github.com/klaytn/klaytn@v1.12.1/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about)

     1  /**********************************************************************
     2   * Copyright (c) 2013-2015 Pieter Wuille                              *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  #include "include/secp256k1.h"
     8  
     9  #include "util.h"
    10  #include "num_impl.h"
    11  #include "field_impl.h"
    12  #include "scalar_impl.h"
    13  #include "group_impl.h"
    14  #include "ecmult_impl.h"
    15  #include "ecmult_const_impl.h"
    16  #include "ecmult_gen_impl.h"
    17  #include "ecdsa_impl.h"
    18  #include "eckey_impl.h"
    19  #include "hash_impl.h"
    20  
    21  #define ARG_CHECK(cond) do { \
    22      if (EXPECT(!(cond), 0)) { \
    23          secp256k1_callback_call(&ctx->illegal_callback, #cond); \
    24          return 0; \
    25      } \
    26  } while(0)
    27  
    28  static void default_illegal_callback_fn(const char* str, void* data) {
    29      fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
    30      abort();
    31  }
    32  
    33  static const secp256k1_callback default_illegal_callback = {
    34      default_illegal_callback_fn,
    35      NULL
    36  };
    37  
    38  static void default_error_callback_fn(const char* str, void* data) {
    39      fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
    40      abort();
    41  }
    42  
    43  static const secp256k1_callback default_error_callback = {
    44      default_error_callback_fn,
    45      NULL
    46  };
    47  
    48  
    49  struct secp256k1_context_struct {
    50      secp256k1_ecmult_context ecmult_ctx;
    51      secp256k1_ecmult_gen_context ecmult_gen_ctx;
    52      secp256k1_callback illegal_callback;
    53      secp256k1_callback error_callback;
    54  };
    55  
    56  secp256k1_context* secp256k1_context_create(unsigned int flags) {
    57      secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
    58      ret->illegal_callback = default_illegal_callback;
    59      ret->error_callback = default_error_callback;
    60  
    61      if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
    62              secp256k1_callback_call(&ret->illegal_callback,
    63                                      "Invalid flags");
    64              free(ret);
    65              return NULL;
    66      }
    67  
    68      secp256k1_ecmult_context_init(&ret->ecmult_ctx);
    69      secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
    70  
    71      if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
    72          secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
    73      }
    74      if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
    75          secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
    76      }
    77  
    78      return ret;
    79  }
    80  
    81  secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
    82      secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context));
    83      ret->illegal_callback = ctx->illegal_callback;
    84      ret->error_callback = ctx->error_callback;
    85      secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
    86      secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
    87      return ret;
    88  }
    89  
    90  void secp256k1_context_destroy(secp256k1_context* ctx) {
    91      if (ctx != NULL) {
    92          secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
    93          secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
    94  
    95          free(ctx);
    96      }
    97  }
    98  
    99  void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
   100      if (fun == NULL) {
   101          fun = default_illegal_callback_fn;
   102      }
   103      ctx->illegal_callback.fn = fun;
   104      ctx->illegal_callback.data = data;
   105  }
   106  
   107  void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
   108      if (fun == NULL) {
   109          fun = default_error_callback_fn;
   110      }
   111      ctx->error_callback.fn = fun;
   112      ctx->error_callback.data = data;
   113  }
   114  
   115  static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
   116      if (sizeof(secp256k1_ge_storage) == 64) {
   117          /* When the secp256k1_ge_storage type is exactly 64 byte, use its
   118           * representation inside secp256k1_pubkey, as conversion is very fast.
