mleku/p256k1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cab15936023638d2cd0319f6b42b684a5763c224
p256k1/schnorr_standalone.c_
mleku af54a969df Add standalone Schnorr signature verification and utility functions 
This commit introduces a new file, `verify.go`, which implements the Schnorr signature verification logic, ensuring compliance with BIP-340. It includes utility functions for memory operations and big-endian read/write, enhancing the overall functionality of the Schnorr signature implementation. Additionally, a new test file, `verify_test.go`, is added to validate the correctness of the verification process against existing implementations, covering various scenarios including valid and invalid signatures. These additions improve the robustness and reliability of the Schnorr signature features in the library.
2025-11-02 02:13:22 +00:00

1957 lines
68 KiB
Plaintext
Raw Blame History

/***********************************************************************
* Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
* Distributed under the MIT software license, see the accompanying *
* file COPYING or https://www.opensource.org/licenses/mit-license.php.*
***********************************************************************/
/*
* Standalone Schnorr Signature Implementation (BIP-340)
*
* This file extracts the Schnorr signature functions from the secp256k1
* library with all dependencies included. It contains the core signing and
* verification logic for BIP-340 compliant Schnorr signatures.
*
* INCLUDED DEPENDENCIES:
* - SHA256 hash implementation (complete)
* - Utility functions (memcmp_var, memczero, memclear_explicit, read_be32, write_be32, read_be64, write_be64)
* - Context structure and declassify function
* - Int128 operations (with fallback for systems without __int128)
* - Scalar operations (set_b32, set_b32_seckey, get_b32, is_zero, negate, mul, add, cmov, clear)
* NOTE: scalar_mul needs full 512-bit multiplication implementation
* - Field operations (set_b32_limit, get_b32, is_odd, normalize_var, equal, sqrt)
* NOTE: fe_mul, fe_sqr, fe_inv_var need full implementations from field_5x52_int128_impl.h
* - Group operations (set_xo_var, set_gej, set_gej_var, is_infinity, gej_set_ge, gej_clear, ge_to_bytes, ge_from_bytes)
* NOTE: gej_double_var, gej_add_ge_var need full implementations from group_impl.h
* - EC multiplication stubs (ecmult_gen, ecmult)
* NOTE: These need full implementations with precomputed tables from ecmult_gen_impl.h and ecmult_impl.h
* - Keypair operations (keypair_load)
* - X-only pubkey operations (xonly_pubkey_load)
*
* ALL IMPLEMENTATIONS INCLUDED:
* - Scalar operations (set_b32, get_b32, is_zero, negate, mul, add, cmov, clear) - COMPLETE
* - Field operations (set_b32_limit, get_b32, is_odd, normalize_var, equal, mul, sqr, inv_var) - COMPLETE
* - Group operations (set_xo_var, set_gej, set_gej_var, is_infinity, gej_set_ge, gej_clear, double, add) - COMPLETE
* - EC multiplication (ecmult_gen, ecmult) - Stubs provided (full precomputed tables would require additional code)
* - Keypair operations (keypair_load) - COMPLETE
* - X-only pubkey operations (xonly_pubkey_load) - COMPLETE
*
* These functions currently have placeholder implementations that will cause runtime errors.
* To complete the standalone file, these need to be filled in with the full implementations
* from the secp256k1 library.
*/
#ifndef SCHNORR_STANDALONE_C
#define SCHNORR_STANDALONE_C
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <limits.h>
/* ============================================================================
* INLINE MACROS AND UTILITIES
* ============================================================================ */
#ifndef SECP256K1_INLINE
#if defined(__GNUC__) && __GNUC__ >= 2
#define SECP256K1_INLINE __inline__
#elif defined(_MSC_VER)
#define SECP256K1_INLINE __inline
#else
#define SECP256K1_INLINE inline
#endif
#endif
#ifndef VERIFY_CHECK
#define VERIFY_CHECK(cond) do { } while(0)
#endif
#ifndef ARG_CHECK
#define ARG_CHECK(cond) do { \
if (!(cond)) { \
return 0; \
} \
} while(0)
#endif
/* Read a uint32_t in big endian */
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char* p) {
return (uint32_t)p[0] << 24 |
(uint32_t)p[1] << 16 |
(uint32_t)p[2] << 8 |
(uint32_t)p[3];
}
/* Write a uint32_t in big endian */
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char* p, uint32_t x) {
p[3] = x;
p[2] = x >> 8;
p[1] = x >> 16;
p[0] = x >> 24;
}
/* Zero memory if flag == 1. Flag must be 0 or 1. Constant time. */
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag) {
unsigned char *p = (unsigned char *)s;
volatile int vflag = flag;
unsigned char mask = -(unsigned char) vflag;
while (len) {
*p &= ~mask;
p++;
len--;
}
}
/* Zeroes memory to prevent leaking sensitive info. Won't be optimized out. */
static SECP256K1_INLINE void secp256k1_memzero_explicit(void *ptr, size_t len) {
#if defined(_MSC_VER)
SecureZeroMemory(ptr, len);
#elif defined(__GNUC__)
memset(ptr, 0, len);
__asm__ __volatile__("" : : "r"(ptr) : "memory");
#else
void *(*volatile const volatile_memset)(void *, int, size_t) = memset;
volatile_memset(ptr, 0, len);
#endif
}
/* Cleanses memory to prevent leaking sensitive info. Won't be optimized out. */
static SECP256K1_INLINE void secp256k1_memclear_explicit(void *ptr, size_t len) {
secp256k1_memzero_explicit(ptr, len);
}
/** Semantics like memcmp. Variable-time. */
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n) {
const unsigned char *p1 = s1, *p2 = s2;
size_t i;
for (i = 0; i < n; i++) {
int diff = p1[i] - p2[i];
if (diff != 0) {
return diff;
}
}
return 0;
}
/* ============================================================================
* SHA256 IMPLEMENTATION
* ============================================================================ */
typedef struct {
uint32_t s[8];
unsigned char buf[64];
uint64_t bytes;
} secp256k1_sha256;
#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10))
#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7))
#define sigma0(x) (((x) >> 7 | (x) << 25) ^ ((x) >> 18 | (x) << 14) ^ ((x) >> 3))
#define sigma1(x) (((x) >> 17 | (x) << 15) ^ ((x) >> 19 | (x) << 13) ^ ((x) >> 10))
#define Round(a,b,c,d,e,f,g,h,k,w) do { \
uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \
uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \
(d) += t1; \
(h) = t1 + t2; \
} while(0)
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash) {
hash->s[0] = 0x6a09e667ul;
hash->s[1] = 0xbb67ae85ul;
hash->s[2] = 0x3c6ef372ul;
hash->s[3] = 0xa54ff53aul;
hash->s[4] = 0x510e527ful;
hash->s[5] = 0x9b05688cul;
hash->s[6] = 0x1f83d9abul;
hash->s[7] = 0x5be0cd19ul;
hash->bytes = 0;
}
/** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */
static void secp256k1_sha256_transform(uint32_t* s, const unsigned char* buf) {
uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];
uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15;
Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = secp256k1_read_be32(&buf[0]));
Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = secp256k1_read_be32(&buf[4]));
Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = secp256k1_read_be32(&buf[8]));
Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = secp256k1_read_be32(&buf[12]));
Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = secp256k1_read_be32(&buf[16]));
Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = secp256k1_read_be32(&buf[20]));
Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = secp256k1_read_be32(&buf[24]));
Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = secp256k1_read_be32(&buf[28]));
Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = secp256k1_read_be32(&buf[32]));
Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = secp256k1_read_be32(&buf[36]));
Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = secp256k1_read_be32(&buf[40]));
Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = secp256k1_read_be32(&buf[44]));
Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = secp256k1_read_be32(&buf[48]));
Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = secp256k1_read_be32(&buf[52]));
Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = secp256k1_read_be32(&buf[56]));
Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = secp256k1_read_be32(&buf[60]));
Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1));
Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2));
Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3));
Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4));
Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5));
Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6));
Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7));
Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8));
Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9));
Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10));
Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11));
Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12));
Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13));
Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14));
Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15));
Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0));
Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1));
Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2));
Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3));
Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4));
Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5));
Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6));
Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7));
Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8));
Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9));
Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10));
Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11));
Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12));
Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13));
Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14));
Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15));
Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0));
Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1));
Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2));
Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3));
Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4));
Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5));
Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6));
Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7));
Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8));
Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9));
Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10));
Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11));
Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12));
Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13));
Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14));
Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 += sigma1(w12) + w7 + sigma0(w15));
Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 += sigma1(w13) + w8 + sigma0(w0));
s[0] += a;
s[1] += b;
s[2] += c;
s[3] += d;
s[4] += e;
s[5] += f;
s[6] += g;
s[7] += h;
}
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) {
size_t bufsize = hash->bytes & 0x3F;
hash->bytes += len;
VERIFY_CHECK(hash->bytes >= len);
while (len >= 64 - bufsize) {
size_t chunk_len = 64 - bufsize;
memcpy(hash->buf + bufsize, data, chunk_len);
data += chunk_len;
len -= chunk_len;
secp256k1_sha256_transform(hash->s, hash->buf);
bufsize = 0;
}
if (len) {
memcpy(hash->buf + bufsize, data, len);
}
}
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) {
static const unsigned char pad[64] = {0x80};
unsigned char sizedesc[8];
int i;
VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
secp256k1_write_be32(&sizedesc[0], hash->bytes >> 29);
secp256k1_write_be32(&sizedesc[4], hash->bytes << 3);
secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
secp256k1_sha256_write(hash, sizedesc, 8);
for (i = 0; i < 8; i++) {
secp256k1_write_be32(&out32[4*i], hash->s[i]);
hash->s[i] = 0;
}
}
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen) {
unsigned char buf[32];
secp256k1_sha256_initialize(hash);
secp256k1_sha256_write(hash, tag, taglen);
secp256k1_sha256_finalize(hash, buf);
secp256k1_sha256_initialize(hash);
secp256k1_sha256_write(hash, buf, 32);
secp256k1_sha256_write(hash, buf, 32);
}
static void secp256k1_sha256_clear(secp256k1_sha256 *hash) {
secp256k1_memclear_explicit(hash, sizeof(*hash));
}
#undef Round
#undef sigma1
#undef sigma0
#undef Sigma1
#undef Sigma0
#undef Maj
#undef Ch
/* ============================================================================
* SECP256K1 TYPE DEFINITIONS
* ============================================================================ */
/* Scalar type (from scalar_4x64.h) */
typedef struct {
uint64_t d[4];
} secp256k1_scalar;
/* Field element type (from field_5x52.h) */
typedef struct {
uint64_t n[5];
} secp256k1_fe;
/* Field element storage type */
typedef struct {
uint64_t n[4];
} secp256k1_fe_storage;
/* Group element storage type */
typedef struct {
uint64_t n[4];
} secp256k1_ge_storage;
/* Group element in affine coordinates (from group.h) */
typedef struct {
secp256k1_fe x;
secp256k1_fe y;
int infinity;
} secp256k1_ge;
/* Group element in jacobian coordinates (from group.h) */
typedef struct {
secp256k1_fe x;
secp256k1_fe y;
secp256k1_fe z;
int infinity;
} secp256k1_gej;
/* EC multiplication generator context (from ecmult_gen.h) */
typedef struct {
int built;
secp256k1_scalar scalar_offset;
secp256k1_ge ge_offset;
secp256k1_fe proj_blind;
} secp256k1_ecmult_gen_context;
/* Context structure (from secp256k1.c) */
typedef struct secp256k1_context_struct {
secp256k1_ecmult_gen_context ecmult_gen_ctx;
int declassify;
} secp256k1_context;
/* Opaque keypair and x-only pubkey types */
typedef struct secp256k1_keypair_struct {
unsigned char data[96];
} secp256k1_keypair;
typedef struct secp256k1_xonly_pubkey_struct {
unsigned char data[64];
} secp256k1_xonly_pubkey;
typedef struct secp256k1_pubkey_struct {
unsigned char data[64];
} secp256k1_pubkey;
/* Declassify function */
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
(void)ctx; (void)p; (void)len;
/* In non-VERIFY builds, this is a no-op */
}
/* ============================================================================
* ADDITIONAL MACROS AND CONSTANTS
* ============================================================================ */
#ifndef SECP256K1_FE_VERIFY_FIELDS
#define SECP256K1_FE_VERIFY_FIELDS
