diff --git a/btcec/bench_test.go b/btcec/bench_test.go index 475a4afd6e..89e2bc2cce 100644 --- a/btcec/bench_test.go +++ b/btcec/bench_test.go @@ -164,35 +164,6 @@ func hexToModNScalar(s string) *ModNScalar { return &scalar } -// BenchmarkSigVerify benchmarks how long it takes the secp256k1 curve to -// verify signatures. -func BenchmarkSigVerify(b *testing.B) { - b.StopTimer() - // Randomly generated keypair. - // Private key: 9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d - pubKey := NewPublicKey( - hexToFieldVal("d2e670a19c6d753d1a6d8b20bd045df8a08fb162cf508956c31268c6d81ffdab"), - hexToFieldVal("ab65528eefbb8057aa85d597258a3fbd481a24633bc9b47a9aa045c91371de52"), - ) - - // Double sha256 of []byte{0x01, 0x02, 0x03, 0x04} - msgHash := fromHex("8de472e2399610baaa7f84840547cd409434e31f5d3bd71e4d947f283874f9c0") - sig := NewSignature( - hexToModNScalar("fef45d2892953aa5bbcdb057b5e98b208f1617a7498af7eb765574e29b5d9c2c"), - hexToModNScalar("d47563f52aac6b04b55de236b7c515eb9311757db01e02cff079c3ca6efb063f"), - ) - - if !sig.Verify(msgHash.Bytes(), pubKey) { - b.Errorf("Signature failed to verify") - return - } - b.StartTimer() - - for i := 0; i < b.N; i++ { - sig.Verify(msgHash.Bytes(), pubKey) - } -} - // BenchmarkFieldNormalize benchmarks how long it takes the internal field // to perform normalization (which includes modular reduction). func BenchmarkFieldNormalize(b *testing.B) { diff --git a/btcec/btcec_test.go b/btcec/btcec_test.go index 5fdd638f22..3113a1b553 100644 --- a/btcec/btcec_test.go +++ b/btcec/btcec_test.go @@ -851,27 +851,6 @@ func TestKeyGeneration(t *testing.T) { testKeyGeneration(t, S256(), "S256") } -func testSignAndVerify(t *testing.T, c *KoblitzCurve, tag string) { - priv, _ := NewPrivateKey() - pub := priv.PubKey() - - hashed := []byte("testing") - sig := Sign(priv, hashed) - - if !sig.Verify(hashed, pub) { - t.Errorf("%s: Verify failed", tag) - } - - hashed[0] ^= 0xff - if sig.Verify(hashed, pub) { - t.Errorf("%s: Verify always works!", tag) - } -} - -func TestSignAndVerify(t *testing.T) { - testSignAndVerify(t, S256(), "S256") -} - // checkNAFEncoding returns an error if the provided positive and negative // portions of an overall NAF encoding do not adhere to the requirements or they // do not sum back to the provided original value. diff --git a/btcec/ecdsa/bench_test.go b/btcec/ecdsa/bench_test.go new file mode 100644 index 0000000000..3e27994cd4 --- /dev/null +++ b/btcec/ecdsa/bench_test.go @@ -0,0 +1,210 @@ +// Copyright 2013-2016 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package ecdsa + +import ( + "encoding/hex" + "math/big" + "testing" + + "github.com/btcsuite/btcd/btcec/v2" + "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// hexToBytes converts the passed hex string into bytes and will panic if there +// is an error. This is only provided for the hard-coded constants so errors in +// the source code can be detected. It will only (and must only) be called with +// hard-coded values. +func hexToBytes(s string) []byte { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + return b +} + +// hexToModNScalar converts the passed hex string into a ModNScalar and will +// panic if there is an error. This is only provided for the hard-coded +// constants so errors in the source code can be detected. It will only (and +// must only) be called with hard-coded values. +func hexToModNScalar(s string) *btcec.ModNScalar { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + var scalar btcec.ModNScalar + if overflow := scalar.SetByteSlice(b); overflow { + panic("hex in source file overflows mod N scalar: " + s) + } + return &scalar +} + +// hexToFieldVal converts the passed hex string into a FieldVal and will panic +// if there is an error. This is only provided for the hard-coded constants so +// errors in the source code can be detected. It will only (and must only) be +// called with hard-coded values. +func hexToFieldVal(s string) *btcec.FieldVal { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + var f btcec.FieldVal + if overflow := f.SetByteSlice(b); overflow { + panic("hex in source file overflows mod P: " + s) + } + return &f +} + +// fromHex converts the passed hex string into a big integer pointer and will +// panic is there is an error. This is only provided for the hard-coded +// constants so errors in the source code can bet detected. It will only (and +// must only) be called for initialization purposes. +func fromHex(s string) *big.Int { + if s == "" { + return big.NewInt(0) + } + r, ok := new(big.Int).SetString(s, 16) + if !ok { + panic("invalid hex in source file: " + s) + } + return r +} + +// BenchmarkSigVerify benchmarks how long it takes the secp256k1 curve to +// verify signatures. +func BenchmarkSigVerify(b *testing.B) { + b.StopTimer() + // Randomly generated keypair. + // Private key: 9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d + pubKey := btcec.NewPublicKey( + hexToFieldVal("d2e670a19c6d753d1a6d8b20bd045df8a08fb162cf508956c31268c6d81ffdab"), + hexToFieldVal("ab65528eefbb8057aa85d597258a3fbd481a24633bc9b47a9aa045c91371de52"), + ) + + // Double sha256 of []byte{0x01, 0x02, 0x03, 0x04} + msgHash := fromHex("8de472e2399610baaa7f84840547cd409434e31f5d3bd71e4d947f283874f9c0") + sig := NewSignature( + hexToModNScalar("fef45d2892953aa5bbcdb057b5e98b208f1617a7498af7eb765574e29b5d9c2c"), + hexToModNScalar("d47563f52aac6b04b55de236b7c515eb9311757db01e02cff079c3ca6efb063f"), + ) + + if !sig.Verify(msgHash.Bytes(), pubKey) { + b.Errorf("Signature failed to verify") + return + } + b.StartTimer() + + for i := 0; i < b.N; i++ { + sig.Verify(msgHash.Bytes(), pubKey) + } +} + +// BenchmarkSign benchmarks how long it takes to sign a message. +func BenchmarkSign(b *testing.B) { + // Randomly generated keypair. + d := hexToModNScalar("9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d") + privKey := secp256k1.NewPrivateKey(d) + + // blake256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + Sign(privKey, msgHash) + } +} + +// BenchmarkSigSerialize benchmarks how long it takes to serialize a typical +// signature with the strict DER encoding. +func BenchmarkSigSerialize(b *testing.B) { + // Randomly generated keypair. + // Private key: 9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d + // Signature for double sha256 of []byte{0x01, 0x02, 0x03, 0x04}. + sig := NewSignature( + hexToModNScalar("fef45d2892953aa5bbcdb057b5e98b208f1617a7498af7eb765574e29b5d9c2c"), + hexToModNScalar("d47563f52aac6b04b55de236b7c515eb9311757db01e02cff079c3ca6efb063f"), + ) + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + sig.Serialize() + } +} + +// BenchmarkNonceRFC6979 benchmarks how long it takes to generate a +// deterministic nonce according to RFC6979. +func BenchmarkNonceRFC6979(b *testing.B) { + // Randomly generated keypair. + // Private key: 9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d + // X: d2e670a19c6d753d1a6d8b20bd045df8a08fb162cf508956c31268c6d81ffdab + // Y: ab65528eefbb8057aa85d597258a3fbd481a24633bc9b47a9aa045c91371de52 + privKeyStr := "9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d" + privKey := hexToBytes(privKeyStr) + + // BLAKE-256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + b.ReportAllocs() + b.ResetTimer() + var noElideNonce *secp256k1.ModNScalar + for i := 0; i < b.N; i++ { + noElideNonce = secp256k1.NonceRFC6979(privKey, msgHash, nil, nil, 0) + } + _ = noElideNonce +} + +// BenchmarkSignCompact benchmarks how long it takes to produce a compact +// signature for a message. +func BenchmarkSignCompact(b *testing.B) { + d := hexToModNScalar("9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d") + privKey := secp256k1.NewPrivateKey(d) + + // blake256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + _, _ = SignCompact(privKey, msgHash, true) + } +} + +// BenchmarkSignCompact benchmarks how long it takes to recover a public key +// given a compact signature and message. +func BenchmarkRecoverCompact(b *testing.B) { + // Private key: 9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d + wantPubKey := secp256k1.NewPublicKey( + hexToFieldVal("d2e670a19c6d753d1a6d8b20bd045df8a08fb162cf508956c31268c6d81ffdab"), + hexToFieldVal("ab65528eefbb8057aa85d597258a3fbd481a24633bc9b47a9aa045c91371de52"), + ) + + compactSig := hexToBytes("205978b7896bc71676ba2e459882a8f52e1299449596c4f" + + "93c59bf1fbfa2f9d3b76ecd0c99406f61a6de2bb5a8937c061c176ecf381d0231e0d" + + "af73b922c8952c7") + + // blake256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + // Ensure a valid compact signature is being benchmarked. + pubKey, wasCompressed, err := RecoverCompact(compactSig, msgHash) + if err != nil { + b.Fatalf("unexpected err: %v", err) + } + if !wasCompressed { + b.Fatal("recover claims uncompressed pubkey") + } + if !pubKey.IsEqual(wantPubKey) { + b.Fatal("recover returned unexpected pubkey") + } + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + _, _, _ = RecoverCompact(compactSig, msgHash) + } +} diff --git a/btcec/ecdsa/error.go b/btcec/ecdsa/error.go new file mode 100644 index 0000000000..a30d63b636 --- /dev/null +++ b/btcec/ecdsa/error.go @@ -0,0 +1,18 @@ +// Copyright (c) 2013-2021 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers + +package ecdsa + +import ( + secp_ecdsa "github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa" +) + +// ErrorKind identifies a kind of error. It has full support for +// errors.Is and errors.As, so the caller can directly check against +// an error kind when determining the reason for an error. +type ErrorKind = secp_ecdsa.ErrorKind + +// Error identifies an error related to an ECDSA signature. It has full +// support for errors.Is and errors.As, so the caller can ascertain the +// specific reason for the error by checking the underlying error. +type Error = secp_ecdsa.ErrorKind diff --git a/btcec/example_test.go b/btcec/ecdsa/example_test.go similarity index 93% rename from btcec/example_test.go rename to btcec/ecdsa/example_test.go index b73f102c32..409a95bd23 100644 --- a/btcec/example_test.go +++ b/btcec/ecdsa/example_test.go @@ -2,13 +2,14 @@ // Use of this source code is governed by an ISC // license that can be found in the LICENSE file. -package btcec_test +package ecdsa_test import ( "encoding/hex" "fmt" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/chaincfg/chainhash" ) @@ -27,7 +28,7 @@ func Example_signMessage() { // Sign a message using the private key. message := "test message" messageHash := chainhash.DoubleHashB([]byte(message)) - signature := btcec.Sign(privKey, messageHash) + signature := ecdsa.Sign(privKey, messageHash) // Serialize and display the signature. fmt.Printf("Serialized Signature: %x\n", signature.Serialize()) @@ -67,7 +68,7 @@ func Example_verifySignature() { fmt.Println(err) return } - signature, err := btcec.ParseSignature(sigBytes) + signature, err := ecdsa.ParseSignature(sigBytes) if err != nil { fmt.Println(err) return diff --git a/btcec/signature.go b/btcec/ecdsa/signature.go similarity index 95% rename from btcec/signature.go rename to btcec/ecdsa/signature.go index ddeb4b052f..092e4ceb1c 100644 --- a/btcec/signature.go +++ b/btcec/ecdsa/signature.go @@ -1,14 +1,16 @@ // Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers // Use of this source code is governed by an ISC // license that can be found in the LICENSE file. -package btcec +package ecdsa import ( "errors" "fmt" "math/big" + "github.com/btcsuite/btcd/btcec/v2" secp_ecdsa "github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa" ) @@ -22,7 +24,7 @@ var ( type Signature = secp_ecdsa.Signature // NewSignature instantiates a new signature given some r and s values. -func NewSignature(r, s *ModNScalar) *Signature { +func NewSignature(r, s *btcec.ModNScalar) *Signature { return secp_ecdsa.NewSignature(r, s) } @@ -122,7 +124,7 @@ func parseSig(sigStr []byte, der bool) (*Signature, error) { // R must be in the range [1, N-1]. Notice the check for the maximum number // of bytes is required because SetByteSlice truncates as noted in its // comment so it could otherwise fail to detect the overflow. - var r ModNScalar + var r btcec.ModNScalar if len(rBytes) > 32 { str := "invalid signature: R is larger than 256 bits" return nil, errors.New(str) @@ -169,7 +171,7 @@ func parseSig(sigStr []byte, der bool) (*Signature, error) { // S must be in the range [1, N-1]. Notice the check for the maximum number // of bytes is required because SetByteSlice truncates as noted in its // comment so it could otherwise fail to detect the overflow. - var s ModNScalar + var s btcec.ModNScalar if len(sBytes) > 32 { str := "invalid signature: S is larger than 256 bits" return nil, errors.New(str) @@ -214,7 +216,7 @@ func ParseDERSignature(sigStr []byte) (*Signature, error) { // returned in the format: // <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R> // where the R and S parameters are padde up to the bitlengh of the curve. -func SignCompact(key *PrivateKey, hash []byte, +func SignCompact(key *btcec.PrivateKey, hash []byte, isCompressedKey bool) ([]byte, error) { return secp_ecdsa.SignCompact(key, hash, isCompressedKey), nil @@ -224,7 +226,7 @@ func SignCompact(key *PrivateKey, hash []byte, // Koblitz curve in "curve". If the signature matches then the recovered public // key will be returned as well as a boolean if the original key was compressed // or not, else an error will be returned. -func RecoverCompact(signature, hash []byte) (*PublicKey, bool, error) { +func RecoverCompact(signature, hash []byte) (*btcec.PublicKey, bool, error) { return secp_ecdsa.RecoverCompact(signature, hash) } @@ -233,6 +235,6 @@ func RecoverCompact(signature, hash []byte) (*PublicKey, bool, error) { // given private key. The produced signature is deterministic (same message and // same key yield the same signature) and canonical in accordance with RFC6979 // and BIP0062. -func Sign(key *PrivateKey, hash []byte) *Signature { +func Sign(key *btcec.PrivateKey, hash []byte) *Signature { return secp_ecdsa.Sign(key, hash) } diff --git a/btcec/signature_test.go b/btcec/ecdsa/signature_test.go similarity index 92% rename from btcec/signature_test.go rename to btcec/ecdsa/signature_test.go index 74ea374784..d2eebdc788 100644 --- a/btcec/signature_test.go +++ b/btcec/ecdsa/signature_test.go @@ -1,8 +1,9 @@ // Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers // Use of this source code is governed by an ISC // license that can be found in the LICENSE file. -package btcec +package ecdsa import ( "bytes" @@ -12,6 +13,8 @@ import ( "fmt" "reflect" "testing" + + "github.com/btcsuite/btcd/btcec/v2" ) type signatureTest struct { @@ -344,9 +347,7 @@ func TestSignatures(t *testing.T) { if test.isValid { t.Errorf("%s signature failed when shouldn't %v", test.name, err) - } /* else { - t.Errorf("%s got error %v", test.name, err) - } */ + } continue } if !test.isValid { @@ -443,7 +444,7 @@ func TestSignatureSerialize(t *testing.T) { }, { "zero signature", - NewSignature(&ModNScalar{}, &ModNScalar{}), + NewSignature(&btcec.ModNScalar{}, &btcec.ModNScalar{}), []byte{0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00}, }, } @@ -458,9 +459,9 @@ func TestSignatureSerialize(t *testing.T) { } } -func testSignCompact(t *testing.T, tag string, curve *KoblitzCurve, +func testSignCompact(t *testing.T, tag string, curve *btcec.KoblitzCurve, data []byte, isCompressed bool) { - priv, _ := NewPrivateKey() + priv, _ := btcec.NewPrivateKey() hashed := []byte("testing") sig, err := SignCompact(priv, hashed, isCompressed) @@ -523,7 +524,7 @@ func TestSignCompact(t *testing.T) { continue } compressed := i%2 != 0 - testSignCompact(t, name, S256(), data, compressed) + testSignCompact(t, name, btcec.S256(), data, compressed) } } @@ -620,7 +621,7 @@ func TestRecoverCompact(t *testing.T) { } // Otherwise, ensure the correct public key was recovered. - exPub, _ := ParsePubKey(decodeHex(test.pub)) + exPub, _ := btcec.ParsePubKey(decodeHex(test.pub)) if !exPub.IsEqual(pub) { t.Errorf("unexpected recovered public key #%d: "+ "want %v, got %v", i, exPub, pub) @@ -679,11 +680,11 @@ func