use canonical signatures (if S > Order/2: S = Order - S)

11 years ago · 9205c0d952
parent 7e41c2a568
commit 9205c0d952
6 changed files with 29 additions and 4 deletions
--- a/bignum.c
+++ b/bignum.c
@ -510,7 +510,7 @@ void bn_divmod58(bignum256 *a, uint32_t *r)
 	*r = rem;
 }

-#if 0
+#if BN_PRINT
 void bn_print(const bignum256 *a)
 {
 	printf("%04x", a->val[8] & 0x0000FFFF);
@ -523,4 +523,12 @@ void bn_print(const bignum256 *a)
 	printf("%08x", (a->val[1] << 2) | ((a->val[0] & 0x30000000) >> 28));
 	printf("%07x", a->val[0] & 0x0FFFFFFF);
 }
+
+void bn_print_raw(const bignum256 *a)
+{
+	int i;
+	for (i = 0; i <= 8; i++) {
+		printf("0x%08x, ", a->val[i]);
+	}
+}
 #endif
--- a/bignum.h
+++ b/bignum.h
@ -91,8 +91,9 @@ void bn_substract_noprime(const bignum256 *a, const bignum256 *b, bignum256 *res

 void bn_divmod58(bignum256 *a, uint32_t *r);

-#if 0
+#if BN_PRINT
 void bn_print(const bignum256 *a);
+void bn_print_raw(const bignum256 *a);
 #endif

 #endif
--- a/ecdsa.c
+++ b/ecdsa.c
@ -256,6 +256,11 @@ int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, ui
 		return 3;
 	}

+	// if S > order/2 => S = -S
+	if (bn_is_less(&order256k1_half, &k)) {
+		bn_substract_noprime(&order256k1, &k, &k);
+	}
+
 	// we are done, R.x and k is the result signature
 	bn_write_be(&R.x, sig);
 	bn_write_be(&k, sig + 32);
--- a/secp256k1.c
+++ b/secp256k1.c
@ -24,8 +24,7 @@
 #include "secp256k1.h"

 const bignum256 prime256k1 = {
-.val = {0x3ffffc2f, 0x3ffffffb, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}
-};
+.val = {0x3ffffc2f, 0x3ffffffb, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}};

 const curve_point G256k1 = {
 .x = { .val = {0x16f81798, 0x27ca056c, 0x1ce28d95, 0x26ff36cb, 0x70b0702, 0x18a573a, 0xbbac55a, 0x199fbe77, 0x79be}},
@ -34,6 +33,9 @@ const curve_point G256k1 = {
 const bignum256 order256k1 = {
 .val = {0x10364141, 0x3f497a33, 0x348a03bb, 0x2bb739ab, 0x3ffffeba, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}};

+const bignum256 order256k1_half = {
+.val = {0x281b20a0, 0x3fa4bd19, 0x3a4501dd, 0x15db9cd5, 0x3fffff5d, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x00007fff}};
+
 const bignum256 three_over_two256k1 = {
 .val = {0x3ffffe19, 0x3ffffffd, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x7fff}};

--- a/secp256k1.h
+++ b/secp256k1.h
@ -42,6 +42,9 @@ extern const curve_point G256k1;
 // secp256k1 order of G
 extern const bignum256 order256k1;

+// secp256k1 order of G / 2
+extern const bignum256 order256k1_half;
+
 // 3/2 in G_p
 extern const bignum256 three_over_two256k1;

--- a/tests.c
+++ b/tests.c
@ -208,6 +208,12 @@ START_TEST(test_rfc6979)
 	ck_assert_int_eq(res, 0);
 	bn_write_be(&k, buf);
 	ck_assert_mem_eq(buf, fromhex("38aa22d72376b4dbc472e06c3ba403ee0a394da63fc58d88686c611aba98d6b3"), 32);
+
+	SHA256_Raw((uint8_t *)"There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", 207, buf);
+	res = generate_k_rfc6979(&k, fromhex("e91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2"), buf);
+	ck_assert_int_eq(res, 0);
+	bn_write_be(&k, buf);
+	ck_assert_mem_eq(buf, fromhex("1f4b84c23a86a221d233f2521be018d9318639d5b8bbd6374a8a59232d16ad3d"), 32);
 }
 END_TEST