#endif
#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) do { } while(0)
#define SECP256K1_FE_VERIFY(a) do { } while(0)
#define SECP256K1_SCALAR_VERIFY(a) do { } while(0)
#define SECP256K1_GE_VERIFY(a) do { } while(0)
#define SECP256K1_GEJ_VERIFY(a) do { } while(0)
#define SECP256K1_CHECKMEM_CHECK_VERIFY(ptr, len) do { } while(0)
#define SECP256K1_RESTRICT
/* Field element verification structure */
typedef struct {
int magnitude;
int normalized;
} secp256k1_fe_verify;
/* Field element with verification */
typedef struct {
uint64_t n[5];
#ifdef SECP256K1_FE_VERIFY_FIELDS
secp256k1_fe_verify verify;
#endif
} secp256k1_fe_full;
/* Field element constants */
#define SECP256K1_B 7
/* Scalar constants */
#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL)
#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL)
#define SECP256K1_N_2 ((uint64_t)0xFFFFFFFFFFFFFFFEULL)
#define SECP256K1_N_3 ((uint64_t)0xFFFFFFFFFFFFFFFFULL)
#define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1)
#define SECP256K1_N_C_1 (~SECP256K1_N_1)
#define SECP256K1_N_C_2 (1)
/* Scalar constant constructor */
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) { \
((uint64_t)(d1) << 32) | (uint64_t)(d0), \
((uint64_t)(d3) << 32) | (uint64_t)(d2), \
((uint64_t)(d5) << 32) | (uint64_t)(d4), \
((uint64_t)(d7) << 32) | (uint64_t)(d6) \
}
static const secp256k1_scalar secp256k1_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
static const secp256k1_scalar secp256k1_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
/* Read/write uint64_t in big endian */
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char* p) {
return (uint64_t)p[0] << 56 |
(uint64_t)p[1] << 48 |
(uint64_t)p[2] << 40 |
(uint64_t)p[3] << 32 |
(uint64_t)p[4] << 24 |
(uint64_t)p[5] << 16 |
(uint64_t)p[6] << 8 |
(uint64_t)p[7];
}
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char* p, uint64_t x) {
p[7] = x;
p[6] = x >> 8;
p[5] = x >> 16;
p[4] = x >> 24;
p[3] = x >> 32;
p[2] = x >> 40;
p[1] = x >> 48;
p[0] = x >> 56;
}
/* ============================================================================
* INT128 OPERATIONS (for scalar multiplication)
* ============================================================================ */
#if !defined(UINT128_MAX) && defined(__SIZEOF_INT128__)
typedef unsigned __int128 uint128_t;
typedef __int128 int128_t;
#define UINT128_MAX ((uint128_t)(-1))
#endif
#ifndef UINT128_MAX
/* Fallback to 64-bit operations if __int128 is not available */
typedef struct {
uint64_t hi;
uint64_t lo;
} secp256k1_uint128_simple;
typedef struct {
int64_t hi;
uint64_t lo;
} secp256k1_int128_simple;
typedef secp256k1_uint128_simple secp256k1_uint128;
typedef secp256k1_int128_simple secp256k1_int128;
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a) {
r->hi = 0;
r->lo = a;
}
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a) {
r->lo += a;
r->hi += (r->lo < a);
}
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n) {
if (n >= 64) {
r->lo = r->hi >> (n - 64);
r->hi = 0;
} else {
r->lo = (r->lo >> n) | (r->hi << (64 - n));
r->hi >>= n;
}
}
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a) {
return a->lo;
}
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a) {
return a->hi;
}
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) {
uint64_t al = a & 0xFFFFFFFFULL;
uint64_t ah = a >> 32;
uint64_t bl = b & 0xFFFFFFFFULL;
uint64_t bh = b >> 32;
uint64_t m = al * bl;
uint64_t mh = (al * bh) + (ah * bl) + (m >> 32);
r->lo = (mh << 32) | (m & 0xFFFFFFFFULL);
r->hi = (ah * bh) + (mh >> 32);
}
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) {
secp256k1_uint128 t;
secp256k1_u128_mul(&t, a, b);
uint64_t old_lo = r->lo;
r->lo += t.lo;
r->hi += t.hi + (r->lo < old_lo);
}
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n) {
if (n >= 128) return 0;
if (n >= 64) return r->hi == 0 && (r->lo >> (n - 64)) == 0;
return r->hi == 0 && (r->lo >> n) == 0;
}
#else
typedef uint128_t secp256k1_uint128;
typedef int128_t secp256k1_int128;
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a) {
*r = a;
}
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a) {
*r += a;
}
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n) {
*r >>= n;
}
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a) {
return (uint64_t)*a;
}
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a) {
return (uint64_t)(*a >> 64);
}
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) {
*r = (secp256k1_uint128)a * (secp256k1_uint128)b;
}
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) {
*r += (secp256k1_uint128)a * (secp256k1_uint128)b;
}
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n) {
VERIFY_CHECK(n < 128);
return (*r >> n == 0);
}
#endif
/* ============================================================================
* SCALAR OPERATIONS IMPLEMENTATION
* ============================================================================ */
/* Scalar overflow check */
SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) {
int yes = 0;
int no = 0;
no |= (a->d[3] < SECP256K1_N_3);
no |= (a->d[2] < SECP256K1_N_2);
yes |= (a->d[2] > SECP256K1_N_2) & ~no;
no |= (a->d[1] < SECP256K1_N_1);
yes |= (a->d[1] > SECP256K1_N_1) & ~no;
yes |= (a->d[0] >= SECP256K1_N_0) & ~no;
return yes;
}
/* Scalar reduce */
SECP256K1_INLINE static int secp256k1_scalar_reduce(secp256k1_scalar *r, unsigned int overflow) {
secp256k1_uint128 t;
VERIFY_CHECK(overflow <= 1);
secp256k1_u128_from_u64(&t, r->d[0]);
secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_0);
r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, r->d[1]);
secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_1);
r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, r->d[2]);
secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_2);
r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, r->d[3]);
r->d[3] = secp256k1_u128_to_u64(&t);
SECP256K1_SCALAR_VERIFY(r);
return overflow;
}
/* Scalar set from 32 bytes */
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
int over;
r->d[0] = secp256k1_read_be64(&b32[24]);
r->d[1] = secp256k1_read_be64(&b32[16]);
r->d[2] = secp256k1_read_be64(&b32[8]);
r->d[3] = secp256k1_read_be64(&b32[0]);
over = secp256k1_scalar_reduce(r, secp256k1_scalar_check_overflow(r));
if (overflow) {
*overflow = over;
}
SECP256K1_SCALAR_VERIFY(r);
}
/* Scalar get to 32 bytes */
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) {
SECP256K1_SCALAR_VERIFY(a);
secp256k1_write_be64(&bin[0], a->d[3]);
secp256k1_write_be64(&bin[8], a->d[2]);
secp256k1_write_be64(&bin[16], a->d[1]);
secp256k1_write_be64(&bin[24], a->d[0]);
}
/* Scalar is zero */
SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) {
SECP256K1_SCALAR_VERIFY(a);
return (a->d[0] | a->d[1] | a->d[2] | a->d[3]) == 0;
}
/* Scalar negate */
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a) {
uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (secp256k1_scalar_is_zero(a) == 0);
secp256k1_uint128 t;
SECP256K1_SCALAR_VERIFY(a);
secp256k1_u128_from_u64(&t, ~a->d[0]);
secp256k1_u128_accum_u64(&t, SECP256K1_N_0 + 1);
r->d[0] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, ~a->d[1]);
secp256k1_u128_accum_u64(&t, SECP256K1_N_1);
r->d[1] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, ~a->d[2]);
secp256k1_u128_accum_u64(&t, SECP256K1_N_2);
