Bitcoin Core  27.99.0
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 /* This is a C project. It should not be compiled with a C++ compiler,
8  * and we error out if we detect one.
9  *
10  * We still want to be able to test the project with a C++ compiler
11  * because it is still good to know if this will lead to real trouble, so
12  * there is a possibility to override the check. But be warned that
13  * compiling with a C++ compiler is not supported. */
14 #if defined(__cplusplus) && !defined(SECP256K1_CPLUSPLUS_TEST_OVERRIDE)
15 #error Trying to compile a C project with a C++ compiler.
16 #endif
17 
18 #define SECP256K1_BUILD
19 
20 #include "../include/secp256k1.h"
21 #include "../include/secp256k1_preallocated.h"
22 
23 #include "assumptions.h"
24 #include "checkmem.h"
25 #include "util.h"
26 
27 #include "field_impl.h"
28 #include "scalar_impl.h"
29 #include "group_impl.h"
30 #include "ecmult_impl.h"
31 #include "ecmult_const_impl.h"
32 #include "ecmult_gen_impl.h"
33 #include "ecdsa_impl.h"
34 #include "eckey_impl.h"
35 #include "hash_impl.h"
36 #include "int128_impl.h"
37 #include "scratch_impl.h"
38 #include "selftest.h"
39 
40 #ifdef SECP256K1_NO_BUILD
41 # error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c"
42 #endif
43 
44 #define ARG_CHECK(cond) do { \
45  if (EXPECT(!(cond), 0)) { \
46  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
47  return 0; \
48  } \
49 } while(0)
50 
51 #define ARG_CHECK_VOID(cond) do { \
52  if (EXPECT(!(cond), 0)) { \
53  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
54  return; \
55  } \
56 } while(0)
57 
58 /* Note that whenever you change the context struct, you must also change the
59  * context_eq function. */
65 };
66 
68  { 0 },
71  0
72 };
75 
76 /* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof.
77  *
78  * This is intended for "context" functions such as secp256k1_context_clone. Function which need specific
79  * features of a context should still check for these features directly. For example, a function that needs
80  * ecmult_gen should directly check for the existence of the ecmult_gen context. */
83 }
84 
85 void secp256k1_selftest(void) {
87  secp256k1_callback_call(&default_error_callback, "self test failed");
88  }
89 }
90 
92  size_t ret = sizeof(secp256k1_context);
93  /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
94  VERIFY_CHECK(ret != 0);
95 
98  "Invalid flags");
99  return 0;
100  }
101 
104  "Declassify flag requires running with memory checking");
105  return 0;
106  }
107 
108  return ret;
109 }
110 
112  VERIFY_CHECK(ctx != NULL);
114  return sizeof(secp256k1_context);
115 }
116 
118  size_t prealloc_size;
120 
122 
124  if (prealloc_size == 0) {
125  return NULL;
126  }
127  VERIFY_CHECK(prealloc != NULL);
128  ret = (secp256k1_context*)prealloc;
129  ret->illegal_callback = default_illegal_callback;
130  ret->error_callback = default_error_callback;
131 
132  /* Flags have been checked by secp256k1_context_preallocated_size. */
134  secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx);
136 
137  return ret;
138 }
139 
141  size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
143  if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
144  free(ctx);
145  return NULL;
146  }
147 
148  return ctx;
149 }
150 
153  VERIFY_CHECK(ctx != NULL);
154  ARG_CHECK(prealloc != NULL);
156 
157  ret = (secp256k1_context*)prealloc;
158  *ret = *ctx;
159  return ret;
160 }
161 
164  size_t prealloc_size;
165 
166  VERIFY_CHECK(ctx != NULL);
168 
169  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
170  ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
172  return ret;
173 }
174 
176  ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx));
177 
178  /* Defined as noop */
179  if (ctx == NULL) {
180  return;
181  }
182 
184 }
185 
187  ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx));
188 
189  /* Defined as noop */
190  if (ctx == NULL) {
191  return;
192  }
193 
195  free(ctx);
196 }
197 
198 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
199  /* We compare pointers instead of checking secp256k1_context_is_proper() here
200  because setting callbacks is allowed on *copies* of the static context:
201  it's harmless and makes testing easier. */
203  if (fun == NULL) {
205  }
206  ctx->illegal_callback.fn = fun;
207  ctx->illegal_callback.data = data;
208 }
209 
210 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
211  /* We compare pointers instead of checking secp256k1_context_is_proper() here
212  because setting callbacks is allowed on *copies* of the static context:
213  it's harmless and makes testing easier. */
215  if (fun == NULL) {
217  }
218  ctx->error_callback.fn = fun;
219  ctx->error_callback.data = data;
220 }
221 
223  VERIFY_CHECK(ctx != NULL);
224  return secp256k1_scratch_create(&ctx->error_callback, max_size);
225 }
226 
228  VERIFY_CHECK(ctx != NULL);
230 }
231 
232 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
233  * of the software.
