Bitcoin ABC 0.30.7
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include "include/secp256k1.h"
9
10#include "assumptions.h"
11#include "util.h"
12#include "field_impl.h"
13#include "scalar_impl.h"
14#include "group_impl.h"
15#include "ecmult_impl.h"
16#include "ecmult_const_impl.h"
17#include "ecmult_gen_impl.h"
18#include "ecdsa_impl.h"
19#include "eckey_impl.h"
20#include "hash_impl.h"
21#include "scratch_impl.h"
22#include "selftest.h"
23
24#if defined(VALGRIND)
25# include <valgrind/memcheck.h>
26#endif
27
28#define ARG_CHECK(cond) do { \
29 if (EXPECT(!(cond), 0)) { \
30 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
31 return 0; \
32 } \
33} while(0)
34
35#define ARG_CHECK_NO_RETURN(cond) do { \
36 if (EXPECT(!(cond), 0)) { \
37 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
38 } \
39} while(0)
40
41#ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
42#include <stdlib.h>
43#include <stdio.h>
44static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
45 (void)data;
46 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
47 abort();
48}
49static void secp256k1_default_error_callback_fn(const char* str, void* data) {
50 (void)data;
51 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
52 abort();
53}
54#else
55void secp256k1_default_illegal_callback_fn(const char* str, void* data);
56void secp256k1_default_error_callback_fn(const char* str, void* data);
57#endif
58
61 NULL
62};
63
66 NULL
67};
68
75};
76
78 { 0 },
79 { 0 },
82 0
83};
85
87 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
88 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
89 VERIFY_CHECK(ret != 0);
90
93 "Invalid flags");
94 return 0;
95 }
96
99 }
102 }
103 return ret;
104}
105
107 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
108 VERIFY_CHECK(ctx != NULL);
111 }
114 }
115 return ret;
116}
117
119 void* const base = prealloc;
120 size_t prealloc_size;
122
123 if (!secp256k1_selftest()) {
125 }
126
128 if (prealloc_size == 0) {
129 return NULL;
130 }
131 VERIFY_CHECK(prealloc != NULL);
132 ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
135
138
139 /* Flags have been checked by secp256k1_context_preallocated_size. */
143 }
146 }
148
149 return (secp256k1_context*) ret;
150}
151
153 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
156 free(ctx);
157 return NULL;
158 }
159
160 return ctx;
161}
162
164 size_t prealloc_size;
166 VERIFY_CHECK(ctx != NULL);
167 ARG_CHECK(prealloc != NULL);
168
170 ret = (secp256k1_context*)prealloc;
171 memcpy(ret, ctx, prealloc_size);
174 return ret;
175}
176
179 size_t prealloc_size;
180
181 VERIFY_CHECK(ctx != NULL);
183 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
185 return ret;
186}
187
190 if (ctx != NULL) {
193 }
194}
195
197 if (ctx != NULL) {
199 free(ctx);
200 }
201}
202
203void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
205 if (fun == NULL) {
207 }
208 ctx->illegal_callback.fn = fun;
209 ctx->illegal_callback.data = data;
210}
211
212void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
214 if (fun == NULL) {
216 }
217 ctx->error_callback.fn = fun;
218 ctx->error_callback.data = data;
219}
220
222 VERIFY_CHECK(ctx != NULL);
223 return secp256k1_scratch_create(&ctx->error_callback, max_size);
224}
225
227 VERIFY_CHECK(ctx != NULL);
229}
230
231/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
232 * of the software. This is setup for use with valgrind but could be substituted with
233 * the appropriate instrumentation for other analysis tools.
234 */
235static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
236#if defined(VALGRIND)
237 if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
238#else
239 (void)ctx;
240 (void)p;
241 (void)len;
242#endif
243}
244
246 if (sizeof(secp256k1_ge_storage) == 64) {
247 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
248 * representation inside secp256k1_pubkey, as conversion is very fast.
