Bitcoin Core  22.99.0
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #define SECP256K1_BUILD
8 
9 #include "../include/secp256k1.h"
10 #include "../include/secp256k1_preallocated.h"
11 
12 #include "assumptions.h"
13 #include "util.h"
14 #include "field_impl.h"
15 #include "scalar_impl.h"
16 #include "group_impl.h"
17 #include "ecmult_impl.h"
18 #include "ecmult_const_impl.h"
19 #include "ecmult_gen_impl.h"
20 #include "ecdsa_impl.h"
21 #include "eckey_impl.h"
22 #include "hash_impl.h"
23 #include "scratch_impl.h"
24 #include "selftest.h"
25 
26 #ifdef SECP256K1_NO_BUILD
27 # error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c"
28 #endif
29 
30 #if defined(VALGRIND)
31 # include <valgrind/memcheck.h>
32 #endif
33 
34 #define ARG_CHECK(cond) do { \
35  if (EXPECT(!(cond), 0)) { \
36  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
37  return 0; \
38  } \
39 } while(0)
40 
41 #define ARG_CHECK_NO_RETURN(cond) do { \
42  if (EXPECT(!(cond), 0)) { \
43  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
44  } \
45 } while(0)
46 
47 struct secp256k1_context_struct {
48  secp256k1_ecmult_gen_context ecmult_gen_ctx;
49  secp256k1_callback illegal_callback;
50  secp256k1_callback error_callback;
51  int declassify;
52 };
53 
54 static const secp256k1_context secp256k1_context_no_precomp_ = {
55  { 0 },
56  { secp256k1_default_illegal_callback_fn, 0 },
57  { secp256k1_default_error_callback_fn, 0 },
58  0
59 };
60 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
61 
62 size_t secp256k1_context_preallocated_size(unsigned int flags) {
63  size_t ret = sizeof(secp256k1_context);
64  /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
65  VERIFY_CHECK(ret != 0);
66 
67  if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
68  secp256k1_callback_call(&default_illegal_callback,
69  "Invalid flags");
70  return 0;
71  }
72 
73  return ret;
74 }
75 
76 size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
77  size_t ret = sizeof(secp256k1_context);
78  VERIFY_CHECK(ctx != NULL);
79  return ret;
80 }
81 
82 secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
83  size_t prealloc_size;
84  secp256k1_context* ret;
85 
86  if (!secp256k1_selftest()) {
87  secp256k1_callback_call(&default_error_callback, "self test failed");
88  }
89 
90  prealloc_size = secp256k1_context_preallocated_size(flags);
91  if (prealloc_size == 0) {
92  return NULL;
93  }
94  VERIFY_CHECK(prealloc != NULL);
95  ret = (secp256k1_context*)prealloc;
96  ret->illegal_callback = default_illegal_callback;
97  ret->error_callback = default_error_callback;
98 
99  /* Flags have been checked by secp256k1_context_preallocated_size. */
100  VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
101  secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx);
102  ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
103 
104  return ret;
105 }
106 
107 secp256k1_context* secp256k1_context_create(unsigned int flags) {
108  size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
109  secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
110  if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
111  free(ctx);
112  return NULL;
113  }
114 
115  return ctx;
116 }
117 
118 secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
119  secp256k1_context* ret;
120  VERIFY_CHECK(ctx != NULL);
121  ARG_CHECK(prealloc != NULL);
122 
123  ret = (secp256k1_context*)prealloc;
124  *ret = *ctx;
125  return ret;
126 }
127 
128 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
129  secp256k1_context* ret;
130  size_t prealloc_size;
131 
132  VERIFY_CHECK(ctx != NULL);
133  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
134  ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
135  ret = secp256k1_context_preallocated_clone(ctx, ret);
136  return ret;
137 }
138 
139 void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
140  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
141  if (ctx != NULL) {
142  secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
143  }
144 }
145 
146 void secp256k1_context_destroy(secp256k1_context* ctx) {
147  if (ctx != NULL) {
148  secp256k1_context_preallocated_destroy(ctx);
149  free(ctx);
150  }
151 }
152 
153 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
154  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
155  if (fun == NULL) {
156  fun = secp256k1_default_illegal_callback_fn;
157  }
158  ctx->illegal_callback.fn = fun;
159  ctx->illegal_callback.data = data;
160 }
161 
162 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
163  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
164  if (fun == NULL) {
165  fun = secp256k1_default_error_callback_fn;
166  }
167  ctx->error_callback.fn = fun;
168  ctx->error_callback.data = data;
169 }
170 
171 secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
172  VERIFY_CHECK(ctx != NULL);
173  return secp256k1_scratch_create(&ctx->error_callback, max_size);
174 }
175 
176 void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
177  VERIFY_CHECK(ctx != NULL);
178  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
179 }
180 
181 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
182  * of the software. This is setup for use with valgrind but could be substituted with
183  * the appropriate instrumentation for other analysis tools.
