crypto: add btcec fallback for sign/recover without cgo (#3680)

* vendor: add github.com/btcsuite/btcd/btcec

* crypto: add btcec fallback for sign/recover without cgo

This commit adds a non-cgo fallback implementation of secp256k1
operations.

* crypto, core/vm: remove wrappers for sha256, ripemd160

accounts/keystore/key.go

@@ -32,7 +32,6 @@ import (
 	"github.com/ethereum/go-ethereum/accounts"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 	"github.com/pborman/uuid"
 )
 
@@ -157,7 +156,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key {
 		panic("key generation: could not read from random source: " + err.Error())
 	}
 	reader := bytes.NewReader(randBytes)
-	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), reader)
+	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), reader)
 	if err != nil {
 		panic("key generation: ecdsa.GenerateKey failed: " + err.Error())
 	}
@@ -169,7 +168,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key {
 }
 
 func newKey(rand io.Reader) (*Key, error) {
-	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), rand)
+	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), rand)
 	if err != nil {
 		return nil, err
 	}

core/vm/contracts.go

@@ -17,11 +17,14 @@
 package vm
 
 import (
+	"crypto/sha256"
+
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 	"github.com/ethereum/go-ethereum/params"
+	"golang.org/x/crypto/ripemd160"
 )
 
 // Precompiled contract is the basic interface for native Go contracts. The implementation
@@ -35,8 +38,8 @@ type PrecompiledContract interface {
 // Precompiled contains the default set of ethereum contracts
 var PrecompiledContracts = map[common.Address]PrecompiledContract{
 	common.BytesToAddress([]byte{1}): &ecrecover{},
-	common.BytesToAddress([]byte{2}): &sha256{},
-	common.BytesToAddress([]byte{3}): &ripemd160{},
+	common.BytesToAddress([]byte{2}): &sha256hash{},
+	common.BytesToAddress([]byte{3}): &ripemd160hash{},
 	common.BytesToAddress([]byte{4}): &dataCopy{},
 }
 
@@ -88,31 +91,34 @@ func (c *ecrecover) Run(in []byte) []byte {
 }
 
 // SHA256 implemented as a native contract
-type sha256 struct{}
+type sha256hash struct{}
 
 // RequiredGas returns the gas required to execute the pre-compiled contract.
 //
 // This method does not require any overflow checking as the input size gas costs
 // required for anything significant is so high it's impossible to pay for.
-func (c *sha256) RequiredGas(inputSize int) uint64 {
+func (c *sha256hash) RequiredGas(inputSize int) uint64 {
 	return uint64(inputSize+31)/32*params.Sha256WordGas + params.Sha256Gas
 }
-func (c *sha256) Run(in []byte) []byte {
-	return crypto.Sha256(in)
+func (c *sha256hash) Run(in []byte) []byte {
+	h := sha256.Sum256(in)
+	return h[:]
 }
 
 // RIPMED160 implemented as a native contract
-type ripemd160 struct{}
+type ripemd160hash struct{}
 
 // RequiredGas returns the gas required to execute the pre-compiled contract.
 //
 // This method does not require any overflow checking as the input size gas costs
 // required for anything significant is so high it's impossible to pay for.
-func (c *ripemd160) RequiredGas(inputSize int) uint64 {
+func (c *ripemd160hash) RequiredGas(inputSize int) uint64 {
 	return uint64(inputSize+31)/32*params.Ripemd160WordGas + params.Ripemd160Gas
 }
-func (c *ripemd160) Run(in []byte) []byte {
-	return common.LeftPadBytes(crypto.Ripemd160(in), 32)
+func (c *ripemd160hash) Run(in []byte) []byte {
+	ripemd := ripemd160.New()
+	ripemd.Write(in)
+	return common.LeftPadBytes(ripemd.Sum(nil), 32)
 }
 
 // data copy implemented as a native contract

crypto/crypto.go

@@ -20,22 +20,21 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha256"
-	"fmt"
+	"encoding/hex"
+	"errors"
 	"io"
 	"io/ioutil"
 	"math/big"
 	"os"
 
-	"encoding/hex"
-	"errors"
-
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto/ecies"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 	"github.com/ethereum/go-ethereum/crypto/sha3"
 	"github.com/ethereum/go-ethereum/rlp"
-	"golang.org/x/crypto/ripemd160"
+)
+
+var (
+	secp256k1_N, _  = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
+	secp256k1_halfN = new(big.Int).Div(secp256k1_N, big.NewInt(2))
 )
 
 func Keccak256(data ...[]byte) []byte {
@@ -56,7 +55,6 @@ func Keccak256Hash(data ...[]byte) (h common.Hash) {
 }
 
 // Deprecated: For backward compatibility as other packages depend on these
-func Sha3(data ...[]byte) []byte          { return Keccak256(data...) }
 func Sha3Hash(data ...[]byte) common.Hash { return Keccak256Hash(data...) }
 
 // Creates an ethereum address given the bytes and the nonce
@@ -65,39 +63,16 @@ func CreateAddress(b common.Address, nonce uint64) common.Address {
 	return common.BytesToAddress(Keccak256(data)[12:])
 }
 
-func Sha256(data []byte) []byte {
-	hash := sha256.Sum256(data)
-
-	return hash[:]
-}
-
-func Ripemd160(data []byte) []byte {
-	ripemd := ripemd160.New()
-	ripemd.Write(data)
-
-	return ripemd.Sum(nil)
-}
-
-// Ecrecover returns the public key for the private key that was used to
-// calculate the signature.
-//
-// Note: secp256k1 expects the recover id to be either 0, 1. Ethereum
-// signatures have a recover id with an offset of 27. Callers must take
-// this into account and if "recovering" from an Ethereum signature adjust.
-func Ecrecover(hash, sig []byte) ([]byte, error) {
-	return secp256k1.RecoverPubkey(hash, sig)
-}
-
-// New methods using proper ecdsa keys from the stdlib
+// ToECDSA creates a private key with the given D value.
 func ToECDSA(prv []byte) *ecdsa.PrivateKey {
 	if len(prv) == 0 {
 		return nil
 	}
 
 	priv := new(ecdsa.PrivateKey)
-	priv.PublicKey.Curve = secp256k1.S256()
+	priv.PublicKey.Curve = S256()
 	priv.D = common.BigD(prv)
-	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(prv)
+	priv.PublicKey.X, priv.PublicKey.Y = priv.PublicKey.Curve.ScalarBaseMult(prv)
 	return priv
 }
 
@@ -112,15 +87,15 @@ func ToECDSAPub(pub []byte) *ecdsa.PublicKey {
 	if len(pub) == 0 {
 		return nil
 	}
-	x, y := elliptic.Unmarshal(secp256k1.S256(), pub)
-	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}
+	x, y := elliptic.Unmarshal(S256(), pub)
+	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}
 }
 
 func FromECDSAPub(pub *ecdsa.PublicKey) []byte {
 	if pub == nil || pub.X == nil || pub.Y == nil {
 		return nil
 	}
-	return elliptic.Marshal(secp256k1.S256(), pub.X, pub.Y)
+	return elliptic.Marshal(S256(), pub.X, pub.Y)
 }
 
 // HexToECDSA parses a secp256k1 private key.
@@ -164,7 +139,7 @@ func SaveECDSA(file string, key *ecdsa.PrivateKey) error {
 }
 
 func GenerateKey() (*ecdsa.PrivateKey, error) {
-	return ecdsa.GenerateKey(secp256k1.S256(), rand.Reader)
+	return ecdsa.GenerateKey(S256(), rand.Reader)
 }
 
