1 /***********************************************************************
2  * Copyright (c) 2020 Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_EXTRAKEYS_MAIN_H
8 #define SECP256K1_MODULE_EXTRAKEYS_MAIN_H
9 
10 #include "../../../include/secp256k1.h"
11 #include "../../../include/secp256k1_extrakeys.h"
12 #include "../../util.h"
13 
15  return secp256k1_pubkey_load(ctx, ge, (const secp256k1_pubkey *) pubkey);
16 }
17 
20 }
21 
/** Parse a 32-byte big-endian X coordinate into an x-only public key.
 *
 *  pubkey is cleared before input32 is ARG_CHECKed, so the caller always
 *  receives a fully written (all-zero) output on failure. The X coordinate is
 *  lifted to the curve point with even Y (the `odd` argument passed to
 *  secp256k1_ge_set_xo_var is 0).
 *
 *  Returns 0 if input32 is rejected by secp256k1_fe_set_b32_limit or if no
 *  curve point has that X coordinate; 1 on success.
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`, the type secp256k1_ge_set_xo_var takes),
 *  the `if (...) {` that opens the final rejection block (only its
 *  `return 0; }` survives; its condition is not visible here), and the line
 *  that saves pk into pubkey before `return 1;`. Consult the original source.
 */
int secp256k1_xonly_pubkey_parse(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) {
    secp256k1_fe x;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(pubkey != NULL);
    /* Zero the output before validating the remaining argument. */
    memset(pubkey, 0, sizeof(*pubkey));
    ARG_CHECK(input32 != NULL);

    /* Reject byte strings the limited field decode does not accept. */
    if (!secp256k1_fe_set_b32_limit(&x, input32)) {
        return 0;
    }
    /* Reject X coordinates with no point on the curve; choose the even-Y lift. */
    if (!secp256k1_ge_set_xo_var(&pk, &x, 0)) {
        return 0;
    }
    /* NOTE(review): the `if (...) {` opening this block is not shown in this listing. */
        return 0;
    }
    /* NOTE(review): the line saving pk into pubkey is not shown in this listing. */
    return 1;
}
43 
/** Serialize an x-only public key as its 32-byte big-endian X coordinate.
 *
 *  output32 is zeroed before pubkey is ARG_CHECKed and before the load, so
 *  every failure path leaves the caller's buffer all zeros. This is the
 *  behaviour secp256k1_xonly_pubkey_cmp relies on (and re-establishes itself).
 *
 *  Returns 0 if pubkey cannot be loaded (pubkey_load ARG_CHECKs an invalid
 *  key), 1 otherwise.
 *
 *  NOTE(review): the local point declaration (presumably `secp256k1_ge pk;`,
 *  the type secp256k1_xonly_pubkey_load takes) is not shown in this rendered
 *  listing.
 */
int secp256k1_xonly_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) {

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(output32 != NULL);
    /* Zero the output before anything that can fail. */
    memset(output32, 0, 32);
    ARG_CHECK(pubkey != NULL);

