Ecdsa-sign-deterministic-prehashed
Sign a prehashed message using SHA-256.
The call
(ecdsa-sign-deterministic-prehashed mh privkey small-x? small-s?)
signs the already-hashed message mh
using SHA-256 when
applying HMAC.
Arguments:
- mh -- the already-hashed message to be signed, a list of bits.
- privkey -- the signer's private key, which is a positive integer
less than the elliptic curve order.
- small-x? -- a boolean flag that, when true, restricts the
ephemeral public key x coordinate
to be to be less than the elliptic curve order.
- small-s? -- a boolean flag that, when true, restricts the returned
s value to be less than q/2, where q is the elliptic
curve order.
Return values (using mv):
- error? -- a flag indicating any sort of error was detected.
Please report errors, but do not send a private key that is in use.
- x-index -- an index from 0 to the curve cofactor h,
which can be used to recover the x coordinate of the ephemeral public
key from r. If the argument small-x? is true, x-index will be 0.
- y-even? -- a flag indicating whether the y coordinate of the
ephemeral public key was even or odd. This, along with r and
x-index, can be used to recover the y coordinate of the ephemeral
public key.
- r -- the x coordinate of the ephemeral public key, modulo the
elliptic curve group order, considered the first part of the signature.
- s -- the second part of the signature.
Definitions and Theorems
Function: ecdsa-sign-deterministic-prehashed
(defun ecdsa-sign-deterministic-prehashed
(mh privkey small-x? small-s?)
(declare (xargs :guard (and (true-listp mh)
(all-unsigned-byte-p 1 mh)
(posp privkey)
(< privkey *q*)
(booleanp small-x?))))
(b* (((mv error? x-index y-even? r s)
(ecdsa-sign-deterministic-prehashed-aux mh privkey small-x?))
((when error?) (mv error? 0 nil 0 0)))
(if small-s?
(b* (((mv x-index y-even? r s)
(ecdsa-ensure-s-below-q/2 x-index y-even? r s)))
(mv nil x-index y-even? r s))
(mv nil x-index y-even? r s))))
