Merge pull request bitcoin#291

9f443be Move pubkey recovery code to separate module (Pieter Wuille)
d49abbd Separate ECDSA recovery tests (Pieter Wuille)
439d34a Separate recoverable and normal signatures (Pieter Wuille)

.travis.yml

@@ -8,20 +8,20 @@ compiler:
   - gcc
 env:
   global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  schnorr=NO
+    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  schnorr=NO  RECOVERY=NO
   matrix:
-    - SCALAR=32bit
+    - SCALAR=32bit    RECOVERY=yes
     - SCALAR=32bit    FIELD=32bit       ECDH=yes
     - SCALAR=64bit
-    - FIELD=64bit
+    - FIELD=64bit     RECOVERY=yes
     - FIELD=64bit     ENDOMORPHISM=yes
     - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes
     - FIELD=64bit                       ASM=x86_64
     - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
     - FIELD=32bit     SCHNORR=yes
     - FIELD=32bit     ENDOMORPHISM=yes
     - BIGNUM=no
-    - BIGNUM=no       ENDOMORPHISM=yes SCHNORR=yes
+    - BIGNUM=no       ENDOMORPHISM=yes SCHNORR=yes  RECOVERY=yes
     - BIGNUM=no       STATICPRECOMPUTATION=no
     - BUILD=distcheck
     - EXTRAFLAGS=CFLAGS=-DDETERMINISTIC

Makefile.am

@@ -51,13 +51,10 @@ libsecp256k1_la_LIBADD = $(SECP_LIBS)
 
 noinst_PROGRAMS =
 if USE_BENCHMARK
-noinst_PROGRAMS += bench_verify bench_recover bench_sign bench_internal
+noinst_PROGRAMS += bench_verify bench_sign bench_internal
 bench_verify_SOURCES = src/bench_verify.c
 bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS)
 bench_verify_LDFLAGS = -static
-bench_recover_SOURCES = src/bench_recover.c
-bench_recover_LDADD = libsecp256k1.la $(SECP_LIBS)
-bench_recover_LDFLAGS = -static
 bench_sign_SOURCES = src/bench_sign.c
 bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS)
 bench_sign_LDFLAGS = -static
@@ -106,3 +103,7 @@ endif
 if ENABLE_MODULE_SCHNORR
 include src/modules/schnorr/Makefile.am.include
 endif
+
+if ENABLE_MODULE_RECOVERY
+include src/modules/recovery/Makefile.am.include
+endif

configure.ac

@@ -114,6 +114,11 @@ AC_ARG_ENABLE(module_schnorr,
     [enable_module_schnorr=$enableval],
     [enable_module_schnorr=no])
 
+AC_ARG_ENABLE(module_recovery,
+    AS_HELP_STRING([--enable-module-recovery],[enable ECDSA pubkey recovery module (default is no)]),
+    [enable_module_recovery=$enableval],
+    [enable_module_recovery=no])
+
 AC_ARG_WITH([field], [AS_HELP_STRING([--with-field=64bit|32bit|auto],
 [Specify Field Implementation. Default is auto])],[req_field=$withval], [req_field=auto])
 
@@ -335,6 +340,10 @@ if test x"$enable_module_schnorr" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_SCHNORR, 1, [Define this symbol to enable the Schnorr signature module])
 fi
 
+if test x"$enable_module_recovery" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
+fi
+
 AC_C_BIGENDIAN()
 
 AC_MSG_NOTICE([Using assembly optimizations: $set_asm])
@@ -345,6 +354,7 @@ AC_MSG_NOTICE([Using endomorphism optimizations: $use_endomorphism])
 AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
 
 AC_MSG_NOTICE([Building Schnorr signatures module: $enable_module_schnorr])
+AC_MSG_NOTICE([Building ECDSA pubkey recovery module: $enable_module_recovery])
 