234  */
235 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
236  if (EXPECT(ctx->declassify, 0)) SECP256K1_CHECKMEM_DEFINE(p, len);
237 }
238 
239 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
240  if (sizeof(secp256k1_ge_storage) == 64) {
241  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
242  * representation inside secp256k1_pubkey, as conversion is very fast.
243  * Note that secp256k1_pubkey_save must use the same representation. */
245  memcpy(&s, &pubkey->data[0], sizeof(s));
247  } else {
248  /* Otherwise, fall back to 32-byte big endian for X and Y. */
249  secp256k1_fe x, y;
251  ARG_CHECK(secp256k1_fe_set_b32_limit(&y, pubkey->data + 32));
252  secp256k1_ge_set_xy(ge, &x, &y);
253  }
255  return 1;
256 }
257 
259  if (sizeof(secp256k1_ge_storage) == 64) {
261  secp256k1_ge_to_storage(&s, ge);
262  memcpy(&pubkey->data[0], &s, sizeof(s));
263  } else {
267  secp256k1_fe_get_b32(pubkey->data, &ge->x);
268  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
269  }
270 }
271 
272 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
273  secp256k1_ge Q;
274 
275  VERIFY_CHECK(ctx != NULL);
276  ARG_CHECK(pubkey != NULL);
277  memset(pubkey, 0, sizeof(*pubkey));
278  ARG_CHECK(input != NULL);
279  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
280  return 0;
281  }
283  return 0;
284  }
285  secp256k1_pubkey_save(pubkey, &Q);
286  secp256k1_ge_clear(&Q);
287  return 1;
288 }
289 
290 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
291  secp256k1_ge Q;
292  size_t len;
293  int ret = 0;
294 
295  VERIFY_CHECK(ctx != NULL);
296  ARG_CHECK(outputlen != NULL);
297  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
298  len = *outputlen;
299  *outputlen = 0;
300  ARG_CHECK(output != NULL);
301  memset(output, 0, len);
302  ARG_CHECK(pubkey != NULL);
304  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
306  if (ret) {
307  *outputlen = len;
308  }
309  }
310  return ret;
311 }
312 
313 int secp256k1_ec_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey0, const secp256k1_pubkey* pubkey1) {
314  unsigned char out[2][33];
315  const secp256k1_pubkey* pk[2];
316  int i;
317 
318  VERIFY_CHECK(ctx != NULL);
319  pk[0] = pubkey0; pk[1] = pubkey1;
320  for (i = 0; i < 2; i++) {
321  size_t out_size = sizeof(out[i]);
322  /* If the public key is NULL or invalid, ec_pubkey_serialize will call
323  * the illegal_callback and return 0. In that case we will serialize the
324  * key as all zeros which is less than any valid public key. This
325  * results in consistent comparisons even if NULL or invalid pubkeys are
326  * involved and prevents edge cases such as sorting algorithms that use
327  * this function and do not terminate as a result. */
328  if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) {
329  /* Note that ec_pubkey_serialize should already set the output to
330  * zero in that case, but it's not guaranteed by the API, we can't
331  * test it and writing a VERIFY_CHECK is more complex than
332  * explicitly memsetting (again). */
333  memset(out[i], 0, sizeof(out[i]));
334  }
335  }
336  return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
337 }
338 
340  (void)ctx;
341  if (sizeof(secp256k1_scalar) == 32) {
342  /* When the secp256k1_scalar type is exactly 32 byte, use its
343  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
344  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
345  memcpy(r, &sig->data[0], 32);
346  memcpy(s, &sig->data[32], 32);
347  } else {
348  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
349  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
