Merge branch '28-crypto-add-ecdsa-signature-and-recovery-support'

steven-varga · steven-varga · commit 680908c003c7 · 2025-07-10T22:10:42.000-04:00
diff --git a/README.md b/README.md
@@ -90,8 +90,17 @@ is_point_on_curve(curve.G, curve)      # true, G generator point defines the cyc
 H("byte size hash of a string")        # hashes string to a byte, given the abelian group is byte size
 H₁₆("16 bit hash")                     # in case you need more hash space
 H₈("is same") == H("is same")          # true, it is just a alias, smae as H8 
+
+## ECDSA Signature and Public Key Recovery Example
+priv, pub = genkey(curve)                     # Key generation
+msg = "hello ethereum"                        # Message to sign
+signature = sign(curve, priv, msg)            # returns a NamedTuple (r = ..., s = ..., v = ...)
+is_valid = verify(curve, pub, signature, msg) # Signature verification true
+recovered = ecrecover(curve, msg, signature)  # Public key recovery from signature
+@assert pub == recovered                      # Check if recovered public key matches original
 ```
 
+
 ## Installation
 ```
 using Pkg
diff --git a/examples/ecdsa.jl b/examples/ecdsa.jl
@@ -0,0 +1,60 @@
+
+using TinyCrypto
+
+# ─────────────────────────────────────────────────────────────────────────────
+# ECDSA Signature and Public Key Recovery Example
+# ─────────────────────────────────────────────────────────────────────────────
+
+priv, pub = genkey(curve)                     # Key generation
+msg = "hello ethereum"                        # Message to sign
+signature = sign(curve, priv, msg)            # returns a NamedTuple (r = ..., s = ..., v = ...)
+is_valid = verify(curve, pub, signature, msg) # Signature verification true
+recovered = ecrecover(curve, msg, signature)  # Public key recovery from signature
+@assert pub == recovered                      # Check if recovered public key matches originald
+
+# ─────────────────────────────────────────────────────────────────────────────
+# The following steps (0–7) manually walk through the ECDSA signing and verification 
+# process to illustrate what happens under the hood. The goal is to help understand 
+# the mathematical structure behind the cryptographic operations shown above.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# 1. Define a toy Weierstrass curve over 𝔽₃₁ with G of order 37
+curve = Weierstrass(31, 6, 9, 37, 1, (0, 3))
+# Weierstrass{𝔽₃₁}: y² = x³ + 6x + 9 | G = (0,3), order = 37, cofactor = 1
+
+# 2. Create a mock blockchain transaction
+tx = "hello ethereum"
+
+# 3. Hash it (you fake Keccak256 with H₈ → SHA256 first 8 bytes)
+z = Int(H₈(tx)) % curve.order  # H₈ returns UInt8; convert to Int for modular arithmetic
+
+# 4. Generate keypair
+priv = rand(1:curve.order - 1)          # private key is a uniformly random integer in [1, curve order − 1]
+pub  = priv * curve.G                   # public key is the scalar multiple of the generator: pub = priv · G
+
+r,s,v = 0,0,0
+# 5. Sign: create ephemeral scalar `k` and calculate signature (r, s)
+while true
+    k = rand(1:curve.order - 1)             # draw a random ephemeral scalar used once per signature
+    R = k * curve.G                         # then construct an ephemeral public point R = k·G on the curve
+    v = isodd(R.point.y.val) ? 1 : 0        # and compute the parity (Ethereum) bit from LSB of y which is used for ECrecover
+
+    r = mod(R.point.x, curve.order)         # use x-coordinate of R as first signature component
+    k_inv = invmod(k, curve.order)          # compute modular inverse of ephemeral scalar
+    s = mod(k_inv * (z + r * priv), curve.order)  # second signature component s = k⁻¹(z + r·priv) mod n
+
+    if r ≠ 0 && s ≠ 0 break end             # loop until suitable `k` is found
+end
+
+# 6. The signature is (r, s, v + 27)   `27` roots back to early Bitcoin compact signatures, parity bit is used on Ethereum
+# whereas Bitcoin uses recovery ID : = {0,1,2,3}  
+println("Signature: (r = $r, s = $s, v = $(v + 27))")
+
+# 7. Verification
+s_inv = invmod(s, curve.order)               # compute inverse of signature scalar s⁻¹ mod n
+u₁ = z * s_inv % curve.order                 # u₁ = z · s⁻¹ mod n
+u₂ = r * s_inv % curve.order                 # u₂ = r · s⁻¹ mod n
+P = u₁ * curve.G + u₂ * pub                  # recover point P = u₁·G + u₂·Q (should equal R)
+
+is_valid = mod(P.point.x, curve.order) == r  # check if recovered R.x matches r component
+println("Signature valid? ", is_valid)
diff --git a/src/TinyCrypto.jl b/src/TinyCrypto.jl
@@ -14,13 +14,17 @@ include("core/ecpoint.jl")
 include("curves/weierstrass.jl")
 include("curves/montgomery.jl")
 include("curves/edwards.jl")
-    # Re-export core symbols for public API
-    export @define, @attach
-    export H, H₈, H₁₆, H8, H16
-    export Fp, 𝔽ₚ
-    export is_prime, primes, mod_inverse
-    export Point, ∞, Curve, ECPoint, Infinity