 // ValidateSignatureValues verifies whether the signature values are valid with
@@ -175,49 +150,11 @@ func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool {
 	}
 	// reject upper range of s values (ECDSA malleability)
 	// see discussion in secp256k1/libsecp256k1/include/secp256k1.h
-	if homestead && s.Cmp(secp256k1.HalfN) > 0 {
+	if homestead && s.Cmp(secp256k1_halfN) > 0 {
 		return false
 	}
 	// Frontier: allow s to be in full N range
-	return r.Cmp(secp256k1.N) < 0 && s.Cmp(secp256k1.N) < 0 && (v == 0 || v == 1)
-}
-
-func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
-	s, err := Ecrecover(hash, sig)
-	if err != nil {
-		return nil, err
-	}
-
-	x, y := elliptic.Unmarshal(secp256k1.S256(), s)
-	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}, nil
-}
-
-// Sign calculates an ECDSA signature.
-//
-// This function is susceptible to chosen plaintext attacks that can leak
-// information about the private key that is used for signing. Callers must
-// be aware that the given hash cannot be chosen by an adversery. Common
-// solution is to hash any input before calculating the signature.
-//
-// The produced signature is in the [R || S || V] format where V is 0 or 1.
-func Sign(data []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) {
-	if len(data) != 32 {
-		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(data))
-	}
-
-	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8)
-	defer zeroBytes(seckey)
-	sig, err = secp256k1.Sign(data, seckey)
-	return
-}
-
-func Encrypt(pub *ecdsa.PublicKey, message []byte) ([]byte, error) {
-	return ecies.Encrypt(rand.Reader, ecies.ImportECDSAPublic(pub), message, nil, nil)
-}
-
-func Decrypt(prv *ecdsa.PrivateKey, ct []byte) ([]byte, error) {
-	key := ecies.ImportECDSA(prv)
-	return key.Decrypt(rand.Reader, ct, nil, nil)
+	return r.Cmp(secp256k1_N) < 0 && s.Cmp(secp256k1_N) < 0 && (v == 0 || v == 1)
 }
 
 func PubkeyToAddress(p ecdsa.PublicKey) common.Address {

crypto/crypto_test.go

@@ -28,7 +28,6 @@ import (
 	"time"
 
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 )
 
 var testAddrHex = "970e8128ab834e8eac17ab8e3812f010678cf791"
@@ -37,30 +36,12 @@ var testPrivHex = "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232
 // These tests are sanity checks.
 // They should ensure that we don't e.g. use Sha3-224 instead of Sha3-256
 // and that the sha3 library uses keccak-f permutation.
-func TestSha3(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45")
-	checkhash(t, "Sha3-256", func(in []byte) []byte { return Keccak256(in) }, msg, exp)
-}
-
 func TestSha3Hash(t *testing.T) {
 	msg := []byte("abc")
 	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45")
 	checkhash(t, "Sha3-256-array", func(in []byte) []byte { h := Keccak256Hash(in); return h[:] }, msg, exp)
 }
 
-func TestSha256(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
-	checkhash(t, "Sha256", Sha256, msg, exp)
-}
-
-func TestRipemd160(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")
-	checkhash(t, "Ripemd160", Ripemd160, msg, exp)
-}
-
 func BenchmarkSha3(b *testing.B) {
 	a := []byte("hello world")
 	amount := 1000000
@@ -170,7 +151,7 @@ func TestValidateSignatureValues(t *testing.T) {
 	minusOne := big.NewInt(-1)
 	one := common.Big1
 	zero := common.Big0
-	secp256k1nMinus1 := new(big.Int).Sub(secp256k1.N, common.Big1)
+	secp256k1nMinus1 := new(big.Int).Sub(secp256k1_N, common.Big1)
 
 	// correct v,r,s
 	check(true, 0, one, one)
@@ -197,9 +178,9 @@ func TestValidateSignatureValues(t *testing.T) {
 	// correct sig with max r,s
 	check(true, 0, secp256k1nMinus1, secp256k1nMinus1)
 	// correct v, combinations of incorrect r,s at upper limit
-	check(false, 0, secp256k1.N, secp256k1nMinus1)
-	check(false, 0, secp256k1nMinus1, secp256k1.N)
-	check(false, 0, secp256k1.N, secp256k1.N)
+	check(false, 0, secp256k1_N, secp256k1nMinus1)
+	check(false, 0, secp256k1nMinus1, secp256k1_N)
+	check(false, 0, secp256k1_N, secp256k1_N)
 
 	// current callers ensures r,s cannot be negative, but let's test for that too
 	// as crypto package could be used stand-alone
@@ -225,14 +206,13 @@ func checkAddr(t *testing.T, addr0, addr1 common.Address) {
 func TestPythonIntegration(t *testing.T) {
 	kh := "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232032"
 	k0, _ := HexToECDSA(kh)
-	k1 := FromECDSA(k0)
 
 	msg0 := Keccak256([]byte("foo"))
-	sig0, _ := secp256k1.Sign(msg0, k1)
+	sig0, _ := Sign(msg0, k0)
 
 	msg1 := common.FromHex("00000000000000000000000000000000")
-	sig1, _ := secp256k1.Sign(msg0, k1)
+	sig1, _ := Sign(msg0, k0)
 
-	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg0, k1, sig0)
-	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg1, k1, sig1)
+	t.Logf("msg: %x, privkey: %s sig: %x\n", msg0, kh, sig0)
+	t.Logf("msg: %x, privkey: %s sig: %x\n", msg1, kh, sig1)
 }

crypto/ecies/asn1.go

@@ -42,7 +42,7 @@ import (
 	"hash"
 	"math/big"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 )
 
 var (
@@ -120,7 +120,7 @@ func (curve secgNamedCurve) Equal(curve2 secgNamedCurve) bool {
 func namedCurveFromOID(curve secgNamedCurve) elliptic.Curve {
 	switch {
 	case curve.Equal(secgNamedCurveS256):
-		return secp256k1.S256()
+		return ethcrypto.S256()
 	case curve.Equal(secgNamedCurveP256):
 		return elliptic.P256()
 	case curve.Equal(secgNamedCurveP384):
@@ -139,7 +139,7 @@ func oidFromNamedCurve(curve elliptic.Curve) (secgNamedCurve, bool) {
 		return secgNamedCurveP384, true
 	case elliptic.P521():
 		return secgNamedCurveP521, true
-	case secp256k1.S256():
+	case ethcrypto.S256():
 		return secgNamedCurveS256, true
 	}
 

crypto/ecies/ecies_test.go

@@ -31,7 +31,6 @@ package ecies
 
 import (
 	"bytes"
-	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
@@ -42,7 +41,7 @@ import (
 	"math/big"
 	"testing"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	"github.com/ethereum/go-ethereum/crypto"
 )
 
 var dumpEnc bool
@@ -150,7 +149,7 @@ func TestSharedKey(t *testing.T) {
 func TestSharedKeyPadding(t *testing.T) {
 	// sanity checks
 	prv0 := hexKey("1adf5c18167d96a1f9a0b1ef63be8aa27eaf6032c233b2b38f7850cf5b859fd9")
-	prv1 := hexKey("97a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a")
+	prv1 := hexKey("0097a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a")
 	x0, _ := new(big.Int).SetString("1a8ed022ff7aec59dc1b440446bdda5ff6bcb3509a8b109077282b361efffbd8", 16)
 	x1, _ := new(big.Int).SetString("6ab3ac374251f638d0abb3ef596d1dc67955b507c104e5f2009724812dc027b8", 16)
 	y0, _ := new(big.Int).SetString("e040bd480b1deccc3bc40bd5b1fdcb7bfd352500b477cb9471366dbd4493f923", 16)
@@ -354,7 +353,7 @@ func BenchmarkGenSharedKeyP256(b *testing.B) {
 
