Serializing Signature not compatible with other lib

Question

Serializing Signature not compatible with other lib

filefilegoadmin opened this issue a year ago · comments

Hey,

I have a situation where I am using a javascript module (https://github.com/paulmillr/noble-curves) to sign data using secp256k1.
The sig is sent to backend which is written in go and uses your lib to verify data but returns false without any error.

Seems like one of these 2 libs are wrong

Ref:
paulmillr/noble-curves#30

filefilegoadmin · Answer 1 · Fri Apr 14 2023 03:05:22 GMT+0800 (China Standard Time)

I tried to compare the signature output of both libs, and they are different. both are in DER format

Paul Miller · Answer 2 · Fri Apr 14 2023 03:07:06 GMT+0800 (China Standard Time)

Can you provide signature output from both libraries? Use a random private key, message for that.

filefilegoadmin · Answer 3 · Fri Apr 14 2023 03:11:57 GMT+0800 (China Standard Time)

Sure,

Privkey hex: "0x47cbcbdb60923dcb2d401fc8ea5c5cdb95d50999337a7f4a324f7690db688265"

data, _ := hexutil.Decode("0x01")

with dcrd:
0x3045022100891a5f7262c55b49eadcf354f01d7f9b7959ae6b04bf766ef94fba740399dfa20220687021ca4ca4283fa3aff6de1949345fd613458a8c6139e3a0137ad64bed31a6

with noble:

0x304402201004b8c479934967c830750d3c22835c5adfcba9cb62247b39090b89ee236b86022032761afe89dc96e4239fb655b70e5c43c199518d6cad596cf214a182fd4dab61

Josh Rickmar · Answer 4 · Fri Apr 14 2023 03:16:13 GMT+0800 (China Standard Time)

the message being signed is to be cryptographically hashed to a 32-byte value. ecdsa.Sign takes this hash as a parameter.

What hash function are you using?

Paul Miller · Answer 5 · Fri Apr 14 2023 03:19:38 GMT+0800 (China Standard Time)

@filefilegoadmin yeah, outputs match with noble option {prehash: true}. Default secp input is NOT hashed.

Josh Rickmar · Answer 6 · Fri Apr 14 2023 03:28:40 GMT+0800 (China Standard Time)

func TestSign3099(t *testing.T) {
        privkeyBytes, err := hex.DecodeString("47cbcbdb60923dcb2d401fc8ea5c5cdb95d50999337a7f4a324f7690db688265")
        if err != nil {
                t.Fatal(err)
        }
        privkey := secp256k1.PrivKeyFromBytes(privkeyBytes)
        message := []byte{01}

        // bad bad bad
        sig := Sign(privkey, message)
        t.Logf("%x", sig.Serialize())

        // better
        messageHash := sha256.Sum256(message)
        sig = Sign(privkey, messageHash[:])
        t.Logf("%x", sig.Serialize())
}

$ go test -v -run TestSign3099
=== RUN   TestSign3099
    signature_test.go:1084: 304402201004b8c479934967c830750d3c22835c5adfcba9cb62247b39090b89ee236b86022032761afe89dc96e4239fb655b70e5c43c199518d6cad596cf214a182fd4dab61
    signature_test.go:1089: 3045022100891a5f7262c55b49eadcf354f01d7f9b7959ae6b04bf766ef94fba740399dfa20220687021ca4ca4283fa3aff6de1949345fd613458a8c6139e3a0137ad64bed31a6
--- PASS: TestSign3099 (0.01s)
PASS
ok  	github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa	0.021s

I'm surprised we don't panic or error or something when the input is not a 32-byte value.

Paul Miller · Answer 7 · Fri Apr 14 2023 03:32:10 GMT+0800 (China Standard Time)

By rfc6979 it's not required for an input to be 32-byte value. Any hash function can be used, such as sha256/192 - which is not 32-byte. Setting some arbitrary length limit also doesn't make sense.

If you only target Bitcoin, then yes, it must always be 32-byte. Ethereum, for example, uses keccak256.

Dave Collins · Answer 8 · Fri Apr 14 2023 03:32:53 GMT+0800 (China Standard Time)

I'm surprised we don't panic or error or something when the input is not a 32-byte value.

There is nothing in the ecdsa specification nor RFC6979 that requires the input to be a hash of a specific size nor for it to even be a hash at all. It is highly recommended to hash the data however.

Josh Rickmar · Answer 9 · Fri Apr 14 2023 03:33:08 GMT+0800 (China Standard Time)

That makes sense, thanks both.

Dave Collins · Answer 10 · Fri Apr 14 2023 03:37:09 GMT+0800 (China Standard Time)

Closing this since it does not appear to be an issue (with either lib).