Add ECDSA public key recovery

Added algorithm for recovering public key from ECDSA signature.

Author: smlu

include/ack/ec.hpp

@@ -614,7 +614,7 @@ namespace ack {
     template<typename CurveT>
     struct ec_point_fp_proj : ec_point_base<ec_point_fp_proj<CurveT>, CurveT>
     {
-        static_assert( is_ec_curve_fp<CurveT> );
+        static_assert( is_ec_curve_fp<std::remove_cv_t<CurveT>> );
 
         using base_type          = ec_point_base<ec_point_fp_proj<CurveT>, CurveT>;
         using int_type           = typename CurveT::int_type;
@@ -969,7 +969,7 @@ namespace ack {
     template<typename CurveT>
     struct ec_point_fp_jacobi : ec_point_base<ec_point_fp_jacobi<CurveT>, CurveT>
     {
-        static_assert( is_ec_curve_fp<CurveT> );
+        static_assert( is_ec_curve_fp<std::remove_cv_t<CurveT>> );
 
         using base_type          = ec_point_base<ec_point_fp_jacobi<CurveT>, CurveT>;
         using int_type           = typename CurveT::int_type;
@@ -1528,6 +1528,7 @@ namespace ack {
                                  //     #E(Fp) - number of points on the curve
         const bool a_is_minus_3; // cached a == p - 3
         const bool a_is_zero;    // cached a == 0
+        const IntT p_minus_n;    // cached p - n; used for checking the maximum negative point coordinate
 
         /**
          * Creates a curve from the given parameters.
@@ -1546,7 +1547,8 @@ namespace ack {
             n( std::move(n) ),
             h( h ),
             a_is_minus_3( this->a == ( this->p - 3) ),
-            a_is_zero( this->a.is_zero() )
+            a_is_zero( this->a.is_zero() ),
+            p_minus_n( this->p - this->n )
         {}
 
         /**

include/ack/ecdsa.hpp

@@ -16,10 +16,10 @@ namespace ack{
      * @tparam CurveT - elliptic curve type. Required to be a curve over prime field.
      * @tparam IntT   - integer type, default is curve integer type
      *
-     * @param q     - public key point. Note: point validity should be checked before calling this function.
-     * @param msg   - message to verify. Note: msg is truncated to curve.n byte length.
-     * @param r     - signature r value
-     * @param s     - signature s value
+     * @param q   - public key point. Note: point validity should be checked before calling this function.
+     * @param msg - message to verify. Note: msg is truncated to curve.n byte length.
+     * @param r   - signature r value
+     * @param s   - signature s value
      * @return true if signature is valid, false otherwise.
     */
     template<typename CurveT, typename IntT = typename CurveT::int_type>
@@ -42,18 +42,18 @@ namespace ack{
         const IntT w  = s.modinv( curve.n );
         const auto u1 = ( e * w ) % curve.n;
         const auto u2 = ( r * w ) % curve.n;
-        auto rr = ec_mul_add_fast( u1, ec_point_fp_jacobi( curve.g ), u2, ec_point_fp_jacobi( q ) )
+        auto R = ec_mul_add_fast( u1, ec_point_fp_jacobi( curve.g ), u2, ec_point_fp_jacobi( q ) )
             .to_affine();
 
-        if ( rr.is_identity() ) {
+        if ( R.is_identity() ) {
             return false;
         }
 
-        if ( rr.x >= curve.n ) {
-            rr.x -= curve.n;
+        if ( R.x >= curve.n ) {
+            R.x -= curve.n;
         }
 
