ABC/schnorr__impl_8h_source.html

 /***********************************************************************

  * Copyright (c) 2017 Amaury SÉCHET                                    *

  * Distributed under the MIT software license, see the accompanying    *

  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*

  ***********************************************************************/


 #ifndef SECP256K1_MODULE_SCHNORR_IMPL_H

 #define SECP256K1_MODULE_SCHNORR_IMPL_H


 #include <string.h>


 #include "schnorr.h"

 #include "field.h"

 #include "group.h"

 #include "hash.h"

 #include "ecmult.h"

 #include "ecmult_gen.h"


 static int secp256k1_schnorr_sig_verify(

     const secp256k1_ecmult_context* ctx,

     const unsigned char *sig64,

     secp256k1_ge *pubkey,

     const unsigned char *msg32

 ) {

     secp256k1_gej Pj, Rj;

     secp256k1_fe Rx;

     secp256k1_scalar e, s;

     int overflow;


     VERIFY_CHECK(!secp256k1_ge_is_infinity(pubkey));


     /* Extract s */

     overflow = 0;

     secp256k1_scalar_set_b32(&s, sig64 + 32, &overflow);

     if (overflow) {

         return 0;

     }


     /* Extract R.x */

     if (!secp256k1_fe_set_b32(&Rx, sig64)) {

         return 0;

     }


     /* Compute e */

     secp256k1_schnorr_compute_e(&e, sig64, pubkey, msg32);


     /* Verify the signature */

     secp256k1_scalar_negate(&e, &e);

     secp256k1_gej_set_ge(&Pj, pubkey);

     secp256k1_ecmult(ctx, &Rj, &Pj, &e, &s);

     if (secp256k1_gej_is_infinity(&Rj)) {

         return 0;

     }


     /* Check that R.x is what we expect */

     if (!secp256k1_gej_eq_x_var(&Rx, &Rj)) {

         return 0;

     }


     /* Check that jacobi(R.y) is 1 */

     if (!secp256k1_gej_has_quad_y_var(&Rj)) {

         return 0;

     }


     /* All good, we have a valid signature. */

     return 1;

 }


 static int secp256k1_schnorr_compute_e(

     secp256k1_scalar* e,

     const unsigned char *r,

     secp256k1_ge *p,

     const unsigned char *msg32

 ) {

     int overflow = 0;

     size_t size = 0;

     secp256k1_sha256 sha;

     unsigned char buf[33];

     secp256k1_sha256_initialize(&sha);


     /* R.x */

     secp256k1_sha256_write(&sha, r, 32);


     /* compressed P */

     secp256k1_eckey_pubkey_serialize(p, buf, &size, 1);

     VERIFY_CHECK(size == 33);

     secp256k1_sha256_write(&sha, buf, 33);


     /* msg */

     secp256k1_sha256_write(&sha, msg32, 32);


     /* compute e */

     secp256k1_sha256_finalize(&sha, buf);

     secp256k1_scalar_set_b32(e, buf, &overflow);

     return !overflow & !secp256k1_scalar_is_zero(e);

 }


 static int secp256k1_schnorr_sig_sign(

     const secp256k1_context* ctx,

     unsigned char *sig64,

     const unsigned char *msg32,

     const secp256k1_scalar *privkey,

     secp256k1_ge *pubkey,

     secp256k1_nonce_function noncefp,

     const void *ndata

 ) {

     secp256k1_ge R;

     secp256k1_gej Rj;

     secp256k1_scalar k, e, s;

     ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));


     VERIFY_CHECK(!secp256k1_scalar_is_zero(privkey));

     VERIFY_CHECK(!secp256k1_ge_is_infinity(pubkey));


     if (!secp256k1_schnorr_sig_generate_k(ctx, &k, msg32, privkey, noncefp, ndata)) {

         return 0;

     }


     /* Compute R */

     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Rj, &k);

     secp256k1_ge_set_gej(&R, &Rj);


     /*

      * We declassify R to allow using it as a branch point.

      * This is fine because R is not a secret.