 // Benchmark the generation of S256 shared keys.
 func BenchmarkGenSharedKeyS256(b *testing.B) {
-	prv, err := GenerateKey(rand.Reader, secp256k1.S256(), nil)
+	prv, err := GenerateKey(rand.Reader, crypto.S256(), nil)
 	if err != nil {
 		fmt.Println(err.Error())
 		b.FailNow()
@@ -597,6 +596,29 @@ func TestBasicKeyValidation(t *testing.T) {
 	}
 }
 
+func TestBox(t *testing.T) {
+	prv1 := hexKey("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f")
+	prv2 := hexKey("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a")
+	pub2 := &prv2.PublicKey
+
+	message := []byte("Hello, world.")
+	ct, err := Encrypt(rand.Reader, pub2, message, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pt, err := prv2.Decrypt(rand.Reader, ct, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(pt, message) {
+		t.Fatal("ecies: plaintext doesn't match message")
+	}
+	if _, err = prv1.Decrypt(rand.Reader, ct, nil, nil); err == nil {
+		t.Fatal("ecies: encryption should not have succeeded")
+	}
+}
+
 // Verify GenerateShared against static values - useful when
 // debugging changes in underlying libs
 func TestSharedKeyStatic(t *testing.T) {
@@ -628,11 +650,10 @@ func TestSharedKeyStatic(t *testing.T) {
 	}
 }
 
-// TODO: remove after refactoring packages crypto and crypto/ecies
 func hexKey(prv string) *PrivateKey {
-	priv := new(ecdsa.PrivateKey)
-	priv.PublicKey.Curve = secp256k1.S256()
-	priv.D, _ = new(big.Int).SetString(prv, 16)
-	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(priv.D.Bytes())
-	return ImportECDSA(priv)
+	key, err := crypto.HexToECDSA(prv)
+	if err != nil {
+		panic(err)
+	}
+	return ImportECDSA(key)
 }

crypto/ecies/params.go

@@ -42,11 +42,11 @@ import (
 	"fmt"
 	"hash"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 )
 
 var (
-	DefaultCurve                  = secp256k1.S256()
+	DefaultCurve                  = ethcrypto.S256()
 	ErrUnsupportedECDHAlgorithm   = fmt.Errorf("ecies: unsupported ECDH algorithm")
 	ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters")
 )
@@ -100,7 +100,7 @@ var (
 )
 
 var paramsFromCurve = map[elliptic.Curve]*ECIESParams{
-	secp256k1.S256(): ECIES_AES128_SHA256,
+	ethcrypto.S256(): ECIES_AES128_SHA256,
 	elliptic.P256():  ECIES_AES128_SHA256,
 	elliptic.P384():  ECIES_AES256_SHA384,
 	elliptic.P521():  ECIES_AES256_SHA512,

crypto/secp256k1/secp256.go

@@ -42,17 +42,9 @@ import (
 	"unsafe"
 )
 
-var (
-	context *C.secp256k1_context
-	N       *big.Int
-	HalfN   *big.Int
-)
+var context *C.secp256k1_context
 
 func init() {
-	N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
-	// N / 2 == 57896044618658097711785492504343953926418782139537452191302581570759080747168
-	HalfN, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0", 16)
-
 	// around 20 ms on a modern CPU.
 	context = C.secp256k1_context_create_sign_verify()
 	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)

crypto/encrypt_decrypt_test.go → crypto/signature_cgo.go

-// Copyright 2014 The go-ethereum Authors
+// Copyright 2016 The go-ethereum Authors
 // This file is part of the go-ethereum library.
 //
 // The go-ethereum library is free software: you can redistribute it and/or modify
@@ -14,43 +14,51 @@
 // You should have received a copy of the GNU Lesser General Public License
 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
 
+// +build !nacl,!js,!nocgo
+
 package crypto
 
 import (
-	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"fmt"
-	"testing"
 
 	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 )
 
-func TestBox(t *testing.T) {
-	prv1 := ToECDSA(common.Hex2Bytes("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f"))
-	prv2 := ToECDSA(common.Hex2Bytes("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a"))
-	pub2 := ToECDSAPub(common.Hex2Bytes("04bd27a63c91fe3233c5777e6d3d7b39204d398c8f92655947eb5a373d46e1688f022a1632d264725cbc7dc43ee1cfebde42fa0a86d08b55d2acfbb5e9b3b48dc5"))
-
-	message := []byte("Hello, world.")
-	ct, err := Encrypt(pub2, message)
-	if err != nil {
-		fmt.Println(err.Error())
-		t.FailNow()
-	}
+func Ecrecover(hash, sig []byte) ([]byte, error) {
+	return secp256k1.RecoverPubkey(hash, sig)
+}
 
-	pt, err := Decrypt(prv2, ct)
+func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
+	s, err := Ecrecover(hash, sig)
 	if err != nil {
-		fmt.Println(err.Error())
-		t.FailNow()
+		return nil, err
 	}
 
-	if !bytes.Equal(pt, message) {
-		fmt.Println("ecies: plaintext doesn't match message")
-		t.FailNow()
-	}
+	x, y := elliptic.Unmarshal(S256(), s)
+	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
+}
 
-	_, err = Decrypt(prv1, pt)
-	if err == nil {
-		fmt.Println("ecies: encryption should not have succeeded")
-		t.FailNow()
+// Sign calculates an ECDSA signature.
+//
+// This function is susceptible to chosen plaintext attacks that can leak
+// information about the private key that is used for signing. Callers must
+// be aware that the given hash cannot be chosen by an adversery. Common
+// solution is to hash any input before calculating the signature.
+//
+// The produced signature is in the [R || S || V] format where V is 0 or 1.
+func Sign(hash []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) {
+	if len(hash) != 32 {
+		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
 	}
+	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8)
+	defer zeroBytes(seckey)
+	return secp256k1.Sign(hash, seckey)
+}
 
+// S256 returns an instance of the secp256k1 curve.
+func S256() elliptic.Curve {
+	return secp256k1.S256()
 }

crypto/signature_nocgo.go

+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// +build nacl js nocgo
+
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"fmt"
+
+	"github.com/btcsuite/btcd/btcec"
+)
+
+func Ecrecover(hash, sig []byte) ([]byte, error) {
+	pub, err := SigToPub(hash, sig)
+	if err != nil {
+		return nil, err
+	}
+	bytes := (*btcec.PublicKey)(pub).SerializeUncompressed()
+	return bytes, err
+}
+
+func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
+	// Convert to btcec input format with 'recovery id' v at the beginning.
+	btcsig := make([]byte, 65)
+	btcsig[0] = sig[64] + 27
+	copy(btcsig[1:], sig)
+
+	pub, _, err := btcec.RecoverCompact(btcec.S256(), btcsig, hash)
+	return (*ecdsa.PublicKey)(pub), err
+}
+
+// Sign calculates an ECDSA signature.
+//
+// This function is susceptible to chosen plaintext attacks that can leak
+// information about the private key that is used for signing. Callers must
+// be aware that the given hash cannot be chosen by an adversery. Common
+// solution is to hash any input before calculating the signature.
+//
+// The produced signature is in the [R || S || V] format where V is 0 or 1.
+func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) {
+	if len(hash) != 32 {
+		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
+	}
+	if prv.Curve != btcec.S256() {
+		return nil, fmt.Errorf("private key curve is not secp256k1")
+	}
+	sig, err := btcec.SignCompact(btcec.S256(), (*btcec.PrivateKey)(prv), hash, false)
+	if err != nil {
+		return nil, err
+	}
+	// Convert to Ethereum signature format with 'recovery id' v at the end.
+	v := sig[0] - 27
+	copy(sig, sig[1:])
+	sig[64] = v
+	return sig, nil
+}
+
+// S256 returns an instance of the secp256k1 curve.
+func S256() elliptic.Curve {
+	return btcec.S256()
+}

p2p/discv5/crypto.go → crypto/signature_test.go

@@ -14,18 +14,23 @@
 // You should have received a copy of the GNU Lesser General Public License
 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
 
