[secp256k1.git] / src / ecdsa_impl.h

/**********************************************************************
 * Copyright (c) 2013-2015 Pieter Wuille                              *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/


#ifndef SECP256K1_ECDSA_IMPL_H
#define SECP256K1_ECDSA_IMPL_H

#include "scalar.h"
#include "field.h"
#include "group.h"
#include "ecmult.h"
#include "ecmult_gen.h"
#include "ecdsa.h"

/** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1
 *  sage: for t in xrange(1023, -1, -1):
 *     ..   p = 2**256 - 2**32 - t
 *     ..   if p.is_prime():
 *     ..     print '%x'%p
 *     ..     break
 *   'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'
 *  sage: a = 0
 *  sage: b = 7
 *  sage: F = FiniteField (p)
 *  sage: '%x' % (EllipticCurve ([F (a), F (b)]).order())
 *   'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
 */
static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST(
    0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
    0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
);

/** Difference between field and order, values 'p' and 'n' values defined in
 *  "Standards for Efficient Cryptography" (SEC2) 2.7.1.
 *  sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
 *  sage: a = 0
 *  sage: b = 7
 *  sage: F = FiniteField (p)
 *  sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order())
 *   '14551231950b75fc4402da1722fc9baee'
 */
static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST(
    0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
);

static int secp256k1_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend) {
    size_t lenleft;
    unsigned char b1;
    VERIFY_CHECK(len != NULL);
    *len = 0;
    if (*sigp >= sigend) {
        return 0;
    }
    b1 = *((*sigp)++);
    if (b1 == 0xFF) {
        /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */
        return 0;
    }
    if ((b1 & 0x80) == 0) {
        /* X.690-0207 8.1.3.4 short form length octets */
        *len = b1;
        return 1;
    }
    if (b1 == 0x80) {
        /* Indefinite length is not allowed in DER. */
        return 0;
    }
    /* X.690-207 8.1.3.5 long form length octets */
    lenleft = b1 & 0x7F; /* lenleft is at least 1 */
    if (lenleft > (size_t)(sigend - *sigp)) {
        return 0;
    }
    if (**sigp == 0) {
        /* Not the shortest possible length encoding. */
        return 0;
    }
    if (lenleft > sizeof(size_t)) {
        /* The resulting length would exceed the range of a size_t, so
         * certainly longer than the passed array size.
         */
        return 0;
    }
    while (lenleft > 0) {
        *len = (*len << 8) | **sigp;
        (*sigp)++;
        lenleft--;
    }
    if (*len > (size_t)(sigend - *sigp)) {
        /* Result exceeds the length of the passed array. */
        return 0;
    }
    if (*len < 128) {
        /* Not the shortest possible length encoding. */
        return 0;
    }
    return 1;
}

static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) {
    int overflow = 0;
    unsigned char ra[32] = {0};
    size_t rlen;

    if (*sig == sigend || **sig != 0x02) {
        /* Not a primitive integer (X.690-0207 8.3.1). */
        return 0;
    }
    (*sig)++;
    if (secp256k1_der_read_len(&rlen, sig, sigend) == 0) {
        return 0;
    }
    if (rlen == 0 || *sig + rlen > sigend) {
        /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1).  */
        return 0;
    }
    if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) {
        /* Excessive 0x00 padding. */
        return 0;
    }
    if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) {
        /* Excessive 0xFF padding. */
        return 0;
    }
    if ((**sig & 0x80) == 0x80) {
        /* Negative. */
        overflow = 1;
    }
    /* There is at most one leading zero byte:
     * if there were two leading zero bytes, we would have failed and returned 0
     * because of excessive 0x00 padding already. */
    if (rlen > 0 && **sig == 0) {
        /* Skip leading zero byte */
        rlen--;
        (*sig)++;
    }
    if (rlen > 32) {
        overflow = 1;
    }
    if (!overflow) {
        memcpy(ra + 32 - rlen, *sig, rlen);
        secp256k1_scalar_set_b32(r, ra, &overflow);
    }
    if (overflow) {
        secp256k1_scalar_set_int(r, 0);
    }
    (*sig) += rlen;
    return 1;
}

