Bitcoin Core 31.99.0
P2P Digital Currency
pubkey.h
Go to the documentation of this file.
1// Copyright (c) 2009-2010 Satoshi Nakamoto
2// Copyright (c) 2009-present The Bitcoin Core developers
3// Copyright (c) 2017 The Zcash developers
4// Distributed under the MIT software license, see the accompanying
5// file COPYING or http://www.opensource.org/licenses/mit-license.php.
6
7#ifndef BITCOIN_PUBKEY_H
8#define BITCOIN_PUBKEY_H
9
10#include <hash.h>
11#include <serialize.h>
12#include <span.h>
13#include <uint256.h>
14
15#include <cstring>
16#include <optional>
17#include <vector>
18
19const unsigned int BIP32_EXTKEY_SIZE = 74;
20const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE = 78;
21
23class CKeyID : public uint160
24{
25public:
26 CKeyID() : uint160() {}
27 explicit CKeyID(const uint160& in) : uint160(in) {}
28};
29
31class CPubKey
32{
33public:
37 static constexpr unsigned int SIZE = 65;
38 static constexpr unsigned int COMPRESSED_SIZE = 33;
39 static constexpr unsigned int SIGNATURE_SIZE = 72;
40 static constexpr unsigned int COMPACT_SIGNATURE_SIZE = 65;
45 static_assert(
46 SIZE >= COMPRESSED_SIZE,
47 "COMPRESSED_SIZE is larger than SIZE");
48
49private:
50
55 unsigned char vch[SIZE];
56
58 unsigned int static GetLen(unsigned char chHeader)
59 {
60 if (chHeader == 2 || chHeader == 3)
61 return COMPRESSED_SIZE;
62 if (chHeader == 4 || chHeader == 6 || chHeader == 7)
63 return SIZE;
64 return 0;
65 }
66
68 void Invalidate()
69 {
70 vch[0] = 0xFF;
71 }
72
73public:
74
75 bool static ValidSize(const std::vector<unsigned char> &vch) {
76 return vch.size() > 0 && GetLen(vch[0]) == vch.size();
77 }
78
80 CPubKey()
81 {
82 Invalidate();
83 }
84
86 template <typename T>
87 void Set(const T pbegin, const T pend)
88 {
89 int len = pend == pbegin ? 0 : GetLen(pbegin[0]);
90 if (len && len == (pend - pbegin))
91 memcpy(vch, (unsigned char*)&pbegin[0], len);
92 else
93 Invalidate();
94 }
95
97 template <typename T>
98 CPubKey(const T pbegin, const T pend)
99 {
100 Set(pbegin, pend);
101 }
102
104 explicit CPubKey(std::span<const uint8_t> _vch)
105 {
106 Set(_vch.begin(), _vch.end());
107 }
108
110 unsigned int size() const { return GetLen(vch[0]); }
111 const unsigned char* data() const { return vch; }
112 const unsigned char* begin() const { return vch; }
113 const unsigned char* end() const { return vch + size(); }
114 const unsigned char& operator[](unsigned int pos) const { return vch[pos]; }
115
117 friend bool operator==(const CPubKey& a, const CPubKey& b)
118 {
119 return a.vch[0] == b.vch[0] &&
120 memcmp(a.vch, b.vch, a.size()) == 0;
121 }
122 friend bool operator<(const CPubKey& a, const CPubKey& b)
123 {
124 return a.vch[0] < b.vch[0] ||
125 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) < 0);
126 }
127 friend bool operator>(const CPubKey& a, const CPubKey& b)
128 {
129 return a.vch[0] > b.vch[0] ||
130 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) > 0);
131 }
132
134 template <typename Stream>
135 void Serialize(Stream& s) const
136 {
137 unsigned int len = size();
138 ::WriteCompactSize(s, len);
139 s << std::span{vch, len};
140 }
141 template <typename Stream>
142 void Unserialize(Stream& s)
143 {
144 const unsigned int len(::ReadCompactSize(s));
145 if (len <= SIZE) {
146 s >> std::span{vch, len};
147 if (len != size()) {
148 Invalidate();
149 }
150 } else {
151 // invalid pubkey, skip available data
152 s.ignore(len);
153 Invalidate();
154 }
155 }
156
158 CKeyID GetID() const
159 {
160 return CKeyID(Hash160(std::span{vch}.first(size())));
161 }
162
164 uint256 GetHash() const
165 {
166 return Hash(std::span{vch}.first(size()));
167 }
168
169 /*
170 * Check syntactic correctness.
