crypto: add btcec fallback for sign/recover without cgo (#3680)

* vendor: add github.com/btcsuite/btcd/btcec

* crypto: add btcec fallback for sign/recover without cgo

This commit adds a non-cgo fallback implementation of secp256k1
operations.

* crypto, core/vm: remove wrappers for sha256, ripemd160

accounts/keystore/key.go

@@ -32,7 +32,6 @@ import (
 	"github.com/ethereum/go-ethereum/accounts"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 	"github.com/pborman/uuid"
 )
 
@@ -157,7 +156,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key {
 		panic("key generation: could not read from random source: " + err.Error())
 	}
 	reader := bytes.NewReader(randBytes)
-	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), reader)
+	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), reader)
 	if err != nil {
 		panic("key generation: ecdsa.GenerateKey failed: " + err.Error())
 	}
@@ -169,7 +168,7 @@ func NewKeyForDirectICAP(rand io.Reader) *Key {
 }
 
 func newKey(rand io.Reader) (*Key, error) {
-	privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), rand)
+	privateKeyECDSA, err := ecdsa.GenerateKey(crypto.S256(), rand)
 	if err != nil {
 		return nil, err
 	}

core/vm/contracts.go

@@ -17,11 +17,14 @@
 package vm
 
 import (
+	"crypto/sha256"
+
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 	"github.com/ethereum/go-ethereum/params"
+	"golang.org/x/crypto/ripemd160"
 )
 
 // Precompiled contract is the basic interface for native Go contracts. The implementation
@@ -35,8 +38,8 @@ type PrecompiledContract interface {
 // Precompiled contains the default set of ethereum contracts
 var PrecompiledContracts = map[common.Address]PrecompiledContract{
 	common.BytesToAddress([]byte{1}): &ecrecover{},
-	common.BytesToAddress([]byte{2}): &sha256{},
-	common.BytesToAddress([]byte{3}): &ripemd160{},
+	common.BytesToAddress([]byte{2}): &sha256hash{},
+	common.BytesToAddress([]byte{3}): &ripemd160hash{},
 	common.BytesToAddress([]byte{4}): &dataCopy{},
 }
 
@@ -88,31 +91,34 @@ func (c *ecrecover) Run(in []byte) []byte {
 }
 
 // SHA256 implemented as a native contract
-type sha256 struct{}
+type sha256hash struct{}
 
 // RequiredGas returns the gas required to execute the pre-compiled contract.
 //
 // This method does not require any overflow checking as the input size gas costs
 // required for anything significant is so high it's impossible to pay for.
-func (c *sha256) RequiredGas(inputSize int) uint64 {
+func (c *sha256hash) RequiredGas(inputSize int) uint64 {
 	return uint64(inputSize+31)/32*params.Sha256WordGas + params.Sha256Gas
 }
-func (c *sha256) Run(in []byte) []byte {
-	return crypto.Sha256(in)
+func (c *sha256hash) Run(in []byte) []byte {
+	h := sha256.Sum256(in)
+	return h[:]
 }
 
 // RIPMED160 implemented as a native contract
-type ripemd160 struct{}
+type ripemd160hash struct{}
 
 // RequiredGas returns the gas required to execute the pre-compiled contract.
 //
 // This method does not require any overflow checking as the input size gas costs
 // required for anything significant is so high it's impossible to pay for.
-func (c *ripemd160) RequiredGas(inputSize int) uint64 {
+func (c *ripemd160hash) RequiredGas(inputSize int) uint64 {
 	return uint64(inputSize+31)/32*params.Ripemd160WordGas + params.Ripemd160Gas
 }
-func (c *ripemd160) Run(in []byte) []byte {
-	return common.LeftPadBytes(crypto.Ripemd160(in), 32)
+func (c *ripemd160hash) Run(in []byte) []byte {
+	ripemd := ripemd160.New()
+	ripemd.Write(in)
+	return common.LeftPadBytes(ripemd.Sum(nil), 32)
 }
 
 // data copy implemented as a native contract

crypto/crypto.go

@@ -20,22 +20,21 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha256"
-	"fmt"
+	"encoding/hex"
+	"errors"
 	"io"
 	"io/ioutil"
 	"math/big"
 	"os"
 
-	"encoding/hex"
-	"errors"
-
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto/ecies"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 	"github.com/ethereum/go-ethereum/crypto/sha3"
 	"github.com/ethereum/go-ethereum/rlp"
-	"golang.org/x/crypto/ripemd160"
+)
+
+var (
+	secp256k1_N, _  = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
+	secp256k1_halfN = new(big.Int).Div(secp256k1_N, big.NewInt(2))
 )
 
 func Keccak256(data ...[]byte) []byte {
@@ -56,7 +55,6 @@ func Keccak256Hash(data ...[]byte) (h common.Hash) {
 }
 
 // Deprecated: For backward compatibility as other packages depend on these
-func Sha3(data ...[]byte) []byte          { return Keccak256(data...) }
 func Sha3Hash(data ...[]byte) common.Hash { return Keccak256Hash(data...) }
 
 // Creates an ethereum address given the bytes and the nonce
@@ -65,39 +63,16 @@ func CreateAddress(b common.Address, nonce uint64) common.Address {
 	return common.BytesToAddress(Keccak256(data)[12:])
 }
 
-func Sha256(data []byte) []byte {
-	hash := sha256.Sum256(data)
-
-	return hash[:]
-}
-
-func Ripemd160(data []byte) []byte {
-	ripemd := ripemd160.New()
-	ripemd.Write(data)
-
-	return ripemd.Sum(nil)
-}
-
-// Ecrecover returns the public key for the private key that was used to
-// calculate the signature.
-//
-// Note: secp256k1 expects the recover id to be either 0, 1. Ethereum
-// signatures have a recover id with an offset of 27. Callers must take
-// this into account and if "recovering" from an Ethereum signature adjust.
-func Ecrecover(hash, sig []byte) ([]byte, error) {
-	return secp256k1.RecoverPubkey(hash, sig)
-}
-
-// New methods using proper ecdsa keys from the stdlib
+// ToECDSA creates a private key with the given D value.
 func ToECDSA(prv []byte) *ecdsa.PrivateKey {
 	if len(prv) == 0 {
 		return nil
 	}
 
 	priv := new(ecdsa.PrivateKey)
-	priv.PublicKey.Curve = secp256k1.S256()
+	priv.PublicKey.Curve = S256()
 	priv.D = common.BigD(prv)
-	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(prv)
+	priv.PublicKey.X, priv.PublicKey.Y = priv.PublicKey.Curve.ScalarBaseMult(prv)
 	return priv
 }
 
@@ -112,15 +87,15 @@ func ToECDSAPub(pub []byte) *ecdsa.PublicKey {
 	if len(pub) == 0 {
 		return nil
 	}
-	x, y := elliptic.Unmarshal(secp256k1.S256(), pub)
-	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}
+	x, y := elliptic.Unmarshal(S256(), pub)
+	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}
 }
 
 func FromECDSAPub(pub *ecdsa.PublicKey) []byte {
 	if pub == nil || pub.X == nil || pub.Y == nil {
 		return nil
 	}
-	return elliptic.Marshal(secp256k1.S256(), pub.X, pub.Y)
+	return elliptic.Marshal(S256(), pub.X, pub.Y)
 }
 
 // HexToECDSA parses a secp256k1 private key.
@@ -164,7 +139,7 @@ func SaveECDSA(file string, key *ecdsa.PrivateKey) error {
 }
 
 func GenerateKey() (*ecdsa.PrivateKey, error) {
-	return ecdsa.GenerateKey(secp256k1.S256(), rand.Reader)
+	return ecdsa.GenerateKey(S256(), rand.Reader)
 }
 
 // ValidateSignatureValues verifies whether the signature values are valid with
@@ -175,49 +150,11 @@ func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool {
 	}
 	// reject upper range of s values (ECDSA malleability)
 	// see discussion in secp256k1/libsecp256k1/include/secp256k1.h
-	if homestead && s.Cmp(secp256k1.HalfN) > 0 {
+	if homestead && s.Cmp(secp256k1_halfN) > 0 {
 		return false
 	}
 	// Frontier: allow s to be in full N range
-	return r.Cmp(secp256k1.N) < 0 && s.Cmp(secp256k1.N) < 0 && (v == 0 || v == 1)
-}
-
-func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
-	s, err := Ecrecover(hash, sig)
-	if err != nil {
-		return nil, err
-	}
-
-	x, y := elliptic.Unmarshal(secp256k1.S256(), s)
-	return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}, nil
-}
-
-// Sign calculates an ECDSA signature.
-//
-// This function is susceptible to chosen plaintext attacks that can leak
-// information about the private key that is used for signing. Callers must
-// be aware that the given hash cannot be chosen by an adversery. Common
-// solution is to hash any input before calculating the signature.
-//
-// The produced signature is in the [R || S || V] format where V is 0 or 1.
-func Sign(data []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) {
-	if len(data) != 32 {
-		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(data))
-	}
-
-	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8)
-	defer zeroBytes(seckey)
-	sig, err = secp256k1.Sign(data, seckey)
-	return
-}
-
-func Encrypt(pub *ecdsa.PublicKey, message []byte) ([]byte, error) {
-	return ecies.Encrypt(rand.Reader, ecies.ImportECDSAPublic(pub), message, nil, nil)
-}
-
-func Decrypt(prv *ecdsa.PrivateKey, ct []byte) ([]byte, error) {
-	key := ecies.ImportECDSA(prv)
-	return key.Decrypt(rand.Reader, ct, nil, nil)
+	return r.Cmp(secp256k1_N) < 0 && s.Cmp(secp256k1_N) < 0 && (v == 0 || v == 1)
 }
 
 func PubkeyToAddress(p ecdsa.PublicKey) common.Address {

crypto/crypto_test.go

@@ -28,7 +28,6 @@ import (
 	"time"
 
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 )
 
 var testAddrHex = "970e8128ab834e8eac17ab8e3812f010678cf791"
@@ -37,30 +36,12 @@ var testPrivHex = "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232
 // These tests are sanity checks.
 // They should ensure that we don't e.g. use Sha3-224 instead of Sha3-256
 // and that the sha3 library uses keccak-f permutation.
-func TestSha3(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45")
-	checkhash(t, "Sha3-256", func(in []byte) []byte { return Keccak256(in) }, msg, exp)
-}
-
 func TestSha3Hash(t *testing.T) {
 	msg := []byte("abc")
 	exp, _ := hex.DecodeString("4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45")
 	checkhash(t, "Sha3-256-array", func(in []byte) []byte { h := Keccak256Hash(in); return h[:] }, msg, exp)
 }
 
-func TestSha256(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
-	checkhash(t, "Sha256", Sha256, msg, exp)
-}
-
-func TestRipemd160(t *testing.T) {
-	msg := []byte("abc")
-	exp, _ := hex.DecodeString("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")
-	checkhash(t, "Ripemd160", Ripemd160, msg, exp)
-}
-
 func BenchmarkSha3(b *testing.B) {
 	a := []byte("hello world")
 	amount := 1000000
@@ -170,7 +151,7 @@ func TestValidateSignatureValues(t *testing.T) {
 	minusOne := big.NewInt(-1)
 	one := common.Big1
 	zero := common.Big0
-	secp256k1nMinus1 := new(big.Int).Sub(secp256k1.N, common.Big1)
+	secp256k1nMinus1 := new(big.Int).Sub(secp256k1_N, common.Big1)
 
 	// correct v,r,s
 	check(true, 0, one, one)
@@ -197,9 +178,9 @@ func TestValidateSignatureValues(t *testing.T) {
 	// correct sig with max r,s
 	check(true, 0, secp256k1nMinus1, secp256k1nMinus1)
 	// correct v, combinations of incorrect r,s at upper limit
-	check(false, 0, secp256k1.N, secp256k1nMinus1)
-	check(false, 0, secp256k1nMinus1, secp256k1.N)
-	check(false, 0, secp256k1.N, secp256k1.N)
+	check(false, 0, secp256k1_N, secp256k1nMinus1)
+	check(false, 0, secp256k1nMinus1, secp256k1_N)
+	check(false, 0, secp256k1_N, secp256k1_N)
 
 	// current callers ensures r,s cannot be negative, but let's test for that too
 	// as crypto package could be used stand-alone
@@ -225,14 +206,13 @@ func checkAddr(t *testing.T, addr0, addr1 common.Address) {
 func TestPythonIntegration(t *testing.T) {
 	kh := "289c2857d4598e37fb9647507e47a309d6133539bf21a8b9cb6df88fd5232032"
 	k0, _ := HexToECDSA(kh)
-	k1 := FromECDSA(k0)
 
 	msg0 := Keccak256([]byte("foo"))
-	sig0, _ := secp256k1.Sign(msg0, k1)
+	sig0, _ := Sign(msg0, k0)
 
 	msg1 := common.FromHex("00000000000000000000000000000000")
-	sig1, _ := secp256k1.Sign(msg0, k1)
+	sig1, _ := Sign(msg0, k0)
 
-	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg0, k1, sig0)
-	fmt.Printf("msg: %x, privkey: %x sig: %x\n", msg1, k1, sig1)
+	t.Logf("msg: %x, privkey: %s sig: %x\n", msg0, kh, sig0)
+	t.Logf("msg: %x, privkey: %s sig: %x\n", msg1, kh, sig1)
 }

crypto/ecies/asn1.go

@@ -42,7 +42,7 @@ import (
 	"hash"
 	"math/big"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 )
 
 var (
@@ -120,7 +120,7 @@ func (curve secgNamedCurve) Equal(curve2 secgNamedCurve) bool {
 func namedCurveFromOID(curve secgNamedCurve) elliptic.Curve {
 	switch {
 	case curve.Equal(secgNamedCurveS256):
-		return secp256k1.S256()
+		return ethcrypto.S256()
 	case curve.Equal(secgNamedCurveP256):
 		return elliptic.P256()
 	case curve.Equal(secgNamedCurveP384):
@@ -139,7 +139,7 @@ func oidFromNamedCurve(curve elliptic.Curve) (secgNamedCurve, bool) {
 		return secgNamedCurveP384, true
 	case elliptic.P521():
 		return secgNamedCurveP521, true
-	case secp256k1.S256():
+	case ethcrypto.S256():
 		return secgNamedCurveS256, true
 	}
 

crypto/ecies/ecies_test.go

@@ -31,7 +31,6 @@ package ecies
 
 import (
 	"bytes"
-	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
@@ -42,7 +41,7 @@ import (
 	"math/big"
 	"testing"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	"github.com/ethereum/go-ethereum/crypto"
 )
 
 var dumpEnc bool
@@ -150,7 +149,7 @@ func TestSharedKey(t *testing.T) {
 func TestSharedKeyPadding(t *testing.T) {
 	// sanity checks
 	prv0 := hexKey("1adf5c18167d96a1f9a0b1ef63be8aa27eaf6032c233b2b38f7850cf5b859fd9")
-	prv1 := hexKey("97a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a")
+	prv1 := hexKey("0097a076fc7fcd9208240668e31c9abee952cbb6e375d1b8febc7499d6e16f1a")
 	x0, _ := new(big.Int).SetString("1a8ed022ff7aec59dc1b440446bdda5ff6bcb3509a8b109077282b361efffbd8", 16)
 	x1, _ := new(big.Int).SetString("6ab3ac374251f638d0abb3ef596d1dc67955b507c104e5f2009724812dc027b8", 16)
 	y0, _ := new(big.Int).SetString("e040bd480b1deccc3bc40bd5b1fdcb7bfd352500b477cb9471366dbd4493f923", 16)
@@ -354,7 +353,7 @@ func BenchmarkGenSharedKeyP256(b *testing.B) {
 
 // Benchmark the generation of S256 shared keys.
 func BenchmarkGenSharedKeyS256(b *testing.B) {
-	prv, err := GenerateKey(rand.Reader, secp256k1.S256(), nil)
+	prv, err := GenerateKey(rand.Reader, crypto.S256(), nil)
 	if err != nil {
 		fmt.Println(err.Error())
 		b.FailNow()
@@ -597,6 +596,29 @@ func TestBasicKeyValidation(t *testing.T) {
 	}
 }
 
+func TestBox(t *testing.T) {
+	prv1 := hexKey("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f")
+	prv2 := hexKey("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a")
+	pub2 := &prv2.PublicKey
+
+	message := []byte("Hello, world.")
+	ct, err := Encrypt(rand.Reader, pub2, message, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pt, err := prv2.Decrypt(rand.Reader, ct, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(pt, message) {
+		t.Fatal("ecies: plaintext doesn't match message")
+	}
+	if _, err = prv1.Decrypt(rand.Reader, ct, nil, nil); err == nil {
+		t.Fatal("ecies: encryption should not have succeeded")
+	}
+}
+
 // Verify GenerateShared against static values - useful when
 // debugging changes in underlying libs
 func TestSharedKeyStatic(t *testing.T) {
@@ -628,11 +650,10 @@ func TestSharedKeyStatic(t *testing.T) {
 	}
 }
 
-// TODO: remove after refactoring packages crypto and crypto/ecies
 func hexKey(prv string) *PrivateKey {
-	priv := new(ecdsa.PrivateKey)
-	priv.PublicKey.Curve = secp256k1.S256()
-	priv.D, _ = new(big.Int).SetString(prv, 16)
-	priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(priv.D.Bytes())
-	return ImportECDSA(priv)
+	key, err := crypto.HexToECDSA(prv)
+	if err != nil {
+		panic(err)
+	}
+	return ImportECDSA(key)
 }

crypto/ecies/params.go

@@ -42,11 +42,11 @@ import (
 	"fmt"
 	"hash"
 
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 )
 
 var (
-	DefaultCurve                  = secp256k1.S256()
+	DefaultCurve                  = ethcrypto.S256()
 	ErrUnsupportedECDHAlgorithm   = fmt.Errorf("ecies: unsupported ECDH algorithm")
 	ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters")
 )
@@ -100,7 +100,7 @@ var (
 )
 
 var paramsFromCurve = map[elliptic.Curve]*ECIESParams{
-	secp256k1.S256(): ECIES_AES128_SHA256,
+	ethcrypto.S256(): ECIES_AES128_SHA256,
 	elliptic.P256():  ECIES_AES128_SHA256,
 	elliptic.P384():  ECIES_AES256_SHA384,
 	elliptic.P521():  ECIES_AES256_SHA512,

crypto/encrypt_decrypt_test.go

@@ -1,56 +0,0 @@
-// Copyright 2014 The go-ethereum Authors
-// This file is part of the go-ethereum library.
-//
-// The go-ethereum library is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Lesser General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// The go-ethereum library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public License
-// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
-
-package crypto
-
-import (
-	"bytes"
-	"fmt"
-	"testing"
-
-	"github.com/ethereum/go-ethereum/common"
-)
-
-func TestBox(t *testing.T) {
-	prv1 := ToECDSA(common.Hex2Bytes("4b50fa71f5c3eeb8fdc452224b2395af2fcc3d125e06c32c82e048c0559db03f"))
-	prv2 := ToECDSA(common.Hex2Bytes("d0b043b4c5d657670778242d82d68a29d25d7d711127d17b8e299f156dad361a"))
-	pub2 := ToECDSAPub(common.Hex2Bytes("04bd27a63c91fe3233c5777e6d3d7b39204d398c8f92655947eb5a373d46e1688f022a1632d264725cbc7dc43ee1cfebde42fa0a86d08b55d2acfbb5e9b3b48dc5"))
-
-	message := []byte("Hello, world.")
-	ct, err := Encrypt(pub2, message)
-	if err != nil {
-		fmt.Println(err.Error())
-		t.FailNow()
-	}
-
-	pt, err := Decrypt(prv2, ct)
-	if err != nil {
-		fmt.Println(err.Error())
-		t.FailNow()
-	}
-
-	if !bytes.Equal(pt, message) {
-		fmt.Println("ecies: plaintext doesn't match message")
-		t.FailNow()
-	}
-
-	_, err = Decrypt(prv1, pt)
-	if err == nil {
-		fmt.Println("ecies: encryption should not have succeeded")
-		t.FailNow()
-	}
-
-}

crypto/secp256k1/secp256.go

@@ -42,17 +42,9 @@ import (
 	"unsafe"
 )
 
-var (
-	context *C.secp256k1_context
-	N       *big.Int
-	HalfN   *big.Int
-)
+var context *C.secp256k1_context
 
 func init() {
-	N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
-	// N / 2 == 57896044618658097711785492504343953926418782139537452191302581570759080747168
-	HalfN, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0", 16)
-
 	// around 20 ms on a modern CPU.
 	context = C.secp256k1_context_create_sign_verify()
 	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)

crypto/signature_cgo.go

@@ -0,0 +1,64 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// +build !nacl,!js,!nocgo
+
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"fmt"
+
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+)
+
+func Ecrecover(hash, sig []byte) ([]byte, error) {
+	return secp256k1.RecoverPubkey(hash, sig)
+}
+
+func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
+	s, err := Ecrecover(hash, sig)
+	if err != nil {
+		return nil, err
+	}
+
+	x, y := elliptic.Unmarshal(S256(), s)
+	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
+}
+
+// Sign calculates an ECDSA signature.
+//
+// This function is susceptible to chosen plaintext attacks that can leak
+// information about the private key that is used for signing. Callers must
+// be aware that the given hash cannot be chosen by an adversery. Common
+// solution is to hash any input before calculating the signature.
+//
+// The produced signature is in the [R || S || V] format where V is 0 or 1.
+func Sign(hash []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) {
+	if len(hash) != 32 {
+		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
+	}
+	seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8)
+	defer zeroBytes(seckey)
+	return secp256k1.Sign(hash, seckey)
+}
+
+// S256 returns an instance of the secp256k1 curve.
+func S256() elliptic.Curve {
+	return secp256k1.S256()
+}

crypto/signature_nocgo.go

@@ -0,0 +1,77 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// +build nacl js nocgo
+
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"fmt"
+
+	"github.com/btcsuite/btcd/btcec"
+)
+
+func Ecrecover(hash, sig []byte) ([]byte, error) {
+	pub, err := SigToPub(hash, sig)
+	if err != nil {
+		return nil, err
+	}
+	bytes := (*btcec.PublicKey)(pub).SerializeUncompressed()
+	return bytes, err
+}
+
+func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
+	// Convert to btcec input format with 'recovery id' v at the beginning.
+	btcsig := make([]byte, 65)
+	btcsig[0] = sig[64] + 27
+	copy(btcsig[1:], sig)
+
+	pub, _, err := btcec.RecoverCompact(btcec.S256(), btcsig, hash)
+	return (*ecdsa.PublicKey)(pub), err
+}
+
+// Sign calculates an ECDSA signature.
+//
+// This function is susceptible to chosen plaintext attacks that can leak
+// information about the private key that is used for signing. Callers must
+// be aware that the given hash cannot be chosen by an adversery. Common
+// solution is to hash any input before calculating the signature.
+//
+// The produced signature is in the [R || S || V] format where V is 0 or 1.
+func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) {
+	if len(hash) != 32 {
+		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
+	}
+	if prv.Curve != btcec.S256() {
+		return nil, fmt.Errorf("private key curve is not secp256k1")
+	}
+	sig, err := btcec.SignCompact(btcec.S256(), (*btcec.PrivateKey)(prv), hash, false)
+	if err != nil {
+		return nil, err
+	}
+	// Convert to Ethereum signature format with 'recovery id' v at the end.
+	v := sig[0] - 27
+	copy(sig, sig[1:])
+	sig[64] = v
+	return sig, nil
+}
+
+// S256 returns an instance of the secp256k1 curve.
+func S256() elliptic.Curve {
+	return btcec.S256()
+}

p2p/discv5/crypto.go → crypto/signature_test.go

@@ -14,18 +14,23 @@
 // You should have received a copy of the GNU Lesser General Public License
 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
 
