I am trying to follow the instructions in https://www.secg.org/sec1-v2.pdf section 4.1.6.

Output: An elliptic curve public key Q for which (r, s) is a valid signature on message M.

Actions: Find public key Q as follows.

1. For j from 0 to h do the following.
1.1. Let x = r + jn.
1.2. Convert the integer x to an octet string X of length mlen using the conversion routine specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉.
1.3. Convert the octet string 02₁₆ ‖ X to an elliptic curve point R using the conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then do another iteration of Step 1.
1.4. If nR ≠ O, then do another iteration of Step 1.
1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
1.6. For k from 1 to 2 do the following.
1.6.1. Compute a candidate public key as: Q = r^(-1)(sR − eG).

The code so far:
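    #include <iostream>
    #include <string>
    #include <cryptopp/eccrypto.h>
    #include <cryptopp/ecp.h>
    #include <cryptopp/integer.h>
    #include <cryptopp/oids.h>
    #include <cryptopp/secblock.h>
    #include <cryptopp/sha.h>

    using namespace CryptoPP;

    int main()
    {
        DL_GroupParameters_EC<ECP> params = ASN1::secp256k1();
        const ECP& curve = params.GetCurve();
        const Integer& n = params.GetSubgroupOrder();

        // A trailing 'h' makes Crypto++ parse the string as hexadecimal
        // (without it the string is read as decimal).
        Integer r("eefd86d83fd068cf979cfb11bf0696c66fc568ee342319a733ac9e804d6ea88dh");
        Integer s("0c12365ddc49f1b631c4c4a80764f8938afdd05563e00cff367da7cb715fccf1h");
        std::string message =
            "e9128504a817c80082520894787945765ac5a4f186a13e702664d6ecb78f57b68203e880830138818080";

        // SHA-256 over the characters of the string above
        // (the hex text itself, not the decoded bytes).
        byte hash[SHA256::DIGESTSIZE];
        SHA256().CalculateDigest(hash, (const byte*)message.data(), message.size());
        Integer e(hash, SHA256::DIGESTSIZE);

        for (int j = 0; j <= params.GetCofactor(); ++j)
        {
            // Step 1.1
            Integer x = r + j * n;
            // x must be a field element, otherwise it does not fit in mlen octets.
            if (x >= curve.GetField().GetModulus())
                continue;

            // Steps 1.2 and 1.3: build 02 || X (compressed point, mlen octets for X).
            const size_t mlen = curve.GetField().MaxElementByteLength();
            SecByteBlock encoded(1 + mlen);
            encoded[0] = 0x02;
            x.Encode(encoded.BytePtr() + 1, mlen);

            ECP::Point R;
            if (!curve.DecodePoint(R, encoded.BytePtr(), encoded.SizeInBytes()))
            {
                std::cout << "Invalid point. Trying another iteration." << std::endl;
                continue;
            }

            // Step 1.4: nR must be the point at infinity (multiply by n, not by e).
            if (!curve.Multiply(n, R).identity)
            {
                std::cout << "nR is not the point at infinity. Trying another iteration."
                          << std::endl;
                continue;
            }

            for (int k = 1; k <= 2; ++k)
            {
                // Compute a candidate public key ...
            }
        }
        return 0;
    }
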
Any idea how to compute a candidate public key, considering that according to the manual it is Q = r^(-1)(sR − eG)?

On Thursday, November 9, 2023 at 08:54:44 UTC-3, Ricardo Alex wrote:
> According to https://www.secg.org/sec1-v2.pdf
>
> In section 4.1.6 Public Key Recovery Operation it's possible to
> recover the public key Q, at least to within a small number of choices,
> given an ECDSA signature (r, s) and EC domain parameters.
>
> Input: The public key recovery operation takes as input:
>
> 1. Elliptic curve domain parameters T = (p, a, b, G, n, h) or T = (m,
> f(x), a, b, G, n, h) at the desired security level.
> 2. A message M.
> 3. An ECDSA signature value (r, s) that is valid on message M for some
> public key to be determined.
>
> Is it possible to achieve that using the crypto++ library?
>
--
You received this message because you are subscribed to the Google Groups
"Crypto++ Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/cryptopp-users/6dc529f2-9adc-4894-9134-b52b705bfef6n%40googlegroups.com.
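
The recovery steps quoted from SEC 1 section 4.1.6, including the candidate computation Q = r^(-1)(sR − eG), carried through on secp256k1 as an added example. It is not part of the original post and is written in plain Python integers rather than Crypto++ so the arithmetic can be checked independently of the library. The helper names `add`, `mul`, `neg` and `recover` are hypothetical, e is assumed to be the already-computed integer from step 1.5, and the key, nonce and hash in the demo are constructed values.

```python
# secp256k1 domain parameters (a = 0, b = 7, cofactor h = 1)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity O
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return None if A is None else (A[0], -A[1] % P)

def recover(r, s, e, h=1):
    """Return every candidate public key for signature (r, s) on hash integer e."""
    out = []
    for j in range(h + 1):
        x = r + j * N                             # step 1.1
        if x >= P: continue                       # not a field element
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)             # square root, valid as P % 4 == 3
        if y * y % P != rhs: continue             # step 1.3 outputs "invalid"
        if y & 1: y = P - y                       # the 02 prefix selects the even y
        R = (x, y)
        if mul(N, R) is not None: continue        # step 1.4: nR must be O
        for _ in range(2):                        # step 1.6: try R, then -R
            Q = mul(pow(r, -1, N), add(mul(s, R), neg(mul(e, G))))
            if Q is not None: out.append(Q)
            R = neg(R)
    return out

if __name__ == "__main__":
    d, k, e = 0x1234567, 0xABCDEF12345, 0xDEADBEEFCAFE   # constructed key, nonce, hash
    r = mul(k, G)[0] % N; s = pow(k, -1, N) * (e + r * d) % N
    print(mul(d, G) in recover(r, s, e))
```

Both returned candidates pass ECDSA verification for (r, s), which is why the caller needs extra information, such as a known address or key hash, to pick the authentic one.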