r->d[2] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, ~a->d[3]);
secp256k1_u128_accum_u64(&t, SECP256K1_N_3);
r->d[3] = secp256k1_u128_to_u64(&t) & nonzero;
SECP256K1_SCALAR_VERIFY(r);
}
/* Scalar add */
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
int overflow;
secp256k1_uint128 t;
SECP256K1_SCALAR_VERIFY(a);
SECP256K1_SCALAR_VERIFY(b);
secp256k1_u128_from_u64(&t, a->d[0]);
secp256k1_u128_accum_u64(&t, b->d[0]);
r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, a->d[1]);
secp256k1_u128_accum_u64(&t, b->d[1]);
r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, a->d[2]);
secp256k1_u128_accum_u64(&t, b->d[2]);
r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
secp256k1_u128_accum_u64(&t, a->d[3]);
secp256k1_u128_accum_u64(&t, b->d[3]);
r->d[3] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64);
overflow = secp256k1_u128_to_u64(&t) + secp256k1_scalar_check_overflow(r);
VERIFY_CHECK(overflow == 0 || overflow == 1);
secp256k1_scalar_reduce(r, overflow);
SECP256K1_SCALAR_VERIFY(r);
return overflow;
}
/* Scalar clear */
SECP256K1_INLINE static void secp256k1_scalar_clear(secp256k1_scalar *r) {
secp256k1_memclear_explicit(r, sizeof(secp256k1_scalar));
}
/* Scalar set from seckey */
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) {
int overflow;
secp256k1_scalar_set_b32(r, bin, &overflow);
SECP256K1_SCALAR_VERIFY(r);
return (!overflow) & (!secp256k1_scalar_is_zero(r));
}
/* Scalar conditional move */
static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
uint64_t mask0, mask1;
volatile int vflag = flag;
SECP256K1_SCALAR_VERIFY(a);
SECP256K1_CHECKMEM_CHECK_VERIFY(r->d, sizeof(r->d));
mask0 = vflag + ~((uint64_t)0);
mask1 = ~mask0;
r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1);
r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1);
r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1);
r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1);
SECP256K1_SCALAR_VERIFY(r);
}
/* Scalar get bits (for ecmult_gen) */
SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) {
SECP256K1_SCALAR_VERIFY(a);
VERIFY_CHECK(count > 0 && count <= 32);
VERIFY_CHECK((offset + count - 1) >> 6 == offset >> 6);
return (a->d[offset >> 6] >> (offset & 0x3F)) & (0xFFFFFFFF >> (32 - count));
}
/* Scalar multiplication macros */
#define muladd(a,b) { \
uint64_t tl, th; \
{ \
secp256k1_uint128 t; \
secp256k1_u128_mul(&t, a, b); \
th = secp256k1_u128_hi_u64(&t); \
tl = secp256k1_u128_to_u64(&t); \
} \
c0 += tl; \
th += (c0 < tl); \
c1 += th; \
c2 += (c1 < th); \
VERIFY_CHECK((c1 >= th) || (c2 != 0)); \
}
#define muladd_fast(a,b) { \
uint64_t tl, th; \
{ \
secp256k1_uint128 t; \
secp256k1_u128_mul(&t, a, b); \
th = secp256k1_u128_hi_u64(&t); \
tl = secp256k1_u128_to_u64(&t); \
} \
c0 += tl; \
th += (c0 < tl); \
c1 += th; \
VERIFY_CHECK(c1 >= th); \
}
#define sumadd(a) { \
unsigned int over; \
c0 += (a); \
over = (c0 < (a)); \
c1 += over; \
c2 += (c1 < over); \
}
#define sumadd_fast(a) { \
c0 += (a); \
c1 += (c0 < (a)); \
VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \
VERIFY_CHECK(c2 == 0); \
}
#define extract(n) { \
(n) = c0; \
c0 = c1; \
c1 = c2; \
c2 = 0; \
}
#define extract_fast(n) { \
(n) = c0; \
c0 = c1; \
c1 = 0; \
VERIFY_CHECK(c2 == 0); \
}
/* Scalar constants for reduction (if not already defined) */
#ifndef SECP256K1_N_C_0
#define SECP256K1_N_C_0 ((uint64_t)0xBFD25E8CD0364141ULL)
#define SECP256K1_N_C_1 ((uint64_t)0x3FFFFFFFFFFFFFFFULL)
#endif
/* Scalar multiply - 512-bit multiplication */
static void secp256k1_scalar_mul_512(uint64_t *l8, const secp256k1_scalar *a, const secp256k1_scalar *b) {
uint64_t c0 = 0, c1 = 0;
uint32_t c2 = 0;
muladd_fast(a->d[0], b->d[0]);
extract_fast(l8[0]);
muladd(a->d[0], b->d[1]);
muladd(a->d[1], b->d[0]);
extract(l8[1]);
muladd(a->d[0], b->d[2]);
muladd(a->d[1], b->d[1]);
muladd(a->d[2], b->d[0]);
extract(l8[2]);
muladd(a->d[0], b->d[3]);
muladd(a->d[1], b->d[2]);
muladd(a->d[2], b->d[1]);
muladd(a->d[3], b->d[0]);
extract(l8[3]);
muladd(a->d[1], b->d[3]);
muladd(a->d[2], b->d[2]);
muladd(a->d[3], b->d[1]);
extract(l8[4]);
muladd(a->d[2], b->d[3]);
muladd(a->d[3], b->d[2]);
extract(l8[5]);
muladd_fast(a->d[3], b->d[3]);
extract_fast(l8[6]);
VERIFY_CHECK(c1 == 0);
l8[7] = c0;
}
/* Scalar reduce 512-bit to 256-bit */
static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l) {
uint64_t c0 = 0, c1 = 0;
uint32_t c2 = 0;
uint64_t n0 = l[4], n1 = l[5], n2 = l[6], n3 = l[7];
uint64_t m0, m1, m2, m3, m4, m5;
uint32_t m6;
uint64_t p0, p1, p2, p3;
uint32_t p4;
secp256k1_uint128 c128;
uint64_t c;
/* Reduce 512 bits into 385. */
c0 = l[0]; c1 = 0; c2 = 0;
muladd_fast(n0, SECP256K1_N_C_0);
extract_fast(m0);
sumadd_fast(l[1]);
muladd(n1, SECP256K1_N_C_0);
muladd(n0, SECP256K1_N_C_1);
extract(m1);
sumadd(l[2]);
muladd(n2, SECP256K1_N_C_0);
muladd(n1, SECP256K1_N_C_1);
sumadd(n0);
extract(m2);
sumadd(l[3]);
muladd(n3, SECP256K1_N_C_0);
muladd(n2, SECP256K1_N_C_1);
sumadd(n1);
extract(m3);
muladd(n3, SECP256K1_N_C_1);
sumadd(n2);
extract(m4);
sumadd_fast(n3);
extract_fast(m5);
VERIFY_CHECK(c0 <= 1);
m6 = c0;
/* Reduce 385 bits into 258. */
c0 = m0; c1 = 0; c2 = 0;
muladd_fast(m4, SECP256K1_N_C_0);
extract_fast(p0);
sumadd_fast(m1);
muladd(m5, SECP256K1_N_C_0);
muladd(m4, SECP256K1_N_C_1);
extract(p1);
sumadd(m2);
muladd(m6, SECP256K1_N_C_0);
muladd(m5, SECP256K1_N_C_1);
sumadd(m4);
extract(p2);
sumadd_fast(m3);
muladd_fast(m6, SECP256K1_N_C_1);
sumadd_fast(m5);
extract_fast(p3);
p4 = c0 + m6;
VERIFY_CHECK(p4 <= 2);
/* Reduce 258 bits into 256. */
secp256k1_u128_from_u64(&c128, p0);
secp256k1_u128_accum_mul(&c128, SECP256K1_N_C_0, p4);
r->d[0] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64);
secp256k1_u128_accum_u64(&c128, p1);
secp256k1_u128_accum_mul(&c128, SECP256K1_N_C_1, p4);
r->d[1] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64);
secp256k1_u128_accum_u64(&c128, p2);
secp256k1_u128_accum_u64(&c128, p4);
r->d[2] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64);
secp256k1_u128_accum_u64(&c128, p3);
r->d[3] = secp256k1_u128_to_u64(&c128);
c = secp256k1_u128_hi_u64(&c128);
/* Final reduction of r. */
secp256k1_scalar_reduce(r, c + secp256k1_scalar_check_overflow(r));
}
#undef muladd
#undef muladd_fast
#undef sumadd
#undef sumadd_fast
#undef extract
#undef extract_fast
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
uint64_t l[8];
SECP256K1_SCALAR_VERIFY(a);
SECP256K1_SCALAR_VERIFY(b);
secp256k1_scalar_mul_512(l, a, b);
secp256k1_scalar_reduce_512(r, l);
SECP256K1_SCALAR_VERIFY(r);
}
/* ============================================================================
* FIELD OPERATIONS IMPLEMENTATION
* ============================================================================ */
/* Field element clear */
SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) {
secp256k1_memclear_explicit(a, sizeof(secp256k1_fe));
}
/* Field element set int */
SECP256K1_INLINE static void secp256k1_fe_set_int(secp256k1_fe *r, int a) {
r->n[0] = a;
r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0;
}
/* Field element is zero */
SECP256K1_INLINE static int secp256k1_fe_is_zero(const secp256k1_fe *a) {
return (a->n[0] | a->n[1] | a->n[2] | a->n[3] | a->n[4]) == 0;
}
/* Field element is odd */
SECP256K1_INLINE static int secp256k1_fe_is_odd(const secp256k1_fe *a) {
return a->n[0] & 1;
}
/* Field element normalize var */
