Bitcoin Core  0.19.99
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #include "include/secp256k1.h"
8 
9 #include "util.h"
10 #include "num_impl.h"
11 #include "field_impl.h"
12 #include "scalar_impl.h"
13 #include "group_impl.h"
14 #include "ecmult_impl.h"
15 #include "ecmult_const_impl.h"
16 #include "ecmult_gen_impl.h"
17 #include "ecdsa_impl.h"
18 #include "eckey_impl.h"
19 #include "hash_impl.h"
20 #include "scratch_impl.h"
21 
22 #define ARG_CHECK(cond) do { \
23  if (EXPECT(!(cond), 0)) { \
24  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
25  return 0; \
26  } \
27 } while(0)
28 
29 static void default_illegal_callback_fn(const char* str, void* data) {
30  (void)data;
31  fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
32  abort();
33 }
34 
35 static const secp256k1_callback default_illegal_callback = {
36  default_illegal_callback_fn,
37  NULL
38 };
39 
40 static void default_error_callback_fn(const char* str, void* data) {
41  (void)data;
42  fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
43  abort();
44 }
45 
46 static const secp256k1_callback default_error_callback = {
47  default_error_callback_fn,
48  NULL
49 };
50 
51 
52 struct secp256k1_context_struct {
53  secp256k1_ecmult_context ecmult_ctx;
54  secp256k1_ecmult_gen_context ecmult_gen_ctx;
55  secp256k1_callback illegal_callback;
56  secp256k1_callback error_callback;
57 };
58 
59 static const secp256k1_context secp256k1_context_no_precomp_ = {
60  { 0 },
61  { 0 },
62  { default_illegal_callback_fn, 0 },
63  { default_error_callback_fn, 0 }
64 };
65 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
66 
67 secp256k1_context* secp256k1_context_create(unsigned int flags) {
68  secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
69  ret->illegal_callback = default_illegal_callback;
70  ret->error_callback = default_error_callback;
71 
72  if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
73  secp256k1_callback_call(&ret->illegal_callback,
74  "Invalid flags");
75  free(ret);
76  return NULL;
77  }
78 
79  secp256k1_ecmult_context_init(&ret->ecmult_ctx);
80  secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
81 
82  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
83  secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
84  }
85  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
86  secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
87  }
88 
89  return ret;
90 }
91 
92 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
93  secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context));
94  ret->illegal_callback = ctx->illegal_callback;
95  ret->error_callback = ctx->error_callback;
96  secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
97  secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
98  return ret;
99 }
100 
101 void secp256k1_context_destroy(secp256k1_context* ctx) {
102  CHECK(ctx != secp256k1_context_no_precomp);
103  if (ctx != NULL) {
104  secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
105  secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
106 
107  free(ctx);
108  }
109 }
110 
111 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
112  CHECK(ctx != secp256k1_context_no_precomp);
113  if (fun == NULL) {
114  fun = default_illegal_callback_fn;
115  }
116  ctx->illegal_callback.fn = fun;
117  ctx->illegal_callback.data = data;
118 }
119 
120 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
121  CHECK(ctx != secp256k1_context_no_precomp);
122  if (fun == NULL) {
123  fun = default_error_callback_fn;
124  }
125  ctx->error_callback.fn = fun;
126  ctx->error_callback.data = data;
127 }
128 
129 secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
130  VERIFY_CHECK(ctx != NULL);
131  return secp256k1_scratch_create(&ctx->error_callback, max_size);
132 }
133 
134 void secp256k1_scratch_space_destroy(secp256k1_scratch_space* scratch) {
135  secp256k1_scratch_destroy(scratch);
136 }
137 
138 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
139  if (sizeof(secp256k1_ge_storage) == 64) {
140  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
141  * representation inside secp256k1_pubkey, as conversion is very fast.