static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) {
    const unsigned char *sigend = sig + size;
    size_t rlen;
    if (sig == sigend || *(sig++) != 0x30) {
        /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */
        return 0;
    }
    if (secp256k1_der_read_len(&rlen, &sig, sigend) == 0) {
        return 0;
    }
    if (rlen != (size_t)(sigend - sig)) {
        /* Tuple exceeds bounds or garage after tuple. */
        return 0;
    }

    if (!secp256k1_der_parse_integer(rr, &sig, sigend)) {
        return 0;
    }
    if (!secp256k1_der_parse_integer(rs, &sig, sigend)) {
        return 0;
    }

    if (sig != sigend) {
        /* Trailing garbage inside tuple. */
        return 0;
    }

    return 1;
}

static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) {
    unsigned char r[33] = {0}, s[33] = {0};
    unsigned char *rp = r, *sp = s;
    size_t lenR = 33, lenS = 33;
    secp256k1_scalar_get_b32(&r[1], ar);
    secp256k1_scalar_get_b32(&s[1], as);
    while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
    while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
    if (*size < 6+lenS+lenR) {
        *size = 6 + lenS + lenR;
        return 0;
    }
    *size = 6 + lenS + lenR;
    sig[0] = 0x30;
    sig[1] = 4 + lenS + lenR;
    sig[2] = 0x02;
    sig[3] = lenR;
    memcpy(sig+4, rp, lenR);
    sig[4+lenR] = 0x02;
    sig[5+lenR] = lenS;
    memcpy(sig+lenR+6, sp, lenS);
    return 1;
}

static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) {
    unsigned char c[32];
    secp256k1_scalar sn, u1, u2;
#if !defined(EXHAUSTIVE_TEST_ORDER)
    secp256k1_fe xr;
#endif
    secp256k1_gej pubkeyj;
    secp256k1_gej pr;

    if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
        return 0;
    }

    secp256k1_scalar_inverse_var(&sn, sigs);
    secp256k1_scalar_mul(&u1, &sn, message);
    secp256k1_scalar_mul(&u2, &sn, sigr);
    secp256k1_gej_set_ge(&pubkeyj, pubkey);
    secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1);
    if (secp256k1_gej_is_infinity(&pr)) {
        return 0;
    }

#if defined(EXHAUSTIVE_TEST_ORDER)
{
    secp256k1_scalar computed_r;
    secp256k1_ge pr_ge;
    secp256k1_ge_set_gej(&pr_ge, &pr);
    secp256k1_fe_normalize(&pr_ge.x);

    secp256k1_fe_get_b32(c, &pr_ge.x);
    secp256k1_scalar_set_b32(&computed_r, c, NULL);
    return secp256k1_scalar_eq(sigr, &computed_r);
}
#else
    secp256k1_scalar_get_b32(c, sigr);
    secp256k1_fe_set_b32(&xr, c);

    /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
     *  in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),
     *  compute the remainder modulo n, and compare it to xr. However:
     *
     *        xr == X(pr) mod n
     *    <=> exists h. (xr + h * n < p && xr + h * n == X(pr))
     *    [Since 2 * n > p, h can only be 0 or 1]
     *    <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr))
     *    [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p]
     *    <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p)
     *    [Multiplying both sides of the equations by pr.z^2 mod p]
     *    <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
     *
     *  Thus, we can avoid the inversion, but we have to check both cases separately.
     *  secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
     */
    if (secp256k1_gej_eq_x_var(&xr, &pr)) {
        /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */
        return 1;
    }
    if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
        /* xr + n >= p, so we can skip testing the second case. */
        return 0;
    }
    secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe);
    if (secp256k1_gej_eq_x_var(&xr, &pr)) {
        /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */
        return 1;
    }
    return 0;
#endif
}

static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) {
    unsigned char b[32];
    secp256k1_gej rp;
    secp256k1_ge r;
    secp256k1_scalar n;
    int overflow = 0;

    secp256k1_ecmult_gen(ctx, &rp, nonce);
    secp256k1_ge_set_gej(&r, &rp);
    secp256k1_fe_normalize(&r.x);
    secp256k1_fe_normalize(&r.y);
    secp256k1_fe_get_b32(b, &r.x);
    secp256k1_scalar_set_b32(sigr, b, &overflow);
    /* These two conditions should be checked before calling */
    VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
    VERIFY_CHECK(overflow == 0);

