Bitcoin ABC 0.33.8
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7/* This is a C project. It should not be compiled with a C++ compiler,
8 * and we error out if we detect one.
9 *
10 * We still want to be able to test the project with a C++ compiler
11 * because it is still good to know if this will lead to real trouble, so
12 * there is a possibility to override the check. But be warned that
13 * compiling with a C++ compiler is not supported. */
14#if defined(__cplusplus) && !defined(SECP256K1_CPLUSPLUS_TEST_OVERRIDE)
15#error Trying to compile a C project with a C++ compiler.
16#endif
17
18#define SECP256K1_BUILD
19
20#include "../include/secp256k1.h"
21#include "../include/secp256k1_preallocated.h"
22
23#include "assumptions.h"
24#include "checkmem.h"
25#include "util.h"
26
27#include "field_impl.h"
28#include "scalar_impl.h"
29#include "group_impl.h"
30#include "ecmult_impl.h"
31#include "ecmult_const_impl.h"
32#include "ecmult_gen_impl.h"
33#include "ecdsa_impl.h"
34#include "eckey_impl.h"
35#include "hash_impl.h"
36#include "int128_impl.h"
37#include "scratch_impl.h"
38#include "selftest.h"
39
40#ifdef SECP256K1_NO_BUILD
41# error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c"
42#endif
43
44#define ARG_CHECK(cond) do { \
45 if (EXPECT(!(cond), 0)) { \
46 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
47 return 0; \
48 } \
49} while(0)
50
51#define ARG_CHECK_VOID(cond) do { \
52 if (EXPECT(!(cond), 0)) { \
53 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
54 return; \
55 } \
56} while(0)
57
58/* Note that whenever you change the context struct, you must also change the
59 * context_eq function. */
65};
66
68 { 0 },
71 0
72};
75
76/* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof.
77 *
78 * This is intended for "context" functions such as secp256k1_context_clone. Function which need specific
79 * features of a context should still check for these features directly. For example, a function that needs
80 * ecmult_gen should directly check for the existence of the ecmult_gen context. */
83}
84
88 }
89}
90
92 size_t ret = sizeof(secp256k1_context);
93 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
94 VERIFY_CHECK(ret != 0);
95
98 "Invalid flags");
99 return 0;
100 }
101
104 "Declassify flag requires running with memory checking");
105 return 0;
106 }
107
108 return ret;
109}
110
112 VERIFY_CHECK(ctx != NULL);
114 return sizeof(secp256k1_context);
115}
116
118 size_t prealloc_size;
120
122
124 if (prealloc_size == 0) {
125 return NULL;
126 }
127 VERIFY_CHECK(prealloc != NULL);
128 ret = (secp256k1_context*)prealloc;
131
132 /* Flags have been checked by secp256k1_context_preallocated_size. */
136
137 return ret;
138}
139
141 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
144 free(ctx);
145 return NULL;
146 }
147
148 return ctx;
149}
150
153 VERIFY_CHECK(ctx != NULL);
154 ARG_CHECK(prealloc != NULL);
156
157 ret = (secp256k1_context*)prealloc;
158 *ret = *ctx;
159 return ret;
160}
161
164 size_t prealloc_size;
165
166 VERIFY_CHECK(ctx != NULL);
168
170 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
172 return ret;
173}
174
177
178 /* Defined as noop */
179 if (ctx == NULL) {
180 return;
181 }
182
184}
185
188
189 /* Defined as noop */
190 if (ctx == NULL) {
191 return;
192 }
193
195 free(ctx);
196}
197
198void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
199 /* We compare pointers instead of checking secp256k1_context_is_proper() here
200 because setting callbacks is allowed on *copies* of the static context:
201 it's harmless and makes testing easier. */
203 if (fun == NULL) {
205 }
206 ctx->illegal_callback.fn = fun;
207 ctx->illegal_callback.data = data;
208}
209
210void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
211 /* We compare pointers instead of checking secp256k1_context_is_proper() here
212 because setting callbacks is allowed on *copies* of the static context:
213 it's harmless and makes testing easier. */
215 if (fun == NULL) {
217 }
218 ctx->error_callback.fn = fun;
219 ctx->error_callback.data = data;
220}
221
223 VERIFY_CHECK(ctx != NULL);
224 return secp256k1_scratch_create(&ctx->error_callback, max_size);
225}
226
228 VERIFY_CHECK(ctx != NULL);
230}
231
232/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
233 * of the software.