    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
        return 0;
    }
    /* Only X is emitted; Y is implied by the x-only convention (parse lifts to even Y). */
    secp256k1_fe_get_b32(output32, &pk.x);
    return 1;
}
58 
60  unsigned char out[2][32];
61  const secp256k1_xonly_pubkey* pk[2];
62  int i;
63 
64  VERIFY_CHECK(ctx != NULL);
65  pk[0] = pk0; pk[1] = pk1;
66  for (i = 0; i < 2; i++) {
67  /* If the public key is NULL or invalid, xonly_pubkey_serialize will
68  * call the illegal_callback and return 0. In that case we will
69  * serialize the key as all zeros which is less than any valid public
70  * key. This results in consistent comparisons even if NULL or invalid
71  * pubkeys are involved and prevents edge cases such as sorting
72  * algorithms that use this function and do not terminate as a
73  * result. */
74  if (!secp256k1_xonly_pubkey_serialize(ctx, out[i], pk[i])) {
75  /* Note that xonly_pubkey_serialize should already set the output to
76  * zero in that case, but it's not guaranteed by the API, we can't
77  * test it and writing a VERIFY_CHECK is more complex than
78  * explicitly memsetting (again). */
79  memset(out[i], 0, sizeof(out[i]));
80  }
81  }
82  return secp256k1_memcmp_var(out[0], out[1], sizeof(out[1]));
83 }
84 
89  int y_parity = 0;
91 
92  if (secp256k1_fe_is_odd(&r->y)) {
93  secp256k1_fe_negate(&r->y, &r->y, 1);
94  y_parity = 1;
95  }
96  return y_parity;
97 }
98 
/** Convert a full public key into an x-only public key and, when pk_parity is
 *  non-NULL, report the parity of the original Y coordinate through it.
 *
 *  Unlike secp256k1_xonly_pubkey_parse, xonly_pubkey is not cleared before the
 *  argument checks; callers must not rely on its contents when 0 is returned.
 *  Returns 0 if pubkey cannot be loaded, 1 on success.
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`) and the line that assigns tmp between the
 *  load and `if (pk_parity != NULL)` — tmp would otherwise be read
 *  uninitialized, so an assignment (presumably from
 *  secp256k1_extrakeys_ge_even_y(&pk), which negates the point to even Y and
 *  returns 1 if it did so) exists in the original source.
 */
int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context* ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) {
    int tmp;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(xonly_pubkey != NULL);
    ARG_CHECK(pubkey != NULL);

    if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {
        return 0;
    }
    /* NOTE(review): the assignment to tmp is not shown in this listing. */
    if (pk_parity != NULL) {
        *pk_parity = tmp;
    }
    secp256k1_xonly_pubkey_save(xonly_pubkey, &pk);
    return 1;
}
117 
/** Add the tweak (via secp256k1_ec_pubkey_tweak_add_helper) to the x-only key
 *  internal_pubkey and write the resulting full, not x-only, public key to
 *  output_pubkey.
 *
 *  output_pubkey is zeroed before internal_pubkey and tweak32 are ARG_CHECKed,
 *  so every failure path leaves the output all zeros. Returns 0 if the
 *  internal key cannot be loaded or the tweak helper returns 0, 1 on success.
 *
 *  NOTE(review): the local point declaration (presumably `secp256k1_ge pk;`)
 *  is not shown in this rendered listing.
 */
int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(output_pubkey != NULL);
    /* Zero the output before the remaining checks and before anything can fail. */
    memset(output_pubkey, 0, sizeof(*output_pubkey));
    ARG_CHECK(internal_pubkey != NULL);
    ARG_CHECK(tweak32 != NULL);

    if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
        || !secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32)) {
        return 0;
    }
    /* The tweaked point is stored as a full pubkey: its Y parity is significant. */
    secp256k1_pubkey_save(output_pubkey, &pk);
    return 1;
}
134 
/** Check that (tweaked_pubkey32, tweaked_pk_parity) is what
 *  secp256k1_xonly_pubkey_tweak_add would produce from internal_pubkey and
 *  tweak32, by recomputing the tweaked point and comparing.
 *
 *  All inputs are public, so the variable-time secp256k1_memcmp_var is
 *  acceptable here. tweaked_pk_parity is compared with == against the
 *  recomputed oddness of Y, so it has to be exactly 0 or 1 for a match to be
 *  possible. Returns 1 only if both the X coordinate and the parity match,
 *  0 otherwise (including load or tweak failure).
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`) and the lines between the tweak and the
 *  serialization of pk.x (presumably coordinate normalization — confirm
 *  against the original source).
 */
int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
    unsigned char pk_expected32[32];

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(internal_pubkey != NULL);
    ARG_CHECK(tweaked_pubkey32 != NULL);
    ARG_CHECK(tweak32 != NULL);

    if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
        || !secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32)) {
        return 0;
    }
    /* NOTE(review): lines between the tweak and this serialization are not shown. */
    secp256k1_fe_get_b32(pk_expected32, &pk.x);

