initial commit

1 files changed, 190 insertions, 0 deletions

diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h
new file mode 100644
index 0000000..5c338f4
--- /dev/null
+++ b/include/secp256k1_schnorrsig.h
@@ -0,0 +1,190 @@
+#ifndef SECP256K1_SCHNORRSIG_H
+#define SECP256K1_SCHNORRSIG_H
+
+#include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+    /** This module implements a variant of Schnorr signatures compliant with
+     *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
+     *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
+     */
+
+     /** A pointer to a function to deterministically generate a nonce.
+      *
+      *  Same as secp256k1_nonce function with the exception of accepting an
+      *  additional pubkey argument and not requiring an attempt argument. The pubkey
+      *  argument can protect signature schemes with key-prefixed challenge hash
+      *  inputs against reusing the nonce when signing with the wrong precomputed
+      *  pubkey.
+      *
+      *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
+      *           return an error.
+      *  Out:  nonce32: pointer to a 32-byte array to be filled by the function
+      *  In:       msg: the message being verified. Is NULL if and only if msglen
+      *                 is 0.
+      *         msglen: the length of the message
+      *          key32: pointer to a 32-byte secret key (will not be NULL)
+      *     xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32
+      *                 (will not be NULL)
+      *           algo: pointer to an array describing the signature
+      *                 algorithm (will not be NULL)
+      *        algolen: the length of the algo array
+      *           data: arbitrary data pointer that is passed through
+      *
+      *  Except for test cases, this function should compute some cryptographic hash of
+      *  the message, the key, the pubkey, the algorithm description, and data.
+      */
+    typedef int (*secp256k1_nonce_function_hardened)(
+        unsigned char* nonce32,
+        const unsigned char* msg,
+        size_t msglen,
+        const unsigned char* key32,
+        const unsigned char* xonly_pk32,
+        const unsigned char* algo,
+        size_t algolen,
+        void* data
+        );
+
+    /** An implementation of the nonce generation function as defined in Bitcoin
+     *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
+     *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
+     *
+     *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
+     *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
+     *  the nonce derivation procedure follows BIP-340 by setting the auxiliary
+     *  random data to zero. The algo argument must be non-NULL, otherwise the
+     *  function will fail and return 0. The hash will be tagged with algo.
+     *  Therefore, to create BIP-340 compliant signatures, algo must be set to
+     *  "BIP0340/nonce" and algolen to 13.
+     */
+    SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;
+
+    /** Data structure that contains additional arguments for schnorrsig_sign_custom.
+     *
+     *  A schnorrsig_extraparams structure object can be initialized correctly by
+     *  setting it to SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT.
+     *
+     *  Members:
+     *      magic: set to SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC at initialization
+     *             and has no other function than making sure the object is
+     *             initialized.
+     *    noncefp: pointer to a nonce generation function. If NULL,
+     *             secp256k1_nonce_function_bip340 is used
+     *      ndata: pointer to arbitrary data used by the nonce generation function
+     *             (can be NULL). If it is non-NULL and
+     *             secp256k1_nonce_function_bip340 is used, then ndata must be a
+     *             pointer to 32-byte auxiliary randomness as per BIP-340.
+     */
+    typedef struct {
+        unsigned char magic[4];
+        secp256k1_nonce_function_hardened noncefp;
+        void* ndata;
+    } secp256k1_schnorrsig_extraparams;
+
+#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC { 0xda, 0x6f, 0xb3, 0x8c }
+#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT {\
+    SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC,\
+    NULL,\
+    NULL\
+}
+
+    /** Create a Schnorr signature.
+     *
+     *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
+     *  signature. Instead, you can manually use secp256k1_schnorrsig_verify and
+     *  abort if it fails.
+     *
+     *  This function only signs 32-byte messages. If you have messages of a
+     *  different size (or the same size but without a context-specific tag
+     *  prefix), it is recommended to create a 32-byte message hash with
+     *  secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows
+     *  providing an context-specific tag for domain separation. This prevents
+     *  signatures from being valid in multiple contexts by accident.
+     *
+     *  Returns 1 on success, 0 on failure.
+     *  Args:    ctx: pointer to a context object (not secp256k1_context_static).
+     *  Out:   sig64: pointer to a 64-byte array to store the serialized signature.
+     *  In:    msg32: the 32-byte message being signed.
+     *       keypair: pointer to an initialized keypair.
+     *    aux_rand32: 32 bytes of fresh randomness. While recommended to provide
+     *                this, it is only supplemental to security and can be NULL. A
+     *                NULL argument is treated the same as an all-zero one. See
+     *                BIP-340 "Default Signing" for a full explanation of this
+     *                argument and for guidance if randomness is expensive.
+     */
+    SECP256K1_API int secp256k1_schnorrsig_sign32(
+        const secp256k1_context* ctx,
+        unsigned char* sig64,
+        const unsigned char* msg32,
+        const secp256k1_keypair* keypair,
+        const unsigned char* aux_rand32
+    ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+    /** Same as secp256k1_schnorrsig_sign32, but DEPRECATED. Will be removed in
+     *  future versions. */
+    SECP256K1_API int secp256k1_schnorrsig_sign(
+        const secp256k1_context* ctx,
+        unsigned char* sig64,
+        const unsigned char* msg32,
+        const secp256k1_keypair* keypair,
+        const unsigned char* aux_rand32
+    ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
+        SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead");
+
+    /** Create a Schnorr signature with a more flexible API.
+     *
+     *  Same arguments as secp256k1_schnorrsig_sign except that it allows signing
+     *  variable length messages and accepts a pointer to an extraparams object that
+     *  allows customizing signing by passing additional arguments.
+     *
+     *  Equivalent to secp256k1_schnorrsig_sign32(..., aux_rand32) if msglen is 32
+     *  and extraparams is initialized as follows:
+     *  ```
+     *  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
+     *  extraparams.ndata = (unsigned char*)aux_rand32;
+     *  ```
+     *
+     *  Returns 1 on success, 0 on failure.
+     *  Args:   ctx: pointer to a context object (not secp256k1_context_static).
+     *  Out:  sig64: pointer to a 64-byte array to store the serialized signature.
+     *  In:     msg: the message being signed. Can only be NULL if msglen is 0.
+     *       msglen: length of the message.
+     *      keypair: pointer to an initialized keypair.
+     *  extraparams: pointer to an extraparams object (can be NULL).
+     */
+    SECP256K1_API int secp256k1_schnorrsig_sign_custom(
+        const secp256k1_context* ctx,
+        unsigned char* sig64,
+        const unsigned char* msg,
+        size_t msglen,
+        const secp256k1_keypair* keypair,
+        secp256k1_schnorrsig_extraparams* extraparams
+    ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
+
+    /** Verify a Schnorr signature.
+     *
+     *  Returns: 1: correct signature
+     *           0: incorrect signature
+     *  Args:    ctx: pointer to a context object.
+     *  In:    sig64: pointer to the 64-byte signature to verify.
+     *           msg: the message being verified. Can only be NULL if msglen is 0.
+     *        msglen: length of the message
+     *        pubkey: pointer to an x-only public key to verify with
+     */
+    SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
+        const secp256k1_context* ctx,
+        const unsigned char* sig64,
+        const unsigned char* msg,
+        size_t msglen,
+        const secp256k1_xonly_pubkey* pubkey
+    ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_SCHNORRSIG_H */