implement RFC 6979

11 years ago · 603acbd1be
parent 047b30cf2f
commit 603acbd1be
7 changed files with 148 additions and 39 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 *.o
+test-rfc6979
 test-speed
 test-verify
--- a/5
+++ b/5
@ -2,11 +2,14 @@ CC     = gcc
 CFLAGS = -Wall -Os
 OBJS   = aux.o ecdsa.o secp256k1.o sha2.o rand.o hmac.o

-all: test-speed test-verify
+all: test-rfc6979 test-speed test-verify

 %.o: %.c
 	$(CC) $(CFLAGS) -o $@ -c $<

+test-rfc6979: test-rfc6979.o $(OBJS)
+	gcc test-rfc6979.o $(OBJS) -o test-rfc6979
+
 test-speed: test-speed.o $(OBJS)
 	gcc test-speed.o $(OBJS) -o test-speed

--- a/2
+++ b/2
@ -11,6 +11,8 @@ Notes
 a) the signer only understands secp256k1 elliptic curve

 b) there are executables:
+   * test-rfc6979
+     - check RFC 6979 algorithm for generating deterministic K
   * test-speed
     - check signing speed (sign 100x and compute speed from duration)
   * test-verify
--- a/aux.h
+++ b/aux.h
@ -27,12 +27,12 @@
 #include <stdint.h>

 // rotate uint32 right
-inline uint32_t ror(const uint32_t x, const int n);
+uint32_t ror(const uint32_t x, const int n);

 // read 4 big endian bytes into uint32
-inline uint32_t read_be(const uint8_t *data);
+uint32_t read_be(const uint8_t *data);

 // write 4 big endian bytes
-inline void write_be(uint8_t *data, uint32_t x);
+void write_be(uint8_t *data, uint32_t x);

 #endif
--- a/ecdsa.c
+++ b/ecdsa.c
@ -27,8 +27,8 @@

 #include "rand.h"
 #include "sha2.h"
+#include "hmac.h"
 #include "ecdsa.h"
-#include "secp256k1.h"
 #include "aux.h"

 #define INVERSE_FAST 1
@ -471,11 +471,10 @@ void write_der(const bignum256 *x, uint8_t *buf)
 	buf[1] = len;
 }

-void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
+void read_32byte_big_endian(const uint8_t *in_number, bignum256 *out_number)
 {
-	uint32_t i;
-	uint64_t temp;
-	temp = 0;
+	int i;
+	uint64_t temp = 0;
 	for (i = 0; i < 8; i++) {
 		temp += (((uint64_t)read_be(in_number + (7 - i) * 4)) << (2 * i));
 		out_number->val[i]= temp & 0x3FFFFFFF;
@ -484,6 +483,37 @@ void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
 	out_number->val[8] = temp;
 }

+void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number)
+{
+	int i, shift = 30 + 16 - 32;
+	uint64_t temp = in_number->val[8];
+	for (i = 0; i < 8; i++) {
+		temp <<= 30;
+		temp |= in_number->val[7 - i];
+		write_be(out_number + i * 4, temp >> shift);
+		shift -= 2;
+	}
+}
+
+int is_zero(const bignum256 *a)
+{
+	int i;
+	for (i = 0; i < 9; i++) {
+		if (a->val[i] != 0) return 0;
+	}
+	return 1;
+}
+
+int is_less(const bignum256 *a, const bignum256 *b)
+{
+	int i;
+	for (i = 8; i >= 0; i--) {
+		if (a->val[i] < b->val[i]) return 1;
+		if (a->val[i] > b->val[i]) return 0;
+	}
+	return 0;
+}
+
 // generate random K for signing
 void generate_k_random(bignum256 *k) {
 	int i;
@ -501,8 +531,42 @@ void generate_k_random(bignum256 *k) {

 // generate K in a deterministic way, according to RFC6979
 // http://tools.ietf.org/html/rfc6979
-void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
-	// TODO
+void generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t *hash)
+{
+	uint8_t v[32], k[32], bx[2*32], buf[32 + 1 + sizeof(bx)], t[32];
+	bignum256 z1;
+
+	memcpy(bx, priv_key, 32);
+	read_32byte_big_endian(hash, &z1);
+	mod(&z1, &order256k1);
+	write_32byte_big_endian(&z1, bx + 32);
+
+	memset(v, 1, sizeof(v));
+	memset(k, 0, sizeof(k));
+
+	memcpy(buf, v, sizeof(v));
+	buf[sizeof(v)] = 0x00;
+	memcpy(buf + sizeof(v) + 1, bx, 64);
+	hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
+	hmac_sha256(k, sizeof(k), v, sizeof(v), v);
+
+	memcpy(buf, v, sizeof(v));
+	buf[sizeof(v)] = 0x01;
+	memcpy(buf + sizeof(v) + 1, bx, 64);
+	hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
+	hmac_sha256(k, sizeof(k), v, sizeof(k), v);
+
+	for (;;) {
+		hmac_sha256(k, sizeof(k), v, sizeof(v), t);
+		read_32byte_big_endian(t, secret);
+		if ( !is_zero(secret) && is_less(secret, &order256k1) ) {
+			return;
+		}
+		memcpy(buf, v, sizeof(v));
+		buf[sizeof(v)] = 0x00;
+		hmac_sha256(k, sizeof(k), buf, sizeof(v) + 1, k);
+		hmac_sha256(k, sizeof(k), v, sizeof(v), v);
+	}
 }

