Initial QSfera import
This commit is contained in:
+17
@@ -0,0 +1,17 @@
|
||||
ISC License
|
||||
|
||||
Copyright (c) 2013-2017 The btcsuite developers
|
||||
Copyright (c) 2015-2024 The Decred developers
|
||||
Copyright (c) 2017 The Lightning Network Developers
|
||||
|
||||
Permission to use, copy, modify, and distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
copyright notice and this permission notice appear in all copies.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+72
@@ -0,0 +1,72 @@
|
||||
secp256k1
|
||||
=========
|
||||
|
||||
[](https://github.com/decred/dcrd/actions)
|
||||
[](http://copyfree.org)
|
||||
[](https://pkg.go.dev/github.com/decred/dcrd/dcrec/secp256k1/v4)
|
||||
|
||||
Package secp256k1 implements optimized secp256k1 elliptic curve operations.
|
||||
|
||||
This package provides an optimized pure Go implementation of elliptic curve
|
||||
cryptography operations over the secp256k1 curve as well as data structures and
|
||||
functions for working with public and private secp256k1 keys. See
|
||||
https://www.secg.org/sec2-v2.pdf for details on the standard.
|
||||
|
||||
In addition, sub packages are provided to produce, verify, parse, and serialize
|
||||
ECDSA signatures and EC-Schnorr-DCRv0 (a custom Schnorr-based signature scheme
|
||||
specific to Decred) signatures. See the README.md files in the relevant sub
|
||||
packages for more details about those aspects.
|
||||
|
||||
An overview of the features provided by this package are as follows:
|
||||
|
||||
- Private key generation, serialization, and parsing
|
||||
- Public key generation, serialization and parsing per ANSI X9.62-1998
|
||||
- Parses uncompressed, compressed, and hybrid public keys
|
||||
- Serializes uncompressed and compressed public keys
|
||||
- Specialized types for performing optimized and constant time field operations
|
||||
- `FieldVal` type for working modulo the secp256k1 field prime
|
||||
- `ModNScalar` type for working modulo the secp256k1 group order
|
||||
- Elliptic curve operations in Jacobian projective coordinates
|
||||
- Point addition
|
||||
- Point doubling
|
||||
- Scalar multiplication with an arbitrary point
|
||||
- Scalar multiplication with the base point (group generator)
|
||||
- Point decompression from a given x coordinate
|
||||
- Nonce generation via RFC6979 with support for extra data and version
|
||||
information that can be used to prevent nonce reuse between signing algorithms
|
||||
|
||||
It also provides an implementation of the Go standard library `crypto/elliptic`
|
||||
`Curve` interface via the `S256` function so that it may be used with other
|
||||
packages in the standard library such as `crypto/tls`, `crypto/x509`, and
|
||||
`crypto/ecdsa`. However, in the case of ECDSA, it is highly recommended to use
|
||||
the `ecdsa` sub package of this package instead since it is optimized
|
||||
specifically for secp256k1 and is significantly faster as a result.
|
||||
|
||||
Although this package was primarily written for dcrd, it has intentionally been
|
||||
designed so it can be used as a standalone package for any projects needing to
|
||||
use optimized secp256k1 elliptic curve cryptography.
|
||||
|
||||
Finally, a comprehensive suite of tests is provided to provide a high level of
|
||||
quality assurance.
|
||||
|
||||
## secp256k1 use in Decred
|
||||
|
||||
At the time of this writing, the primary public key cryptography in widespread
|
||||
use on the Decred network used to secure coins is based on elliptic curves
|
||||
defined by the secp256k1 domain parameters.
|
||||
|
||||
## Installation and Updating
|
||||
|
||||
This package is part of the `github.com/decred/dcrd/dcrec/secp256k1/v4` module.
|
||||
Use the standard go tooling for working with modules to incorporate it.
|
||||
|
||||
## Examples
|
||||
|
||||
* [Encryption](https://pkg.go.dev/github.com/decred/dcrd/dcrec/secp256k1/v4#example-package-EncryptDecryptMessage)
|
||||
Demonstrates encrypting and decrypting a message using a shared key derived
|
||||
through ECDHE.
|
||||
|
||||
## License
|
||||
|
||||
Package secp256k1 is licensed under the [copyfree](http://copyfree.org) ISC
|
||||
License.
|
||||
+18
File diff suppressed because one or more lines are too long
+1310
File diff suppressed because it is too large
Load Diff
+14
@@ -0,0 +1,14 @@
|
||||
// Copyright (c) 2024 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//go:build tinygo
|
||||
|
||||
package secp256k1
|
||||
|
||||
// This file contains the variants suitable for
|
||||
// memory or storage constrained environments.
|
||||
|
||||
func scalarBaseMultNonConst(k *ModNScalar, result *JacobianPoint) {
|
||||
scalarBaseMultNonConstSlow(k, result)
|
||||
}
|
||||
+14
@@ -0,0 +1,14 @@
|
||||
// Copyright (c) 2024 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//go:build !tinygo
|
||||
|
||||
package secp256k1
|
||||
|
||||
// This file contains the variants that don't fit in
|
||||
// memory or storage constrained environments.
|
||||
|
||||
func scalarBaseMultNonConst(k *ModNScalar, result *JacobianPoint) {
|
||||
scalarBaseMultNonConstFast(k, result)
|
||||
}
|
||||
+59
@@ -0,0 +1,59 @@
|
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Copyright (c) 2015-2022 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
/*
|
||||
Package secp256k1 implements optimized secp256k1 elliptic curve operations in
|
||||
pure Go.
|
||||
|
||||
This package provides an optimized pure Go implementation of elliptic curve
|
||||
cryptography operations over the secp256k1 curve as well as data structures and
|
||||
functions for working with public and private secp256k1 keys. See
|
||||
https://www.secg.org/sec2-v2.pdf for details on the standard.
|
||||
|
||||
In addition, sub packages are provided to produce, verify, parse, and serialize
|
||||
ECDSA signatures and EC-Schnorr-DCRv0 (a custom Schnorr-based signature scheme
|
||||
specific to Decred) signatures. See the README.md files in the relevant sub
|
||||
packages for more details about those aspects.
|
||||
|
||||
An overview of the features provided by this package are as follows:
|
||||
|
||||
- Private key generation, serialization, and parsing
|
||||
- Public key generation, serialization and parsing per ANSI X9.62-1998
|
||||
- Parses uncompressed, compressed, and hybrid public keys
|
||||
- Serializes uncompressed and compressed public keys
|
||||
- Specialized types for performing optimized and constant time field operations
|
||||
- FieldVal type for working modulo the secp256k1 field prime
|
||||
- ModNScalar type for working modulo the secp256k1 group order
|
||||
- Elliptic curve operations in Jacobian projective coordinates
|
||||
- Point addition
|
||||
- Point doubling
|
||||
- Scalar multiplication with an arbitrary point
|
||||
- Scalar multiplication with the base point (group generator)
|
||||
- Point decompression from a given x coordinate
|
||||
- Nonce generation via RFC6979 with support for extra data and version
|
||||
information that can be used to prevent nonce reuse between signing
|
||||
algorithms
|
||||
|
||||
It also provides an implementation of the Go standard library crypto/elliptic
|
||||
Curve interface via the S256 function so that it may be used with other packages
|
||||
in the standard library such as crypto/tls, crypto/x509, and crypto/ecdsa.
