pubkey_8cpp_source.html

// Copyright (c) 2009-present The Bitcoin Core developers

// Copyright (c) 2017 The Zcash developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <pubkey.h>


#include <hash.h>

#include <secp256k1.h>

#include <secp256k1_ellswift.h>

#include <secp256k1_extrakeys.h>

#include <secp256k1_recovery.h>

#include <secp256k1_schnorrsig.h>

#include <span.h>

#include <uint256.h>

#include <util/strencodings.h>


#include <algorithm>

#include <cassert>


using namespace util::hex_literals;


namespace {


struct Secp256k1SelfTester

{

    Secp256k1SelfTester() {

        /* Run libsecp256k1 self-test before using the secp256k1_context_static. */

        secp256k1_selftest();

    }

} SECP256K1_SELFTESTER;


} // namespace


int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {

    size_t rpos, rlen, spos, slen;

    size_t pos = 0;

    size_t lenbyte;

    unsigned char tmpsig[64] = {0};

    int overflow = 0;


    /* Hack to initialize sig with a correctly-parsed but invalid signature. */

    secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);


    /* Sequence tag byte */

    if (pos == inputlen || input[pos] != 0x30) {

        return 0;

    }

    pos++;


    /* Sequence length bytes */

    if (pos == inputlen) {

        return 0;

    }

    lenbyte = input[pos++];

    if (lenbyte & 0x80) {

        lenbyte -= 0x80;

        if (lenbyte > inputlen - pos) {

            return 0;

        }

        pos += lenbyte;

    }


    /* Integer tag byte for R */

    if (pos == inputlen || input[pos] != 0x02) {

        return 0;

    }

    pos++;


    /* Integer length for R */

    if (pos == inputlen) {

        return 0;

    }

    lenbyte = input[pos++];

    if (lenbyte & 0x80) {

        lenbyte -= 0x80;

        if (lenbyte > inputlen - pos) {

            return 0;

        }

        while (lenbyte > 0 && input[pos] == 0) {

            pos++;

            lenbyte--;

        }

        static_assert(sizeof(size_t) >= 4, "size_t too small");

        if (lenbyte >= 4) {

            return 0;

        }

        rlen = 0;

        while (lenbyte > 0) {

            rlen = (rlen << 8) + input[pos];

            pos++;

            lenbyte--;

        }

    } else {

        rlen = lenbyte;

    }

    if (rlen > inputlen - pos) {

        return 0;

    }

    rpos = pos;

    pos += rlen;


    /* Integer tag byte for S */

    if (pos == inputlen || input[pos] != 0x02) {

        return 0;

    }

    pos++;


    /* Integer length for S */

    if (pos == inputlen) {

        return 0;

    }

    lenbyte = input[pos++];

    if (lenbyte & 0x80) {

        lenbyte -= 0x80;

        if (lenbyte > inputlen - pos) {

            return 0;

        }

        while (lenbyte > 0 && input[pos] == 0) {

            pos++;

            lenbyte--;

        }

        static_assert(sizeof(size_t) >= 4, "size_t too small");

        if (lenbyte >= 4) {

            return 0;

        }

        slen = 0;

        while (lenbyte > 0) {

            slen = (slen << 8) + input[pos];

            pos++;

            lenbyte--;

        }

    } else {

        slen = lenbyte;

    }

    if (slen > inputlen - pos) {

        return 0;

    }

    spos = pos;


    /* Ignore leading zeroes in R */

    while (rlen > 0 && input[rpos] == 0) {

        rlen--;

        rpos++;

    }

    /* Copy R value */

    if (rlen > 32) {

        overflow = 1;

    } else {

        memcpy(tmpsig + 32 - rlen, input + rpos, rlen);

    }


    /* Ignore leading zeroes in S */

    while (slen > 0 && input[spos] == 0) {

        slen--;

        spos++;

    }

    /* Copy S value */

    if (slen > 32) {

        overflow = 1;

