README

bchec

Build Status ISC License GoDoc

Package bchec implements elliptic curve cryptography needed for working with Bitcoin (secp256k1 only for now). It is designed so that it may be used with the standard crypto/ecdsa packages provided with go. A comprehensive suite of test is provided to ensure proper functionality. Package bchec was originally based on work from ThePiachu which is licensed under the same terms as Go, but it has signficantly diverged since then. The btcsuite developers original is licensed under the liberal ISC license.

Although this package was primarily written for bchd, it has intentionally been designed so it can be used as a standalone package for any projects needing to use secp256k1 elliptic curve cryptography.

Installation and Updating

$ go get -u github.com/gcash/bchd/bchec

Examples

  • Sign Message
    Demonstrates signing a message with a secp256k1 private key that is first parsed form raw bytes and serializing the generated signature.

  • Verify Signature
    Demonstrates verifying a secp256k1 signature against a public key that is first parsed from raw bytes. The signature is also parsed from raw bytes.

  • Encryption Demonstrates encrypting a message for a public key that is first parsed from raw bytes, then decrypting it using the corresponding private key.

  • Decryption Demonstrates decrypting a message using a private key that is first parsed from raw bytes.

GPG Verification Key

All official release tags are signed by Conformal so users can ensure the code has not been tampered with and is coming from the btcsuite developers. To verify the signature perform the following:

  • Download the public key from the Conformal website at https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt

  • Import the public key into your GPG keyring:

    gpg --import GIT-GPG-KEY-conformal.txt
    
  • Verify the release tag with the following command where TAG_NAME is a placeholder for the specific tag:

    git tag -v TAG_NAME
    

License

Package bchec is licensed under the copyfree ISC License except for bchec.go and bchec_test.go which is under the same license as Go.

Expand ▾ Collapse ▴

Documentation

Overview

    Package bchec implements support for the elliptic curves needed for bitcoin.

    Bitcoin Cash uses elliptic curve cryptography using koblitz curves (specifically secp256k1) for cryptographic functions. See http://www.secg.org/collateral/sec2_final.pdf for details on the standard.

    This package provides the data structures and functions implementing the crypto/elliptic Curve interface in order to permit using these curves with the standard crypto/ecdsa package provided with go. Helper functionality is provided to parse signatures and public keys from standard formats. It was designed for use with bchd, but should be general enough for other uses of elliptic curve crypto. It was originally based on some initial work by ThePiachu, but has significantly diverged since then.

    Example (DecryptMessage)

      This example demonstrates decrypting a message using a private key that is first parsed from raw bytes.

      Output:
      
      test message
      
      Example (EncryptMessage)

        This example demonstrates encrypting a message for a public key that is first parsed from raw bytes, then decrypting it using the corresponding private key.

        Output:
        
        test message
        
        Example (SignMessage)

          This example demonstrates signing a message with a secp256k1 private key that is first parsed form raw bytes and serializing the generated signature.

          Output:
          
          Serialized Signature: 304402201008e236fa8cd0f25df4482dddbb622e8a8b26ef0ba731719458de3ccd93805b022032f8ebe514ba5f672466eba334639282616bb3c2f0ab09998037513d1f9e3d6d
          Signature Verified? true
          
          Example (VerifySignature)

            This example demonstrates verifying a secp256k1 signature against a public key that is first parsed from raw bytes. The signature is also parsed from raw bytes.

            Output:
            
            Signature Verified? true
            

            Index

            Examples

            Constants

            View Source
            const (
            	PubKeyBytesLenCompressed   = 33
            	PubKeyBytesLenUncompressed = 65
            	PubKeyBytesLenHybrid       = 65
            )

              These constants define the lengths of serialized public keys.

              View Source
              const PrivKeyBytesLen = 32

                PrivKeyBytesLen defines the length in bytes of a serialized private key.

