github.com/klaytn/klaytn@v1.12.1/crypto/secp256k1/libsecp256k1/include/secp256k1.h (about)

     1  #ifndef _SECP256K1_
     2  # define _SECP256K1_
     3  
     4  # ifdef __cplusplus
     5  extern "C" {
     6  # endif
     7  
     8  #include <stddef.h>
     9  
    10  /* These rules specify the order of arguments in API calls:
    11   *
    12   * 1. Context pointers go first, followed by output arguments, combined
    13   *    output/input arguments, and finally input-only arguments.
    14   * 2. Array lengths always immediately the follow the argument whose length
    15   *    they describe, even if this violates rule 1.
    16   * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated
    17   *    later go first. This means: signatures, public nonces, private nonces,
    18   *    messages, public keys, secret keys, tweaks.
    19   * 4. Arguments that are not data pointers go last, from more complex to less
    20   *    complex: function pointers, algorithm names, messages, void pointers,
    21   *    counts, flags, booleans.
    22   * 5. Opaque data pointers follow the function pointer they are to be passed to.
    23   */
    24  
    25  /** Opaque data structure that holds context information (precomputed tables etc.).
    26   *
    27   *  The purpose of context structures is to cache large precomputed data tables
    28   *  that are expensive to construct, and also to maintain the randomization data
    29   *  for blinding.
    30   *
    31   *  Do not create a new context object for each operation, as construction is
    32   *  far slower than all other API calls (~100 times slower than an ECDSA
    33   *  verification).
    34   *
    35   *  A constructed context can safely be used from multiple threads
    36   *  simultaneously, but API call that take a non-const pointer to a context
    37   *  need exclusive access to it. In particular this is the case for
    38   *  secp256k1_context_destroy and secp256k1_context_randomize.
    39   *
    40   *  Regarding randomization, either do it once at creation time (in which case
    41   *  you do not need any locking for the other calls), or use a read-write lock.
    42   */
    43  typedef struct secp256k1_context_struct secp256k1_context;
    44  
    45  /** Opaque data structure that holds a parsed and valid public key.
    46   *
    47   *  The exact representation of data inside is implementation defined and not
    48   *  guaranteed to be portable between different platforms or versions. It is
    49   *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
    50   *  If you need to convert to a format suitable for storage, transmission, or
    51   *  comparison, use secp256k1_ec_pubkey_serialize and secp256k1_ec_pubkey_parse.
    52   */
    53  typedef struct {
    54      unsigned char data[64];
    55  } secp256k1_pubkey;
    56  
    57  /** Opaque data structured that holds a parsed ECDSA signature.
    58   *
    59   *  The exact representation of data inside is implementation defined and not
    60   *  guaranteed to be portable between different platforms or versions. It is
    61   *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
    62   *  If you need to convert to a format suitable for storage, transmission, or
    63   *  comparison, use the secp256k1_ecdsa_signature_serialize_* and
    64   *  secp256k1_ecdsa_signature_serialize_* functions.
    65   */
    66  typedef struct {
    67      unsigned char data[64];
    68  } secp256k1_ecdsa_signature;
    69  
    70  /** A pointer to a function to deterministically generate a nonce.
    71   *
    72   * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
    73   * Out:     nonce32:   pointer to a 32-byte array to be filled by the function.
    74   * In:      msg32:     the 32-byte message hash being verified (will not be NULL)
    75   *          key32:     pointer to a 32-byte secret key (will not be NULL)
    76   *          algo16:    pointer to a 16-byte array describing the signature
    77   *                     algorithm (will be NULL for ECDSA for compatibility).
    78   *          data:      Arbitrary data pointer that is passed through.
    79   *          attempt:   how many iterations we have tried to find a nonce.
    80   *                     This will almost always be 0, but different attempt values
    81   *                     are required to result in a different nonce.
    82   *
    83   * Except for test cases, this function should compute some cryptographic hash of
    84   * the message, the algorithm, the key and the attempt.
