ecdsa_get_public_key and ecdsa_verify methods

11 years ago · 3f737896a4
parent 1f75cd031b
commit 3f737896a4
4 changed files with 190 additions and 35 deletions
--- a/ecdsa.c
+++ b/ecdsa.c
@ -31,6 +31,8 @@
 #include "secp256k1.h"
 #include "aux.h"

+#define INVERSE_FAST 1
+
 // assumes x < 2*prime
 void mod(bignum256 *x, bignum256 const *prime)
 {
@ -123,7 +125,40 @@ void fast_mod(bignum256 *x, bignum256 const *prime)
 	}
 }

-// in field G_prime
+#ifndef INVERSE_FAST
+
+#ifdef USE_PRECOMPUTED_IV
+#warning USE_PRECOMPUTED_IV will not be used, please undef
+#endif
+// in field G_prime, small but slow
+void inverse(bignum256 *x, bignum256 const *prime)
+{
+	uint32_t i, j, limb;
+	bignum256 res;
+	res.val[0] = 1;
+	for (i = 1; i < 9;i++) {
+		res.val[i] = 0;
+	}
+	for (i = 0; i < 9;i++) {
+		limb = prime->val[i];
+		// this is not enough in general but fine for secp256k1 because prime->val[0] > 1
+		if (i == 0) limb -= 2;
+		for (j = 0;j < 30; j++) {
+			if (i == 8 && limb == 0) break;
+			if (limb & 1) {
+				multiply(x, &res, prime);
+			}
+			limb >>= 1;
+			multiply(x, x, prime);
+		}
+	}
+	mod(&res, prime);
+	memcpy(x, &res, sizeof(bignum256));
+}
+
+#else
+
+// in field G_prime, big but fast
 void inverse(bignum256 *x, bignum256 const *prime)
 {
 	int i, j, k, len1, len2, mask;
@ -294,6 +329,7 @@ void inverse(bignum256 *x, bignum256 const *prime)
 		}
 	}
 }
+#endif

 // res = a - b
 // b < 2*prime; result not normalized
@ -337,7 +373,6 @@ void point_add(const curve_point *cp1, curve_point *cp2)
 	memcpy(&(cp2->y), &yr, sizeof(bignum256));
 }

-#ifndef USE_PRECOMPUTED_CP
 // cp = cp + cp
 void point_double(curve_point *cp)
 {
@ -368,7 +403,6 @@ void point_double(curve_point *cp)
 	memcpy(&(cp->x), &xr, sizeof(bignum256));
 	memcpy(&(cp->y), &yr, sizeof(bignum256));
 }
-#endif

 // res = k * G
 void scalar_multiply(bignum256 *k, curve_point *res)
@ -437,6 +471,19 @@ void write_der(const bignum256 *x, uint8_t *buf)
 	buf[1] = len;
 }

+void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
+{
+	uint32_t i;
+	uint64_t temp;
+	temp = 0;
+	for (i = 0; i < 8; i++) {
+		temp += (((uint64_t)read_be(in_number + (7 - i) * 4)) << (2 * i));
+		out_number->val[i]= temp & 0x3FFFFFFF;
+		temp >>= 30;
+	}
+	out_number->val[8] = temp;
+}
+
 // uses secp256k1 curve
 // priv_key is a 32 byte big endian stored number
 // msg is a data to be signed
@ -446,7 +493,6 @@ void write_der(const bignum256 *x, uint8_t *buf)
 void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
 {
 	uint32_t i;
-	uint64_t temp;
 	uint8_t hash[32];
 	curve_point R;
 	bignum256 k, z;
@ -456,13 +502,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
 	// if double hash is required uncomment the following line:
 	// sha256(hash, 32, hash);

