github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/include/secp256k1_schnorrsig.h

github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/include/secp256k1_schnorrsig.h (about)

     1  #ifndef SECP256K1_SCHNORRSIG_H
     2  #define SECP256K1_SCHNORRSIG_H
     3  
     4  #include "secp256k1.h"
     5  #include "secp256k1_extrakeys.h"
     6  
     7  #ifdef __cplusplus
     8  extern "C" {
     9  #endif
    10  
    11  /** This module implements a variant of Schnorr signatures compliant with
    12   *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
    13   *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
    14   */
    15  
    16  /** A pointer to a function to deterministically generate a nonce.
    17   *
    18   *  Same as secp256k1_nonce function with the exception of accepting an
    19   *  additional pubkey argument and not requiring an attempt argument. The pubkey
    20   *  argument can protect signature schemes with key-prefixed challenge hash
    21   *  inputs against reusing the nonce when signing with the wrong precomputed
    22   *  pubkey.
    23   *
    24   *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
    25   *           return an error.
    26   *  Out:  nonce32: pointer to a 32-byte array to be filled by the function
    27   *  In:       msg: the message being verified. Is NULL if and only if msglen
    28   *                 is 0.
    29   *         msglen: the length of the message
    30   *          key32: pointer to a 32-byte secret key (will not be NULL)
    31   *     xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32
    32   *                 (will not be NULL)
    33   *           algo: pointer to an array describing the signature
    34   *                 algorithm (will not be NULL)
    35   *        algolen: the length of the algo array
    36   *           data: arbitrary data pointer that is passed through
    37   *
    38   *  Except for test cases, this function should compute some cryptographic hash of
    39   *  the message, the key, the pubkey, the algorithm description, and data.
    40   */
    41  typedef int (*secp256k1_nonce_function_hardened)(
    42      unsigned char *nonce32,
    43      const unsigned char *msg,
    44      size_t msglen,
    45      const unsigned char *key32,
    46      const unsigned char *xonly_pk32,
    47      const unsigned char *algo,
    48      size_t algolen,
    49      void *data
    50  );
    51  
    52  /** An implementation of the nonce generation function as defined in Bitcoin
    53   *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
    54   *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
    55   *
    56   *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
    57   *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
    58   *  the nonce derivation procedure follows BIP-340 by setting the auxiliary
    59   *  random data to zero. The algo argument must be non-NULL, otherwise the
    60   *  function will fail and return 0. The hash will be tagged with algo.
    61   *  Therefore, to create BIP-340 compliant signatures, algo must be set to
    62   *  "BIP0340/nonce" and algolen to 13.
    63   */
    64  SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;
    65  
    66  /** Data structure that contains additional arguments for schnorrsig_sign_custom.
    67   *
    68   *  A schnorrsig_extraparams structure object can be initialized correctly by
    69   *  setting it to SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT.
    70   *
    71   *  Members:
    72   *      magic: set to SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC at initialization
    73   *             and has no other function than making sure the object is
    74   *             initialized.
    75   *    noncefp: pointer to a nonce generation function. If NULL,
    76   *             secp256k1_nonce_function_bip340 is used
    77   *      ndata: pointer to arbitrary data used by the nonce generation function
    78   *             (can be NULL). If it is non-NULL and
    79   *             secp256k1_nonce_function_bip340 is used, then ndata must be a
    80   *             pointer to 32-byte auxiliary randomness as per BIP-340.
    81   */
    82  typedef struct secp256k1_schnorrsig_extraparams {
    83      unsigned char magic[4];
    84      secp256k1_nonce_function_hardened noncefp;
    85      void *ndata;
    86  } secp256k1_schnorrsig_extraparams;
    87  
    88  #define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC { 0xda, 0x6f, 0xb3, 0x8c }
    89  #define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT {\
    90      SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC,\
    91      NULL,\
    92      NULL\
    93  }
    94  
    95  /** Create a Schnorr signature.
    96   *
    97   *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
    98   *  signature. Instead, you can manually use secp256k1_schnorrsig_verify and
    99   *  abort if it fails.