184  */
185 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
186 #if defined(VALGRIND)
187  if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
188 #else
189  (void)ctx;
190  (void)p;
191  (void)len;
192 #endif
193 }
194 
195 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
196  if (sizeof(secp256k1_ge_storage) == 64) {
197  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
198  * representation inside secp256k1_pubkey, as conversion is very fast.
199  * Note that secp256k1_pubkey_save must use the same representation. */
200  secp256k1_ge_storage s;
201  memcpy(&s, &pubkey->data[0], sizeof(s));
202  secp256k1_ge_from_storage(ge, &s);
203  } else {
204  /* Otherwise, fall back to 32-byte big endian for X and Y. */
205  secp256k1_fe x, y;
206  secp256k1_fe_set_b32(&x, pubkey->data);
207  secp256k1_fe_set_b32(&y, pubkey->data + 32);
208  secp256k1_ge_set_xy(ge, &x, &y);
209  }
210  ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
211  return 1;
212 }
213 
214 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
215  if (sizeof(secp256k1_ge_storage) == 64) {
216  secp256k1_ge_storage s;
217  secp256k1_ge_to_storage(&s, ge);
218  memcpy(&pubkey->data[0], &s, sizeof(s));
219  } else {
220  VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
221  secp256k1_fe_normalize_var(&ge->x);
222  secp256k1_fe_normalize_var(&ge->y);
223  secp256k1_fe_get_b32(pubkey->data, &ge->x);
224  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
225  }
226 }
227 
228 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
229  secp256k1_ge Q;
230 
231  VERIFY_CHECK(ctx != NULL);
232  ARG_CHECK(pubkey != NULL);
233  memset(pubkey, 0, sizeof(*pubkey));
234  ARG_CHECK(input != NULL);
235  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
236  return 0;
237  }
238  if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
239  return 0;
240  }
241  secp256k1_pubkey_save(pubkey, &Q);
242  secp256k1_ge_clear(&Q);
243  return 1;
244 }
245 
246 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
247  secp256k1_ge Q;
248  size_t len;
249  int ret = 0;
250 
251  VERIFY_CHECK(ctx != NULL);
252  ARG_CHECK(outputlen != NULL);
253  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
254  len = *outputlen;
255  *outputlen = 0;
256  ARG_CHECK(output != NULL);
257  memset(output, 0, len);
258  ARG_CHECK(pubkey != NULL);
259  ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
260  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
261  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
262  if (ret) {
263  *outputlen = len;
264  }
265  }
266  return ret;
267 }
268 
269 int secp256k1_ec_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey0, const secp256k1_pubkey* pubkey1) {
270  unsigned char out[2][33];
271  const secp256k1_pubkey* pk[2];
272  int i;
273 
274  VERIFY_CHECK(ctx != NULL);
275  pk[0] = pubkey0; pk[1] = pubkey1;
276  for (i = 0; i < 2; i++) {
277  size_t out_size = sizeof(out[i]);
278  /* If the public key is NULL or invalid, ec_pubkey_serialize will call
279  * the illegal_callback and return 0. In that case we will serialize the
280  * key as all zeros which is less than any valid public key. This
281  * results in consistent comparisons even if NULL or invalid pubkeys are
282  * involved and prevents edge cases such as sorting algorithms that use
283  * this function and do not terminate as a result. */
284  if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) {
285  /* Note that ec_pubkey_serialize should already set the output to
286  * zero in that case, but it's not guaranteed by the API, we can't
287  * test it and writing a VERIFY_CHECK is more complex than
288  * explicitly memsetting (again). */
289  memset(out[i], 0, sizeof(out[i]));
290  }
291  }
292  return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
293 }
294 
295 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
296  (void)ctx;
297  if (sizeof(secp256k1_scalar) == 32) {
298  /* When the secp256k1_scalar type is exactly 32 byte, use its
