Bitcoin ABC 0.32.6
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#define SECP256K1_BUILD
8
9#include "include/secp256k1.h"
10#include "include/secp256k1_preallocated.h"
11
12#include "assumptions.h"
13#include "util.h"
14#include "field_impl.h"
15#include "scalar_impl.h"
16#include "group_impl.h"
17#include "ecmult_impl.h"
18#include "ecmult_const_impl.h"
19#include "ecmult_gen_impl.h"
20#include "ecdsa_impl.h"
21#include "eckey_impl.h"
22#include "hash_impl.h"
23#include "scratch_impl.h"
24#include "selftest.h"
25
26#ifdef SECP256K1_NO_BUILD
27# error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c"
28#endif
29
30#if defined(VALGRIND)
31# include <valgrind/memcheck.h>
32#endif
33
34#define ARG_CHECK(cond) do { \
35 if (EXPECT(!(cond), 0)) { \
36 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
37 return 0; \
38 } \
39} while(0)
40
41#define ARG_CHECK_NO_RETURN(cond) do { \
42 if (EXPECT(!(cond), 0)) { \
43 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
44 } \
45} while(0)
46
47#ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
48#include <stdlib.h>
49#include <stdio.h>
50static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
51 (void)data;
52 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
53 abort();
54}
55static void secp256k1_default_error_callback_fn(const char* str, void* data) {
56 (void)data;
57 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
58 abort();
59}
60#else
61void secp256k1_default_illegal_callback_fn(const char* str, void* data);
62void secp256k1_default_error_callback_fn(const char* str, void* data);
63#endif
64
65static const secp256k1_callback default_illegal_callback = {
66 secp256k1_default_illegal_callback_fn,
67 NULL
68};
69
70static const secp256k1_callback default_error_callback = {
71 secp256k1_default_error_callback_fn,
72 NULL
73};
74
75struct secp256k1_context_struct {
76 secp256k1_ecmult_gen_context ecmult_gen_ctx;
77 secp256k1_callback illegal_callback;
78 secp256k1_callback error_callback;
79 int declassify;
80};
81
82static const secp256k1_context secp256k1_context_no_precomp_ = {
83 { 0 },
84 { secp256k1_default_illegal_callback_fn, 0 },
85 { secp256k1_default_error_callback_fn, 0 },
86 0
87};
88const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
89
90size_t secp256k1_context_preallocated_size(unsigned int flags) {
91 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
92 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
93 VERIFY_CHECK(ret != 0);
94
95 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
96 secp256k1_callback_call(&default_illegal_callback,
97 "Invalid flags");
98 return 0;
99 }
100
101 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
102 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
103 }
104 return ret;
105}
106
107size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
108 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
109 VERIFY_CHECK(ctx != NULL);
110 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
111 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
112 }
113 return ret;
114}
115
116secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
117 void* const base = prealloc;
118 size_t prealloc_size;
119 secp256k1_context* ret;
120
121 if (!secp256k1_selftest()) {
122 secp256k1_callback_call(&default_error_callback, "self test failed");
123 }
124
125 prealloc_size = secp256k1_context_preallocated_size(flags);
126 if (prealloc_size == 0) {
127 return NULL;
128 }
129 VERIFY_CHECK(prealloc != NULL);
130 ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
131 ret->illegal_callback = default_illegal_callback;
132 ret->error_callback = default_error_callback;
133
134 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
135
136 /* Flags have been checked by secp256k1_context_preallocated_size. */
137 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
138 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
139 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc);
140 }
141 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
142
143 return (secp256k1_context*) ret;
144}
145
146secp256k1_context* secp256k1_context_create(unsigned int flags) {
147 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
148 secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
149 if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
150 free(ctx);
151 return NULL;
152 }
153
154 return ctx;
155}
156
157secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
158 size_t prealloc_size;
159 secp256k1_context* ret;
160 VERIFY_CHECK(ctx != NULL);
161 ARG_CHECK(prealloc != NULL);
162
163 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
164 ret = (secp256k1_context*)prealloc;
