Skip to content

Commit dc6e5c3

Browse files
Merge #854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
6e85d67 Rename tweak to tweak32 in public API (Jonas Nick) f587f04 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation (Jonas Nick) Pull request description: This fixes #307 if there's nothing else that's confusing. ACKs for top commit: real-or-random: ACK 6e85d67 I inspected the diff Tree-SHA512: 1b0dc9dfffd497058dc39c962a512ed6d7f89218020fef9d2c03aaae1aefbf272b918c4fe6503434b62547714855fe1b8b89f2366f3ae6cde16143207c9e6b86
2 parents 8f0c6f1 + 6e85d67 commit dc6e5c3

File tree

4 files changed

+70
-63
lines changed

4 files changed

+70
-63
lines changed

include/secp256k1.h

+26-19
Original file line numberDiff line numberDiff line change
@@ -452,7 +452,14 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
452452
* 0: incorrect or unparseable signature
453453
* Args: ctx: a secp256k1 context object, initialized for verification.
454454
* In: sig: the signature being verified (cannot be NULL)
455-
* msg32: the 32-byte message hash being verified (cannot be NULL)
455+
* msghash32: the 32-byte message hash being verified (cannot be NULL).
456+
* The verifier must make sure to apply a cryptographic
457+
* hash function to the message by itself and not accept an
458+
* msghash32 value directly. Otherwise, it would be easy to
459+
* create a "valid" signature without knowledge of the
460+
* secret key. See also
461+
* https://bitcoin.stackexchange.com/a/81116/35586 for more
462+
* background on this topic.
456463
* pubkey: pointer to an initialized public key to verify with (cannot be NULL)
457464
*
458465
* To avoid accepting malleable signatures, only ECDSA signatures in lower-S
@@ -467,7 +474,7 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
467474
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
468475
const secp256k1_context* ctx,
469476
const secp256k1_ecdsa_signature *sig,
470-
const unsigned char *msg32,
477+
const unsigned char *msghash32,
471478
const secp256k1_pubkey *pubkey
472479
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
473480

@@ -532,20 +539,20 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_def
532539
*
533540
* Returns: 1: signature created
534541
* 0: the nonce generation function failed, or the secret key was invalid.
535-
* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
536-
* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
537-
* In: msg32: the 32-byte message hash being signed (cannot be NULL)
538-
* seckey: pointer to a 32-byte secret key (cannot be NULL)
539-
* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
540-
* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
542+
* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
543+
* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
544+
* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
545+
* seckey: pointer to a 32-byte secret key (cannot be NULL)
546+
* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
547+
* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
541548
*
542549
* The created signature is always in lower-S form. See
543550
* secp256k1_ecdsa_signature_normalize for more details.
544551
*/
545552
SECP256K1_API int secp256k1_ecdsa_sign(
546553
const secp256k1_context* ctx,
547554
secp256k1_ecdsa_signature *sig,
548-
const unsigned char *msg32,
555+
const unsigned char *msghash32,
549556
const unsigned char *seckey,
550557
secp256k1_nonce_function noncefp,
551558
const void *ndata
@@ -626,23 +633,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
626633
* invalid according to secp256k1_ec_seckey_verify, this
627634
* function returns 0. seckey will be set to some unspecified
628635
* value if this function returns 0. (cannot be NULL)
629-
* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
636+
* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
630637
* secp256k1_ec_seckey_verify, this function returns 0. For
631638
* uniformly random 32-byte arrays the chance of being invalid
632639
* is negligible (around 1 in 2^128) (cannot be NULL).
633640
*/
634641
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(
635642
const secp256k1_context* ctx,
636643
unsigned char *seckey,
637-
const unsigned char *tweak
644+
const unsigned char *tweak32
638645
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
639646

640647
/** Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED. Will be removed in
641648
* future versions. */
642649
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
643650
const secp256k1_context* ctx,
644651
unsigned char *seckey,
645-
const unsigned char *tweak
652+
const unsigned char *tweak32
646653
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
647654

648655
/** Tweak a public key by adding tweak times the generator to it.
@@ -654,15 +661,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
654661
* (cannot be NULL).
655662
* In/Out: pubkey: pointer to a public key object. pubkey will be set to an
656663
* invalid value if this function returns 0 (cannot be NULL).
657-
* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
664+
* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
658665
* secp256k1_ec_seckey_verify, this function returns 0. For
659666
* uniformly random 32-byte arrays the chance of being invalid
660667
* is negligible (around 1 in 2^128) (cannot be NULL).
661668
*/
662669
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
663670
const secp256k1_context* ctx,
664671
secp256k1_pubkey *pubkey,
665-
const unsigned char *tweak
672+
const unsigned char *tweak32
666673
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
667674