350  }
351 }
352 
354  if (sizeof(secp256k1_scalar) == 32) {
355  memcpy(&sig->data[0], r, 32);
356  memcpy(&sig->data[32], s, 32);
357  } else {
358  secp256k1_scalar_get_b32(&sig->data[0], r);
359  secp256k1_scalar_get_b32(&sig->data[32], s);
360  }
361 }
362 
363 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
364  secp256k1_scalar r, s;
365 
366  VERIFY_CHECK(ctx != NULL);
367  ARG_CHECK(sig != NULL);
368  ARG_CHECK(input != NULL);
369 
370  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
371  secp256k1_ecdsa_signature_save(sig, &r, &s);
372  return 1;
373  } else {
374  memset(sig, 0, sizeof(*sig));
375  return 0;
376  }
377 }
378 
379 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
380  secp256k1_scalar r, s;
381  int ret = 1;
382  int overflow = 0;
383 
384  VERIFY_CHECK(ctx != NULL);
385  ARG_CHECK(sig != NULL);
386  ARG_CHECK(input64 != NULL);
387 
388  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
389  ret &= !overflow;
390  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
391  ret &= !overflow;
392  if (ret) {
393  secp256k1_ecdsa_signature_save(sig, &r, &s);
394  } else {
395  memset(sig, 0, sizeof(*sig));
396  }
397  return ret;
398 }
399 
400 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
401  secp256k1_scalar r, s;
402 
403  VERIFY_CHECK(ctx != NULL);
404  ARG_CHECK(output != NULL);
405  ARG_CHECK(outputlen != NULL);
406  ARG_CHECK(sig != NULL);
407 
408  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
409  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
410 }
411 
413  secp256k1_scalar r, s;
414 
415  VERIFY_CHECK(ctx != NULL);
416  ARG_CHECK(output64 != NULL);
417  ARG_CHECK(sig != NULL);
418 
419  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
420  secp256k1_scalar_get_b32(&output64[0], &r);
421  secp256k1_scalar_get_b32(&output64[32], &s);
422  return 1;
423 }
424 
426  secp256k1_scalar r, s;
427  int ret = 0;
428 
429  VERIFY_CHECK(ctx != NULL);
430  ARG_CHECK(sigin != NULL);
431 
432  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
434  if (sigout != NULL) {
435  if (ret) {
436  secp256k1_scalar_negate(&s, &s);
437  }
438  secp256k1_ecdsa_signature_save(sigout, &r, &s);
439  }
440 
441  return ret;
442 }
443 
444 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
445  secp256k1_ge q;
446  secp256k1_scalar r, s;
448  VERIFY_CHECK(ctx != NULL);
449  ARG_CHECK(msghash32 != NULL);
450  ARG_CHECK(sig != NULL);
451  ARG_CHECK(pubkey != NULL);
452 
453  secp256k1_scalar_set_b32(&m, msghash32, NULL);
454  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
455  return (!secp256k1_scalar_is_high(&s) &&
456  secp256k1_pubkey_load(ctx, &q, pubkey) &&
457  secp256k1_ecdsa_sig_verify(&r, &s, &q, &m));
458 }
459 
460 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
461  memcpy(buf + *offset, data, len);
462  *offset += len;
463 }
464 
465 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
466  unsigned char keydata[112];
467  unsigned int offset = 0;
469  unsigned int i;
471  unsigned char msgmod32[32];
472  secp256k1_scalar_set_b32(&msg, msg32, NULL);
473  secp256k1_scalar_get_b32(msgmod32, &msg);
474  /* We feed a byte array to the PRNG as input, consisting of:
475  * - the private key (32 bytes) and reduced message (32 bytes), see RFC 6979 3.2d.
476  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
477  * - optionally 16 extra bytes with the algorithm name.
478  * Because the arguments have distinct fixed lengths it is not possible for
479  * different argument mixtures to emulate each other and result in the same
480  * nonces.
