Alien-libsecp256k1
view release on metacpan or search on metacpan
libsecp256k1/src/modules/musig/session_impl.h view on Meta::CPAN
#define SECP256K1_MODULE_MUSIG_SESSION_IMPL_H
#include <string.h>
#include "../../../include/secp256k1.h"
#include "../../../include/secp256k1_extrakeys.h"
#include "../../../include/secp256k1_musig.h"
#include "keyagg.h"
#include "session.h"
#include "../../eckey.h"
#include "../../hash.h"
#include "../../scalar.h"
#include "../../util.h"
/* Outputs 33 zero bytes if the given group element is the point at infinity and
* otherwise outputs the compressed serialization */
static void secp256k1_musig_ge_serialize_ext(unsigned char *out33, secp256k1_ge* ge) {
if (secp256k1_ge_is_infinity(ge)) {
memset(out33, 0, 33);
} else {
int ret;
size_t size = 33;
ret = secp256k1_eckey_pubkey_serialize(ge, out33, &size, 1);
#ifdef VERIFY
/* Serialize must succeed because the point is not at infinity */
VERIFY_CHECK(ret && size == 33);
#else
(void) ret;
#endif
}
}
/* Outputs the point at infinity if the given byte array is all zero, otherwise
* attempts to parse compressed point serialization. */
static int secp256k1_musig_ge_parse_ext(secp256k1_ge* ge, const unsigned char *in33) {
unsigned char zeros[33] = { 0 };
if (secp256k1_memcmp_var(in33, zeros, sizeof(zeros)) == 0) {
secp256k1_ge_set_infinity(ge);
return 1;
}
if (!secp256k1_eckey_pubkey_parse(ge, in33, 33)) {
return 0;
}
return secp256k1_ge_is_in_correct_subgroup(ge);
}
static const unsigned char secp256k1_musig_secnonce_magic[4] = { 0x22, 0x0e, 0xdc, 0xf1 };
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk) {
memcpy(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4);
secp256k1_scalar_get_b32(&secnonce->data[4], &k[0]);
secp256k1_scalar_get_b32(&secnonce->data[36], &k[1]);
secp256k1_ge_to_bytes(&secnonce->data[68], pk);
}
static int secp256k1_musig_secnonce_load(const secp256k1_context* ctx, secp256k1_scalar *k, secp256k1_ge *pk, const secp256k1_musig_secnonce *secnonce) {
int is_zero;
ARG_CHECK(secp256k1_memcmp_var(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4) == 0);
/* We make very sure that the nonce isn't invalidated by checking the values
* in addition to the magic. */
is_zero = secp256k1_is_zero_array(&secnonce->data[4], 2 * 32);
secp256k1_declassify(ctx, &is_zero, sizeof(is_zero));
ARG_CHECK(!is_zero);
secp256k1_scalar_set_b32(&k[0], &secnonce->data[4], NULL);
secp256k1_scalar_set_b32(&k[1], &secnonce->data[36], NULL);
secp256k1_ge_from_bytes(pk, &secnonce->data[68]);
return 1;
}
/* If flag is true, invalidate the secnonce; otherwise leave it. Constant-time. */
static void secp256k1_musig_secnonce_invalidate(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, int flag) {
secp256k1_memczero(secnonce->data, sizeof(secnonce->data), flag);
/* The flag argument is usually classified. So, the line above makes the
* magic and public key classified. However, we need both to be
* declassified. Note that we don't declassify the entire object, because if
* flag is 0, then k[0] and k[1] have not been zeroed. */
secp256k1_declassify(ctx, secnonce->data, sizeof(secp256k1_musig_secnonce_magic));
secp256k1_declassify(ctx, &secnonce->data[68], 64);
}
static const unsigned char secp256k1_musig_pubnonce_magic[4] = { 0xf5, 0x7a, 0x3d, 0xa0 };
/* Saves two group elements into a pubnonce. Requires that none of the provided
* group elements is infinity. */
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce* nonce, const secp256k1_ge* ges) {
int i;
memcpy(&nonce->data[0], secp256k1_musig_pubnonce_magic, 4);
for (i = 0; i < 2; i++) {
secp256k1_ge_to_bytes(nonce->data + 4+64*i, &ges[i]);
}
}
/* Loads two group elements from a pubnonce. Returns 1 unless the nonce wasn't
* properly initialized */
