Fabcoin Core  0.16.2
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #include "include/secp256k1.h"
8 
9 #include "util.h"
10 #include "num_impl.h"
11 #include "field_impl.h"
12 #include "scalar_impl.h"
13 #include "group_impl.h"
14 #include "ecmult_impl.h"
15 #include "ecmult_const_impl.h"
16 #include "ecmult_gen_impl.h"
17 #include "ecdsa_impl.h"
18 #include "eckey_impl.h"
19 #include "hash_impl.h"
20 
21 #define ARG_CHECK(cond) do { \
22  if (EXPECT(!(cond), 0)) { \
23  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
24  return 0; \
25  } \
26 } while(0)
27 
28 static void default_illegal_callback_fn(const char* str, void* data) {
29  (void)data;
30  fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
31  abort();
32 }
33 
34 static const secp256k1_callback default_illegal_callback = {
35  default_illegal_callback_fn,
36  NULL
37 };
38 
39 static void default_error_callback_fn(const char* str, void* data) {
40  (void)data;
41  fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
42  abort();
43 }
44 
45 static const secp256k1_callback default_error_callback = {
46  default_error_callback_fn,
47  NULL
48 };
49 
50 
56 };
57 
59  secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
60  ret->illegal_callback = default_illegal_callback;
61  ret->error_callback = default_error_callback;
62 
64  secp256k1_callback_call(&ret->illegal_callback,
65  "Invalid flags");
66  free(ret);
67  return NULL;
68  }
69 
70  secp256k1_ecmult_context_init(&ret->ecmult_ctx);
71  secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
72 
74  secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
75  }
77  secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
78  }
79 
80  return ret;
81 }
82 
84  secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context));
86  ret->error_callback = ctx->error_callback;
87  secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
88  secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
89  return ret;
90 }
91 
93  if (ctx != NULL) {
94  secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
95  secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
96 
97  free(ctx);
98  }
99 }
100 
101 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
102  if (fun == NULL) {
103  fun = default_illegal_callback_fn;
104  }
105  ctx->illegal_callback.fn = fun;
106  ctx->illegal_callback.data = data;
107 }
108 
109 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
110  if (fun == NULL) {
111  fun = default_error_callback_fn;
112  }
113  ctx->error_callback.fn = fun;
114  ctx->error_callback.data = data;
115 }
116 
117 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
118  if (sizeof(secp256k1_ge_storage) == 64) {
119  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
120  * representation inside secp256k1_pubkey, as conversion is very fast.
121  * Note that secp256k1_pubkey_save must use the same representation. */
123  memcpy(&s, &pubkey->data[0], 64);
124  secp256k1_ge_from_storage(ge, &s);
125  } else {
126  /* Otherwise, fall back to 32-byte big endian for X and Y. */
127  secp256k1_fe x, y;
128  secp256k1_fe_set_b32(&x, pubkey->data);
129  secp256k1_fe_set_b32(&y, pubkey->data + 32);
130  secp256k1_ge_set_xy(ge, &x, &y);
131  }
132  ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
133  return 1;
134 }
135 
136 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
137  if (sizeof(secp256k1_ge_storage) == 64) {
139  secp256k1_ge_to_storage(&s, ge);
140  memcpy(&pubkey->data[0], &s, 64);
141  } else {
142  VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
143  secp256k1_fe_normalize_var(&ge->x);
144  secp256k1_fe_normalize_var(&ge->y);
145  secp256k1_fe_get_b32(pubkey->data, &ge->x);
146  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
147  }
148 }
149 
150 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
151  secp256k1_ge Q;
152 
153  VERIFY_CHECK(ctx != NULL);
154  ARG_CHECK(pubkey != NULL);
155  memset(pubkey, 0, sizeof(*pubkey));
156  ARG_CHECK(input != NULL);
157  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
158  return 0;
159  }
160  secp256k1_pubkey_save(pubkey, &Q);
161  secp256k1_ge_clear(&Q);
162  return 1;
163 }
164 
165 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
166  secp256k1_ge Q;
167  size_t len;
168  int ret = 0;
169 
170  VERIFY_CHECK(ctx != NULL);
171  ARG_CHECK(outputlen != NULL);
