i] * N + t[i] * λ = r[i] | ||||||
|  |  | ||||||
|  | 	nSqrt := sqrt(curve.N) | ||||||
|  | 	u, v := new(big.Int).Set(curve.N), new(big.Int).Set(curve.lambda) | ||||||
|  | 	x1, y1 := big.NewInt(1), big.NewInt(0) | ||||||
|  | 	x2, y2 := big.NewInt(0), big.NewInt(1) | ||||||
|  | 	q, r := new(big.Int), new(big.Int) | ||||||
|  | 	qu, qx1, qy1 := new(big.Int), new(big.Int), new(big.Int) | ||||||
|  | 	s, t := new(big.Int), new(big.Int) | ||||||
|  | 	ri, ti := new(big.Int), new(big.Int) | ||||||
|  | 	a1, b1, a2, b2 = new(big.Int), new(big.Int), new(big.Int), new(big.Int) | ||||||
|  | 	found, oneMore := false, false | ||||||
|  | 	for u.Sign() != 0 { | ||||||
|  | 		// q = v/u | ||||||
|  | 		q.Div(v, u) | ||||||
|  |  | ||||||
|  | 		// r = v - q*u | ||||||
|  | 		qu.Mul(q, u) | ||||||
|  | 		r.Sub(v, qu) | ||||||
|  |  | ||||||
|  | 		// s = x2 - q*x1 | ||||||
|  | 		qx1.Mul(q, x1) | ||||||
|  | 		s.Sub(x2, qx1) | ||||||
|  |  | ||||||
|  | 		// t = y2 - q*y1 | ||||||
|  | 		qy1.Mul(q, y1) | ||||||
|  | 		t.Sub(y2, qy1) | ||||||
|  |  | ||||||
|  | 		// v = u, u = r, x2 = x1, x1 = s, y2 = y1, y1 = t | ||||||
|  | 		v.Set(u) | ||||||
|  | 		u.Set(r) | ||||||
|  | 		x2.Set(x1) | ||||||
|  | 		x1.Set(s) | ||||||
|  | 		y2.Set(y1) | ||||||
|  | 		y1.Set(t) | ||||||
|  |  | ||||||
|  | 		// As soon as the remainder is less than the sqrt of n, the | ||||||
|  | 		// values of a1 and b1 are known. | ||||||
|  | 		if !found && r.Cmp(nSqrt) < 0 { | ||||||
|  | 			// When this condition executes ri and ti represent the | ||||||
|  | 			// r[i] and t[i] values such that i is the greatest | ||||||
|  | 			// index for which r >= sqrt(n).  Meanwhile, the current | ||||||
|  | 			// r and t values are r[i+1] and t[i+1], respectively. | ||||||
|  |  | ||||||
|  | 			// a1 = r[i+1], b1 = -t[i+1] | ||||||
|  | 			a1.Set(r) | ||||||
|  | 			b1.Mul(t, bigMinus1) | ||||||
|  | 			found = true | ||||||
|  | 			oneMore = true | ||||||
|  |  | ||||||
|  | 			// Skip to the next iteration so ri and ti are not | ||||||
|  | 			// modified. | ||||||
|  | 			continue | ||||||
|  |  | ||||||
|  | 		} else if oneMore { | ||||||
|  | 			// When this condition executes ri and ti still | ||||||
|  | 			// represent the r[i] and t[i] values while the current | ||||||
|  | 			// r and t are r[i+2] and t[i+2], respectively. | ||||||
|  |  | ||||||
|  | 			// sum1 = r[i]^2 + t[i]^2 | ||||||
|  | 			rSquared := new(big.Int).Mul(ri, ri) | ||||||
|  | 			tSquared := new(big.Int).Mul(ti, ti) | ||||||
|  | 			sum1 := new(big.Int).Add(rSquared, tSquared) | ||||||
|  |  | ||||||
|  | 			// sum2 = r[i+2]^2 + t[i+2]^2 | ||||||
|  | 			r2Squared := new(big.Int).Mul(r, r) | ||||||
|  | 			t2Squared := new(big.Int).Mul(t, t) | ||||||
|  | 			sum2 := new(big.Int).Add(r2Squared, t2Squared) | ||||||
|  |  | ||||||
|  | 			// if (r[i]^2 + t[i]^2) <= (r[i+2]^2 + t[i+2]^2) | ||||||
|  | 			if sum1.Cmp(sum2) <= 0 { | ||||||
|  | 				// a2 = r[i], b2 = -t[i] | ||||||
|  | 				a2.Set(ri) | ||||||
|  | 				b2.Mul(ti, bigMinus1) | ||||||
|  | 			} else { | ||||||
|  | 				// a2 = r[i+2], b2 = -t[i+2] | ||||||
|  | 				a2.Set(r) | ||||||
|  | 				b2.Mul(t, bigMinus1) | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  | 			// All done. | ||||||
|  | 			break | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		ri.Set(r) | ||||||
|  | 		ti.Set(t) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return a1, b1, a2, b2 | ||||||
|  | } | ||||||
							
								
								
									
										67
									
								
								vendor/github.com/btcsuite/btcd/btcec/precompute.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										67
									
								
								vendor/github.com/btcsuite/btcd/btcec/precompute.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,67 @@ | |||||||
|  | // Copyright 2015 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"compress/zlib" | ||||||
|  | 	"encoding/base64" | ||||||
|  | 	"encoding/binary" | ||||||
|  | 	"io/ioutil" | ||||||
|  | 	"strings" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | //go:generate go run -tags gensecp256k1 genprecomps.go | ||||||
|  |  | ||||||
|  | // loadS256BytePoints decompresses and deserializes the pre-computed byte points | ||||||
|  | // used to accelerate scalar base multiplication for the secp256k1 curve.  This | ||||||
|  | // approach is used since it allows the compile to use significantly less ram | ||||||
|  | // and be performed much faster than it is with hard-coding the final in-memory | ||||||
|  | // data structure.  At the same time, it is quite fast to generate the in-memory | ||||||
|  | // data structure at init time with this approach versus computing the table. | ||||||
|  | func loadS256BytePoints() error { | ||||||
|  | 	// There will be no byte points to load when generating them. | ||||||
|  | 	bp := secp256k1BytePoints | ||||||
|  | 	if len(bp) == 0 { | ||||||
|  | 		return nil | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Decompress the pre-computed table used to accelerate scalar base | ||||||
|  | 	// multiplication. | ||||||
|  | 	decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(bp)) | ||||||
|  | 	r, err := zlib.NewReader(decoder) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return err | ||||||
|  | 	} | ||||||
|  | 	serialized, err := ioutil.ReadAll(r) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Deserialize the precomputed byte points and set the curve to them. | ||||||
|  | 	offset := 0 | ||||||
|  | 	var bytePoints [32][256][3]fieldVal | ||||||
|  | 	for byteNum := 0; byteNum < 32; byteNum++ { | ||||||
|  | 		// All points in this window. | ||||||
|  | 		for i := 0; i < 256; i++ { | ||||||
|  | 			px := &bytePoints[byteNum][i][0] | ||||||
|  | 			py := &bytePoints[byteNum][i][1] | ||||||
|  | 			pz := &bytePoints[byteNum][i][2] | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				px.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				py.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 			for i := 0; i < 10; i++ { | ||||||
|  | 				pz.n[i] = binary.LittleEndian.Uint32(serialized[offset:]) | ||||||
|  | 				offset += 4 | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	secp256k1.bytePoints = &bytePoints | ||||||
|  | 	return nil | ||||||
|  | } | ||||||
							