165 memcpy(ret, ctx, prealloc_size);
166 secp256k1_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx);
167 return ret;
168}
169
170secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
171 secp256k1_context* ret;
172 size_t prealloc_size;
173
174 VERIFY_CHECK(ctx != NULL);
175 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
176 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
177 ret = secp256k1_context_preallocated_clone(ctx, ret);
178 return ret;
179}
180
181void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
182 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
183 if (ctx != NULL) {
184 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
185 }
186}
187
188void secp256k1_context_destroy(secp256k1_context* ctx) {
189 if (ctx != NULL) {
190 secp256k1_context_preallocated_destroy(ctx);
191 free(ctx);
192 }
193}
194
195void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
196 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
197 if (fun == NULL) {
198 fun = secp256k1_default_illegal_callback_fn;
199 }
200 ctx->illegal_callback.fn = fun;
201 ctx->illegal_callback.data = data;
202}
203
204void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
205 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
206 if (fun == NULL) {
207 fun = secp256k1_default_error_callback_fn;
208 }
209 ctx->error_callback.fn = fun;
210 ctx->error_callback.data = data;
211}
212
213secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
214 VERIFY_CHECK(ctx != NULL);
215 return secp256k1_scratch_create(&ctx->error_callback, max_size);
216}
217
218void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
219 VERIFY_CHECK(ctx != NULL);
220 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
221}
222
223/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
224 * of the software. This is setup for use with valgrind but could be substituted with
225 * the appropriate instrumentation for other analysis tools.
226 */
227static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
228#if defined(VALGRIND)
229 if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
230#else
231 (void)ctx;
232 (void)p;
233 (void)len;
234#endif
235}
236
237static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
238 if (sizeof(secp256k1_ge_storage) == 64) {
239 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
240 * representation inside secp256k1_pubkey, as conversion is very fast.
241 * Note that secp256k1_pubkey_save must use the same representation. */
242 secp256k1_ge_storage s;
243 memcpy(&s, &pubkey->data[0], sizeof(s));
244 secp256k1_ge_from_storage(ge, &s);
245 } else {
246 /* Otherwise, fall back to 32-byte big endian for X and Y. */
247 secp256k1_fe x, y;
248 secp256k1_fe_set_b32(&x, pubkey->data);
249 secp256k1_fe_set_b32(&y, pubkey->data + 32);
250 secp256k1_ge_set_xy(ge, &x, &y);
251 }
252 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
253 return 1;
254}
255
256static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
257 if (sizeof(secp256k1_ge_storage) == 64) {
258 secp256k1_ge_storage s;
259 secp256k1_ge_to_storage(&s, ge);
260 memcpy(&pubkey->data[0], &s, sizeof(s));
261 } else {
262 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
263 secp256k1_fe_normalize_var(&ge->x);
264 secp256k1_fe_normalize_var(&ge->y);
265 secp256k1_fe_get_b32(pubkey->data, &ge->x);
266 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
267 }
268}
269
270int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
271 secp256k1_ge Q;
272
273 VERIFY_CHECK(ctx != NULL);
274 ARG_CHECK(pubkey != NULL);
275 memset(pubkey, 0, sizeof(*pubkey));
276 ARG_CHECK(input != NULL);
277 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
278 return 0;
279 }
280 if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
281 return 0;
282 }
283 secp256k1_pubkey_save(pubkey, &Q);
284 secp256k1_ge_clear(&Q);
285 return 1;
286}
287
288int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
289 secp256k1_ge Q;
290 size_t len;
291 int ret = 0;
292
293 VERIFY_CHECK(ctx != NULL);
294 ARG_CHECK(outputlen != NULL);
295 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
296 len = *outputlen;
297 *outputlen = 0;
298 ARG_CHECK(output != NULL);
299 memset(output, 0, len);
300 ARG_CHECK(pubkey != NULL);
301 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
302 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
303 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
304 if (ret) {
305 *outputlen = len;
306 }
307 }
308 return ret;
309}
310
311int secp256k1_ec_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey0, const secp256k1_pubkey* pubkey1) {
312 unsigned char out[2][33];
313 const secp256k1_pubkey* pk[2];
314 int i;
315
