Bitcoin Core  22.99.0
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include "include/secp256k1.h"
8 #include "include/secp256k1_preallocated.h"
9 
10 #include "assumptions.h"
11 #include "util.h"
12 #include "field_impl.h"
13 #include "scalar_impl.h"
14 #include "group_impl.h"
15 #include "ecmult_impl.h"
16 #include "ecmult_const_impl.h"
17 #include "ecmult_gen_impl.h"
18 #include "ecdsa_impl.h"
19 #include "eckey_impl.h"
20 #include "hash_impl.h"
21 #include "scratch_impl.h"
22 #include "selftest.h"
23 
24 #if defined(VALGRIND)
25 # include <valgrind/memcheck.h>
26 #endif
27 
28 #define ARG_CHECK(cond) do { \
29  if (EXPECT(!(cond), 0)) { \
30  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
31  return 0; \
32  } \
33 } while(0)
34 
35 #define ARG_CHECK_NO_RETURN(cond) do { \
36  if (EXPECT(!(cond), 0)) { \
37  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
38  } \
39 } while(0)
40 
41 #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
42 #include <stdlib.h>
43 #include <stdio.h>
44 static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
45  (void)data;
46  fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
47  abort();
48 }
49 static void secp256k1_default_error_callback_fn(const char* str, void* data) {
50  (void)data;
51  fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
52  abort();
53 }
54 #else
55 void secp256k1_default_illegal_callback_fn(const char* str, void* data);
56 void secp256k1_default_error_callback_fn(const char* str, void* data);
57 #endif
58 
59 static const secp256k1_callback default_illegal_callback = {
60  secp256k1_default_illegal_callback_fn,
61  NULL
62 };
63 
64 static const secp256k1_callback default_error_callback = {
65  secp256k1_default_error_callback_fn,
66  NULL
67 };
68 
69 struct secp256k1_context_struct {
70  secp256k1_ecmult_context ecmult_ctx;
71  secp256k1_ecmult_gen_context ecmult_gen_ctx;
72  secp256k1_callback illegal_callback;
73  secp256k1_callback error_callback;
74  int declassify;
75 };
76 
77 static const secp256k1_context secp256k1_context_no_precomp_ = {
78  { 0 },
79  { 0 },
80  { secp256k1_default_illegal_callback_fn, 0 },
81  { secp256k1_default_error_callback_fn, 0 },
82  0
83 };
84 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
85 
86 size_t secp256k1_context_preallocated_size(unsigned int flags) {
87  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
88  /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
89  VERIFY_CHECK(ret != 0);
90 
91  if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
92  secp256k1_callback_call(&default_illegal_callback,
93  "Invalid flags");
94  return 0;
95  }
96 
97  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
98  ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
99  }
100  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
101  ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
102  }
103  return ret;
104 }
105 
106 size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
107  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
108  VERIFY_CHECK(ctx != NULL);
109  if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
110  ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
111  }
112  if (secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)) {
113  ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
114  }
115  return ret;
116 }
117 
118 secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
119  void* const base = prealloc;
120  size_t prealloc_size;
121  secp256k1_context* ret;
122 
123  if (!secp256k1_selftest()) {
124  secp256k1_callback_call(&default_error_callback, "self test failed");
125  }
126 
127  prealloc_size = secp256k1_context_preallocated_size(flags);
128  if (prealloc_size == 0) {
129  return NULL;
130  }
131  VERIFY_CHECK(prealloc != NULL);
132  ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
133  ret->illegal_callback = default_illegal_callback;
134  ret->error_callback = default_error_callback;
135 
136  secp256k1_ecmult_context_init(&ret->ecmult_ctx);
137  secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
138 
139  /* Flags have been checked by secp256k1_context_preallocated_size. */
140  VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
141  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
142  secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc);
143  }
144  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
145  secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
146  }
147  ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
148 
149  return (secp256k1_context*) ret;
150 }
151 
152 secp256k1_context* secp256k1_context_create(unsigned int flags) {
153  size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