    if (recid) {
        /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
         * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
         */
        *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
    }
    secp256k1_scalar_mul(&n, sigr, seckey);
    secp256k1_scalar_add(&n, &n, message);
    secp256k1_scalar_inverse(sigs, nonce);
    secp256k1_scalar_mul(sigs, sigs, &n);
    secp256k1_scalar_clear(&n);
    secp256k1_gej_clear(&rp);
    secp256k1_ge_clear(&r);
    if (secp256k1_scalar_is_zero(sigs)) {
        return 0;
    }
    if (secp256k1_scalar_is_high(sigs)) {
        secp256k1_scalar_negate(sigs, sigs);
        if (recid) {
            *recid ^= 1;
        }
    }
    return 1;
}

#endif /* SECP256K1_ECDSA_IMPL_H */
Commit	Line	Data
71712b27	1	/**********************************************************************
fea19e7b	2	* Copyright (c) 2013-2015 Pieter Wuille *
71712b27 GM	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
	5	**********************************************************************/
	6
0a433ea2	7
abe2d3e8 DR	8	#ifndef SECP256K1_ECDSA_IMPL_H
abe2d3e8 DR	9	#define SECP256K1_ECDSA_IMPL_H
7a4b7691	10
f24041d6	11	#include "scalar.h"
11ab5622 PW	12	#include "field.h"
	13	#include "group.h"
	14	#include "ecmult.h"
949c1ebb	15	#include "ecmult_gen.h"
11ab5622	16	#include "ecdsa.h"
607884fc	17
6efd6e77 GM	18	/** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1
	19	* sage: for t in xrange(1023, -1, -1):
	20	* .. p = 2256 - 232 - t
	21	* .. if p.is_prime():
	22	* .. print '%x'%p
	23	* .. break
	24	* 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'
	25	* sage: a = 0
	26	* sage: b = 7
	27	* sage: F = FiniteField (p)
	28	* sage: '%x' % (EllipticCurve ([F (a), F (b)]).order())
	29	* 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
	30	*/
dd891e0e	31	static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST(
4732d260 PW	32	0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
	33	0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
	34	);
f24041d6	35
6efd6e77 GM	36	/** Difference between field and order, values 'p' and 'n' values defined in
	37	* "Standards for Efficient Cryptography" (SEC2) 2.7.1.
	38	* sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
	39	* sage: a = 0
	40	* sage: b = 7
	41	* sage: F = FiniteField (p)
	42	* sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order())
	43	* '14551231950b75fc4402da1722fc9baee'
	44	*/
dd891e0e	45	static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST(
4732d260 PW	46	0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
4732d260 PW	47	);
f24041d6	48
01ee1b3b TR	49	static int secp256k1_der_read_len(size_t len, const unsigned char sigp, const unsigned char sigend) {
	50	size_t lenleft;
	51	unsigned char b1;
	52	VERIFY_CHECK(len != NULL);
	53	*len = 0;
3bb9c447	54	if (*sigp >= sigend) {
01ee1b3b	55	return 0;
26320197	56	}
3bb9c447 PW	57	b1 = ((sigp)++);
	58	if (b1 == 0xFF) {
	59	/* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */
01ee1b3b	60	return 0;
26320197	61	}
3bb9c447 PW	62	if ((b1 & 0x80) == 0) {
3bb9c447 PW	63	/* X.690-0207 8.1.3.4 short form length octets */
01ee1b3b TR	64	*len = b1;
01ee1b3b TR	65	return 1;
26320197	66	}
3bb9c447 PW	67	if (b1 == 0x80) {
