Bitcoin Core 29.99.0
P2P Digital Currency
pubkey.h
Go to the documentation of this file.
1// Copyright (c) 2009-2010 Satoshi Nakamoto
2// Copyright (c) 2009-present The Bitcoin Core developers
3// Copyright (c) 2017 The Zcash developers
4// Distributed under the MIT software license, see the accompanying
5// file COPYING or http://www.opensource.org/licenses/mit-license.php.
6
7#ifndef BITCOIN_PUBKEY_H
8#define BITCOIN_PUBKEY_H
9
10#include <hash.h>
11#include <serialize.h>
12#include <span.h>
13#include <uint256.h>
14
15#include <cstring>
16#include <optional>
17#include <vector>
18
19const unsigned int BIP32_EXTKEY_SIZE = 74;
20const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE = 78;
21
23class CKeyID : public uint160
24{
25public:
26 CKeyID() : uint160() {}
27 explicit CKeyID(const uint160& in) : uint160(in) {}
28};
29
30typedef uint256 ChainCode;
31
33class CPubKey
34{
35public:
39 static constexpr unsigned int SIZE = 65;
40 static constexpr unsigned int COMPRESSED_SIZE = 33;
41 static constexpr unsigned int SIGNATURE_SIZE = 72;
42 static constexpr unsigned int COMPACT_SIGNATURE_SIZE = 65;
47 static_assert(
48 SIZE >= COMPRESSED_SIZE,
49 "COMPRESSED_SIZE is larger than SIZE");
50
51private:
52
57 unsigned char vch[SIZE];
58
60 unsigned int static GetLen(unsigned char chHeader)
61 {
62 if (chHeader == 2 || chHeader == 3)
63 return COMPRESSED_SIZE;
64 if (chHeader == 4 || chHeader == 6 || chHeader == 7)
65 return SIZE;
66 return 0;
67 }
68
70 void Invalidate()
71 {
72 vch[0] = 0xFF;
73 }
74
75public:
76
77 bool static ValidSize(const std::vector<unsigned char> &vch) {
78 return vch.size() > 0 && GetLen(vch[0]) == vch.size();
79 }
80
82 CPubKey()
83 {
84 Invalidate();
85 }
86
88 template <typename T>
89 void Set(const T pbegin, const T pend)
90 {
91 int len = pend == pbegin ? 0 : GetLen(pbegin[0]);
92 if (len && len == (pend - pbegin))
93 memcpy(vch, (unsigned char*)&pbegin[0], len);
94 else
95 Invalidate();
96 }
97
99 template <typename T>
100 CPubKey(const T pbegin, const T pend)
101 {
102 Set(pbegin, pend);
103 }
104
106 explicit CPubKey(std::span<const uint8_t> _vch)
107 {
108 Set(_vch.begin(), _vch.end());
109 }
110
112 unsigned int size() const { return GetLen(vch[0]); }
113 const unsigned char* data() const { return vch; }
114 const unsigned char* begin() const { return vch; }
115 const unsigned char* end() const { return vch + size(); }
116 const unsigned char& operator[](unsigned int pos) const { return vch[pos]; }
117
119 friend bool operator==(const CPubKey& a, const CPubKey& b)
120 {
121 return a.vch[0] == b.vch[0] &&
122 memcmp(a.vch, b.vch, a.size()) == 0;
123 }
124 friend bool operator!=(const CPubKey& a, const CPubKey& b)
125 {
126 return !(a == b);
127 }
128 friend bool operator<(const CPubKey& a, const CPubKey& b)
129 {
130 return a.vch[0] < b.vch[0] ||
131 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) < 0);
132 }
133 friend bool operator>(const CPubKey& a, const CPubKey& b)
134 {
135 return a.vch[0] > b.vch[0] ||
136 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) > 0);
137 }
138
140 template <typename Stream>
141 void Serialize(Stream& s) const
142 {
143 unsigned int len = size();
144 ::WriteCompactSize(s, len);
145 s << std::span{vch, len};
146 }
147 template <typename Stream>
148 void Unserialize(Stream& s)
149 {
150 const unsigned int len(::ReadCompactSize(s));
151 if (len <= SIZE) {
152 s >> std::span{vch, len};
153 if (len != size()) {
154 Invalidate();
155 }
156 } else {
157 // invalid pubkey, skip available data
158 s.ignore(len);
159 Invalidate();
160 }
161 }
162
164 CKeyID GetID() const
165 {
166 return CKeyID(Hash160(std::span{vch}.first(size())));
167 }
168
170 uint256 GetHash() const
171 {
172 return Hash(std::span{vch}.first(size()));
173 }
174
175 /*
176 * Check syntactic correctness.