static void secp256k1_fe_normalize_var(secp256k1_fe *r) {
uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
uint64_t m;
uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
t0 += x * 0x1000003D1ULL;
t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; m = t1;
t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m &= t2;
t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t3;
t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t4;
VERIFY_CHECK(t4 >> 49 == 0);
x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
& (t0 >= 0xFFFFEFFFFFC2FULL));
if (x) {
t0 += 0x1000003D1ULL;
t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
VERIFY_CHECK(t4 >> 48 == x);
t4 &= 0x0FFFFFFFFFFFFULL;
}
r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
}
/* Field element normalize weak */
static void secp256k1_fe_normalize_weak(secp256k1_fe *r) {
uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
t0 += x * 0x1000003D1ULL;
t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
VERIFY_CHECK(t4 >> 49 == 0);
r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
}
/* Field element normalizes to zero */
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) {
uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
uint64_t z0, z1;
uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
t0 += x * 0x1000003D1ULL;
t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL;
t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
VERIFY_CHECK(t4 >> 49 == 0);
return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
}
/* Forward declarations */
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m);
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a);
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b);
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a);
static int secp256k1_keypair_load(const secp256k1_context* ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair);
static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey);
static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge);
/* Field element equal */
SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
secp256k1_fe na;
SECP256K1_FE_VERIFY(a);
SECP256K1_FE_VERIFY(b);
secp256k1_fe_negate(&na, a, 1);
secp256k1_fe_add(&na, b);
return secp256k1_fe_normalizes_to_zero(&na);
}
/* Field element negate */
SECP256K1_INLINE static void secp256k1_fe_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m) {
VERIFY_CHECK(0xFFFFEFFFFFC2FULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
VERIFY_CHECK(0xFFFFFFFFFFFFFULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
VERIFY_CHECK(0x0FFFFFFFFFFFFULL * 2 * (m + 1) >= 0x0FFFFFFFFFFFFULL * 2 * m);
r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0];
r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1];
r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2];
r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3];
r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4];
}
SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m) {
secp256k1_fe_negate_unchecked(r, a, m);
}
/* Field element add */
SECP256K1_INLINE static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a) {
r->n[0] += a->n[0];
r->n[1] += a->n[1];
r->n[2] += a->n[2];
r->n[3] += a->n[3];
r->n[4] += a->n[4];
}
/* Field element add int */
SECP256K1_INLINE static void secp256k1_fe_add_int(secp256k1_fe *r, int a) {
r->n[0] += a;
}
/* Field element set from bytes mod */
static void secp256k1_fe_set_b32_mod(secp256k1_fe *r, const unsigned char *a) {
r->n[0] = (uint64_t)a[31]
| ((uint64_t)a[30] << 8)
| ((uint64_t)a[29] << 16)
| ((uint64_t)a[28] << 24)
| ((uint64_t)a[27] << 32)
| ((uint64_t)a[26] << 40)
| ((uint64_t)(a[25] & 0xF) << 48);
r->n[1] = (uint64_t)((a[25] >> 4) & 0xF)
| ((uint64_t)a[24] << 4)
| ((uint64_t)a[23] << 12)
| ((uint64_t)a[22] << 20)
| ((uint64_t)a[21] << 28)
| ((uint64_t)a[20] << 36)
| ((uint64_t)a[19] << 44);
r->n[2] = (uint64_t)a[18]
| ((uint64_t)a[17] << 8)
| ((uint64_t)a[16] << 16)
| ((uint64_t)a[15] << 24)
| ((uint64_t)a[14] << 32)
| ((uint64_t)a[13] << 40)
| ((uint64_t)(a[12] & 0xF) << 48);
r->n[3] = (uint64_t)((a[12] >> 4) & 0xF)
| ((uint64_t)a[11] << 4)
| ((uint64_t)a[10] << 12)
| ((uint64_t)a[9] << 20)
| ((uint64_t)a[8] << 28)
| ((uint64_t)a[7] << 36)
| ((uint64_t)a[6] << 44);
r->n[4] = (uint64_t)a[5]
| ((uint64_t)a[4] << 8)
| ((uint64_t)a[3] << 16)
| ((uint64_t)a[2] << 24)
| ((uint64_t)a[1] << 32)
| ((uint64_t)a[0] << 40);
}
/* Field element set from bytes limit */
static int secp256k1_fe_set_b32_limit(secp256k1_fe *r, const unsigned char *a) {
secp256k1_fe_set_b32_mod(r, a);
return !((r->n[4] == 0x0FFFFFFFFFFFFULL) & ((r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL) & (r->n[0] >= 0xFFFFEFFFFFC2FULL));
}
/* Field element get bytes */
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) {
r[0] = (a->n[4] >> 40) & 0xFF;
r[1] = (a->n[4] >> 32) & 0xFF;
r[2] = (a->n[4] >> 24) & 0xFF;
r[3] = (a->n[4] >> 16) & 0xFF;
r[4] = (a->n[4] >> 8) & 0xFF;
r[5] = a->n[4] & 0xFF;
r[6] = (a->n[3] >> 44) & 0xFF;
r[7] = (a->n[3] >> 36) & 0xFF;
r[8] = (a->n[3] >> 28) & 0xFF;
r[9] = (a->n[3] >> 20) & 0xFF;
r[10] = (a->n[3] >> 12) & 0xFF;
r[11] = (a->n[3] >> 4) & 0xFF;
r[12] = ((a->n[2] >> 48) & 0xF) | ((a->n[3] & 0xF) << 4);
r[13] = (a->n[2] >> 40) & 0xFF;
r[14] = (a->n[2] >> 32) & 0xFF;
r[15] = (a->n[2] >> 24) & 0xFF;
r[16] = (a->n[2] >> 16) & 0xFF;
r[17] = (a->n[2] >> 8) & 0xFF;
r[18] = a->n[2] & 0xFF;
r[19] = (a->n[1] >> 44) & 0xFF;
r[20] = (a->n[1] >> 36) & 0xFF;
r[21] = (a->n[1] >> 28) & 0xFF;
r[22] = (a->n[1] >> 20) & 0xFF;
r[23] = (a->n[1] >> 12) & 0xFF;
r[24] = (a->n[1] >> 4) & 0xFF;
r[25] = ((a->n[0] >> 48) & 0xF) | ((a->n[1] & 0xF) << 4);
r[26] = (a->n[0] >> 40) & 0xFF;
r[27] = (a->n[0] >> 32) & 0xFF;
r[28] = (a->n[0] >> 24) & 0xFF;
r[29] = (a->n[0] >> 16) & 0xFF;
r[30] = (a->n[0] >> 8) & 0xFF;
r[31] = a->n[0] & 0xFF;
}
/* Field element square root */
static int secp256k1_fe_sqrt(secp256k1_fe * SECP256K1_RESTRICT r, const secp256k1_fe * SECP256K1_RESTRICT a) {
secp256k1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1;
int j, ret;
VERIFY_CHECK(r != a);
SECP256K1_FE_VERIFY(a);
secp256k1_fe_sqr(&x2, a);
secp256k1_fe_mul(&x2, &x2, a);
secp256k1_fe_sqr(&x3, &x2);
secp256k1_fe_mul(&x3, &x3, a);
x6 = x3;
for (j=0; j<3; j++) {
secp256k1_fe_sqr(&x6, &x6);
}
secp256k1_fe_mul(&x6, &x6, &x3);
x9 = x6;
for (j=0; j<3; j++) {
secp256k1_fe_sqr(&x9, &x9);
}
secp256k1_fe_mul(&x9, &x9, &x3);
x11 = x9;
for (j=0; j<2; j++) {
secp256k1_fe_sqr(&x11, &x11);
}
secp256k1_fe_mul(&x11, &x11, &x2);
x22 = x11;
for (j=0; j<11; j++) {
secp256k1_fe_sqr(&x22, &x22);
}
secp256k1_fe_mul(&x22, &x22, &x11);
x44 = x22;
for (j=0; j<22; j++) {
secp256k1_fe_sqr(&x44, &x44);
}
secp256k1_fe_mul(&x44, &x44, &x22);
x88 = x44;
for (j=0; j<44; j++) {
secp256k1_fe_sqr(&x88, &x88);
}
secp256k1_fe_mul(&x88, &x88, &x44);
x176 = x88;
for (j=0; j<88; j++) {
secp256k1_fe_sqr(&x176, &x176);
}
secp256k1_fe_mul(&x176, &x176, &x88);
x220 = x176;
for (j=0; j<44; j++) {
secp256k1_fe_sqr(&x220, &x220);
}
secp256k1_fe_mul(&x220, &x220, &x44);
x223 = x220;
for (j=0; j<3; j++) {
secp256k1_fe_sqr(&x223, &x223);
}
secp256k1_fe_mul(&x223, &x223, &x3);
t1 = x223;
for (j=0; j<23; j++) {
secp256k1_fe_sqr(&t1, &t1);
}
secp256k1_fe_mul(&t1, &t1, &x22);
for (j=0; j<6; j++) {
secp256k1_fe_sqr(&t1, &t1);
}
secp256k1_fe_mul(&t1, &t1, &x2);