172  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
173  len = *outputlen;
174  *outputlen = 0;
175  ARG_CHECK(output != NULL);
176  memset(output, 0, len);
177  ARG_CHECK(pubkey != NULL);
179  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
180  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
181  if (ret) {
182  *outputlen = len;
183  }
184  }
185  return ret;
186 }
187 
188 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
189  (void)ctx;
190  if (sizeof(secp256k1_scalar) == 32) {
191  /* When the secp256k1_scalar type is exactly 32 byte, use its
192  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
193  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
194  memcpy(r, &sig->data[0], 32);
195  memcpy(s, &sig->data[32], 32);
196  } else {
197  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
198  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
199  }
200 }
201 
202 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
203  if (sizeof(secp256k1_scalar) == 32) {
204  memcpy(&sig->data[0], r, 32);
205  memcpy(&sig->data[32], s, 32);
206  } else {
207  secp256k1_scalar_get_b32(&sig->data[0], r);
208  secp256k1_scalar_get_b32(&sig->data[32], s);
209  }
210 }
211 
212 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
213  secp256k1_scalar r, s;
214 
215  VERIFY_CHECK(ctx != NULL);
216  ARG_CHECK(sig != NULL);
217  ARG_CHECK(input != NULL);
218 
219  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
220  secp256k1_ecdsa_signature_save(sig, &r, &s);
221  return 1;
222  } else {
223  memset(sig, 0, sizeof(*sig));
224  return 0;
225  }
226 }
227 
228 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
229  secp256k1_scalar r, s;
230  int ret = 1;
231  int overflow = 0;
232 
233  VERIFY_CHECK(ctx != NULL);
234  ARG_CHECK(sig != NULL);
235  ARG_CHECK(input64 != NULL);
236 
237  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
238  ret &= !overflow;
239  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
240  ret &= !overflow;
241  if (ret) {
242  secp256k1_ecdsa_signature_save(sig, &r, &s);
243  } else {
244  memset(sig, 0, sizeof(*sig));
245  }
246  return ret;
247 }
248 
249 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
250  secp256k1_scalar r, s;
251 
252  VERIFY_CHECK(ctx != NULL);
253  ARG_CHECK(output != NULL);
254  ARG_CHECK(outputlen != NULL);
255  ARG_CHECK(sig != NULL);
256 
257  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
258  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
259 }
260 
262  secp256k1_scalar r, s;
263 
264  VERIFY_CHECK(ctx != NULL);
265  ARG_CHECK(output64 != NULL);
266  ARG_CHECK(sig != NULL);
267 
268  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
269  secp256k1_scalar_get_b32(&output64[0], &r);
270  secp256k1_scalar_get_b32(&output64[32], &s);
271  return 1;
272 }
273 
275  secp256k1_scalar r, s;
276  int ret = 0;
277 
278  VERIFY_CHECK(ctx != NULL);
279  ARG_CHECK(sigin != NULL);
280 
281  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
282  ret = secp256k1_scalar_is_high(&s);
283  if (sigout != NULL) {
284  if (ret) {
285  secp256k1_scalar_negate(&s, &s);
286  }
287  secp256k1_ecdsa_signature_save(sigout, &r, &s);
288  }
289 
290  return ret;
291 }
292 
293 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
294  secp256k1_ge q;
295  secp256k1_scalar r, s;
297  VERIFY_CHECK(ctx != NULL);
298  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
299  ARG_CHECK(msg32 != NULL);
300  ARG_CHECK(sig != NULL);
301  ARG_CHECK(pubkey != NULL);
302 
303  secp256k1_scalar_set_b32(&m, msg32, NULL);
304  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
305  return (!secp256k1_scalar_is_high(&s) &&
306  secp256k1_pubkey_load(ctx, &q, pubkey) &&
307  secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
308 }
309 
310 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
311  unsigned char keydata[112];
312  int keylen = 64;
314  unsigned int i;
315  /* We feed a byte array to the PRNG as input, consisting of:
316  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
317  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
318  * - optionally 16 extra bytes with the algorithm name.
319  * Because the arguments have distinct fixed lengths it is not possible for
320  * different argument mixtures to emulate each other and result in the same
321  * nonces.