-	temp = 0;
-	for (i = 0; i < 8; i++) {
-		temp += (((uint64_t)read_be(hash + (7 - i) * 4)) << (2 * i));
-		z.val[i]= temp & 0x3FFFFFFF;
-		temp >>= 30;
-	}
-	z.val[8] = temp;
+	read_32byte_big_endian(hash, &z);
 	for (;;) {
 		// generate random number k
 		for (i = 0; i < 8; i++) {
@ -482,13 +522,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
 		}
 		if (i == 9) continue;
 		inverse(&k, &order256k1);
-		temp = 0;
-		for (i = 0; i < 8; i++) {
-			temp += (((uint64_t)read_be(priv_key + (7 - i) * 4)) << (2 * i));
-			da->val[i] = temp & 0x3FFFFFFF;
-			temp >>= 30;
-		}
-		da->val[8] = temp;
+		read_32byte_big_endian(priv_key, da);
 		multiply(&R.x, da, &order256k1);
 		for (i = 0; i < 8; i++) {
 			da->val[i] += z.val[i];
@ -514,22 +548,130 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
 	*sig_len = i + 2;
 }

-void ecdsa_pubkey(uint8_t *priv_key, uint8_t *public_key_x, uint8_t *public_key_y)
+// uses secp256k1 curve
+// priv_key is a 32 byte big endian stored number
+// pub_key is at least 70 bytes long array for the public key
+void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
 {
 	uint32_t i;
-	uint64_t temp;
-	curve_point G;
-	bignum256 da;
-	temp = 0;
+	curve_point R;
+	bignum256 k;

-	for (i = 0; i < 8; i++) {
-		temp += (((uint64_t)read_be(priv_key + (7 - i) * 4)) << (2 * i));
-		da.val[i] = temp & 0x3FFFFFFF;
-		temp >>= 30;
+	read_32byte_big_endian(priv_key, &k);
+	// compute k*G
+	scalar_multiply(&k, &R);
+	write_der(&R.x, pub_key + 2);
+	i = pub_key[3] + 2;
+	write_der(&R.y, pub_key + 2 + i);
+	i += pub_key[3+i] + 2;
+	pub_key[0] = 0x30;
+	pub_key[1] = i;
+	*pub_key_len = i + 2;
+}
+
+// does not validate that this is valid der encoding
+// assumes it is der encoding containing 1 number
+void read_der_single(uint8_t *der, bignum256 *elem)
+{
+	int i, j;
+	uint8_t val[32];
+	i = 1 + der[1];
+	j = 31;
+	// we ignore all bytes after 32nd. if there are any, those are either zero or invalid for secp256k1
+	while (i > 1 && j >= 0) {
+		val[j] = der[i];
+		i--; j--;
 	}
-	da.val[8] = temp;
-	scalar_multiply(&da, &G);
-	write_der(&G.x, public_key_x);
-	write_der(&G.y, public_key_y);
+	for (i = 0;i <= j; i++) {
+		val[i] = 0;
+	}
+	read_32byte_big_endian(val, elem);
 }