   100   *
   101   *  This function only signs 32-byte messages. If you have messages of a
   102   *  different size (or the same size but without a context-specific tag
   103   *  prefix), it is recommended to create a 32-byte message hash with
   104   *  secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows
   105   *  providing an context-specific tag for domain separation. This prevents
   106   *  signatures from being valid in multiple contexts by accident.
   107   *
   108   *  Returns 1 on success, 0 on failure.
   109   *  Args:    ctx: pointer to a context object (not secp256k1_context_static).
   110   *  Out:   sig64: pointer to a 64-byte array to store the serialized signature.
   111   *  In:    msg32: the 32-byte message being signed.
   112   *       keypair: pointer to an initialized keypair.
   113   *    aux_rand32: 32 bytes of fresh randomness. While recommended to provide
   114   *                this, it is only supplemental to security and can be NULL. A
   115   *                NULL argument is treated the same as an all-zero one. See
   116   *                BIP-340 "Default Signing" for a full explanation of this
   117   *                argument and for guidance if randomness is expensive.
   118   */
   119  SECP256K1_API int secp256k1_schnorrsig_sign32(
   120      const secp256k1_context *ctx,
   121      unsigned char *sig64,
   122      const unsigned char *msg32,
   123      const secp256k1_keypair *keypair,
   124      const unsigned char *aux_rand32
   125  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
   126  
   127  /** Same as secp256k1_schnorrsig_sign32, but DEPRECATED. Will be removed in
   128   *  future versions. */
   129  SECP256K1_API int secp256k1_schnorrsig_sign(
   130      const secp256k1_context *ctx,
   131      unsigned char *sig64,
   132      const unsigned char *msg32,
   133      const secp256k1_keypair *keypair,
   134      const unsigned char *aux_rand32
   135  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
   136    SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead");
   137  
   138  /** Create a Schnorr signature with a more flexible API.
   139   *
   140   *  Same arguments as secp256k1_schnorrsig_sign except that it allows signing
   141   *  variable length messages and accepts a pointer to an extraparams object that
   142   *  allows customizing signing by passing additional arguments.
   143   *
   144   *  Equivalent to secp256k1_schnorrsig_sign32(..., aux_rand32) if msglen is 32
   145   *  and extraparams is initialized as follows:
   146   *  ```
   147   *  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
   148   *  extraparams.ndata = (unsigned char*)aux_rand32;
   149   *  ```
   150   *
   151   *  Returns 1 on success, 0 on failure.
   152   *  Args:   ctx: pointer to a context object (not secp256k1_context_static).
   153   *  Out:  sig64: pointer to a 64-byte array to store the serialized signature.
   154   *  In:     msg: the message being signed. Can only be NULL if msglen is 0.
   155   *       msglen: length of the message.
   156   *      keypair: pointer to an initialized keypair.
   157   *  extraparams: pointer to an extraparams object (can be NULL).
   158   */
   159  SECP256K1_API int secp256k1_schnorrsig_sign_custom(
   160      const secp256k1_context *ctx,
   161      unsigned char *sig64,
   162      const unsigned char *msg,
   163      size_t msglen,
   164      const secp256k1_keypair *keypair,
   165      secp256k1_schnorrsig_extraparams *extraparams
   166  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
   167  
   168  /** Verify a Schnorr signature.
   169   *
   170   *  Returns: 1: correct signature
   171   *           0: incorrect signature
   172   *  Args:    ctx: pointer to a context object.
   173   *  In:    sig64: pointer to the 64-byte signature to verify.
   174   *           msg: the message being verified. Can only be NULL if msglen is 0.
   175   *        msglen: length of the message
   176   *        pubkey: pointer to an x-only public key to verify with
   177   */
   178  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
   179      const secp256k1_context *ctx,
   180      const unsigned char *sig64,
   181      const unsigned char *msg,
   182      size_t msglen,
   183      const secp256k1_xonly_pubkey *pubkey
   184  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
   185  
   186  #ifdef __cplusplus
   187  }
   188  #endif
   189  
   190  #endif /* SECP256K1_SCHNORRSIG_H */