    } else {

        memcpy(tmpsig + 64 - slen, input + spos, slen);

    }


    if (!overflow) {

        overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);

    }

    if (overflow) {

        /* Overwrite the result again with a correctly-parsed but invalid

           signature if parsing failed. */

        memset(tmpsig, 0, 64);

        secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);

    }

    return 1;

}


constexpr XOnlyPubKey XOnlyPubKey::NUMS_H{

    // Use immediate lambda to work around GCC-14 bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117966

    []() consteval { return XOnlyPubKey{"50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0"_hex_u8}; }(),

};


std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const

{

    std::vector<CKeyID> out;

    // For now, use the old full pubkey-based key derivation logic. As it is indexed by

    // Hash160(full pubkey), we need to return both a version prefixed with 0x02, and one

    // with 0x03.

    unsigned char b[33] = {0x02};

    std::copy(m_keydata.begin(), m_keydata.end(), b + 1);

    CPubKey fullpubkey;

    fullpubkey.Set(b, b + 33);

    out.push_back(fullpubkey.GetID());

    b[0] = 0x03;

    fullpubkey.Set(b, b + 33);

    out.push_back(fullpubkey.GetID());

    return out;

}


CPubKey XOnlyPubKey::GetEvenCorrespondingCPubKey() const

{

    unsigned char full_key[CPubKey::COMPRESSED_SIZE] = {0x02};

    std::copy(begin(), end(), full_key + 1);

    return CPubKey{full_key};

}


bool XOnlyPubKey::IsFullyValid() const

{

    secp256k1_xonly_pubkey pubkey;

    return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data());

}


bool XOnlyPubKey::VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const

{

    assert(sigbytes.size() == 64);

    secp256k1_xonly_pubkey pubkey;

    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false;

    return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey);

}


static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")};


uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const

{

    if (merkle_root == nullptr) {

        // We have no scripts. The actual tweak does not matter, but follow BIP341 here to

        // allow for reproducible tweaking.

        return (HashWriter{HASHER_TAPTWEAK} << m_keydata).GetSHA256();

    } else {

        return (HashWriter{HASHER_TAPTWEAK} << m_keydata << *merkle_root).GetSHA256();

    }

}


bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const

{

    secp256k1_xonly_pubkey internal_key;

    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_key, internal.data())) return false;

    uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);

    return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_static, m_keydata.begin(), parity, &internal_key, tweak.begin());

}


std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const

{

    secp256k1_xonly_pubkey base_point;

    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &base_point, data())) return std::nullopt;

    secp256k1_pubkey out;

    uint256 tweak = ComputeTapTweakHash(merkle_root);

    if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &out, &base_point, tweak.data())) return std::nullopt;

    int parity = -1;

    std::pair<XOnlyPubKey, bool> ret;

    secp256k1_xonly_pubkey out_xonly;

    if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &out_xonly, &parity, &out)) return std::nullopt;

    secp256k1_xonly_pubkey_serialize(secp256k1_context_static, ret.first.begin(), &out_xonly);

    assert(parity == 0 || parity == 1);

    ret.second = parity;

    return ret;

}


bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {

    if (!IsValid())

        return false;

    secp256k1_pubkey pubkey;

    secp256k1_ecdsa_signature sig;

    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {

        return false;

    }

    if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {

        return false;

    }

    /* libsecp256k1's ECDSA verification requires lower-S signatures, which have

     * not historically been enforced in Bitcoin, so normalize them first. */

    secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);

    return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);

}


bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {

    if (vchSig.size() != COMPACT_SIGNATURE_SIZE)

        return false;

    int recid = (vchSig[0] - 27) & 3;

    bool fComp = ((vchSig[0] - 27) & 4) != 0;

    secp256k1_pubkey pubkey;

    secp256k1_ecdsa_recoverable_signature sig;

    if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) {

        return false;

    }

    if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) {

        return false;

