README
¶
btcec
Package btcec implements elliptic curve cryptography needed for working with Bitcoin (secp256k1 only for now). It is designed so that it may be used with the standard crypto/ecdsa packages provided with go. A comprehensive suite of test is provided to ensure proper functionality. Package btcec was originally based on work from ThePiachu which is licensed under the same terms as Go, but it has signficantly diverged since then. The btcsuite developers original is licensed under the liberal ISC license.
Although this package was primarily written for btcd, it has intentionally been designed so it can be used as a standalone package for any projects needing to use secp256k1 elliptic curve cryptography.
Installation and Updating
$ go get -u github.com/ExpanderNet/btcd/btcec
Examples
-
Sign Message
Demonstrates signing a message with a secp256k1 private key that is first parsed form raw bytes and serializing the generated signature. -
Verify Signature
Demonstrates verifying a secp256k1 signature against a public key that is first parsed from raw bytes. The signature is also parsed from raw bytes. -
Encryption Demonstrates encrypting a message for a public key that is first parsed from raw bytes, then decrypting it using the corresponding private key.
-
Decryption Demonstrates decrypting a message using a private key that is first parsed from raw bytes.
GPG Verification Key
All official release tags are signed by Conformal so users can ensure the code has not been tampered with and is coming from the btcsuite developers. To verify the signature perform the following:
-
Download the public key from the Conformal website at https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt
-
Import the public key into your GPG keyring:
gpg --import GIT-GPG-KEY-conformal.txt -
Verify the release tag with the following command where
TAG_NAMEis a placeholder for the specific tag:git tag -v TAG_NAME
License
Package btcec is licensed under the copyfree ISC License except for btcec.go and btcec_test.go which is under the same license as Go.
Documentation
¶
Overview ¶
Package btcec implements support for the elliptic curves needed for bitcoin.
Bitcoin uses elliptic curve cryptography using koblitz curves (specifically secp256k1) for cryptographic functions. See http://www.secg.org/collateral/sec2_final.pdf for details on the standard.
This package provides the data structures and functions implementing the crypto/elliptic Curve interface in order to permit using these curves with the standard crypto/ecdsa package provided with go. Helper functionality is provided to parse signatures and public keys from standard formats. It was designed for use with xpand, but should be general enough for other uses of elliptic curve crypto. It was originally based on some initial work by ThePiachu, but has significantly diverged since then.
Example (DecryptMessage) ¶
This example demonstrates decrypting a message using a private key that is first parsed from raw bytes.
package main
import (
"fmt"
"github.com/ExpanderNet/btcd/btcec"
"github.com/ExpanderNet/btcd/btcutil/util"
)
func main() {
// Decode the hex-encoded private key.
pkBytes, err := util.DecodeHex("a11b0a4e1a132305652ee7a8eb7848f6ad" +
"5ea381e3ce20a2c086a2e388230811")
if err != nil {
fmt.Println(err)
return
}
privKey, _ := btcec.PrivKeyFromBytes(btcec.S256(), pkBytes)
ciphertext, err := util.DecodeHex("35f644fbfb208bc71e57684c3c8b437402ca" +
"002047a2f1b38aa1a8f1d5121778378414f708fe13ebf7b4a7bb74407288c1958969" +
"00207cf4ac6057406e40f79961c973309a892732ae7a74ee96cd89823913b8b8d650" +
"a44166dc61ea1c419d47077b748a9c06b8d57af72deb2819d98a9d503efc59fc8307" +
"d14174f8b83354fac3ff56075162")
// Try decrypting the message.
plaintext, err := btcec.Decrypt(privKey, ciphertext)
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(plaintext))
}
Output: test message
Example (EncryptMessage) ¶
This example demonstrates encrypting a message for a public key that is first parsed from raw bytes, then decrypting it using the corresponding private key.
package main
import (
"fmt"
"github.com/ExpanderNet/btcd/btcec"
"github.com/ExpanderNet/btcd/btcutil/util"
)
func main() {
// Decode the hex-encoded pubkey of the recipient.
pubKeyBytes, err := util.DecodeHex("04115c42e757b2efb7671c578530ec191a1" +
"359381e6a71127a9d37c486fd30dae57e76dc58f693bd7e7010358ce6b165e483a29" +
"21010db67ac11b1b51b651953d2") // uncompressed pubkey
if err != nil {
fmt.Println(err)
return
}
pubKey, err := btcec.ParsePubKey(pubKeyBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Encrypt a message decryptable by the private key corresponding to pubKey
message := "test message"
ciphertext, err := btcec.Encrypt(pubKey, []byte(message))
if err != nil {
fmt.Println(err)
return
}
// Decode the hex-encoded private key.
