1 #ifndef SECP256K1_SCHNORRSIG_H
2 #define SECP256K1_SCHNORRSIG_H
3 
4 #include "secp256k1.h"
5 #include "secp256k1_extrakeys.h"
6 
7 #ifdef __cplusplus
8 extern "C" {
9 #endif
10 
11 /** This module implements a variant of Schnorr signatures compliant with
12  *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
13  *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
14  */
15 
16 /** A pointer to a function to deterministically generate a nonce.
17  *
18  *  Same as secp256k1_nonce_function with the exception of accepting an
19  *  additional pubkey argument and not requiring an attempt argument. The pubkey
20  *  argument can protect signature schemes with key-prefixed challenge hash
21  *  inputs against reusing the nonce when signing with the wrong precomputed
22  *  pubkey.
23  *
24  *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
25  *           return an error.
26  *  Out:     nonce32:   pointer to a 32-byte array to be filled by the function.
27  *  In:      msg32:     the 32-byte message hash being signed (will not be NULL)
28  *           key32:     pointer to a 32-byte secret key (will not be NULL)
29  *      xonly_pk32:     the 32-byte serialized xonly pubkey corresponding to key32
30  *                      (will not be NULL)
31  *           algo16:    pointer to a 16-byte array describing the signature
32  *                      algorithm (will not be NULL).
33  *           data:      Arbitrary data pointer that is passed through.
34  *
35  *  Except for test cases, this function should compute some cryptographic hash of
36  *  the message, the key, the pubkey, the algorithm description, and data.
37  */
38 typedef int (*secp256k1_nonce_function_hardened)( /* returns 1 on success; 0 makes signing fail */
39     unsigned char *nonce32, /* out: 32-byte buffer the callback fills with the nonce */
40     const unsigned char *msg32, /* in: 32-byte message hash, never NULL */
41     const unsigned char *key32, /* in: 32-byte secret key, never NULL */
42     const unsigned char *xonly_pk32, /* in: 32-byte serialized x-only pubkey matching key32, never NULL */
43     const unsigned char *algo16, /* in: 16-byte signature algorithm description, never NULL */
44     void *data /* in: arbitrary caller data, passed through unchanged */
45 );
46 
47 /** An implementation of the nonce generation function as defined in Bitcoin
48  *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
49  *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
50  *
51  *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
52  *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
53  *  schnorrsig_sign does not produce BIP-340 compliant signatures. The algo16
54  *  argument must be non-NULL, otherwise the function will fail and return 0.
55  *  The hash will be tagged with algo16 after removing all trailing null
56  *  bytes. Therefore, to create BIP-340 compliant signatures, algo16 must be set
57  *  to "BIP0340/nonce\0\0\0".
58  */
59 SECP256K1_API extern const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;
60 
61 /** Create a Schnorr signature.
62  *
63  *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
64  *  signature. To catch a faulty computation before the signature is released,
65  *  call secp256k1_schnorrsig_verify on the result and abort if it fails.
66  *
67  *  Otherwise BIP-340 compliant if the noncefp argument is NULL or
68  *  secp256k1_nonce_function_bip340 and the ndata argument is 32-byte auxiliary
69  *  randomness.
70  *
71  *  Returns 1 on success, 0 on failure.
72  *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
73  *  Out:   sig64: pointer to a 64-byte array to store the serialized signature (cannot be NULL)
74  *  In:    msg32: the 32-byte message being signed (cannot be NULL)
75  *       keypair: pointer to an initialized keypair (cannot be NULL)
76  *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bip340 is used
77  *         ndata: pointer to arbitrary data used by the nonce generation
78  *                function (can be NULL). If it is non-NULL and
79  *                secp256k1_nonce_function_bip340 is used, then ndata must be a
80  *                pointer to 32-byte auxiliary randomness as per BIP-340.
81  */
82 SECP256K1_API int secp256k1_schnorrsig_sign( /* NOTE(review): no SECP256K1_WARN_UNUSED_RESULT here, unlike secp256k1_schnorrsig_verify; callers must still check for 0 */
83     const secp256k1_context* ctx, /* must be initialized for signing */
84     unsigned char *sig64, /* out: 64-byte serialized signature */
85     const unsigned char *msg32, /* in: 32-byte message being signed */
86     const secp256k1_keypair *keypair, /* in: initialized keypair */
87     secp256k1_nonce_function_hardened noncefp, /* NULL selects secp256k1_nonce_function_bip340 */
88     void *ndata /* may be NULL; with secp256k1_nonce_function_bip340 it must point to 32 bytes of auxiliary randomness */
89 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
90 
91 /** Verify a Schnorr signature.
92  *
93  *  Returns: 1: correct signature
94  *           0: incorrect signature
95  *  Args:    ctx: a secp256k1 context object, initialized for verification.
96  *  In:    sig64: pointer to the 64-byte signature to verify (cannot be NULL)
97  *         msg32: the 32-byte message being verified (cannot be NULL)
98  *        pubkey: pointer to an x-only public key to verify with (cannot be NULL)
99  */
100 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify( /* 1: correct signature, 0: incorrect signature */
101     const secp256k1_context* ctx, /* must be initialized for verification */
102     const unsigned char *sig64, /* in: 64-byte signature to verify */
103     const unsigned char *msg32, /* in: 32-byte message being verified */
104     const secp256k1_xonly_pubkey *pubkey /* in: x-only public key to verify with */
105 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
106 
107 #ifdef __cplusplus
108 }
109 #endif
110 
111 #endif /* SECP256K1_SCHNORRSIG_H */
112