322  */
323  memcpy(keydata, key32, 32);
324  memcpy(keydata + 32, msg32, 32);
325  if (data != NULL) {
326  memcpy(keydata + 64, data, 32);
327  keylen = 96;
328  }
329  if (algo16 != NULL) {
330  memcpy(keydata + keylen, algo16, 16);
331  keylen += 16;
332  }
333  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen);
334  memset(keydata, 0, sizeof(keydata));
335  for (i = 0; i <= counter; i++) {
336  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
337  }
338  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
339  return 1;
340 }
341 
344 
345 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
346  secp256k1_scalar r, s;
347  secp256k1_scalar sec, non, msg;
348  int ret = 0;
349  int overflow = 0;
350  VERIFY_CHECK(ctx != NULL);
351  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
352  ARG_CHECK(msg32 != NULL);
353  ARG_CHECK(signature != NULL);
354  ARG_CHECK(seckey != NULL);
355  if (noncefp == NULL) {
357  }
358 
359  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
360  /* Fail if the secret key is invalid. */
361  if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
362  unsigned char nonce32[32];
363  unsigned int count = 0;
364  secp256k1_scalar_set_b32(&msg, msg32, NULL);
365  while (1) {
366  ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
367  if (!ret) {
368  break;
369  }
370  secp256k1_scalar_set_b32(&non, nonce32, &overflow);
371  if (!overflow && !secp256k1_scalar_is_zero(&non)) {
372  if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
373  break;
374  }
375  }
376  count++;
377  }
378  memset(nonce32, 0, 32);
379  secp256k1_scalar_clear(&msg);
380  secp256k1_scalar_clear(&non);
381  secp256k1_scalar_clear(&sec);
382  }
383  if (ret) {
384  secp256k1_ecdsa_signature_save(signature, &r, &s);
385  } else {
386  memset(signature, 0, sizeof(*signature));
387  }
388  return ret;
389 }
390 
391 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
392  secp256k1_scalar sec;
393  int ret;
394  int overflow;
395  VERIFY_CHECK(ctx != NULL);
396  ARG_CHECK(seckey != NULL);
397 
398  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
399  ret = !overflow && !secp256k1_scalar_is_zero(&sec);
400  secp256k1_scalar_clear(&sec);
401  return ret;
402 }
403 
404 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
405  secp256k1_gej pj;
406  secp256k1_ge p;
407  secp256k1_scalar sec;
408  int overflow;
409  int ret = 0;
410  VERIFY_CHECK(ctx != NULL);
411  ARG_CHECK(pubkey != NULL);
412  memset(pubkey, 0, sizeof(*pubkey));
413  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
414  ARG_CHECK(seckey != NULL);
415 
416  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
417  ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec));
418  if (ret) {
419  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
420  secp256k1_ge_set_gej(&p, &pj);
421  secp256k1_pubkey_save(pubkey, &p);
422  }
423  secp256k1_scalar_clear(&sec);
424  return ret;
425 }
426 
427 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
428  secp256k1_scalar sec;
429  VERIFY_CHECK(ctx != NULL);
430  ARG_CHECK(seckey != NULL);
431 
432  secp256k1_scalar_set_b32(&sec, seckey, NULL);
433  secp256k1_scalar_negate(&sec, &sec);
434  secp256k1_scalar_get_b32(seckey, &sec);
435 
436  return 1;
437 }
438 
440  int ret = 0;
441  secp256k1_ge p;
442  VERIFY_CHECK(ctx != NULL);
443  ARG_CHECK(pubkey != NULL);
444 
445  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
446  memset(pubkey, 0, sizeof(*pubkey));
447  if (ret) {
448  secp256k1_ge_neg(&p, &p);
449  secp256k1_pubkey_save(pubkey, &p);
450  }
451  return ret;
452 }
453 
454 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
455  secp256k1_scalar term;
456  secp256k1_scalar sec;
457  int ret = 0;
458  int overflow = 0;
459  VERIFY_CHECK(ctx != NULL);
460  ARG_CHECK(seckey != NULL);
461  ARG_CHECK(tweak != NULL);
462 
463  secp256k1_scalar_set_b32(&term, tweak, &overflow);
464  secp256k1_scalar_set_b32(&sec, seckey, NULL);
465 
466  ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
467  memset(seckey, 0, 32);
468  if (ret) {
469  secp256k1_scalar_get_b32(seckey, &sec);
470  }
471 
472  secp256k1_scalar_clear(&sec);
473  secp256k1_scalar_clear(&term);
474  return ret;
475 }
476 
477 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
478  secp256k1_ge p;
479  secp256k1_scalar term;
480  int ret = 0;
481  int overflow = 0;
482  VERIFY_CHECK(ctx != NULL);
483  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
484  ARG_CHECK(pubkey != NULL);
485  ARG_CHECK(tweak != NULL);
486 
487  secp256k1_scalar_set_b32(&term, tweak, &overflow);
488  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
489  memset(pubkey, 0, sizeof(*pubkey));
490  if (ret) {
491  if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
492  secp256k1_pubkey_save(pubkey, &p);
493  } else {
494  ret = 0;
495  }
496  }
497 
498  return ret;
499 }
500 
501 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
502  secp256k1_scalar factor;
503  secp256k1_scalar sec;
504  int ret = 0;
505  int overflow = 0;
506  VERIFY_CHECK(ctx != NULL);
507  ARG_CHECK(seckey != NULL);
508  ARG_CHECK(tweak != NULL);
509 
510  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
