2 * Copyright (C) 2022 - This file is part of libecc project
14 /* BIP0340 needs SHA-256: check it */
16 #error "Error: BIP0340 needs SHA-256 to be defined! Please define it in libecc config file"
33 * in https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
35 * The BIP0340 signature is only compatible with SHA-256 and secp256k1,
46 const u8 *m, u32 m_len, in _bip0340_hash() argument
56 ret = hm->hfunc_init(h_ctx); EG(ret, err); in _bip0340_hash()
57 ret = hm->hfunc_update(h_ctx, tag, tag_len); EG(ret, err); in _bip0340_hash()
58 ret = hm->hfunc_finalize(h_ctx, hash); EG(ret, err); in _bip0340_hash()
60 /* Now compute hash(hash(tag) || hash(tag) || m) */ in _bip0340_hash()
61 ret = hm->hfunc_init(h_ctx); EG(ret, err); in _bip0340_hash()
62 ret = hm->hfunc_update(h_ctx, hash, hm->digest_size); EG(ret, err); in _bip0340_hash()
63 ret = hm->hfunc_update(h_ctx, hash, hm->digest_size); EG(ret, err); in _bip0340_hash()
64 ret = hm->hfunc_update(h_ctx, m, m_len); EG(ret, err); in _bip0340_hash()
71 /* Set the scalar value depending on the parity bit of the input
86 ret = nn_isone(&(P->Z.fp_val), &isone); EG(ret, err); in _bip0340_set_scalar()
90 ret = nn_isodd(&(P->Y.fp_val), &isodd); EG(ret, err); in _bip0340_set_scalar()
93 /* Replace the input scalar by (q - scalar) in _bip0340_set_scalar()
105 * functions. The function returns 0 on success, -1 on error.
120 G = &(in_priv->params->ec_gen); in bip0340_init_pub_key()
122 ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); in bip0340_init_pub_key()
124 out_pub->key_type = BIP0340; in bip0340_init_pub_key()
125 out_pub->params = in_priv->params; in bip0340_init_pub_key()
126 out_pub->magic = PUB_KEY_MAGIC; in bip0340_init_pub_key()
155 * NOTE: because of the semi-deterministic nonce generation
157 * Hence the following all-in-one signature function.
159 * The function returns 0 on success, -1 on error.
162 const u8 *m, u32 mlen, int (*rand) (nn_t out, nn_src_t q), in _bip0340_sign() argument
204 priv_key = &(key_pair->priv_key); in _bip0340_sign()
205 pub_key = &(key_pair->pub_key); in _bip0340_sign()
206 G = &(priv_key->params->ec_gen); in _bip0340_sign()
207 q = &(priv_key->params->ec_gen_order); in _bip0340_sign()
208 p_bit_len = priv_key->params->ec_fp.p_bitlen; in _bip0340_sign()
209 q_bit_len = priv_key->params->ec_gen_order_bitlen; in _bip0340_sign()
216 ret = prj_pt_copy(&Y, &(pub_key->y)); EG(ret, err); in _bip0340_sign()
220 ret = nn_copy(&d, &(priv_key->x)); EG(ret, err); in _bip0340_sign()
261 ret = _bip0340_hash((const u8*)BIP0340_AUX, sizeof(BIP0340_AUX) - 1, in _bip0340_sign()
263 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
267 if(q_len > hm->digest_size){ in _bip0340_sign()
268 for(i = 0; i < hm->digest_size; i++){ in _bip0340_sign()
271 ret = _bip0340_hash((const u8*)BIP0340_NONCE, sizeof(BIP0340_NONCE) - 1, in _bip0340_sign()
278 ret = _bip0340_hash((const u8*)BIP0340_NONCE, sizeof(BIP0340_NONCE) - 1, in _bip0340_sign()
279 &buff[0], hm->digest_size, hm, &h_ctx); EG(ret, err); in _bip0340_sign()
282 ret = hm->hfunc_update(&h_ctx, &sig[0], p_len); EG(ret, err); in _bip0340_sign()
283 ret = hm->hfunc_update(&h_ctx, m, mlen); EG(ret, err); in _bip0340_sign()
284 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
286 /* Now import the semi-deterministic nonce modulo q */ in _bip0340_sign()
287 ret = nn_init_from_buf(&k, buff, hm->digest_size); EG(ret, err); in _bip0340_sign()
313 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_sign()
317 ret = hm->hfunc_update(&h_ctx, &sig[0], p_len); EG(ret, err); in _bip0340_sign()
319 ret = hm->hfunc_update(&h_ctx, m, mlen); EG(ret, err); in _bip0340_sign()
320 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
321 ret = nn_init_from_buf(&e, buff, hm->digest_size); EG(ret, err); in _bip0340_sign()
373 /* local helper for context sanity checks. Returns 0 on success, -1 on error. */
377 ((A)->magic == BIP0340_VERIFY_MAGIC), ret, err)
381 * The function returns 0 on success, -1 on error.
