mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-12 18:49:07 +00:00

use canonical signatures (if S > Order/2: S = Order - S)

Pavol Rusnak 2013-10-08 14:01:20 +02:00
parent 7e41c2a568
commit 9205c0d952
6 changed files with 29 additions and 4 deletions


@ -510,7 +510,7 @@ void bn_divmod58(bignum256 *a, uint32_t *r)
*r = rem;
}
#if 0
#if BN_PRINT
void bn_print(const bignum256 *a)
{
printf("%04x", a->val[8] & 0x0000FFFF);
@ -523,4 +523,12 @@ void bn_print(const bignum256 *a)
printf("%08x", (a->val[1] << 2) | ((a->val[0] & 0x30000000) >> 28));
printf("%07x", a->val[0] & 0x0FFFFFFF);
}
void bn_print_raw(const bignum256 *a)
{
int i;
for (i = 0; i <= 8; i++) {
printf("0x%08x, ", a->val[i]);
}
}
#endif
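Review bot: Nothing visible in this section gives `BN_PRINT` a default value or says what enabling it exposes: `bn_print` and the new `bn_print_raw` write every limb of a bignum to stdout, and bignums in this library can hold secret material (the signing code keeps its working scalar in one). I would put `/* debug only: dumps raw bignum limbs; never define BN_PRINT in a release build */` above the guard and add `#ifndef BN_PRINT` / `#define BN_PRINT 0` so builds with `-Wundef` stay quiet. The same guard is introduced in the header section that follows. In `bn_print_raw` the bound `i <= 8` repeats the limb count as a literal; `sizeof a->val / sizeof a->val[0]` would keep it tied to the type.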


@ -91,8 +91,9 @@ void bn_substract_noprime(const bignum256 *a, const bignum256 *b, bignum256 *res
void bn_divmod58(bignum256 *a, uint32_t *r);
#if 0
#if BN_PRINT
void bn_print(const bignum256 *a);
void bn_print_raw(const bignum256 *a);
#endif
#endif


@ -256,6 +256,11 @@ int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, ui
return 3;
}
// if S > order/2 => S = -S
if (bn_is_less(&order256k1_half, &k)) {
bn_substract_noprime(&order256k1, &k, &k);
}
// we are done, R.x and k is the result signature
bn_write_be(&R.x, sig);
bn_write_be(&k, sig + 32);
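Review bot: The new branch passes `&k` to `bn_substract_noprime` as both the subtrahend and the result, which is correct only if that function reads each limb of `b` before it writes the same limb of `res`. Its body is not in this hunk, so that aliasing contract should be stated in its documentation. The comment `// if S > order/2 => S = -S` says what happens but not why; I would write `// enforce low-S (S <= order/2) so nobody can turn (R, S) into the equally valid (R, order - S)`. Whether the verify side rejects high-S signatures cannot be seen from here, and `ecdsa_sign` itself starts and ends outside the hunk.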


@ -24,8 +24,7 @@
#include "secp256k1.h"
const bignum256 prime256k1 = {
.val = {0x3ffffc2f, 0x3ffffffb, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}
};
.val = {0x3ffffc2f, 0x3ffffffb, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}};
const curve_point G256k1 = {
.x = { .val = {0x16f81798, 0x27ca056c, 0x1ce28d95, 0x26ff36cb, 0x70b0702, 0x18a573a, 0xbbac55a, 0x199fbe77, 0x79be}},
@ -34,6 +33,9 @@ const curve_point G256k1 = {
const bignum256 order256k1 = {
.val = {0x10364141, 0x3f497a33, 0x348a03bb, 0x2bb739ab, 0x3ffffeba, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}};
const bignum256 order256k1_half = {
.val = {0x281b20a0, 0x3fa4bd19, 0x3a4501dd, 0x15db9cd5, 0x3fffff5d, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x00007fff}};
const bignum256 three_over_two256k1 = {
.val = {0x3ffffe19, 0x3ffffffd, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x7fff}};
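Review bot: `order256k1_half` is a hand-written derived constant with nothing that ties it to `order256k1`. The limbs do match `order256k1` shifted right by one bit (the order is odd, so this is the rounded-down half). A short unit test that doubles it, adds one and compares the result with `order256k1` would catch a later typo in a value that decides which signatures count as canonical. The top limb is written `0x00007fff` while the neighbouring constants use `0xffff` and `0x7fff`; one form should be used throughout.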


@ -42,6 +42,9 @@ extern const curve_point G256k1;
// secp256k1 order of G
extern const bignum256 order256k1;
// secp256k1 order of G / 2
extern const bignum256 order256k1_half;
// 3/2 in G_p
extern const bignum256 three_over_two256k1;
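Review bot: The comment `// secp256k1 order of G / 2` leaves out that the order is odd, so the stored value is the rounded-down half, and it does not say what the constant is for. I would write `// floor(order of G / 2): upper bound for S in a canonical (low-S) signature`.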


@ -208,6 +208,12 @@ START_TEST(test_rfc6979)
ck_assert_int_eq(res, 0);
bn_write_be(&k, buf);
ck_assert_mem_eq(buf, fromhex("38aa22d72376b4dbc472e06c3ba403ee0a394da63fc58d88686c611aba98d6b3"), 32);
SHA256_Raw((uint8_t *)"There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", 207, buf);
res = generate_k_rfc6979(&k, fromhex("e91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2"), buf);
ck_assert_int_eq(res, 0);
bn_write_be(&k, buf);
ck_assert_mem_eq(buf, fromhex("1f4b84c23a86a221d233f2521be018d9318639d5b8bbd6374a8a59232d16ad3d"), 32);
}
END_TEST
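Review bot: The message length `207` is typed by hand next to a long string literal, so an edit to the text would hash the wrong number of bytes, or read past the literal, with no compile-time signal. Holding the text in `static const char msg[] = "...";` and passing `sizeof(msg) - 1` keeps the two in step. The added vector exercises only `generate_k_rfc6979`; the behaviour this commit introduces, folding S into the lower half of the order, has no assertion in this section.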