142  * Note that secp256k1_pubkey_save must use the same representation. */
143  secp256k1_ge_storage s;
144  memcpy(&s, &pubkey->data[0], sizeof(s));
145  secp256k1_ge_from_storage(ge, &s);
146  } else {
147  /* Otherwise, fall back to 32-byte big endian for X and Y. */
148  secp256k1_fe x, y;
149  secp256k1_fe_set_b32(&x, pubkey->data);
150  secp256k1_fe_set_b32(&y, pubkey->data + 32);
151  secp256k1_ge_set_xy(ge, &x, &y);
152  }
153  ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
154  return 1;
155 }
156 
157 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
158  if (sizeof(secp256k1_ge_storage) == 64) {
159  secp256k1_ge_storage s;
160  secp256k1_ge_to_storage(&s, ge);
161  memcpy(&pubkey->data[0], &s, sizeof(s));
162  } else {
163  VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
164  secp256k1_fe_normalize_var(&ge->x);
165  secp256k1_fe_normalize_var(&ge->y);
166  secp256k1_fe_get_b32(pubkey->data, &ge->x);
167  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
168  }
169 }
170 
171 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
172  secp256k1_ge Q;
173 
174  VERIFY_CHECK(ctx != NULL);
175  ARG_CHECK(pubkey != NULL);
176  memset(pubkey, 0, sizeof(*pubkey));
177  ARG_CHECK(input != NULL);
178  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
179  return 0;
180  }
181  secp256k1_pubkey_save(pubkey, &Q);
182  secp256k1_ge_clear(&Q);
183  return 1;
184 }
185 
186 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
187  secp256k1_ge Q;
188  size_t len;
189  int ret = 0;
190 
191  VERIFY_CHECK(ctx != NULL);
192  ARG_CHECK(outputlen != NULL);
193  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
194  len = *outputlen;
195  *outputlen = 0;
196  ARG_CHECK(output != NULL);
197  memset(output, 0, len);
198  ARG_CHECK(pubkey != NULL);
199  ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
200  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
201  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
202  if (ret) {
203  *outputlen = len;
204  }
205  }
206  return ret;
207 }
208 
209 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
210  (void)ctx;
211  if (sizeof(secp256k1_scalar) == 32) {
212  /* When the secp256k1_scalar type is exactly 32 byte, use its
213  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
214  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
215  memcpy(r, &sig->data[0], 32);
216  memcpy(s, &sig->data[32], 32);
217  } else {
218  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
219  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
220  }
221 }
222 
223 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
224  if (sizeof(secp256k1_scalar) == 32) {
225  memcpy(&sig->data[0], r, 32);
226  memcpy(&sig->data[32], s, 32);
227  } else {
228  secp256k1_scalar_get_b32(&sig->data[0], r);
229  secp256k1_scalar_get_b32(&sig->data[32], s);
230  }
231 }
232 
233 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
234  secp256k1_scalar r, s;
235 
236  VERIFY_CHECK(ctx != NULL);
237  ARG_CHECK(sig != NULL);
238  ARG_CHECK(input != NULL);
239 
240  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
241  secp256k1_ecdsa_signature_save(sig, &r, &s);
242  return 1;
243  } else {
244  memset(sig, 0, sizeof(*sig));
245  return 0;
246  }
247 }
248 
249 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
250  secp256k1_scalar r, s;
251  int ret = 1;
252  int overflow = 0;
253 
254  VERIFY_CHECK(ctx != NULL);
255  ARG_CHECK(sig != NULL);
256  ARG_CHECK(input64 != NULL);
257 
258  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
259  ret &= !overflow;
260  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
261  ret &= !overflow;
262  if (ret) {
263  secp256k1_ecdsa_signature_save(sig, &r, &s);
264  } else {
265  memset(sig, 0, sizeof(*sig));
266  }
267  return ret;
268 }
269 
270 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
271  secp256k1_scalar r, s;
272 
273  VERIFY_CHECK(ctx != NULL);
274  ARG_CHECK(output != NULL);
275  ARG_CHECK(outputlen != NULL);
276  ARG_CHECK(sig != NULL);
277 
278  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
279  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
280 }
281 
282 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
283  secp256k1_scalar r, s;
284 
285  VERIFY_CHECK(ctx != NULL);
286  ARG_CHECK(output64 != NULL);
287  ARG_CHECK(sig != NULL);
288 
289  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
290  secp256k1_scalar_get_b32(&output64[0], &r);
291  secp256k1_scalar_get_b32(&output64[32], &s);
292  return 1;
293 }
294 
295 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
296  secp256k1_scalar r, s;
297  int ret = 0;
298 
299  VERIFY_CHECK(ctx != NULL);
300  ARG_CHECK(sigin != NULL);
301 
302  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
303  ret = secp256k1_scalar_is_high(&s);
304  if (sigout != NULL) {
305  if (ret) {
306  secp256k1_scalar_negate(&s, &s);
307  }
308  secp256k1_ecdsa_signature_save(sigout, &r, &s);
309  }
310 
311  return ret;
312 }
313 
314 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
315  secp256k1_ge q;
316  secp256k1_scalar r, s;
317  secp256k1_scalar m;
318  VERIFY_CHECK(ctx != NULL);
319  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
320  ARG_CHECK(msg32 != NULL);
321  ARG_CHECK(sig != NULL);
322  ARG_CHECK(pubkey != NULL);
323 
324  secp256k1_scalar_set_b32(&m, msg32, NULL);
325  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
326  return (!secp256k1_scalar_is_high(&s) &&
327  secp256k1_pubkey_load(ctx, &q, pubkey) &&
328  secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
329 }
330 
331 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
332  memcpy(buf + *offset, data, len);
333  *offset += len;
334 }
335 
336 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
337  unsigned char keydata[112];
338  unsigned int offset = 0;
339  secp256k1_rfc6979_hmac_sha256 rng;
340  unsigned int i;
341  /* We feed a byte array to the PRNG as input, consisting of:
342  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
343  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
344  * - optionally 16 extra bytes with the algorithm name.
