Jochen Hoenicke
2c38929d03
Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,
1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
However, point_add is always a straight addition, never double or some
other special case.
In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation. The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102
"More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
eb6e74f361
Improve speed of scalar_multiply.
We also allow for subtracting values to be able to do 3 bits at a time.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd
Added modulus to bn_subtractmod
2015-03-17 19:17:56 +01:00
Pavol Rusnak
e37ba822e6
bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Jochen Hoenicke
e2dd0b8e8d
Always check for validity in ecdsa_read_pubkey.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in an ECDH
context (e.g. cryptoMessageEn/Decrypt).
Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.
To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
2015-03-08 21:09:21 +01:00
Jochen Hoenicke
ed9d8c1ebb
Fix RFC6979 generation of k.
The standard says:
step h:
  Set T to the empty sequence.
  while tlen < qlen
    V = HMAC_K(V)
    T = T || V
  k = bits2int(T)
in this case (HMAC-SHA256, qlen=256bit) this simplifies to
  V = HMAC_K(V)
  T = V
  k = bits2int(T)
and T can be omitted.
The old code (wrong) did:
  T = HMAC_K(V)
  k = bits2int(T)
Note that V will only be used again if the first k is out of range.
Thus, the old code produced the right result with a very high probability.
2015-01-30 22:34:37 +01:00
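The RFC 6979 step-h loop that the commit above corrects, as an added example that is not code from the repository: a Python HMAC-SHA256 implementation of section 3.2 with an `old_bug` switch that reproduces the pre-fix loop (T = HMAC_K(V) without advancing V). The P-256 order constant is from RFC 6979 appendix A.2.5, not from the page, and `first_retry_divergence` is a constructed search over a toy modulus whose out-of-range rate is about one half, so the retry path (the only place the two variants differ) is actually exercised.

```python
import hashlib
import hmac

Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # P-256 order (RFC 6979 A.2.5)

def bits2int(b: bytes, qlen: int) -> int:
    # RFC 6979 2.3.2: keep the leftmost qlen bits of the bit string b.
    v, blen = int.from_bytes(b, "big"), len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v

def int2octets(x: int, qlen: int) -> bytes:
    # RFC 6979 2.3.3: big-endian, padded to rlen = 8*ceil(qlen/8) bits.
    return x.to_bytes((qlen + 7) // 8, "big")

def rfc6979_k(x: int, h1: bytes, q: int, old_bug: bool = False):
    # RFC 6979 3.2 with HMAC-SHA256; returns (k, attempts).
    # old_bug=True reproduces the pre-fix loop: T = HMAC_K(V) without advancing V.
    qlen = q.bit_length()
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    V, K = b"\x01" * 32, b"\x00" * 32                    # steps b, c
    seed = int2octets(x, qlen) + int2octets(bits2int(h1, qlen) % q, qlen)  # x || bits2octets(h1)
    K = mac(K, V + b"\x00" + seed)                        # step d
    V = mac(K, V)                                         # step e
    K = mac(K, V + b"\x01" + seed)                        # step f
    V = mac(K, V)                                         # step g
    attempts = 0
    while True:                                           # step h
        attempts += 1
        T = b""
        while len(T) * 8 < qlen:
            if old_bug:
                T += mac(K, V)   # wrong: V is left stale for a retry
            else:
                V = mac(K, V)
                T += V
        k = bits2int(T, qlen)
        if 1 <= k <= q - 1:
            return k, attempts
        K = mac(K, V + b"\x00")  # retry path: only here does a stale V matter
        V = mac(K, V)

def first_retry_divergence(q: int):
    # Constructed search for a key/message pair where step h must retry; returns (x, k_correct, k_old).
    for x in range(1, 256):
        h1 = hashlib.sha256(b"constructed message %d" % x).digest()
        k_ok, attempts = rfc6979_k(x, h1, q)
        if attempts > 1:
            return x, k_ok, rfc6979_k(x, h1, q, old_bug=True)[0]
    return None
```

With a 256-bit order both variants agree whenever the first candidate is in range, which is why the old code was right with overwhelming probability; the toy modulus makes the divergence observable.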
Pavol Rusnak
795579cbac
invert pby when normalizing S during signing
2014-12-23 18:13:33 +01:00
Pavol Rusnak
89a7d7797b
replace base58 implementation
2014-12-23 03:11:58 +01:00
Pavol Rusnak
b4cdba8489
export pby from ecdsa_sign functions
2014-12-08 21:08:49 +01:00
Pavol Rusnak
9469a64a0a
use bn_is_zero and bn_is_equal where possible
2014-11-17 17:17:14 +01:00
Pavol Rusnak
df3606dd5e
introduce ecdsa_get_address_raw
2014-11-16 21:17:39 +01:00
Pavol Rusnak
0fe1857513
normalize y^2 in pubkey validation
fix last commit
2014-07-07 21:11:25 +02:00
Pavol Rusnak
b9d5896174
make pubkey validation optional, extract options to separate header
2014-07-07 20:14:36 +02:00
Ondrej Mikle
b34516bc49
Removed unnecessary point copy.
2014-07-07 16:35:53 +02:00
Ondrej Mikle
03fee34550
Validating of public key curve point.
2014-07-07 15:11:40 +02:00
Ondrej Mikle
7fd81a1e0c
Removed superfluous bn_mod, it's done now in point_add and point_double.
2014-07-06 14:50:12 +02:00
Ondrej Mikle
323da2d434
Keep results after point_add() and point_double() inside the finite field. Simplified point_is_negative_of().
2014-07-05 22:07:03 +02:00
Ondrej Mikle
d827b2c862
Account for case when point.y == 0 when doubling.
2014-07-04 17:40:35 +02:00
Ondrej Mikle
6d61cefdb3
Removed test for point equality in ecdsa_verify_digest, point_add() already handles that.
2014-07-04 15:50:29 +02:00
Ondrej Mikle
da6a09880d
Handling of special cases in EC arithmetic.
2014-07-04 15:30:15 +02:00
Pavol Rusnak
82ed3f31db
fix comparison of points
2014-07-04 15:07:02 +02:00
Pavol Rusnak
eec5f7df15
fix bug in unoptimized branch of code
2014-07-03 10:16:19 +02:00
Pavol Rusnak
019d779a94
Revert "Revert "add more precomputation to ecdsa signing""
This reverts commit 3747ba4323.
2014-07-03 10:09:45 +02:00
Pavol Rusnak
3747ba4323
Revert "add more precomputation to ecdsa signing"
This reverts commit 06dd166a82.
2014-07-03 01:18:00 +02:00
Ondrej Mikle
0ad302ea4e
Hashing of secp256k1 pubkey recognizes point at infinity.
2014-07-01 16:16:06 +02:00
Pavol Rusnak
5e9cd15527
use new base58 code for address functions, add function for obtaining wif
2014-05-22 22:29:53 +02:00
Pavol Rusnak
612f5ab050
fix copyright headers
2014-05-22 20:54:58 +02:00
Pavol Rusnak
06dd166a82
add more precomputation to ecdsa signing
2014-05-15 17:11:26 +02:00
Pavol Rusnak
94d4a3733e
fix typos
2014-04-11 15:33:29 +02:00
Pavol Rusnak
b5ceb14f8d
extract ecdsa_get_pubkeyhash
2014-02-21 23:33:14 +01:00
Pavol Rusnak
d0e152a088
replace SHA256/SHA512 prefix with sha256/sha512 (OpenSSL clash)
2014-02-19 21:26:42 +01:00
Pavol Rusnak
50fb43127f
use -Wextra
2014-02-08 19:12:07 +01:00
Pavol Rusnak
d433bcfa10
fix ecdsa_sig_to_der
2014-02-08 15:55:03 +01:00
Pavol Rusnak
6a856479a8
introduce point_multiply
2014-02-05 23:38:37 +01:00
Pavol Rusnak
fc144587e6
introduce ecdsa_verify_digest
2014-02-04 19:12:43 +01:00
Pavol Rusnak
8aaebe761b
introduce uncompress_coords
2014-02-04 18:55:17 +01:00
Pavol Rusnak
81f462a5c5
add ecdsa_sig_to_der
2014-02-02 22:01:43 +01:00
Pavol Rusnak
73489fbd33
split signing into ecdsa_sign_digest and ecdsa_sign/ecdsa_sign_double
2014-02-02 20:36:03 +01:00
Pavol Rusnak
a40a077613
rework ecdsa_address_to_hash160 into ecdsa_address_decode
2014-01-31 15:26:51 +01:00
Pavol Rusnak
2e4ec7fe0a
introduce ecdsa_address_to_hash160
2014-01-30 20:34:05 +01:00
Pavol Rusnak
7dc057c903
add testcases for address generation
fix bug for version != 0
process uncompressed pubkeys as well
2014-01-27 19:57:44 +01:00
Pavol Rusnak
ed7e2e5058
implement public child key derivation
2014-01-14 14:35:13 +01:00
Pavol Rusnak
8423c7abfd
add check that pub.y != res.y
2014-01-04 17:39:37 +01:00
Pavol Rusnak
9da3b35962
extract xprv_fill_public method
2013-11-08 16:02:48 +01:00
Pavol Rusnak
a439d8674d
small cosmetic changes
2013-10-24 19:44:54 +02:00
Pavol Rusnak
9205c0d952
use canonical signatures (if S > Order/2: S = Order - S)
2013-10-08 14:06:48 +02:00
Pavol Rusnak
f87e706407
add define for RFC6979
2013-10-03 18:19:30 +02:00
Pavol Rusnak
678e5b1af2
use #if instead of #ifdef for conditional macros
2013-10-03 17:32:27 +02:00
Pavol Rusnak
1691d5cc8c
small cleanup
2013-10-01 18:08:33 +02:00
Pavol Rusnak
71ff1c5124
replace infinite loops with loops with counters
2013-09-27 15:55:55 +02:00
Pavol Rusnak
f4f246f3d7
optimize computations
2013-09-27 15:42:52 +02:00
Pavol Rusnak
7ed18947ba
simplify divmod58
2013-09-25 12:39:23 +02:00
Pavol Rusnak
74a5b04b81
verify now supports compressed keys
2013-09-24 18:48:46 +02:00
Pavol Rusnak
896905c5c8
remove der encoding, introduce 33/65 bytes pubkeys, 64 bytes signature
2013-09-23 21:13:44 +02:00
Pavol Rusnak
58a65d9cd7
move speed tests to unit testing suite
2013-09-22 15:05:59 +02:00
Pavol Rusnak
92f070498f
add function for computing addresses
2013-09-20 17:13:24 +02:00
Pavol Rusnak
afc9bcfe30
implement bip32 - https://en.bitcoin.it/wiki/BIP_0032
2013-09-12 21:20:03 +02:00
Pavol Rusnak
07d1c22730
refactor code -> bignum.c/h
2013-09-12 03:18:35 +02:00
Pavol Rusnak
603acbd1be
implement RFC 6979
2013-09-11 19:02:22 +02:00
Pavol Rusnak
40fa3f52e4
use sha2 implementation by Aaron D. Gifford
2013-09-10 21:10:07 +02:00
Pavol Rusnak
d958d8a90e
cleanup
2013-09-10 01:41:10 +02:00
Pavol Rusnak
df79a330e6
pave the way for RFC6979
2013-09-10 01:03:24 +02:00
Pavol Rusnak
3f737896a4
ecdsa_get_public_key and ecdsa_verify methods
2013-09-09 17:52:25 +02:00
mog
c87691205b
added support for getting public key from a private key.
2013-09-05 03:57:26 -05:00
Pavol Rusnak
ee09a6a7b2
param names cleanup
2013-08-19 12:40:58 +02:00
Pavol Rusnak
1bd0592c26
fix for formatting
2013-08-17 14:32:25 +02:00
Pavol Rusnak
ccbc219b29
import sources
2013-08-17 14:20:15 +02:00