                Variables

                View Source
                var (
                	// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails
                	// during decryption. This happens because of either invalid private key or
                	// corrupt ciphertext.
                	ErrInvalidMAC = errors.New("invalid mac hash")
                )

                Functions

                func Decrypt

                func Decrypt(priv *PrivateKey, in []byte) ([]byte, error)

                  Decrypt decrypts data that was encrypted using the Encrypt function.

                  func Encrypt

                  func Encrypt(pubkey *PublicKey, in []byte) ([]byte, error)

                    Encrypt encrypts data for the target public key using AES-256-CBC. It also generates a private key (the pubkey of which is also in the output). The only supported curve is secp256k1. The `structure' that it encodes everything into is:

                    struct {
                    	// Initialization Vector used for AES-256-CBC
                    	IV [16]byte
                    	// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX +
                    	// len_of_pubkeyY(2) + pubkeyY (curve = 714)
                    	PublicKey [70]byte
                    	// Cipher text
                    	Data []byte
                    	// HMAC-SHA-256 Message Authentication Code
                    	HMAC [32]byte
                    }
                    

                    The primary aim is to ensure byte compatibility with Pyelliptic. Also, refer to section 5.8.1 of ANSI X9.63 for rationale on this format.

                    func GenerateSharedSecret

                    func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte

                      GenerateSharedSecret generates a shared secret based on a private key and a public key using Diffie-Hellman key exchange (ECDH) (RFC 4753). RFC5903 Section 9 states we should only return x.

                      func IsCompressedPubKey

                      func IsCompressedPubKey(pubKey []byte) bool

                        IsCompressedPubKey returns true the the passed serialized public key has been encoded in compressed format, and false otherwise.

                        func NAF

                        func NAF(k []byte) ([]byte, []byte)

                          NAF takes a positive integer k and returns the Non-Adjacent Form (NAF) as two byte slices. The first is where 1s will be. The second is where -1s will be. NAF is convenient in that on average, only 1/3rd of its values are non-zero. This is algorithm 3.30 from [GECC].

                          Essentially, this makes it possible to minimize the number of operations since the resulting ints returned will be at least 50% 0s.

                          func PrivKeyFromBytes

                          func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey,
                          	*PublicKey)

                            PrivKeyFromBytes returns a private and public key for `curve' based on the private key passed as an argument as a byte slice.

                            func SignCompact

                            func SignCompact(curve *KoblitzCurve, key *PrivateKey,
                            	hash []byte, isCompressedKey bool) ([]byte, error)

                              SignCompact produces a compact ECDSA signature of the data in hash with the given private key on the given koblitz curve. The isCompressed parameter should be used to detail if the given signature should reference a compressed public key or not. If successful the bytes of the compact signature will be returned in the format: <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S> where the R and S parameters are padde up to the bitlengh of the curve.

                              Types

                              type KoblitzCurve

                              type KoblitzCurve struct {
                              	*elliptic.CurveParams
                              
                              	H int // cofactor of the curve.
                              	// contains filtered or unexported fields
                              }

                                KoblitzCurve supports a koblitz curve implementation that fits the ECC Curve interface from crypto/elliptic.

                                func S256

                                func S256() *KoblitzCurve

                                  S256 returns a Curve which implements secp256k1.

                                  func (*KoblitzCurve) Add

                                  func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

                                    Add returns the sum of (x1,y1) and (x2,y2). Part of the elliptic.Curve interface.

                                    func (*KoblitzCurve) Double

                                    func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

                                      Double returns 2*(x1,y1). Part of the elliptic.Curve interface.

                                      func (*KoblitzCurve) IsOnCurve

                                      func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool

                                        IsOnCurve returns boolean if the point (x,y) is on the curve. Part of the elliptic.Curve interface. This function differs from the crypto/elliptic algorithm since a = 0 not -3.

                                        func (*KoblitzCurve) Params

                                        func (curve *KoblitzCurve) Params() *elliptic.CurveParams

                                          Params returns the parameters for the curve.