316 VERIFY_CHECK(ctx != NULL);
317 pk[0] = pubkey0; pk[1] = pubkey1;
318 for (i = 0; i < 2; i++) {
319 size_t out_size = sizeof(out[i]);
320 /* If the public key is NULL or invalid, ec_pubkey_serialize will call
321 * the illegal_callback and return 0. In that case we will serialize the
322 * key as all zeros which is less than any valid public key. This
323 * results in consistent comparisons even if NULL or invalid pubkeys are
324 * involved and prevents edge cases such as sorting algorithms that use
325 * this function and do not terminate as a result. */
326 if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) {
327 /* Note that ec_pubkey_serialize should already set the output to
328 * zero in that case, but it's not guaranteed by the API, we can't
329 * test it and writing a VERIFY_CHECK is more complex than
330 * explicitly memsetting (again). */
331 memset(out[i], 0, sizeof(out[i]));
332 }
333 }
334 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
335}
336
337static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
338 (void)ctx;
339 if (sizeof(secp256k1_scalar) == 32) {
340 /* When the secp256k1_scalar type is exactly 32 byte, use its
341 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
342 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
343 memcpy(r, &sig->data[0], 32);
344 memcpy(s, &sig->data[32], 32);
345 } else {
346 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
347 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
348 }
349}
350
351static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
352 if (sizeof(secp256k1_scalar) == 32) {
353 memcpy(&sig->data[0], r, 32);
354 memcpy(&sig->data[32], s, 32);
355 } else {
356 secp256k1_scalar_get_b32(&sig->data[0], r);
357 secp256k1_scalar_get_b32(&sig->data[32], s);
358 }
359}
360
361int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
362 secp256k1_scalar r, s;
363
364 VERIFY_CHECK(ctx != NULL);
365 ARG_CHECK(sig != NULL);
366 ARG_CHECK(input != NULL);
367
368 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
369 secp256k1_ecdsa_signature_save(sig, &r, &s);
370 return 1;
371 } else {
372 memset(sig, 0, sizeof(*sig));
373 return 0;
374 }
375}
376
377int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
378 secp256k1_scalar r, s;
379 int ret = 1;
380 int overflow = 0;
381
382 VERIFY_CHECK(ctx != NULL);
383 ARG_CHECK(sig != NULL);
384 ARG_CHECK(input64 != NULL);
385
386 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
387 ret &= !overflow;
388 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
389 ret &= !overflow;
390 if (ret) {
391 secp256k1_ecdsa_signature_save(sig, &r, &s);
392 } else {
393 memset(sig, 0, sizeof(*sig));
394 }
395 return ret;
396}
397
398int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
399 secp256k1_scalar r, s;
400
401 VERIFY_CHECK(ctx != NULL);
402 ARG_CHECK(output != NULL);
403 ARG_CHECK(outputlen != NULL);
404 ARG_CHECK(sig != NULL);
405
406 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
407 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
408}
409
410int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
411 secp256k1_scalar r, s;
412
413 VERIFY_CHECK(ctx != NULL);
414 ARG_CHECK(output64 != NULL);
415 ARG_CHECK(sig != NULL);
416
417 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
418 secp256k1_scalar_get_b32(&output64[0], &r);
419 secp256k1_scalar_get_b32(&output64[32], &s);
420 return 1;
421}
422
423int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
424 secp256k1_scalar r, s;
425 int ret = 0;
426
427 VERIFY_CHECK(ctx != NULL);
428 ARG_CHECK(sigin != NULL);
429
430 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
431 ret = secp256k1_scalar_is_high(&s);
432 if (sigout != NULL) {
433 if (ret) {
434 secp256k1_scalar_negate(&s, &s);
435 }
436 secp256k1_ecdsa_signature_save(sigout, &r, &s);
437 }
438
439 return ret;
440}
441
442int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
443 secp256k1_ge q;
444 secp256k1_scalar r, s;
445 secp256k1_scalar m;
446 VERIFY_CHECK(ctx != NULL);
447 ARG_CHECK(msghash32 != NULL);
448 ARG_CHECK(sig != NULL);
449 ARG_CHECK(pubkey != NULL);
450
451 secp256k1_scalar_set_b32(&m, msghash32, NULL);
452 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
453 return (!secp256k1_scalar_is_high(&s) &&
454 secp256k1_pubkey_load(ctx, &q, pubkey) &&
455 secp256k1_ecdsa_sig_verify(&r, &s, &q, &m));
456}
457
458static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
459 memcpy(buf + *offset, data, len);
460 *offset += len;
461}
462
463static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
464 unsigned char keydata[112];
465 unsigned int offset = 0;
466 secp256k1_rfc6979_hmac_sha256 rng;
467 unsigned int i;
