Bitcoin Core 28.99.0
P2P Digital Currency
main_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2020 Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_EXTRAKEYS_MAIN_H
8#define SECP256K1_MODULE_EXTRAKEYS_MAIN_H
9
10#include "../../../include/secp256k1.h"
11#include "../../../include/secp256k1_extrakeys.h"
12#include "../../util.h"
13
14static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context* ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey) {
15 return secp256k1_pubkey_load(ctx, ge, (const secp256k1_pubkey *) pubkey);
16}
17
18static SECP256K1_INLINE void secp256k1_xonly_pubkey_save(secp256k1_xonly_pubkey *pubkey, secp256k1_ge *ge) {
19 secp256k1_pubkey_save((secp256k1_pubkey *) pubkey, ge);
20}
21
22int secp256k1_xonly_pubkey_parse(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) {
23 secp256k1_ge pk;
24 secp256k1_fe x;
25
26 VERIFY_CHECK(ctx != NULL);
27 ARG_CHECK(pubkey != NULL);
28 memset(pubkey, 0, sizeof(*pubkey));
29 ARG_CHECK(input32 != NULL);
30
31 if (!secp256k1_fe_set_b32_limit(&x, input32)) {
32 return 0;
33 }
34 if (!secp256k1_ge_set_xo_var(&pk, &x, 0)) {
35 return 0;
36 }
37 if (!secp256k1_ge_is_in_correct_subgroup(&pk)) {
38 return 0;
39 }
40 secp256k1_xonly_pubkey_save(pubkey, &pk);
41 return 1;
42}
43
44int secp256k1_xonly_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) {
45 secp256k1_ge pk;
46
47 VERIFY_CHECK(ctx != NULL);
48 ARG_CHECK(output32 != NULL);
49 memset(output32, 0, 32);
50 ARG_CHECK(pubkey != NULL);
51
52 if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
53 return 0;
54 }
55 secp256k1_fe_get_b32(output32, &pk.x);
56 return 1;
57}
58
59int secp256k1_xonly_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_xonly_pubkey* pk0, const secp256k1_xonly_pubkey* pk1) {
60 unsigned char out[2][32];
61 const secp256k1_xonly_pubkey* pk[2];
62 int i;
63
64 VERIFY_CHECK(ctx != NULL);
65 pk[0] = pk0; pk[1] = pk1;
66 for (i = 0; i < 2; i++) {
67 /* If the public key is NULL or invalid, xonly_pubkey_serialize will
68 * call the illegal_callback and return 0. In that case we will
69 * serialize the key as all zeros which is less than any valid public
70 * key. This results in consistent comparisons even if NULL or invalid
71 * pubkeys are involved and prevents edge cases such as sorting
72 * algorithms that use this function and do not terminate as a
73 * result. */
74 if (!secp256k1_xonly_pubkey_serialize(ctx, out[i], pk[i])) {
75 /* Note that xonly_pubkey_serialize should already set the output to
76 * zero in that case, but it's not guaranteed by the API, we can't
77 * test it and writing a VERIFY_CHECK is more complex than
78 * explicitly memsetting (again). */
79 memset(out[i], 0, sizeof(out[i]));
80 }
81 }
82 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[1]));
83}
84
88static int secp256k1_extrakeys_ge_even_y(secp256k1_ge *r) {
89 int y_parity = 0;
90 VERIFY_CHECK(!secp256k1_ge_is_infinity(r));
91
92 if (secp256k1_fe_is_odd(&r->y)) {
93 secp256k1_fe_negate(&r->y, &r->y, 1);
94 y_parity = 1;
95 }
96 return y_parity;
97}
98
99int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context* ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) {
100 secp256k1_ge pk;
101 int tmp;
102
103 VERIFY_CHECK(ctx != NULL);
104 ARG_CHECK(xonly_pubkey != NULL);
105 ARG_CHECK(pubkey != NULL);
106
107 if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {
108 return 0;
109 }
110 tmp = secp256k1_extrakeys_ge_even_y(&pk);
111 if (pk_parity != NULL) {
112 *pk_parity = tmp;
113 }
114 secp256k1_xonly_pubkey_save(xonly_pubkey, &pk);
115 return 1;
116}
117
118int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
119 secp256k1_ge pk;
120
121 VERIFY_CHECK(ctx != NULL);
122 ARG_CHECK(output_pubkey != NULL);
123 memset(output_pubkey, 0, sizeof(*output_pubkey));
124 ARG_CHECK(internal_pubkey != NULL);
125 ARG_CHECK(tweak32 != NULL);
126
127 if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
128 || !secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32)) {
129 return 0;
130 }
131 secp256k1_pubkey_save(output_pubkey, &pk);
132 return 1;
133}
134
135int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
136 secp256k1_ge pk;