249 * Note that secp256k1_pubkey_save must use the same representation. */
251 memcpy(&s, &pubkey->data[0], sizeof(s));
253 } else {
254 /* Otherwise, fall back to 32-byte big endian for X and Y. */
255 secp256k1_fe x, y;
256 secp256k1_fe_set_b32(&x, pubkey->data);
257 secp256k1_fe_set_b32(&y, pubkey->data + 32);
258 secp256k1_ge_set_xy(ge, &x, &y);
259 }
261 return 1;
262}
263
265 if (sizeof(secp256k1_ge_storage) == 64) {
268 memcpy(&pubkey->data[0], &s, sizeof(s));
269 } else {
273 secp256k1_fe_get_b32(pubkey->data, &ge->x);
274 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
275 }
276}
277
278int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
279 secp256k1_ge Q;
280
281 VERIFY_CHECK(ctx != NULL);
282 ARG_CHECK(pubkey != NULL);
283 memset(pubkey, 0, sizeof(*pubkey));
284 ARG_CHECK(input != NULL);
285 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
286 return 0;
287 }
289 return 0;
290 }
291 secp256k1_pubkey_save(pubkey, &Q);
293 return 1;
294}
295
296int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
297 secp256k1_ge Q;
298 size_t len;
299 int ret = 0;
300
301 VERIFY_CHECK(ctx != NULL);
302 ARG_CHECK(outputlen != NULL);
303 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
304 len = *outputlen;
305 *outputlen = 0;
306 ARG_CHECK(output != NULL);
307 memset(output, 0, len);
308 ARG_CHECK(pubkey != NULL);
310 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
312 if (ret) {
313 *outputlen = len;
314 }
315 }
316 return ret;
317}
318
320 unsigned char out[2][33];
321 const secp256k1_pubkey* pk[2];
322 int i;
323
324 VERIFY_CHECK(ctx != NULL);
325 pk[0] = pubkey0; pk[1] = pubkey1;
326 for (i = 0; i < 2; i++) {
327 size_t out_size = sizeof(out[i]);
328 /* If the public key is NULL or invalid, ec_pubkey_serialize will call
329 * the illegal_callback and return 0. In that case we will serialize the
330 * key as all zeros which is less than any valid public key. This
331 * results in consistent comparisons even if NULL or invalid pubkeys are
332 * involved and prevents edge cases such as sorting algorithms that use
333 * this function and do not terminate as a result. */
334 if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) {
335 /* Note that ec_pubkey_serialize should already set the output to
336 * zero in that case, but it's not guaranteed by the API, we can't
337 * test it and writing a VERIFY_CHECK is more complex than
338 * explicitly memsetting (again). */
339 memset(out[i], 0, sizeof(out[i]));
340 }
341 }
342 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
343}
344
346 (void)ctx;
347 if (sizeof(secp256k1_scalar) == 32) {
348 /* When the secp256k1_scalar type is exactly 32 byte, use its
349 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
350 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
351 memcpy(r, &sig->data[0], 32);
352 memcpy(s, &sig->data[32], 32);
353 } else {
354 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
355 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
356 }
357}
358
360 if (sizeof(secp256k1_scalar) == 32) {
361 memcpy(&sig->data[0], r, 32);
362 memcpy(&sig->data[32], s, 32);
363 } else {
364 secp256k1_scalar_get_b32(&sig->data[0], r);
365 secp256k1_scalar_get_b32(&sig->data[32], s);
366 }
367}
368
369int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
370 secp256k1_scalar r, s;
371
372 VERIFY_CHECK(ctx != NULL);
373 ARG_CHECK(sig != NULL);
374 ARG_CHECK(input != NULL);
375
376 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
378 return 1;
379 } else {
380 memset(sig, 0, sizeof(*sig));
381 return 0;
382 }
383}
384
386 secp256k1_scalar r, s;
387 int ret = 1;
388 int overflow = 0;
389
390 VERIFY_CHECK(ctx != NULL);
391 ARG_CHECK(sig != NULL);
392 ARG_CHECK(input64 != NULL);
393
394 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
395 ret &= !overflow;
396 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
397 ret &= !overflow;
398 if (ret) {
400 } else {
401 memset(sig, 0, sizeof(*sig));
402 }
403 return ret;
404}
405
406int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
407 secp256k1_scalar r, s;
408
409 VERIFY_CHECK(ctx != NULL);
410 ARG_CHECK(output != NULL);
411 ARG_CHECK(outputlen != NULL);
412 ARG_CHECK(sig != NULL);
413
415 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
416}
417
419 secp256k1_scalar r, s;
420
421 VERIFY_CHECK(ctx != NULL);
422 ARG_CHECK(output64 != NULL);
423 ARG_CHECK(sig != NULL);
424
426 secp256k1_scalar_get_b32(&output64[0], &r);
427 secp256k1_scalar_get_b32(&output64[32], &s);
428 return 1;
429}
430
432 secp256k1_scalar r, s;
433 int ret = 0;
434
435 VERIFY_CHECK(ctx != NULL);
436 ARG_CHECK(sigin != NULL);
437
438 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