391 fp *rx; in _bip0340_verify_init() local
398 /* Do some sanity checks on input params */ in _bip0340_verify_init()
399 ret = pub_key_check_initialized_and_type(ctx->pub_key, BIP0340); EG(ret, err); in _bip0340_verify_init()
400 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _bip0340_verify_init()
401 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _bip0340_verify_init()
405 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_init()
408 q = &(ctx->pub_key->params->ec_gen_order); in _bip0340_verify_init()
409 p_bit_len = ctx->pub_key->params->ec_fp.p_bitlen; in _bip0340_verify_init()
410 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in _bip0340_verify_init()
413 s = &(ctx->verify_data.bip0340.s); in _bip0340_verify_init()
414 rx = &(ctx->verify_data.bip0340.r); in _bip0340_verify_init()
423 ret = prj_pt_copy(&Y, &(ctx->pub_key->y)); EG(ret, err); in _bip0340_verify_init()
427 ret = fp_init(rx, ctx->pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_init()
428 ret = fp_import_from_buf(rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_init()
433 dbg_nn_print("r", &(rx->fp_val)); in _bip0340_verify_init()
437 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_init()
438 &sig[0], p_len, ctx->h, in _bip0340_verify_init()
439 &(ctx->verify_data.bip0340.h_ctx)); EG(ret, err); in _bip0340_verify_init()
441 ret = ctx->h->hfunc_update(&(ctx->verify_data.bip0340.h_ctx), &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_init()
444 ctx->verify_data.bip0340.magic = BIP0340_VERIFY_MAGIC; in _bip0340_verify_init()
448 PTR_NULLIFY(rx); in _bip0340_verify_init()
459 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.bip0340), 0, in _bip0340_verify_init()
468 * The function returns 0 on success, -1 on error.
482 BIP0340_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.bip0340), ret, err); in _bip0340_verify_update()
485 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_update()
486 ret = ctx->h->hfunc_update(&(ctx->verify_data.bip0340.h_ctx), chunk, in _bip0340_verify_update()
495 * functions. The function returns 0 on success, -1 on error.
509 BIP0340_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.bip0340), ret, err); in _bip0340_verify_finalize()
512 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_finalize()
519 G = &(ctx->pub_key->params->ec_gen); in _bip0340_verify_finalize()
520 hsize = ctx->h->digest_size; in _bip0340_verify_finalize()
521 q = &(ctx->pub_key->params->ec_gen_order); in _bip0340_verify_finalize()
522 s = &(ctx->verify_data.bip0340.s); in _bip0340_verify_finalize()
523 r = &(ctx->verify_data.bip0340.r); in _bip0340_verify_finalize()
528 ret = prj_pt_copy(&Y, &(ctx->pub_key->y)); EG(ret, err); in _bip0340_verify_finalize()
532 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.bip0340.h_ctx), in _bip0340_verify_finalize()
539 /* Compute s G - e Y */ in _bip0340_verify_finalize()
541 ret = nn_mod_neg(&e, &e, q); EG(ret, err); /* compute -e = (q - e) mod q */ in _bip0340_verify_finalize()
552 dbg_ec_point_print("(s G - e Y)", &sG); in _bip0340_verify_finalize()
563 ret = nn_cmp(&(r->fp_val), &(sG.X.fp_val), &cmp); EG(ret, err); in _bip0340_verify_finalize()
564 ret = (cmp == 0) ? 0 : -1; in _bip0340_verify_finalize()
582 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.bip0340), 0, in _bip0340_verify_finalize()
595 * 32-bit integer manipulation macros (big endian)
627 #define _CHACHA20_ROTL_(x, y) (((x) << (y)) | ((x) >> ((sizeof(u32) * 8) - (y))))
674 GET_UINT32_LE(state[i], key, (4 * (i - 4))); in _bip0340_chacha20_block()
678 GET_UINT32_LE(state[i], nonce, (4 * (i - 13))); in _bip0340_chacha20_block()