-package discv5
+package crypto
 
 import (
-	//"github.com/btcsuite/btcd/btcec"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	"bytes"
+	"encoding/hex"
+	"testing"
 )
 
-func S256() *secp256k1.BitCurve {
-	return secp256k1.S256()
+func TestRecoverSanity(t *testing.T) {
+	msg, _ := hex.DecodeString("ce0677bb30baa8cf067c88db9811f4333d131bf8bcf12fe7065d211dce971008")
+	sig, _ := hex.DecodeString("90f27b8b488db00b00606796d2987f6a5f59ae62ea05effe84fef5b8b0e549984a691139ad57a3f0b906637673aa2f63d1f55cb1a69199d4009eea23ceaddc9301")
+	pubkey1, _ := hex.DecodeString("04e32df42865e97135acfb65f3bae71bdc86f4d49150ad6a440b6f15878109880a0a2b2667f7e725ceea70c673093bf67663e0312623c8e091b13cf2c0f11ef652")
+	pubkey2, err := Ecrecover(msg, sig)
+	if err != nil {
+		t.Fatalf("recover error: %s", err)
+	}
+	if !bytes.Equal(pubkey1, pubkey2) {
+		t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2)
+	}
 }
-
-// This version should be used for NaCl compilation
-/*func S256() *btcec.KoblitzCurve {
-	return S256()
-}*/

p2p/discover/node.go

@@ -259,7 +259,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID {
 // Pubkey returns the public key represented by the node ID.
 // It returns an error if the ID is not a point on the curve.
 func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) {
-	p := &ecdsa.PublicKey{Curve: secp256k1.S256(), X: new(big.Int), Y: new(big.Int)}
+	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)}
 	half := len(id) / 2
 	p.X.SetBytes(id[:half])
 	p.Y.SetBytes(id[half:])

p2p/discv5/node.go

@@ -297,7 +297,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID {
 // Pubkey returns the public key represented by the node ID.
 // It returns an error if the ID is not a point on the curve.
 func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) {
-	p := &ecdsa.PublicKey{Curve: S256(), X: new(big.Int), Y: new(big.Int)}
+	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)}
 	half := len(id) / 2
 	p.X.SetBytes(id[:half])
 	p.Y.SetBytes(id[half:])

p2p/rlpx.go

@@ -303,7 +303,7 @@ func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey, token []byte) (*authMs
 		return nil, err
 	}
 	// Generate random keypair to for ECDH.
-	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil)
+	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -381,7 +381,7 @@ func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) erro
 	// Generate random keypair for ECDH.
 	// If a private key is already set, use it instead of generating one (for testing).
 	if h.randomPrivKey == nil {
-		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil)
+		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
 		if err != nil {
 			return err
 		}

vendor/github.com/btcsuite/btcd/LICENSE

+ISC License
+
+Copyright (c) 2013-2017 The btcsuite developers
+Copyright (c) 2015-2016 The Decred developers
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

vendor/github.com/btcsuite/btcd/btcec/README.md

+btcec
+=====
+
+[![Build Status](https://travis-ci.org/btcsuite/btcd.png?branch=master)]
+(https://travis-ci.org/btcsuite/btcec) [![ISC License]
+(http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org)
+[![GoDoc](https://godoc.org/github.com/btcsuite/btcd/btcec?status.png)]
+(http://godoc.org/github.com/btcsuite/btcd/btcec)
+
+Package btcec implements elliptic curve cryptography needed for working with
+Bitcoin (secp256k1 only for now). It is designed so that it may be used with the
+standard crypto/ecdsa packages provided with go.  A comprehensive suite of test
+is provided to ensure proper functionality.  Package btcec was originally based
+on work from ThePiachu which is licensed under the same terms as Go, but it has
+signficantly diverged since then.  The btcsuite developers original is licensed
+under the liberal ISC license.
+
+Although this package was primarily written for btcd, it has intentionally been
+designed so it can be used as a standalone package for any projects needing to
+use secp256k1 elliptic curve cryptography.
+
+## Installation and Updating
+
+```bash
+$ go get -u github.com/btcsuite/btcd/btcec
+```
+
+## Examples
+
+* [Sign Message]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--SignMessage)  
+  Demonstrates signing a message with a secp256k1 private key that is first
+  parsed form raw bytes and serializing the generated signature.
+
+* [Verify Signature]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--VerifySignature)  
+  Demonstrates verifying a secp256k1 signature against a public key that is
+  first parsed from raw bytes.  The signature is also parsed from raw bytes.
+
+* [Encryption]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--EncryptMessage)
+  Demonstrates encrypting a message for a public key that is first parsed from
+  raw bytes, then decrypting it using the corresponding private key.
+
+* [Decryption]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--DecryptMessage)
+  Demonstrates decrypting a message using a private key that is first parsed
+  from raw bytes.
+
+## GPG Verification Key
+
+All official release tags are signed by Conformal so users can ensure the code
+has not been tampered with and is coming from the btcsuite developers.  To
+verify the signature perform the following:
+
+- Download the public key from the Conformal website at
+  https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt
+
+- Import the public key into your GPG keyring:
+  ```bash
+  gpg --import GIT-GPG-KEY-conformal.txt
+  ```
+
+- Verify the release tag with the following command where `TAG_NAME` is a
+  placeholder for the specific tag:
+  ```bash
+  git tag -v TAG_NAME
+  ```
+
+## License
+
+Package btcec is licensed under the [copyfree](http://copyfree.org) ISC License
+except for btcec.go and btcec_test.go which is under the same license as Go.
+

