ecdsa_8c_source.html

/*************************************************************************

 * Written in 2020-2022 by Elichai Turkel                                *

 * To the extent possible under law, the author(s) have dedicated all    *

 * copyright and related and neighboring rights to the software in this  *

 * file to the public domain worldwide. This software is distributed     *

 * without any warranty. For the CC0 Public Domain Dedication, see       *

 * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *

 *************************************************************************/


#include <stdio.h>

#include <stdlib.h>

#include <assert.h>

#include <string.h>


#include <secp256k1.h>


#include "examples_util.h"


int main(void) {

    /* Instead of signing the message directly, we must sign a 32-byte hash.

     * Here the message is "Hello, world!" and the hash function was SHA-256.

     * An actual implementation should just call SHA-256, but this example

     * hardcodes the output to avoid depending on an additional library.

     * See https://bitcoin.stackexchange.com/questions/81115/if-someone-wanted-to-pretend-to-be-satoshi-by-posting-a-fake-signature-to-defrau/81116#81116 */

    unsigned char msg_hash[32] = {

        0x31, 0x5F, 0x5B, 0xDB, 0x76, 0xD0, 0x78, 0xC4,

        0x3B, 0x8A, 0xC0, 0x06, 0x4E, 0x4A, 0x01, 0x64,

        0x61, 0x2B, 0x1F, 0xCE, 0x77, 0xC8, 0x69, 0x34,

        0x5B, 0xFC, 0x94, 0xC7, 0x58, 0x94, 0xED, 0xD3,

    };

    unsigned char seckey[32];

    unsigned char randomize[32];

    unsigned char compressed_pubkey[33];

    unsigned char serialized_signature[64];

    size_t len;

    int is_signature_valid, is_signature_valid2;

    int return_val;

    secp256k1_pubkey pubkey;

    secp256k1_ecdsa_signature sig;

    /* Before we can call actual API functions, we need to create a "context". */

    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);

    if (!fill_random(randomize, sizeof(randomize))) {

        printf("Failed to generate randomness\n");

        return EXIT_FAILURE;

    }

    /* Randomizing the context is recommended to protect against side-channel

     * leakage See `secp256k1_context_randomize` in secp256k1.h for more

     * information about it. This should never fail. */

    return_val = secp256k1_context_randomize(ctx, randomize);

    assert(return_val);


    /*** Key Generation ***/

    if (!fill_random(seckey, sizeof(seckey))) {

        printf("Failed to generate randomness\n");

        return EXIT_FAILURE;

    }

    /* If the secret key is zero or out of range (greater than secp256k1's

    * order), we fail. Note that the probability of this occurring is negligible

    * with a properly functioning random number generator. */

    if (!secp256k1_ec_seckey_verify(ctx, seckey)) {

        printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");

        return EXIT_FAILURE;

    }


    /* Public key creation using a valid context with a verified secret key should never fail */

    return_val = secp256k1_ec_pubkey_create(ctx, &pubkey, seckey);

    assert(return_val);


    /* Serialize the pubkey in a compressed form(33 bytes). Should always return 1. */

    len = sizeof(compressed_pubkey);

    return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey, &len, &pubkey, SECP256K1_EC_COMPRESSED);

    assert(return_val);

    /* Should be the same size as the size of the output, because we passed a 33 byte array. */

    assert(len == sizeof(compressed_pubkey));


    /*** Signing ***/


    /* Generate an ECDSA signature `noncefp` and `ndata` allows you to pass a

     * custom nonce function, passing `NULL` will use the RFC-6979 safe default.

     * Signing with a valid context, verified secret key

     * and the default nonce function should never fail. */

    return_val = secp256k1_ecdsa_sign(ctx, &sig, msg_hash, seckey, NULL, NULL);

    assert(return_val);


    /* Serialize the signature in a compact form. Should always return 1

     * according to the documentation in secp256k1.h. */

    return_val = secp256k1_ecdsa_signature_serialize_compact(ctx, serialized_signature, &sig);

    assert(return_val);


    /*** Verification ***/


    /* Deserialize the signature. This will return 0 if the signature can't be parsed correctly. */

    if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, serialized_signature)) {

        printf("Failed parsing the signature\n");

        return EXIT_FAILURE;

    }


    /* Deserialize the public key. This will return 0 if the public key can't be parsed correctly. */

    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, compressed_pubkey, sizeof(compressed_pubkey))) {

        printf("Failed parsing the public key\n");

        return EXIT_FAILURE;

    }


    /* Verify a signature. This will return 1 if it's valid and 0 if it's not. */

    is_signature_valid = secp256k1_ecdsa_verify(ctx, &sig, msg_hash, &pubkey);


    printf("Is the signature valid? %s\n", is_signature_valid ? "true" : "false");

    printf("Secret Key: ");

    print_hex(seckey, sizeof(seckey));

    printf("Public Key: ");

    print_hex(compressed_pubkey, sizeof(compressed_pubkey));

    printf("Signature: ");

    print_hex(serialized_signature, sizeof(serialized_signature));


    /* This will clear everything from the context and free the memory */

    secp256k1_context_destroy(ctx);


    /* Bonus example: if all we need is signature verification (and no key

       generation or signing), we don't need to use a context created via

       secp256k1_context_create(). We can simply use the static (i.e., global)

       context secp256k1_context_static. See its description in

       include/secp256k1.h for details. */

    is_signature_valid2 = secp256k1_ecdsa_verify(secp256k1_context_static,

                                                 &sig, msg_hash, &pubkey);

    assert(is_signature_valid2 == is_signature_valid);


    /* It's best practice to try to clear secrets from memory after using them.

     * This is done because some bugs can allow an attacker to leak memory, for

     * example through "out of bounds" array access (see Heartbleed), or the OS

     * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.

     *

     * Here we are preventing these writes from being optimized out, as any good compiler

     * will remove any writes that aren't used. */

    secure_erase(seckey, sizeof(seckey));


    return EXIT_SUCCESS;

}

EXIT_SUCCESS
return EXIT_SUCCESS
Definition: bitcoin-wallet.cpp:134

main
int main(void)
Definition: ecdsa.c:19

examples_util.h

fill_random
static int fill_random(unsigned char *data, size_t size)
Definition: examples_util.h:43

secure_erase
static void secure_erase(void *ptr, size_t len)
Definition: examples_util.h:86

print_hex
static void print_hex(unsigned char *data, size_t size)
Definition: examples_util.h:72

tinyformat::printf
void printf(FormatStringCheck< sizeof...(Args)> fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1096

secp256k1.h

secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:187

secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:747

secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385

secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268

secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:580

secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:141

secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:566

secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250

SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:202

secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:604

SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:212

secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450

secp256k1_context_static
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:233

secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418

string.h

secp256k1_context_struct
Definition: secp256k1.c:61

secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61

assert
assert(!tx.IsCoinBase())