TestRFC6979(t *testing.T) { } for i, test := range tests { - privKey, _ := PrivKeyFromBytes(decodeHex(test.key)) + privKey, _ := btcec.PrivKeyFromBytes(decodeHex(test.key)) hash := sha256.Sum256([]byte(test.msg)) // Ensure deterministically generated nonce is the expected value. - gotNonce := NonceRFC6979(privKey.Serialize(), hash[:], nil, nil, 0).Bytes() + gotNonce := btcec.NonceRFC6979(privKey.Serialize(), hash[:], nil, nil, 0).Bytes() wantNonce := decodeHex(test.nonce) if !bytes.Equal(gotNonce[:], wantNonce) { t.Errorf("NonceRFC6979 #%d (%s): Nonce is incorrect: "+ @@ -726,3 +727,65 @@ func TestSignatureIsEqual(t *testing.T) { "equal to %v", sig1, sig2) } } + +func testSignAndVerify(t *testing.T, c *btcec.KoblitzCurve, tag string) { + priv, _ := btcec.NewPrivateKey() + pub := priv.PubKey() + + hashed := []byte("testing") + sig := Sign(priv, hashed) + + if !sig.Verify(hashed, pub) { + t.Errorf("%s: Verify failed", tag) + } + + hashed[0] ^= 0xff + if sig.Verify(hashed, pub) { + t.Errorf("%s: Verify always works!", tag) + } +} + +func TestSignAndVerify(t *testing.T) { + testSignAndVerify(t, btcec.S256(), "S256") +} + +func TestPrivKeys(t *testing.T) { + tests := []struct { + name string + key []byte + }{ + { + name: "check curve", + key: []byte{ + 0xea, 0xf0, 0x2c, 0xa3, 0x48, 0xc5, 0x24, 0xe6, + 0x39, 0x26, 0x55, 0xba, 0x4d, 0x29, 0x60, 0x3c, + 0xd1, 0xa7, 0x34, 0x7d, 0x9d, 0x65, 0xcf, 0xe9, + 0x3c, 0xe1, 0xeb, 0xff, 0xdc, 0xa2, 0x26, 0x94, + }, + }, + } + + for _, test := range tests { + priv, pub := btcec.PrivKeyFromBytes(test.key) + + _, err := btcec.ParsePubKey(pub.SerializeUncompressed()) + if err != nil { + t.Errorf("%s privkey: %v", test.name, err) + continue + } + + hash := []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9} + sig := Sign(priv, hash) + + if !sig.Verify(hash, pub) { + t.Errorf("%s could not verify: %v", test.name, err) + continue + } + + serializedKey := priv.Serialize() + if !bytes.Equal(serializedKey, test.key) { + t.Errorf("%s unexpected serialized bytes - got: %x, "+ + "want: %x", test.name, serializedKey, test.key) + } + } +} diff --git a/btcec/go.mod b/btcec/go.mod index 8f110664c1..53e4a1f5cb 100644 --- a/btcec/go.mod +++ b/btcec/go.mod @@ -7,3 +7,9 @@ require ( github.com/davecgh/go-spew v1.1.1 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 ) + +require github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect + +// We depend on chainhash as is, so we need to replace to use the version of +// chainhash included in the version of btcd we're building in. +replace github.com/btcsuite/btcd => ../ diff --git a/btcec/go.sum b/btcec/go.sum index f70838a70e..dcbbc98cc5 100644 --- a/btcec/go.sum +++ b/btcec/go.sum @@ -1,18 +1,12 @@ github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII= -github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ= -github.com/btcsuite/btcd v0.22.0-beta.0.20220111032746-97732e52810c h1:lnAMg3ra/Gw4AkRMxrxYs8nrprWsHowg8H9zaYsJOo4= -github.com/btcsuite/btcd v0.22.0-beta.0.20220111032746-97732e52810c/go.mod h1:tjmYdS6MLJ5/s0Fj4DbLgSbDHbEqLJrtnHecBFkdz5M= +github.com/btcsuite/btcd/btcec/v2 v2.0.0/go.mod h1:vu+77Lro3alBlmsmlDnkZtgGiNo6OBwMHSb1XTGDwGo= github.com/btcsuite/btcd/btcutil v1.0.0/go.mod h1:Uoxwv0pqYWhD//tfTiipkxNfdhG9UrLwaeswfjfdF0A= github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA= -github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d/go.mod h1:+5NJ2+qvTyV9exUAL/rxXi3DcLg2Ts+ymUAY5y4NvMg= github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd/go.mod h1:HHNXQzUsZCxOoE+CPiyCTO6x34Zs86zZUiwtpXoGdtg= -github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd/go.mod h1:F+uVaaLLH7j4eDXPRvw78tMflu7Ie2bzYOH4Y8rRKBY= github.com/btcsuite/goleveldb v1.0.0/go.mod h1:QiK9vBlgftBg6rWQIj6wFzbPfRjiykIEhBH4obrXJ/I= -github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc= github.com/btcsuite/snappy-go v1.0.0/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc= github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY= github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs= -github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/decred/dcrd/crypto/blake256 v1.0.0 h1:/8DMNYp9SGi5f0w7uCm6d6M4OU2rGFK09Y2A4Xv7EE0= @@ -20,65 +14,17 @@ github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs= github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ= github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/btcec/privkey_test.go b/btcec/privkey_test.go deleted file mode 100644 index 71a8bceaa1..0000000000 --- a/btcec/privkey_test.go +++ /dev/null @@ -1,51 +0,0 @@ -// Copyright (c) 2013-2016 The btcsuite developers -// Use of this source code is governed by an ISC -// license that can be found in the LICENSE file. - -package btcec - -import ( - "bytes" - "testing" -) - -func TestPrivKeys(t *testing.T) { - tests := []struct { - name string - key []byte - }{ - { - name: "check curve", - key: []byte{ - 0xea, 0xf0, 0x2c, 0xa3, 0x48, 0xc5, 0x24, 0xe6, - 0x39, 0x26, 0x55, 0xba, 0x4d, 0x29, 0x60, 0x3c, - 0xd1, 0xa7, 0x34, 0x7d, 0x9d, 0x65, 0xcf, 0xe9, - 0x3c, 0xe1, 0xeb, 0xff, 0xdc, 0xa2, 0x26, 0x94, - }, - }, - } - - for _, test := range tests { - priv, pub := PrivKeyFromBytes(test.key) - - _, err := ParsePubKey(pub.SerializeUncompressed()) - if err != nil { - t.Errorf("%s privkey: %v", test.name, err) - continue - } - - hash := []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9} - sig := Sign(priv, hash) - - if !sig.Verify(hash, pub) { - t.Errorf("%s could not verify: %v", test.name, err) - continue - } - - serializedKey := priv.Serialize() - if !bytes.Equal(serializedKey, test.key) { - t.Errorf("%s unexpected serialized bytes - got: %x, "+ - "want: %x", test.name, serializedKey, test.key) - } - } -} diff --git a/btcec/schnorr/bench_test.go b/btcec/schnorr/bench_test.go new file mode 100644 index 0000000000..4dadbb1fd6 --- /dev/null +++ b/btcec/schnorr/bench_test.go @@ -0,0 +1,169 @@ +// Copyright 2013-2016 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package schnorr + +import ( + "crypto/sha256" + "encoding/hex" + "math/big" + "testing" + + "github.com/btcsuite/btcd/btcec/v2" + "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// hexToBytes converts the passed hex string into bytes and will panic if there +// is an error. This is only provided for the hard-coded constants so errors in +// the source code can be detected. It will only (and must only) be called with +// hard-coded values. +func hexToBytes(s string) []byte { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + return b +} + +// hexToModNScalar converts the passed hex string into a ModNScalar and will +// panic if there is an error. This is only provided for the hard-coded +// constants so errors in the source code can be detected. It will only (and +// must only) be called with hard-coded values. +func hexToModNScalar(s string) *btcec.ModNScalar { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + var scalar btcec.ModNScalar + if overflow := scalar.SetByteSlice(b); overflow { + panic("hex in source file overflows mod N scalar: " + s) + } + return &scalar +} + +// hexToFieldVal converts the passed hex string into a FieldVal and will panic +// if there is an error. This is only provided for the hard-coded constants so +// errors in the source code can be detected. It will only (and must only) be +// called with hard-coded values. +func hexToFieldVal(s string) *btcec.FieldVal { + b, err := hex.DecodeString(s) + if err != nil { + panic("invalid hex in source file: " + s) + } + var f btcec.FieldVal + if overflow := f.SetByteSlice(b); overflow { + panic("hex in source file overflows mod P: " + s) + } + return &f +} + +// fromHex converts the passed hex string into a big integer pointer and will +// panic is there is an error. This is only provided for the hard-coded +// constants so errors in the source code can bet detected. It will only (and +// must only) be called for initialization purposes. +func fromHex(s string) *big.Int { + if s == "" { + return big.NewInt(0) + } + r, ok := new(big.Int).SetString(s, 16) + if !ok { + panic("invalid hex in source file: " + s) + } + return r +} + +var testOk bool + +// BenchmarkSigVerify benchmarks how long it takes the secp256k1 curve to +// verify signatures. +func BenchmarkSigVerify(b *testing.B) { + // Randomly generated keypair. + d := hexToModNScalar("9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d") + + privKey := secp256k1.NewPrivateKey(d) + pubKey := privKey.PubKey() + + // Double sha256 of []byte{0x01, 0x02, 0x03, 0x04} + msgHash := sha256.Sum256([]byte("benchmark")) + sig, err := Sign(privKey, msgHash[:]) + if err != nil { + b.Fatalf("unable to sign: %v", err) + } + + if !sig.Verify(msgHash[:], pubKey) { + b.Errorf("Signature failed to verify") + return + } + + var ok bool + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + ok = sig.Verify(msgHash[:], pubKey) + } + + testOk = ok +} + +// Used to ensure the compiler doesn't optimize away the benchmark. +var ( + testSig *Signature + testErr error +) + +// BenchmarkSign benchmarks how long it takes to sign a message. +func BenchmarkSign(b *testing.B) { + // Randomly generated keypair. + d := hexToModNScalar("9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d") + privKey := secp256k1.NewPrivateKey(d) + + // blake256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + var auxBytes [32]byte + copy(auxBytes[:], msgHash) + auxBytes[0] ^= 1 + + var ( + sig *Signature + err error + ) + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + sig, err = Sign( + privKey, msgHash, CustomNonce(auxBytes), FastSign(), + ) + } + + testSig = sig + testErr = err +} + +// BenchmarkSignRfc6979 benchmarks how long it takes to sign a message. +func BenchmarkSignRfc6979(b *testing.B) { + // Randomly generated keypair. + d := hexToModNScalar("9e0699c91ca1e3b7e3c9ba71eb71c89890872be97576010fe593fbf3fd57e66d") + privKey := secp256k1.NewPrivateKey(d) + + // blake256 of []byte{0x01, 0x02, 0x03, 0x04}. + msgHash := hexToBytes("c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7") + + var ( + sig *Signature + err error + ) + + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + sig, err = Sign(privKey, msgHash, FastSign()) + } + + testSig = sig + testErr = err +} diff --git a/btcec/schnorr/error.go b/btcec/schnorr/error.go new file mode 100644 index 0000000000..4014339647 --- /dev/null +++ b/btcec/schnorr/error.go @@ -0,0 +1,25 @@ +// Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package schnorr + +import ( + ecdsa_schnorr "github.com/decred/dcrd/dcrec/secp256k1/v4/schnorr" +) + +// ErrorKind identifies a kind of error. It has full support for errors.Is +// and errors.As, so the caller can directly check against an error kind +// when determining the reason for an error. +type ErrorKind = ecdsa_schnorr.ErrorKind + +// Error identifies an error related to a schnorr signature. It has full +// support for errors.Is and errors.As, so the caller can ascertain the +// specific reason for the error by checking the underlying error. +type Error = ecdsa_schnorr.Error + +// signatureError creates an Error given a set of arguments. +func signatureError(kind ErrorKind, desc string) Error { + return Error{Err: kind, Description: desc} +} diff --git a/btcec/schnorr/pubkey.go b/btcec/schnorr/pubkey.go new file mode 100644 index 0000000000..f5d2ca4bd5 --- /dev/null +++ b/btcec/schnorr/pubkey.go @@ -0,0 +1,49 @@ +// Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package schnorr + +import ( + "fmt" + + "github.com/btcsuite/btcd/btcec/v2" + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// These constants define the lengths of serialized public keys. +const ( + PubKeyBytesLen = 32 +) + +// ParsePubKey parses a public key for a koblitz curve from a bytestring into a +// btcec.Publickey, verifying that it is valid. It only supports public keys in +// the BIP-340 32-byte format. +func ParsePubKey(pubKeyStr []byte) (*btcec.PublicKey, error) { + if pubKeyStr == nil { + err := fmt.Errorf("nil pubkey byte string") + return nil, err + } + if len(pubKeyStr) != PubKeyBytesLen { + err := fmt.Errorf("bad pubkey byte string size (want %v, have %v)", + PubKeyBytesLen, len(pubKeyStr)) + return nil, err + } + + // We'll manually prepend the compressed byte so we can re-use the + // existing pubkey parsing routine of the main btcec package. + var keyCompressed [btcec.PubKeyBytesLenCompressed]byte + keyCompressed[0] = secp.PubKeyFormatCompressedEven + copy(keyCompressed[1:], pubKeyStr) + + return btcec.ParsePubKey(keyCompressed[:]) +} + +// SerializePubKey serializes a public key as specified by BIP 340. Public keys +// in this format are 32 bytes in length, and are assumed to have an even y +// coordinate. +func SerializePubKey(pub *btcec.PublicKey) []byte { + pBytes := pub.SerializeCompressed() + return pBytes[1:] +} diff --git a/btcec/schnorr/signature.go b/btcec/schnorr/signature.go new file mode 100644 index 0000000000..ed4b9cb5bf --- /dev/null +++ b/btcec/schnorr/signature.go @@ -0,0 +1,550 @@ +// Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package schnorr + +import ( + "fmt" + + "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/chaincfg/chainhash" + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" + ecdsa_schnorr "github.com/decred/dcrd/dcrec/secp256k1/v4/schnorr" +) + +const ( + // SignatureSize is the size of an encoded Schnorr signature. + SignatureSize = 64 + + // scalarSize is the size of an encoded big endian scalar. + scalarSize = 32 +) + +var ( + // rfc6979ExtraDataV0 is the extra data to feed to RFC6979 when + // generating the deterministic nonce for the BIP-340 scheme. This + // ensures the same nonce is not generated for the same message and key + // as for other signing algorithms such as ECDSA. + // + // It is equal to SHA-256([]byte("BIP-340")). + rfc6979ExtraDataV0 = [32]uint8{ + 0xa3, 0xeb, 0x4c, 0x18, 0x2f, 0xae, 0x7e, 0xf4, + 0xe8, 0x10, 0xc6, 0xee, 0x13, 0xb0, 0xe9, 0x26, + 0x68, 0x6d, 0x71, 0xe8, 0x7f, 0x39, 0x4f, 0x79, + 0x9c, 0x00, 0xa5, 0x21, 0x03, 0xcb, 0x4e, 0x17, + } +) + +// Signature is a type representing a Schnorr signature. +type Signature struct { + r btcec.FieldVal + s btcec.ModNScalar +} + +// NewSignature instantiates a new signature given some r and s values. +func NewSignature(r *btcec.FieldVal, s *btcec.ModNScalar) *Signature { + var sig Signature + sig.r.Set(r).Normalize() + sig.s.Set(s) + return &sig +} + +// Serialize returns the Schnorr signature in the more strict format. +// +// The signatures are encoded as +// sig[0:32] x coordinate of the point R, encoded as a big-endian uint256 +// sig[32:64] s, encoded also as big-endian uint256 +func (sig Signature) Serialize() []byte { + // Total length of returned signature is the length of r and s. + var b [SignatureSize]byte + sig.r.PutBytesUnchecked(b[0:32]) + sig.s.PutBytesUnchecked(b[32:64]) + return b[:] +} + +// ParseSignature parses a signature according to the BIP-340 specification and +// enforces the following additional restrictions specific to secp256k1: +// +// - The r component must be in the valid range for secp256k1 field elements +// - The s component must be in the valid range for secp256k1 scalars +func ParseSignature(sig []byte) (*Signature, error) { + // The signature must be the correct length. + sigLen := len(sig) + if sigLen < SignatureSize { + str := fmt.Sprintf("malformed signature: too short: %d < %d", sigLen, + SignatureSize) + return nil, signatureError(ecdsa_schnorr.ErrSigTooShort, str) + } + if sigLen > SignatureSize { + str := fmt.Sprintf("malformed signature: too long: %d > %d", sigLen, + SignatureSize) + return nil, signatureError(ecdsa_schnorr.ErrSigTooLong, str) + } + + // The signature is validly encoded at this point, however, enforce + // additional restrictions to ensure r is in the range [0, p-1], and s is in + // the range [0, n-1] since valid Schnorr signatures are required to be in + // that range per spec. + var r btcec.FieldVal + if overflow := r.SetByteSlice(sig[0:32]); overflow { + str := "invalid signature: r >= field prime" + return