154  secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
155  if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
156  free(ctx);
157  return NULL;
158  }
159 
160  return ctx;
161 }
162 
163 secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
164  size_t prealloc_size;
165  secp256k1_context* ret;
166  VERIFY_CHECK(ctx != NULL);
167  ARG_CHECK(prealloc != NULL);
168 
169  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
170  ret = (secp256k1_context*)prealloc;
171  memcpy(ret, ctx, prealloc_size);
172  secp256k1_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx);
173  secp256k1_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx);
174  return ret;
175 }
176 
177 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
178  secp256k1_context* ret;
179  size_t prealloc_size;
180 
181  VERIFY_CHECK(ctx != NULL);
182  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
183  ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
184  ret = secp256k1_context_preallocated_clone(ctx, ret);
185  return ret;
186 }
187 
188 void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
189  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
190  if (ctx != NULL) {
191  secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
192  secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
193  }
194 }
195 
196 void secp256k1_context_destroy(secp256k1_context* ctx) {
197  if (ctx != NULL) {
198  secp256k1_context_preallocated_destroy(ctx);
199  free(ctx);
200  }
201 }
202 
203 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
204  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
205  if (fun == NULL) {
206  fun = secp256k1_default_illegal_callback_fn;
207  }
208  ctx->illegal_callback.fn = fun;
209  ctx->illegal_callback.data = data;
210 }
211 
212 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
213  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
214  if (fun == NULL) {
215  fun = secp256k1_default_error_callback_fn;
216  }
217  ctx->error_callback.fn = fun;
218  ctx->error_callback.data = data;
219 }
220 
221 secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
222  VERIFY_CHECK(ctx != NULL);
223  return secp256k1_scratch_create(&ctx->error_callback, max_size);
224 }
225 
226 void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
227  VERIFY_CHECK(ctx != NULL);
228  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
229 }
230 
231 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
232  * of the software. This is setup for use with valgrind but could be substituted with
233  * the appropriate instrumentation for other analysis tools.
234  */
235 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
236 #if defined(VALGRIND)
237  if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
238 #else
239  (void)ctx;
240  (void)p;
241  (void)len;
242 #endif
243 }
244 
245 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
246  if (sizeof(secp256k1_ge_storage) == 64) {
247  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
248  * representation inside secp256k1_pubkey, as conversion is very fast.
249  * Note that secp256k1_pubkey_save must use the same representation. */
250  secp256k1_ge_storage s;
251  memcpy(&s, &pubkey->data[0], sizeof(s));
252  secp256k1_ge_from_storage(ge, &s);
253  } else {
254  /* Otherwise, fall back to 32-byte big endian for X and Y. */
255  secp256k1_fe x, y;
256  secp256k1_fe_set_b32(&x, pubkey->data);
257  secp256k1_fe_set_b32(&y, pubkey->data + 32);
258  secp256k1_ge_set_xy(ge, &x, &y);
259  }
260  ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
261  return 1;
262 }
263 
264 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
265  if (sizeof(secp256k1_ge_storage) == 64) {
266  secp256k1_ge_storage s;
267  secp256k1_ge_to_storage(&s, ge);
268  memcpy(&pubkey->data[0], &s, sizeof(s));
269  } else {
270  VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
271  secp256k1_fe_normalize_var(&ge->x);
272  secp256k1_fe_normalize_var(&ge->y);
273  secp256k1_fe_get_b32(pubkey->data, &ge->x);
274  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
275  }
276 }
277 
278 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
279  secp256k1_ge Q;
280 
281  VERIFY_CHECK(ctx != NULL);
282  ARG_CHECK(pubkey != NULL);
283  memset(pubkey, 0, sizeof(*pubkey));
284  ARG_CHECK(input != NULL);
285  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
286  return 0;
287  }
288  if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
289  return 0;
290  }
291  secp256k1_pubkey_save(pubkey, &Q);
292  secp256k1_ge_clear(&Q);
293  return 1;
294 }
295 
296 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
297  secp256k1_ge Q;
298  size_t len;
299  int ret = 0;
300 
301  VERIFY_CHECK(ctx != NULL);
302  ARG_CHECK(outputlen != NULL);
