github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/libsecp256k1/include/secp256k1.h (about) 1 #ifndef SECP256K1_H 2 #define SECP256K1_H 3 4 #ifdef __cplusplus 5 extern "C" { 6 #endif 7 8 #include <stddef.h> 9 10 /* These rules specify the order of arguments in API calls: 11 * 12 * 1. Context pointers go first, followed by output arguments, combined 13 * output/input arguments, and finally input-only arguments. 14 * 2. Array lengths always immediately the follow the argument whose length 15 * they describe, even if this violates rule 1. 16 * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated 17 * later go first. This means: signatures, public nonces, private nonces, 18 * messages, public keys, secret keys, tweaks. 19 * 4. Arguments that are not data pointers go last, from more complex to less 20 * complex: function pointers, algorithm names, messages, void pointers, 21 * counts, flags, booleans. 22 * 5. Opaque data pointers follow the function pointer they are to be passed to. 23 */ 24 25 /** Opaque data structure that holds context information (precomputed tables etc.). 26 * 27 * The purpose of context structures is to cache large precomputed data tables 28 * that are expensive to construct, and also to maintain the randomization data 29 * for blinding. 30 * 31 * Do not create a new context object for each operation, as construction is 32 * far slower than all other API calls (~100 times slower than an ECDSA 33 * verification). 34 * 35 * A constructed context can safely be used from multiple threads 36 * simultaneously, but API call that take a non-const pointer to a context 37 * need exclusive access to it. In particular this is the case for 38 * secp256k1_context_destroy and secp256k1_context_randomize. 39 * 40 * Regarding randomization, either do it once at creation time (in which case 41 * you do not need any locking for the other calls), or use a read-write lock. 42 */ 43 typedef struct secp256k1_context_struct secp256k1_context; 44 45 /** Opaque data structure that holds rewriteable "scratch space" 46 * 47 * The purpose of this structure is to replace dynamic memory allocations, 48 * because we target architectures where this may not be available. It is 49 * essentially a resizable (within specified parameters) block of bytes, 50 * which is initially created either by memory allocation or TODO as a pointer 51 * into some fixed rewritable space. 52 * 53 * Unlike the context object, this cannot safely be shared between threads 54 * without additional synchronization logic. 55 */ 56 typedef struct secp256k1_scratch_space_struct secp256k1_scratch_space; 57 58 /** Opaque data structure that holds a parsed and valid public key. 59 * 60 * The exact representation of data inside is implementation defined and not 61 * guaranteed to be portable between different platforms or versions. It is 62 * however guaranteed to be 64 bytes in size, and can be safely copied/moved. 63 * If you need to convert to a format suitable for storage, transmission, or 64 * comparison, use secp256k1_ec_pubkey_serialize and secp256k1_ec_pubkey_parse. 65 */ 66 typedef struct { 67 unsigned char data[64]; 68 } secp256k1_pubkey; 69 70 /** Opaque data structured that holds a parsed ECDSA signature. 71 * 72 * The exact representation of data inside is implementation defined and not 73 * guaranteed to be portable between different platforms or versions. It is 74 * however guaranteed to be 64 bytes in size, and can be safely copied/moved. 75 * If you need to convert to a format suitable for storage, transmission, or 76 * comparison, use the secp256k1_ecdsa_signature_serialize_* and 77 * secp256k1_ecdsa_signature_parse_* functions. 78 */ 79 typedef struct { 80 unsigned char data[64]; 81 } secp256k1_ecdsa_signature; 82 83 /** A pointer to a function to deterministically generate a nonce. 84 * 85 * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail. 86 * Out: nonce32: pointer to a 32-byte array to be filled by the function. 87 * In: msg32: the 32-byte message hash being verified (will not be NULL) 88 * key32: pointer to a 32-byte secret key (will not be NULL) 89 * algo16: pointer to a 16-byte array describing the signature 90 * algorithm (will be NULL for ECDSA for compatibility). 91 * data: Arbitrary data pointer that is passed through. 92 * attempt: how many iterations we have tried to find a nonce. 93 * This will almost always be 0, but different attempt values 94 * are required to result in a different nonce. 95 * 96 * Except for test cases, this function should compute some cryptographic hash of 97 * the message, the algorithm, the key and the attempt. 