-        return rr.x == r;
+        return R.x == r;
     }
 
     /**
@@ -116,4 +116,105 @@ namespace ack{
     {
         check( ecdsa_verify( q, digest, r, s ), error );
     }
+
+    /**
+     * Function recovers public key from given message and ECDSA signature.
+     * Implementation is modified version of SEC 1 v2.0, section 4.1.6 'Public Key Recovery Operation':
+     * https://www.secg.org/sec1-v2.pdf#page=53
+     *
+     * @note This function currently works only for curve.h == 1.
+     *
+     * @tparam CurveT - elliptic curve type. Required to be a curve over prime field.
+     * @tparam IntT   - integer type, default is curve integer type
+     *
+     * @param curve  - Elliptic curve
+     * @param msg    - message
+     * @param r      - signature r value
+     * @param s      - signature s value
+     * @param recid  - recovery id of the public key Q. (recid  <= 3)
+     * @param verify - Performs additional verifications
+     *
+     * @return recovered EC public key point Q, or point at infinity if Q can't be calculated.
+    */
+    template<typename CurveT, typename IntT = typename CurveT::int_type>
+    [[nodiscard]]
+    static ec_point_fp<CurveT> ecdsa_recover(const CurveT& curve, const bytes_view msg, const IntT& r, const IntT& s,
+                                             const std::size_t recid, const bool verify = false)
+    {
+        if ( r < 1 || r >= curve.n || s < 1 || s >= curve.n || ( recid & 3 ) != recid ) {
+            return ec_point_fp<CurveT>();
+        }
+
+        const auto yodd       = recid  & 1;
+        const auto second_key = recid >> 1;
+
+        // Sanity check, the second key is expected to be negative
+        if ( second_key && r >= curve.p_minus_n ) {
+            return ec_point_fp<CurveT>();
+        }
+
+        auto e = IntT( msg.subspan( 0, std::min( curve.n.byte_length(), msg.size() )));
+        if ( e > curve.n ) {
+            e -= curve.n;
+        }
+
+        // Calculate R, 1.1 - 1.3
+        // 1.1. Let x = r + jn.
+        const auto R = (second_key)
+            ? curve.decompress_point( r + curve.n, yodd )
+            : curve.decompress_point( r, yodd );
+
+        if ( R.is_identity() ) {
+            return R;
+        }
+
+        if ( verify ) {
+            // 1.4 nR == O
+            if ( !( R * curve.n ).is_identity() ) {
+                return ec_point_fp<CurveT>();
+            }
+        }
+
+        // 1.6.1 Compute Q = r^-1 (sR -  eG)
+        //               Q = r^-1 (sR + -eG)
+        //
+        // We precompute w = r^-1, ew = -ew and sw = sw
+        // so that we can then efficiently compute: Q = ew * G + sw * R
+        const IntT w  = r.modinv( curve.n );
+        const auto ew = (( curve.n - e ) * w ) % curve.n;
+        const auto sw = ( s * w ) % curve.n;
+        return ec_mul_add_fast( ew, ec_point_fp_jacobi( curve.g ), sw, ec_point_fp_jacobi( R ) )
+            .to_affine();
+    }
+
+    /**
+     * Function recovers public key from given message and ECDSA signature.
+     * Implementation is modified version of SEC 1 v2.0, section 4.1.6 'Public Key Recovery Operation':
+     * https://www.secg.org/sec1-v2.pdf#page=53
+     *
+     * @note function works currently only for curve.h = 1
+     *
+     * @tparam HLen   - digest length
+     * @tparam CurveT - elliptic curve type. Required to be a curve over prime field.
+     * @tparam IntT   - integer type, default is curve integer type
+     *
+     * @param curve  - Elliptic curve
+     * @param digest - message digest. Note: digest is truncated to curve.n byte length.
+     * @param r      - signature r value
+     * @param s      - signature s value
+     * @param recid  - recovery id of the public key Q. (recid  <= 3)
+     * @param verify - Performs additional verifications
+     *
+     * @return recovered EC public key point Q, or point at infinity if Q can't be calculated.
+    */
+    template<std::size_t HLen, typename CurveT, typename IntT = typename CurveT::int_type>
+    [[nodiscard]]
+    static ec_point_fp<CurveT> ecdsa_recover(const CurveT& curve, const hash_t<HLen>& digest,
+                                             const IntT& r, const IntT& s,
+                                             const std::size_t recid, const bool verify = false)
+    {
+        const auto bd = digest.extract_as_byte_array();
+        const auto m  = bytes_view( reinterpret_cast<const byte_t*>( bd.data() ), HLen );
+        return ecdsa_recover( curve, m, r, s, recid, verify );
+    }
 }

