Class Secp256k1
- Namespace
- Secp256k1Net
- Assembly
- Secp256k1.Net.dll
public class Secp256k1 : IDisposable- Inheritance
-
Secp256k1
- Implements
- Inherited Members
Constructors
Secp256k1(ErrorCallbackDelegate)
public Secp256k1(ErrorCallbackDelegate errorCallback = null)Parameters
errorCallbackErrorCallbackDelegate
Fields
HASH_LENGTH
public const int HASH_LENGTH = 32Field Value
NONCE_LENGTH
public const int NONCE_LENGTH = 32Field Value
SECRET_KEY_LENGTH
public const int SECRET_KEY_LENGTH = 32Field Value
SECRET_LENGTH
public const int SECRET_LENGTH = 32Field Value
SERIALIZED_COMPRESSED_PUBKEY_LENGTH
public const int SERIALIZED_COMPRESSED_PUBKEY_LENGTH = 33Field Value
SERIALIZED_DER_SIGNATURE_MAX_SIZE
public const int SERIALIZED_DER_SIGNATURE_MAX_SIZE = 72Field Value
SERIALIZED_SIGNATURE_SIZE
public const int SERIALIZED_SIGNATURE_SIZE = 64Field Value
SERIALIZED_UNCOMPRESSED_PUBKEY_LENGTH
public const int SERIALIZED_UNCOMPRESSED_PUBKEY_LENGTH = 65Field Value
UNSERIALIZED_PUBKEY_LENGTH
public const int UNSERIALIZED_PUBKEY_LENGTH = 64Field Value
UNSERIALIZED_SIGNATURE_LENGTH
public const int UNSERIALIZED_SIGNATURE_LENGTH = 64Field Value
UNSERIALIZED_SIGNATURE_SIZE
public const int UNSERIALIZED_SIGNATURE_SIZE = 65Field Value
Properties
LibPath
Gets the path to the loaded native library.
public static string LibPath { get; }Property Value
Methods
CombinePublicKeys(byte[][], bool)
Combines multiple public keys into a single public key by adding them together. Useful for multisig and key aggregation schemes.
public static byte[] CombinePublicKeys(byte[][] publicKeys, bool compressed = true)Parameters
publicKeysbyte[][]Array of serialized public keys (each 33 or 65 bytes).
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized combined public key.
Exceptions
- ArgumentException
Thrown when any public key is invalid or combination fails.
CompressPublicKey(ReadOnlySpan<byte>)
Compresses a public key to 33-byte format.
public static byte[] CompressPublicKey(ReadOnlySpan<byte> publicKey)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
Returns
- byte[]
33-byte compressed public key.
Exceptions
- ArgumentException
Thrown when the public key is invalid.
ComputeSharedSecret(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Computes an ECDH shared secret.
public static byte[] ComputeSharedSecret(ReadOnlySpan<byte> publicKey, ReadOnlySpan<byte> secretKey)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
secretKeyReadOnlySpan<byte>32-byte secret key.
Returns
- byte[]
32-byte shared secret.
Exceptions
- ArgumentException
Thrown when the public key is invalid or ECDH computation fails.
CreateKeyPair(bool)
Creates a new key pair (secret key and public key).
public static (byte[] SecretKey, byte[] PublicKey) CreateKeyPair(bool compressed = true)Parameters
compressedboolIf true, returns 33-byte compressed public key; otherwise 65-byte uncompressed.
Returns
CreatePublicKey(ReadOnlySpan<byte>, bool)
Creates a serialized public key from a secret key.
public static byte[] CreatePublicKey(ReadOnlySpan<byte> secretKey, bool compressed = true)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key.
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized public key (33 or 65 bytes).
Exceptions
- ArgumentException
Thrown when the secret key is invalid.
CreateSecretKey()
Generates a new random secret key using a cryptographically secure random number generator.
public static byte[] CreateSecretKey()Returns
- byte[]
32-byte secret key.
CreateXOnlyPublicKey(ReadOnlySpan<byte>)
Creates a serialized x-only public key from a secret key.
public static (byte[] XOnlyPublicKey, byte Parity) CreateXOnlyPublicKey(ReadOnlySpan<byte> secretKey)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key.
Returns
- (byte[] XOnlyPublicKey, byte Parity)
Tuple of 32-byte x-only public key and parity (0 or 1).
Exceptions
- ArgumentException
Thrown when the secret key is invalid.
DecompressPublicKey(ReadOnlySpan<byte>)
Decompresses a public key to 65-byte uncompressed format.
public static byte[] DecompressPublicKey(ReadOnlySpan<byte> publicKey)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
Returns
- byte[]
65-byte uncompressed public key.
Exceptions
- ArgumentException
Thrown when the public key is invalid.
Dispose()
Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
public void Dispose()EcPubkeyCmp(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Compare two public keys using lexicographic (of compressed serialization) order
public int EcPubkeyCmp(ReadOnlySpan<byte> pubkey1, ReadOnlySpan<byte> pubkey2)Parameters
pubkey1ReadOnlySpan<byte>first public key to compare
pubkey2ReadOnlySpan<byte>second public key to compare
Returns
- int
<0 if the first public key is less than the second >0 if the first public key is greater than the second 0 if the two public keys are equal
EcPubkeyCombine(Span<byte>, byte[][])
Add a number of public keys together.
public bool EcPubkeyCombine(Span<byte> @out, byte[][] ins)Parameters
outSpan<byte>pointer to a public key object for placing the resulting public key.
insbyte[][]pointer to array of pointers to public keys.
Returns
- bool
1: the sum of the public keys is valid. 0: the sum of the public keys is not valid.
EcPubkeyCreate(Span<byte>, ReadOnlySpan<byte>)
Compute the public key for a secret key.
public bool EcPubkeyCreate(Span<byte> pubkey, ReadOnlySpan<byte> seckey)Parameters
pubkeySpan<byte>pointer to the created public key.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
Returns
- bool
1: secret was valid, public key stores. 0: secret was invalid, try again.
EcPubkeyNegate(Span<byte>)
Negates a public key in place.
public bool EcPubkeyNegate(Span<byte> pubkey)Parameters
Returns
- bool
1 always
EcPubkeyParse(Span<byte>, ReadOnlySpan<byte>)
Parse a variable-length public key into the pubkey object.
public bool EcPubkeyParse(Span<byte> pubkey, ReadOnlySpan<byte> input)Parameters
pubkeySpan<byte>pointer to a pubkey object. If 1 is returned, it is set to a parsed version of input. If not, its value is undefined.
inputReadOnlySpan<byte>pointer to a serialized public key
Returns
- bool
1 if the public key was fully valid. 0 if the public key could not be parsed or is invalid.
EcPubkeySerialize(Span<byte>, ref nuint, ReadOnlySpan<byte>, Secp256k1EcFlags)
Serialize a pubkey object into a serialized byte sequence.
public bool EcPubkeySerialize(Span<byte> output, ref nuint outputlen, ReadOnlySpan<byte> pubkey, Secp256k1EcFlags flags)Parameters
outputSpan<byte>pointer to a 65-byte (if compressed==0) or 33-byte (if compressed==1) byte array to place the serialized key in.
outputlennuintpointer to an integer which is initially set to the size of output, and is overwritten with the written size.
pubkeyReadOnlySpan<byte>pointer to a secp256k1_pubkey containing an initialized public key.
flagsSecp256k1EcFlagsSECP256K1_EC_COMPRESSED if serialization should be in compressed format, otherwise SECP256K1_EC_UNCOMPRESSED.
Returns
- bool
1 always.
EcPubkeySort(byte[][])
Sort an array of public keys in lexicographic order (of their compressed serialization). The input array is reordered in place.
public bool EcPubkeySort(byte[][] publicKeys)Parameters
publicKeysbyte[][]Array of 64-byte public keys to sort. The array will be modified in place.
Returns
- bool
True on success, false on failure.
Exceptions
- ArgumentException
Thrown when the array is null, empty, or contains invalid elements.
EcPubkeyTweakAdd(Span<byte>, ReadOnlySpan<byte>)
Tweak a public key by adding tweak times the generator to it.
public bool EcPubkeyTweakAdd(Span<byte> pubkey, ReadOnlySpan<byte> tweak32)Parameters
pubkeySpan<byte>pointer to a public key object. pubkey will be set to an invalid value if this function returns 0.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak, which must be valid according to secp256k1_ec_seckey_verify or 32 zero bytes. For uniformly random 32-byte tweaks, the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid or the resulting public key would be invalid (only when the tweak is the negation of the corresponding secret key). 1 otherwise.