171 *
172 * When setting a pubkey (Set()) or deserializing fails (its header bytes
173 * don't match the length of the data), the size is set to 0. Thus,
174 * by checking size, one can observe whether Set() or deserialization has
175 * failed.
176 *
177 * This does not check for more than that. In particular, it does not verify
178 * that the coordinates correspond to a point on the curve (see IsFullyValid()
179 * for that instead).
180 *
181 * Note that this is consensus critical as CheckECDSASignature() calls it!
182 */
183 bool IsValid() const
184 {
185 return size() > 0;
186 }
187
189 bool IsValidNonHybrid() const noexcept
190 {
191 return size() > 0 && (vch[0] == 0x02 || vch[0] == 0x03 || vch[0] == 0x04);
192 }
193
195 bool IsFullyValid() const;
196
198 bool IsCompressed() const
199 {
200 return size() == COMPRESSED_SIZE;
201 }
202
207 bool Verify(const uint256& hash, const std::vector<unsigned char>& vchSig) const;
208
212 static bool CheckLowS(const std::vector<unsigned char>& vchSig);
213
215 bool RecoverCompact(const uint256& hash, const std::vector<unsigned char>& vchSig);
216
218 bool Decompress();
219
221 [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out = nullptr) const;
222};
223
224class XOnlyPubKey
225{
226private:
227 uint256 m_keydata;
228
229public:
233 static const XOnlyPubKey NUMS_H;
234
236 XOnlyPubKey() = default;
237
238 XOnlyPubKey(const XOnlyPubKey&) = default;
239 XOnlyPubKey& operator=(const XOnlyPubKey&) = default;
240
244 bool IsFullyValid() const;
245
248 bool IsNull() const { return m_keydata.IsNull(); }
249
251 constexpr explicit XOnlyPubKey(std::span<const unsigned char> bytes) : m_keydata{bytes} {}
252
254 explicit XOnlyPubKey(const CPubKey& pubkey) : XOnlyPubKey(std::span{pubkey}.subspan(1, 32)) {}
255
260 bool VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const;
261
270 uint256 ComputeTapTweakHash(const uint256* merkle_root) const;
271
274 bool CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const;
275
277 std::optional<std::pair<XOnlyPubKey, bool>> CreateTapTweak(const uint256* merkle_root) const;
278
284 std::vector<CKeyID> GetKeyIDs() const;
286 std::vector<CPubKey> GetCPubKeys() const;
287
288 CPubKey GetEvenCorrespondingCPubKey() const;
289
290 const unsigned char& operator[](int pos) const { return *(m_keydata.begin() + pos); }
291 static constexpr size_t size() { return decltype(m_keydata)::size(); }
292 const unsigned char* data() const { return m_keydata.begin(); }
293 const unsigned char* begin() const { return m_keydata.begin(); }
294 const unsigned char* end() const { return m_keydata.end(); }
295 unsigned char* data() { return m_keydata.begin(); }
296 unsigned char* begin() { return m_keydata.begin(); }
297 unsigned char* end() { return m_keydata.end(); }
298 bool operator==(const XOnlyPubKey& other) const { return m_keydata == other.m_keydata; }
299 bool operator<(const XOnlyPubKey& other) const { return m_keydata < other.m_keydata; }
300
302 SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); }
303};
304
306struct EllSwiftPubKey
307{
308private:
309 static constexpr size_t SIZE = 64;
310 std::array<std::byte, SIZE> m_pubkey;
311
312public:
314 EllSwiftPubKey() noexcept = default;
315
317 EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept;
318
320 CPubKey Decode() const;
321
322 // Read-only access for serialization.
323 const std::byte* data() const { return m_pubkey.data(); }
324 static constexpr size_t size() { return SIZE; }
325 auto begin() const { return m_pubkey.cbegin(); }
326 auto end() const { return m_pubkey.cend(); }
327
328 bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
329 {
330 return a.m_pubkey == b.m_pubkey;
331 }
332};
333
334struct CExtPubKey {
335 unsigned char version[4];
336 unsigned char nDepth;
337 unsigned char vchFingerprint[4];
338 unsigned int nChild;
339 ChainCode chaincode;
340 CPubKey pubkey;
341
342 friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
343 {
344 return a.nDepth == b.nDepth &&
345 memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 &&
346 a.nChild == b.nChild &&
347 a.chaincode == b.chaincode &&
348 a.pubkey == b.pubkey;
349 }
350
351 friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
352 {
353 if (a.pubkey < b.pubkey) {
354 return true;
355 } else if (a.pubkey > b.pubkey) {
356 return false;
357 }
358 return a.chaincode < b.chaincode;
359 }
360
361 void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
362 void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
363 void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const;
364 void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]);
365 [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild, uint256* bip32_tweak_out = nullptr) const;
366};
367
368#endif // BITCOIN_PUBKEY_H
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:24
CKeyID::CKeyID
CKeyID()
Definition: pubkey.h:26
CKeyID::CKeyID
CKeyID(const uint160 &in)
Definition: pubkey.h:27
CPubKey
An encapsulated public key.
