libsecp256k1_core/
ecdsa.rs1use crate::{
2 ecmult::{ECMultContext, ECMultGenContext},
3 field::Field,
4 group::{Affine, Jacobian},
5 scalar::Scalar,
6 Error,
7};
8
9const P_MINUS_ORDER: Field = Field::new(0, 0, 0, 1, 0x45512319, 0x50B75FC4, 0x402DA172, 0x2FC9BAEE);
10
11const ORDER_AS_FE: Field = Field::new(
12 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364141,
13);
14
15impl ECMultContext {
16 pub fn verify_raw(
17 &self,
18 sigr: &Scalar,
19 sigs: &Scalar,
20 pubkey: &Affine,
21 message: &Scalar,
22 ) -> bool {
23 let c;
24 let (sn, u1, u2): (Scalar, Scalar, Scalar);
25
26 if sigr.is_zero() || sigs.is_zero() {
27 return false;
28 }
29
30 sn = sigs.inv_var();
31 u1 = &sn * message;
32 u2 = &sn * sigr;
33 let mut pubkeyj: Jacobian = Jacobian::default();
34 pubkeyj.set_ge(pubkey);
35 let mut pr: Jacobian = Jacobian::default();
36 self.ecmult(&mut pr, &pubkeyj, &u2, &u1);
37 if pr.is_infinity() {
38 return false;
39 }
40
41 c = sigr.b32();
42 let mut xr: Field = Default::default();
43 let _ = xr.set_b32(&c);
44
45 if pr.eq_x_var(&xr) {
46 return true;
47 }
48 if xr >= P_MINUS_ORDER {
49 return false;
50 }
51 xr += ORDER_AS_FE;
52 if pr.eq_x_var(&xr) {
53 return true;
54 }
55 false
56 }
57
58 pub fn recover_raw(
59 &self,
60 sigr: &Scalar,
61 sigs: &Scalar,
62 rec_id: u8,
63 message: &Scalar,
64 ) -> Result<Affine, Error> {
65 debug_assert!(rec_id < 4);
66
67 if sigr.is_zero() || sigs.is_zero() {
68 return Err(Error::InvalidSignature);
69 }
70
71 let brx = sigr.b32();
72 let mut fx = Field::default();
73 let overflow = fx.set_b32(&brx);
74 debug_assert!(overflow);
75
76 if rec_id & 2 > 0 {
77 if fx >= P_MINUS_ORDER {
78 return Err(Error::InvalidSignature);
79 }
80 fx += ORDER_AS_FE;
81 }
82 let mut x = Affine::default();
83 if !x.set_xo_var(&fx, rec_id & 1 > 0) {
84 return Err(Error::InvalidSignature);
85 }
86 let mut xj = Jacobian::default();
87 xj.set_ge(&x);
88 let rn = sigr.inv();
89 let mut u1 = &rn * message;
90 u1 = -u1;
91 let u2 = &rn * sigs;
92 let mut qj = Jacobian::default();
93 self.ecmult(&mut qj, &xj, &u2, &u1);
94
95 let mut pubkey = Affine::default();
96 pubkey.set_gej_var(&qj);
97
98 if pubkey.is_infinity() {
99 Err(Error::InvalidSignature)
100 } else {
101 Ok(pubkey)
102 }
103 }
104}
105
106impl ECMultGenContext {
107 pub fn sign_raw(
108 &self,
109 seckey: &Scalar,
110 message: &Scalar,
111 nonce: &Scalar,
112 ) -> Result<(Scalar, Scalar, u8), Error> {
113 let mut rp = Jacobian::default();
114 self.ecmult_gen(&mut rp, nonce);
115 let mut r = Affine::default();
116 r.set_gej(&rp);
117 r.x.normalize();
118 r.y.normalize();
119 let b = r.x.b32();
120 let mut sigr = Scalar::default();
121 let overflow = bool::from(sigr.set_b32(&b));
122 debug_assert!(!sigr.is_zero());
123 debug_assert!(!overflow);
124
125 let mut recid = (if overflow { 2 } else { 0 }) | (if r.y.is_odd() { 1 } else { 0 });
126 let mut n = &sigr * seckey;
127 n += message;
128 let mut sigs = nonce.inv();
129 sigs *= &n;
130 n.clear();
131 rp.clear();
132 r.clear();
133 if sigs.is_zero() {
134 return Err(Error::InvalidMessage);
135 }
136 if sigs.is_high() {
137 sigs = -sigs;
138 recid ^= 1;
139 }
140 Ok((sigr, sigs, recid))
141 }
142}