pkBytes, err := util.DecodeHex("a11b0a4e1a132305652ee7a8eb7848f6ad" +
"5ea381e3ce20a2c086a2e388230811")
if err != nil {
fmt.Println(err)
return
}
// note that we already have corresponding pubKey
privKey, _ := btcec.PrivKeyFromBytes(btcec.S256(), pkBytes)
// Try decrypting and verify if it's the same message.
plaintext, err := btcec.Decrypt(privKey, ciphertext)
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(plaintext))
}
Output: test message
Example (SignMessage) ¶
This example demonstrates signing a message with a secp256k1 private key that is first parsed form raw bytes and serializing the generated signature.
package main
import (
"fmt"
"github.com/ExpanderNet/btcd/btcec"
"github.com/ExpanderNet/btcd/btcutil/util"
"github.com/ExpanderNet/btcd/chaincfg/chainhash"
)
func main() {
// Decode a hex-encoded private key.
pkBytes, err := util.DecodeHex("22a47fa09a223f2aa079edf85a7c2d4f87" +
"20ee63e502ee2869afab7de234b80c")
if err != nil {
fmt.Println(err)
return
}
privKey, pubKey := btcec.PrivKeyFromBytes(btcec.S256(), pkBytes)
// Sign a message using the private key.
message := "test message"
messageHash := chainhash.DoubleHashB([]byte(message))
signature, err := privKey.Sign(messageHash)
if err != nil {
fmt.Println(err)
return
}
// Serialize and display the signature.
fmt.Printf("Serialized Signature: %x\n", signature.Serialize())
// Verify the signature for the message using the public key.
verified := signature.Verify(messageHash, pubKey)
fmt.Printf("Signature Verified? %v\n", verified)
}
Output: Serialized Signature: 304402201008e236fa8cd0f25df4482dddbb622e8a8b26ef0ba731719458de3ccd93805b022032f8ebe514ba5f672466eba334639282616bb3c2f0ab09998037513d1f9e3d6d Signature Verified? true
Example (VerifySignature) ¶
This example demonstrates verifying a secp256k1 signature against a public key that is first parsed from raw bytes. The signature is also parsed from raw bytes.
package main
import (
"fmt"
"github.com/ExpanderNet/btcd/btcec"
"github.com/ExpanderNet/btcd/btcutil/util"
"github.com/ExpanderNet/btcd/chaincfg/chainhash"
)
func main() {
// Decode hex-encoded serialized public key.
pubKeyBytes, err := util.DecodeHex("02a673638cb9587cb68ea08dbef685c" +
"6f2d2a751a8b3c6f2a7e9a4999e6e4bfaf5")
if err != nil {
fmt.Println(err)
return
}
pubKey, err := btcec.ParsePubKey(pubKeyBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Decode hex-encoded serialized signature.
sigBytes, err := util.DecodeHex("30450220090ebfb3690a0ff115bb1b38b" +
"8b323a667b7653454f1bccb06d4bbdca42c2079022100ec95778b51e707" +
"1cb1205f8bde9af6592fc978b0452dafe599481c46d6b2e479")
if err != nil {
fmt.Println(err)
return
}
signature, err := btcec.ParseSignature(sigBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Verify the signature for the message using the public key.