137 unsigned char pk_expected32[32];
138
139 VERIFY_CHECK(ctx != NULL);
140 ARG_CHECK(internal_pubkey != NULL);
141 ARG_CHECK(tweaked_pubkey32 != NULL);
142 ARG_CHECK(tweak32 != NULL);
143
144 if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
145 || !secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32)) {
146 return 0;
147 }
148 secp256k1_fe_normalize_var(&pk.x);
149 secp256k1_fe_normalize_var(&pk.y);
150 secp256k1_fe_get_b32(pk_expected32, &pk.x);
151
152 return secp256k1_memcmp_var(&pk_expected32, tweaked_pubkey32, 32) == 0
153 && secp256k1_fe_is_odd(&pk.y) == tweaked_pk_parity;
154}
155
156static void secp256k1_keypair_save(secp256k1_keypair *keypair, const secp256k1_scalar *sk, secp256k1_ge *pk) {
157 secp256k1_scalar_get_b32(&keypair->data[0], sk);
158 secp256k1_pubkey_save((secp256k1_pubkey *)&keypair->data[32], pk);
159}
160
161
162static int secp256k1_keypair_seckey_load(const secp256k1_context* ctx, secp256k1_scalar *sk, const secp256k1_keypair *keypair) {
163 int ret;
164
165 ret = secp256k1_scalar_set_b32_seckey(sk, &keypair->data[0]);
166 /* We can declassify ret here because sk is only zero if a keypair function
167 * failed (which zeroes the keypair) and its return value is ignored. */
168 secp256k1_declassify(ctx, &ret, sizeof(ret));
169 ARG_CHECK(ret);
170 return ret;
171}
172
173/* Load a keypair into pk and sk (if non-NULL). This function declassifies pk
174 * and ARG_CHECKs that the keypair is not invalid. It always initializes sk and
175 * pk with dummy values. */
176static int secp256k1_keypair_load(const secp256k1_context* ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair) {
177 int ret;
178 const secp256k1_pubkey *pubkey = (const secp256k1_pubkey *)&keypair->data[32];
179
180 /* Need to declassify the pubkey because pubkey_load ARG_CHECKs if it's
181 * invalid. */
182 secp256k1_declassify(ctx, pubkey, sizeof(*pubkey));
183 ret = secp256k1_pubkey_load(ctx, pk, pubkey);
184 if (sk != NULL) {
185 ret = ret && secp256k1_keypair_seckey_load(ctx, sk, keypair);
186 }
187 if (!ret) {
188 *pk = secp256k1_ge_const_g;
189 if (sk != NULL) {
190 *sk = secp256k1_scalar_one;
191 }
192 }
193 return ret;
194}
195
196int secp256k1_keypair_create(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *seckey32) {
197 secp256k1_scalar sk;
198 secp256k1_ge pk;
199 int ret = 0;
200 VERIFY_CHECK(ctx != NULL);
201 ARG_CHECK(keypair != NULL);
202 memset(keypair, 0, sizeof(*keypair));
203 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
204 ARG_CHECK(seckey32 != NULL);
205
206 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &sk, &pk, seckey32);
207 secp256k1_keypair_save(keypair, &sk, &pk);
208 secp256k1_memczero(keypair, sizeof(*keypair), !ret);
209
210 secp256k1_scalar_clear(&sk);
211 return ret;
212}
213
214int secp256k1_keypair_sec(const secp256k1_context* ctx, unsigned char *seckey, const secp256k1_keypair *keypair) {
215 VERIFY_CHECK(ctx != NULL);
216 ARG_CHECK(seckey != NULL);
217 memset(seckey, 0, 32);
218 ARG_CHECK(keypair != NULL);
219
220 memcpy(seckey, &keypair->data[0], 32);
221 return 1;
222}
223
224int secp256k1_keypair_pub(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) {
225 VERIFY_CHECK(ctx != NULL);
226 ARG_CHECK(pubkey != NULL);
227 memset(pubkey, 0, sizeof(*pubkey));
228 ARG_CHECK(keypair != NULL);
229
230 memcpy(pubkey->data, &keypair->data[32], sizeof(*pubkey));
231 return 1;
232}
233
234int secp256k1_keypair_xonly_pub(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) {
235 secp256k1_ge pk;
236 int tmp;
237
238 VERIFY_CHECK(ctx != NULL);
239 ARG_CHECK(pubkey != NULL);
240 memset(pubkey, 0, sizeof(*pubkey));
241 ARG_CHECK(keypair != NULL);
242
243 if (!secp256k1_keypair_load(ctx, NULL, &pk, keypair)) {
244 return 0;
245 }
246 tmp = secp256k1_extrakeys_ge_even_y(&pk);
247 if (pk_parity != NULL) {
248 *pk_parity = tmp;
249 }
250 secp256k1_xonly_pubkey_save(pubkey, &pk);
251
252 return 1;
253}
254
255int secp256k1_keypair_xonly_tweak_add(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) {
256 secp256k1_ge pk;
257 secp256k1_scalar sk;
258 int y_parity;
259 int ret;
260
261 VERIFY_CHECK(ctx != NULL);
262 ARG_CHECK(keypair != NULL);