98 */ 99 typedef int (*secp256k1_nonce_function)( 100 unsigned char *nonce32, 101 const unsigned char *msg32, 102 const unsigned char *key32, 103 const unsigned char *algo16, 104 void *data, 105 unsigned int attempt 106 ); 107 108 # if !defined(SECP256K1_GNUC_PREREQ) 109 # if defined(__GNUC__)&&defined(__GNUC_MINOR__) 110 # define SECP256K1_GNUC_PREREQ(_maj,_min) \ 111 ((__GNUC__<<16)+__GNUC_MINOR__>=((_maj)<<16)+(_min)) 112 # else 113 # define SECP256K1_GNUC_PREREQ(_maj,_min) 0 114 # endif 115 # endif 116 117 # if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) ) 118 # if SECP256K1_GNUC_PREREQ(2,7) 119 # define SECP256K1_INLINE __inline__ 120 # elif (defined(_MSC_VER)) 121 # define SECP256K1_INLINE __inline 122 # else 123 # define SECP256K1_INLINE 124 # endif 125 # else 126 # define SECP256K1_INLINE inline 127 # endif 128 129 #ifndef SECP256K1_API 130 # if defined(_WIN32) 131 # ifdef SECP256K1_BUILD 132 # define SECP256K1_API __declspec(dllexport) 133 # else 134 # define SECP256K1_API 135 # endif 136 # elif defined(__GNUC__) && defined(SECP256K1_BUILD) 137 # define SECP256K1_API __attribute__ ((visibility ("default"))) 138 # else 139 # define SECP256K1_API 140 # endif 141 #endif 142 143 /**Warning attributes 144 * NONNULL is not used if SECP256K1_BUILD is set to avoid the compiler optimizing out 145 * some paranoid null checks. */ 146 # if defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4) 147 # define SECP256K1_WARN_UNUSED_RESULT __attribute__ ((__warn_unused_result__)) 148 # else 149 # define SECP256K1_WARN_UNUSED_RESULT 150 # endif 151 # if !defined(SECP256K1_BUILD) && defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4) 152 # define SECP256K1_ARG_NONNULL(_x) __attribute__ ((__nonnull__(_x))) 153 # else 154 # define SECP256K1_ARG_NONNULL(_x) 155 # endif 156 157 /** All flags' lower 8 bits indicate what they're for. Do not use directly. */ 158 #define SECP256K1_FLAGS_TYPE_MASK ((1 << 8) - 1) 159 #define SECP256K1_FLAGS_TYPE_CONTEXT (1 << 0) 160 #define SECP256K1_FLAGS_TYPE_COMPRESSION (1 << 1) 161 /** The higher bits contain the actual data. Do not use directly. */ 162 #define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8) 163 #define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9) 164 #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8) 165 166 /** Flags to pass to secp256k1_context_create. */ 167 #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) 168 #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN) 169 #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT) 170 171 /** Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export. */ 172 #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION) 173 #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION) 174 175 /** Prefix byte used to tag various encoded curvepoints for specific purposes */ 176 #define SECP256K1_TAG_PUBKEY_EVEN 0x02 177 #define SECP256K1_TAG_PUBKEY_ODD 0x03 178 #define SECP256K1_TAG_PUBKEY_UNCOMPRESSED 0x04 179 #define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06 180 #define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07 181 182 /** Create a secp256k1 context object. 183 * 184 * Returns: a newly created context object. 185 * In: flags: which parts of the context to initialize. 186 * 187 * See also secp256k1_context_randomize. 188 */ 189 SECP256K1_API secp256k1_context* secp256k1_context_create( 190 unsigned int flags 191 ) SECP256K1_WARN_UNUSED_RESULT; 192 193 /** Copies a secp256k1 context object. 194 * 195 * Returns: a newly created context object. 196 * Args: ctx: an existing context to copy (cannot be NULL) 197 */ 198 SECP256K1_API secp256k1_context* secp256k1_context_clone( 199 const secp256k1_context* ctx 200 ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; 201 202 /** Destroy a secp256k1 context object. 203 * 204 * The context pointer may not be used afterwards. 205 * Args: ctx: an existing context to destroy (cannot be NULL) 206 */ 207 SECP256K1_API void secp256k1_context_destroy( 208 secp256k1_context* ctx 209 ); 210 211 /** Set a callback function to be called when an illegal argument is passed to 212 * an API call. It will only trigger for violations that are mentioned 213 * explicitly in the header. 214 * 215 * The philosophy is that these shouldn't be dealt with through a 216 * specific return value, as calling code should not have branches to deal with 217 * the case that this code itself is broken. 218 * 219 * On the other hand, during debug stage, one would want to be informed about 220 * such mistakes, and the default (crashing) may be inadvisable. 221 * When this callback is triggered, the API function called is guaranteed not 222 * to cause a crash, though its return value and output arguments are 223 * undefined. 