    85   */
    86  typedef int (*secp256k1_nonce_function)(
    87      unsigned char *nonce32,
    88      const unsigned char *msg32,
    89      const unsigned char *key32,
    90      const unsigned char *algo16,
    91      void *data,
    92      unsigned int attempt
    93  );
    94  
    95  # if !defined(SECP256K1_GNUC_PREREQ)
    96  #  if defined(__GNUC__)&&defined(__GNUC_MINOR__)
    97  #   define SECP256K1_GNUC_PREREQ(_maj,_min) \
    98   ((__GNUC__<<16)+__GNUC_MINOR__>=((_maj)<<16)+(_min))
    99  #  else
   100  #   define SECP256K1_GNUC_PREREQ(_maj,_min) 0
   101  #  endif
   102  # endif
   103  
   104  # if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) )
   105  #  if SECP256K1_GNUC_PREREQ(2,7)
   106  #   define SECP256K1_INLINE __inline__
   107  #  elif (defined(_MSC_VER))
   108  #   define SECP256K1_INLINE __inline
   109  #  else
   110  #   define SECP256K1_INLINE
   111  #  endif
   112  # else
   113  #  define SECP256K1_INLINE inline
   114  # endif
   115  
   116  #ifndef SECP256K1_API
   117  # if defined(_WIN32)
   118  #  ifdef SECP256K1_BUILD
   119  #   define SECP256K1_API __declspec(dllexport)
   120  #  else
   121  #   define SECP256K1_API
   122  #  endif
   123  # elif defined(__GNUC__) && defined(SECP256K1_BUILD)
   124  #  define SECP256K1_API __attribute__ ((visibility ("default")))
   125  # else
   126  #  define SECP256K1_API
   127  # endif
   128  #endif
   129  
   130  /**Warning attributes
   131    * NONNULL is not used if SECP256K1_BUILD is set to avoid the compiler optimizing out
   132    * some paranoid null checks. */
   133  # if defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4)
   134  #  define SECP256K1_WARN_UNUSED_RESULT __attribute__ ((__warn_unused_result__))
   135  # else
   136  #  define SECP256K1_WARN_UNUSED_RESULT
   137  # endif
   138  # if !defined(SECP256K1_BUILD) && defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4)
   139  #  define SECP256K1_ARG_NONNULL(_x)  __attribute__ ((__nonnull__(_x)))
   140  # else
   141  #  define SECP256K1_ARG_NONNULL(_x)
   142  # endif
   143  
   144  /** All flags' lower 8 bits indicate what they're for. Do not use directly. */
   145  #define SECP256K1_FLAGS_TYPE_MASK ((1 << 8) - 1)
   146  #define SECP256K1_FLAGS_TYPE_CONTEXT (1 << 0)
   147  #define SECP256K1_FLAGS_TYPE_COMPRESSION (1 << 1)
   148  /** The higher bits contain the actual data. Do not use directly. */
   149  #define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8)
   150  #define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9)
   151  #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8)
   152  
   153  /** Flags to pass to secp256k1_context_create. */
   154  #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY)
   155  #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN)
   156  #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT)
   157  
   158  /** Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export. */
   159  #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION)
   160  #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION)
   161  
   162  /** Create a secp256k1 context object.
   163   *
   164   *  Returns: a newly created context object.
   165   *  In:      flags: which parts of the context to initialize.
   166   */
   167  SECP256K1_API secp256k1_context* secp256k1_context_create(
   168      unsigned int flags
   169  ) SECP256K1_WARN_UNUSED_RESULT;
   170  
   171  /** Copies a secp256k1 context object.
   172   *
   173   *  Returns: a newly created context object.
   174   *  Args:    ctx: an existing context to copy (cannot be NULL)
   175   */
   176  SECP256K1_API secp256k1_context* secp256k1_context_clone(
   177      const secp256k1_context* ctx
   178  ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT;
   179  
   180  /** Destroy a secp256k1 context object.
   181   *
   182   *  The context pointer may not be used afterwards.
   183   *  Args:   ctx: an existing context to destroy (cannot be NULL)
   184   */
   185  SECP256K1_API void secp256k1_context_destroy(
   186      secp256k1_context* ctx
   187  );
   188  
   189  /** Set a callback function to be called when an illegal argument is passed to
   190   *  an API call. It will only trigger for violations that are mentioned
   191   *  explicitly in the header.