-package discv5
+package crypto
 
 import (
-	//"github.com/btcsuite/btcd/btcec"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
+	"bytes"
+	"encoding/hex"
+	"testing"
 )
 
-func S256() *secp256k1.BitCurve {
-	return secp256k1.S256()
+func TestRecoverSanity(t *testing.T) {
+	msg, _ := hex.DecodeString("ce0677bb30baa8cf067c88db9811f4333d131bf8bcf12fe7065d211dce971008")
+	sig, _ := hex.DecodeString("90f27b8b488db00b00606796d2987f6a5f59ae62ea05effe84fef5b8b0e549984a691139ad57a3f0b906637673aa2f63d1f55cb1a69199d4009eea23ceaddc9301")
+	pubkey1, _ := hex.DecodeString("04e32df42865e97135acfb65f3bae71bdc86f4d49150ad6a440b6f15878109880a0a2b2667f7e725ceea70c673093bf67663e0312623c8e091b13cf2c0f11ef652")
+	pubkey2, err := Ecrecover(msg, sig)
+	if err != nil {
+		t.Fatalf("recover error: %s", err)
+	}
+	if !bytes.Equal(pubkey1, pubkey2) {
+		t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2)
+	}
 }
-
-// This version should be used for NaCl compilation
-/*func S256() *btcec.KoblitzCurve {
-	return S256()
-}*/

p2p/discover/node.go

@@ -259,7 +259,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID {
 // Pubkey returns the public key represented by the node ID.
 // It returns an error if the ID is not a point on the curve.
 func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) {
-	p := &ecdsa.PublicKey{Curve: secp256k1.S256(), X: new(big.Int), Y: new(big.Int)}
+	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)}
 	half := len(id) / 2
 	p.X.SetBytes(id[:half])
 	p.Y.SetBytes(id[half:])

p2p/discv5/node.go

@@ -297,7 +297,7 @@ func PubkeyID(pub *ecdsa.PublicKey) NodeID {
 // Pubkey returns the public key represented by the node ID.
 // It returns an error if the ID is not a point on the curve.
 func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) {
-	p := &ecdsa.PublicKey{Curve: S256(), X: new(big.Int), Y: new(big.Int)}
+	p := &ecdsa.PublicKey{Curve: crypto.S256(), X: new(big.Int), Y: new(big.Int)}
 	half := len(id) / 2
 	p.X.SetBytes(id[:half])
 	p.Y.SetBytes(id[half:])

p2p/rlpx.go

@@ -303,7 +303,7 @@ func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey, token []byte) (*authMs
 		return nil, err
 	}
 	// Generate random keypair to for ECDH.
-	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil)
+	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -381,7 +381,7 @@ func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) erro
 	// Generate random keypair for ECDH.
 	// If a private key is already set, use it instead of generating one (for testing).
 	if h.randomPrivKey == nil {
-		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil)
+		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
 		if err != nil {
 			return err
 		}

vendor/github.com/btcsuite/btcd/LICENSE

@@ -0,0 +1,16 @@
+ISC License
+
+Copyright (c) 2013-2017 The btcsuite developers
+Copyright (c) 2015-2016 The Decred developers
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

vendor/github.com/btcsuite/btcd/btcec/README.md

@@ -0,0 +1,74 @@
+btcec
+=====
+
+[![Build Status](https://travis-ci.org/btcsuite/btcd.png?branch=master)]
+(https://travis-ci.org/btcsuite/btcec) [![ISC License]
+(http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org)
+[![GoDoc](https://godoc.org/github.com/btcsuite/btcd/btcec?status.png)]
+(http://godoc.org/github.com/btcsuite/btcd/btcec)
+
+Package btcec implements elliptic curve cryptography needed for working with
+Bitcoin (secp256k1 only for now). It is designed so that it may be used with the
+standard crypto/ecdsa packages provided with go.  A comprehensive suite of test
+is provided to ensure proper functionality.  Package btcec was originally based
+on work from ThePiachu which is licensed under the same terms as Go, but it has
+signficantly diverged since then.  The btcsuite developers original is licensed
+under the liberal ISC license.
+
+Although this package was primarily written for btcd, it has intentionally been
+designed so it can be used as a standalone package for any projects needing to
+use secp256k1 elliptic curve cryptography.
+
+## Installation and Updating
+
+```bash
+$ go get -u github.com/btcsuite/btcd/btcec
+```
+
+## Examples
+
+* [Sign Message]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--SignMessage)  
+  Demonstrates signing a message with a secp256k1 private key that is first
+  parsed form raw bytes and serializing the generated signature.
+
+* [Verify Signature]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--VerifySignature)  
+  Demonstrates verifying a secp256k1 signature against a public key that is
+  first parsed from raw bytes.  The signature is also parsed from raw bytes.
+
+* [Encryption]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--EncryptMessage)
+  Demonstrates encrypting a message for a public key that is first parsed from
+  raw bytes, then decrypting it using the corresponding private key.
+
+* [Decryption]
+  (http://godoc.org/github.com/btcsuite/btcd/btcec#example-package--DecryptMessage)
+  Demonstrates decrypting a message using a private key that is first parsed
+  from raw bytes.
+
+## GPG Verification Key
+
+All official release tags are signed by Conformal so users can ensure the code
+has not been tampered with and is coming from the btcsuite developers.  To
+verify the signature perform the following:
+
+- Download the public key from the Conformal website at
+  https://opensource.conformal.com/GIT-GPG-KEY-conformal.txt
+
+- Import the public key into your GPG keyring:
+  ```bash
+  gpg --import GIT-GPG-KEY-conformal.txt
+  ```
+
+- Verify the release tag with the following command where `TAG_NAME` is a
+  placeholder for the specific tag:
+  ```bash
+  git tag -v TAG_NAME
+  ```
+
+## License
+
+Package btcec is licensed under the [copyfree](http://copyfree.org) ISC License
+except for btcec.go and btcec_test.go which is under the same license as Go.
+