    /* Public data only: a variable-time comparison is fine. */
    return secp256k1_memcmp_var(&pk_expected32, tweaked_pubkey32, 32) == 0
        && secp256k1_fe_is_odd(&pk.y) == tweaked_pk_parity;
}
155 
157  secp256k1_scalar_get_b32(&keypair->data[0], sk);
158  secp256k1_pubkey_save((secp256k1_pubkey *)&keypair->data[32], pk);
159 }
160 
161 
163  int ret;
164 
165  ret = secp256k1_scalar_set_b32_seckey(sk, &keypair->data[0]);
166  /* We can declassify ret here because sk is only zero if a keypair function
167  * failed (which zeroes the keypair) and its return value is ignored. */
168  secp256k1_declassify(ctx, &ret, sizeof(ret));
169  ARG_CHECK(ret);
170  return ret;
171 }
172 
173 /* Load a keypair into pk and sk (if non-NULL). This function declassifies pk
174  * and ARG_CHECKs that the keypair is not invalid. It always initializes sk and
175  * pk with dummy values. */
177  int ret;
178  const secp256k1_pubkey *pubkey = (const secp256k1_pubkey *)&keypair->data[32];
179 
180  /* Need to declassify the pubkey because pubkey_load ARG_CHECKs if it's
181  * invalid. */
182  secp256k1_declassify(ctx, pubkey, sizeof(*pubkey));
183  ret = secp256k1_pubkey_load(ctx, pk, pubkey);
184  if (sk != NULL) {
185  ret = ret && secp256k1_keypair_seckey_load(ctx, sk, keypair);
186  }
187  if (!ret) {
189  if (sk != NULL) {
190  *sk = secp256k1_scalar_one;
191  }
192  }
193  return ret;
194 }
195 
/** Derive the keypair (32 secret-key bytes followed by the public key) for
 *  seckey32.
 *
 *  keypair is zeroed before seckey32 is ARG_CHECKed. The public key is
 *  computed and saved unconditionally; secp256k1_memczero is then called with
 *  flag !ret, presumably wiping the keypair again when creation failed so that
 *  an invalid secret key yields an all-zero keypair without branching on the
 *  secret-dependent ret. Returns the result of
 *  secp256k1_ec_pubkey_create_helper (1 on success, 0 otherwise).
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`), one line between the memset and the
 *  seckey32 check, and one line before the return. sk holds secret material
 *  on the stack — presumably that last line is secp256k1_scalar_clear(&sk);
 *  confirm against the original source.
 */
int secp256k1_keypair_create(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *seckey32) {
    secp256k1_scalar sk;
    int ret = 0;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(keypair != NULL);
    /* Zero the output before the remaining checks. */
    memset(keypair, 0, sizeof(*keypair));
    /* NOTE(review): one line of the original is not shown here. */
    ARG_CHECK(seckey32 != NULL);

    ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &sk, &pk, seckey32);
    secp256k1_keypair_save(keypair, &sk, &pk);
    /* Flag-controlled wipe: keypair ends up all zeros when ret == 0. */
    secp256k1_memczero(keypair, sizeof(*keypair), !ret);

    /* NOTE(review): one line of the original (presumably clearing sk) is not shown here. */
    return ret;
}
213 
/** Copy the 32-byte secret key out of a keypair.
 *
 *  seckey is zeroed before keypair is validated, so a failed ARG_CHECK on
 *  keypair (which invokes the illegal callback and returns 0) still leaves
 *  the caller with a fully written, all-zero buffer. The secret key occupies
 *  the first 32 bytes of keypair->data (the public key follows at offset 32);
 *  the copy is a plain memcpy and performs no validation of the key itself.
 *  The caller owns seckey and is responsible for wiping it when done.
 *
 *  Returns 1 on success.
 */
int secp256k1_keypair_sec(const secp256k1_context* ctx, unsigned char *seckey, const secp256k1_keypair *keypair) {
    const size_t seckey_len = 32;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(seckey != NULL);
    /* Clear the output before the keypair argument is checked. */
    memset(seckey, 0, seckey_len);
    ARG_CHECK(keypair != NULL);