299  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
300  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
301  memcpy(r, &sig->data[0], 32);
302  memcpy(s, &sig->data[32], 32);
303  } else {
304  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
305  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
306  }
307 }
308 
309 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
310  if (sizeof(secp256k1_scalar) == 32) {
311  memcpy(&sig->data[0], r, 32);
312  memcpy(&sig->data[32], s, 32);
313  } else {
314  secp256k1_scalar_get_b32(&sig->data[0], r);
315  secp256k1_scalar_get_b32(&sig->data[32], s);
316  }
317 }
318 
319 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
320  secp256k1_scalar r, s;
321 
322  VERIFY_CHECK(ctx != NULL);
323  ARG_CHECK(sig != NULL);
324  ARG_CHECK(input != NULL);
325 
326  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
327  secp256k1_ecdsa_signature_save(sig, &r, &s);
328  return 1;
329  } else {
330  memset(sig, 0, sizeof(*sig));
331  return 0;
332  }
333 }
334 
335 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
336  secp256k1_scalar r, s;
337  int ret = 1;
338  int overflow = 0;
339 
340  VERIFY_CHECK(ctx != NULL);
341  ARG_CHECK(sig != NULL);
342  ARG_CHECK(input64 != NULL);
343 
344  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
345  ret &= !overflow;
346  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
347  ret &= !overflow;
348  if (ret) {
349  secp256k1_ecdsa_signature_save(sig, &r, &s);
350  } else {
351  memset(sig, 0, sizeof(*sig));
352  }
353  return ret;
354 }
355 
356 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
357  secp256k1_scalar r, s;
358 
359  VERIFY_CHECK(ctx != NULL);
360  ARG_CHECK(output != NULL);
361  ARG_CHECK(outputlen != NULL);
362  ARG_CHECK(sig != NULL);
363 
364  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
365  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
366 }
367 
368 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
369  secp256k1_scalar r, s;
370 
371  VERIFY_CHECK(ctx != NULL);
372  ARG_CHECK(output64 != NULL);
373  ARG_CHECK(sig != NULL);
374 
375  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
376  secp256k1_scalar_get_b32(&output64[0], &r);
377  secp256k1_scalar_get_b32(&output64[32], &s);
378  return 1;
379 }
380 
381 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
382  secp256k1_scalar r, s;
383  int ret = 0;
384 
385  VERIFY_CHECK(ctx != NULL);
386  ARG_CHECK(sigin != NULL);
387 
388  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
389  ret = secp256k1_scalar_is_high(&s);
390  if (sigout != NULL) {
391  if (ret) {
392  secp256k1_scalar_negate(&s, &s);
393  }
394  secp256k1_ecdsa_signature_save(sigout, &r, &s);
395  }
396 
397  return ret;
398 }
399 
400 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
401  secp256k1_ge q;
402  secp256k1_scalar r, s;
403  secp256k1_scalar m;
404  VERIFY_CHECK(ctx != NULL);
405  ARG_CHECK(msghash32 != NULL);
406  ARG_CHECK(sig != NULL);
407  ARG_CHECK(pubkey != NULL);
408 
409  secp256k1_scalar_set_b32(&m, msghash32, NULL);
410  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
411  return (!secp256k1_scalar_is_high(&s) &&
412  secp256k1_pubkey_load(ctx, &q, pubkey) &&
413  secp256k1_ecdsa_sig_verify(&r, &s, &q, &m));
414 }
415 
416 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
417  memcpy(buf + *offset, data, len);
418  *offset += len;
419 }
420 
421 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
422  unsigned char keydata[112];
423  unsigned int offset = 0;
424  secp256k1_rfc6979_hmac_sha256 rng;
425  unsigned int i;
426  /* We feed a byte array to the PRNG as input, consisting of:
427  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
428  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
429  * - optionally 16 extra bytes with the algorithm name.
430  * Because the arguments have distinct fixed lengths it is not possible for
431  * different argument mixtures to emulate each other and result in the same
432  * nonces.