Definition: pubkey.h:32
CPubKey::data
const unsigned char * data() const
Definition: pubkey.h:111
CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:300
CPubKey::IsCompressed
bool IsCompressed() const
Check whether this is a compressed public key.
Definition: pubkey.h:198
CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:158
CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:38
CPubKey::CPubKey
CPubKey()
Construct an invalid public key.
Definition: pubkey.h:80
CPubKey::CheckLowS
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:424
CPubKey::CPubKey
CPubKey(std::span< const uint8_t > _vch)
Construct a public key from a byte vector.
Definition: pubkey.h:104
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:183
CPubKey::operator>
friend bool operator>(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:127
CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:327
CPubKey::end
const unsigned char * end() const
Definition: pubkey.h:113
CPubKey::Verify
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:283
CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:37
CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:320
CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:110
CPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:112
CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc, uint256 *bip32_tweak_out=nullptr) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:341
CPubKey::ValidSize
static bool ValidSize(const std::vector< unsigned char > &vch)
Definition: pubkey.h:75
CPubKey::GetLen
unsigned static int GetLen(unsigned char chHeader)
Compute the length of a pubkey with a given first byte.
Definition: pubkey.h:58
CPubKey::operator==
friend bool operator==(const CPubKey &a, const CPubKey &b)
Comparator implementation.
Definition: pubkey.h:117
CPubKey::Serialize
void Serialize(Stream &s) const
Implement serialization, as if this was a byte vector.
Definition: pubkey.h:135
CPubKey::vch
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:55
CPubKey::CPubKey
CPubKey(const T pbegin, const T pend)
Construct a public key using begin/end iterators to byte data.
Definition: pubkey.h:98
CPubKey::Invalidate
void Invalidate()
Set this key data to be invalid.
Definition: pubkey.h:68
CPubKey::Unserialize
void Unserialize(Stream &s)
Definition: pubkey.h:142
CPubKey::GetHash
uint256 GetHash() const
Get the 256-bit hash of this public key.
Definition: pubkey.h:164
CPubKey::operator[]
const unsigned char & operator[](unsigned int pos) const
Definition: pubkey.h:114
CPubKey::SIGNATURE_SIZE
static constexpr unsigned int SIGNATURE_SIZE
Definition: pubkey.h:39
CPubKey::IsValidNonHybrid
bool IsValidNonHybrid() const noexcept
Check if a public key is a syntactically valid compressed or uncompressed key.
Definition: pubkey.h:189
CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:40
CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:87
CPubKey::operator<
friend bool operator<(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:122
ChainCode
A BIP32 chain code.
Definition: hash.h:23
XOnlyPubKey::end
unsigned char * end()
Definition: pubkey.h:297
XOnlyPubKey::begin
unsigned char * begin()
Definition: pubkey.h:296
XOnlyPubKey::operator=
XOnlyPubKey & operator=(const XOnlyPubKey &)=default
XOnlyPubKey::end
const unsigned char * end() const
Definition: pubkey.h:294
XOnlyPubKey::GetCPubKeys
std::vector< CPubKey > GetCPubKeys() const
Returns this XOnlyPubKey with 0x02 and 0x03 prefixes.
Definition: pubkey.cpp:200
XOnlyPubKey::IsNull
bool IsNull() const
Test whether this is the 0 key (the result of default construction).
Definition: pubkey.h:248
XOnlyPubKey::data
unsigned char * data()
Definition: pubkey.h:295
XOnlyPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:293
XOnlyPubKey::CreateTapTweak
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:265
XOnlyPubKey::CheckTapTweak
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:257
XOnlyPubKey::NUMS_H
static const XOnlyPubKey NUMS_H
Nothing Up My Sleeve point H Used as an internal key for provably disabling the key path spend see BI...
Definition: pubkey.h:233
XOnlyPubKey::size
static constexpr size_t size()
Definition: pubkey.h:291
XOnlyPubKey::XOnlyPubKey
constexpr XOnlyPubKey(std::span< const unsigned char > bytes)
Construct an x-only pubkey from exactly 32 bytes.