303  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
304  len = *outputlen;
305  *outputlen = 0;
306  ARG_CHECK(output != NULL);
307  memset(output, 0, len);
308  ARG_CHECK(pubkey != NULL);
309  ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
310  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
311  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
312  if (ret) {
313  *outputlen = len;
314  }
315  }
316  return ret;
317 }
318 
319 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
320  (void)ctx;
321  if (sizeof(secp256k1_scalar) == 32) {
322  /* When the secp256k1_scalar type is exactly 32 byte, use its
323  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
324  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
325  memcpy(r, &sig->data[0], 32);
326  memcpy(s, &sig->data[32], 32);
327  } else {
328  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
329  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
330  }
331 }
332 
333 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
334  if (sizeof(secp256k1_scalar) == 32) {
335  memcpy(&sig->data[0], r, 32);
336  memcpy(&sig->data[32], s, 32);
337  } else {
338  secp256k1_scalar_get_b32(&sig->data[0], r);
339  secp256k1_scalar_get_b32(&sig->data[32], s);
340  }
341 }
342 
343 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
344  secp256k1_scalar r, s;
345 
346  VERIFY_CHECK(ctx != NULL);
347  ARG_CHECK(sig != NULL);
348  ARG_CHECK(input != NULL);
349 
350  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
351  secp256k1_ecdsa_signature_save(sig, &r, &s);
352  return 1;
353  } else {
354  memset(sig, 0, sizeof(*sig));
355  return 0;
356  }
357 }
358 
359 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
360  secp256k1_scalar r, s;
361  int ret = 1;
362  int overflow = 0;
363 
364  VERIFY_CHECK(ctx != NULL);
365  ARG_CHECK(sig != NULL);
366  ARG_CHECK(input64 != NULL);
367 
368  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
369  ret &= !overflow;
370  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
371  ret &= !overflow;
372  if (ret) {
373  secp256k1_ecdsa_signature_save(sig, &r, &s);
374  } else {
375  memset(sig, 0, sizeof(*sig));
376  }
377  return ret;
378 }
379 
380 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
381  secp256k1_scalar r, s;
382 
383  VERIFY_CHECK(ctx != NULL);
384  ARG_CHECK(output != NULL);
385  ARG_CHECK(outputlen != NULL);
386  ARG_CHECK(sig != NULL);
387 
388  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
389  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
390 }
391 
392 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
393  secp256k1_scalar r, s;
394 
395  VERIFY_CHECK(ctx != NULL);
396  ARG_CHECK(output64 != NULL);
397  ARG_CHECK(sig != NULL);
398 
399  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
400  secp256k1_scalar_get_b32(&output64[0], &r);
401  secp256k1_scalar_get_b32(&output64[32], &s);
402  return 1;
403 }
404 
405 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
406  secp256k1_scalar r, s;
407  int ret = 0;
408 
409  VERIFY_CHECK(ctx != NULL);
410  ARG_CHECK(sigin != NULL);
411 
412  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
413  ret = secp256k1_scalar_is_high(&s);
414  if (sigout != NULL) {
415  if (ret) {
416  secp256k1_scalar_negate(&s, &s);
417  }
418  secp256k1_ecdsa_signature_save(sigout, &r, &s);
419  }
420 
421  return ret;
422 }
423 
424 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
425  secp256k1_ge q;
426  secp256k1_scalar r, s;
427  secp256k1_scalar m;
428  VERIFY_CHECK(ctx != NULL);
429  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
430  ARG_CHECK(msghash32 != NULL);
431  ARG_CHECK(sig != NULL);
432  ARG_CHECK(pubkey != NULL);
433 
434  secp256k1_scalar_set_b32(&m, msghash32, NULL);
435  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
436  return (!secp256k1_scalar_is_high(&s) &&
437  secp256k1_pubkey_load(ctx, &q, pubkey) &&
438  secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
439 }
440 
441 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
442  memcpy(buf + *offset, data, len);
443  *offset += len;
444 }
445 
446 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
447  unsigned char keydata[112];
448  unsigned int offset = 0;
449  secp256k1_rfc6979_hmac_sha256 rng;
450  unsigned int i;
451  /* We feed a byte array to the PRNG as input, consisting of:
452  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
453  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
454  * - optionally 16 extra bytes with the algorithm name.
455  * Because the arguments have distinct fixed lengths it is not possible for
456  * different argument mixtures to emulate each other and result in the same
457  * nonces.
