damus

nostr ios client
git clone git://jb55.com/damus
Log | Files | Refs | README | LICENSE

secp256k1_schnorrsig.h (8160B)

      1 #ifndef SECP256K1_SCHNORRSIG_H
      2 #define SECP256K1_SCHNORRSIG_H
      3 
      4 #include "secp256k1.h"
      5 #include "secp256k1_extrakeys.h"
      6 
      7 #ifdef __cplusplus
      8 extern "C" {
      9 #endif
     10 
     11 /** This module implements a variant of Schnorr signatures compliant with
     12  *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
     13  *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
     14  */
     15 
     16 /** A pointer to a function to deterministically generate a nonce.
     17  *
     18  *  Same as secp256k1_nonce function with the exception of accepting an
     19  *  additional pubkey argument and not requiring an attempt argument. The pubkey
     20  *  argument can protect signature schemes with key-prefixed challenge hash
     21  *  inputs against reusing the nonce when signing with the wrong precomputed
     22  *  pubkey.
     23  *
     24  *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
     25  *           return an error.
     26  *  Out:  nonce32: pointer to a 32-byte array to be filled by the function
     27  *  In:       msg: the message being verified. Is NULL if and only if msglen
     28  *                 is 0.
     29  *         msglen: the length of the message
     30  *          key32: pointer to a 32-byte secret key (will not be NULL)
     31  *     xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32
     32  *                 (will not be NULL)
     33  *           algo: pointer to an array describing the signature
     34  *                 algorithm (will not be NULL)
     35  *        algolen: the length of the algo array
     36  *           data: arbitrary data pointer that is passed through
     37  *
     38  *  Except for test cases, this function should compute some cryptographic hash of
     39  *  the message, the key, the pubkey, the algorithm description, and data.
     40  */
     41 typedef int (*secp256k1_nonce_function_hardened)(
     42     unsigned char *nonce32,
     43     const unsigned char *msg,
     44     size_t msglen,
     45     const unsigned char *key32,
     46     const unsigned char *xonly_pk32,
     47     const unsigned char *algo,
     48     size_t algolen,
     49     void *data
     50 );
     51 
     52 /** An implementation of the nonce generation function as defined in Bitcoin
     53  *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
     54  *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
     55  *
     56  *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
     57  *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
     58  *  the nonce derivation procedure follows BIP-340 by setting the auxiliary
     59  *  random data to zero. The algo argument must be non-NULL, otherwise the
     60  *  function will fail and return 0. The hash will be tagged with algo.
     61  *  Therefore, to create BIP-340 compliant signatures, algo must be set to
     62  *  "BIP0340/nonce" and algolen to 13.
     63  */
     64 SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;
     65 
     66 /** Data structure that contains additional arguments for schnorrsig_sign_custom.
     67  *
     68  *  A schnorrsig_extraparams structure object can be initialized correctly by
     69  *  setting it to SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT.
     70  *
     71  *  Members:
     72  *      magic: set to SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC at initialization
     73  *             and has no other function than making sure the object is
     74  *             initialized.
     75  *    noncefp: pointer to a nonce generation function. If NULL,
     76  *             secp256k1_nonce_function_bip340 is used
     77  *      ndata: pointer to arbitrary data used by the nonce generation function
     78  *             (can be NULL). If it is non-NULL and
     79  *             secp256k1_nonce_function_bip340 is used, then ndata must be a
     80  *             pointer to 32-byte auxiliary randomness as per BIP-340.
     81  */
     82 typedef struct {
     83     unsigned char magic[4];
     84     secp256k1_nonce_function_hardened noncefp;
     85     void *ndata;
     86 } secp256k1_schnorrsig_extraparams;
     87 
     88 #define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC { 0xda, 0x6f, 0xb3, 0x8c }
     89 #define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT {\
     90     SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC,\
     91     NULL,\
     92     NULL\
     93 }
     94 
     95 /** Create a Schnorr signature.
     96  *
