Bitcoin Core  24.99.0
P2P Digital Currency
ecdsa.c
Go to the documentation of this file.
1 /*************************************************************************
2  * Written in 2020-2022 by Elichai Turkel *
3  * To the extent possible under law, the author(s) have dedicated all *
4  * copyright and related and neighboring rights to the software in this *
5  * file to the public domain worldwide. This software is distributed *
6  * without any warranty. For the CC0 Public Domain Dedication, see *
7  * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
8  *************************************************************************/
9 
10 #include <stdio.h>
11 #include <assert.h>
12 #include <string.h>
13 
14 #include <secp256k1.h>
15 
16 #include "random.h"
17 
18 
19 
20 int main(void) {
21  /* Instead of signing the message directly, we must sign a 32-byte hash.
22  * Here the message is "Hello, world!" and the hash function was SHA-256.
23  * An actual implementation should just call SHA-256, but this example
24  * hardcodes the output to avoid depending on an additional library.
25  * See https://bitcoin.stackexchange.com/questions/81115/if-someone-wanted-to-pretend-to-be-satoshi-by-posting-a-fake-signature-to-defrau/81116#81116 */
26  unsigned char msg_hash[32] = {
27  0x31, 0x5F, 0x5B, 0xDB, 0x76, 0xD0, 0x78, 0xC4,
28  0x3B, 0x8A, 0xC0, 0x06, 0x4E, 0x4A, 0x01, 0x64,
29  0x61, 0x2B, 0x1F, 0xCE, 0x77, 0xC8, 0x69, 0x34,
30  0x5B, 0xFC, 0x94, 0xC7, 0x58, 0x94, 0xED, 0xD3,
31  };
32  unsigned char seckey[32];
33  unsigned char randomize[32];
34  unsigned char compressed_pubkey[33];
35  unsigned char serialized_signature[64];
36  size_t len;
37  int is_signature_valid;
38  int return_val;
39  secp256k1_pubkey pubkey;
41  /* The specification in secp256k1.h states that `secp256k1_ec_pubkey_create` needs
42  * a context object initialized for signing and `secp256k1_ecdsa_verify` needs
43  * a context initialized for verification, which is why we create a context
44  * for both signing and verification with the SECP256K1_CONTEXT_SIGN and
45  * SECP256K1_CONTEXT_VERIFY flags. */
47  if (!fill_random(randomize, sizeof(randomize))) {
48  printf("Failed to generate randomness\n");
49  return 1;
50  }
51  /* Randomizing the context is recommended to protect against side-channel
52  * leakage See `secp256k1_context_randomize` in secp256k1.h for more
53  * information about it. This should never fail. */
54  return_val = secp256k1_context_randomize(ctx, randomize);
55  assert(return_val);
56 
57  /*** Key Generation ***/
58 
59  /* If the secret key is zero or out of range (bigger than secp256k1's
60  * order), we try to sample a new key. Note that the probability of this
61  * happening is negligible. */
62  while (1) {
63  if (!fill_random(seckey, sizeof(seckey))) {
64  printf("Failed to generate randomness\n");
65  return 1;
66  }
67  if (secp256k1_ec_seckey_verify(ctx, seckey)) {
68  break;
69  }
70  }
71 
72  /* Public key creation using a valid context with a verified secret key should never fail */
73  return_val = secp256k1_ec_pubkey_create(ctx, &pubkey, seckey);
74  assert(return_val);
75 
76  /* Serialize the pubkey in a compressed form(33 bytes). Should always return 1. */
77  len = sizeof(compressed_pubkey);
78  return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey, &len, &pubkey, SECP256K1_EC_COMPRESSED);
79  assert(return_val);
80  /* Should be the same size as the size of the output, because we passed a 33 byte array. */
81  assert(len == sizeof(compressed_pubkey));
82 
83  /*** Signing ***/
84 
85  /* Generate an ECDSA signature `noncefp` and `ndata` allows you to pass a
86  * custom nonce function, passing `NULL` will use the RFC-6979 safe default.
87  * Signing with a valid context, verified secret key
88  * and the default nonce function should never fail. */
89  return_val = secp256k1_ecdsa_sign(ctx, &sig, msg_hash, seckey, NULL, NULL);
90  assert(return_val);
91 
92  /* Serialize the signature in a compact form. Should always return 1
93  * according to the documentation in secp256k1.h. */
94  return_val = secp256k1_ecdsa_signature_serialize_compact(ctx, serialized_signature, &sig);
95  assert(return_val);
96 
97 
98  /*** Verification ***/
99 
100  /* Deserialize the signature. This will return 0 if the signature can't be parsed correctly. */
101  if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, serialized_signature)) {
102  printf("Failed parsing the signature\n");
103  return 1;
104  }
105 
106  /* Deserialize the public key. This will return 0 if the public key can't be parsed correctly. */
107  if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, compressed_pubkey, sizeof(compressed_pubkey))) {
108  printf("Failed parsing the public key\n");
109  return 1;
110  }
111 
112  /* Verify a signature. This will return 1 if it's valid and 0 if it's not. */
113  is_signature_valid = secp256k1_ecdsa_verify(ctx, &sig, msg_hash, &pubkey);
114 
115  printf("Is the signature valid? %s\n", is_signature_valid ? "true" : "false");
116  printf("Secret Key: ");
117  print_hex(seckey, sizeof(seckey));
118  printf("Public Key: ");
119  print_hex(compressed_pubkey, sizeof(compressed_pubkey));
120  printf("Signature: ");
121  print_hex(serialized_signature, sizeof(serialized_signature));
122 
123 
124  /* This will clear everything from the context and free the memory */
126 
127  /* It's best practice to try to clear secrets from memory after using them.
128  * This is done because some bugs can allow an attacker to leak memory, for
129  * example through "out of bounds" array access (see Heartbleed), Or the OS
130  * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
131  *
132  * TODO: Prevent these writes from being optimized out, as any good compiler
133  * will remove any writes that aren't used. */
134  memset(seckey, 0, sizeof(seckey));
135 
136  return 0;
137 }
int main(void)
Definition: ecdsa.c:20
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1079
static int fill_random(unsigned char *data, size_t size)
Definition: random.h:37
static void print_hex(unsigned char *data, size_t size)
Definition: random.h:66
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:706
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:335
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:246
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:528
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:514
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:228
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:551
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:205
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:400
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:199
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:368
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
static secp256k1_context * ctx
Definition: tests.c:34
assert(!tx.IsCoinBase())