								
								
									
										73
									
								
								vendor/github.com/btcsuite/btcd/btcec/privkey.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										73
									
								
								vendor/github.com/btcsuite/btcd/btcec/privkey.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,73 @@ | |||||||
|  | // Copyright (c) 2013-2016 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/ecdsa" | ||||||
|  | 	"crypto/elliptic" | ||||||
|  | 	"crypto/rand" | ||||||
|  | 	"math/big" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing | ||||||
|  | // things with the the private key without having to directly import the ecdsa | ||||||
|  | // package. | ||||||
|  | type PrivateKey ecdsa.PrivateKey | ||||||
|  |  | ||||||
|  | // PrivKeyFromBytes returns a private and public key for `curve' based on the | ||||||
|  | // private key passed as an argument as a byte slice. | ||||||
|  | func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey, | ||||||
|  | 	*PublicKey) { | ||||||
|  | 	x, y := curve.ScalarBaseMult(pk) | ||||||
|  |  | ||||||
|  | 	priv := &ecdsa.PrivateKey{ | ||||||
|  | 		PublicKey: ecdsa.PublicKey{ | ||||||
|  | 			Curve: curve, | ||||||
|  | 			X:     x, | ||||||
|  | 			Y:     y, | ||||||
|  | 		}, | ||||||
|  | 		D: new(big.Int).SetBytes(pk), | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return (*PrivateKey)(priv), (*PublicKey)(&priv.PublicKey) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey | ||||||
|  | // instead of the normal ecdsa.PrivateKey. | ||||||
|  | func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, error) { | ||||||
|  | 	key, err := ecdsa.GenerateKey(curve, rand.Reader) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	return (*PrivateKey)(key), nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // PubKey returns the PublicKey corresponding to this private key. | ||||||
|  | func (p *PrivateKey) PubKey() *PublicKey { | ||||||
|  | 	return (*PublicKey)(&p.PublicKey) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ToECDSA returns the private key as a *ecdsa.PrivateKey. | ||||||
|  | func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey { | ||||||
|  | 	return (*ecdsa.PrivateKey)(p) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Sign generates an ECDSA signature for the provided hash (which should be the result | ||||||
|  | // of hashing a larger message) using the private key. Produced signature | ||||||
|  | // is deterministic (same message and same key yield the same signature) and canonical | ||||||
|  | // in accordance with RFC6979 and BIP0062. | ||||||
|  | func (p *PrivateKey) Sign(hash []byte) (*Signature, error) { | ||||||
|  | 	return signRFC6979(p, hash) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // PrivKeyBytesLen defines the length in bytes of a serialized private key. | ||||||
|  | const PrivKeyBytesLen = 32 | ||||||
|  |  | ||||||
|  | // Serialize returns the private key number d as a big-endian binary-encoded | ||||||
|  | // number, padded to a length of 32 bytes. | ||||||
|  | func (p *PrivateKey) Serialize() []byte { | ||||||
|  | 	b := make([]byte, 0, PrivKeyBytesLen) | ||||||
|  | 	return paddedAppend(PrivKeyBytesLen, b, p.ToECDSA().D.Bytes()) | ||||||
|  | } | ||||||
							
								
								
									
										172
									
								
								vendor/github.com/btcsuite/btcd/btcec/pubkey.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										172
									