vendor/github.com/btcsuite/btcd/btcec/ciphering.go

+// Copyright (c) 2015-2016 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+	"errors"
+	"io"
+)
+
+var (
+	// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails
+	// during decryption. This happens because of either invalid private key or
+	// corrupt ciphertext.
+	ErrInvalidMAC = errors.New("invalid mac hash")
+
+	// errInputTooShort occurs when the input ciphertext to the Decrypt
+	// function is less than 134 bytes long.
+	errInputTooShort = errors.New("ciphertext too short")
+
+	// errUnsupportedCurve occurs when the first two bytes of the encrypted
+	// text aren't 0x02CA (= 712 = secp256k1, from OpenSSL).
+	errUnsupportedCurve = errors.New("unsupported curve")
+
+	errInvalidXLength = errors.New("invalid X length, must be 32")
+	errInvalidYLength = errors.New("invalid Y length, must be 32")
+	errInvalidPadding = errors.New("invalid PKCS#7 padding")
+
+	// 0x02CA = 714
+	ciphCurveBytes = [2]byte{0x02, 0xCA}
+	// 0x20 = 32
+	ciphCoordLength = [2]byte{0x00, 0x20}
+)
+
+// GenerateSharedSecret generates a shared secret based on a private key and a
+// public key using Diffie-Hellman key exchange (ECDH) (RFC 4753).
+// RFC5903 Section 9 states we should only return x.
+func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte {
+	x, _ := pubkey.Curve.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes())
+	return x.Bytes()
+}
+
+// Encrypt encrypts data for the target public key using AES-256-CBC. It also
+// generates a private key (the pubkey of which is also in the output). The only
+// supported curve is secp256k1. The `structure' that it encodes everything into
+// is:
+//
+//	struct {
+//		// Initialization Vector used for AES-256-CBC
+//		IV [16]byte
+//		// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX +
+//		// len_of_pubkeyY(2) + pubkeyY (curve = 714)
+//		PublicKey [70]byte
+//		// Cipher text
+//		Data []byte
+//		// HMAC-SHA-256 Message Authentication Code
+//		HMAC [32]byte
+//	}
+//
+// The primary aim is to ensure byte compatibility with Pyelliptic.  Also, refer
+// to section 5.8.1 of ANSI X9.63 for rationale on this format.
+func Encrypt(pubkey *PublicKey, in []byte) ([]byte, error) {
+	ephemeral, err := NewPrivateKey(S256())
+	if err != nil {
+		return nil, err
+	}
+	ecdhKey := GenerateSharedSecret(ephemeral, pubkey)
+	derivedKey := sha512.Sum512(ecdhKey)
+	keyE := derivedKey[:32]
+	keyM := derivedKey[32:]
+
+	paddedIn := addPKCSPadding(in)
+	// IV + Curve params/X/Y + padded plaintext/ciphertext + HMAC-256
+	out := make([]byte, aes.BlockSize+70+len(paddedIn)+sha256.Size)
+	iv := out[:aes.BlockSize]
+	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	// start writing public key
+	pb := ephemeral.PubKey().SerializeUncompressed()
+	offset := aes.BlockSize
+
+	// curve and X length
+	copy(out[offset:offset+4], append(ciphCurveBytes[:], ciphCoordLength[:]...))
+	offset += 4
+	// X
+	copy(out[offset:offset+32], pb[1:33])
+	offset += 32
+	// Y length
+	copy(out[offset:offset+2], ciphCoordLength[:])
+	offset += 2
+	// Y
+	copy(out[offset:offset+32], pb[33:])
+	offset += 32
+
+	// start encryption
+	block, err := aes.NewCipher(keyE)
+	if err != nil {
+		return nil, err
+	}
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(out[offset:len(out)-sha256.Size], paddedIn)
+
+	// start HMAC-SHA-256
+	hm := hmac.New(sha256.New, keyM)
+	hm.Write(out[:len(out)-sha256.Size])          // everything is hashed
+	copy(out[len(out)-sha256.Size:], hm.Sum(nil)) // write checksum
+
+	return out, nil
+}
+
+// Decrypt decrypts data that was encrypted using the Encrypt function.
+func Decrypt(priv *PrivateKey, in []byte) ([]byte, error) {
+	// IV + Curve params/X/Y + 1 block + HMAC-256
+	if len(in) < aes.BlockSize+70+aes.BlockSize+sha256.Size {
+		return nil, errInputTooShort
+	}
+
+	// read iv
+	iv := in[:aes.BlockSize]
+	offset := aes.BlockSize
+
+	// start reading pubkey
+	if !bytes.Equal(in[offset:offset+2], ciphCurveBytes[:]) {
+		return nil, errUnsupportedCurve
+	}
+	offset += 2
+
+	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) {
+		return nil, errInvalidXLength
+	}
+	offset += 2
+
+	xBytes := in[offset : offset+32]
+	offset += 32
+
+	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) {
+		return nil, errInvalidYLength
+	}
+	offset += 2
+
+	yBytes := in[offset : offset+32]
+	offset += 32
+
+	pb := make([]byte, 65)
+	pb[0] = byte(0x04) // uncompressed
+	copy(pb[1:33], xBytes)
+	copy(pb[33:], yBytes)
+	// check if (X, Y) lies on the curve and create a Pubkey if it does
+	pubkey, err := ParsePubKey(pb, S256())
+	if err != nil {
+		return nil, err
+	}
+
+	// check for cipher text length
+	if (len(in)-aes.BlockSize-offset-sha256.Size)%aes.BlockSize != 0 {
+		return nil, errInvalidPadding // not padded to 16 bytes
+	}
+
+	// read hmac
+	messageMAC := in[len(in)-sha256.Size:]
+
+	// generate shared secret
+	ecdhKey := GenerateSharedSecret(priv, pubkey)
+	derivedKey := sha512.Sum512(ecdhKey)
+	keyE := derivedKey[:32]
+	keyM := derivedKey[32:]
+
+	// verify mac
+	hm := hmac.New(sha256.New, keyM)
+	hm.Write(in[:len(in)-sha256.Size]) // everything is hashed
+	expectedMAC := hm.Sum(nil)
+	if !hmac.Equal(messageMAC, expectedMAC) {
+		return nil, ErrInvalidMAC
+	}
+
+	// start decryption
+	block, err := aes.NewCipher(keyE)
+	if err != nil {
+		return nil, err
+	}
+	mode := cipher.NewCBCDecrypter(block, iv)
+	// same length as ciphertext
+	plaintext := make([]byte, len(in)-offset-sha256.Size)
+	mode.CryptBlocks(plaintext, in[offset:len(in)-sha256.Size])
+
+	return removePKCSPadding(plaintext)
+}
+
+// Implement PKCS#7 padding with block size of 16 (AES block size).
+
+// addPKCSPadding adds padding to a block of data
+func addPKCSPadding(src []byte) []byte {
+	padding := aes.BlockSize - len(src)%aes.BlockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(src, padtext...)
+}
+
+// removePKCSPadding removes padding from data that was added with addPKCSPadding
+func removePKCSPadding(src []byte) ([]byte, error) {
+	length := len(src)
+	padLength := int(src[length-1])
+	if padLength > aes.BlockSize || length < aes.BlockSize {
+		return nil, errInvalidPadding
+	}
+
+	return src[:length-padLength], nil
+}

vendor/github.com/btcsuite/btcd/btcec/doc.go

+// Copyright (c) 2013-2014 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+/*
+Package btcec implements support for the elliptic curves needed for bitcoin.
+
+Bitcoin uses elliptic curve cryptography using koblitz curves
+(specifically secp256k1) for cryptographic functions.  See
+http://www.secg.org/collateral/sec2_final.pdf for details on the
+standard.
+
+This package provides the data structures and functions implementing the
+crypto/elliptic Curve interface in order to permit using these curves
+with the standard crypto/ecdsa package provided with go. Helper
+functionality is provided to parse signatures and public keys from
+standard formats.  It was designed for use with btcd, but should be
+general enough for other uses of elliptic curve crypto.  It was originally based
+on some initial work by ThePiachu, but has significantly diverged since then.
+*/
+package btcec