263 ARG_CHECK(tweak32 != NULL);
264
265 ret = secp256k1_keypair_load(ctx, &sk, &pk, keypair);
266 memset(keypair, 0, sizeof(*keypair));
267
268 y_parity = secp256k1_extrakeys_ge_even_y(&pk);
269 if (y_parity == 1) {
270 secp256k1_scalar_negate(&sk, &sk);
271 }
272
273 ret &= secp256k1_ec_seckey_tweak_add_helper(&sk, tweak32);
274 ret &= secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32);
275
276 secp256k1_declassify(ctx, &ret, sizeof(ret));
277 if (ret) {
278 secp256k1_keypair_save(keypair, &sk, &pk);
279 }
280
281 secp256k1_scalar_clear(&sk);
282 return ret;
283}
284
285#endif
ret
int ret
Definition: bitcoin-cli.cpp:1354
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
Definition: ecmult_gen_impl.h:22
secp256k1_keypair_load
static int secp256k1_keypair_load(const secp256k1_context *ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair)
Definition: main_impl.h:176
secp256k1_keypair_create
int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey32)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_keypair_save
static void secp256k1_keypair_save(secp256k1_keypair *keypair, const secp256k1_scalar *sk, secp256k1_ge *pk)
Definition: main_impl.h:156
secp256k1_keypair_xonly_tweak_add
int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_xonly_pubkey_tweak_add_check
int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_xonly_pubkey_tweak_add
int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Definition: main_impl.h:118
secp256k1_xonly_pubkey_serialize
int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_keypair_sec
int secp256k1_keypair_sec(const secp256k1_context *ctx, unsigned char *seckey, const secp256k1_keypair *keypair)
Get the secret key from a keypair.
Definition: main_impl.h:214
secp256k1_keypair_xonly_pub
int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_keypair_seckey_load
static int secp256k1_keypair_seckey_load(const secp256k1_context *ctx, secp256k1_scalar *sk, const secp256k1_keypair *keypair)
Definition: main_impl.h:162
secp256k1_xonly_pubkey_from_pubkey
int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
secp256k1_keypair_pub
int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair)
Get the public key from a keypair.
Definition: main_impl.h:224
secp256k1_xonly_pubkey_parse
int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_xonly_pubkey_save
static SECP256K1_INLINE void secp256k1_xonly_pubkey_save(secp256k1_xonly_pubkey *pubkey, secp256k1_ge *ge)
Definition: main_impl.h:18
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
secp256k1_extrakeys_ge_even_y
static int secp256k1_extrakeys_ge_even_y(secp256k1_ge *r)
Keeps a group element as is if it has an even Y and otherwise negates it.
Definition: main_impl.h:88
secp256k1_xonly_pubkey_cmp
int secp256k1_xonly_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_xonly_pubkey *pk0, const secp256k1_xonly_pubkey *pk1)
Compare two x-only public keys using lexicographic order.
Definition: main_impl.h:59
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:211
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:85
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:89
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_ge_is_in_correct_subgroup
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: util.h:54
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:159
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:208
secp256k1_ec_seckey_tweak_add_helper
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:657
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:45
secp256k1_ec_pubkey_create_helper
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:591
secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:236
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:246
secp256k1_ec_pubkey_tweak_add_helper
static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:688
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_keypair::data
unsigned char data[96]
Definition: secp256k1_extrakeys.h:34
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:62
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
Generated on Fri Jan 17 2025 20:00:11 for Bitcoin Core by doxygen 1.9.4