                                          func (*KoblitzCurve) QPlus1Div4

                                          func (curve *KoblitzCurve) QPlus1Div4() *big.Int

                                            QPlus1Div4 returns the Q+1/4 constant for the curve for use in calculating square roots via exponention.

                                            func (*KoblitzCurve) ScalarBaseMult

                                            func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

                                              ScalarBaseMult returns k*G where G is the base point of the group and k is a big endian integer. Part of the elliptic.Curve interface.

                                              func (*KoblitzCurve) ScalarMult

                                              func (curve *KoblitzCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int)

                                                ScalarMult returns k*(Bx, By) where k is a big endian integer. Part of the elliptic.Curve interface.

                                                type Multiset

                                                type Multiset struct {
                                                	// contains filtered or unexported fields
                                                }

                                                  Multiset tracks the state of a multiset as used to calculate the ECMH (elliptic curve multiset hash) hash of an unordered set. The state is a point on the curve. New elements are hashed onto a point on the curve and then added to the current state. Hence elements can be added in any order and we can also remove elements to return to a prior hash.

                                                  func NewMultiset

                                                  func NewMultiset(curve *KoblitzCurve) *Multiset

                                                    NewMultiset returns an empty multiset. The hash of an empty set is the 32 byte value of zero.

                                                    func NewMultisetFromPoint

                                                    func NewMultisetFromPoint(curve *KoblitzCurve, x, y *big.Int) *Multiset

                                                      NewMultisetFromPoint initializes a new multiset with the given x, y coordinate.

                                                      func (*Multiset) Add

                                                      func (ms *Multiset) Add(data []byte)

                                                        Add hashes the data onto the curve and updates the state of the multiset.

                                                        func (*Multiset) Hash

                                                        func (ms *Multiset) Hash() chainhash.Hash

                                                          Hash serializes and returns the hash of the multiset. The hash of an empty set is the 32 byte value of zero. The hash of a non-empty multiset is the sha256 hash of the 32 byte x value concatenated with the 32 byte y value.

                                                          func (*Multiset) Merge

                                                          func (ms *Multiset) Merge(otherMultiset *Multiset)

                                                            Merge will add the point of the passed in multiset instance to the point of this multiset and save the new point in this instance.

                                                            func (*Multiset) Point

                                                            func (ms *Multiset) Point() (x *big.Int, y *big.Int)

                                                              Point returns a copy of the x and y coordinates of the current multiset state.

                                                              func (*Multiset) Remove

                                                              func (ms *Multiset) Remove(data []byte)

                                                                Remove hashes the data onto the curve and subtracts the value from the state. This function will execute regardless of whether or not the passed data was previously added to the set. Hence if you remove and element that was never added and also remove all the elements that were added, you will not get back to the point at infinity (empty set).

                                                                type PrivateKey

                                                                type PrivateKey ecdsa.PrivateKey

                                                                  PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing things with the the private key without having to directly import the ecdsa package.

                                                                  func NewPrivateKey

                                                                  func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, error)

                                                                    NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey instead of the normal ecdsa.PrivateKey.

                                                                    func (*PrivateKey) PubKey

                                                                    func (p *PrivateKey) PubKey() *PublicKey

                                                                      PubKey returns the PublicKey corresponding to this private key.

                                                                      func (*PrivateKey) Serialize

                                                                      func (p *PrivateKey) Serialize() []byte

                                                                        Serialize returns the private key number d as a big-endian binary-encoded number, padded to a length of 32 bytes.

                                                                        func (*PrivateKey) SignECDSA

                                                                        func (p *PrivateKey) SignECDSA(hash []byte) (*Signature, error)

                                                                          SignECDSA generates an ECDSA signature for the provided hash (which should be the result of hashing a larger message) using the private key. Produced signature is deterministic (same message and same key yield the same signature) and canonical in accordance with RFC6979 and BIP0062.

