Bitcoin ABC 0.33.6
P2P Digital Currency
ecdsa_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7
8#ifndef SECP256K1_ECDSA_IMPL_H
9#define SECP256K1_ECDSA_IMPL_H
10
11#include "scalar.h"
12#include "field.h"
13#include "group.h"
14#include "ecmult.h"
15#include "ecmult_gen.h"
16#include "ecdsa.h"
17
22static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST(
23 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
24 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
25);
26
32static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST(
33 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
34);
35
36static int secp256k1_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend) {
37 size_t lenleft;
38 unsigned char b1;
39 VERIFY_CHECK(len != NULL);
40 *len = 0;
41 if (*sigp >= sigend) {
42 return 0;
43 }
44 b1 = *((*sigp)++);
45 if (b1 == 0xFF) {
46 /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */
47 return 0;
48 }
49 if ((b1 & 0x80) == 0) {
50 /* X.690-0207 8.1.3.4 short form length octets */
51 *len = b1;
52 return 1;
53 }
54 if (b1 == 0x80) {
55 /* Indefinite length is not allowed in DER. */
56 return 0;
57 }
58 /* X.690-207 8.1.3.5 long form length octets */
59 lenleft = b1 & 0x7F; /* lenleft is at least 1 */
60 if (lenleft > (size_t)(sigend - *sigp)) {
61 return 0;
62 }
63 if (**sigp == 0) {
64 /* Not the shortest possible length encoding. */
65 return 0;
66 }
67 if (lenleft > sizeof(size_t)) {
68 /* The resulting length would exceed the range of a size_t, so
69 * certainly longer than the passed array size.
70 */
71 return 0;
72 }
73 while (lenleft > 0) {
74 *len = (*len << 8) | **sigp;
75 (*sigp)++;
76 lenleft--;
77 }
78 if (*len > (size_t)(sigend - *sigp)) {
79 /* Result exceeds the length of the passed array. */
80 return 0;
81 }
82 if (*len < 128) {
83 /* Not the shortest possible length encoding. */
84 return 0;
85 }
86 return 1;
87}
88
89static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) {
90 int overflow = 0;
91 unsigned char ra[32] = {0};
92 size_t rlen;
93
94 if (*sig == sigend || **sig != 0x02) {
95 /* Not a primitive integer (X.690-0207 8.3.1). */
96 return 0;
97 }
98 (*sig)++;
99 if (secp256k1_der_read_len(&rlen, sig, sigend) == 0) {
100 return 0;
101 }
102 if (rlen == 0 || rlen > (size_t)(sigend - *sig)) {
103 /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */
104 return 0;
105 }
106 if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) {
107 /* Excessive 0x00 padding. */
108 return 0;
109 }
110 if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) {
111 /* Excessive 0xFF padding. */
112 return 0;
113 }
114 if ((**sig & 0x80) == 0x80) {
115 /* Negative. */
116 overflow = 1;
117 }
118 /* There is at most one leading zero byte:
119 * if there were two leading zero bytes, we would have failed and returned 0
120 * because of excessive 0x00 padding already. */
121 if (rlen > 0 && **sig == 0) {
122 /* Skip leading zero byte */
123 rlen--;
124 (*sig)++;
125 }
126 if (rlen > 32) {
127 overflow = 1;
128 }
129 if (!overflow) {
130 if (rlen) memcpy(ra + 32 - rlen, *sig, rlen);
131 secp256k1_scalar_set_b32(r, ra, &overflow);
132 }
133 if (overflow) {
134 secp256k1_scalar_set_int(r, 0);
135 }
136 (*sig) += rlen;
137 return 1;
138}
139
140static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) {
141 const unsigned char *sigend = sig + size;
142 size_t rlen;
143 if (sig == sigend || *(sig++) != 0x30) {
144 /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */
145 return 0;
146 }
147 if (secp256k1_der_read_len(&rlen, &sig, sigend) == 0) {
148 return 0;
149 }
150 if (rlen != (size_t)(sigend - sig)) {
151 /* Tuple exceeds bounds or garage after tuple. */
152 return 0;
153 }
154
155 if (!secp256k1_der_parse_integer(rr, &sig, sigend)) {
156 return 0;
157 }
158 if (!secp256k1_der_parse_integer(rs, &sig, sigend)) {
159 return 0;
160 }
161
162 if (sig != sigend) {
163 /* Trailing garbage inside tuple. */
164 return 0;
165 }
166
167 return 1;
168}
169
170static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) {
171 unsigned char r[33] = {0}, s[33] = {0};
172 unsigned char *rp = r, *sp = s;
173 size_t lenR = 33, lenS = 33;
174 secp256k1_scalar_get_b32(&r[1], ar);
175 secp256k1_scalar_get_b32(&s[1], as);
176 while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
177 while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
178 if (*size < 6+lenS+lenR) {
179 *size = 6 + lenS + lenR;
180 return 0;
181 }
182 *size = 6 + lenS + lenR;
183 sig[0] = 0x30;
184 sig[1] = 4 + lenS + lenR;
185 sig[2] = 0x02;
186 sig[3] = lenR;
187 memcpy(sig+4, rp, lenR);
188 sig[4+lenR] = 0x02;
189 sig[5+lenR] = lenS;
190 memcpy(sig+lenR+6, sp, lenS);
191 return 1;
192}
193
