@bsv/sdk 1.9.29 → 1.9.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.9.29",
+  "version": "1.9.30",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/primitives/ECDSA.ts

@@ -39,6 +39,15 @@ function truncateToN (
   }
 }
 
+function bnToBigInt (bn: BigNumber): bigint {
+  const bytes = bn.toArray('be')
+  let x = 0n
+  for (let i = 0; i < bytes.length; i++) {
+    x = (x << 8n) | BigInt(bytes[i])
+  }
+  return x
+}
+
 const curve = new Curve()
 const bytes = curve.n.byteLength()
 const ns1 = curve.n.subn(1)
@@ -65,18 +74,15 @@ export const sign = (
   forceLowS: boolean = false,
   customK?: BigNumber | ((iter: number) => BigNumber)
 ): Signature => {
-  // —— prepare inputs ────────────────────────────────────────────────────────
   msg = truncateToN(msg)
-  const msgBig = BigInt('0x' + msg.toString(16))
-  const keyBig = BigInt('0x' + key.toString(16))
+  const msgBig = bnToBigInt(msg)
+  const keyBig = bnToBigInt(key)
 
-  // DRBG seeding identical to previous implementation
   const bkey = key.toArray('be', bytes)
   const nonce = msg.toArray('be', bytes)
   const drbg = new DRBG(bkey, nonce)
 
   for (let iter = 0; ; iter++) {
-    // —— k generation & basic validity checks ───────────────────────────────
     let kBN =
       typeof customK === 'function'
         ? customK(iter)
@@ -84,31 +90,29 @@ export const sign = (
           ? customK
           : new BigNumber(drbg.generate(bytes), 16)
 
-    if (kBN == null) throw new Error('k is undefined')
+    if (kBN == null) {
+      throw new Error('k is undefined')
+    }
+
     kBN = truncateToN(kBN, true)
 
     if (kBN.cmpn(1) < 0 || kBN.cmp(ns1) > 0) {
       if (BigNumber.isBN(customK)) {
-        throw new Error('Invalid fixed custom K value (must be >1 and <N‑1)')
+        throw new Error('Invalid fixed custom K value (must be >1 and <N-1)')
       }
       continue
     }
 
-    const kBig = BigInt('0x' + kBN.toString(16))
+    const R = curve.g.mulCT(kBN)
 
-    // —— R = k·G (Jacobian, window‑NAF) ──────────────────────────────────────
-    const R = scalarMultiplyWNAF(kBig, { x: GX_BIGINT, y: GY_BIGINT })
-    if (R.Z === 0n) { // point at infinity – should never happen for valid k
+    if (R.isInfinity()) {
       if (BigNumber.isBN(customK)) {
         throw new Error('Invalid fixed custom K value (k·G at infinity)')
       }
       continue
     }
 
-    // affine X coordinate of R
-    const zInv = biModInv(R.Z)
-    const zInv2 = biModMul(zInv, zInv)
-    const xAff = biModMul(R.X, zInv2)
+    const xAff = BigInt('0x' + R.getX().toString(16))
     const rBig = modN(xAff)
 
     if (rBig === 0n) {
@@ -118,7 +122,7 @@ export const sign = (
       continue
     }
 
-    // —— s = k⁻¹ · (msg + r·key)  mod n ─────────────────────────────────────
+    const kBig = BigInt('0x' + kBN.toString(16))
     const kInv = modInvN(kBig)
     const rTimesKey = modMulN(rBig, keyBig)
     const sum = modN(msgBig + rTimesKey)
@@ -131,12 +135,10 @@ export const sign = (
       continue
     }
 
-    // low‑S mitigation (BIP‑62/BIP‑340 style)
     if (forceLowS && sBig > halfN) {
       sBig = N_BIGINT - sBig
     }
 