|
||||
However, in the case of ECDSA, it is highly recommended to use the ecdsa sub
|
||||
package of this package instead since it is optimized specifically for secp256k1
|
||||
and is significantly faster as a result.
|
||||
|
||||
Although this package was primarily written for dcrd, it has intentionally been
|
||||
designed so it can be used as a standalone package for any projects needing to
|
||||
use optimized secp256k1 elliptic curve cryptography.
|
||||
|
||||
Finally, a comprehensive suite of tests is provided to provide a high level of
|
||||
quality assurance.
|
||||
|
||||
# Use of secp256k1 in Decred
|
||||
|
||||
At the time of this writing, the primary public key cryptography in widespread
|
||||
use on the Decred network used to secure coins is based on elliptic curves
|
||||
defined by the secp256k1 domain parameters.
|
||||
*/
|
||||
package secp256k1
|
||||
+21
@@ -0,0 +1,21 @@
|
||||
// Copyright (c) 2015 The btcsuite developers
|
||||
// Copyright (c) 2015-2023 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
// GenerateSharedSecret generates a shared secret based on a private key and a
|
||||
// public key using Diffie-Hellman key exchange (ECDH) (RFC 5903).
|
||||
// RFC5903 Section 9 states we should only return x.
|
||||
//
|
||||
// It is recommended to securely hash the result before using as a cryptographic
|
||||
// key.
|
||||
func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte {
|
||||
var point, result JacobianPoint
|
||||
pubkey.AsJacobian(&point)
|
||||
ScalarMultNonConst(&privkey.Key, &point, &result)
|
||||
result.ToAffine()
|
||||
xBytes := result.X.Bytes()
|
||||
return xBytes[:]
|
||||
}
|
||||
+255
@@ -0,0 +1,255 @@
|
||||
// Copyright 2020-2022 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
// References:
|
||||
// [SECG]: Recommended Elliptic Curve Domain Parameters
|
||||
// https://www.secg.org/sec2-v2.pdf
|
||||
//
|
||||
// [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"math/big"
|
||||
)
|
||||
|
||||
// CurveParams contains the parameters for the secp256k1 curve.
|
||||
type CurveParams struct {
|
||||
// P is the prime used in the secp256k1 field.
|
||||
P *big.Int
|
||||
|
||||
// N is the order of the secp256k1 curve group generated by the base point.
|
||||
N *big.Int
|
||||
|
||||
// Gx and Gy are the x and y coordinate of the base point, respectively.
|
||||
Gx, Gy *big.Int
|
||||
|
||||
// BitSize is the size of the underlying secp256k1 field in bits.
|
||||
BitSize int
|
||||
|
||||
// H is the cofactor of the secp256k1 curve.
|
||||
H int
|
||||
|
||||
// ByteSize is simply the bit size / 8 and is provided for convenience
|
||||
// since it is calculated repeatedly.
|
||||
ByteSize int
|
||||
}
|
||||
|
||||
// Curve parameters taken from [SECG] section 2.4.1.
|
||||
var curveParams = CurveParams{
|
||||
P: fromHex("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
|
||||
N: fromHex("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
|
||||
Gx: fromHex("79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
|
||||
Gy: fromHex("483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8"),
|
||||
BitSize: 256,
|
||||
H: 1,
|
||||
ByteSize: 256 / 8,
|
||||
}
|
||||
|
||||
// Params returns the secp256k1 curve parameters for convenience.
|
||||
func Params() *CurveParams {
|
||||
return &curveParams
|
||||
}
|
||||
|
||||
// KoblitzCurve provides an implementation for secp256k1 that fits the ECC Curve
|
||||
// interface from crypto/elliptic.
|
||||
type KoblitzCurve struct {
|
||||
*elliptic.CurveParams
|
||||
}
|
||||
|
||||
// bigAffineToJacobian takes an affine point (x, y) as big integers and converts
|
||||
// it to Jacobian point with Z=1.
|
||||
func bigAffineToJacobian(x, y *big.Int, result *JacobianPoint) {
|
||||
result.X.SetByteSlice(x.Bytes())
|
||||
result.Y.SetByteSlice(y.Bytes())
|
||||
result.Z.SetInt(1)
|
||||
}
|
||||
|
||||
// jacobianToBigAffine takes a Jacobian point (x, y, z) as field values and
|
||||
// converts it to an affine point as big integers.
|
||||
func jacobianToBigAffine(point *JacobianPoint) (*big.Int, *big.Int) {
|
||||
point.ToAffine()
|
||||
|
||||
// Convert the field values for the now affine point to big.Ints.
|
||||
x3, y3 := new(big.Int), new(big.Int)
|
||||
x3.SetBytes(point.X.Bytes()[:])
|
||||
y3.SetBytes(point.Y.Bytes()[:])
|
||||
return x3, y3
|
||||
}
|
||||
|
||||
// Params returns the parameters for the curve.
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation.
|
||||
func (curve *KoblitzCurve) Params() *elliptic.CurveParams {
|
||||
return curve.CurveParams
|
||||
}
|
||||
|
||||
// IsOnCurve returns whether or not the affine point (x,y) is on the curve.
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation. This function
|
||||
// differs from the crypto/elliptic algorithm since a = 0 not -3.
|
||||
func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool {
|
||||
// Convert big ints to a Jacobian point for faster arithmetic.
|
||||
var point JacobianPoint
|
||||
bigAffineToJacobian(x, y, &point)
|
||||
return isOnCurve(&point.X, &point.Y)
|
||||
}
|
||||
|
||||
// Add returns the sum of (x1,y1) and (x2,y2).
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation.
|
||||
func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
|
||||
// The point at infinity is the identity according to the group law for
|
||||
// elliptic curve cryptography. Thus, ∞ + P = P and P + ∞ = P.
|
||||
if x1.Sign() == 0 && y1.Sign() == 0 {
|
||||
return x2, y2
|
||||
}
|
||||
if x2.Sign() == 0 && y2.Sign() == 0 {
|
||||
return x1, y1
|
||||
}
|
||||
|
||||
// Convert the affine coordinates from big integers to Jacobian points,
|
||||
// do the point addition in Jacobian projective space, and convert the
|
||||
// Jacobian point back to affine big.Ints.
|
||||
var p1, p2, result JacobianPoint
|
||||
bigAffineToJacobian(x1, y1, &p1)
|
||||
bigAffineToJacobian(x2, y2, &p2)
|
||||
AddNonConst(&p1, &p2, &result)
|
||||
return jacobianToBigAffine(&result)
|
||||
}
|
||||
|
||||
// Double returns 2*(x1,y1).
