schnorr.c
1 /************************************************************************* 2 * Written in 2020-2022 by Elichai Turkel * 3 * To the extent possible under law, the author(s) have dedicated all * 4 * copyright and related and neighboring rights to the software in this * 5 * file to the public domain worldwide. This software is distributed * 6 * without any warranty. For the CC0 Public Domain Dedication, see * 7 * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 * 8 *************************************************************************/ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <assert.h> 13 #include <string.h> 14 15 #include <secp256k1.h> 16 #include <secp256k1_extrakeys.h> 17 #include <secp256k1_schnorrsig.h> 18 19 #include "examples_util.h" 20 21 int main(void) { 22 unsigned char msg[] = {'H', 'e', 'l', 'l', 'o', ' ', 'W', 'o', 'r', 'l', 'd', '!'}; 23 unsigned char msg_hash[32]; 24 unsigned char tag[] = {'m', 'y', '_', 'f', 'a', 'n', 'c', 'y', '_', 'p', 'r', 'o', 't', 'o', 'c', 'o', 'l'}; 25 unsigned char seckey[32]; 26 unsigned char randomize[32]; 27 unsigned char auxiliary_rand[32]; 28 unsigned char serialized_pubkey[32]; 29 unsigned char signature[64]; 30 int is_signature_valid, is_signature_valid2; 31 int return_val; 32 secp256k1_xonly_pubkey pubkey; 33 secp256k1_keypair keypair; 34 /* Before we can call actual API functions, we need to create a "context". */ 35 secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 36 if (!fill_random(randomize, sizeof(randomize))) { 37 printf("Failed to generate randomness\n"); 38 return EXIT_FAILURE; 39 } 40 /* Randomizing the context is recommended to protect against side-channel 41 * leakage See `secp256k1_context_randomize` in secp256k1.h for more 42 * information about it. This should never fail. */ 43 return_val = secp256k1_context_randomize(ctx, randomize); 44 assert(return_val); 45 46 /*** Key Generation ***/ 47 if (!fill_random(seckey, sizeof(seckey))) { 48 printf("Failed to generate randomness\n"); 49 return EXIT_FAILURE; 50 } 51 /* Try to create a keypair with a valid context. This only fails if the 52 * secret key is zero or out of range (greater than secp256k1's order). Note 53 * that the probability of this occurring is negligible with a properly 54 * functioning random number generator. */ 55 if (!secp256k1_keypair_create(ctx, &keypair, seckey)) { 56 printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n"); 57 return EXIT_FAILURE; 58 } 59 60 /* Extract the X-only public key from the keypair. We pass NULL for 61 * `pk_parity` as the parity isn't needed for signing or verification. 62 * `secp256k1_keypair_xonly_pub` supports returning the parity for 63 * other use cases such as tests or verifying Taproot tweaks. 64 * This should never fail with a valid context and public key. */ 65 return_val = secp256k1_keypair_xonly_pub(ctx, &pubkey, NULL, &keypair); 66 assert(return_val); 67 68 /* Serialize the public key. Should always return 1 for a valid public key. */ 69 return_val = secp256k1_xonly_pubkey_serialize(ctx, serialized_pubkey, &pubkey); 70 assert(return_val); 71 72 /*** Signing ***/ 73 74 /* Instead of signing (possibly very long) messages directly, we sign a 75 * 32-byte hash of the message in this example. 76 * 77 * We use secp256k1_tagged_sha256 to create this hash. This function expects 78 * a context-specific "tag", which restricts the context in which the signed 79 * messages should be considered valid. For example, if protocol A mandates 80 * to use the tag "my_fancy_protocol" and protocol B mandates to use the tag 81 * "my_boring_protocol", then signed messages from protocol A will never be 82 * valid in protocol B (and vice versa), even if keys are reused across 83 * protocols. This implements "domain separation", which is considered good 84 * practice. It avoids attacks in which users are tricked into signing a 85 * message that has intended consequences in the intended context (e.g., 86 * protocol A) but would have unintended consequences if it were valid in 87 * some other context (e.g., protocol B). */ 88 return_val = secp256k1_tagged_sha256(ctx, msg_hash, tag, sizeof(tag), msg, sizeof(msg)); 89 assert(return_val); 90 91 /* Generate 32 bytes of randomness to use with BIP-340 schnorr signing. */ 92 if (!fill_random(auxiliary_rand, sizeof(auxiliary_rand))) { 93 printf("Failed to generate randomness\n"); 94 return EXIT_FAILURE; 95 } 96 97 /* Generate a Schnorr signature. 98 * 99 * We use the secp256k1_schnorrsig_sign32 function that provides a simple 100 * interface for signing 32-byte messages (which in our case is a hash of 101 * the actual message). BIP-340 recommends passing 32 bytes of randomness 102 * to the signing function to improve security against side-channel attacks. 103 * Signing with a valid context, a 32-byte message, a verified keypair, and 104 * any 32 bytes of auxiliary random data should never fail. */ 105 return_val = secp256k1_schnorrsig_sign32(ctx, signature, msg_hash, &keypair, auxiliary_rand); 106 assert(return_val); 107 108 /*** Verification ***/ 109 110 /* Deserialize the public key. This will return 0 if the public key can't 111 * be parsed correctly */ 112 if (!secp256k1_xonly_pubkey_parse(ctx, &pubkey, serialized_pubkey)) { 113 printf("Failed parsing the public key\n"); 114 return EXIT_FAILURE; 115 } 116 117 /* Compute the tagged hash on the received messages using the same tag as the signer. */ 118 return_val = secp256k1_tagged_sha256(ctx, msg_hash, tag, sizeof(tag), msg, sizeof(msg)); 119 assert(return_val); 120 121 /* Verify a signature. This will return 1 if it's valid and 0 if it's not. */ 122 is_signature_valid = secp256k1_schnorrsig_verify(ctx, signature, msg_hash, 32, &pubkey); 123 124 125 printf("Is the signature valid? %s\n", is_signature_valid ? "true" : "false"); 126 printf("Secret Key: "); 127 print_hex(seckey, sizeof(seckey)); 128 printf("Public Key: "); 129 print_hex(serialized_pubkey, sizeof(serialized_pubkey)); 130 printf("Signature: "); 131 print_hex(signature, sizeof(signature)); 132 133 /* This will clear everything from the context and free the memory */ 134 secp256k1_context_destroy(ctx); 135 136 /* Bonus example: if all we need is signature verification (and no key 137 generation or signing), we don't need to use a context created via 138 secp256k1_context_create(). We can simply use the static (i.e., global) 139 context secp256k1_context_static. See its description in 140 include/secp256k1.h for details. */ 141 is_signature_valid2 = secp256k1_schnorrsig_verify(secp256k1_context_static, 142 signature, msg_hash, 32, &pubkey); 143 assert(is_signature_valid2 == is_signature_valid); 144 145 /* It's best practice to try to clear secrets from memory after using them. 146 * This is done because some bugs can allow an attacker to leak memory, for 147 * example through "out of bounds" array access (see Heartbleed), or the OS 148 * swapping them to disk. Hence, we overwrite the secret key buffer with zeros. 149 * 150 * Here we are preventing these writes from being optimized out, as any good compiler 151 * will remove any writes that aren't used. */ 152 secure_erase(seckey, sizeof(seckey)); 153 return EXIT_SUCCESS; 154 }