								
								vendor/github.com/btcsuite/btcd/btcec/pubkey.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,172 @@ | |||||||
|  | // Copyright (c) 2013-2014 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/ecdsa" | ||||||
|  | 	"errors" | ||||||
|  | 	"fmt" | ||||||
|  | 	"math/big" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // These constants define the lengths of serialized public keys. | ||||||
|  | const ( | ||||||
|  | 	PubKeyBytesLenCompressed   = 33 | ||||||
|  | 	PubKeyBytesLenUncompressed = 65 | ||||||
|  | 	PubKeyBytesLenHybrid       = 65 | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func isOdd(a *big.Int) bool { | ||||||
|  | 	return a.Bit(0) == 1 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // decompressPoint decompresses a point on the given curve given the X point and | ||||||
|  | // the solution to use. | ||||||
|  | func decompressPoint(curve *KoblitzCurve, x *big.Int, ybit bool) (*big.Int, error) { | ||||||
|  | 	// TODO: This will probably only work for secp256k1 due to | ||||||
|  | 	// optimizations. | ||||||
|  |  | ||||||
|  | 	// Y = +-sqrt(x^3 + B) | ||||||
|  | 	x3 := new(big.Int).Mul(x, x) | ||||||
|  | 	x3.Mul(x3, x) | ||||||
|  | 	x3.Add(x3, curve.Params().B) | ||||||
|  |  | ||||||
|  | 	// now calculate sqrt mod p of x2 + B | ||||||
|  | 	// This code used to do a full sqrt based on tonelli/shanks, | ||||||
|  | 	// but this was replaced by the algorithms referenced in | ||||||
|  | 	// https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294 | ||||||
|  | 	y := new(big.Int).Exp(x3, curve.QPlus1Div4(), curve.Params().P) | ||||||
|  |  | ||||||
|  | 	if ybit != isOdd(y) { | ||||||
|  | 		y.Sub(curve.Params().P, y) | ||||||
|  | 	} | ||||||
|  | 	if ybit != isOdd(y) { | ||||||
|  | 		return nil, fmt.Errorf("ybit doesn't match oddness") | ||||||
|  | 	} | ||||||
|  | 	return y, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | const ( | ||||||
|  | 	pubkeyCompressed   byte = 0x2 // y_bit + x coord | ||||||
|  | 	pubkeyUncompressed byte = 0x4 // x coord + y coord | ||||||
|  | 	pubkeyHybrid       byte = 0x6 // y_bit + x coord + y coord | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // ParsePubKey parses a public key for a koblitz curve from a bytestring into a | ||||||
|  | // ecdsa.Publickey, verifying that it is valid. It supports compressed, | ||||||
|  | // uncompressed and hybrid signature formats. | ||||||
|  | func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error) { | ||||||
|  | 	pubkey := PublicKey{} | ||||||
|  | 	pubkey.Curve = curve | ||||||
|  |  | ||||||
|  | 	if len(pubKeyStr) == 0 { | ||||||
|  | 		return nil, errors.New("pubkey string is empty") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	format := pubKeyStr[0] | ||||||
|  | 	ybit := (format & 0x1) == 0x1 | ||||||
|  | 	format &= ^byte(0x1) | ||||||
|  |  | ||||||
|  | 	switch len(pubKeyStr) { | ||||||
|  | 	case PubKeyBytesLenUncompressed: | ||||||
|  | 		if format != pubkeyUncompressed && format != pubkeyHybrid { | ||||||
|  | 			return nil, fmt.Errorf("invalid magic in pubkey str: "+ | ||||||
|  | 				"%d", pubKeyStr[0]) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) | ||||||
|  | 		pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:]) | ||||||
|  | 		// hybrid keys have extra information, make use of it. | ||||||
|  | 		if format == pubkeyHybrid && ybit != isOdd(pubkey.Y) { | ||||||
|  | 			return nil, fmt.Errorf("ybit doesn't match oddness") | ||||||
|  | 		} | ||||||
|  | 	case PubKeyBytesLenCompressed: | ||||||
|  | 		// format is 0x2 | solution, <X coordinate> | ||||||
|  | 		// solution determines which solution of the curve we use. | ||||||
|  | 		/// y^2 = x^3 + Curve.B | ||||||
|  | 		if format != pubkeyCompressed { | ||||||
|  | 			return nil, fmt.Errorf("invalid magic in compressed "+ | ||||||
|  | 				"pubkey string: %d", pubKeyStr[0]) | ||||||
|  | 		} | ||||||
|  | 		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) | ||||||
|  | 		pubkey.Y, err = decompressPoint(curve, pubkey.X, ybit) | ||||||
|  | 		if err != nil { | ||||||
|  | 			return nil, err | ||||||
|  | 		} | ||||||
|  | 	default: // wrong! | ||||||
|  | 		return nil, fmt.Errorf("invalid pub key length %d", | ||||||
|  | 			len(pubKeyStr)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 { | ||||||
|  | 		return nil, fmt.Errorf("pubkey X parameter is >= to P") | ||||||
|  | 	} | ||||||
|  | 	if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 { | ||||||
|  | 		return nil, fmt.Errorf("pubkey Y parameter is >= to P") | ||||||
|  | 	} | ||||||
|  | 	if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) { | ||||||
|  | 		return nil, fmt.Errorf("pubkey isn't on secp256k1 curve") | ||||||
|  | 	} | ||||||
|  | 	return &pubkey, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // PublicKey is an ecdsa.PublicKey with additional functions to | ||||||
|  | // serialize in uncompressed, compressed, and hybrid formats. | ||||||
|  | type PublicKey ecdsa.PublicKey | ||||||
|  |  | ||||||
|  | // ToECDSA returns the public key as a *ecdsa.PublicKey. | ||||||
|  | func (p *PublicKey) ToECDSA() *ecdsa.PublicKey { | ||||||
|  | 	return (*ecdsa.PublicKey)(p) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // SerializeUncompressed serializes a public key in a 65-byte uncompressed | ||||||
|  | // format. | ||||||
|  | func (p *PublicKey) SerializeUncompressed() []byte { | ||||||
|  | 	b := make([]byte, 0, PubKeyBytesLenUncompressed) | ||||||
|  | 	b = append(b, pubkeyUncompressed) | ||||||
|  | 	b = paddedAppend(32, b, p.X.Bytes()) | ||||||
|  | 	return paddedAppend(32, b, p.Y.Bytes()) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // SerializeCompressed serializes a public key in a 33-byte compressed format. | ||||||
|  | func (p *PublicKey) SerializeCompressed() []byte { | ||||||
|  | 	b := make([]byte, 0, PubKeyBytesLenCompressed) | ||||||
|  | 	format := pubkeyCompressed | ||||||
|  | 	if isOdd(p.Y) { | ||||||
|  | 		format |= 0x1 | ||||||
|  | 	} | ||||||
|  | 	b = append(b, format) | ||||||
|  | 	return paddedAppend(32, b, p.X.Bytes()) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // SerializeHybrid serializes a public key in a 65-byte hybrid format. | ||||||
|  | func (p *PublicKey) SerializeHybrid() []byte { | ||||||
|  | 	b := make([]byte, 0, PubKeyBytesLenHybrid) | ||||||
|  | 	format := pubkeyHybrid | ||||||
|  | 	if isOdd(p.Y) { | ||||||
|  | 		format |= 0x1 | ||||||
|  | 	} | ||||||
|  | 	b = append(b, format) | ||||||
|  | 	b = paddedAppend(32, b, p.X.Bytes()) | ||||||
|  | 	return paddedAppend(32, b, p.Y.Bytes()) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // IsEqual compares this PublicKey instance to the one passed, returning true if | ||||||
|  | // both PublicKeys are equivalent. A PublicKey is equivalent to another, if they | ||||||
|  | // both have the same X and Y coordinate. | ||||||
|  | func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool { | ||||||
|  | 	return p.X.Cmp(otherPubKey.X) == 0 && | ||||||
|  | 		p.Y.Cmp(otherPubKey.Y) == 0 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // paddedAppend appends the src byte slice to dst, returning the new slice. | ||||||
|  | // If the length of the source is smaller than the passed size, leading zero | ||||||
|  | // bytes are appended to the dst slice before appending src. | ||||||
|  | func paddedAppend(size uint, dst, src []byte) []byte { | ||||||
|  | 	for i := 0; i < int(size)-len(src); i++ { | ||||||
|  | 		dst = append(dst, 0) | ||||||
|  | 	} | ||||||
|  | 	return append(dst, src...) | ||||||
|  | } | ||||||
							
								
								
									
										10
									
								
								vendor/github.com/btcsuite/btcd/btcec/secp256k1.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										10
									
								
								vendor/github.com/btcsuite/btcd/btcec/secp256k1.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							
							
								
								