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation.
|
||||
func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
|
||||
if y1.Sign() == 0 {
|
||||
return new(big.Int), new(big.Int)
|
||||
}
|
||||
|
||||
// Convert the affine coordinates from big integers to Jacobian points,
|
||||
// do the point doubling in Jacobian projective space, and convert the
|
||||
// Jacobian point back to affine big.Ints.
|
||||
var point, result JacobianPoint
|
||||
bigAffineToJacobian(x1, y1, &point)
|
||||
DoubleNonConst(&point, &result)
|
||||
return jacobianToBigAffine(&result)
|
||||
}
|
||||
|
||||
// moduloReduce reduces k from more than 32 bytes to 32 bytes and under. This
|
||||
// is done by doing a simple modulo curve.N. We can do this since G^N = 1 and
|
||||
// thus any other valid point on the elliptic curve has the same order.
|
||||
func moduloReduce(k []byte) []byte {
|
||||
// Since the order of G is curve.N, we can use a much smaller number by
|
||||
// doing modulo curve.N
|
||||
if len(k) > curveParams.ByteSize {
|
||||
tmpK := new(big.Int).SetBytes(k)
|
||||
tmpK.Mod(tmpK, curveParams.N)
|
||||
return tmpK.Bytes()
|
||||
}
|
||||
|
||||
return k
|
||||
}
|
||||
|
||||
// ScalarMult returns k*(bx, by) where k is a big endian integer.
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation.
|
||||
func (curve *KoblitzCurve) ScalarMult(bx, by *big.Int, k []byte) (*big.Int, *big.Int) {
|
||||
// Convert the affine coordinates from big integers to Jacobian points,
|
||||
// do the multiplication in Jacobian projective space, and convert the
|
||||
// Jacobian point back to affine big.Ints.
|
||||
var kModN ModNScalar
|
||||
kModN.SetByteSlice(moduloReduce(k))
|
||||
var point, result JacobianPoint
|
||||
bigAffineToJacobian(bx, by, &point)
|
||||
ScalarMultNonConst(&kModN, &point, &result)
|
||||
return jacobianToBigAffine(&result)
|
||||
}
|
||||
|
||||
// ScalarBaseMult returns k*G where G is the base point of the group and k is a
|
||||
// big endian integer.
|
||||
//
|
||||
// This is part of the elliptic.Curve interface implementation.
|
||||
func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {
|
||||
// Perform the multiplication and convert the Jacobian point back to affine
|
||||
// big.Ints.
|
||||
var kModN ModNScalar
|
||||
kModN.SetByteSlice(moduloReduce(k))
|
||||
var result JacobianPoint
|
||||
ScalarBaseMultNonConst(&kModN, &result)
|
||||
return jacobianToBigAffine(&result)
|
||||
}
|
||||
|
||||
// X returns the x coordinate of the public key.
|
||||
func (p *PublicKey) X() *big.Int {
|
||||
return new(big.Int).SetBytes(p.x.Bytes()[:])
|
||||
}
|
||||
|
||||
// Y returns the y coordinate of the public key.
|
||||
func (p *PublicKey) Y() *big.Int {
|
||||
return new(big.Int).SetBytes(p.y.Bytes()[:])
|
||||
}
|
||||
|
||||
// ToECDSA returns the public key as a *ecdsa.PublicKey.
|
||||
func (p *PublicKey) ToECDSA() *ecdsa.PublicKey {
|
||||
return &ecdsa.PublicKey{
|
||||
Curve: S256(),
|
||||
X: p.X(),
|
||||
Y: p.Y(),
|
||||
}
|
||||
}
|
||||
|
||||
// ToECDSA returns the private key as a *ecdsa.PrivateKey.
|
||||
func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey {
|
||||
var privKeyBytes [PrivKeyBytesLen]byte
|
||||
p.Key.PutBytes(&privKeyBytes)
|
||||
var result JacobianPoint
|
||||
ScalarBaseMultNonConst(&p.Key, &result)
|
||||
x, y := jacobianToBigAffine(&result)
|
||||
newPrivKey := &ecdsa.PrivateKey{
|
||||
PublicKey: ecdsa.PublicKey{
|
||||
Curve: S256(),
|
||||
X: x,
|
||||
Y: y,
|
||||
},
|
||||
D: new(big.Int).SetBytes(privKeyBytes[:]),
|
||||
}
|
||||
zeroArray32(&privKeyBytes)
|
||||
return newPrivKey
|
||||
}
|
||||
|
||||
// fromHex converts the passed hex string into a big integer pointer and will
|
||||
// panic is there is an error. This is only provided for the hard-coded
|
||||
// constants so errors in the source code can bet detected. It will only (and
|
||||
// must only) be called for initialization purposes.
|
||||
func fromHex(s string) *big.Int {
|
||||
if s == "" {
|
||||
return big.NewInt(0)
|
||||
}
|
||||
r, ok := new(big.Int).SetString(s, 16)
|
||||
if !ok {
|
||||
panic("invalid hex in source file: " + s)
|
||||
}
|
||||
return r
|
||||
}
|
||||
|
||||
// secp256k1 is a global instance of the KoblitzCurve implementation which in
|
||||
// turn embeds and implements elliptic.CurveParams.
|
||||
var secp256k1 = &KoblitzCurve{
|
||||
CurveParams: &elliptic.CurveParams{
|
||||
P: curveParams.P,
|
||||
N: curveParams.N,
|
||||
B: fromHex("0000000000000000000000000000000000000000000000000000000000000007"),
|
||||
Gx: curveParams.Gx,
|
||||
Gy: curveParams.Gy,
|
||||
BitSize: curveParams.BitSize,
|
||||
Name: "secp256k1",
|
||||
},
|
||||
}
|
||||
|
||||
// S256 returns an elliptic.Curve which implements secp256k1.
|
||||
func S256() *KoblitzCurve {
|
||||
return secp256k1
|
||||
}
|
||||
+67
@@ -0,0 +1,67 @@
|
||||
// Copyright (c) 2020 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
// ErrorKind identifies a kind of error. It has full support for errors.Is and
|
||||
// errors.As, so the caller can directly check against an error kind when
|
||||
// determining the reason for an error.
|
||||
type ErrorKind string
|
||||
|
||||
// These constants are used to identify a specific RuleError.
|
||||
const (
|
||||
// ErrPubKeyInvalidLen indicates that the length of a serialized public
|
||||
// key is not one of the allowed lengths.