 // uses secp256k1 curve
@ -511,7 +575,7 @@ void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
 // msg_len is the message length
 // sig is at least 70 bytes long array for the signature
 // sig_len is the pointer to a uint that will contain resulting signature length. note that ((*sig_len) == sig[1]+2)
-void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
+void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
 {
 	int i;
 	uint8_t hash[32];
@ -525,8 +589,13 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,

 	read_32byte_big_endian(hash, &z);
 	for (;;) {
+
 		// generate random number k
-		generate_k_random(&k);
+		//generate_k_random(&k);
+
+		// generate K deterministically
+		generate_k_rfc6979(&k, priv_key, hash);
+
 		// compute k*G
 		scalar_multiply(&k, &R);
 		// r = (rx mod n)
@ -566,7 +635,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
 // uses secp256k1 curve
 // priv_key is a 32 byte big endian stored number
 // pub_key is at least 70 bytes long array for the public key
-void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
+void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
 {
 	uint32_t i;
 	curve_point R;
@ -586,7 +655,7 @@ void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key

 // does not validate that this is valid der encoding
 // assumes it is der encoding containing 1 number
-void read_der_single(uint8_t *der, bignum256 *elem)
+void read_der_single(const uint8_t *der, bignum256 *elem)
 {
 	int i, j;
 	uint8_t val[32];
@ -605,38 +674,19 @@ void read_der_single(uint8_t *der, bignum256 *elem)

 // does not validate that this is valid der encoding
 // assumes it is der encoding containing 2 numbers (either public key or ecdsa signature)
-void read_der_pair(uint8_t *der, bignum256 *elem1, bignum256 *elem2)
+void read_der_pair(const uint8_t *der, bignum256 *elem1, bignum256 *elem2)
 {
 	read_der_single(der + 2, elem1);
 	read_der_single(der + 4 + der[3], elem2);
 }

-int is_zero(const bignum256 *a)
-{
-	int i;
-	for (i = 0; i < 9; i++) {
-		if (a->val[i] != 0) return 0;
-	}
-	return 1;
-}
-
-int is_less(const bignum256 *a, const bignum256 *b)
-{
-	int i;
-	for (i = 8; i >= 0; i--) {
-		if (a->val[i] < b->val[i]) return 1;
-		if (a->val[i] > b->val[i]) return 0;
-	}
-	return 0;
-}
-
 // uses secp256k1 curve
 // pub_key and signature are DER encoded
 // msg is a data that was signed
 // msg_len is the message length
 // returns 0 if verification succeeded
 // it is assumed that public key is valid otherwise calling this does not make much sense
-int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len)
+int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len)
 {
 	int i, j;
 	uint8_t hash[32];
--- a/ecdsa.h
+++ b/ecdsa.h
@ -26,9 +26,11 @@

 #include <stdint.h>

+#include "secp256k1.h"
+
 // uses secp256k1 curve
-void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
-void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
-int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len);
+void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
+void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
+int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len);

 #endif
--- a/test-rfc6979.c
+++ b/test-rfc6979.c
@ -0,0 +1,51 @@
+/**
+ * Copyright (c) 2013 Pavol Rusnak
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
+ * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+#include <stdio.h>
+#include "ecdsa.h"
+#include "sha2.h"
+
+bignum256 k;
+uint8_t kb[32];
+uint8_t priv[32] = {0xcc, 0xa9, 0xfb, 0xcc, 0x1b, 0x41, 0xe5, 0xa9, 0x5d, 0x36, 0x9e, 0xaa, 0x6d, 0xdc, 0xff, 0x73, 0xb6, 0x1a, 0x4e, 0xfa, 0xa2, 0x79, 0xcf, 0xc6, 0x56, 0x7e, 0x8d, 0xaa, 0x39, 0xcb, 0xaf, 0x50};
+uint8_t hash[32];
+
+void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number);
+void generate_k_rfc6979(bignum256 *k, const uint8_t *priv_key, const uint8_t *hash);
+
+int main()
+{
+	int i;
+
+	SHA256_Raw((uint8_t *)"sample", 6, hash);
+	printf("hash     : ");
+	for (i = 0; i < 32; i++) printf("%02x", hash[i]); printf("\n");
+	generate_k_rfc6979(&k, priv, hash);
+	write_32byte_big_endian(&k, kb);
+
+	printf("expected : 2df40ca70e639d89528a6b670d9d48d9165fdc0febc0974056bdce192b8e16a3\n");
+	printf("got      : ");
+	for (i = 0; i < 32; i++) printf("%02x", kb[i]);
+	printf("\n");
+
+	return 0;
+}