Bitcoin Core  22.99.0
P2P Digital Currency
main_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_MAIN_H
8 #define SECP256K1_MODULE_SCHNORRSIG_MAIN_H
9 
10 #include "../../../include/secp256k1.h"
11 #include "../../../include/secp256k1_schnorrsig.h"
12 #include "../../hash.h"
13 
14 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
15  * SHA256 to SHA256("BIP0340/nonce")||SHA256("BIP0340/nonce"). */
18  sha->s[0] = 0x46615b35ul;
19  sha->s[1] = 0xf4bfbff7ul;
20  sha->s[2] = 0x9f8dc671ul;
21  sha->s[3] = 0x83627ab3ul;
22  sha->s[4] = 0x60217180ul;
23  sha->s[5] = 0x57358661ul;
24  sha->s[6] = 0x21a29e54ul;
25  sha->s[7] = 0x68b07b4cul;
26 
27  sha->bytes = 64;
28 }
29 
30 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
31  * SHA256 to SHA256("BIP0340/aux")||SHA256("BIP0340/aux"). */
34  sha->s[0] = 0x24dd3219ul;
35  sha->s[1] = 0x4eba7e70ul;
36  sha->s[2] = 0xca0fabb9ul;
37  sha->s[3] = 0x0fa3166dul;
38  sha->s[4] = 0x3afbe4b1ul;
39  sha->s[5] = 0x4c44df97ul;
40  sha->s[6] = 0x4aac2739ul;
41  sha->s[7] = 0x249e850aul;
42 
43  sha->bytes = 64;
44 }
45 
46 /* algo argument for nonce_function_bip340 to derive the nonce exactly as stated in BIP-340
47  * by using the correct tagged hash function. */
48 static const unsigned char bip340_algo[13] = "BIP0340/nonce";
49 
51 
52 static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
53  secp256k1_sha256 sha;
54  unsigned char masked_key[32];
55  int i;
56 
57  if (algo == NULL) {
58  return 0;
59  }
60 
61  if (data != NULL) {
63  secp256k1_sha256_write(&sha, data, 32);
64  secp256k1_sha256_finalize(&sha, masked_key);
65  for (i = 0; i < 32; i++) {
66  masked_key[i] ^= key32[i];
67  }
68  }
69 
70  /* Tag the hash with algo which is important to avoid nonce reuse across
71  * algorithms. If this nonce function is used in BIP-340 signing as defined
72  * in the spec, an optimized tagging implementation is used. */
73  if (algolen == sizeof(bip340_algo)
74  && secp256k1_memcmp_var(algo, bip340_algo, algolen) == 0) {
76  } else {
77  secp256k1_sha256_initialize_tagged(&sha, algo, algolen);
78  }
79 
80  /* Hash (masked-)key||pk||msg using the tagged hash as per the spec */
81  if (data != NULL) {
82  secp256k1_sha256_write(&sha, masked_key, 32);
83  } else {
84  secp256k1_sha256_write(&sha, key32, 32);
85  }
86  secp256k1_sha256_write(&sha, xonly_pk32, 32);
87  secp256k1_sha256_write(&sha, msg, msglen);
88  secp256k1_sha256_finalize(&sha, nonce32);
89  return 1;
90 }
91 
93 
94 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
95  * SHA256 to SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge"). */
98  sha->s[0] = 0x9cecba11ul;
99  sha->s[1] = 0x23925381ul;
100  sha->s[2] = 0x11679112ul;
101  sha->s[3] = 0xd1627e0ful;
102  sha->s[4] = 0x97c87550ul;
103  sha->s[5] = 0x003cc765ul;
104  sha->s[6] = 0x90f61164ul;
105  sha->s[7] = 0x33e9b66aul;
106  sha->bytes = 64;
107 }
108 
109 static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg, size_t msglen, const unsigned char *pubkey32)
110 {
111  unsigned char buf[32];
112  secp256k1_sha256 sha;
113 
114  /* tagged hash(r.x, pk.x, msg) */
116  secp256k1_sha256_write(&sha, r32, 32);
117  secp256k1_sha256_write(&sha, pubkey32, 32);
118  secp256k1_sha256_write(&sha, msg, msglen);
119  secp256k1_sha256_finalize(&sha, buf);
120  /* Set scalar e to the challenge hash modulo the curve order as per
121  * BIP340. */
122  secp256k1_scalar_set_b32(e, buf, NULL);
123 }
124 
125 int secp256k1_schnorrsig_sign_internal(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
126  secp256k1_scalar sk;
129  secp256k1_gej rj;
130  secp256k1_ge pk;
131  secp256k1_ge r;
132  unsigned char buf[32] = { 0 };
133  unsigned char pk_buf[32];
134  unsigned char seckey[32];
135  int ret = 1;
136 
137  VERIFY_CHECK(ctx != NULL);
139  ARG_CHECK(sig64 != NULL);
140  ARG_CHECK(msg != NULL || msglen == 0);
141  ARG_CHECK(keypair != NULL);
142 
143  if (noncefp == NULL) {
145  }
146 
147  ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair);
148  /* Because we are signing for a x-only pubkey, the secret key is negated
149  * before signing if the point corresponding to the secret key does not
150  * have an even Y. */
151  if (secp256k1_fe_is_odd(&pk.y)) {
152  secp256k1_scalar_negate(&sk, &sk);
153  }
154 
155  secp256k1_scalar_get_b32(seckey, &sk);
156  secp256k1_fe_get_b32(pk_buf, &pk.x);
157  ret &= !!noncefp(buf, msg, msglen, seckey, pk_buf, bip340_algo, sizeof(bip340_algo), ndata);
158  secp256k1_scalar_set_b32(&k, buf, NULL);
159  ret &= !secp256k1_scalar_is_zero(&k);
161 
163  secp256k1_ge_set_gej(&r, &rj);
164 
165  /* We declassify r to allow using it as a branch point. This is fine
166  * because r is not a secret. */
167  secp256k1_declassify(ctx, &r, sizeof(r));
169  if (secp256k1_fe_is_odd(&r.y)) {
170  secp256k1_scalar_negate(&k, &k);
171  }
173  secp256k1_fe_get_b32(&sig64[0], &r.x);
174 
175  secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, pk_buf);
176  secp256k1_scalar_mul(&e, &e, &sk);
177  secp256k1_scalar_add(&e, &e, &k);
178  secp256k1_scalar_get_b32(&sig64[32], &e);
179 