 AC_CONFIG_HEADERS([src/libsecp256k1-config.h])
 AC_CONFIG_FILES([Makefile libsecp256k1.pc])
@@ -357,6 +367,7 @@ AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$use_ecmult_static_precomputation" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORR], [test x"$enable_module_schnorr" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
 
 dnl make sure nothing new is exported so that we don't break the cache
 PKGCONFIG_PATH_TEMP="$PKG_CONFIG_PATH"

include/secp256k1.h

@@ -40,22 +40,20 @@ typedef struct {
     unsigned char data[64];
 } secp256k1_pubkey_t;
 
-/** Opaque data structured that holds a parsed ECDSA signature, optionally
- *  supporting pubkey recovery.
+/** Opaque data structured that holds a parsed ECDSA signature.
  *
  *  The exact representation of data inside is implementation defined and not
  *  guaranteed to be portable between different platforms or versions. It is
- *  however guaranteed to be 65 bytes in size, and can be safely copied/moved.
+ *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
  *  If you need to convert to a format suitable for storage or transmission, use
  *  the secp256k1_ecdsa_signature_serialize_* and
  *  secp256k1_ecdsa_signature_serialize_* functions.
  *
- *  Furthermore, it is guaranteed to identical signatures (including their
- *  recoverability) will have identical representation, so they can be
- *  memcmp'ed.
+ *  Furthermore, it is guaranteed to identical signatures will have identical
+ *  representation, so they can be memcmp'ed.
  */
 typedef struct {
-    unsigned char data[65];
+    unsigned char data[64];
 } secp256k1_ecdsa_signature_t;
 
 /** A pointer to a function to deterministically generate a nonce.
@@ -246,8 +244,6 @@ int secp256k1_ec_pubkey_serialize(
  *  Out: sig:      a pointer to a signature object
  *
  *  Note that this function also supports some violations of DER and even BER.
- *
- *  The resulting signature object will not support pubkey recovery.
  */
 int secp256k1_ecdsa_signature_parse_der(
     const secp256k1_context_t* ctx,
@@ -256,24 +252,6 @@ int secp256k1_ecdsa_signature_parse_der(
     int inputlen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
-/** Parse a compact ECDSA signature (64 bytes + recovery id).
- *
- *  Returns: 1 when the signature could be parsed, 0 otherwise
- *  In:  ctx:     a secp256k1 context object
- *       input64: a pointer to a 64-byte compact signature
- *       recid:   the recovery id (0, 1, 2 or 3, or -1 for unknown)
- *  Out: sig:     a pointer to a signature object
- *
- *  If recid is not -1, the resulting signature object will support pubkey
- *  recovery.
- */
-int secp256k1_ecdsa_signature_parse_compact(
-    const secp256k1_context_t* ctx,
-    secp256k1_ecdsa_signature_t* sig,
-    const unsigned char *input64,
-    int recid
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
-
 /** Serialize an ECDSA signature in DER format.
  *
  *  Returns: 1 if enough space was available to serialize, 0 otherwise
@@ -292,23 +270,6 @@ int secp256k1_ecdsa_signature_serialize_der(
     const secp256k1_ecdsa_signature_t* sig
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
-/** Serialize an ECDSA signature in compact format (64 bytes + recovery id).
- *
- *  Returns: 1
- *  In: ctx:       a secp256k1 context object
- *      sig:       a pointer to an initialized signature object (cannot be NULL)
- *  Out: output64: a pointer to a 64-byte array of the compact signature (cannot be NULL)
- *       recid:    a pointer to an integer to hold the recovery id (can be NULL).
- *
- *  If recid is not NULL, the signature must support pubkey recovery.
- */
-int secp256k1_ecdsa_signature_serialize_compact(
-    const secp256k1_context_t* ctx,
-    unsigned char *output64,
-    int *recid,
-    const secp256k1_ecdsa_signature_t* sig
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
-
 /** Verify an ECDSA signature.
  *
  *  Returns: 1: correct signature
@@ -345,8 +306,6 @@ extern const secp256k1_nonce_function_t secp256k1_nonce_function_default;
  *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
  *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
  *
- * The resulting signature will support pubkey recovery.
- *
  * The sig always has an s value in the lower half of the range (From 0x1
  * to 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
  * inclusive), unlike many other implementations.
@@ -383,22 +342,6 @@ int secp256k1_ecdsa_sign(
     const void *ndata
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
-/** Recover an ECDSA public key from a signature.
- *
- *  Returns: 1: public key successfully recovered (which guarantees a correct signature).
- *           0: otherwise.
- *  In:      ctx:        pointer to a context object, initialized for verification (cannot be NULL)
- *           msg32:      the 32-byte message hash assumed to be signed (cannot be NULL)
- *           sig:        pointer to initialized signature that supports pubkey recovery (cannot be NULL)
- *  Out:     pubkey:     pointer to the recoved public key (cannot be NULL)
- */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
-    const secp256k1_context_t* ctx,
-    const unsigned char *msg32,
-    const secp256k1_ecdsa_signature_t *sig,
-    secp256k1_pubkey_t *pubkey
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
-
 /** Verify an ECDSA secret key.
  *
  *  Returns: 1: secret key is valid