3bb9c447 PW	68	/* Indefinite length is not allowed in DER. */
01ee1b3b	69	return 0;
3bb9c447 PW	70	}
3bb9c447 PW	71	/* X.690-207 8.1.3.5 long form length octets */
3cb057f8	72	lenleft = b1 & 0x7F; /* lenleft is at least 1 */
01ee1b3b TR	73	if (lenleft > (size_t)(sigend - *sigp)) {
01ee1b3b TR	74	return 0;
3bb9c447 PW	75	}
	76	if (**sigp == 0) {
	77	/* Not the shortest possible length encoding. */
01ee1b3b	78	return 0;
3bb9c447	79	}
01ee1b3b	80	if (lenleft > sizeof(size_t)) {
269d4227 GM	81	/* The resulting length would exceed the range of a size_t, so
	82	* certainly longer than the passed array size.
	83	*/
01ee1b3b	84	return 0;
26320197	85	}
3bb9c447	86	while (lenleft > 0) {
01ee1b3b	87	len = (len << 8) \| **sigp;
3bb9c447 PW	88	(*sigp)++;
	89	lenleft--;
	90	}
01ee1b3b	91	if (len > (size_t)(sigend - sigp)) {
3cb057f8	92	/* Result exceeds the length of the passed array. */
01ee1b3b	93	return 0;
3cb057f8	94	}
01ee1b3b	95	if (*len < 128) {
3bb9c447	96	/* Not the shortest possible length encoding. */
01ee1b3b	97	return 0;
3bb9c447	98	}
01ee1b3b	99	return 1;
3bb9c447 PW	100	}
	101
	102	static int secp256k1_der_parse_integer(secp256k1_scalar r, const unsigned char sig, const unsigned char sigend) {
	103	int overflow = 0;
	104	unsigned char ra[32] = {0};
01ee1b3b	105	size_t rlen;
3bb9c447 PW	106
	107	if (sig == sigend \|\| *sig != 0x02) {
	108	/* Not a primitive integer (X.690-0207 8.3.1). */
26320197 GM	109	return 0;
26320197 GM	110	}
3bb9c447	111	(*sig)++;
01ee1b3b TR	112	if (secp256k1_der_read_len(&rlen, sig, sigend) == 0) {
	113	return 0;
	114	}
	115	if (rlen == 0 \|\| *sig + rlen > sigend) {
3bb9c447	116	/* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */
26320197 GM	117	return 0;
26320197 GM	118	}
3bb9c447 PW	119	if (*sig == 0x00 && rlen > 1 && (((sig)[1]) & 0x80) == 0x00) {
3bb9c447 PW	120	/* Excessive 0x00 padding. */
26320197 GM	121	return 0;
26320197 GM	122	}
3bb9c447 PW	123	if (*sig == 0xFF && rlen > 1 && (((sig)[1]) & 0x80) == 0x80) {
3bb9c447 PW	124	/* Excessive 0xFF padding. */
26320197 GM	125	return 0;
26320197 GM	126	}
3bb9c447 PW	127	if ((**sig & 0x80) == 0x80) {
	128	/* Negative. */
	129	overflow = 1;
	130	}
14c7dbd4 TR	131	/* There is at most one leading zero byte:
	132	* if there were two leading zero bytes, we would have failed and returned 0
	133	* because of excessive 0x00 padding already. */
	134	if (rlen > 0 && **sig == 0) {
	135	/* Skip leading zero byte */
3bb9c447 PW	136	rlen--;
	137	(*sig)++;
	138	}
	139	if (rlen > 32) {
	140	overflow = 1;
f24041d6	141	}
3bb9c447 PW	142	if (!overflow) {
	143	memcpy(ra + 32 - rlen, *sig, rlen);
	144	secp256k1_scalar_set_b32(r, ra, &overflow);
	145	}
	146	if (overflow) {
	147	secp256k1_scalar_set_int(r, 0);
	148	}
	149	(*sig) += rlen;
	150	return 1;
	151	}
	152
	153	static int secp256k1_ecdsa_sig_parse(secp256k1_scalar rr, secp256k1_scalar rs, const unsigned char *sig, size_t size) {
	154	const unsigned char *sigend = sig + size;
01ee1b3b	155	size_t rlen;
3bb9c447 PW	156	if (sig == sigend \|\| *(sig++) != 0x30) {
3bb9c447 PW	157	/* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */
26320197 GM	158	return 0;
26320197 GM	159	}
01ee1b3b TR	160	if (secp256k1_der_read_len(&rlen, &sig, sigend) == 0) {