439 ret = secp256k1_scalar_is_high(&s);
440 if (sigout != NULL) {
441 if (ret) {
443 }
444 secp256k1_ecdsa_signature_save(sigout, &r, &s);
445 }
446
447 return ret;
448}
449
450int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
451 secp256k1_ge q;
452 secp256k1_scalar r, s;
454 VERIFY_CHECK(ctx != NULL);
456 ARG_CHECK(msghash32 != NULL);
457 ARG_CHECK(sig != NULL);
458 ARG_CHECK(pubkey != NULL);
459
460 secp256k1_scalar_set_b32(&m, msghash32, NULL);
462 return (!secp256k1_scalar_is_high(&s) &&
463 secp256k1_pubkey_load(ctx, &q, pubkey) &&
464 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
465}
466
467static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
468 memcpy(buf + *offset, data, len);
469 *offset += len;
470}
471
472static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
473 unsigned char keydata[112];
474 unsigned int offset = 0;
476 unsigned int i;
477 /* We feed a byte array to the PRNG as input, consisting of:
478 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
479 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
480 * - optionally 16 extra bytes with the algorithm name.
481 * Because the arguments have distinct fixed lengths it is not possible for
482 * different argument mixtures to emulate each other and result in the same
483 * nonces.
484 */
485 buffer_append(keydata, &offset, key32, 32);
486 buffer_append(keydata, &offset, msg32, 32);
487 if (data != NULL) {
488 buffer_append(keydata, &offset, data, 32);
489 }
490 if (algo16 != NULL) {
491 buffer_append(keydata, &offset, algo16, 16);
492 }
493 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
494 memset(keydata, 0, sizeof(keydata));
495 for (i = 0; i <= counter; i++) {
497 }
499 return 1;
500}
501
504
505static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void* noncedata) {
506 secp256k1_scalar sec, non, msg;
507 int ret = 0;
508 int is_sec_valid;
509 unsigned char nonce32[32];
510 unsigned int count = 0;
511 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
514 if (recid) {
515 *recid = 0;
516 }
517 if (noncefp == NULL) {
519 }
520
521 /* Fail if the secret key is invalid. */
522 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
523 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
524 secp256k1_scalar_set_b32(&msg, msg32, NULL);
525 while (1) {
526 int is_nonce_valid;
527 ret = !!noncefp(nonce32, msg32, seckey, algo16, (void*)noncedata, count);
528 if (!ret) {
529 break;
530 }
531 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
532 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
533 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
534 if (is_nonce_valid) {
535 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
536 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
537 secp256k1_declassify(ctx, &ret, sizeof(ret));
538 if (ret) {
539 break;
540 }
541 }
542 count++;
543 }
544 /* We don't want to declassify is_sec_valid and therefore the range of
545 * seckey. As a result is_sec_valid is included in ret only after ret was
546 * used as a branching variable. */
547 ret &= is_sec_valid;
548 memset(nonce32, 0, 32);
554 if (recid) {
555 const int zero = 0;
556 secp256k1_int_cmov(recid, &zero, !ret);
557 }
558 return ret;
559}
560
561int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
562 secp256k1_scalar r, s;
563 int ret;
564 const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER ";
565 VERIFY_CHECK(ctx != NULL);
567 ARG_CHECK(msghash32 != NULL);
568 ARG_CHECK(signature != NULL);
569 ARG_CHECK(seckey != NULL);
570
571 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, secp256k1_ecdsa_der_algo16, noncedata);
572 secp256k1_ecdsa_signature_save(signature, &r, &s);
573 return ret;
574}
575
576int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
578 int ret;
579 VERIFY_CHECK(ctx != NULL);
580 ARG_CHECK(seckey != NULL);
581
582 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
584 return ret;
585}
586
587static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
588 secp256k1_gej pj;
589 int ret;
590
591 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
592 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
593
594 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
595 secp256k1_ge_set_gej(p, &pj);
596 return ret;
597}
598
599int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
600 secp256k1_ge p;
601 secp256k1_scalar seckey_scalar;
602 int ret = 0;
603 VERIFY_CHECK(ctx != NULL);
604 ARG_CHECK(pubkey != NULL);
605 memset(pubkey, 0, sizeof(*pubkey));
607 ARG_CHECK(seckey != NULL);
608
609 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
610 secp256k1_pubkey_save(pubkey, &p);
611 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
612
