Changeset View
Changeset View
Standalone View
Standalone View
src/secp256k1/src/ecdsa_impl.h
Show First 20 Lines • Show All 282 Lines • ▼ Show 20 Lines | static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) { | ||||
int high; | int high; | ||||
secp256k1_ecmult_gen(ctx, &rp, nonce); | secp256k1_ecmult_gen(ctx, &rp, nonce); | ||||
secp256k1_ge_set_gej(&r, &rp); | secp256k1_ge_set_gej(&r, &rp); | ||||
secp256k1_fe_normalize(&r.x); | secp256k1_fe_normalize(&r.x); | ||||
secp256k1_fe_normalize(&r.y); | secp256k1_fe_normalize(&r.y); | ||||
secp256k1_fe_get_b32(b, &r.x); | secp256k1_fe_get_b32(b, &r.x); | ||||
secp256k1_scalar_set_b32(sigr, b, &overflow); | secp256k1_scalar_set_b32(sigr, b, &overflow); | ||||
/* These two conditions should be checked before calling */ | |||||
VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr)); | |||||
VERIFY_CHECK(overflow == 0); | |||||
if (recid) { | if (recid) { | ||||
/* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log | /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log | ||||
* of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. | * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. | ||||
*/ | */ | ||||
*recid = (overflow << 1) | secp256k1_fe_is_odd(&r.y); | *recid = (overflow << 1) | secp256k1_fe_is_odd(&r.y); | ||||
} | } | ||||
secp256k1_scalar_mul(&n, sigr, seckey); | secp256k1_scalar_mul(&n, sigr, seckey); | ||||
secp256k1_scalar_add(&n, &n, message); | secp256k1_scalar_add(&n, &n, message); | ||||
secp256k1_scalar_inverse(sigs, nonce); | secp256k1_scalar_inverse(sigs, nonce); | ||||
secp256k1_scalar_mul(sigs, sigs, &n); | secp256k1_scalar_mul(sigs, sigs, &n); | ||||
secp256k1_scalar_clear(&n); | secp256k1_scalar_clear(&n); | ||||
secp256k1_gej_clear(&rp); | secp256k1_gej_clear(&rp); | ||||
secp256k1_ge_clear(&r); | secp256k1_ge_clear(&r); | ||||
high = secp256k1_scalar_is_high(sigs); | high = secp256k1_scalar_is_high(sigs); | ||||
secp256k1_scalar_cond_negate(sigs, high); | secp256k1_scalar_cond_negate(sigs, high); | ||||
if (recid) { | if (recid) { | ||||
*recid ^= high; | *recid ^= high; | ||||
} | } | ||||
return !secp256k1_scalar_is_zero(sigs); | /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature. | ||||
* This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N. | |||||
*/ | |||||
return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs); | |||||
} | } | ||||
#endif /* SECP256K1_ECDSA_IMPL_H */ | #endif /* SECP256K1_ECDSA_IMPL_H */ |