EcPubkeyTweakMul(Span<byte>, ReadOnlySpan<byte>)
Tweak a public key by multiplying it by a tweak value.
public bool EcPubkeyTweakMul(Span<byte> pubkey, ReadOnlySpan<byte> tweak32)Parameters
pubkeySpan<byte>pointer to a public key object. pubkey will be set to an invalid value if this function returns 0.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak. If the tweak is invalid according to secp256k1_ec_seckey_verify, this function returns 0. For uniformly random 32-byte arrays the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid. 1 otherwise.
EcSeckeyNegate(Span<byte>)
Negates a secret key in place.
public bool EcSeckeyNegate(Span<byte> seckey)Parameters
seckeySpan<byte>pointer to the 32-byte secret key to be negated. If the secret key is invalid according to secp256k1_ec_seckey_verify, this function returns 0 and seckey will be set to some unspecified value.
Returns
- bool
0 if the given secret key is invalid according to secp256k1_ec_seckey_verify. 1 otherwise
EcSeckeyTweakAdd(Span<byte>, ReadOnlySpan<byte>)
Tweak a secret key by adding tweak to it.
public bool EcSeckeyTweakAdd(Span<byte> seckey, ReadOnlySpan<byte> tweak32)Parameters
seckeySpan<byte>pointer to a 32-byte secret key. If the secret key is invalid according to secp256k1_ec_seckey_verify, this function returns 0. seckey will be set to some unspecified value if this function returns 0.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak, which must be valid according to secp256k1_ec_seckey_verify or 32 zero bytes. For uniformly random 32-byte tweaks, the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid or the resulting secret key would be invalid (only when the tweak is the negation of the secret key). 1 otherwise.
EcSeckeyTweakMul(Span<byte>, ReadOnlySpan<byte>)
Tweak a secret key by multiplying it by a tweak.
public bool EcSeckeyTweakMul(Span<byte> seckey, ReadOnlySpan<byte> tweak32)Parameters
seckeySpan<byte>pointer to a 32-byte secret key. If the secret key is invalid according to secp256k1_ec_seckey_verify, this function returns 0. seckey will be set to some unspecified value if this function returns 0.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak. If the tweak is invalid according to secp256k1_ec_seckey_verify, this function returns 0. For uniformly random 32-byte arrays the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid. 1 otherwise.
EcSeckeyVerify(ReadOnlySpan<byte>)
Verify an elliptic curve secret key.
A secret key is valid if it is not 0 and less than the secp256k1 curve order when interpreted as an integer (most significant byte first). The probability of choosing a 32-byte string uniformly at random which is an invalid secret key is negligible. However, if it does happen it should be assumed that the randomness source is severely broken and there should be no retry.
public bool EcSeckeyVerify(ReadOnlySpan<byte> seckey)Parameters
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
Returns
- bool
1: secret key is valid 0: secret key is invalid
Ecdh(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Compute an EC Diffie-Hellman secret in constant time
public bool Ecdh(Span<byte> output, ReadOnlySpan<byte> pubkey, ReadOnlySpan<byte> seckey)Parameters
outputSpan<byte>pointer to an array to be filled by hashfp.
pubkeyReadOnlySpan<byte>pointer to a secp256k1_pubkey containing an initialized public key.
seckeyReadOnlySpan<byte>a 32-byte scalar with which to multiply the point.
Returns
- bool
1: exponentiation was successful 0: scalar was invalid (zero or overflow) or hashfp returned 0
Ecdh(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, EcdhHashFunction, nint)
Compute an EC Diffie-Hellman secret in constant time
public bool Ecdh(Span<byte> output, ReadOnlySpan<byte> pubkey, ReadOnlySpan<byte> seckey, EcdhHashFunction hashfp, nint data)Parameters
outputSpan<byte>pointer to an array to be filled by hashfp.
pubkeyReadOnlySpan<byte>pointer to a secp256k1_pubkey containing an initialized public key.
seckeyReadOnlySpan<byte>a 32-byte scalar with which to multiply the point.
hashfpEcdhHashFunctionpointer to a hash function. If NULL, secp256k1_ecdh_hash_function_sha256 is used (in which case, 32 bytes will be written to output).
datanintarbitrary data pointer that is passed through to hashfp (can be NULL for secp256k1_ecdh_hash_function_sha256).
Returns
- bool
1: exponentiation was successful 0: scalar was invalid (zero or overflow) or hashfp returned 0
EcdhHashFunctionDefault(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>)
A default ECDH hash function (currently equal to secp256k1_ecdh_hash_function_sha256). Populates the output parameter with 32 bytes.
public bool EcdhHashFunctionDefault(Span<byte> output, ReadOnlySpan<byte> x32, ReadOnlySpan<byte> y32, Span<byte> data)Parameters
outputSpan<byte>pointer to an array to be filled by the function
x32ReadOnlySpan<byte>pointer to a 32-byte x coordinate
y32ReadOnlySpan<byte>pointer to a 32-byte y coordinate
dataSpan<byte>arbitrary data pointer that is passed through
Returns
- bool
True on success, false on failure.
EcdhHashFunctionSha256(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>)
An implementation of SHA256 hash function that applies to compressed public key. Populates the output parameter with 32 bytes.
public bool EcdhHashFunctionSha256(Span<byte> output, ReadOnlySpan<byte> x32, ReadOnlySpan<byte> y32, Span<byte> data)Parameters
outputSpan<byte>pointer to an array to be filled by the function
x32ReadOnlySpan<byte>pointer to a 32-byte x coordinate
y32ReadOnlySpan<byte>pointer to a 32-byte y coordinate
dataSpan<byte>arbitrary data pointer that is passed through
Returns
- bool
True on success, false on failure.
EcdsaRecover(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Recover an ECDSA public key from a signature.
Successful public key recovery guarantees that the signature, after normalization, passes secp256k1_ecdsa_verify. Thus, explicit verification is not necessary.
However, a recoverable signature that successfully passes secp256k1_ecdsa_recover, when converted to a non-recoverable signature (using secp256k1_ecdsa_recoverable_signature_convert), is not guaranteed to be normalized and thus not guaranteed to pass secp256k1_ecdsa_verify. If a normalized signature is required, call secp256k1_ecdsa_signature_normalize after secp256k1_ecdsa_recoverable_signature_convert.
public bool EcdsaRecover(Span<byte> pubkey, ReadOnlySpan<byte> sig, ReadOnlySpan<byte> msghash32)Parameters
pubkeySpan<byte>pointer to the recovered public key.
sigReadOnlySpan<byte>pointer to initialized signature that supports pubkey recovery.
msghash32ReadOnlySpan<byte>the 32-byte message hash assumed to be signed.
Returns
- bool
1: public key successfully recovered 0: otherwise.
EcdsaRecoverableSignatureConvert(Span<byte>, ReadOnlySpan<byte>)
Convert a recoverable signature into a normal signature.
public bool EcdsaRecoverableSignatureConvert(Span<byte> sig, ReadOnlySpan<byte> sigin)Parameters
sigSpan<byte>pointer to a normal signature.
siginReadOnlySpan<byte>pointer to a recoverable signature.
Returns
- bool
1
EcdsaRecoverableSignatureParseCompact(Span<byte>, ReadOnlySpan<byte>, int)
Parse a compact ECDSA signature (64 bytes + recovery id).
public bool EcdsaRecoverableSignatureParseCompact(Span<byte> sig, ReadOnlySpan<byte> input64, int recid)Parameters
sigSpan<byte>pointer to a signature object
input64ReadOnlySpan<byte>pointer to a 64-byte compact signature
recidintthe recovery id (0, 1, 2 or 3)
Returns
- bool
1 when the signature could be parsed, 0 otherwise
EcdsaRecoverableSignatureSerializeCompact(Span<byte>, out int, ReadOnlySpan<byte>)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
public bool EcdsaRecoverableSignatureSerializeCompact(Span<byte> output64, out int recid, ReadOnlySpan<byte> sig)Parameters
output64Span<byte>pointer to a 64-byte array of the compact signature.
recidintpointer to an integer to hold the recovery id.
sigReadOnlySpan<byte>pointer to an initialized signature object.
Returns
- bool
1
EcdsaSign(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Create an ECDSA signature.
public bool EcdsaSign(Span<byte> sig, ReadOnlySpan<byte> msghash32, ReadOnlySpan<byte> seckey)Parameters
sigSpan<byte>pointer to an array where the signature will be placed.
msghash32ReadOnlySpan<byte>the 32-byte message hash being signed.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
Returns
- bool
1: signature created 0: the nonce generation function failed, or the secret key was invalid.
