github.com/igggame/nebulas-go@v2.1.0+incompatible/crypto/keystore/secp256k1/libsecp256k1/src/secp256k1.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #include "include/secp256k1.h" 8 9 #include "util.h" 10 #include "num_impl.h" 11 #include "field_impl.h" 12 #include "scalar_impl.h" 13 #include "group_impl.h" 14 #include "ecmult_impl.h" 15 #include "ecmult_const_impl.h" 16 #include "ecmult_gen_impl.h" 17 #include "ecdsa_impl.h" 18 #include "eckey_impl.h" 19 #include "hash_impl.h" 20 21 #define ARG_CHECK(cond) do { \ 22 if (EXPECT(!(cond), 0)) { \ 23 secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 24 return 0; \ 25 } \ 26 } while(0) 27 28 static void default_illegal_callback_fn(const char* str, void* data) { 29 (void)data; 30 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); 31 abort(); 32 } 33 34 static const secp256k1_callback default_illegal_callback = { 35 default_illegal_callback_fn, 36 NULL 37 }; 38 39 static void default_error_callback_fn(const char* str, void* data) { 40 (void)data; 41 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); 42 abort(); 43 } 44 45 static const secp256k1_callback default_error_callback = { 46 default_error_callback_fn, 47 NULL 48 }; 49 50 51 struct secp256k1_context_struct { 52 secp256k1_ecmult_context ecmult_ctx; 53 secp256k1_ecmult_gen_context ecmult_gen_ctx; 54 secp256k1_callback illegal_callback; 55 secp256k1_callback error_callback; 56 }; 57 58 secp256k1_context* secp256k1_context_create(unsigned int flags) { 59 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context)); 60 ret->illegal_callback = default_illegal_callback; 61 ret->error_callback = default_error_callback; 62 63 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { 64 secp256k1_callback_call(&ret->illegal_callback, 65 "Invalid flags"); 66 free(ret); 67 return NULL; 68 } 69 70 secp256k1_ecmult_context_init(&ret->ecmult_ctx); 71 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx); 72 73 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { 74 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback); 75 } 76 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { 77 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback); 78 } 79 80 return ret; 81 } 82 83 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) { 84 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context)); 85 ret->illegal_callback = ctx->illegal_callback; 86 ret->error_callback = ctx->error_callback; 87 secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback); 88 secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback); 89 return ret; 90 } 91 92 void secp256k1_context_destroy(secp256k1_context* ctx) { 93 if (ctx != NULL) { 94 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx); 95 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 96 97 free(ctx); 98 } 99 } 100 101 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 102 if (fun == NULL) { 103 fun = default_illegal_callback_fn; 104 } 105 ctx->illegal_callback.fn = fun; 106 ctx->illegal_callback.data = data; 107 } 108 109 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 110 if (fun == NULL) { 111 fun = default_error_callback_fn; 112 } 113 ctx->error_callback.fn = fun; 114 ctx->error_callback.data = data; 115 } 116 117 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) { 118 if (sizeof(secp256k1_ge_storage) == 64) { 119 /* When the secp256k1_ge_storage type is exactly 64 byte, use its 120 * representation inside secp256k1_pubkey, as conversion is very fast. 121 * Note that secp256k1_pubkey_save must use the same representation. */ 122 secp256k1_ge_storage s; 123 memcpy(&s, &pubkey->data[0], 64); 124 secp256k1_ge_from_storage(ge, &s); 125 } else { 126 /* Otherwise, fall back to 32-byte big endian for X and Y. */ 127 secp256k1_fe x, y; 128 secp256k1_fe_set_b32(&x, pubkey->data); 129 secp256k1_fe_set_b32(&y, pubkey->data + 32); 130 secp256k1_ge_set_xy(ge, &x, &y); 131 } 132 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x)); 133 return 1; 134 } 135 136 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) { 137 if (sizeof(secp256k1_ge_storage) == 64) { 138 secp256k1_ge_storage s; 139 secp256k1_ge_to_storage(&s, ge); 140 memcpy(&pubkey->data[0], &s, 