Bitcoin Core 29.99.0
P2P Digital Currency
schnorr.c
Go to the documentation of this file.
1/*************************************************************************
2 * Written in 2020-2022 by Elichai Turkel *
3 * To the extent possible under law, the author(s) have dedicated all *
4 * copyright and related and neighboring rights to the software in this *
5 * file to the public domain worldwide. This software is distributed *
6 * without any warranty. For the CC0 Public Domain Dedication, see *
7 * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
8 *************************************************************************/
9
10#include <stdio.h>
11#include <stdlib.h>
12#include <assert.h>
13#include <string.h>
14
15#include <secp256k1.h>
16#include <secp256k1_extrakeys.h>
18
19#include "examples_util.h"
20
21int main(void) {
22 unsigned char msg[] = {'H', 'e', 'l', 'l', 'o', ' ', 'W', 'o', 'r', 'l', 'd', '!'};
23 unsigned char msg_hash[32];
24 unsigned char tag[] = {'m', 'y', '_', 'f', 'a', 'n', 'c', 'y', '_', 'p', 'r', 'o', 't', 'o', 'c', 'o', 'l'};
25 unsigned char seckey[32];
26 unsigned char randomize[32];
27 unsigned char auxiliary_rand[32];
28 unsigned char serialized_pubkey[32];
29 unsigned char signature[64];
30 int is_signature_valid, is_signature_valid2;
31 int return_val;
33 secp256k1_keypair keypair;
34 /* Before we can call actual API functions, we need to create a "context". */
36 if (!fill_random(randomize, sizeof(randomize))) {
37 printf("Failed to generate randomness\n");
38 return EXIT_FAILURE;
39 }
40 /* Randomizing the context is recommended to protect against side-channel
41 * leakage See `secp256k1_context_randomize` in secp256k1.h for more
42 * information about it. This should never fail. */
43 return_val = secp256k1_context_randomize(ctx, randomize);
44 assert(return_val);
45
46 /*** Key Generation ***/
47 if (!fill_random(seckey, sizeof(seckey))) {
48 printf("Failed to generate randomness\n");
49 return EXIT_FAILURE;
50 }
51 /* Try to create a keypair with a valid context. This only fails if the
52 * secret key is zero or out of range (greater than secp256k1's order). Note
53 * that the probability of this occurring is negligible with a properly
54 * functioning random number generator. */
55 if (!secp256k1_keypair_create(ctx, &keypair, seckey)) {
56 printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
57 return EXIT_FAILURE;
58 }
59
60 /* Extract the X-only public key from the keypair. We pass NULL for
61 * `pk_parity` as the parity isn't needed for signing or verification.
62 * `secp256k1_keypair_xonly_pub` supports returning the parity for
63 * other use cases such as tests or verifying Taproot tweaks.
64 * This should never fail with a valid context and public key. */
65 return_val = secp256k1_keypair_xonly_pub(ctx, &pubkey, NULL, &keypair);
66 assert(return_val);
67
68 /* Serialize the public key. Should always return 1 for a valid public key. */
69 return_val = secp256k1_xonly_pubkey_serialize(ctx, serialized_pubkey, &pubkey);
70 assert(return_val);
71
72 /*** Signing ***/
73
74 /* Instead of signing (possibly very long) messages directly, we sign a
75 * 32-byte hash of the message in this example.
76 *
77 * We use secp256k1_tagged_sha256 to create this hash. This function expects
78 * a context-specific "tag", which restricts the context in which the signed
79 * messages should be considered valid. For example, if protocol A mandates
80 * to use the tag "my_fancy_protocol" and protocol B mandates to use the tag
81 * "my_boring_protocol", then signed messages from protocol A will never be
82 * valid in protocol B (and vice versa), even if keys are reused across
83 * protocols. This implements "domain separation", which is considered good
84 * practice. It avoids attacks in which users are tricked into signing a
85 * message that has intended consequences in the intended context (e.g.,
86 * protocol A) but would have unintended consequences if it were valid in
87 * some other context (e.g., protocol B). */
88 return_val = secp256k1_tagged_sha256(ctx, msg_hash, tag, sizeof(tag), msg, sizeof(msg));
89 assert(return_val);
90
91 /* Generate 32 bytes of randomness to use with BIP-340 schnorr signing. */
92 if (!fill_random(auxiliary_rand, sizeof(auxiliary_rand))) {
93 printf("Failed to generate randomness\n");
94 return EXIT_FAILURE;
95 }
96
97 /* Generate a Schnorr signature.