EcdsaSign(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, NonceFunction, nint)
Create an ECDSA signature.
public bool EcdsaSign(Span<byte> sig, ReadOnlySpan<byte> msghash32, ReadOnlySpan<byte> seckey, NonceFunction noncefp, nint ndata)Parameters
sigSpan<byte>pointer to an array where the signature will be placed.
msghash32ReadOnlySpan<byte>the 32-byte message hash being signed.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
noncefpNonceFunctionpointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used.
ndatanintpointer to arbitrary data used by the nonce generation function (can be NULL). If it is non-NULL and secp256k1_nonce_function_default is used, then ndata must be a pointer to 32-bytes of additional data.
The created signature is always in lower-S form. See secp256k1_ecdsa_signature_normalize for more details.
Returns
- bool
1: signature created 0: the nonce generation function failed, or the secret key was invalid.
EcdsaSignRecoverable(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Create a recoverable ECDSA signature.
public bool EcdsaSignRecoverable(Span<byte> sig, ReadOnlySpan<byte> msghash32, ReadOnlySpan<byte> seckey)Parameters
sigSpan<byte>pointer to an array where the signature will be placed.
msghash32ReadOnlySpan<byte>the 32-byte message hash being signed.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
Returns
- bool
1: signature created 0: the nonce generation function failed, or the secret key was invalid.
EcdsaSignRecoverable(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, NonceFunction, nint)
Create a recoverable ECDSA signature.
public bool EcdsaSignRecoverable(Span<byte> sig, ReadOnlySpan<byte> msghash32, ReadOnlySpan<byte> seckey, NonceFunction noncefp, nint ndata)Parameters
sigSpan<byte>pointer to an array where the signature will be placed.
msghash32ReadOnlySpan<byte>the 32-byte message hash being signed.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
noncefpNonceFunctionpointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used.
ndatanintpointer to arbitrary data used by the nonce generation function (can be NULL for secp256k1_nonce_function_default).
Returns
- bool
1: signature created 0: the nonce generation function failed, or the secret key was invalid.
EcdsaSignatureNormalize(Span<byte>, ReadOnlySpan<byte>)
Convert a signature to a normalized lower-S form.
public bool EcdsaSignatureNormalize(Span<byte> sigout, ReadOnlySpan<byte> sigin)Parameters
sigoutSpan<byte>pointer to a signature to fill with the normalized form, or copy if the input was already normalized. (can be NULL if you're only interested in whether the input was already normalized).
siginReadOnlySpan<byte>pointer to a signature to check/normalize (can be identical to sigout)
With ECDSA a third-party can forge a second distinct signature of the same message, given a single initial signature, but without knowing the key. This is done by negating the S value modulo the order of the curve, 'flipping' the sign of the random point R which is not included in the signature.
Forgery of the same message isn't universally problematic, but in systems where message malleability or uniqueness of signatures is important this can cause issues. This forgery can be blocked by all verifiers forcing signers to use a normalized form.
The lower-S form reduces the size of signatures slightly on average when variable length encodings (such as DER) are used and is cheap to verify, making it a good choice. Security of always using lower-S is assured because anyone can trivially modify a signature after the fact to enforce this property anyway.
The lower S value is always between 0x1 and 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, inclusive.
No other forms of ECDSA malleability are known and none seem likely, but there is no formal proof that ECDSA, even with this additional restriction, is free of other malleability. Commonly used serialization schemes will also accept various non-unique encodings, so care should be taken when this property is required for an application.
The secp256k1_ecdsa_sign function will by default create signatures in the lower-S form, and secp256k1_ecdsa_verify will not accept others. In case signatures come from a system that cannot enforce this property, secp256k1_ecdsa_signature_normalize must be called before verification.
Returns
- bool
1 if sigin was not normalized, 0 if it already was.
EcdsaSignatureParseCompact(Span<byte>, ReadOnlySpan<byte>)
Parse an ECDSA signature in compact (64 bytes) format.
public bool EcdsaSignatureParseCompact(Span<byte> sig, ReadOnlySpan<byte> input64)Parameters
sigSpan<byte>pointer to a signature object
input64ReadOnlySpan<byte>pointer to the 64-byte array to parse
The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.
After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail verification for any message and public key.
Returns
- bool
1 when the signature could be parsed, 0 otherwise.
EcdsaSignatureParseDer(Span<byte>, ReadOnlySpan<byte>)
Parse a DER ECDSA signature.
public bool EcdsaSignatureParseDer(Span<byte> sig, ReadOnlySpan<byte> input)Parameters
sigSpan<byte>pointer to a signature object
inputReadOnlySpan<byte>pointer to the signature to be parsed
Returns
- bool
1 when the signature could be parsed, 0 otherwise.
EcdsaSignatureSerializeCompact(Span<byte>, ReadOnlySpan<byte>)
Serialize an ECDSA signature in compact (64 byte) format.
public bool EcdsaSignatureSerializeCompact(Span<byte> output64, ReadOnlySpan<byte> sig)Parameters
output64Span<byte>pointer to a 64-byte array to store the compact serialization
sigReadOnlySpan<byte>pointer to an initialized signature object
See secp256k1_ecdsa_signature_parse_compact for details about the encoding.
Returns
- bool
1
EcdsaSignatureSerializeDer(Span<byte>, ref nuint, ReadOnlySpan<byte>)
Serialize an ECDSA signature in DER format.
public bool EcdsaSignatureSerializeDer(Span<byte> output, ref nuint outputlen, ReadOnlySpan<byte> sig)Parameters
outputSpan<byte>pointer to an array to store the DER serialization
outputlennuintpointer to a length integer. Initially, this integer should be set to the length of output. After the call it will be set to the length of the serialization (even if 0 was returned).
sigReadOnlySpan<byte>pointer to an initialized signature object
Returns
- bool
1 if enough space was available to serialize, 0 otherwise
EcdsaVerify(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verify an ECDSA signature.
public bool EcdsaVerify(ReadOnlySpan<byte> sig, ReadOnlySpan<byte> msghash32, ReadOnlySpan<byte> pubkey)Parameters
sigReadOnlySpan<byte>the signature being verified.
msghash32ReadOnlySpan<byte>the 32-byte message hash being verified. The verifier must make sure to apply a cryptographic hash function to the message by itself and not accept an msghash32 value directly. Otherwise, it would be easy to create a "valid" signature without knowledge of the secret key. See also https://bitcoin.stackexchange.com/a/81116/35586 for more background on this topic.
pubkeyReadOnlySpan<byte>pointer to an initialized public key to verify with.
To avoid accepting malleable signatures, only ECDSA signatures in lower-S form are accepted.
If you need to accept ECDSA signatures from sources that do not obey this rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to verification, but be aware that doing so results in malleable signatures.
For details, see the comments for that function.
Returns
- bool
1: correct signature 0: incorrect or unparseable signature
EllswiftCreate(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Compute an ElligatorSwift public key for a secret key.
public bool EllswiftCreate(Span<byte> ell64, ReadOnlySpan<byte> seckey32, ReadOnlySpan<byte> auxrnd32)Parameters
ell64Span<byte>pointer to a 64-byte array to receive the ElligatorSwift public key
seckey32ReadOnlySpan<byte>pointer to a 32-byte secret key
auxrnd32ReadOnlySpan<byte>(optional) pointer to 32 bytes of randomness
Constant time in seckey and auxrnd32, but not in the resulting public key.
It is recommended that auxrnd32 contains 32 uniformly random bytes, though it is optional (and does result in encodings that are indistinguishable from uniform even without any auxrnd32). It differs from the (mandatory) rnd32 argument to secp256k1_ellswift_encode in this regard.
This function can be used instead of calling secp256k1_ec_pubkey_create followed by secp256k1_ellswift_encode. It is safer, as it uses the secret key as entropy for the encoding (supplemented with auxrnd32, if provided).
Like secp256k1_ellswift_encode, this function does not guarantee that the computed encoding is stable across versions of the library, even if all arguments (including auxrnd32) are the same.
Returns
- bool
1: secret was valid, public key was stored. 0: secret was invalid, try again.
EllswiftDecode(Span<byte>, ReadOnlySpan<byte>)
Decode a 64-bytes ElligatorSwift encoded public key.
public bool EllswiftDecode(Span<byte> pubkey, ReadOnlySpan<byte> ell64)Parameters
pubkeySpan<byte>pointer to a secp256k1_pubkey that will be filled
ell64ReadOnlySpan<byte>pointer to a 64-byte array to decode
This function runs in variable time.