468 /* We feed a byte array to the PRNG as input, consisting of:
469 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
470 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
471 * - optionally 16 extra bytes with the algorithm name.
472 * Because the arguments have distinct fixed lengths it is not possible for
473 * different argument mixtures to emulate each other and result in the same
474 * nonces.
475 */
476 buffer_append(keydata, &offset, key32, 32);
477 buffer_append(keydata, &offset, msg32, 32);
478 if (data != NULL) {
479 buffer_append(keydata, &offset, data, 32);
480 }
481 if (algo16 != NULL) {
482 buffer_append(keydata, &offset, algo16, 16);
483 }
484 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
485 memset(keydata, 0, sizeof(keydata));
486 for (i = 0; i <= counter; i++) {
487 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
488 }
489 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
490 return 1;
491}
492
493const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
494const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
495
496static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void* noncedata) {
497 secp256k1_scalar sec, non, msg;
498 int ret = 0;
499 int is_sec_valid;
500 unsigned char nonce32[32];
501 unsigned int count = 0;
502 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
503 *r = secp256k1_scalar_zero;
504 *s = secp256k1_scalar_zero;
505 if (recid) {
506 *recid = 0;
507 }
508 if (noncefp == NULL) {
509 noncefp = secp256k1_nonce_function_default;
510 }
511
512 /* Fail if the secret key is invalid. */
513 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
514 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
515 secp256k1_scalar_set_b32(&msg, msg32, NULL);
516 while (1) {
517 int is_nonce_valid;
518 ret = !!noncefp(nonce32, msg32, seckey, algo16, (void*)noncedata, count);
519 if (!ret) {
520 break;
521 }
522 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
523 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
524 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
525 if (is_nonce_valid) {
526 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
527 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
528 secp256k1_declassify(ctx, &ret, sizeof(ret));
529 if (ret) {
530 break;
531 }
532 }
533 count++;
534 }
535 /* We don't want to declassify is_sec_valid and therefore the range of
536 * seckey. As a result is_sec_valid is included in ret only after ret was
537 * used as a branching variable. */
538 ret &= is_sec_valid;
539 memset(nonce32, 0, 32);
540 secp256k1_scalar_clear(&msg);
541 secp256k1_scalar_clear(&non);
542 secp256k1_scalar_clear(&sec);
543 secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
544 secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
545 if (recid) {
546 const int zero = 0;
547 secp256k1_int_cmov(recid, &zero, !ret);
548 }
549 return ret;
550}
551
552int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
553 secp256k1_scalar r, s;
554 int ret;
555 const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER ";
556 VERIFY_CHECK(ctx != NULL);
557 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
558 ARG_CHECK(msghash32 != NULL);
559 ARG_CHECK(signature != NULL);
560 ARG_CHECK(seckey != NULL);
561
562 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, secp256k1_ecdsa_der_algo16, noncedata);
563 secp256k1_ecdsa_signature_save(signature, &r, &s);
564 return ret;
565}
566
567int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
568 secp256k1_scalar sec;
569 int ret;
570 VERIFY_CHECK(ctx != NULL);
571 ARG_CHECK(seckey != NULL);
572
573 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
574 secp256k1_scalar_clear(&sec);
575 return ret;
576}
577
578static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
579 secp256k1_gej pj;
580 int ret;
581
582 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
583 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
584
585 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
586 secp256k1_ge_set_gej(p, &pj);
587 return ret;
588}
589
590int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
591 secp256k1_ge p;
592 secp256k1_scalar seckey_scalar;
593 int ret = 0;
594 VERIFY_CHECK(ctx != NULL);
595 ARG_CHECK(pubkey != NULL);
596 memset(pubkey, 0, sizeof(*pubkey));
597 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
598 ARG_CHECK(seckey != NULL);
599
600 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
601 secp256k1_pubkey_save(pubkey, &p);
602 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
603
604 secp256k1_scalar_clear(&seckey_scalar);
605 return ret;
606}
607
608int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
609 secp256k1_scalar sec;
610 int ret = 0;