   119           * Note that secp256k1_pubkey_save must use the same representation. */
   120          secp256k1_ge_storage s;
   121          memcpy(&s, &pubkey->data[0], 64);
   122          secp256k1_ge_from_storage(ge, &s);
   123      } else {
   124          /* Otherwise, fall back to 32-byte big endian for X and Y. */
   125          secp256k1_fe x, y;
   126          secp256k1_fe_set_b32(&x, pubkey->data);
   127          secp256k1_fe_set_b32(&y, pubkey->data + 32);
   128          secp256k1_ge_set_xy(ge, &x, &y);
   129      }
   130      ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
   131      return 1;
   132  }
   133  
   134  static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
   135      if (sizeof(secp256k1_ge_storage) == 64) {
   136          secp256k1_ge_storage s;
   137          secp256k1_ge_to_storage(&s, ge);
   138          memcpy(&pubkey->data[0], &s, 64);
   139      } else {
   140          VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
   141          secp256k1_fe_normalize_var(&ge->x);
   142          secp256k1_fe_normalize_var(&ge->y);
   143          secp256k1_fe_get_b32(pubkey->data, &ge->x);
   144          secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
   145      }
   146  }
   147  
   148  int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
   149      secp256k1_ge Q;
   150  
   151      VERIFY_CHECK(ctx != NULL);
   152      ARG_CHECK(pubkey != NULL);
   153      memset(pubkey, 0, sizeof(*pubkey));
   154      ARG_CHECK(input != NULL);
   155      if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
   156          return 0;
   157      }
   158      secp256k1_pubkey_save(pubkey, &Q);
   159      secp256k1_ge_clear(&Q);
   160      return 1;
   161  }
   162  
   163  int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
   164      secp256k1_ge Q;
   165      size_t len;
   166      int ret = 0;
   167  
   168      VERIFY_CHECK(ctx != NULL);
   169      ARG_CHECK(outputlen != NULL);
   170      ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
   171      len = *outputlen;
   172      *outputlen = 0;
   173      ARG_CHECK(output != NULL);
   174      memset(output, 0, len);
   175      ARG_CHECK(pubkey != NULL);
   176      ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
   177      if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
   178          ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
   179          if (ret) {
   180              *outputlen = len;
   181          }
   182      }
   183      return ret;
   184  }
   185  
   186  static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
   187      (void)ctx;
   188      if (sizeof(secp256k1_scalar) == 32) {
   189          /* When the secp256k1_scalar type is exactly 32 byte, use its
   190           * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
   191           * Note that secp256k1_ecdsa_signature_save must use the same representation. */
   192          memcpy(r, &sig->data[0], 32);
   193          memcpy(s, &sig->data[32], 32);
   194      } else {
   195          secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
   196          secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
   197      }
   198  }
   199  
   200  static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
   201      if (sizeof(secp256k1_scalar) == 32) {
   202          memcpy(&sig->data[0], r, 32);
   203          memcpy(&sig->data[32], s, 32);
   204      } else {
   205          secp256k1_scalar_get_b32(&sig->data[0], r);
   206          secp256k1_scalar_get_b32(&sig->data[32], s);
   207      }
   208  }
   209  
   210  int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
   211      secp256k1_scalar r, s;
   212  
   213      VERIFY_CHECK(ctx != NULL);
   214      ARG_CHECK(sig != NULL);
   215      ARG_CHECK(input != NULL);
   216  
   217      if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
   218          secp256k1_ecdsa_signature_save(sig, &r, &s);
   219          return 1;
   220      } else {
   221          memset(sig, 0, sizeof(*sig));
   222          return 0;
   223      }
   224  }
   225  
   226  int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
   227      secp256k1_scalar r, s;
   228      int ret = 1;
   229      int overflow = 0;
   230  
   231      VERIFY_CHECK(ctx != NULL);
   232      ARG_CHECK(sig != NULL);
   233      ARG_CHECK(input64 != NULL);
   234  
   235      secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
   236      ret &= !overflow;
   237      secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
   238      ret &= !overflow;
   239      if (ret) {
   240          secp256k1_ecdsa_signature_save(sig, &r, &s);
   241      } else {
   242          memset(sig, 0, sizeof(*sig));
   243      }
   244      return ret;
   245  }
   246  
   247  int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
   248      secp256k1_scalar r, s;
   249  
   250      VERIFY_CHECK(ctx != NULL);
   251      ARG_CHECK(output != NULL);
   252      ARG_CHECK(outputlen != NULL);
   253      ARG_CHECK(sig != NULL);
   254  
   255      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   256      return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
   257  }
   258  
   259  int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
   260      secp256k1_scalar r, s;
   261  
   262      VERIFY_CHECK(ctx != NULL);
   263      ARG_CHECK(output64 != NULL);
   264      ARG_CHECK(sig != NULL);
   265  
   266      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   267      secp256k1_scalar_get_b32(&output64[0], &r);
   268      secp256k1_scalar_get_b32(&output64[32], &s);
   269      return 1;
   270  }
   271  
   272  int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
   273      secp256k1_scalar r, s;
   274      int ret = 0;
   275  
   276      VERIFY_CHECK(ctx != NULL);
   277      ARG_CHECK(sigin != NULL);
   278  
   279      secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
   280      ret = secp256k1_scalar_is_high(&s);
   281      if (sigout != NULL) {
   282          if (ret) {
   283              secp256k1_scalar_negate(&s, &s);
   284          }
   285          secp256k1_ecdsa_signature_save(sigout, &r, &s);
   286      }
   287  
   288      return ret;
   289  }
   290  
   291  int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
   292      secp256k1_ge q;
   293      secp256k1_scalar r, s;
   294      secp256k1_scalar m;
   295      VERIFY_CHECK(ctx != NULL);
   296      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   297      ARG_CHECK(msg32 != NULL);
   298      ARG_CHECK(sig != NULL);
   299      ARG_CHECK(pubkey != NULL);
   300  
   301      secp256k1_scalar_set_b32(&m, msg32, NULL);
   302      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   303      return (!secp256k1_scalar_is_high(&s) &&
   304              secp256k1_pubkey_load(ctx, &q, pubkey) &&
   305              secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
   306  }
   307  
   308  static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
   309     unsigned char keydata[112];
   310     int keylen = 64;
   311     secp256k1_rfc6979_hmac_sha256_t rng;
   312     unsigned int i;
   313     /* We feed a byte array to the PRNG as input, consisting of:
   314      * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
   315      * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
   316      * - optionally 16 extra bytes with the algorithm name.