Returns
- bool
always 1
EllswiftEncode(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Construct a 64-byte ElligatorSwift encoding of a given pubkey.
public bool EllswiftEncode(Span<byte> ell64, ReadOnlySpan<byte> pubkey, ReadOnlySpan<byte> rnd32)Parameters
ell64Span<byte>pointer to a 64-byte array to be filled
pubkeyReadOnlySpan<byte>pointer to a secp256k1_pubkey containing an initialized public key
rnd32ReadOnlySpan<byte>pointer to 32 bytes of randomness
It is recommended that rnd32 consists of 32 uniformly random bytes, not known to any adversary trying to detect whether public keys are being encoded, though 16 bytes of randomness (padded to an array of 32 bytes, e.g., with zeros) suffice to make the result indistinguishable from uniform. The randomness in rnd32 must not be a deterministic function of the pubkey (it can be derived from the private key, though).
It is not guaranteed that the computed encoding is stable across versions of the library, even if all arguments to this function (including rnd32) are the same.
This function runs in variable time.
Returns
- bool
1 always.
EllswiftXdh(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, int, EllswiftXdhHashFunction, nint)
Given a private key, and ElligatorSwift public keys sent in both directions, compute a shared secret using x-only Elliptic Curve Diffie-Hellman (ECDH).
public bool EllswiftXdh(Span<byte> output, ReadOnlySpan<byte> ell_a64, ReadOnlySpan<byte> ell_b64, ReadOnlySpan<byte> seckey32, int party, EllswiftXdhHashFunction hashfp, nint data)Parameters
outputSpan<byte>pointer to an array to be filled by hashfp.
ell_a64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party A (will not be NULL)
ell_b64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party B (will not be NULL)
seckey32ReadOnlySpan<byte>pointer to our 32-byte secret key
partyintboolean indicating which party we are: zero if we are party A, non-zero if we are party B. seckey32 must be the private key corresponding to that party's ell_?64. This correspondence is not checked.
hashfpEllswiftXdhHashFunctionpointer to a hash function.
datanintarbitrary data pointer passed through to hashfp.
Constant time in seckey32.
This function is more efficient than decoding the public keys, and performing ECDH on them.
Returns
- bool
1: shared secret was successfully computed 0: secret was invalid or hashfp returned 0
EllswiftXdhHashFunctionBip324(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>)
An implementation of an secp256k1_ellswift_xdh_hash_function compatible with BIP324. It returns H_tag(ell_a64 || ell_b64 || x32), where H_tag is the BIP340 tagged hash function with tag "bip324_ellswift_xonly_ecdh". Equivalent to secp256k1_ellswift_xdh_hash_function_prefix with prefix64 set to SHA256("bip324_ellswift_xonly_ecdh")||SHA256("bip324_ellswift_xonly_ecdh"). The data argument is ignored.
public bool EllswiftXdhHashFunctionBip324(Span<byte> output, ReadOnlySpan<byte> x32, ReadOnlySpan<byte> ell_a64, ReadOnlySpan<byte> ell_b64, Span<byte> data)Parameters
outputSpan<byte>pointer to an array to be filled by the function
x32ReadOnlySpan<byte>pointer to the 32-byte serialized X coordinate of the resulting shared point (will not be NULL)
ell_a64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party A (will not be NULL)
ell_b64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party B (will not be NULL)
dataSpan<byte>arbitrary data pointer that is passed through
Returns
- bool
True on success, false on failure.
EllswiftXdhHashFunctionPrefix(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>)
An implementation of an secp256k1_ellswift_xdh_hash_function which uses SHA256(prefix64 || ell_a64 || ell_b64 || x32), where prefix64 is the 64-byte array pointed to by data.
public bool EllswiftXdhHashFunctionPrefix(Span<byte> output, ReadOnlySpan<byte> x32, ReadOnlySpan<byte> ell_a64, ReadOnlySpan<byte> ell_b64, Span<byte> data)Parameters
outputSpan<byte>pointer to an array to be filled by the function
x32ReadOnlySpan<byte>pointer to the 32-byte serialized X coordinate of the resulting shared point (will not be NULL)
ell_a64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party A (will not be NULL)
ell_b64ReadOnlySpan<byte>pointer to the 64-byte encoded public key of party B (will not be NULL)
dataSpan<byte>arbitrary data pointer that is passed through
Returns
- bool
True on success, false on failure.
IsNormalizedSignature(ReadOnlySpan<byte>)
Checks if a signature is in normalized lower-S form.
public static bool IsNormalizedSignature(ReadOnlySpan<byte> signature)Parameters
signatureReadOnlySpan<byte>64-byte compact signature.
Returns
- bool
True if the signature is already normalized, false if it needed normalization.
Exceptions
- ArgumentException
Thrown when the signature is invalid.
IsValidPublicKey(ReadOnlySpan<byte>)
Verifies that a serialized public key is valid.
public static bool IsValidPublicKey(ReadOnlySpan<byte> publicKey)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
Returns
- bool
True if the public key is valid, false otherwise.
IsValidSecretKey(ReadOnlySpan<byte>)
Verifies that a secret key is valid.
public static bool IsValidSecretKey(ReadOnlySpan<byte> secretKey)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key to validate.
Returns
- bool
True if the secret key is valid, false otherwise.
KeypairCreate(Span<byte>, ReadOnlySpan<byte>)
Compute the keypair for a valid secret key.
See the documentation of secp256k1_ec_seckey_verify for more information about the validity of secret keys.
public bool KeypairCreate(Span<byte> keypair, ReadOnlySpan<byte> seckey)Parameters
keypairSpan<byte>pointer to the created keypair.
seckeyReadOnlySpan<byte>pointer to a 32-byte secret key.
Returns
- bool
1: secret key is valid 0: secret key is invalid
KeypairPub(Span<byte>, ReadOnlySpan<byte>)
Get the public key from a keypair.
public bool KeypairPub(Span<byte> pubkey, ReadOnlySpan<byte> keypair)Parameters
pubkeySpan<byte>pointer to a pubkey object, set to the keypair public key.
keypairReadOnlySpan<byte>pointer to a keypair.
Returns
- bool
1 always.
KeypairSec(Span<byte>, ReadOnlySpan<byte>)
Get the secret key from a keypair.
public bool KeypairSec(Span<byte> seckey, ReadOnlySpan<byte> keypair)Parameters
seckeySpan<byte>pointer to a 32-byte buffer for the secret key.
keypairReadOnlySpan<byte>pointer to a keypair.
Returns
- bool
1 always.
KeypairXonlyPub(Span<byte>, out int, ReadOnlySpan<byte>)
Get the x-only public key from a keypair.
This is the same as calling secp256k1_keypair_pub and then secp256k1_xonly_pubkey_from_pubkey.
public bool KeypairXonlyPub(Span<byte> pubkey, out int pk_parity, ReadOnlySpan<byte> keypair)Parameters
pubkeySpan<byte>pointer to an xonly_pubkey object, set to the keypair public key after converting it to an xonly_pubkey.
pk_parityintIgnored if NULL. Otherwise, pointer to an integer that will be set to the pk_parity argument of secp256k1_xonly_pubkey_from_pubkey.
keypairReadOnlySpan<byte>pointer to a keypair.
Returns
- bool
1 always.
KeypairXonlyTweakAdd(Span<byte>, ReadOnlySpan<byte>)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Calling this function and then secp256k1_keypair_pub results in the same public key as calling secp256k1_keypair_xonly_pub and then secp256k1_xonly_pubkey_tweak_add.
public bool KeypairXonlyTweakAdd(Span<byte> keypair, ReadOnlySpan<byte> tweak32)Parameters
keypairSpan<byte>pointer to a keypair to apply the tweak to. Will be set to an invalid value if this function returns 0.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak, which must be valid according to secp256k1_ec_seckey_verify or 32 zero bytes. For uniformly random 32-byte tweaks, the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid or the resulting keypair would be invalid (only when the tweak is the negation of the keypair's secret key). 1 otherwise.
MusigAggnonceParse(Span<byte>, ReadOnlySpan<byte>)
Parse an aggregate public nonce.
public bool MusigAggnonceParse(Span<byte> nonce, ReadOnlySpan<byte> in66)Parameters
nonceSpan<byte>pointer to a nonce object
in66ReadOnlySpan<byte>pointer to the 66-byte nonce to be parsed
Returns
- bool
1 when the nonce could be parsed, 0 otherwise.
MusigAggnonceSerialize(Span<byte>, ReadOnlySpan<byte>)
Serialize an aggregate public nonce
public bool MusigAggnonceSerialize(Span<byte> out66, ReadOnlySpan<byte> nonce)Parameters
out66Span<byte>pointer to a 66-byte array to store the serialized nonce
nonceReadOnlySpan<byte>pointer to the nonce
Returns
- bool
1 always
MusigNonceAgg(Span<byte>, byte[][])
Aggregates the nonces of all signers into a single nonce
This can be done by an untrusted party to reduce the communication between signers. Instead of everyone sending nonces to everyone else, there can be one party receiving all nonces, aggregating the nonces with this function and then sending only the aggregate nonce back to the signers.