message := "test message"
messageHash := chainhash.DoubleHashB([]byte(message))
verified := signature.Verify(messageHash, pubKey)
fmt.Println("Signature Verified?", verified)
}
Output: Signature Verified? true
Index ¶
- Constants
- Variables
- func AddNonConst(p1, p2, result *JacobianPoint)
- func DecompressY(x *FieldVal, odd bool, resultY *FieldVal) bool
- func Decrypt(priv *PrivateKey, in []byte) ([]byte, er.R)
- func DoubleNonConst(p, result *JacobianPoint)
- func Encrypt(pubkey *PublicKey, in []byte) ([]byte, er.R)
- func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte
- func GeneratorJacobian(jacobian *JacobianPoint)
- func IsCompressedPubKey(pubKey []byte) bool
- func JacobianToByteSlice(point JacobianPoint) []byte
- func NAF(k []byte) ([]byte, []byte)
- func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey, *PublicKey)
- func ScalarBaseMultNonConst(k *ModNScalar, result *JacobianPoint)
- func ScalarMultNonConst(k *ModNScalar, point, result *JacobianPoint)
- func SignCompact(curve *KoblitzCurve, key *PrivateKey, hash []byte, isCompressedKey bool) ([]byte, er.R)
- type Error
- type ErrorKind
- type JacobianPoint
- type KoblitzCurve
- func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)
- func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)
- func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool
- func (curve *KoblitzCurve) Params() *elliptic.CurveParams
- func (curve *KoblitzCurve) QPlus1Div4() *big.Int
- func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int)
- func (curve *KoblitzCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int)
- type ModNScalar
- type PrivateKey
- type PublicKey
- type Signature
Examples ¶
Constants ¶
const ( PubKeyBytesLenCompressed = 33 PubKeyBytesLenUncompressed = 65 PubKeyBytesLenHybrid = 65 )
These constants define the lengths of serialized public keys.
const MinSigLen = 8
MinSigLen is the minimum length of a DER encoded signature and is when both R and S are 1 byte each. 0x30 + <1-byte> + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte>
const PrivKeyBytesLen = 32
PrivKeyBytesLen defines the length in bytes of a serialized private key.
Variables ¶
var ( // ErrInvalidMAC occurs when Message Authentication Check (MAC) fails // during decryption. This happens because of either invalid private key or // corrupt ciphertext. ErrInvalidMAC = errors.New("invalid mac hash") )
Functions ¶
func AddNonConst ¶
func AddNonConst(p1, p2, result *JacobianPoint)
AddNonConst adds the passed Jacobian points together and stores the result in the provided result param in *non-constant* time.
func DecompressY ¶
DecompressY attempts to calculate the Y coordinate for the given X coordinate such that the result pair is a point on the secp256k1 curve. It adjusts Y based on the desired oddness and returns whether or not it was successful since not all X coordinates are valid.
The magnitude of the provided X coordinate field val must be a max of 8 for a correct result. The resulting Y field val will have a max magnitude of 2.
func Decrypt ¶
func Decrypt(priv *PrivateKey, in []byte) ([]byte, er.R)
Decrypt decrypts data that was encrypted using the Encrypt function.
func DoubleNonConst ¶
func DoubleNonConst(p, result *JacobianPoint)
DoubleNonConst doubles the passed Jacobian point and stores the result in the provided result parameter in *non-constant* time.
NOTE: The point must be normalized for this function to return the correct result. The resulting point will be normalized.
func Encrypt ¶
Encrypt encrypts data for the target public key using AES-256-CBC. It also generates a private key (the pubkey of which is also in the output). The only supported curve is secp256k1. The `structure' that it encodes everything into is:
struct {
// Initialization Vector used for AES-256-CBC
IV [16]byte
// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX +
// len_of_pubkeyY(2) + pubkeyY (curve = 714)
PublicKey [70]byte
// Cipher text
Data []byte
// HMAC-SHA-256 Message Authentication Code
HMAC [32]byte
}
The primary aim is to ensure byte compatibility with Pyelliptic. Also, refer to section 5.8.1 of ANSI X9.63 for rationale on this format.
func GenerateSharedSecret ¶
func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte
GenerateSharedSecret generates a shared secret based on a private key and a public key using Diffie-Hellman key exchange (ECDH) (RFC 4753). RFC5903 Section 9 states we should only return x.
func GeneratorJacobian ¶
func GeneratorJacobian(jacobian *JacobianPoint)
GeneratorJacobian sets the passed JacobianPoint to the Generator Point.
func IsCompressedPubKey ¶
IsCompressedPubKey returns true the the passed serialized public key has been encoded in compressed format, and false otherwise.
func JacobianToByteSlice ¶
func JacobianToByteSlice(point JacobianPoint) []byte
JacobianToByteSlice converts the passed JacobianPoint to a Pubkey and serializes that to a byte slice. If the JacobianPoint is the infinity point, a zero slice is returned.
func NAF ¶
NAF takes a positive integer k and returns the Non-Adjacent Form (NAF) as two byte slices. The first is where 1s will be. The second is where -1s will be. NAF is convenient in that on average, only 1/3rd of its values are non-zero. This is algorithm 3.30 from [GECC].
