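#ifndef SECP256K1_SCHNORRSIG_H
#define SECP256K1_SCHNORRSIG_H

#include "secp256k1.h"
#include "secp256k1_extrakeys.h"

/* Give the declarations below C linkage when this header is compiled as C++. */
#ifdef __cplusplus
extern "C" {
#endif

/** This module implements a variant of Schnorr signatures compliant with
 *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
 *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 */

/** A pointer to a function to deterministically generate a nonce.
 *
 *  Same as secp256k1_nonce function with the exception of accepting an
 *  additional pubkey argument and not requiring an attempt argument. The pubkey
 *  argument can protect signature schemes with key-prefixed challenge hash
 *  inputs against reusing the nonce when signing with the wrong precomputed
 *  pubkey.
 *
 *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
 *           return an error.
 *  Out:     nonce32: pointer to a 32-byte array to be filled by the function.
 *  In:        msg32: the 32-byte message being signed (will not be NULL)
 *             key32: pointer to a 32-byte secret key (will not be NULL)
 *        xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32
 *                    (will not be NULL)
 *            algo16: pointer to a 16-byte array describing the signature
 *                    algorithm (will not be NULL).
 *              data: Arbitrary data pointer that is passed through.
 *
 *  Except for test cases, this function should compute some cryptographic hash of
 *  the message, the key, the pubkey, the algorithm description, and data.
 *
 *  Security note: the nonce must stay secret and must not repeat for different
 *  messages under the same key; with Schnorr signatures a repeated or
 *  predictable nonce discloses the secret key. This is why a custom
 *  implementation should bind nonce32 to every input listed above rather than
 *  to a subset of them.
 */
typedef int (*secp256k1_nonce_function_hardened)(
    unsigned char *nonce32,
    const unsigned char *msg32,
    const unsigned char *key32,
    const unsigned char *xonly_pk32,
    const unsigned char *algo16,
    void *data
);

/** An implementation of the nonce generation function as defined in Bitcoin
 *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
 *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 *
 *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
 *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
 *  schnorrsig_sign does not produce BIP-340 compliant signatures. The algo16
 *  argument must be non-NULL, otherwise the function will fail and return 0.
 *  The hash will be tagged with algo16 after removing all terminating null
 *  bytes. Therefore, to create BIP-340 compliant signatures, algo16 must be set
 *  to "BIP0340/nonce\0\0\0" (13 characters plus 3 null bytes, 16 bytes in
 *  total).
 *
 *  The data pointer is read as exactly 32 bytes; no length is passed, so the
 *  caller is responsible for the buffer being at least that large.
 */
SECP256K1_API extern const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;

/** Create a Schnorr signature.
 *
 *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
 *  signature. Instead, you can manually use secp256k1_schnorrsig_verify and
 *  abort if it fails.
 *
 *  Otherwise BIP-340 compliant if the noncefp argument is NULL or
 *  secp256k1_nonce_function_bip340 and the ndata argument is 32-byte auxiliary
 *  randomness. With secp256k1_nonce_function_bip340 and ndata set to NULL the
 *  signature is not BIP-340 compliant (see secp256k1_nonce_function_bip340).
 *
 *  Returns 1 on success, 0 on failure. Callers should check the return value
 *  and must not use the contents of sig64 when 0 is returned.
 *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
 *  Out:   sig64: pointer to a 64-byte array to store the serialized signature (cannot be NULL)
 *  In:    msg32: the 32-byte message being signed (cannot be NULL). No length
 *                is passed; exactly 32 bytes are expected.
 *       keypair: pointer to an initialized keypair (cannot be NULL)
 *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bip340 is used
 *         ndata: pointer to arbitrary data used by the nonce generation
 *                function (can be NULL). If it is non-NULL and
 *                secp256k1_nonce_function_bip340 is used, then ndata must be a
 *                pointer to 32-byte auxiliary randomness as per BIP-340.
 */
SECP256K1_API int secp256k1_schnorrsig_sign(
    const secp256k1_context* ctx,
    unsigned char *sig64,
    const unsigned char *msg32,
    const secp256k1_keypair *keypair,
    secp256k1_nonce_function_hardened noncefp,
    void *ndata
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Verify a Schnorr signature.
 *
 *  Returns: 1: correct signature
 *           0: incorrect signature
 *           Treat any result other than 1 as a verification failure.
 *  Args:    ctx: a secp256k1 context object, initialized for verification
 *                (cannot be NULL)
 *  In:    sig64: pointer to the 64-byte signature to verify (cannot be NULL)
 *         msg32: the 32-byte message being verified (cannot be NULL)
 *        pubkey: pointer to an x-only public key to verify with (cannot be NULL)
 */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
    const secp256k1_context* ctx,
    const unsigned char *sig64,
    const unsigned char *msg32,
    const secp256k1_xonly_pubkey *pubkey
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

#ifdef __cplusplus
}
#endif

#endif /* SECP256K1_SCHNORRSIG_H */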