Definition: pubkey.h:251
XOnlyPubKey::data
const unsigned char * data() const
Definition: pubkey.h:292
XOnlyPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &msg, std::span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:236
XOnlyPubKey::SERIALIZE_METHODS
SERIALIZE_METHODS(XOnlyPubKey, obj)
Implement serialization without length prefixes since it is a fixed length.
Definition: pubkey.h:302
XOnlyPubKey::GetEvenCorrespondingCPubKey
CPubKey GetEvenCorrespondingCPubKey() const
Definition: pubkey.cpp:223
XOnlyPubKey::m_keydata
uint256 m_keydata
Definition: pubkey.h:227
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey(const XOnlyPubKey &)=default
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey(const CPubKey &pubkey)
Construct an x-only pubkey from a normal pubkey.
Definition: pubkey.h:254
XOnlyPubKey::operator<
bool operator<(const XOnlyPubKey &other) const
Definition: pubkey.h:299
XOnlyPubKey::IsFullyValid
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:230
XOnlyPubKey::GetKeyIDs
std::vector< CKeyID > GetKeyIDs() const
Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
Definition: pubkey.cpp:214
XOnlyPubKey::ComputeTapTweakHash
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:246
XOnlyPubKey::operator[]
const unsigned char & operator[](int pos) const
Definition: pubkey.h:290
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey()=default
Construct an empty x-only pubkey.
XOnlyPubKey::operator==
bool operator==(const XOnlyPubKey &other) const
Definition: pubkey.h:298
base_blob::IsNull
constexpr bool IsNull() const
Definition: uint256.h:49
base_blob::end
constexpr unsigned char * end()
Definition: uint256.h:102
base_blob::begin
constexpr unsigned char * begin()
Definition: uint256.h:101
uint160
160-bit opaque blob.
Definition: uint256.h:184
uint256
256-bit opaque blob.
Definition: uint256.h:196
Hash160
uint160 Hash160(const T1 &in1)
Compute the 160-bit hash an object.
Definition: hash.h:100
Hash
uint256 Hash(const T &in1)
Compute the 256-bit hash of an object.
Definition: hash.h:83
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
tests_wycheproof_generate_ecdsa.out
string out
Definition: tests_wycheproof_generate_ecdsa.py:24
BIP32_EXTKEY_WITH_VERSION_SIZE
const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE
Definition: pubkey.h:20
BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
WriteCompactSize
void WriteCompactSize(SizeComputer &os, uint64_t nSize)
Definition: serialize.h:1151
ReadCompactSize
uint64_t ReadCompactSize(Stream &is, bool range_check=true)
Decode a CompactSize-encoded variable-length integer.
Definition: serialize.h:333
READWRITE
#define READWRITE(...)
Definition: serialize.h:148
CExtPubKey::operator==
friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:342
CExtPubKey::version
unsigned char version[4]
Definition: pubkey.h:335
CExtPubKey::Encode
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:385
CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:339
CExtPubKey::DecodeWithVersion
void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
Definition: pubkey.cpp:409
CExtPubKey::EncodeWithVersion
void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
Definition: pubkey.cpp:403
CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:337
CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:336
CExtPubKey::Decode
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:394
CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:340
CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:338
CExtPubKey::operator<
friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:351
CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild, uint256 *bip32_tweak_out=nullptr) const
Definition: pubkey.cpp:415
EllSwiftPubKey
An ElligatorSwift-encoded public key.
Definition: pubkey.h:307
EllSwiftPubKey::begin
auto begin() const
Definition: pubkey.h:325
EllSwiftPubKey::operator==
bool friend operator==(const EllSwiftPubKey &a, const EllSwiftPubKey &b)
Definition: pubkey.h:328
EllSwiftPubKey::m_pubkey
std::array< std::byte, SIZE > m_pubkey
Definition: pubkey.h:310
EllSwiftPubKey::Decode
CPubKey Decode() const
Decode to normal compressed CPubKey (for debugging purposes).
Definition: pubkey.cpp:371
EllSwiftPubKey::SIZE
static constexpr size_t SIZE
Definition: pubkey.h:309
EllSwiftPubKey::size
static constexpr size_t size()
Definition: pubkey.h:324
EllSwiftPubKey::data
const std::byte * data() const
Definition: pubkey.h:323
EllSwiftPubKey::EllSwiftPubKey
EllSwiftPubKey() noexcept=default
Default constructor creates all-zero pubkey (which is valid).
EllSwiftPubKey::end
auto end() const
Definition: pubkey.h:326
Generated on Sun Jun 14 2026 20:00:31 for Bitcoin Core by doxygen 1.9.4