D7644.diff
No OneTemporary
Actions

Size

9 KB

Subscribers

None

D7644.diff
View Options

	diff --git a/src/secp256k1/include/secp256k1_extrakeys.h b/src/secp256k1/include/secp256k1_extrakeys.h
	--- a/src/secp256k1/include/secp256k1_extrakeys.h
	+++ b/src/secp256k1/include/secp256k1_extrakeys.h
	@@ -202,6 +202,33 @@
	const secp256k1_keypair *keypair
	) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);

	+/** Tweak a keypair by adding tweak32 to the secret key and updating the public
	+ * key accordingly.
	+ *
	+ * Calling this function and then secp256k1_keypair_pub results in the same
	+ * public key as calling secp256k1_keypair_xonly_pub and then
	+ * secp256k1_xonly_pubkey_tweak_add.
	+ *
	+ * Returns: 0 if the arguments are invalid or the resulting keypair would be
	+ * invalid (only when the tweak is the negation of the keypair's
	+ * secret key). 1 otherwise.
	+ *
	+ * Args: ctx: pointer to a context object initialized for verification
	+ * (cannot be NULL)
	+ * In/Out: keypair: pointer to a keypair to apply the tweak to. Will be set to
	+ * an invalid value if this function returns 0 (cannot be
	+ * NULL).
	+ * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according
	+ * to secp256k1_ec_seckey_verify, this function returns 0. For
	+ * uniformly random 32-byte arrays the chance of being invalid
	+ * is negligible (around 1 in 2^128) (cannot be NULL).
	+ */
	+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(
	+ const secp256k1_context* ctx,
	+ secp256k1_keypair *keypair,
	+ const unsigned char *tweak32
	+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
	+
	#ifdef __cplusplus
	}
	#endif
	diff --git a/src/secp256k1/src/modules/extrakeys/main_impl.h b/src/secp256k1/src/modules/extrakeys/main_impl.h
	--- a/src/secp256k1/src/modules/extrakeys/main_impl.h
	+++ b/src/secp256k1/src/modules/extrakeys/main_impl.h
	@@ -214,4 +214,35 @@
	return 1;
	}

	+int secp256k1_keypair_xonly_tweak_add(const secp256k1_context* ctx, secp256k1_keypair keypair, const unsigned char tweak32) {
	+ secp256k1_ge pk;
	+ secp256k1_scalar sk;
	+ int y_parity;
	+ int ret;
	+
	+ VERIFY_CHECK(ctx != NULL);
	+ ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
	+ ARG_CHECK(keypair != NULL);
	+ ARG_CHECK(tweak32 != NULL);
	+
	+ ret = secp256k1_keypair_load(ctx, &sk, &pk, keypair);
	+ memset(keypair, 0, sizeof(*keypair));
	+
	+ y_parity = secp256k1_extrakeys_ge_even_y(&pk);
	+ if (y_parity == 1) {
	+ secp256k1_scalar_negate(&sk, &sk);
	+ }
	+
	+ ret &= secp256k1_ec_seckey_tweak_add_helper(&sk, tweak32);
	+ ret &= secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32);
	+
	+ secp256k1_declassify(ctx, &ret, sizeof(ret));
	+ if (ret) {
	+ secp256k1_keypair_save(keypair, &sk, &pk);
	+ }
	+
	+ secp256k1_scalar_clear(&sk);
	+ return ret;
	+}
	+
	#endif
	diff --git a/src/secp256k1/src/modules/extrakeys/tests_impl.h b/src/secp256k1/src/modules/extrakeys/tests_impl.h
	--- a/src/secp256k1/src/modules/extrakeys/tests_impl.h
	+++ b/src/secp256k1/src/modules/extrakeys/tests_impl.h
	@@ -401,6 +401,114 @@
	secp256k1_context_destroy(verify);
	}

