Merge pull request bnb-chain#57 from binance-chain/recover_signature

[R4R] fix recover byte calculation
oday0311 · Sep 25, 2019 · d2d8728 · d2d8728
2 parents 8856899 + 9eb0893
commit d2d8728
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 12 deletions.
diff --git a/ecdsa/signing/finalize.go b/ecdsa/signing/finalize.go
@@ -27,19 +27,30 @@ func (round *finalization) Start() *tss.Error {
 		sumS = modN.Add(sumS, round.temp.signRound9SignatureMessage[j].Si)
 	}
 
+	recid := 0
+	// byte v = if(R.X > curve.N) then 2 else 0) | (if R.Y.IsEven then 0 else 1);
+	if round.temp.rx.Cmp(tss.EC().Params().N) > 0 {
+		recid = 2
+	}
+	if round.temp.ry.Bit(0) != 0 {
+		recid |= 1
+	}
+
 	// This is copied from:
 	// https://github.com/btcsuite/btcd/blob/c26ffa870fd817666a857af1bf6498fabba1ffe3/btcec/signature.go#L442-L444
 	// This is needed because of tendermint checks here:
 	// https://github.com/tendermint/tendermint/blob/d9481e3648450cb99e15c6a070c1fb69aa0c255b/crypto/secp256k1/secp256k1_nocgo.go#L43-L47
 	secp256k1halfN := new(big.Int).Rsh(tss.EC().Params().N, 1)
 	if sumS.Cmp(secp256k1halfN) > 0 {
 		sumS.Sub(tss.EC().Params().N, sumS)
+		recid ^= 1
 	}
 
 	// save the signature for final output
-	round.data.R = round.temp.r
+	round.data.R = round.temp.rx
 	round.data.S = sumS
-	round.data.Signature = append(round.temp.r.Bytes(), sumS.Bytes()...)
+	round.data.SignatureRecovery = byte(recid)
+	round.data.Signature = append(round.temp.rx.Bytes(), sumS.Bytes()...)
 
 	return nil
 }

diff --git a/ecdsa/signing/local_party.go b/ecdsa/signing/local_party.go
@@ -72,7 +72,8 @@ type (
 		// round 5
 		li,
 		si,
-		r,
+		rx,
+		ry,
 		roi *big.Int
 		bigR,
 		bigAi,
@@ -89,10 +90,11 @@ type (
 	}
 
 	LocalPartySignData struct {
-		Transaction []byte
-		Signature   []byte
-		R           *big.Int
-		S           *big.Int
+		Transaction       []byte
+		Signature         []byte
+		SignatureRecovery byte
+		R                 *big.Int
+		S                 *big.Int
 	}
 )
 

diff --git a/ecdsa/signing/local_party_test.go b/ecdsa/signing/local_party_test.go
@@ -97,7 +97,7 @@ signing:
 			if atomic.LoadInt32(&ended) == int32(len(signPIDs)) {
 				t.Logf("Done. Received save data from %d participants", ended)
 				R := parties[0].temp.bigR
-				r := parties[0].temp.r
+				r := parties[0].temp.rx
 				fmt.Printf("sign result: R(%s, %s), r=%s\n", R.X().String(), R.Y().String(), r.String())
 
 				modN := common.ModInt(tss.EC().Params().N)

diff --git a/ecdsa/signing/round_5.go b/ecdsa/signing/round_5.go
@@ -48,8 +48,9 @@ func (round *round5) Start() *tss.Error {
 	R = R.ScalarMult(round.temp.thelta_inverse)
 	N := tss.EC().Params().N
 	modN := common.ModInt(N)
-	r := R.X()
-	si := modN.Add(modN.Mul(round.temp.m, round.temp.k), modN.Mul(r, round.temp.sigma))
+	rx := R.X()
+	ry := R.Y()
+	si := modN.Add(modN.Mul(round.temp.m, round.temp.k), modN.Mul(rx, round.temp.sigma))
 	// TODO: clear temp.k, temp.w
 
 	li := random.GetRandomPositiveInt(N)  // li
@@ -73,7 +74,8 @@ func (round *round5) Start() *tss.Error {
 	round.temp.roi = roI
 	round.temp.DPower = cmt.D
 	round.temp.si = si
-	round.temp.r = r
+	round.temp.rx = rx
+	round.temp.ry = ry
 	round.temp.bigR = R
 
 	return nil

diff --git a/ecdsa/signing/round_7.go b/ecdsa/signing/round_7.go
@@ -58,7 +58,7 @@ func (round *round7) Start() *tss.Error {
 	AX, AY := round.temp.bigAi.X(), round.temp.bigAi.Y()
 	minusM := modN.Sub(big.NewInt(0), round.temp.m)
 	gToMInvX, gToMInvY := tss.EC().ScalarBaseMult(minusM.Bytes())
-	minusR := modN.Sub(big.NewInt(0), round.temp.r)
+	minusR := modN.Sub(big.NewInt(0), round.temp.rx)
 	yToRInvX, yToRInvY := tss.EC().ScalarMult(round.key.ECDSAPub.X(), round.key.ECDSAPub.Y(), minusR.Bytes())
 	VX, VY := tss.EC().Add(gToMInvX, gToMInvY, yToRInvX, yToRInvY)
 	VX, VY = tss.EC().Add(VX, VY, round.temp.bigVi.X(), round.temp.bigVi.Y())