|
||||
ErrPubKeyInvalidLen = ErrorKind("ErrPubKeyInvalidLen")
|
||||
|
||||
// ErrPubKeyInvalidFormat indicates an attempt was made to parse a public
|
||||
// key that does not specify one of the supported formats.
|
||||
ErrPubKeyInvalidFormat = ErrorKind("ErrPubKeyInvalidFormat")
|
||||
|
||||
// ErrPubKeyXTooBig indicates that the x coordinate for a public key
|
||||
// is greater than or equal to the prime of the field underlying the group.
|
||||
ErrPubKeyXTooBig = ErrorKind("ErrPubKeyXTooBig")
|
||||
|
||||
// ErrPubKeyYTooBig indicates that the y coordinate for a public key is
|
||||
// greater than or equal to the prime of the field underlying the group.
|
||||
ErrPubKeyYTooBig = ErrorKind("ErrPubKeyYTooBig")
|
||||
|
||||
// ErrPubKeyNotOnCurve indicates that a public key is not a point on the
|
||||
// secp256k1 curve.
|
||||
ErrPubKeyNotOnCurve = ErrorKind("ErrPubKeyNotOnCurve")
|
||||
|
||||
// ErrPubKeyMismatchedOddness indicates that a hybrid public key specified
|
||||
// an oddness of the y coordinate that does not match the actual oddness of
|
||||
// the provided y coordinate.
|
||||
ErrPubKeyMismatchedOddness = ErrorKind("ErrPubKeyMismatchedOddness")
|
||||
)
|
||||
|
||||
// Error satisfies the error interface and prints human-readable errors.
|
||||
func (e ErrorKind) Error() string {
|
||||
return string(e)
|
||||
}
|
||||
|
||||
// Error identifies an error related to public key cryptography using a
|
||||
// sec256k1 curve. It has full support for errors.Is and errors.As, so the
|
||||
// caller can ascertain the specific reason for the error by checking
|
||||
// the underlying error.
|
||||
type Error struct {
|
||||
Err error
|
||||
Description string
|
||||
}
|
||||
|
||||
// Error satisfies the error interface and prints human-readable errors.
|
||||
func (e Error) Error() string {
|
||||
return e.Description
|
||||
}
|
||||
|
||||
// Unwrap returns the underlying wrapped error.
|
||||
func (e Error) Unwrap() error {
|
||||
return e.Err
|
||||
}
|
||||
|
||||
// makeError creates an Error given a set of arguments.
|
||||
func makeError(kind ErrorKind, desc string) Error {
|
||||
return Error{Err: kind, Description: desc}
|
||||
}
|
||||
+1696
File diff suppressed because it is too large
Load Diff
+91
@@ -0,0 +1,91 @@
|
||||
// Copyright 2015 The btcsuite developers
|
||||
// Copyright (c) 2015-2022 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
import (
|
||||
"compress/zlib"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
"strings"
|
||||
"sync"
|
||||
)
|
||||
|
||||
//go:generate go run genprecomps.go
|
||||
|
||||
// bytePointTable describes a table used to house pre-computed values for
|
||||
// accelerating scalar base multiplication.
|
||||
type bytePointTable [32][256]JacobianPoint
|
||||
|
||||
// compressedBytePointsFn is set to a real function by the code generation to
|
||||
// return the compressed pre-computed values for accelerating scalar base
|
||||
// multiplication.
|
||||
var compressedBytePointsFn func() string
|
||||
|
||||
// s256BytePoints houses pre-computed values used to accelerate scalar base
|
||||
// multiplication such that they are only loaded on first use.
|
||||
var s256BytePoints = func() func() *bytePointTable {
|
||||
// mustLoadBytePoints decompresses and deserializes the pre-computed byte
|
||||
// points used to accelerate scalar base multiplication for the secp256k1
|
||||
// curve.
|
||||
//
|
||||
// This approach is used since it allows the compile to use significantly
|
||||
// less ram and be performed much faster than it is with hard-coding the
|
||||
// final in-memory data structure. At the same time, it is quite fast to
|
||||
// generate the in-memory data structure on first use with this approach
|
||||
// versus computing the table.
|
||||
//
|
||||
// It will panic on any errors because the data is hard coded and thus any
|
||||
// errors means something is wrong in the source code.
|
||||
var data *bytePointTable
|
||||
mustLoadBytePoints := func() {
|
||||
// There will be no byte points to load when generating them.
|
||||
if compressedBytePointsFn == nil {
|
||||
return
|
||||
}
|
||||
bp := compressedBytePointsFn()
|
||||
|
||||
// Decompress the pre-computed table used to accelerate scalar base
|
||||
// multiplication.
|
||||
decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(bp))
|
||||
r, err := zlib.NewReader(decoder)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
serialized, err := io.ReadAll(r)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
// Deserialize the precomputed byte points and set the memory table to
|
||||
// them.
|
||||
offset := 0
|
||||
var bytePoints bytePointTable
|
||||
for byteNum := 0; byteNum < len(bytePoints); byteNum++ {
|
||||
// All points in this window.
|
||||
for i := 0; i < len(bytePoints[byteNum]); i++ {
|
||||
p := &bytePoints[byteNum][i]
|
||||
p.X.SetByteSlice(serialized[offset:])
|
||||
offset += 32
|
||||
p.Y.SetByteSlice(serialized[offset:])
|
||||
offset += 32
|
||||
p.Z.SetInt(1)
|
||||
}
|
||||
}
|
||||
data = &bytePoints
|
||||
}
|
||||
|
||||
// Return a closure that initializes the data on first access. This is done
|
||||
// because the table takes a non-trivial amount of memory and initializing
|
||||
// it unconditionally would cause anything that imports the package, either
|
||||
// directly, or indirectly via transitive deps, to use that memory even if
|
||||
// the caller never accesses any parts of the package that actually needs
|
||||
// access to it.
|
||||
var loadBytePointsOnce sync.Once
|
||||
return func() *bytePointTable {
|
||||
loadBytePointsOnce.Do(mustLoadBytePoints)
|
||||
return data
|
||||
}
|
||||
}()
|
||||
+1105
File diff suppressed because it is too large
Load Diff
+263
@@ -0,0 +1,263 @@
|
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Copyright (c) 2015-2024 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/sha256"
|
||||
"hash"
|
||||
)
|
||||
|
||||
// References:
|
||||
// [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
|
||||
//
|
||||
// [ISO/IEC 8825-1]: Information technology — ASN.1 encoding rules:
|
||||
// Specification of Basic Encoding Rules (BER), Canonical Encoding Rules
|
||||
// (CER) and Distinguished Encoding Rules (DER)
|
||||
//
|
||||
// [SEC1]: Elliptic Curve Cryptography (May 31, 2009, Version 2.0)
|
||||
// https://www.secg.org/sec1-v2.pdf
|
||||
|
||||
var (
|
||||
// singleZero is used during RFC6979 nonce generation. It is provided
|
||||
// here to avoid the need to create it multiple times.