	+void test_keypair_add(void) {
	+ unsigned char sk[32];
	+ secp256k1_keypair keypair;
	+ unsigned char overflows[32];
	+ unsigned char zeros96[96] = { 0 };
	+ unsigned char tweak[32];
	+ int i;
	+ int ecount = 0;
	+ secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
	+ secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
	+ secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
	+
	+ CHECK(sizeof(zeros96) == sizeof(keypair));
	+ secp256k1_rand256(sk);
	+ secp256k1_rand256(tweak);
	+ memset(overflows, 0xFF, 32);
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+
	+ CHECK(secp256k1_keypair_xonly_tweak_add(none, &keypair, tweak) == 0);
	+ CHECK(ecount == 1);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(sign, &keypair, tweak) == 0);
	+ CHECK(ecount == 2);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, NULL, tweak) == 0);
	+ CHECK(ecount == 3);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0);
	+ CHECK(ecount == 4);
	+ /* This does not set the keypair to zeroes */
	+ CHECK(memcmp(&keypair, zeros96, sizeof(keypair)) != 0);
	+
	+ /* Invalid tweak zeroes the keypair */
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0);
	+ CHECK(memcmp(&keypair, zeros96, sizeof(keypair)) == 0);
	+
	+ /* A zero tweak is fine */
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1);
	+
	+ /* Fails if the resulting keypair was (sk=0, pk=infinity) */
	+ for (i = 0; i < count; i++) {
	+ secp256k1_scalar scalar_tweak;
	+ secp256k1_keypair keypair_tmp;
	+ secp256k1_rand256(sk);
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ memcpy(&keypair_tmp, &keypair, sizeof(keypair));
	+ /* Because sk may be negated before adding, we need to try with tweak =
	+ * sk as well as tweak = -sk. */
	+ secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
	+ secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
	+ secp256k1_scalar_get_b32(tweak, &scalar_tweak);
	+ CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0)
	+ \|\| (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0));
	+ CHECK(memcmp(&keypair, zeros96, sizeof(keypair)) == 0
	+ \|\| memcmp(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0);
	+ }
	+
	+ /* Invalid keypair with a valid tweak */
	+ memset(&keypair, 0, sizeof(keypair));
	+ secp256k1_rand256(tweak);
	+ ecount = 0;
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
	+ CHECK(ecount == 1);
	+ CHECK(memcmp(&keypair, zeros96, sizeof(keypair)) == 0);
	+ /* Only seckey part of keypair invalid */
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ memset(&keypair, 0, 32);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
	+ CHECK(ecount == 2);
	+ /* Only pubkey part of keypair invalid */
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ memset(&keypair.data[32], 0, 64);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
	+ CHECK(ecount == 3);
	+
	+ /* Check that the keypair_tweak_add implementation is correct */
	+ CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
	+ for (i = 0; i < count; i++) {
	+ secp256k1_xonly_pubkey internal_pk;
	+ secp256k1_xonly_pubkey output_pk;
	+ secp256k1_pubkey output_pk_xy;
	+ secp256k1_pubkey output_pk_expected;
	+ unsigned char pk32[32];
	+ int pk_parity;
	+
	+ secp256k1_rand256(tweak);
	+ CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
	+ CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
	+ CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
	+
	+ /* Check that it passes xonly_pubkey_tweak_add_check */
	+ CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1);
	+ CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1);
	+
	+ /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */
	+ CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1);
	+ CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1);
	+ CHECK(memcmp(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
	+
	+ /* Check that the secret key in the keypair is tweaked correctly */
	+ CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, &keypair.data[0]) == 1);
	+ CHECK(memcmp(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
	+ }
	+ secp256k1_context_destroy(none);
	+ secp256k1_context_destroy(sign);
	+ secp256k1_context_destroy(verify);
	+}
	+
	void run_extrakeys_tests(void) {
	/* xonly key test cases */
	test_xonly_pubkey();
	@@ -410,6 +518,7 @@

	/* keypair tests */
	test_keypair();
	+ test_keypair_add();
	}

	#endif
	diff --git a/src/secp256k1/src/valgrind_ctime_test.c b/src/secp256k1/src/valgrind_ctime_test.c
	--- a/src/secp256k1/src/valgrind_ctime_test.c
	+++ b/src/secp256k1/src/valgrind_ctime_test.c
	@@ -61,7 +61,9 @@
	msg[i] = i + 1;
	}

	- ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN \| SECP256K1_CONTEXT_DECLASSIFY);
	+ ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN
	+ \| SECP256K1_CONTEXT_VERIFY
	+ \| SECP256K1_CONTEXT_DECLASSIFY);

	/* Test keygen. */
	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	@@ -135,11 +137,18 @@
	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	CHECK(ret);

	+ /* Test keypair_create and keypair_xonly_tweak_add. */
	#if ENABLE_MODULE_EXTRAKEYS
	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	ret = secp256k1_keypair_create(ctx, &keypair, key);
	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	CHECK(ret == 1);
	+
	+ /* The tweak is not treated as a secret in keypair_tweak_add */
	+ VALGRIND_MAKE_MEM_DEFINED(msg, 32);
	+ ret = secp256k1_keypair_xonly_tweak_add(ctx, &keypair, msg);
	+ VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	+ CHECK(ret == 1);
	#endif

	secp256k1_context_destroy(ctx);

File Metadata

Mime Type: text/plain
Expires: Sat, Mar 1, 10:47 (11 h, 11 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 5187394
Default Alt Text: D7644.diff (9 KB)

D7644.diffNo OneTemporaryActions

D7644.diffView Options

File Metadata

Event Timeline

D7644.diff
No OneTemporary
Actions

D7644.diff
View Options