   192   *
   193   *  The philosophy is that these shouldn't be dealt with through a
   194   *  specific return value, as calling code should not have branches to deal with
   195   *  the case that this code itself is broken.
   196   *
   197   *  On the other hand, during debug stage, one would want to be informed about
   198   *  such mistakes, and the default (crashing) may be inadvisable.
   199   *  When this callback is triggered, the API function called is guaranteed not
   200   *  to cause a crash, though its return value and output arguments are
   201   *  undefined.
   202   *
   203   *  Args: ctx:  an existing context object (cannot be NULL)
   204   *  In:   fun:  a pointer to a function to call when an illegal argument is
   205   *              passed to the API, taking a message and an opaque pointer
   206   *              (NULL restores a default handler that calls abort).
   207   *        data: the opaque pointer to pass to fun above.
   208   */
   209  SECP256K1_API void secp256k1_context_set_illegal_callback(
   210      secp256k1_context* ctx,
   211      void (*fun)(const char* message, void* data),
   212      const void* data
   213  ) SECP256K1_ARG_NONNULL(1);
   214  
   215  /** Set a callback function to be called when an internal consistency check
   216   *  fails. The default is crashing.
   217   *
   218   *  This can only trigger in case of a hardware failure, miscompilation,
   219   *  memory corruption, serious bug in the library, or other error would can
   220   *  otherwise result in undefined behaviour. It will not trigger due to mere
   221   *  incorrect usage of the API (see secp256k1_context_set_illegal_callback
   222   *  for that). After this callback returns, anything may happen, including
   223   *  crashing.
   224   *
   225   *  Args: ctx:  an existing context object (cannot be NULL)
   226   *  In:   fun:  a pointer to a function to call when an internal error occurs,
   227   *              taking a message and an opaque pointer (NULL restores a default
   228   *              handler that calls abort).
   229   *        data: the opaque pointer to pass to fun above.
   230   */
   231  SECP256K1_API void secp256k1_context_set_error_callback(
   232      secp256k1_context* ctx,
   233      void (*fun)(const char* message, void* data),
   234      const void* data
   235  ) SECP256K1_ARG_NONNULL(1);
   236  
   237  /** Parse a variable-length public key into the pubkey object.
   238   *
   239   *  Returns: 1 if the public key was fully valid.
   240   *           0 if the public key could not be parsed or is invalid.
   241   *  Args: ctx:      a secp256k1 context object.
   242   *  Out:  pubkey:   pointer to a pubkey object. If 1 is returned, it is set to a
   243   *                  parsed version of input. If not, its value is undefined.
   244   *  In:   input:    pointer to a serialized public key
   245   *        inputlen: length of the array pointed to by input
   246   *
   247   *  This function supports parsing compressed (33 bytes, header byte 0x02 or
   248   *  0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header
   249   *  byte 0x06 or 0x07) format public keys.
   250   */
   251  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(
   252      const secp256k1_context* ctx,
   253      secp256k1_pubkey* pubkey,
   254      const unsigned char *input,
   255      size_t inputlen
   256  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   257  
   258  /** Serialize a pubkey object into a serialized byte sequence.
   259   *
   260   *  Returns: 1 always.
   261   *  Args:   ctx:        a secp256k1 context object.
   262   *  Out:    output:     a pointer to a 65-byte (if compressed==0) or 33-byte (if
   263   *                      compressed==1) byte array to place the serialized key
   264   *                      in.
   265   *  In/Out: outputlen:  a pointer to an integer which is initially set to the
   266   *                      size of output, and is overwritten with the written
   267   *                      size.
   268   *  In:     pubkey:     a pointer to a secp256k1_pubkey containing an
   269   *                      initialized public key.
   270   *          flags:      SECP256K1_EC_COMPRESSED if serialization should be in
   271   *                      compressed format, otherwise SECP256K1_EC_UNCOMPRESSED.
   272   */
   273  SECP256K1_API int secp256k1_ec_pubkey_serialize(
   274      const secp256k1_context* ctx,
   275      unsigned char *output,
   276      size_t *outputlen,
   277      const secp256k1_pubkey* pubkey,
   278      unsigned int flags
   279  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
   280  
   281  /** Parse an ECDSA signature in compact (64 bytes) format.