64); 141 } else { 142 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge)); 143 secp256k1_fe_normalize_var(&ge->x); 144 secp256k1_fe_normalize_var(&ge->y); 145 secp256k1_fe_get_b32(pubkey->data, &ge->x); 146 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y); 147 } 148 } 149 150 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 151 secp256k1_ge Q; 152 153 VERIFY_CHECK(ctx != NULL); 154 ARG_CHECK(pubkey != NULL); 155 memset(pubkey, 0, sizeof(*pubkey)); 156 ARG_CHECK(input != NULL); 157 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) { 158 return 0; 159 } 160 secp256k1_pubkey_save(pubkey, &Q); 161 secp256k1_ge_clear(&Q); 162 return 1; 163 } 164 165 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) { 166 secp256k1_ge Q; 167 size_t len; 168 int ret = 0; 169 170 VERIFY_CHECK(ctx != NULL); 171 ARG_CHECK(outputlen != NULL); 172 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65)); 173 len = *outputlen; 174 *outputlen = 0; 175 ARG_CHECK(output != NULL); 176 memset(output, 0, len); 177 ARG_CHECK(pubkey != NULL); 178 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); 179 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) { 180 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); 181 if (ret) { 182 *outputlen = len; 183 } 184 } 185 return ret; 186 } 187 188 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) { 189 (void)ctx; 190 if (sizeof(secp256k1_scalar) == 32) { 191 /* When the secp256k1_scalar type is exactly 32 byte, use its 192 * representation inside secp256k1_ecdsa_signature, as conversion is very fast. 193 * Note that secp256k1_ecdsa_signature_save must use the same representation. */ 194 memcpy(r, &sig->data[0], 32); 195 memcpy(s, &sig->data[32], 32); 196 } else { 197 secp256k1_scalar_set_b32(r, &sig->data[0], NULL); 198 secp256k1_scalar_set_b32(s, &sig->data[32], NULL); 199 } 200 } 201 202 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) { 203 if (sizeof(secp256k1_scalar) == 32) { 204 memcpy(&sig->data[0], r, 32); 205 memcpy(&sig->data[32], s, 32); 206 } else { 207 secp256k1_scalar_get_b32(&sig->data[0], r); 208 secp256k1_scalar_get_b32(&sig->data[32], s); 209 } 210 } 211 212 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 213 secp256k1_scalar r, s; 214 215 VERIFY_CHECK(ctx != NULL); 216 ARG_CHECK(sig != NULL); 217 ARG_CHECK(input != NULL); 218 219 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) { 220 secp256k1_ecdsa_signature_save(sig, &r, &s); 221 return 1; 222 } else { 223 memset(sig, 0, sizeof(*sig)); 224 return 0; 225 } 226 } 227 228 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) { 229 secp256k1_scalar r, s; 230 int ret = 1; 231 int overflow = 0; 232 233 VERIFY_CHECK(ctx != NULL); 234 ARG_CHECK(sig != NULL); 235 ARG_CHECK(input64 != NULL); 236 237 secp256k1_scalar_set_b32(&r, &input64[0], &overflow); 238 ret &= !overflow; 239 secp256k1_scalar_set_b32(&s, &input64[32], &overflow); 240 ret &= !overflow; 241 if (ret) { 242 secp256k1_ecdsa_signature_save(sig, &r, &s); 243 } else { 244 memset(sig, 0, sizeof(*sig)); 245 } 246 return ret; 247 } 248 249 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) { 250 secp256k1_scalar r, s; 251 252 VERIFY_CHECK(ctx != NULL); 253 ARG_CHECK(output != NULL); 254 ARG_CHECK(outputlen != NULL); 255 ARG_CHECK(sig != NULL); 256 257 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 258 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s); 259 } 260 261 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) { 262 secp256k1_scalar r, s; 263 264 VERIFY_CHECK(ctx != NULL); 265 ARG_CHECK(output64 != NULL); 266 ARG_CHECK(sig != NULL); 267 268 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 269 secp256k1_scalar_get_b32(&output64[0], &r); 270 secp256k1_scalar_get_b32(&output64[32], &s); 271 return 1; 272 } 273 274 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) { 275 secp256k1_scalar r, s; 276 int ret = 0; 277 278 VERIFY_CHECK(ctx != NULL); 279 ARG_CHECK(sigin != NULL); 280 281 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin); 282 ret = secp256k1_scalar_is_high(&s); 283 if (sigout != NULL) { 284 if (ret) { 285 secp256k1_scalar_negate(&s, &s); 286 } 287 secp256k1_ecdsa_signature_save(sigout, &r, &s); 