Bitcoin Core  0.20.99
P2P Digital Currency
main_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_RECOVERY_MAIN_H
8 #define SECP256K1_MODULE_RECOVERY_MAIN_H
9 
11 
13  (void)ctx;
14  if (sizeof(secp256k1_scalar) == 32) {
15  /* When the secp256k1_scalar type is exactly 32 byte, use its
16  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
17  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
18  memcpy(r, &sig->data[0], 32);
19  memcpy(s, &sig->data[32], 32);
20  } else {
21  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
22  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
23  }
24  *recid = sig->data[64];
25 }
26 
28  if (sizeof(secp256k1_scalar) == 32) {
29  memcpy(&sig->data[0], r, 32);
30  memcpy(&sig->data[32], s, 32);
31  } else {
32  secp256k1_scalar_get_b32(&sig->data[0], r);
33  secp256k1_scalar_get_b32(&sig->data[32], s);
34  }
35  sig->data[64] = recid;
36 }
37 
39  secp256k1_scalar r, s;
40  int ret = 1;
41  int overflow = 0;
42 
43  (void)ctx;
44  ARG_CHECK(sig != NULL);
45  ARG_CHECK(input64 != NULL);
46  ARG_CHECK(recid >= 0 && recid <= 3);
47 
48  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
49  ret &= !overflow;
50  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
51  ret &= !overflow;
52  if (ret) {
54  } else {
55  memset(sig, 0, sizeof(*sig));
56  }
57  return ret;
58 }
59 
61  secp256k1_scalar r, s;
62 
63  (void)ctx;
64  ARG_CHECK(output64 != NULL);
65  ARG_CHECK(sig != NULL);
66  ARG_CHECK(recid != NULL);
67 
68  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);
69  secp256k1_scalar_get_b32(&output64[0], &r);
70  secp256k1_scalar_get_b32(&output64[32], &s);
71  return 1;
72 }
73 
75  secp256k1_scalar r, s;
76  int recid;
77 
78  (void)ctx;
79  ARG_CHECK(sig != NULL);
80  ARG_CHECK(sigin != NULL);
81 
82  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);
83  secp256k1_ecdsa_signature_save(sig, &r, &s);
84  return 1;
85 }
86 
87 static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar* sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid) {
88  unsigned char brx[32];
89  secp256k1_fe fx;
90  secp256k1_ge x;
91  secp256k1_gej xj;
92  secp256k1_scalar rn, u1, u2;
93  secp256k1_gej qj;
94  int r;
95 
97  return 0;
98  }
99 
100  secp256k1_scalar_get_b32(brx, sigr);
101  r = secp256k1_fe_set_b32(&fx, brx);
102  (void)r;
103  VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */
104  if (recid & 2) {
106  return 0;
107  }
109  }
110  if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1)) {
111  return 0;
112  }
113  secp256k1_gej_set_ge(&xj, &x);
114  secp256k1_scalar_inverse_var(&rn, sigr);
115  secp256k1_scalar_mul(&u1, &rn, message);
116  secp256k1_scalar_negate(&u1, &u1);
117  secp256k1_scalar_mul(&u2, &rn, sigs);
118  secp256k1_ecmult(ctx, &qj, &xj, &u2, &u1);
119  secp256k1_ge_set_gej_var(pubkey, &qj);
120  return !secp256k1_gej_is_infinity(&qj);
121 }
122 
123 int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
124  secp256k1_scalar r, s;
125  int ret, recid;
126  VERIFY_CHECK(ctx != NULL);
128  ARG_CHECK(msg32 != NULL);
129  ARG_CHECK(signature != NULL);
130  ARG_CHECK(seckey != NULL);
131 
132  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msg32, seckey, noncefp, noncedata);
133  secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
134  return ret;
135 }
136 
137 int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
138  secp256k1_ge q;
139  secp256k1_scalar r, s;
141  int recid;
142  VERIFY_CHECK(ctx != NULL);
144  ARG_CHECK(msg32 != NULL);
145  ARG_CHECK(signature != NULL);
146  ARG_CHECK(pubkey != NULL);
147 
148  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
149  VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
150  secp256k1_scalar_set_b32(&m, msg32, NULL);
151  if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
152  secp256k1_pubkey_save(pubkey, &q);
153  return 1;
154  } else {
155  memset(pubkey, 0, sizeof(*pubkey));
156  return 0;
157  }
158 }
159 
160 #endif /* SECP256K1_MODULE_RECOVERY_MAIN_H */
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
#define VERIFY_CHECK(cond)
Definition: util.h:68
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:475
static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Definition: main_impl.h:12
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:113
int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:263
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe
Group order for secp256k1 defined as &#39;n&#39; in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: ecdsa_impl.h:31
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:329
int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:72
#define ARG_CHECK(cond)
Definition: secp256k1.c:29
static secp256k1_context * ctx
Definition: tests.c:36
int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:71
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:100
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
void * memcpy(void *a, const void *b, size_t c)
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid)
Definition: main_impl.h:87
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s, int recid)
Definition: main_impl.h:27
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order
Difference between field and order, values &#39;p&#39; and &#39;n&#39; values defined in "Standards for Efficient Cry...
Definition: ecdsa_impl.h:45
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67