345  * Because the arguments have distinct fixed lengths it is not possible for
346  * different argument mixtures to emulate each other and result in the same
347  * nonces.
348  */
349  buffer_append(keydata, &offset, key32, 32);
350  buffer_append(keydata, &offset, msg32, 32);
351  if (data != NULL) {
352  buffer_append(keydata, &offset, data, 32);
353  }
354  if (algo16 != NULL) {
355  buffer_append(keydata, &offset, algo16, 16);
356  }
357  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
358  memset(keydata, 0, sizeof(keydata));
359  for (i = 0; i <= counter; i++) {
360  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
361  }
362  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
363  return 1;
364 }
365 
366 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
367 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
368 
369 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
370  secp256k1_scalar r, s;
371  secp256k1_scalar sec, non, msg;
372  int ret = 0;
373  int overflow = 0;
374  VERIFY_CHECK(ctx != NULL);
375  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
376  ARG_CHECK(msg32 != NULL);
377  ARG_CHECK(signature != NULL);
378  ARG_CHECK(seckey != NULL);
379  if (noncefp == NULL) {
380  noncefp = secp256k1_nonce_function_default;
381  }
382 
383  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
384  /* Fail if the secret key is invalid. */
385  if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
386  unsigned char nonce32[32];
387  unsigned int count = 0;
388  secp256k1_scalar_set_b32(&msg, msg32, NULL);
389  while (1) {
390  ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
391  if (!ret) {
392  break;
393  }
394  secp256k1_scalar_set_b32(&non, nonce32, &overflow);
395  if (!overflow && !secp256k1_scalar_is_zero(&non)) {
396  if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
397  break;
398  }
399  }
400  count++;
401  }
402  memset(nonce32, 0, 32);
403  secp256k1_scalar_clear(&msg);
404  secp256k1_scalar_clear(&non);
405  secp256k1_scalar_clear(&sec);
406  }
407  if (ret) {
408  secp256k1_ecdsa_signature_save(signature, &r, &s);
409  } else {
410  memset(signature, 0, sizeof(*signature));
411  }
412  return ret;
413 }
414 
415 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
416  secp256k1_scalar sec;
417  int ret;
418  int overflow;
419  VERIFY_CHECK(ctx != NULL);
420  ARG_CHECK(seckey != NULL);
421 
422  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
423  ret = !overflow && !secp256k1_scalar_is_zero(&sec);
424  secp256k1_scalar_clear(&sec);
425  return ret;
426 }
427 
428 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
429  secp256k1_gej pj;
430  secp256k1_ge p;
431  secp256k1_scalar sec;
432  int overflow;
433  int ret = 0;
434  VERIFY_CHECK(ctx != NULL);
435  ARG_CHECK(pubkey != NULL);
436  memset(pubkey, 0, sizeof(*pubkey));
437  ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
438  ARG_CHECK(seckey != NULL);
439 
440  secp256k1_scalar_set_b32(&sec, seckey, &overflow);
441  ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec));
442  if (ret) {
443  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
444  secp256k1_ge_set_gej(&p, &pj);
445  secp256k1_pubkey_save(pubkey, &p);
446  }
447  secp256k1_scalar_clear(&sec);
448  return ret;
449 }
450 
451 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
452  secp256k1_scalar sec;
453  VERIFY_CHECK(ctx != NULL);
454  ARG_CHECK(seckey != NULL);
455 
456  secp256k1_scalar_set_b32(&sec, seckey, NULL);
457  secp256k1_scalar_negate(&sec, &sec);
458  secp256k1_scalar_get_b32(seckey, &sec);
459 
460  return 1;
461 }
462 
463 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
464  int ret = 0;
465  secp256k1_ge p;
466  VERIFY_CHECK(ctx != NULL);
467  ARG_CHECK(pubkey != NULL);
468 
469  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
470  memset(pubkey, 0, sizeof(*pubkey));
471  if (ret) {
472  secp256k1_ge_neg(&p, &p);
473  secp256k1_pubkey_save(pubkey, &p);
474  }
475  return ret;
476 }
477 
478 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
479  secp256k1_scalar term;
480  secp256k1_scalar sec;
