Line data Source code
1 : #include "fd_secp256k1_private.h"
2 :
3 :
4 : /* Given the coordinate X and the odd-ness of the Y coordinate, recovers Y and
5 : returns the affine group element. Returns NULL if there is no valid pair. */
6 : static inline fd_secp256k1_point_t *
7 122 : fd_secp256k1_recovery_y( fd_secp256k1_point_t *r, fd_secp256k1_fp_t const *x, int odd ) {
8 122 : fd_secp256k1_fp_t x2[1], x3[1];
9 :
10 : /* x^3 + b */
11 122 : fd_secp256k1_fp_sqr( x2, x );
12 122 : fd_secp256k1_fp_mul( x3, x2, x );
13 122 : fd_secp256k1_fp_add( x3, x3, fd_secp256k1_const_b_mont );
14 :
15 : /* y^2 = x^3 + b <=> y = sqrt(x^3 + b) */
16 122 : if( FD_UNLIKELY( !fd_secp256k1_fp_sqrt( r->y, x3 ) ) ) {
17 2 : return NULL;
18 2 : }
19 :
20 120 : if( fd_secp256k1_fp_is_odd( r->y ) != odd ) {
21 6 : fd_secp256k1_fp_negate( r->y, r->y );
22 6 : }
23 :
24 120 : fd_secp256k1_fp_set( r->x, x );
25 120 : fd_secp256k1_fp_set( r->z, fd_secp256k1_const_one_mont );
26 120 : return r;
27 122 : }
28 :
29 : uchar *
30 : fd_secp256k1_recover( uchar public_key[64],
31 : uchar const msg_hash[32],
32 : uchar const sig[64],
33 128 : int recovery_id ) {
34 128 : if( FD_UNLIKELY( !( recovery_id>=0 && recovery_id<=3 ) ) ) {
35 : /* COV: the callers do the same check */
36 5 : return NULL;
37 5 : }
38 :
39 123 : fd_secp256k1_scalar_t s[1];
40 123 : fd_secp256k1_scalar_t rs[1];
41 123 : if( FD_UNLIKELY( !fd_secp256k1_scalar_frombytes( rs, &sig[ 0 ] ) ) ) {
42 1 : return NULL;
43 1 : }
44 122 : if( FD_UNLIKELY( !fd_secp256k1_scalar_frombytes( s, &sig[ 32 ] ) ) ) {
45 0 : return NULL;
46 0 : }
47 :
48 122 : fd_secp256k1_fp_t r[1];
49 122 : bignum_tomont_p256k1( r->limbs, rs->limbs );
50 :
51 122 : if( recovery_id & 2 ) {
52 : /* If rs >= p - n, return NULL. Otherwise, add the n to r.
53 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/modules/recovery/main_impl.h#L104-L109 */
54 0 : if( FD_UNLIKELY( fd_uint256_cmp( rs, fd_secp256k1_const_p_minus_n ) >= 0 ) ) {
55 0 : return NULL;
56 0 : }
57 : /* Note that *only* r is incremented, rs is left unchanged. */
58 0 : fd_secp256k1_fp_add( r, r, fd_secp256k1_const_n_mont );
59 0 : }
60 :
61 : /* Recover the full public key group element. */
62 122 : fd_secp256k1_point_t a[1];
63 122 : if( FD_UNLIKELY( !fd_secp256k1_recovery_y( a, r, recovery_id & 1 ) ) ) {
64 2 : return NULL;
65 2 : }
66 :
67 120 : fd_uint256_t msg[1];
68 120 : memcpy( msg, msg_hash, 32 );
69 120 : fd_uint256_bswap( msg, msg );
70 : /* The message scalar is unconditionally reduced to the scalar field.
71 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/scalar_4x64_impl.h#L151 */
72 120 : bignum_mod_n256k1_4( msg->limbs, (ulong *)msg->limbs );
73 120 : fd_secp256k1_scalar_tomont( msg, msg );
74 :
75 120 : fd_secp256k1_scalar_t rn[1], u1[1], u2[1];
76 120 : fd_secp256k1_point_t pubkey[1];
77 :
78 : /* We delay converting rs into montgomery domain since
79 : we may need to perform the comparison against p-n first. */
80 120 : fd_secp256k1_scalar_tomont( s, s );
81 :
82 : /* Unfortunately s2n-bignum has no API for performing
83 : in-montgomery inversion, so we invert and then convert. */
84 120 : fd_secp256k1_scalar_invert( rn, rs );
85 120 : fd_secp256k1_scalar_tomont( rn, rn );
86 :
87 120 : fd_secp256k1_scalar_mul ( u1, rn, msg );
88 120 : fd_secp256k1_scalar_negate( u1, u1 );
89 120 : fd_secp256k1_scalar_mul ( u2, rn, s );
90 :
91 120 : fd_secp256k1_scalar_demont( u2, u2 );
92 120 : fd_secp256k1_scalar_demont( u1, u1 );
93 120 : fd_secp256k1_double_base_mul( pubkey, u1, a, u2 );
94 :
95 : /* If the computed pubkey is the identity point, we return NULL
96 : https://github.com/bitcoin-core/secp256k1/blob/v0.7.1/src/modules/recovery/main_impl.h#L120 */
97 120 : if( FD_UNLIKELY( fd_secp256k1_point_is_identity( pubkey ) ) ) {
98 0 : return NULL;
99 0 : }
100 :
101 : /* Serialize the public key into an uncompressed form.
102 : The output does not have the recovery_id. */
103 120 : fd_secp256k1_point_to_affine( pubkey, pubkey );
104 120 : fd_secp256k1_fp_tobytes( &public_key[ 0 ], pubkey->x );
105 120 : fd_secp256k1_fp_tobytes( &public_key[ 32 ], pubkey->y );
106 120 : return public_key;
107 120 : }
|