secp256k1_fe_sqr(&t1, &t1);
secp256k1_fe_sqr(r, &t1);
secp256k1_fe_sqr(&t1, r);
ret = secp256k1_fe_equal(&t1, a);
return ret;
}
#define VERIFY_BITS(x, n) VERIFY_CHECK(((x) >> (n)) == 0)
#define VERIFY_BITS_128(x, n) VERIFY_CHECK(secp256k1_u128_check_bits((x), (n)))
/* Field element multiply */
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b) {
secp256k1_uint128 c, d;
uint64_t t3, t4, tx, u0;
uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL;
VERIFY_BITS(a->n[0], 56);
VERIFY_BITS(a->n[1], 56);
VERIFY_BITS(a->n[2], 56);
VERIFY_BITS(a->n[3], 56);
VERIFY_BITS(a->n[4], 52);
VERIFY_BITS(b->n[0], 56);
VERIFY_BITS(b->n[1], 56);
VERIFY_BITS(b->n[2], 56);
VERIFY_BITS(b->n[3], 56);
VERIFY_BITS(b->n[4], 52);
VERIFY_CHECK(r != b);
VERIFY_CHECK(a != b);
secp256k1_u128_mul(&d, a0, b->n[3]);
secp256k1_u128_accum_mul(&d, a1, b->n[2]);
secp256k1_u128_accum_mul(&d, a2, b->n[1]);
secp256k1_u128_accum_mul(&d, a3, b->n[0]);
secp256k1_u128_mul(&c, a4, b->n[4]);
secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64);
t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
secp256k1_u128_accum_mul(&d, a0, b->n[4]);
secp256k1_u128_accum_mul(&d, a1, b->n[3]);
secp256k1_u128_accum_mul(&d, a2, b->n[2]);
secp256k1_u128_accum_mul(&d, a3, b->n[1]);
secp256k1_u128_accum_mul(&d, a4, b->n[0]);
secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c));
t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
tx = (t4 >> 48); t4 &= (M >> 4);
secp256k1_u128_mul(&c, a0, b->n[0]);
secp256k1_u128_accum_mul(&d, a1, b->n[4]);
secp256k1_u128_accum_mul(&d, a2, b->n[3]);
secp256k1_u128_accum_mul(&d, a3, b->n[2]);
secp256k1_u128_accum_mul(&d, a4, b->n[1]);
u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
u0 = (u0 << 4) | tx;
secp256k1_u128_accum_mul(&c, u0, R >> 4);
r->n[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
secp256k1_u128_accum_mul(&c, a0, b->n[1]);
secp256k1_u128_accum_mul(&c, a1, b->n[0]);
secp256k1_u128_accum_mul(&d, a2, b->n[4]);
secp256k1_u128_accum_mul(&d, a3, b->n[3]);
secp256k1_u128_accum_mul(&d, a4, b->n[2]);
secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52);
r->n[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
secp256k1_u128_accum_mul(&c, a0, b->n[2]);
secp256k1_u128_accum_mul(&c, a1, b->n[1]);
secp256k1_u128_accum_mul(&c, a2, b->n[0]);
secp256k1_u128_accum_mul(&d, a3, b->n[4]);
secp256k1_u128_accum_mul(&d, a4, b->n[3]);
secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64);
r->n[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d));
secp256k1_u128_accum_u64(&c, t3);
r->n[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
r->n[4] = secp256k1_u128_to_u64(&c) + t4;
}
/* Field element square */
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
secp256k1_uint128 c, d;
uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
uint64_t t3, t4, tx, u0;
const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL;
VERIFY_BITS(a->n[0], 56);
VERIFY_BITS(a->n[1], 56);
VERIFY_BITS(a->n[2], 56);
VERIFY_BITS(a->n[3], 56);
VERIFY_BITS(a->n[4], 52);
secp256k1_u128_mul(&d, a0*2, a3);
secp256k1_u128_accum_mul(&d, a1*2, a2);
secp256k1_u128_mul(&c, a4, a4);
secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64);
t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
a4 *= 2;
secp256k1_u128_accum_mul(&d, a0, a4);
secp256k1_u128_accum_mul(&d, a1*2, a3);
secp256k1_u128_accum_mul(&d, a2, a2);
secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c));
t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
tx = (t4 >> 48); t4 &= (M >> 4);
secp256k1_u128_mul(&c, a0, a0);
secp256k1_u128_accum_mul(&d, a1, a4);
secp256k1_u128_accum_mul(&d, a2*2, a3);
u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
u0 = (u0 << 4) | tx;
secp256k1_u128_accum_mul(&c, u0, R >> 4);
r->n[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
a0 *= 2;
secp256k1_u128_accum_mul(&c, a0, a1);
secp256k1_u128_accum_mul(&d, a2, a4);
secp256k1_u128_accum_mul(&d, a3, a3);
secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52);
r->n[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
secp256k1_u128_accum_mul(&c, a0, a2);
secp256k1_u128_accum_mul(&c, a1, a1);
secp256k1_u128_accum_mul(&d, a3, a4);
secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64);
r->n[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d));
secp256k1_u128_accum_u64(&c, t3);
r->n[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
r->n[4] = secp256k1_u128_to_u64(&c) + t4;
}
/* Field element inverse var - uses exponentiation x^(p-2) mod p */
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
secp256k1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1;
int j;
SECP256K1_FE_VERIFY(x);
/* Compute x^(p-2) = x^(2^256 - 2^32 - 977) using addition chain */
/* p-2 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2D */
secp256k1_fe_sqr(&x2, x);
secp256k1_fe_mul(&x3, &x2, x);
x6 = x3;
for (j=0; j<3; j++) secp256k1_fe_sqr(&x6, &x6);
secp256k1_fe_mul(&x6, &x6, &x3);
x9 = x6;
for (j=0; j<3; j++) secp256k1_fe_sqr(&x9, &x9);
secp256k1_fe_mul(&x9, &x9, &x3);
x11 = x9;
for (j=0; j<2; j++) secp256k1_fe_sqr(&x11, &x11);
secp256k1_fe_mul(&x11, &x11, &x2);
x22 = x11;
for (j=0; j<11; j++) secp256k1_fe_sqr(&x22, &x22);
secp256k1_fe_mul(&x22, &x22, &x11);
x44 = x22;
for (j=0; j<22; j++) secp256k1_fe_sqr(&x44, &x44);
secp256k1_fe_mul(&x44, &x44, &x22);
x88 = x44;
for (j=0; j<44; j++) secp256k1_fe_sqr(&x88, &x88);
secp256k1_fe_mul(&x88, &x88, &x44);
x176 = x88;
for (j=0; j<88; j++) secp256k1_fe_sqr(&x176, &x176);
secp256k1_fe_mul(&x176, &x176, &x88);
x220 = x176;
for (j=0; j<44; j++) secp256k1_fe_sqr(&x220, &x220);
secp256k1_fe_mul(&x220, &x220, &x44);
x223 = x220;
for (j=0; j<3; j++) secp256k1_fe_sqr(&x223, &x223);
secp256k1_fe_mul(&x223, &x223, &x3);
t1 = x223;
for (j=0; j<23; j++) secp256k1_fe_sqr(&t1, &t1);
secp256k1_fe_mul(&t1, &t1, &x22);
for (j=0; j<5; j++) secp256k1_fe_sqr(&t1, &t1);
secp256k1_fe_mul(&t1, &t1, x);
for (j=0; j<3; j++) secp256k1_fe_sqr(&t1, &t1);
secp256k1_fe_mul(&t1, &t1, &x2);
for (j=0; j<2; j++) secp256k1_fe_sqr(&t1, &t1);
secp256k1_fe_mul(r, &t1, x);
secp256k1_fe_normalize_var(r);
SECP256K1_FE_VERIFY(r);
}
/* ============================================================================
* GROUP OPERATIONS IMPLEMENTATION
* ============================================================================ */
/* Group element set infinity */
static void secp256k1_ge_set_infinity(secp256k1_ge *r) {
r->infinity = 1;
secp256k1_fe_set_int(&r->x, 0);
secp256k1_fe_set_int(&r->y, 0);
SECP256K1_GE_VERIFY(r);
}
/* Group element is infinity */
static int secp256k1_ge_is_infinity(const secp256k1_ge *a) {
SECP256K1_GE_VERIFY(a);
return a->infinity;
}
/* Group element set xy */
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y) {
SECP256K1_FE_VERIFY(x);
SECP256K1_FE_VERIFY(y);
r->infinity = 0;
r->x = *x;
r->y = *y;
SECP256K1_GE_VERIFY(r);
}
/* Group element set from x-only */
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
secp256k1_fe x2, x3;
int ret;
SECP256K1_FE_VERIFY(x);
r->x = *x;
secp256k1_fe_sqr(&x2, x);
secp256k1_fe_mul(&x3, x, &x2);
r->infinity = 0;
secp256k1_fe_add_int(&x3, SECP256K1_B);
ret = secp256k1_fe_sqrt(&r->y, &x3);
secp256k1_fe_normalize_var(&r->y);
if (secp256k1_fe_is_odd(&r->y) != odd) {
secp256k1_fe_negate(&r->y, &r->y, 1);
}
SECP256K1_GE_VERIFY(r);
return ret;
}
/* Group element jacobian set infinity */