   317      * Because the arguments have distinct fixed lengths it is not possible for
   318      *  different argument mixtures to emulate each other and result in the same
   319      *  nonces.
   320      */
   321     memcpy(keydata, key32, 32);
   322     memcpy(keydata + 32, msg32, 32);
   323     if (data != NULL) {
   324         memcpy(keydata + 64, data, 32);
   325         keylen = 96;
   326     }
   327     if (algo16 != NULL) {
   328         memcpy(keydata + keylen, algo16, 16);
   329         keylen += 16;
   330     }
   331     secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen);
   332     memset(keydata, 0, sizeof(keydata));
   333     for (i = 0; i <= counter; i++) {
   334         secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
   335     }
   336     secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   337     return 1;
   338  }
   339  
   340  const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
   341  const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
   342  
   343  int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
   344      secp256k1_scalar r, s;
   345      secp256k1_scalar sec, non, msg;
   346      int ret = 0;
   347      int overflow = 0;
   348      VERIFY_CHECK(ctx != NULL);
   349      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   350      ARG_CHECK(msg32 != NULL);
   351      ARG_CHECK(signature != NULL);
   352      ARG_CHECK(seckey != NULL);
   353      if (noncefp == NULL) {
   354          noncefp = secp256k1_nonce_function_default;
   355      }
   356  
   357      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   358      /* Fail if the secret key is invalid. */
   359      if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
   360          unsigned char nonce32[32];
   361          unsigned int count = 0;
   362          secp256k1_scalar_set_b32(&msg, msg32, NULL);
   363          while (1) {
   364              ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
   365              if (!ret) {
   366                  break;
   367              }
   368              secp256k1_scalar_set_b32(&non, nonce32, &overflow);
   369              if (!overflow && !secp256k1_scalar_is_zero(&non)) {
   370                  if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
   371                      break;
   372                  }
   373              }
   374              count++;
   375          }
   376          memset(nonce32, 0, 32);
   377          secp256k1_scalar_clear(&msg);
   378          secp256k1_scalar_clear(&non);
   379          secp256k1_scalar_clear(&sec);
   380      }
   381      if (ret) {
   382          secp256k1_ecdsa_signature_save(signature, &r, &s);
   383      } else {
   384          memset(signature, 0, sizeof(*signature));
   385      }
   386      return ret;
   387  }
   388  
   389  int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
   390      secp256k1_scalar sec;
   391      int ret;
   392      int overflow;
   393      VERIFY_CHECK(ctx != NULL);
   394      ARG_CHECK(seckey != NULL);
   395  
   396      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   397      ret = !overflow && !secp256k1_scalar_is_zero(&sec);
   398      secp256k1_scalar_clear(&sec);
   399      return ret;
   400  }
   401  
   402  int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
   403      secp256k1_gej pj;
   404      secp256k1_ge p;
   405      secp256k1_scalar sec;
   406      int overflow;
   407      int ret = 0;
   408      VERIFY_CHECK(ctx != NULL);
   409      ARG_CHECK(pubkey != NULL);
   410      memset(pubkey, 0, sizeof(*pubkey));
   411      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   412      ARG_CHECK(seckey != NULL);
   413  
   414      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   415      ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec));
   416      if (ret) {
   417          secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
   418          secp256k1_ge_set_gej(&p, &pj);
   419          secp256k1_pubkey_save(pubkey, &p);
   420      }
   421      secp256k1_scalar_clear(&sec);
   422      return ret;
   423  }
   424  
   425  int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
   426      secp256k1_scalar term;
   427      secp256k1_scalar sec;
   428      int ret = 0;
   429      int overflow = 0;