234 */
235static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
237}
238
241
242 /* We require that the secp256k1_ge_storage type is exactly 64 bytes.
243 * This is formally not guaranteed by the C standard, but should hold on any
244 * sane compiler in the real world. */
245 STATIC_ASSERT(sizeof(secp256k1_ge_storage) == 64);
246 memcpy(&s, &pubkey->data[0], 64);
249 return 1;
250}
251
254
255 STATIC_ASSERT(sizeof(secp256k1_ge_storage) == 64);
258 memcpy(&pubkey->data[0], &s, 64);
259}
260
261int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
262 secp256k1_ge Q;
263
264 VERIFY_CHECK(ctx != NULL);
265 ARG_CHECK(pubkey != NULL);
266 memset(pubkey, 0, sizeof(*pubkey));
267 ARG_CHECK(input != NULL);
268 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
269 return 0;
270 }
272 return 0;
273 }
274 secp256k1_pubkey_save(pubkey, &Q);
276 return 1;
277}
278
279int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
280 secp256k1_ge Q;
281 size_t len;
282 int ret = 0;
283
284 VERIFY_CHECK(ctx != NULL);
285 ARG_CHECK(outputlen != NULL);
286 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
287 len = *outputlen;
288 *outputlen = 0;
289 ARG_CHECK(output != NULL);
290 memset(output, 0, len);
291 ARG_CHECK(pubkey != NULL);
293 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
295 if (ret) {
296 *outputlen = len;
297 }
298 }
299 return ret;
300}
301
303 unsigned char out[2][33];
304 const secp256k1_pubkey* pk[2];
305 int i;
306
307 VERIFY_CHECK(ctx != NULL);
308 pk[0] = pubkey0; pk[1] = pubkey1;
309 for (i = 0; i < 2; i++) {
310 size_t out_size = sizeof(out[i]);
311 /* If the public key is NULL or invalid, ec_pubkey_serialize will call
312 * the illegal_callback and return 0. In that case we will serialize the
313 * key as all zeros which is less than any valid public key. This
314 * results in consistent comparisons even if NULL or invalid pubkeys are
315 * involved and prevents edge cases such as sorting algorithms that use
316 * this function and do not terminate as a result. */
318 /* Note that ec_pubkey_serialize should already set the output to
319 * zero in that case, but it's not guaranteed by the API, we can't
320 * test it and writing a VERIFY_CHECK is more complex than
321 * explicitly memsetting (again). */
322 memset(out[i], 0, sizeof(out[i]));
323 }
324 }
325 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
326}
327
329 (void)ctx;
330 if (sizeof(secp256k1_scalar) == 32) {
331 /* When the secp256k1_scalar type is exactly 32 byte, use its
332 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
333 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
334 memcpy(r, &sig->data[0], 32);
335 memcpy(s, &sig->data[32], 32);
336 } else {
337 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
338 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
339 }
340}
341
343 if (sizeof(secp256k1_scalar) == 32) {
344 memcpy(&sig->data[0], r, 32);
345 memcpy(&sig->data[32], s, 32);
346 } else {
347 secp256k1_scalar_get_b32(&sig->data[0], r);
348 secp256k1_scalar_get_b32(&sig->data[32], s);
349 }
350}
351
352int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
353 secp256k1_scalar r, s;
354
355 VERIFY_CHECK(ctx != NULL);
356 ARG_CHECK(sig != NULL);
357 ARG_CHECK(input != NULL);
358
359 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
361 return 1;
362 } else {
363 memset(sig, 0, sizeof(*sig));
364 return 0;
365 }
366}
367
369 secp256k1_scalar r, s;
370 int ret = 1;
371 int overflow = 0;
372
373 VERIFY_CHECK(ctx != NULL);
374 ARG_CHECK(sig != NULL);
375 ARG_CHECK(input64 != NULL);
376
377 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
378 ret &= !overflow;
379 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
380 ret &= !overflow;
381 if (ret) {
383 } else {
384 memset(sig, 0, sizeof(*sig));
385 }
386 return ret;
387}
388
389int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
390 secp256k1_scalar r, s;
391
392 VERIFY_CHECK(ctx != NULL);
393 ARG_CHECK(output != NULL);
394 ARG_CHECK(outputlen != NULL);
395 ARG_CHECK(sig != NULL);
396
398 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
399}
400
402 secp256k1_scalar r, s;
403
404 VERIFY_CHECK(ctx != NULL);
405 ARG_CHECK(output64 != NULL);
406 ARG_CHECK(sig != NULL);
407
409 secp256k1_scalar_get_b32(&output64[0], &r);
410 secp256k1_scalar_get_b32(&output64[32], &s);
411 return 1;
412}
413
415 secp256k1_scalar r, s;
416 int ret = 0;
417
418 VERIFY_CHECK(ctx != NULL);
419 ARG_CHECK(sigin != NULL);
420
421 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
422 ret = secp256k1_scalar_is_high(&s);
423 if (sigout != NULL) {
424 if (ret) {
426 }
427 secp256k1_ecdsa_signature_save(sigout, &r, &s);
428 }
429
430 return ret;
431}
432
433int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
