Bitcoin Core 28.99.0
P2P Digital Currency
secp256k1_ellswift.h
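#ifndef SECP256K1_ELLSWIFT_H
#define SECP256K1_ELLSWIFT_H

#include "secp256k1.h"

#ifdef __cplusplus
extern "C" {
#endif

/* This module provides an implementation of ElligatorSwift as well as a
 * version of x-only ECDH using it (including compatibility with BIP324).
 *
 * ElligatorSwift is described in https://eprint.iacr.org/2022/759 by
 * Chavez-Saab, Rodriguez-Henriquez, and Tibouchi. It permits encoding
 * uniformly chosen public keys as 64-byte arrays which are indistinguishable
 * from uniformly random arrays.
 *
 * Let f be the function from pairs of field elements to point X coordinates,
 * defined as follows (all operations modulo p = 2^256 - 2^32 - 977)
 * f(u,t):
 * - Let C = 0xa2d2ba93507f1df233770c2a797962cc61f6d15da14ecd47d8d27ae1cd5f852,
 *   a square root of -3.
 * - If u=0, set u=1 instead.
 * - If t=0, set t=1 instead.
 * - If u^3 + t^2 + 7 = 0, multiply t by 2.
 * - Let X = (u^3 + 7 - t^2) / (2 * t)
 * - Let Y = (X + t) / (C * u)
 * - Return the first in [u + 4 * Y^2, (-X/Y - u) / 2, (X/Y - u) / 2] that is an
 *   X coordinate on the curve (at least one of them is, for any u and t).
 *
 * Then an ElligatorSwift encoding of x consists of the 32-byte big-endian
 * encodings of field elements u and t concatenated, where f(u,t) = x.
 * The encoding algorithm is described in the paper, and effectively picks a
 * uniformly random pair (u,t) among those which encode x.
 *
 * If the Y coordinate is relevant, it is given the same parity as t.
 *
 * Changes w.r.t. the paper:
 * - The u=0, t=0, and u^3+t^2+7=0 conditions result in decoding to the point
 *   at infinity in the paper. Here they are remapped to finite points.
 * - The paper uses an additional encoding bit for the parity of y. Here the
 *   parity of t is used (negating t does not affect the decoded x coordinate,
 *   so this is possible).
 *
 * For mathematical background about the scheme, see the doc/ellswift.md file.
 */

/** A pointer to a function used by secp256k1_ellswift_xdh to hash the shared X
 *  coordinate along with the two encoded public keys.
 *
 *  Returns: an int status.
 *           NOTE(review): the return-value contract is not shown on this page;
 *           presumably 1 means success and 0 makes secp256k1_ellswift_xdh
 *           fail. Confirm against the upstream header before writing a custom
 *           hash function.
 *  Out:     output:  array to be filled by the function. The prototype carries
 *                    no length, so the buffer size is an implicit agreement
 *                    between the hash function and the caller of
 *                    secp256k1_ellswift_xdh.
 *  In:      x32:     the shared X coordinate (32 bytes, per the name)
 *           ell_a64: the 64-byte encoded public key of party A
 *           ell_b64: the 64-byte encoded public key of party B
 *           data:    arbitrary pointer handed through from the caller
 */
typedef int (*secp256k1_ellswift_xdh_hash_function)(
    unsigned char *output,
    const unsigned char *x32,
    const unsigned char *ell_a64,
    const unsigned char *ell_b64,
    void *data
);

/** An implementation of an secp256k1_ellswift_xdh_hash_function which uses
 *  SHA256(prefix64 || ell_a64 || ...).
 *
 *  NOTE(review): the rest of the hashed input is truncated on this page;
 *  presumably ell_b64 and x32 follow, with prefix64 being a 64-byte array
 *  supplied through the data argument. Confirm before relying on it.
 */
SECP256K1_API const secp256k1_ellswift_xdh_hash_function secp256k1_ellswift_xdh_hash_function_prefix;

/** An implementation of an secp256k1_ellswift_xdh_hash_function compatible with
 *  BIP324.
 */
SECP256K1_API const secp256k1_ellswift_xdh_hash_function secp256k1_ellswift_xdh_hash_function_bip324;

/** Construct a 64-byte ElligatorSwift encoding of a given pubkey.
 *
 *  Returns: an int status; this declaration does not carry
 *           SECP256K1_WARN_UNUSED_RESULT.
 *  Args:    ctx:     pointer to a context object (must not be NULL)
 *  Out:     ell64:   pointer to a 64-byte array to be filled (must not be NULL)
 *  In:      pubkey:  pointer to the public key to encode (must not be NULL)
 *           rnd32:   pointer to 32 bytes of randomness (must not be NULL;
 *                    unlike auxrnd32 of secp256k1_ellswift_create it is
 *                    annotated as mandatory)
 *
 *  NOTE(review): the indistinguishability claim in the module comment depends
 *  on the quality of rnd32; presumably it should be unpredictable to an
 *  observer and not a deterministic function of the pubkey. Confirm the exact
 *  requirement in the upstream documentation.
 */
SECP256K1_API int secp256k1_ellswift_encode(
    const secp256k1_context *ctx,
    unsigned char *ell64,
    const secp256k1_pubkey *pubkey,
    const unsigned char *rnd32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Decode a 64-byte ElligatorSwift encoded public key.
 *
 *  Returns: an int status; this declaration does not carry
 *           SECP256K1_WARN_UNUSED_RESULT.
 *  Args:    ctx:     pointer to a context object (must not be NULL)
 *  Out:     pubkey:  pointer to a secp256k1_pubkey that receives the decoded
 *                    key (must not be NULL)
 *  In:      ell64:   pointer to the 64-byte array to decode (must not be NULL)
 *
 *  Per the module comment, every (u,t) pair maps to a finite point, so a
 *  successful decode says nothing about who produced the input: decoding is
 *  not a validity or authenticity check on peer-supplied bytes.
 */
SECP256K1_API int secp256k1_ellswift_decode(
    const secp256k1_context *ctx,
    secp256k1_pubkey *pubkey,
    const unsigned char *ell64
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

/** Compute an ElligatorSwift public key for a secret key.
 *
 *  Returns: an int status that callers must check
 *           (SECP256K1_WARN_UNUSED_RESULT).
 *           NOTE(review): presumably 1 when the secret key was valid and ell64
 *           was written, 0 when the secret key was invalid. Confirm upstream.
 *  Args:    ctx:       pointer to a context object (must not be NULL)
 *  Out:     ell64:     pointer to a 64-byte array to receive the
 *                      ElligatorSwift public key (must not be NULL)
 *  In:      seckey32:  pointer to a 32-byte secret key (must not be NULL)
 *           auxrnd32:  pointer to 32 bytes of auxiliary randomness; carries no
 *                      non-NULL annotation, so it appears to be optional
 *
 *  Do not use ell64 when the call fails: nothing on this page states what the
 *  buffer holds in that case.
 */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ellswift_create(
    const secp256k1_context *ctx,
    unsigned char *ell64,
    const unsigned char *seckey32,
    const unsigned char *auxrnd32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

/** Given a private key, and ElligatorSwift public keys sent in both directions,
 *  compute a shared secret.
 *
 *  Returns: an int status that callers must check
 *           (SECP256K1_WARN_UNUSED_RESULT). The output buffer must not be used
 *           as key material when the call fails.
 *           NOTE(review): presumably 1 on success, 0 when the secret key is
 *           invalid or hashfp reports failure. Confirm upstream.
 *  Args:    ctx:       pointer to a context object (must not be NULL)
 *  Out:     output:    pointer to an array to be filled by hashfp (must not be
 *                      NULL). Its required size is defined by hashfp, not by
 *                      this prototype; size it for the hash function in use.
 *  In:      ell_a64:   pointer to the 64-byte encoded public key of party A
 *                      (must not be NULL)
 *           ell_b64:   pointer to the 64-byte encoded public key of party B
 *                      (must not be NULL)
 *           seckey32:  pointer to our 32-byte secret key (must not be NULL)
 *           party:     selects which party we are.
 *                      NOTE(review): presumably zero for party A and non-zero
 *                      for party B, with seckey32 expected to match that
 *                      party's encoded key; whether the match is verified is
 *                      not visible here. Confirm upstream.
 *           hashfp:    pointer to the hash function applied to the shared X
 *                      coordinate and both encodings (must not be NULL)
 *           data:      arbitrary pointer passed through to hashfp; carries no
 *                      non-NULL annotation
 *
 *  Both encodings are inputs to hashfp, so the two sides must agree on which
 *  key is A and which is B to derive the same secret.
 */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ellswift_xdh(
    const secp256k1_context *ctx,
    unsigned char *output,
    const unsigned char *ell_a64,
    const unsigned char *ell_b64,
    const unsigned char *seckey32,
    int party,
    secp256k1_ellswift_xdh_hash_function hashfp,
    void *data
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7);

#ifdef __cplusplus
}
#endif

#endif /* SECP256K1_ELLSWIFT_H */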
#define SECP256K1_ARG_NONNULL(_x)
Definition: secp256k1.h:176
#define SECP256K1_API
Definition: secp256k1.h:161
#define SECP256K1_WARN_UNUSED_RESULT
Definition: secp256k1.h:171
SECP256K1_API const secp256k1_ellswift_xdh_hash_function secp256k1_ellswift_xdh_hash_function_prefix
An implementation of an secp256k1_ellswift_xdh_hash_function which uses SHA256(prefix64 || ell_a64 ||...
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ellswift_create(const secp256k1_context *ctx, unsigned char *ell64, const unsigned char *seckey32, const unsigned char *auxrnd32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute an ElligatorSwift public key for a secret key.
Definition: main_impl.h:450
SECP256K1_API int secp256k1_ellswift_decode(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *ell64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Decode a 64-bytes ElligatorSwift encoded public key.
Definition: main_impl.h:489
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ellswift_xdh(const secp256k1_context *ctx, unsigned char *output, const unsigned char *ell_a64, const unsigned char *ell_b64, const unsigned char *seckey32, int party, secp256k1_ellswift_xdh_hash_function hashfp, void *data) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7)
Given a private key, and ElligatorSwift public keys sent in both directions, compute a shared secret ...
Definition: main_impl.h:551
int(* secp256k1_ellswift_xdh_hash_function)(unsigned char *output, const unsigned char *x32, const unsigned char *ell_a64, const unsigned char *ell_b64, void *data)
A pointer to a function used by secp256k1_ellswift_xdh to hash the shared X coordinate along with the...
SECP256K1_API const secp256k1_ellswift_xdh_hash_function secp256k1_ellswift_xdh_hash_function_bip324
An implementation of an secp256k1_ellswift_xdh_hash_function compatible with BIP324.
SECP256K1_API int secp256k1_ellswift_encode(const secp256k1_context *ctx, unsigned char *ell64, const secp256k1_pubkey *pubkey, const unsigned char *rnd32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Construct a 64-byte ElligatorSwift encoding of a given pubkey.
Definition: main_impl.h:399
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61