vendor/github.com/btcsuite/btcd/btcec/genprecomps.go

+// Copyright 2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+// This file is ignored during the regular build due to the following build tag.
+// It is called by go generate and used to automatically generate pre-computed
+// tables used to accelerate operations.
+// +build ignore
+
+package main
+
+import (
+	"bytes"
+	"compress/zlib"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/btcsuite/btcd/btcec"
+)
+
+func main() {
+	fi, err := os.Create("secp256k1.go")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer fi.Close()
+
+	// Compress the serialized byte points.
+	serialized := btcec.S256().SerializedBytePoints()
+	var compressed bytes.Buffer
+	w := zlib.NewWriter(&compressed)
+	if _, err := w.Write(serialized); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	w.Close()
+
+	// Encode the compressed byte points with base64.
+	encoded := make([]byte, base64.StdEncoding.EncodedLen(compressed.Len()))
+	base64.StdEncoding.Encode(encoded, compressed.Bytes())
+
+	fmt.Fprintln(fi, "// Copyright (c) 2015 The btcsuite developers")
+	fmt.Fprintln(fi, "// Use of this source code is governed by an ISC")
+	fmt.Fprintln(fi, "// license that can be found in the LICENSE file.")
+	fmt.Fprintln(fi)
+	fmt.Fprintln(fi, "package btcec")
+	fmt.Fprintln(fi)
+	fmt.Fprintln(fi, "// Auto-generated file (see genprecomps.go)")
+	fmt.Fprintln(fi, "// DO NOT EDIT")
+	fmt.Fprintln(fi)
+	fmt.Fprintf(fi, "var secp256k1BytePoints = %q\n", string(encoded))
+
+	a1, b1, a2, b2 := btcec.S256().EndomorphismVectors()
+	fmt.Println("The following values are the computed linearly " +
+		"independent vectors needed to make use of the secp256k1 " +
+		"endomorphism:")
+	fmt.Printf("a1: %x\n", a1)
+	fmt.Printf("b1: %x\n", b1)
+	fmt.Printf("a2: %x\n", a2)
+	fmt.Printf("b2: %x\n", b2)
+}

vendor/github.com/btcsuite/btcd/btcec/gensecp256k1.go

+// Copyright (c) 2014-2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+// This file is ignored during the regular build due to the following build tag.
+// This build tag is set during go generate.
+// +build gensecp256k1
+
+package btcec
+
+// References:
+//   [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
+
+import (
+	"encoding/binary"
+	"math/big"
+)
+
+// secp256k1BytePoints are dummy points used so the code which generates the
+// real values can compile.
+var secp256k1BytePoints = ""
+
+// getDoublingPoints returns all the possible G^(2^i) for i in
+// 0..n-1 where n is the curve's bit size (256 in the case of secp256k1)
+// the coordinates are recorded as Jacobian coordinates.
+func (curve *KoblitzCurve) getDoublingPoints() [][3]fieldVal {
+	doublingPoints := make([][3]fieldVal, curve.BitSize)
+
+	// initialize px, py, pz to the Jacobian coordinates for the base point
+	px, py := curve.bigAffineToField(curve.Gx, curve.Gy)
+	pz := new(fieldVal).SetInt(1)
+	for i := 0; i < curve.BitSize; i++ {
+		doublingPoints[i] = [3]fieldVal{*px, *py, *pz}
+		// P = 2*P
+		curve.doubleJacobian(px, py, pz, px, py, pz)
+	}
+	return doublingPoints
+}
+
+// SerializedBytePoints returns a serialized byte slice which contains all of
+// the possible points per 8-bit window.  This is used to when generating
+// secp256k1.go.
+func (curve *KoblitzCurve) SerializedBytePoints() []byte {
+	doublingPoints := curve.getDoublingPoints()
+
+	// Segregate the bits into byte-sized windows
+	serialized := make([]byte, curve.byteSize*256*3*10*4)
+	offset := 0
+	for byteNum := 0; byteNum < curve.byteSize; byteNum++ {
+		// Grab the 8 bits that make up this byte from doublingPoints.
+		startingBit := 8 * (curve.byteSize - byteNum - 1)
+		computingPoints := doublingPoints[startingBit : startingBit+8]
+
+		// Compute all points in this window and serialize them.
+		for i := 0; i < 256; i++ {
+			px, py, pz := new(fieldVal), new(fieldVal), new(fieldVal)
+			for j := 0; j < 8; j++ {
+				if i>>uint(j)&1 == 1 {
+					curve.addJacobian(px, py, pz, &computingPoints[j][0],
+						&computingPoints[j][1], &computingPoints[j][2], px, py, pz)
+				}
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], px.n[i])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], py.n[i])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], pz.n[i])
+				offset += 4
+			}
+		}
+	}
+
+	return serialized
+}
+
+// sqrt returns the square root of the provided big integer using Newton's
+// method.  It's only compiled and used during generation of pre-computed
+// values, so speed is not a huge concern.
+func sqrt(n *big.Int) *big.Int {
+	// Initial guess = 2^(log_2(n)/2)
+	guess := big.NewInt(2)
+	guess.Exp(guess, big.NewInt(int64(n.BitLen()/2)), nil)
+
+	// Now refine using Newton's method.
+	big2 := big.NewInt(2)
+	prevGuess := big.NewInt(0)
+	for {
+		prevGuess.Set(guess)
+		guess.Add(guess, new(big.Int).Div(n, guess))
+		guess.Div(guess, big2)
+		if guess.Cmp(prevGuess) == 0 {
+			break
+		}
+	}
+	return guess
+}
+
+// EndomorphismVectors runs the first 3 steps of algorithm 3.74 from [GECC] to
+// generate the linearly independent vectors needed to generate a balanced
+// length-two representation of a multiplier such that k = k1 + k2λ (mod N) and
+// returns them.  Since the values will always be the same given the fact that N
+// and λ are fixed, the final results can be accelerated by storing the
+// precomputed values with the curve.
+func (curve *KoblitzCurve) EndomorphismVectors() (a1, b1, a2, b2 *big.Int) {
+	bigMinus1 := big.NewInt(-1)
+
+	// This section uses an extended Euclidean algorithm to generate a
+	// sequence of equations:
+	//  s[i] * N + t[i] * λ = r[i]
+
+	nSqrt := sqrt(curve.N)
+	u, v := new(big.Int).Set(curve.N), new(big.Int).Set(curve.lambda)
+	x1, y1 := big.NewInt(1), big.NewInt(0)
+	x2, y2 := big.NewInt(0), big.NewInt(1)
+	q, r := new(big.Int), new(big.Int)
+	qu, qx1, qy1 := new(big.Int), new(big.Int), new(big.Int)
+	s, t := new(big.Int), new(big.Int)
+	ri, ti := new(big.Int), new(big.Int)
+	a1, b1, a2, b2 = new(big.Int), new(big.Int), new(big.Int), new(big.Int)
+	found, oneMore := false, false
+	for u.Sign() != 0 {
+		// q = v/u
+		q.Div(v, u)
+
+		// r = v - q*u
+		qu.Mul(q, u)
+		r.Sub(v, qu)
+
+		// s = x2 - q*x1
+		qx1.Mul(q, x1)
+		s.Sub(x2, qx1)
+
+		// t = y2 - q*y1
+		qy1.Mul(q, y1)
+		t.Sub(y2, qy1)
+
+		// v = u, u = r, x2 = x1, x1 = s, y2 = y1, y1 = t
+		v.Set(u)
+		u.Set(r)
+		x2.Set(x1)
+		x1.Set(s)
+		y2.Set(y1)
+		y1.Set(t)
+
+		// As soon as the remainder is less than the sqrt of n, the
+		// values of a1 and b1 are known.
+		if !found && r.Cmp(nSqrt) < 0 {
+			// When this condition executes ri and ti represent the
+			// r[i] and t[i] values such that i is the greatest
+			// index for which r >= sqrt(n).  Meanwhile, the current
+			// r and t values are r[i+1] and t[i+1], respectively.
+
+			// a1 = r[i+1], b1 = -t[i+1]
+			a1.Set(r)
+			b1.Mul(t, bigMinus1)
+			found = true
+			oneMore = true
+
+			// Skip to the next iteration so ri and ti are not
+			// modified.
+			continue
+
+		} else if oneMore {
+			// When this condition executes ri and ti still
+			// represent the r[i] and t[i] values while the current
+			// r and t are r[i+2] and t[i+2], respectively.
+
+			// sum1 = r[i]^2 + t[i]^2
+			rSquared := new(big.Int).Mul(ri, ri)
+			tSquared := new(big.Int).Mul(ti, ti)
+			sum1 := new(big.Int).Add(rSquared, tSquared)
+
+			// sum2 = r[i+2]^2 + t[i+2]^2
+			r2Squared := new(big.Int).Mul(r, r)
+			t2Squared := new(big.Int).Mul(t, t)
+			sum2 := new(big.Int).Add(r2Squared, t2Squared)
+
+			// if (r[i]^2 + t[i]^2) <= (r[i+2]^2 + t[i+2]^2)
+			if sum1.Cmp(sum2) <= 0 {
+				// a2 = r[i], b2 = -t[i]
+				a2.Set(ri)
+				b2.Mul(ti, bigMinus1)
+			} else {
+				// a2 = r[i+2], b2 = -t[i+2]
+				a2.Set(r)
+				b2.Mul(t, bigMinus1)
+			}
+
+			// All done.
+			break
+		}
+
+		ri.Set(r)
+		ti.Set(t)
+	}
+
+	return a1, b1, a2, b2
+}