733 remain = ((q_len - size) < CHACHA20_MAX_ASKED_LEN) ? (q_len - size): CHACHA20_MAX_ASKED_LEN; in _bip0340_compute_batch_csprng_scalars()
742 scalar[0] &= (u8)((0x1 << (q_bit_len % 8)) - 1); in _bip0340_compute_batch_csprng_scalars()
746 /* Check if the scalar is between 1 and q-1 */ in _bip0340_compute_batch_csprng_scalars()
760 const u8 **m, const u32 *m_len, u32 num, in _bip0340_compute_batch_csprng_seed() argument
773 /* Get our hash mapping for SHA-256 as we need a fixed 256-bit key in _bip0340_compute_batch_csprng_seed()
779 MUST_HAVE((seedlen == hm->digest_size), ret, err); in _bip0340_compute_batch_csprng_seed()
782 * with SHA-256 */ in _bip0340_compute_batch_csprng_seed()
783 ret = hm->hfunc_init(&h_ctx); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
785 ret = fp_export_to_buf(&Pubx[0], p_len, &(pub_keys[i]->y.X)); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
786 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
789 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
792 ret = hm->hfunc_update(&h_ctx, s[i], s_len[i]); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
794 ret = hm->hfunc_finalize(&h_ctx, seed); in _bip0340_compute_batch_csprng_seed()
804 * This returns 0 if *all* the signatures are correct, and -1 if at least
809 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in _bip0340_verify_batch_no_memory() argument
817 fp rx; in _bip0340_verify_batch_no_memory() local
837 rx.magic = WORD(0); in _bip0340_verify_batch_no_memory()
843 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL), ret, err); in _bip0340_verify_batch_no_memory()
858 hsize = hm->digest_size; in _bip0340_verify_batch_no_memory()
871 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _bip0340_verify_batch_no_memory()
873 q = &(pub_key->params->ec_gen_order); in _bip0340_verify_batch_no_memory()
874 shortw_curve = &(pub_key->params->ec_curve); in _bip0340_verify_batch_no_memory()
875 pub_key_y = &(pub_key->y); in _bip0340_verify_batch_no_memory()
876 key_type = pub_key->key_type; in _bip0340_verify_batch_no_memory()
877 G = &(pub_key->params->ec_gen); in _bip0340_verify_batch_no_memory()
878 p_bit_len = pub_key->params->ec_fp.p_bitlen; in _bip0340_verify_batch_no_memory()
879 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _bip0340_verify_batch_no_memory()
903 ret = _bip0340_compute_batch_csprng_seed(s, s_len, pub_keys, m, m_len, num, in _bip0340_verify_batch_no_memory()
908 /* Get a pseudo-random scalar a for randomizing the linear combination */ in _bip0340_verify_batch_no_memory()
917 ret = fp_init(&rx, pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_batch_no_memory()
918 ret = fp_import_from_buf(&rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_batch_no_memory()
923 dbg_nn_print("r", &(rx.fp_val)); in _bip0340_verify_batch_no_memory()
936 /* Compute R from rx */ in _bip0340_verify_batch_no_memory()
937 ret = fp_copy(&(R->X), &rx); EG(ret, err); in _bip0340_verify_batch_no_memory()
938 ret = aff_pt_y_from_x(&(R->Y), &(R->Z), &rx, shortw_curve); EG(ret, err); in _bip0340_verify_batch_no_memory()
940 ret = nn_isodd(&(R->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch_no_memory()
942 ret = fp_copy(&(R->Y), &(R->Z)); EG(ret, err); in _bip0340_verify_batch_no_memory()
944 ret = fp_one(&(R->Z)); EG(ret, err); in _bip0340_verify_batch_no_memory()
962 ret = nn_isodd(&(Y->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch_no_memory()
965 ret = fp_neg(&(Y->Y), &(Y->Y)); EG(ret, err); in _bip0340_verify_batch_no_memory()
969 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_batch_no_memory()
972 ret = fp_export_to_buf(&Pubx[0], p_len, &(Y->X)); EG(ret, err); in _bip0340_verify_batch_no_memory()
