UNPKG

3.71 kBJavaScriptView Raw
1var createHmac = require('create-hmac')
2var typeforce = require('typeforce')
3var types = require('./types')
4
5var BigInteger = require('bigi')
6var ECSignature = require('./ecsignature')
7
8var ZERO = new Buffer([0])
9var ONE = new Buffer([1])
10
11var ecurve = require('ecurve')
12var secp256k1 = ecurve.getCurveByName('secp256k1')
13
14// https://tools.ietf.org/html/rfc6979#section-3.2
15function deterministicGenerateK (hash, x, checkSig) {
16 typeforce(types.tuple(
17 types.Hash256bit,
18 types.Buffer256bit,
19 types.Function
20 ), arguments)
21
22 var k = new Buffer(32)
23 var v = new Buffer(32)
24
25 // Step A, ignored as hash already provided
26 // Step B
27 v.fill(1)
28
29 // Step C
30 k.fill(0)
31
32 // Step D
33 k = createHmac('sha256', k)
34 .update(v)
35 .update(ZERO)
36 .update(x)
37 .update(hash)
38 .digest()
39
40 // Step E
41 v = createHmac('sha256', k).update(v).digest()
42
43 // Step F
44 k = createHmac('sha256', k)
45 .update(v)
46 .update(ONE)
47 .update(x)
48 .update(hash)
49 .digest()
50
51 // Step G
52 v = createHmac('sha256', k).update(v).digest()
53
54 // Step H1/H2a, ignored as tlen === qlen (256 bit)
55 // Step H2b
56 v = createHmac('sha256', k).update(v).digest()
57
58 var T = BigInteger.fromBuffer(v)
59
60 // Step H3, repeat until T is within the interval [1, n - 1] and is suitable for ECDSA
61 while (T.signum() <= 0 || T.compareTo(secp256k1.n) >= 0 || !checkSig(T)) {
62 k = createHmac('sha256', k)
63 .update(v)
64 .update(ZERO)
65 .digest()
66
67 v = createHmac('sha256', k).update(v).digest()
68
69 // Step H1/H2a, again, ignored as tlen === qlen (256 bit)
70 // Step H2b again
71 v = createHmac('sha256', k).update(v).digest()
72 T = BigInteger.fromBuffer(v)
73 }
74
75 return T
76}
77
78var N_OVER_TWO = secp256k1.n.shiftRight(1)
79
80function sign (hash, d) {
81 typeforce(types.tuple(types.Hash256bit, types.BigInt), arguments)
82
83 var x = d.toBuffer(32)
84 var e = BigInteger.fromBuffer(hash)
85 var n = secp256k1.n
86 var G = secp256k1.G
87
88 var r, s
89 deterministicGenerateK(hash, x, function (k) {
90 var Q = G.multiply(k)
91
92 if (secp256k1.isInfinity(Q)) return false
93
94 r = Q.affineX.mod(n)
95 if (r.signum() === 0) return false
96
97 s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)
98 if (s.signum() === 0) return false
99
100 return true
101 })
102
103 // enforce low S values, see bip62: 'low s values in signatures'
104 if (s.compareTo(N_OVER_TWO) > 0) {
105 s = n.subtract(s)
106 }
107
108 return new ECSignature(r, s)
109}
110
111function verify (hash, signature, Q) {
112 typeforce(types.tuple(
113 types.Hash256bit,
114 types.ECSignature,
115 types.ECPoint
116 ), arguments)
117
118 var n = secp256k1.n
119 var G = secp256k1.G
120
121 var r = signature.r
122 var s = signature.s
123
124 // 1.4.1 Enforce r and s are both integers in the interval [1, n − 1]
125 if (r.signum() <= 0 || r.compareTo(n) >= 0) return false
126 if (s.signum() <= 0 || s.compareTo(n) >= 0) return false
127
128 // 1.4.2 H = Hash(M), already done by the user
129 // 1.4.3 e = H
130 var e = BigInteger.fromBuffer(hash)
131
132 // Compute s^-1
133 var sInv = s.modInverse(n)
134
135 // 1.4.4 Compute u1 = es^−1 mod n
136 // u2 = rs^−1 mod n
137 var u1 = e.multiply(sInv).mod(n)
138 var u2 = r.multiply(sInv).mod(n)
139
140 // 1.4.5 Compute R = (xR, yR)
141 // R = u1G + u2Q
142 var R = G.multiplyTwo(u1, Q, u2)
143
144 // 1.4.5 (cont.) Enforce R is not at infinity
145 if (secp256k1.isInfinity(R)) return false
146
147 // 1.4.6 Convert the field element R.x to an integer
148 var xR = R.affineX
149
150 // 1.4.7 Set v = xR mod n
151 var v = xR.mod(n)
152
153 // 1.4.8 If v = r, output "valid", and if v != r, output "invalid"
154 return v.equals(r)
155}
156
157module.exports = {
158 deterministicGenerateK: deterministicGenerateK,
159 sign: sign,
160 verify: verify,
161
162 // TODO: remove
163 __curve: secp256k1
164}