secp256k1-zkp/src/modules/recovery/main_impl.h

/**********************************************************************
 * Copyright (c) 2013-2015 Pieter Wuille                              *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#ifndef _SECP256K1_MODULE_RECOVERY_MAIN_
#define _SECP256K1_MODULE_RECOVERY_MAIN_

#include "include/secp256k1_recovery.h"

static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context_t* ctx, secp256k1_scalar_t* r, secp256k1_scalar_t* s, int* recid, const secp256k1_ecdsa_recoverable_signature_t* sig) {
    (void)ctx;
    if (sizeof(secp256k1_scalar_t) == 32) {
        /* When the secp256k1_scalar_t type is exactly 32 byte, use its
         * representation inside secp256k1_ecdsa_signature_t, as conversion is very fast.
         * Note that secp256k1_ecdsa_signature_save must use the same representation. */
        memcpy(r, &sig->data[0], 32);
        memcpy(s, &sig->data[32], 32);
    } else {
        secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
        secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
    }
    *recid = sig->data[64];
}

static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature_t* sig, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, int recid) {
    if (sizeof(secp256k1_scalar_t) == 32) {
        memcpy(&sig->data[0], r, 32);
        memcpy(&sig->data[32], s, 32);
    } else {
        secp256k1_scalar_get_b32(&sig->data[0], r);
        secp256k1_scalar_get_b32(&sig->data[32], s);
    }
    sig->data[64] = recid;
}

int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context_t* ctx, secp256k1_ecdsa_recoverable_signature_t* sig, const unsigned char *input64, int recid) {
    secp256k1_scalar_t r, s;
    int ret = 1;
    int overflow = 0;

    (void)ctx;
    ARG_CHECK(sig != NULL);
    ARG_CHECK(input64 != NULL);
    ARG_CHECK(recid >= 0 && recid <= 3);

    secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
    ret &= !overflow;
    secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
    ret &= !overflow;
    if (ret) {
        secp256k1_ecdsa_recoverable_signature_save(sig, &r, &s, recid);
    } else {
        memset(sig, 0, sizeof(*sig));
    }
    return ret;
}

int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context_t* ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature_t* sig) {
    secp256k1_scalar_t r, s;

    (void)ctx;
    ARG_CHECK(output64 != NULL);
    ARG_CHECK(sig != NULL);

    secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);
    secp256k1_scalar_get_b32(&output64[0], &r);
    secp256k1_scalar_get_b32(&output64[32], &s);
    return 1;
}

int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const secp256k1_ecdsa_recoverable_signature_t* sigin) {
    secp256k1_scalar_t r, s;
    int recid;

    (void)ctx;
    ARG_CHECK(sig != NULL);
    ARG_CHECK(sigin != NULL);

    secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);
    secp256k1_ecdsa_signature_save(sig, &r, &s);
    return 1;
}

int secp256k1_ecdsa_sign_recoverable(const secp256k1_context_t* ctx, const unsigned char *msg32, secp256k1_ecdsa_recoverable_signature_t *signature, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata) {
    secp256k1_scalar_t r, s;
    secp256k1_scalar_t sec, non, msg;
    int recid;
    int ret = 0;
    int overflow = 0;
    unsigned int count = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(seckey != NULL);
    if (noncefp == NULL) {
        noncefp = secp256k1_nonce_function_default;
    }

    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
    /* Fail if the secret key is invalid. */
    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
        secp256k1_scalar_set_b32(&msg, msg32, NULL);
        while (1) {
            unsigned char nonce32[32];
            ret = noncefp(nonce32, msg32, seckey, NULL, count, noncedata);
            if (!ret) {
                break;
            }
            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
            memset(nonce32, 0, 32);
            if (!secp256k1_scalar_is_zero(&non) && !overflow) {
                if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
                    break;
                }
            }
            count++;
        }
        secp256k1_scalar_clear(&msg);
        secp256k1_scalar_clear(&non);
        secp256k1_scalar_clear(&sec);
    }
    if (ret) {
        secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
    } else {
        memset(signature, 0, sizeof(*signature));
    }
    return ret;
}

int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char *msg32, const secp256k1_ecdsa_recoverable_signature_t *signature, secp256k1_pubkey_t *pubkey) {
    secp256k1_ge_t q;
    secp256k1_scalar_t r, s;
    secp256k1_scalar_t m;
    int recid;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(pubkey != NULL);

    secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
    ARG_CHECK(recid >= 0 && recid < 4);
    secp256k1_scalar_set_b32(&m, msg32, NULL);
    if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
        secp256k1_pubkey_save(pubkey, &q);
        return 1;
    } else {
        memset(pubkey, 0, sizeof(*pubkey));
        return 0;
    }
}

#endif
Move pubkey recovery code to separate module 2015-08-27 03:42:57 +02:00			`/**********************************************************************`
			`* Copyright (c) 2013-2015 Pieter Wuille *`
			`* Distributed under the MIT software license, see the accompanying *`
			`* file COPYING or http://www.opensource.org/licenses/mit-license.php.*`
			`**********************************************************************/`

			`#ifndef _SECP256K1_MODULE_RECOVERY_MAIN_`
			`#define _SECP256K1_MODULE_RECOVERY_MAIN_`

