You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

secp256k1_schnorr.h 8.1KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
  1. #ifndef _SECP256K1_SCHNORR_
  2. # define _SECP256K1_SCHNORR_
  3. # include "secp256k1.h"
  4. # ifdef __cplusplus
  5. extern "C" {
  6. # endif
  7. /** Create a signature using a custom EC-Schnorr-SHA256 construction. It
  8. * produces non-malleable 64-byte signatures which support public key recovery
  9. * batch validation, and multiparty signing.
  10. * Returns: 1: signature created
  11. * 0: the nonce generation function failed, or the private key was
  12. * invalid.
  13. * Args: ctx: pointer to a context object, initialized for signing
  14. * (cannot be NULL)
  15. * Out: sig64: pointer to a 64-byte array where the signature will be
  16. * placed (cannot be NULL)
  17. * In: msg32: the 32-byte message hash being signed (cannot be NULL)
  18. * seckey: pointer to a 32-byte secret key (cannot be NULL)
  19. * noncefp:pointer to a nonce generation function. If NULL,
  20. * secp256k1_nonce_function_default is used
  21. * ndata: pointer to arbitrary data used by the nonce generation
  22. * function (can be NULL)
  23. */
  24. SECP256K1_API int secp256k1_schnorr_sign(
  25. const secp256k1_context* ctx,
  26. unsigned char *sig64,
  27. const unsigned char *msg32,
  28. const unsigned char *seckey,
  29. secp256k1_nonce_function noncefp,
  30. const void *ndata
  31. ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
  32. /** Verify a signature created by secp256k1_schnorr_sign.
  33. * Returns: 1: correct signature
  34. * 0: incorrect signature
  35. * Args: ctx: a secp256k1 context object, initialized for verification.
  36. * In: sig64: the 64-byte signature being verified (cannot be NULL)
  37. * msg32: the 32-byte message hash being verified (cannot be NULL)
  38. * pubkey: the public key to verify with (cannot be NULL)
  39. */
  40. SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify(
  41. const secp256k1_context* ctx,
  42. const unsigned char *sig64,
  43. const unsigned char *msg32,
  44. const secp256k1_pubkey *pubkey
  45. ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
  46. /** Recover an EC public key from a Schnorr signature created using
  47. * secp256k1_schnorr_sign.
  48. * Returns: 1: public key successfully recovered (which guarantees a correct
  49. * signature).
  50. * 0: otherwise.
  51. * Args: ctx: pointer to a context object, initialized for
  52. * verification (cannot be NULL)
  53. * Out: pubkey: pointer to a pubkey to set to the recovered public key
  54. * (cannot be NULL).
  55. * In: sig64: signature as 64 byte array (cannot be NULL)
  56. * msg32: the 32-byte message hash assumed to be signed (cannot
  57. * be NULL)
  58. */
  59. SECP256K1_API int secp256k1_schnorr_recover(
  60. const secp256k1_context* ctx,
  61. secp256k1_pubkey *pubkey,
  62. const unsigned char *sig64,
  63. const unsigned char *msg32
  64. ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
  65. /** Generate a nonce pair deterministically for use with
  66. * secp256k1_schnorr_partial_sign.
  67. * Returns: 1: valid nonce pair was generated.
  68. * 0: otherwise (nonce generation function failed)
  69. * Args: ctx: pointer to a context object, initialized for signing
  70. * (cannot be NULL)
  71. * Out: pubnonce: public side of the nonce (cannot be NULL)
  72. * privnonce32: private side of the nonce (32 byte) (cannot be NULL)
  73. * In: msg32: the 32-byte message hash assumed to be signed (cannot
  74. * be NULL)
  75. * sec32: the 32-byte private key (cannot be NULL)
  76. * noncefp: pointer to a nonce generation function. If NULL,
  77. * secp256k1_nonce_function_default is used
  78. * noncedata: pointer to arbitrary data used by the nonce generation
  79. * function (can be NULL)
  80. *
  81. * Do not use the output as a private/public key pair for signing/validation.
