doc/dev/schnorr__impl_8h_source.html

/***********************************************************************

 * Copyright (c) 2017 Amaury SÉCHET                                    *

 * Distributed under the MIT software license, see the accompanying    *

 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*

 ***********************************************************************/


#ifndef SECP256K1_MODULE_SCHNORR_IMPL_H

#define SECP256K1_MODULE_SCHNORR_IMPL_H


#include <string.h>


#include "schnorr.h"

#include "field.h"

#include "group.h"

#include "hash.h"

#include "ecmult.h"

#include "ecmult_gen.h"


static int secp256k1_schnorr_sig_verify(

    const secp256k1_ecmult_context* ctx,

    const unsigned char *sig64,

    secp256k1_ge *pubkey,

    const unsigned char *msg32

) {

    secp256k1_gej Pj, Rj;

    secp256k1_fe Rx;

    secp256k1_scalar e, s;

    int overflow;


    VERIFY_CHECK(!secp256k1_ge_is_infinity(pubkey));


    /* Extract s */

    overflow = 0;

    secp256k1_scalar_set_b32(&s, sig64 + 32, &overflow);

    if (overflow) {

        return 0;

    }


    /* Extract R.x */

    if (!secp256k1_fe_set_b32(&Rx, sig64)) {

        return 0;

    }


    /* Compute e */

    secp256k1_schnorr_compute_e(&e, sig64, pubkey, msg32);


    /* Verify the signature */

    secp256k1_scalar_negate(&e, &e);

    secp256k1_gej_set_ge(&Pj, pubkey);

    secp256k1_ecmult(ctx, &Rj, &Pj, &e, &s);

    if (secp256k1_gej_is_infinity(&Rj)) {

        return 0;

    }


    /* Check that R.x is what we expect */

    if (!secp256k1_gej_eq_x_var(&Rx, &Rj)) {

        return 0;

    }


    /* Check that jacobi(R.y) is 1 */

    if (!secp256k1_gej_has_quad_y_var(&Rj)) {

        return 0;

    }


    /* All good, we have a valid signature. */

    return 1;

}


static int secp256k1_schnorr_compute_e(

    secp256k1_scalar* e,

    const unsigned char *r,

    secp256k1_ge *p,

    const unsigned char *msg32

) {

    int overflow = 0;

    size_t size = 0;

    secp256k1_sha256 sha;

    unsigned char buf[33];

    secp256k1_sha256_initialize(&sha);


    /* R.x */

    secp256k1_sha256_write(&sha, r, 32);


    /* compressed P */

    secp256k1_eckey_pubkey_serialize(p, buf, &size, 1);

    VERIFY_CHECK(size == 33);

    secp256k1_sha256_write(&sha, buf, 33);


    /* msg */

    secp256k1_sha256_write(&sha, msg32, 32);


    /* compute e */

    secp256k1_sha256_finalize(&sha, buf);

    secp256k1_scalar_set_b32(e, buf, &overflow);

    return !overflow & !secp256k1_scalar_is_zero(e);

}


static int secp256k1_schnorr_sig_sign(

    const secp256k1_context* ctx,

    unsigned char *sig64,

    const unsigned char *msg32,

    const secp256k1_scalar *privkey,

    secp256k1_ge *pubkey,

    secp256k1_nonce_function noncefp,

    const void *ndata

) {

    secp256k1_ge R;

    secp256k1_gej Rj;

    secp256k1_scalar k, e, s;

    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));


    VERIFY_CHECK(!secp256k1_scalar_is_zero(privkey));

    VERIFY_CHECK(!secp256k1_ge_is_infinity(pubkey));


    if (!secp256k1_schnorr_sig_generate_k(ctx, &k, msg32, privkey, noncefp, ndata)) {

        return 0;

    }


    /* Compute R */

    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Rj, &k);

    secp256k1_ge_set_gej(&R, &Rj);


    /*

     * We declassify R to allow using it as a branch point.

     * This is fine because R is not a secret.