434 secp256k1_ge q;
435 secp256k1_scalar r, s;
437 VERIFY_CHECK(ctx != NULL);
438 ARG_CHECK(msghash32 != NULL);
439 ARG_CHECK(sig != NULL);
440 ARG_CHECK(pubkey != NULL);
441
442 secp256k1_scalar_set_b32(&m, msghash32, NULL);
444 return (!secp256k1_scalar_is_high(&s) &&
445 secp256k1_pubkey_load(ctx, &q, pubkey) &&
446 secp256k1_ecdsa_sig_verify(&r, &s, &q, &m));
447}
448
449static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
450 memcpy(buf + *offset, data, len);
451 *offset += len;
452}
453
454static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
455 unsigned char keydata[112];
456 unsigned int offset = 0;
458 unsigned int i;
460 unsigned char msgmod32[32];
461 secp256k1_scalar_set_b32(&msg, msg32, NULL);
462 secp256k1_scalar_get_b32(msgmod32, &msg);
463 /* We feed a byte array to the PRNG as input, consisting of:
464 * - the private key (32 bytes) and reduced message (32 bytes), see RFC 6979 3.2d.
465 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
466 * - optionally 16 extra bytes with the algorithm name.
467 * Because the arguments have distinct fixed lengths it is not possible for
468 * different argument mixtures to emulate each other and result in the same
469 * nonces.
470 */
471 buffer_append(keydata, &offset, key32, 32);
472 buffer_append(keydata, &offset, msgmod32, 32);
473 if (data != NULL) {
474 buffer_append(keydata, &offset, data, 32);
475 }
476 if (algo16 != NULL) {
477 buffer_append(keydata, &offset, algo16, 16);
478 }
479 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
480 memset(keydata, 0, sizeof(keydata));
481 for (i = 0; i <= counter; i++) {
483 }
485 return 1;
486}
487
490
491static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void* noncedata) {
492 secp256k1_scalar sec, non, msg;
493 int ret = 0;
494 int is_sec_valid;
495 unsigned char nonce32[32];
496 unsigned int count = 0;
497 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
500 if (recid) {
501 *recid = 0;
502 }
503 if (noncefp == NULL) {
505 }
506
507 /* Fail if the secret key is invalid. */
508 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
509 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
510 secp256k1_scalar_set_b32(&msg, msg32, NULL);
511 while (1) {
512 int is_nonce_valid;
513 ret = !!noncefp(nonce32, msg32, seckey, algo16, (void*)noncedata, count);
514 if (!ret) {
515 break;
516 }
517 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
518 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
519 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
520 if (is_nonce_valid) {
521 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
522 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
523 secp256k1_declassify(ctx, &ret, sizeof(ret));
524 if (ret) {
525 break;
526 }
527 }
528 count++;
529 }
530 /* We don't want to declassify is_sec_valid and therefore the range of
531 * seckey. As a result is_sec_valid is included in ret only after ret was
532 * used as a branching variable. */
533 ret &= is_sec_valid;
534 memset(nonce32, 0, 32);
540 if (recid) {
541 const int zero = 0;
542 secp256k1_int_cmov(recid, &zero, !ret);
543 }
544 return ret;
545}
546
547int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
548 secp256k1_scalar r, s;
549 int ret;
550 const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER ";
551 VERIFY_CHECK(ctx != NULL);
553 ARG_CHECK(msghash32 != NULL);
554 ARG_CHECK(signature != NULL);
555 ARG_CHECK(seckey != NULL);
556
557 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, secp256k1_ecdsa_der_algo16, noncedata);
558 secp256k1_ecdsa_signature_save(signature, &r, &s);
559 return ret;
560}
561
562int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
564 int ret;
565 VERIFY_CHECK(ctx != NULL);
566 ARG_CHECK(seckey != NULL);
567
568 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
570 return ret;
571}
572
573static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
574 secp256k1_gej pj;
575 int ret;
576
577 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
578 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
579
580 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
581 secp256k1_ge_set_gej(p, &pj);
582 return ret;
583}
584
585int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
586 secp256k1_ge p;
587 secp256k1_scalar seckey_scalar;
588 int ret = 0;
589 VERIFY_CHECK(ctx != NULL);
590 ARG_CHECK(pubkey != NULL);
591 memset(pubkey, 0, sizeof(*pubkey));
593 ARG_CHECK(seckey != NULL);
594
595 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
596 secp256k1_pubkey_save(pubkey, &p);
597 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
598
599 secp256k1_scalar_clear(&seckey_scalar);
600 return ret;
601}
602
603int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
605 int ret = 0;
606 VERIFY_CHECK(ctx != NULL);