static int secp256k1_musig_pubnonce_load(const secp256k1_context* ctx, secp256k1_ge* ges, const secp256k1_musig_pubnonce* nonce) {
int i;
ARG_CHECK(secp256k1_memcmp_var(&nonce->data[0], secp256k1_musig_pubnonce_magic, 4) == 0);
for (i = 0; i < 2; i++) {
secp256k1_ge_from_bytes(&ges[i], nonce->data + 4 + 64*i);
}
return 1;
}
static const unsigned char secp256k1_musig_aggnonce_magic[4] = { 0xa8, 0xb7, 0xe4, 0x67 };
static void secp256k1_musig_aggnonce_save(secp256k1_musig_aggnonce* nonce, const secp256k1_ge* ges) {
int i;
memcpy(&nonce->data[0], secp256k1_musig_aggnonce_magic, 4);
for (i = 0; i < 2; i++) {
secp256k1_ge_to_bytes_ext(&nonce->data[4 + 64*i], &ges[i]);
}
}
static int secp256k1_musig_aggnonce_load(const secp256k1_context* ctx, secp256k1_ge* ges, const secp256k1_musig_aggnonce* nonce) {
int i;
ARG_CHECK(secp256k1_memcmp_var(&nonce->data[0], secp256k1_musig_aggnonce_magic, 4) == 0);
for (i = 0; i < 2; i++) {
secp256k1_ge_from_bytes_ext(&ges[i], &nonce->data[4 + 64*i]);
}
return 1;
}
static const unsigned char secp256k1_musig_session_cache_magic[4] = { 0x9d, 0xed, 0xe9, 0x17 };
/* A session consists of
* - 4 byte session cache magic
* - 1 byte the parity of the final nonce
* - 32 byte serialized x-only final nonce
* - 32 byte nonce coefficient b
libsecp256k1/src/modules/musig/session_impl.h view on Meta::CPAN
secp256k1_scalar_set_b32(&k[i], buf, NULL);
/* Attempt to erase secret data */
secp256k1_memclear(buf, sizeof(buf));
secp256k1_sha256_clear(&sha_tmp);
}
secp256k1_memclear(rand, sizeof(rand));
secp256k1_sha256_clear(&sha);
}
static int secp256k1_musig_nonce_gen_internal(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, const unsigned char *input_nonce, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const u...
secp256k1_scalar k[2];
secp256k1_ge nonce_pts[2];
int i;
unsigned char pk_ser[33];
size_t pk_ser_len = sizeof(pk_ser);
unsigned char aggpk_ser[32];
unsigned char *aggpk_ser_ptr = NULL;
secp256k1_ge pk;
int pk_serialize_success;
int ret = 1;
ARG_CHECK(pubnonce != NULL);
memset(pubnonce, 0, sizeof(*pubnonce));
ARG_CHECK(pubkey != NULL);
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
/* Check that the seckey is valid to be able to sign for it later. */
if (seckey != NULL) {
secp256k1_scalar sk;
ret &= secp256k1_scalar_set_b32_seckey(&sk, seckey);
secp256k1_scalar_clear(&sk);
}
if (keyagg_cache != NULL) {
secp256k1_keyagg_cache_internal cache_i;
if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) {
return 0;
}
/* The loaded point cache_i.pk can not be the point at infinity. */
secp256k1_fe_get_b32(aggpk_ser, &cache_i.pk.x);
aggpk_ser_ptr = aggpk_ser;
}
if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {
return 0;
}
pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, 1);
#ifdef VERIFY
/* A pubkey cannot be the point at infinity */
VERIFY_CHECK(pk_serialize_success);
VERIFY_CHECK(pk_ser_len == sizeof(pk_ser));
#else
(void) pk_serialize_success;
#endif
secp256k1_nonce_function_musig(k, input_nonce, msg32, seckey, pk_ser, aggpk_ser_ptr, extra_input32);
VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[0]));
VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[1]));
secp256k1_musig_secnonce_save(secnonce, k, &pk);
secp256k1_musig_secnonce_invalidate(ctx, secnonce, !ret);
for (i = 0; i < 2; i++) {
secp256k1_gej nonce_ptj;
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_ptj, &k[i]);
secp256k1_ge_set_gej(&nonce_pts[i], &nonce_ptj);
secp256k1_declassify(ctx, &nonce_pts[i], sizeof(nonce_pts[i]));
secp256k1_scalar_clear(&k[i]);
secp256k1_gej_clear(&nonce_ptj);
}
/* None of the nonce_pts will be infinity because k != 0 with overwhelming
* probability */
secp256k1_musig_pubnonce_save(pubnonce, nonce_pts);
return ret;
}
int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *ms...