include/secp256k1_recovery.h

@@ -0,0 +1,110 @@
+#ifndef _SECP256K1_RECOVERY_
+# define _SECP256K1_RECOVERY_
+
+# include "secp256k1.h"
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+/** Opaque data structured that holds a parsed ECDSA signature,
+ *  supporting pubkey recovery.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 65 bytes in size, and can be safely copied/moved.
+ *  If you need to convert to a format suitable for storage or transmission, use
+ *  the secp256k1_ecdsa_signature_serialize_* and
+ *  secp256k1_ecdsa_signature_serialize_* functions.
+ *
+ *  Furthermore, it is guaranteed to identical signatures (including their
+ *  recoverability) will have identical representation, so they can be
+ *  memcmp'ed.
+ */
+typedef struct {
+    unsigned char data[65];
+} secp256k1_ecdsa_recoverable_signature_t;
+
+/** Parse a compact ECDSA signature (64 bytes + recovery id).
+ *
+ *  Returns: 1 when the signature could be parsed, 0 otherwise
+ *  In:  ctx:     a secp256k1 context object
+ *       input64: a pointer to a 64-byte compact signature
+ *       recid:   the recovery id (0, 1, 2 or 3)
+ *  Out: sig:     a pointer to a signature object
+ */
+int secp256k1_ecdsa_recoverable_signature_parse_compact(
+    const secp256k1_context_t* ctx,
+    secp256k1_ecdsa_recoverable_signature_t* sig,
+    const unsigned char *input64,
+    int recid
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Convert a recoverable signature into a normal signature.
+ *
+ *  Returns: 1
+ *  In:  sigin:  a pointer to a recoverable signature (cannot be NULL).
+ *  Out: sig:    a pointer to a normal signature (cannot be NULL).
+ */
+int secp256k1_ecdsa_recoverable_signature_convert(
+    const secp256k1_context_t* ctx,
+    secp256k1_ecdsa_signature_t* sig,
+    const secp256k1_ecdsa_recoverable_signature_t* sigin
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize an ECDSA signature in compact format (64 bytes + recovery id).
+ *
+ *  Returns: 1
+ *  In: ctx:       a secp256k1 context object
+ *      sig:       a pointer to an initialized signature object (cannot be NULL)
+ *  Out: output64: a pointer to a 64-byte array of the compact signature (cannot be NULL)
+ *       recid:    a pointer to an integer to hold the recovery id (can be NULL).
+ */
+int secp256k1_ecdsa_recoverable_signature_serialize_compact(
+    const secp256k1_context_t* ctx,
+    unsigned char *output64,
+    int *recid,
+    const secp256k1_ecdsa_recoverable_signature_t* sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
+/** Create a recoverable ECDSA signature.
+ *
+ *  Returns: 1: signature created
+ *           0: the nonce generation function failed, or the private key was invalid.
+ *  In:      ctx:    pointer to a context object, initialized for signing (cannot be NULL)
+ *           msg32:  the 32-byte message hash being signed (cannot be NULL)
+ *           seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+ *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
+ *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
+ */
+int secp256k1_ecdsa_sign_recoverable(
+    const secp256k1_context_t* ctx,
+    const unsigned char *msg32,
+    secp256k1_ecdsa_recoverable_signature_t *sig,
+    const unsigned char *seckey,
+    secp256k1_nonce_function_t noncefp,
+    const void *ndata
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Recover an ECDSA public key from a signature.
+ *
+ *  Returns: 1: public key successfully recovered (which guarantees a correct signature).
+ *           0: otherwise.
+ *  In:      ctx:        pointer to a context object, initialized for verification (cannot be NULL)
+ *           msg32:      the 32-byte message hash assumed to be signed (cannot be NULL)
+ *           sig:        pointer to initialized signature that supports pubkey recovery (cannot be NULL)
+ *  Out:     pubkey:     pointer to the recoved public key (cannot be NULL)
+ */
+SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
+    const secp256k1_context_t* ctx,
+    const unsigned char *msg32,
+    const secp256k1_ecdsa_recoverable_signature_t *sig,
+    secp256k1_pubkey_t *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif

