1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-22 07:28:10 +00:00

implement RFC 6979

This commit is contained in:
Pavol Rusnak 2013-09-11 19:02:22 +02:00
parent 047b30cf2f
commit 603acbd1be
7 changed files with 148 additions and 39 deletions

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
*.o *.o
test-rfc6979
test-speed test-speed
test-verify test-verify

View File

@ -2,11 +2,14 @@ CC = gcc
CFLAGS = -Wall -Os CFLAGS = -Wall -Os
OBJS = aux.o ecdsa.o secp256k1.o sha2.o rand.o hmac.o OBJS = aux.o ecdsa.o secp256k1.o sha2.o rand.o hmac.o
all: test-speed test-verify all: test-rfc6979 test-speed test-verify
%.o: %.c %.o: %.c
$(CC) $(CFLAGS) -o $@ -c $< $(CC) $(CFLAGS) -o $@ -c $<
test-rfc6979: test-rfc6979.o $(OBJS)
gcc test-rfc6979.o $(OBJS) -o test-rfc6979
test-speed: test-speed.o $(OBJS) test-speed: test-speed.o $(OBJS)
gcc test-speed.o $(OBJS) -o test-speed gcc test-speed.o $(OBJS) -o test-speed

2
README
View File

@ -11,6 +11,8 @@ Notes
a) the signer only understands secp256k1 elliptic curve a) the signer only understands secp256k1 elliptic curve
b) there are executables: b) there are executables:
* test-rfc6979
- check RFC 6979 algorithm for generating deterministic K
* test-speed * test-speed
- check signing speed (sign 100x and compute speed from duration) - check signing speed (sign 100x and compute speed from duration)
* test-verify * test-verify

6
aux.h
View File

@ -27,12 +27,12 @@
#include <stdint.h> #include <stdint.h>
// rotate uint32 right // rotate uint32 right
inline uint32_t ror(const uint32_t x, const int n); uint32_t ror(const uint32_t x, const int n);
// read 4 big endian bytes into uint32 // read 4 big endian bytes into uint32
inline uint32_t read_be(const uint8_t *data); uint32_t read_be(const uint8_t *data);
// write 4 big endian bytes // write 4 big endian bytes
inline void write_be(uint8_t *data, uint32_t x); void write_be(uint8_t *data, uint32_t x);
#endif #endif