224 * 225 * Args: ctx: an existing context object (cannot be NULL) 226 * In: fun: a pointer to a function to call when an illegal argument is 227 * passed to the API, taking a message and an opaque pointer 228 * (NULL restores a default handler that calls abort). 229 * data: the opaque pointer to pass to fun above. 230 */ 231 SECP256K1_API void secp256k1_context_set_illegal_callback( 232 secp256k1_context* ctx, 233 void (*fun)(const char* message, void* data), 234 const void* data 235 ) SECP256K1_ARG_NONNULL(1); 236 237 /** Set a callback function to be called when an internal consistency check 238 * fails. The default is crashing. 239 * 240 * This can only trigger in case of a hardware failure, miscompilation, 241 * memory corruption, serious bug in the library, or other error would can 242 * otherwise result in undefined behaviour. It will not trigger due to mere 243 * incorrect usage of the API (see secp256k1_context_set_illegal_callback 244 * for that). After this callback returns, anything may happen, including 245 * crashing. 246 * 247 * Args: ctx: an existing context object (cannot be NULL) 248 * In: fun: a pointer to a function to call when an internal error occurs, 249 * taking a message and an opaque pointer (NULL restores a default 250 * handler that calls abort). 251 * data: the opaque pointer to pass to fun above. 252 */ 253 SECP256K1_API void secp256k1_context_set_error_callback( 254 secp256k1_context* ctx, 255 void (*fun)(const char* message, void* data), 256 const void* data 257 ) SECP256K1_ARG_NONNULL(1); 258 259 /** Create a secp256k1 scratch space object. 260 * 261 * Returns: a newly created scratch space. 262 * Args: ctx: an existing context object (cannot be NULL) 263 * In: max_size: maximum amount of memory to allocate 264 */ 265 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space* secp256k1_scratch_space_create( 266 const secp256k1_context* ctx, 267 size_t max_size 268 ) SECP256K1_ARG_NONNULL(1); 269 270 /** Destroy a secp256k1 scratch space. 271 * 272 * The pointer may not be used afterwards. 273 * Args: scratch: space to destroy 274 */ 275 SECP256K1_API void secp256k1_scratch_space_destroy( 276 secp256k1_scratch_space* scratch 277 ); 278 279 /** Parse a variable-length public key into the pubkey object. 280 * 281 * Returns: 1 if the public key was fully valid. 282 * 0 if the public key could not be parsed or is invalid. 283 * Args: ctx: a secp256k1 context object. 284 * Out: pubkey: pointer to a pubkey object. If 1 is returned, it is set to a 285 * parsed version of input. If not, its value is undefined. 286 * In: input: pointer to a serialized public key 287 * inputlen: length of the array pointed to by input 288 * 289 * This function supports parsing compressed (33 bytes, header byte 0x02 or 290 * 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header 291 * byte 0x06 or 0x07) format public keys. 292 */ 293 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse( 294 const secp256k1_context* ctx, 295 secp256k1_pubkey* pubkey, 296 const unsigned char *input, 297 size_t inputlen 298 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 299 300 /** Serialize a pubkey object into a serialized byte sequence. 301 * 302 * Returns: 1 always. 303 * Args: ctx: a secp256k1 context object. 304 * Out: output: a pointer to a 65-byte (if compressed==0) or 33-byte (if 305 * compressed==1) byte array to place the serialized key 306 * in. 307 * In/Out: outputlen: a pointer to an integer which is initially set to the 308 * size of output, and is overwritten with the written 309 * size. 310 * In: pubkey: a pointer to a secp256k1_pubkey containing an 311 * initialized public key. 312 * flags: SECP256K1_EC_COMPRESSED if serialization should be in 313 * compressed format, otherwise SECP256K1_EC_UNCOMPRESSED. 314 */ 315 SECP256K1_API int secp256k1_ec_pubkey_serialize( 316 const secp256k1_context* ctx, 317 unsigned char *output, 318 size_t *outputlen, 319 const secp256k1_pubkey* pubkey, 320 unsigned int flags 321 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); 322 323 /** Parse an ECDSA signature in compact (64 bytes) format. 324 * 325 * Returns: 1 when the signature could be parsed, 0 otherwise. 326 * Args: ctx: a secp256k1 context object 327 * Out: sig: a pointer to a signature object 328 * In: input64: a pointer to the 64-byte array to parse 329 * 330 * The signature must consist of a 32-byte big endian R value, followed by a 331 * 32-byte big endian S value. If R or S fall outside of [0..order-1], the 332 * encoding is invalid. R and S with value 0 are allowed in the encoding. 