vendor/github.com/btcsuite/btcd/btcec/btcec.go

@@ -0,0 +1,956 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Copyright 2011 ThePiachu. All rights reserved.
+// Copyright 2013-2014 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+// References:
+//   [SECG]: Recommended Elliptic Curve Domain Parameters
+//     http://www.secg.org/sec2-v2.pdf
+//
+//   [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
+
+// This package operates, internally, on Jacobian coordinates. For a given
+// (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1)
+// where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole
+// calculation can be performed within the transform (as in ScalarMult and
+// ScalarBaseMult). But even for Add and Double, it's faster to apply and
+// reverse the transform than to operate in affine coordinates.
+
+import (
+	"crypto/elliptic"
+	"math/big"
+	"sync"
+)
+
+var (
+	// fieldOne is simply the integer 1 in field representation.  It is
+	// used to avoid needing to create it multiple times during the internal
+	// arithmetic.
+	fieldOne = new(fieldVal).SetInt(1)
+)
+
+// KoblitzCurve supports a koblitz curve implementation that fits the ECC Curve
+// interface from crypto/elliptic.
+type KoblitzCurve struct {
+	*elliptic.CurveParams
+	q *big.Int
+	H int // cofactor of the curve.
+
+	// byteSize is simply the bit size / 8 and is provided for convenience
+	// since it is calculated repeatedly.
+	byteSize int
+
+	// bytePoints
+	bytePoints *[32][256][3]fieldVal
+
+	// The next 6 values are used specifically for endomorphism
+	// optimizations in ScalarMult.
+
+	// lambda must fulfill lambda^3 = 1 mod N where N is the order of G.
+	lambda *big.Int
+
+	// beta must fulfill beta^3 = 1 mod P where P is the prime field of the
+	// curve.
+	beta *fieldVal
+
+	// See the EndomorphismVectors in gensecp256k1.go to see how these are
+	// derived.
+	a1 *big.Int
+	b1 *big.Int
+	a2 *big.Int
+	b2 *big.Int
+}
+
+// Params returns the parameters for the curve.
+func (curve *KoblitzCurve) Params() *elliptic.CurveParams {
+	return curve.CurveParams
+}
+
+// bigAffineToField takes an affine point (x, y) as big integers and converts
+// it to an affine point as field values.
+func (curve *KoblitzCurve) bigAffineToField(x, y *big.Int) (*fieldVal, *fieldVal) {
+	x3, y3 := new(fieldVal), new(fieldVal)
+	x3.SetByteSlice(x.Bytes())
+	y3.SetByteSlice(y.Bytes())
+
+	return x3, y3
+}
+
+// fieldJacobianToBigAffine takes a Jacobian point (x, y, z) as field values and
+// converts it to an affine point as big integers.
+func (curve *KoblitzCurve) fieldJacobianToBigAffine(x, y, z *fieldVal) (*big.Int, *big.Int) {
+	// Inversions are expensive and both point addition and point doubling
+	// are faster when working with points that have a z value of one.  So,
+	// if the point needs to be converted to affine, go ahead and normalize
+	// the point itself at the same time as the calculation is the same.
+	var zInv, tempZ fieldVal
+	zInv.Set(z).Inverse()   // zInv = Z^-1
+	tempZ.SquareVal(&zInv)  // tempZ = Z^-2
+	x.Mul(&tempZ)           // X = X/Z^2 (mag: 1)
+	y.Mul(tempZ.Mul(&zInv)) // Y = Y/Z^3 (mag: 1)
+	z.SetInt(1)             // Z = 1 (mag: 1)
+
+	// Normalize the x and y values.
+	x.Normalize()
+	y.Normalize()
+
+	// Convert the field values for the now affine point to big.Ints.
+	x3, y3 := new(big.Int), new(big.Int)
+	x3.SetBytes(x.Bytes()[:])
+	y3.SetBytes(y.Bytes()[:])
+	return x3, y3
+}
+
+// IsOnCurve returns boolean if the point (x,y) is on the curve.
+// Part of the elliptic.Curve interface. This function differs from the
+// crypto/elliptic algorithm since a = 0 not -3.
+func (curve *KoblitzCurve) IsOnCurve(x, y *big.Int) bool {
+	// Convert big ints to field values for faster arithmetic.
+	fx, fy := curve.bigAffineToField(x, y)
+
+	// Elliptic curve equation for secp256k1 is: y^2 = x^3 + 7
+	y2 := new(fieldVal).SquareVal(fy).Normalize()
+	result := new(fieldVal).SquareVal(fx).Mul(fx).AddInt(7).Normalize()
+	return y2.Equals(result)
+}
+
+// addZ1AndZ2EqualsOne adds two Jacobian points that are already known to have
+// z values of 1 and stores the result in (x3, y3, z3).  That is to say
+// (x1, y1, 1) + (x2, y2, 1) = (x3, y3, z3).  It performs faster addition than
+// the generic add routine since less arithmetic is needed due to the ability to
+// avoid the z value multiplications.
+func (curve *KoblitzCurve) addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) {
+	// To compute the point addition efficiently, this implementation splits
+	// the equation into intermediate elements which are used to minimize
+	// the number of field multiplications using the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl
+	//
+	// In particular it performs the calculations using the following:
+	// H = X2-X1, HH = H^2, I = 4*HH, J = H*I, r = 2*(Y2-Y1), V = X1*I
+	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = 2*H
+	//
+	// This results in a cost of 4 field multiplications, 2 field squarings,
+	// 6 field additions, and 5 integer multiplications.
+
+	// When the x coordinates are the same for two points on the curve, the
+	// y coordinates either must be the same, in which case it is point
+	// doubling, or they are opposite and the result is the point at
+	// infinity per the group law for elliptic curve cryptography.
+	x1.Normalize()
+	y1.Normalize()
+	x2.Normalize()
+	y2.Normalize()
+	if x1.Equals(x2) {
+		if y1.Equals(y2) {
+			// Since x1 == x2 and y1 == y2, point doubling must be
+			// done, otherwise the addition would end up dividing
+			// by zero.
+			curve.doubleJacobian(x1, y1, z1, x3, y3, z3)
+			return
+		}
+
+		// Since x1 == x2 and y1 == -y2, the sum is the point at
+		// infinity per the group law.
+		x3.SetInt(0)
+		y3.SetInt(0)
+		z3.SetInt(0)
+		return
+	}
+
+	// Calculate X3, Y3, and Z3 according to the intermediate elements
+	// breakdown above.
+	var h, i, j, r, v fieldVal
+	var negJ, neg2V, negX3 fieldVal
+	h.Set(x1).Negate(1).Add(x2)                // H = X2-X1 (mag: 3)
+	i.SquareVal(&h).MulInt(4)                  // I = 4*H^2 (mag: 4)
+	j.Mul2(&h, &i)                             // J = H*I (mag: 1)
+	r.Set(y1).Negate(1).Add(y2).MulInt(2)      // r = 2*(Y2-Y1) (mag: 6)
+	v.Mul2(x1, &i)                             // V = X1*I (mag: 1)
+	negJ.Set(&j).Negate(1)                     // negJ = -J (mag: 2)
+	neg2V.Set(&v).MulInt(2).Negate(2)          // neg2V = -(2*V) (mag: 3)
+	x3.Set(&r).Square().Add(&negJ).Add(&neg2V) // X3 = r^2-J-2*V (mag: 6)
+	negX3.Set(x3).Negate(6)                    // negX3 = -X3 (mag: 7)
+	j.Mul(y1).MulInt(2).Negate(2)              // J = -(2*Y1*J) (mag: 3)
+	y3.Set(&v).Add(&negX3).Mul(&r).Add(&j)     // Y3 = r*(V-X3)-2*Y1*J (mag: 4)
+	z3.Set(&h).MulInt(2)                       // Z3 = 2*H (mag: 6)
+
+	// Normalize the resulting field values to a magnitude of 1 as needed.
+	x3.Normalize()
+	y3.Normalize()
+	z3.Normalize()
+}
+
+// addZ1EqualsZ2 adds two Jacobian points that are already known to have the
+// same z value and stores the result in (x3, y3, z3).  That is to say
+// (x1, y1, z1) + (x2, y2, z1) = (x3, y3, z3).  It performs faster addition than
+// the generic add routine since less arithmetic is needed due to the known
+// equivalence.
+func (curve *KoblitzCurve) addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) {
+	// To compute the point addition efficiently, this implementation splits
+	// the equation into intermediate elements which are used to minimize
+	// the number of field multiplications using a slightly modified version
+	// of the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl
+	//
+	// In particular it performs the calculations using the following:
+	// A = X2-X1, B = A^2, C=Y2-Y1, D = C^2, E = X1*B, F = X2*B
+	// X3 = D-E-F, Y3 = C*(E-X3)-Y1*(F-E), Z3 = Z1*A
+	//
+	// This results in a cost of 5 field multiplications, 2 field squarings,
+	// 9 field additions, and 0 integer multiplications.
+
+	// When the x coordinates are the same for two points on the curve, the
+	// y coordinates either must be the same, in which case it is point
+	// doubling, or they are opposite and the result is the point at
+	// infinity per the group law for elliptic curve cryptography.
+	x1.Normalize()
+	y1.Normalize()
+	x2.Normalize()
+	y2.Normalize()
+	if x1.Equals(x2) {
+		if y1.Equals(y2) {
+			// Since x1 == x2 and y1 == y2, point doubling must be
+			// done, otherwise the addition would end up dividing
+			// by zero.
+			curve.doubleJacobian(x1, y1, z1, x3, y3, z3)
+			return
+		}
+
+		// Since x1 == x2 and y1 == -y2, the sum is the point at
+		// infinity per the group law.
+		x3.SetInt(0)
+		y3.SetInt(0)
+		z3.SetInt(0)
+		return
+	}
+
+	// Calculate X3, Y3, and Z3 according to the intermediate elements
+	// breakdown above.
+	var a, b, c, d, e, f fieldVal
+	var negX1, negY1, negE, negX3 fieldVal
+	negX1.Set(x1).Negate(1)                // negX1 = -X1 (mag: 2)
+	negY1.Set(y1).Negate(1)                // negY1 = -Y1 (mag: 2)
+	a.Set(&negX1).Add(x2)                  // A = X2-X1 (mag: 3)
+	b.SquareVal(&a)                        // B = A^2 (mag: 1)
+	c.Set(&negY1).Add(y2)                  // C = Y2-Y1 (mag: 3)
+	d.SquareVal(&c)                        // D = C^2 (mag: 1)
+	e.Mul2(x1, &b)                         // E = X1*B (mag: 1)
+	negE.Set(&e).Negate(1)                 // negE = -E (mag: 2)
+	f.Mul2(x2, &b)                         // F = X2*B (mag: 1)
+	x3.Add2(&e, &f).Negate(3).Add(&d)      // X3 = D-E-F (mag: 5)
+	negX3.Set(x3).Negate(5).Normalize()    // negX3 = -X3 (mag: 1)
+	y3.Set(y1).Mul(f.Add(&negE)).Negate(3) // Y3 = -(Y1*(F-E)) (mag: 4)
+	y3.Add(e.Add(&negX3).Mul(&c))          // Y3 = C*(E-X3)+Y3 (mag: 5)
+	z3.Mul2(z1, &a)                        // Z3 = Z1*A (mag: 1)
+
+	// Normalize the resulting field values to a magnitude of 1 as needed.
+	x3.Normalize()
+	y3.Normalize()
+}
+
+// addZ2EqualsOne adds two Jacobian points when the second point is already
+// known to have a z value of 1 (and the z value for the first point is not 1)
+// and stores the result in (x3, y3, z3).  That is to say (x1, y1, z1) +
+// (x2, y2, 1) = (x3, y3, z3).  It performs faster addition than the generic
+// add routine since less arithmetic is needed due to the ability to avoid
+// multiplications by the second point's z value.
+func (curve *KoblitzCurve) addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3 *fieldVal) {
+	// To compute the point addition efficiently, this implementation splits
+	// the equation into intermediate elements which are used to minimize
+	// the number of field multiplications using the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
+	//
+	// In particular it performs the calculations using the following:
+	// Z1Z1 = Z1^2, U2 = X2*Z1Z1, S2 = Y2*Z1*Z1Z1, H = U2-X1, HH = H^2,
+	// I = 4*HH, J = H*I, r = 2*(S2-Y1), V = X1*I
+	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*Y1*J, Z3 = (Z1+H)^2-Z1Z1-HH
+	//
+	// This results in a cost of 7 field multiplications, 4 field squarings,
+	// 9 field additions, and 4 integer multiplications.
+
+	// When the x coordinates are the same for two points on the curve, the
+	// y coordinates either must be the same, in which case it is point
+	// doubling, or they are opposite and the result is the point at
+	// infinity per the group law for elliptic curve cryptography.  Since
+	// any number of Jacobian coordinates can represent the same affine
+	// point, the x and y values need to be converted to like terms.  Due to
+	// the assumption made for this function that the second point has a z
+	// value of 1 (z2=1), the first point is already "converted".
+	var z1z1, u2, s2 fieldVal
+	x1.Normalize()
+	y1.Normalize()
+	z1z1.SquareVal(z1)                        // Z1Z1 = Z1^2 (mag: 1)
+	u2.Set(x2).Mul(&z1z1).Normalize()         // U2 = X2*Z1Z1 (mag: 1)
+	s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1)
+	if x1.Equals(&u2) {
+		if y1.Equals(&s2) {
+			// Since x1 == x2 and y1 == y2, point doubling must be
+			// done, otherwise the addition would end up dividing
+			// by zero.
+			curve.doubleJacobian(x1, y1, z1, x3, y3, z3)
+			return
+		}
+
+		// Since x1 == x2 and y1 == -y2, the sum is the point at
+		// infinity per the group law.
+		x3.SetInt(0)
+		y3.SetInt(0)
+		z3.SetInt(0)
+		return
+	}
+
+	// Calculate X3, Y3, and Z3 according to the intermediate elements
+	// breakdown above.
+	var h, hh, i, j, r, rr, v fieldVal
+	var negX1, negY1, negX3 fieldVal
+	negX1.Set(x1).Negate(1)                // negX1 = -X1 (mag: 2)
+	h.Add2(&u2, &negX1)                    // H = U2-X1 (mag: 3)
+	hh.SquareVal(&h)                       // HH = H^2 (mag: 1)
+	i.Set(&hh).MulInt(4)                   // I = 4 * HH (mag: 4)
+	j.Mul2(&h, &i)                         // J = H*I (mag: 1)
+	negY1.Set(y1).Negate(1)                // negY1 = -Y1 (mag: 2)
+	r.Set(&s2).Add(&negY1).MulInt(2)       // r = 2*(S2-Y1) (mag: 6)
+	rr.SquareVal(&r)                       // rr = r^2 (mag: 1)
+	v.Mul2(x1, &i)                         // V = X1*I (mag: 1)
+	x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4)
+	x3.Add(&rr)                            // X3 = r^2+X3 (mag: 5)
+	negX3.Set(x3).Negate(5)                // negX3 = -X3 (mag: 6)
+	y3.Set(y1).Mul(&j).MulInt(2).Negate(2) // Y3 = -(2*Y1*J) (mag: 3)
+	y3.Add(v.Add(&negX3).Mul(&r))          // Y3 = r*(V-X3)+Y3 (mag: 4)
+	z3.Add2(z1, &h).Square()               // Z3 = (Z1+H)^2 (mag: 1)
+	z3.Add(z1z1.Add(&hh).Negate(2))        // Z3 = Z3-(Z1Z1+HH) (mag: 4)
+
+	// Normalize the resulting field values to a magnitude of 1 as needed.
+	x3.Normalize()
+	y3.Normalize()
+	z3.Normalize()
+}
+
+// addGeneric adds two Jacobian points (x1, y1, z1) and (x2, y2, z2) without any
+// assumptions about the z values of the two points and stores the result in
+// (x3, y3, z3).  That is to say (x1, y1, z1) + (x2, y2, z2) = (x3, y3, z3).  It
+// is the slowest of the add routines due to requiring the most arithmetic.
+func (curve *KoblitzCurve) addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) {
+	// To compute the point addition efficiently, this implementation splits
+	// the equation into intermediate elements which are used to minimize
+	// the number of field multiplications using the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
+	//
+	// In particular it performs the calculations using the following:
+	// Z1Z1 = Z1^2, Z2Z2 = Z2^2, U1 = X1*Z2Z2, U2 = X2*Z1Z1, S1 = Y1*Z2*Z2Z2
+	// S2 = Y2*Z1*Z1Z1, H = U2-U1, I = (2*H)^2, J = H*I, r = 2*(S2-S1)
+	// V = U1*I
+	// X3 = r^2-J-2*V, Y3 = r*(V-X3)-2*S1*J, Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H
+	//
+	// This results in a cost of 11 field multiplications, 5 field squarings,
+	// 9 field additions, and 4 integer multiplications.
+
+	// When the x coordinates are the same for two points on the curve, the
+	// y coordinates either must be the same, in which case it is point
+	// doubling, or they are opposite and the result is the point at
+	// infinity.  Since any number of Jacobian coordinates can represent the
+	// same affine point, the x and y values need to be converted to like
+	// terms.
+	var z1z1, z2z2, u1, u2, s1, s2 fieldVal
+	z1z1.SquareVal(z1)                        // Z1Z1 = Z1^2 (mag: 1)
+	z2z2.SquareVal(z2)                        // Z2Z2 = Z2^2 (mag: 1)
+	u1.Set(x1).Mul(&z2z2).Normalize()         // U1 = X1*Z2Z2 (mag: 1)
+	u2.Set(x2).Mul(&z1z1).Normalize()         // U2 = X2*Z1Z1 (mag: 1)
+	s1.Set(y1).Mul(&z2z2).Mul(z2).Normalize() // S1 = Y1*Z2*Z2Z2 (mag: 1)
+	s2.Set(y2).Mul(&z1z1).Mul(z1).Normalize() // S2 = Y2*Z1*Z1Z1 (mag: 1)
+	if u1.Equals(&u2) {
+		if s1.Equals(&s2) {
+			// Since x1 == x2 and y1 == y2, point doubling must be
+			// done, otherwise the addition would end up dividing
+			// by zero.
+			curve.doubleJacobian(x1, y1, z1, x3, y3, z3)
+			return
+		}
+
+		// Since x1 == x2 and y1 == -y2, the sum is the point at
+		// infinity per the group law.
+		x3.SetInt(0)
+		y3.SetInt(0)
+		z3.SetInt(0)
+		return
+	}
+
+	// Calculate X3, Y3, and Z3 according to the intermediate elements
+	// breakdown above.
+	var h, i, j, r, rr, v fieldVal
+	var negU1, negS1, negX3 fieldVal
+	negU1.Set(&u1).Negate(1)               // negU1 = -U1 (mag: 2)
+	h.Add2(&u2, &negU1)                    // H = U2-U1 (mag: 3)
+	i.Set(&h).MulInt(2).Square()           // I = (2*H)^2 (mag: 2)
+	j.Mul2(&h, &i)                         // J = H*I (mag: 1)
+	negS1.Set(&s1).Negate(1)               // negS1 = -S1 (mag: 2)
+	r.Set(&s2).Add(&negS1).MulInt(2)       // r = 2*(S2-S1) (mag: 6)
+	rr.SquareVal(&r)                       // rr = r^2 (mag: 1)
+	v.Mul2(&u1, &i)                        // V = U1*I (mag: 1)
+	x3.Set(&v).MulInt(2).Add(&j).Negate(3) // X3 = -(J+2*V) (mag: 4)
+	x3.Add(&rr)                            // X3 = r^2+X3 (mag: 5)
+	negX3.Set(x3).Negate(5)                // negX3 = -X3 (mag: 6)
+	y3.Mul2(&s1, &j).MulInt(2).Negate(2)   // Y3 = -(2*S1*J) (mag: 3)
+	y3.Add(v.Add(&negX3).Mul(&r))          // Y3 = r*(V-X3)+Y3 (mag: 4)
+	z3.Add2(z1, z2).Square()               // Z3 = (Z1+Z2)^2 (mag: 1)
+	z3.Add(z1z1.Add(&z2z2).Negate(2))      // Z3 = Z3-(Z1Z1+Z2Z2) (mag: 4)
+	z3.Mul(&h)                             // Z3 = Z3*H (mag: 1)
+
+	// Normalize the resulting field values to a magnitude of 1 as needed.
+	x3.Normalize()
+	y3.Normalize()
+}
+
+// addJacobian adds the passed Jacobian points (x1, y1, z1) and (x2, y2, z2)
+// together and stores the result in (x3, y3, z3).
+func (curve *KoblitzCurve) addJacobian(x1, y1, z1, x2, y2, z2, x3, y3, z3 *fieldVal) {
+	// A point at infinity is the identity according to the group law for
+	// elliptic curve cryptography.  Thus, ∞ + P = P and P + ∞ = P.
+	if (x1.IsZero() && y1.IsZero()) || z1.IsZero() {
+		x3.Set(x2)
+		y3.Set(y2)
+		z3.Set(z2)
+		return
+	}
+	if (x2.IsZero() && y2.IsZero()) || z2.IsZero() {
+		x3.Set(x1)
+		y3.Set(y1)
+		z3.Set(z1)
+		return
+	}
+
+	// Faster point addition can be achieved when certain assumptions are
+	// met.  For example, when both points have the same z value, arithmetic
+	// on the z values can be avoided.  This section thus checks for these
+	// conditions and calls an appropriate add function which is accelerated
+	// by using those assumptions.
+	z1.Normalize()
+	z2.Normalize()
+	isZ1One := z1.Equals(fieldOne)
+	isZ2One := z2.Equals(fieldOne)
+	switch {
+	case isZ1One && isZ2One:
+		curve.addZ1AndZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3)
+		return
+	case z1.Equals(z2):
+		curve.addZ1EqualsZ2(x1, y1, z1, x2, y2, x3, y3, z3)
+		return
+	case isZ2One:
+		curve.addZ2EqualsOne(x1, y1, z1, x2, y2, x3, y3, z3)
+		return
+	}
+
+	// None of the above assumptions are true, so fall back to generic
+	// point addition.
+	curve.addGeneric(x1, y1, z1, x2, y2, z2, x3, y3, z3)
+}
+
+// Add returns the sum of (x1,y1) and (x2,y2). Part of the elliptic.Curve
+// interface.
+func (curve *KoblitzCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
+	// A point at infinity is the identity according to the group law for
+	// elliptic curve cryptography.  Thus, ∞ + P = P and P + ∞ = P.
+	if x1.Sign() == 0 && y1.Sign() == 0 {
+		return x2, y2
+	}
+	if x2.Sign() == 0 && y2.Sign() == 0 {
+		return x1, y1
+	}
+
+	// Convert the affine coordinates from big integers to field values
+	// and do the point addition in Jacobian projective space.
+	fx1, fy1 := curve.bigAffineToField(x1, y1)
+	fx2, fy2 := curve.bigAffineToField(x2, y2)
+	fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal)
+	fOne := new(fieldVal).SetInt(1)
+	curve.addJacobian(fx1, fy1, fOne, fx2, fy2, fOne, fx3, fy3, fz3)
+
+	// Convert the Jacobian coordinate field values back to affine big
+	// integers.
+	return curve.fieldJacobianToBigAffine(fx3, fy3, fz3)
+}
+
+// doubleZ1EqualsOne performs point doubling on the passed Jacobian point
+// when the point is already known to have a z value of 1 and stores
+// the result in (x3, y3, z3).  That is to say (x3, y3, z3) = 2*(x1, y1, 1).  It
+// performs faster point doubling than the generic routine since less arithmetic
+// is needed due to the ability to avoid multiplication by the z value.
+func (curve *KoblitzCurve) doubleZ1EqualsOne(x1, y1, x3, y3, z3 *fieldVal) {
+	// This function uses the assumptions that z1 is 1, thus the point
+	// doubling formulas reduce to:
+	//
+	// X3 = (3*X1^2)^2 - 8*X1*Y1^2
+	// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4
+	// Z3 = 2*Y1
+	//
+	// To compute the above efficiently, this implementation splits the
+	// equation into intermediate elements which are used to minimize the
+	// number of field multiplications in favor of field squarings which
+	// are roughly 35% faster than field multiplications with the current
+	// implementation at the time this was written.
+	//
+	// This uses a slightly modified version of the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl
+	//
+	// In particular it performs the calculations using the following:
+	// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C)
+	// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C
+	// Z3 = 2*Y1
+	//
+	// This results in a cost of 1 field multiplication, 5 field squarings,
+	// 6 field additions, and 5 integer multiplications.
+	var a, b, c, d, e, f fieldVal
+	z3.Set(y1).MulInt(2)                     // Z3 = 2*Y1 (mag: 2)
+	a.SquareVal(x1)                          // A = X1^2 (mag: 1)
+	b.SquareVal(y1)                          // B = Y1^2 (mag: 1)
+	c.SquareVal(&b)                          // C = B^2 (mag: 1)
+	b.Add(x1).Square()                       // B = (X1+B)^2 (mag: 1)
+	d.Set(&a).Add(&c).Negate(2)              // D = -(A+C) (mag: 3)
+	d.Add(&b).MulInt(2)                      // D = 2*(B+D)(mag: 8)
+	e.Set(&a).MulInt(3)                      // E = 3*A (mag: 3)
+	f.SquareVal(&e)                          // F = E^2 (mag: 1)
+	x3.Set(&d).MulInt(2).Negate(16)          // X3 = -(2*D) (mag: 17)
+	x3.Add(&f)                               // X3 = F+X3 (mag: 18)
+	f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1)
+	y3.Set(&c).MulInt(8).Negate(8)           // Y3 = -(8*C) (mag: 9)
+	y3.Add(f.Mul(&e))                        // Y3 = E*F+Y3 (mag: 10)
+
+	// Normalize the field values back to a magnitude of 1.
+	x3.Normalize()
+	y3.Normalize()
+	z3.Normalize()
+}
+
+// doubleGeneric performs point doubling on the passed Jacobian point without
+// any assumptions about the z value and stores the result in (x3, y3, z3).
+// That is to say (x3, y3, z3) = 2*(x1, y1, z1).  It is the slowest of the point
+// doubling routines due to requiring the most arithmetic.
+func (curve *KoblitzCurve) doubleGeneric(x1, y1, z1, x3, y3, z3 *fieldVal) {
+	// Point doubling formula for Jacobian coordinates for the secp256k1
+	// curve:
+	// X3 = (3*X1^2)^2 - 8*X1*Y1^2
+	// Y3 = (3*X1^2)*(4*X1*Y1^2 - X3) - 8*Y1^4
+	// Z3 = 2*Y1*Z1
+	//
+	// To compute the above efficiently, this implementation splits the
+	// equation into intermediate elements which are used to minimize the
+	// number of field multiplications in favor of field squarings which
+	// are roughly 35% faster than field multiplications with the current
+	// implementation at the time this was written.
+	//
+	// This uses a slightly modified version of the method shown at:
+	// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
+	//
+	// In particular it performs the calculations using the following:
+	// A = X1^2, B = Y1^2, C = B^2, D = 2*((X1+B)^2-A-C)
+	// E = 3*A, F = E^2, X3 = F-2*D, Y3 = E*(D-X3)-8*C
+	// Z3 = 2*Y1*Z1
+	//
+	// This results in a cost of 1 field multiplication, 5 field squarings,
+	// 6 field additions, and 5 integer multiplications.
+	var a, b, c, d, e, f fieldVal
+	z3.Mul2(y1, z1).MulInt(2)                // Z3 = 2*Y1*Z1 (mag: 2)
+	a.SquareVal(x1)                          // A = X1^2 (mag: 1)
+	b.SquareVal(y1)                          // B = Y1^2 (mag: 1)
+	c.SquareVal(&b)                          // C = B^2 (mag: 1)
+	b.Add(x1).Square()                       // B = (X1+B)^2 (mag: 1)
+	d.Set(&a).Add(&c).Negate(2)              // D = -(A+C) (mag: 3)
+	d.Add(&b).MulInt(2)                      // D = 2*(B+D)(mag: 8)
+	e.Set(&a).MulInt(3)                      // E = 3*A (mag: 3)
+	f.SquareVal(&e)                          // F = E^2 (mag: 1)
+	x3.Set(&d).MulInt(2).Negate(16)          // X3 = -(2*D) (mag: 17)
+	x3.Add(&f)                               // X3 = F+X3 (mag: 18)
+	f.Set(x3).Negate(18).Add(&d).Normalize() // F = D-X3 (mag: 1)
+	y3.Set(&c).MulInt(8).Negate(8)           // Y3 = -(8*C) (mag: 9)
+	y3.Add(f.Mul(&e))                        // Y3 = E*F+Y3 (mag: 10)
+
+	// Normalize the field values back to a magnitude of 1.
+	x3.Normalize()
+	y3.Normalize()
+	z3.Normalize()
+}
+
+// doubleJacobian doubles the passed Jacobian point (x1, y1, z1) and stores the
+// result in (x3, y3, z3).
+func (curve *KoblitzCurve) doubleJacobian(x1, y1, z1, x3, y3, z3 *fieldVal) {
+	// Doubling a point at infinity is still infinity.
+	if y1.IsZero() || z1.IsZero() {
+		x3.SetInt(0)
+		y3.SetInt(0)
+		z3.SetInt(0)
+		return
+	}
+
+	// Slightly faster point doubling can be achieved when the z value is 1
+	// by avoiding the multiplication on the z value.  This section calls
+	// a point doubling function which is accelerated by using that
+	// assumption when possible.
+	if z1.Normalize().Equals(fieldOne) {
+		curve.doubleZ1EqualsOne(x1, y1, x3, y3, z3)
+		return
+	}
+
+	// Fall back to generic point doubling which works with arbitrary z
+	// values.
+	curve.doubleGeneric(x1, y1, z1, x3, y3, z3)
+}
+
+// Double returns 2*(x1,y1). Part of the elliptic.Curve interface.
+func (curve *KoblitzCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
+	if y1.Sign() == 0 {
+		return new(big.Int), new(big.Int)
+	}
+
+	// Convert the affine coordinates from big integers to field values
+	// and do the point doubling in Jacobian projective space.
+	fx1, fy1 := curve.bigAffineToField(x1, y1)
+	fx3, fy3, fz3 := new(fieldVal), new(fieldVal), new(fieldVal)
+	fOne := new(fieldVal).SetInt(1)
+	curve.doubleJacobian(fx1, fy1, fOne, fx3, fy3, fz3)
+
+	// Convert the Jacobian coordinate field values back to affine big
+	// integers.
+	return curve.fieldJacobianToBigAffine(fx3, fy3, fz3)
+}
+
+// splitK returns a balanced length-two representation of k and their signs.
+// This is algorithm 3.74 from [GECC].
+//
+// One thing of note about this algorithm is that no matter what c1 and c2 are,
+// the final equation of k = k1 + k2 * lambda (mod n) will hold.  This is
+// provable mathematically due to how a1/b1/a2/b2 are computed.
+//
+// c1 and c2 are chosen to minimize the max(k1,k2).
+func (curve *KoblitzCurve) splitK(k []byte) ([]byte, []byte, int, int) {
+	// All math here is done with big.Int, which is slow.
+	// At some point, it might be useful to write something similar to
+	// fieldVal but for N instead of P as the prime field if this ends up
+	// being a bottleneck.
+	bigIntK := new(big.Int)
+	c1, c2 := new(big.Int), new(big.Int)
+	tmp1, tmp2 := new(big.Int), new(big.Int)
+	k1, k2 := new(big.Int), new(big.Int)
+
+	bigIntK.SetBytes(k)
+	// c1 = round(b2 * k / n) from step 4.
+	// Rounding isn't really necessary and costs too much, hence skipped
+	c1.Mul(curve.b2, bigIntK)
+	c1.Div(c1, curve.N)
+	// c2 = round(b1 * k / n) from step 4 (sign reversed to optimize one step)
+	// Rounding isn't really necessary and costs too much, hence skipped
+	c2.Mul(curve.b1, bigIntK)
+	c2.Div(c2, curve.N)
+	// k1 = k - c1 * a1 - c2 * a2 from step 5 (note c2's sign is reversed)
+	tmp1.Mul(c1, curve.a1)
+	tmp2.Mul(c2, curve.a2)
+	k1.Sub(bigIntK, tmp1)
+	k1.Add(k1, tmp2)
+	// k2 = - c1 * b1 - c2 * b2 from step 5 (note c2's sign is reversed)
+	tmp1.Mul(c1, curve.b1)
+	tmp2.Mul(c2, curve.b2)
+	k2.Sub(tmp2, tmp1)
+
+	// Note Bytes() throws out the sign of k1 and k2. This matters
+	// since k1 and/or k2 can be negative. Hence, we pass that
+	// back separately.
+	return k1.Bytes(), k2.Bytes(), k1.Sign(), k2.Sign()
+}
+
+// moduloReduce reduces k from more than 32 bytes to 32 bytes and under.  This
+// is done by doing a simple modulo curve.N.  We can do this since G^N = 1 and
+// thus any other valid point on the elliptic curve has the same order.
+func (curve *KoblitzCurve) moduloReduce(k []byte) []byte {
+	// Since the order of G is curve.N, we can use a much smaller number
+	// by doing modulo curve.N
+	if len(k) > curve.byteSize {
+		// Reduce k by performing modulo curve.N.
+		tmpK := new(big.Int).SetBytes(k)
+		tmpK.Mod(tmpK, curve.N)
+		return tmpK.Bytes()
+	}
+
+	return k
+}
+
+// NAF takes a positive integer k and returns the Non-Adjacent Form (NAF) as two
+// byte slices.  The first is where 1s will be.  The second is where -1s will
+// be.  NAF is convenient in that on average, only 1/3rd of its values are
+// non-zero.  This is algorithm 3.30 from [GECC].
+//
+// Essentially, this makes it possible to minimize the number of operations
+// since the resulting ints returned will be at least 50% 0s.
+func NAF(k []byte) ([]byte, []byte) {
+	// The essence of this algorithm is that whenever we have consecutive 1s
+	// in the binary, we want to put a -1 in the lowest bit and get a bunch
+	// of 0s up to the highest bit of consecutive 1s.  This is due to this
+	// identity:
+	// 2^n + 2^(n-1) + 2^(n-2) + ... + 2^(n-k) = 2^(n+1) - 2^(n-k)
+	//
+	// The algorithm thus may need to go 1 more bit than the length of the
+	// bits we actually have, hence bits being 1 bit longer than was
+	// necessary.  Since we need to know whether adding will cause a carry,
+	// we go from right-to-left in this addition.
+	var carry, curIsOne, nextIsOne bool
+	// these default to zero
+	retPos := make([]byte, len(k)+1)
+	retNeg := make([]byte, len(k)+1)
+	for i := len(k) - 1; i >= 0; i-- {
+		curByte := k[i]
+		for j := uint(0); j < 8; j++ {
+			curIsOne = curByte&1 == 1
+			if j == 7 {
+				if i == 0 {
+					nextIsOne = false
+				} else {
+					nextIsOne = k[i-1]&1 == 1
+				}
+			} else {
+				nextIsOne = curByte&2 == 2
+			}
+			if carry {
+				if curIsOne {
+					// This bit is 1, so continue to carry
+					// and don't need to do anything.
+				} else {
+					// We've hit a 0 after some number of
+					// 1s.
+					if nextIsOne {
+						// Start carrying again since
+						// a new sequence of 1s is
+						// starting.
+						retNeg[i+1] += 1 << j
+					} else {
+						// Stop carrying since 1s have
+						// stopped.
+						carry = false
+						retPos[i+1] += 1 << j
+					}
+				}
+			} else if curIsOne {
+				if nextIsOne {
+					// If this is the start of at least 2
+					// consecutive 1s, set the current one
+					// to -1 and start carrying.
+					retNeg[i+1] += 1 << j
+					carry = true
+				} else {
+					// This is a singleton, not consecutive
+					// 1s.
+					retPos[i+1] += 1 << j
+				}
+			}
+			curByte >>= 1
+		}
+	}
+	if carry {
+		retPos[0] = 1
+	}
+
+	return retPos, retNeg
+}
+
+// ScalarMult returns k*(Bx, By) where k is a big endian integer.
+// Part of the elliptic.Curve interface.
+func (curve *KoblitzCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) {
+	// Point Q = ∞ (point at infinity).
+	qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal)
+
+	// Decompose K into k1 and k2 in order to halve the number of EC ops.
+	// See Algorithm 3.74 in [GECC].
+	k1, k2, signK1, signK2 := curve.splitK(curve.moduloReduce(k))
+
+	// The main equation here to remember is:
+	//   k * P = k1 * P + k2 * ϕ(P)
+	//
+	// P1 below is P in the equation, P2 below is ϕ(P) in the equation
+	p1x, p1y := curve.bigAffineToField(Bx, By)
+	p1yNeg := new(fieldVal).NegateVal(p1y, 1)
+	p1z := new(fieldVal).SetInt(1)
+
+	// NOTE: ϕ(x,y) = (βx,y).  The Jacobian z coordinate is 1, so this math
+	// goes through.
+	p2x := new(fieldVal).Mul2(p1x, curve.beta)
+	p2y := new(fieldVal).Set(p1y)
+	p2yNeg := new(fieldVal).NegateVal(p2y, 1)
+	p2z := new(fieldVal).SetInt(1)
+
+	// Flip the positive and negative values of the points as needed
+	// depending on the signs of k1 and k2.  As mentioned in the equation
+	// above, each of k1 and k2 are multiplied by the respective point.
+	// Since -k * P is the same thing as k * -P, and the group law for
+	// elliptic curves states that P(x, y) = -P(x, -y), it's faster and
+	// simplifies the code to just make the point negative.
+	if signK1 == -1 {
+		p1y, p1yNeg = p1yNeg, p1y
+	}
+	if signK2 == -1 {
+		p2y, p2yNeg = p2yNeg, p2y
+	}
+
+	// NAF versions of k1 and k2 should have a lot more zeros.
+	//
+	// The Pos version of the bytes contain the +1s and the Neg versions
+	// contain the -1s.
+	k1PosNAF, k1NegNAF := NAF(k1)
+	k2PosNAF, k2NegNAF := NAF(k2)
+	k1Len := len(k1PosNAF)
+	k2Len := len(k2PosNAF)
+
+	m := k1Len
+	if m < k2Len {
+		m = k2Len
+	}
+
+	// Add left-to-right using the NAF optimization.  See algorithm 3.77
+	// from [GECC].  This should be faster overall since there will be a lot
+	// more instances of 0, hence reducing the number of Jacobian additions
+	// at the cost of 1 possible extra doubling.
+	var k1BytePos, k1ByteNeg, k2BytePos, k2ByteNeg byte
+	for i := 0; i < m; i++ {
+		// Since we're going left-to-right, pad the front with 0s.
+		if i < m-k1Len {
+			k1BytePos = 0
+			k1ByteNeg = 0
+		} else {
+			k1BytePos = k1PosNAF[i-(m-k1Len)]
+			k1ByteNeg = k1NegNAF[i-(m-k1Len)]
+		}
+		if i < m-k2Len {
+			k2BytePos = 0
+			k2ByteNeg = 0
+		} else {
+			k2BytePos = k2PosNAF[i-(m-k2Len)]
+			k2ByteNeg = k2NegNAF[i-(m-k2Len)]
+		}
+
+		for j := 7; j >= 0; j-- {
+			// Q = 2 * Q
+			curve.doubleJacobian(qx, qy, qz, qx, qy, qz)
+
+			if k1BytePos&0x80 == 0x80 {
+				curve.addJacobian(qx, qy, qz, p1x, p1y, p1z,
+					qx, qy, qz)
+			} else if k1ByteNeg&0x80 == 0x80 {
+				curve.addJacobian(qx, qy, qz, p1x, p1yNeg, p1z,
+					qx, qy, qz)
+			}
+
+			if k2BytePos&0x80 == 0x80 {
+				curve.addJacobian(qx, qy, qz, p2x, p2y, p2z,
+					qx, qy, qz)
+			} else if k2ByteNeg&0x80 == 0x80 {
+				curve.addJacobian(qx, qy, qz, p2x, p2yNeg, p2z,
+					qx, qy, qz)
+			}
+			k1BytePos <<= 1
+			k1ByteNeg <<= 1
+			k2BytePos <<= 1
+			k2ByteNeg <<= 1
+		}
+	}
+
+	// Convert the Jacobian coordinate field values back to affine big.Ints.
+	return curve.fieldJacobianToBigAffine(qx, qy, qz)
+}
+
+// ScalarBaseMult returns k*G where G is the base point of the group and k is a
+// big endian integer.
+// Part of the elliptic.Curve interface.
+func (curve *KoblitzCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {
+	newK := curve.moduloReduce(k)
+	diff := len(curve.bytePoints) - len(newK)
+
+	// Point Q = ∞ (point at infinity).
+	qx, qy, qz := new(fieldVal), new(fieldVal), new(fieldVal)
+
+	// curve.bytePoints has all 256 byte points for each 8-bit window. The
+	// strategy is to add up the byte points. This is best understood by
+	// expressing k in base-256 which it already sort of is.
+	// Each "digit" in the 8-bit window can be looked up using bytePoints
+	// and added together.
+	for i, byteVal := range newK {
+		p := curve.bytePoints[diff+i][byteVal]
+		curve.addJacobian(qx, qy, qz, &p[0], &p[1], &p[2], qx, qy, qz)
+	}
+	return curve.fieldJacobianToBigAffine(qx, qy, qz)
+}
+
+// QPlus1Div4 returns the Q+1/4 constant for the curve for use in calculating
+// square roots via exponention.
+func (curve *KoblitzCurve) QPlus1Div4() *big.Int {
+	return curve.q
+}
+
+var initonce sync.Once
+var secp256k1 KoblitzCurve
+
+func initAll() {
+	initS256()
+}
+
+// fromHex converts the passed hex string into a big integer pointer and will
+// panic is there is an error.  This is only provided for the hard-coded
+// constants so errors in the source code can bet detected. It will only (and
+// must only) be called for initialization purposes.
+func fromHex(s string) *big.Int {
+	r, ok := new(big.Int).SetString(s, 16)
+	if !ok {
+		panic("invalid hex in source file: " + s)
+	}
+	return r
+}
+
+func initS256() {
+	// Curve parameters taken from [SECG] section 2.4.1.
+	secp256k1.CurveParams = new(elliptic.CurveParams)
+	secp256k1.P = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F")
+	secp256k1.N = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")
+	secp256k1.B = fromHex("0000000000000000000000000000000000000000000000000000000000000007")
+	secp256k1.Gx = fromHex("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")
+	secp256k1.Gy = fromHex("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8")
+	secp256k1.BitSize = 256
+	secp256k1.H = 1
+	secp256k1.q = new(big.Int).Div(new(big.Int).Add(secp256k1.P,
+		big.NewInt(1)), big.NewInt(4))
+
+	// Provided for convenience since this gets computed repeatedly.
+	secp256k1.byteSize = secp256k1.BitSize / 8
+
+	// Deserialize and set the pre-computed table used to accelerate scalar
+	// base multiplication.  This is hard-coded data, so any errors are
+	// panics because it means something is wrong in the source code.
+	if err := loadS256BytePoints(); err != nil {
+		panic(err)
+	}
+
+	// Next 6 constants are from Hal Finney's bitcointalk.org post:
+	// https://bitcointalk.org/index.php?topic=3238.msg45565#msg45565
+	// May he rest in peace.
+	//
+	// They have also been independently derived from the code in the
+	// EndomorphismVectors function in gensecp256k1.go.
+	secp256k1.lambda = fromHex("5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72")
+	secp256k1.beta = new(fieldVal).SetHex("7AE96A2B657C07106E64479EAC3434E99CF0497512F58995C1396C28719501EE")
+	secp256k1.a1 = fromHex("3086D221A7D46BCDE86C90E49284EB15")
+	secp256k1.b1 = fromHex("-E4437ED6010E88286F547FA90ABFE4C3")
+	secp256k1.a2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8")
+	secp256k1.b2 = fromHex("3086D221A7D46BCDE86C90E49284EB15")
+
+	// Alternatively, we can use the parameters below, however, they seem
+	//  to be about 8% slower.
+	// secp256k1.lambda = fromHex("AC9C52B33FA3CF1F5AD9E3FD77ED9BA4A880B9FC8EC739C2E0CFC810B51283CE")
+	// secp256k1.beta = new(fieldVal).SetHex("851695D49A83F8EF919BB86153CBCB16630FB68AED0A766A3EC693D68E6AFA40")
+	// secp256k1.a1 = fromHex("E4437ED6010E88286F547FA90ABFE4C3")
+	// secp256k1.b1 = fromHex("-3086D221A7D46BCDE86C90E49284EB15")
+	// secp256k1.a2 = fromHex("3086D221A7D46BCDE86C90E49284EB15")
+	// secp256k1.b2 = fromHex("114CA50F7A8E2F3F657C1108D9D44CFD8")
+}
+
+// S256 returns a Curve which implements secp256k1.
+func S256() *KoblitzCurve {
+	initonce.Do(initAll)
+	return &secp256k1
+}