607 ARG_CHECK(seckey != NULL);
608
609 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
611 secp256k1_scalar_negate(&sec, &sec);
612 secp256k1_scalar_get_b32(seckey, &sec);
613
615 return ret;
616}
617
618int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
619 return secp256k1_ec_seckey_negate(ctx, seckey);
620}
621
623 int ret = 0;
624 secp256k1_ge p;
625 VERIFY_CHECK(ctx != NULL);
626 ARG_CHECK(pubkey != NULL);
627
628 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
629 memset(pubkey, 0, sizeof(*pubkey));
630 if (ret) {
631 secp256k1_ge_neg(&p, &p);
632 secp256k1_pubkey_save(pubkey, &p);
633 }
634 return ret;
635}
636
637
638static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
639 secp256k1_scalar term;
640 int overflow = 0;
641 int ret = 0;
642
643 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
644 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
646 return ret;
647}
648
649int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
651 int ret = 0;
652 VERIFY_CHECK(ctx != NULL);
653 ARG_CHECK(seckey != NULL);
654 ARG_CHECK(tweak32 != NULL);
655
656 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
657 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
659 secp256k1_scalar_get_b32(seckey, &sec);
660
662 return ret;
663}
664
665int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
666 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
667}
668
669static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) {
670 secp256k1_scalar term;
671 int overflow = 0;
672 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
673 return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term);
674}
675
676int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
677 secp256k1_ge p;
678 int ret = 0;
679 VERIFY_CHECK(ctx != NULL);
680 ARG_CHECK(pubkey != NULL);
681 ARG_CHECK(tweak32 != NULL);
682
683 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
684 memset(pubkey, 0, sizeof(*pubkey));
685 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32);
686 if (ret) {
687 secp256k1_pubkey_save(pubkey, &p);
688 }
689
690 return ret;
691}
692
693int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
694 secp256k1_scalar factor;
696 int ret = 0;
697 int overflow = 0;
698 VERIFY_CHECK(ctx != NULL);
699 ARG_CHECK(seckey != NULL);
700 ARG_CHECK(tweak32 != NULL);
701
702 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
703 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
704 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
706 secp256k1_scalar_get_b32(seckey, &sec);
707
709 secp256k1_scalar_clear(&factor);
710 return ret;
711}
712
713int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
714 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
715}
716
717int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
718 secp256k1_ge p;
719 secp256k1_scalar factor;
720 int ret = 0;
721 int overflow = 0;
722 VERIFY_CHECK(ctx != NULL);
723 ARG_CHECK(pubkey != NULL);
724 ARG_CHECK(tweak32 != NULL);
725
726 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
727 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
728 memset(pubkey, 0, sizeof(*pubkey));
729 if (ret) {
730 if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) {
731 secp256k1_pubkey_save(pubkey, &p);
732 } else {
733 ret = 0;
734 }
735 }
736
737 return ret;
738}
739
740int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
741 VERIFY_CHECK(ctx != NULL);
743
746 }
747 return 1;
748}
749
750int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
751 size_t i;
752 secp256k1_gej Qj;
753 secp256k1_ge Q;
754
755 VERIFY_CHECK(ctx != NULL);
756 ARG_CHECK(pubnonce != NULL);
757 memset(pubnonce, 0, sizeof(*pubnonce));
758 ARG_CHECK(n >= 1);
759 ARG_CHECK(pubnonces != NULL);
760
762
763 for (i = 0; i < n; i++) {
764 ARG_CHECK(pubnonces[i] != NULL);
765 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
766 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
767 }
768 if (secp256k1_gej_is_infinity(&Qj)) {
769 return 0;
770 }
771 secp256k1_ge_set_gej(&Q, &Qj);
772 secp256k1_pubkey_save(pubnonce, &Q);
773 return 1;
774}
775
776int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
778 VERIFY_CHECK(ctx != NULL);
779 ARG_CHECK(hash32 != NULL);
780 ARG_CHECK(tag != NULL);
781 ARG_CHECK(msg != NULL);
782
783 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
784 secp256k1_sha256_write(&sha, msg, msglen);
785 secp256k1_sha256_finalize(&sha, hash32);
786 return 1;
787}
788
789#ifdef ENABLE_MODULE_ECDH
790# include "modules/ecdh/main_impl.h"
791#endif
792
793#ifdef ENABLE_MODULE_MULTISET
795#endif
796
797#ifdef ENABLE_MODULE_RECOVERY
799#endif
800
801#ifdef ENABLE_MODULE_SCHNORR
803#endif
804
805#ifdef ENABLE_MODULE_EXTRAKEYS
807#endif
808
809#ifdef ENABLE_MODULE_SCHNORRSIG