-    // —— convert back to BigNumber & return ─────────────────────────────────
     const r = new BigNumber(rBig.toString(16), 16)
     const s = new BigNumber(sBig.toString(16), 16)
     return new Signature(r, s)
@@ -163,18 +165,18 @@ export const sign = (
  */
 export const verify = (msg: BigNumber, sig: Signature, key: Point): boolean => {
 // Convert inputs to BigInt
-  const hash = BigInt('0x' + msg.toString(16))
+  const hash = bnToBigInt(msg)
   if ((key.x == null) || (key.y == null)) {
     throw new Error('Invalid public key: missing coordinates.')
   }
 
   const publicKey = {
-    x: BigInt('0x' + key.x.toString(16)),
-    y: BigInt('0x' + key.y.toString(16))
+    x: bnToBigInt(key.x),
+    y: bnToBigInt(key.y)
   }
   const signature = {
-    r: BigInt('0x' + sig.r.toString(16)),
-    s: BigInt('0x' + sig.s.toString(16))
+    r: bnToBigInt(sig.r),
+    s: bnToBigInt(sig.s)
   }
 
   const { r, s } = signature

package/src/primitives/Point.ts

@@ -3,6 +3,21 @@ import JPoint from './JacobianPoint.js'
 import BigNumber from './BigNumber.js'
 import { toArray, toHex } from './utils.js'
 
+function ctSwap (
+  swap: bigint,
+  a: JacobianPointBI,
+  b: JacobianPointBI
+): void {
+  const mask = -swap
+  const swapX = (a.X ^ b.X) & mask
+  const swapY = (a.Y ^ b.Y) & mask
+  const swapZ = (a.Z ^ b.Z) & mask
+
+  a.X ^= swapX; b.X ^= swapX
+  a.Y ^= swapY; b.Y ^= swapY
+  a.Z ^= swapZ; b.Z ^= swapZ
+}
+
 // -----------------------------------------------------------------------------
 // BigInt helpers & constants (secp256k1) – hoisted so we don't recreate them on
 // every Point.mul() call.
@@ -102,6 +117,10 @@ export const jpDouble = (P: JacobianPointBI): JacobianPointBI => {
   return { X: X3, Y: Y3, Z: Z3 }
 }
 
+// NOTE:
+// jpAdd contains conditional branches.
+// In mulCT, jpAdd and jpDouble are executed in a fixed pattern
+// independent of scalar bits, satisfying TOB-4 constant-time requirements.
 export const jpAdd = (P: JacobianPointBI, Q: JacobianPointBI): JacobianPointBI => {
   if (P.Z === BI_ZERO) return Q
   if (Q.Z === BI_ZERO) return P
@@ -734,13 +753,17 @@ export default class Point extends BasePoint {
       return this
     }
 
-    let kBig = BigInt('0x' + k.toString(16))
-    const isNeg = kBig < BI_ZERO
-    if (isNeg) kBig = -kBig
+    const isNeg = k.isNeg()
+    const kAbs = isNeg ? k.neg() : k
+    let kBig = BigInt('0x' + kAbs.toString(16))
+
     kBig = biMod(kBig)
     if (kBig === BI_ZERO) {
       return new Point(null, null)
     }
+    if (kBig === BI_ZERO) {
+      return new Point(null, null)
+    }
 
     if (this.x === null || this.y === null) {
       throw new Error('Point coordinates cannot be null')
@@ -774,6 +797,55 @@ export default class Point extends BasePoint {
     return result
   }
 
+  mulCT (k: BigNumber | number | number[] | string): Point {
+    if (!BigNumber.isBN(k)) {
+      k = new BigNumber(k as any, 16)
+    }
+    k = k as BigNumber
+
+    if (this.inf) return new Point(null, null)
+
+    // ✅ SAFE sign handling (this is the fix)
+    const isNeg = k.isNeg()
+    const kAbs = isNeg ? k.neg() : k
+    let kBig = BigInt('0x' + kAbs.toString(16))
+
+    kBig = biMod(kBig)
+    if (kBig === 0n) return new Point(null, null)
+
+    const Px =
+      this === this.curve.g
+        ? GX_BIGINT
+        : BigInt('0x' + this.getX().toString(16))
+
+    const Py =
+      this === this.curve.g
+        ? GY_BIGINT
+        : BigInt('0x' + this.getY().toString(16))
+
+    let R0: JacobianPointBI = { X: 0n, Y: 1n, Z: 0n }
+    let R1: JacobianPointBI = { X: Px, Y: Py, Z: 1n }
+
+    const bits = kBig.toString(2)
+    for (let i = 0; i < bits.length; i++) {
+      const bit = bits[i] === '1' ? 1n : 0n
+      ctSwap(bit, R0, R1)
+      R1 = jpAdd(R0, R1)
+      R0 = jpDouble(R0)
+      ctSwap(bit, R0, R1)
+    }
+
+    if (R0.Z === 0n) return new Point(null, null)
+
+    const zInv = biModInv(R0.Z)
+    const zInv2 = biModMul(zInv, zInv)
+    const x = biModMul(R0.X, zInv2)
+    const y = biModMul(R0.Y, biModMul(zInv2, zInv))
+
+    const result = new Point(x.toString(16), y.toString(16))
+    return isNeg ? result.neg() : result
+  }
+
   /**
    * Performs a multiplication and addition operation in a single step.
    * Multiplies this Point by k1, adds the resulting Point to the result of p2 multiplied by k2.