    }

    unsigned char pub[SIZE];

    size_t publen = SIZE;

    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);

    Set(pub, pub + publen);

    return true;

}


bool CPubKey::IsFullyValid() const {

    if (!IsValid())

        return false;

    secp256k1_pubkey pubkey;

    return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size());

}


bool CPubKey::Decompress() {

    if (!IsValid())

        return false;

    secp256k1_pubkey pubkey;

    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {

        return false;

    }

    unsigned char pub[SIZE];

    size_t publen = SIZE;

    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);

    Set(pub, pub + publen);

    return true;

}


bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {

    assert(IsValid());

    assert((nChild >> 31) == 0);

    assert(size() == COMPRESSED_SIZE);

    unsigned char out[64];

    BIP32Hash(cc, nChild, *begin(), begin()+1, out);

    memcpy(ccChild.begin(), out+32, 32);

    secp256k1_pubkey pubkey;

    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {

        return false;

    }

    if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) {

        return false;

    }

    unsigned char pub[COMPRESSED_SIZE];

    size_t publen = COMPRESSED_SIZE;

    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);

    pubkeyChild.Set(pub, pub + publen);

    return true;

}


EllSwiftPubKey::EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept

{

    assert(ellswift.size() == SIZE);

    std::copy(ellswift.begin(), ellswift.end(), m_pubkey.begin());

}


CPubKey EllSwiftPubKey::Decode() const

{

    secp256k1_pubkey pubkey;

    secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));


    size_t sz = CPubKey::COMPRESSED_SIZE;

    std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;


    secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);

    assert(sz == vch_bytes.size());


    return CPubKey{vch_bytes.begin(), vch_bytes.end()};

}


void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {

    code[0] = nDepth;

    memcpy(code+1, vchFingerprint, 4);

    WriteBE32(code+5, nChild);

    memcpy(code+9, chaincode.begin(), 32);

    assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);

    memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);

}


void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {

    nDepth = code[0];

    memcpy(vchFingerprint, code+1, 4);

    nChild = ReadBE32(code+5);

    memcpy(chaincode.begin(), code+9, 32);

    pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);

    if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || !pubkey.IsFullyValid()) pubkey = CPubKey();

}


void CExtPubKey::EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const

{

    memcpy(code, version, 4);

    Encode(&code[4]);

}


void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])

{

    memcpy(version, code, 4);

    Decode(&code[4]);

}


bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {

    if (nDepth == std::numeric_limits<unsigned char>::max()) return false;

    out.nDepth = nDepth + 1;

    CKeyID id = pubkey.GetID();

    memcpy(out.vchFingerprint, &id, 4);

    out.nChild = _nChild;

    return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);

}


/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {

    secp256k1_ecdsa_signature sig;

    if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {

        return false;

    }

    return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig));

}

ret
int ret
Definition: bitcoin-cli.cpp:1340

CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:24

CPubKey
An encapsulated public key.
Definition: pubkey.h:34

CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:294

CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:164

CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40

CPubKey::CheckLowS
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:415

CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:189

CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:321

CPubKey::Verify
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:277

CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:39

CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:314

CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:112

CPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:114

CPubKey::vch
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:57

CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:335

CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:42

CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:89

HashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:101

XOnlyPubKey
Definition: pubkey.h:231

XOnlyPubKey::end
const unsigned char * end() const
Definition: pubkey.h:296

XOnlyPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:295

XOnlyPubKey::CreateTapTweak
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:259

XOnlyPubKey::CheckTapTweak
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:251

XOnlyPubKey::NUMS_H
static const XOnlyPubKey NUMS_H
Nothing Up My Sleeve point H Used as an internal key for provably disabling the key path spend see BI...
Definition: pubkey.h:239

XOnlyPubKey::data
const unsigned char * data() const
Definition: pubkey.h:294

XOnlyPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &msg, std::span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:230