433  */
434  buffer_append(keydata, &offset, key32, 32);
435  buffer_append(keydata, &offset, msg32, 32);
436  if (data != NULL) {
437  buffer_append(keydata, &offset, data, 32);
438  }
439  if (algo16 != NULL) {
440  buffer_append(keydata, &offset, algo16, 16);
441  }
442  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
443  memset(keydata, 0, sizeof(keydata));
444  for (i = 0; i <= counter; i++) {
445  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
446  }
447  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
448  return 1;
449 }
450 
451 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
452 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
453 
454 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
455  secp256k1_scalar sec, non, msg;
456  int ret = 0;
457  int is_sec_valid;
458  unsigned char nonce32[32];
459  unsigned int count = 0;
460  /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
461  *r = secp256k1_scalar_zero;
462  *s = secp256k1_scalar_zero;
463  if (recid) {
464  *recid = 0;
465  }
466  if (noncefp == NULL) {
467  noncefp = secp256k1_nonce_function_default;
468  }
469 
470  /* Fail if the secret key is invalid. */
471  is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
472  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
473  secp256k1_scalar_set_b32(&msg, msg32, NULL);
474  while (1) {
475  int is_nonce_valid;
476  ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
477  if (!ret) {
478  break;
479  }
480  is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
481  /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
482  secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
483  if (is_nonce_valid) {
484  ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
485  /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
486  secp256k1_declassify(ctx, &ret, sizeof(ret));
487  if (ret) {
488  break;
489  }
490  }
491  count++;
492  }
493  /* We don't want to declassify is_sec_valid and therefore the range of
494  * seckey. As a result is_sec_valid is included in ret only after ret was
495  * used as a branching variable. */
496  ret &= is_sec_valid;
497  memset(nonce32, 0, 32);
498  secp256k1_scalar_clear(&msg);
499  secp256k1_scalar_clear(&non);
500  secp256k1_scalar_clear(&sec);
501  secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
502  secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
503  if (recid) {
504  const int zero = 0;
505  secp256k1_int_cmov(recid, &zero, !ret);
506  }
507  return ret;
508 }
509 
510 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
511  secp256k1_scalar r, s;
512  int ret;
513  VERIFY_CHECK(ctx != NULL);
514  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
515  ARG_CHECK(msghash32 != NULL);
516  ARG_CHECK(signature != NULL);
517  ARG_CHECK(seckey != NULL);
518 
519  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
520  secp256k1_ecdsa_signature_save(signature, &r, &s);
521  return ret;
522 }
523 
524 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
525  secp256k1_scalar sec;
526  int ret;
527  VERIFY_CHECK(ctx != NULL);
528  ARG_CHECK(seckey != NULL);
529 
530  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
531  secp256k1_scalar_clear(&sec);
532  return ret;
533 }
534 
535 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
536  secp256k1_gej pj;
537  int ret;
538 
539  ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
540  secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
541 
542  secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
543  secp256k1_ge_set_gej(p, &pj);
544  return ret;
545 }
546 
547 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
548  secp256k1_ge p;
549  secp256k1_scalar seckey_scalar;
550  int ret = 0;
551  VERIFY_CHECK(ctx != NULL);
552  ARG_CHECK(pubkey != NULL);
553  memset(pubkey, 0, sizeof(*pubkey));
554  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
555  ARG_CHECK(seckey != NULL);
556 
557  ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
558  secp256k1_pubkey_save(pubkey, &p);
559  secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
560 
561  secp256k1_scalar_clear(&seckey_scalar);
562  return ret;
563 }
564 
565 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
566  secp256k1_scalar sec;
567  int ret = 0;
568  VERIFY_CHECK(ctx != NULL);
569  ARG_CHECK(seckey != NULL);
570 
571  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
572  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
573  secp256k1_scalar_negate(&sec, &sec);
574  secp256k1_scalar_get_b32(seckey, &sec);
575 
576  secp256k1_scalar_clear(&sec);
577  return ret;
578 }
579 
580 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
581  return secp256k1_ec_seckey_negate(ctx, seckey);
582 }
583 
584 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
585  int ret = 0;
586  secp256k1_ge p;
587  VERIFY_CHECK(ctx != NULL);
588  ARG_CHECK(pubkey != NULL);
589 
590  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
591  memset(pubkey, 0, sizeof(*pubkey));
592  if (ret) {
593  secp256k1_ge_neg(&p, &p);
594  secp256k1_pubkey_save(pubkey, &p);
595  }
596  return ret;
597 }
598 
599 
600 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
601  secp256k1_scalar term;
602  int overflow = 0;
603  int ret = 0;
604 
605  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
606  ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
607  secp256k1_scalar_clear(&term);
608  return ret;
609 }
610 
611 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
612  secp256k1_scalar sec;
613  int ret = 0;
614  VERIFY_CHECK(ctx != NULL);
615  ARG_CHECK(seckey != NULL);
616  ARG_CHECK(tweak32 != NULL);
617 
618  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
619  ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
620  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
621  secp256k1_scalar_get_b32(seckey, &sec);
622 
623  secp256k1_scalar_clear(&sec);
624  return ret;
625 }
626 
627 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
628  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
629 }
630 
631 static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) {
632  secp256k1_scalar term;
633  int overflow = 0;