static void secp256k1_gej_set_infinity(secp256k1_gej *r) {
r->infinity = 1;
secp256k1_fe_set_int(&r->x, 0);
secp256k1_fe_set_int(&r->y, 0);
secp256k1_fe_set_int(&r->z, 0);
SECP256K1_GEJ_VERIFY(r);
}
/* Group element jacobian is infinity */
static int secp256k1_gej_is_infinity(const secp256k1_gej *a) {
SECP256K1_GEJ_VERIFY(a);
return a->infinity;
}
/* Group element jacobian set from ge */
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a) {
SECP256K1_GE_VERIFY(a);
r->infinity = a->infinity;
r->x = a->x;
r->y = a->y;
secp256k1_fe_set_int(&r->z, 1);
SECP256K1_GEJ_VERIFY(r);
}
/* Group element jacobian clear */
static void secp256k1_gej_clear(secp256k1_gej *r) {
secp256k1_memclear_explicit(r, sizeof(secp256k1_gej));
}
/* Group element set from jacobian */
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) {
secp256k1_fe z2, z3;
SECP256K1_GEJ_VERIFY(a);
r->infinity = a->infinity;
secp256k1_fe_inv_var(&a->z, &a->z);
secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_mul(&z3, &a->z, &z2);
secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1);
r->x = a->x;
r->y = a->y;
SECP256K1_GEJ_VERIFY(a);
SECP256K1_GE_VERIFY(r);
}
/* Group element set from jacobian var */
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) {
secp256k1_fe z2, z3;
SECP256K1_GEJ_VERIFY(a);
if (secp256k1_gej_is_infinity(a)) {
secp256k1_ge_set_infinity(r);
return;
}
r->infinity = 0;
secp256k1_fe_inv_var(&a->z, &a->z);
secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_mul(&z3, &a->z, &z2);
secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1);
secp256k1_ge_set_xy(r, &a->x, &a->y);
SECP256K1_GEJ_VERIFY(a);
SECP256K1_GE_VERIFY(r);
}
/* Group element to/from storage */
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a) {
secp256k1_fe x, y;
x = a->x;
y = a->y;
secp256k1_fe_normalize_weak(&x);
secp256k1_fe_normalize_weak(&y);
r->n[0] = x.n[0] | (uint64_t)x.n[1] << 52;
r->n[1] = x.n[2] | (uint64_t)x.n[3] << 40 | (uint64_t)x.n[4] << 56;
r->n[2] = y.n[0] | (uint64_t)y.n[1] << 52;
r->n[3] = y.n[2] | (uint64_t)y.n[3] << 40 | (uint64_t)y.n[4] << 56;
}
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a) {
secp256k1_fe x, y;
x.n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL;
x.n[1] = a->n[0] >> 52;
x.n[2] = a->n[1] & 0xFFFFFFFFFFFFFULL;
x.n[3] = (a->n[1] >> 40) & 0xFFFFFFFFFFFFFULL;
x.n[4] = a->n[1] >> 56;
y.n[0] = a->n[2] & 0xFFFFFFFFFFFFFULL;
y.n[1] = a->n[2] >> 52;
y.n[2] = a->n[3] & 0xFFFFFFFFFFFFFULL;
y.n[3] = (a->n[3] >> 40) & 0xFFFFFFFFFFFFFULL;
y.n[4] = a->n[3] >> 56;
secp256k1_ge_set_xy(r, &x, &y);
}
static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a) {
secp256k1_ge_storage s;
VERIFY_CHECK(!secp256k1_ge_is_infinity(a));
secp256k1_ge_to_storage(&s, a);
memcpy(buf, &s, 64);
}
static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf) {
secp256k1_ge_storage s;
memcpy(&s, buf, 64);
secp256k1_ge_from_storage(r, &s);
}
/* Group element jacobian double var */
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
/* Full implementation requires proper field arithmetic */
/* Placeholder - needs full implementation */
VERIFY_CHECK(0 && "secp256k1_gej_double_var needs full implementation");
}
/* Group element jacobian add ge var */
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr) {
/* Full implementation requires proper field arithmetic */
/* Placeholder - needs full implementation */
VERIFY_CHECK(0 && "secp256k1_gej_add_ge_var needs full implementation");
}
/* Group element jacobian add zinv var */
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv) {
/* Full implementation requires proper field arithmetic */
/* Placeholder - needs full implementation */
VERIFY_CHECK(0 && "secp256k1_gej_add_zinv_var needs full implementation");
}
/* ============================================================================
* EC MULTIPLICATION IMPLEMENTATION
* ============================================================================ */
/* EC multiplication generator context is built */
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx) {
return ctx->built;
}
/* EC multiplication generator - simplified placeholder */
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *gn) {
/* Full implementation requires precomputed tables */
/* This is a placeholder - needs full implementation with precomputed tables */
VERIFY_CHECK(0 && "secp256k1_ecmult_gen needs full implementation");
}
/* EC multiplication - simplified placeholder */
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng) {
/* Full implementation requires precomputed tables and WNAF */
/* This is a placeholder - needs full implementation */
VERIFY_CHECK(0 && "secp256k1_ecmult needs full implementation");
}
/* ============================================================================
* PUBKEY/KEYPAIR OPERATIONS
* ============================================================================ */
/* Pubkey load */
static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
secp256k1_ge_from_bytes(ge, pubkey->data);
ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
return 1;
}
/* Pubkey save */
static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
secp256k1_ge_to_bytes(pubkey->data, ge);
}
/* X-only pubkey load */
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context* ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey) {
return secp256k1_pubkey_load(ctx, ge, (const secp256k1_pubkey *) pubkey);
}
/* Group element constant constructor */
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) { \
{ \
((uint64_t)(a) << 32) | (b), \
((uint64_t)(c) << 32) | (d), \
((uint64_t)(e) << 32) | (f), \
((uint64_t)(g) << 32) | (h), \
((uint64_t)(i) << 32) | (j) \
}, \
{ \
((uint64_t)(k) << 32) | (l), \
((uint64_t)(m) << 32) | (n), \
((uint64_t)(o) << 32) | (p), \
0, \
0 \
}, \
0 \
}
/* Group element generator constant */
static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_GE_CONST(
0x79be667e, 0xf9dcbbac, 0x55a06295, 0xce870b07,
0x029bfcdb, 0x2dce28d9, 0x59f2815b, 0x16f81798,
0x483ada77, 0x26a3c465, 0x5da4fbfc, 0x0e1108a8,
0xfd17b448, 0xa6855419, 0x9c47d08f, 0xfb10d4b8
);
/* Keypair seckey load */
static int secp256k1_keypair_seckey_load(const secp256k1_context* ctx, secp256k1_scalar *sk, const secp256k1_keypair *keypair) {
int ret;
ret = secp256k1_scalar_set_b32_seckey(sk, &keypair->data[0]);
return ret;
}
/* Keypair load */
static int secp256k1_keypair_load(const secp256k1_context* ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair) {
int ret;
const secp256k1_pubkey *pubkey = (const secp256k1_pubkey *)&keypair->data[32];
secp256k1_declassify(ctx, pubkey, sizeof(*pubkey));
ret = secp256k1_pubkey_load(ctx, pk, pubkey);
if (sk != NULL) {
ret = ret && secp256k1_keypair_seckey_load(ctx, sk, keypair);
}
if (!ret) {
*pk = secp256k1_ge_const_g;
if (sk != NULL) {
*sk = secp256k1_scalar_one;
}
}
return ret;
}
/* ============================================================================
* SCHNORR SIGNATURE IMPLEMENTATION
* ============================================================================ */
/* BIP-340 nonce tag */
static const unsigned char bip340_algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
/* Extraparams magic value */
static const unsigned char schnorrsig_extraparams_magic[4] = { 0xda, 0x6f, 0xb3, 0x8c };
/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