177 *
178 * When setting a pubkey (Set()) or deserializing fails (its header bytes
179 * don't match the length of the data), the size is set to 0. Thus,
180 * by checking size, one can observe whether Set() or deserialization has
181 * failed.
182 *
183 * This does not check for more than that. In particular, it does not verify
184 * that the coordinates correspond to a point on the curve (see IsFullyValid()
185 * for that instead).
186 *
187 * Note that this is consensus critical as CheckECDSASignature() calls it!
188 */
189 bool IsValid() const
190 {
191 return size() > 0;
192 }
193
195 bool IsValidNonHybrid() const noexcept
196 {
197 return size() > 0 && (vch[0] == 0x02 || vch[0] == 0x03 || vch[0] == 0x04);
198 }
199
201 bool IsFullyValid() const;
202
204 bool IsCompressed() const
205 {
206 return size() == COMPRESSED_SIZE;
207 }
208
213 bool Verify(const uint256& hash, const std::vector<unsigned char>& vchSig) const;
214
218 static bool CheckLowS(const std::vector<unsigned char>& vchSig);
219
221 bool RecoverCompact(const uint256& hash, const std::vector<unsigned char>& vchSig);
222
224 bool Decompress();
225
227 [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
228};
229
230class XOnlyPubKey
231{
232private:
233 uint256 m_keydata;
234
235public:
239 static const XOnlyPubKey NUMS_H;
240
242 XOnlyPubKey() = default;
243
244 XOnlyPubKey(const XOnlyPubKey&) = default;
245 XOnlyPubKey& operator=(const XOnlyPubKey&) = default;
246
250 bool IsFullyValid() const;
251
254 bool IsNull() const { return m_keydata.IsNull(); }
255
257 constexpr explicit XOnlyPubKey(std::span<const unsigned char> bytes) : m_keydata{bytes} {}
258
260 explicit XOnlyPubKey(const CPubKey& pubkey) : XOnlyPubKey(std::span{pubkey}.subspan(1, 32)) {}
261
266 bool VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const;
267
276 uint256 ComputeTapTweakHash(const uint256* merkle_root) const;
277
280 bool CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const;
281
283 std::optional<std::pair<XOnlyPubKey, bool>> CreateTapTweak(const uint256* merkle_root) const;
284
288 std::vector<CKeyID> GetKeyIDs() const;
289
290 CPubKey GetEvenCorrespondingCPubKey() const;
291
292 const unsigned char& operator[](int pos) const { return *(m_keydata.begin() + pos); }
293 static constexpr size_t size() { return decltype(m_keydata)::size(); }
294 const unsigned char* data() const { return m_keydata.begin(); }
295 const unsigned char* begin() const { return m_keydata.begin(); }
296 const unsigned char* end() const { return m_keydata.end(); }
297 unsigned char* data() { return m_keydata.begin(); }
298 unsigned char* begin() { return m_keydata.begin(); }
299 unsigned char* end() { return m_keydata.end(); }
300 bool operator==(const XOnlyPubKey& other) const { return m_keydata == other.m_keydata; }
301 bool operator!=(const XOnlyPubKey& other) const { return m_keydata != other.m_keydata; }
302 bool operator<(const XOnlyPubKey& other) const { return m_keydata < other.m_keydata; }
303
305 SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); }
306};
307
309struct EllSwiftPubKey
310{
311private:
312 static constexpr size_t SIZE = 64;
313 std::array<std::byte, SIZE> m_pubkey;
314
315public:
317 EllSwiftPubKey() noexcept = default;
318
320 EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept;
321
323 CPubKey Decode() const;
324
325 // Read-only access for serialization.
326 const std::byte* data() const { return m_pubkey.data(); }
327 static constexpr size_t size() { return SIZE; }
328 auto begin() const { return m_pubkey.cbegin(); }
329 auto end() const { return m_pubkey.cend(); }
330
331 bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
332 {
333 return a.m_pubkey == b.m_pubkey;
334 }
335
336 bool friend operator!=(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
337 {
338 return a.m_pubkey != b.m_pubkey;
339 }
340};
341
342struct CExtPubKey {
343 unsigned char version[4];
344 unsigned char nDepth;
345 unsigned char vchFingerprint[4];
346 unsigned int nChild;
347 ChainCode chaincode;
348 CPubKey pubkey;
349
350 friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
351 {
352 return a.nDepth == b.nDepth &&
353 memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 &&
354 a.nChild == b.nChild &&
355 a.chaincode == b.chaincode &&
356 a.pubkey == b.pubkey;
357 }
358
359 friend bool operator!=(const CExtPubKey &a, const CExtPubKey &b)
360 {
361 return !(a == b);
362 }
363
364 friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
365 {
366 if (a.pubkey < b.pubkey) {
367 return true;
368 } else if (a.pubkey > b.pubkey) {
369 return false;
370 }
371 return a.chaincode < b.chaincode;
372 }
373
374 void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
375 void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
376 void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const;
377 void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]);
378 [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild) const;
379};
380
381#endif // BITCOIN_PUBKEY_H
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:24
CKeyID::CKeyID
CKeyID()
Definition: pubkey.h:26
CKeyID::CKeyID
CKeyID(const uint160 &in)
Definition: pubkey.h:27
CPubKey
An encapsulated public key.