nil, signatureError(ecdsa_schnorr.ErrSigRTooBig, str) + } + var s btcec.ModNScalar + if overflow := s.SetByteSlice(sig[32:64]); overflow { + str := "invalid signature: s >= group order" + return nil, signatureError(ecdsa_schnorr.ErrSigSTooBig, str) + } + + // Return the signature. + return NewSignature(&r, &s), nil +} + +// IsEqual compares this Signature instance to the one passed, returning true +// if both Signatures are equivalent. A signature is equivalent to another, if +// they both have the same scalar value for R and S. +func (sig Signature) IsEqual(otherSig *Signature) bool { + return sig.r.Equals(&otherSig.r) && sig.s.Equals(&otherSig.s) +} + +// schnorrVerify attempt to verify the signature for the provided hash and +// secp256k1 public key and either returns nil if successful or a specific error +// indicating why it failed if not successful. +// +// This differs from the exported Verify method in that it returns a specific +// error to support better testing while the exported method simply returns a +// bool indicating success or failure. +func schnorrVerify(sig *Signature, hash []byte, pubKeyBytes []byte) error { + // The algorithm for producing a BIP-340 signature is described in + // README.md and is reproduced here for reference: + // + // 1. Fail if m is not 32 bytes + // 2. P = lift_x(int(pk)). + // 3. r = int(sig[0:32]); fail is r >= p. + // 4. s = int(sig[32:64]); fail if s >= n. + // 5. e = int(tagged_hash("BIP0340/challenge", bytes(r) || bytes(P) || M)) mod n. + // 6. R = s*G - e*P + // 7. Fail if is_infinite(R) + // 8. Fail if not hash_even_y(R) + // 9. Fail is x(R) != r. + // 10. Return success iff not failure occured before reachign this + // point. + + // Step 1. + // + // Fail if m is not 32 bytes + if len(hash) != scalarSize { + str := fmt.Sprintf("wrong size for message (got %v, want %v)", + len(hash), scalarSize) + return signatureError(ecdsa_schnorr.ErrInvalidHashLen, str) + } + + // Step 2. + // + // P = lift_x(int(pk)) + // + // Fail if P is not a point on the curve + pubKey, err := ParsePubKey(pubKeyBytes) + if err != nil { + return err + } + if !pubKey.IsOnCurve() { + str := "pubkey point is not on curve" + return signatureError(ecdsa_schnorr.ErrPubKeyNotOnCurve, str) + } + + // Step 3. + // + // Fail if r >= p + // + // Note this is already handled by the fact r is a field element. + + // Step 4. + // + // Fail if s >= n + // + // Note this is already handled by the fact s is a mod n scalar. + + // Step 5. + // + // e = int(tagged_hash("BIP0340/challenge", bytes(r) || bytes(P) || M)) mod n. + var rBytes [32]byte + sig.r.PutBytesUnchecked(rBytes[:]) + pBytes := SerializePubKey(pubKey) + + commitment := chainhash.TaggedHash( + chainhash.TagBIP0340Challenge, rBytes[:], pBytes, hash, + ) + + var e btcec.ModNScalar + if overflow := e.SetBytes((*[32]byte)(commitment)); overflow != 0 { + str := "hash of (r || P || m) too big" + return signatureError(ecdsa_schnorr.ErrSchnorrHashValue, str) + } + + // Negate e here so we can use AddNonConst below to subtract the s*G + // point from e*P. + e.Negate() + + // Step 6. + // + // R = s*G - e*P + var P, R, sG, eP btcec.JacobianPoint + pubKey.AsJacobian(&P) + btcec.ScalarBaseMultNonConst(&sig.s, &sG) + btcec.ScalarMultNonConst(&e, &P, &eP) + btcec.AddNonConst(&sG, &eP, &R) + + // Step 7. + // + // Fail if R is the point at infinity + if (R.X.IsZero() && R.Y.IsZero()) || R.Z.IsZero() { + str := "calculated R point is the point at infinity" + return signatureError(ecdsa_schnorr.ErrSigRNotOnCurve, str) + } + + // Step 8. + // + // Fail if R.y is odd + // + // Note that R must be in affine coordinates for this check. + R.ToAffine() + if R.Y.IsOdd() { + str := "calculated R y-value is odd" + return signatureError(ecdsa_schnorr.ErrSigRYIsOdd, str) + } + + // Step 9. + // + // Verified if R.x == r + // + // Note that R must be in affine coordinates for this check. + if !sig.r.Equals(&R.X) { + str := "calculated R point was not given R" + return signatureError(ecdsa_schnorr.ErrUnequalRValues, str) + } + + // Step 10. + // + // Return success iff not failure occured before reachign this + return nil +} + +// Verify returns whether or not the signature is valid for the provided hash +// and secp256k1 public key. +func (sig *Signature) Verify(hash []byte, pubKey *btcec.PublicKey) bool { + pubkeyBytes := SerializePubKey(pubKey) + return schnorrVerify(sig, hash, pubkeyBytes) == nil +} + +// zeroArray zeroes the memory of a scalar array. +func zeroArray(a *[scalarSize]byte) { + for i := 0; i < scalarSize; i++ { + a[i] = 0x00 + } +} + +// schnorrSign generates an BIP-340 signature over the secp256k1 curve for the +// provided hash (which should be the result of hashing a larger message) using +// the given nonce and private key. The produced signature is deterministic +// (same message, nonce, and key yield the same signature) and canonical. +// +// WARNING: The hash MUST be 32 bytes and both the nonce and private keys must +// NOT be 0. Since this is an internal use function, these preconditions MUST +// be satisified by the caller. +func schnorrSign(privKey, nonce *btcec.ModNScalar, pubKey *btcec.PublicKey, hash []byte, + opts *signOptions) (*Signature, error) { + + // The algorithm for producing a BIP-340 signature is described in + // README.md and is reproduced here for reference: + // + // G = curve generator + // n = curve order + // d = private key + // m = message + // a = input randmoness + // r, s = signature + // + // 1. d' = int(d) + // 2. Fail if m is not 32 bytes + // 3. Fail if d = 0 or d >= n + // 4. P = d'*G + // 5. Negate d if P.y is odd + // 6. t = bytes(d) xor tagged_hash("BIP0340/aux", t || bytes(P) || m) + // 7. rand = tagged_hash("BIP0340/nonce", a) + // 8. k' = int(rand) mod n + // 9. Fail if k' = 0 + // 10. R = 'k*G + // 11. Negate k if R.y id odd + // 12. e = tagged_hash("BIP0340/challenge", bytes(R) || bytes(P) || m) mod n + // 13. sig = bytes(R) || bytes((k + e*d)) mod n + // 14. If Verify(bytes(P), m, sig) fails, abort. + // 15. return sig. + // + // Note that the set of functional options passed in may modify the + // above algorithm. Namely if CustomNonce is used, then steps 6-8 are + // replaced with a process that generates the nonce using rfc6679. If + // FastSign is passed, then we skip set 14. + + // NOTE: Steps 1-9 are performed by the caller. + + // + // Step 10. + // + // R = kG + var R btcec.JacobianPoint + k := *nonce + btcec.ScalarBaseMultNonConst(&k, &R) + + // Step 11. + // + // Negate nonce k if R.y is odd (R.y is the y coordinate of the point R) + // + // Note that R must be in affine coordinates for this check. + R.ToAffine() + if R.Y.IsOdd() { + k.Negate() + } + + // Step 12. + // + // e = tagged_hash("BIP0340/challenge", bytes(R) || bytes(P) || m) mod n + var rBytes [32]byte + r := &R.X + r.PutBytesUnchecked(rBytes[:]) + pBytes := SerializePubKey(pubKey) + + commitment := chainhash.TaggedHash( + chainhash.TagBIP0340Challenge, rBytes[:], pBytes, hash, + ) + + var e btcec.ModNScalar + if overflow := e.SetBytes((*[32]byte)(commitment)); overflow != 0 { + k.Zero() + str := "hash of (r || P || m) too big" + return nil, signatureError(ecdsa_schnorr.ErrSchnorrHashValue, str) + } + + // Step 13. + // + // s = k + e*d mod n + s := new(btcec.ModNScalar).Mul2(&e, privKey).Add(&k) + k.Zero() + + sig := NewSignature(r, s) + + // Step 14. + // + // If Verify(bytes(P), m, sig) fails, abort. + if !opts.fastSign { + if err := schnorrVerify(sig, hash, pBytes); err != nil { + return nil, err + } + } + + // Step 15. + // + // Return (r, s) + return sig, nil +} + +// SignOption is a functional option arguemnt that allows callers to modify the +// way we generate BIP-340 schnorr signatues. +type SignOption func(*signOptions) + +// signOptions houses the set of functional options that can be used to modify +// the method used to generate the BIP-340 signature. +type signOptions struct { + // fastSign determines if we'll skip the check at the end of the routine + // where we attempt to verify the produced signature. + fastSign