-    export Weierstrass, Montgomery, Edwards, TwistedEdwards
-    export infinity, is_infinity, is_identity
-    export point_add, scalar_mult, curve_points, subgroup_points, is_generator, is_point_on_curve, inverse, is_singular
+# Re-export core symbols for public API
+export @define, @attach
+export H, H₈, H₁₆, H8, H16
+export Fp, 𝔽ₚ
+export is_prime, primes, mod_inverse
+export Point, ∞, Curve, ECPoint, Infinity
+export Weierstrass, Montgomery, Edwards, TwistedEdwards
+export infinity, is_infinity, is_identity
+export point_add, scalar_mult, curve_points, subgroup_points, is_generator, is_point_on_curve, inverse, is_singular
+
+include("core/ecdsa.jl")
+    import .ECDSA: sign, verify, genkey, ecrecover
+    export genkey, sign, verify, ecrecover
 end
diff --git a/src/core/ecdsa.jl b/src/core/ecdsa.jl
@@ -0,0 +1,71 @@
+module ECDSA
+    import Base: sign    
+    using ..TinyCrypto: H₈, invmod, isodd
+    using ..TinyCrypto: Weierstrass, Point, ECPoint
+
+    export genkey, sign, verify
+
+    function genkey(curve::Weierstrass)
+        priv = rand(1:curve.order - 1)
+        pub  = priv * curve.G
+        return priv, pub
+    end
+
+    function sign(curve::Weierstrass, priv, msg::AbstractString)
+        z = Int(H₈(msg)) % curve.order  # hash message to scalar mod curve order
+
+        while true
+            k = rand(1:curve.order - 1)
+            R = k * curve.G
+            r = mod(R.point.x, curve.order)
+            if r == 0 continue end  # Ensure r ≠ 0
+            k_inv = invmod(k, curve.order)
+            s = mod(k_inv * (z + r * priv), curve.order)
+            if s ≠ 0
+                parity = isodd(R.point.y.val) ? 1 : 0
+                return (r = r, s = s, v = parity)
+            end
+        end
+    end
+
+    function verify(curve::Weierstrass, pub, sig, msg::AbstractString)
+        r, s = sig.r, sig.s
+        if !(1 <= r < curve.order && 1 <= s < curve.order) return false end
+        #if !is_point_on_curve(pub, curve) return false end
+        z = Int(H₈(msg)) % curve.order
+        s_inv = invmod(s, curve.order)
+        u₁ = z * s_inv % curve.order
+        u₂ = r * s_inv % curve.order
+        P = u₁ * curve.G + u₂ * pub
+        return mod(P.point.x, curve.order) == r
+    end
+    function ecrecover(curve::Weierstrass, msg::AbstractString, r::Int, s::Int, v::Int)
+        n, π = curve.order, curve.π
+        z = Int(H₈(msg)) % n
+        x_candidates = [r + k*n for k in 0:div(π,n) if r + k*n < π]
+    
+        for x in x_candidates
+            α = mod(x^3 + curve.a * x + curve.b, π)
+            y_candidates = [y for y in 0:π-1 if y^2 % π == α]
+            for y in y_candidates
+                if isodd(y) == v
+                    R = ECPoint(x, y, curve)
+                    r_inv = invmod(r, n)
+                    sR = s * R
+                    zG = z * curve.G
+                    neg_zG = ECPoint(zG.point.x, -zG.point.y, curve)  # handle point negation properly
+                    pub = r_inv * (sR + neg_zG)
+                    return pub
+                end
+            end
+        end
+        return nothing
+    end
+    function ecrecover(curve::Weierstrass, msg::AbstractString, signature::NTuple{3,Int})
+        r,s,v = signature
+        return ecrecover(curve, msg, r,s,v)
+    end
+    function ecrecover(curve::Weierstrass, msg::AbstractString, signature::NamedTuple{(:r, :s, :v), <:Tuple{<:Integer, <:Integer, <:Integer}})
+        return ecrecover(curve, msg, signature.r, signature.s, signature.v)
+    end
+end
diff --git a/src/core/ecpoint.jl b/src/core/ecpoint.jl
@@ -24,6 +24,19 @@ struct ECPoint{T,C<:Curve}
     curve::C
 end
 ECPoint(curve::C) where {C<:Curve} = ECPoint(typeof(curve.G.point.x), curve)
+function ECPoint(x::T, y::T, curve::C) where {T<:Fp, C<:Curve}
+    return ECPoint(Point{T}(x, y), curve)
+end
+function ECPoint(x::Integer, y::Integer, curve::C) where {C<:Curve}
+    T = typeof(curve.G.point.x)
+    P = Point{T}(T(x), T(y))
+    if !is_point_on_curve(P, curve)
+        throw(ArgumentError("Point ($(x), $(y)) is not on the given curve."))
+    end
+    return ECPoint(P, curve)
+end
+
+
 
 # Infinity
 is_infinity(P::Point) = P.x === nothing && P.y === nothing
@@ -43,6 +56,9 @@ Base.:*(k::Integer, A::ECPoint{T,C}) where {T,C<:Curve} = is_infinity(A) || is_i
 Base.:-(A::ECPoint{T,C}, B::ECPoint{T,C}) where {T,C<:Curve} = A + (-B)
 point_neg(P::Point{T}, curve::C) where {T<:Fp, C<:Curve} = error("point_neg not implemented for curve $(typeof(curve))")
 Base.:-(A::ECPoint{T,C}) where {T<:Fp, C<:Curve} = is_infinity(A) ? A : ECPoint(point_neg(A.point, A.curve), A.curve)
+Base.:(∈)(curve::Curve, P::ECPoint) = in(P, curve)
+Base.in(P::ECPoint, curve::Curve) = is_point_on_curve(P.point, curve)
+Base.:∉(P::ECPoint, curve::Curve) = !in(P, curve)
 
 is_infinity(P::ECPoint) = is_infinity(P.point)
 is_identity(P::Point{F}, curve::C) where {F<:Fp, C<:Curve} = P == identity(curve)