811#endif
812
813#ifdef ENABLE_MODULE_ELLSWIFT
815#endif
int flags
Definition: bitcoin-tx.cpp:546
#define SECP256K1_CHECKMEM_DEFINE(p, len)
Definition: checkmem.h:77
#define SECP256K1_CHECKMEM_RUNNING()
Definition: checkmem.h:79
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
#define secp256k1_fe_is_zero
Definition: field.h:85
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
secp256k1_context * ctx
Definition: bench_impl.h:13
SchnorrSig sig
Definition: processor.cpp:537
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:226
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:240
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:96
#define EXPECT(x, c)
Definition: util.h:132
static const secp256k1_callback default_error_callback
Definition: util.h:111
#define SECP256K1_INLINE
Definition: util.h:48
#define STATIC_ASSERT(expr)
Assert statically that expr is true.
Definition: util.h:58
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:91
#define VERIFY_CHECK(cond)
Definition: util.h:153
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:156
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:207
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:86
static const secp256k1_callback default_illegal_callback
Definition: util.h:106
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:665
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:618
const secp256k1_nonce_function secp256k1_nonce_function_default
Definition: secp256k1.c:489
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
Definition: secp256k1.c:488
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:776
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:676
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:279
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:389
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:638
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:693
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:261
const secp256k1_context * secp256k1_context_static
Definition: secp256k1.c:73
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void *noncedata)
Definition: secp256k1.c:491
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:562
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:649
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
#define ARG_CHECK(cond)
Definition: secp256k1.c:44
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:573
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:414
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:352
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:603
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:302
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:750
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:368
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:342
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:252
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:449
static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:669
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:454
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:740
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:433
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:401
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:585
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
static const secp256k1_context secp256k1_context_static_
Definition: secp256k1.c:67
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:717
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:328
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:547
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:622
#define ARG_CHECK_VOID(cond)
Definition: secp256k1.c:51
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:713
struct secp256k1_context_struct secp256k1_context
Unless explicitly stated all pointer arguments must not be NULL.
Definition: secp256k1.h:50
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:187
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:94
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:202
#define SECP256K1_FLAGS_TYPE_MASK
Definition: secp256k1.h:181
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:188
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:182
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:183
static int secp256k1_selftest_passes(void)
Definition: selftest.h:28
void(* fn)(const char *text, void *data)
Definition: util.h:82
const void * data
Definition: util.h:83
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_fe x
Definition: group.h:17
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
unsigned char data[64]
Definition: secp256k1.h:62
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static int count