98 *
99 * We use the secp256k1_schnorrsig_sign32 function that provides a simple
100 * interface for signing 32-byte messages (which in our case is a hash of
101 * the actual message). BIP-340 recommends passing 32 bytes of randomness
102 * to the signing function to improve security against side-channel attacks.
103 * Signing with a valid context, a 32-byte message, a verified keypair, and
104 * any 32 bytes of auxiliary random data should never fail. */
105 return_val = secp256k1_schnorrsig_sign32(ctx, signature, msg_hash, &keypair, auxiliary_rand);
106 assert(return_val);
107
108 /*** Verification ***/
109
110 /* Deserialize the public key. This will return 0 if the public key can't
111 * be parsed correctly */
112 if (!secp256k1_xonly_pubkey_parse(ctx, &pubkey, serialized_pubkey)) {
113 printf("Failed parsing the public key\n");
114 return EXIT_FAILURE;
115 }
116
117 /* Compute the tagged hash on the received messages using the same tag as the signer. */
118 return_val = secp256k1_tagged_sha256(ctx, msg_hash, tag, sizeof(tag), msg, sizeof(msg));
119 assert(return_val);
120
121 /* Verify a signature. This will return 1 if it's valid and 0 if it's not. */
122 is_signature_valid = secp256k1_schnorrsig_verify(ctx, signature, msg_hash, 32, &pubkey);
123
124
125 printf("Is the signature valid? %s\n", is_signature_valid ? "true" : "false");
126 printf("Secret Key: ");
127 print_hex(seckey, sizeof(seckey));
128 printf("Public Key: ");
129 print_hex(serialized_pubkey, sizeof(serialized_pubkey));
130 printf("Signature: ");
131 print_hex(signature, sizeof(signature));
132
133 /* This will clear everything from the context and free the memory */
135
136 /* Bonus example: if all we need is signature verification (and no key
137 generation or signing), we don't need to use a context created via
138 secp256k1_context_create(). We can simply use the static (i.e., global)
139 context secp256k1_context_static. See its description in
140 include/secp256k1.h for details. */
142 signature, msg_hash, 32, &pubkey);
143 assert(is_signature_valid2 == is_signature_valid);
144
145 /* It's best practice to try to clear secrets from memory after using them.
146 * This is done because some bugs can allow an attacker to leak memory, for
147 * example through "out of bounds" array access (see Heartbleed), or the OS
148 * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
149 *
150 * Here we are preventing these writes from being optimized out, as any good compiler
151 * will remove any writes that aren't used. */
152 secure_erase(seckey, sizeof(seckey));
153 return EXIT_SUCCESS;
154}
return EXIT_SUCCESS
static int fill_random(unsigned char *data, size_t size)
Definition: examples_util.h:43
static void secure_erase(void *ptr, size_t len)
Definition: examples_util.h:86
static void print_hex(unsigned char *data, size_t size)
Definition: examples_util.h:72
void printf(FormatStringCheck< sizeof...(Args)> fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1096
int main(void)
Definition: schnorr.c:21
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:187
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:747
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:141
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:202
SECP256K1_API int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:783
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:233
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
SECP256K1_API int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:199
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:223
Opaque data structure that holds a keypair consisting of a secret and a public key.
Opaque data structure that holds a parsed and valid "x-only" public key.
assert(!tx.IsCoinBase())