Merge pull request #163

bbd5ba7 Use rfc6979 as default nonce generation function (Pieter Wuille) b37fbc2 Implement SHA256 / HMAC-SHA256 / RFC6979. (Pieter Wuille) c6e7f4e [API BREAK] Use a nonce-generation function instead of a nonce (Pieter Wuille)
bitcoin-core · Dec 23, 2014 · b450c34 · b450c34
2 parents d57cae9 + bbd5ba7
commit b450c34
Show file tree

Hide file tree

Showing 8 changed files with 566 additions and 48 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -33,6 +33,8 @@ noinst_HEADERS += src/java/org_bitcoin_NativeSecp256k1.h
 noinst_HEADERS += src/util.h
 noinst_HEADERS += src/testrand.h
 noinst_HEADERS += src/testrand_impl.h
+noinst_HEADERS += src/hash.h
+noinst_HEADERS += src/hash_impl.h
 noinst_HEADERS += src/field.h
 noinst_HEADERS += src/field_impl.h
 noinst_HEADERS += src/bench.h

diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -77,42 +77,73 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
   int pubkeylen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
 
+/** A pointer to a function to deterministically generate a nonce.
+ * Returns: 1 if a nonce was succesfully generated. 0 will cause signing to fail.
+ * In:      msg32:     the 32-byte message hash being verified (will not be NULL)
+ *          key32:     pointer to a 32-byte secret key (will not be NULL)
+ *          attempt:   how many iterations we have tried to find a nonce.
+ *                     This will almost always be 0, but different attempt values
+ *                     are required to result in a different nonce.
+ *          data:      Arbitrary data pointer that is passed through.
+ * Out:     nonce32:   pointer to a 32-byte array to be filled by the function.
+ * Except for test cases, this function should compute some cryptographic hash of
+ * the message, the key and the attempt.
+ */
+typedef int (*secp256k1_nonce_function_t)(
+  unsigned char *nonce32,
+  const unsigned char *msg32,
+  const unsigned char *key32,
+  unsigned int attempt,
+  const void *data
+);
+
+/** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. */
+extern const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979;
+
+/** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */
+extern const secp256k1_nonce_function_t secp256k1_nonce_function_default;
+
+
 /** Create an ECDSA signature.
  *  Returns: 1: signature created
- *           0: nonce invalid, try another one
+ *           0: the nonce generation function failed
  *  In:      msg32:  the 32-byte message hash being signed (cannot be NULL)
  *           seckey: pointer to a 32-byte secret key (cannot be NULL, assumed to be valid)
- *           nonce:  pointer to a 32-byte nonce (cannot be NULL, generated with a cryptographic PRNG)
+ *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+ *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
  *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
  *  In/Out:  siglen: pointer to an int with the length of sig, which will be updated
  *                   to contain the actual signature length (<=72).
  * Requires starting using SECP256K1_START_SIGN.
  */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_sign(
+int secp256k1_ecdsa_sign(
   const unsigned char *msg32,
   unsigned char *sig,
   int *siglen,
   const unsigned char *seckey,
-  const unsigned char *nonce
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+  secp256k1_nonce_function_t noncefp,
+  const void *ndata
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 /** Create a compact ECDSA signature (64 byte + recovery id).
  *  Returns: 1: signature created
- *           0: nonce invalid, try another one
+ *           0: the nonce generation function failed
  *  In:      msg32:  the 32-byte message hash being signed (cannot be NULL)
  *           seckey: pointer to a 32-byte secret key (cannot be NULL, assumed to be valid)
- *           nonce:  pointer to a 32-byte nonce (cannot be NULL, generated with a cryptographic PRNG)
+ *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+ *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
  *  Out:     sig:    pointer to a 64-byte array where the signature will be placed (cannot be NULL)
  *           recid:  pointer to an int, which will be updated to contain the recovery id (can be NULL)
  * Requires starting using SECP256K1_START_SIGN.
  */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_sign_compact(
+int secp256k1_ecdsa_sign_compact(
   const unsigned char *msg32,
   unsigned char *sig64,
   const unsigned char *seckey,
-  const unsigned char *nonce,
+  secp256k1_nonce_function_t noncefp,
+  const void *ndata,
   int *recid
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Recover an ECDSA public key from a compact signature.
  *  Returns: 1: public key successfully recovered (which guarantees a correct signature).