668675
/** Tweak a secret key by multiplying it by a tweak.
@@ -673,23 +680,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
673680
* invalid according to secp256k1_ec_seckey_verify, this
674681
* function returns 0. seckey will be set to some unspecified
675682
* value if this function returns 0. (cannot be NULL)
676-
* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
683+
* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
677684
* secp256k1_ec_seckey_verify, this function returns 0. For
678685
* uniformly random 32-byte arrays the chance of being invalid
679686
* is negligible (around 1 in 2^128) (cannot be NULL).
680687
*/
681688
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(
682689
const secp256k1_context* ctx,
683690
unsigned char *seckey,
684-
const unsigned char *tweak
691+
const unsigned char *tweak32
685692
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
686693

687694
/** Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in
688695
* future versions. */
689696
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
690697
const secp256k1_context* ctx,
691698
unsigned char *seckey,
692-
const unsigned char *tweak
699+
const unsigned char *tweak32
693700
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
694701

695702
/** Tweak a public key by multiplying it by a tweak value.
@@ -699,15 +706,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
699706
* (cannot be NULL).
700707
* In/Out: pubkey: pointer to a public key object. pubkey will be set to an
701708
* invalid value if this function returns 0 (cannot be NULL).
702-
* In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
709+
* In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
703710
* secp256k1_ec_seckey_verify, this function returns 0. For
704711
* uniformly random 32-byte arrays the chance of being invalid
705712
* is negligible (around 1 in 2^128) (cannot be NULL).
706713
*/
707714
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
708715
const secp256k1_context* ctx,
709716
secp256k1_pubkey *pubkey,
710-
const unsigned char *tweak
717+
const unsigned char *tweak32
711718
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
712719

713720
/** Updates the context randomization to protect against side-channel leakage.

include/secp256k1_recovery.h

+12-12
Original file line numberDiff line numberDiff line change
@@ -71,17 +71,17 @@ SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(
7171
*
7272
* Returns: 1: signature created
7373
* 0: the nonce generation function failed, or the secret key was invalid.
74-
* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
75-
* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
76-
* In: msg32: the 32-byte message hash being signed (cannot be NULL)
77-
* seckey: pointer to a 32-byte secret key (cannot be NULL)
78-
* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
79-
* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
74+
* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
75+
* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
76+
* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
77+
* seckey: pointer to a 32-byte secret key (cannot be NULL)
78+
* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
79+
* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
8080
*/
8181
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
8282
const secp256k1_context* ctx,
8383
secp256k1_ecdsa_recoverable_signature *sig,
84-
const unsigned char *msg32,
84+
const unsigned char *msghash32,
8585
const unsigned char *seckey,
8686
secp256k1_nonce_function noncefp,
8787
const void *ndata
@@ -91,16 +91,16 @@ SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
9191
*
9292
* Returns: 1: public key successfully recovered (which guarantees a correct signature).
9393
* 0: otherwise.
94-
* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
95-
* Out: pubkey: pointer to the recovered public key (cannot be NULL)
96-
* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
97-
* msg32: the 32-byte message hash assumed to be signed (cannot be NULL)
94+
* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
95+
* Out: pubkey: pointer to the recovered public key (cannot be NULL)
96+
* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
97+
* msghash32: the 32-byte message hash assumed to be signed (cannot be NULL)
9898
*/
9999
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
100100
const secp256k1_context* ctx,
101101
secp256k1_pubkey *pubkey,
102102
const secp256k1_ecdsa_recoverable_signature *sig,
103-
const unsigned char *msg32
103+
const unsigned char *msghash32
104104
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
105105

106106
#ifdef __cplusplus

src/modules/recovery/main_impl.h

+6-6
Original file line numberDiff line numberDiff line change
@@ -120,34 +120,34 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, cons
120120
return !secp256k1_gej_is_infinity(&qj);
121121
}
122122

123-
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
123+
int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
124124
secp256k1_scalar r, s;
125125
int ret, recid;
126126
VERIFY_CHECK(ctx != NULL);
127127
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
128-
ARG_CHECK(msg32 != NULL);
128+
ARG_CHECK(msghash32 != NULL);
129129
ARG_CHECK(signature != NULL);
130130
ARG_CHECK(seckey != NULL);
131131

132-
ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msg32, seckey, noncefp, noncedata);
132+
ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msghash32, seckey, noncefp, noncedata);
133133
secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
134134
return ret;
135135
}
136136

137-
int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
137+
int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) {
138138
secp256k1_ge q;
139139
secp256k1_scalar r, s;
140140
secp256k1_scalar m;
141141
int recid;
142142
VERIFY_CHECK(ctx != NULL);
143143
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
144-
ARG_CHECK(msg32 != NULL);
144+
ARG_CHECK(msghash32 != NULL);
145145
ARG_CHECK(signature != NULL);
146146
ARG_CHECK(pubkey != NULL);
147147

148148
secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
149149
VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
150-
secp256k1_scalar_set_b32(&m, msg32, NULL);
150+
secp256k1_scalar_set_b32(&m, msghash32, NULL);
151151
if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
152152
secp256k1_pubkey_save(pubkey, &q);
153153
return 1;

0 commit comments

Comments
 (0)