doxygen/html/recovery_2main__impl_8h_source.html

 /**********************************************************************
  * Copyright (c) 2013-2015 Pieter Wuille                              *
  * Distributed under the MIT software license, see the accompanying   *
  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
  **********************************************************************/

 #ifndef SECP256K1_MODULE_RECOVERY_MAIN_H
 #define SECP256K1_MODULE_RECOVERY_MAIN_H

 #include "include/secp256k1_recovery.h"

 static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const secp256k1_ecdsa_recoverable_signature* sig) {
     (void)ctx;
     if (sizeof(secp256k1_scalar) == 32) {
         /* When the secp256k1_scalar type is exactly 32 byte, use its
          * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
          * Note that secp256k1_ecdsa_signature_save must use the same representation. */
         memcpy(r, &sig->data[0], 32);
         memcpy(s, &sig->data[32], 32);
     } else {
         secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
         secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
     }
     *recid = sig->data[64];
 }

 static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s, int recid) {
     if (sizeof(secp256k1_scalar) == 32) {
         memcpy(&sig->data[0], r, 32);
         memcpy(&sig->data[32], s, 32);
     } else {
         secp256k1_scalar_get_b32(&sig->data[0], r);
         secp256k1_scalar_get_b32(&sig->data[32], s);
     }
     sig->data[64] = recid;
 }

 int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) {
     secp256k1_scalar r, s;
     int ret = 1;
     int overflow = 0;

     (void)ctx;
     ARG_CHECK(sig != NULL);
     ARG_CHECK(input64 != NULL);
     ARG_CHECK(recid >= 0 && recid <= 3);

     secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
     ret &= !overflow;
     secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
     ret &= !overflow;
     if (ret) {
         secp256k1_ecdsa_recoverable_signature_save(sig, &r, &s, recid);
     } else {
         memset(sig, 0, sizeof(*sig));
     }
     return ret;
 }

 int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature* sig) {
     secp256k1_scalar r, s;

     (void)ctx;
     ARG_CHECK(output64 != NULL);
     ARG_CHECK(sig != NULL);
     ARG_CHECK(recid != NULL);

     secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);
     secp256k1_scalar_get_b32(&output64[0], &r);
     secp256k1_scalar_get_b32(&output64[32], &s);
     return 1;
 }

 int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const secp256k1_ecdsa_recoverable_signature* sigin) {
     secp256k1_scalar r, s;
     int recid;

     (void)ctx;
     ARG_CHECK(sig != NULL);
     ARG_CHECK(sigin != NULL);

     secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);
     secp256k1_ecdsa_signature_save(sig, &r, &s);
     return 1;
 }

 static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar* sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid) {
     unsigned char brx[32];
     secp256k1_fe fx;
     secp256k1_ge x;
     secp256k1_gej xj;
     secp256k1_scalar rn, u1, u2;
     secp256k1_gej qj;
     int r;

     if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
         return 0;
     }

     secp256k1_scalar_get_b32(brx, sigr);
     r = secp256k1_fe_set_b32(&fx, brx);
     (void)r;
     VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */
     if (recid & 2) {
         if (secp256k1_fe_cmp_var(&fx, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
             return 0;
         }
         secp256k1_fe_add(&fx, &secp256k1_ecdsa_const_order_as_fe);
     }
     if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1)) {
         return 0;
     }
     secp256k1_gej_set_ge(&xj, &x);
     secp256k1_scalar_inverse_var(&rn, sigr);
     secp256k1_scalar_mul(&u1, &rn, message);
     secp256k1_scalar_negate(&u1, &u1);
     secp256k1_scalar_mul(&u2, &rn, sigs);
     secp256k1_ecmult(ctx, &qj, &xj, &u2, &u1);
     secp256k1_ge_set_gej_var(pubkey, &qj);
     return !secp256k1_gej_is_infinity(&qj);
 }