611 VERIFY_CHECK(ctx != NULL);
612 ARG_CHECK(seckey != NULL);
613
614 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
615 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
616 secp256k1_scalar_negate(&sec, &sec);
617 secp256k1_scalar_get_b32(seckey, &sec);
618
619 secp256k1_scalar_clear(&sec);
620 return ret;
621}
622
623int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
624 return secp256k1_ec_seckey_negate(ctx, seckey);
625}
626
627int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
628 int ret = 0;
629 secp256k1_ge p;
630 VERIFY_CHECK(ctx != NULL);
631 ARG_CHECK(pubkey != NULL);
632
633 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
634 memset(pubkey, 0, sizeof(*pubkey));
635 if (ret) {
636 secp256k1_ge_neg(&p, &p);
637 secp256k1_pubkey_save(pubkey, &p);
638 }
639 return ret;
640}
641
642
643static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
644 secp256k1_scalar term;
645 int overflow = 0;
646 int ret = 0;
647
648 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
649 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
650 secp256k1_scalar_clear(&term);
651 return ret;
652}
653
654int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
655 secp256k1_scalar sec;
656 int ret = 0;
657 VERIFY_CHECK(ctx != NULL);
658 ARG_CHECK(seckey != NULL);
659 ARG_CHECK(tweak32 != NULL);
660
661 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
662 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
663 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
664 secp256k1_scalar_get_b32(seckey, &sec);
665
666 secp256k1_scalar_clear(&sec);
667 return ret;
668}
669
670int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
671 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
672}
673
674static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) {
675 secp256k1_scalar term;
676 int overflow = 0;
677 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
678 return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term);
679}
680
681int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
682 secp256k1_ge p;
683 int ret = 0;
684 VERIFY_CHECK(ctx != NULL);
685 ARG_CHECK(pubkey != NULL);
686 ARG_CHECK(tweak32 != NULL);
687
688 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
689 memset(pubkey, 0, sizeof(*pubkey));
690 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32);
691 if (ret) {
692 secp256k1_pubkey_save(pubkey, &p);
693 }
694
695 return ret;
696}
697
698int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
699 secp256k1_scalar factor;
700 secp256k1_scalar sec;
701 int ret = 0;
702 int overflow = 0;
703 VERIFY_CHECK(ctx != NULL);
704 ARG_CHECK(seckey != NULL);
705 ARG_CHECK(tweak32 != NULL);
706
707 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
708 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
709 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
710 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
711 secp256k1_scalar_get_b32(seckey, &sec);
712
713 secp256k1_scalar_clear(&sec);
714 secp256k1_scalar_clear(&factor);
715 return ret;
716}
717
718int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
719 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
720}
721
722int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
723 secp256k1_ge p;
724 secp256k1_scalar factor;
725 int ret = 0;
726 int overflow = 0;
727 VERIFY_CHECK(ctx != NULL);
728 ARG_CHECK(pubkey != NULL);
729 ARG_CHECK(tweak32 != NULL);
730
731 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
732 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
733 memset(pubkey, 0, sizeof(*pubkey));
734 if (ret) {
735 if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) {
736 secp256k1_pubkey_save(pubkey, &p);
737 } else {
738 ret = 0;
739 }
740 }
741
742 return ret;
743}
744
745int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
746 VERIFY_CHECK(ctx != NULL);
747 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
748 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
749 }
750 return 1;
751}
752
753int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
754 size_t i;
755 secp256k1_gej Qj;
756 secp256k1_ge Q;
757
758 VERIFY_CHECK(ctx != NULL);
759 ARG_CHECK(pubnonce != NULL);
760 memset(pubnonce, 0, sizeof(*pubnonce));
761 ARG_CHECK(n >= 1);
762 ARG_CHECK(pubnonces != NULL);
763
764 secp256k1_gej_set_infinity(&Qj);
765
766 for (i = 0; i < n; i++) {
767 ARG_CHECK(pubnonces[i] != NULL);
768 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
769 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
770 }
771 if (secp256k1_gej_is_infinity(&Qj)) {
772 return 0;
773 }
774 secp256k1_ge_set_gej(&Q, &Qj);
775 secp256k1_pubkey_save(pubnonce, &Q);
776 return 1;
777}