   430      VERIFY_CHECK(ctx != NULL);
   431      ARG_CHECK(seckey != NULL);
   432      ARG_CHECK(tweak != NULL);
   433  
   434      secp256k1_scalar_set_b32(&term, tweak, &overflow);
   435      secp256k1_scalar_set_b32(&sec, seckey, NULL);
   436  
   437      ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
   438      memset(seckey, 0, 32);
   439      if (ret) {
   440          secp256k1_scalar_get_b32(seckey, &sec);
   441      }
   442  
   443      secp256k1_scalar_clear(&sec);
   444      secp256k1_scalar_clear(&term);
   445      return ret;
   446  }
   447  
   448  int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
   449      secp256k1_ge p;
   450      secp256k1_scalar term;
   451      int ret = 0;
   452      int overflow = 0;
   453      VERIFY_CHECK(ctx != NULL);
   454      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   455      ARG_CHECK(pubkey != NULL);
   456      ARG_CHECK(tweak != NULL);
   457  
   458      secp256k1_scalar_set_b32(&term, tweak, &overflow);
   459      ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
   460      memset(pubkey, 0, sizeof(*pubkey));
   461      if (ret) {
   462          if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
   463              secp256k1_pubkey_save(pubkey, &p);
   464          } else {
   465              ret = 0;
   466          }
   467      }
   468  
   469      return ret;
   470  }
   471  
   472  int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
   473      secp256k1_scalar factor;
   474      secp256k1_scalar sec;
   475      int ret = 0;
   476      int overflow = 0;
   477      VERIFY_CHECK(ctx != NULL);
   478      ARG_CHECK(seckey != NULL);
   479      ARG_CHECK(tweak != NULL);
   480  
   481      secp256k1_scalar_set_b32(&factor, tweak, &overflow);
   482      secp256k1_scalar_set_b32(&sec, seckey, NULL);
   483      ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
   484      memset(seckey, 0, 32);
   485      if (ret) {
   486          secp256k1_scalar_get_b32(seckey, &sec);
   487      }
   488  
   489      secp256k1_scalar_clear(&sec);
   490      secp256k1_scalar_clear(&factor);
   491      return ret;
   492  }
   493  
   494  int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
   495      secp256k1_ge p;
   496      secp256k1_scalar factor;
   497      int ret = 0;
   498      int overflow = 0;
   499      VERIFY_CHECK(ctx != NULL);
   500      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   501      ARG_CHECK(pubkey != NULL);
   502      ARG_CHECK(tweak != NULL);
   503  
   504      secp256k1_scalar_set_b32(&factor, tweak, &overflow);
   505      ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
   506      memset(pubkey, 0, sizeof(*pubkey));
   507      if (ret) {
   508          if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
   509              secp256k1_pubkey_save(pubkey, &p);
   510          } else {
   511              ret = 0;
   512          }
   513      }
   514  
   515      return ret;
   516  }
   517  
   518  int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
   519      VERIFY_CHECK(ctx != NULL);
   520      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   521      secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
   522      return 1;
   523  }
   524  
   525  int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
   526      size_t i;
   527      secp256k1_gej Qj;
   528      secp256k1_ge Q;
   529  
   530      ARG_CHECK(pubnonce != NULL);
   531      memset(pubnonce, 0, sizeof(*pubnonce));
   532      ARG_CHECK(n >= 1);
   533      ARG_CHECK(pubnonces != NULL);
   534  
   535      secp256k1_gej_set_infinity(&Qj);
   536  
   537      for (i = 0; i < n; i++) {
   538          secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
   539          secp256k1_gej_add_ge(&Qj, &Qj, &Q);
   540      }
   541      if (secp256k1_gej_is_infinity(&Qj)) {
   542          return 0;
   543      }
   544      secp256k1_ge_set_gej(&Q, &Qj);
   545      secp256k1_pubkey_save(pubnonce, &Q);
   546      return 1;
   547  }
   548  
   549  #ifdef ENABLE_MODULE_ECDH
   550  # include "modules/ecdh/main_impl.h"
   551  #endif
   552  
   553  #ifdef ENABLE_MODULE_SCHNORR
   554  # include "modules/schnorr/main_impl.h"
   555  #endif
   556  
   557  #ifdef ENABLE_MODULE_RECOVERY
   558  # include "modules/recovery/main_impl.h"
   559  #endif