458  */
459  buffer_append(keydata, &offset, key32, 32);
460  buffer_append(keydata, &offset, msg32, 32);
461  if (data != NULL) {
462  buffer_append(keydata, &offset, data, 32);
463  }
464  if (algo16 != NULL) {
465  buffer_append(keydata, &offset, algo16, 16);
466  }
467  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
468  memset(keydata, 0, sizeof(keydata));
469  for (i = 0; i <= counter; i++) {
470  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
471  }
472  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
473  return 1;
474 }
475 
476 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
477 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
478 
479 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
480  secp256k1_scalar sec, non, msg;
481  int ret = 0;
482  int is_sec_valid;
483  unsigned char nonce32[32];
484  unsigned int count = 0;
485  /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
486  *r = secp256k1_scalar_zero;
487  *s = secp256k1_scalar_zero;
488  if (recid) {
489  *recid = 0;
490  }
491  if (noncefp == NULL) {
492  noncefp = secp256k1_nonce_function_default;
493  }
494 
495  /* Fail if the secret key is invalid. */
496  is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
497  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
498  secp256k1_scalar_set_b32(&msg, msg32, NULL);
499  while (1) {
500  int is_nonce_valid;
501  ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
502  if (!ret) {
503  break;
504  }
505  is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
506  /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
507  secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
508  if (is_nonce_valid) {
509  ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
510  /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
511  secp256k1_declassify(ctx, &ret, sizeof(ret));
512  if (ret) {
513  break;
514  }
515  }
516  count++;
517  }
518  /* We don't want to declassify is_sec_valid and therefore the range of
519  * seckey. As a result is_sec_valid is included in ret only after ret was
520  * used as a branching variable. */
521  ret &= is_sec_valid;
522  memset(nonce32, 0, 32);
523  secp256k1_scalar_clear(&msg);
524  secp256k1_scalar_clear(&non);
525  secp256k1_scalar_clear(&sec);
526  secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
527  secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
528  if (recid) {
529  const int zero = 0;
530  secp256k1_int_cmov(recid, &zero, !ret);
531  }
532  return ret;
533 }
534 
535 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
536  secp256k1_scalar r, s;
537  int ret;
538  VERIFY_CHECK(ctx != NULL);
539  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
540  ARG_CHECK(msghash32 != NULL);
541  ARG_CHECK(signature != NULL);
542  ARG_CHECK(seckey != NULL);
543 
544  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
545  secp256k1_ecdsa_signature_save(signature, &r, &s);
546  return ret;
547 }
548 
549 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
550  secp256k1_scalar sec;
551  int ret;
552  VERIFY_CHECK(ctx != NULL);
553  ARG_CHECK(seckey != NULL);
554 
555  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
556  secp256k1_scalar_clear(&sec);
557  return ret;
558 }
559 
560 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
561  secp256k1_gej pj;
562  int ret;
563 
564  ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
565  secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
566 
567  secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
568  secp256k1_ge_set_gej(p, &pj);
569  return ret;
570 }
571 
572 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
573  secp256k1_ge p;
574  secp256k1_scalar seckey_scalar;
575  int ret = 0;
576  VERIFY_CHECK(ctx != NULL);
577  ARG_CHECK(pubkey != NULL);
578  memset(pubkey, 0, sizeof(*pubkey));
579  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
580  ARG_CHECK(seckey != NULL);
581 
582  ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
583  secp256k1_pubkey_save(pubkey, &p);
584  secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
585 
586  secp256k1_scalar_clear(&seckey_scalar);
587  return ret;
588 }
589 
590 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
591  secp256k1_scalar sec;
592  int ret = 0;
593  VERIFY_CHECK(ctx != NULL);
594  ARG_CHECK(seckey != NULL);
595 
596  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
597  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
598  secp256k1_scalar_negate(&sec, &sec);
599  secp256k1_scalar_get_b32(seckey, &sec);
600 
601  secp256k1_scalar_clear(&sec);
602  return ret;
603 }
604 
605 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
606  return secp256k1_ec_seckey_negate(ctx, seckey);
607 }
608 
609 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
610  int ret = 0;
611  secp256k1_ge p;
612  VERIFY_CHECK(ctx != NULL);
613  ARG_CHECK(pubkey != NULL);
614 
615  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
616  memset(pubkey, 0, sizeof(*pubkey));
617  if (ret) {
618  secp256k1_ge_neg(&p, &p);
619  secp256k1_pubkey_save(pubkey, &p);
620  }
621  return ret;
622 }
623 
624 
625 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
626  secp256k1_scalar term;
627  int overflow = 0;
628  int ret = 0;
629 
630  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
631  ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
632  secp256k1_scalar_clear(&term);
633  return ret;
634 }
635 
636 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
637  secp256k1_scalar sec;
638  int ret = 0;
639  VERIFY_CHECK(ctx != NULL);
640  ARG_CHECK(seckey != NULL);
641  ARG_CHECK(tweak32 != NULL);
642 
643  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
644  ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
645  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
646  secp256k1_scalar_get_b32(seckey, &sec);
647 
648  secp256k1_scalar_clear(&sec);
649  return ret;
650 }
651 
652 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
653  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
654 }
655 
656 static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32) {