vendor/github.com/btcsuite/btcd/btcec/precompute.go

+// Copyright 2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"compress/zlib"
+	"encoding/base64"
+	"encoding/binary"
+	"io/ioutil"
+	"strings"
+)
+
+//go:generate go run -tags gensecp256k1 genprecomps.go
+
+// loadS256BytePoints decompresses and deserializes the pre-computed byte points
+// used to accelerate scalar base multiplication for the secp256k1 curve.  This
+// approach is used since it allows the compile to use significantly less ram
+// and be performed much faster than it is with hard-coding the final in-memory
+// data structure.  At the same time, it is quite fast to generate the in-memory
+// data structure at init time with this approach versus computing the table.
+func loadS256BytePoints() error {
+	// There will be no byte points to load when generating them.
+	bp := secp256k1BytePoints
+	if len(bp) == 0 {
+		return nil
+	}
+
+	// Decompress the pre-computed table used to accelerate scalar base
+	// multiplication.
+	decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(bp))
+	r, err := zlib.NewReader(decoder)
+	if err != nil {
+		return err
+	}
+	serialized, err := ioutil.ReadAll(r)
+	if err != nil {
+		return err
+	}
+
+	// Deserialize the precomputed byte points and set the curve to them.
+	offset := 0
+	var bytePoints [32][256][3]fieldVal
+	for byteNum := 0; byteNum < 32; byteNum++ {
+		// All points in this window.
+		for i := 0; i < 256; i++ {
+			px := &bytePoints[byteNum][i][0]
+			py := &bytePoints[byteNum][i][1]
+			pz := &bytePoints[byteNum][i][2]
+			for i := 0; i < 10; i++ {
+				px.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				py.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				pz.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+		}
+	}
+	secp256k1.bytePoints = &bytePoints
+	return nil
+}

vendor/github.com/btcsuite/btcd/btcec/privkey.go

+// Copyright (c) 2013-2016 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"math/big"
+)
+
+// PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing
+// things with the the private key without having to directly import the ecdsa
+// package.
+type PrivateKey ecdsa.PrivateKey
+
+// PrivKeyFromBytes returns a private and public key for `curve' based on the
+// private key passed as an argument as a byte slice.
+func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey,
+	*PublicKey) {
+	x, y := curve.ScalarBaseMult(pk)
+
+	priv := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: new(big.Int).SetBytes(pk),
+	}
+
+	return (*PrivateKey)(priv), (*PublicKey)(&priv.PublicKey)
+}
+
+// NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey
+// instead of the normal ecdsa.PrivateKey.
+func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, error) {
+	key, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return (*PrivateKey)(key), nil
+}
+
+// PubKey returns the PublicKey corresponding to this private key.
+func (p *PrivateKey) PubKey() *PublicKey {
+	return (*PublicKey)(&p.PublicKey)
+}
+
+// ToECDSA returns the private key as a *ecdsa.PrivateKey.
+func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey {
+	return (*ecdsa.PrivateKey)(p)
+}
+
+// Sign generates an ECDSA signature for the provided hash (which should be the result
+// of hashing a larger message) using the private key. Produced signature
+// is deterministic (same message and same key yield the same signature) and canonical
+// in accordance with RFC6979 and BIP0062.
+func (p *PrivateKey) Sign(hash []byte) (*Signature, error) {
+	return signRFC6979(p, hash)
+}
+
+// PrivKeyBytesLen defines the length in bytes of a serialized private key.
+const PrivKeyBytesLen = 32
+
+// Serialize returns the private key number d as a big-endian binary-encoded
+// number, padded to a length of 32 bytes.
+func (p *PrivateKey) Serialize() []byte {
+	b := make([]byte, 0, PrivKeyBytesLen)
+	return paddedAppend(PrivKeyBytesLen, b, p.ToECDSA().D.Bytes())
+}