481  int ret = 0;
482  int overflow = 0;
483  VERIFY_CHECK(ctx != NULL);
484  ARG_CHECK(seckey != NULL);
485  ARG_CHECK(tweak != NULL);
486 
487  secp256k1_scalar_set_b32(&term, tweak, &overflow);
488  secp256k1_scalar_set_b32(&sec, seckey, NULL);
489 
490  ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
491  memset(seckey, 0, 32);
492  if (ret) {
493  secp256k1_scalar_get_b32(seckey, &sec);
494  }
495 
496  secp256k1_scalar_clear(&sec);
497  secp256k1_scalar_clear(&term);
498  return ret;
499 }
500 
501 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
502  secp256k1_ge p;
503  secp256k1_scalar term;
504  int ret = 0;
505  int overflow = 0;
506  VERIFY_CHECK(ctx != NULL);
507  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
508  ARG_CHECK(pubkey != NULL);
509  ARG_CHECK(tweak != NULL);
510 
511  secp256k1_scalar_set_b32(&term, tweak, &overflow);
512  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
513  memset(pubkey, 0, sizeof(*pubkey));
514  if (ret) {
515  if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
516  secp256k1_pubkey_save(pubkey, &p);
517  } else {
518  ret = 0;
519  }
520  }
521 
522  return ret;
523 }
524 
525 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
526  secp256k1_scalar factor;
527  secp256k1_scalar sec;
528  int ret = 0;
529  int overflow = 0;
530  VERIFY_CHECK(ctx != NULL);
531  ARG_CHECK(seckey != NULL);
532  ARG_CHECK(tweak != NULL);
533 
534  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
535  secp256k1_scalar_set_b32(&sec, seckey, NULL);
536  ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
537  memset(seckey, 0, 32);
538  if (ret) {
539  secp256k1_scalar_get_b32(seckey, &sec);
540  }
541 
542  secp256k1_scalar_clear(&sec);
543  secp256k1_scalar_clear(&factor);
544  return ret;
545 }
546 
547 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
548  secp256k1_ge p;
549  secp256k1_scalar factor;
550  int ret = 0;
551  int overflow = 0;
552  VERIFY_CHECK(ctx != NULL);
553  ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
554  ARG_CHECK(pubkey != NULL);
555  ARG_CHECK(tweak != NULL);
556 
557  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
558  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
559  memset(pubkey, 0, sizeof(*pubkey));
560  if (ret) {
561  if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
562  secp256k1_pubkey_save(pubkey, &p);
563  } else {
564  ret = 0;
565  }
566  }
567 
568  return ret;
569 }
570 
571 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
572  VERIFY_CHECK(ctx != NULL);
573  if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
574  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
575  }
576  return 1;
577 }
578 
579 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
580  size_t i;
581  secp256k1_gej Qj;
582  secp256k1_ge Q;
583 
584  ARG_CHECK(pubnonce != NULL);
585  memset(pubnonce, 0, sizeof(*pubnonce));
586  ARG_CHECK(n >= 1);
587  ARG_CHECK(pubnonces != NULL);
588 
589  secp256k1_gej_set_infinity(&Qj);
590 
591  for (i = 0; i < n; i++) {
592  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
593  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
594  }
595  if (secp256k1_gej_is_infinity(&Qj)) {
596  return 0;
597  }
598  secp256k1_ge_set_gej(&Q, &Qj);
599  secp256k1_pubkey_save(pubnonce, &Q);
600  return 1;
601 }
602 
603 #ifdef ENABLE_MODULE_ECDH
604 # include "modules/ecdh/main_impl.h"
605 #endif
606 
607 #ifdef ENABLE_MODULE_RECOVERY
608 # include "modules/recovery/main_impl.h"
609 #endif
secp256k1_ecmult_context_is_built
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:67
default_error_callback_fn
static void default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:40
secp256k1_ecdsa_signature_serialize_der
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:270
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
default_illegal_callback
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:35
num_impl.h
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
secp256k1_ec_privkey_negate
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a private key in place.
