Different S in elliptic and secp256k1

[Kagami]

Hi.
That's probably not an issue with elliptic but maybe you will give a hint or some help.

I compare signatures for the same message and private key generated with elliptic and secp256k1-node. Sometimes I get the same result (output in DER format), sometimes not.

Example code:

#!/usr/bin/env node

var crypto = require("crypto");
var secp256k1 = require("secp256k1");
var EC = require("elliptic").ec;

var ec = new EC("secp256k1");
var privateKey = new Buffer(32);
privateKey.fill(1);
var publicKey = secp256k1.createPublicKey(privateKey);

function signWithSecp256k1(msg) {
  return secp256k1.sign(privateKey, msg);
}

function verifyWithSecp256k1(msg, sig) {
  return secp256k1.verify(publicKey, msg, sig) === 1;
}

function signWithElliptic(msg) {
  return new Buffer(ec.sign(msg, privateKey).toDER());
}

function verifyWithElliptic(msg, sig) {
  return ec.verify(msg, sig, publicKey);
}

function start() {
  var msg = process.argv[2];
  if (!msg) {
    console.log("No message provided");
    process.exit(1);
  }
  msg = crypto.createHash("sha256").update(msg).digest();
  console.log("Message:", msg.toString("hex"));

  var sigFromSecp256k1 = signWithSecp256k1(msg);
  var hsigFromSecp256k1 = sigFromSecp256k1.toString("hex");
  var sigFromElliptic = signWithElliptic(msg);
  var hsigFromElliptic = sigFromElliptic.toString("hex");

  console.log("Signature from secp256k1:", hsigFromSecp256k1);
  console.log("Signature from elliptic:", hsigFromElliptic);
  console.log(
    "\nSignatures are",
    hsigFromSecp256k1 === hsigFromElliptic ? "equal" : "NON equal");

  var verified = (
      verifyWithSecp256k1(msg, sigFromSecp256k1) &&
      verifyWithSecp256k1(msg, sigFromElliptic) &&
      verifyWithElliptic(msg, sigFromSecp256k1) &&
      verifyWithElliptic(msg, sigFromElliptic));
  console.log("Verify is", verified ? "ok" : "NOT ok");
}

start();

Output:

$ ./1.js 1
Message: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
@@@ k: 1e2a72fa3c78004111a6cabc6984f71e33aac85d04b2cdb621632fcf352a76e6
@@@ k: 1e2a72fa3c78004111a6cabc6984f71e33aac85d04b2cdb621632fcf352a76e6
Signature from secp256k1: 304402201009b15ce8943b846fb3d3bdc47c50ead4ad4da98f588935c0df5cd117069c24022026bcb6dc37d21ede4873941cfb8d744badc312d5c24750b9b00cd7901e9687b6
Signature from elliptic: 304402201009b15ce8943b846fb3d3bdc47c50ead4ad4da98f588935c0df5cd117069c24022026bcb6dc37d21ede4873941cfb8d744badc312d5c24750b9b00cd7901e9687b6

Signatures are equal
Verify is ok
$ ./1.js 12
Message: 6b51d431df5d7f141cbececcf79edf3dd861c3b4069f0b11661a3eefacbba918
@@@ k: 26c9d570e5558bb38fcd7c8960347fffdf4e04d884fc039f98b47318b931fc4e
@@@ k: 26c9d570e5558bb38fcd7c8960347fffdf4e04d884fc039f98b47318b931fc4e
Signature from secp256k1: 3044022062b919656b48d771948a04f77e2acb750eb0ae4aaa77e9d4e7a5b04160f5836c02203e1fcf65916209c0f15189bf727793729ed527ddbd31a3237c08a25f8714108d
Signature from elliptic: 3044022062b919656b48d771948a04f77e2acb750eb0ae4aaa77e9d4e7a5b04160f5836c02203e1fcf65916209c0f15189bf727793729ed527ddbd31a3237c08a25f8714108d

Signatures are equal
Verify is ok
$ ./1.js 123
Message: a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
@@@ k: cd00933e1156db3a772853dca9abd5cd38760e31b6388edb0d0c58394f9c9a16
@@@ k: cd00933e1156db3a772853dca9abd5cd38760e31b6388edb0d0c58394f9c9a16
Signature from secp256k1: 3045022100b15edd98a0e296327a9350837fa8d8e8744802e0e2fad8db63882265ba5bd5ee0220115ce8dcbae2c66d929a9b4fb54f479fbadb99ed733fe56ecc0324aa9e65eaf4
Signature from elliptic: 3046022100b15edd98a0e296327a9350837fa8d8e8744802e0e2fad8db63882265ba5bd5ee022100eea31723451d39926d6564b04ab0b85effd342f93c08baccf3cf39e231d0564d

Signatures are NON equal
Verify is ok
$ ./1.js 1234
Message: 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
@@@ k: f9f2b01c16b8f37b637676743fd0262ee1bbacc4b8108b95e5c34cc3a7e496c7
@@@ k: f9f2b01c16b8f37b637676743fd0262ee1bbacc4b8108b95e5c34cc3a7e496c7
Signature from secp256k1: 304402206f5a5383a059039d1c7f1bfe260797296845285e99a7ca192ec6fa2135d58a1c02200ebd17c140715c51e3b708f474a0b9a59e094b85d10542257efd01bbc810a527
Signature from elliptic: 304402206f5a5383a059039d1c7f1bfe260797296845285e99a7ca192ec6fa2135d58a1c02200ebd17c140715c51e3b708f474a0b9a59e094b85d10542257efd01bbc810a527

Signatures are equal
Verify is ok

(I also added k output for both implementations.)

So, curves are the same, keys are the same, messages are the same, k are the same, R are the same and sometimes S are not the same. Verifycation is passed everytime for all 4 variants (secp256k1 against two sigs and elliptic against two sigs).

Do you have any ideas why this might happen? Thanks.

[indutny]

This is because options.canonical was not true. See https://github.com/indutny/elliptic/blob/master/lib/elliptic/ec/index.js#L134-L135 for details.

Gosh this project needs documentation! What does it's author spend his time on?!

[Kagami]

Oh, thanks!