vendor/github.com/btcsuite/btcd/btcec/ciphering.go

@@ -0,0 +1,216 @@
+// Copyright (c) 2015-2016 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+	"errors"
+	"io"
+)
+
+var (
+	// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails
+	// during decryption. This happens because of either invalid private key or
+	// corrupt ciphertext.
+	ErrInvalidMAC = errors.New("invalid mac hash")
+
+	// errInputTooShort occurs when the input ciphertext to the Decrypt
+	// function is less than 134 bytes long.
+	errInputTooShort = errors.New("ciphertext too short")
+
+	// errUnsupportedCurve occurs when the first two bytes of the encrypted
+	// text aren't 0x02CA (= 712 = secp256k1, from OpenSSL).
+	errUnsupportedCurve = errors.New("unsupported curve")
+
+	errInvalidXLength = errors.New("invalid X length, must be 32")
+	errInvalidYLength = errors.New("invalid Y length, must be 32")
+	errInvalidPadding = errors.New("invalid PKCS#7 padding")
+
+	// 0x02CA = 714
+	ciphCurveBytes = [2]byte{0x02, 0xCA}
+	// 0x20 = 32
+	ciphCoordLength = [2]byte{0x00, 0x20}
+)
+
+// GenerateSharedSecret generates a shared secret based on a private key and a
+// public key using Diffie-Hellman key exchange (ECDH) (RFC 4753).
+// RFC5903 Section 9 states we should only return x.
+func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte {
+	x, _ := pubkey.Curve.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes())
+	return x.Bytes()
+}
+
+// Encrypt encrypts data for the target public key using AES-256-CBC. It also
+// generates a private key (the pubkey of which is also in the output). The only
+// supported curve is secp256k1. The `structure' that it encodes everything into
+// is:
+//
+//	struct {
+//		// Initialization Vector used for AES-256-CBC
+//		IV [16]byte
+//		// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyX +
+//		// len_of_pubkeyY(2) + pubkeyY (curve = 714)
+//		PublicKey [70]byte
+//		// Cipher text
+//		Data []byte
+//		// HMAC-SHA-256 Message Authentication Code
+//		HMAC [32]byte
+//	}
+//
+// The primary aim is to ensure byte compatibility with Pyelliptic.  Also, refer
+// to section 5.8.1 of ANSI X9.63 for rationale on this format.
+func Encrypt(pubkey *PublicKey, in []byte) ([]byte, error) {
+	ephemeral, err := NewPrivateKey(S256())
+	if err != nil {
+		return nil, err
+	}
+	ecdhKey := GenerateSharedSecret(ephemeral, pubkey)
+	derivedKey := sha512.Sum512(ecdhKey)
+	keyE := derivedKey[:32]
+	keyM := derivedKey[32:]
+
+	paddedIn := addPKCSPadding(in)
+	// IV + Curve params/X/Y + padded plaintext/ciphertext + HMAC-256
+	out := make([]byte, aes.BlockSize+70+len(paddedIn)+sha256.Size)
+	iv := out[:aes.BlockSize]
+	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	// start writing public key
+	pb := ephemeral.PubKey().SerializeUncompressed()
+	offset := aes.BlockSize
+
+	// curve and X length
+	copy(out[offset:offset+4], append(ciphCurveBytes[:], ciphCoordLength[:]...))
+	offset += 4
+	// X
+	copy(out[offset:offset+32], pb[1:33])
+	offset += 32
+	// Y length
+	copy(out[offset:offset+2], ciphCoordLength[:])
+	offset += 2
+	// Y
+	copy(out[offset:offset+32], pb[33:])
+	offset += 32
+
+	// start encryption
+	block, err := aes.NewCipher(keyE)
+	if err != nil {
+		return nil, err
+	}
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(out[offset:len(out)-sha256.Size], paddedIn)
+
+	// start HMAC-SHA-256
+	hm := hmac.New(sha256.New, keyM)
+	hm.Write(out[:len(out)-sha256.Size])          // everything is hashed
+	copy(out[len(out)-sha256.Size:], hm.Sum(nil)) // write checksum
+
+	return out, nil
+}
+
+// Decrypt decrypts data that was encrypted using the Encrypt function.
+func Decrypt(priv *PrivateKey, in []byte) ([]byte, error) {
+	// IV + Curve params/X/Y + 1 block + HMAC-256
+	if len(in) < aes.BlockSize+70+aes.BlockSize+sha256.Size {
+		return nil, errInputTooShort
+	}
+
+	// read iv
+	iv := in[:aes.BlockSize]
+	offset := aes.BlockSize
+
+	// start reading pubkey
+	if !bytes.Equal(in[offset:offset+2], ciphCurveBytes[:]) {
+		return nil, errUnsupportedCurve
+	}
+	offset += 2
+
+	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) {
+		return nil, errInvalidXLength
+	}
+	offset += 2
+
+	xBytes := in[offset : offset+32]
+	offset += 32
+
+	if !bytes.Equal(in[offset:offset+2], ciphCoordLength[:]) {
+		return nil, errInvalidYLength
+	}
+	offset += 2
+
+	yBytes := in[offset : offset+32]
+	offset += 32
+
+	pb := make([]byte, 65)
+	pb[0] = byte(0x04) // uncompressed
+	copy(pb[1:33], xBytes)
+	copy(pb[33:], yBytes)
+	// check if (X, Y) lies on the curve and create a Pubkey if it does
+	pubkey, err := ParsePubKey(pb, S256())
+	if err != nil {
+		return nil, err
+	}
+
+	// check for cipher text length
+	if (len(in)-aes.BlockSize-offset-sha256.Size)%aes.BlockSize != 0 {
+		return nil, errInvalidPadding // not padded to 16 bytes
+	}
+
+	// read hmac
+	messageMAC := in[len(in)-sha256.Size:]
+
+	// generate shared secret
+	ecdhKey := GenerateSharedSecret(priv, pubkey)
+	derivedKey := sha512.Sum512(ecdhKey)
+	keyE := derivedKey[:32]
+	keyM := derivedKey[32:]
+
+	// verify mac
+	hm := hmac.New(sha256.New, keyM)
+	hm.Write(in[:len(in)-sha256.Size]) // everything is hashed
+	expectedMAC := hm.Sum(nil)
+	if !hmac.Equal(messageMAC, expectedMAC) {
+		return nil, ErrInvalidMAC
+	}
+
+	// start decryption
+	block, err := aes.NewCipher(keyE)
+	if err != nil {
+		return nil, err
+	}
+	mode := cipher.NewCBCDecrypter(block, iv)
+	// same length as ciphertext
+	plaintext := make([]byte, len(in)-offset-sha256.Size)
+	mode.CryptBlocks(plaintext, in[offset:len(in)-sha256.Size])
+
+	return removePKCSPadding(plaintext)
+}
+
+// Implement PKCS#7 padding with block size of 16 (AES block size).
+
+// addPKCSPadding adds padding to a block of data
+func addPKCSPadding(src []byte) []byte {
+	padding := aes.BlockSize - len(src)%aes.BlockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(src, padtext...)
+}
+
+// removePKCSPadding removes padding from data that was added with addPKCSPadding
+func removePKCSPadding(src []byte) ([]byte, error) {
+	length := len(src)
+	padLength := int(src[length-1])
+	if padLength > aes.BlockSize || length < aes.BlockSize {
+		return nil, errInvalidPadding
+	}
+
+	return src[:length-padLength], nil
+}

vendor/github.com/btcsuite/btcd/btcec/doc.go

@@ -0,0 +1,21 @@
+// Copyright (c) 2013-2014 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+/*
+Package btcec implements support for the elliptic curves needed for bitcoin.
+
+Bitcoin uses elliptic curve cryptography using koblitz curves
+(specifically secp256k1) for cryptographic functions.  See
+http://www.secg.org/collateral/sec2_final.pdf for details on the
+standard.
+
+This package provides the data structures and functions implementing the
+crypto/elliptic Curve interface in order to permit using these curves
+with the standard crypto/ecdsa package provided with go. Helper
+functionality is provided to parse signatures and public keys from
+standard formats.  It was designed for use with btcd, but should be
+general enough for other uses of elliptic curve crypto.  It was originally based
+on some initial work by ThePiachu, but has significantly diverged since then.
+*/
+package btcec