    /* Secret key bytes are stored first in the opaque keypair blob. */
    memcpy(seckey, keypair->data, seckey_len);
    return 1;
}
223 
225  VERIFY_CHECK(ctx != NULL);
226  ARG_CHECK(pubkey != NULL);
227  memset(pubkey, 0, sizeof(*pubkey));
228  ARG_CHECK(keypair != NULL);
229 
230  memcpy(pubkey->data, &keypair->data[32], sizeof(*pubkey));
231  return 1;
232 }
233 
/** Extract the x-only public key from keypair and, when pk_parity is
 *  non-NULL, report the parity of the full public key's Y coordinate.
 *
 *  pubkey is zeroed before keypair is ARG_CHECKed. Only the public half is
 *  loaded (the sk argument to secp256k1_keypair_load is NULL), so the secret
 *  key bytes are not read here. Returns 0 if the keypair fails to load,
 *  1 on success.
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`), the assignment to tmp after the load
 *  (tmp would otherwise be read uninitialized; presumably
 *  secp256k1_extrakeys_ge_even_y(&pk)), and the line that saves pk into
 *  pubkey before the return.
 */
int secp256k1_keypair_xonly_pub(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) {
    int tmp;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(pubkey != NULL);
    /* Zero the output before the keypair argument is checked. */
    memset(pubkey, 0, sizeof(*pubkey));
    ARG_CHECK(keypair != NULL);

    /* sk == NULL: load the public key only. */
    if (!secp256k1_keypair_load(ctx, NULL, &pk, keypair)) {
        return 0;
    }
    /* NOTE(review): the assignment to tmp is not shown in this listing. */
    if (pk_parity != NULL) {
        *pk_parity = tmp;
    }
    /* NOTE(review): the line saving pk into pubkey is not shown in this listing. */

    return 1;
}
254 
/** Tweak keypair in place: add tweak32 to the secret key — after negating it
 *  if the public key had odd Y, so the secret matches the even-Y x-only
 *  point — and update the public key accordingly.
 *
 *  keypair is zeroed immediately after it is loaded and only rewritten when
 *  every step succeeded, so a failed call leaves it all zeros. ret is combined
 *  with `&=` rather than `&&`, so the tweak helper runs even when the load
 *  failed, and ret is declassified before it is branched on.
 *  Returns 1 on success, 0 otherwise.
 *
 *  NOTE(review): this rendered listing omits the local point declaration
 *  (presumably `secp256k1_ge pk;`), the line after the secret-key tweak that
 *  tweaks the public point (presumably
 *  `ret &= secp256k1_ec_pubkey_tweak_add_helper(&pk, tweak32);`, as the
 *  sibling secp256k1_xonly_pubkey_tweak_add does), and one line before the
 *  return — sk holds secret material, presumably secp256k1_scalar_clear(&sk).
 *  Confirm against the original source.
 */
int secp256k1_keypair_xonly_tweak_add(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) {
    secp256k1_scalar sk;
    int y_parity;
    int ret;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(keypair != NULL);
    ARG_CHECK(tweak32 != NULL);

    ret = secp256k1_keypair_load(ctx, &sk, &pk, keypair);
    /* Clear the caller's keypair now; it is only rewritten on full success. */
    memset(keypair, 0, sizeof(*keypair));

    /* Force even Y; negate sk so it still corresponds to the (possibly negated) point. */
    y_parity = secp256k1_extrakeys_ge_even_y(&pk);
    if (y_parity == 1) {
        secp256k1_scalar_negate(&sk, &sk);
    }

    /* `&=` (not `&&`): the helper runs regardless of the load result. */
    ret &= secp256k1_ec_seckey_tweak_add_helper(&sk, tweak32);
    /* NOTE(review): the public-point tweak line is not shown in this listing. */

    /* ret may depend on secret data; declassify before branching on it. */
    secp256k1_declassify(ctx, &ret, sizeof(ret));
    if (ret) {
        secp256k1_keypair_save(keypair, &sk, &pk);
    }

    /* NOTE(review): the line clearing sk is not shown in this listing. */
    return ret;
}
284 
285 #endif