511  secp256k1_scalar_set_b32(&sec, seckey, NULL);
512  ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
513  memset(seckey, 0, 32);
514  if (ret) {
515  secp256k1_scalar_get_b32(seckey, &sec);
516  }
517 
518  secp256k1_scalar_clear(&sec);
519  secp256k1_scalar_clear(&factor);
520  return ret;
521 }
522 
523 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
524  secp256k1_ge p;
525  secp256k1_scalar factor;
526  int ret = 0;
527  int overflow = 0;
528  VERIFY_CHECK(ctx != NULL);
529  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
530  ARG_CHECK(pubkey != NULL);
531  ARG_CHECK(tweak != NULL);
532 
533  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
534  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
535  memset(pubkey, 0, sizeof(*pubkey));
536  if (ret) {
537  if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
538  secp256k1_pubkey_save(pubkey, &p);
539  } else {
540  ret = 0;
541  }
542  }
543 
544  return ret;
545 }
546 
547 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
548  VERIFY_CHECK(ctx != NULL);
549  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
550  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
551  return 1;
552 }
553 
554 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
555  size_t i;
556  secp256k1_gej Qj;
557  secp256k1_ge Q;
558 
559  ARG_CHECK(pubnonce != NULL);
560  memset(pubnonce, 0, sizeof(*pubnonce));
561  ARG_CHECK(n >= 1);
562  ARG_CHECK(pubnonces != NULL);
563 
564  secp256k1_gej_set_infinity(&Qj);
565 
566  for (i = 0; i < n; i++) {
567  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
568  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
569  }
570  if (secp256k1_gej_is_infinity(&Qj)) {
571  return 0;
572  }
573  secp256k1_ge_set_gej(&Q, &Qj);
574  secp256k1_pubkey_save(pubnonce, &Q);
575  return 1;
576 }
577 
578 #ifdef ENABLE_MODULE_ECDH
579 # include "modules/ecdh/main_impl.h"
580 #endif
581 
582 #ifdef ENABLE_MODULE_RECOVERY
584 #endif
#define VERIFY_CHECK(cond)
Definition: util.h:67
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:249
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a private key in place.
Definition: secp256k1.c:427
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:165
#define Q(i)
Definition: cast.cpp:199
size_t count
Definition: ExecStats.cpp:37
unsigned char data[64]
Definition: secp256k1.h:67
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:212
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:391
void(* fn)(const char *text, void *data)
Definition: util.h:19
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:146
#define SECP256K1_FLAGS_TYPE_MASK
All flags&#39; lower 8 bits indicate what they&#39;re for.
Definition: secp256k1.h:145
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:342
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:345
#define x(i)
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copies a secp256k1 context object.
Definition: secp256k1.c:83
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:523
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:554
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:53
#define ARG_CHECK(cond)
Definition: secp256k1.c:21
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:293
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:404
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:109
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:101
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:52
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:66
secp256k1_fe x
Definition: group.h:15
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:343
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_callback illegal_callback
Definition: secp256k1.c:54
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:150
#define EXPECT(x, c)
Definition: util.h:42
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:439
unsigned char data[64]
Definition: secp256k1.h:54
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:150
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:149
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:86
void * memcpy(void *a, const void *b, size_t c)
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:92
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:261
secp256k1_callback error_callback
Definition: secp256k1.c:55
const void * data
Definition: util.h:20
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:477
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:547
secp256k1_fe y
Definition: group.h:16
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:454
uint8_t const * data
Definition: sha3.h:19
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:147
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:228
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object.
Definition: secp256k1.c:58
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a private key by multiplying it by a tweak.
Definition: secp256k1.c:501
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:53
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:151
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:274