114
ecdsa.c
View File

@ -27,8 +27,8 @@
#include "rand.h" #include "rand.h"
#include "sha2.h" #include "sha2.h"
#include "hmac.h"
#include "ecdsa.h" #include "ecdsa.h"
#include "secp256k1.h"
#include "aux.h" #include "aux.h"
#define INVERSE_FAST 1 #define INVERSE_FAST 1
@ -471,11 +471,10 @@ void write_der(const bignum256 *x, uint8_t *buf)
buf[1] = len; buf[1] = len;
} }
void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number) void read_32byte_big_endian(const uint8_t *in_number, bignum256 *out_number)
{ {
uint32_t i; int i;
uint64_t temp; uint64_t temp = 0;
temp = 0;
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
temp += (((uint64_t)read_be(in_number + (7 - i) * 4)) << (2 * i)); temp += (((uint64_t)read_be(in_number + (7 - i) * 4)) << (2 * i));
out_number->val[i]= temp & 0x3FFFFFFF; out_number->val[i]= temp & 0x3FFFFFFF;
@ -484,6 +483,37 @@ void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
out_number->val[8] = temp; out_number->val[8] = temp;
} }
void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number)
{
int i, shift = 30 + 16 - 32;
uint64_t temp = in_number->val[8];
for (i = 0; i < 8; i++) {
temp <<= 30;
temp |= in_number->val[7 - i];
write_be(out_number + i * 4, temp >> shift);
shift -= 2;
}
}
int is_zero(const bignum256 *a)
{
int i;
for (i = 0; i < 9; i++) {
if (a->val[i] != 0) return 0;
}
return 1;
}
int is_less(const bignum256 *a, const bignum256 *b)
{
int i;
for (i = 8; i >= 0; i--) {
if (a->val[i] < b->val[i]) return 1;
if (a->val[i] > b->val[i]) return 0;
}
return 0;
}
// generate random K for signing // generate random K for signing
void generate_k_random(bignum256 *k) { void generate_k_random(bignum256 *k) {
int i; int i;
@ -501,8 +531,42 @@ void generate_k_random(bignum256 *k) {
// generate K in a deterministic way, according to RFC6979 // generate K in a deterministic way, according to RFC6979
// http://tools.ietf.org/html/rfc6979 // http://tools.ietf.org/html/rfc6979
void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) { void generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t *hash)
// TODO {
uint8_t v[32], k[32], bx[2*32], buf[32 + 1 + sizeof(bx)], t[32];
bignum256 z1;
memcpy(bx, priv_key, 32);
read_32byte_big_endian(hash, &z1);
mod(&z1, &order256k1);
write_32byte_big_endian(&z1, bx + 32);
memset(v, 1, sizeof(v));
memset(k, 0, sizeof(k));
memcpy(buf, v, sizeof(v));
buf[sizeof(v)] = 0x00;
memcpy(buf + sizeof(v) + 1, bx, 64);
hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
hmac_sha256(k, sizeof(k), v, sizeof(v), v);
memcpy(buf, v, sizeof(v));
buf[sizeof(v)] = 0x01;
memcpy(buf + sizeof(v) + 1, bx, 64);
hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
hmac_sha256(k, sizeof(k), v, sizeof(k), v);
for (;;) {
hmac_sha256(k, sizeof(k), v, sizeof(v), t);
read_32byte_big_endian(t, secret);
if ( !is_zero(secret) && is_less(secret, &order256k1) ) {
return;
}
memcpy(buf, v, sizeof(v));
buf[sizeof(v)] = 0x00;
hmac_sha256(k, sizeof(k), buf, sizeof(v) + 1, k);
hmac_sha256(k, sizeof(k), v, sizeof(v), v);
}
} }
// uses secp256k1 curve // uses secp256k1 curve
@ -511,7 +575,7 @@ void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
// msg_len is the message length // msg_len is the message length
// sig is at least 70 bytes long array for the signature // sig is at least 70 bytes long array for the signature
// sig_len is the pointer to a uint that will contain resulting signature length. note that ((*sig_len) == sig[1]+2) // sig_len is the pointer to a uint that will contain resulting signature length. note that ((*sig_len) == sig[1]+2)
void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len) void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
{ {
int i; int i;
uint8_t hash[32]; uint8_t hash[32];
@ -525,8 +589,13 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
read_32byte_big_endian(hash, &z); read_32byte_big_endian(hash, &z);
for (;;) { for (;;) {
// generate random number k // generate random number k
generate_k_random(&k); //generate_k_random(&k);
// generate K deterministically
generate_k_rfc6979(&k, priv_key, hash);
// compute k*G // compute k*G
scalar_multiply(&k, &R); scalar_multiply(&k, &R);
// r = (rx mod n) // r = (rx mod n)
@ -566,7 +635,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
// uses secp256k1 curve // uses secp256k1 curve
// priv_key is a 32 byte big endian stored number // priv_key is a 32 byte big endian stored number
// pub_key is at least 70 bytes long array for the public key // pub_key is at least 70 bytes long array for the public key
void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len) void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len)
{ {
uint32_t i; uint32_t i;
curve_point R; curve_point R;
@ -586,7 +655,7 @@ void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key
// does not validate that this is valid der encoding // does not validate that this is valid der encoding
// assumes it is der encoding containing 1 number // assumes it is der encoding containing 1 number
void read_der_single(uint8_t *der, bignum256 *elem) void read_der_single(const uint8_t *der, bignum256 *elem)
{ {
int i, j; int i, j;
uint8_t val[32]; uint8_t val[32];
@ -605,38 +674,19 @@ void read_der_single(uint8_t *der, bignum256 *elem)
// does not validate that this is valid der encoding // does not validate that this is valid der encoding
// assumes it is der encoding containing 2 numbers (either public key or ecdsa signature) // assumes it is der encoding containing 2 numbers (either public key or ecdsa signature)
void read_der_pair(uint8_t *der, bignum256 *elem1, bignum256 *elem2) void read_der_pair(const uint8_t *der, bignum256 *elem1, bignum256 *elem2)
{ {
read_der_single(der + 2, elem1); read_der_single(der + 2, elem1);
read_der_single(der + 4 + der[3], elem2); read_der_single(der + 4 + der[3], elem2);
} }
int is_zero(const bignum256 *a)
{
int i;
for (i = 0; i < 9; i++) {
if (a->val[i] != 0) return 0;
}
return 1;
}
int is_less(const bignum256 *a, const bignum256 *b)
{
int i;
for (i = 8; i >= 0; i--) {
if (a->val[i] < b->val[i]) return 1;
if (a->val[i] > b->val[i]) return 0;
}
return 0;
}
// uses secp256k1 curve // uses secp256k1 curve
// pub_key and signature are DER encoded // pub_key and signature are DER encoded
// msg is a data that was signed // msg is a data that was signed
// msg_len is the message length // msg_len is the message length
// returns 0 if verification succeeded // returns 0 if verification succeeded
// it is assumed that public key is valid otherwise calling this does not make much sense // it is assumed that public key is valid otherwise calling this does not make much sense
int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len) int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len)
{ {
int i, j; int i, j;
uint8_t hash[32]; uint8_t hash[32];