778
779int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
780 secp256k1_sha256 sha;
781 VERIFY_CHECK(ctx != NULL);
782 ARG_CHECK(hash32 != NULL);
783 ARG_CHECK(tag != NULL);
784 ARG_CHECK(msg != NULL);
785
786 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
787 secp256k1_sha256_write(&sha, msg, msglen);
788 secp256k1_sha256_finalize(&sha, hash32);
789 return 1;
790}
791
792#ifdef ENABLE_MODULE_ECDH
793# include "modules/ecdh/main_impl.h"
794#endif
795
796#ifdef ENABLE_MODULE_MULTISET
797# include "modules/multiset/main_impl.h"
798#endif
799
800#ifdef ENABLE_MODULE_RECOVERY
801# include "modules/recovery/main_impl.h"
802#endif
803
804#ifdef ENABLE_MODULE_SCHNORR
805# include "modules/schnorr/main_impl.h"
806#endif
807
808#ifdef ENABLE_MODULE_EXTRAKEYS
809# include "modules/extrakeys/main_impl.h"
810#endif
811
812#ifdef ENABLE_MODULE_SCHNORRSIG
813# include "modules/schnorrsig/main_impl.h"
814#endif
ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12
flags
int flags
Definition: bitcoin-tx.cpp:542
main_impl.h
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_impl.h
secp256k1_eckey_privkey_tweak_add
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
secp256k1_eckey_pubkey_tweak_mul
static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_eckey_pubkey_tweak_add
static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_eckey_privkey_tweak_mul
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
eckey_impl.h
ecmult_const_impl.h
secp256k1_ecmult_gen_context_clear
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_ecmult_gen_context_init
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
secp256k1_ecmult_gen_context_finalize_memcpy
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
ecmult_gen_impl.h
SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult_gen_impl.h:20
ecmult_impl.h
main_impl.h
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
field_impl.h
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_is_in_correct_subgroup
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
group_impl.h
hash_impl.h
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
main_impl.h
sig
SchnorrSig sig
Definition: processor.cpp:523
main_impl.h
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
scalar_impl.h
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
main_impl.h
main_impl.h
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
scratch_impl.h
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:226
manual_alloc
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
Definition: util.h:134
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:240
EXPECT
#define EXPECT(x, c)
Definition: util.h:43
ROUND_TO_ALIGN
#define ROUND_TO_ALIGN(size)
Definition: util.h:116
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:207
secp256k1_callback_call
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
secp256k1_ec_privkey_tweak_add
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:670
secp256k1_ec_privkey_negate
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:623
secp256k1_nonce_function_default
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:494
secp256k1_context_preallocated_clone
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:157
secp256k1_nonce_function_rfc6979
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:493
secp256k1_tagged_sha256
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:779
secp256k1_ec_pubkey_tweak_add
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:681
secp256k1_ec_pubkey_serialize
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:288
secp256k1_ecdsa_signature_serialize_der
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:398
secp256k1_ec_seckey_tweak_add_helper
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:643
secp256k1_ec_seckey_tweak_mul
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:698
secp256k1_ec_pubkey_parse
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:270
secp256k1_context_preallocated_clone_size
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:107
secp256k1_ecdsa_sign_inner
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void *noncedata)
Definition: secp256k1.c:496
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:55
secp256k1_ec_seckey_verify
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:567
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:88
secp256k1_ec_seckey_tweak_add
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:654
secp256k1_context_preallocated_destroy
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:181
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:34
secp256k1_ec_pubkey_create_helper
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:578