									
										539
									
								
								vendor/github.com/btcsuite/btcd/btcec/signature.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										539
									
								
								vendor/github.com/btcsuite/btcd/btcec/signature.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,539 @@ | |||||||
|  | // Copyright (c) 2013-2017 The btcsuite developers | ||||||
|  | // Use of this source code is governed by an ISC | ||||||
|  | // license that can be found in the LICENSE file. | ||||||
|  |  | ||||||
|  | package btcec | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"bytes" | ||||||
|  | 	"crypto/ecdsa" | ||||||
|  | 	"crypto/elliptic" | ||||||
|  | 	"crypto/hmac" | ||||||
|  | 	"crypto/sha256" | ||||||
|  | 	"errors" | ||||||
|  | 	"fmt" | ||||||
|  | 	"hash" | ||||||
|  | 	"math/big" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // Errors returned by canonicalPadding. | ||||||
|  | var ( | ||||||
|  | 	errNegativeValue          = errors.New("value may be interpreted as negative") | ||||||
|  | 	errExcessivelyPaddedValue = errors.New("value is excessively padded") | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // Signature is a type representing an ecdsa signature. | ||||||
|  | type Signature struct { | ||||||
|  | 	R *big.Int | ||||||
|  | 	S *big.Int | ||||||
|  | } | ||||||
|  |  | ||||||
|  | var ( | ||||||
|  | 	// Curve order and halforder, used to tame ECDSA malleability (see BIP-0062) | ||||||
|  | 	order     = new(big.Int).Set(S256().N) | ||||||
|  | 	halforder = new(big.Int).Rsh(order, 1) | ||||||
|  |  | ||||||
|  | 	// Used in RFC6979 implementation when testing the nonce for correctness | ||||||
|  | 	one = big.NewInt(1) | ||||||
|  |  | ||||||
|  | 	// oneInitializer is used to fill a byte slice with byte 0x01.  It is provided | ||||||
|  | 	// here to avoid the need to create it multiple times. | ||||||
|  | 	oneInitializer = []byte{0x01} | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // Serialize returns the ECDSA signature in the more strict DER format.  Note | ||||||
|  | // that the serialized bytes returned do not include the appended hash type | ||||||
|  | // used in Bitcoin signature scripts. | ||||||
|  | // | ||||||
|  | // encoding/asn1 is broken so we hand roll this output: | ||||||
|  | // | ||||||
|  | // 0x30 <length> 0x02 <length r> r 0x02 <length s> s | ||||||
|  | func (sig *Signature) Serialize() []byte { | ||||||
|  | 	// low 'S' malleability breaker | ||||||
|  | 	sigS := sig.S | ||||||
|  | 	if sigS.Cmp(halforder) == 1 { | ||||||
|  | 		sigS = new(big.Int).Sub(order, sigS) | ||||||
|  | 	} | ||||||
|  | 	// Ensure the encoded bytes for the r and s values are canonical and | ||||||
|  | 	// thus suitable for DER encoding. | ||||||
|  | 	rb := canonicalizeInt(sig.R) | ||||||
|  | 	sb := canonicalizeInt(sigS) | ||||||
|  |  | ||||||
|  | 	// total length of returned signature is 1 byte for each magic and | ||||||
|  | 	// length (6 total), plus lengths of r and s | ||||||
|  | 	length := 6 + len(rb) + len(sb) | ||||||
|  | 	b := make([]byte, length, length) | ||||||
|  |  | ||||||
|  | 	b[0] = 0x30 | ||||||
|  | 	b[1] = byte(length - 2) | ||||||
|  | 	b[2] = 0x02 | ||||||
|  | 	b[3] = byte(len(rb)) | ||||||
|  | 	offset := copy(b[4:], rb) + 4 | ||||||
|  | 	b[offset] = 0x02 | ||||||
|  | 	b[offset+1] = byte(len(sb)) | ||||||
|  | 	copy(b[offset+2:], sb) | ||||||
|  | 	return b | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Verify calls ecdsa.Verify to verify the signature of hash using the public | ||||||
|  | // key.  It returns true if the signature is valid, false otherwise. | ||||||
|  | func (sig *Signature) Verify(hash []byte, pubKey *PublicKey) bool { | ||||||
|  | 	return ecdsa.Verify(pubKey.ToECDSA(), hash, sig.R, sig.S) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // IsEqual compares this Signature instance to the one passed, returning true | ||||||
|  | // if both Signatures are equivalent. A signature is equivalent to another, if | ||||||
|  | // they both have the same scalar value for R and S. | ||||||
|  | func (sig *Signature) IsEqual(otherSig *Signature) bool { | ||||||
|  | 	return sig.R.Cmp(otherSig.R) == 0 && | ||||||
|  | 		sig.S.Cmp(otherSig.S) == 0 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func parseSig(sigStr []byte, curve elliptic.Curve, der bool) (*Signature, error) { | ||||||
|  | 	// Originally this code used encoding/asn1 in order to parse the | ||||||
|  | 	// signature, but a number of problems were found with this approach. | ||||||
|  | 	// Despite the fact that signatures are stored as DER, the difference | ||||||
|  | 	// between go's idea of a bignum (and that they have sign) doesn't agree | ||||||
|  | 	// with the openssl one (where they do not). The above is true as of | ||||||
|  | 	// Go 1.1. In the end it was simpler to rewrite the code to explicitly | ||||||
|  | 	// understand the format which is this: | ||||||
|  | 	// 0x30 <length of whole message> <0x02> <length of R> <R> 0x2 | ||||||
|  | 	// <length of S> <S>. | ||||||
|  |  | ||||||
|  | 	signature := &Signature{} | ||||||
|  |  | ||||||
|  | 	// minimal message is when both numbers are 1 bytes. adding up to: | ||||||
|  | 	// 0x30 + len + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte> | ||||||
|  | 	if len(sigStr) < 8 { | ||||||
|  | 		return nil, errors.New("malformed signature: too short") | ||||||
|  | 	} | ||||||
|  | 	// 0x30 | ||||||
|  | 	index := 0 | ||||||
|  | 	if sigStr[index] != 0x30 { | ||||||
|  | 		return nil, errors.New("malformed signature: no header magic") | ||||||
|  | 	} | ||||||
|  | 	index++ | ||||||
|  | 	// length of remaining message | ||||||
|  | 	siglen := sigStr[index] | ||||||
|  | 	index++ | ||||||
|  | 	if int(siglen+2) > len(sigStr) { | ||||||
|  | 		return nil, errors.New("malformed signature: bad length") | ||||||
|  | 	} | ||||||
|  | 	// trim the slice we're working on so we only look at what matters. | ||||||
|  | 	sigStr = sigStr[:siglen+2] | ||||||
|  |  | ||||||
|  | 	// 0x02 | ||||||
|  | 	if sigStr[index] != 0x02 { | ||||||