613 secp256k1_scalar_clear(&seckey_scalar);
614 return ret;
615}
616
617int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
619 int ret = 0;
620 VERIFY_CHECK(ctx != NULL);
621 ARG_CHECK(seckey != NULL);
622
623 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
625 secp256k1_scalar_negate(&sec, &sec);
626 secp256k1_scalar_get_b32(seckey, &sec);
627
629 return ret;
630}
631
632int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
633 return secp256k1_ec_seckey_negate(ctx, seckey);
634}
635
637 int ret = 0;
638 secp256k1_ge p;
639 VERIFY_CHECK(ctx != NULL);
640 ARG_CHECK(pubkey != NULL);
641
642 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
643 memset(pubkey, 0, sizeof(*pubkey));
644 if (ret) {
645 secp256k1_ge_neg(&p, &p);
646 secp256k1_pubkey_save(pubkey, &p);
647 }
648 return ret;
649}
650
651
652static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
653 secp256k1_scalar term;
654 int overflow = 0;
655 int ret = 0;
656
657 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
658 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
660 return ret;
661}
662
663int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
665 int ret = 0;
666 VERIFY_CHECK(ctx != NULL);
667 ARG_CHECK(seckey != NULL);
668 ARG_CHECK(tweak32 != NULL);
669
670 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
671 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
673 secp256k1_scalar_get_b32(seckey, &sec);
674
676 return ret;
677}
678
679int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
680 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
681}
682
683static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32) {
684 secp256k1_scalar term;
685 int overflow = 0;
686 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
687 return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
688}
689
690int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
691 secp256k1_ge p;
692 int ret = 0;
693 VERIFY_CHECK(ctx != NULL);
695 ARG_CHECK(pubkey != NULL);
696 ARG_CHECK(tweak32 != NULL);
697
698 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
699 memset(pubkey, 0, sizeof(*pubkey));
700 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32);
701 if (ret) {
702 secp256k1_pubkey_save(pubkey, &p);
703 }
704
705 return ret;
706}
707
708int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
709 secp256k1_scalar factor;
711 int ret = 0;
712 int overflow = 0;
713 VERIFY_CHECK(ctx != NULL);
714 ARG_CHECK(seckey != NULL);
715 ARG_CHECK(tweak32 != NULL);
716
717 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
718 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
719 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
721 secp256k1_scalar_get_b32(seckey, &sec);
722
724 secp256k1_scalar_clear(&factor);
725 return ret;
726}
727
728int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
729 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
730}
731
732int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
733 secp256k1_ge p;
734 secp256k1_scalar factor;
735 int ret = 0;
736 int overflow = 0;
737 VERIFY_CHECK(ctx != NULL);
739 ARG_CHECK(pubkey != NULL);
740 ARG_CHECK(tweak32 != NULL);
741
742 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
743 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
744 memset(pubkey, 0, sizeof(*pubkey));
745 if (ret) {
746 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
747 secp256k1_pubkey_save(pubkey, &p);
748 } else {
749 ret = 0;
750 }
751 }
752
753 return ret;
754}
755
756int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
757 VERIFY_CHECK(ctx != NULL);
760 }
761 return 1;
762}
763
764int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
765 size_t i;
766 secp256k1_gej Qj;
767 secp256k1_ge Q;
768
769 ARG_CHECK(pubnonce != NULL);
770 memset(pubnonce, 0, sizeof(*pubnonce));
771 ARG_CHECK(n >= 1);
772 ARG_CHECK(pubnonces != NULL);
773
775
776 for (i = 0; i < n; i++) {
777 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
778 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
779 }
780 if (secp256k1_gej_is_infinity(&Qj)) {
781 return 0;
782 }
783 secp256k1_ge_set_gej(&Q, &Qj);
784 secp256k1_pubkey_save(pubnonce, &Q);
785 return 1;
786}
787
788int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
790 VERIFY_CHECK(ctx != NULL);
791 ARG_CHECK(hash32 != NULL);
792 ARG_CHECK(tag != NULL);
793 ARG_CHECK(msg != NULL);
794
795 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
796 secp256k1_sha256_write(&sha, msg, msglen);
797 secp256k1_sha256_finalize(&sha, hash32);
798 return 1;
799}
800
801#ifdef ENABLE_MODULE_ECDH
802# include "modules/ecdh/main_impl.h"
803#endif
804
805#ifdef ENABLE_MODULE_MULTISET
807#endif
808
809#ifdef ENABLE_MODULE_RECOVERY
811#endif