Definition: pubkey.h:34
CPubKey::data
const unsigned char * data() const
Definition: pubkey.h:113
CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:294
CPubKey::IsCompressed
bool IsCompressed() const
Check whether this is a compressed public key.
Definition: pubkey.h:204
CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:164
CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40
CPubKey::CPubKey
CPubKey()
Construct an invalid public key.
Definition: pubkey.h:82
CPubKey::CheckLowS
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:415
CPubKey::CPubKey
CPubKey(std::span< const uint8_t > _vch)
Construct a public key from a byte vector.
Definition: pubkey.h:106
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:189
CPubKey::operator>
friend bool operator>(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:133
CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:321
CPubKey::end
const unsigned char * end() const
Definition: pubkey.h:115
CPubKey::Verify
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:277
CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:39
CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:314
CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:112
CPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:114
CPubKey::ValidSize
static bool ValidSize(const std::vector< unsigned char > &vch)
Definition: pubkey.h:77
CPubKey::GetLen
unsigned static int GetLen(unsigned char chHeader)
Compute the length of a pubkey with a given first byte.
Definition: pubkey.h:60
CPubKey::operator==
friend bool operator==(const CPubKey &a, const CPubKey &b)
Comparator implementation.
Definition: pubkey.h:119
CPubKey::Serialize
void Serialize(Stream &s) const
Implement serialization, as if this was a byte vector.
Definition: pubkey.h:141
CPubKey::vch
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:57
CPubKey::CPubKey
CPubKey(const T pbegin, const T pend)
Construct a public key using begin/end iterators to byte data.
Definition: pubkey.h:100
CPubKey::Invalidate
void Invalidate()
Set this key data to be invalid.
Definition: pubkey.h:70
CPubKey::Unserialize
void Unserialize(Stream &s)
Definition: pubkey.h:148
CPubKey::GetHash
uint256 GetHash() const
Get the 256-bit hash of this public key.
Definition: pubkey.h:170
CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:335
CPubKey::operator[]
const unsigned char & operator[](unsigned int pos) const
Definition: pubkey.h:116
CPubKey::SIGNATURE_SIZE
static constexpr unsigned int SIGNATURE_SIZE
Definition: pubkey.h:41
CPubKey::IsValidNonHybrid
bool IsValidNonHybrid() const noexcept
Check if a public key is a syntactically valid compressed or uncompressed key.
Definition: pubkey.h:195
CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:42
CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:89
CPubKey::operator!=
friend bool operator!=(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:124
CPubKey::operator<
friend bool operator<(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:128
XOnlyPubKey::end
unsigned char * end()
Definition: pubkey.h:299
XOnlyPubKey::begin
unsigned char * begin()
Definition: pubkey.h:298
XOnlyPubKey::operator=
XOnlyPubKey & operator=(const XOnlyPubKey &)=default
XOnlyPubKey::end
const unsigned char * end() const
Definition: pubkey.h:296
XOnlyPubKey::IsNull
bool IsNull() const
Test whether this is the 0 key (the result of default construction).
Definition: pubkey.h:254
XOnlyPubKey::data
unsigned char * data()
Definition: pubkey.h:297
XOnlyPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:295
XOnlyPubKey::CreateTapTweak
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:259
XOnlyPubKey::CheckTapTweak
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:251
XOnlyPubKey::NUMS_H
static const XOnlyPubKey NUMS_H
Nothing Up My Sleeve point H Used as an internal key for provably disabling the key path spend see BI...
Definition: pubkey.h:239
XOnlyPubKey::size
static constexpr size_t size()
Definition: pubkey.h:293
XOnlyPubKey::XOnlyPubKey
constexpr XOnlyPubKey(std::span< const unsigned char > bytes)
Construct an x-only pubkey from exactly 32 bytes.
Definition: pubkey.h:257
XOnlyPubKey::data
const unsigned char * data() const
Definition: pubkey.h:294
XOnlyPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &msg, std::span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:230
XOnlyPubKey::SERIALIZE_METHODS
SERIALIZE_METHODS(XOnlyPubKey, obj)
Implement serialization without length prefixes since it is a fixed length.