View File

@ -26,9 +26,11 @@
#include <stdint.h> #include <stdint.h>
#include "secp256k1.h"
// uses secp256k1 curve // uses secp256k1 curve
void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len); void ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len);
void ecdsa_get_public_key(uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len); void ecdsa_get_public_key(const uint8_t *priv_key, uint8_t *pub_key, uint32_t *pub_key_len);
int ecdsa_verify(uint8_t *pub_key, uint8_t *signature, uint8_t *msg, uint32_t msg_len); int ecdsa_verify(const uint8_t *pub_key, const uint8_t *signature, const uint8_t *msg, uint32_t msg_len);
#endif #endif

51
test-rfc6979.c Normal file
View File

@ -0,0 +1,51 @@
/**
* Copyright (c) 2013 Pavol Rusnak
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
#include <stdio.h>
#include "ecdsa.h"
#include "sha2.h"
bignum256 k;
uint8_t kb[32];
uint8_t priv[32] = {0xcc, 0xa9, 0xfb, 0xcc, 0x1b, 0x41, 0xe5, 0xa9, 0x5d, 0x36, 0x9e, 0xaa, 0x6d, 0xdc, 0xff, 0x73, 0xb6, 0x1a, 0x4e, 0xfa, 0xa2, 0x79, 0xcf, 0xc6, 0x56, 0x7e, 0x8d, 0xaa, 0x39, 0xcb, 0xaf, 0x50};
uint8_t hash[32];
void write_32byte_big_endian(const bignum256 *in_number, uint8_t *out_number);
void generate_k_rfc6979(bignum256 *k, const uint8_t *priv_key, const uint8_t *hash);
int main()
{
int i;
SHA256_Raw((uint8_t *)"sample", 6, hash);
printf("hash : ");
for (i = 0; i < 32; i++) printf("%02x", hash[i]); printf("\n");
generate_k_rfc6979(&k, priv, hash);
write_32byte_big_endian(&k, kb);
printf("expected : 2df40ca70e639d89528a6b670d9d48d9165fdc0febc0974056bdce192b8e16a3\n");
printf("got : ");
for (i = 0; i < 32; i++) printf("%02x", kb[i]);
printf("\n");
return 0;
}