481  */
482  buffer_append(keydata, &offset, key32, 32);
483  buffer_append(keydata, &offset, msgmod32, 32);
484  if (data != NULL) {
485  buffer_append(keydata, &offset, data, 32);
486  }
487  if (algo16 != NULL) {
488  buffer_append(keydata, &offset, algo16, 16);
489  }
490  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
491  memset(keydata, 0, sizeof(keydata));
492  for (i = 0; i <= counter; i++) {
493  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
494  }
496  return 1;
497 }
498 
501 
502 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
503  secp256k1_scalar sec, non, msg;
504  int ret = 0;
505  int is_sec_valid;
506  unsigned char nonce32[32];
507  unsigned int count = 0;
508  /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
511  if (recid) {
512  *recid = 0;
513  }
514  if (noncefp == NULL) {
516  }
517 
518  /* Fail if the secret key is invalid. */
519  is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
520  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
521  secp256k1_scalar_set_b32(&msg, msg32, NULL);
522  while (1) {
523  int is_nonce_valid;
524  ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
525  if (!ret) {
526  break;
527  }
528  is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
529  /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
530  secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
531  if (is_nonce_valid) {
532  ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
533  /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
534  secp256k1_declassify(ctx, &ret, sizeof(ret));
535  if (ret) {
536  break;
537  }
538  }
539  count++;
540  }
541  /* We don't want to declassify is_sec_valid and therefore the range of
542  * seckey. As a result is_sec_valid is included in ret only after ret was
543  * used as a branching variable. */
544  ret &= is_sec_valid;
545  memset(nonce32, 0, 32);
551  if (recid) {
552  const int zero = 0;
553  secp256k1_int_cmov(recid, &zero, !ret);
554  }
555  return ret;
556 }
557 
558 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
559  secp256k1_scalar r, s;
560  int ret;
561  VERIFY_CHECK(ctx != NULL);
563  ARG_CHECK(msghash32 != NULL);
564  ARG_CHECK(signature != NULL);
565  ARG_CHECK(seckey != NULL);
566 
567  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
568  secp256k1_ecdsa_signature_save(signature, &r, &s);
569  return ret;
570 }
571 
572 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
573  secp256k1_scalar sec;
574  int ret;
575  VERIFY_CHECK(ctx != NULL);
576  ARG_CHECK(seckey != NULL);
577 
578  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
580  return ret;
581 }
582 
583 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
584  secp256k1_gej pj;
585  int ret;
586 
587  ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
589 
590  secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
591  secp256k1_ge_set_gej(p, &pj);
592  return ret;
593 }
594 
595 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
596  secp256k1_ge p;
597  secp256k1_scalar seckey_scalar;
598  int ret = 0;
599  VERIFY_CHECK(ctx != NULL);
600  ARG_CHECK(pubkey != NULL);
601  memset(pubkey, 0, sizeof(*pubkey));
603  ARG_CHECK(seckey != NULL);
604 
605  ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
606  secp256k1_pubkey_save(pubkey, &p);
607  secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
608 
609  secp256k1_scalar_clear(&seckey_scalar);
610  return ret;
611 }
612 
613 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
614  secp256k1_scalar sec;
615  int ret = 0;
616  VERIFY_CHECK(ctx != NULL);
617  ARG_CHECK(seckey != NULL);
618 
619  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
621  secp256k1_scalar_negate(&sec, &sec);
622  secp256k1_scalar_get_b32(seckey, &sec);
623 
625  return ret;
626 }
627 
628 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
629  return secp256k1_ec_seckey_negate(ctx, seckey);
630 }
631 
633  int ret = 0;
634  secp256k1_ge p;
635  VERIFY_CHECK(ctx != NULL);
636  ARG_CHECK(pubkey != NULL);
637 
638  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
639  memset(pubkey, 0, sizeof(*pubkey));
640  if (ret) {
641  secp256k1_ge_neg(&p, &p);
642  secp256k1_pubkey_save(pubkey, &p);
643  }
644  return ret;
645 }
646 
647 
648 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
649  secp256k1_scalar term;
650  int overflow = 0;
651  int ret = 0;
652 
653  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
654  ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
655  secp256k1_scalar_clear(&term);
656  return ret;
657 }
658 
659 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
660  secp256k1_scalar sec;
661  int ret = 0;
662  VERIFY_CHECK(ctx != NULL);
663  ARG_CHECK(seckey != NULL);
664  ARG_CHECK(tweak32 != NULL);
665 
666  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
667  ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
669  secp256k1_scalar_get_b32(seckey, &sec);
670 
672  return ret;
673 }
674 
675 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
676  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
677 }
678 
679 static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) {
680  secp256k1_scalar term;
681  int overflow = 0;
682  secp256k1_scalar_set_b32(&term, tweak32, &overflow);
683  return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term);
684 }
685 
686 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
687  secp256k1_ge p;
688  int ret = 0;
689  VERIFY_CHECK(ctx != NULL);
690  ARG_CHECK(pubkey != NULL);
691  ARG_CHECK(tweak32 != NULL);
692 
693  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
694  memset(pubkey, 0, sizeof(*pubkey));
695  ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32);
696  if (ret) {
697  secp256k1_pubkey_save(pubkey, &p);
698  }
699 
700  return ret;
701 }
702 
703 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
704  secp256k1_scalar factor;
705  secp256k1_scalar sec;
706  int ret = 0;
707  int overflow = 0;
708  VERIFY_CHECK(ctx != NULL);
709  ARG_CHECK(seckey != NULL);
710  ARG_CHECK(tweak32 != NULL);
711 
712  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
713  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
714  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
716  secp256k1_scalar_get_b32(seckey, &sec);
717 