973 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_batch_no_memory()
974 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_verify_batch_no_memory()
975 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _bip0340_verify_batch_no_memory()
996 ret = nn_mod_neg(&S_sum, &S_sum, q); EG(ret, err); /* -S_sum = q - S_sum*/ in _bip0340_verify_batch_no_memory()
1003 ret = (iszero == 1) ? 0 : -1; in _bip0340_verify_batch_no_memory()
1022 fp_uninit(&rx); in _bip0340_verify_batch_no_memory()
1028 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in _bip0340_verify_batch() argument
1037 fp rx; in _bip0340_verify_batch() local
1059 rx.magic = WORD(0); in _bip0340_verify_batch()
1065 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL), ret, err); in _bip0340_verify_batch()
1089 … ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _bip0340_verify_batch()
1115 hsize = hm->digest_size; in _bip0340_verify_batch()
1128 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _bip0340_verify_batch()
1130 q = &(pub_key->params->ec_gen_order); in _bip0340_verify_batch()
1131 shortw_curve = &(pub_key->params->ec_curve); in _bip0340_verify_batch()
1132 pub_key_y = &(pub_key->y); in _bip0340_verify_batch()
1133 key_type = pub_key->key_type; in _bip0340_verify_batch()
1134 G = &(pub_key->params->ec_gen); in _bip0340_verify_batch()
1135 p_bit_len = pub_key->params->ec_fp.p_bitlen; in _bip0340_verify_batch()
1136 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _bip0340_verify_batch()
1155 ret = _bip0340_compute_batch_csprng_seed(s, s_len, pub_keys, m, m_len, num, in _bip0340_verify_batch()
1160 /* Get a pseudo-random scalar a for randomizing the linear combination */ in _bip0340_verify_batch()
1169 ret = fp_init(&rx, pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_batch()
1170 ret = fp_import_from_buf(&rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_batch()
1175 dbg_nn_print("r", &(rx.fp_val)); in _bip0340_verify_batch()
1191 /* Compute R from rx */ in _bip0340_verify_batch()
1192 ret = fp_copy(&(R->X), &rx); EG(ret, err); in _bip0340_verify_batch()
1193 ret = aff_pt_y_from_x(&(R->Y), &(R->Z), &rx, shortw_curve); EG(ret, err); in _bip0340_verify_batch()
1195 ret = nn_isodd(&(R->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch()
1197 ret = fp_copy(&(R->Y), &(R->Z)); EG(ret, err); in _bip0340_verify_batch()
1199 ret = fp_one(&(R->Z)); EG(ret, err); in _bip0340_verify_batch()
1220 ret = nn_isodd(&(Y->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch()
1223 ret = fp_neg(&(Y->Y), &(Y->Y)); EG(ret, err); in _bip0340_verify_batch()
1230 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_batch()
1233 ret = fp_export_to_buf(&Pubx[0], p_len, &(Y->X)); EG(ret, err); in _bip0340_verify_batch()
1234 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_batch()
1235 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_verify_batch()
1236 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _bip0340_verify_batch()
1253 /****** Bos-Coster algorithm ****************/ in _bip0340_verify_batch()
1256 if(ret == -2){ in _bip0340_verify_batch()
1257 /* In case of Bos-Coster time out, we fall back to the in _bip0340_verify_batch()
1260 … ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _bip0340_verify_batch()
1271 ret = iszero ? 0 : -1; in _bip0340_verify_batch()
1291 fp_uninit(&rx); in _bip0340_verify_batch()
1297 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in bip0340_verify_batch() argument
1305 ret = _bip0340_verify_batch(s, s_len, pub_keys, m, m_len, num, sig_type, in bip0340_verify_batch()
1311 ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in bip0340_verify_batch()