bool + + // authNonce allows the user to pass in their own nonce information, which + // is useful for schemes like mu-sig. + authNonce *[32]byte +} + +// defaultSignOptions returns the default set of signing operations. +func defaultSignOptions() *signOptions { + return &signOptions{} +} + +// FastSign forces signing to skip the extra verification step at the end. +// Peformance sensitive applications may opt to use this option to speed up the +// signing operation. +func FastSign() SignOption { + return func(o *signOptions) { + o.fastSign = true + } +} + +// CustomNonce allows users to pass in a custom set of auxData that's used as +// input randomness to generate the nonce used during signing. Users may want +// to specify this custom value when using multi-signatures schemes such as +// Mu-Sig2. If this option isn't set, then rfc6979 will be used to generate the +// nonce material. +func CustomNonce(auxData [32]byte) SignOption { + return func(o *signOptions) { + o.authNonce = &auxData + } +} + +// Sign generates an BIP-340 signature over the secp256k1 curve for the +// provided hash (which should be the result of hashing a larger message) using +// the given private key. The produced signature is deterministic (same +// message and same key yield the same signature) and canonical. +// +// Note that the current signing implementation has a few remaining variable +// time aspects which make use of the private key and the generated nonce, +// which can expose the signer to constant time attacks. As a result, this +// function should not be used in situations where there is the possibility of +// someone having EM field/cache/etc access. +func Sign(privKey *btcec.PrivateKey, hash []byte, + signOpts ...SignOption) (*Signature, error) { + + // First, parse the set of optional signing options. + opts := defaultSignOptions() + for _, option := range signOpts { + option(opts) + } + + // The algorithm for producing a BIP-340 signature is described in + // README.md and is reproduced here for reference: + // + // G = curve generator + // n = curve order + // d = private key + // m = message + // a = input randmoness + // r, s = signature + // + // 1. d' = int(d) + // 2. Fail if m is not 32 bytes + // 3. Fail if d = 0 or d >= n + // 4. P = d'*G + // 5. Negate d if P.y is odd + // 6. t = bytes(d) xor tagged_hash("BIP0340/aux", t || bytes(P) || m) + // 7. rand = tagged_hash("BIP0340/nonce", a) + // 8. k' = int(rand) mod n + // 9. Fail if k' = 0 + // 10. R = 'k*G + // 11. Negate k if R.y id odd + // 12. e = tagged_hash("BIP0340/challenge", bytes(R) || bytes(P) || mod) mod n + // 13. sig = bytes(R) || bytes((k + e*d)) mod n + // 14. If Verify(bytes(P), m, sig) fails, abort. + // 15. return sig. + // + // Note that the set of functional options passed in may modify the + // above algorithm. Namely if CustomNonce is used, then steps 6-8 are + // replaced with a process that generates the nonce using rfc6679. If + // FastSign is passed, then we skip set 14. + + // Step 1. + // + // d' = int(d) + privKeyScalar := &privKey.Key + + // Step 2. + // + // Fail if m is not 32 bytes + if len(hash) != scalarSize { + str := fmt.Sprintf("wrong size for message hash (got %v, want %v)", + len(hash), scalarSize) + return nil, signatureError(ecdsa_schnorr.ErrInvalidHashLen, str) + } + + // Step 3. + // + // Fail if d = 0 or d >= n + if privKeyScalar.IsZero() { + str := "private key is zero" + return nil, signatureError(ecdsa_schnorr.ErrPrivateKeyIsZero, str) + } + + // Step 4. + // + // P = 'd*G + pub := privKey.PubKey() + + // Step 5. + // + // Negate d if P.y is odd. + pubKeyBytes := pub.SerializeCompressed() + if pubKeyBytes[0] == secp.PubKeyFormatCompressedOdd { + privKeyScalar.Negate() + } + + // At this point, we check to see if a CustomNonce has been passed in, + // and if so, then we'll deviate from the main routine here by + // generating the nonce value as specifid by BIP-0340. + if opts.authNonce != nil { + // Step 6. + // + // t = bytes(d) xor tagged_hash("BIP0340/aux", a) + privBytes := privKeyScalar.Bytes() + t := chainhash.TaggedHash( + chainhash.TagBIP0340Aux, (*opts.authNonce)[:], + ) + for i := 0; i < len(t); i++ { + t[i] ^= privBytes[i] + } + + // Step 7. + // + // rand = tagged_hash("BIP0340/nonce", t || bytes(P) || m) + // + // We snip off the first byte of the serialized pubkey, as we + // only need the x coordinate and not the market byte. + rand := chainhash.TaggedHash( + chainhash.TagBIP0340Nonce, t[:], pubKeyBytes[1:], hash, + ) + + // Step 8. + // + // k'= int(rand) mod n + var kPrime btcec.ModNScalar + kPrime.SetBytes((*[32]byte)(rand)) + + // Step 9. + // + // Fail if k' = 0 + if kPrime.IsZero() { + str := fmt.Sprintf("generated nonce is zero") + return nil, signatureError(ecdsa_schnorr.ErrSchnorrHashValue, str) + } + + sig, err := schnorrSign(privKeyScalar, &kPrime, pub, hash, opts) + kPrime.Zero() + if err != nil { + return nil, err + } + + return sig, nil + } + + var privKeyBytes [scalarSize]byte + privKeyScalar.PutBytes(&privKeyBytes) + defer zeroArray(&privKeyBytes) + for iteration := uint32(0); ; iteration++ { + // Step 6-9. + // + // Use RFC6979 to generate a deterministic nonce k in [1, n-1] + // parameterized by the private key, message being signed, extra data + // that identifies the scheme, and an iteration count + k := btcec.NonceRFC6979( + privKeyBytes[:], hash, rfc6979ExtraDataV0[:], nil, iteration, + ) + + // Steps 10-15. + sig, err := schnorrSign(privKeyScalar, k, pub, hash, opts) + k.Zero() + if err != nil { + // Try again with a new nonce. + continue + } + + return sig, nil + } +} diff --git a/btcec/schnorr/signature_test.go b/btcec/schnorr/signature_test.go new file mode 100644 index 0000000000..b99614ff6c --- /dev/null +++ b/btcec/schnorr/signature_test.go @@ -0,0 +1,256 @@ +// Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package schnorr + +import ( + "encoding/hex" + "errors" + "strings" + "testing" + + "github.com/btcsuite/btcd/btcec/v2" + secp_ecdsa "github.com/decred/dcrd/dcrec/secp256k1/v4" + ecdsa_schnorr "github.com/decred/dcrd/dcrec/secp256k1/v4/schnorr" +) + +type bip340Test struct { + secretKey string + publicKey string + auxRand string + message string + signature string + verifyResult bool + validPubKey bool + expectErr error + rfc6979 bool +} + +var bip340TestVectors = []bip340Test{ + { + secretKey: "0000000000000000000000000000000000000000000000000000000000000003", + publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9", + auxRand: "0000000000000000000000000000000000000000000000000000000000000000", + message: "0000000000000000000000000000000000000000000000000000000000000000", + signature: "04E7F9037658A92AFEB4F25BAE5339E3DDCA81A353493827D26F16D92308E49E2A25E92208678A2DF86970DA91B03A8AF8815A8A60498B358DAF560B347AA557", + verifyResult: true, + validPubKey: true, + rfc6979: true, + }, + { + secretKey: "0000000000000000000000000000000000000000000000000000000000000003", + publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9", + auxRand: "0000000000000000000000000000000000000000000000000000000000000000", + message: "0000000000000000000000000000000000000000000000000000000000000000", + signature: "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0", + verifyResult: true, + validPubKey: true, + }, + { + secretKey: "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF", + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + auxRand: "0000000000000000000000000000000000000000000000000000000000000001", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A", + verifyResult: true, + validPubKey: true, + }, + { + secretKey: "C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9", + publicKey: "DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8", + auxRand: "C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906", + message: "7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C", + signature: "5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7", + verifyResult: true, + validPubKey: true, + }, + { + secretKey: "0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710", + publicKey: "25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517", + auxRand: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + message: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + signature: "7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3", + verifyResult: true, + validPubKey: true, + }, + { + publicKey: "D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9", + message: "4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703", + signature: "00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4", + verifyResult: true, + validPubKey: true, + }, + { + publicKey: "EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B", + verifyResult: false, + validPubKey: false, + expectErr: secp_ecdsa.ErrPubKeyNotOnCurve, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrSigRYIsOdd, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrSigRYIsOdd, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrUnequalRValues, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrSigRNotOnCurve, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrSigRNotOnCurve, + }, + { + publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B", + verifyResult: false, + validPubKey: true, + expectErr: ecdsa_schnorr.ErrUnequalRValues, + }, + { + publicKey: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30", + message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89", + signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B", + verifyResult: false, + validPubKey: false, + expectErr: secp_ecdsa.ErrPubKeyXTooBig, + }, +} + +// decodeHex decodes the passed hex string and returns the resulting bytes. It +// panics if an error occurs. This is only used in the tests as a helper since +// the only way it can fail is if there is an error in the test source code. +func decodeHex(hexStr string) []byte { + b, err := hex.DecodeString(hexStr) + if err != nil { + panic("invalid hex string in test source: err " + err.Error() + + ", hex: " + hexStr) + } + + return b +} + +func TestSchnorrSign(t *testing.T) { + t.Parallel() + + for i, test := range bip340TestVectors { + if len(test.secretKey) == 0 { + continue + } + + d := decodeHex(test.secretKey) + privKey, _ := btcec.PrivKeyFromBytes(d) + + var auxBytes [32]byte + aux := decodeHex(test.auxRand) + copy(auxBytes[:], aux) + + msg := decodeHex(test.message) + + var signOpts []SignOption + if !test.rfc6979 { + signOpts = []SignOption{CustomNonce(auxBytes)} + } + + sig, err := Sign(privKey, msg, signOpts...) + if err != nil { + t.Fatalf("test #%v: sig generation failed: %v", i, err) + } + + if strings.ToUpper(hex.EncodeToString(sig.Serialize())) != test.signature { + t.Fatalf("test #%v: got signature %x : "+ + "want %s", i, sig.Serialize(), test.signature) + } + + pubKeyBytes := decodeHex(test.publicKey) + err = schnorrVerify(sig, msg, pubKeyBytes) + if err != nil { + t.Fail() + } + + verify := err == nil + if test.verifyResult != verify { + t.Fatalf("test #%v: verification mismatch: "+ + "expected %v, got %v", i, test.verifyResult, verify) + } + } +} + +func TestSchnorrVerify(t *testing.T) { + t.Parallel() + + for i, test := range bip340TestVectors { + + pubKeyBytes := decodeHex(test.publicKey) + + _, err := ParsePubKey(pubKeyBytes) + switch { + case !test.validPubKey && err != nil: + if !errors.Is(err, test.expectErr) { + t.Fatalf("test #%v: pubkey validation should "+ + "have failed, expected %v, got %v", i, + test.expectErr, err) + } + + continue + + case err != nil: + t.Fatalf("test #%v: unable to parse pubkey: %v", i, err) + } + + msg := decodeHex(test.message) + + sig, err := ParseSignature(decodeHex(test.signature)) + if err != nil { + t.Fatalf("unable to parse sig: %v", err) + } + + err = schnorrVerify(sig, msg, pubKeyBytes) + if err != nil && test.verifyResult { + t.Fatalf("test #%v: verification shouldn't have failed: %v", i, err) + } + + verify := err == nil + if test.verifyResult != verify { + t.Fatalf("test #%v: verificaiton mismatch: expected "+ + "%v, got %v", i, test.verifyResult, verify) + } + + if !test.verifyResult && test.expectErr != nil { + if !errors.Is(err, test.expectErr) { + t.Fatalf("test #%v: expect error %v : got %v", i, test.expectErr, err) + } + } + } +} diff --git a/btcutil/psbt/partialsig.go b/btcutil/psbt/partialsig.go index 26a6dc2d61..71cb63cdbf 100644 --- a/btcutil/psbt/partialsig.go +++ b/btcutil/psbt/partialsig.go @@ -4,6 +4,7 @@ import ( "bytes" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" ) // PartialSig encapsulate a (BTC public key, ECDSA signature) @@ -38,7 +39,7 @@ func validatePubkey(pubKey []byte) bool { // ECDSA signature, including the sighash flag. It does *not* of course // validate the signature against any message or public key. func validateSignature(sig []byte) bool { - _, err := btcec.ParseDERSignature(sig) + _, err := ecdsa.ParseDERSignature(sig) return err == nil } diff --git a/chaincfg/chainhash/hash.go b/chaincfg/chainhash/hash.go index 2b1cec022b..b7a2d8a7f8 100644 --- a/chaincfg/chainhash/hash.go +++ b/chaincfg/chainhash/hash.go @@ -6,6 +6,7 @@ package chainhash import ( + "crypto/sha256" "encoding/hex" "fmt" ) @@ -16,6 +17,25 @@ const HashSize = 32 // MaxHashStringSize is the maximum length of a Hash hash string. const MaxHashStringSize = HashSize * 2 +var ( + // TagBIP0340Challenge is the BIP-0340 tag for challenges. + TagBIP0340Challenge = []byte("BIP0340/challenge") + + // TagBIP0340Aux is the BIP-0340 tag for aux data. + TagBIP0340Aux = []byte("BIP0340/aux") + + // TagBIP0340Nonce is the BIP-0340 tag for nonces. + TagBIP0340Nonce = []byte("BIP0340/nonce") + + // precomputedTags is a map containing the SHA-256 hash of the BIP-0340 + // tags. + precomputedTags = map[string]Hash{ + string(TagBIP0340Challenge): sha256.Sum256(TagBIP0340Challenge), + string(TagBIP0340Aux): sha256.Sum256(TagBIP0340Aux), + string(TagBIP0340Nonce): sha256.Sum256(TagBIP0340Nonce), + } +) + // ErrHashStrSize describes an error that indicates the caller specified a hash // string that has too many characters. var ErrHashStrSize = fmt.Errorf("max hash string length is %v bytes", MaxHashStringSize) @@ -80,6 +100,35 @@ func NewHash(newHash []byte) (*Hash, error) { return &sh, err } +// TaggedHash implements the tagged hash scheme described in BIP-340. We use +// sha-256 to bind a message hash to a specific context using a tag: +// sha256(sha256(tag) || sha256(tag) || msg). +func TaggedHash(tag []byte, msgs ...[]byte) *Hash { + // Check to see if we've already pre-computed the hash of the tag. If + // so then this'll save us an extra sha256 hash. + shaTag, ok := precomputedTags[string(tag)] + if !ok { + shaTag = sha256.Sum256(tag) + } + + // h = sha256(sha256(tag) || sha256(tag) || msg) + h := sha256.New() + h.Write(shaTag[:]) + h.Write(shaTag[:]) + + for _, msg := range msgs { + h.Write(msg) + } + + taggedHash := h.Sum(nil) + + // The function can't error out since the above hash is guaranteed to + // be 32 bytes. + hash, _ := NewHash(taggedHash) + + return hash +} + // NewHashFromStr creates a Hash from a hash string. The string should be // the hexadecimal string of a byte-reversed hash, but any missing characters // result in zero padding at the end of the Hash. diff --git a/rpcserver.go b/rpcserver.go index b26074b33b..b8012b2b01 100644 --- a/rpcserver.go +++ b/rpcserver.go @@ -29,7 +29,7 @@ import ( "github.com/btcsuite/btcd/blockchain" "github.com/btcsuite/btcd/blockchain/indexers" - "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/btcjson" "github.com/btcsuite/btcd/btcutil" "github.com/btcsuite/btcd/chaincfg" @@ -3520,7 +3520,7 @@ func handleSignMessageWithPrivKey(s *rpcServer, cmd interface{}, closeChan <-cha wire.WriteVarString(&buf, 0, c.Message) messageHash := chainhash.DoubleHashB(buf.Bytes()) - sig, err := btcec.SignCompact(wif.PrivKey, + sig, err := ecdsa.SignCompact(wif.PrivKey, messageHash, wif.CompressPubKey) if err != nil { return nil, &btcjson.RPCError{ @@ -3715,7 +3715,7 @@ func handleVerifyMessage(s *rpcServer, cmd