If the aggregator does not compute the aggregate nonce correctly, the final signature will be invalid.
public bool MusigNonceAgg(Span<byte> aggnonce, byte[][] pubnonces)Parameters
aggnonceSpan<byte>pointer to an aggregate public nonce object for musig_nonce_process
pubnoncesbyte[][]array of pointers to public nonces sent by the signers
Returns
- bool
0 if the arguments are invalid, 1 otherwise
MusigNonceGen(Span<byte>, Span<byte>, Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Starts a signing session by generating a nonce
This function outputs a secret nonce that will be required for signing and a corresponding public nonce that is intended to be sent to other signers.
MuSig differs from regular Schnorr signing in that implementers must take special care to not reuse a nonce. This can be ensured by following these rules:
1. Each call to this function must have a UNIQUE session_secrand32 that must NOT BE REUSED in subsequent calls to this function and must be KEPT SECRET (even from other signers). 2. If you already know the seckey, message or aggregate public key cache, they can be optionally provided to derive the nonce and increase misuse-resistance. The extra_input32 argument can be used to provide additional data that does not repeat in normal scenarios, such as the current time. 3. Avoid copying (or serializing) the secnonce. This reduces the possibility that it is used more than once for signing.
If you don't have access to good randomness for session_secrand32, but you have access to a non-repeating counter, then see secp256k1_musig_nonce_gen_counter.
Remember that nonce reuse will leak the secret key! Note that using the same seckey for multiple MuSig sessions is fine.
public bool MusigNonceGen(Span<byte> secnonce, Span<byte> pubnonce, Span<byte> session_secrand32, ReadOnlySpan<byte> seckey, ReadOnlySpan<byte> pubkey, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> keyagg_cache, ReadOnlySpan<byte> extra_input32)Parameters
secnonceSpan<byte>pointer to a structure to store the secret nonce
pubnonceSpan<byte>pointer to a structure to store the public nonce
session_secrand32Span<byte>a 32-byte session_secrand32 as explained above. Must be unique to this call to secp256k1_musig_nonce_gen and must be uniformly random. If the function call is successful, the session_secrand32 buffer is invalidated to prevent reuse.
seckeyReadOnlySpan<byte>the 32-byte secret key that will later be used for signing, if already known (can be NULL)
pubkeyReadOnlySpan<byte>public key of the signer creating the nonce. The secnonce output of this function cannot be used to sign for any other public key. While the public key should correspond to the provided seckey, a mismatch will not cause the function to return 0.
msg32ReadOnlySpan<byte>the 32-byte message that will later be signed, if already known (can be NULL)
keyagg_cacheReadOnlySpan<byte>pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) public key if already known (can be NULL)
extra_input32ReadOnlySpan<byte>an optional 32-byte array that is input to the nonce derivation function (can be NULL)
Returns
- bool
0 if the arguments are invalid and 1 otherwise
MusigNonceGenCounter(Span<byte>, Span<byte>, ulong, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Alternative way to generate a nonce and start a signing session
This function outputs a secret nonce that will be required for signing and a corresponding public nonce that is intended to be sent to other signers.
This function differs from secp256k1_musig_nonce_gen by accepting a non-repeating counter value instead of a secret random value. This requires that a secret key is provided to secp256k1_musig_nonce_gen_counter (through the keypair argument), as opposed to secp256k1_musig_nonce_gen where the seckey argument is optional.
MuSig differs from regular Schnorr signing in that implementers must take special care to not reuse a nonce. This can be ensured by following these rules:
1. The nonrepeating_cnt argument must be a counter value that never repeats, i.e., you must never call secp256k1_musig_nonce_gen_counter twice with the same keypair and nonrepeating_cnt value. For example, this implies that if the same keypair is used with secp256k1_musig_nonce_gen_counter on multiple devices, none of the devices should have the same counter value as any other device. 2. If the seckey, message or aggregate public key cache is already available at this stage, any of these can be optionally provided, in which case they will be used in the derivation of the nonce and increase misuse-resistance. The extra_input32 argument can be used to provide additional data that does not repeat in normal scenarios, such as the current time. 3. Avoid copying (or serializing) the secnonce. This reduces the possibility that it is used more than once for signing.
Remember that nonce reuse will leak the secret key! Note that using the same keypair for multiple MuSig sessions is fine.
public bool MusigNonceGenCounter(Span<byte> secnonce, Span<byte> pubnonce, ulong nonrepeating_cnt, ReadOnlySpan<byte> keypair, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> keyagg_cache, ReadOnlySpan<byte> extra_input32)Parameters
secnonceSpan<byte>pointer to a structure to store the secret nonce
pubnonceSpan<byte>pointer to a structure to store the public nonce
nonrepeating_cntulongthe value of a counter as explained above. Must be unique to this call to secp256k1_musig_nonce_gen.
keypairReadOnlySpan<byte>keypair of the signer creating the nonce. The secnonce output of this function cannot be used to sign for any other keypair.
msg32ReadOnlySpan<byte>the 32-byte message that will later be signed, if already known (can be NULL)
keyagg_cacheReadOnlySpan<byte>pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) public key if already known (can be NULL)
extra_input32ReadOnlySpan<byte>an optional 32-byte array that is input to the nonce derivation function (can be NULL)
Returns
- bool
0 if the arguments are invalid and 1 otherwise
MusigNonceProcess(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Takes the aggregate nonce and creates a session that is required for signing and verification of partial signatures.
public bool MusigNonceProcess(Span<byte> session, ReadOnlySpan<byte> aggnonce, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> keyagg_cache)Parameters
sessionSpan<byte>pointer to a struct to store the session
aggnonceReadOnlySpan<byte>pointer to an aggregate public nonce object that is the output of musig_nonce_agg
msg32ReadOnlySpan<byte>the 32-byte message to sign
keyagg_cacheReadOnlySpan<byte>pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) pubkey
Returns
- bool
0 if the arguments are invalid, 1 otherwise
MusigPartialSigAgg(Span<byte>, ReadOnlySpan<byte>, byte[][])
Aggregates partial signatures
public bool MusigPartialSigAgg(Span<byte> sig64, ReadOnlySpan<byte> session, byte[][] partial_sigs)Parameters
sig64Span<byte>complete (but possibly invalid) Schnorr signature
sessionReadOnlySpan<byte>pointer to the session that was created with musig_nonce_process
partial_sigsbyte[][]array of pointers to partial signatures to aggregate
Returns
- bool
0 if the arguments are invalid, 1 otherwise (which does NOT mean the resulting signature verifies).
MusigPartialSigParse(Span<byte>, ReadOnlySpan<byte>)
Parse a MuSig partial signature.
public bool MusigPartialSigParse(Span<byte> sig, ReadOnlySpan<byte> in32)Parameters
sigSpan<byte>pointer to a signature object
in32ReadOnlySpan<byte>pointer to the 32-byte signature to be parsed
Returns
- bool
1 when the signature could be parsed, 0 otherwise.
MusigPartialSigSerialize(Span<byte>, ReadOnlySpan<byte>)
Serialize a MuSig partial signature
public bool MusigPartialSigSerialize(Span<byte> out32, ReadOnlySpan<byte> sig)Parameters
out32Span<byte>pointer to a 32-byte array to store the serialized signature
sigReadOnlySpan<byte>pointer to the signature
Returns
- bool
1 always
MusigPartialSigVerify(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verifies an individual signer's partial signature
The signature is verified for a specific signing session. In order to avoid accidentally verifying a signature from a different or non-existing signing session, you must ensure the following: 1. The keyagg_cache argument is identical to the one used to create the session with musig_nonce_process. 2. The pubkey argument must be identical to the one sent by the signer before aggregating it with musig_pubkey_agg to create the keyagg_cache. 3. The pubnonce argument must be identical to the one sent by the signer before aggregating it with musig_nonce_agg and using the result to create the session with musig_nonce_process.
It is not required to call this function in regular MuSig sessions, because if any partial signature does not verify, the final signature will not verify either, so the problem will be caught. However, this function provides the ability to identify which specific partial signature fails verification.
public bool MusigPartialSigVerify(ReadOnlySpan<byte> partial_sig, ReadOnlySpan<byte> pubnonce, ReadOnlySpan<byte> pubkey, ReadOnlySpan<byte> keyagg_cache, ReadOnlySpan<byte> session)Parameters
partial_sigReadOnlySpan<byte>pointer to partial signature to verify, sent by the signer associated with
pubnonceandpubkeypubnonceReadOnlySpan<byte>public nonce of the signer in the signing session
pubkeyReadOnlySpan<byte>public key of the signer in the signing session
keyagg_cacheReadOnlySpan<byte>pointer to the keyagg_cache that was output when the aggregate public key for this signing session
sessionReadOnlySpan<byte>pointer to the session that was created with
musig_nonce_process
Returns
- bool
0 if the arguments are invalid or the partial signature does not verify, 1 otherwise
MusigPartialSign(Span<byte>, Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Produces a partial signature
This function overwrites the given secnonce with zeros and will abort if given a secnonce that is all zeros. This is a best effort attempt to protect against nonce reuse. However, this is of course easily defeated if the secnonce has been copied (or serialized). Remember that nonce reuse will leak the secret key!