vendor/github.com/btcsuite/btcd/btcec/field.go

@@ -0,0 +1,1262 @@
+// Copyright (c) 2013-2016 The btcsuite developers
+// Copyright (c) 2013-2016 Dave Collins
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+// References:
+//   [HAC]: Handbook of Applied Cryptography Menezes, van Oorschot, Vanstone.
+//     http://cacr.uwaterloo.ca/hac/
+
+// All elliptic curve operations for secp256k1 are done in a finite field
+// characterized by a 256-bit prime.  Given this precision is larger than the
+// biggest available native type, obviously some form of bignum math is needed.
+// This package implements specialized fixed-precision field arithmetic rather
+// than relying on an arbitrary-precision arithmetic package such as math/big
+// for dealing with the field math since the size is known.  As a result, rather
+// large performance gains are achieved by taking advantage of many
+// optimizations not available to arbitrary-precision arithmetic and generic
+// modular arithmetic algorithms.
+//
+// There are various ways to internally represent each finite field element.
+// For example, the most obvious representation would be to use an array of 4
+// uint64s (64 bits * 4 = 256 bits).  However, that representation suffers from
+// a couple of issues.  First, there is no native Go type large enough to handle
+// the intermediate results while adding or multiplying two 64-bit numbers, and
+// second there is no space left for overflows when performing the intermediate
+// arithmetic between each array element which would lead to expensive carry
+// propagation.
+//
+// Given the above, this implementation represents the the field elements as
+// 10 uint32s with each word (array entry) treated as base 2^26.  This was
+// chosen for the following reasons:
+// 1) Most systems at the current time are 64-bit (or at least have 64-bit
+//    registers available for specialized purposes such as MMX) so the
+//    intermediate results can typically be done using a native register (and
+//    using uint64s to avoid the need for additional half-word arithmetic)
+// 2) In order to allow addition of the internal words without having to
+//    propagate the the carry, the max normalized value for each register must
+//    be less than the number of bits available in the register
+// 3) Since we're dealing with 32-bit values, 64-bits of overflow is a
+//    reasonable choice for #2
+// 4) Given the need for 256-bits of precision and the properties stated in #1,
+//    #2, and #3, the representation which best accommodates this is 10 uint32s
+//    with base 2^26 (26 bits * 10 = 260 bits, so the final word only needs 22
+//    bits) which leaves the desired 64 bits (32 * 10 = 320, 320 - 256 = 64) for
+//    overflow
+//
+// Since it is so important that the field arithmetic is extremely fast for
+// high performance crypto, this package does not perform any validation where
+// it ordinarily would.  For example, some functions only give the correct
+// result is the field is normalized and there is no checking to ensure it is.
+// While I typically prefer to ensure all state and input is valid for most
+// packages, this code is really only used internally and every extra check
+// counts.
+
+import (
+	"encoding/hex"
+)
+
+// Constants used to make the code more readable.
+const (
+	twoBitsMask   = 0x3
+	fourBitsMask  = 0xf
+	sixBitsMask   = 0x3f
+	eightBitsMask = 0xff
+)
+
+// Constants related to the field representation.
+const (
+	// fieldWords is the number of words used to internally represent the
+	// 256-bit value.
+	fieldWords = 10
+
+	// fieldBase is the exponent used to form the numeric base of each word.
+	// 2^(fieldBase*i) where i is the word position.
+	fieldBase = 26
+
+	// fieldOverflowBits is the minimum number of "overflow" bits for each
+	// word in the field value.
+	fieldOverflowBits = 32 - fieldBase
+
+	// fieldBaseMask is the mask for the bits in each word needed to
+	// represent the numeric base of each word (except the most significant
+	// word).
+	fieldBaseMask = (1 << fieldBase) - 1
+
+	// fieldMSBBits is the number of bits in the most significant word used
+	// to represent the value.
+	fieldMSBBits = 256 - (fieldBase * (fieldWords - 1))
+
+	// fieldMSBMask is the mask for the bits in the most significant word
+	// needed to represent the value.
+	fieldMSBMask = (1 << fieldMSBBits) - 1
+
+	// fieldPrimeWordZero is word zero of the secp256k1 prime in the
+	// internal field representation.  It is used during negation.
+	fieldPrimeWordZero = 0x3fffc2f
+
+	// fieldPrimeWordOne is word one of the secp256k1 prime in the
+	// internal field representation.  It is used during negation.
+	fieldPrimeWordOne = 0x3ffffbf
+
+	// primeLowBits is the lower 2*fieldBase bits of the secp256k1 prime in
+	// its standard normalized form.  It is used during modular reduction.
+	primeLowBits = 0xffffefffffc2f
+)
+
+// fieldVal implements optimized fixed-precision arithmetic over the
+// secp256k1 finite field.  This means all arithmetic is performed modulo
+// 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f.  It
+// represents each 256-bit value as 10 32-bit integers in base 2^26.  This
+// provides 6 bits of overflow in each word (10 bits in the most significant
+// word) for a total of 64 bits of overflow (9*6 + 10 = 64).  It only implements
+// the arithmetic needed for elliptic curve operations.
+//
+// The following depicts the internal representation:
+// 	 -----------------------------------------------------------------
+// 	|        n[9]       |        n[8]       | ... |        n[0]       |
+// 	| 32 bits available | 32 bits available | ... | 32 bits available |
+// 	| 22 bits for value | 26 bits for value | ... | 26 bits for value |
+// 	| 10 bits overflow  |  6 bits overflow  | ... |  6 bits overflow  |
+// 	| Mult: 2^(26*9)    | Mult: 2^(26*8)    | ... | Mult: 2^(26*0)    |
+// 	 -----------------------------------------------------------------
+//
+// For example, consider the number 2^49 + 1.  It would be represented as:
+// 	n[0] = 1
+// 	n[1] = 2^23
+// 	n[2..9] = 0
+//
+// The full 256-bit value is then calculated by looping i from 9..0 and
+// doing sum(n[i] * 2^(26i)) like so:
+// 	n[9] * 2^(26*9) = 0    * 2^234 = 0
+// 	n[8] * 2^(26*8) = 0    * 2^208 = 0
+// 	...
+// 	n[1] * 2^(26*1) = 2^23 * 2^26  = 2^49
+// 	n[0] * 2^(26*0) = 1    * 2^0   = 1
+// 	Sum: 0 + 0 + ... + 2^49 + 1 = 2^49 + 1
+type fieldVal struct {
+	n [10]uint32
+}
+
+// String returns the field value as a human-readable hex string.
+func (f fieldVal) String() string {
+	t := new(fieldVal).Set(&f).Normalize()
+	return hex.EncodeToString(t.Bytes()[:])
+}
+
+// Zero sets the field value to zero.  A newly created field value is already
+// set to zero.  This function can be useful to clear an existing field value
+// for reuse.
+func (f *fieldVal) Zero() {
+	f.n[0] = 0
+	f.n[1] = 0
+	f.n[2] = 0
+	f.n[3] = 0
+	f.n[4] = 0
+	f.n[5] = 0
+	f.n[6] = 0
+	f.n[7] = 0
+	f.n[8] = 0
+	f.n[9] = 0
+}
+
+// Set sets the field value equal to the passed value.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f := new(fieldVal).Set(f2).Add(1) so that f = f2 + 1 where f2 is not
+// modified.
+func (f *fieldVal) Set(val *fieldVal) *fieldVal {
+	*f = *val
+	return f
+}
+
+// SetInt sets the field value to the passed integer.  This is a convenience
+// function since it is fairly common to perform some arithemetic with small
+// native integers.
+//
+// The field value is returned to support chaining.  This enables syntax such
+// as f := new(fieldVal).SetInt(2).Mul(f2) so that f = 2 * f2.
+func (f *fieldVal) SetInt(ui uint) *fieldVal {
+	f.Zero()
+	f.n[0] = uint32(ui)
+	return f
+}
+
+// SetBytes packs the passed 32-byte big-endian value into the internal field
+// value representation.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f := new(fieldVal).SetBytes(byteArray).Mul(f2) so that f = ba * f2.
+func (f *fieldVal) SetBytes(b *[32]byte) *fieldVal {
+	// Pack the 256 total bits across the 10 uint32 words with a max of
+	// 26-bits per word.  This could be done with a couple of for loops,
+	// but this unrolled version is significantly faster.  Benchmarks show
+	// this is about 34 times faster than the variant which uses loops.
+	f.n[0] = uint32(b[31]) | uint32(b[30])<<8 | uint32(b[29])<<16 |
+		(uint32(b[28])&twoBitsMask)<<24
+	f.n[1] = uint32(b[28])>>2 | uint32(b[27])<<6 | uint32(b[26])<<14 |
+		(uint32(b[25])&fourBitsMask)<<22
+	f.n[2] = uint32(b[25])>>4 | uint32(b[24])<<4 | uint32(b[23])<<12 |
+		(uint32(b[22])&sixBitsMask)<<20
+	f.n[3] = uint32(b[22])>>6 | uint32(b[21])<<2 | uint32(b[20])<<10 |
+		uint32(b[19])<<18
+	f.n[4] = uint32(b[18]) | uint32(b[17])<<8 | uint32(b[16])<<16 |
+		(uint32(b[15])&twoBitsMask)<<24
+	f.n[5] = uint32(b[15])>>2 | uint32(b[14])<<6 | uint32(b[13])<<14 |
+		(uint32(b[12])&fourBitsMask)<<22
+	f.n[6] = uint32(b[12])>>4 | uint32(b[11])<<4 | uint32(b[10])<<12 |
+		(uint32(b[9])&sixBitsMask)<<20
+	f.n[7] = uint32(b[9])>>6 | uint32(b[8])<<2 | uint32(b[7])<<10 |
+		uint32(b[6])<<18
+	f.n[8] = uint32(b[5]) | uint32(b[4])<<8 | uint32(b[3])<<16 |
+		(uint32(b[2])&twoBitsMask)<<24
+	f.n[9] = uint32(b[2])>>2 | uint32(b[1])<<6 | uint32(b[0])<<14
+	return f
+}
+
+// SetByteSlice packs the passed big-endian value into the internal field value
+// representation.  Only the first 32-bytes are used.  As a result, it is up to
+// the caller to ensure numbers of the appropriate size are used or the value
+// will be truncated.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f := new(fieldVal).SetByteSlice(byteSlice)
+func (f *fieldVal) SetByteSlice(b []byte) *fieldVal {
+	var b32 [32]byte
+	for i := 0; i < len(b); i++ {
+		if i < 32 {
+			b32[i+(32-len(b))] = b[i]
+		}
+	}
+	return f.SetBytes(&b32)
+}
+
+// SetHex decodes the passed big-endian hex string into the internal field value
+// representation.  Only the first 32-bytes are used.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f := new(fieldVal).SetHex("0abc").Add(1) so that f = 0x0abc + 1
+func (f *fieldVal) SetHex(hexString string) *fieldVal {
+	if len(hexString)%2 != 0 {
+		hexString = "0" + hexString
+	}
+	bytes, _ := hex.DecodeString(hexString)
+	return f.SetByteSlice(bytes)
+}
+
+// Normalize normalizes the internal field words into the desired range and
+// performs fast modular reduction over the secp256k1 prime by making use of the
+// special form of the prime.
+func (f *fieldVal) Normalize() *fieldVal {
+	// The field representation leaves 6 bits of overflow in each
+	// word so intermediate calculations can be performed without needing
+	// to propagate the carry to each higher word during the calculations.
+	// In order to normalize, first we need to "compact" the full 256-bit
+	// value to the right and treat the additional 64 leftmost bits as
+	// the magnitude.
+	m := f.n[0]
+	t0 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[1]
+	t1 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[2]
+	t2 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[3]
+	t3 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[4]
+	t4 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[5]
+	t5 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[6]
+	t6 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[7]
+	t7 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[8]
+	t8 := m & fieldBaseMask
+	m = (m >> fieldBase) + f.n[9]
+	t9 := m & fieldMSBMask
+	m = m >> fieldMSBBits
+
+	// At this point, if the magnitude is greater than 0, the overall value
+	// is greater than the max possible 256-bit value.  In particular, it is
+	// "how many times larger" than the max value it is.  Since this field
+	// is doing arithmetic modulo the secp256k1 prime, we need to perform
+	// modular reduction over the prime.
+	//
+	// Per [HAC] section 14.3.4: Reduction method of moduli of special form,
+	// when the modulus is of the special form m = b^t - c, highly efficient
+	// reduction can be achieved.
+	//
+	// The secp256k1 prime is equivalent to 2^256 - 4294968273, so it fits
+	// this criteria.
+	//
+	// 4294968273 in field representation (base 2^26) is:
+	// n[0] = 977
+	// n[1] = 64
+	// That is to say (2^26 * 64) + 977 = 4294968273
+	//
+	// The algorithm presented in the referenced section typically repeats
+	// until the quotient is zero.  However, due to our field representation
+	// we already know at least how many times we would need to repeat as
+	// it's the value currently in m.  Thus we can simply multiply the
+	// magnitude by the field representation of the prime and do a single
+	// iteration.  Notice that nothing will be changed when the magnitude is
+	// zero, so we could skip this in that case, however always running
+	// regardless allows it to run in constant time.
+	r := t0 + m*977
+	t0 = r & fieldBaseMask
+	r = (r >> fieldBase) + t1 + m*64
+	t1 = r & fieldBaseMask
+	r = (r >> fieldBase) + t2
+	t2 = r & fieldBaseMask
+	r = (r >> fieldBase) + t3
+	t3 = r & fieldBaseMask
+	r = (r >> fieldBase) + t4
+	t4 = r & fieldBaseMask
+	r = (r >> fieldBase) + t5
+	t5 = r & fieldBaseMask
+	r = (r >> fieldBase) + t6
+	t6 = r & fieldBaseMask
+	r = (r >> fieldBase) + t7
+	t7 = r & fieldBaseMask
+	r = (r >> fieldBase) + t8
+	t8 = r & fieldBaseMask
+	r = (r >> fieldBase) + t9
+	t9 = r & fieldMSBMask
+
+	// At this point, the result will be in the range 0 <= result <=
+	// prime + (2^64 - c).  Therefore, one more subtraction of the prime
+	// might be needed if the current result is greater than or equal to the
+	// prime.  The following does the final reduction in constant time.
+	// Note that the if/else here intentionally does the bitwise OR with
+	// zero even though it won't change the value to ensure constant time
+	// between the branches.
+	var mask int32
+	lowBits := uint64(t1)<<fieldBase | uint64(t0)
+	if lowBits < primeLowBits {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t2 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t3 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t4 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t5 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t6 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t7 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t8 < fieldBaseMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	if t9 < fieldMSBMask {
+		mask |= -1
+	} else {
+		mask |= 0
+	}
+	lowBits -= ^uint64(mask) & primeLowBits
+	t0 = uint32(lowBits & fieldBaseMask)
+	t1 = uint32((lowBits >> fieldBase) & fieldBaseMask)
+	t2 = t2 & uint32(mask)
+	t3 = t3 & uint32(mask)
+	t4 = t4 & uint32(mask)
+	t5 = t5 & uint32(mask)
+	t6 = t6 & uint32(mask)
+	t7 = t7 & uint32(mask)
+	t8 = t8 & uint32(mask)
+	t9 = t9 & uint32(mask)
+
+	// Finally, set the normalized and reduced words.
+	f.n[0] = t0
+	f.n[1] = t1
+	f.n[2] = t2
+	f.n[3] = t3
+	f.n[4] = t4
+	f.n[5] = t5
+	f.n[6] = t6
+	f.n[7] = t7
+	f.n[8] = t8
+	f.n[9] = t9
+	return f
+}
+
+// PutBytes unpacks the field value to a 32-byte big-endian value using the
+// passed byte array.  There is a similar function, Bytes, which unpacks the
+// field value into a new array and returns that.  This version is provided
+// since it can be useful to cut down on the number of allocations by allowing
+// the caller to reuse a buffer.
+//
+// The field value must be normalized for this function to return the correct
+// result.
+func (f *fieldVal) PutBytes(b *[32]byte) {
+	// Unpack the 256 total bits from the 10 uint32 words with a max of
+	// 26-bits per word.  This could be done with a couple of for loops,
+	// but this unrolled version is a bit faster.  Benchmarks show this is
+	// about 10 times faster than the variant which uses loops.
+	b[31] = byte(f.n[0] & eightBitsMask)
+	b[30] = byte((f.n[0] >> 8) & eightBitsMask)
+	b[29] = byte((f.n[0] >> 16) & eightBitsMask)
+	b[28] = byte((f.n[0]>>24)&twoBitsMask | (f.n[1]&sixBitsMask)<<2)
+	b[27] = byte((f.n[1] >> 6) & eightBitsMask)
+	b[26] = byte((f.n[1] >> 14) & eightBitsMask)
+	b[25] = byte((f.n[1]>>22)&fourBitsMask | (f.n[2]&fourBitsMask)<<4)
+	b[24] = byte((f.n[2] >> 4) & eightBitsMask)
+	b[23] = byte((f.n[2] >> 12) & eightBitsMask)
+	b[22] = byte((f.n[2]>>20)&sixBitsMask | (f.n[3]&twoBitsMask)<<6)
+	b[21] = byte((f.n[3] >> 2) & eightBitsMask)
+	b[20] = byte((f.n[3] >> 10) & eightBitsMask)
+	b[19] = byte((f.n[3] >> 18) & eightBitsMask)
+	b[18] = byte(f.n[4] & eightBitsMask)
+	b[17] = byte((f.n[4] >> 8) & eightBitsMask)
+	b[16] = byte((f.n[4] >> 16) & eightBitsMask)
+	b[15] = byte((f.n[4]>>24)&twoBitsMask | (f.n[5]&sixBitsMask)<<2)
+	b[14] = byte((f.n[5] >> 6) & eightBitsMask)
+	b[13] = byte((f.n[5] >> 14) & eightBitsMask)
+	b[12] = byte((f.n[5]>>22)&fourBitsMask | (f.n[6]&fourBitsMask)<<4)
+	b[11] = byte((f.n[6] >> 4) & eightBitsMask)
+	b[10] = byte((f.n[6] >> 12) & eightBitsMask)
+	b[9] = byte((f.n[6]>>20)&sixBitsMask | (f.n[7]&twoBitsMask)<<6)
+	b[8] = byte((f.n[7] >> 2) & eightBitsMask)
+	b[7] = byte((f.n[7] >> 10) & eightBitsMask)
+	b[6] = byte((f.n[7] >> 18) & eightBitsMask)
+	b[5] = byte(f.n[8] & eightBitsMask)
+	b[4] = byte((f.n[8] >> 8) & eightBitsMask)
+	b[3] = byte((f.n[8] >> 16) & eightBitsMask)
+	b[2] = byte((f.n[8]>>24)&twoBitsMask | (f.n[9]&sixBitsMask)<<2)
+	b[1] = byte((f.n[9] >> 6) & eightBitsMask)
+	b[0] = byte((f.n[9] >> 14) & eightBitsMask)
+}
+
+// Bytes unpacks the field value to a 32-byte big-endian value.  See PutBytes
+// for a variant that allows the a buffer to be passed which can be useful to
+// to cut down on the number of allocations by allowing the caller to reuse a
+// buffer.
+//
+// The field value must be normalized for this function to return correct
+// result.
+func (f *fieldVal) Bytes() *[32]byte {
+	b := new([32]byte)
+	f.PutBytes(b)
+	return b
+}
+
+// IsZero returns whether or not the field value is equal to zero.
+func (f *fieldVal) IsZero() bool {
+	// The value can only be zero if no bits are set in any of the words.
+	// This is a constant time implementation.
+	bits := f.n[0] | f.n[1] | f.n[2] | f.n[3] | f.n[4] |
+		f.n[5] | f.n[6] | f.n[7] | f.n[8] | f.n[9]
+
+	return bits == 0
+}
+
+// IsOdd returns whether or not the field value is an odd number.
+//
+// The field value must be normalized for this function to return correct
+// result.
+func (f *fieldVal) IsOdd() bool {
+	// Only odd numbers have the bottom bit set.
+	return f.n[0]&1 == 1
+}
+
+// Equals returns whether or not the two field values are the same.  Both
+// field values being compared must be normalized for this function to return
+// the correct result.
+func (f *fieldVal) Equals(val *fieldVal) bool {
+	// Xor only sets bits when they are different, so the two field values
+	// can only be the same if no bits are set after xoring each word.
+	// This is a constant time implementation.
+	bits := (f.n[0] ^ val.n[0]) | (f.n[1] ^ val.n[1]) | (f.n[2] ^ val.n[2]) |
+		(f.n[3] ^ val.n[3]) | (f.n[4] ^ val.n[4]) | (f.n[5] ^ val.n[5]) |
+		(f.n[6] ^ val.n[6]) | (f.n[7] ^ val.n[7]) | (f.n[8] ^ val.n[8]) |
+		(f.n[9] ^ val.n[9])
+
+	return bits == 0
+}
+
+// NegateVal negates the passed value and stores the result in f.  The caller
+// must provide the magnitude of the passed value for a correct result.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.NegateVal(f2).AddInt(1) so that f = -f2 + 1.
+func (f *fieldVal) NegateVal(val *fieldVal, magnitude uint32) *fieldVal {
+	// Negation in the field is just the prime minus the value.  However,
+	// in order to allow negation against a field value without having to
+	// normalize/reduce it first, multiply by the magnitude (that is how
+	// "far" away it is from the normalized value) to adjust.  Also, since
+	// negating a value pushes it one more order of magnitude away from the
+	// normalized range, add 1 to compensate.
+	//
+	// For some intuition here, imagine you're performing mod 12 arithmetic
+	// (picture a clock) and you are negating the number 7.  So you start at
+	// 12 (which is of course 0 under mod 12) and count backwards (left on
+	// the clock) 7 times to arrive at 5.  Notice this is just 12-7 = 5.
+	// Now, assume you're starting with 19, which is a number that is
+	// already larger than the modulus and congruent to 7 (mod 12).  When a
+	// value is already in the desired range, its magnitude is 1.  Since 19
+	// is an additional "step", its magnitude (mod 12) is 2.  Since any
+	// multiple of the modulus is conguent to zero (mod m), the answer can
+	// be shortcut by simply mulplying the magnitude by the modulus and
+	// subtracting.  Keeping with the example, this would be (2*12)-19 = 5.
+	f.n[0] = (magnitude+1)*fieldPrimeWordZero - val.n[0]
+	f.n[1] = (magnitude+1)*fieldPrimeWordOne - val.n[1]
+	f.n[2] = (magnitude+1)*fieldBaseMask - val.n[2]
+	f.n[3] = (magnitude+1)*fieldBaseMask - val.n[3]
+	f.n[4] = (magnitude+1)*fieldBaseMask - val.n[4]
+	f.n[5] = (magnitude+1)*fieldBaseMask - val.n[5]
+	f.n[6] = (magnitude+1)*fieldBaseMask - val.n[6]
+	f.n[7] = (magnitude+1)*fieldBaseMask - val.n[7]
+	f.n[8] = (magnitude+1)*fieldBaseMask - val.n[8]
+	f.n[9] = (magnitude+1)*fieldMSBMask - val.n[9]
+
+	return f
+}
+
+// Negate negates the field value.  The existing field value is modified.  The
+// caller must provide the magnitude of the field value for a correct result.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.Negate().AddInt(1) so that f = -f + 1.
+func (f *fieldVal) Negate(magnitude uint32) *fieldVal {
+	return f.NegateVal(f, magnitude)
+}
+
+// AddInt adds the passed integer to the existing field value and stores the
+// result in f.  This is a convenience function since it is fairly common to
+// perform some arithemetic with small native integers.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.AddInt(1).Add(f2) so that f = f + 1 + f2.
+func (f *fieldVal) AddInt(ui uint) *fieldVal {
+	// Since the field representation intentionally provides overflow bits,
+	// it's ok to use carryless addition as the carry bit is safely part of
+	// the word and will be normalized out.
+	f.n[0] += uint32(ui)
+
+	return f
+}
+
+// Add adds the passed value to the existing field value and stores the result
+// in f.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.Add(f2).AddInt(1) so that f = f + f2 + 1.
+func (f *fieldVal) Add(val *fieldVal) *fieldVal {
+	// Since the field representation intentionally provides overflow bits,
+	// it's ok to use carryless addition as the carry bit is safely part of
+	// each word and will be normalized out.  This could obviously be done
+	// in a loop, but the unrolled version is faster.
+	f.n[0] += val.n[0]
+	f.n[1] += val.n[1]
+	f.n[2] += val.n[2]
+	f.n[3] += val.n[3]
+	f.n[4] += val.n[4]
+	f.n[5] += val.n[5]
+	f.n[6] += val.n[6]
+	f.n[7] += val.n[7]
+	f.n[8] += val.n[8]
+	f.n[9] += val.n[9]
+
+	return f
+}
+
+// Add2 adds the passed two field values together and stores the result in f.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f3.Add2(f, f2).AddInt(1) so that f3 = f + f2 + 1.
+func (f *fieldVal) Add2(val *fieldVal, val2 *fieldVal) *fieldVal {
+	// Since the field representation intentionally provides overflow bits,
+	// it's ok to use carryless addition as the carry bit is safely part of
+	// each word and will be normalized out.  This could obviously be done
+	// in a loop, but the unrolled version is faster.
+	f.n[0] = val.n[0] + val2.n[0]
+	f.n[1] = val.n[1] + val2.n[1]
+	f.n[2] = val.n[2] + val2.n[2]
+	f.n[3] = val.n[3] + val2.n[3]
+	f.n[4] = val.n[4] + val2.n[4]
+	f.n[5] = val.n[5] + val2.n[5]
+	f.n[6] = val.n[6] + val2.n[6]
+	f.n[7] = val.n[7] + val2.n[7]
+	f.n[8] = val.n[8] + val2.n[8]
+	f.n[9] = val.n[9] + val2.n[9]
+
+	return f
+}
+
+// MulInt multiplies the field value by the passed int and stores the result in
+// f.  Note that this function can overflow if multiplying the value by any of
+// the individual words exceeds a max uint32.  Therefore it is important that
+// the caller ensures no overflows will occur before using this function.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.MulInt(2).Add(f2) so that f = 2 * f + f2.
+func (f *fieldVal) MulInt(val uint) *fieldVal {
+	// Since each word of the field representation can hold up to
+	// fieldOverflowBits extra bits which will be normalized out, it's safe
+	// to multiply each word without using a larger type or carry
+	// propagation so long as the values won't overflow a uint32.  This
+	// could obviously be done in a loop, but the unrolled version is
+	// faster.
+	ui := uint32(val)
+	f.n[0] *= ui
+	f.n[1] *= ui
+	f.n[2] *= ui
+	f.n[3] *= ui
+	f.n[4] *= ui
+	f.n[5] *= ui
+	f.n[6] *= ui
+	f.n[7] *= ui
+	f.n[8] *= ui
+	f.n[9] *= ui
+
+	return f
+}
+
+// Mul multiplies the passed value to the existing field value and stores the
+// result in f.  Note that this function can overflow if multiplying any
+// of the individual words exceeds a max uint32.  In practice, this means the
+// magnitude of either value involved in the multiplication must be a max of
+// 8.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.Mul(f2).AddInt(1) so that f = (f * f2) + 1.
+func (f *fieldVal) Mul(val *fieldVal) *fieldVal {
+	return f.Mul2(f, val)
+}
+
+// Mul2 multiplies the passed two field values together and stores the result
+// result in f.  Note that this function can overflow if multiplying any of
+// the individual words exceeds a max uint32.  In practice, this means the
+// magnitude of either value involved in the multiplication must be a max of
+// 8.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f3.Mul2(f, f2).AddInt(1) so that f3 = (f * f2) + 1.
+func (f *fieldVal) Mul2(val *fieldVal, val2 *fieldVal) *fieldVal {
+	// This could be done with a couple of for loops and an array to store
+	// the intermediate terms, but this unrolled version is significantly
+	// faster.
+
+	// Terms for 2^(fieldBase*0).
+	m := uint64(val.n[0]) * uint64(val2.n[0])
+	t0 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*1).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[1]) +
+		uint64(val.n[1])*uint64(val2.n[0])
+	t1 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*2).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[2]) +
+		uint64(val.n[1])*uint64(val2.n[1]) +
+		uint64(val.n[2])*uint64(val2.n[0])
+	t2 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*3).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[3]) +
+		uint64(val.n[1])*uint64(val2.n[2]) +
+		uint64(val.n[2])*uint64(val2.n[1]) +
+		uint64(val.n[3])*uint64(val2.n[0])
+	t3 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*4).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[4]) +
+		uint64(val.n[1])*uint64(val2.n[3]) +
+		uint64(val.n[2])*uint64(val2.n[2]) +
+		uint64(val.n[3])*uint64(val2.n[1]) +
+		uint64(val.n[4])*uint64(val2.n[0])
+	t4 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*5).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[5]) +
+		uint64(val.n[1])*uint64(val2.n[4]) +
+		uint64(val.n[2])*uint64(val2.n[3]) +
+		uint64(val.n[3])*uint64(val2.n[2]) +
+		uint64(val.n[4])*uint64(val2.n[1]) +
+		uint64(val.n[5])*uint64(val2.n[0])
+	t5 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*6).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[6]) +
+		uint64(val.n[1])*uint64(val2.n[5]) +
+		uint64(val.n[2])*uint64(val2.n[4]) +
+		uint64(val.n[3])*uint64(val2.n[3]) +
+		uint64(val.n[4])*uint64(val2.n[2]) +
+		uint64(val.n[5])*uint64(val2.n[1]) +
+		uint64(val.n[6])*uint64(val2.n[0])
+	t6 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*7).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[7]) +
+		uint64(val.n[1])*uint64(val2.n[6]) +
+		uint64(val.n[2])*uint64(val2.n[5]) +
+		uint64(val.n[3])*uint64(val2.n[4]) +
+		uint64(val.n[4])*uint64(val2.n[3]) +
+		uint64(val.n[5])*uint64(val2.n[2]) +
+		uint64(val.n[6])*uint64(val2.n[1]) +
+		uint64(val.n[7])*uint64(val2.n[0])
+	t7 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*8).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[8]) +
+		uint64(val.n[1])*uint64(val2.n[7]) +
+		uint64(val.n[2])*uint64(val2.n[6]) +
+		uint64(val.n[3])*uint64(val2.n[5]) +
+		uint64(val.n[4])*uint64(val2.n[4]) +
+		uint64(val.n[5])*uint64(val2.n[3]) +
+		uint64(val.n[6])*uint64(val2.n[2]) +
+		uint64(val.n[7])*uint64(val2.n[1]) +
+		uint64(val.n[8])*uint64(val2.n[0])
+	t8 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*9).
+	m = (m >> fieldBase) +
+		uint64(val.n[0])*uint64(val2.n[9]) +
+		uint64(val.n[1])*uint64(val2.n[8]) +
+		uint64(val.n[2])*uint64(val2.n[7]) +
+		uint64(val.n[3])*uint64(val2.n[6]) +
+		uint64(val.n[4])*uint64(val2.n[5]) +
+		uint64(val.n[5])*uint64(val2.n[4]) +
+		uint64(val.n[6])*uint64(val2.n[3]) +
+		uint64(val.n[7])*uint64(val2.n[2]) +
+		uint64(val.n[8])*uint64(val2.n[1]) +
+		uint64(val.n[9])*uint64(val2.n[0])
+	t9 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*10).
+	m = (m >> fieldBase) +
+		uint64(val.n[1])*uint64(val2.n[9]) +
+		uint64(val.n[2])*uint64(val2.n[8]) +
+		uint64(val.n[3])*uint64(val2.n[7]) +
+		uint64(val.n[4])*uint64(val2.n[6]) +
+		uint64(val.n[5])*uint64(val2.n[5]) +
+		uint64(val.n[6])*uint64(val2.n[4]) +
+		uint64(val.n[7])*uint64(val2.n[3]) +
+		uint64(val.n[8])*uint64(val2.n[2]) +
+		uint64(val.n[9])*uint64(val2.n[1])
+	t10 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*11).
+	m = (m >> fieldBase) +
+		uint64(val.n[2])*uint64(val2.n[9]) +
+		uint64(val.n[3])*uint64(val2.n[8]) +
+		uint64(val.n[4])*uint64(val2.n[7]) +
+		uint64(val.n[5])*uint64(val2.n[6]) +
+		uint64(val.n[6])*uint64(val2.n[5]) +
+		uint64(val.n[7])*uint64(val2.n[4]) +
+		uint64(val.n[8])*uint64(val2.n[3]) +
+		uint64(val.n[9])*uint64(val2.n[2])
+	t11 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*12).
+	m = (m >> fieldBase) +
+		uint64(val.n[3])*uint64(val2.n[9]) +
+		uint64(val.n[4])*uint64(val2.n[8]) +
+		uint64(val.n[5])*uint64(val2.n[7]) +
+		uint64(val.n[6])*uint64(val2.n[6]) +
+		uint64(val.n[7])*uint64(val2.n[5]) +
+		uint64(val.n[8])*uint64(val2.n[4]) +
+		uint64(val.n[9])*uint64(val2.n[3])
+	t12 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*13).
+	m = (m >> fieldBase) +
+		uint64(val.n[4])*uint64(val2.n[9]) +
+		uint64(val.n[5])*uint64(val2.n[8]) +
+		uint64(val.n[6])*uint64(val2.n[7]) +
+		uint64(val.n[7])*uint64(val2.n[6]) +
+		uint64(val.n[8])*uint64(val2.n[5]) +
+		uint64(val.n[9])*uint64(val2.n[4])
+	t13 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*14).
+	m = (m >> fieldBase) +
+		uint64(val.n[5])*uint64(val2.n[9]) +
+		uint64(val.n[6])*uint64(val2.n[8]) +
+		uint64(val.n[7])*uint64(val2.n[7]) +
+		uint64(val.n[8])*uint64(val2.n[6]) +
+		uint64(val.n[9])*uint64(val2.n[5])
+	t14 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*15).
+	m = (m >> fieldBase) +
+		uint64(val.n[6])*uint64(val2.n[9]) +
+		uint64(val.n[7])*uint64(val2.n[8]) +
+		uint64(val.n[8])*uint64(val2.n[7]) +
+		uint64(val.n[9])*uint64(val2.n[6])
+	t15 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*16).
+	m = (m >> fieldBase) +
+		uint64(val.n[7])*uint64(val2.n[9]) +
+		uint64(val.n[8])*uint64(val2.n[8]) +
+		uint64(val.n[9])*uint64(val2.n[7])
+	t16 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*17).
+	m = (m >> fieldBase) +
+		uint64(val.n[8])*uint64(val2.n[9]) +
+		uint64(val.n[9])*uint64(val2.n[8])
+	t17 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*18).
+	m = (m >> fieldBase) + uint64(val.n[9])*uint64(val2.n[9])
+	t18 := m & fieldBaseMask
+
+	// What's left is for 2^(fieldBase*19).
+	t19 := m >> fieldBase
+
+	// At this point, all of the terms are grouped into their respective
+	// base.
+	//
+	// Per [HAC] section 14.3.4: Reduction method of moduli of special form,
+	// when the modulus is of the special form m = b^t - c, highly efficient
+	// reduction can be achieved per the provided algorithm.
+	//
+	// The secp256k1 prime is equivalent to 2^256 - 4294968273, so it fits
+	// this criteria.
+	//
+	// 4294968273 in field representation (base 2^26) is:
+	// n[0] = 977
+	// n[1] = 64
+	// That is to say (2^26 * 64) + 977 = 4294968273
+	//
+	// Since each word is in base 26, the upper terms (t10 and up) start
+	// at 260 bits (versus the final desired range of 256 bits), so the
+	// field representation of 'c' from above needs to be adjusted for the
+	// extra 4 bits by multiplying it by 2^4 = 16.  4294968273 * 16 =
+	// 68719492368.  Thus, the adjusted field representation of 'c' is:
+	// n[0] = 977 * 16 = 15632
+	// n[1] = 64 * 16 = 1024
+	// That is to say (2^26 * 1024) + 15632 = 68719492368
+	//
+	// To reduce the final term, t19, the entire 'c' value is needed instead
+	// of only n[0] because there are no more terms left to handle n[1].
+	// This means there might be some magnitude left in the upper bits that
+	// is handled below.
+	m = t0 + t10*15632
+	t0 = m & fieldBaseMask
+	m = (m >> fieldBase) + t1 + t10*1024 + t11*15632
+	t1 = m & fieldBaseMask
+	m = (m >> fieldBase) + t2 + t11*1024 + t12*15632
+	t2 = m & fieldBaseMask
+	m = (m >> fieldBase) + t3 + t12*1024 + t13*15632
+	t3 = m & fieldBaseMask
+	m = (m >> fieldBase) + t4 + t13*1024 + t14*15632
+	t4 = m & fieldBaseMask
+	m = (m >> fieldBase) + t5 + t14*1024 + t15*15632
+	t5 = m & fieldBaseMask
+	m = (m >> fieldBase) + t6 + t15*1024 + t16*15632
+	t6 = m & fieldBaseMask
+	m = (m >> fieldBase) + t7 + t16*1024 + t17*15632
+	t7 = m & fieldBaseMask
+	m = (m >> fieldBase) + t8 + t17*1024 + t18*15632
+	t8 = m & fieldBaseMask
+	m = (m >> fieldBase) + t9 + t18*1024 + t19*68719492368
+	t9 = m & fieldMSBMask
+	m = m >> fieldMSBBits
+
+	// At this point, if the magnitude is greater than 0, the overall value
+	// is greater than the max possible 256-bit value.  In particular, it is
+	// "how many times larger" than the max value it is.
+	//
+	// The algorithm presented in [HAC] section 14.3.4 repeats until the
+	// quotient is zero.  However, due to the above, we already know at
+	// least how many times we would need to repeat as it's the value
+	// currently in m.  Thus we can simply multiply the magnitude by the
+	// field representation of the prime and do a single iteration.  Notice
+	// that nothing will be changed when the magnitude is zero, so we could
+	// skip this in that case, however always running regardless allows it
+	// to run in constant time.  The final result will be in the range
+	// 0 <= result <= prime + (2^64 - c), so it is guaranteed to have a
+	// magnitude of 1, but it is denormalized.
+	d := t0 + m*977
+	f.n[0] = uint32(d & fieldBaseMask)
+	d = (d >> fieldBase) + t1 + m*64
+	f.n[1] = uint32(d & fieldBaseMask)
+	f.n[2] = uint32((d >> fieldBase) + t2)
+	f.n[3] = uint32(t3)
+	f.n[4] = uint32(t4)
+	f.n[5] = uint32(t5)
+	f.n[6] = uint32(t6)
+	f.n[7] = uint32(t7)
+	f.n[8] = uint32(t8)
+	f.n[9] = uint32(t9)
+
+	return f
+}
+
+// Square squares the field value.  The existing field value is modified.  Note
+// that this function can overflow if multiplying any of the individual words
+// exceeds a max uint32.  In practice, this means the magnitude of the field
+// must be a max of 8 to prevent overflow.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.Square().Mul(f2) so that f = f^2 * f2.
+func (f *fieldVal) Square() *fieldVal {
+	return f.SquareVal(f)
+}
+
+// SquareVal squares the passed value and stores the result in f.  Note that
+// this function can overflow if multiplying any of the individual words
+// exceeds a max uint32.  In practice, this means the magnitude of the field
+// being squred must be a max of 8 to prevent overflow.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f3.SquareVal(f).Mul(f) so that f3 = f^2 * f = f^3.
+func (f *fieldVal) SquareVal(val *fieldVal) *fieldVal {
+	// This could be done with a couple of for loops and an array to store
+	// the intermediate terms, but this unrolled version is significantly
+	// faster.
+
+	// Terms for 2^(fieldBase*0).
+	m := uint64(val.n[0]) * uint64(val.n[0])
+	t0 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*1).
+	m = (m >> fieldBase) + 2*uint64(val.n[0])*uint64(val.n[1])
+	t1 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*2).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[2]) +
+		uint64(val.n[1])*uint64(val.n[1])
+	t2 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*3).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[3]) +
+		2*uint64(val.n[1])*uint64(val.n[2])
+	t3 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*4).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[4]) +
+		2*uint64(val.n[1])*uint64(val.n[3]) +
+		uint64(val.n[2])*uint64(val.n[2])
+	t4 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*5).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[5]) +
+		2*uint64(val.n[1])*uint64(val.n[4]) +
+		2*uint64(val.n[2])*uint64(val.n[3])
+	t5 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*6).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[6]) +
+		2*uint64(val.n[1])*uint64(val.n[5]) +
+		2*uint64(val.n[2])*uint64(val.n[4]) +
+		uint64(val.n[3])*uint64(val.n[3])
+	t6 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*7).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[7]) +
+		2*uint64(val.n[1])*uint64(val.n[6]) +
+		2*uint64(val.n[2])*uint64(val.n[5]) +
+		2*uint64(val.n[3])*uint64(val.n[4])
+	t7 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*8).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[8]) +
+		2*uint64(val.n[1])*uint64(val.n[7]) +
+		2*uint64(val.n[2])*uint64(val.n[6]) +
+		2*uint64(val.n[3])*uint64(val.n[5]) +
+		uint64(val.n[4])*uint64(val.n[4])
+	t8 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*9).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[0])*uint64(val.n[9]) +
+		2*uint64(val.n[1])*uint64(val.n[8]) +
+		2*uint64(val.n[2])*uint64(val.n[7]) +
+		2*uint64(val.n[3])*uint64(val.n[6]) +
+		2*uint64(val.n[4])*uint64(val.n[5])
+	t9 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*10).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[1])*uint64(val.n[9]) +
+		2*uint64(val.n[2])*uint64(val.n[8]) +
+		2*uint64(val.n[3])*uint64(val.n[7]) +
+		2*uint64(val.n[4])*uint64(val.n[6]) +
+		uint64(val.n[5])*uint64(val.n[5])
+	t10 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*11).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[2])*uint64(val.n[9]) +
+		2*uint64(val.n[3])*uint64(val.n[8]) +
+		2*uint64(val.n[4])*uint64(val.n[7]) +
+		2*uint64(val.n[5])*uint64(val.n[6])
+	t11 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*12).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[3])*uint64(val.n[9]) +
+		2*uint64(val.n[4])*uint64(val.n[8]) +
+		2*uint64(val.n[5])*uint64(val.n[7]) +
+		uint64(val.n[6])*uint64(val.n[6])
+	t12 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*13).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[4])*uint64(val.n[9]) +
+		2*uint64(val.n[5])*uint64(val.n[8]) +
+		2*uint64(val.n[6])*uint64(val.n[7])
+	t13 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*14).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[5])*uint64(val.n[9]) +
+		2*uint64(val.n[6])*uint64(val.n[8]) +
+		uint64(val.n[7])*uint64(val.n[7])
+	t14 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*15).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[6])*uint64(val.n[9]) +
+		2*uint64(val.n[7])*uint64(val.n[8])
+	t15 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*16).
+	m = (m >> fieldBase) +
+		2*uint64(val.n[7])*uint64(val.n[9]) +
+		uint64(val.n[8])*uint64(val.n[8])
+	t16 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*17).
+	m = (m >> fieldBase) + 2*uint64(val.n[8])*uint64(val.n[9])
+	t17 := m & fieldBaseMask
+
+	// Terms for 2^(fieldBase*18).
+	m = (m >> fieldBase) + uint64(val.n[9])*uint64(val.n[9])
+	t18 := m & fieldBaseMask
+
+	// What's left is for 2^(fieldBase*19).
+	t19 := m >> fieldBase
+
+	// At this point, all of the terms are grouped into their respective
+	// base.
+	//
+	// Per [HAC] section 14.3.4: Reduction method of moduli of special form,
+	// when the modulus is of the special form m = b^t - c, highly efficient
+	// reduction can be achieved per the provided algorithm.
+	//
+	// The secp256k1 prime is equivalent to 2^256 - 4294968273, so it fits
+	// this criteria.
+	//
+	// 4294968273 in field representation (base 2^26) is:
+	// n[0] = 977
+	// n[1] = 64
+	// That is to say (2^26 * 64) + 977 = 4294968273
+	//
+	// Since each word is in base 26, the upper terms (t10 and up) start
+	// at 260 bits (versus the final desired range of 256 bits), so the
+	// field representation of 'c' from above needs to be adjusted for the
+	// extra 4 bits by multiplying it by 2^4 = 16.  4294968273 * 16 =
+	// 68719492368.  Thus, the adjusted field representation of 'c' is:
+	// n[0] = 977 * 16 = 15632
+	// n[1] = 64 * 16 = 1024
+	// That is to say (2^26 * 1024) + 15632 = 68719492368
+	//
+	// To reduce the final term, t19, the entire 'c' value is needed instead
+	// of only n[0] because there are no more terms left to handle n[1].
+	// This means there might be some magnitude left in the upper bits that
+	// is handled below.
+	m = t0 + t10*15632
+	t0 = m & fieldBaseMask
+	m = (m >> fieldBase) + t1 + t10*1024 + t11*15632
+	t1 = m & fieldBaseMask
+	m = (m >> fieldBase) + t2 + t11*1024 + t12*15632
+	t2 = m & fieldBaseMask
+	m = (m >> fieldBase) + t3 + t12*1024 + t13*15632
+	t3 = m & fieldBaseMask
+	m = (m >> fieldBase) + t4 + t13*1024 + t14*15632
+	t4 = m & fieldBaseMask
+	m = (m >> fieldBase) + t5 + t14*1024 + t15*15632
+	t5 = m & fieldBaseMask
+	m = (m >> fieldBase) + t6 + t15*1024 + t16*15632
+	t6 = m & fieldBaseMask
+	m = (m >> fieldBase) + t7 + t16*1024 + t17*15632
+	t7 = m & fieldBaseMask
+	m = (m >> fieldBase) + t8 + t17*1024 + t18*15632
+	t8 = m & fieldBaseMask
+	m = (m >> fieldBase) + t9 + t18*1024 + t19*68719492368
+	t9 = m & fieldMSBMask
+	m = m >> fieldMSBBits
+
+	// At this point, if the magnitude is greater than 0, the overall value
+	// is greater than the max possible 256-bit value.  In particular, it is
+	// "how many times larger" than the max value it is.
+	//
+	// The algorithm presented in [HAC] section 14.3.4 repeats until the
+	// quotient is zero.  However, due to the above, we already know at
+	// least how many times we would need to repeat as it's the value
+	// currently in m.  Thus we can simply multiply the magnitude by the
+	// field representation of the prime and do a single iteration.  Notice
+	// that nothing will be changed when the magnitude is zero, so we could
+	// skip this in that case, however always running regardless allows it
+	// to run in constant time.  The final result will be in the range
+	// 0 <= result <= prime + (2^64 - c), so it is guaranteed to have a
+	// magnitude of 1, but it is denormalized.
+	n := t0 + m*977
+	f.n[0] = uint32(n & fieldBaseMask)
+	n = (n >> fieldBase) + t1 + m*64
+	f.n[1] = uint32(n & fieldBaseMask)
+	f.n[2] = uint32((n >> fieldBase) + t2)
+	f.n[3] = uint32(t3)
+	f.n[4] = uint32(t4)
+	f.n[5] = uint32(t5)
+	f.n[6] = uint32(t6)
+	f.n[7] = uint32(t7)
+	f.n[8] = uint32(t8)
+	f.n[9] = uint32(t9)
+
+	return f
+}
+
+// Inverse finds the modular multiplicative inverse of the field value.  The
+// existing field value is modified.
+//
+// The field value is returned to support chaining.  This enables syntax like:
+// f.Inverse().Mul(f2) so that f = f^-1 * f2.
+func (f *fieldVal) Inverse() *fieldVal {
+	// Fermat's little theorem states that for a nonzero number a and prime
+	// prime p, a^(p-1) = 1 (mod p).  Since the multipliciative inverse is
+	// a*b = 1 (mod p), it follows that b = a*a^(p-2) = a^(p-1) = 1 (mod p).
+	// Thus, a^(p-2) is the multiplicative inverse.
+	//
+	// In order to efficiently compute a^(p-2), p-2 needs to be split into
+	// a sequence of squares and multipications that minimizes the number of
+	// multiplications needed (since they are more costly than squarings).
+	// Intermediate results are saved and reused as well.
+	//
+	// The secp256k1 prime - 2 is 2^256 - 4294968275.
+	//
+	// This has a cost of 258 field squarings and 33 field multiplications.
+	var a2, a3, a4, a10, a11, a21, a42, a45, a63, a1019, a1023 fieldVal
+	a2.SquareVal(f)
+	a3.Mul2(&a2, f)
+	a4.SquareVal(&a2)
+	a10.SquareVal(&a4).Mul(&a2)
+	a11.Mul2(&a10, f)
+	a21.Mul2(&a10, &a11)
+	a42.SquareVal(&a21)
+	a45.Mul2(&a42, &a3)
+	a63.Mul2(&a42, &a21)
+	a1019.SquareVal(&a63).Square().Square().Square().Mul(&a11)
+	a1023.Mul2(&a1019, &a4)
+	f.Set(&a63)                                    // f = a^(2^6 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^11 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^16 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^16 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^21 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^26 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^26 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^31 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^36 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^36 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^41 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^46 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^46 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^51 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^56 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^56 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^61 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^66 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^66 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^71 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^76 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^76 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^81 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^86 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^86 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^91 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^96 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^96 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^101 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^106 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^106 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^111 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^116 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^116 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^121 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^126 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^126 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^131 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^136 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^136 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^141 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^146 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^146 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^151 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^156 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^156 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^161 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^166 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^166 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^171 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^176 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^176 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^181 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^186 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^186 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^191 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^196 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^196 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^201 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^206 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^206 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^211 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^216 - 1024)
+	f.Mul(&a1023)                                  // f = a^(2^216 - 1)
+	f.Square().Square().Square().Square().Square() // f = a^(2^221 - 32)
+	f.Square().Square().Square().Square().Square() // f = a^(2^226 - 1024)
+	f.Mul(&a1019)                                  // f = a^(2^226 - 5)
+	f.Square().Square().Square().Square().Square() // f = a^(2^231 - 160)
+	f.Square().Square().Square().Square().Square() // f = a^(2^236 - 5120)
+	f.Mul(&a1023)                                  // f = a^(2^236 - 4097)
+	f.Square().Square().Square().Square().Square() // f = a^(2^241 - 131104)
+	f.Square().Square().Square().Square().Square() // f = a^(2^246 - 4195328)
+	f.Mul(&a1023)                                  // f = a^(2^246 - 4194305)
+	f.Square().Square().Square().Square().Square() // f = a^(2^251 - 134217760)
+	f.Square().Square().Square().Square().Square() // f = a^(2^256 - 4294968320)
+	return f.Mul(&a45)                             // f = a^(2^256 - 4294968275) = a^(p-2)
+}