|  | 		return nil, | ||||||
|  | 			errors.New("malformed signature: no 1st int marker") | ||||||
|  | 	} | ||||||
|  | 	index++ | ||||||
|  |  | ||||||
|  | 	// Length of signature R. | ||||||
|  | 	rLen := int(sigStr[index]) | ||||||
|  | 	// must be positive, must be able to fit in another 0x2, <len> <s> | ||||||
|  | 	// hence the -3. We assume that the length must be at least one byte. | ||||||
|  | 	index++ | ||||||
|  | 	if rLen <= 0 || rLen > len(sigStr)-index-3 { | ||||||
|  | 		return nil, errors.New("malformed signature: bogus R length") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Then R itself. | ||||||
|  | 	rBytes := sigStr[index : index+rLen] | ||||||
|  | 	if der { | ||||||
|  | 		switch err := canonicalPadding(rBytes); err { | ||||||
|  | 		case errNegativeValue: | ||||||
|  | 			return nil, errors.New("signature R is negative") | ||||||
|  | 		case errExcessivelyPaddedValue: | ||||||
|  | 			return nil, errors.New("signature R is excessively padded") | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	signature.R = new(big.Int).SetBytes(rBytes) | ||||||
|  | 	index += rLen | ||||||
|  | 	// 0x02. length already checked in previous if. | ||||||
|  | 	if sigStr[index] != 0x02 { | ||||||
|  | 		return nil, errors.New("malformed signature: no 2nd int marker") | ||||||
|  | 	} | ||||||
|  | 	index++ | ||||||
|  |  | ||||||
|  | 	// Length of signature S. | ||||||
|  | 	sLen := int(sigStr[index]) | ||||||
|  | 	index++ | ||||||
|  | 	// S should be the rest of the string. | ||||||
|  | 	if sLen <= 0 || sLen > len(sigStr)-index { | ||||||
|  | 		return nil, errors.New("malformed signature: bogus S length") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Then S itself. | ||||||
|  | 	sBytes := sigStr[index : index+sLen] | ||||||
|  | 	if der { | ||||||
|  | 		switch err := canonicalPadding(sBytes); err { | ||||||
|  | 		case errNegativeValue: | ||||||
|  | 			return nil, errors.New("signature S is negative") | ||||||
|  | 		case errExcessivelyPaddedValue: | ||||||
|  | 			return nil, errors.New("signature S is excessively padded") | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	signature.S = new(big.Int).SetBytes(sBytes) | ||||||
|  | 	index += sLen | ||||||
|  |  | ||||||
|  | 	// sanity check length parsing | ||||||
|  | 	if index != len(sigStr) { | ||||||
|  | 		return nil, fmt.Errorf("malformed signature: bad final length %v != %v", | ||||||
|  | 			index, len(sigStr)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Verify also checks this, but we can be more sure that we parsed | ||||||
|  | 	// correctly if we verify here too. | ||||||
|  | 	// FWIW the ecdsa spec states that R and S must be | 1, N - 1 | | ||||||
|  | 	// but crypto/ecdsa only checks for Sign != 0. Mirror that. | ||||||
|  | 	if signature.R.Sign() != 1 { | ||||||
|  | 		return nil, errors.New("signature R isn't 1 or more") | ||||||
|  | 	} | ||||||
|  | 	if signature.S.Sign() != 1 { | ||||||
|  | 		return nil, errors.New("signature S isn't 1 or more") | ||||||
|  | 	} | ||||||
|  | 	if signature.R.Cmp(curve.Params().N) >= 0 { | ||||||
|  | 		return nil, errors.New("signature R is >= curve.N") | ||||||
|  | 	} | ||||||
|  | 	if signature.S.Cmp(curve.Params().N) >= 0 { | ||||||
|  | 		return nil, errors.New("signature S is >= curve.N") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return signature, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ParseSignature parses a signature in BER format for the curve type `curve' | ||||||
|  | // into a Signature type, perfoming some basic sanity checks.  If parsing | ||||||
|  | // according to the more strict DER format is needed, use ParseDERSignature. | ||||||
|  | func ParseSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) { | ||||||
|  | 	return parseSig(sigStr, curve, false) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ParseDERSignature parses a signature in DER format for the curve type | ||||||
|  | // `curve` into a Signature type.  If parsing according to the less strict | ||||||
|  | // BER format is needed, use ParseSignature. | ||||||
|  | func ParseDERSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) { | ||||||
|  | 	return parseSig(sigStr, curve, true) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // canonicalizeInt returns the bytes for the passed big integer adjusted as | ||||||
|  | // necessary to ensure that a big-endian encoded integer can't possibly be | ||||||
|  | // misinterpreted as a negative number.  This can happen when the most | ||||||
|  | // significant bit is set, so it is padded by a leading zero byte in this case. | ||||||
|  | // Also, the returned bytes will have at least a single byte when the passed | ||||||
|  | // value is 0.  This is required for DER encoding. | ||||||
|  | func canonicalizeInt(val *big.Int) []byte { | ||||||
|  | 	b := val.Bytes() | ||||||
|  | 	if len(b) == 0 { | ||||||
|  | 		b = []byte{0x00} | ||||||
|  | 	} | ||||||
|  | 	if b[0]&0x80 != 0 { | ||||||
|  | 		paddedBytes := make([]byte, len(b)+1) | ||||||
|  | 		copy(paddedBytes[1:], b) | ||||||
|  | 		b = paddedBytes | ||||||
|  | 	} | ||||||
|  | 	return b | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // canonicalPadding checks whether a big-endian encoded integer could | ||||||
|  | // possibly be misinterpreted as a negative number (even though OpenSSL | ||||||
|  | // treats all numbers as unsigned), or if there is any unnecessary | ||||||
|  | // leading zero padding. | ||||||
|  | func canonicalPadding(b []byte) error { | ||||||
|  | 	switch { | ||||||
|  | 	case b[0]&0x80 == 0x80: | ||||||
|  | 		return errNegativeValue | ||||||
|  | 	case len(b) > 1 && b[0] == 0x00 && b[1]&0x80 != 0x80: | ||||||
|  | 		return errExcessivelyPaddedValue | ||||||
|  | 	default: | ||||||
|  | 		return nil | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // hashToInt converts a hash value to an integer. There is some disagreement | ||||||
|  | // about how this is done. [NSA] suggests that this is done in the obvious | ||||||
|  | // manner, but [SECG] truncates the hash to the bit-length of the curve order | ||||||