For signing to succeed, the secnonce provided to this function must have been generated for the provided keypair. This means that when signing for a keypair consisting of a seckey and pubkey, the secnonce must have been created by calling musig_nonce_gen with that pubkey. Otherwise, the illegal_callback is called.
This function does not verify the output partial signature, deviating from the BIP 327 specification. It is recommended to verify the output partial signature with secp256k1_musig_partial_sig_verify to prevent random or adversarially provoked computation errors.
public bool MusigPartialSign(Span<byte> partial_sig, Span<byte> secnonce, ReadOnlySpan<byte> keypair, ReadOnlySpan<byte> keyagg_cache, ReadOnlySpan<byte> session)Parameters
partial_sigSpan<byte>pointer to struct to store the partial signature
secnonceSpan<byte>pointer to the secnonce struct created in musig_nonce_gen that has been never used in a partial_sign call before and has been created for the keypair
keypairReadOnlySpan<byte>pointer to keypair to sign the message with
keyagg_cacheReadOnlySpan<byte>pointer to the keyagg_cache that was output when the aggregate public key for this session
sessionReadOnlySpan<byte>pointer to the session that was created with musig_nonce_process
Returns
- bool
0 if the arguments are invalid or the provided secnonce has already been used for signing, 1 otherwise
MusigPubkeyAgg(Span<byte>, Span<byte>, byte[][])
Computes an aggregate public key and uses it to initialize a keyagg_cache
Different orders of pubkeys result in different agg_pks.
Before aggregating, the pubkeys can be sorted with secp256k1_ec_pubkey_sort which ensures the same agg_pk result for the same multiset of pubkeys. This is useful to do before pubkey_agg, such that the order of pubkeys does not affect the aggregate public key.
public bool MusigPubkeyAgg(Span<byte> agg_pk, Span<byte> keyagg_cache, byte[][] pubkeys)Parameters
agg_pkSpan<byte>the MuSig-aggregated x-only public key. If you do not need it, this arg can be NULL.
keyagg_cacheSpan<byte>if non-NULL, pointer to a musig_keyagg_cache struct that is required for signing (or observing the signing session and verifying partial signatures).
pubkeysbyte[][]input array of pointers to public keys to aggregate. The order is important; a different order will result in a different aggregate public key.
Returns
- bool
0 if the arguments are invalid, 1 otherwise
MusigPubkeyEcTweakAdd(Span<byte>, Span<byte>, ReadOnlySpan<byte>)
public bool MusigPubkeyEcTweakAdd(Span<byte> output_pubkey, Span<byte> keyagg_cache, ReadOnlySpan<byte> tweak32)Parameters
Returns
MusigPubkeyGet(Span<byte>, ReadOnlySpan<byte>)
Obtain the aggregate public key from a keyagg_cache.
This is only useful if you need the non-xonly public key, in particular for plain (non-xonly) tweaking or batch-verifying multiple key aggregations (not implemented).
public bool MusigPubkeyGet(Span<byte> agg_pk, ReadOnlySpan<byte> keyagg_cache)Parameters
agg_pkSpan<byte>the MuSig-aggregated public key.
keyagg_cacheReadOnlySpan<byte>pointer to a
musig_keyagg_cachestruct initialized bymusig_pubkey_agg
Returns
- bool
0 if the arguments are invalid, 1 otherwise
MusigPubkeyXonlyTweakAdd(Span<byte>, Span<byte>, ReadOnlySpan<byte>)
public bool MusigPubkeyXonlyTweakAdd(Span<byte> output_pubkey, Span<byte> keyagg_cache, ReadOnlySpan<byte> tweak32)Parameters
Returns
MusigPubnonceParse(Span<byte>, ReadOnlySpan<byte>)
Parse a signer's public nonce.
public bool MusigPubnonceParse(Span<byte> nonce, ReadOnlySpan<byte> in66)Parameters
nonceSpan<byte>pointer to a nonce object
in66ReadOnlySpan<byte>pointer to the 66-byte nonce to be parsed
Returns
- bool
1 when the nonce could be parsed, 0 otherwise.
MusigPubnonceSerialize(Span<byte>, ReadOnlySpan<byte>)
Serialize a signer's public nonce
public bool MusigPubnonceSerialize(Span<byte> out66, ReadOnlySpan<byte> nonce)Parameters
out66Span<byte>pointer to a 66-byte array to store the serialized nonce
nonceReadOnlySpan<byte>pointer to the nonce
Returns
- bool
1 always
NegatePublicKey(ReadOnlySpan<byte>, bool)
Negates a public key.
public static byte[] NegatePublicKey(ReadOnlySpan<byte> publicKey, bool compressed = true)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized negated public key.
Exceptions
- ArgumentException
Thrown when the public key is invalid.
NegateSecretKey(ReadOnlySpan<byte>)
Negates a secret key in place.
public static byte[] NegateSecretKey(ReadOnlySpan<byte> secretKey)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key.
Returns
- byte[]
32-byte negated secret key.
Exceptions
- ArgumentException
Thrown when the secret key is invalid.
NonceFunctionBip340(Span<byte>, ReadOnlySpan<byte>, nuint, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, nuint, Span<byte>)
An implementation of the nonce generation function as defined in Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1" (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
If a data pointer is passed, it is assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340. If the data pointer is NULL, the nonce derivation procedure follows BIP-340 by setting the auxiliary random data to zero. The algo argument must be non-NULL, otherwise the function will fail and return 0. The hash will be tagged with algo. Therefore, to create BIP-340 compliant signatures, algo must be set to "BIP0340/nonce" and algolen to 13.
public bool NonceFunctionBip340(Span<byte> nonce32, ReadOnlySpan<byte> msg, nuint msglen, ReadOnlySpan<byte> key32, ReadOnlySpan<byte> xonly_pk32, ReadOnlySpan<byte> algo, nuint algolen, Span<byte> data)Parameters
nonce32Span<byte>pointer to a 32-byte array to be filled by the function
msgReadOnlySpan<byte>the message being verified. Is NULL if and only if msglen is 0.
msglennuintthe length of the message
key32ReadOnlySpan<byte>pointer to a 32-byte secret key (will not be NULL)
xonly_pk32ReadOnlySpan<byte>the 32-byte serialized xonly pubkey corresponding to key32 (will not be NULL)
algoReadOnlySpan<byte>pointer to an array describing the signature algorithm (will not be NULL)
algolennuintthe length of the algo array
dataSpan<byte>arbitrary data pointer that is passed through
Except for test cases, this function should compute some cryptographic hash of the message, the key, the pubkey, the algorithm description, and data.
Returns
- bool
True on success, false on failure.
NonceFunctionDefault(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>, uint)
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
public bool NonceFunctionDefault(Span<byte> nonce32, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> key32, ReadOnlySpan<byte> algo16, Span<byte> data, uint attempt)Parameters
nonce32Span<byte>pointer to a 32-byte array to be filled by the function.
msg32ReadOnlySpan<byte>the 32-byte message hash being verified (will not be NULL)
key32ReadOnlySpan<byte>pointer to a 32-byte secret key (will not be NULL)
algo16ReadOnlySpan<byte>pointer to a 16-byte array describing the signature algorithm (will be NULL for ECDSA for compatibility).
dataSpan<byte>Arbitrary data pointer that is passed through.
attemptuinthow many iterations we have tried to find a nonce. This will almost always be 0, but different attempt values are required to result in a different nonce.
Except for test cases, this function should compute some cryptographic hash of the message, the algorithm, the key and the attempt.
Returns
- bool
True on success, false on failure.
NonceFunctionRfc6979(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>, uint)
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. If a data pointer is passed, it is assumed to be a pointer to 32 bytes of extra entropy.
public bool NonceFunctionRfc6979(Span<byte> nonce32, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> key32, ReadOnlySpan<byte> algo16, Span<byte> data, uint attempt)Parameters
nonce32Span<byte>pointer to a 32-byte array to be filled by the function.
msg32ReadOnlySpan<byte>the 32-byte message hash being verified (will not be NULL)
key32ReadOnlySpan<byte>pointer to a 32-byte secret key (will not be NULL)
algo16ReadOnlySpan<byte>pointer to a 16-byte array describing the signature algorithm (will be NULL for ECDSA for compatibility).
dataSpan<byte>Arbitrary data pointer that is passed through.
attemptuinthow many iterations we have tried to find a nonce. This will almost always be 0, but different attempt values are required to result in a different nonce.