719  secp256k1_scalar_clear(&factor);
720  return ret;
721 }
722 
723 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
724  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
725 }
726 
727 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
728  secp256k1_ge p;
729  secp256k1_scalar factor;
730  int ret = 0;
731  int overflow = 0;
732  VERIFY_CHECK(ctx != NULL);
733  ARG_CHECK(pubkey != NULL);
734  ARG_CHECK(tweak32 != NULL);
735 
736  secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
737  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
738  memset(pubkey, 0, sizeof(*pubkey));
739  if (ret) {
740  if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) {
741  secp256k1_pubkey_save(pubkey, &p);
742  } else {
743  ret = 0;
744  }
745  }
746 
747  return ret;
748 }
749 
750 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
751  VERIFY_CHECK(ctx != NULL);
753 
756  }
757  return 1;
758 }
759 
760 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
761  size_t i;
762  secp256k1_gej Qj;
763  secp256k1_ge Q;
764 
765  VERIFY_CHECK(ctx != NULL);
766  ARG_CHECK(pubnonce != NULL);
767  memset(pubnonce, 0, sizeof(*pubnonce));
768  ARG_CHECK(n >= 1);
769  ARG_CHECK(pubnonces != NULL);
770 
772 
773  for (i = 0; i < n; i++) {
774  ARG_CHECK(pubnonces[i] != NULL);
775  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
776  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
777  }
778  if (secp256k1_gej_is_infinity(&Qj)) {
779  return 0;
780  }
781  secp256k1_ge_set_gej(&Q, &Qj);
782  secp256k1_pubkey_save(pubnonce, &Q);
783  return 1;
784 }
785 
786 int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
787  secp256k1_sha256 sha;
788  VERIFY_CHECK(ctx != NULL);
789  ARG_CHECK(hash32 != NULL);
790  ARG_CHECK(tag != NULL);
791  ARG_CHECK(msg != NULL);
792 
793  secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
794  secp256k1_sha256_write(&sha, msg, msglen);
795  secp256k1_sha256_finalize(&sha, hash32);
796  return 1;
797 }
798 
799 #ifdef ENABLE_MODULE_ECDH
800 # include "modules/ecdh/main_impl.h"
801 #endif
802 
803 #ifdef ENABLE_MODULE_RECOVERY
805 #endif
806 
807 #ifdef ENABLE_MODULE_EXTRAKEYS
809 #endif
810 
811 #ifdef ENABLE_MODULE_SCHNORRSIG
813 #endif
814 
815 #ifdef ENABLE_MODULE_ELLSWIFT
817 #endif
int ret
int flags
Definition: bitcoin-tx.cpp:530
#define SECP256K1_CHECKMEM_DEFINE(p, len)
Definition: checkmem.h:84
#define SECP256K1_CHECKMEM_RUNNING()
Definition: checkmem.h:86
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_is_zero
Definition: field.h:85
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
#define secp256k1_fe_get_b32
Definition: field.h:90
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
#define EXPECT(x, c)
Definition: util.h:26
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:142
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:212
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:226
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
static const secp256k1_callback default_error_callback
Definition: util.h:97
#define SECP256K1_INLINE
Definition: util.h:48
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
#define VERIFY_CHECK(cond)
Definition: util.h:139
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:193
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:72
static const secp256k1_callback default_illegal_callback
Definition: util.h:92
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:675
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:628
const secp256k1_nonce_function secp256k1_nonce_function_default
Definition: secp256k1.c:500
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
Definition: secp256k1.c:499
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:786
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:686
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:222
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
Definition: secp256k1.c:648
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:703
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
const secp256k1_context * secp256k1_context_static
Definition: secp256k1.c:73
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:572
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:659
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
#define ARG_CHECK(cond)
Definition: secp256k1.c:44
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:583
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:235
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:613
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:760
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:460
static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32)
Definition: secp256k1.c:679
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:750
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:595
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:227
static const secp256k1_context secp256k1_context_static_
Definition: secp256k1.c:67
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:727
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:558
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:632
#define ARG_CHECK_VOID(cond)
Definition: secp256k1.c:51
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:723
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:502
struct secp256k1_context_struct secp256k1_context
Unless explicitly stated all pointer arguments must not be NULL.
Definition: secp256k1.h:50
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:200
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:107
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:215
#define SECP256K1_FLAGS_TYPE_MASK
Definition: secp256k1.h:194
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:201
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:195
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:196
static int secp256k1_selftest_passes(void)
Definition: selftest.h:28
void(* fn)(const char *text, void *data)
Definition: util.h:68
const void * data
Definition: util.h:69
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
unsigned char data[64]
Definition: secp256k1.h:88
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
unsigned char data[64]
Definition: secp256k1.h:75
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static int count