194static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) {
195 unsigned char c[32];
196 secp256k1_scalar sn, u1, u2;
197#if !defined(EXHAUSTIVE_TEST_ORDER)
198 secp256k1_fe xr;
199#endif
200 secp256k1_gej pubkeyj;
201 secp256k1_gej pr;
202
203 if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
204 return 0;
205 }
206
207 secp256k1_scalar_inverse_var(&sn, sigs);
208 secp256k1_scalar_mul(&u1, &sn, message);
209 secp256k1_scalar_mul(&u2, &sn, sigr);
210 secp256k1_gej_set_ge(&pubkeyj, pubkey);
211 secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
212 if (secp256k1_gej_is_infinity(&pr)) {
213 return 0;
214 }
215
216#if defined(EXHAUSTIVE_TEST_ORDER)
217{
218 secp256k1_scalar computed_r;
219 secp256k1_ge pr_ge;
220 secp256k1_ge_set_gej(&pr_ge, &pr);
221 secp256k1_fe_normalize(&pr_ge.x);
222
223 secp256k1_fe_get_b32(c, &pr_ge.x);
224 secp256k1_scalar_set_b32(&computed_r, c, NULL);
225 return secp256k1_scalar_eq(sigr, &computed_r);
226}
227#else
228 secp256k1_scalar_get_b32(c, sigr);
229 /* we can ignore the fe_set_b32_limit return value, because we know the input is in range */
230 (void)secp256k1_fe_set_b32_limit(&xr, c);
231
248 if (secp256k1_gej_eq_x_var(&xr, &pr)) {
249 /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */
250 return 1;
251 }
252 if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
253 /* xr + n >= p, so we can skip testing the second case. */
254 return 0;
255 }
256 secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe);
257 if (secp256k1_gej_eq_x_var(&xr, &pr)) {
258 /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */
259 return 1;
260 }
261 return 0;
262#endif
263}
264
265static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) {
266 unsigned char b[32];
267 secp256k1_gej rp;
268 secp256k1_ge r;
269 secp256k1_scalar n;
270 int overflow = 0;
271 int high;
272
273 secp256k1_ecmult_gen(ctx, &rp, nonce);
274 secp256k1_ge_set_gej(&r, &rp);
275 secp256k1_fe_normalize(&r.x);
276 secp256k1_fe_normalize(&r.y);
277 secp256k1_fe_get_b32(b, &r.x);
278 secp256k1_scalar_set_b32(sigr, b, &overflow);
279 if (recid) {
280 /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
281 * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
282 */
283 *recid = (overflow << 1) | secp256k1_fe_is_odd(&r.y);
284 }
285 secp256k1_scalar_mul(&n, sigr, seckey);
286 secp256k1_scalar_add(&n, &n, message);
287 secp256k1_scalar_inverse(sigs, nonce);
288 secp256k1_scalar_mul(sigs, sigs, &n);
289 secp256k1_scalar_clear(&n);
290 secp256k1_gej_clear(&rp);
291 secp256k1_ge_clear(&r);
292 high = secp256k1_scalar_is_high(sigs);
293 secp256k1_scalar_cond_negate(sigs, high);
294 if (recid) {
295 *recid ^= high;
296 }
297 /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
298 * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
299 */
300 return (int)(!secp256k1_scalar_is_zero(sigr)) & (int)(!secp256k1_scalar_is_zero(sigs));
301}
302
303#endif /* SECP256K1_ECDSA_IMPL_H */
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
Definition: ecdsa_impl.h:194
secp256k1_ecdsa_const_p_minus_order
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order
Difference between field and order, values 'p' and 'n' values defined in "Standards for Efficient Cry...
Definition: ecdsa_impl.h:32
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
Definition: ecdsa_impl.h:265
secp256k1_ecdsa_const_order_as_fe
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe
Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2....
Definition: ecdsa_impl.h:22
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *ar, const secp256k1_scalar *as)
Definition: ecdsa_impl.h:170
secp256k1_der_parse_integer
static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend)
Definition: ecdsa_impl.h:89
secp256k1_der_read_len
static int secp256k1_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend)
Definition: ecdsa_impl.h:36
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size)
Definition: ecdsa_impl.h:140
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
ecmult_gen.h
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_gej_clear
static void secp256k1_gej_clear(secp256k1_gej *r)
Clear a secp256k1_gej to prevent leaking sensitive information.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_gej_eq_x_var
static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a)
Compare the X coordinate of a group element (jacobian).
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
ctx
secp256k1_context * ctx
Definition: bench_impl.h:13
sig
SchnorrSig sig
Definition: processor.cpp:537
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:143
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
Generated on Sat Jun 20 2026 17:27:43 for Bitcoin ABC by doxygen 1.9.4