333 * 334 * After the call, sig will always be initialized. If parsing failed or R or 335 * S are zero, the resulting sig value is guaranteed to fail validation for any 336 * message and public key. 337 */ 338 SECP256K1_API int secp256k1_ecdsa_signature_parse_compact( 339 const secp256k1_context* ctx, 340 secp256k1_ecdsa_signature* sig, 341 const unsigned char *input64 342 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 343 344 /** Parse a DER ECDSA signature. 345 * 346 * Returns: 1 when the signature could be parsed, 0 otherwise. 347 * Args: ctx: a secp256k1 context object 348 * Out: sig: a pointer to a signature object 349 * In: input: a pointer to the signature to be parsed 350 * inputlen: the length of the array pointed to be input 351 * 352 * This function will accept any valid DER encoded signature, even if the 353 * encoded numbers are out of range. 354 * 355 * After the call, sig will always be initialized. If parsing failed or the 356 * encoded numbers are out of range, signature validation with it is 357 * guaranteed to fail for every message and public key. 358 */ 359 SECP256K1_API int secp256k1_ecdsa_signature_parse_der( 360 const secp256k1_context* ctx, 361 secp256k1_ecdsa_signature* sig, 362 const unsigned char *input, 363 size_t inputlen 364 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 365 366 /** Serialize an ECDSA signature in DER format. 367 * 368 * Returns: 1 if enough space was available to serialize, 0 otherwise 369 * Args: ctx: a secp256k1 context object 370 * Out: output: a pointer to an array to store the DER serialization 371 * In/Out: outputlen: a pointer to a length integer. Initially, this integer 372 * should be set to the length of output. After the call 373 * it will be set to the length of the serialization (even 374 * if 0 was returned). 375 * In: sig: a pointer to an initialized signature object 376 */ 377 SECP256K1_API int secp256k1_ecdsa_signature_serialize_der( 378 const secp256k1_context* ctx, 379 unsigned char *output, 380 size_t *outputlen, 381 const secp256k1_ecdsa_signature* sig 382 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); 383 384 /** Serialize an ECDSA signature in compact (64 byte) format. 385 * 386 * Returns: 1 387 * Args: ctx: a secp256k1 context object 388 * Out: output64: a pointer to a 64-byte array to store the compact serialization 389 * In: sig: a pointer to an initialized signature object 390 * 391 * See secp256k1_ecdsa_signature_parse_compact for details about the encoding. 392 */ 393 SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact( 394 const secp256k1_context* ctx, 395 unsigned char *output64, 396 const secp256k1_ecdsa_signature* sig 397 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 398 399 /** Verify an ECDSA signature. 400 * 401 * Returns: 1: correct signature 402 * 0: incorrect or unparseable signature 403 * Args: ctx: a secp256k1 context object, initialized for verification. 404 * In: sig: the signature being verified (cannot be NULL) 405 * msg32: the 32-byte message hash being verified (cannot be NULL) 406 * pubkey: pointer to an initialized public key to verify with (cannot be NULL) 407 * 408 * To avoid accepting malleable signatures, only ECDSA signatures in lower-S 409 * form are accepted. 410 * 411 * If you need to accept ECDSA signatures from sources that do not obey this 412 * rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to 413 * validation, but be aware that doing so results in malleable signatures. 414 * 415 * For details, see the comments for that function. 416 */ 417 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify( 418 const secp256k1_context* ctx, 419 const secp256k1_ecdsa_signature *sig, 420 const unsigned char *msg32, 421 const secp256k1_pubkey *pubkey 422 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); 423 424 /** Convert a signature to a normalized lower-S form. 425 * 426 * Returns: 1 if sigin was not normalized, 0 if it already was. 427 * Args: ctx: a secp256k1 context object 428 * Out: sigout: a pointer to a signature to fill with the normalized form, 429 * or copy if the input was already normalized. (can be NULL if 430 * you're only interested in whether the input was already 431 * normalized). 432 * In: sigin: a pointer to a signature to check/normalize (cannot be NULL, 433 * can be identical to sigout) 434 * 435 * With ECDSA a third-party can forge a second distinct signature of the same 436 * message, given a single initial signature, but without knowing the key. This 437 * is done by negating the S value modulo the order of the curve, 'flipping' 438 * the sign of the random point R which is not included in the signature. 