XOnlyPubKey::GetEvenCorrespondingCPubKey
CPubKey GetEvenCorrespondingCPubKey() const
Definition: pubkey.cpp:217

XOnlyPubKey::m_keydata
uint256 m_keydata
Definition: pubkey.h:233

XOnlyPubKey::IsFullyValid
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:224

XOnlyPubKey::GetKeyIDs
std::vector< CKeyID > GetKeyIDs() const
Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
Definition: pubkey.cpp:200

XOnlyPubKey::ComputeTapTweakHash
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:240

base_blob::end
constexpr unsigned char * end()
Definition: uint256.h:102

base_blob::begin
constexpr unsigned char * begin()
Definition: uint256.h:101

base_blob::data
constexpr const unsigned char * data() const
Definition: uint256.h:98

uint256
256-bit opaque blob.
Definition: uint256.h:196

ReadLE32
uint32_t ReadLE32(const B *ptr)
Definition: common.h:27

WriteBE32
void WriteBE32(B *ptr, uint32_t x)
Definition: common.h:95

ReadBE32
uint32_t ReadBE32(const B *ptr)
Definition: common.h:72

BIP32Hash
void BIP32Hash(const ChainCode &chainCode, unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64])
Definition: hash.cpp:71

TaggedHash
HashWriter TaggedHash(const std::string &tag)
Return a HashWriter primed for tagged hashes (as specified in BIP 340).
Definition: hash.cpp:85

tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64

tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52

tests_wycheproof_generate_ecdsa.out
string out
Definition: tests_wycheproof_generate_ecdsa.py:24

util::hex_literals
""_hex is a compile-time user-defined literal returning a std::array<std::byte>, equivalent to ParseH...
Definition: strencodings.h:384

HASHER_TAPTWEAK
static const HashWriter HASHER_TAPTWEAK
Definition: pubkey.cpp:238

ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:45

pubkey.h

BIP32_EXTKEY_WITH_VERSION_SIZE
const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE
Definition: pubkey.h:20

BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19

hash.h

secp256k1.h

secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385

secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268

secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250

secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:86

SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:212

secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450

secp256k1_context_static
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:233

secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431

secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687

SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:213

secp256k1_ellswift.h

secp256k1_ellswift_decode
SECP256K1_API int secp256k1_ellswift_decode(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *ell64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Decode a 64-bytes ElligatorSwift encoded public key.
Definition: main_impl.h:489

secp256k1_extrakeys.h

secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99

secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44

secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135

secp256k1_xonly_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Definition: main_impl.h:118

secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22

secp256k1_recovery.h

secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38

secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137

secp256k1_schnorrsig.h

secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:223

span.h

UCharCast
unsigned char * UCharCast(char *c)
Definition: span.h:95

strencodings.h

CExtPubKey
Definition: pubkey.h:342

CExtPubKey::version
unsigned char version[4]
Definition: pubkey.h:343

CExtPubKey::Encode
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:376

CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:347

CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:406

CExtPubKey::DecodeWithVersion
void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
Definition: pubkey.cpp:400

CExtPubKey::EncodeWithVersion
void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
Definition: pubkey.cpp:394

CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:345

CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:344

CExtPubKey::Decode
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:385

CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:348

CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:346

EllSwiftPubKey::m_pubkey
std::array< std::byte, SIZE > m_pubkey
Definition: pubkey.h:313

EllSwiftPubKey::Decode
CPubKey Decode() const
Decode to normal compressed CPubKey (for debugging purposes).
Definition: pubkey.cpp:362

EllSwiftPubKey::EllSwiftPubKey
EllSwiftPubKey() noexcept=default
Default constructor creates all-zero pubkey (which is valid).

secp256k1_ecdsa_recoverable_signature
Opaque data structure that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24

secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74

secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:75

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61

secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22

uint256.h

assert
assert(!tx.IsCoinBase())