634  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
635  return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term);
636 }
637 
638 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
639  secp256k1_ge p;
640  int ret = 0;
641  VERIFY_CHECK(ctx != NULL);
642  ARG_CHECK(pubkey != NULL);
643  ARG_CHECK(tweak32 != NULL);
644 
645  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
646  memset(pubkey, 0, sizeof(*pubkey));
647  ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32);
648  if (ret) {
649  secp256k1_pubkey_save(pubkey, &p);
650  }
651 
652  return ret;
653 }
654 
655 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
656  secp256k1_scalar factor;
657  secp256k1_scalar sec;
658  int ret = 0;
659  int overflow = 0;
660  VERIFY_CHECK(ctx != NULL);
661  ARG_CHECK(seckey != NULL);
662  ARG_CHECK(tweak32 != NULL);
663 
664  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
665  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
666  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
667  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
668  secp256k1_scalar_get_b32(seckey, &sec);
669 
670  secp256k1_scalar_clear(&sec);
671  secp256k1_scalar_clear(&factor);
672  return ret;
673 }
674 
675 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
676  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
677 }
678 
679 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
680  secp256k1_ge p;
681  secp256k1_scalar factor;
682  int ret = 0;
683  int overflow = 0;
684  VERIFY_CHECK(ctx != NULL);
685  ARG_CHECK(pubkey != NULL);
686  ARG_CHECK(tweak32 != NULL);
687 
688  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
689  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
690  memset(pubkey, 0, sizeof(*pubkey));
691  if (ret) {
692  if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) {
693  secp256k1_pubkey_save(pubkey, &p);
694  } else {
695  ret = 0;
696  }
697  }
698 
699  return ret;
700 }
701 
702 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
703  VERIFY_CHECK(ctx != NULL);
704  if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
705  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
706  }
707  return 1;
708 }
709 
710 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
711  size_t i;
712  secp256k1_gej Qj;
713  secp256k1_ge Q;
714 
715  VERIFY_CHECK(ctx != NULL);
716  ARG_CHECK(pubnonce != NULL);
717  memset(pubnonce, 0, sizeof(*pubnonce));
718  ARG_CHECK(n >= 1);
719  ARG_CHECK(pubnonces != NULL);
720 
721  secp256k1_gej_set_infinity(&Qj);
722 
723  for (i = 0; i < n; i++) {
724  ARG_CHECK(pubnonces[i] != NULL);
725  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
726  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
727  }
728  if (secp256k1_gej_is_infinity(&Qj)) {
729  return 0;
730  }
731  secp256k1_ge_set_gej(&Q, &Qj);
732  secp256k1_pubkey_save(pubnonce, &Q);
733  return 1;
734 }
735 
736 int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
737  secp256k1_sha256 sha;
738  VERIFY_CHECK(ctx != NULL);
739  ARG_CHECK(hash32 != NULL);
740  ARG_CHECK(tag != NULL);
741  ARG_CHECK(msg != NULL);
742 
743  secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
744  secp256k1_sha256_write(&sha, msg, msglen);
745  secp256k1_sha256_finalize(&sha, hash32);
746  return 1;
747 }
748 
749 #ifdef ENABLE_MODULE_ECDH
750 # include "modules/ecdh/main_impl.h"
751 #endif
752 
753 #ifdef ENABLE_MODULE_RECOVERY
754 # include "modules/recovery/main_impl.h"
755 #endif
756 
757 #ifdef ENABLE_MODULE_EXTRAKEYS
758 # include "modules/extrakeys/main_impl.h"
759 #endif
760 
761 #ifdef ENABLE_MODULE_SCHNORRSIG
762 # include "modules/schnorrsig/main_impl.h"
763 #endif
secp256k1_context_preallocated_clone
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:118
secp256k1_context_randomize
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:702
secp256k1_ec_pubkey_parse
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:228
selftest.h
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_ec_pubkey_serialize
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:246
secp256k1_context_set_error_callback
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:95
main_impl.h
count
static int count
Definition: tests.c:31
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_context_set_illegal_callback
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:153
secp256k1_ge_is_in_correct_subgroup
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
secp256k1_eckey_pubkey_tweak_mul
static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_context_destroy
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:19
field_impl.h
secp256k1_ec_pubkey_tweak_mul
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:679
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_ecdsa_signature_normalize
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:381
flags
int flags
Definition: bitcoin-tx.cpp:525
secp256k1_ec_seckey_tweak_add
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:611
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:195
secp256k1_context_struct
Definition: secp256k1.c:47
secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:185
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:295
secp256k1_ec_pubkey_negate
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:584
secp256k1_context_clone
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
eckey_impl.h
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:221
secp256k1_ec_seckey_negate
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:565
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
group_impl.h
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:34
secp256k1_context
struct secp256k1_context_struct secp256k1_context
Definition: pubkey.h:341
secp256k1_ecdsa_sign_inner
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:454
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
ecmult_impl.h
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_ec_pubkey_create
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:547
main_impl.h
util.h
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_sha256
Definition: hash.h:13
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
