
"additional data" in HMacDSAKCalculator

Open schildbach opened this issue 3 years ago • 4 comments

This is a feature request.

In HMacDSAKCalculator, allow for the "additional data" field as per https://datatracker.ietf.org/doc/html/rfc6979#section-3.6

It's needed to grind for low R values, and probably other use cases as well, see https://github.com/bitcoin/bitcoin/pull/13666

schildbach avatar Jan 26 '22 21:01 schildbach

I've added an overridable method HMacDSAKCalculator#initAdditionalInput0 in which the HMac may be updated with additional input at the relevant point. Please note that a signer may be used for multiple signatures and therefore a single instance of HMacDSAKCalculator may perform several calculations.

peterdettman avatar Jan 27 '22 08:01 peterdettman

For the record, I just found another adaptation of the class here: https://github.com/bitcoin-s/bitcoin-s/blob/master/crypto/.jvm/src/main/scala/org/bitcoins/crypto/HMacDSAKCalculatorWithEntropy.scala

schildbach avatar Jan 27 '22 10:01 schildbach

Have you pushed your PR / commit already? I can't find it.

schildbach avatar Jan 27 '22 10:01 schildbach

It takes time to mirror. At a quick glance it should let you avoid duplicating most of that class, and subclass instead.

peterdettman avatar Jan 27 '22 12:01 peterdettman

Hey @peterdettman, I noticed that this additional data is only added to the first call of HMac_K, whereas other implementations (e.g. bitcoin-s and secp256k1) append it to the second call as well. This is resulting in divergent signatures when providing the same additional data across bouncy-castle vs. other impls.

Re-reading the spec, the correct behavior is ambiguous :/

zpv avatar Nov 20 '23 20:11 zpv

I've now added a second overridable method HMacDSAKCalculator#initAdditionalInput1 to make this more flexible.

peterdettman avatar Nov 21 '23 11:11 peterdettman
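The divergence discussed in this thread (additional data mixed into the first HMAC_K seeding step only, versus into both) is easiest to see by running the RFC 6979 nonce derivation directly. The following is an added, self-contained Python reference implementation written for this page; it is not bc-java code and does not use the HMacDSAKCalculator class. It follows RFC 6979 section 3.2 and appends the section 3.6 additional data k' in seeding steps (d) and (f); the `extra_in_step_f` switch turns the step (f) contribution off so the two behaviours can be compared. The key and expected nonce are the public P-256 / SHA-256 / "sample" test vector from RFC 6979 appendix A.2.5, not a real key. Mapping the two steps onto the thread's `initAdditionalInput0` and `initAdditionalInput1` hooks is an assumption based on the comments above, not something verified against the bc-java source.

```python
import hashlib
import hmac

# NIST P-256 group order and the private key from RFC 6979 appendix A.2.5
# (a published test vector, not a real key)
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
RFC6979_A25_PRIVKEY = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)


def bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 section 2.3.2: take the leftmost qlen bits as a big-endian integer."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    if blen > qlen:
        value >>= blen - qlen
    return value


def int2octets(value: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.3: fixed-width (rlen bytes) big-endian encoding."""
    return value.to_bytes(rlen, "big")


def bits2octets(data: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.4: bits2int, one conditional subtraction of q, int2octets."""
    z1 = bits2int(data, qlen)
    z2 = z1 - q
    if z2 < 0:
        z2 = z1
    return int2octets(z2, rlen)


def rfc6979_k(q: int, x: int, message: bytes, hashfunc=hashlib.sha256,
              extra: bytes = b"", extra_in_step_f: bool = True) -> int:
    """Deterministic nonce k per RFC 6979 section 3.2.

    `extra` is the section 3.6 additional data k'. With extra_in_step_f=True it is
    appended in both seeding steps (d) and (f), as section 3.6 describes; with
    False it is appended in step (d) only, so that the two variants can be compared.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size
    h1 = hashfunc(message).digest()          # step (a): h1 = H(m)

    V = b"\x01" * hlen                        # step (b)
    K = b"\x00" * hlen                        # step (c)
    body = int2octets(x, rlen) + bits2octets(h1, q, qlen, rlen)

    # step (d): K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
    K = hmac.new(K, V + b"\x00" + body + extra, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()     # step (e)
    # step (f): K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1) || k')
    step_f_extra = extra if extra_in_step_f else b""
    K = hmac.new(K, V + b"\x01" + body + step_f_extra, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()     # step (g)

    # step (h): produce candidates until one falls in [1, q-1]
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # rejected candidate: K = HMAC_K(V || 0x00), V = HMAC_K(V), try again
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def nonce_variants(message: bytes, extra: bytes) -> dict:
    """Return the nonces an implementation would produce with no additional data,
    with k' in steps (d) and (f), and with k' in step (d) only."""
    return {
        "plain": rfc6979_k(P256_ORDER, RFC6979_A25_PRIVKEY, message),
        "extra_both_steps": rfc6979_k(P256_ORDER, RFC6979_A25_PRIVKEY, message, extra=extra),
        "extra_step_d_only": rfc6979_k(P256_ORDER, RFC6979_A25_PRIVKEY, message,
                                       extra=extra, extra_in_step_f=False),
    }


if __name__ == "__main__":
    # constructed 32-byte additional data, e.g. a grinding counter padded to 32 bytes
    for name, k in nonce_variants(b"sample", (1).to_bytes(32, "big")).items():
        print(f"{name:18s} k = {k:064x}")
```

With no additional data both variants collapse to the plain RFC 6979 nonce, so the discrepancy is invisible until a caller actually supplies k'; interoperability tests between two libraries should therefore include a non-empty additional-data case, and any code that retries with a counter (as the grinding use case does) should state which steps the counter feeds.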