vendor/github.com/btcsuite/btcd/btcec/pubkey.go

+// Copyright (c) 2013-2014 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"crypto/ecdsa"
+	"errors"
+	"fmt"
+	"math/big"
+)
+
+// These constants define the lengths of serialized public keys.
+const (
+	PubKeyBytesLenCompressed   = 33
+	PubKeyBytesLenUncompressed = 65
+	PubKeyBytesLenHybrid       = 65
+)
+
+func isOdd(a *big.Int) bool {
+	return a.Bit(0) == 1
+}
+
+// decompressPoint decompresses a point on the given curve given the X point and
+// the solution to use.
+func decompressPoint(curve *KoblitzCurve, x *big.Int, ybit bool) (*big.Int, error) {
+	// TODO: This will probably only work for secp256k1 due to
+	// optimizations.
+
+	// Y = +-sqrt(x^3 + B)
+	x3 := new(big.Int).Mul(x, x)
+	x3.Mul(x3, x)
+	x3.Add(x3, curve.Params().B)
+
+	// now calculate sqrt mod p of x2 + B
+	// This code used to do a full sqrt based on tonelli/shanks,
+	// but this was replaced by the algorithms referenced in
+	// https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
+	y := new(big.Int).Exp(x3, curve.QPlus1Div4(), curve.Params().P)
+
+	if ybit != isOdd(y) {
+		y.Sub(curve.Params().P, y)
+	}
+	if ybit != isOdd(y) {
+		return nil, fmt.Errorf("ybit doesn't match oddness")
+	}
+	return y, nil
+}
+
+const (
+	pubkeyCompressed   byte = 0x2 // y_bit + x coord
+	pubkeyUncompressed byte = 0x4 // x coord + y coord
+	pubkeyHybrid       byte = 0x6 // y_bit + x coord + y coord
+)
+
+// ParsePubKey parses a public key for a koblitz curve from a bytestring into a
+// ecdsa.Publickey, verifying that it is valid. It supports compressed,
+// uncompressed and hybrid signature formats.
+func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error) {
+	pubkey := PublicKey{}
+	pubkey.Curve = curve
+
+	if len(pubKeyStr) == 0 {
+		return nil, errors.New("pubkey string is empty")
+	}
+
+	format := pubKeyStr[0]
+	ybit := (format & 0x1) == 0x1
+	format &= ^byte(0x1)
+
+	switch len(pubKeyStr) {
+	case PubKeyBytesLenUncompressed:
+		if format != pubkeyUncompressed && format != pubkeyHybrid {
+			return nil, fmt.Errorf("invalid magic in pubkey str: "+
+				"%d", pubKeyStr[0])
+		}
+
+		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33])
+		pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:])
+		// hybrid keys have extra information, make use of it.
+		if format == pubkeyHybrid && ybit != isOdd(pubkey.Y) {
+			return nil, fmt.Errorf("ybit doesn't match oddness")
+		}
+	case PubKeyBytesLenCompressed:
+		// format is 0x2 | solution, <X coordinate>
+		// solution determines which solution of the curve we use.
+		/// y^2 = x^3 + Curve.B
+		if format != pubkeyCompressed {
+			return nil, fmt.Errorf("invalid magic in compressed "+
+				"pubkey string: %d", pubKeyStr[0])
+		}
+		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33])
+		pubkey.Y, err = decompressPoint(curve, pubkey.X, ybit)
+		if err != nil {
+			return nil, err
+		}
+	default: // wrong!
+		return nil, fmt.Errorf("invalid pub key length %d",
+			len(pubKeyStr))
+	}
+
+	if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey X parameter is >= to P")
+	}
+	if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey Y parameter is >= to P")
+	}
+	if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) {
+		return nil, fmt.Errorf("pubkey isn't on secp256k1 curve")
+	}
+	return &pubkey, nil
+}
+
+// PublicKey is an ecdsa.PublicKey with additional functions to
+// serialize in uncompressed, compressed, and hybrid formats.
+type PublicKey ecdsa.PublicKey
+
+// ToECDSA returns the public key as a *ecdsa.PublicKey.
+func (p *PublicKey) ToECDSA() *ecdsa.PublicKey {
+	return (*ecdsa.PublicKey)(p)
+}
+
+// SerializeUncompressed serializes a public key in a 65-byte uncompressed
+// format.
+func (p *PublicKey) SerializeUncompressed() []byte {
+	b := make([]byte, 0, PubKeyBytesLenUncompressed)
+	b = append(b, pubkeyUncompressed)
+	b = paddedAppend(32, b, p.X.Bytes())
+	return paddedAppend(32, b, p.Y.Bytes())
+}
+
+// SerializeCompressed serializes a public key in a 33-byte compressed format.
+func (p *PublicKey) SerializeCompressed() []byte {
+	b := make([]byte, 0, PubKeyBytesLenCompressed)
+	format := pubkeyCompressed
+	if isOdd(p.Y) {
+		format |= 0x1
+	}
+	b = append(b, format)
+	return paddedAppend(32, b, p.X.Bytes())
+}
+
+// SerializeHybrid serializes a public key in a 65-byte hybrid format.
+func (p *PublicKey) SerializeHybrid() []byte {
+	b := make([]byte, 0, PubKeyBytesLenHybrid)
+	format := pubkeyHybrid
+	if isOdd(p.Y) {
+		format |= 0x1
+	}
+	b = append(b, format)
+	b = paddedAppend(32, b, p.X.Bytes())
+	return paddedAppend(32, b, p.Y.Bytes())
+}
+
+// IsEqual compares this PublicKey instance to the one passed, returning true if
+// both PublicKeys are equivalent. A PublicKey is equivalent to another, if they
+// both have the same X and Y coordinate.
+func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool {
+	return p.X.Cmp(otherPubKey.X) == 0 &&
+		p.Y.Cmp(otherPubKey.Y) == 0
+}
+
+// paddedAppend appends the src byte slice to dst, returning the new slice.
+// If the length of the source is smaller than the passed size, leading zero
+// bytes are appended to the dst slice before appending src.
+func paddedAppend(size uint, dst, src []byte) []byte {
+	for i := 0; i < int(size)-len(src); i++ {
+		dst = append(dst, 0)
+	}
+	return append(dst, src...)
+}

vendor/vendor.json

@@ -16,6 +16,12 @@
 			"revision": "ea17b1a17847fb6e4c0a91de0b674704693469b0",
 			"revisionTime": "2017-02-10T01:56:32Z"
 		},
+		{
+			"checksumSHA1": "fIpm6Vr5a8kgr22gWkQx7vKUTyU=",
+			"path": "github.com/btcsuite/btcd/btcec",
+			"revision": "d06c0bb181529331be8f8d9350288c420d9e60e4",
+			"revisionTime": "2017-02-01T21:25:25Z"
+		},
 		{
 			"checksumSHA1": "cDMtzKmdTx4CcIpP4broa+16X9g=",
 			"path": "github.com/cespare/cp",

whisper/whisperv2/message.go

@@ -21,11 +21,13 @@ package whisperv2
 
 import (
 	"crypto/ecdsa"
+	crand "crypto/rand"
 	"math/rand"
 	"time"
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/crypto/ecies"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 )
@@ -131,13 +133,13 @@ func (self *Message) Recover() *ecdsa.PublicKey {
 
 // encrypt encrypts a message payload with a public key.
 func (self *Message) encrypt(key *ecdsa.PublicKey) (err error) {
-	self.Payload, err = crypto.Encrypt(key, self.Payload)
+	self.Payload, err = ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), self.Payload, nil, nil)
 	return
 }
 
 // decrypt decrypts an encrypted payload with a private key.
 func (self *Message) decrypt(key *ecdsa.PrivateKey) error {
-	cleartext, err := crypto.Decrypt(key, self.Payload)
+	cleartext, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, self.Payload, nil, nil)
 	if err == nil {
 		self.Payload = cleartext
 	}

whisper/whisperv2/message_test.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 )
 
 // Tests whether a message can be wrapped without any identity or encryption.
@@ -73,8 +72,8 @@ func TestMessageCleartextSignRecover(t *testing.T) {
 	if pubKey == nil {
 		t.Fatalf("failed to recover public key")
 	}
-	p1 := elliptic.Marshal(secp256k1.S256(), key.PublicKey.X, key.PublicKey.Y)
-	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y)
+	p1 := elliptic.Marshal(crypto.S256(), key.PublicKey.X, key.PublicKey.Y)
+	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y)
 	if !bytes.Equal(p1, p2) {
 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1)
 	}
@@ -151,8 +150,8 @@ func TestMessageFullCrypto(t *testing.T) {
 	if pubKey == nil {
 		t.Fatalf("failed to recover public key")
 	}
-	p1 := elliptic.Marshal(secp256k1.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y)
-	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y)
+	p1 := elliptic.Marshal(crypto.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y)
+	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y)
 	if !bytes.Equal(p1, p2) {
 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1)
 	}

whisper/whisperv5/message.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/crypto/ecies"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 	"golang.org/x/crypto/pbkdf2"
@@ -163,7 +164,7 @@ func (msg *SentMessage) encryptAsymmetric(key *ecdsa.PublicKey) error {
 	if !ValidatePublicKey(key) {
 		return fmt.Errorf("Invalid public key provided for asymmetric encryption")
 	}
-	encrypted, err := crypto.Encrypt(key, msg.Raw)
+	encrypted, err := ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), msg.Raw, nil, nil)
 	if err == nil {
 		msg.Raw = encrypted
 	}
@@ -293,7 +294,7 @@ func (msg *ReceivedMessage) decryptSymmetric(key []byte, salt []byte, nonce []by
 
 // decryptAsymmetric decrypts an encrypted payload with a private key.
 func (msg *ReceivedMessage) decryptAsymmetric(key *ecdsa.PrivateKey) error {
-	decrypted, err := crypto.Decrypt(key, msg.Raw)
+	decrypted, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, msg.Raw, nil, nil)
 	if err == nil {
 		msg.Raw = decrypted
 	}