Essentially, this makes it possible to minimize the number of operations since the resulting ints returned will be at least 50% 0s.
func PrivKeyFromBytes ¶
func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey, *PublicKey)
PrivKeyFromBytes returns a private and public key for `curve' based on the private key passed as an argument as a byte slice.
func ScalarBaseMultNonConst ¶
func ScalarBaseMultNonConst(k *ModNScalar, result *JacobianPoint)
ScalarBaseMultNonConst multiplies k*G where G is the base point of the group and k is a big endian integer. The result is stored in Jacobian coordinates (x1, y1, z1).
NOTE: The resulting point will be normalized.
func ScalarMultNonConst ¶
func ScalarMultNonConst(k *ModNScalar, point, result *JacobianPoint)
ScalarMultNonConst multiplies k*P where k is a big endian integer modulo the curve order and P is a point in Jacobian projective coordinates and stores the result in the provided Jacobian point.
NOTE: The point must be normalized for this function to return the correct result. The resulting point will be normalized.
func SignCompact ¶
func SignCompact(curve *KoblitzCurve, key *PrivateKey, hash []byte, isCompressedKey bool) ([]byte, er.R)
SignCompact produces a compact signature of the data in hash with the given private key on the given koblitz curve. The isCompressed parameter should be used to detail if the given signature should reference a compressed public key or not. If successful the bytes of the compact signature will be returned in the format: <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S> where the R and S parameters are padde up to the bitlengh of the curve.
Types ¶
type Error ¶
Error identifies an error related to public key cryptography using a sec256k1 curve. It has full support for errors.Is and errors.As, so the caller can ascertain the specific reason for the error by checking the underlying error.
type ErrorKind ¶
ErrorKind identifies a kind of error. It has full support for errors.Is and errors.As, so the caller can directly check against an error kind when determining the reason for an error.
type JacobianPoint ¶
type JacobianPoint = secp.JacobianPoint
JacobianPoint is an element of the group formed by the secp256k1 curve in Jacobian projective coordinates and thus represents a point on the curve.
func MakeJacobianPoint ¶
func MakeJacobianPoint(x, y, z *FieldVal) JacobianPoint
MakeJacobianPoint returns a Jacobian point with the provided X, Y, and Z coordinates.
func ParseJacobian ¶
func ParseJacobian(point []byte) (JacobianPoint, error)
ParseJacobian parses a byte slice point as a secp.Publickey and returns the pubkey as a JacobianPoint. If the nonce is a zero slice, the infinityPoint is returned.
type KoblitzCurve ¶
type KoblitzCurve struct {
*elliptic.CurveParams
H int // cofactor of the curve.
// contains filtered or unexported fields
}
KoblitzCurve supports a koblitz curve implementation that fits the ECC Curve interface from crypto/elliptic.
func (*KoblitzCurve) Add ¶
Add returns the sum of (x1,y1) and (x2,y2). Part of the elliptic.Curve interface.
func (*KoblitzCurve) IsOnCurve ¶
func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool
IsOnCurve returns boolean if the point (x,y) is on the curve. Part of the elliptic.Curve interface. This function differs from the crypto/elliptic algorithm since a = 0 not -3.
func (*KoblitzCurve) Params ¶
func (curve *KoblitzCurve) Params() *elliptic.CurveParams
Params returns the parameters for the curve.
func (*KoblitzCurve) QPlus1Div4 ¶
func (curve *KoblitzCurve) QPlus1Div4() *big.Int
QPlus1Div4 returns the Q+1/4 constant for the curve for use in calculating square roots via exponention.
func (*KoblitzCurve) ScalarBaseMult ¶
ScalarBaseMult returns k*G where G is the base point of the group and k is a big endian integer. Part of the elliptic.Curve interface.
func (*KoblitzCurve) ScalarMult ¶
ScalarMult returns k*(Bx, By) where k is a big endian integer. Part of the elliptic.Curve interface.
type ModNScalar ¶
type ModNScalar = secp.ModNScalar
ModNScalar implements optimized 256-bit constant-time fixed-precision arithmetic over the secp256k1 group order. This means all arithmetic is performed modulo:
0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
It only implements the arithmetic needed for elliptic curve operations, however, the operations that are not implemented can typically be worked around if absolutely needed. For example, subtraction can be performed by adding the negation.