diff --git a/src/bench_sign.c b/src/bench_sign.c
@@ -10,15 +10,13 @@
 
 typedef struct {
     unsigned char msg[32];
-    unsigned char nonce[32];
     unsigned char key[32];
 } bench_sign_t;
 
 static void bench_sign_setup(void* arg) {
     bench_sign_t *data = (bench_sign_t*)arg;
 
     for (int i = 0; i < 32; i++) data->msg[i] = i + 1;
-    for (int i = 0; i < 32; i++) data->nonce[i] = i + 33;
     for (int i = 0; i < 32; i++) data->key[i] = i + 65;
 }
 
@@ -28,9 +26,8 @@ static void bench_sign(void* arg) {
     unsigned char sig[64];
     for (int i=0; i<20000; i++) {
         int recid = 0;
-        CHECK(secp256k1_ecdsa_sign_compact(data->msg, sig, data->key, data->nonce, &recid));
+        secp256k1_ecdsa_sign_compact(data->msg, sig, data->key, NULL, NULL, &recid);
         for (int j = 0; j < 32; j++) {
-            data->nonce[j] = data->key[j];     /* Move former key to nonce  */
             data->msg[j] = sig[j];             /* Move former R to message. */
             data->key[j] = sig[j + 32];        /* Move former S to key.     */
         }

diff --git a/src/bench_verify.c b/src/bench_verify.c
@@ -14,7 +14,6 @@
 typedef struct {
     unsigned char msg[32];
     unsigned char key[32];
-    unsigned char nonce[32];
     unsigned char sig[72];
     int siglen;
     unsigned char pubkey[33];
@@ -42,9 +41,8 @@ int main(void) {
 
     for (int i = 0; i < 32; i++) data.msg[i] = 1 + i;
     for (int i = 0; i < 32; i++) data.key[i] = 33 + i;
-    for (int i = 0; i < 32; i++) data.nonce[i] = 65 + i;
     data.siglen = 72;
-    CHECK(secp256k1_ecdsa_sign(data.msg, data.sig, &data.siglen, data.key, data.nonce));
+    secp256k1_ecdsa_sign(data.msg, data.sig, &data.siglen, data.key, NULL, NULL);
     data.pubkeylen = 33;
     CHECK(secp256k1_ec_pubkey_create(data.pubkey, &data.pubkeylen, data.key, 1));
 

diff --git a/src/hash.h b/src/hash.h
@@ -0,0 +1,41 @@
+/**********************************************************************
+ * Copyright (c) 2014 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_HASH_
+#define _SECP256K1_HASH_
+
+#include <stdlib.h>
+#include <stdint.h>
+
+typedef struct {
+    uint32_t s[32];
+    unsigned char buf[64];
+    size_t bytes;
+} secp256k1_sha256_t;
+
+static void secp256k1_sha256_initialize(secp256k1_sha256_t *hash);
+static void secp256k1_sha256_write(secp256k1_sha256_t *hash, const unsigned char *data, size_t size);
+static void secp256k1_sha256_finalize(secp256k1_sha256_t *hash, unsigned char *out32);
+
+typedef struct {
+    secp256k1_sha256_t inner, outer;
+} secp256k1_hmac_sha256_t;
+
+static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256_t *hash, const unsigned char *key, size_t size);
+static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256_t *hash, const unsigned char *data, size_t size);
+static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256_t *hash, unsigned char *out32);
+
+typedef struct {
+    unsigned char v[32];
+    unsigned char k[32];
+    int retry;
+} secp256k1_rfc6979_hmac_sha256_t;
+
+static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen, const unsigned char *msg, size_t msglen);
+static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256_t *rng, unsigned char *out, size_t outlen);
+static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256_t *rng);
+
+#endif