|
||||
singleZero = []byte{0x00}
|
||||
|
||||
// zeroInitializer is used during RFC6979 nonce generation. It is provided
|
||||
// here to avoid the need to create it multiple times.
|
||||
zeroInitializer = bytes.Repeat([]byte{0x00}, sha256.BlockSize)
|
||||
|
||||
// singleOne is used during RFC6979 nonce generation. It is provided
|
||||
// here to avoid the need to create it multiple times.
|
||||
singleOne = []byte{0x01}
|
||||
|
||||
// oneInitializer is used during RFC6979 nonce generation. It is provided
|
||||
// here to avoid the need to create it multiple times.
|
||||
oneInitializer = bytes.Repeat([]byte{0x01}, sha256.Size)
|
||||
)
|
||||
|
||||
// hmacsha256 implements a resettable version of HMAC-SHA256.
|
||||
type hmacsha256 struct {
|
||||
inner, outer hash.Hash
|
||||
ipad, opad [sha256.BlockSize]byte
|
||||
}
|
||||
|
||||
// Write adds data to the running hash.
|
||||
func (h *hmacsha256) Write(p []byte) {
|
||||
h.inner.Write(p)
|
||||
}
|
||||
|
||||
// initKey initializes the HMAC-SHA256 instance to the provided key.
|
||||
func (h *hmacsha256) initKey(key []byte) {
|
||||
// Hash the key if it is too large.
|
||||
if len(key) > sha256.BlockSize {
|
||||
h.outer.Write(key)
|
||||
key = h.outer.Sum(nil)
|
||||
}
|
||||
copy(h.ipad[:], key)
|
||||
copy(h.opad[:], key)
|
||||
for i := range h.ipad {
|
||||
h.ipad[i] ^= 0x36
|
||||
}
|
||||
for i := range h.opad {
|
||||
h.opad[i] ^= 0x5c
|
||||
}
|
||||
h.inner.Write(h.ipad[:])
|
||||
}
|
||||
|
||||
// ResetKey resets the HMAC-SHA256 to its initial state and then initializes it
|
||||
// with the provided key. It is equivalent to creating a new instance with the
|
||||
// provided key without allocating more memory.
|
||||
func (h *hmacsha256) ResetKey(key []byte) {
|
||||
h.inner.Reset()
|
||||
h.outer.Reset()
|
||||
copy(h.ipad[:], zeroInitializer)
|
||||
copy(h.opad[:], zeroInitializer)
|
||||
h.initKey(key)
|
||||
}
|
||||
|
||||
// Resets the HMAC-SHA256 to its initial state using the current key.
|
||||
func (h *hmacsha256) Reset() {
|
||||
h.inner.Reset()
|
||||
h.inner.Write(h.ipad[:])
|
||||
}
|
||||
|
||||
// Sum returns the hash of the written data.
|
||||
func (h *hmacsha256) Sum() []byte {
|
||||
h.outer.Reset()
|
||||
h.outer.Write(h.opad[:])
|
||||
h.outer.Write(h.inner.Sum(nil))
|
||||
return h.outer.Sum(nil)
|
||||
}
|
||||
|
||||
// newHMACSHA256 returns a new HMAC-SHA256 hasher using the provided key.
|
||||
func newHMACSHA256(key []byte) *hmacsha256 {
|
||||
h := new(hmacsha256)
|
||||
h.inner = sha256.New()
|
||||
h.outer = sha256.New()
|
||||
h.initKey(key)
|
||||
return h
|
||||
}
|
||||
|
||||
// NonceRFC6979 generates a nonce deterministically according to RFC 6979 using
|
||||
// HMAC-SHA256 for the hashing function. It takes a 32-byte hash as an input
|
||||
// and returns a 32-byte nonce to be used for deterministic signing. The extra
|
||||
// and version arguments are optional, but allow additional data to be added to
|
||||
// the input of the HMAC. When provided, the extra data must be 32-bytes and
|
||||
// version must be 16 bytes or they will be ignored.
|
||||
//
|
||||
// Finally, the extraIterations parameter provides a method to produce a stream
|
||||
// of deterministic nonces to ensure the signing code is able to produce a nonce
|
||||
// that results in a valid signature in the extremely unlikely event the
|
||||
// original nonce produced results in an invalid signature (e.g. R == 0).
|
||||
// Signing code should start with 0 and increment it if necessary.
|
||||
func NonceRFC6979(privKey []byte, hash []byte, extra []byte, version []byte, extraIterations uint32) *ModNScalar {
|
||||
// Input to HMAC is the 32-byte private key and the 32-byte hash. In
|
||||
// addition, it may include the optional 32-byte extra data and 16-byte
|
||||
// version. Create a fixed-size array to avoid extra allocs and slice it
|
||||
// properly.
|
||||
const (
|
||||
privKeyLen = 32
|
||||
hashLen = 32
|
||||
extraLen = 32
|
||||
versionLen = 16
|
||||
)
|
||||
var keyBuf [privKeyLen + hashLen + extraLen + versionLen]byte
|
||||
|
||||
// Truncate rightmost bytes of private key and hash if they are too long and
|
||||
// leave left padding of zeros when they're too short.
|
||||
if len(privKey) > privKeyLen {
|
||||
privKey = privKey[:privKeyLen]
|
||||
}
|
||||
if len(hash) > hashLen {
|
||||
hash = hash[:hashLen]
|
||||
}
|
||||
offset := privKeyLen - len(privKey) // Zero left padding if needed.
|
||||
offset += copy(keyBuf[offset:], privKey)
|
||||
offset += hashLen - len(hash) // Zero left padding if needed.
|
||||
offset += copy(keyBuf[offset:], hash)
|
||||
if len(extra) == extraLen {
|
||||
offset += copy(keyBuf[offset:], extra)
|
||||
if len(version) == versionLen {
|
||||
offset += copy(keyBuf[offset:], version)
|
||||
}
|
||||
} else if len(version) == versionLen {
|
||||
// When the version was specified, but not the extra data, leave the
|
||||
// extra data portion all zero.
|
||||
offset += privKeyLen
|
||||
offset += copy(keyBuf[offset:], version)
|
||||
}
|
||||
key := keyBuf[:offset]
|
||||
|
||||
// Step B.
|
||||
//
|
||||
// V = 0x01 0x01 0x01 ... 0x01 such that the length of V, in bits, is
|
||||
// equal to 8*ceil(hashLen/8).
|
||||
//
|
||||
// Note that since the hash length is a multiple of 8 for the chosen hash
|
||||
// function in this optimized implementation, the result is just the hash
|
||||
// length, so avoid the extra calculations. Also, since it isn't modified,
|
||||
// start with a global value.