 int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
     secp256k1_scalar r, s;
     secp256k1_scalar sec, non, msg;
     int recid;
     int ret = 0;
     int overflow = 0;
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
     ARG_CHECK(msg32 != NULL);
     ARG_CHECK(signature != NULL);
     ARG_CHECK(seckey != NULL);
     if (noncefp == NULL) {
         noncefp = secp256k1_nonce_function_default;
     }

     secp256k1_scalar_set_b32(&sec, seckey, &overflow);
     /* Fail if the secret key is invalid. */
     if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
         unsigned char nonce32[32];
         unsigned int count = 0;
         secp256k1_scalar_set_b32(&msg, msg32, NULL);
         while (1) {
             ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
             if (!ret) {
                 break;
             }
             secp256k1_scalar_set_b32(&non, nonce32, &overflow);
             if (!secp256k1_scalar_is_zero(&non) && !overflow) {
                 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
                     break;
                 }
             }
             count++;
         }
         memset(nonce32, 0, 32);
         secp256k1_scalar_clear(&msg);
         secp256k1_scalar_clear(&non);
         secp256k1_scalar_clear(&sec);
     }
     if (ret) {
         secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
     } else {
         memset(signature, 0, sizeof(*signature));
     }
     return ret;
 }

 int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
     secp256k1_ge q;
     secp256k1_scalar r, s;
     secp256k1_scalar m;
     int recid;
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
     ARG_CHECK(msg32 != NULL);
     ARG_CHECK(signature != NULL);
     ARG_CHECK(pubkey != NULL);

     secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
     VERIFY_CHECK(recid >= 0 && recid < 4);  /* should have been caught in parse_compact */
     secp256k1_scalar_set_b32(&m, msg32, NULL);
     if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
         secp256k1_pubkey_save(pubkey, &q);
         return 1;
     } else {
         memset(pubkey, 0, sizeof(*pubkey));
         return 0;
     }
 }

 #endif /* SECP256K1_MODULE_RECOVERY_MAIN_H */
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).

secp256k1_ecmult_context_is_built
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)

VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:67

secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.

secp256k1_fe
Definition: field_10x26.h:12

secp256k1_nonce_function_default
SECP256K1_API const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:367

secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)

secp256k1_ecdsa_recoverable_signature_load
static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Definition: main_impl.h:12

secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:113

secp256k1_ecdsa_recoverable_signature_convert
int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74

secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24

secp256k1_ecdsa_recoverable_signature_serialize_compact
int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60

secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).

secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.

secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:157

secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.

secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24

secp256k1_context_struct
Definition: secp256k1.c:52

secp256k1_ecdsa_const_order_as_fe
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe
Group order for secp256k1 defined as &#39;n&#39; in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: ecdsa_impl.h:31

secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:223

secp256k1_ecdsa_recoverable_signature_parse_compact
int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38

secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.

secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:54

ARG_CHECK
#define ARG_CHECK(cond)
Definition: secp256k1.c:22

ctx
static secp256k1_context * ctx
Definition: tests.c:46

secp256k1_ecdsa_recover
int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:170

secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:53

secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.

secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14

secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.

secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...

secp256k1_ecdsa_sign_recoverable
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123

secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.

secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.

secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:99

secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.

secp256k1_ecdsa_recoverable_signature::data
unsigned char data[65]
Definition: secp256k1_recovery.h:25

memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18

count
static int count
Definition: tests.c:45

secp256k1_recovery.h

secp256k1_ecmult_context
Definition: ecmult.h:15

secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.

secp256k1_ecdsa_sig_recover
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid)
Definition: main_impl.h:87

secp256k1_ecmult_gen_context_is_built
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)

secp256k1_ecdsa_recoverable_signature_save
static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s, int recid)
Definition: main_impl.h:27

secp256k1_ecdsa_const_p_minus_order
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order
Difference between field and order, values &#39;p&#39; and &#39;n&#39; values defined in "Standards for Efficient Cry...
Definition: ecdsa_impl.h:45

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:66