Except for test cases, this function should compute some cryptographic hash of the message, the algorithm, the key and the attempt.
Returns
- bool
True on success, false on failure.
NormalizeSignature(ReadOnlySpan<byte>)
Normalizes a signature to lower-S form.
public static byte[] NormalizeSignature(ReadOnlySpan<byte> signature)Parameters
signatureReadOnlySpan<byte>64-byte compact signature.
Returns
- byte[]
Normalized 64-byte compact signature in lower-S form.
Exceptions
- ArgumentException
Thrown when the signature is invalid.
RecoverPublicKey(ReadOnlySpan<byte>, byte, ReadOnlySpan<byte>, bool)
Recovers a public key from a recoverable ECDSA signature.
public static byte[] RecoverPublicKey(ReadOnlySpan<byte> signature, byte recoveryId, ReadOnlySpan<byte> messageHash, bool compressed = true)Parameters
signatureReadOnlySpan<byte>64-byte compact signature.
recoveryIdbyteRecovery ID (0-3).
messageHashReadOnlySpan<byte>32-byte message hash that was signed.
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized public key (33 or 65 bytes).
Exceptions
- ArgumentException
Thrown when recovery fails.
SchnorrsigSign32(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Create a Schnorr signature.
Does not strictly follow BIP-340 because it does not verify the resulting signature. Instead, you can manually use secp256k1_schnorrsig_verify and abort if it fails.
This function only signs 32-byte messages. If you have messages of a different size (or the same size but without a context-specific tag prefix), it is recommended to create a 32-byte message hash with secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows providing an context-specific tag for domain separation. This prevents signatures from being valid in multiple contexts by accident.
Returns 1 on success, 0 on failure.
public bool SchnorrsigSign32(Span<byte> sig64, ReadOnlySpan<byte> msg32, ReadOnlySpan<byte> keypair, ReadOnlySpan<byte> aux_rand32)Parameters
sig64Span<byte>pointer to a 64-byte array to store the serialized signature.
msg32ReadOnlySpan<byte>the 32-byte message being signed.
keypairReadOnlySpan<byte>pointer to an initialized keypair.
aux_rand32ReadOnlySpan<byte>32 bytes of fresh randomness. While recommended to provide this, it is only supplemental to security and can be NULL. A NULL argument is treated the same as an all-zero one. See BIP-340 "Default Signing" for a full explanation of this argument and for guidance if randomness is expensive.
Returns
SchnorrsigSignCustom(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, Span<byte>)
Create a Schnorr signature with a more flexible API.
Same arguments as secp256k1_schnorrsig_sign except that it allows signing variable length messages and accepts a pointer to an extraparams object that allows customizing signing by passing additional arguments.
Equivalent to secp256k1_schnorrsig_sign32(..., aux_rand32) if msglen is 32 and extraparams is initialized as follows: secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; extraparams.ndata = (unsigned char*)aux_rand32;
Returns 1 on success, 0 on failure.
public bool SchnorrsigSignCustom(Span<byte> sig64, ReadOnlySpan<byte> msg, ReadOnlySpan<byte> keypair, Span<byte> extraparams)Parameters
sig64Span<byte>pointer to a 64-byte array to store the serialized signature.
msgReadOnlySpan<byte>the message being signed. Can only be NULL if msglen is 0.
keypairReadOnlySpan<byte>pointer to an initialized keypair.
extraparamsSpan<byte>pointer to an extraparams object (can be NULL).
Returns
SchnorrsigVerify(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verify a Schnorr signature.
public bool SchnorrsigVerify(ReadOnlySpan<byte> sig64, ReadOnlySpan<byte> msg, ReadOnlySpan<byte> pubkey)Parameters
sig64ReadOnlySpan<byte>pointer to the 64-byte signature to verify.
msgReadOnlySpan<byte>the message being verified. Can only be NULL if msglen is 0.
pubkeyReadOnlySpan<byte>pointer to an x-only public key to verify with
Returns
- bool
1: correct signature 0: incorrect signature
Selftest()
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
This function performs self tests that detect some serious usage errors and similar conditions, e.g., when the library is compiled for the wrong endianness. This is a last resort measure to be used in production. The performed tests are very rudimentary and are not intended as a replacement for running the test binaries.
It is highly recommended to call this before using secp256k1_context_static. It is not necessary to call this function before using a context created with secp256k1_context_create (or secp256k1_context_preallocated_create), which will take care of performing the self tests.
If the tests fail, this function will call the default error callback to abort the program (see secp256k1_context_set_error_callback).
public void Selftest()SetErrorCallback(ErrorCallbackDelegate, nint)
Sets user-defined error calback for this context.
public void SetErrorCallback(ErrorCallbackDelegate cb, nint data = 0)Parameters
cbErrorCallbackDelegateUser-defined callback, it is called in the case of the error or illegal operation.
datanintUser-defined callback marker, it is passed as second argument when callback is called.
Sign(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Creates an ECDSA signature in compact format.
public static byte[] Sign(ReadOnlySpan<byte> messageHash, ReadOnlySpan<byte> secretKey)Parameters
messageHashReadOnlySpan<byte>32-byte message hash to sign.
secretKeyReadOnlySpan<byte>32-byte secret key.
Returns
- byte[]
64-byte compact signature.
Exceptions
- ArgumentException
Thrown when signing fails (invalid secret key or nonce generation failure).
SignRecoverable(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Creates a recoverable ECDSA signature.
public static (byte[] Signature, byte RecoveryId) SignRecoverable(ReadOnlySpan<byte> messageHash, ReadOnlySpan<byte> secretKey)Parameters
messageHashReadOnlySpan<byte>32-byte message hash to sign.
secretKeyReadOnlySpan<byte>32-byte secret key.
Returns
- (byte[] XOnlyPublicKey, byte Parity)
Tuple of 64-byte compact signature and recovery ID (0-3).
Exceptions
- ArgumentException
Thrown when signing fails.
SignSchnorr(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>, bool)
Creates a Schnorr signature (BIP-340). For variable-length messages, use TaggedHash(ReadOnlySpan<byte>, ReadOnlySpan<byte>) to create a 32-byte hash with domain separation.
public static byte[] SignSchnorr(ReadOnlySpan<byte> messageHash, ReadOnlySpan<byte> secretKey, ReadOnlySpan<byte> auxRand = default, bool verify = true)Parameters
messageHashReadOnlySpan<byte>32-byte message hash to sign. Use TaggedHash(ReadOnlySpan<byte>, ReadOnlySpan<byte>) to hash variable-length messages.
secretKeyReadOnlySpan<byte>32-byte secret key.
auxRandReadOnlySpan<byte>Optional 32 bytes of auxiliary randomness. If null, zeros are used.
verifyboolIf true (default), verifies the signature after signing to strictly follow BIP-340. Set to false for better performance when verification is not required.
Returns
- byte[]
64-byte Schnorr signature.
Exceptions
- ArgumentException
Thrown when signing or verification fails.
SignatureFromDer(ReadOnlySpan<byte>)
Converts a DER-encoded signature to compact format.
public static byte[] SignatureFromDer(ReadOnlySpan<byte> derSignature)Parameters
derSignatureReadOnlySpan<byte>DER-encoded signature.
Returns
- byte[]
64-byte compact signature.
Exceptions
- ArgumentException
Thrown when the signature is invalid.
SignatureToDer(ReadOnlySpan<byte>)
Converts a compact signature to DER format.
public static byte[] SignatureToDer(ReadOnlySpan<byte> compactSignature)Parameters
compactSignatureReadOnlySpan<byte>64-byte compact signature.
Returns
- byte[]
DER-encoded signature (up to 72 bytes).
Exceptions
- ArgumentException
Thrown when the signature is invalid.
TaggedHash(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Computes a tagged hash as defined in BIP-340. Returns SHA256(SHA256(tag) || SHA256(tag) || message).
public static byte[] TaggedHash(ReadOnlySpan<byte> tag, ReadOnlySpan<byte> message)Parameters
tagReadOnlySpan<byte>Tag bytes for domain separation.
messageReadOnlySpan<byte>Message to hash.
Returns
- byte[]
32-byte hash.
TaggedSha256(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Compute a tagged hash as defined in BIP-340.