interface{}, closeChan <-chan struct{ wire.WriteVarString(&buf, 0, messageSignatureHeader) wire.WriteVarString(&buf, 0, c.Message) expectedMessageHash := chainhash.DoubleHashB(buf.Bytes()) - pk, wasCompressed, err := btcec.RecoverCompact(sig, + pk, wasCompressed, err := ecdsa.RecoverCompact(sig, expectedMessageHash) if err != nil { // Mirror Bitcoin Core behavior, which treats error in diff --git a/txscript/opcode.go b/txscript/opcode.go index 708bb2370b..64e46fbf74 100644 --- a/txscript/opcode.go +++ b/txscript/opcode.go @@ -16,6 +16,7 @@ import ( "golang.org/x/crypto/ripemd160" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/chaincfg/chainhash" "github.com/btcsuite/btcd/wire" ) @@ -1935,13 +1936,13 @@ func opcodeCheckSig(op *opcode, data []byte, vm *Engine) error { return nil } - var signature *btcec.Signature + var signature *ecdsa.Signature if vm.hasFlag(ScriptVerifyStrictEncoding) || vm.hasFlag(ScriptVerifyDERSignatures) { - signature, err = btcec.ParseDERSignature(sigBytes) + signature, err = ecdsa.ParseDERSignature(sigBytes) } else { - signature, err = btcec.ParseSignature(sigBytes) + signature, err = ecdsa.ParseSignature(sigBytes) } if err != nil { vm.dstack.PushBool(false) @@ -1989,7 +1990,7 @@ func opcodeCheckSigVerify(op *opcode, data []byte, vm *Engine) error { // the same signature multiple times when verifying a multisig. type parsedSigInfo struct { signature []byte - parsedSignature *btcec.Signature + parsedSignature *ecdsa.Signature parsed bool } @@ -2134,7 +2135,7 @@ func opcodeCheckMultiSig(op *opcode, data []byte, vm *Engine) error { signature := rawSig[:len(rawSig)-1] // Only parse and check the signature encoding once. - var parsedSig *btcec.Signature + var parsedSig *ecdsa.Signature if !sigInfo.parsed { if err := vm.checkHashTypeEncoding(hashType); err != nil { return err @@ -2148,9 +2149,9 @@ func opcodeCheckMultiSig(op *opcode, data []byte, vm *Engine) error { if vm.hasFlag(ScriptVerifyStrictEncoding) || vm.hasFlag(ScriptVerifyDERSignatures) { - parsedSig, err = btcec.ParseDERSignature(signature) + parsedSig, err = ecdsa.ParseDERSignature(signature) } else { - parsedSig, err = btcec.ParseSignature(signature) + parsedSig, err = ecdsa.ParseSignature(signature) } sigInfo.parsed = true if err != nil { diff --git a/txscript/pkscript.go b/txscript/pkscript.go index c5dd2a12a2..d89c244e41 100644 --- a/txscript/pkscript.go +++ b/txscript/pkscript.go @@ -6,6 +6,7 @@ import ( "fmt" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/chaincfg" "github.com/btcsuite/btcd/wire" "github.com/btcsuite/btcd/btcutil" @@ -20,7 +21,7 @@ const ( // Signature hash type (1 byte) // Public key length (1 byte) // Public key (33 byte) - minPubKeyHashSigScriptLen = 1 + btcec.MinSigLen + 1 + 1 + 33 + minPubKeyHashSigScriptLen = 1 + ecdsa.MinSigLen + 1 + 1 + 33 // maxPubKeyHashSigScriptLen is the maximum length of a signature script // that spends a P2PKH output. The length is composed of the following: diff --git a/txscript/sigcache.go b/txscript/sigcache.go index 959240c04d..fc9f627127 100644 --- a/txscript/sigcache.go +++ b/txscript/sigcache.go @@ -8,6 +8,7 @@ import ( "sync" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/chaincfg/chainhash" ) @@ -18,7 +19,7 @@ import ( // match. In the occasion that two sigHashes collide, the newer sigHash will // simply overwrite the existing entry. type sigCacheEntry struct { - sig *btcec.Signature + sig *ecdsa.Signature pubKey *btcec.PublicKey } @@ -55,7 +56,7 @@ func NewSigCache(maxEntries uint) *SigCache { // // NOTE: This function is safe for concurrent access. Readers won't be blocked // unless there exists a writer, adding an entry to the SigCache. -func (s *SigCache) Exists(sigHash chainhash.Hash, sig *btcec.Signature, pubKey *btcec.PublicKey) bool { +func (s *SigCache) Exists(sigHash chainhash.Hash, sig *ecdsa.Signature, pubKey *btcec.PublicKey) bool { s.RLock() entry, ok := s.validSigs[sigHash] s.RUnlock() @@ -70,7 +71,7 @@ func (s *SigCache) Exists(sigHash chainhash.Hash, sig *btcec.Signature, pubKey * // // NOTE: This function is safe for concurrent access. Writers will block // simultaneous readers until function execution has concluded. -func (s *SigCache) Add(sigHash chainhash.Hash, sig *btcec.Signature, pubKey *btcec.PublicKey) { +func (s *SigCache) Add(sigHash chainhash.Hash, sig *ecdsa.Signature, pubKey *btcec.PublicKey) { s.Lock() defer s.Unlock() diff --git a/txscript/sigcache_test.go b/txscript/sigcache_test.go index f9e9f270ef..d0a3c4b973 100644 --- a/txscript/sigcache_test.go +++ b/txscript/sigcache_test.go @@ -9,13 +9,14 @@ import ( "testing" "github.com/btcsuite/btcd/btcec/v2" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" "github.com/btcsuite/btcd/chaincfg/chainhash" ) // genRandomSig returns a random message, a signature of the message under the // public key and the public key. This function is used to generate randomized // test data. -func genRandomSig() (*chainhash.Hash, *btcec.Signature, *btcec.PublicKey, error) { +func genRandomSig() (*chainhash.Hash, *ecdsa.Signature, *btcec.PublicKey, error) { privKey, err := btcec.NewPrivateKey() if err != nil { return nil, nil, nil, err @@ -26,7 +27,7 @@ func genRandomSig() (*chainhash.Hash, *btcec.Signature, *btcec.PublicKey, error) return nil, nil, nil, err } - sig := btcec.Sign(privKey, msgHash[:]) + sig := ecdsa.Sign(privKey, msgHash[:]) return &msgHash, sig, privKey.PubKey(), nil } @@ -46,7 +47,7 @@ func TestSigCacheAddExists(t *testing.T) { sigCache.Add(*msg1, sig1, key1) // The previously added triplet should now be found within the sigcache. - sig1Copy, _ := btcec.ParseSignature(sig1.Serialize()) + sig1Copy, _ := ecdsa.ParseSignature(sig1.Serialize()) key1Copy, _ := btcec.ParsePubKey(key1.SerializeCompressed()) if !sigCache.Exists(*msg1, sig1Copy, key1Copy) { t.Errorf("previously added item not found in signature cache") @@ -70,7 +71,7 @@ func TestSigCacheAddEvictEntry(t *testing.T) { sigCache.Add(*msg, sig, key) - sigCopy, err := btcec.ParseSignature(sig.Serialize()) + sigCopy, err := ecdsa.ParseSignature(sig.Serialize()) if err != nil { t.Fatalf("unable to parse sig: %v", err) } @@ -105,7 +106,7 @@ func TestSigCacheAddEvictEntry(t *testing.T) { } // The entry added above should be found within the sigcache. - sigNewCopy, _ := btcec.ParseSignature(sigNew.Serialize()) + sigNewCopy, _ := ecdsa.ParseSignature(sigNew.Serialize()) keyNewCopy, _ := btcec.ParsePubKey(keyNew.SerializeCompressed()) if !sigCache.Exists(*msgNew, sigNewCopy, keyNewCopy) { t.Fatalf("previously added item not found in signature cache") @@ -128,7 +129,7 @@ func TestSigCacheAddMaxEntriesZeroOrNegative(t *testing.T) { sigCache.Add(*msg1, sig1, key1) // The generated triplet should not be found. - sig1Copy, _ := btcec.ParseSignature(sig1.Serialize()) + sig1Copy, _ := ecdsa.ParseSignature(sig1.Serialize()) key1Copy, _ := btcec.ParsePubKey(key1.SerializeCompressed()) if sigCache.Exists(*msg1, sig1Copy, key1Copy) { t.Errorf("previously added signature found in sigcache, but" + diff --git a/txscript/sign.go b/txscript/sign.go index e5335ce366..f52214f371 100644 --- a/txscript/sign.go +++ b/txscript/sign.go @@ -7,6 +7,8 @@ package txscript import ( "errors" + "github.com/btcsuite/btcd/btcec/v2/ecdsa" + "github.com/btcsuite/btcd/btcec/v2" "github.com/btcsuite/btcd/btcutil" "github.com/btcsuite/btcd/chaincfg" @@ -27,7 +29,7 @@ func RawTxInWitnessSignature(tx *wire.MsgTx, sigHashes *TxSigHashes, idx int, return nil, err } - signature := btcec.Sign(key, hash) + signature := ecdsa.Sign(key, hash) return append(signature.Serialize(), byte(hashType)), nil } @@ -69,7 +71,7 @@ func RawTxInSignature(tx *wire.MsgTx, idx int, subScript []byte, if err != nil { return nil, err } - signature := btcec.Sign(key, hash) + signature := ecdsa.Sign(key, hash) return append(signature.Serialize(), byte(hashType)), nil } @@ -263,7 +265,7 @@ sigLoop: tSig := sig[:len(sig)-1] hashType := SigHashType(sig[len(sig)-1]) - pSig, err := btcec.ParseDERSignature(tSig) + pSig, err := ecdsa.ParseDERSignature(tSig) if err != nil { continue }