                                                                          func (*PrivateKey) SignSchnorr

                                                                          func (p *PrivateKey) SignSchnorr(hash []byte) (*Signature, error)

                                                                            SignSchnorr generates a schnorr signature for the provided hash (which should be the result of hashing a larger message) using the private key. Produced signature is deterministic (same message and same key yield the same signature) and canonical in accordance with RFC6979 and BIP0062.

                                                                            func (*PrivateKey) ToECDSA

                                                                            func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey

                                                                              ToECDSA returns the private key as a *ecdsa.PrivateKey.

                                                                              type PublicKey

                                                                              type PublicKey ecdsa.PublicKey

                                                                                PublicKey is an ecdsa.PublicKey with additional functions to serialize in uncompressed, compressed, and hybrid formats.

                                                                                func AggregatePublicKeys

                                                                                func AggregatePublicKeys(keys ...*PublicKey) (*PublicKey, error)

                                                                                  AggregatePublicKeys aggregates the given public keys using the MuSig aggregating protocol.

                                                                                  func ParsePubKey

                                                                                  func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error)

                                                                                    ParsePubKey parses a public key for a koblitz curve from a bytestring into a ecdsa.Publickey, verifying that it is valid. It supports compressed, uncompressed and hybrid signature formats.

                                                                                    func RecoverCompact

                                                                                    func RecoverCompact(curve *KoblitzCurve, signature,
                                                                                    	hash []byte) (*PublicKey, bool, error)

                                                                                      RecoverCompact verifies the compact ECDSA signature "signature" of "hash" for the Koblitz curve in "curve". If the signature matches then the recovered public key will be returned as well as a boolen if the original key was compressed or not, else an error will be returned.

                                                                                      func (*PublicKey) IsEqual

                                                                                      func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool

                                                                                        IsEqual compares this PublicKey instance to the one passed, returning true if both PublicKeys are equivalent. A PublicKey is equivalent to another, if they both have the same X and Y coordinate.

                                                                                        func (*PublicKey) SerializeCompressed

                                                                                        func (p *PublicKey) SerializeCompressed() []byte

                                                                                          SerializeCompressed serializes a public key in a 33-byte compressed format.

                                                                                          func (*PublicKey) SerializeHybrid

                                                                                          func (p *PublicKey) SerializeHybrid() []byte

                                                                                            SerializeHybrid serializes a public key in a 65-byte hybrid format.

                                                                                            func (*PublicKey) SerializeUncompressed

                                                                                            func (p *PublicKey) SerializeUncompressed() []byte

                                                                                              SerializeUncompressed serializes a public key in a 65-byte uncompressed format.

                                                                                              func (*PublicKey) ToECDSA

                                                                                              func (p *PublicKey) ToECDSA() *ecdsa.PublicKey

                                                                                                ToECDSA returns the public key as a *ecdsa.PublicKey.

                                                                                                type Session

                                                                                                type Session struct {
                                                                                                	// contains filtered or unexported fields
                                                                                                }

                                                                                                  Session represents a MuSig signing session. Each party to the singing needs one of these objects.

                                                                                                  func NewMuSession

                                                                                                  func NewMuSession(pubKeys []*PublicKey, privKey *PrivateKey, sessionID [32]byte) (*Session, error)

                                                                                                    NewMuSession gets instantiated with the public keys of each participant and the private key of this specific user. The session ID must either be purely random or a counter that is incremented for every session using the same private key. The choice is left up to the user.

                                                                                                    func (*Session) AggregatePublicKey

                                                                                                    func (sess *Session) AggregatePublicKey() *PublicKey

                                                                                                      AggregatePublicKey returns the aggregate public key for this session.

                                                                                                      func (*Session) AggregateSignature

                                                                                                      func (sess *Session) AggregateSignature(svals ...*big.Int) *Signature

                                                                                                        AggregateSignature aggregates the S and R values and returns a signature that is value for the aggregate public key.

                                                                                                        func (*Session) Nonce

                                                                                                        func (sess *Session) Nonce() (*PublicKey, error)

                                                                                                          Nonce returns the nonce public key for this session.