      */

     secp256k1_declassify(ctx, &R, sizeof(R));

     secp256k1_scalar_cond_negate(&k, !secp256k1_fe_is_quad_var(&R.y));


     /* Compute the signature. */

     secp256k1_fe_normalize(&R.x);

     secp256k1_fe_get_b32(sig64, &R.x);

     secp256k1_schnorr_compute_e(&e, sig64, pubkey, msg32);

     secp256k1_scalar_mul(&s, &e, privkey);

     secp256k1_scalar_add(&s, &s, &k);

     secp256k1_scalar_get_b32(sig64 + 32, &s);


     /* Cleanup locals that may contain private data. */

     secp256k1_scalar_clear(&k);

     return 1;

 }


 static int secp256k1_schnorr_sig_generate_k(

     const secp256k1_context* ctx,

     secp256k1_scalar *k,

     const unsigned char *msg32,

     const secp256k1_scalar *privkey,

     secp256k1_nonce_function noncefp,

     const void *ndata

 ) {

     int ret = 0;

     unsigned int count = 0;

     unsigned char nonce32[32], seckey[32];


     /* Seed used to make sure we generate different values of k for schnorr */

     const unsigned char secp256k1_schnorr_algo16[17] = "Schnorr+SHA256  ";


     if (noncefp == NULL) {

         noncefp = secp256k1_nonce_function_default;

     }


     secp256k1_scalar_get_b32(seckey, privkey);

     while (1) {

         int overflow;

         ret = noncefp(nonce32, msg32, seckey, secp256k1_schnorr_algo16, (void*)ndata, count++);

         if (!ret) {

             break;

         }


         secp256k1_scalar_set_b32(k, nonce32, &overflow);

         overflow |= secp256k1_scalar_is_zero(k);

         /* The nonce is still secret here, but it overflowing or being zero is is less likely than 1:2^255. */

         secp256k1_declassify(ctx, &overflow, sizeof(overflow));

         if (!overflow) {

             break;

         }


         secp256k1_scalar_clear(k);

     }


     /* Cleanup locals that may contain private data. */

     memset(seckey, 0, 32);

     memset(nonce32, 0, 32);

     return ret;

 }


 #endif

ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12

secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)

ecmult.h

secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.

ecmult_gen.h

secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.

secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)

field.h

secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.

secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.

secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.

secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.

group.h

secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.

secp256k1_gej_eq_x_var
static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a)
Compare the X coordinate of a group element (jacobian).

secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.

secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.

secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.

secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.

secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.

secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.

secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.

secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.

secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).

secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).

secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).

secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.

schnorr.h

secp256k1_schnorr_sig_verify
static int secp256k1_schnorr_sig_verify(const secp256k1_ecmult_context *ctx, const unsigned char *sig64, secp256k1_ge *pubkey, const unsigned char *msg32)
Custom Schnorr-based signature scheme.
Definition: schnorr_impl.h:51

secp256k1_schnorr_compute_e
static int secp256k1_schnorr_compute_e(secp256k1_scalar *e, const unsigned char *r, secp256k1_ge *p, const unsigned char *msg32)
Definition: schnorr_impl.h:101

secp256k1_schnorr_sig_sign
static int secp256k1_schnorr_sig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_scalar *privkey, secp256k1_ge *pubkey, secp256k1_nonce_function noncefp, const void *ndata)
Definition: schnorr_impl.h:130

secp256k1_schnorr_sig_generate_k
static int secp256k1_schnorr_sig_generate_k(const secp256k1_context *ctx, secp256k1_scalar *k, const unsigned char *msg32, const secp256k1_scalar *privkey, secp256k1_nonce_function noncefp, const void *ndata)
Definition: schnorr_impl.h:176

secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)

secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)

secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)

VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68

ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:28

secp256k1_declassify
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235

secp256k1_nonce_function_default
SECP256K1_API const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:477

secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:100

string.h

secp256k1_context_struct
Definition: secp256k1.c:69

secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71

secp256k1_ecmult_context
Definition: ecmult.h:14

secp256k1_fe
Definition: field_10x26.h:12

secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13

secp256k1_ge::x
secp256k1_fe x
Definition: group.h:14

secp256k1_ge::y
secp256k1_fe y
Definition: group.h:15

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_sha256
Definition: hash.h:13

count
static int count
Definition: tests.c:31