+// does not validate that this is valid der encoding
+// assumes it is der encoding containing 2 numbers (either public key or ecdsa signature)
+void read_der_pair(uint8_t *der, bignum256 *elem1, bignum256 *elem2)
+{
+	read_der_single(der + 2, elem1);
+	read_der_single(der + 4 + der[3], elem2);
+}
+
+int is_zero(const bignum256 *a)
+{
+	int i;
+	for (i = 0;i < 9; i++) {
+		if (a->val[i] != 0) return 0;
+	}
+	return 1;
+}
+
+int bignum256_less(const bignum256 *a, const bignum256 *b)
+{
+	int i;
+	for (i = 8;i >= 0; i--) {
+		if (a->val[i] < b->val[i]) return 1;
+		if (a->val[i] > b->val[i]) return 0;
+	}
+	return 0;
+}
+
+// uses secp256k1 curve
+// pub_key and signature are DER encoded
+// msg is a data that was signed
+// msg_len is the message length
+// returns 0 if verification succeeded
+// it is assumed that public key is valid otherwise calling this does not make much sense
+int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len)
+{
+	int i, j;
+	uint8_t hash[32];
+	curve_point pub,res;
+	bignum256 r, s, z;
+	int res_is_zero = 0;
+	// compute hash function of message
+	sha256(msg, msg_len, hash);
+	// if double hash is required uncomment the following line:
+	// sha256(hash, 32, hash);
+
+	read_32byte_big_endian(hash, &z);
+	read_der_pair(pub_key, &pub.x, &pub.y);
+	read_der_pair(signature, &r, &s);
+
+	if (is_zero(&r) ||
+	    is_zero(&s) ||
+	    (!bignum256_less(&r,&order256k1)) ||
+	    (!bignum256_less(&s,&order256k1))) return 1;
+
+	inverse(&s, &order256k1); // s^-1
+	multiply(&s, &z, &order256k1); // z*s^-1
+	mod(&z, &order256k1);
+	multiply(&r, &s, &order256k1); // r*s^-1
+	mod(&s, &order256k1);
+	if (is_zero(&z)) {
+		// our message hashes to zero
+		// I don't expect this to happen any time soon
+		res_is_zero = 1;
+	} else {
+		scalar_multiply(&z, &res);
+	}
+
+	// TODO both pub and res can be infinity, can have y = 0 OR can be equal
+	for (i = 0; i < 9; i++) {
+		for (j = 0; j < 30; j++) {
+			if (i == 8 && (s.val[i] >> j) == 0) break;
+			if (s.val[i] & (1u << j)) {
+				point_add(&pub, &res);
+			}
+			point_double(&pub);
+		}
+	}
+
+	mod(&(res.x), &prime256k1);
+	mod(&(res.x), &order256k1);
+	for (i = 0;i < 9; i++) {
+		if (res.x.val[i] != r.val[i]) {
+			return 1;
+		}
+	}
+	return 0;
+}
--- a/ecdsa.h
+++ b/ecdsa.h
@ -28,6 +28,7 @@

 // uses secp256k1 curve
 void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
-void ecdsa_pubkey(uint8_t *priv_key, uint8_t *public_key_x, uint8_t *public_key_y);
+void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
+int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len);

 #endif
--- a/secp256k1.h
+++ b/secp256k1.h
@ -26,7 +26,10 @@

 #include <stdint.h>

+// use precomputed Inverse Values of powers of two
 #define USE_PRECOMPUTED_IV 1
+
+// use precomputed Curve Points (some scalar multiples of curve base point G)
 #define USE_PRECOMPUTED_CP 1

 // bignum256 are 256 bits stored as 8*30 bit + 1*16 bit
--- a/test-verify.c
+++ b/test-verify.c
@ -32,8 +32,8 @@

 int main()
 {
-	uint8_t sig[70], priv_key[32], msg[256], buffer[1000], hash[32], *p;
-	uint32_t sig_len, i, j, msg_len;
+	uint8_t sig[70], pub_key[70], priv_key[32], msg[256], buffer[1000], hash[32], *p;
+	uint32_t sig_len, pub_key_len, i, j, msg_len;
 	SHA256_CTX sha256;
 	EC_GROUP *ecgroup;
 	int cnt = 0;
@ -77,6 +77,15 @@ int main()
 		// use our ECDSA signer to sign the message with the key
 		ecdsa_sign(priv_key, msg, msg_len, sig, &sig_len);

+		// generate public key from private key
+		ecdsa_get_public_key(priv_key, pub_key, &pub_key_len);
+
+		// use our ECDSA verifier to verify the message signature
+		if (ecdsa_verify(pub_key, sig, msg, msg_len) != 0) {
+			printf("MicroECDSA verification failed\n");
+			break;
+		}
+
 		// copy signature to the OpenSSL struct
 		p = sig;
 		ECDSA_SIG *signature = d2i_ECDSA_SIG(NULL, (const uint8_t **)&p, sig_len);
@ -88,7 +97,7 @@ int main()

 		// verify all went well, i.e. we can decrypt our signature with OpenSSL
 		if (ECDSA_do_verify(hash, 32, signature, eckey) != 1) {
-			printf("Verification failed\n");
+			printf("OpenSSL verification failed\n");
 			break;
 		}
 		ECDSA_SIG_free(signature);