 |
Bitcoin Core
27.99.0
P2P Digital Currency
|
|
Bitcoin Core
27.99.0
P2P Digital Currency
|
#include "scalar.h"#include "field.h"#include "group.h"#include "ecmult.h"#include "ecmult_gen.h"#include "ecdsa.h"Go to the source code of this file.
Functions | |
| static int | secp256k1_der_read_len (size_t *len, const unsigned char **sigp, const unsigned char *sigend) |
| static int | secp256k1_der_parse_integer (secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) |
| static int | secp256k1_ecdsa_sig_parse (secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) |
| static int | secp256k1_ecdsa_sig_serialize (unsigned char *sig, size_t *size, const secp256k1_scalar *ar, const secp256k1_scalar *as) |
| static int | secp256k1_ecdsa_sig_verify (const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) |
| static int | secp256k1_ecdsa_sig_sign (const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) |
Variables | |
| static const secp256k1_fe | secp256k1_ecdsa_const_order_as_fe |
| Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1 $ sage -c 'load("secp256k1_params.sage"); print(hex(N))' 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141. More... | |
| static const secp256k1_fe | secp256k1_ecdsa_const_p_minus_order |
| Difference between field and order, values 'p' and 'n' values defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. More... | |
|
static |
Definition at line 90 of file ecdsa_impl.h.
|
static |
|
static |
|
static |
|
static |
|
static |
We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), compute the remainder modulo n, and compare it to xr. However:
xr == X(pr) mod n
<=> exists h. (xr + h * n < p && xr + h * n == X(pr)) [Since 2 * n > p, h can only be 0 or 1] <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr)) [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p] <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p) [Multiplying both sides of the equations by pr.z^2 mod p] <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x)
Thus, we can avoid the inversion, but we have to check both cases separately. secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test.
Definition at line 195 of file ecdsa_impl.h.
|
static |
Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1 $ sage -c 'load("secp256k1_params.sage"); print(hex(N))' 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141.
Definition at line 22 of file ecdsa_impl.h.
|
static |
Difference between field and order, values 'p' and 'n' values defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1.
$ sage -c 'load("secp256k1_params.sage"); print(hex(P-N))' 0x14551231950b75fc4402da1722fc9baee
Definition at line 32 of file ecdsa_impl.h.
1.9.1