439 * 440 * Forgery of the same message isn't universally problematic, but in systems 441 * where message malleability or uniqueness of signatures is important this can 442 * cause issues. This forgery can be blocked by all verifiers forcing signers 443 * to use a normalized form. 444 * 445 * The lower-S form reduces the size of signatures slightly on average when 446 * variable length encodings (such as DER) are used and is cheap to verify, 447 * making it a good choice. Security of always using lower-S is assured because 448 * anyone can trivially modify a signature after the fact to enforce this 449 * property anyway. 450 * 451 * The lower S value is always between 0x1 and 452 * 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, 453 * inclusive. 454 * 455 * No other forms of ECDSA malleability are known and none seem likely, but 456 * there is no formal proof that ECDSA, even with this additional restriction, 457 * is free of other malleability. Commonly used serialization schemes will also 458 * accept various non-unique encodings, so care should be taken when this 459 * property is required for an application. 460 * 461 * The secp256k1_ecdsa_sign function will by default create signatures in the 462 * lower-S form, and secp256k1_ecdsa_verify will not accept others. In case 463 * signatures come from a system that cannot enforce this property, 464 * secp256k1_ecdsa_signature_normalize must be called before verification. 465 */ 466 SECP256K1_API int secp256k1_ecdsa_signature_normalize( 467 const secp256k1_context* ctx, 468 secp256k1_ecdsa_signature *sigout, 469 const secp256k1_ecdsa_signature *sigin 470 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3); 471 472 /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. 473 * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of 474 * extra entropy. 475 */ 476 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979; 477 478 /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */ 479 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default; 480 481 /** Create an ECDSA signature. 482 * 483 * Returns: 1: signature created 484 * 0: the nonce generation function failed, or the private key was invalid. 485 * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) 486 * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) 487 * In: msg32: the 32-byte message hash being signed (cannot be NULL) 488 * seckey: pointer to a 32-byte secret key (cannot be NULL) 489 * noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used 490 * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) 491 * 492 * The created signature is always in lower-S form. See 493 * secp256k1_ecdsa_signature_normalize for more details. 494 */ 495 SECP256K1_API int secp256k1_ecdsa_sign( 496 const secp256k1_context* ctx, 497 secp256k1_ecdsa_signature *sig, 498 const unsigned char *msg32, 499 const unsigned char *seckey, 500 secp256k1_nonce_function noncefp, 501 const void *ndata 502 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); 503 504 /** Verify an ECDSA secret key. 505 * 506 * Returns: 1: secret key is valid 507 * 0: secret key is invalid 508 * Args: ctx: pointer to a context object (cannot be NULL) 509 * In: seckey: pointer to a 32-byte secret key (cannot be NULL) 510 */ 511 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify( 512 const secp256k1_context* ctx, 513 const unsigned char *seckey 514 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); 515 516 /** Compute the public key for a secret key. 517 * 518 * Returns: 1: secret was valid, public key stores 519 * 0: secret was invalid, try again 520 * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) 521 * Out: pubkey: pointer to the created public key (cannot be NULL) 522 * In: seckey: pointer to a 32-byte private key (cannot be NULL) 523 */ 524 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create( 525 const secp256k1_context* ctx, 526 secp256k1_pubkey *pubkey, 527 const unsigned char *seckey 528 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 529 530 /** Negates a private key in place. 531 * 532 * Returns: 1 always 533 * Args: ctx: pointer to a context object 534 * In/Out: seckey: pointer to the 32-byte private key to be negated (cannot be NULL) 535 */ 536 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate( 537 const secp256k1_context* ctx, 538 unsigned char *seckey 539 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); 540 541 /** Negates a public key in place. 