ecmult_const_impl.h
secp256k1_ec_pubkey_cmp
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:269
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:214
secp256k1_context_preallocated_create
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:82
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_context_preallocated_size
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:62
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:190
secp256k1_eckey_privkey_tweak_add
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:179
assumptions.h
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:421
secp256k1_callback::data
const void * data
Definition: util.h:25
secp256k1_ecdsa_signature_parse_compact
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:335
secp256k1_context_preallocated_destroy
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:139
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:51
secp256k1_context_create
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_eckey_privkey_tweak_mul
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
Definition: ecmult_gen_impl.h:22
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_eckey_pubkey_tweak_add
static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak)
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:118
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge_storage
Definition: group.h:33
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:48
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
EXPECT
#define EXPECT(x, c)
Definition: util.h:26
secp256k1_context_preallocated_clone_size
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:76
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_selftest
static int secp256k1_selftest(void)
Definition: selftest.h:28
hash_impl.h
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:19
secp256k1_ec_pubkey_tweak_add
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:638
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_ec_privkey_tweak_add
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:627
secp256k1_ec_pubkey_tweak_add_helper
static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:631
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx)
secp256k1_ec_seckey_verify
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:524
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
SECP256K1_FLAGS_TYPE_MASK
#define SECP256K1_FLAGS_TYPE_MASK
All flags' lower 8 bits indicate what they're for.
Definition: secp256k1.h:173
main_impl.h
secp256k1_context_no_precomp_
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:54
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:235
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
SECP256K1_FLAGS_TYPE_COMPRESSION
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:175
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:49
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:50
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_ecdsa_sign
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:510
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:202
ARG_CHECK_NO_RETURN
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:41
ecmult_gen_impl.h
secp256k1_nonce_function_default
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:452
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:24
secp256k1_ecdsa_signature_parse_der
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:319
secp256k1_ec_privkey_tweak_mul
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:675
SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:174
secp256k1_callback
Definition: util.h:19
main_impl.h
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:84
scalar_impl.h
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_ec_privkey_negate
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:580
secp256k1_ec_pubkey_combine
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:710
scratch_impl.h
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_ecmult_gen_context_clear
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
secp256k1_scratch_space_create
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:171
buffer_append
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:416
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:309
secp256k1_tagged_sha256
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:736
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:29
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:127
secp256k1_ecdsa_verify
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:400
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:180
secp256k1_nonce_function_rfc6979
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:451
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:18
default_illegal_callback
static const secp256k1_callback default_illegal_callback
Definition: util.h:44
secp256k1_ecdsa_signature_serialize_der
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:356
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_ecdsa_signature_serialize_compact
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:368
ecdsa_impl.h
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
ByteUnit::m
@ m
secp256k1_ec_seckey_tweak_mul
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:655
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:71
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_ec_seckey_tweak_add_helper
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:600
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
secp256k1_scratch_space_destroy
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:176
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:34
secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:103
ctx
static secp256k1_context * ctx
Definition: tests.c:32
default_error_callback
static const secp256k1_callback default_error_callback
Definition: util.h:49
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_callback_call
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
secp256k1_ec_pubkey_create_helper
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:535
Generated on Thu Jan 20 2022 20:04:10 for Bitcoin Core by   doxygen 1.8.17