			`#include "include/secp256k1_recovery.h"`

			`static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context_t* ctx, secp256k1_scalar_t* r, secp256k1_scalar_t* s, int* recid, const secp256k1_ecdsa_recoverable_signature_t* sig) {`
			`(void)ctx;`
			`if (sizeof(secp256k1_scalar_t) == 32) {`
			`/* When the secp256k1_scalar_t type is exactly 32 byte, use its`
			`* representation inside secp256k1_ecdsa_signature_t, as conversion is very fast.`
			`* Note that secp256k1_ecdsa_signature_save must use the same representation. */`
			`memcpy(r, &sig->data[0], 32);`
			`memcpy(s, &sig->data[32], 32);`
			`} else {`
			`secp256k1_scalar_set_b32(r, &sig->data[0], NULL);`
			`secp256k1_scalar_set_b32(s, &sig->data[32], NULL);`
			`}`
			`*recid = sig->data[64];`
			`}`

			`static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature_t* sig, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, int recid) {`
			`if (sizeof(secp256k1_scalar_t) == 32) {`
			`memcpy(&sig->data[0], r, 32);`
			`memcpy(&sig->data[32], s, 32);`
			`} else {`
			`secp256k1_scalar_get_b32(&sig->data[0], r);`
			`secp256k1_scalar_get_b32(&sig->data[32], s);`
			`}`
			`sig->data[64] = recid;`
			`}`

			`int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context_t* ctx, secp256k1_ecdsa_recoverable_signature_t* sig, const unsigned char *input64, int recid) {`
			`secp256k1_scalar_t r, s;`
			`int ret = 1;`
			`int overflow = 0;`

			`(void)ctx;`
			`ARG_CHECK(sig != NULL);`
			`ARG_CHECK(input64 != NULL);`
			`ARG_CHECK(recid >= 0 && recid <= 3);`

			`secp256k1_scalar_set_b32(&r, &input64[0], &overflow);`
			`ret &= !overflow;`
			`secp256k1_scalar_set_b32(&s, &input64[32], &overflow);`
			`ret &= !overflow;`
			`if (ret) {`
			`secp256k1_ecdsa_recoverable_signature_save(sig, &r, &s, recid);`
			`} else {`
			`memset(sig, 0, sizeof(*sig));`
			`}`
			`return ret;`
			`}`

			`int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context_t* ctx, unsigned char output64, int recid, const secp256k1_ecdsa_recoverable_signature_t* sig) {`
			`secp256k1_scalar_t r, s;`

			`(void)ctx;`
			`ARG_CHECK(output64 != NULL);`
			`ARG_CHECK(sig != NULL);`

			`secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig);`
			`secp256k1_scalar_get_b32(&output64[0], &r);`
			`secp256k1_scalar_get_b32(&output64[32], &s);`
			`return 1;`
			`}`

			`int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const secp256k1_ecdsa_recoverable_signature_t* sigin) {`
			`secp256k1_scalar_t r, s;`
			`int recid;`

			`(void)ctx;`
			`ARG_CHECK(sig != NULL);`
			`ARG_CHECK(sigin != NULL);`

			`secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin);`
			`secp256k1_ecdsa_signature_save(sig, &r, &s);`
			`return 1;`
			`}`

			`int secp256k1_ecdsa_sign_recoverable(const secp256k1_context_t* ctx, const unsigned char msg32, secp256k1_ecdsa_recoverable_signature_t signature, const unsigned char seckey, secp256k1_nonce_function_t noncefp, const void noncedata) {`
			`secp256k1_scalar_t r, s;`
			`secp256k1_scalar_t sec, non, msg;`
			`int recid;`
			`int ret = 0;`
			`int overflow = 0;`
			`unsigned int count = 0;`
			`ARG_CHECK(ctx != NULL);`
			`ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));`
			`ARG_CHECK(msg32 != NULL);`
			`ARG_CHECK(signature != NULL);`
			`ARG_CHECK(seckey != NULL);`
			`if (noncefp == NULL) {`
			`noncefp = secp256k1_nonce_function_default;`
			`}`

			`secp256k1_scalar_set_b32(&sec, seckey, &overflow);`
			`/* Fail if the secret key is invalid. */`
			`if (!overflow && !secp256k1_scalar_is_zero(&sec)) {`
			`secp256k1_scalar_set_b32(&msg, msg32, NULL);`
			`while (1) {`
			`unsigned char nonce32[32];`
			`ret = noncefp(nonce32, msg32, seckey, NULL, count, noncedata);`
			`if (!ret) {`
			`break;`
			`}`
			`secp256k1_scalar_set_b32(&non, nonce32, &overflow);`
			`memset(nonce32, 0, 32);`
			`if (!secp256k1_scalar_is_zero(&non) && !overflow) {`
			`if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {`
			`break;`
			`}`
			`}`
			`count++;`
			`}`
			`secp256k1_scalar_clear(&msg);`
			`secp256k1_scalar_clear(&non);`
			`secp256k1_scalar_clear(&sec);`
			`}`
			`if (ret) {`
			`secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);`
			`} else {`
			`memset(signature, 0, sizeof(*signature));`
			`}`
			`return ret;`
			`}`

			`int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char msg32, const secp256k1_ecdsa_recoverable_signature_t signature, secp256k1_pubkey_t *pubkey) {`
			`secp256k1_ge_t q;`
			`secp256k1_scalar_t r, s;`
			`secp256k1_scalar_t m;`
			`int recid;`
			`ARG_CHECK(ctx != NULL);`
			`ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));`
			`ARG_CHECK(msg32 != NULL);`
			`ARG_CHECK(signature != NULL);`
			`ARG_CHECK(pubkey != NULL);`

			`secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);`
			`ARG_CHECK(recid >= 0 && recid < 4);`
			`secp256k1_scalar_set_b32(&m, msg32, NULL);`
			`if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {`
			`secp256k1_pubkey_save(pubkey, &q);`
			`return 1;`
			`} else {`
			`memset(pubkey, 0, sizeof(*pubkey));`
			`return 0;`
			`}`
			`}`

			`#endif`