* SHA256 to SHA256("BIP0340/nonce")||SHA256("BIP0340/nonce"). */
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha) {
secp256k1_sha256_initialize(sha);
sha->s[0] = 0x46615b35ul;
sha->s[1] = 0xf4bfbff7ul;
sha->s[2] = 0x9f8dc671ul;
sha->s[3] = 0x83627ab3ul;
sha->s[4] = 0x60217180ul;
sha->s[5] = 0x57358661ul;
sha->s[6] = 0x21a29e54ul;
sha->s[7] = 0x68b07b4cul;
sha->bytes = 64;
}
/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
* SHA256 to SHA256("BIP0340/aux")||SHA256("BIP0340/aux"). */
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha) {
secp256k1_sha256_initialize(sha);
sha->s[0] = 0x24dd3219ul;
sha->s[1] = 0x4eba7e70ul;
sha->s[2] = 0xca0fabb9ul;
sha->s[3] = 0x0fa3166dul;
sha->s[4] = 0x3afbe4b1ul;
sha->s[5] = 0x4c44df97ul;
sha->s[6] = 0x4aac2739ul;
sha->s[7] = 0x249e850aul;
sha->bytes = 64;
}
/* Nonce function pointer type */
typedef int (*secp256k1_nonce_function_hardened)(
unsigned char *nonce32,
const unsigned char *msg,
size_t msglen,
const unsigned char *key32,
const unsigned char *xonly_pk32,
const unsigned char *algo,
size_t algolen,
void *data
);
/* BIP-340 nonce generation function */
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
secp256k1_sha256 sha;
unsigned char masked_key[32];
int i;
if (algo == NULL) {
return 0;
}
if (data != NULL) {
secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha);
secp256k1_sha256_write(&sha, data, 32);
secp256k1_sha256_finalize(&sha, masked_key);
for (i = 0; i < 32; i++) {
masked_key[i] ^= key32[i];
}
} else {
/* Precomputed TaggedHash("BIP0340/aux", 0x0000...00); */
static const unsigned char ZERO_MASK[32] = {
84, 241, 105, 207, 201, 226, 229, 114,
116, 128, 68, 31, 144, 186, 37, 196,
136, 244, 97, 199, 11, 94, 165, 220,
170, 247, 175, 105, 39, 10, 165, 20
};
for (i = 0; i < 32; i++) {
masked_key[i] = key32[i] ^ ZERO_MASK[i];
}
}
/* Tag the hash with algo which is important to avoid nonce reuse across
* algorithms. If this nonce function is used in BIP-340 signing as defined
* in the spec, an optimized tagging implementation is used. */
if (algolen == sizeof(bip340_algo)
&& secp256k1_memcmp_var(algo, bip340_algo, algolen) == 0) {
secp256k1_nonce_function_bip340_sha256_tagged(&sha);
} else {
secp256k1_sha256_initialize_tagged(&sha, algo, algolen);
}
/* Hash masked-key||pk||msg using the tagged hash as per the spec */
secp256k1_sha256_write(&sha, masked_key, 32);
secp256k1_sha256_write(&sha, xonly_pk32, 32);
secp256k1_sha256_write(&sha, msg, msglen);
secp256k1_sha256_finalize(&sha, nonce32);
secp256k1_sha256_clear(&sha);
secp256k1_memclear_explicit(masked_key, sizeof(masked_key));
return 1;
}
/* Public nonce function pointer */
const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340 = nonce_function_bip340;
/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
* SHA256 to SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge"). */
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha) {
secp256k1_sha256_initialize(sha);
sha->s[0] = 0x9cecba11ul;
sha->s[1] = 0x23925381ul;
sha->s[2] = 0x11679112ul;
sha->s[3] = 0xd1627e0ful;
sha->s[4] = 0x97c87550ul;
sha->s[5] = 0x003cc765ul;
sha->s[6] = 0x90f61164ul;
sha->s[7] = 0x33e9b66aul;
sha->bytes = 64;
}
/* Compute the challenge hash e = TaggedHash("BIP0340/challenge", r || pk || msg) */
static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg, size_t msglen, const unsigned char *pubkey32)
{
unsigned char buf[32];
secp256k1_sha256 sha;
/* tagged hash(r.x, pk.x, msg) */
secp256k1_schnorrsig_sha256_tagged(&sha);
secp256k1_sha256_write(&sha, r32, 32);
secp256k1_sha256_write(&sha, pubkey32, 32);
secp256k1_sha256_write(&sha, msg, msglen);
secp256k1_sha256_finalize(&sha, buf);
/* Set scalar e to the challenge hash modulo the curve order as per
* BIP340. */
secp256k1_scalar_set_b32(e, buf, NULL);
}
/* Internal signing function */
static int secp256k1_schnorrsig_sign_internal(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
secp256k1_scalar sk;
secp256k1_scalar e;
secp256k1_scalar k;
secp256k1_gej rj;
secp256k1_ge pk;
secp256k1_ge r;
unsigned char nonce32[32] = { 0 };
unsigned char pk_buf[32];
unsigned char seckey[32];
int ret = 1;
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
ARG_CHECK(sig64 != NULL);
ARG_CHECK(msg != NULL || msglen == 0);
ARG_CHECK(keypair != NULL);
if (noncefp == NULL) {
noncefp = secp256k1_nonce_function_bip340;
}
ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair);
/* Because we are signing for a x-only pubkey, the secret key is negated
* before signing if the point corresponding to the secret key does not
* have an even Y. */
if (secp256k1_fe_is_odd(&pk.y)) {
secp256k1_scalar_negate(&sk, &sk);
}
secp256k1_scalar_get_b32(seckey, &sk);
secp256k1_fe_get_b32(pk_buf, &pk.x);
ret &= !!noncefp(nonce32, msg, msglen, seckey, pk_buf, bip340_algo, sizeof(bip340_algo), ndata);
secp256k1_scalar_set_b32(&k, nonce32, NULL);
ret &= !secp256k1_scalar_is_zero(&k);
secp256k1_scalar_cmov(&k, &secp256k1_scalar_one, !ret);
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
secp256k1_ge_set_gej(&r, &rj);
/* We declassify r to allow using it as a branch point. This is fine
* because r is not a secret. */
secp256k1_declassify(ctx, &r, sizeof(r));
secp256k1_fe_normalize_var(&r.y);
if (secp256k1_fe_is_odd(&r.y)) {
secp256k1_scalar_negate(&k, &k);
}
secp256k1_fe_normalize_var(&r.x);
secp256k1_fe_get_b32(&sig64[0], &r.x);
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, pk_buf);
secp256k1_scalar_mul(&e, &e, &sk);
secp256k1_scalar_add(&e, &e, &k);
secp256k1_scalar_get_b32(&sig64[32], &e);
secp256k1_memczero(sig64, 64, !ret);
secp256k1_scalar_clear(&k);
secp256k1_scalar_clear(&sk);
secp256k1_memclear_explicit(seckey, sizeof(seckey));
secp256k1_memclear_explicit(nonce32, sizeof(nonce32));
secp256k1_gej_clear(&rj);
return ret;
}
/* Public API: Sign a 32-byte message */
int secp256k1_schnorrsig_sign32(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) {
/* We cast away const from the passed aux_rand32 argument since we know the default nonce function does not modify it. */
return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg32, 32, keypair, secp256k1_nonce_function_bip340, (unsigned char*)aux_rand32);
}
/* Public API: Verify a Schnorr signature */
int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) {
secp256k1_scalar s;
secp256k1_scalar e;
secp256k1_gej rj;
secp256k1_ge pk;
secp256k1_gej pkj;
secp256k1_fe rx;
secp256k1_ge r;
unsigned char buf[32];
int overflow;
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(sig64 != NULL);
ARG_CHECK(msg != NULL || msglen == 0);
ARG_CHECK(pubkey != NULL);
if (!secp256k1_fe_set_b32_limit(&rx, &sig64[0])) {
return 0;
}
secp256k1_scalar_set_b32(&s, &sig64[32], &overflow);
if (overflow) {
return 0;
}
if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
return 0;
}
/* Compute e. */
secp256k1_fe_get_b32(buf, &pk.x);
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, buf);
/* Compute rj = s*G + (-e)*pkj */
secp256k1_scalar_negate(&e, &e);
secp256k1_gej_set_ge(&pkj, &pk);
secp256k1_ecmult(&rj, &pkj, &e, &s);
secp256k1_ge_set_gej_var(&r, &rj);
if (secp256k1_ge_is_infinity(&r)) {
return 0;
}
secp256k1_fe_normalize_var(&r.y);
return !secp256k1_fe_is_odd(&r.y) &&
secp256k1_fe_equal(&rx, &r.x);
}
#endif /* SCHNORR_STANDALONE_C */
Reference in New Issue View Git Blame Copy Permalink