
Commit b9aaa07

jonasnickFabcien
authored andcommitted
[SECP256K1] Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
Summary: Backport of [[bitcoin-core/secp256k1#854 | secp256k1#854]]. Did the same for the schnorr module. Test Plan: ninja check-secp256k1 Reviewers: #bitcoin_abc, PiRK Reviewed By: #bitcoin_abc, PiRK Differential Revision: https://reviews.bitcoinabc.org/D9376
1 parent bd3ec0d commit b9aaa07


6 files changed

+94
-82
lines changed


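--- a/src/secp256k1/include/secp256k1.h
+++ b/src/secp256k1/include/secp256k1.h
@@ -452,7 +452,14 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
 * 0: incorrect or unparseable signature
 * Args: ctx: a secp256k1 context object, initialized for verification.
 * In: sig: the signature being verified (cannot be NULL)
-* msg32: the 32-byte message hash being verified (cannot be NULL)
+* msghash32: the 32-byte message hash being verified (cannot be NULL).
+* The verifier must make sure to apply a cryptographic
+* hash function to the message by itself and not accept an
+* msghash32 value directly. Otherwise, it would be easy to
+* create a "valid" signature without knowledge of the
+* secret key. See also
+* https://bitcoin.stackexchange.com/a/81116/35586 for more
+* background on this topic.
 * pubkey: pointer to an initialized public key to verify with (cannot be NULL)
 *
 * To avoid accepting malleable signatures, only ECDSA signatures in lower-S
@@ -467,7 +474,7 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
 const secp256k1_context* ctx,
 const secp256k1_ecdsa_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const secp256k1_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
@@ -532,20 +539,20 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_def
 *
 * Returns: 1: signature created
 * 0: the nonce generation function failed, or the secret key was invalid.
-* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
-* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
-* In: msg32: the 32-byte message hash being signed (cannot be NULL)
-* seckey: pointer to a 32-byte secret key (cannot be NULL)
-* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
-* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
+* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
+* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
+* seckey: pointer to a 32-byte secret key (cannot be NULL)
+* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
 *
 * The created signature is always in lower-S form. See
 * secp256k1_ecdsa_signature_normalize for more details.
 */
 SECP256K1_API int secp256k1_ecdsa_sign(
 const secp256k1_context* ctx,
 secp256k1_ecdsa_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata
@@ -626,23 +633,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
 * invalid according to secp256k1_ec_seckey_verify, this
 * function returns 0. seckey will be set to some unspecified
 * value if this function returns 0. (cannot be NULL)
-* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
 * secp256k1_ec_seckey_verify, this function returns 0. For
 * uniformly random 32-byte arrays the chance of being invalid
 * is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(
 const secp256k1_context* ctx,
 unsigned char *seckey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED. Will be removed in
 * future versions. */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
 const secp256k1_context* ctx,
 unsigned char *seckey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Tweak a public key by adding tweak times the generator to it.
@@ -654,15 +661,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
 * (cannot be NULL).
 * In/Out: pubkey: pointer to a public key object. pubkey will be set to an
 * invalid value if this function returns 0 (cannot be NULL).
-* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
 * secp256k1_ec_seckey_verify, this function returns 0. For
 * uniformly random 32-byte arrays the chance of being invalid
 * is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
 const secp256k1_context* ctx,
 secp256k1_pubkey *pubkey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Tweak a secret key by multiplying it by a tweak.
@@ -673,23 +680,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
 * invalid according to secp256k1_ec_seckey_verify, this
 * function returns 0. seckey will be set to some unspecified
 * value if this function returns 0. (cannot be NULL)
-* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
 * secp256k1_ec_seckey_verify, this function returns 0. For
 * uniformly random 32-byte arrays the chance of being invalid
 * is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(
 const secp256k1_context* ctx,
 unsigned char *seckey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in
 * future versions. */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
 const secp256k1_context* ctx,
 unsigned char *seckey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Tweak a public key by multiplying it by a tweak value.
@@ -699,15 +706,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
 * (cannot be NULL).
 * In/Out: pubkey: pointer to a public key object. pubkey will be set to an
 * invalid value if this function returns 0 (cannot be NULL).
-* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
 * secp256k1_ec_seckey_verify, this function returns 0. For
 * uniformly random 32-byte arrays the chance of being invalid
 * is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 const secp256k1_context* ctx,
 secp256k1_pubkey *pubkey,
-const unsigned char *tweak
+const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Updates the context randomization to protect against side-channel leakage.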

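--- a/src/secp256k1/include/secp256k1_recovery.h
+++ b/src/secp256k1/include/secp256k1_recovery.h
@@ -71,17 +71,17 @@ SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(
 *
 * Returns: 1: signature created
 * 0: the nonce generation function failed, or the secret key was invalid.
-* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
-* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
-* In: msg32: the 32-byte message hash being signed (cannot be NULL)
-* seckey: pointer to a 32-byte secret key (cannot be NULL)
-* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
-* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
+* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
+* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
+* seckey: pointer to a 32-byte secret key (cannot be NULL)
+* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
 */
 SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
 const secp256k1_context* ctx,
 secp256k1_ecdsa_recoverable_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata
@@ -91,16 +91,16 @@ SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
 *
 * Returns: 1: public key successfully recovered (which guarantees a correct signature).
 * 0: otherwise.
-* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
-* Out: pubkey: pointer to the recovered public key (cannot be NULL)
-* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
-* msg32: the 32-byte message hash assumed to be signed (cannot be NULL)
+* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
+* Out: pubkey: pointer to the recovered public key (cannot be NULL)
+* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
+* msghash32: the 32-byte message hash assumed to be signed (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
 const secp256k1_context* ctx,
 secp256k1_pubkey *pubkey,
 const secp256k1_ecdsa_recoverable_signature *sig,
-const unsigned char *msg32
+const unsigned char *msghash32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 #ifdef __cplusplus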
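Review bot: The msghash32 line of the secp256k1_ecdsa_recover doc (`* msghash32: the 32-byte message hash assumed to be signed (cannot be NULL)`) should carry the same warning this commit adds to secp256k1_ecdsa_verify, since recovery followed by comparing the recovered key against an expected one is a verification and the header itself states that a return of 1 "guarantees a correct signature". If the caller lets the party that supplies the signature also supply the 32-byte hash, that party can pick a hash for which the recovered key matches the target without knowing its secret key, which is the forgery the ecdsa_verify note describes. I would append to that line: `The caller must compute this hash from the message itself and not accept an msghash32 value directly; see secp256k1_ecdsa_verify.` The same wording fits secp256k1_ecdsa_sign_recoverable's msghash32 line for symmetry, though the forgery concern is on the verifying side.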

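--- a/src/secp256k1/include/secp256k1_schnorr.h
+++ b/src/secp256k1/include/secp256k1_schnorr.h
@@ -13,13 +13,18 @@ extern "C" {
 * 0: incorrect signature
 * Args: ctx: a secp256k1 context object, initialized for verification.
 * In: sig64: the 64-byte signature being verified (cannot be NULL)
-* msg32: the 32-byte message hash being verified (cannot be NULL)
+* msghash32: the 32-byte message hash being verified (cannot be NULL).
+* The verifier must make sure to apply a cryptographic
+* hash function to the message by itself and not accept an
+* msghash32 value directly. Otherwise, it would be easy to
+* create a "valid" signature without knowledge of the
+* secret key.
 * pubkey: the public key to verify with (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify(
 const secp256k1_context* ctx,
 const unsigned char *sig64,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const secp256k1_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
@@ -30,21 +35,21 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify(
 * Returns: 1: signature created
 * 0: the nonce generation function failed, or the private key was
 * invalid.
-* Args: ctx: pointer to a context object, initialized for signing
-* (cannot be NULL)
-* Out: sig64: pointer to a 64-byte array where the signature will be
-* placed (cannot be NULL)
-* In: msg32: the 32-byte message hash being signed (cannot be NULL)
-* seckey: pointer to a 32-byte secret key (cannot be NULL)
-* noncefp:pointer to a nonce generation function. If NULL,
-* secp256k1_nonce_function_default is used
-* ndata: pointer to arbitrary data used by the nonce generation
-* function (can be NULL)
+* Args: ctx: pointer to a context object, initialized for signing
+* (cannot be NULL)
+* Out: sig64: pointer to a 64-byte array where the signature will be
+* placed (cannot be NULL)
+* In: msghash32: the 32-byte message hash being signed (cannot be NULL).
+* seckey: pointer to a 32-byte secret key (cannot be NULL)
+* noncefp: pointer to a nonce generation function. If NULL,
+* secp256k1_nonce_function_default is used
+* ndata: pointer to arbitrary data used by the nonce generation
+* function (can be NULL)
 */
 SECP256K1_API int secp256k1_schnorr_sign(
 const secp256k1_context *ctx,
 unsigned char *sig64,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata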

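--- a/src/secp256k1/src/modules/recovery/main_impl.h
+++ b/src/secp256k1/src/modules/recovery/main_impl.h
@@ -120,35 +120,35 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, cons
 return !secp256k1_gej_is_infinity(&qj);
 }
 
-int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
+int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
 secp256k1_scalar r, s;
 int ret, recid;
 const unsigned char secp256k1_ecdsa_recoverable_algo16[17] = "ECDSA+Recovery ";
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(signature != NULL);
 ARG_CHECK(seckey != NULL);
 
-ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msg32, seckey, noncefp, secp256k1_ecdsa_recoverable_algo16, noncedata);
+ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msghash32, seckey, noncefp, secp256k1_ecdsa_recoverable_algo16, noncedata);
 secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
 return ret;
 }
 
-int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
+int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) {
 secp256k1_ge q;
 secp256k1_scalar r, s;
 secp256k1_scalar m;
 int recid;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(signature != NULL);
 ARG_CHECK(pubkey != NULL);
 
 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
 VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
-secp256k1_scalar_set_b32(&m, msg32, NULL);
+secp256k1_scalar_set_b32(&m, msghash32, NULL);
 if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
 secp256k1_pubkey_save(pubkey, &q);
 return 1;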

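--- a/src/secp256k1/src/modules/schnorr/main_impl.h
+++ b/src/secp256k1/src/modules/schnorr/main_impl.h
@@ -13,27 +13,27 @@
 int secp256k1_schnorr_verify(
 const secp256k1_context* ctx,
 const unsigned char *sig64,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const secp256k1_pubkey *pubkey
 ) {
 secp256k1_ge q;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(sig64 != NULL);
 ARG_CHECK(pubkey != NULL);
 
 if (!secp256k1_pubkey_load(ctx, &q, pubkey)) {
 return 0;
 }
 
-return secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64, &q, msg32);
+return secp256k1_schnorr_sig_verify(&ctx->ecmult_ctx, sig64, &q, msghash32);
 }
 
 int secp256k1_schnorr_sign(
 const secp256k1_context *ctx,
 unsigned char *sig64,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata
@@ -46,7 +46,7 @@ int secp256k1_schnorr_sign(
 int pubkeyret;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(sig64 != NULL);
 ARG_CHECK(seckey != NULL);
 
@@ -65,7 +65,7 @@ int secp256k1_schnorr_sign(
 overflow |= secp256k1_scalar_is_zero(&sec);
 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, overflow);
 
-ret = secp256k1_schnorr_sig_sign(ctx, sig64, msg32, &sec, &p, noncefp, ndata);
+ret = secp256k1_schnorr_sig_sign(ctx, sig64, msghash32, &sec, &p, noncefp, ndata);
 if (!ret) {
 memset(sig64, 0, 64);
 }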
