ddn.crypto.signature.ecdsa

ECDSA (Elliptic Curve Digital Signature Algorithm) Implementation (FIPS 186-4).

Constant-Time Implementation: This module uses constant-time

scalar multiplication to prevent timing side-channel attacks. The point multiplication executes in constant time regardless of the scalar value.

alias HashFactory

struct JPoint

class DeterministicECDSASigner ECDSASigner ECDSAVerifier

fn affineFromJacobian bigEndianToBigInt bigIntToBigEndian ctSelectJPoint curveFieldByteLength curveOrderBitLength jacobianAdd jacobianDouble modInverse pointAdd pointDouble pointMul posMod rfc6979Nonce toJacobian

Types 5

aliasHashFactory = Hash delegate()

Delegate to create a new Hash instance

structJPoint

Fields

BigInt X

bool atInfinity

Methods

JPoint infinity()

classECDSASigner : Signer

Fields

private ECDSAPrivateKey _key

private Hash _hash

private HashFactory _hashFactory

private Random _rng

private CurveDescriptor _curve

private size_t _coordBytes

Methods

void init(PrivateKey key)

void update(const(ubyte)[] input)

ubyte[] sign()

private BigInt bitsToInt(ubyte[] digest)

Constructors

this(HashFactory hashFactory, Random rng)

classECDSAVerifier : Verifier

Fields

private ECDSAPublicKey _key

private Hash _hash

private HashFactory _hashFactory

private CurveDescriptor _curve

private size_t _coordBytes

Methods

void init(PublicKey key)

void update(const(ubyte)[] input)

bool verify(const(ubyte)[] signature)

private BigInt bitsToInt(ubyte[] digest)

Constructors

this(HashFactory hashFactory)

classDeterministicECDSASigner : Signer

Deterministic ECDSA signer using RFC 6979 nonce generation.

This signer produces reproducible signatures without requiring a random number generator. The nonce k is derived deterministically from the private key and the message hash using HMAC-DRBG as specified in RFC 6979.

This is useful for:

Test reproducibility and known-answer verification
Environments where RNG quality is uncertain
Avoiding catastrophic nonce-reuse failures

Fields

private ECDSAPrivateKey _key

private Hash _hash

private HashFactory _hashFactory

private CurveDescriptor _curve

private size_t _coordBytes

Methods

void init(PrivateKey key)

void update(const(ubyte)[] input)

ubyte[] sign()Signs the accumulated message using RFC 6979 deterministic nonce.

private BigInt bitsToInt(ubyte[] digest)

Constructors

this(HashFactory hashFactory)Constructs a deterministic ECDSA signer.

Functions 15

fnBigInt posMod(BigInt x, BigInt m)

fnJPoint jacobianDouble(JPoint P, BigInt mod, BigInt a)

fnJPoint jacobianAdd(JPoint P, JPoint Q, BigInt mod, BigInt a)

fnPoint affineFromJacobian(JPoint P, BigInt mod)

fnJPoint toJacobian(Point P)

fnPoint pointMul(Point P, BigInt k, BigInt mod, BigInt a)Constant-time scalar multiplication using double-and-add-always.

fnJPoint ctSelectJPoint(uint condition, JPoint a, JPoint b) pure nothrow @safeConstant-time Jacobian point selection.

private fnPoint pointAdd(Point P, Point Q, BigInt mod, BigInt a)

private fnPoint pointDouble(Point P, BigInt mod, BigInt a)

private fnBigInt modInverse(BigInt a, BigInt n)

private fnBigInt bigEndianToBigInt(const(ubyte)[] bytes)

private fnubyte[] bigIntToBigEndian(BigInt x, size_t len)

private fnsize_t curveFieldByteLength(string curveName) pureReturns the byte length of a field element for the given curve.

private fnsize_t curveOrderBitLength(string curveName) pureReturns the bit length of the curve order n.

private fn

BigInt rfc6979Nonce(BigInt x,  const(ubyte)[]  digest,
       BigInt q,  size_t qLen,  size_t qBitLen,  HashFactory hashFactory)

Generates a deterministic ECDSA nonce k per RFC 6979 Section 3.2.