288 } 289 290 return ret; 291 } 292 293 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) { 294 secp256k1_ge q; 295 secp256k1_scalar r, s; 296 secp256k1_scalar m; 297 VERIFY_CHECK(ctx != NULL); 298 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 299 ARG_CHECK(msg32 != NULL); 300 ARG_CHECK(sig != NULL); 301 ARG_CHECK(pubkey != NULL); 302 303 secp256k1_scalar_set_b32(&m, msg32, NULL); 304 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 305 return (!secp256k1_scalar_is_high(&s) && 306 secp256k1_pubkey_load(ctx, &q, pubkey) && 307 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); 308 } 309 310 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 311 unsigned char keydata[112]; 312 int keylen = 64; 313 secp256k1_rfc6979_hmac_sha256_t rng; 314 unsigned int i; 315 /* We feed a byte array to the PRNG as input, consisting of: 316 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. 317 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 318 * - optionally 16 extra bytes with the algorithm name. 319 * Because the arguments have distinct fixed lengths it is not possible for 320 * different argument mixtures to emulate each other and result in the same 321 * nonces. 322 */ 323 memcpy(keydata, key32, 32); 324 memcpy(keydata + 32, msg32, 32); 325 if (data != NULL) { 326 memcpy(keydata + 64, data, 32); 327 keylen = 96; 328 } 329 if (algo16 != NULL) { 330 memcpy(keydata + keylen, algo16, 16); 331 keylen += 16; 332 } 333 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen); 334 memset(keydata, 0, sizeof(keydata)); 335 for (i = 0; i <= counter; i++) { 336 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 337 } 338 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 339 return 1; 340 } 341 342 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; 343 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; 344 345 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { 346 secp256k1_scalar r, s; 347 secp256k1_scalar sec, non, msg; 348 int ret = 0; 349 int overflow = 0; 350 VERIFY_CHECK(ctx != NULL); 351 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 352 ARG_CHECK(msg32 != NULL); 353 ARG_CHECK(signature != NULL); 354 ARG_CHECK(seckey != NULL); 355 if (noncefp == NULL) { 356 noncefp = secp256k1_nonce_function_default; 357 } 358 359 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 360 /* Fail if the secret key is invalid. */ 361 if (!overflow && !secp256k1_scalar_is_zero(&sec)) { 362 unsigned char nonce32[32]; 363 unsigned int count = 0; 364 secp256k1_scalar_set_b32(&msg, msg32, NULL); 365 while (1) { 366 ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 367 if (!ret) { 368 break; 369 } 370 secp256k1_scalar_set_b32(&non, nonce32, &overflow); 371 if (!overflow && !secp256k1_scalar_is_zero(&non)) { 372 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) { 373 break; 374 } 375 } 376 count++; 377 } 378 memset(nonce32, 0, 32); 379 secp256k1_scalar_clear(&msg); 380 secp256k1_scalar_clear(&non); 381 secp256k1_scalar_clear(&sec); 382 } 383 if (ret) { 384 secp256k1_ecdsa_signature_save(signature, &r, &s); 385 } else { 386 memset(signature, 0, sizeof(*signature)); 387 } 388 return ret; 389 } 390 391 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { 392 secp256k1_scalar sec; 393 int ret; 394 int overflow; 395 VERIFY_CHECK(ctx != NULL); 396 ARG_CHECK(seckey != NULL); 397 398 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 399 ret = !overflow && !secp256k1_scalar_is_zero(&sec); 400 secp256k1_scalar_clear(&sec); 401 return ret; 402 } 403 404 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) { 405 secp256k1_gej pj; 406 secp256k1_ge p; 407 secp256k1_scalar sec; 408 int overflow; 409 int ret = 0; 410 VERIFY_CHECK(ctx != NULL); 411 ARG_CHECK(pubkey != NULL); 412 memset(pubkey, 0, sizeof(*pubkey)); 413 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 414 ARG_CHECK(seckey != NULL); 415 416 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 417 ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec)); 418 if (ret) { 419 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); 420 secp256k1_ge_set_gej(&p, &pj); 421 secp256k1_pubkey_save(pubkey, &p); 422 } 423 secp256k1_scalar_clear(&sec); 424 return