Bitcoin Core 28.99.0
P2P Digital Currency
main_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_MAIN_H
8#define SECP256K1_MODULE_RECOVERY_MAIN_H
9
10#include "../../../include/secp256k1_recovery.h"
11
13 (void)ctx;
14 if (sizeof(secp256k1_scalar) == 32) {
15 /* When the secp256k1_scalar type is exactly 32 byte, use its
16 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
17 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
18 memcpy(r, &sig->data[0], 32);
19 memcpy(s, &sig->data[32], 32);
20 } else {
21 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
22 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
23 }
24 *recid = sig->data[64];
25}
26
28 if (sizeof(secp256k1_scalar) == 32) {
29 memcpy(&sig->data[0], r, 32);
30 memcpy(&sig->data[32], s, 32);
31 } else {
32 secp256k1_scalar_get_b32(&sig->data[0], r);
34 }
35 sig->data[64] = recid;
36}
37
40 int ret = 1;
41 int overflow = 0;
42
43 VERIFY_CHECK(ctx != NULL);
44 ARG_CHECK(sig != NULL);
45 ARG_CHECK(input64 != NULL);
46 ARG_CHECK(recid >= 0 && recid <= 3);
47
48 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
49 ret &= !overflow;
50 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
51 ret &= !overflow;
52 if (ret) {
54 } else {
55 memset(sig, 0, sizeof(*sig));
56 }
57 return ret;
58}
59
62
63 VERIFY_CHECK(ctx != NULL);
64 ARG_CHECK(output64 != NULL);
65 ARG_CHECK(sig != NULL);
66 ARG_CHECK(recid != NULL);
67
68 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);
69 secp256k1_scalar_get_b32(&output64[0], &r);
70 secp256k1_scalar_get_b32(&output64[32], &s);
71 return 1;
72}
73
76 int recid;
77
78 VERIFY_CHECK(ctx != NULL);
79 ARG_CHECK(sig != NULL);
80 ARG_CHECK(sigin != NULL);
81
82 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);
84 return 1;
85}
86
87static int secp256k1_ecdsa_sig_recover(const secp256k1_scalar *sigr, const secp256k1_scalar* sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid) {
88 unsigned char brx[32];
89 secp256k1_fe fx;
92 secp256k1_scalar rn, u1, u2;
94 int r;
95
97 return 0;
98 }
99
100 secp256k1_scalar_get_b32(brx, sigr);
101 r = secp256k1_fe_set_b32_limit(&fx, brx);
102 (void)r;
103 VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */
104 if (recid & 2) {
106 return 0;
107 }
109 }
110 if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1)) {
111 return 0;
112 }
113 secp256k1_gej_set_ge(&xj, &x);
115 secp256k1_scalar_mul(&u1, &rn, message);
116 secp256k1_scalar_negate(&u1, &u1);
117 secp256k1_scalar_mul(&u2, &rn, sigs);
118 secp256k1_ecmult(&qj, &xj, &u2, &u1);
119 secp256k1_ge_set_gej_var(pubkey, &qj);
120 return !secp256k1_gej_is_infinity(&qj);
121}
122
123int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
125 int ret, recid;
126 VERIFY_CHECK(ctx != NULL);
128 ARG_CHECK(msghash32 != NULL);
129 ARG_CHECK(signature != NULL);
130 ARG_CHECK(seckey != NULL);
131
132 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msghash32, seckey, noncefp, noncedata);
133 secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
134 return ret;
135}
136
137int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) {
138 secp256k1_ge q;
141 int recid;
142 VERIFY_CHECK(ctx != NULL);
143 ARG_CHECK(msghash32 != NULL);
144 ARG_CHECK(signature != NULL);
145 ARG_CHECK(pubkey != NULL);
146
147 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
148 VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
149 secp256k1_scalar_set_b32(&m, msghash32, NULL);
150 if (secp256k1_ecdsa_sig_recover(&r, &s, &q, &m, recid)) {
151 secp256k1_pubkey_save(pubkey, &q);
152 return 1;
153 } else {
154 memset(pubkey, 0, sizeof(*pubkey));
155 return 0;
156 }
157}
158
159#endif /* SECP256K1_MODULE_RECOVERY_MAIN_H */
int ret
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order
Difference between field and order, values 'p' and 'n' values defined in "Standards for Efficient Cry...
Definition: ecdsa_impl.h:32
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe
Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2....
Definition: ecdsa_impl.h:22
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
#define secp256k1_fe_cmp_var
Definition: field.h:86
#define secp256k1_fe_add
Definition: field.h:92
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s, int recid)
Definition: main_impl.h:27
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Definition: main_impl.h:12
int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
static int secp256k1_ecdsa_sig_recover(const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid)
Definition: main_impl.h:87
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
#define VERIFY_CHECK(cond)
Definition: util.h:159
#define ARG_CHECK(cond)
Definition: secp256k1.c:45
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:246
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:510
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:94
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
Opaque data structure that holds a parsed ECDSA signature, supporting pubkey recovery.
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13