     97  *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
     98  *  signature. Instead, you can manually use secp256k1_schnorrsig_verify and
     99  *  abort if it fails.
    100  *
    101  *  This function only signs 32-byte messages. If you have messages of a
    102  *  different size (or the same size but without a context-specific tag
    103  *  prefix), it is recommended to create a 32-byte message hash with
    104  *  secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows
    105  *  providing an context-specific tag for domain separation. This prevents
    106  *  signatures from being valid in multiple contexts by accident.
    107  *
    108  *  Returns 1 on success, 0 on failure.
    109  *  Args:    ctx: pointer to a context object (not secp256k1_context_static).
    110  *  Out:   sig64: pointer to a 64-byte array to store the serialized signature.
    111  *  In:    msg32: the 32-byte message being signed.
    112  *       keypair: pointer to an initialized keypair.
    113  *    aux_rand32: 32 bytes of fresh randomness. While recommended to provide
    114  *                this, it is only supplemental to security and can be NULL. A
    115  *                NULL argument is treated the same as an all-zero one. See
    116  *                BIP-340 "Default Signing" for a full explanation of this
    117  *                argument and for guidance if randomness is expensive.
    118  */
    119 SECP256K1_API int secp256k1_schnorrsig_sign32(
    120     const secp256k1_context *ctx,
    121     unsigned char *sig64,
    122     const unsigned char *msg32,
    123     const secp256k1_keypair *keypair,
    124     const unsigned char *aux_rand32
    125 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    126 
    127 /** Same as secp256k1_schnorrsig_sign32, but DEPRECATED. Will be removed in
    128  *  future versions. */
    129 SECP256K1_API int secp256k1_schnorrsig_sign(
    130     const secp256k1_context *ctx,
    131     unsigned char *sig64,
    132     const unsigned char *msg32,
    133     const secp256k1_keypair *keypair,
    134     const unsigned char *aux_rand32
    135 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
    136   SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead");
    137 
    138 /** Create a Schnorr signature with a more flexible API.
    139  *
    140  *  Same arguments as secp256k1_schnorrsig_sign except that it allows signing
    141  *  variable length messages and accepts a pointer to an extraparams object that
    142  *  allows customizing signing by passing additional arguments.
    143  *
    144  *  Equivalent to secp256k1_schnorrsig_sign32(..., aux_rand32) if msglen is 32
    145  *  and extraparams is initialized as follows:
    146  *  ```
    147  *  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
    148  *  extraparams.ndata = (unsigned char*)aux_rand32;
    149  *  ```
    150  *
    151  *  Returns 1 on success, 0 on failure.
    152  *  Args:   ctx: pointer to a context object (not secp256k1_context_static).
    153  *  Out:  sig64: pointer to a 64-byte array to store the serialized signature.
    154  *  In:     msg: the message being signed. Can only be NULL if msglen is 0.
    155  *       msglen: length of the message.
    156  *      keypair: pointer to an initialized keypair.
    157  *  extraparams: pointer to an extraparams object (can be NULL).
    158  */
    159 SECP256K1_API int secp256k1_schnorrsig_sign_custom(
    160     const secp256k1_context *ctx,
    161     unsigned char *sig64,
    162     const unsigned char *msg,
    163     size_t msglen,
    164     const secp256k1_keypair *keypair,
    165     secp256k1_schnorrsig_extraparams *extraparams
    166 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
    167 
    168 /** Verify a Schnorr signature.
    169  *
    170  *  Returns: 1: correct signature
    171  *           0: incorrect signature
    172  *  Args:    ctx: a secp256k1 context object.
    173  *  In:    sig64: pointer to the 64-byte signature to verify.
    174  *           msg: the message being verified. Can only be NULL if msglen is 0.
    175  *        msglen: length of the message
    176  *        pubkey: pointer to an x-only public key to verify with (cannot be NULL)
    177  */
    178 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
    179     const secp256k1_context *ctx,
    180     const unsigned char *sig64,
    181     const unsigned char *msg,
    182     size_t msglen,
    183     const secp256k1_xonly_pubkey *pubkey
    184 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
    185 
    186 #ifdef __cplusplus
    187 }
    188 #endif
    189 
    190 #endif /* SECP256K1_SCHNORRSIG_H */