ret; 425 } 426 427 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) { 428 secp256k1_scalar sec; 429 VERIFY_CHECK(ctx != NULL); 430 ARG_CHECK(seckey != NULL); 431 432 secp256k1_scalar_set_b32(&sec, seckey, NULL); 433 secp256k1_scalar_negate(&sec, &sec); 434 secp256k1_scalar_get_b32(seckey, &sec); 435 436 return 1; 437 } 438 439 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) { 440 int ret = 0; 441 secp256k1_ge p; 442 VERIFY_CHECK(ctx != NULL); 443 ARG_CHECK(pubkey != NULL); 444 445 ret = secp256k1_pubkey_load(ctx, &p, pubkey); 446 memset(pubkey, 0, sizeof(*pubkey)); 447 if (ret) { 448 secp256k1_ge_neg(&p, &p); 449 secp256k1_pubkey_save(pubkey, &p); 450 } 451 return ret; 452 } 453 454 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 455 secp256k1_scalar term; 456 secp256k1_scalar sec; 457 int ret = 0; 458 int overflow = 0; 459 VERIFY_CHECK(ctx != NULL); 460 ARG_CHECK(seckey != NULL); 461 ARG_CHECK(tweak != NULL); 462 463 secp256k1_scalar_set_b32(&term, tweak, &overflow); 464 secp256k1_scalar_set_b32(&sec, seckey, NULL); 465 466 ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term); 467 memset(seckey, 0, 32); 468 if (ret) { 469 secp256k1_scalar_get_b32(seckey, &sec); 470 } 471 472 secp256k1_scalar_clear(&sec); 473 secp256k1_scalar_clear(&term); 474 return ret; 475 } 476 477 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 478 secp256k1_ge p; 479 secp256k1_scalar term; 480 int ret = 0; 481 int overflow = 0; 482 VERIFY_CHECK(ctx != NULL); 483 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 484 ARG_CHECK(pubkey != NULL); 485 ARG_CHECK(tweak != NULL); 486 487 secp256k1_scalar_set_b32(&term, tweak, &overflow); 488 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey); 489 memset(pubkey, 0, sizeof(*pubkey)); 490 if (ret) { 491 if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { 492 secp256k1_pubkey_save(pubkey, &p); 493 } else { 494 ret = 0; 495 } 496 } 497 498 return ret; 499 } 500 501 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 502 secp256k1_scalar factor; 503 secp256k1_scalar sec; 504 int ret = 0; 505 int overflow = 0; 506 VERIFY_CHECK(ctx != NULL); 507 ARG_CHECK(seckey != NULL); 508 ARG_CHECK(tweak != NULL); 509 510 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 511 secp256k1_scalar_set_b32(&sec, seckey, NULL); 512 ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor); 513 memset(seckey, 0, 32); 514 if (ret) { 515 secp256k1_scalar_get_b32(seckey, &sec); 516 } 517 518 secp256k1_scalar_clear(&sec); 519 secp256k1_scalar_clear(&factor); 520 return ret; 521 } 522 523 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 524 secp256k1_ge p; 525 secp256k1_scalar factor; 526 int ret = 0; 527 int overflow = 0; 528 VERIFY_CHECK(ctx != NULL); 529 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 530 ARG_CHECK(pubkey != NULL); 531 ARG_CHECK(tweak != NULL); 532 533 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 534 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey); 535 memset(pubkey, 0, sizeof(*pubkey)); 536 if (ret) { 537 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { 538 secp256k1_pubkey_save(pubkey, &p); 539 } else { 540 ret = 0; 541 } 542 } 543 544 return ret; 545 } 546 547 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) { 548 VERIFY_CHECK(ctx != NULL); 549 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 550 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 551 return 1; 552 } 553 554 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) { 555 size_t i; 556 secp256k1_gej Qj; 557 secp256k1_ge Q; 558 559 ARG_CHECK(pubnonce != NULL); 560 memset(pubnonce, 0, sizeof(*pubnonce)); 561 ARG_CHECK(n >= 1); 562 ARG_CHECK(pubnonces != NULL); 563 564 secp256k1_gej_set_infinity(&Qj); 565 566 for (i = 0; i < n; i++) { 567 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]); 568 secp256k1_gej_add_ge(&Qj, &Qj, &Q); 569 } 570 if (secp256k1_gej_is_infinity(&Qj)) { 571 return 0; 572 } 573 secp256k1_ge_set_gej(&Q, &Qj); 574 secp256k1_pubkey_save(pubnonce, &Q); 575 return 1; 576 } 577 578 #ifdef ENABLE_MODULE_ECDH 579 # include "modules/ecdh/main_impl.h" 580 #endif 581 582 #ifdef ENABLE_MODULE_RECOVERY 583 # include "modules/recovery/main_impl.h" 584 #endif