src/bench_recover.c

@@ -1,10 +1,11 @@
 /**********************************************************************
- * Copyright (c) 2014 Pieter Wuille                                   *
+ * Copyright (c) 2014-2015 Pieter Wuille                              *
  * Distributed under the MIT software license, see the accompanying   *
  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
  **********************************************************************/
 
 #include "include/secp256k1.h"
+#include "include/secp256k1_recovery.h"
 #include "util.h"
 #include "bench.h"
 
@@ -23,8 +24,8 @@ void bench_recover(void* arg) {
     for (i = 0; i < 20000; i++) {
         int j;
         int pubkeylen = 33;
-        secp256k1_ecdsa_signature_t sig;
-        CHECK(secp256k1_ecdsa_signature_parse_compact(data->ctx, &sig, data->sig, i % 2));
+        secp256k1_ecdsa_recoverable_signature_t sig;
+        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(data->ctx, &sig, data->sig, i % 2));
         CHECK(secp256k1_ecdsa_recover(data->ctx, data->msg, &sig, &pubkey));
         CHECK(secp256k1_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, 1));
         for (j = 0; j < 32; j++) {

src/bench_sign.c

@@ -26,16 +26,16 @@ static void bench_sign(void* arg) {
     int i;
     bench_sign_t *data = (bench_sign_t*)arg;
 
-    unsigned char sig[64];
+    unsigned char sig[74];
+    int siglen = 74;
     for (i = 0; i < 20000; i++) {
         int j;
-        int recid = 0;
         secp256k1_ecdsa_signature_t signature;
         CHECK(secp256k1_ecdsa_sign(data->ctx, data->msg, &signature, data->key, NULL, NULL));
-        CHECK(secp256k1_ecdsa_signature_serialize_compact(data->ctx, sig, &recid, &signature));
+        CHECK(secp256k1_ecdsa_signature_serialize_der(data->ctx, sig, &siglen, &signature));
         for (j = 0; j < 32; j++) {
-            data->msg[j] = sig[j];             /* Move former R to message. */
-            data->key[j] = sig[j + 32];        /* Move former S to key.     */
+            data->msg[j] = sig[j];
+            data->key[j] = sig[j + 32];
         }
     }
 }

src/modules/recovery/Makefile.am.include

@@ -0,0 +1,9 @@
+include_HEADERS += include/secp256k1_recovery.h
+noinst_HEADERS += src/modules/recovery/main_impl.h
+noinst_HEADERS += src/modules/recovery/tests_impl.h
+if USE_BENCHMARK
+noinst_PROGRAMS += bench_recover
+bench_recover_SOURCES = src/bench_recover.c
+bench_recover_LDADD = libsecp256k1.la $(SECP_LIBS)
+bench_recover_LDFLAGS = -static
+endif