   282   *
   283   *  Returns: 1 when the signature could be parsed, 0 otherwise.
   284   *  Args: ctx:      a secp256k1 context object
   285   *  Out:  sig:      a pointer to a signature object
   286   *  In:   input64:  a pointer to the 64-byte array to parse
   287   *
   288   *  The signature must consist of a 32-byte big endian R value, followed by a
   289   *  32-byte big endian S value. If R or S fall outside of [0..order-1], the
   290   *  encoding is invalid. R and S with value 0 are allowed in the encoding.
   291   *
   292   *  After the call, sig will always be initialized. If parsing failed or R or
   293   *  S are zero, the resulting sig value is guaranteed to fail validation for any
   294   *  message and public key.
   295   */
   296  SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(
   297      const secp256k1_context* ctx,
   298      secp256k1_ecdsa_signature* sig,
   299      const unsigned char *input64
   300  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   301  
   302  /** Parse a DER ECDSA signature.
   303   *
   304   *  Returns: 1 when the signature could be parsed, 0 otherwise.
   305   *  Args: ctx:      a secp256k1 context object
   306   *  Out:  sig:      a pointer to a signature object
   307   *  In:   input:    a pointer to the signature to be parsed
   308   *        inputlen: the length of the array pointed to be input
   309   *
   310   *  This function will accept any valid DER encoded signature, even if the
   311   *  encoded numbers are out of range.
   312   *
   313   *  After the call, sig will always be initialized. If parsing failed or the
   314   *  encoded numbers are out of range, signature validation with it is
   315   *  guaranteed to fail for every message and public key.
   316   */
   317  SECP256K1_API int secp256k1_ecdsa_signature_parse_der(
   318      const secp256k1_context* ctx,
   319      secp256k1_ecdsa_signature* sig,
   320      const unsigned char *input,
   321      size_t inputlen
   322  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   323  
   324  /** Serialize an ECDSA signature in DER format.
   325   *
   326   *  Returns: 1 if enough space was available to serialize, 0 otherwise
   327   *  Args:   ctx:       a secp256k1 context object
   328   *  Out:    output:    a pointer to an array to store the DER serialization
   329   *  In/Out: outputlen: a pointer to a length integer. Initially, this integer
   330   *                     should be set to the length of output. After the call
   331   *                     it will be set to the length of the serialization (even
   332   *                     if 0 was returned).
   333   *  In:     sig:       a pointer to an initialized signature object
   334   */
   335  SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(
   336      const secp256k1_context* ctx,
   337      unsigned char *output,
   338      size_t *outputlen,
   339      const secp256k1_ecdsa_signature* sig
   340  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
   341  
   342  /** Serialize an ECDSA signature in compact (64 byte) format.
   343   *
   344   *  Returns: 1
   345   *  Args:   ctx:       a secp256k1 context object
   346   *  Out:    output64:  a pointer to a 64-byte array to store the compact serialization
   347   *  In:     sig:       a pointer to an initialized signature object
   348   *
   349   *  See secp256k1_ecdsa_signature_parse_compact for details about the encoding.
   350   */
   351  SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
   352      const secp256k1_context* ctx,
   353      unsigned char *output64,
   354      const secp256k1_ecdsa_signature* sig
   355  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   356  
   357  /** Verify an ECDSA signature.
   358   *
   359   *  Returns: 1: correct signature
   360   *           0: incorrect or unparseable signature
   361   *  Args:    ctx:       a secp256k1 context object, initialized for verification.
   362   *  In:      sig:       the signature being verified (cannot be NULL)
   363   *           msg32:     the 32-byte message hash being verified (cannot be NULL)
   364   *           pubkey:    pointer to an initialized public key to verify with (cannot be NULL)
   365   *
   366   * To avoid accepting malleable signatures, only ECDSA signatures in lower-S
   367   * form are accepted.
   368   *
   369   * If you need to accept ECDSA signatures from sources that do not obey this
   370   * rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to
   371   * validation, but be aware that doing so results in malleable signatures.
   372   *
   373   * For details, see the comments for that function.