657  secp256k1_scalar term;
658  int overflow = 0;
659  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
660  return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
661 }
662 
663 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
664  secp256k1_ge p;
665  int ret = 0;
666  VERIFY_CHECK(ctx != NULL);
667  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
668  ARG_CHECK(pubkey != NULL);
669  ARG_CHECK(tweak32 != NULL);
670 
671  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
672  memset(pubkey, 0, sizeof(*pubkey));
673  ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32);
674  if (ret) {
675  secp256k1_pubkey_save(pubkey, &p);
676  }
677 
678  return ret;
679 }
680 
681 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
682  secp256k1_scalar factor;
683  secp256k1_scalar sec;
684  int ret = 0;
685  int overflow = 0;
686  VERIFY_CHECK(ctx != NULL);
687  ARG_CHECK(seckey != NULL);
688  ARG_CHECK(tweak32 != NULL);
689 
690  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
691  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
692  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
693  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
694  secp256k1_scalar_get_b32(seckey, &sec);
695 
696  secp256k1_scalar_clear(&sec);
697  secp256k1_scalar_clear(&factor);
698  return ret;
699 }
700 
701 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
702  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
703 }
704 
705 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
706  secp256k1_ge p;
707  secp256k1_scalar factor;
708  int ret = 0;
709  int overflow = 0;
710  VERIFY_CHECK(ctx != NULL);
711  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
712  ARG_CHECK(pubkey != NULL);
713  ARG_CHECK(tweak32 != NULL);
714 
715  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
716  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
717  memset(pubkey, 0, sizeof(*pubkey));
718  if (ret) {
719  if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
720  secp256k1_pubkey_save(pubkey, &p);
721  } else {
722  ret = 0;
723  }
724  }
725 
726  return ret;
727 }
728 
729 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
730  VERIFY_CHECK(ctx != NULL);
731  if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
732  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
733  }
734  return 1;
735 }
736 
737 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
738  size_t i;
739  secp256k1_gej Qj;
740  secp256k1_ge Q;
741 
742  ARG_CHECK(pubnonce != NULL);
743  memset(pubnonce, 0, sizeof(*pubnonce));
744  ARG_CHECK(n >= 1);
745  ARG_CHECK(pubnonces != NULL);
746 
747  secp256k1_gej_set_infinity(&Qj);
748 
749  for (i = 0; i < n; i++) {
750  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
751  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
752  }
753  if (secp256k1_gej_is_infinity(&Qj)) {
754  return 0;
755  }
756  secp256k1_ge_set_gej(&Q, &Qj);
757  secp256k1_pubkey_save(pubnonce, &Q);
758  return 1;
759 }
760 
761 #ifdef ENABLE_MODULE_ECDH
762 # include "modules/ecdh/main_impl.h"
763 #endif
764 
765 #ifdef ENABLE_MODULE_RECOVERY
766 # include "modules/recovery/main_impl.h"
767 #endif
768 
769 #ifdef ENABLE_MODULE_EXTRAKEYS
770 # include "modules/extrakeys/main_impl.h"
771 #endif
772 
773 #ifdef ENABLE_MODULE_SCHNORRSIG
774 # include "modules/schnorrsig/main_impl.h"
775 #endif
secp256k1_context_preallocated_clone
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:163
secp256k1_context_randomize
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:729
secp256k1_ec_pubkey_parse
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
selftest.h
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_ecmult_context_is_built
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
secp256k1_ec_pubkey_serialize
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
secp256k1_context_set_error_callback
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68
secp256k1_ecmult_context_build
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc)
main_impl.h
count
static int count
Definition: tests.c:41
secp256k1_context_set_illegal_callback
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
secp256k1_ge_is_in_correct_subgroup
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
secp256k1_ecmult_context_clear
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
secp256k1_context_destroy
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:19
field_impl.h
secp256k1_ec_pubkey_tweak_mul
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:705
SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:163
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_ecdsa_signature_normalize
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:405
flags
int flags
Definition: bitcoin-tx.cpp:512
secp256k1_ec_seckey_tweak_add
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:636
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:245
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:319
secp256k1_ec_pubkey_negate
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:609
secp256k1_context_clone
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:177
eckey_impl.h
default_illegal_callback
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:59
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:84
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_ec_seckey_negate
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:590
secp256k1_eckey_pubkey_tweak_mul
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_ec_pubkey_tweak_add_helper
static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context *ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:656
group_impl.h
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:28
secp256k1_ecdsa_sign_inner
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:479
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
ecmult_impl.h
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_ec_pubkey_create
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:572
main_impl.h
util.h
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
ecmult_const_impl.h