	161	return 0;
	162	}
ec8f20ba TR	163	if (rlen != (size_t)(sigend - sig)) {
ec8f20ba TR	164	/* Tuple exceeds bounds or garage after tuple. */
26320197 GM	165	return 0;
26320197 GM	166	}
3bb9c447 PW	167
3bb9c447 PW	168	if (!secp256k1_der_parse_integer(rr, &sig, sigend)) {
26320197 GM	169	return 0;
26320197 GM	170	}
3bb9c447	171	if (!secp256k1_der_parse_integer(rs, &sig, sigend)) {
26320197 GM	172	return 0;
26320197 GM	173	}
3bb9c447 PW	174
	175	if (sig != sigend) {
	176	/* Trailing garbage inside tuple. */
	177	return 0;
	178	}
	179
d41e93a5	180	return 1;
607884fc PW	181	}
607884fc PW	182
dd891e0e	183	static int secp256k1_ecdsa_sig_serialize(unsigned char sig, size_t size, const secp256k1_scalar* ar, const secp256k1_scalar* as) {
f24041d6	184	unsigned char r[33] = {0}, s[33] = {0};
f24041d6	185	unsigned char rp = r, sp = s;
788038d3	186	size_t lenR = 33, lenS = 33;
18c329c5 PW	187	secp256k1_scalar_get_b32(&r[1], ar);
18c329c5 PW	188	secp256k1_scalar_get_b32(&s[1], as);
f24041d6 PW	189	while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
f24041d6 PW	190	while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
26320197	191	if (*size < 6+lenS+lenR) {
74a2acdb	192	*size = 6 + lenS + lenR;
d41e93a5	193	return 0;
26320197	194	}
0a07e62f PW	195	*size = 6 + lenS + lenR;
	196	sig[0] = 0x30;
	197	sig[1] = 4 + lenS + lenR;
	198	sig[2] = 0x02;
	199	sig[3] = lenR;
f24041d6	200	memcpy(sig+4, rp, lenR);
0a07e62f PW	201	sig[4+lenR] = 0x02;
0a07e62f PW	202	sig[5+lenR] = lenS;
f24041d6	203	memcpy(sig+lenR+6, sp, lenS);
d41e93a5	204	return 1;
0a07e62f PW	205	}
0a07e62f PW	206
dd891e0e	207	static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context ctx, const secp256k1_scalar sigr, const secp256k1_scalar sigs, const secp256k1_ge pubkey, const secp256k1_scalar *message) {
792bcdb0	208	unsigned char c[32];
dd891e0e	209	secp256k1_scalar sn, u1, u2;
b4ceedf1	210	#if !defined(EXHAUSTIVE_TEST_ORDER)
dd891e0e	211	secp256k1_fe xr;
b4ceedf1	212	#endif
dd891e0e PW	213	secp256k1_gej pubkeyj;
dd891e0e PW	214	secp256k1_gej pr;
792bcdb0	215
18c329c5	216	if (secp256k1_scalar_is_zero(sigr) \|\| secp256k1_scalar_is_zero(sigs)) {
d41e93a5	217	return 0;
26320197	218	}
607884fc	219
18c329c5	220	secp256k1_scalar_inverse_var(&sn, sigs);
f24041d6	221	secp256k1_scalar_mul(&u1, &sn, message);
18c329c5	222	secp256k1_scalar_mul(&u2, &sn, sigr);
792bcdb0	223	secp256k1_gej_set_ge(&pubkeyj, pubkey);
a9b6595e	224	secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1);
ce7eb6fb PW	225	if (secp256k1_gej_is_infinity(&pr)) {
	226	return 0;
	227	}
b4ceedf1 AP	228
	229	#if defined(EXHAUSTIVE_TEST_ORDER)
	230	{
	231	secp256k1_scalar computed_r;
b4ceedf1 AP	232	secp256k1_ge pr_ge;
	233	secp256k1_ge_set_gej(&pr_ge, &pr);
	234	secp256k1_fe_normalize(&pr_ge.x);
	235
	236	secp256k1_fe_get_b32(c, &pr_ge.x);
678b0e54	237	secp256k1_scalar_set_b32(&computed_r, c, NULL);
b4ceedf1 AP	238	return secp256k1_scalar_eq(sigr, &computed_r);
	239	}
	240	#else
18c329c5	241	secp256k1_scalar_get_b32(c, sigr);
ce7eb6fb	242	secp256k1_fe_set_b32(&xr, c);
13278f64	243
3627437d GM	244	/** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
	245	* in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),