vendor/github.com/btcsuite/btcd/btcec/genprecomps.go

@@ -0,0 +1,63 @@
+// Copyright 2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+// This file is ignored during the regular build due to the following build tag.
+// It is called by go generate and used to automatically generate pre-computed
+// tables used to accelerate operations.
+// +build ignore
+
+package main
+
+import (
+	"bytes"
+	"compress/zlib"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/btcsuite/btcd/btcec"
+)
+
+func main() {
+	fi, err := os.Create("secp256k1.go")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer fi.Close()
+
+	// Compress the serialized byte points.
+	serialized := btcec.S256().SerializedBytePoints()
+	var compressed bytes.Buffer
+	w := zlib.NewWriter(&compressed)
+	if _, err := w.Write(serialized); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	w.Close()
+
+	// Encode the compressed byte points with base64.
+	encoded := make([]byte, base64.StdEncoding.EncodedLen(compressed.Len()))
+	base64.StdEncoding.Encode(encoded, compressed.Bytes())
+
+	fmt.Fprintln(fi, "// Copyright (c) 2015 The btcsuite developers")
+	fmt.Fprintln(fi, "// Use of this source code is governed by an ISC")
+	fmt.Fprintln(fi, "// license that can be found in the LICENSE file.")
+	fmt.Fprintln(fi)
+	fmt.Fprintln(fi, "package btcec")
+	fmt.Fprintln(fi)
+	fmt.Fprintln(fi, "// Auto-generated file (see genprecomps.go)")
+	fmt.Fprintln(fi, "// DO NOT EDIT")
+	fmt.Fprintln(fi)
+	fmt.Fprintf(fi, "var secp256k1BytePoints = %q\n", string(encoded))
+
+	a1, b1, a2, b2 := btcec.S256().EndomorphismVectors()
+	fmt.Println("The following values are the computed linearly " +
+		"independent vectors needed to make use of the secp256k1 " +
+		"endomorphism:")
+	fmt.Printf("a1: %x\n", a1)
+	fmt.Printf("b1: %x\n", b1)
+	fmt.Printf("a2: %x\n", a2)
+	fmt.Printf("b2: %x\n", b2)
+}