   374   */
   375  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
   376      const secp256k1_context* ctx,
   377      const secp256k1_ecdsa_signature *sig,
   378      const unsigned char *msg32,
   379      const secp256k1_pubkey *pubkey
   380  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
   381  
   382  /** Convert a signature to a normalized lower-S form.
   383   *
   384   *  Returns: 1 if sigin was not normalized, 0 if it already was.
   385   *  Args: ctx:    a secp256k1 context object
   386   *  Out:  sigout: a pointer to a signature to fill with the normalized form,
   387   *                or copy if the input was already normalized. (can be NULL if
   388   *                you're only interested in whether the input was already
   389   *                normalized).
   390   *  In:   sigin:  a pointer to a signature to check/normalize (cannot be NULL,
   391   *                can be identical to sigout)
   392   *
   393   *  With ECDSA a third-party can forge a second distinct signature of the same
   394   *  message, given a single initial signature, but without knowing the key. This
   395   *  is done by negating the S value modulo the order of the curve, 'flipping'
   396   *  the sign of the random point R which is not included in the signature.
   397   *
   398   *  Forgery of the same message isn't universally problematic, but in systems
   399   *  where message malleability or uniqueness of signatures is important this can
   400   *  cause issues. This forgery can be blocked by all verifiers forcing signers
   401   *  to use a normalized form.
   402   *
   403   *  The lower-S form reduces the size of signatures slightly on average when
   404   *  variable length encodings (such as DER) are used and is cheap to verify,
   405   *  making it a good choice. Security of always using lower-S is assured because
   406   *  anyone can trivially modify a signature after the fact to enforce this
   407   *  property anyway.
   408   *
   409   *  The lower S value is always between 0x1 and
   410   *  0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
   411   *  inclusive.
   412   *
   413   *  No other forms of ECDSA malleability are known and none seem likely, but
   414   *  there is no formal proof that ECDSA, even with this additional restriction,
   415   *  is free of other malleability. Commonly used serialization schemes will also
   416   *  accept various non-unique encodings, so care should be taken when this
   417   *  property is required for an application.
   418   *
   419   *  The secp256k1_ecdsa_sign function will by default create signatures in the
   420   *  lower-S form, and secp256k1_ecdsa_verify will not accept others. In case
   421   *  signatures come from a system that cannot enforce this property,
   422   *  secp256k1_ecdsa_signature_normalize must be called before verification.
   423   */
   424  SECP256K1_API int secp256k1_ecdsa_signature_normalize(
   425      const secp256k1_context* ctx,
   426      secp256k1_ecdsa_signature *sigout,
   427      const secp256k1_ecdsa_signature *sigin
   428  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3);
   429  
   430  /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
   431   * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
   432   * extra entropy.
   433   */
   434  SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979;
   435  
   436  /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */
   437  SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default;
   438  
   439  /** Create an ECDSA signature.
   440   *
   441   *  Returns: 1: signature created
   442   *           0: the nonce generation function failed, or the private key was invalid.
   443   *  Args:    ctx:    pointer to a context object, initialized for signing (cannot be NULL)
   444   *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
   445   *  In:      msg32:  the 32-byte message hash being signed (cannot be NULL)
   446   *           seckey: pointer to a 32-byte secret key (cannot be NULL)
   447   *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
   448   *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
   449   *
   450   * The created signature is always in lower-S form. See
   451   * secp256k1_ecdsa_signature_normalize for more details.
   452   */
   453  SECP256K1_API int secp256k1_ecdsa_sign(
   454      const secp256k1_context* ctx,
   455      secp256k1_ecdsa_signature *sig,
   456      const unsigned char *msg32,
   457      const unsigned char *seckey,
   458      secp256k1_nonce_function noncefp,
   459      const void *ndata
   460  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
   461  
   462  /** Verify an ECDSA secret key.
   463   *
   464   *  Returns: 1: secret key is valid
   465   *           0: secret key is invalid
   466   *  Args:    ctx: pointer to a context object (cannot be NULL)
   467   *  In:      seckey: pointer to a 32-byte secret key (cannot be NULL)
   468   */
   469  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(
   470      const secp256k1_context* ctx,
   471      const unsigned char *seckey
   472  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
   473  
   474  /** Compute the public key for a secret key.