|
||||
v := oneInitializer
|
||||
|
||||
// Step C (Go zeroes all allocated memory).
|
||||
//
|
||||
// K = 0x00 0x00 0x00 ... 0x00 such that the length of K, in bits, is
|
||||
// equal to 8*ceil(hashLen/8).
|
||||
//
|
||||
// As above, since the hash length is a multiple of 8 for the chosen hash
|
||||
// function in this optimized implementation, the result is just the hash
|
||||
// length, so avoid the extra calculations.
|
||||
k := zeroInitializer[:hashLen]
|
||||
|
||||
// Step D.
|
||||
//
|
||||
// K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))
|
||||
//
|
||||
// Note that key is the "int2octets(x) || bits2octets(h1)" portion along
|
||||
// with potential additional data as described by section 3.6 of the RFC.
|
||||
hasher := newHMACSHA256(k)
|
||||
hasher.Write(oneInitializer)
|
||||
hasher.Write(singleZero)
|
||||
hasher.Write(key)
|
||||
k = hasher.Sum()
|
||||
|
||||
// Step E.
|
||||
//
|
||||
// V = HMAC_K(V)
|
||||
hasher.ResetKey(k)
|
||||
hasher.Write(v)
|
||||
v = hasher.Sum()
|
||||
|
||||
// Step F.
|
||||
//
|
||||
// K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1))
|
||||
//
|
||||
// Note that key is the "int2octets(x) || bits2octets(h1)" portion along
|
||||
// with potential additional data as described by section 3.6 of the RFC.
|
||||
hasher.Reset()
|
||||
hasher.Write(v)
|
||||
hasher.Write(singleOne)
|
||||
hasher.Write(key)
|
||||
k = hasher.Sum()
|
||||
|
||||
// Step G.
|
||||
//
|
||||
// V = HMAC_K(V)
|
||||
hasher.ResetKey(k)
|
||||
hasher.Write(v)
|
||||
v = hasher.Sum()
|
||||
|
||||
// Step H.
|
||||
//
|
||||
// Repeat until the value is nonzero and less than the curve order.
|
||||
var generated uint32
|
||||
for {
|
||||
// Step H1 and H2.
|
||||
//
|
||||
// Set T to the empty sequence. The length of T (in bits) is denoted
|
||||
// tlen; thus, at that point, tlen = 0.
|
||||
//
|
||||
// While tlen < qlen, do the following:
|
||||
// V = HMAC_K(V)
|
||||
// T = T || V
|
||||
//
|
||||
// Note that because the hash function output is the same length as the
|
||||
// private key in this optimized implementation, there is no need to
|
||||
// loop or create an intermediate T.
|
||||
hasher.Reset()
|
||||
hasher.Write(v)
|
||||
v = hasher.Sum()
|
||||
|
||||
// Step H3.
|
||||
//
|
||||
// k = bits2int(T)
|
||||
// If k is within the range [1,q-1], return it.
|
||||
//
|
||||
// Otherwise, compute:
|
||||
// K = HMAC_K(V || 0x00)
|
||||
// V = HMAC_K(V)
|
||||
var secret ModNScalar
|
||||
overflow := secret.SetByteSlice(v)
|
||||
if !overflow && !secret.IsZero() {
|
||||
generated++
|
||||
if generated > extraIterations {
|
||||
return &secret
|
||||
}
|
||||
}
|
||||
|
||||
// K = HMAC_K(V || 0x00)
|
||||
hasher.Reset()
|
||||
hasher.Write(v)
|
||||
hasher.Write(singleZero)
|
||||
k = hasher.Sum()
|
||||
|
||||
// V = HMAC_K(V)
|
||||
hasher.ResetKey(k)
|
||||
hasher.Write(v)
|
||||
v = hasher.Sum()
|
||||
}
|
||||
}
|
||||
+111
@@ -0,0 +1,111 @@
|
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Copyright (c) 2015-2024 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
import (
|
||||
cryptorand "crypto/rand"
|
||||
"io"
|
||||
)
|
||||
|
||||
// PrivateKey provides facilities for working with secp256k1 private keys within
|
||||
// this package and includes functionality such as serializing and parsing them
|
||||
// as well as computing their associated public key.
|
||||
type PrivateKey struct {
|
||||
Key ModNScalar
|
||||
}
|
||||
|
||||
// NewPrivateKey instantiates a new private key from a scalar encoded as a
|
||||
// big integer.
|
||||
func NewPrivateKey(key *ModNScalar) *PrivateKey {
|
||||
return &PrivateKey{Key: *key}
|
||||
}
|
||||
|
||||
// PrivKeyFromBytes returns a private based on the provided byte slice which is
|
||||
// interpreted as an unsigned 256-bit big-endian integer in the range [0, N-1],
|
||||
// where N is the order of the curve.
|
||||
//
|
||||
// WARNING: This means passing a slice with more than 32 bytes is truncated and
|
||||
// that truncated value is reduced modulo N. Further, 0 is not a valid private
|
||||
// key. It is up to the caller to provide a value in the appropriate range of
|
||||
// [1, N-1]. Failure to do so will either result in an invalid private key or
|
||||
// potentially weak private keys that have bias that could be exploited.
|
||||
//
|
||||
// This function primarily exists to provide a mechanism for converting
|
||||
// serialized private keys that are already known to be good.
|
||||
//
|
||||
// Typically callers should make use of GeneratePrivateKey or
|
||||
// GeneratePrivateKeyFromRand when creating private keys since they properly
|
||||
// handle generation of appropriate values.
|
||||
func PrivKeyFromBytes(privKeyBytes []byte) *PrivateKey {
|
||||
var privKey PrivateKey
|
||||
privKey.Key.SetByteSlice(privKeyBytes)
|
||||
return &privKey
|
||||
}
|
||||
|
||||
// generatePrivateKey generates and returns a new private key that is suitable
|
||||
// for use with secp256k1 using the provided reader as a source of entropy. The
|
||||
// provided reader must be a source of cryptographically secure randomness to
|
||||
// avoid weak private keys.
|
||||
func generatePrivateKey(rand io.Reader) (*PrivateKey, error) {
|
||||
// The group order is close enough to 2^256 that there is only roughly a 1
|
||||
// in 2^128 chance of generating an invalid private key, so this loop will
|
||||
// virtually never run more than a single iteration in practice.
|
||||
var key PrivateKey
|
||||
var b32 [32]byte
|
||||
for valid := false; !valid; {
|
||||
if _, err := io.ReadFull(rand, b32[:]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// The private key is only valid when it is in the range [1, N-1], where
|
||||
// N is the order of the curve.
|
||||
overflow := key.Key.SetBytes(&b32)
|
||||
valid = (key.Key.IsZeroBit() | overflow) == 0
|
||||
}
|
||||
zeroArray32(&b32)
|
||||
|
||||
return &key, nil
|
||||
}
|
||||
|
||||
// GeneratePrivateKey generates and returns a new cryptographically secure
|
||||
// private key that is suitable for use with secp256k1.