812
813#ifdef ENABLE_MODULE_SCHNORR
815#endif
816
817#ifdef ENABLE_MODULE_EXTRAKEYS
819#endif
820
821#ifdef ENABLE_MODULE_SCHNORRSIG
823#endif
secp256k1_context * ctx
int flags
Definition: bitcoin-tx.cpp:541
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src)
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult_impl.h:302
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
SchnorrSig sig
Definition: processor.cpp:498
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
Definition: util.h:134
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
#define EXPECT(x, c)
Definition: util.h:43
#define ROUND_TO_ALIGN(size)
Definition: util.h:116
#define VERIFY_CHECK(cond)
Definition: util.h:68
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:205
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:679
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:632
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:503
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:163
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:502
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:788
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:690
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:406
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:652
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:708
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:106
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void *noncedata)
Definition: secp256k1.c:505
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:49
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:576
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:84
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:663
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:188
#define ARG_CHECK(cond)
Definition: secp256k1.c:28
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:587
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:64
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context *ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:683
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:617
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:319
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:764
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:245
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:86
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:264
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:467
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:44
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:35
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:472
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:77
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:756
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:221
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:450
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:599
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:177
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:226
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:732
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:345
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:561
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:59
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:636
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:728
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:168
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:103
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:179
#define SECP256K1_INLINE
Definition: secp256k1.h:127
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:166
#define SECP256K1_FLAGS_TYPE_MASK
All flags' lower 8 bits indicate what they're for.
Definition: secp256k1.h:162
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:167
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:169
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:163
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:164
static int secp256k1_selftest(void)
Definition: selftest.h:28
void(* fn)(const char *text, void *data)
Definition: util.h:20
const void * data
Definition: util.h:21
secp256k1_callback illegal_callback
Definition: secp256k1.c:72
secp256k1_callback error_callback
Definition: secp256k1.c:73
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:70
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
secp256k1_fe x
Definition: group.h:14
secp256k1_fe y
Definition: group.h:15
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
unsigned char data[64]
Definition: secp256k1.h:71
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static int count
Definition: tests.c:31