vendor/github.com/btcsuite/btcd/btcec/gensecp256k1.go

@@ -0,0 +1,203 @@
+// Copyright (c) 2014-2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+// This file is ignored during the regular build due to the following build tag.
+// This build tag is set during go generate.
+// +build gensecp256k1
+
+package btcec
+
+// References:
+//   [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
+
+import (
+	"encoding/binary"
+	"math/big"
+)
+
+// secp256k1BytePoints are dummy points used so the code which generates the
+// real values can compile.
+var secp256k1BytePoints = ""
+
+// getDoublingPoints returns all the possible G^(2^i) for i in
+// 0..n-1 where n is the curve's bit size (256 in the case of secp256k1)
+// the coordinates are recorded as Jacobian coordinates.
+func (curve *KoblitzCurve) getDoublingPoints() [][3]fieldVal {
+	doublingPoints := make([][3]fieldVal, curve.BitSize)
+
+	// initialize px, py, pz to the Jacobian coordinates for the base point
+	px, py := curve.bigAffineToField(curve.Gx, curve.Gy)
+	pz := new(fieldVal).SetInt(1)
+	for i := 0; i < curve.BitSize; i++ {
+		doublingPoints[i] = [3]fieldVal{*px, *py, *pz}
+		// P = 2*P
+		curve.doubleJacobian(px, py, pz, px, py, pz)
+	}
+	return doublingPoints
+}
+
+// SerializedBytePoints returns a serialized byte slice which contains all of
+// the possible points per 8-bit window.  This is used to when generating
+// secp256k1.go.
+func (curve *KoblitzCurve) SerializedBytePoints() []byte {
+	doublingPoints := curve.getDoublingPoints()
+
+	// Segregate the bits into byte-sized windows
+	serialized := make([]byte, curve.byteSize*256*3*10*4)
+	offset := 0
+	for byteNum := 0; byteNum < curve.byteSize; byteNum++ {
+		// Grab the 8 bits that make up this byte from doublingPoints.
+		startingBit := 8 * (curve.byteSize - byteNum - 1)
+		computingPoints := doublingPoints[startingBit : startingBit+8]
+
+		// Compute all points in this window and serialize them.
+		for i := 0; i < 256; i++ {
+			px, py, pz := new(fieldVal), new(fieldVal), new(fieldVal)
+			for j := 0; j < 8; j++ {
+				if i>>uint(j)&1 == 1 {
+					curve.addJacobian(px, py, pz, &computingPoints[j][0],
+						&computingPoints[j][1], &computingPoints[j][2], px, py, pz)
+				}
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], px.n[i])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], py.n[i])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				binary.LittleEndian.PutUint32(serialized[offset:], pz.n[i])
+				offset += 4
+			}
+		}
+	}
+
+	return serialized
+}
+
+// sqrt returns the square root of the provided big integer using Newton's
+// method.  It's only compiled and used during generation of pre-computed
+// values, so speed is not a huge concern.
+func sqrt(n *big.Int) *big.Int {
+	// Initial guess = 2^(log_2(n)/2)
+	guess := big.NewInt(2)
+	guess.Exp(guess, big.NewInt(int64(n.BitLen()/2)), nil)
+
+	// Now refine using Newton's method.
+	big2 := big.NewInt(2)
+	prevGuess := big.NewInt(0)
+	for {
+		prevGuess.Set(guess)
+		guess.Add(guess, new(big.Int).Div(n, guess))
+		guess.Div(guess, big2)
+		if guess.Cmp(prevGuess) == 0 {
+			break
+		}
+	}
+	return guess
+}
+
+// EndomorphismVectors runs the first 3 steps of algorithm 3.74 from [GECC] to
+// generate the linearly independent vectors needed to generate a balanced
+// length-two representation of a multiplier such that k = k1 + k2λ (mod N) and
+// returns them.  Since the values will always be the same given the fact that N
+// and λ are fixed, the final results can be accelerated by storing the
+// precomputed values with the curve.
+func (curve *KoblitzCurve) EndomorphismVectors() (a1, b1, a2, b2 *big.Int) {
+	bigMinus1 := big.NewInt(-1)
+
+	// This section uses an extended Euclidean algorithm to generate a
+	// sequence of equations:
+	//  s[i] * N + t[i] * λ = r[i]
+
+	nSqrt := sqrt(curve.N)
+	u, v := new(big.Int).Set(curve.N), new(big.Int).Set(curve.lambda)
+	x1, y1 := big.NewInt(1), big.NewInt(0)
+	x2, y2 := big.NewInt(0), big.NewInt(1)
+	q, r := new(big.Int), new(big.Int)
+	qu, qx1, qy1 := new(big.Int), new(big.Int), new(big.Int)
+	s, t := new(big.Int), new(big.Int)
+	ri, ti := new(big.Int), new(big.Int)
+	a1, b1, a2, b2 = new(big.Int), new(big.Int), new(big.Int), new(big.Int)
+	found, oneMore := false, false
+	for u.Sign() != 0 {
+		// q = v/u
+		q.Div(v, u)
+
+		// r = v - q*u
+		qu.Mul(q, u)
+		r.Sub(v, qu)
+
+		// s = x2 - q*x1
+		qx1.Mul(q, x1)
+		s.Sub(x2, qx1)
+
+		// t = y2 - q*y1
+		qy1.Mul(q, y1)
+		t.Sub(y2, qy1)
+
+		// v = u, u = r, x2 = x1, x1 = s, y2 = y1, y1 = t
+		v.Set(u)
+		u.Set(r)
+		x2.Set(x1)
+		x1.Set(s)
+		y2.Set(y1)
+		y1.Set(t)
+
+		// As soon as the remainder is less than the sqrt of n, the
+		// values of a1 and b1 are known.
+		if !found && r.Cmp(nSqrt) < 0 {
+			// When this condition executes ri and ti represent the
+			// r[i] and t[i] values such that i is the greatest
+			// index for which r >= sqrt(n).  Meanwhile, the current
+			// r and t values are r[i+1] and t[i+1], respectively.
+
+			// a1 = r[i+1], b1 = -t[i+1]
+			a1.Set(r)
+			b1.Mul(t, bigMinus1)
+			found = true
+			oneMore = true
+
+			// Skip to the next iteration so ri and ti are not
+			// modified.
+			continue
+
+		} else if oneMore {
+			// When this condition executes ri and ti still
+			// represent the r[i] and t[i] values while the current
+			// r and t are r[i+2] and t[i+2], respectively.
+
+			// sum1 = r[i]^2 + t[i]^2
+			rSquared := new(big.Int).Mul(ri, ri)
+			tSquared := new(big.Int).Mul(ti, ti)
+			sum1 := new(big.Int).Add(rSquared, tSquared)
+
+			// sum2 = r[i+2]^2 + t[i+2]^2
+			r2Squared := new(big.Int).Mul(r, r)
+			t2Squared := new(big.Int).Mul(t, t)
+			sum2 := new(big.Int).Add(r2Squared, t2Squared)
+
+			// if (r[i]^2 + t[i]^2) <= (r[i+2]^2 + t[i+2]^2)
+			if sum1.Cmp(sum2) <= 0 {
+				// a2 = r[i], b2 = -t[i]
+				a2.Set(ri)
+				b2.Mul(ti, bigMinus1)
+			} else {
+				// a2 = r[i+2], b2 = -t[i+2]
+				a2.Set(r)
+				b2.Mul(t, bigMinus1)
+			}
+
+			// All done.
+			break
+		}
+
+		ri.Set(r)
+		ti.Set(t)
+	}
+
+	return a1, b1, a2, b2
+}

vendor/github.com/btcsuite/btcd/btcec/precompute.go

@@ -0,0 +1,67 @@
+// Copyright 2015 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"compress/zlib"
+	"encoding/base64"
+	"encoding/binary"
+	"io/ioutil"
+	"strings"
+)
+
+//go:generate go run -tags gensecp256k1 genprecomps.go
+
+// loadS256BytePoints decompresses and deserializes the pre-computed byte points
+// used to accelerate scalar base multiplication for the secp256k1 curve.  This
+// approach is used since it allows the compile to use significantly less ram
+// and be performed much faster than it is with hard-coding the final in-memory
+// data structure.  At the same time, it is quite fast to generate the in-memory
+// data structure at init time with this approach versus computing the table.
+func loadS256BytePoints() error {
+	// There will be no byte points to load when generating them.
+	bp := secp256k1BytePoints
+	if len(bp) == 0 {
+		return nil
+	}
+
+	// Decompress the pre-computed table used to accelerate scalar base
+	// multiplication.
+	decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(bp))
+	r, err := zlib.NewReader(decoder)
+	if err != nil {
+		return err
+	}
+	serialized, err := ioutil.ReadAll(r)
+	if err != nil {
+		return err
+	}
+
+	// Deserialize the precomputed byte points and set the curve to them.
+	offset := 0
+	var bytePoints [32][256][3]fieldVal
+	for byteNum := 0; byteNum < 32; byteNum++ {
+		// All points in this window.
+		for i := 0; i < 256; i++ {
+			px := &bytePoints[byteNum][i][0]
+			py := &bytePoints[byteNum][i][1]
+			pz := &bytePoints[byteNum][i][2]
+			for i := 0; i < 10; i++ {
+				px.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				py.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+			for i := 0; i < 10; i++ {
+				pz.n[i] = binary.LittleEndian.Uint32(serialized[offset:])
+				offset += 4
+			}
+		}
+	}
+	secp256k1.bytePoints = &bytePoints
+	return nil
+}

vendor/github.com/btcsuite/btcd/btcec/privkey.go

@@ -0,0 +1,73 @@
+// Copyright (c) 2013-2016 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"math/big"
+)
+
+// PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing
+// things with the the private key without having to directly import the ecdsa
+// package.
+type PrivateKey ecdsa.PrivateKey
+
+// PrivKeyFromBytes returns a private and public key for `curve' based on the
+// private key passed as an argument as a byte slice.
+func PrivKeyFromBytes(curve elliptic.Curve, pk []byte) (*PrivateKey,
+	*PublicKey) {
+	x, y := curve.ScalarBaseMult(pk)
+
+	priv := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: new(big.Int).SetBytes(pk),
+	}
+
+	return (*PrivateKey)(priv), (*PublicKey)(&priv.PublicKey)
+}
+
+// NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey
+// instead of the normal ecdsa.PrivateKey.
+func NewPrivateKey(curve elliptic.Curve) (*PrivateKey, error) {
+	key, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return (*PrivateKey)(key), nil
+}
+
+// PubKey returns the PublicKey corresponding to this private key.
+func (p *PrivateKey) PubKey() *PublicKey {
+	return (*PublicKey)(&p.PublicKey)
+}
+
+// ToECDSA returns the private key as a *ecdsa.PrivateKey.
+func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey {
+	return (*ecdsa.PrivateKey)(p)
+}
+
+// Sign generates an ECDSA signature for the provided hash (which should be the result
+// of hashing a larger message) using the private key. Produced signature
+// is deterministic (same message and same key yield the same signature) and canonical
+// in accordance with RFC6979 and BIP0062.
+func (p *PrivateKey) Sign(hash []byte) (*Signature, error) {
+	return signRFC6979(p, hash)
+}
+
+// PrivKeyBytesLen defines the length in bytes of a serialized private key.
+const PrivKeyBytesLen = 32
+
+// Serialize returns the private key number d as a big-endian binary-encoded
+// number, padded to a length of 32 bytes.
+func (p *PrivateKey) Serialize() []byte {
+	b := make([]byte, 0, PrivKeyBytesLen)
+	return paddedAppend(PrivKeyBytesLen, b, p.ToECDSA().D.Bytes())
+}

vendor/github.com/btcsuite/btcd/btcec/pubkey.go

@@ -0,0 +1,172 @@
+// Copyright (c) 2013-2014 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"crypto/ecdsa"
+	"errors"
+	"fmt"
+	"math/big"
+)
+
+// These constants define the lengths of serialized public keys.
+const (
+	PubKeyBytesLenCompressed   = 33
+	PubKeyBytesLenUncompressed = 65
+	PubKeyBytesLenHybrid       = 65
+)
+
+func isOdd(a *big.Int) bool {
+	return a.Bit(0) == 1
+}
+
+// decompressPoint decompresses a point on the given curve given the X point and
+// the solution to use.
+func decompressPoint(curve *KoblitzCurve, x *big.Int, ybit bool) (*big.Int, error) {
+	// TODO: This will probably only work for secp256k1 due to
+	// optimizations.
+
+	// Y = +-sqrt(x^3 + B)
+	x3 := new(big.Int).Mul(x, x)
+	x3.Mul(x3, x)
+	x3.Add(x3, curve.Params().B)
+
+	// now calculate sqrt mod p of x2 + B
+	// This code used to do a full sqrt based on tonelli/shanks,
+	// but this was replaced by the algorithms referenced in
+	// https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
+	y := new(big.Int).Exp(x3, curve.QPlus1Div4(), curve.Params().P)
+
+	if ybit != isOdd(y) {
+		y.Sub(curve.Params().P, y)
+	}
+	if ybit != isOdd(y) {
+		return nil, fmt.Errorf("ybit doesn't match oddness")
+	}
+	return y, nil
+}
+
+const (
+	pubkeyCompressed   byte = 0x2 // y_bit + x coord
+	pubkeyUncompressed byte = 0x4 // x coord + y coord
+	pubkeyHybrid       byte = 0x6 // y_bit + x coord + y coord
+)
+
+// ParsePubKey parses a public key for a koblitz curve from a bytestring into a
+// ecdsa.Publickey, verifying that it is valid. It supports compressed,
+// uncompressed and hybrid signature formats.
+func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error) {
+	pubkey := PublicKey{}
+	pubkey.Curve = curve
+
+	if len(pubKeyStr) == 0 {
+		return nil, errors.New("pubkey string is empty")
+	}
+
+	format := pubKeyStr[0]
+	ybit := (format & 0x1) == 0x1
+	format &= ^byte(0x1)
+
+	switch len(pubKeyStr) {
+	case PubKeyBytesLenUncompressed:
+		if format != pubkeyUncompressed && format != pubkeyHybrid {
+			return nil, fmt.Errorf("invalid magic in pubkey str: "+
+				"%d", pubKeyStr[0])
+		}
+
+		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33])
+		pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:])
+		// hybrid keys have extra information, make use of it.
+		if format == pubkeyHybrid && ybit != isOdd(pubkey.Y) {
+			return nil, fmt.Errorf("ybit doesn't match oddness")
+		}
+	case PubKeyBytesLenCompressed:
+		// format is 0x2 | solution, <X coordinate>
+		// solution determines which solution of the curve we use.
+		/// y^2 = x^3 + Curve.B
+		if format != pubkeyCompressed {
+			return nil, fmt.Errorf("invalid magic in compressed "+
+				"pubkey string: %d", pubKeyStr[0])
+		}
+		pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33])
+		pubkey.Y, err = decompressPoint(curve, pubkey.X, ybit)
+		if err != nil {
+			return nil, err
+		}
+	default: // wrong!
+		return nil, fmt.Errorf("invalid pub key length %d",
+			len(pubKeyStr))
+	}
+
+	if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey X parameter is >= to P")
+	}
+	if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey Y parameter is >= to P")
+	}
+	if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) {
+		return nil, fmt.Errorf("pubkey isn't on secp256k1 curve")
+	}
+	return &pubkey, nil
+}
+
+// PublicKey is an ecdsa.PublicKey with additional functions to
+// serialize in uncompressed, compressed, and hybrid formats.
+type PublicKey ecdsa.PublicKey
+
+// ToECDSA returns the public key as a *ecdsa.PublicKey.
+func (p *PublicKey) ToECDSA() *ecdsa.PublicKey {
+	return (*ecdsa.PublicKey)(p)
+}
+
+// SerializeUncompressed serializes a public key in a 65-byte uncompressed
+// format.
+func (p *PublicKey) SerializeUncompressed() []byte {
+	b := make([]byte, 0, PubKeyBytesLenUncompressed)
+	b = append(b, pubkeyUncompressed)
+	b = paddedAppend(32, b, p.X.Bytes())
+	return paddedAppend(32, b, p.Y.Bytes())
+}
+
+// SerializeCompressed serializes a public key in a 33-byte compressed format.
+func (p *PublicKey) SerializeCompressed() []byte {
+	b := make([]byte, 0, PubKeyBytesLenCompressed)
+	format := pubkeyCompressed
+	if isOdd(p.Y) {
+		format |= 0x1
+	}
+	b = append(b, format)
+	return paddedAppend(32, b, p.X.Bytes())
+}
+
+// SerializeHybrid serializes a public key in a 65-byte hybrid format.
+func (p *PublicKey) SerializeHybrid() []byte {
+	b := make([]byte, 0, PubKeyBytesLenHybrid)
+	format := pubkeyHybrid
+	if isOdd(p.Y) {
+		format |= 0x1
+	}
+	b = append(b, format)
+	b = paddedAppend(32, b, p.X.Bytes())
+	return paddedAppend(32, b, p.Y.Bytes())
+}
+
+// IsEqual compares this PublicKey instance to the one passed, returning true if
+// both PublicKeys are equivalent. A PublicKey is equivalent to another, if they
+// both have the same X and Y coordinate.
+func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool {
+	return p.X.Cmp(otherPubKey.X) == 0 &&
+		p.Y.Cmp(otherPubKey.Y) == 0
+}
+
+// paddedAppend appends the src byte slice to dst, returning the new slice.
+// If the length of the source is smaller than the passed size, leading zero
+// bytes are appended to the dst slice before appending src.
+func paddedAppend(size uint, dst, src []byte) []byte {
+	for i := 0; i < int(size)-len(src); i++ {
+		dst = append(dst, 0)
+	}
+	return append(dst, src...)
+}