|
||||
func GeneratePrivateKey() (*PrivateKey, error) {
|
||||
return generatePrivateKey(cryptorand.Reader)
|
||||
}
|
||||
|
||||
// GeneratePrivateKeyFromRand generates a private key that is suitable for use
|
||||
// with secp256k1 using the provided reader as a source of entropy. The
|
||||
// provided reader must be a source of cryptographically secure randomness, such
|
||||
// as [crypto/rand.Reader], to avoid weak private keys.
|
||||
func GeneratePrivateKeyFromRand(rand io.Reader) (*PrivateKey, error) {
|
||||
return generatePrivateKey(rand)
|
||||
}
|
||||
|
||||
// PubKey computes and returns the public key corresponding to this private key.
|
||||
func (p *PrivateKey) PubKey() *PublicKey {
|
||||
var result JacobianPoint
|
||||
ScalarBaseMultNonConst(&p.Key, &result)
|
||||
result.ToAffine()
|
||||
return NewPublicKey(&result.X, &result.Y)
|
||||
}
|
||||
|
||||
// Zero manually clears the memory associated with the private key. This can be
|
||||
// used to explicitly clear key material from memory for enhanced security
|
||||
// against memory scraping.
|
||||
func (p *PrivateKey) Zero() {
|
||||
p.Key.Zero()
|
||||
}
|
||||
|
||||
// PrivKeyBytesLen defines the length in bytes of a serialized private key.
|
||||
const PrivKeyBytesLen = 32
|
||||
|
||||
// Serialize returns the private key as a 256-bit big-endian binary-encoded
|
||||
// number, padded to a length of 32 bytes.
|
||||
func (p PrivateKey) Serialize() []byte {
|
||||
var privKeyBytes [PrivKeyBytesLen]byte
|
||||
p.Key.PutBytes(&privKeyBytes)
|
||||
return privKeyBytes[:]
|
||||
}
|
||||
+236
@@ -0,0 +1,236 @@
|
||||
// Copyright (c) 2013-2014 The btcsuite developers
|
||||
// Copyright (c) 2015-2024 The Decred developers
|
||||
// Use of this source code is governed by an ISC
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package secp256k1
|
||||
|
||||
// References:
|
||||
// [SEC1] Elliptic Curve Cryptography
|
||||
// https://www.secg.org/sec1-v2.pdf
|
||||
//
|
||||
// [SEC2] Recommended Elliptic Curve Domain Parameters
|
||||
// https://www.secg.org/sec2-v2.pdf
|
||||
//
|
||||
// [ANSI X9.62-1998] Public Key Cryptography For The Financial Services
|
||||
// Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
const (
|
||||
// PubKeyBytesLenCompressed is the number of bytes of a serialized
|
||||
// compressed public key.
|
||||
PubKeyBytesLenCompressed = 33
|
||||
|
||||
// PubKeyBytesLenUncompressed is the number of bytes of a serialized
|
||||
// uncompressed public key.
|
||||
PubKeyBytesLenUncompressed = 65
|
||||
|
||||
// PubKeyFormatCompressedEven is the identifier prefix byte for a public key
|
||||
// whose Y coordinate is even when serialized in the compressed format per
|
||||
// section 2.3.4 of [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.4).
|
||||
PubKeyFormatCompressedEven byte = 0x02
|
||||
|
||||
// PubKeyFormatCompressedOdd is the identifier prefix byte for a public key
|
||||
// whose Y coordinate is odd when serialized in the compressed format per
|
||||
// section 2.3.4 of [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.4).
|
||||
PubKeyFormatCompressedOdd byte = 0x03
|
||||
|
||||
// PubKeyFormatUncompressed is the identifier prefix byte for a public key
|
||||
// when serialized according in the uncompressed format per section 2.3.3 of
|
||||
// [SEC1](https://secg.org/sec1-v2.pdf#subsubsection.2.3.3).
|
||||
PubKeyFormatUncompressed byte = 0x04
|
||||
|
||||
// PubKeyFormatHybridEven is the identifier prefix byte for a public key
|
||||
// whose Y coordinate is even when serialized according to the hybrid format
|
||||
// per section 4.3.6 of [ANSI X9.62-1998].
|
||||
//
|
||||
// NOTE: This format makes little sense in practice an therefore this
|
||||
// package will not produce public keys serialized in this format. However,
|
||||
// it will parse them since they exist in the wild.
|
||||
PubKeyFormatHybridEven byte = 0x06
|
||||
|
||||
// PubKeyFormatHybridOdd is the identifier prefix byte for a public key
|
||||
// whose Y coordingate is odd when serialized according to the hybrid format
|
||||
// per section 4.3.6 of [ANSI X9.62-1998].
|
||||
//
|
||||
// NOTE: This format makes little sense in practice an therefore this
|
||||
// package will not produce public keys serialized in this format. However,
|
||||
// it will parse them since they exist in the wild.
|
||||
PubKeyFormatHybridOdd byte = 0x07
|
||||
)
|
||||
|
||||
// PublicKey provides facilities for efficiently working with secp256k1 public
|
||||
// keys within this package and includes functions to serialize in both
|
||||
// uncompressed and compressed SEC (Standards for Efficient Cryptography)
|
||||
// formats.
|
||||
type PublicKey struct {
|
||||
x FieldVal
|
||||
y FieldVal
|
||||
}
|
||||
|
||||
// NewPublicKey instantiates a new public key with the given x and y
|
||||
// coordinates.
|
||||
//
|
||||
// It should be noted that, unlike ParsePubKey, since this accepts arbitrary x
|
||||
// and y coordinates, it allows creation of public keys that are not valid
|
||||
// points on the secp256k1 curve. The IsOnCurve method of the returned instance
|
||||
// can be used to determine validity.
|
||||
func NewPublicKey(x, y *FieldVal) *PublicKey {
|
||||
var pubKey PublicKey
|
||||
pubKey.x.Set(x)
|
||||
pubKey.y.Set(y)
|
||||
return &pubKey
|
||||
}
|
||||
|
||||
// ParsePubKey parses a secp256k1 public key encoded according to the format
|
||||
// specified by ANSI X9.62-1998, which means it is also compatible with the
|
||||
// SEC (Standards for Efficient Cryptography) specification which is a subset of
|
||||
// the former. In other words, it supports the uncompressed, compressed, and
|
||||
// hybrid formats as follows:
|
||||
//
|
||||
// Compressed:
|
||||
//
|
||||
// <format byte = 0x02/0x03><32-byte X coordinate>
|
||||
//
|
||||
// Uncompressed:
|
||||
//
|
||||
// <format byte = 0x04><32-byte X coordinate><32-byte Y coordinate>
|
||||
//
|
||||
// Hybrid:
|
||||
//
|
||||
// <format byte = 0x05/0x06><32-byte X coordinate><32-byte Y coordinate>
|
||||
//
|
||||
// NOTE: The hybrid format makes little sense in practice an therefore this
|
||||
// package will not produce public keys serialized in this format. However,
|
||||
// this function will properly parse them since they exist in the wild.