Definition: pubkey.h:305
XOnlyPubKey::GetEvenCorrespondingCPubKey
CPubKey GetEvenCorrespondingCPubKey() const
Definition: pubkey.cpp:217
XOnlyPubKey::m_keydata
uint256 m_keydata
Definition: pubkey.h:233
XOnlyPubKey::operator!=
bool operator!=(const XOnlyPubKey &other) const
Definition: pubkey.h:301
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey(const XOnlyPubKey &)=default
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey(const CPubKey &pubkey)
Construct an x-only pubkey from a normal pubkey.
Definition: pubkey.h:260
XOnlyPubKey::operator<
bool operator<(const XOnlyPubKey &other) const
Definition: pubkey.h:302
XOnlyPubKey::IsFullyValid
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:224
XOnlyPubKey::GetKeyIDs
std::vector< CKeyID > GetKeyIDs() const
Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
Definition: pubkey.cpp:200
XOnlyPubKey::ComputeTapTweakHash
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:240
XOnlyPubKey::operator[]
const unsigned char & operator[](int pos) const
Definition: pubkey.h:292
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey()=default
Construct an empty x-only pubkey.
XOnlyPubKey::operator==
bool operator==(const XOnlyPubKey &other) const
Definition: pubkey.h:300
base_blob::IsNull
constexpr bool IsNull() const
Definition: uint256.h:48
base_blob::end
constexpr unsigned char * end()
Definition: uint256.h:102
base_blob::begin
constexpr unsigned char * begin()
Definition: uint256.h:101
uint160
160-bit opaque blob.
Definition: uint256.h:184
uint256
256-bit opaque blob.
Definition: uint256.h:196
Hash160
uint160 Hash160(const T1 &in1)
Compute the 160-bit hash an object.
Definition: hash.h:92
Hash
uint256 Hash(const T &in1)
Compute the 256-bit hash of an object.
Definition: hash.h:75
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
tests_wycheproof_generate_ecdsa.out
string out
Definition: tests_wycheproof_generate_ecdsa.py:24
BIP32_EXTKEY_WITH_VERSION_SIZE
const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE
Definition: pubkey.h:20
BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
ChainCode
uint256 ChainCode
Definition: pubkey.h:30
WriteCompactSize
void WriteCompactSize(SizeComputer &os, uint64_t nSize)
Definition: serialize.h:1099
ReadCompactSize
uint64_t ReadCompactSize(Stream &is, bool range_check=true)
Decode a CompactSize-encoded variable-length integer.
Definition: serialize.h:341
READWRITE
#define READWRITE(...)
Definition: serialize.h:156
CExtPubKey::operator==
friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:350
CExtPubKey::version
unsigned char version[4]
Definition: pubkey.h:343
CExtPubKey::Encode
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:376
CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:347
CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:406
CExtPubKey::DecodeWithVersion
void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
Definition: pubkey.cpp:400
CExtPubKey::EncodeWithVersion
void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
Definition: pubkey.cpp:394
CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:345
CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:344
CExtPubKey::operator!=
friend bool operator!=(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:359
CExtPubKey::Decode
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:385
CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:348
CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:346
CExtPubKey::operator<
friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:364
EllSwiftPubKey
An ElligatorSwift-encoded public key.
Definition: pubkey.h:310
EllSwiftPubKey::begin
auto begin() const
Definition: pubkey.h:328
EllSwiftPubKey::operator==
bool friend operator==(const EllSwiftPubKey &a, const EllSwiftPubKey &b)
Definition: pubkey.h:331
EllSwiftPubKey::m_pubkey
std::array< std::byte, SIZE > m_pubkey
Definition: pubkey.h:313
EllSwiftPubKey::Decode
CPubKey Decode() const
Decode to normal compressed CPubKey (for debugging purposes).
Definition: pubkey.cpp:362
EllSwiftPubKey::SIZE
static constexpr size_t SIZE
Definition: pubkey.h:312
EllSwiftPubKey::operator!=
bool friend operator!=(const EllSwiftPubKey &a, const EllSwiftPubKey &b)
Definition: pubkey.h:336
EllSwiftPubKey::size
static constexpr size_t size()
Definition: pubkey.h:327
EllSwiftPubKey::data
const std::byte * data() const
Definition: pubkey.h:326
EllSwiftPubKey::EllSwiftPubKey
EllSwiftPubKey() noexcept=default
Default constructor creates all-zero pubkey (which is valid).
EllSwiftPubKey::end
auto end() const
Definition: pubkey.h:329
Generated on Thu Jun 26 2025 20:00:10 for Bitcoin Core by doxygen 1.9.4