package/src/primitives/PrivateKey.ts

@@ -260,7 +260,7 @@ export default class PrivateKey extends BigNumber {
    */
   toPublicKey (): PublicKey {
     const c = new Curve()
-    const p = c.g.mul(this)
+    const p = c.g.mulCT(this)
     return new PublicKey(p.x, p.y)
   }
 
@@ -352,7 +352,7 @@ export default class PrivateKey extends BigNumber {
     if (!key.validate()) {
       throw new Error('Public key not valid for ECDH secret derivation')
     }
-    return key.mul(this)
+    return key.mulCT(this)
   }
 
   /**

package/src/primitives/PublicKey.ts

@@ -114,7 +114,7 @@ export default class PublicKey extends Point {
     if (!this.validate()) {
       throw new Error('Public key not valid for ECDH secret derivation')
     }
-    return this.mul(priv)
+    return this.mulCT(priv)
   }
 
   /**

package/src/primitives/__tests/ECDSA.test.ts

@@ -117,4 +117,16 @@ describe('ECDSA', () => {
       ECDSA.verify(msg, signature, infinityPub)
     ).toThrow()
   })
+
+  it('sign/verify works with large private key (mulCT stress)', () => {
+    const bigKey = new BigNumber(
+      'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd036413f',
+      16
+    )
+
+    const sig = ECDSA.sign(msg, bigKey)
+    const pub = curve.g.mul(bigKey)
+
+    expect(ECDSA.verify(msg, sig, pub)).toBe(true)
+  })
 })

package/src/primitives/__tests/Point.test.ts

@@ -1,4 +1,5 @@
 import Point from '../../primitives/Point'
+import BigNumber from '../../primitives/BigNumber'
 
 describe('Point.fromJSON / fromDER / fromX curve validation (TOB-24)', () => {
   it('rejects clearly off-curve coordinates', () => {
@@ -50,3 +51,62 @@ describe('Point.fromJSON / fromDER / fromX curve validation (TOB-24)', () => {
     expect(() => Point.fromX(badX, true)).toThrow(/Invalid point/)
     })
 })
+
+describe('Point.mulCT (constant-time scalar multiplication)', () => {
+  const G = Point.fromString(
+    '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'
+  )
+
+  it('returns point at infinity for scalar = 0', () => {
+    const r = G.mulCT(0)
+    expect(r.isInfinity()).toBe(true)
+  })
+
+  it('matches regular mul for small scalar', () => {
+    const k = 5
+    const r1 = G.mul(k)
+    const r2 = G.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('matches regular mul for large scalar', () => {
+    const k =
+      'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
+
+    const r1 = G.mul(k)
+    const r2 = G.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('works with non-generator base point', () => {
+    const base = G.mul(3)
+    const k = 11
+
+    const r1 = base.mul(k)
+    const r2 = base.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('handles alternating bit patterns (ctSwap exercised)', () => {
+    // 101010... pattern forces both swap paths
+    const k = BigInt(
+      '0b101010101010101010101010101010101010101010101010101010101010101'
+    )
+
+    const r1 = G.mul(k.toString(10))
+    const r2 = G.mulCT(k.toString(10))
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('handles negative scalars correctly', () => {
+    const k = new BigNumber('123456', 16)
+    const r1 = G.mul(k.neg())
+    const r2 = G.mulCT(k.neg())
+    expect(r2.eq(r1)).toBe(true)
+  })
+})
+