main_impl.h File Reference

#include "../../../include/secp256k1.h"
#include "../../../include/secp256k1_schnorrsig.h"
#include "../../hash.h"

Include dependency graph for main_impl.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
int	secp256k1_schnorrsig_sign32 (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32)
int	secp256k1_schnorrsig_sign (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32)
int	secp256k1_schnorrsig_sign_custom (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams)
int	secp256k1_schnorrsig_verify (const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey)

Variables
const secp256k1_nonce_function_hardened	secp256k1_nonce_function_bip340 = nonce_function_bip340

Function Documentation

secp256k1_schnorrsig_sign()

int secp256k1_schnorrsig_sign	(	const secp256k1_context *	ctx,
		unsigned char *	sig64,
		const unsigned char *	msg32,
		const secp256k1_keypair *	keypair,
		const unsigned char *	aux_rand32 )

Same as secp256k1_schnorrsig_sign32, but DEPRECATED. Will be removed in future versions.

Definition at line 200 of file main_impl.h.

                                                                                                                                                                                 {
    return secp256k1_schnorrsig_sign32(ctx, sig64, msg32, keypair, aux_rand32);
}

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_schnorrsig_sign32()

int secp256k1_schnorrsig_sign32	(	const secp256k1_context *	ctx,
		unsigned char *	sig64,
		const unsigned char *	msg32,
		const secp256k1_keypair *	keypair,
		const unsigned char *	aux_rand32 )

Create a Schnorr signature.

Does not strictly follow BIP-340 because it does not verify the resulting signature. Instead, you can manually use secp256k1_schnorrsig_verify and abort if it fails.

This function only signs 32-byte messages. If you have messages of a different size (or the same size but without a context-specific tag prefix), it is recommended to create a 32-byte message hash with secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows providing an context-specific tag for domain separation. This prevents signatures from being valid in multiple contexts by accident.

Returns 1 on success, 0 on failure. Args: ctx: pointer to a context object, initialized for signing. Out: sig64: pointer to a 64-byte array to store the serialized signature. In: msg32: the 32-byte message being signed. keypair: pointer to an initialized keypair. aux_rand32: 32 bytes of fresh randomness. While recommended to provide this, it is only supplemental to security and can be NULL. A NULL argument is treated the same as an all-zero one. See BIP-340 "Default Signing" for a full explanation of this argument and for guidance if randomness is expensive.

Definition at line 195 of file main_impl.h.

                                                                                                                                                                                   {
    /* We cast away const from the passed aux_rand32 argument since we know the default nonce function does not modify it. */
    return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg32, 32, keypair, secp256k1_nonce_function_bip340, (unsigned char*)aux_rand32);
}

Here is the caller graph for this function:

secp256k1_schnorrsig_sign_custom()

int secp256k1_schnorrsig_sign_custom	(	const secp256k1_context *	ctx,
		unsigned char *	sig64,
		const unsigned char *	msg,
		size_t	msglen,
		const secp256k1_keypair *	keypair,
		secp256k1_schnorrsig_extraparams *	extraparams )

Create a Schnorr signature with a more flexible API.

Same arguments as secp256k1_schnorrsig_sign except that it allows signing variable length messages and accepts a pointer to an extraparams object that allows customizing signing by passing additional arguments.

Creates the same signatures as schnorrsig_sign if msglen is 32 and the extraparams.ndata is the same as aux_rand32.

In: msg: the message being signed. Can only be NULL if msglen is 0. msglen: length of the message extraparams: pointer to a extraparams object (can be NULL)

Definition at line 204 of file main_impl.h.

                                                                                                                                                                                                                   {
    secp256k1_nonce_function_hardened noncefp = NULL;
    void *ndata = NULL;
    VERIFY_CHECK(ctx != NULL);
 
    if (extraparams != NULL) {
        ARG_CHECK(secp256k1_memcmp_var(extraparams->magic,
                                       schnorrsig_extraparams_magic,
                                       sizeof(extraparams->magic)) == 0);
        noncefp = extraparams->noncefp;
        ndata = extraparams->ndata;
    }
    return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg, msglen, keypair, noncefp, ndata);
}

Here is the caller graph for this function:

secp256k1_schnorrsig_verify()

int secp256k1_schnorrsig_verify	(	const secp256k1_context *	ctx,
		const unsigned char *	sig64,
		const unsigned char *	msg,
		size_t	msglen,
		const secp256k1_xonly_pubkey *	pubkey )

Verify a Schnorr signature.

Returns: 1: correct signature 0: incorrect signature Args: ctx: a secp256k1 context object, initialized for verification. In: sig64: pointer to the 64-byte signature to verify. msg: the message being verified. Can only be NULL if msglen is 0. msglen: length of the message pubkey: pointer to an x-only public key to verify with (cannot be NULL)

Definition at line 219 of file main_impl.h.

                                                                                                                                                                         {
    secp256k1_scalar s;
    secp256k1_scalar e;
    secp256k1_gej rj;
    secp256k1_ge pk;
    secp256k1_gej pkj;
    secp256k1_fe rx;
    secp256k1_ge r;
    unsigned char buf[32];
    int overflow;
 
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(sig64 != NULL);
    ARG_CHECK(msg != NULL || msglen == 0);
    ARG_CHECK(pubkey != NULL);
 
    if (!secp256k1_fe_set_b32(&rx, &sig64[0])) {
        return 0;
    }
 
    secp256k1_scalar_set_b32(&s, &sig64[32], &overflow);
    if (overflow) {
        return 0;
    }
 
    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
        return 0;
    }
 
    /* Compute e. */
    secp256k1_fe_get_b32(buf, &pk.x);
    secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, buf);
 
    /* Compute rj =  s*G + (-e)*pkj */
    secp256k1_scalar_negate(&e, &e);
    secp256k1_gej_set_ge(&pkj, &pk);
    secp256k1_ecmult(&rj, &pkj, &e, &s);
 
    secp256k1_ge_set_gej_var(&r, &rj);
    if (secp256k1_ge_is_infinity(&r)) {
        return 0;
    }
 
    secp256k1_fe_normalize_var(&r.y);
    return !secp256k1_fe_is_odd(&r.y) &&
           secp256k1_fe_equal_var(&rx, &r.x);
}

Here is the caller graph for this function:

Variable Documentation

secp256k1_nonce_function_bip340

const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340 = nonce_function_bip340

An implementation of the nonce generation function as defined in Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1" (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).

If a data pointer is passed, it is assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340. If the data pointer is NULL, the nonce derivation procedure follows BIP-340 by setting the auxiliary random data to zero. The algo argument must be non-NULL, otherwise the function will fail and return 0. The hash will be tagged with algo. Therefore, to create BIP-340 compliant signatures, algo must be set to "BIP0340/nonce" and algolen to 13.

Definition at line 99 of file main_impl.h.