|  | // first. We follow [SECG] because that's what OpenSSL does. Additionally, | ||||||
|  | // OpenSSL right shifts excess bits from the number if the hash is too large | ||||||
|  | // and we mirror that too. | ||||||
|  | // This is borrowed from crypto/ecdsa. | ||||||
|  | func hashToInt(hash []byte, c elliptic.Curve) *big.Int { | ||||||
|  | 	orderBits := c.Params().N.BitLen() | ||||||
|  | 	orderBytes := (orderBits + 7) / 8 | ||||||
|  | 	if len(hash) > orderBytes { | ||||||
|  | 		hash = hash[:orderBytes] | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	ret := new(big.Int).SetBytes(hash) | ||||||
|  | 	excess := len(hash)*8 - orderBits | ||||||
|  | 	if excess > 0 { | ||||||
|  | 		ret.Rsh(ret, uint(excess)) | ||||||
|  | 	} | ||||||
|  | 	return ret | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // recoverKeyFromSignature recoves a public key from the signature "sig" on the | ||||||
|  | // given message hash "msg". Based on the algorithm found in section 5.1.5 of | ||||||
|  | // SEC 1 Ver 2.0, page 47-48 (53 and 54 in the pdf). This performs the details | ||||||
|  | // in the inner loop in Step 1. The counter provided is actually the j parameter | ||||||
|  | // of the loop * 2 - on the first iteration of j we do the R case, else the -R | ||||||
|  | // case in step 1.6. This counter is used in the bitcoin compressed signature | ||||||
|  | // format and thus we match bitcoind's behaviour here. | ||||||
|  | func recoverKeyFromSignature(curve *KoblitzCurve, sig *Signature, msg []byte, | ||||||
|  | 	iter int, doChecks bool) (*PublicKey, error) { | ||||||
|  | 	// 1.1 x = (n * i) + r | ||||||
|  | 	Rx := new(big.Int).Mul(curve.Params().N, | ||||||
|  | 		new(big.Int).SetInt64(int64(iter/2))) | ||||||
|  | 	Rx.Add(Rx, sig.R) | ||||||
|  | 	if Rx.Cmp(curve.Params().P) != -1 { | ||||||
|  | 		return nil, errors.New("calculated Rx is larger than curve P") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// convert 02<Rx> to point R. (step 1.2 and 1.3). If we are on an odd | ||||||
|  | 	// iteration then 1.6 will be done with -R, so we calculate the other | ||||||
|  | 	// term when uncompressing the point. | ||||||
|  | 	Ry, err := decompressPoint(curve, Rx, iter%2 == 1) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// 1.4 Check n*R is point at infinity | ||||||
|  | 	if doChecks { | ||||||
|  | 		nRx, nRy := curve.ScalarMult(Rx, Ry, curve.Params().N.Bytes()) | ||||||
|  | 		if nRx.Sign() != 0 || nRy.Sign() != 0 { | ||||||
|  | 			return nil, errors.New("n*R does not equal the point at infinity") | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// 1.5 calculate e from message using the same algorithm as ecdsa | ||||||
|  | 	// signature calculation. | ||||||
|  | 	e := hashToInt(msg, curve) | ||||||
|  |  | ||||||
|  | 	// Step 1.6.1: | ||||||
|  | 	// We calculate the two terms sR and eG separately multiplied by the | ||||||
|  | 	// inverse of r (from the signature). We then add them to calculate | ||||||
|  | 	// Q = r^-1(sR-eG) | ||||||
|  | 	invr := new(big.Int).ModInverse(sig.R, curve.Params().N) | ||||||
|  |  | ||||||
|  | 	// first term. | ||||||
|  | 	invrS := new(big.Int).Mul(invr, sig.S) | ||||||
|  | 	invrS.Mod(invrS, curve.Params().N) | ||||||
|  | 	sRx, sRy := curve.ScalarMult(Rx, Ry, invrS.Bytes()) | ||||||
|  |  | ||||||
|  | 	// second term. | ||||||
|  | 	e.Neg(e) | ||||||
|  | 	e.Mod(e, curve.Params().N) | ||||||
|  | 	e.Mul(e, invr) | ||||||
|  | 	e.Mod(e, curve.Params().N) | ||||||
|  | 	minuseGx, minuseGy := curve.ScalarBaseMult(e.Bytes()) | ||||||
|  |  | ||||||
|  | 	// TODO: this would be faster if we did a mult and add in one | ||||||
|  | 	// step to prevent the jacobian conversion back and forth. | ||||||
|  | 	Qx, Qy := curve.Add(sRx, sRy, minuseGx, minuseGy) | ||||||
|  |  | ||||||
|  | 	return &PublicKey{ | ||||||
|  | 		Curve: curve, | ||||||
|  | 		X:     Qx, | ||||||
|  | 		Y:     Qy, | ||||||
|  | 	}, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // SignCompact produces a compact signature of the data in hash with the given | ||||||
|  | // private key on the given koblitz curve. The isCompressed  parameter should | ||||||
|  | // be used to detail if the given signature should reference a compressed | ||||||
|  | // public key or not. If successful the bytes of the compact signature will be | ||||||
|  | // returned in the format: | ||||||
|  | // <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S> | ||||||
|  | // where the R and S parameters are padde up to the bitlengh of the curve. | ||||||
|  | func SignCompact(curve *KoblitzCurve, key *PrivateKey, | ||||||
|  | 	hash []byte, isCompressedKey bool) ([]byte, error) { | ||||||
|  | 	sig, err := key.Sign(hash) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// bitcoind checks the bit length of R and S here. The ecdsa signature | ||||||
|  | 	// algorithm returns R and S mod N therefore they will be the bitsize of | ||||||
|  | 	// the curve, and thus correctly sized. | ||||||
|  | 	for i := 0; i < (curve.H+1)*2; i++ { | ||||||
|  | 		pk, err := recoverKeyFromSignature(curve, sig, hash, i, true) | ||||||
|  | 		if err == nil && pk.X.Cmp(key.X) == 0 && pk.Y.Cmp(key.Y) == 0 { | ||||||
|  | 			result := make([]byte, 1, 2*curve.byteSize+1) | ||||||
|  | 			result[0] = 27 + byte(i) | ||||||
|  | 			if isCompressedKey { | ||||||
|  | 				result[0] += 4 | ||||||
|  | 			} | ||||||
|  | 			// Not sure this needs rounding but safer to do so. | ||||||
|  | 			curvelen := (curve.BitSize + 7) / 8 | ||||||
|  |  | ||||||
|  | 			// Pad R and S to curvelen if needed. | ||||||
|  | 			bytelen := (sig.R.BitLen() + 7) / 8 | ||||||
|  | 			if bytelen < curvelen { | ||||||
|  | 				result = append(result, | ||||||
|  | 					make([]byte, curvelen-bytelen)...) | ||||||
|  | 			} | ||||||
|  | 			result = append(result, sig.R.Bytes()...) | ||||||
|  |  | ||||||
|  | 			bytelen = (sig.S.BitLen() + 7) / 8 | ||||||
|  | 			if bytelen < curvelen { | ||||||
|  | 				result = append(result, | ||||||
