Nonce usage in ECDSA signing algorithm

Nonce usage in ECDSA signing algorithm

I'm trying to understand the signing function secp256k1_ecdsa_sig_sign(), and I'm curious about the nonce usage here.

static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) {
  unsigned char b[32];
  secp256k1_gej rp;
  secp256k1_ge r;
  secp256k1_scalar n;
  int overflow = 0;

  secp256k1_ecmult_gen(ctx, &rp, nonce);
  secp256k1_ge_set_gej(&r, &rp);
  secp256k1_fe_normalize(&r.x);
  secp256k1_fe_normalize(&r.y);
  secp256k1_fe_get_b32(b, &r.x);
  secp256k1_scalar_set_b32(sigr, b, &overflow);
  /* These two conditions should be checked before calling */
  VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
  VERIFY_CHECK(overflow == 0);

  if (recid) {
    /* The overflow condition is cryptographically unreachable as hitting   it requires finding the discrete log
     * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
     */
     *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
  }
  secp256k1_scalar_mul(&n, sigr, seckey);
  secp256k1_scalar_add(&n, &n, message);
  secp256k1_scalar_inverse(sigs, nonce);
  secp256k1_scalar_mul(sigs, sigs, &n);
  secp256k1_scalar_clear(&n);
  secp256k1_gej_clear(&rp);
  secp256k1_ge_clear(&r);

  if (secp256k1_scalar_is_zero(sigs)) {
    return 0;
  }

  if (secp256k1_scalar_is_high(sigs)) {
    secp256k1_scalar_negate(sigs, sigs);

    if (recid) {
      *recid ^= 1;
    }

  }

  return 1;
}

I'm familiar with the standard ECDSA, but what exactly is being done with the nonce here and why?

Thanks!

http://bit.ly/2RVYzX4

Comments

Post a Comment

Popular posts from this blog

bitcoin node: what is the difference between simnet and regtest?

bitcoin node: what is the difference between simnet and regtest? btcd, and presumably other bitcoin node implementations, seem to have 4 network options: mainnet testnet regtest simnet. I get that mainnet and testnet both are "public" in that your node will communicate with other nodes and that both have an existing blockchain and genesis block. However, from what I can tell, both simenet and regtest both create a local only blockchain, and both will create a new genesis block. I this case, what is the difference, and which is better (easier) for developing bitcoin applications? This is what the documentation has to say: --regtest Use the regression test network --simnet Use the simulation test network https://ift.tt/2TAMkwe
Read more

How to check if Electrum is masking my IP with the Tor proxy?

How to check if Electrum is masking my IP with the Tor proxy? When i start Electrum from the command line i see this mensage: (python3:7069): dbind-WARNING **: 14:09:58.452: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken What does it mean? I just installed Electrum following this tutorial: http://docs.electrum.org/en/latest/tor.html I followed the instructions from this topic " Option 2: Multiple servers but Tor Main ". I installed Electrum using the command line on Ubuntu, check the " Installation from Python sources " on this link https://electrum.org/#download if you want to see the codes. And i used this code bellow to download the Signatue keys: $ gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6 I checked the both checkbox: 1)...
Read more

Need help to recover blpckchain.info wallet, my wife forgot her password and the brute force with btcrecover is not catching the password

Need help to recover blpckchain.info wallet, my wife forgot her password and the brute force with btcrecover is not catching the password I used btcrecover to extract the wallet file (wallet.aes.json) from a blockchain account and I have been running btcrecover with dictionaries of my making but it has been going on for weeks and I am running out of ideas on how to permutate what my wife and I think the password could have been. Is there a way to just manually transfer the btc from the old wallet into a new wallet we do have access to or is there any way to extract the password or private keys directly from the wallet file? We have: the phone with the original wallet app installed, the wallet file pulled using btcrecover, access to the email to allow authorization to access, the wallet identifier that was sent to her email when she first signed up, the phone which has the wallet, the pin that was used for the wallet, and we know how much btc is in the account. We do not have: The pri...
Read more