	246	* compute the remainder modulo n, and compare it to xr. However:
	247	*
	248	* xr == X(pr) mod n
	249	* <=> exists h. (xr + h * n < p && xr + h * n == X(pr))
	250	* [Since 2 * n > p, h can only be 0 or 1]
	251	* <=> (xr == X(pr)) \|\| (xr + n < p && xr + n == X(pr))
	252	* [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p]
	253	* <=> (xr == pr.x / pr.z^2 mod p) \|\| (xr + n < p && xr + n == pr.x / pr.z^2 mod p)
	254	* [Multiplying both sides of the equations by pr.z^2 mod p]
	255	* <=> (xr * pr.z^2 mod p == pr.x) \|\| (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
	256	*
	257	* Thus, we can avoid the inversion, but we have to check both cases separately.
	258	* secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
	259	*/
ce7eb6fb	260	if (secp256k1_gej_eq_x_var(&xr, &pr)) {
6c476a8a	261	/* xr * pr.z^2 mod p == pr.x, so the signature is valid. */
ce7eb6fb PW	262	return 1;
ce7eb6fb PW	263	}
4732d260	264	if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
6c476a8a	265	/* xr + n >= p, so we can skip testing the second case. */
ce7eb6fb	266	return 0;
4adf6b2a	267	}
4732d260	268	secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe);
ce7eb6fb	269	if (secp256k1_gej_eq_x_var(&xr, &pr)) {
3627437d	270	/* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */
ce7eb6fb PW	271	return 1;
	272	}
	273	return 0;
b4ceedf1	274	#endif
607884fc PW	275	}
607884fc PW	276
dd891e0e	277	static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context ctx, secp256k1_scalar sigr, secp256k1_scalar sigs, const secp256k1_scalar seckey, const secp256k1_scalar message, const secp256k1_scalar nonce, int *recid) {
792bcdb0	278	unsigned char b[32];
dd891e0e PW	279	secp256k1_gej rp;
	280	secp256k1_ge r;
	281	secp256k1_scalar n;
792bcdb0 GM	282	int overflow = 0;
792bcdb0 GM	283
a9b6595e	284	secp256k1_ecmult_gen(ctx, &rp, nonce);
50eb498e	285	secp256k1_ge_set_gej(&r, &rp);
50eb498e PW	286	secp256k1_fe_normalize(&r.x);
	287	secp256k1_fe_normalize(&r.y);
	288	secp256k1_fe_get_b32(b, &r.x);
18c329c5	289	secp256k1_scalar_set_b32(sigr, b, &overflow);
25e3cfbf AP	290	/* These two conditions should be checked before calling */
	291	VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
	292	VERIFY_CHECK(overflow == 0);
	293
26320197	294	if (recid) {
269d4227 GM	295	/* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
	296	* of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
	297	*/
a9f5c8b8	298	*recid = (overflow ? 2 : 0) \| (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
26320197	299	}
18c329c5	300	secp256k1_scalar_mul(&n, sigr, seckey);
a9f5c8b8	301	secp256k1_scalar_add(&n, &n, message);
18c329c5 PW	302	secp256k1_scalar_inverse(sigs, nonce);
18c329c5 PW	303	secp256k1_scalar_mul(sigs, sigs, &n);
a9f5c8b8	304	secp256k1_scalar_clear(&n);
2f6c8019 GM	305	secp256k1_gej_clear(&rp);
2f6c8019 GM	306	secp256k1_ge_clear(&r);
18c329c5	307	if (secp256k1_scalar_is_zero(sigs)) {
d41e93a5	308	return 0;
26320197	309	}
18c329c5 PW	310	if (secp256k1_scalar_is_high(sigs)) {
18c329c5 PW	311	secp256k1_scalar_negate(sigs, sigs);
26320197	312	if (recid) {
50eb498e	313	*recid ^= 1;
26320197	314	}
50eb498e	315	}
eb0be8ee	316	return 1;
0a07e62f PW	317	}
0a07e62f PW	318
abe2d3e8	319	#endif /* SECP256K1_ECDSA_IMPL_H */