180  secp256k1_memczero(sig64, 64, !ret);
183  memset(seckey, 0, sizeof(seckey));
184 
185  return ret;
186 }
187 
188 int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, unsigned char *aux_rand32) {
189  return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg32, 32, keypair, secp256k1_nonce_function_bip340, aux_rand32);
190 }
191 
192 int secp256k1_schnorrsig_sign_custom(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) {
193  secp256k1_nonce_function_hardened noncefp = NULL;
194  void *ndata = NULL;
195  VERIFY_CHECK(ctx != NULL);
196 
197  if (extraparams != NULL) {
198  ARG_CHECK(secp256k1_memcmp_var(extraparams->magic,
200  sizeof(extraparams->magic)) == 0);
201  noncefp = extraparams->noncefp;
202  ndata = extraparams->ndata;
203  }
204  return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg, msglen, keypair, noncefp, ndata);
205 }
206 
207 int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) {
210  secp256k1_gej rj;
211  secp256k1_ge pk;
212  secp256k1_gej pkj;
213  secp256k1_fe rx;
214  secp256k1_ge r;
215  unsigned char buf[32];
216  int overflow;
217 
218  VERIFY_CHECK(ctx != NULL);
220  ARG_CHECK(sig64 != NULL);
221  ARG_CHECK(msg != NULL || msglen == 0);
222  ARG_CHECK(pubkey != NULL);
223 
224  if (!secp256k1_fe_set_b32(&rx, &sig64[0])) {
225  return 0;
226  }
227 
228  secp256k1_scalar_set_b32(&s, &sig64[32], &overflow);
229  if (overflow) {
230  return 0;
231  }
232 
233  if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
234  return 0;
235  }
236 
237  /* Compute e. */
238  secp256k1_fe_get_b32(buf, &pk.x);
239  secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, buf);
240 
241  /* Compute rj = s*G + (-e)*pkj */
242  secp256k1_scalar_negate(&e, &e);
243  secp256k1_gej_set_ge(&pkj, &pk);
244  secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s);
245 
246  secp256k1_ge_set_gej_var(&r, &rj);
247  if (secp256k1_ge_is_infinity(&r)) {
248  return 0;
249  }
250 
252  return !secp256k1_fe_is_odd(&r.y) &&
253  secp256k1_fe_equal_var(&rx, &r.x);
254 }
255 
256 #endif
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:18
secp256k1_ecmult_context_is_built
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_keypair_load
static int secp256k1_keypair_load(const secp256k1_context *ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair)
Definition: main_impl.h:177
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:19
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_context_struct
Definition: secp256k1.c:75
secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:241
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:34
secp256k1_schnorrsig_sign_internal
int secp256k1_schnorrsig_sign_internal(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata)
Definition: main_impl.h:125
secp256k1_sha256
Definition: hash.h:13
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
schnorrsig_extraparams_magic
static const unsigned char schnorrsig_extraparams_magic[4]
Definition: main_impl.h:50
secp256k1_nonce_function_bip340
const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340
An implementation of the nonce generation function as defined in Bitcoin Improvement Proposal 340 "Sc...
Definition: main_impl.h:92
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:77
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:76
secp256k1_schnorrsig_sign_custom
int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:192
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:13
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:96
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:205
bip340_algo
static const unsigned char bip340_algo[13]
Definition: main_impl.h:48
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_schnorrsig_challenge
static void secp256k1_schnorrsig_challenge(secp256k1_scalar *e, const unsigned char *r32, const unsigned char *msg, size_t msglen, const unsigned char *pubkey32)
Definition: main_impl.h:109
secp256k1_nonce_function_hardened
int(* secp256k1_nonce_function_hardened)(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
This module implements a variant of Schnorr signatures compliant with Bitcoin Improvement Proposal 34...
Definition: secp256k1_schnorrsig.h:41
secp256k1_schnorrsig_sign
int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, unsigned char *aux_rand32)
Create a Schnorr signature.
Definition: main_impl.h:188
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_schnorrsig_extraparams::magic
unsigned char magic[4]
Definition: secp256k1_schnorrsig.h:83
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_schnorrsig_verify
int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey)
Verify a Schnorr signature.
Definition: main_impl.h:207
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:18
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC
Definition: secp256k1_schnorrsig.h:88
ctx
static secp256k1_context * ctx
Definition: tests.c:42
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_sha256::bytes
size_t bytes
Definition: hash.h:20
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82