int ret = 1;
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(secnonce != NULL);
memset(secnonce, 0, sizeof(*secnonce));
ARG_CHECK(session_secrand32 != NULL);
/* Check in constant time that the session_secrand32 is not 0 as a
* defense-in-depth measure that may protect against a faulty RNG. */
ret &= !secp256k1_is_zero_array(session_secrand32, 32);
/* We can declassify because branching on ret is only relevant when this
* function called with an invalid session_secrand32 argument */
secp256k1_declassify(ctx, &ret, sizeof(ret));
if (ret == 0) {
secp256k1_musig_secnonce_invalidate(ctx, secnonce, 1);
return 0;
}
ret &= secp256k1_musig_nonce_gen_internal(ctx, secnonce, pubnonce, session_secrand32, seckey, pubkey, msg32, keyagg_cache, extra_input32);
/* Set the session_secrand32 buffer to zero to prevent the caller from using
* nonce_gen multiple times with the same buffer. */
secp256k1_memczero(session_secrand32, 32, ret);
return ret;
}
int secp256k1_musig_nonce_gen_counter(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig...
unsigned char buf[32] = { 0 };
unsigned char seckey[32];
secp256k1_pubkey pubkey;
int ret;
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(secnonce != NULL);
memset(secnonce, 0, sizeof(*secnonce));
ARG_CHECK(keypair != NULL);
secp256k1_write_be64(buf, nonrepeating_cnt);
/* keypair_sec and keypair_pub do not fail if the arguments are not NULL */
ret = secp256k1_keypair_sec(ctx, seckey, keypair);
VERIFY_CHECK(ret);
ret = secp256k1_keypair_pub(ctx, &pubkey, keypair);
VERIFY_CHECK(ret);
#ifndef VERIFY
(void) ret;
#endif
if (!secp256k1_musig_nonce_gen_internal(ctx, secnonce, pubnonce, buf, seckey, &pubkey, msg32, keyagg_cache, extra_input32)) {
return 0;
}
secp256k1_memclear(seckey, sizeof(seckey));
return 1;
}
static int secp256k1_musig_sum_pubnonces(const secp256k1_context* ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce * const* pubnonces, size_t n_pubnonces) {
size_t i;
int j;
secp256k1_gej_set_infinity(&summed_pubnonces[0]);
secp256k1_gej_set_infinity(&summed_pubnonces[1]);
for (i = 0; i < n_pubnonces; i++) {
secp256k1_ge nonce_pts[2];
if (!secp256k1_musig_pubnonce_load(ctx, nonce_pts, pubnonces[i])) {
return 0;
}
for (j = 0; j < 2; j++) {
secp256k1_gej_add_ge_var(&summed_pubnonces[j], &summed_pubnonces[j], &nonce_pts[j], NULL);
}
}
return 1;
}
int secp256k1_musig_nonce_agg(const secp256k1_context* ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce * const* pubnonces, size_t n_pubnonces) {
secp256k1_gej aggnonce_ptsj[2];
( run in 1.499 second using v1.01-cache-2.11-cpan-62a16548d74 )