Should it be absolutely necessary, conversion to the standard library math/big.Int can be accomplished by using the Bytes method, slicing the resulting fixed-size array, and feeding it to big.Int.SetBytes. However, that should typically be avoided when possible as conversion to big.Ints requires allocations, is not constant time, and is slower when working modulo the group order.
func NonceRFC6979 ¶
func NonceRFC6979(privKey []byte, hash []byte, extra []byte, version []byte, extraIterations uint32) *ModNScalar
NonceRFC6979 generates a nonce deterministically according to RFC 6979 using HMAC-SHA256 for the hashing function. It takes a 32-byte hash as an input and returns a 32-byte nonce to be used for deterministic signing. The extra and version arguments are optional, but allow additional data to be added to the input of the HMAC. When provided, the extra data must be 32-bytes and version must be 16 bytes or they will be ignored.
Finally, the extraIterations parameter provides a method to produce a stream of deterministic nonces to ensure the signing code is able to produce a nonce that results in a valid signature in the extremely unlikely event the original nonce produced results in an invalid signature (e.g. R == 0). Signing code should start with 0 and increment it if necessary.
type PrivateKey ¶
type PrivateKey ecdsa.PrivateKey
PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing things with the the private key without having to directly import the ecdsa package.
func NewPrivateKey ¶
func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, er.R)
NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey instead of the normal ecdsa.PrivateKey.
func (*PrivateKey) PubKey ¶
func (p *PrivateKey) PubKey() *PublicKey
PubKey returns the PublicKey corresponding to this private key.
func (*PrivateKey) Serialize ¶
func (p *PrivateKey) Serialize() []byte
Serialize returns the private key number d as a big-endian binary-encoded number, padded to a length of 32 bytes.
func (*PrivateKey) Sign ¶
func (p *PrivateKey) Sign(hash []byte) (*Signature, er.R)
Sign generates an ECDSA signature for the provided hash (which should be the result of hashing a larger message) using the private key. Produced signature is deterministic (same message and same key yield the same signature) and canonical in accordance with RFC6979 and BIP0062.
func (*PrivateKey) ToECDSA ¶
func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey
ToECDSA returns the private key as a *ecdsa.PrivateKey.
type PublicKey ¶
PublicKey is an ecdsa.PublicKey with additional functions to serialize in uncompressed, compressed, and hybrid formats.
func ParsePubKey ¶
func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err er.R)
ParsePubKey parses a public key for a koblitz curve from a bytestring into a ecdsa.Publickey, verifying that it is valid. It supports compressed, uncompressed and hybrid signature formats.
func RecoverCompact ¶
RecoverCompact verifies the compact signature "signature" of "hash" for the Koblitz curve in "curve". If the signature matches then the recovered public key will be returned as well as a boolen if the original key was compressed or not, else an error will be returned.
func (*PublicKey) IsEqual ¶
IsEqual compares this PublicKey instance to the one passed, returning true if both PublicKeys are equivalent. A PublicKey is equivalent to another, if they both have the same X and Y coordinate.
func (*PublicKey) SerializeCompressed ¶
SerializeCompressed serializes a public key in a 33-byte compressed format.
func (*PublicKey) SerializeHybrid ¶
SerializeHybrid serializes a public key in a 65-byte hybrid format.
func (*PublicKey) SerializeUncompressed ¶
SerializeUncompressed serializes a public key in a 65-byte uncompressed format.
type Signature ¶
Signature is a type representing an ecdsa signature.
func ParseDERSignature ¶
ParseDERSignature parses a signature in DER format for the curve type `curve` into a Signature type. If parsing according to the less strict BER format is needed, use ParseSignature.
func ParseSignature ¶
ParseSignature parses a signature in BER format for the curve type `curve' into a Signature type, perfoming some basic sanity checks. If parsing according to the more strict DER format is needed, use ParseDERSignature.
func (*Signature) IsEqual ¶
IsEqual compares this Signature instance to the one passed, returning true if both Signatures are equivalent. A signature is equivalent to another, if they both have the same scalar value for R and S.
func (*Signature) Serialize ¶
Serialize returns the ECDSA signature in the more strict DER format. Note that the serialized bytes returned do not include the appended hash type used in Bitcoin signature scripts.
encoding/asn1 is broken so we hand roll this output:
0x30 <length> 0x02 <length r> r 0x02 <length s> s
Source Files
Directories