Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use sha256(data) instead of plain data in secp256k1 tests #16

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use sha256(data) instead of plain data in secp256k1 tests #16

wants to merge 1 commit into from

Conversation

fivepiece
Copy link

Using secp256k1_rfc6979_test :

./secp256k1_rfc6979_test_unpatched 1000000000000000000000000000000000000000000000000000000000000000 01 | tr [:lower:] [:upper:]

CREATING KEY...DONE.
USING PRIVKEY 1000000000000000000000000000000000000000000000000000000000000000
USING DATA 01
DATA HASH: 4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A
K = 76879C79C13BE69710AAACCCFC31F03C4D35FBC45539AC24C22D8098D0BBEFC4
SIGNING...
SIGNATURE: 3044022028A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9022074A5CB5DFAF8FEC0F9DE36B6B6A68DF4E6CA39621BBB7813380CEADC3BA2A783
VALID: TRUE

Testing in my own implementation

# private key

d1=1000000000000000000000000000000000000000000000000000000000000000
ecmul(d1)

# ecmul
# X : 8EA9666139527A8C1DD94CE4F071FD23C8B350C5A4BB33748C4BA111FACCAE0
# Y : 620EFABBC8EE2782E24E7C0CFB95C5D735B783BE9CF0F8E955AF34A30E62B945

d1x=8EA9666139527A8C1DD94CE4F071FD23C8B350C5A4BB33748C4BA111FACCAE0
d1y=620EFABBC8EE2782E24E7C0CFB95C5D735B783BE9CF0F8E955AF34A30E62B945

# data hash

z1=4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A

# msigna signature

msigr=28A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9
msigs=74A5CB5DFAF8FEC0F9DE36B6B6A68DF4E6CA39621BBB7813380CEADC3BA2A783

verify(z1,d1x,d1y,msigr,msigs)

# verify
# RX : FB0C8D4628DAFA2618A96C645131E1082D053586E98893AC44C0378BE523EFDF
# RY : A389D7CB01AEF26FD23EECB1684710BC27B776E839A3D999042D21942AB88340

(rx == msigr) 

# invalid signature

# k from msigna

msigk=76879C79C13BE69710AAACCCFC31F03C4D35FBC45539AC24C22D8098D0BBEFC4

ecmul(msigk)

# ecmul
# X : 28A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9
# Y : 4CDC0F79E0C0304144C2303EC372C8E8C56213EE44520700CC8991CA56C7FA8D

msigkx=28A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9
msigky=4CDC0F79E0C0304144C2303EC372C8E8C56213EE44520700CC8991CA56C7FA8D

# we see (msigkx == msigr), so something is broken with signing
# let's try to sign ourselves using the values reported by msigna

sign(msigkx,msigk,z1,d1,nn)

# sign
# R : 28A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9
# S : 1B9D22582E067347B3454A472F09B1D5185510B13388BD76FCE781A2F31BF265

# we see (msigs != s) here.
# let's try to gather info from msigna's signature

getk(msigr,msigs,z1,d1,nn)

# K : 87C559960399A021AACB1B6DC97AB657119CA38EC7EBFEF85D3B328C119B11EC

# can't be right.. maybe it's (-k)?

mod(-msigk,nn)
897863863EC41968EF55533303CE0FC26D78E1225A0EF416FDA4DDF3FF7A517D

# not that. our data was '01'.. I wonder..

getk(msigr,msigs,1,d1,nn)

# K : 897863863EC41968EF55533303CE0FC26D78E1225A0EF416FDA4DDF3FF7A517D

# this is the problem.  instead of its hash, the data itself is being used
# let's try to recreate the "invalid" signature

sign(msigr,-msigk,1,d1,nn)

# sign
# R : 28A70449C2F7D05EC19D59C7FFD4F5C0F3E11B18245CA591FC5ABAB5580FB9A9
# S : 74A5CB5DFAF8FEC0F9DE36B6B6A68DF4E6CA39621BBB7813380CEADC3BA2A783

# we see (-msigk) was used, and not the reported (msigk) 
# we see the data (0x01) is used instead of its hash (z1)

After patching the test binary:

./secp256k1_rfc6979_test_patched 1000000000000000000000000000000000000000000000000000000000000000 01 | tr [:lower:] [:upper:]                                                                                     

CREATING KEY...DONE.
USING PRIVKEY 1000000000000000000000000000000000000000000000000000000000000000
USING DATA 01
DATA HASH: 4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A
K = 3153FDDD93AF7D3F71C2233F417F84ED8F6AA9A9B0F267BAEEB1DCC69F6B41A1
SIGNING...
SIGNATURE: 30450221008F04423D49106CFED61349C0763A12ABADDB288D3DE17AE6427F5DB0FC7452F102206EB82D885F320E32ED07C29A344E278F42A013037A978923E48E5F96255B6781
VALID: TRUE

Testing in my own implementation

d1=1000000000000000000000000000000000000000000000000000000000000000
d1x=8EA9666139527A8C1DD94CE4F071FD23C8B350C5A4BB33748C4BA111FACCAE0
d1y=620EFABBC8EE2782E24E7C0CFB95C5D735B783BE9CF0F8E955AF34A30E62B945
z1=4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A
msigk=3153FDDD93AF7D3F71C2233F417F84ED8F6AA9A9B0F267BAEEB1DCC69F6B41A1
msigr=8F04423D49106CFED61349C0763A12ABADDB288D3DE17AE6427F5DB0FC7452F1
msigs=6EB82D885F320E32ED07C29A344E278F42A013037A978923E48E5F96255B6781

verify(z1,d1x,d1y,msigr,msigs)

# verify
# RX : 8F04423D49106CFED61349C0763A12ABADDB288D3DE17AE6427F5DB0FC7452F1
# RY : 345559D0306C342D583A253E5937AD997A32949E1A608B48D62CE3B1C56D159A

gety(msigr)

# gety
# Y1 : CBAAA62FCF93CBD2A7C5DAC1A6C8526685CD6B61E59F74B729D31C4D3A92E695
# Y2 : 345559D0306C342D583A253E5937AD997A32949E1A608B48D62CE3B1C56D159A

# signature is valid

# trying to recreate the valid signature

sign(msigr,msigk,z1,d1,nn)


# sign
# R : 8F04423D49106CFED61349C0763A12ABADDB288D3DE17AE6427F5DB0FC7452F1
# S : 6EB82D885F320E32ED07C29A344E278F42A013037A978923E48E5F96255B6781

# match

same issues were found on secp256k1_test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@fivepiece