src/secp256k1/src/modules/schnorrsig/main_impl.h
Show First 20 Lines • Show All 102 Lines • ▼ Show 20 Lines | static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha) { | ||||
sha->s[3] = 0xd1627e0ful; | sha->s[3] = 0xd1627e0ful; | ||||
sha->s[4] = 0x97c87550ul; | sha->s[4] = 0x97c87550ul; | ||||
sha->s[5] = 0x003cc765ul; | sha->s[5] = 0x003cc765ul; | ||||
sha->s[6] = 0x90f61164ul; | sha->s[6] = 0x90f61164ul; | ||||
sha->s[7] = 0x33e9b66aul; | sha->s[7] = 0x33e9b66aul; | ||||
sha->bytes = 64; | sha->bytes = 64; | ||||
} | } | ||||
static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32) | |||||
{ | |||||
unsigned char buf[32]; | |||||
secp256k1_sha256 sha; | |||||
/* tagged hash(r.x, pk.x, msg32) */ | |||||
secp256k1_schnorrsig_sha256_tagged(&sha); | |||||
secp256k1_sha256_write(&sha, r32, 32); | |||||
secp256k1_sha256_write(&sha, pubkey32, 32); | |||||
secp256k1_sha256_write(&sha, msg32, 32); | |||||
secp256k1_sha256_finalize(&sha, buf); | |||||
/* Set scalar e to the challenge hash modulo the curve order as per | |||||
* BIP340. */ | |||||
secp256k1_scalar_set_b32(e, buf, NULL); | |||||
} | |||||
int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) { | int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) { | ||||
secp256k1_scalar sk; | secp256k1_scalar sk; | ||||
secp256k1_scalar e; | secp256k1_scalar e; | ||||
secp256k1_scalar k; | secp256k1_scalar k; | ||||
secp256k1_gej rj; | secp256k1_gej rj; | ||||
secp256k1_ge pk; | secp256k1_ge pk; | ||||
secp256k1_ge r; | secp256k1_ge r; | ||||
secp256k1_sha256 sha; | |||||
unsigned char buf[32] = { 0 }; | unsigned char buf[32] = { 0 }; | ||||
unsigned char pk_buf[32]; | unsigned char pk_buf[32]; | ||||
unsigned char seckey[32]; | unsigned char seckey[32]; | ||||
int ret = 1; | int ret = 1; | ||||
VERIFY_CHECK(ctx != NULL); | VERIFY_CHECK(ctx != NULL); | ||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); | ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); | ||||
ARG_CHECK(sig64 != NULL); | ARG_CHECK(sig64 != NULL); | ||||
Show All 27 Lines | int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) { | ||||
secp256k1_declassify(ctx, &r, sizeof(r)); | secp256k1_declassify(ctx, &r, sizeof(r)); | ||||
secp256k1_fe_normalize_var(&r.y); | secp256k1_fe_normalize_var(&r.y); | ||||
if (secp256k1_fe_is_odd(&r.y)) { | if (secp256k1_fe_is_odd(&r.y)) { | ||||
secp256k1_scalar_negate(&k, &k); | secp256k1_scalar_negate(&k, &k); | ||||
} | } | ||||
secp256k1_fe_normalize_var(&r.x); | secp256k1_fe_normalize_var(&r.x); | ||||
secp256k1_fe_get_b32(&sig64[0], &r.x); | secp256k1_fe_get_b32(&sig64[0], &r.x); | ||||
/* tagged hash(r.x, pk.x, msg32) */ | secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf); | ||||
secp256k1_schnorrsig_sha256_tagged(&sha); | |||||
secp256k1_sha256_write(&sha, &sig64[0], 32); | |||||
secp256k1_sha256_write(&sha, pk_buf, sizeof(pk_buf)); | |||||
secp256k1_sha256_write(&sha, msg32, 32); | |||||
secp256k1_sha256_finalize(&sha, buf); | |||||
/* Set scalar e to the challenge hash modulo the curve order as per | |||||
* BIP340. */ | |||||
secp256k1_scalar_set_b32(&e, buf, NULL); | |||||
secp256k1_scalar_mul(&e, &e, &sk); | secp256k1_scalar_mul(&e, &e, &sk); | ||||
secp256k1_scalar_add(&e, &e, &k); | secp256k1_scalar_add(&e, &e, &k); | ||||
secp256k1_scalar_get_b32(&sig64[32], &e); | secp256k1_scalar_get_b32(&sig64[32], &e); | ||||
memczero(sig64, 64, !ret); | memczero(sig64, 64, !ret); | ||||
secp256k1_scalar_clear(&k); | secp256k1_scalar_clear(&k); | ||||
secp256k1_scalar_clear(&sk); | secp256k1_scalar_clear(&sk); | ||||
memset(seckey, 0, sizeof(seckey)); | memset(seckey, 0, sizeof(seckey)); | ||||
return ret; | return ret; | ||||
} | } | ||||
int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) { | int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) { | ||||
secp256k1_scalar s; | secp256k1_scalar s; | ||||
secp256k1_scalar e; | secp256k1_scalar e; | ||||
secp256k1_gej rj; | secp256k1_gej rj; | ||||
secp256k1_ge pk; | secp256k1_ge pk; | ||||
secp256k1_gej pkj; | secp256k1_gej pkj; | ||||
secp256k1_fe rx; | secp256k1_fe rx; | ||||
secp256k1_ge r; | secp256k1_ge r; | ||||
secp256k1_sha256 sha; | |||||
unsigned char buf[32]; | unsigned char buf[32]; | ||||
int overflow; | int overflow; | ||||
VERIFY_CHECK(ctx != NULL); | VERIFY_CHECK(ctx != NULL); | ||||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); | ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); | ||||
ARG_CHECK(sig64 != NULL); | ARG_CHECK(sig64 != NULL); | ||||
ARG_CHECK(msg32 != NULL); | ARG_CHECK(msg32 != NULL); | ||||
ARG_CHECK(pubkey != NULL); | ARG_CHECK(pubkey != NULL); | ||||
if (!secp256k1_fe_set_b32(&rx, &sig64[0])) { | if (!secp256k1_fe_set_b32(&rx, &sig64[0])) { | ||||
return 0; | return 0; | ||||
} | } | ||||
secp256k1_scalar_set_b32(&s, &sig64[32], &overflow); | secp256k1_scalar_set_b32(&s, &sig64[32], &overflow); | ||||
if (overflow) { | if (overflow) { | ||||
return 0; | return 0; | ||||
} | } | ||||
if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) { | if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) { | ||||
return 0; | return 0; | ||||
} | } | ||||
secp256k1_schnorrsig_sha256_tagged(&sha); | /* Compute e. */ | ||||
secp256k1_sha256_write(&sha, &sig64[0], 32); | |||||
secp256k1_fe_get_b32(buf, &pk.x); | secp256k1_fe_get_b32(buf, &pk.x); | ||||
secp256k1_sha256_write(&sha, buf, sizeof(buf)); | secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, buf); | ||||
secp256k1_sha256_write(&sha, msg32, 32); | |||||
secp256k1_sha256_finalize(&sha, buf); | |||||
secp256k1_scalar_set_b32(&e, buf, NULL); | |||||
/* Compute rj = s*G + (-e)*pkj */ | /* Compute rj = s*G + (-e)*pkj */ | ||||
secp256k1_scalar_negate(&e, &e); | secp256k1_scalar_negate(&e, &e); | ||||
secp256k1_gej_set_ge(&pkj, &pk); | secp256k1_gej_set_ge(&pkj, &pk); | ||||
secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); | secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); | ||||
secp256k1_ge_set_gej_var(&r, &rj); | secp256k1_ge_set_gej_var(&r, &rj); | ||||
if (secp256k1_ge_is_infinity(&r)) { | if (secp256k1_ge_is_infinity(&r)) { | ||||
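Review bot: The new static helper `secp256k1_schnorrsig_challenge`, inserted just above `secp256k1_schnorrsig_sign`, has no header comment, so the fact that it deliberately discards scalar overflow (the NULL third argument to `secp256k1_scalar_set_b32`, reducing the 256-bit tagged hash modulo the group order) is only stated inside the body, even though both `secp256k1_schnorrsig_sign` and `secp256k1_schnorrsig_verify` now rely on that exact behaviour. I would add above the definition: `/* Compute the BIP340 challenge scalar e = tagged_hash(r32 || pubkey32 || msg32) mod n. All three inputs are 32-byte buffers (x-only nonce, x-only public key, message); overflow is discarded on purpose per BIP340. */`. Because a single helper now serves both the signing and verification paths, the comment should also note that the input order and the reduction are consensus-relevant and must not change independently. The body of secp256k1_schnorrsig_sign starts in the folded lines above the hunk, so the remaining uses of its `buf` local (still declared on the new side) could not be checked here.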