                                                                                                          func (*Session) NonceCommitment

                                                                                                          func (sess *Session) NonceCommitment(message []byte) []byte

                                                                                                            NonceCommitment deterministically generates the nonce and returns the hash. The nonce private key is derived from the private key, each public key in the session, the message, and the session ID.

                                                                                                            func (*Session) SetNonceCommitments

                                                                                                            func (sess *Session) SetNonceCommitments(nonceCommitments ...[]byte)

                                                                                                              SetNonceCommitments saves the nonce commitments in the session. We use them to check the hash of the nonce against the these commitments when SetNonces is called.

                                                                                                              func (*Session) SetNonces

                                                                                                              func (sess *Session) SetNonces(noncePubkeys ...*PublicKey) error

                                                                                                                SetNonces saves the nonces for each peer. This should be called by each participant after the nonces have been shared.

                                                                                                                func (*Session) Sign

                                                                                                                func (sess *Session) Sign(hash []byte) (*big.Int, error)

                                                                                                                  Sign returns the S value for this node. Technically we don't need to return the R value as it's calculated by each node using the nonce public keys.

                                                                                                                  type Signature

                                                                                                                  type Signature struct {
                                                                                                                  	R *big.Int
                                                                                                                  	S *big.Int
                                                                                                                  	// contains filtered or unexported fields
                                                                                                                  }

                                                                                                                    Signature is a type representing either an ecdsa or schnorr signature.

                                                                                                                    func ParseBERSignature

                                                                                                                    func ParseBERSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error)

                                                                                                                      ParseBERSignature parses an ECDSA signature in BER format for the curve type `curve' into a Signature type, perfoming some basic sanity checks. If parsing according to the more strict DER format is needed, use ParseDERSignature.

                                                                                                                      func ParseDERSignature

                                                                                                                      func ParseDERSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error)

                                                                                                                        ParseDERSignature parses a signature in DER format for the curve type `curve` into a Signature type. If parsing according to the less strict BER format is needed, use ParseBERSignature.

                                                                                                                        func ParseSchnorrSignature

                                                                                                                        func ParseSchnorrSignature(sigStr []byte) (*Signature, error)

                                                                                                                          ParseSchnorrSignature parses a 64 byte schnorr signature into a Signature type.

                                                                                                                          func (*Signature) IsEqual

                                                                                                                          func (sig *Signature) IsEqual(otherSig *Signature) bool

                                                                                                                            IsEqual compares this Signature instance to the one passed, returning true if both Signatures are equivalent. A signature is equivalent to another, if they both have the same scalar value for R and S.

                                                                                                                            func (*Signature) Serialize

                                                                                                                            func (sig *Signature) Serialize() []byte

                                                                                                                              Serialize returns the a serialized signature depending on the SignatureType. Note that the serialized bytes returned do not include the appended hash type used in Bitcoin signature scripts.

                                                                                                                              ECDSA signature in the more strict DER format.

                                                                                                                              encoding/asn1 is broken so we hand roll this output:

                                                                                                                              0x30 <length> 0x02 <length r> r 0x02 <length s> s

                                                                                                                              func (*Signature) Verify

                                                                                                                              func (sig *Signature) Verify(hash []byte, pubKey *PublicKey) bool

                                                                                                                                Verify verifies either an ECDSA or Schnorr signature depending on the SignatureType of the signature. It returns true if the signature is valid, false otherwise.

                                                                                                                                type SignatureType

                                                                                                                                type SignatureType uint8

                                                                                                                                  SignatureType enumerates the type of signature. Either ECDSA or Schnorr

                                                                                                                                  const (
                                                                                                                                  	// SignatureTypeECDSA defines an ecdsa signature
                                                                                                                                  	SignatureTypeECDSA SignatureType = iota
                                                                                                                                  
                                                                                                                                  	// SignatureTypeSchnorr defines a schnorr signature
                                                                                                                                  	SignatureTypeSchnorr
                                                                                                                                  )