  82. */
  83. SECP256K1_API int secp256k1_schnorr_generate_nonce_pair(
  84. const secp256k1_context* ctx,
  85. secp256k1_pubkey *pubnonce,
  86. unsigned char *privnonce32,
  87. const unsigned char *msg32,
  88. const unsigned char *sec32,
  89. secp256k1_nonce_function noncefp,
  90. const void* noncedata
  91. ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
  92. /** Produce a partial Schnorr signature, which can be combined using
  93. * secp256k1_schnorr_partial_combine, to end up with a full signature that is
  94. * verifiable using secp256k1_schnorr_verify.
  95. * Returns: 1: signature created successfully.
  96. * 0: no valid signature exists with this combination of keys, nonces
  97. * and message (chance around 1 in 2^128)
  98. * -1: invalid private key, nonce, or public nonces.
  99. * Args: ctx: pointer to context object, initialized for signing (cannot
  100. * be NULL)
  101. * Out: sig64: pointer to 64-byte array to put partial signature in
  102. * In: msg32: pointer to 32-byte message to sign
  103. * sec32: pointer to 32-byte private key
  104. * pubnonce_others: pointer to pubkey containing the sum of the other's
  105. * nonces (see secp256k1_ec_pubkey_combine)
  106. * secnonce32: pointer to 32-byte array containing our nonce
  107. *
  108. * The intended procedure for creating a multiparty signature is:
  109. * - Each signer S[i] with private key x[i] and public key Q[i] runs
  110. * secp256k1_schnorr_generate_nonce_pair to produce a pair (k[i],R[i]) of
  111. * private/public nonces.
  112. * - All signers communicate their public nonces to each other (revealing your
  113. * private nonce can lead to discovery of your private key, so it should be
  114. * considered secret).
  115. * - All signers combine all the public nonces they received (excluding their
  116. * own) using secp256k1_ec_pubkey_combine to obtain an
  117. * Rall[i] = sum(R[0..i-1,i+1..n]).
  118. * - All signers produce a partial signature using
  119. * secp256k1_schnorr_partial_sign, passing in their own private key x[i],
  120. * their own private nonce k[i], and the sum of the others' public nonces
  121. * Rall[i].
  122. * - All signers communicate their partial signatures to each other.
  123. * - Someone combines all partial signatures using
  124. * secp256k1_schnorr_partial_combine, to obtain a full signature.
  125. * - The resulting signature is validatable using secp256k1_schnorr_verify, with
  126. * public key equal to the result of secp256k1_ec_pubkey_combine of the
  127. * signers' public keys (sum(Q[0..n])).
  128. *
  129. * Note that secp256k1_schnorr_partial_combine and secp256k1_ec_pubkey_combine
  130. * function take their arguments in any order, and it is possible to
  131. * pre-combine several inputs already with one call, and add more inputs later
  132. * by calling the function again (they are commutative and associative).
  133. */
  134. SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_partial_sign(
  135. const secp256k1_context* ctx,
  136. unsigned char *sig64,
  137. const unsigned char *msg32,
  138. const unsigned char *sec32,
  139. const secp256k1_pubkey *pubnonce_others,
  140. const unsigned char *secnonce32
  141. ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
  142. /** Combine multiple Schnorr partial signatures.
  143. * Returns: 1: the passed signatures were successfully combined.
  144. * 0: the resulting signature is not valid (chance of 1 in 2^256)
  145. * -1: some inputs were invalid, or the signatures were not created
  146. * using the same set of nonces
  147. * Args: ctx: pointer to a context object
  148. * Out: sig64: pointer to a 64-byte array to place the combined signature
  149. * (cannot be NULL)
  150. * In: sig64sin: pointer to an array of n pointers to 64-byte input
  151. * signatures
  152. * n: the number of signatures to combine (at least 1)
  153. */
  154. SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_partial_combine(
  155. const secp256k1_context* ctx,
  156. unsigned char *sig64,
  157. const unsigned char * const * sig64sin,
  158. size_t n
  159. ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
  160. # ifdef __cplusplus
  161. }
  162. # endif
  163. #endif