Bitcoin Core  0.20.99
P2P Digital Currency
main_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_RECOVERY_MAIN_H
8 #define SECP256K1_MODULE_RECOVERY_MAIN_H
9 
11 
13  (void)ctx;
14  if (sizeof(secp256k1_scalar) == 32) {
15  /* When the secp256k1_scalar type is exactly 32 byte, use its
16  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
17  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
18  memcpy(r, &sig->data[0], 32);
19  memcpy(s, &sig->data[32], 32);
20  } else {
21  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
22  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
23  }
24  *recid = sig->data[64];
25 }
26 
28  if (sizeof(secp256k1_scalar) == 32) {
29  memcpy(&sig->data[0], r, 32);
30  memcpy(&sig->data[32], s, 32);
31  } else {
32  secp256k1_scalar_get_b32(&sig->data[0], r);
33  secp256k1_scalar_get_b32(&sig->data[32], s);
34  }
35  sig->data[64] = recid;
36 }
37 
39  secp256k1_scalar r, s;
40  int ret = 1;
41  int overflow = 0;
42 
43  (void)ctx;
44  ARG_CHECK(sig != NULL);
45  ARG_CHECK(input64 != NULL);
46  ARG_CHECK(recid >= 0 && recid <= 3);
47 
48  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
49  ret &= !overflow;
50  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
51  ret &= !overflow;
52  if (ret) {
54  } else {
55  memset(sig, 0, sizeof(*sig));
56  }
57  return ret;
58 }
59 
61  secp256k1_scalar r, s;
62 
63  (void)ctx;
64  ARG_CHECK(output64 != NULL);
65  ARG_CHECK(sig != NULL);
66  ARG_CHECK(recid != NULL);
67 
68  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);
69  secp256k1_scalar_get_b32(&output64[0], &r);
70  secp256k1_scalar_get_b32(&output64[32], &s);
71  return 1;
72 }
73 
75  secp256k1_scalar r, s;
76  int recid;
77 
78  (void)ctx;
79  ARG_CHECK(sig != NULL);
80  ARG_CHECK(sigin != NULL);
81 
82  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);
83  secp256k1_ecdsa_signature_save(sig, &r, &s);
84  return 1;
85 }
86 
87 static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar* sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid) {
88  unsigned char brx[32];
89  secp256k1_fe fx;
90  secp256k1_ge x;
91  secp256k1_gej xj;
92  secp256k1_scalar rn, u1, u2;
93  secp256k1_gej qj;
94  int r;
95 
97  return 0;
98  }
99 
100  secp256k1_scalar_get_b32(brx, sigr);
101  r = secp256k1_fe_set_b32(&fx, brx);
102  (void)r;
103  VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */
104  if (recid & 2) {
106  return 0;
107  }
109  }
110  if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1)) {
111  return 0;
112  }
113  secp256k1_gej_set_ge(&xj, &x);
114  secp256k1_scalar_inverse_var(&rn, sigr);
115  secp256k1_scalar_mul(&u1, &rn, message);
116  secp256k1_scalar_negate(&u1, &u1);
117  secp256k1_scalar_mul(&u2, &rn, sigs);
118  secp256k1_ecmult(ctx, &qj, &xj, &u2, &u1);
119  secp256k1_ge_set_gej_var(pubkey, &qj);
120  return !secp256k1_gej_is_infinity(&qj);
121 }
122 
123 int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
124  secp256k1_scalar r, s;
125  secp256k1_scalar sec, non, msg;
126  int recid;
127  int ret = 0;
128  int overflow = 0;
129  VERIFY_CHECK(ctx != NULL);
131  ARG_CHECK(msg32 != NULL);
132  ARG_CHECK(signature != NULL);
133  ARG_CHECK(seckey != NULL);
134  if (noncefp == NULL) {
136  }
137 
138  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
139  /* Fail if the secret key is invalid. */
140  if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
141  unsigned char nonce32[32];
142  unsigned int count = 0;
143  secp256k1_scalar_set_b32(&msg, msg32, NULL);
144  while (1) {
145  ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
146  if (!ret) {
147  break;
148  }
149  secp256k1_scalar_set_b32(&non, nonce32, &overflow);
150  if (!secp256k1_scalar_is_zero(&non) && !overflow) {
151  if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
152  break;
153  }
154  }
155  count++;
156  }
157  memset(nonce32, 0, 32);
161  }
162  if (ret) {
163  secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
164  } else {
165  memset(signature, 0, sizeof(*signature));
166  }
167  return ret;
168 }
169 
170 int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
171  secp256k1_ge q;
172  secp256k1_scalar r, s;
174  int recid;
175  VERIFY_CHECK(ctx != NULL);
177  ARG_CHECK(msg32 != NULL);
178  ARG_CHECK(signature != NULL);
179  ARG_CHECK(pubkey != NULL);
180 
181  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
182  VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
183  secp256k1_scalar_set_b32(&m, msg32, NULL);
184  if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
185  secp256k1_pubkey_save(pubkey, &q);
186  return 1;
187  } else {
188  memset(pubkey, 0, sizeof(*pubkey));
189  return 0;
190  }
191 }
192 
193 #endif /* SECP256K1_MODULE_RECOVERY_MAIN_H */
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
#define VERIFY_CHECK(cond)
Definition: util.h:67
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
SECP256K1_API const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:367
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Definition: main_impl.h:12
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:113
int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:157
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe
Group order for secp256k1 defined as &#39;n&#39; in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: ecdsa_impl.h:31
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:223
int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:54
#define ARG_CHECK(cond)
Definition: secp256k1.c:22
static secp256k1_context * ctx
Definition: tests.c:46
int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:170
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:53
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:99
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
void * memcpy(void *a, const void *b, size_t c)
static int count
Definition: tests.c:45
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid)
Definition: main_impl.h:87
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s, int recid)
Definition: main_impl.h:27
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order
Difference between field and order, values &#39;p&#39; and &#39;n&#39; values defined in "Standards for Efficient Cry...
Definition: ecdsa_impl.h:45
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:66