This is useful for creating a message hash and achieving domain separation through an application-specific tag. This function returns SHA256(SHA256(tag)||SHA256(tag)||msg). Therefore, tagged hash implementations optimized for a specific tag can precompute the SHA256 state after hashing the tag hashes.
public bool TaggedSha256(Span<byte> hash32, ReadOnlySpan<byte> tag, ReadOnlySpan<byte> msg)Parameters
hash32Span<byte>pointer to a 32-byte array to store the resulting hash
tagReadOnlySpan<byte>pointer to an array containing the tag
msgReadOnlySpan<byte>pointer to an array containing the message
Returns
- bool
1 always.
TweakPublicKeyAdd(ReadOnlySpan<byte>, ReadOnlySpan<byte>, bool)
Tweaks a public key by adding tweak times the generator to it. Used in BIP-32 HD wallet derivation.
public static byte[] TweakPublicKeyAdd(ReadOnlySpan<byte> publicKey, ReadOnlySpan<byte> tweak, bool compressed = true)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
tweakReadOnlySpan<byte>32-byte tweak value.
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized tweaked public key.
Exceptions
- ArgumentException
Thrown when the public key or tweak is invalid.
TweakPublicKeyMul(ReadOnlySpan<byte>, ReadOnlySpan<byte>, bool)
Tweaks a public key by multiplying it by a tweak value.
public static byte[] TweakPublicKeyMul(ReadOnlySpan<byte> publicKey, ReadOnlySpan<byte> tweak, bool compressed = true)Parameters
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
tweakReadOnlySpan<byte>32-byte tweak value.
compressedboolIf true, returns 33-byte compressed format; otherwise 65-byte uncompressed.
Returns
- byte[]
Serialized tweaked public key.
Exceptions
- ArgumentException
Thrown when the public key or tweak is invalid.
TweakSecretKeyAdd(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Tweaks a secret key by adding a tweak value to it. Used in BIP-32 HD wallet derivation.
public static byte[] TweakSecretKeyAdd(ReadOnlySpan<byte> secretKey, ReadOnlySpan<byte> tweak)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key.
tweakReadOnlySpan<byte>32-byte tweak value.
Returns
- byte[]
32-byte tweaked secret key.
Exceptions
- ArgumentException
Thrown when the secret key or tweak is invalid.
TweakSecretKeyMul(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Tweaks a secret key by multiplying it by a tweak value.
public static byte[] TweakSecretKeyMul(ReadOnlySpan<byte> secretKey, ReadOnlySpan<byte> tweak)Parameters
secretKeyReadOnlySpan<byte>32-byte secret key.
tweakReadOnlySpan<byte>32-byte tweak value.
Returns
- byte[]
32-byte tweaked secret key.
Exceptions
- ArgumentException
Thrown when the secret key or tweak is invalid.
Verify(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verifies an ECDSA signature.
public static bool Verify(ReadOnlySpan<byte> signature, ReadOnlySpan<byte> messageHash, ReadOnlySpan<byte> publicKey)Parameters
signatureReadOnlySpan<byte>64-byte compact signature.
messageHashReadOnlySpan<byte>32-byte message hash that was signed.
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
Returns
- bool
True if the signature is valid, false otherwise.
VerifyDer(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verifies an ECDSA signature in DER format.
public static bool VerifyDer(ReadOnlySpan<byte> derSignature, ReadOnlySpan<byte> messageHash, ReadOnlySpan<byte> publicKey)Parameters
derSignatureReadOnlySpan<byte>DER-encoded signature.
messageHashReadOnlySpan<byte>32-byte message hash that was signed.
publicKeyReadOnlySpan<byte>Serialized public key (33 or 65 bytes).
Returns
- bool
True if the signature is valid, false otherwise.
VerifySchnorr(ReadOnlySpan<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Verifies a Schnorr signature (BIP-340).
public static bool VerifySchnorr(ReadOnlySpan<byte> signature, ReadOnlySpan<byte> message, ReadOnlySpan<byte> publicKey)Parameters
signatureReadOnlySpan<byte>64-byte Schnorr signature.
messageReadOnlySpan<byte>Message that was signed (variable length).
publicKeyReadOnlySpan<byte>Public key in any format: 32-byte x-only, 33-byte compressed, or 65-byte uncompressed.
Returns
- bool
True if the signature is valid, false otherwise.
Exceptions
- ArgumentException
Thrown when the public key format is invalid.
XonlyPubkeyCmp(ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Compare two x-only public keys using lexicographic order
public int XonlyPubkeyCmp(ReadOnlySpan<byte> pk1, ReadOnlySpan<byte> pk2)Parameters
pk1ReadOnlySpan<byte>pk2ReadOnlySpan<byte>
Returns
- int
<0 if the first public key is less than the second >0 if the first public key is greater than the second 0 if the two public keys are equal
XonlyPubkeyFromPubkey(Span<byte>, out int, ReadOnlySpan<byte>)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
public bool XonlyPubkeyFromPubkey(Span<byte> xonly_pubkey, out int pk_parity, ReadOnlySpan<byte> pubkey)Parameters
xonly_pubkeySpan<byte>pointer to an x-only public key object for placing the converted public key.
pk_parityintIgnored if NULL. Otherwise, pointer to an integer that will be set to 1 if the point encoded by xonly_pubkey is the negation of the pubkey and set to 0 otherwise.
pubkeyReadOnlySpan<byte>pointer to a public key that is converted.
Returns
- bool
1 always.
XonlyPubkeyParse(Span<byte>, ReadOnlySpan<byte>)
Parse a 32-byte sequence into a xonly_pubkey object.
public bool XonlyPubkeyParse(Span<byte> pubkey, ReadOnlySpan<byte> input32)Parameters
pubkeySpan<byte>pointer to a pubkey object. If 1 is returned, it is set to a parsed version of input. If not, it's set to an invalid value.
input32ReadOnlySpan<byte>pointer to a serialized xonly_pubkey.
Returns
- bool
1 if the public key was fully valid. 0 if the public key could not be parsed or is invalid.
XonlyPubkeySerialize(Span<byte>, ReadOnlySpan<byte>)
Serialize an xonly_pubkey object into a 32-byte sequence.
public bool XonlyPubkeySerialize(Span<byte> output32, ReadOnlySpan<byte> pubkey)Parameters
output32Span<byte>pointer to a 32-byte array to place the serialized key in.
pubkeyReadOnlySpan<byte>pointer to a secp256k1_xonly_pubkey containing an initialized public key.
Returns
- bool
1 always.
XonlyPubkeyTweakAdd(Span<byte>, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Note that the resulting point can not in general be represented by an x-only pubkey because it may have an odd Y coordinate. Instead, the output_pubkey is a normal secp256k1_pubkey.
public bool XonlyPubkeyTweakAdd(Span<byte> output_pubkey, ReadOnlySpan<byte> internal_pubkey, ReadOnlySpan<byte> tweak32)Parameters
output_pubkeySpan<byte>pointer to a public key to store the result. Will be set to an invalid value if this function returns 0.
internal_pubkeyReadOnlySpan<byte>pointer to an x-only pubkey to apply the tweak to.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak, which must be valid according to secp256k1_ec_seckey_verify or 32 zero bytes. For uniformly random 32-byte tweaks, the chance of being invalid is negligible (around 1 in 2^128).
Returns
- bool
0 if the arguments are invalid or the resulting public key would be invalid (only when the tweak is the negation of the corresponding secret key). 1 otherwise.
XonlyPubkeyTweakAddCheck(ReadOnlySpan<byte>, int, ReadOnlySpan<byte>, ReadOnlySpan<byte>)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_pubkey and tweak32.
The tweaked pubkey is represented by its 32-byte x-only serialization and its pk_parity, which can both be obtained by converting the result of tweak_add to a secp256k1_xonly_pubkey.
Note that this alone does not verify that the tweaked pubkey is a commitment. If the tweak is not chosen in a specific way, the tweaked pubkey can easily be the result of a different internal_pubkey and tweak.
public bool XonlyPubkeyTweakAddCheck(ReadOnlySpan<byte> tweaked_pubkey32, int tweaked_pk_parity, ReadOnlySpan<byte> internal_pubkey, ReadOnlySpan<byte> tweak32)Parameters
tweaked_pubkey32ReadOnlySpan<byte>pointer to a serialized xonly_pubkey.
tweaked_pk_parityintthe parity of the tweaked pubkey (whose serialization is passed in as tweaked_pubkey32). This must match the pk_parity value that is returned when calling secp256k1_xonly_pubkey with the tweaked pubkey, or this function will fail.
internal_pubkeyReadOnlySpan<byte>pointer to an x-only public key object to apply the tweak to.
tweak32ReadOnlySpan<byte>pointer to a 32-byte tweak.
Returns
- bool
0 if the arguments are invalid or the tweaked pubkey is not the result of tweaking the internal_pubkey with tweak32. 1 otherwise.