vendor/github.com/btcsuite/btcd/btcec/signature.go

@@ -0,0 +1,539 @@
+// Copyright (c) 2013-2017 The btcsuite developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package btcec
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/hmac"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"hash"
+	"math/big"
+)
+
+// Errors returned by canonicalPadding.
+var (
+	errNegativeValue          = errors.New("value may be interpreted as negative")
+	errExcessivelyPaddedValue = errors.New("value is excessively padded")
+)
+
+// Signature is a type representing an ecdsa signature.
+type Signature struct {
+	R *big.Int
+	S *big.Int
+}
+
+var (
+	// Curve order and halforder, used to tame ECDSA malleability (see BIP-0062)
+	order     = new(big.Int).Set(S256().N)
+	halforder = new(big.Int).Rsh(order, 1)
+
+	// Used in RFC6979 implementation when testing the nonce for correctness
+	one = big.NewInt(1)
+
+	// oneInitializer is used to fill a byte slice with byte 0x01.  It is provided
+	// here to avoid the need to create it multiple times.
+	oneInitializer = []byte{0x01}
+)
+
+// Serialize returns the ECDSA signature in the more strict DER format.  Note
+// that the serialized bytes returned do not include the appended hash type
+// used in Bitcoin signature scripts.
+//
+// encoding/asn1 is broken so we hand roll this output:
+//
+// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
+func (sig *Signature) Serialize() []byte {
+	// low 'S' malleability breaker
+	sigS := sig.S
+	if sigS.Cmp(halforder) == 1 {
+		sigS = new(big.Int).Sub(order, sigS)
+	}
+	// Ensure the encoded bytes for the r and s values are canonical and
+	// thus suitable for DER encoding.
+	rb := canonicalizeInt(sig.R)
+	sb := canonicalizeInt(sigS)
+
+	// total length of returned signature is 1 byte for each magic and
+	// length (6 total), plus lengths of r and s
+	length := 6 + len(rb) + len(sb)
+	b := make([]byte, length, length)
+
+	b[0] = 0x30
+	b[1] = byte(length - 2)
+	b[2] = 0x02
+	b[3] = byte(len(rb))
+	offset := copy(b[4:], rb) + 4
+	b[offset] = 0x02
+	b[offset+1] = byte(len(sb))
+	copy(b[offset+2:], sb)
+	return b
+}
+
+// Verify calls ecdsa.Verify to verify the signature of hash using the public
+// key.  It returns true if the signature is valid, false otherwise.
+func (sig *Signature) Verify(hash []byte, pubKey *PublicKey) bool {
+	return ecdsa.Verify(pubKey.ToECDSA(), hash, sig.R, sig.S)
+}
+
+// IsEqual compares this Signature instance to the one passed, returning true
+// if both Signatures are equivalent. A signature is equivalent to another, if
+// they both have the same scalar value for R and S.
+func (sig *Signature) IsEqual(otherSig *Signature) bool {
+	return sig.R.Cmp(otherSig.R) == 0 &&
+		sig.S.Cmp(otherSig.S) == 0
+}
+
+func parseSig(sigStr []byte, curve elliptic.Curve, der bool) (*Signature, error) {
+	// Originally this code used encoding/asn1 in order to parse the
+	// signature, but a number of problems were found with this approach.
+	// Despite the fact that signatures are stored as DER, the difference
+	// between go's idea of a bignum (and that they have sign) doesn't agree
+	// with the openssl one (where they do not). The above is true as of
+	// Go 1.1. In the end it was simpler to rewrite the code to explicitly
+	// understand the format which is this:
+	// 0x30 <length of whole message> <0x02> <length of R> <R> 0x2
+	// <length of S> <S>.
+
+	signature := &Signature{}
+
+	// minimal message is when both numbers are 1 bytes. adding up to:
+	// 0x30 + len + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte>
+	if len(sigStr) < 8 {
+		return nil, errors.New("malformed signature: too short")
+	}
+	// 0x30
+	index := 0
+	if sigStr[index] != 0x30 {
+		return nil, errors.New("malformed signature: no header magic")
+	}
+	index++
+	// length of remaining message
+	siglen := sigStr[index]
+	index++
+	if int(siglen+2) > len(sigStr) {
+		return nil, errors.New("malformed signature: bad length")
+	}
+	// trim the slice we're working on so we only look at what matters.
+	sigStr = sigStr[:siglen+2]
+
+	// 0x02
+	if sigStr[index] != 0x02 {
+		return nil,
+			errors.New("malformed signature: no 1st int marker")
+	}
+	index++
+
+	// Length of signature R.
+	rLen := int(sigStr[index])
+	// must be positive, must be able to fit in another 0x2, <len> <s>
+	// hence the -3. We assume that the length must be at least one byte.
+	index++
+	if rLen <= 0 || rLen > len(sigStr)-index-3 {
+		return nil, errors.New("malformed signature: bogus R length")
+	}
+
+	// Then R itself.
+	rBytes := sigStr[index : index+rLen]
+	if der {
+		switch err := canonicalPadding(rBytes); err {
+		case errNegativeValue:
+			return nil, errors.New("signature R is negative")
+		case errExcessivelyPaddedValue:
+			return nil, errors.New("signature R is excessively padded")
+		}
+	}
+	signature.R = new(big.Int).SetBytes(rBytes)
+	index += rLen
+	// 0x02. length already checked in previous if.
+	if sigStr[index] != 0x02 {
+		return nil, errors.New("malformed signature: no 2nd int marker")
+	}
+	index++
+
+	// Length of signature S.
+	sLen := int(sigStr[index])
+	index++
+	// S should be the rest of the string.
+	if sLen <= 0 || sLen > len(sigStr)-index {
+		return nil, errors.New("malformed signature: bogus S length")
+	}
+
+	// Then S itself.
+	sBytes := sigStr[index : index+sLen]
+	if der {
+		switch err := canonicalPadding(sBytes); err {
+		case errNegativeValue:
+			return nil, errors.New("signature S is negative")
+		case errExcessivelyPaddedValue:
+			return nil, errors.New("signature S is excessively padded")
+		}
+	}
+	signature.S = new(big.Int).SetBytes(sBytes)
+	index += sLen
+
+	// sanity check length parsing
+	if index != len(sigStr) {
+		return nil, fmt.Errorf("malformed signature: bad final length %v != %v",
+			index, len(sigStr))
+	}
+
+	// Verify also checks this, but we can be more sure that we parsed
+	// correctly if we verify here too.
+	// FWIW the ecdsa spec states that R and S must be | 1, N - 1 |
+	// but crypto/ecdsa only checks for Sign != 0. Mirror that.
+	if signature.R.Sign() != 1 {
+		return nil, errors.New("signature R isn't 1 or more")
+	}
+	if signature.S.Sign() != 1 {
+		return nil, errors.New("signature S isn't 1 or more")
+	}
+	if signature.R.Cmp(curve.Params().N) >= 0 {
+		return nil, errors.New("signature R is >= curve.N")
+	}
+	if signature.S.Cmp(curve.Params().N) >= 0 {
+		return nil, errors.New("signature S is >= curve.N")
+	}
+
+	return signature, nil
+}
+
+// ParseSignature parses a signature in BER format for the curve type `curve'
+// into a Signature type, perfoming some basic sanity checks.  If parsing
+// according to the more strict DER format is needed, use ParseDERSignature.
+func ParseSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) {
+	return parseSig(sigStr, curve, false)
+}
+
+// ParseDERSignature parses a signature in DER format for the curve type
+// `curve` into a Signature type.  If parsing according to the less strict
+// BER format is needed, use ParseSignature.
+func ParseDERSignature(sigStr []byte, curve elliptic.Curve) (*Signature, error) {
+	return parseSig(sigStr, curve, true)
+}
+
+// canonicalizeInt returns the bytes for the passed big integer adjusted as
+// necessary to ensure that a big-endian encoded integer can't possibly be
+// misinterpreted as a negative number.  This can happen when the most
+// significant bit is set, so it is padded by a leading zero byte in this case.
+// Also, the returned bytes will have at least a single byte when the passed
+// value is 0.  This is required for DER encoding.
+func canonicalizeInt(val *big.Int) []byte {
+	b := val.Bytes()
+	if len(b) == 0 {
+		b = []byte{0x00}
+	}
+	if b[0]&0x80 != 0 {
+		paddedBytes := make([]byte, len(b)+1)
+		copy(paddedBytes[1:], b)
+		b = paddedBytes
+	}
+	return b
+}
+
+// canonicalPadding checks whether a big-endian encoded integer could
+// possibly be misinterpreted as a negative number (even though OpenSSL
+// treats all numbers as unsigned), or if there is any unnecessary
+// leading zero padding.
+func canonicalPadding(b []byte) error {
+	switch {
+	case b[0]&0x80 == 0x80:
+		return errNegativeValue
+	case len(b) > 1 && b[0] == 0x00 && b[1]&0x80 != 0x80:
+		return errExcessivelyPaddedValue
+	default:
+		return nil
+	}
+}
+
+// hashToInt converts a hash value to an integer. There is some disagreement
+// about how this is done. [NSA] suggests that this is done in the obvious
+// manner, but [SECG] truncates the hash to the bit-length of the curve order
+// first. We follow [SECG] because that's what OpenSSL does. Additionally,
+// OpenSSL right shifts excess bits from the number if the hash is too large
+// and we mirror that too.
+// This is borrowed from crypto/ecdsa.
+func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
+	orderBits := c.Params().N.BitLen()
+	orderBytes := (orderBits + 7) / 8
+	if len(hash) > orderBytes {
+		hash = hash[:orderBytes]
+	}
+
+	ret := new(big.Int).SetBytes(hash)
+	excess := len(hash)*8 - orderBits
+	if excess > 0 {
+		ret.Rsh(ret, uint(excess))
+	}
+	return ret
+}
+
+// recoverKeyFromSignature recoves a public key from the signature "sig" on the
+// given message hash "msg". Based on the algorithm found in section 5.1.5 of
+// SEC 1 Ver 2.0, page 47-48 (53 and 54 in the pdf). This performs the details
+// in the inner loop in Step 1. The counter provided is actually the j parameter
+// of the loop * 2 - on the first iteration of j we do the R case, else the -R
+// case in step 1.6. This counter is used in the bitcoin compressed signature
+// format and thus we match bitcoind's behaviour here.
+func recoverKeyFromSignature(curve *KoblitzCurve, sig *Signature, msg []byte,
+	iter int, doChecks bool) (*PublicKey, error) {
+	// 1.1 x = (n * i) + r
+	Rx := new(big.Int).Mul(curve.Params().N,
+		new(big.Int).SetInt64(int64(iter/2)))
+	Rx.Add(Rx, sig.R)
+	if Rx.Cmp(curve.Params().P) != -1 {
+		return nil, errors.New("calculated Rx is larger than curve P")
+	}
+
+	// convert 02<Rx> to point R. (step 1.2 and 1.3). If we are on an odd
+	// iteration then 1.6 will be done with -R, so we calculate the other
+	// term when uncompressing the point.
+	Ry, err := decompressPoint(curve, Rx, iter%2 == 1)
+	if err != nil {
+		return nil, err
+	}
+
+	// 1.4 Check n*R is point at infinity
+	if doChecks {
+		nRx, nRy := curve.ScalarMult(Rx, Ry, curve.Params().N.Bytes())
+		if nRx.Sign() != 0 || nRy.Sign() != 0 {
+			return nil, errors.New("n*R does not equal the point at infinity")
+		}
+	}
+
+	// 1.5 calculate e from message using the same algorithm as ecdsa
+	// signature calculation.
+	e := hashToInt(msg, curve)
+
+	// Step 1.6.1:
+	// We calculate the two terms sR and eG separately multiplied by the
+	// inverse of r (from the signature). We then add them to calculate
+	// Q = r^-1(sR-eG)
+	invr := new(big.Int).ModInverse(sig.R, curve.Params().N)
+
+	// first term.
+	invrS := new(big.Int).Mul(invr, sig.S)
+	invrS.Mod(invrS, curve.Params().N)
+	sRx, sRy := curve.ScalarMult(Rx, Ry, invrS.Bytes())
+
+	// second term.
+	e.Neg(e)
+	e.Mod(e, curve.Params().N)
+	e.Mul(e, invr)
+	e.Mod(e, curve.Params().N)
+	minuseGx, minuseGy := curve.ScalarBaseMult(e.Bytes())
+
+	// TODO: this would be faster if we did a mult and add in one
+	// step to prevent the jacobian conversion back and forth.
+	Qx, Qy := curve.Add(sRx, sRy, minuseGx, minuseGy)
+
+	return &PublicKey{
+		Curve: curve,
+		X:     Qx,
+		Y:     Qy,
+	}, nil
+}
+
+// SignCompact produces a compact signature of the data in hash with the given
+// private key on the given koblitz curve. The isCompressed  parameter should
+// be used to detail if the given signature should reference a compressed
+// public key or not. If successful the bytes of the compact signature will be
+// returned in the format:
+// <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S>
+// where the R and S parameters are padde up to the bitlengh of the curve.
+func SignCompact(curve *KoblitzCurve, key *PrivateKey,
+	hash []byte, isCompressedKey bool) ([]byte, error) {
+	sig, err := key.Sign(hash)
+	if err != nil {
+		return nil, err
+	}
+
+	// bitcoind checks the bit length of R and S here. The ecdsa signature
+	// algorithm returns R and S mod N therefore they will be the bitsize of
+	// the curve, and thus correctly sized.
+	for i := 0; i < (curve.H+1)*2; i++ {
+		pk, err := recoverKeyFromSignature(curve, sig, hash, i, true)
+		if err == nil && pk.X.Cmp(key.X) == 0 && pk.Y.Cmp(key.Y) == 0 {
+			result := make([]byte, 1, 2*curve.byteSize+1)
+			result[0] = 27 + byte(i)
+			if isCompressedKey {
+				result[0] += 4
+			}
+			// Not sure this needs rounding but safer to do so.
+			curvelen := (curve.BitSize + 7) / 8
+
+			// Pad R and S to curvelen if needed.
+			bytelen := (sig.R.BitLen() + 7) / 8
+			if bytelen < curvelen {
+				result = append(result,
+					make([]byte, curvelen-bytelen)...)
+			}
+			result = append(result, sig.R.Bytes()...)
+
+			bytelen = (sig.S.BitLen() + 7) / 8
+			if bytelen < curvelen {
+				result = append(result,
+					make([]byte, curvelen-bytelen)...)
+			}
+			result = append(result, sig.S.Bytes()...)
+
+			return result, nil
+		}
+	}
+
+	return nil, errors.New("no valid solution for pubkey found")
+}
+
+// RecoverCompact verifies the compact signature "signature" of "hash" for the
+// Koblitz curve in "curve". If the signature matches then the recovered public
+// key will be returned as well as a boolen if the original key was compressed
+// or not, else an error will be returned.
+func RecoverCompact(curve *KoblitzCurve, signature,
+	hash []byte) (*PublicKey, bool, error) {
+	bitlen := (curve.BitSize + 7) / 8
+	if len(signature) != 1+bitlen*2 {
+		return nil, false, errors.New("invalid compact signature size")
+	}
+
+	iteration := int((signature[0] - 27) & ^byte(4))
+
+	// format is <header byte><bitlen R><bitlen S>
+	sig := &Signature{
+		R: new(big.Int).SetBytes(signature[1 : bitlen+1]),
+		S: new(big.Int).SetBytes(signature[bitlen+1:]),
+	}
+	// The iteration used here was encoded
+	key, err := recoverKeyFromSignature(curve, sig, hash, iteration, false)
+	if err != nil {
+		return nil, false, err
+	}
+
+	return key, ((signature[0] - 27) & 4) == 4, nil
+}
+
+// signRFC6979 generates a deterministic ECDSA signature according to RFC 6979 and BIP 62.
+func signRFC6979(privateKey *PrivateKey, hash []byte) (*Signature, error) {
+
+	privkey := privateKey.ToECDSA()
+	N := order
+	k := nonceRFC6979(privkey.D, hash)
+	inv := new(big.Int).ModInverse(k, N)
+	r, _ := privkey.Curve.ScalarBaseMult(k.Bytes())
+	if r.Cmp(N) == 1 {
+		r.Sub(r, N)
+	}
+
+	if r.Sign() == 0 {
+		return nil, errors.New("calculated R is zero")
+	}
+
+	e := hashToInt(hash, privkey.Curve)
+	s := new(big.Int).Mul(privkey.D, r)
+	s.Add(s, e)
+	s.Mul(s, inv)
+	s.Mod(s, N)
+
+	if s.Cmp(halforder) == 1 {
+		s.Sub(N, s)
+	}
+	if s.Sign() == 0 {
+		return nil, errors.New("calculated S is zero")
+	}
+	return &Signature{R: r, S: s}, nil
+}
+
+// nonceRFC6979 generates an ECDSA nonce (`k`) deterministically according to RFC 6979.
+// It takes a 32-byte hash as an input and returns 32-byte nonce to be used in ECDSA algorithm.
+func nonceRFC6979(privkey *big.Int, hash []byte) *big.Int {
+
+	curve := S256()
+	q := curve.Params().N
+	x := privkey
+	alg := sha256.New
+
+	qlen := q.BitLen()
+	holen := alg().Size()
+	rolen := (qlen + 7) >> 3
+	bx := append(int2octets(x, rolen), bits2octets(hash, curve, rolen)...)
+
+	// Step B
+	v := bytes.Repeat(oneInitializer, holen)
+
+	// Step C (Go zeroes the all allocated memory)
+	k := make([]byte, holen)
+
+	// Step D
+	k = mac(alg, k, append(append(v, 0x00), bx...))
+
+	// Step E
+	v = mac(alg, k, v)
+
+	// Step F
+	k = mac(alg, k, append(append(v, 0x01), bx...))
+
+	// Step G
+	v = mac(alg, k, v)
+
+	// Step H
+	for {
+		// Step H1
+		var t []byte
+
+		// Step H2
+		for len(t)*8 < qlen {
+			v = mac(alg, k, v)
+			t = append(t, v...)
+		}
+
+		// Step H3
+		secret := hashToInt(t, curve)
+		if secret.Cmp(one) >= 0 && secret.Cmp(q) < 0 {
+			return secret
+		}
+		k = mac(alg, k, append(v, 0x00))
+		v = mac(alg, k, v)
+	}
+}
+
+// mac returns an HMAC of the given key and message.
+func mac(alg func() hash.Hash, k, m []byte) []byte {
+	h := hmac.New(alg, k)
+	h.Write(m)
+	return h.Sum(nil)
+}
+
+// https://tools.ietf.org/html/rfc6979#section-2.3.3
+func int2octets(v *big.Int, rolen int) []byte {
+	out := v.Bytes()
+
+	// left pad with zeros if it's too short
+	if len(out) < rolen {
+		out2 := make([]byte, rolen)
+		copy(out2[rolen-len(out):], out)
+		return out2
+	}
+
+	// drop most significant bytes if it's too long
+	if len(out) > rolen {
+		out2 := make([]byte, rolen)
+		copy(out2, out[len(out)-rolen:])
+		return out2
+	}
+
+	return out
+}
+
+// https://tools.ietf.org/html/rfc6979#section-2.3.4
+func bits2octets(in []byte, curve elliptic.Curve, rolen int) []byte {
+	z1 := hashToInt(in, curve)
+	z2 := new(big.Int).Sub(z1, curve.Params().N)
+	if z2.Sign() < 0 {
+		return int2octets(z1, rolen)
+	}
+	return int2octets(z2, rolen)
+}

vendor/vendor.json

@@ -16,6 +16,12 @@
 			"revision": "ea17b1a17847fb6e4c0a91de0b674704693469b0",
 			"revisionTime": "2017-02-10T01:56:32Z"
 		},
+		{
+			"checksumSHA1": "fIpm6Vr5a8kgr22gWkQx7vKUTyU=",
+			"path": "github.com/btcsuite/btcd/btcec",
+			"revision": "d06c0bb181529331be8f8d9350288c420d9e60e4",
+			"revisionTime": "2017-02-01T21:25:25Z"
+		},
 		{
 			"checksumSHA1": "cDMtzKmdTx4CcIpP4broa+16X9g=",
 			"path": "github.com/cespare/cp",

whisper/whisperv2/message.go

@@ -21,11 +21,13 @@ package whisperv2
 
 import (
 	"crypto/ecdsa"
+	crand "crypto/rand"
 	"math/rand"
 	"time"
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/crypto/ecies"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 )
@@ -131,13 +133,13 @@ func (self *Message) Recover() *ecdsa.PublicKey {
 
 // encrypt encrypts a message payload with a public key.
 func (self *Message) encrypt(key *ecdsa.PublicKey) (err error) {
-	self.Payload, err = crypto.Encrypt(key, self.Payload)
+	self.Payload, err = ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), self.Payload, nil, nil)
 	return
 }
 
 // decrypt decrypts an encrypted payload with a private key.
 func (self *Message) decrypt(key *ecdsa.PrivateKey) error {
-	cleartext, err := crypto.Decrypt(key, self.Payload)
+	cleartext, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, self.Payload, nil, nil)
 	if err == nil {
 		self.Payload = cleartext
 	}

whisper/whisperv2/message_test.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 )
 
 // Tests whether a message can be wrapped without any identity or encryption.
@@ -73,8 +72,8 @@ func TestMessageCleartextSignRecover(t *testing.T) {
 	if pubKey == nil {
 		t.Fatalf("failed to recover public key")
 	}
-	p1 := elliptic.Marshal(secp256k1.S256(), key.PublicKey.X, key.PublicKey.Y)
-	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y)
+	p1 := elliptic.Marshal(crypto.S256(), key.PublicKey.X, key.PublicKey.Y)
+	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y)
 	if !bytes.Equal(p1, p2) {
 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1)
 	}
@@ -151,8 +150,8 @@ func TestMessageFullCrypto(t *testing.T) {
 	if pubKey == nil {
 		t.Fatalf("failed to recover public key")
 	}
-	p1 := elliptic.Marshal(secp256k1.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y)
-	p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y)
+	p1 := elliptic.Marshal(crypto.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y)
+	p2 := elliptic.Marshal(crypto.S256(), pubKey.X, pubKey.Y)
 	if !bytes.Equal(p1, p2) {
 		t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1)
 	}

whisper/whisperv5/message.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/crypto/ecies"
 	"github.com/ethereum/go-ethereum/logger"
 	"github.com/ethereum/go-ethereum/logger/glog"
 	"golang.org/x/crypto/pbkdf2"
@@ -163,7 +164,7 @@ func (msg *SentMessage) encryptAsymmetric(key *ecdsa.PublicKey) error {
 	if !ValidatePublicKey(key) {
 		return fmt.Errorf("Invalid public key provided for asymmetric encryption")
 	}
-	encrypted, err := crypto.Encrypt(key, msg.Raw)
+	encrypted, err := ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), msg.Raw, nil, nil)
 	if err == nil {
 		msg.Raw = encrypted
 	}
@@ -293,7 +294,7 @@ func (msg *ReceivedMessage) decryptSymmetric(key []byte, salt []byte, nonce []by
 
 // decryptAsymmetric decrypts an encrypted payload with a private key.
 func (msg *ReceivedMessage) decryptAsymmetric(key *ecdsa.PrivateKey) error {
-	decrypted, err := crypto.Decrypt(key, msg.Raw)
+	decrypted, err := ecies.ImportECDSA(key).Decrypt(crand.Reader, msg.Raw, nil, nil)
 	if err == nil {
 		msg.Raw = decrypted
 	}