|  | 					make([]byte, curvelen-bytelen)...) | ||||||
|  | 			} | ||||||
|  | 			result = append(result, sig.S.Bytes()...) | ||||||
|  |  | ||||||
|  | 			return result, nil | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return nil, errors.New("no valid solution for pubkey found") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // RecoverCompact verifies the compact signature "signature" of "hash" for the | ||||||
|  | // Koblitz curve in "curve". If the signature matches then the recovered public | ||||||
|  | // key will be returned as well as a boolen if the original key was compressed | ||||||
|  | // or not, else an error will be returned. | ||||||
|  | func RecoverCompact(curve *KoblitzCurve, signature, | ||||||
|  | 	hash []byte) (*PublicKey, bool, error) { | ||||||
|  | 	bitlen := (curve.BitSize + 7) / 8 | ||||||
|  | 	if len(signature) != 1+bitlen*2 { | ||||||
|  | 		return nil, false, errors.New("invalid compact signature size") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	iteration := int((signature[0] - 27) & ^byte(4)) | ||||||
|  |  | ||||||
|  | 	// format is <header byte><bitlen R><bitlen S> | ||||||
|  | 	sig := &Signature{ | ||||||
|  | 		R: new(big.Int).SetBytes(signature[1 : bitlen+1]), | ||||||
|  | 		S: new(big.Int).SetBytes(signature[bitlen+1:]), | ||||||
|  | 	} | ||||||
|  | 	// The iteration used here was encoded | ||||||
|  | 	key, err := recoverKeyFromSignature(curve, sig, hash, iteration, false) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, false, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return key, ((signature[0] - 27) & 4) == 4, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // signRFC6979 generates a deterministic ECDSA signature according to RFC 6979 and BIP 62. | ||||||
|  | func signRFC6979(privateKey *PrivateKey, hash []byte) (*Signature, error) { | ||||||
|  |  | ||||||
|  | 	privkey := privateKey.ToECDSA() | ||||||
|  | 	N := order | ||||||
|  | 	k := nonceRFC6979(privkey.D, hash) | ||||||
|  | 	inv := new(big.Int).ModInverse(k, N) | ||||||
|  | 	r, _ := privkey.Curve.ScalarBaseMult(k.Bytes()) | ||||||
|  | 	if r.Cmp(N) == 1 { | ||||||
|  | 		r.Sub(r, N) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if r.Sign() == 0 { | ||||||
|  | 		return nil, errors.New("calculated R is zero") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	e := hashToInt(hash, privkey.Curve) | ||||||
|  | 	s := new(big.Int).Mul(privkey.D, r) | ||||||
|  | 	s.Add(s, e) | ||||||
|  | 	s.Mul(s, inv) | ||||||
|  | 	s.Mod(s, N) | ||||||
|  |  | ||||||
|  | 	if s.Cmp(halforder) == 1 { | ||||||
|  | 		s.Sub(N, s) | ||||||
|  | 	} | ||||||
|  | 	if s.Sign() == 0 { | ||||||
|  | 		return nil, errors.New("calculated S is zero") | ||||||
|  | 	} | ||||||
|  | 	return &Signature{R: r, S: s}, nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // nonceRFC6979 generates an ECDSA nonce (`k`) deterministically according to RFC 6979. | ||||||
|  | // It takes a 32-byte hash as an input and returns 32-byte nonce to be used in ECDSA algorithm. | ||||||
|  | func nonceRFC6979(privkey *big.Int, hash []byte) *big.Int { | ||||||
|  |  | ||||||
|  | 	curve := S256() | ||||||
|  | 	q := curve.Params().N | ||||||
|  | 	x := privkey | ||||||
|  | 	alg := sha256.New | ||||||
|  |  | ||||||
|  | 	qlen := q.BitLen() | ||||||
|  | 	holen := alg().Size() | ||||||
|  | 	rolen := (qlen + 7) >> 3 | ||||||
|  | 	bx := append(int2octets(x, rolen), bits2octets(hash, curve, rolen)...) | ||||||
|  |  | ||||||
|  | 	// Step B | ||||||
|  | 	v := bytes.Repeat(oneInitializer, holen) | ||||||
|  |  | ||||||
|  | 	// Step C (Go zeroes the all allocated memory) | ||||||
|  | 	k := make([]byte, holen) | ||||||
|  |  | ||||||
|  | 	// Step D | ||||||
|  | 	k = mac(alg, k, append(append(v, 0x00), bx...)) | ||||||
|  |  | ||||||
|  | 	// Step E | ||||||
|  | 	v = mac(alg, k, v) | ||||||
|  |  | ||||||
|  | 	// Step F | ||||||
|  | 	k = mac(alg, k, append(append(v, 0x01), bx...)) | ||||||
|  |  | ||||||
|  | 	// Step G | ||||||
|  | 	v = mac(alg, k, v) | ||||||
|  |  | ||||||
|  | 	// Step H | ||||||
|  | 	for { | ||||||
|  | 		// Step H1 | ||||||
|  | 		var t []byte | ||||||
|  |  | ||||||
|  | 		// Step H2 | ||||||
|  | 		for len(t)*8 < qlen { | ||||||
|  | 			v = mac(alg, k, v) | ||||||
|  | 			t = append(t, v...) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Step H3 | ||||||
|  | 		secret := hashToInt(t, curve) | ||||||
|  | 		if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 { | ||||||
|  | 			return secret | ||||||
|  | 		} | ||||||
|  | 		k = mac(alg, k, append(v, 0x00)) | ||||||
|  | 		v = mac(alg, k, v) | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // mac returns an HMAC of the given key and message. | ||||||
|  | func mac(alg func() hash.Hash, k, m []byte) []byte { | ||||||
|  | 	h := hmac.New(alg, k) | ||||||
|  | 	h.Write(m) | ||||||
|  | 	return h.Sum(nil) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // https://tools.ietf.org/html/rfc6979#section-2.3.3 | ||||||
|  | func int2octets(v *big.Int, rolen int) []byte { | ||||||
|  | 	out := v.Bytes() | ||||||
|  |  | ||||||
|  | 	// left pad with zeros if it's too short | ||||||
|  | 	if len(out) < rolen { | ||||||
|  | 		out2 := make([]byte, rolen) | ||||||
|  | 		copy(out2[rolen-len(out):], out) | ||||||
|  | 		return out2 | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// drop most significant bytes if it's too long | ||||||
|  | 	if len(out) > rolen { | ||||||
|  | 		out2 := make([]byte, rolen) | ||||||
|  | 		copy(out2, out[len(out)-rolen:]) | ||||||
|  | 		return out2 | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return out | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // https://tools.ietf.org/html/rfc6979#section-2.3.4 | ||||||
|  | func bits2octets(in []byte, curve elliptic.Curve, rolen int) []byte { | ||||||
|  | 	z1 := hashToInt(in, curve) | ||||||
|  | 	z2 := new(big.Int).Sub(z1, curve.Params().N) | ||||||
|  | 	if z2.Sign() < 0 { | ||||||
|  | 		return int2octets(z1, rolen) | ||||||
|  | 	} | ||||||
|  | 	return int2octets(z2, rolen) | ||||||
|  | } | ||||||
							
