Wire Sysio Wire Sysion 1.0.0
secp256k1_schnorrsig.h File Reference
#include "secp256k1.h"
#include "secp256k1_extrakeys.h"


Classes

struct  secp256k1_schnorrsig_extraparams
 

Macros

#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC   { 0xda, 0x6f, 0xb3, 0x8c }
 
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
 

Typedefs

typedef int(* secp256k1_nonce_function_hardened) (unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
 

Functions

SECP256K1_API int secp256k1_schnorrsig_sign32 (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
 
SECP256K1_API int secp256k1_schnorrsig_sign (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
 
SECP256K1_API int secp256k1_schnorrsig_sign_custom (const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
 
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify (const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
 

Variables

SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340
 

Macro Definition Documentation

◆ SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT

#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Value:
{\
NULL,\
NULL\
}
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC

Definition at line 89 of file secp256k1_schnorrsig.h.

89#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT {\
90 SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC,\
91 NULL,\
92 NULL\
93}

◆ SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC

#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC   { 0xda, 0x6f, 0xb3, 0x8c }

Definition at line 88 of file secp256k1_schnorrsig.h.

Typedef Documentation

◆ secp256k1_nonce_function_hardened

typedef int(* secp256k1_nonce_function_hardened) (unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)

This module implements a variant of Schnorr signatures compliant with Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1" (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).

A pointer to a function to deterministically generate a nonce.

Same as secp256k1_nonce_function with the exception of accepting an additional pubkey argument and not requiring an attempt argument. The pubkey argument can protect signature schemes with key-prefixed challenge hash inputs against reusing the nonce when signing with the wrong precomputed pubkey.

Returns: 1 if a nonce was successfully generated. 0 will cause signing to return an error.
Out: nonce32: pointer to a 32-byte array to be filled by the function.
In: msg: the message being signed. Is NULL if and only if msglen is 0.
msglen: the length of the message.
key32: pointer to a 32-byte secret key (will not be NULL).
xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32 (will not be NULL).
algo: pointer to an array describing the signature algorithm (will not be NULL).
algolen: the length of the algo array.
data: arbitrary data pointer that is passed through.

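Except for test cases, this function should compute some cryptographic hash of the message, the key, the pubkey, the algorithm description, and data. The nonce must never repeat across different inputs under the same key: two signatures that share a nonce but differ in their challenge reveal the secret key, which is why every one of these inputs belongs in the hash.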

Definition at line 41 of file secp256k1_schnorrsig.h.

Function Documentation

◆ secp256k1_schnorrsig_sign()

SECP256K1_API int secp256k1_schnorrsig_sign ( const secp256k1_context * ctx,
unsigned char * sig64,
const unsigned char * msg32,
const secp256k1_keypair * keypair,
const unsigned char * aux_rand32 )

Same as secp256k1_schnorrsig_sign32, but DEPRECATED. Will be removed in future versions.

Definition at line 200 of file main_impl.h.

/* Body of the deprecated secp256k1_schnorrsig_sign: it forwards all five
 * arguments unchanged to secp256k1_schnorrsig_sign32 and returns its result. */
200 {
201 return secp256k1_schnorrsig_sign32(ctx, sig64, msg32, keypair, aux_rand32);
202}
int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32)
Definition main_impl.h:195

◆ secp256k1_schnorrsig_sign32()

SECP256K1_API int secp256k1_schnorrsig_sign32 ( const secp256k1_context * ctx,
unsigned char * sig64,
const unsigned char * msg32,
const secp256k1_keypair * keypair,
const unsigned char * aux_rand32 )

Create a Schnorr signature.

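Does not strictly follow BIP-340 because it does not verify the resulting signature. BIP-340 asks for that check so that a signature corrupted by a computation error is never released, since such a signature may leak information about the secret key. Instead, you can manually use secp256k1_schnorrsig_verify on the output and abort if it fails.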

This function only signs 32-byte messages. If you have messages of a different size (or the same size but without a context-specific tag prefix), it is recommended to create a 32-byte message hash with secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows providing a context-specific tag for domain separation. This prevents signatures from being valid in multiple contexts by accident.

Returns 1 on success, 0 on failure.
Args: ctx: pointer to a context object, initialized for signing.
Out: sig64: pointer to a 64-byte array to store the serialized signature.
In: msg32: the 32-byte message being signed.
keypair: pointer to an initialized keypair.
aux_rand32: 32 bytes of fresh randomness. While recommended to provide this, it is only supplemental to security and can be NULL. A NULL argument is treated the same as an all-zero one. See BIP-340 "Default Signing" for a full explanation of this argument and for guidance if randomness is expensive.

Definition at line 195 of file main_impl.h.

/* Body of secp256k1_schnorrsig_sign32: delegates to
 * secp256k1_schnorrsig_sign_internal with the message length fixed to 32,
 * secp256k1_nonce_function_bip340 as the nonce function, and aux_rand32 as
 * that function's data pointer. */
195 {
196 /* We cast away const from the passed aux_rand32 argument since we know the default nonce function does not modify it. */
/* NOTE(review): the cast is justified only by the nonce function being the
 * fixed default on the next line; it would need revisiting if a
 * caller-supplied function were ever passed through this path. */
197 return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg32, 32, keypair, secp256k1_nonce_function_bip340, (unsigned char*)aux_rand32);
198}
const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340
Definition main_impl.h:99

◆ secp256k1_schnorrsig_sign_custom()

SECP256K1_API int secp256k1_schnorrsig_sign_custom ( const secp256k1_context * ctx,
unsigned char * sig64,
const unsigned char * msg,
size_t msglen,
const secp256k1_keypair * keypair,
secp256k1_schnorrsig_extraparams * extraparams )

Create a Schnorr signature with a more flexible API.

Same arguments as secp256k1_schnorrsig_sign except that it allows signing variable length messages and accepts a pointer to an extraparams object that allows customizing signing by passing additional arguments.

Creates the same signatures as schnorrsig_sign if msglen is 32 and the extraparams.ndata is the same as aux_rand32.

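In: msg: the message being signed. Can only be NULL if msglen is 0.
msglen: length of the message.
extraparams: pointer to an extraparams object (can be NULL). When it is not NULL, the implementation below checks that its magic field matches the expected magic bytes before using its noncefp and ndata fields, so initialize the object with SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT.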

Definition at line 204 of file main_impl.h.

/* Body of secp256k1_schnorrsig_sign_custom: picks the nonce function and its
 * data pointer from the optional extraparams, then delegates to
 * secp256k1_schnorrsig_sign_internal.
 * Line 205 of main_impl.h is absent from this listing; it presumably declares
 * noncefp, whose initial value is not visible here. */
204 {
206 void *ndata = NULL;
207 VERIFY_CHECK(ctx != NULL);
208
209 if (extraparams != NULL) {
/* A caller-supplied extraparams is used only if its magic field equals
 * schnorrsig_extraparams_magic over sizeof(extraparams->magic) bytes; this
 * guards against a struct that was not set up through the INIT macro.
 * The _var suffix presumably marks a variable-time compare, which is
 * acceptable here because the magic bytes are a public constant. */
210 ARG_CHECK(secp256k1_memcmp_var(extraparams->magic,
211 schnorrsig_extraparams_magic,
212 sizeof(extraparams->magic)) == 0);
/* From here on the caller's nonce function and data replace the initial
 * values; the security of the signature then depends on that function. */
213 noncefp = extraparams->noncefp;
214 ndata = extraparams->ndata;
215 }
/* sig64, msg and keypair are not checked in this body; they are handed to the
 * internal signer as received (presumably validated there - confirm). */
216 return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg, msglen, keypair, noncefp, ndata);
217}
#define VERIFY_CHECK(cond)
Definition util.h:95
#define ARG_CHECK(cond)
Definition secp256k1.c:34
int(* secp256k1_nonce_function_hardened)(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
secp256k1_nonce_function_hardened noncefp

◆ secp256k1_schnorrsig_verify()

SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify ( const secp256k1_context * ctx,
const unsigned char * sig64,
const unsigned char * msg,
size_t msglen,
const secp256k1_xonly_pubkey * pubkey )

Verify a Schnorr signature.

Returns: 1: correct signature. 0: incorrect signature; the implementation below also returns 0 when either half of the signature or the public key fails to parse. The result must be checked by the caller.
Args: ctx: a secp256k1 context object, initialized for verification.
In: sig64: pointer to the 64-byte signature to verify.
msg: the message being verified. Can only be NULL if msglen is 0.
msglen: length of the message.
pubkey: pointer to an x-only public key to verify with (cannot be NULL).

Definition at line 219 of file main_impl.h.

/* Body of secp256k1_schnorrsig_verify: parses the 64-byte signature into a
 * field element (first 32 bytes) and a scalar (last 32 bytes), recomputes the
 * challenge, and accepts only if the recomputed point matches the signature.
 * Lines 220, 221 and 226 of main_impl.h are absent from this listing; they
 * presumably declare s, e and r, which are used below. */
219 {
222 secp256k1_gej rj;
223 secp256k1_ge pk;
224 secp256k1_gej pkj;
225 secp256k1_fe rx;
227 unsigned char buf[32];
228 int overflow;
229
/* Argument checks: sig64 and pubkey must be non-NULL; msg may be NULL only
 * when msglen is 0. */
230 VERIFY_CHECK(ctx != NULL);
231 ARG_CHECK(sig64 != NULL);
232 ARG_CHECK(msg != NULL || msglen == 0);
233 ARG_CHECK(pubkey != NULL);
234
/* First 32 bytes: the x coordinate claimed by the signature. A value that
 * secp256k1_fe_set_b32 refuses (presumably one outside the field range) fails
 * verification outright. */
235 if (!secp256k1_fe_set_b32(&rx, &sig64[0])) {
236 return 0;
237 }
238
/* Last 32 bytes: the scalar s. An encoding that sets the overflow flag is
 * rejected rather than accepted, so only in-range encodings of s can verify. */
239 secp256k1_scalar_set_b32(&s, &sig64[32], &overflow);
240 if (overflow) {
241 return 0;
242 }
243
/* A public key that fails to load makes the signature invalid. */
244 if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
245 return 0;
246 }
247
/* The challenge is computed over the first 32 signature bytes, the message
 * (msg, msglen) and the serialized x coordinate of the loaded public key. */
248 /* Compute e. */
249 secp256k1_fe_get_b32(buf, &pk.x);
250 secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, buf);
251
/* e is negated in place, so the multiplication below uses -e. */
252 /* Compute rj = s*G + (-e)*pkj */
253 secp256k1_scalar_negate(&e, &e);
254 secp256k1_gej_set_ge(&pkj, &pk);
255 secp256k1_ecmult(&rj, &pkj, &e, &s);
256
/* The _var routines below are presumably variable-time; every value handled
 * in verification (signature, message, public key) is public. */
257 secp256k1_ge_set_gej_var(&r, &rj);
/* The point at infinity is never a valid result. */
258 if (secp256k1_ge_is_infinity(&r)) {
259 return 0;
260 }
261
/* Accept only if the recomputed point has a y coordinate that is not odd and
 * an x coordinate equal to the one parsed from the signature. */
262 secp256k1_fe_normalize_var(&r.y);
263 return !secp256k1_fe_is_odd(&r.y) &&
264 secp256k1_fe_equal_var(&rx, &r.x);
265}
secp256k1_fe x
Definition group.h:17

Variable Documentation

◆ secp256k1_nonce_function_bip340

SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340
extern

An implementation of the nonce generation function as defined in Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1" (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).

If a data pointer is passed, it is assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340. If the data pointer is NULL, the nonce derivation procedure follows BIP-340 by setting the auxiliary random data to zero. The algo argument must be non-NULL, otherwise the function will fail and return 0. The hash will be tagged with algo. Therefore, to create BIP-340 compliant signatures, algo must be set to "BIP0340/nonce" and algolen to 13.

Definition at line 99 of file main_impl.h.