ecdh_2main__impl_8h_source.html

/***********************************************************************

 * Copyright (c) 2015 Andrew Poelstra                                  *

 * Distributed under the MIT software license, see the accompanying    *

 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*

 ***********************************************************************/


#ifndef SECP256K1_MODULE_ECDH_MAIN_H

#define SECP256K1_MODULE_ECDH_MAIN_H


#include "../../../include/secp256k1_ecdh.h"

#include "../../ecmult_const_impl.h"


static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {

    unsigned char version = (y32[31] & 0x01) | 0x02;

    secp256k1_sha256 sha;

    (void)data;


    secp256k1_sha256_initialize(&sha);

    secp256k1_sha256_write(&sha, &version, 1);

    secp256k1_sha256_write(&sha, x32, 32);

    secp256k1_sha256_finalize(&sha, output);

    secp256k1_sha256_clear(&sha);


    return 1;

}


const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256 = ecdh_hash_function_sha256;

const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default = ecdh_hash_function_sha256;


int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const secp256k1_pubkey *point, const unsigned char *scalar, secp256k1_ecdh_hash_function hashfp, void *data) {

    int ret = 0;

    int overflow = 0;

    secp256k1_gej res;

    secp256k1_ge pt;

    secp256k1_scalar s;

    unsigned char x[32];

    unsigned char y[32];


    VERIFY_CHECK(ctx != NULL);

    ARG_CHECK(output != NULL);

    ARG_CHECK(point != NULL);

    ARG_CHECK(scalar != NULL);


    if (hashfp == NULL) {

        hashfp = secp256k1_ecdh_hash_function_default;

    }


    secp256k1_pubkey_load(ctx, &pt, point);

    secp256k1_scalar_set_b32(&s, scalar, &overflow);


    overflow |= secp256k1_scalar_is_zero(&s);

    secp256k1_scalar_cmov(&s, &secp256k1_scalar_one, overflow);


    secp256k1_ecmult_const(&res, &pt, &s);

    secp256k1_ge_set_gej(&pt, &res);


    /* Compute a hash of the point */

    secp256k1_fe_normalize(&pt.x);

    secp256k1_fe_normalize(&pt.y);

    secp256k1_fe_get_b32(x, &pt.x);

    secp256k1_fe_get_b32(y, &pt.y);


    ret = hashfp(output, x, y, data);


    secp256k1_memclear(x, sizeof(x));

    secp256k1_memclear(y, sizeof(y));

    secp256k1_scalar_clear(&s);

    secp256k1_ge_clear(&pt);

    secp256k1_gej_clear(&res);


    return !!ret & !overflow;

}


#endif /* SECP256K1_MODULE_ECDH_MAIN_H */

ret
int ret
Definition: bitcoin-cli.cpp:1354

secp256k1_ecdh_hash_function_sha256
const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256
Definition: main_impl.h:27

ecdh_hash_function_sha256
static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data)
Definition: main_impl.h:13

secp256k1_ecdh
int secp256k1_ecdh(const secp256k1_context *ctx, unsigned char *output, const secp256k1_pubkey *point, const unsigned char *scalar, secp256k1_ecdh_hash_function hashfp, void *data)
Compute an EC Diffie-Hellman secret in constant time.
Definition: main_impl.h:30

secp256k1_ecdh_hash_function_default
const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default
Definition: main_impl.h:28

secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)

secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:89

secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78

secp256k1_gej_clear
static void secp256k1_gej_clear(secp256k1_gej *r)
Clear a secp256k1_gej to prevent leaking sensitive information.

secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.

secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.

test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72

test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98

secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.

secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.

secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.

secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.

secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27

secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)

secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)

secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)

secp256k1_sha256_clear
static void secp256k1_sha256_clear(secp256k1_sha256 *hash)

secp256k1_memclear
static SECP256K1_INLINE void secp256k1_memclear(void *ptr, size_t len)
Definition: util.h:223

VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:159

ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:45

secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240

secp256k1_ecdh_hash_function
int(* secp256k1_ecdh_hash_function)(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data)
A pointer to a function that hashes an EC point to obtain an ECDH secret.
Definition: secp256k1_ecdh.h:21

secp256k1_context_struct
Definition: secp256k1.c:61

secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16

secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17

secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_sha256
Definition: hash.h:13