SECP256K1_FLAGS_BIT_CONTEXT_SIGN
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:164
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:264
secp256k1_context_preallocated_create
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1.h
manual_alloc
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
Definition: util.h:134
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_context_preallocated_size
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:86
secp256k1_ecmult_gen_context_init
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
secp256k1_eckey_privkey_tweak_add
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:165
assumptions.h
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:446
secp256k1_callback::data
const void * data
Definition: util.h:25
secp256k1_ecdsa_signature_parse_compact
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:359
secp256k1_context_preallocated_destroy
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:188
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:74
secp256k1_context_create
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
secp256k1_preallocated.h
secp256k1_eckey_privkey_tweak_mul
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
secp256k1_ecmult_context_init
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge_storage
Definition: group.h:33
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:70
secp256k1_ecmult_gen_context_finalize_memcpy
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
secp256k1_context_preallocated_clone_size
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:106
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
secp256k1_selftest
static int secp256k1_selftest(void)
Definition: selftest.h:28
hash_impl.h
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:20
secp256k1_ec_pubkey_tweak_add
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:663
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_ec_privkey_tweak_add
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:652
secp256k1_ec_seckey_verify
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:549
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
SECP256K1_FLAGS_TYPE_MASK
#define SECP256K1_FLAGS_TYPE_MASK
All flags' lower 8 bits indicate what they're for.
Definition: secp256k1.h:159
main_impl.h
ROUND_TO_ALIGN
#define ROUND_TO_ALIGN(size)
Definition: util.h:116
secp256k1_context_no_precomp_
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:77
secp256k1_ecmult_context_finalize_memcpy
static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src)
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
SECP256K1_FLAGS_TYPE_COMPRESSION
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:161
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:72
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:73
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_ecdsa_sign
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:535
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:205
ARG_CHECK_NO_RETURN
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:35
ecmult_gen_impl.h
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:49
secp256k1_nonce_function_default
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:477
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:24
secp256k1_ecdsa_signature_parse_der
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:343
secp256k1_ec_privkey_tweak_mul
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:701
SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:160
secp256k1_callback
Definition: util.h:19
main_impl.h
EXPECT
#define EXPECT(x, c)
Definition: util.h:43
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:81
scalar_impl.h
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult.h:20
secp256k1_ec_privkey_negate
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:605
secp256k1_ec_pubkey_combine
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:737
scratch_impl.h
default_error_callback
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:64
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:44
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_ecmult_gen_context_clear
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
secp256k1_eckey_pubkey_tweak_add
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
secp256k1_scratch_space_create
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:221
buffer_append
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:441
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:333
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:124
secp256k1_ecdsa_verify
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:424
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:166
secp256k1_nonce_function_rfc6979
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:476
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:18
secp256k1_ecmult_context
Definition: ecmult.h:14
secp256k1_ecdsa_signature_serialize_der
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:380
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_ecdsa_signature_serialize_compact
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:392
ecdsa_impl.h
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ec_seckey_tweak_mul
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:681
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:68
SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult_gen.h:38
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_ec_seckey_tweak_add_helper
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:625
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67
secp256k1_scratch_space_destroy
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:226
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:100
ctx
static secp256k1_context * ctx
Definition: tests.c:42
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_callback_call
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
secp256k1_ec_pubkey_create_helper
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:560
Generated on Sat Jul 31 2021 20:04:02 for Bitcoin Core by   doxygen 1.8.17