Line data Source code
1 : #include "fd_secp256k1_private.h"
2 :
3 :
4 : /* Given the coordinate X and the odd-ness of the Y coordinate, recovers Y and
5 : returns the affine group element. Returns NULL if there is no valid pair. */
6 : static inline fd_secp256k1_point_t *
7 60084 : fd_secp256k1_recovery_y( fd_secp256k1_point_t *r, fd_secp256k1_fp_t const *x, int odd ) {
8 60084 : fd_secp256k1_fp_t x2[1], x3[1];
9 :
10 : /* x^3 + b */
11 60084 : fd_secp256k1_fp_sqr( x2, x );
12 60084 : fd_secp256k1_fp_mul( x3, x2, x );
13 60084 : fd_secp256k1_fp_add( x3, x3, fd_secp256k1_const_b_mont );
14 :
15 : /* y^2 = x^3 + b <=> y = sqrt(x^3 + b) */
16 60084 : if( FD_UNLIKELY( !fd_secp256k1_fp_sqrt( r->y, x3 ) ) ) {
17 30024 : return NULL;
18 30024 : }
19 :
20 30060 : if( fd_secp256k1_fp_is_odd( r->y ) != odd ) {
21 30 : fd_secp256k1_fp_negate( r->y, r->y );
22 30 : }
23 :
24 30060 : fd_secp256k1_fp_set( r->x, x );
25 30060 : fd_secp256k1_fp_set( r->z, fd_secp256k1_const_one_mont );
26 30060 : return r;
27 60084 : }
28 :
29 : uchar *
30 : fd_secp256k1_recover( uchar public_key[64],
31 : uchar const msg_hash[32],
32 : uchar const sig[64],
33 60153 : int recovery_id ) {
34 60153 : if( FD_UNLIKELY( !( recovery_id>=0 && recovery_id<=3 ) ) ) {
35 : /* COV: the callers do the same check */
36 27 : return NULL;
37 27 : }
38 :
39 60126 : fd_secp256k1_scalar_t s[1];
40 60126 : fd_secp256k1_scalar_t rs[1];
41 60126 : if( FD_UNLIKELY( !fd_secp256k1_scalar_frombytes( rs, &sig[ 0 ] ) ) ) {
42 21 : return NULL;
43 21 : }
44 60105 : if( FD_UNLIKELY( !fd_secp256k1_scalar_frombytes( s, &sig[ 32 ] ) ) ) {
45 12 : return NULL;
46 12 : }
47 :
48 60093 : fd_secp256k1_fp_t r[1];
49 60093 : bignum_tomont_p256k1( r->limbs, rs->limbs );
50 :
51 60093 : if( recovery_id & 2 ) {
52 : /* If rs >= p - n, return NULL. Otherwise, add the n to r.
53 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/modules/recovery/main_impl.h#L104-L109 */
54 21 : if( FD_UNLIKELY( fd_uint256_cmp( rs, fd_secp256k1_const_p_minus_n ) >= 0 ) ) {
55 9 : return NULL;
56 9 : }
57 : /* Note that *only* r is incremented, rs is left unchanged. */
58 12 : fd_secp256k1_fp_add( r, r, fd_secp256k1_const_n_mont );
59 12 : }
60 :
61 : /* Recover the full public key group element. */
62 60084 : fd_secp256k1_point_t a[1];
63 60084 : if( FD_UNLIKELY( !fd_secp256k1_recovery_y( a, r, recovery_id & 1 ) ) ) {
64 30024 : return NULL;
65 30024 : }
66 :
67 30060 : fd_uint256_t msg[1];
68 30060 : memcpy( msg, msg_hash, 32 );
69 30060 : fd_uint256_bswap( msg, msg );
70 : /* The message scalar is unconditionally reduced to the scalar field.
71 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/scalar_4x64_impl.h#L151 */
72 30060 : bignum_mod_n256k1_4( msg->limbs, (ulong *)msg->limbs );
73 30060 : fd_secp256k1_scalar_tomont( msg, msg );
74 :
75 30060 : fd_secp256k1_scalar_t rn[1], u1[1], u2[1];
76 30060 : fd_secp256k1_point_t pubkey[1];
77 :
78 : /* We delay converting rs into montgomery domain since
79 : we may need to perform the comparison against p-n first. */
80 30060 : fd_secp256k1_scalar_tomont( s, s );
81 :
82 : /* Unfortunately s2n-bignum has no API for performing
83 : in-montgomery inversion, so we invert and then convert. */
84 30060 : fd_secp256k1_scalar_invert( rn, rs );
85 30060 : fd_secp256k1_scalar_tomont( rn, rn );
86 :
87 30060 : fd_secp256k1_scalar_mul ( u1, rn, msg );
88 30060 : fd_secp256k1_scalar_negate( u1, u1 );
89 30060 : fd_secp256k1_scalar_mul ( u2, rn, s );
90 :
91 30060 : fd_secp256k1_scalar_demont( u2, u2 );
92 30060 : fd_secp256k1_scalar_demont( u1, u1 );
93 30060 : fd_secp256k1_double_base_mul( pubkey, u1, a, u2 );
94 :
95 : /* If the computed pubkey is the identity point, we return NULL
96 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/modules/recovery/main_impl.h#L120 */
97 30060 : if( FD_UNLIKELY( fd_secp256k1_point_is_identity( pubkey ) ) ) {
98 0 : return NULL;
99 0 : }
100 :
101 : /* Serialize the public key into an uncompressed form.
102 : The output does not have the recovery_id. */
103 30060 : fd_secp256k1_point_to_affine( pubkey, pubkey );
104 30060 : fd_secp256k1_fp_tobytes( &public_key[ 0 ], pubkey->x );
105 30060 : fd_secp256k1_fp_tobytes( &public_key[ 32 ], pubkey->y );
106 30060 : return public_key;
107 30060 : }
|
