如何在Medtls库中使用ECDSA函数

时间:2018-12-25 18:42:13

标签: bitcoin ecdsa mbedtls

我正在使用ARM微控制器(Ambiq)上的mbedtls库(https://github.com/ARMmbed/mbedtls)。

我需要使用mbedtls_ecdsa_sign_det()函数来签署比特币交易。

实际上,我不确定这是否是正确的功能。

以下是该功能的文档:

Compute ECDSA signature of a previously hashed message, deterministic version (RFC 6979).

Parameters:
grp ECP group
r   First output integer
s   Second output integer
d   Private signing key
buf Message hash
blen    Length of buf
md_alg  MD algorithm used to hash the message
Returns:
0 if successful, or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code

The header file includes the following description:
/**
 * \brief           This function computes the ECDSA signature of a
 *                  previously-hashed message, deterministic version.
 *
 *                  For more information, see <em>RFC-6979: Deterministic
 *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
 *                  Curve Digital Signature Algorithm (ECDSA)</em>.
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
 *                  defined in <em>Standards for Efficient Cryptography Group
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
 * \see             ecp.h
 *
 * \param grp       The context for the elliptic curve to use.
 *                  This must be initialized and have group parameters
 *                  set, for example through mbedtls_ecp_group_load().
 * \param r         The MPI context in which to store the first part
 *                  the signature. This must be initialized.
 * \param s         The MPI context in which to store the second part
 *                  the signature. This must be initialized.
 * \param d         The private signing key. This must be initialized
 *                  and setup, for example through mbedtls_ecp_gen_privkey().
 * \param buf       The hashed content to be signed. This must be a readable
 *                  buffer of length \p blen Bytes. It may be \c NULL if
 *                  \p blen is zero.
 * \param blen      The length of \p buf in Bytes.
 * \param md_alg    The hash algorithm used to hash the original data.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
 *                  error code on failure.
 */
int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
                            mbedtls_mpi *s, const mbedtls_mpi *d,
                            const unsigned char *buf, size_t blen,
                            mbedtls_md_type_t md_alg );

此外,我没有找到如何使用此功能的示例。

我不知道如何初始化传递的指针grp,r,s和d。

1 个答案:

答案 0 :(得分:1)

从数学上讲,ECDSA signature是一对两个整数( r s )。函数mbedtls_ecdsa_sign_det为您提供两个整数rs作为输出,由您决定如何输出这些整数。 ECDSA签名有两种常见表示形式:以 r s 的固定大小表示形式并将它们放在一起,或以ASN.1序列的形式进行组合,通常采用DER格式(ASN.1允许使用多种表示形式,例如带有或不带有前导零,而DER是一种特定的ASN.1表示形式,不带有前导零)。 Bitcoin uses the DER representation。对您来说幸运的是,Mbed TLS具有直接输出此DER表示形式的功能:mbedtls_ecdsa_write_signature

ECDSA有两种变体:随机和确定性。无论如何,它们都会产生兼容的签名(确定性变体对随机参数使用特定的选择)。如果构建支持,mbedtls_ecdsa_write_signature使用确定性变量,否则使用随机变量。

这是对此函数的调用的样子。它接受以下输入:

unsigned char signature[2 * 32 + 9]; // "at least twice as large as the size of the curve used, plus 9"
size_t signature_length;
ret = mbedtls_ecdsa_write_signature(key, MBEDTLS_MD_SHA256, hash, 32,
                                    signature, &signature_length,
                                    mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret == 0) {
    // The signature is in the signature array. It is signature_length bytes long. 
} else ERROR();
相关问题
最新问题