|
||||
func ParsePubKey(serialized []byte) (key *PublicKey, err error) {
|
||||
var x, y FieldVal
|
||||
switch len(serialized) {
|
||||
case PubKeyBytesLenUncompressed:
|
||||
// Reject unsupported public key formats for the given length.
|
||||
format := serialized[0]
|
||||
switch format {
|
||||
case PubKeyFormatUncompressed:
|
||||
case PubKeyFormatHybridEven, PubKeyFormatHybridOdd:
|
||||
default:
|
||||
str := fmt.Sprintf("invalid public key: unsupported format: %x",
|
||||
format)
|
||||
return nil, makeError(ErrPubKeyInvalidFormat, str)
|
||||
}
|
||||
|
||||
// Parse the x and y coordinates while ensuring that they are in the
|
||||
// allowed range.
|
||||
if overflow := x.SetByteSlice(serialized[1:33]); overflow {
|
||||
str := "invalid public key: x >= field prime"
|
||||
return nil, makeError(ErrPubKeyXTooBig, str)
|
||||
}
|
||||
if overflow := y.SetByteSlice(serialized[33:]); overflow {
|
||||
str := "invalid public key: y >= field prime"
|
||||
return nil, makeError(ErrPubKeyYTooBig, str)
|
||||
}
|
||||
|
||||
// Ensure the oddness of the y coordinate matches the specified format
|
||||
// for hybrid public keys.
|
||||
if format == PubKeyFormatHybridEven || format == PubKeyFormatHybridOdd {
|
||||
wantOddY := format == PubKeyFormatHybridOdd
|
||||
if y.IsOdd() != wantOddY {
|
||||
str := fmt.Sprintf("invalid public key: y oddness does not "+
|
||||
"match specified value of %v", wantOddY)
|
||||
return nil, makeError(ErrPubKeyMismatchedOddness, str)
|
||||
}
|
||||
}
|
||||
|
||||
// Reject public keys that are not on the secp256k1 curve.
|
||||
if !isOnCurve(&x, &y) {
|
||||
str := fmt.Sprintf("invalid public key: [%v,%v] not on secp256k1 "+
|
||||
"curve", x, y)
|
||||
return nil, makeError(ErrPubKeyNotOnCurve, str)
|
||||
}
|
||||
|
||||
case PubKeyBytesLenCompressed:
|
||||
// Reject unsupported public key formats for the given length.
|
||||
format := serialized[0]
|
||||
switch format {
|
||||
case PubKeyFormatCompressedEven, PubKeyFormatCompressedOdd:
|
||||
default:
|
||||
str := fmt.Sprintf("invalid public key: unsupported format: %x",
|
||||
format)
|
||||
return nil, makeError(ErrPubKeyInvalidFormat, str)
|
||||
}
|
||||
|
||||
// Parse the x coordinate while ensuring that it is in the allowed
|
||||
// range.
|
||||
if overflow := x.SetByteSlice(serialized[1:33]); overflow {
|
||||
str := "invalid public key: x >= field prime"
|
||||
return nil, makeError(ErrPubKeyXTooBig, str)
|
||||
}
|
||||
|
||||
// Attempt to calculate the y coordinate for the given x coordinate such
|
||||
// that the result pair is a point on the secp256k1 curve and the
|
||||
// solution with desired oddness is chosen.
|
||||
wantOddY := format == PubKeyFormatCompressedOdd
|
||||
if !DecompressY(&x, wantOddY, &y) {
|
||||
str := fmt.Sprintf("invalid public key: x coordinate %v is not on "+
|
||||
"the secp256k1 curve", x)
|
||||
return nil, makeError(ErrPubKeyNotOnCurve, str)
|
||||
}
|
||||
|
||||
default:
|
||||
str := fmt.Sprintf("malformed public key: invalid length: %d",
|
||||
len(serialized))
|
||||
return nil, makeError(ErrPubKeyInvalidLen, str)
|
||||
}
|
||||
|
||||
return NewPublicKey(&x, &y), nil
|
||||
}
|
||||
|
||||
// SerializeUncompressed serializes a public key in the 65-byte uncompressed
|
||||
// format.
|
||||
func (p PublicKey) SerializeUncompressed() []byte {
|
||||
// 0x04 || 32-byte x coordinate || 32-byte y coordinate
|
||||
var b [PubKeyBytesLenUncompressed]byte
|
||||
b[0] = PubKeyFormatUncompressed
|
||||
p.x.PutBytesUnchecked(b[1:33])
|
||||
p.y.PutBytesUnchecked(b[33:65])
|
||||
return b[:]
|
||||
}
|
||||
|
||||
// SerializeCompressed serializes a public key in the 33-byte compressed format.
|
||||
func (p PublicKey) SerializeCompressed() []byte {
|
||||
// Choose the format byte depending on the oddness of the Y coordinate.
|
||||
format := PubKeyFormatCompressedEven
|
||||
if p.y.IsOdd() {
|
||||
format = PubKeyFormatCompressedOdd
|
||||
}
|
||||
|
||||
// 0x02 or 0x03 || 32-byte x coordinate
|
||||
var b [PubKeyBytesLenCompressed]byte
|
||||
b[0] = format
|
||||
p.x.PutBytesUnchecked(b[1:33])
|
||||
return b[:]
|
||||
}
|
||||
|
||||
// IsEqual compares this public key instance to the one passed, returning true
|
||||
// if both public keys are equivalent. A public key is equivalent to another,
|
||||
// if they both have the same X and Y coordinates.
|
||||
func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool {
|
||||
return p.x.Equals(&otherPubKey.x) && p.y.Equals(&otherPubKey.y)
|
||||
}
|
||||
|
||||
// AsJacobian converts the public key into a Jacobian point with Z=1 and stores
|
||||
// the result in the provided result param. This allows the public key to be
|
||||
// treated a Jacobian point in the secp256k1 group in calculations.
|
||||
func (p *PublicKey) AsJacobian(result *JacobianPoint) {
|
||||
result.X.Set(&p.x)
|
||||
result.Y.Set(&p.y)
|
||||
result.Z.SetInt(1)
|
||||
}
|
||||
|
||||
// IsOnCurve returns whether or not the public key represents a point on the
|
||||
// secp256k1 curve.
|
||||
func (p *PublicKey) IsOnCurve() bool {
|
||||
return isOnCurve(&p.x, &p.y)
|
||||
}
|
||||
Reference in New Issue
Block a user