542 * 543 * Returns: 1 always 544 * Args: ctx: pointer to a context object 545 * In/Out: pubkey: pointer to the public key to be negated (cannot be NULL) 546 */ 547 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate( 548 const secp256k1_context* ctx, 549 secp256k1_pubkey *pubkey 550 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); 551 552 /** Tweak a private key by adding tweak to it. 553 * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for 554 * uniformly random 32-byte arrays, or if the resulting private key 555 * would be invalid (only when the tweak is the complement of the 556 * private key). 1 otherwise. 557 * Args: ctx: pointer to a context object (cannot be NULL). 558 * In/Out: seckey: pointer to a 32-byte private key. 559 * In: tweak: pointer to a 32-byte tweak. 560 */ 561 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add( 562 const secp256k1_context* ctx, 563 unsigned char *seckey, 564 const unsigned char *tweak 565 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 566 567 /** Tweak a public key by adding tweak times the generator to it. 568 * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for 569 * uniformly random 32-byte arrays, or if the resulting public key 570 * would be invalid (only when the tweak is the complement of the 571 * corresponding private key). 1 otherwise. 572 * Args: ctx: pointer to a context object initialized for validation 573 * (cannot be NULL). 574 * In/Out: pubkey: pointer to a public key object. 575 * In: tweak: pointer to a 32-byte tweak. 576 */ 577 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add( 578 const secp256k1_context* ctx, 579 secp256k1_pubkey *pubkey, 580 const unsigned char *tweak 581 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 582 583 /** Tweak a private key by multiplying it by a tweak. 584 * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for 585 * uniformly random 32-byte arrays, or equal to zero. 1 otherwise. 586 * Args: ctx: pointer to a context object (cannot be NULL). 587 * In/Out: seckey: pointer to a 32-byte private key. 588 * In: tweak: pointer to a 32-byte tweak. 589 */ 590 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul( 591 const secp256k1_context* ctx, 592 unsigned char *seckey, 593 const unsigned char *tweak 594 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 595 596 /** Tweak a public key by multiplying it by a tweak value. 597 * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for 598 * uniformly random 32-byte arrays, or equal to zero. 1 otherwise. 599 * Args: ctx: pointer to a context object initialized for validation 600 * (cannot be NULL). 601 * In/Out: pubkey: pointer to a public key obkect. 602 * In: tweak: pointer to a 32-byte tweak. 603 */ 604 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul( 605 const secp256k1_context* ctx, 606 secp256k1_pubkey *pubkey, 607 const unsigned char *tweak 608 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 609 610 /** Updates the context randomization to protect against side-channel leakage. 611 * Returns: 1: randomization successfully updated 612 * 0: error 613 * Args: ctx: pointer to a context object (cannot be NULL) 614 * In: seed32: pointer to a 32-byte random seed (NULL resets to initial state) 615 * 616 * While secp256k1 code is written to be constant-time no matter what secret 617 * values are, it's possible that a future compiler may output code which isn't, 618 * and also that the CPU may not emit the same radio frequencies or draw the same 619 * amount power for all values. 620 * 621 * This function provides a seed which is combined into the blinding value: that 622 * blinding value is added before each multiplication (and removed afterwards) so 623 * that it does not affect function results, but shields against attacks which 624 * rely on any input-dependent behaviour. 625 * 626 * You should call this after secp256k1_context_create or 627 * secp256k1_context_clone, and may call this repeatedly afterwards. 628 */ 629 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize( 630 secp256k1_context* ctx, 631 const unsigned char *seed32 632 ) SECP256K1_ARG_NONNULL(1); 633 634 /** Add a number of public keys together. 635 * Returns: 1: the sum of the public keys is valid. 636 * 0: the sum of the public keys is not valid. 637 * Args: ctx: pointer to a context object 638 * Out: out: pointer to a public key object for placing the resulting public key 639 * (cannot be NULL) 640 * In: ins: pointer to array of pointers to public keys (cannot be NULL) 641 * n: the number of public keys to add together (must be at least 1) 642 */ 643 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine( 644 const secp256k1_context* ctx, 645 secp256k1_pubkey *out, 646 const secp256k1_pubkey * const * ins, 647 size_t n 648 ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 649 650 #ifdef __cplusplus 651 } 652 #endif 653 654 #endif /* SECP256K1_H */