secp256k1_ecdsa_signature_normalize
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:423
secp256k1_context_set_error_callback
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:204
default_error_callback
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:70
secp256k1_ecdsa_signature_parse_der
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:361
secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:227
secp256k1_context_create
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:146
secp256k1_ec_seckey_negate
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:608
secp256k1_ec_pubkey_cmp
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:311
secp256k1_ec_pubkey_combine
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:753
secp256k1_ecdsa_signature_parse_compact
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:377
secp256k1_context_set_illegal_callback
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:195
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:351
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:237
secp256k1_context_preallocated_size
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:90
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:256
buffer_append
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:458
secp256k1_ec_pubkey_tweak_add_helper
static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:674
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:50
ARG_CHECK_NO_RETURN
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:41
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:463
secp256k1_context_no_precomp_
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:82
secp256k1_context_randomize
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:745
secp256k1_scratch_space_create
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:213
secp256k1_ecdsa_verify
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:442
secp256k1_ecdsa_signature_serialize_compact
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:410
secp256k1_ec_pubkey_create
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:590
secp256k1_context_destroy
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:188
secp256k1_context_clone
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:170
secp256k1_scratch_space_destroy
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:218
secp256k1_ec_pubkey_tweak_mul
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:722
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:337
secp256k1_context_preallocated_create
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:116
secp256k1_ecdsa_sign
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:552
default_illegal_callback
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:65
secp256k1_ec_pubkey_negate
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:627
secp256k1_ec_privkey_tweak_mul
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:718
SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:179
secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:103
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:190
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:127
SECP256K1_FLAGS_TYPE_MASK
#define SECP256K1_FLAGS_TYPE_MASK
All flags' lower 8 bits indicate what they're for.
Definition: secp256k1.h:173
SECP256K1_FLAGS_BIT_CONTEXT_SIGN
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:178
SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:180
SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:174
SECP256K1_FLAGS_TYPE_COMPRESSION
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:175
secp256k1_preallocated.h
secp256k1_selftest
static int secp256k1_selftest(void)
Definition: selftest.h:28
secp256k1_callback
Definition: util.h:19
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:20
secp256k1_callback::data
const void * data
Definition: util.h:21
secp256k1_context_struct
Definition: secp256k1.c:75
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:77
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:79
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:78
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:76
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:20
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge_storage
Definition: group.h:33
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:14
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:15
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:71
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_sha256
Definition: hash.h:13
count
static int count
Definition: tests.c:31
Generated on Tue Jan 13 2026 23:28:52 for Bitcoin ABC by doxygen 1.9.4