Definition: secp256k1.c:451
hash_impl.h
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_ecmult_gen_context_clone
static void secp256k1_ecmult_gen_context_clone(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src, const secp256k1_callback *cb)
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_scratch_space_create
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:129
secp256k1_eckey_privkey_tweak_mul
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:336
secp256k1_ec_pubkey_serialize
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:186
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(secp256k1_scratch *scratch)
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:80
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
eckey_impl.h
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_ecdsa_signature_parse_der
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:233
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:157
secp256k1_ec_seckey_verify
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:415
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:19
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
secp256k1_context_struct
Definition: secp256k1.c:52
scratch_impl.h
secp256k1_eckey_pubkey_tweak_add
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, const secp256k1_callback *cb)
default_error_callback
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:46
secp256k1_ecmult_gen_context_clear
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:223
SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:159
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
SECP256K1_FLAGS_TYPE_MASK
#define SECP256K1_FLAGS_TYPE_MASK
All flags&#39; lower 8 bits indicate what they&#39;re for.
Definition: secp256k1.h:158
default_illegal_callback_fn
static void default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:29
secp256k1_nonce_function_rfc6979
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:366
secp256k1_ecdsa_sign
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:369
secp256k1_eckey_pubkey_tweak_mul
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:123
field_impl.h
secp256k1_ge_storage
Definition: group.h:34
secp256k1_context_clone
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copies a secp256k1 context object.
Definition: secp256k1.c:92
secp256k1_ec_pubkey_tweak_mul
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:547
secp256k1_ecmult_context_clone
static void secp256k1_ecmult_context_clone(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src, const secp256k1_callback *cb)
secp256k1_ec_pubkey_combine
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:579
ecmult_impl.h
secp256k1_context_no_precomp_
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:59
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:54
ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:22
secp256k1_ecdsa_verify
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:314
ctx
static secp256k1_context * ctx
Definition: tests.c:46
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ecmult_context_init
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
secp256k1_scratch_space_destroy
void secp256k1_scratch_space_destroy(secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:134
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_ec_pubkey_create
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:428
secp256k1_context_set_error_callback
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:120
secp256k1_context_set_illegal_callback
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:111
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:53
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_eckey_privkey_tweak_add
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_nonce_function_default
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:367
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:13
CHECK
#define CHECK(cond)
Definition: util.h:52
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:55
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:209
SECP256K1_FLAGS_BIT_CONTEXT_SIGN
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:163
EXPECT
#define EXPECT(x, c)
Definition: util.h:42
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_ec_pubkey_negate
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:463
ecmult_gen_impl.h
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
flags
int flags
Definition: bitcoin-tx.cpp:508
main_impl.h
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:67
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
buffer_append
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:331
secp256k1_ec_pubkey_parse
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:171
SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:162
secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:99
secp256k1_ecmult_gen_context_init
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18
main_impl.h
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecmult_const_impl.h
scalar_impl.h
secp256k1_callback_call
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:23
secp256k1_context_destroy
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:101
secp256k1_ecdsa_signature_serialize_compact
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:282
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
count
static int count
Definition: tests.c:45
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:138
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:56
secp256k1_ecmult_context
Definition: ecmult.h:15
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:65
secp256k1_callback::data
const void * data
Definition: util.h:20
secp256k1_scratch_space_struct
Definition: scratch.h:14
secp256k1_ec_pubkey_tweak_add
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:501
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_context_randomize
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:571
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:16
secp256k1_ecmult_context_build
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, const secp256k1_callback *cb)
secp256k1_ec_privkey_tweak_add
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:478
secp256k1_callback
Definition: util.h:18
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:71
group_impl.h
secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
secp256k1_ecmult_context_clear
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
ecdsa_impl.h
SECP256K1_FLAGS_TYPE_COMPRESSION
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:160
secp256k1_ecdsa_signature_parse_compact
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:249
secp256k1_context_create
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object.
Definition: secp256k1.c:67
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_ec_privkey_tweak_mul
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a private key by multiplying it by a tweak.
Definition: secp256k1.c:525
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:66
SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:164
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_ecdsa_signature_normalize
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:295
Generated on Thu Feb 20 2020 20:03:53 for Bitcoin Core by   doxygen 1.8.13