								
								
									
										6
									
								
								vendor/vendor.json
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										6
									
								
								vendor/vendor.json
									
									
									
									
										vendored
									
									
								
							| @@ -16,6 +16,12 @@ | |||||||
| 			"revision": "ea17b1a17847fb6e4c0a91de0b674704693469b0", | 			"revision": "ea17b1a17847fb6e4c0a91de0b674704693469b0", | ||||||
| 			"revisionTime": "2017-02-10T01:56:32Z" | 			"revisionTime": "2017-02-10T01:56:32Z" | ||||||
| 		}, | 		}, | ||||||
|  | 		{ | ||||||
|  | 			"checksumSHA1": "fIpm6Vr5a8kgr22gWkQx7vKUTyU=", | ||||||
|  | 			"path": "github.com/btcsuite/btcd/btcec", | ||||||
|  | 			"revision": "d06c0bb181529331be8f8d9350288c420d9e60e4", | ||||||
|  | 			"revisionTime": "2017-02-01T21:25:25Z" | ||||||
|  | 		}, | ||||||
| 		{ | 		{ | ||||||
| 			"checksumSHA1": "cDMtzKmdTx4CcIpP4broa+16X9g=", | 			"checksumSHA1": "cDMtzKmdTx4CcIpP4broa+16X9g=", | ||||||
| 			"path": "github.com/cespare/cp", | 			"path": "github.com/cespare/cp", | ||||||
|   | |||||||
| @@ -21,11 +21,13 @@ package whisperv2 | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"crypto/ecdsa" | 	"crypto/ecdsa" | ||||||
|  | 	crand "crypto/rand" | ||||||
| 	"math/rand" | 	"math/rand" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
|  | 	"github.com/ethereum/go-ethereum/crypto/ecies" | ||||||
| 	"github.com/ethereum/go-ethereum/logger" | 	"github.com/ethereum/go-ethereum/logger" | ||||||
| 	"github.com/ethereum/go-ethereum/logger/glog" | 	"github.com/ethereum/go-ethereum/logger/glog" | ||||||
| ) | ) | ||||||
| @@ -131,13 +133,13 @@ func (self *Message) Recover() *ecdsa.PublicKey { | |||||||
|  |  | ||||||
| // encrypt encrypts a message payload with a public key. | // encrypt encrypts a message payload with a public key. | ||||||
| func (self *Message) encrypt(key *ecdsa.PublicKey) (err error) { | func (self *Message) encrypt(key *ecdsa.PublicKey) (err error) { | ||||||
| 	self.Payload, err = crypto.Encrypt(key, self.Payload) | 	self.Payload, err = ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), self.Payload, nil, nil) | ||||||
| 	return | 	return | ||||||
| } | } | ||||||
|  |  | ||||||
| // decrypt decrypts an encrypted payload with a private key. | // decrypt decrypts an encrypted payload with a private key. | ||||||
| func (self *Message) decrypt(key *ecdsa.PrivateKey) error { | func (self *Message) decrypt(key *ecdsa.PrivateKey) error { | ||||||
| 	cleartext, err := crypto.Decrypt(key, self.Payload) | 	cleartext, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, self.Payload, nil, nil) | ||||||
| 	if err == nil { | 	if err == nil { | ||||||
| 		self.Payload = cleartext | 		self.Payload = cleartext | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -23,7 +23,6 @@ import ( | |||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/crypto" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto/secp256k1" |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // Tests whether a message can be wrapped without any identity or encryption. | // Tests whether a message can be wrapped without any identity or encryption. | ||||||
| @@ -73,8 +72,8 @@ func TestMessageCleartextSignRecover(t *testing.T) { | |||||||
| 	if pubKey == nil { | 	if pubKey == nil { | ||||||
| 		t.Fatalf("failed to recover public key") | 		t.Fatalf("failed to recover public key") | ||||||
| 	} | 	} | ||||||
| 	p1 := elliptic.Marshal(secp256k1.S256(), key.PublicKey.X, key.PublicKey.Y) | 	p1 := elliptic.Marshal(crypto.S256(), key.PublicKey.X, key.PublicKey.Y) | ||||||
| 	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y) | 	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y) | ||||||
| 	if !bytes.Equal(p1, p2) { | 	if !bytes.Equal(p1, p2) { | ||||||
| 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) | 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) | ||||||
| 	} | 	} | ||||||
| @@ -151,8 +150,8 @@ func TestMessageFullCrypto(t *testing.T) { | |||||||
| 	if pubKey == nil { | 	if pubKey == nil { | ||||||
| 		t.Fatalf("failed to recover public key") | 		t.Fatalf("failed to recover public key") | ||||||
| 	} | 	} | ||||||
| 	p1 := elliptic.Marshal(secp256k1.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y) | 	p1 := elliptic.Marshal(crypto.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y) | ||||||
| 	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y) | 	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y) | ||||||
| 	if !bytes.Equal(p1, p2) { | 	if !bytes.Equal(p1, p2) { | ||||||
| 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) | 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -30,6 +30,7 @@ import ( | |||||||
|  |  | ||||||
| 	"github.com/ethereum/go-ethereum/common" | 	"github.com/ethereum/go-ethereum/common" | ||||||
| 	"github.com/ethereum/go-ethereum/crypto" | 	"github.com/ethereum/go-ethereum/crypto" | ||||||
|  | 	"github.com/ethereum/go-ethereum/crypto/ecies" | ||||||
| 	"github.com/ethereum/go-ethereum/logger" | 	"github.com/ethereum/go-ethereum/logger" | ||||||
| 	"github.com/ethereum/go-ethereum/logger/glog" | 	"github.com/ethereum/go-ethereum/logger/glog" | ||||||
| 	"golang.org/x/crypto/pbkdf2" | 	"golang.org/x/crypto/pbkdf2" | ||||||
| @@ -163,7 +164,7 @@ func (msg *SentMessage) encryptAsymmetric(key *ecdsa.PublicKey) error { | |||||||
| 	if !ValidatePublicKey(key) { | 	if !ValidatePublicKey(key) { | ||||||
| 		return fmt.Errorf("Invalid public key provided for asymmetric encryption") | 		return fmt.Errorf("Invalid public key provided for asymmetric encryption") | ||||||
| 	} | 	} | ||||||
| 	encrypted, err := crypto.Encrypt(key, msg.Raw) | 	encrypted, err := ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), msg.Raw, nil, nil) | ||||||
| 	if err == nil { | 	if err == nil { | ||||||
| 		msg.Raw = encrypted | 		msg.Raw = encrypted | ||||||
| 	} | 	} | ||||||
| @@ -293,7 +294,7 @@ func (msg *ReceivedMessage) decryptSymmetric(key []byte, salt []byte, nonce []by | |||||||
|  |  | ||||||
| // decryptAsymmetric decrypts an encrypted payload with a private key. | // decryptAsymmetric decrypts an encrypted payload with a private key. | ||||||
| func (msg *ReceivedMessage) decryptAsymmetric(key *ecdsa.PrivateKey) error { | func (msg *ReceivedMessage) decryptAsymmetric(key *ecdsa.PrivateKey) error { | ||||||
| 	decrypted, err := crypto.Decrypt(key, msg.Raw) | 	decrypted, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, msg.Raw, nil, nil) | ||||||
| 	if err == nil { | 	if err == nil { | ||||||
| 		msg.Raw = decrypted | 		msg.Raw = decrypted | ||||||
| 	} | 	} | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user