     */

    secp256k1_declassify(ctx, &R, sizeof(R));

    secp256k1_scalar_cond_negate(&k, !secp256k1_fe_is_quad_var(&R.y));


    /* Compute the signature. */

    secp256k1_fe_normalize(&R.x);

    secp256k1_fe_get_b32(sig64, &R.x);

    secp256k1_schnorr_compute_e(&e, sig64, pubkey, msg32);

    secp256k1_scalar_mul(&s, &e, privkey);

    secp256k1_scalar_add(&s, &s, &k);

    secp256k1_scalar_get_b32(sig64 + 32, &s);


    /* Cleanup locals that may contain private data. */

    secp256k1_scalar_clear(&k);

    return 1;

}


static int secp256k1_schnorr_sig_generate_k(

    const secp256k1_context* ctx,

    secp256k1_scalar *k,

    const unsigned char *msg32,

    const secp256k1_scalar *privkey,

    secp256k1_nonce_function noncefp,

    const void *ndata

) {

    int ret = 0;

    unsigned int count = 0;

    unsigned char nonce32[32], seckey[32];


    /* Seed used to make sure we generate different values of k for schnorr */

    const unsigned char secp256k1_schnorr_algo16[17] = "Schnorr+SHA256  ";


    if (noncefp == NULL) {

        noncefp = secp256k1_nonce_function_default;

    }


    secp256k1_scalar_get_b32(seckey, privkey);

    while (1) {

        int overflow;

        ret = noncefp(nonce32, msg32, seckey, secp256k1_schnorr_algo16, (void*)ndata, count++);

        if (!ret) {

            break;

        }


        secp256k1_scalar_set_b32(k, nonce32, &overflow);

        overflow |= secp256k1_scalar_is_zero(k);

        /* The nonce is still secret here, but it overflowing or being zero is is less likely than 1:2^255. */

        secp256k1_declassify(ctx, &overflow, sizeof(overflow));

        if (!overflow) {

            break;

        }


        secp256k1_scalar_clear(k);

    }


    /* Cleanup locals that may contain private data. */

    memset(seckey, 0, 32);

    memset(nonce32, 0, 32);

    return ret;

}


#endif

ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12

secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)

ecmult.h

secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.

ecmult_gen.h

secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.

secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)

field.h

secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.

secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.

secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.

secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.

group.h

secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.

secp256k1_gej_eq_x_var
static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a)
Compare the X coordinate of a group element (jacobian).

secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.

secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.

secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.

secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.

secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.

secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.

secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.

secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.

secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).

secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).

secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).

secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.

schnorr.h

secp256k1_schnorr_sig_verify
static int secp256k1_schnorr_sig_verify(const secp256k1_ecmult_context *ctx, const unsigned char *sig64, secp256k1_ge *pubkey, const unsigned char *msg32)
Custom Schnorr-based signature scheme.
Definition: schnorr_impl.h:51

secp256k1_schnorr_compute_e
static int secp256k1_schnorr_compute_e(secp256k1_scalar *e, const unsigned char *r, secp256k1_ge *p, const unsigned char *msg32)
Definition: schnorr_impl.h:101

secp256k1_schnorr_sig_sign
static int secp256k1_schnorr_sig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_scalar *privkey, secp256k1_ge *pubkey, secp256k1_nonce_function noncefp, const void *ndata)
Definition: schnorr_impl.h:130

secp256k1_schnorr_sig_generate_k
static int secp256k1_schnorr_sig_generate_k(const secp256k1_context *ctx, secp256k1_scalar *k, const unsigned char *msg32, const secp256k1_scalar *privkey, secp256k1_nonce_function noncefp, const void *ndata)
Definition: schnorr_impl.h:176

secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)

secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)

secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)

VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68

ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:28

secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235

secp256k1_nonce_function_default
SECP256K1_API const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:503

secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:103

string.h

secp256k1_context_struct
Definition: secp256k1.c:69

secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71

secp256k1_ecmult_context
Definition: ecmult.h:14

secp256k1_fe
Definition: field_10x26.h:12

secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13

secp256k1_ge::x
secp256k1_fe x
Definition: group.h:14

secp256k1_ge::y
secp256k1_fe y
Definition: group.h:15

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_sha256
Definition: hash.h:13

count
static int count
Definition: tests.c:31