tests/include/ack/tests/ecdsa_misc_test.hpp

@@ -0,0 +1,180 @@
+// Copyright © 2023 ZeroPass <[email protected]>
+// Author: Crt Vavros
+#pragma once
+#include <ack/ec.hpp>
+#include <ack/ec_curve.hpp>
+#include <ack/ecdsa.hpp>
+#include <ack/keccak.hpp>
+#include <ack/sha.hpp>
+#include <ack/utils.hpp>
+#include <ack/tests/ecdsa_test_utils.hpp>
+#include <ack/tests/utils.hpp>
+
+#include <eosio/crypto.hpp>
+#include <eosio/tester.hpp>
+
+
+namespace ack::tests {
+    EOSIO_TEST_BEGIN( ecdsa_misc_test )
+        constexpr auto& curve = ack::ec_curve::secp256r1;
+        using point_type = std::remove_cvref_t<decltype(curve)>::point_type;
+        using int_type = std::remove_cvref_t<decltype(curve)>::int_type;
+
+        constexpr auto q = curve.make_point(
+            "e424dc61d4bb3cb7ef4344a7f8957a0c5134e16f7a67c074f82e6e12f49abf3c",
+            "970eed7aa2bc48651545949de1dddaf0127e5965ac85d1243d6f60e7dfaee927"
+        );
+
+        constexpr auto     h     = from_hex( "d1b8ef21eb4182ee270638061063a3f3c16c114e33937f69fb232cc833965a94" );
+        auto               md    = hash256( h );
+        constexpr int_type r     = "bf96b99aa49c705c910be33142017c642ff540c76349b9dab72f981fd9347f4f";
+        constexpr int_type s     = "17c55095819089c2e03b9cd415abdf12444e323075d98f31920b9e0f57ec871c";
+        constexpr size_t   recid = 1;
+
+        // Misc ECDSA key recovery tests
+        {
+            // Test recovery succeeds
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h, r, s, recid, /*verify=*/true ), q )
+
+            // Test passing too big recid results in  point at infinity
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h, r, s, /*recid=*/4, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, r, s, /*recid=*/4, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h, r, s, /*recid=*/0xff, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, r, s, /*recid=*/0xff, /*verify=*/true ).is_identity(), true )
+
+            // Test passing too small and too big r
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  int_type( 0 ), s, recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, int_type( 0 ), s, recid, /*verify=*/true ).is_identity(), true )
+
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  curve.n, s, recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, curve.n, s, recid, /*verify=*/true ).is_identity(), true )
+
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  curve.n + 1, s, recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, curve.n + 1, s, recid, /*verify=*/true ).is_identity(), true )
+
+            // Test passing too small and too big s
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  r, int_type( 0 ), recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, r, int_type( 0 ), recid, /*verify=*/true ).is_identity(), true )
+
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  r, curve.n, recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, r, curve.n, recid, /*verify=*/true ).is_identity(), true )
+
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  r, curve.n + 1, recid, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, r, curve.n + 1, recid, /*verify=*/true ).is_identity(), true )
+
+            // Test passing too big r when recovering second key
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  curve.p_minus_n, s, 2, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, curve.p_minus_n, s, 2, /*verify=*/true ).is_identity(), true )
+
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), h,  curve.p_minus_n + 1, s, 2, /*verify=*/true ).is_identity(), true )
+            REQUIRE_EQUAL( ecdsa_recover( q.curve(), md, curve.p_minus_n + 1, s, 2, /*verify=*/true ).is_identity(), true )
+        }
+
+        // Misc ECDSA sigver tests
+        {
+            // Test verification ECDSA signature succeeds
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  r, s ), true )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, r, s ), true )
+            assert_ecdsa( q, h, r, s,
+                "ECDSA signature verification failed"
+            );
+            assert_ecdsa( q, md, r, s,
+                "ECDSA signature verification failed"
+            );
+
+            // Test verification fails when passing identity q
+            REQUIRE_EQUAL( ecdsa_verify( point_type{}, h,  r, s ), false )
+            REQUIRE_EQUAL( ecdsa_verify( point_type{}, md, r, s ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( point_type{}, h, r, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( point_type{}, md, r, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            // Test passing too small and too big r
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  int_type( 0 ), s ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, int_type( 0 ), s ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, int_type( 0 ), s,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, int_type( 0 ), s,
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  curve.n, s ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, curve.n, s ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, curve.n, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, curve.n, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  curve.n + 1, s ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, curve.n + 1, s ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, curve.n + 1, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, curve.n + 1, s,
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            // Test passing too small and too big s
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  r, int_type( 0 ) ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, r, int_type( 0 ) ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, r, int_type( 0 ),
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, r, int_type( 0 ),
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  r, curve.n ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, r, curve.n ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, r, curve.n,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, r, curve.n,
+                    "ECDSA signature verification failed"
+                );
+            })
+
+            REQUIRE_EQUAL( ecdsa_verify( q, h,  r, curve.n + 1 ), false )
+            REQUIRE_EQUAL( ecdsa_verify( q, md, r, curve.n + 1 ), false )
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, h, r, curve.n + 1,
+                    "ECDSA signature verification failed"
+                );
+            })
+            REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {
+                assert_ecdsa( q, md, r, curve.n + 1,
+                    "ECDSA signature verification failed"
+                );
+            })
+        }
+    EOSIO_TEST_END
+}

tests/include/ack/tests/ecdsa_test.hpp

@@ -5,6 +5,7 @@
 #include <ack/tests/ecdsa_brainpoolP320r1_test.hpp>
 #include <ack/tests/ecdsa_brainpoolP384r1_test.hpp>
 #include <ack/tests/ecdsa_brainpoolP512r1_test.hpp>
+#include <ack/tests/ecdsa_misc_test.hpp>
 #include <ack/tests/ecdsa_secp256k1_test.hpp>
 #include <ack/tests/ecdsa_secp256r1_test.hpp>
 #include <ack/tests/ecdsa_secp384r1_test.hpp>
@@ -14,6 +15,7 @@
 
 namespace ack::tests {
     EOSIO_TEST_BEGIN( ecdsa_test )
+        EOSIO_TEST( ecdsa_misc_test            )
         EOSIO_TEST( ecdsa_brainpoolP256r1_test )
         EOSIO_TEST( ecdsa_brainpoolP320r1_test )
         EOSIO_TEST( ecdsa_brainpoolP384r1_test )

tests/include/ack/tests/ecdsa_test_utils.hpp

@@ -35,6 +35,18 @@ namespace ack::tests {
                     "ECDSA signature verification failed"
                 );
             })
+
+            // test recovery
+            bool recovered = false;
+            for (std::size_t i = 0; i < 4; i ++) {
+                if ( ecdsa_recover( q.curve(), hb, r, s, i, /*verify=*/true ) == q ) {
+                    REQUIRE_EQUAL( ecdsa_recover( q.curve(), digest, r, s, i, /*verify=*/true ), q )
+                    recovered = true;
+                    break;
+                }
+            }
+
+            REQUIRE_EQUAL( recovered, true )
         }
         else {
             REQUIRE_ASSERT( "ECDSA signature verification failed", [&]() {