   475   *
   476   *  Returns: 1: secret was valid, public key stores
   477   *           0: secret was invalid, try again
   478   *  Args:   ctx:        pointer to a context object, initialized for signing (cannot be NULL)
   479   *  Out:    pubkey:     pointer to the created public key (cannot be NULL)
   480   *  In:     seckey:     pointer to a 32-byte private key (cannot be NULL)
   481   */
   482  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
   483      const secp256k1_context* ctx,
   484      secp256k1_pubkey *pubkey,
   485      const unsigned char *seckey
   486  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   487  
   488  /** Tweak a private key by adding tweak to it.
   489   * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
   490   *          uniformly random 32-byte arrays, or if the resulting private key
   491   *          would be invalid (only when the tweak is the complement of the
   492   *          private key). 1 otherwise.
   493   * Args:    ctx:    pointer to a context object (cannot be NULL).
   494   * In/Out:  seckey: pointer to a 32-byte private key.
   495   * In:      tweak:  pointer to a 32-byte tweak.
   496   */
   497  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
   498      const secp256k1_context* ctx,
   499      unsigned char *seckey,
   500      const unsigned char *tweak
   501  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   502  
   503  /** Tweak a public key by adding tweak times the generator to it.
   504   * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
   505   *          uniformly random 32-byte arrays, or if the resulting public key
   506   *          would be invalid (only when the tweak is the complement of the
   507   *          corresponding private key). 1 otherwise.
   508   * Args:    ctx:    pointer to a context object initialized for validation
   509   *                  (cannot be NULL).
   510   * In/Out:  pubkey: pointer to a public key object.
   511   * In:      tweak:  pointer to a 32-byte tweak.
   512   */
   513  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
   514      const secp256k1_context* ctx,
   515      secp256k1_pubkey *pubkey,
   516      const unsigned char *tweak
   517  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   518  
   519  /** Tweak a private key by multiplying it by a tweak.
   520   * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
   521   *          uniformly random 32-byte arrays, or equal to zero. 1 otherwise.
   522   * Args:   ctx:    pointer to a context object (cannot be NULL).
   523   * In/Out: seckey: pointer to a 32-byte private key.
   524   * In:     tweak:  pointer to a 32-byte tweak.
   525   */
   526  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
   527      const secp256k1_context* ctx,
   528      unsigned char *seckey,
   529      const unsigned char *tweak
   530  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   531  
   532  /** Tweak a public key by multiplying it by a tweak value.
   533   * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
   534   *          uniformly random 32-byte arrays, or equal to zero. 1 otherwise.
   535   * Args:    ctx:    pointer to a context object initialized for validation
   536   *                 (cannot be NULL).
   537   * In/Out:  pubkey: pointer to a public key obkect.
   538   * In:      tweak:  pointer to a 32-byte tweak.
   539   */
   540  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
   541      const secp256k1_context* ctx,
   542      secp256k1_pubkey *pubkey,
   543      const unsigned char *tweak
   544  ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   545  
   546  /** Updates the context randomization.
   547   *  Returns: 1: randomization successfully updated
   548   *           0: error
   549   *  Args:    ctx:       pointer to a context object (cannot be NULL)
   550   *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
   551   */
   552  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(
   553      secp256k1_context* ctx,
   554      const unsigned char *seed32
   555  ) SECP256K1_ARG_NONNULL(1);
   556  
   557  /** Add a number of public keys together.
   558   *  Returns: 1: the sum of the public keys is valid.
   559   *           0: the sum of the public keys is not valid.
   560   *  Args:   ctx:        pointer to a context object
   561   *  Out:    out:        pointer to a public key object for placing the resulting public key
   562   *                      (cannot be NULL)
   563   *  In:     ins:        pointer to array of pointers to public keys (cannot be NULL)
   564   *          n:          the number of public keys to add together (must be at least 1)
   565   */
   566  SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(
   567      const secp256k1_context* ctx,
   568      secp256k1_pubkey *out,
   569      const secp256k1_pubkey * const * ins,
   570      size_t n
   571  ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
   572  
   573  # ifdef __cplusplus
   574  }
   575  # endif
   576  
   577  #endif