From 1123e352be6a9474df4feda1a6bbbc003cbea1ae Mon Sep 17 00:00:00 2001
From: Sebastian Falbesoner
Date: Mon, 21 Oct 2024 23:09:54 +0200
Subject: [PATCH 1/2] Add "hazmat" module which exposes low-level primitives (scalar, point)

---
 CMakeLists.txt | 6 +
 Makefile.am | 4 +
 configure.ac | 10 ++
 include/secp256k1_hazmat.h | 54 +++++++++
 src/CMakeLists.txt | 3 +
 src/modules/hazmat/Makefile.am.include | 2 +
 src/modules/hazmat/main_impl.h | 147 +++++++++++++++++++++++++
 src/secp256k1.c | 4 +
 8 files changed, 230 insertions(+)
 create mode 100644 include/secp256k1_hazmat.h
 create mode 100644 src/modules/hazmat/Makefile.am.include
 create mode 100644 src/modules/hazmat/main_impl.h

diff --git a/CMakeLists.txt b/CMakeLists.txt
index aba6e51259..d31d12db2b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -62,9 +62,14 @@ option(SECP256K1_ENABLE_MODULE_EXTRAKEYS "Enable extrakeys module." ON)
 option(SECP256K1_ENABLE_MODULE_SCHNORRSIG "Enable schnorrsig module." ON)
 option(SECP256K1_ENABLE_MODULE_MUSIG "Enable musig module." ON)
 option(SECP256K1_ENABLE_MODULE_ELLSWIFT "Enable ElligatorSwift module." ON)
+option(SECP256K1_ENABLE_MODULE_HAZMAT "Enable hazmat module." OFF)
 
 # Processing must be done in a topological sorting of the dependency graph
 # (dependent module first).
+if(SECP256K1_ENABLE_MODULE_HAZMAT)
+  add_compile_definitions(ENABLE_MODULE_HAZMAT=1)
+endif()
+
 if(SECP256K1_ENABLE_MODULE_ELLSWIFT)
   add_compile_definitions(ENABLE_MODULE_ELLSWIFT=1)
 endif()
@@ -327,6 +332,7 @@ message(" extrakeys ........................... ${SECP256K1_ENABLE_MODULE_EXTRA
 message(" schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNORRSIG}")
 message(" musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG}")
 message(" ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
+message(" hazmat .............................. ${SECP256K1_ENABLE_MODULE_HAZMAT}")
 message("Parameters:")
 message(" ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}")
 message(" ecmult gen table size ............... ${SECP256K1_ECMULT_GEN_KB} KiB")
diff --git a/Makefile.am b/Makefile.am
index a95b4809d4..f4f2e9ea04 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -300,3 +300,7 @@ endif
 if ENABLE_MODULE_ELLSWIFT
 include src/modules/ellswift/Makefile.am.include
 endif
+
+if ENABLE_MODULE_HAZMAT
+include src/modules/hazmat/Makefile.am.include
+endif
diff --git a/configure.ac b/configure.ac
index c62a391d78..2420b9cd13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -192,6 +192,10 @@ AC_ARG_ENABLE(module_ellswift,
   AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
   [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
 
+AC_ARG_ENABLE(module_hazmat,
+  AS_HELP_STRING([--enable-module-hazmat],[enable hazmat module [default=no]]), [],
+  [SECP_SET_DEFAULT([enable_module_hazmat], [no], [yes])])
+
 AC_ARG_ENABLE(external_default_callbacks,
   AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]), [],
   [SECP_SET_DEFAULT([enable_external_default_callbacks], [no], [no])])
@@ -430,6 +434,10 @@ if test x"$enable_module_ecdh" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1"
 fi
 
+if test x"$enable_module_hazmat" = x"yes"; then
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_HAZMAT=1"
+fi
+
 if test x"$enable_external_default_callbacks" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1"
 fi
@@ -463,6 +471,7 @@ AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ELLSWIFT], [test x"$enable_module_ellswift" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_HAZMAT], [test x"$enable_module_hazmat" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
 AM_CONDITIONAL([BUILD_WINDOWS], [test "$build_windows" = "yes"])
@@ -486,6 +495,7 @@ echo " module extrakeys = $enable_module_extrakeys"
 echo " module schnorrsig = $enable_module_schnorrsig"
 echo " module musig = $enable_module_musig"
 echo " module ellswift = $enable_module_ellswift"
+echo " module hazmat = $enable_module_hazmat"
 echo
 echo " asm = $set_asm"
 echo " ecmult window size = $set_ecmult_window"
diff --git a/include/secp256k1_hazmat.h b/include/secp256k1_hazmat.h
new file mode 100644
index 0000000000..0b591e91f7
--- /dev/null
+++ b/include/secp256k1_hazmat.h
@@ -0,0 +1,54 @@
+#ifndef SECP256K1_HAZMAT_H
+#define SECP256K1_HAZMAT_H
+
+#include "secp256k1.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include 
+
+/* This module provides low-level cryptographic primitives of secp256k1.
+ * Note that these can be used incorrectly and require an in-depth knowledge
+ * of the cryptographic concepts at work, therefore we call this the
+ * "hazardous materials" library or "hazmat" for short.
+ */
+
+/* Scalar */
+typedef union {
+    unsigned char data[32];
+    uint64_t align8; /* ensure alignment on 8-bytes boundaries */
+} secp256k1_hazmat_scalar;
+
+SECP256K1_API int secp256k1_hazmat_scalar_parse(secp256k1_hazmat_scalar *s, const unsigned char *bin32);
+SECP256K1_API void secp256k1_hazmat_scalar_serialize(unsigned char *bin32, const secp256k1_hazmat_scalar *s);
+SECP256K1_API void secp256k1_hazmat_scalar_set_zero(secp256k1_hazmat_scalar *s);
+SECP256K1_API int secp256k1_hazmat_scalar_is_zero(const secp256k1_hazmat_scalar *s);
+SECP256K1_API void secp256k1_hazmat_scalar_add(secp256k1_hazmat_scalar *sres, const secp256k1_hazmat_scalar *s1, const secp256k1_hazmat_scalar *s2);
+SECP256K1_API void secp256k1_hazmat_scalar_mul(secp256k1_hazmat_scalar *sres, const secp256k1_hazmat_scalar *s1, const secp256k1_hazmat_scalar *s2);
+SECP256K1_API void secp256k1_hazmat_scalar_negate(secp256k1_hazmat_scalar *s);
+
+/* Point */
+typedef union {
+    unsigned char data[160];
+    uint64_t align8; /* ensure alignment on 8-bytes boundaries */
+} secp256k1_hazmat_point;
+
+SECP256K1_API int secp256k1_hazmat_point_parse(secp256k1_hazmat_point *p, const unsigned char *pubkey33);
+SECP256K1_API void secp256k1_hazmat_point_serialize(unsigned char *pubkey33, secp256k1_hazmat_point *p);
+SECP256K1_API void secp256k1_hazmat_point_set_infinity(secp256k1_hazmat_point *p);
+SECP256K1_API int secp256k1_hazmat_point_is_infinity(const secp256k1_hazmat_point *p);
+SECP256K1_API void secp256k1_hazmat_point_add(secp256k1_hazmat_point *pres, secp256k1_hazmat_point
*p1, secp256k1_hazmat_point *p2);
+SECP256K1_API void secp256k1_hazmat_point_negate(secp256k1_hazmat_point *p);
+SECP256K1_API int secp256k1_hazmat_point_equal(const secp256k1_hazmat_point *p1, const secp256k1_hazmat_point *p2);
+
+/* Point multiplication */
+SECP256K1_API void secp256k1_hazmat_multiply_with_generator(const secp256k1_context *ctx, secp256k1_hazmat_point *pres, const secp256k1_hazmat_scalar *s);
+SECP256K1_API void secp256k1_hazmat_multiply_with_point(secp256k1_hazmat_point *pres, const secp256k1_hazmat_scalar *s, secp256k1_hazmat_point *p);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_HAZMAT_H */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index f31b8c8f55..0fc339ffd2 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -138,6 +138,9 @@ if(SECP256K1_INSTALL)
   if(SECP256K1_ENABLE_MODULE_ELLSWIFT)
     list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_ellswift.h")
   endif()
+  if(SECP256K1_ENABLE_MODULE_HAZMAT)
+    list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_hazmat.h")
+  endif()
   install(FILES ${${PROJECT_NAME}_headers}
     DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
   )
diff --git a/src/modules/hazmat/Makefile.am.include b/src/modules/hazmat/Makefile.am.include
new file mode 100644
index 0000000000..6339ff36bc
--- /dev/null
+++ b/src/modules/hazmat/Makefile.am.include
@@ -0,0 +1,2 @@
+include_HEADERS += include/secp256k1_hazmat.h
+noinst_HEADERS += src/modules/hazmat/main_impl.h
diff --git a/src/modules/hazmat/main_impl.h b/src/modules/hazmat/main_impl.h
new file mode 100644
index 0000000000..a6cd628454
--- /dev/null
+++ b/src/modules/hazmat/main_impl.h
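Review bot: None of the sixteen declarations in include/secp256k1_hazmat.h carries a doc comment, so a caller cannot tell what the return values mean, whether an output argument may alias an input (the example in this series passes `&a_sum` as both `sres` and `s1`), or why logically read-only point arguments are non-const (`secp256k1_hazmat_point_serialize`, `p2` of `secp256k1_hazmat_point_add`, `p` of `secp256k1_hazmat_multiply_with_point`); the other public headers of this library document each function with `Returns:`/`In:`/`Out:` blocks and this one should too. At minimum the header should state that `secp256k1_hazmat_scalar_parse` returns 0 when `bin32` is not below the group order, that `secp256k1_hazmat_point_parse` takes only the 33-byte compressed encoding (the implementation passes a fixed length of 33), and that serializing the point at infinity is not supported (the implementation only checks it with `VERIFY_CHECK`). Because this module exists for secret-dependent arithmetic, each function should also say whether it runs in constant time; the implementation of `secp256k1_hazmat_point_equal` in src/modules/hazmat/main_impl.h calls `secp256k1_gej_eq_var`, so that one at least needs a comment such as `/** Compare two points for equality. Runs in variable time; do not use on secret-dependent data. Returns: 1 if p1 == p2, 0 otherwise. */`. The `#include` whose header name was lost in extraction should be checked against the file as well.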
@@ -0,0 +1,147 @@
+/***********************************************************************
+ * Distributed under the MIT software license, see the accompanying *
+ * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
+ ***********************************************************************/
+
+#ifndef SECP256K1_MODULE_HAZMAT_MAIN_H
+#define SECP256K1_MODULE_HAZMAT_MAIN_H
+
+#include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_hazmat.h"
+#include "../../scalar.h"
+#include "../../group.h"
+#include "../../eckey.h"
+#include "../../ecmult_const.h"
+
+typedef struct {
+    secp256k1_gej gej;
+    int z_is_one; /* set if z == 1, i.e. gej can be converted to ge trivially by assigning x/y */
+} secp256k1_hazmat_point_struct;
+
+/* Verify that the opaque data types are large enough to hold the underlying structures
+   (note that this function is never called at run-time and only exists since the STATIC_ASSERT
+   macro can only be used inside of functions) */
+static void secp256k1_hazmat_assertions(void) {
+    STATIC_ASSERT(sizeof(secp256k1_hazmat_scalar) >= sizeof(secp256k1_scalar));
+    STATIC_ASSERT(sizeof(secp256k1_hazmat_point) >= sizeof(secp256k1_hazmat_point_struct));
+}
+
+int secp256k1_hazmat_scalar_parse(secp256k1_hazmat_scalar *s, const unsigned char *bin32) {
+    int overflow;
+    secp256k1_scalar_set_b32((secp256k1_scalar*)s, bin32, &overflow);
+    return !overflow;
+}
+
+void secp256k1_hazmat_scalar_serialize(unsigned char *bin32, const secp256k1_hazmat_scalar *s) {
+    secp256k1_scalar_get_b32(bin32, (secp256k1_scalar*)s);
+}
+
+void secp256k1_hazmat_scalar_set_zero(secp256k1_hazmat_scalar *s) {
+    *((secp256k1_scalar*)s) = secp256k1_scalar_zero;
+}
+
+int secp256k1_hazmat_scalar_is_zero(const secp256k1_hazmat_scalar *s) {
+    return secp256k1_scalar_is_zero((secp256k1_scalar*)s);
+}
+
+void secp256k1_hazmat_scalar_add(secp256k1_hazmat_scalar *sres, const secp256k1_hazmat_scalar *s1, const secp256k1_hazmat_scalar *s2) {
secp256k1_scalar_add((secp256k1_scalar*)sres, (secp256k1_scalar*)s1, (secp256k1_scalar*)s2);
+}
+
+void secp256k1_hazmat_scalar_mul(secp256k1_hazmat_scalar *sres, const secp256k1_hazmat_scalar *s1, const secp256k1_hazmat_scalar *s2) {
+    secp256k1_scalar_mul((secp256k1_scalar*)sres, (secp256k1_scalar*)s1, (secp256k1_scalar*)s2);
+}
+
+void secp256k1_hazmat_scalar_negate(secp256k1_hazmat_scalar *s) {
+    secp256k1_scalar_negate((secp256k1_scalar*)s, (secp256k1_scalar*)s);
+}
+
+static void secp256k1_hazmat_point_to_ge(secp256k1_ge *ge, secp256k1_hazmat_point_struct *p) {
+    if (p->z_is_one) {
+        secp256k1_ge_set_xy(ge, &p->gej.x, &p->gej.y);
+    } else {
+        secp256k1_ge_set_gej(ge, &p->gej);
+        p->z_is_one = 1;
+    }
+}
+
+int secp256k1_hazmat_point_parse(secp256k1_hazmat_point *p, const unsigned char *pubkey33) {
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+    secp256k1_ge ge;
+
+    if (!secp256k1_eckey_pubkey_parse(&ge, pubkey33, 33)) {
+        return 0;
+    }
+    secp256k1_gej_set_ge(&ps->gej, &ge);
+    ps->z_is_one = 1;
+    return 1;
+}
+
+void secp256k1_hazmat_point_serialize(unsigned char *pubkey33, secp256k1_hazmat_point *p) {
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+    secp256k1_ge ge;
+    size_t size;
+    int ret;
+
+    secp256k1_hazmat_point_to_ge(&ge, ps);
+    ret = secp256k1_eckey_pubkey_serialize(&ge, pubkey33, &size, 1);
+    VERIFY_CHECK(ret == 1 && size == 33);
+    (void)ret;
+}
+
+void secp256k1_hazmat_point_set_infinity(secp256k1_hazmat_point *p) {
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+
+    secp256k1_gej_set_infinity(&ps->gej);
+    ps->z_is_one = 0;
+}
+
+int secp256k1_hazmat_point_is_infinity(const secp256k1_hazmat_point *p) {
+    const secp256k1_hazmat_point_struct *ps = (const secp256k1_hazmat_point_struct*)p;
+
+    return secp256k1_gej_is_infinity(&ps->gej);
+}
+
+void secp256k1_hazmat_point_add(secp256k1_hazmat_point *pres, secp256k1_hazmat_point *p1, secp256k1_hazmat_point *p2) {
secp256k1_hazmat_point_struct *press = (secp256k1_hazmat_point_struct*)pres;
+    secp256k1_hazmat_point_struct *p1s = (secp256k1_hazmat_point_struct*)p1;
+    secp256k1_hazmat_point_struct *p2s = (secp256k1_hazmat_point_struct*)p2;
+    secp256k1_ge ge;
+
+    secp256k1_hazmat_point_to_ge(&ge, p2s);
+    secp256k1_gej_add_ge(&press->gej, &p1s->gej, &ge);
+    press->z_is_one = 0;
+}
+
+void secp256k1_hazmat_point_negate(secp256k1_hazmat_point *p) {
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+
+    secp256k1_gej_neg(&ps->gej, &ps->gej);
+    /* negation only changes y; z is untouched, so no update of z_is_one is needed */
+}
+
+int secp256k1_hazmat_point_equal(const secp256k1_hazmat_point *p1, const secp256k1_hazmat_point *p2) {
+    const secp256k1_hazmat_point_struct *p1s = (secp256k1_hazmat_point_struct*)p1;
+    const secp256k1_hazmat_point_struct *p2s = (secp256k1_hazmat_point_struct*)p2;
+
+    return secp256k1_gej_eq_var(&p1s->gej, &p2s->gej);
+}
+
+void secp256k1_hazmat_multiply_with_generator(const secp256k1_context *ctx, secp256k1_hazmat_point *p, const secp256k1_hazmat_scalar *s) {
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ps->gej, (secp256k1_scalar*)s);
+    ps->z_is_one = 0;
+}
+
+void secp256k1_hazmat_multiply_with_point(secp256k1_hazmat_point *pres, const secp256k1_hazmat_scalar *s, secp256k1_hazmat_point *p) {
+    secp256k1_hazmat_point_struct *press = (secp256k1_hazmat_point_struct*)pres;
+    secp256k1_hazmat_point_struct *ps = (secp256k1_hazmat_point_struct*)p;
+    secp256k1_ge ge;
+
+    secp256k1_hazmat_point_to_ge(&ge, ps);
+    secp256k1_ecmult_const(&press->gej, &ge, (secp256k1_scalar*)s);
+    press->z_is_one = 0;
+}
+
+#endif
diff --git a/src/secp256k1.c b/src/secp256k1.c
index a248519dfd..65eeafe40c 100644
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
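Review bot: `secp256k1_hazmat_point_serialize` discards the result of `secp256k1_eckey_pubkey_serialize`, which reports failure for the point at infinity; outside VERIFY builds the `VERIFY_CHECK(ret == 1 && size == 33)` is a no-op, so for an infinity point (the result of `secp256k1_hazmat_point_set_infinity` or of adding a point to its negation) the function returns normally with `pubkey33` never written and the caller reads 33 uninitialised bytes. The type is new, so the declaration can still become `int secp256k1_hazmat_point_serialize(unsigned char *pubkey33, secp256k1_hazmat_point *p)` with `return ret;` in place of the `VERIFY_CHECK`/`(void)ret` pair (mirrored in include/secp256k1_hazmat.h), or the infinity case must be rejected with an explicit check before the call. In `secp256k1_hazmat_point_to_ge`, the `z_is_one` branch calls `secp256k1_ge_set_xy`, which in this library's group code sets `ge->infinity = 0` regardless of `p->gej.infinity`, while the `else` branch caches `z_is_one = 1` even for an infinity point; a point at infinity passed through `to_ge` twice therefore comes back as a finite (0,0) point on the second call, and copying the flag with `ge->infinity = p->gej.infinity;` after the `secp256k1_ge_set_xy` call closes that (inferred from `secp256k1_ge_set_xy` as defined in group_impl.h, worth confirming). `secp256k1_hazmat_multiply_with_generator` dereferences `ctx->ecmult_gen_ctx` without the `ARG_CHECK_VOID(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx))` guard the other generator-using API functions in src/secp256k1.c carry, so a caller passing `secp256k1_context_static` gets no error, and the parameter is named `p` here but `pres` in the header. The `(secp256k1_scalar*)s1` casts on `const` arguments throughout the scalar functions cast away constness; `(const secp256k1_scalar*)` keeps the qualifier and lets the compiler check the read-only contract.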
@@ -829,3 +829,7 @@ int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32,
 #ifdef ENABLE_MODULE_ELLSWIFT
 # include "modules/ellswift/main_impl.h"
 #endif
+
+#ifdef ENABLE_MODULE_HAZMAT
+# include "modules/hazmat/main_impl.h"
+#endif

From c4e73d55a6a25843ce4f5a0057cdf67db9d6ba87 Mon Sep 17 00:00:00 2001
From: Sebastian Falbesoner
Date: Fri, 8 Nov 2024 01:20:21 +0100
Subject: [PATCH 2/2] Add hazmat usage example

---
 .gitignore | 1 +
 Makefile.am | 11 +++
 examples/CMakeLists.txt | 4 +
 examples/hazmat.c | 196 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 212 insertions(+)
 create mode 100644 examples/hazmat.c

diff --git a/.gitignore b/.gitignore
index bffba8cb2c..16cbd810e3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@ ecdsa_example
 schnorr_example
 ellswift_example
 musig_example
+hazmat_example
 *.exe
 *.so
 *.a
diff --git a/Makefile.am b/Makefile.am
index f4f2e9ea04..11ecaa3d9c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -206,6 +206,17 @@ musig_example_LDFLAGS += -lbcrypt
 endif
 TESTS += musig_example
 endif
+if ENABLE_MODULE_HAZMAT
+noinst_PROGRAMS += hazmat_example
+hazmat_example_SOURCES = examples/hazmat.c
+hazmat_example_CPPFLAGS = -I$(top_srcdir)/include -DSECP256K1_STATIC
+hazmat_example_LDADD = libsecp256k1.la
+hazmat_example_LDFLAGS = -static
+if BUILD_WINDOWS
+hazmat_example_LDFLAGS += -lbcrypt
+endif
+TESTS += hazmat_example
+endif
 endif
 
 ### Precomputed tables
diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt
index c9da9de6be..7f040f79ee 100644
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -29,3 +29,7 @@ endif()
 if(SECP256K1_ENABLE_MODULE_MUSIG)
   add_example(musig)
 endif()
+
+if(SECP256K1_ENABLE_MODULE_HAZMAT)
+  add_example(hazmat)
+endif()
diff --git a/examples/hazmat.c b/examples/hazmat.c
new file mode 100644
index 0000000000..bd538b698c
--- /dev/null
+++ b/examples/hazmat.c
@@ -0,0 +1,196 @@
+/*************************************************************************
+ * To the extent possible under law, the author(s) have dedicated all *
+ * copyright and related and neighboring rights to the software in this *
+ * file to the public domain worldwide. This software is distributed *
+ * without any warranty. For the CC0 Public Domain Dedication, see *
+ * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
+ *************************************************************************/
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+#include "examples_util.h"
+
+int main(void) {
+    secp256k1_context* ctx;
+    unsigned char randomize[32];
+    secp256k1_hazmat_scalar a[3], a_sum;
+    secp256k1_hazmat_point A[3], A_sum;
+    unsigned char lhs_ser[33], rhs_ser[33];
+    int return_val, i;
+
+    /* Create a secp256k1 context
+     * Note that in the hazmat module, the context is only needed for multiplication
+     * with the generator point (function `secp256k1_hazmat_multiply_with_generator`).
+     */
+    ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+    if (!fill_random(randomize, sizeof(randomize))) {
+        printf("Failed to generate randomness\n");
+        return 1;
+    }
+    /* Randomizing the context is recommended to protect against side-channel
+     * leakage. See `secp256k1_context_randomize` in secp256k1.h for more
+     * information about it. This should never fail.
+     */
+    return_val = secp256k1_context_randomize(ctx, randomize);
+    assert(return_val);
+
+    /* Generate keypairs */
+    for (i = 0; i < 3; i++) {
+        unsigned char scalar_buf[32];
+        unsigned char point_ser[33];
+
+        if (!fill_random(scalar_buf, sizeof(scalar_buf))) {
+            printf("Failed to generate randomness\n");
+            return 1;
+        }
+        if (!secp256k1_hazmat_scalar_parse(&a[i], scalar_buf) || secp256k1_hazmat_scalar_is_zero(&a[i])) {
+            printf("Generated secret key is invalid.
This indicates an issue with the random number generator.\n");
+            return 1;
+        }
+        secp256k1_hazmat_multiply_with_generator(ctx, &A[i], &a[i]);
+
+        secp256k1_hazmat_point_serialize(point_ser, &A[i]);
+        printf("scalar a_%d: ", i+1); print_hex(scalar_buf, sizeof(scalar_buf));
+        printf("point A_%d: ", i+1); print_hex(point_ser, sizeof(point_ser));
+
+        secure_erase(scalar_buf, sizeof(scalar_buf));
+    }
+
+    /* Simple example: verify that (a_1 + a_2 + a_3) * G = A_1 + A_2 + A_3 holds */
+    secp256k1_hazmat_scalar_set_zero(&a_sum);
+    secp256k1_hazmat_point_set_infinity(&A_sum);
+    for (i = 0; i < 3; i++) {
+        secp256k1_hazmat_scalar_add(&a_sum, &a_sum, &a[i]);
+        secp256k1_hazmat_point_add(&A_sum, &A_sum, &A[i]);
+    }
+
+    {
+        secp256k1_hazmat_point A_lhs;
+
+        secp256k1_hazmat_multiply_with_generator(ctx, &A_lhs, &a_sum);
+        secp256k1_hazmat_point_serialize(lhs_ser, &A_lhs);
+        secp256k1_hazmat_point_serialize(rhs_ser, &A_sum);
+
+        printf("\n");
+        printf("(a_1 + a_2 + a_3) * G: ");
+        print_hex(lhs_ser, sizeof(lhs_ser));
+        printf(" A_1 + A_2 + A_3: ");
+        print_hex(rhs_ser, sizeof(rhs_ser));
+
+        /* Verify equality for both the hazmat points and their serialization */
+        return_val = secp256k1_hazmat_point_equal(&A_lhs, &A_sum);
+        assert(return_val == 1);
+        return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
+        assert(return_val == 0);
+    }
+
+    /* Next example: verify that a_1 * A_2 = A_1 * a_2 (ECDH) */
+    {
+        secp256k1_hazmat_point lhs, rhs;
+
+        secp256k1_hazmat_multiply_with_point(&lhs, &a[0], &A[1]);
+        secp256k1_hazmat_multiply_with_point(&rhs, &a[1], &A[0]);
+        secp256k1_hazmat_point_serialize(lhs_ser, &lhs);
+        secp256k1_hazmat_point_serialize(rhs_ser, &rhs);
+
+        printf("\n");
+        printf(" a_1 * A_2: ");
+        print_hex(lhs_ser, sizeof(lhs_ser));
+        printf(" A_1 * a_2: ");
+        print_hex(rhs_ser, sizeof(rhs_ser));
+
+        return_val = secp256k1_hazmat_point_equal(&lhs, &rhs);
+        assert(return_val == 1);
+        return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
+        assert(return_val == 0);
+    }
+
+    /* Yet another example, to demonstrate also scalar multiplication:
+     * verify that (a_1 * a_2) * A_3 = a_1 * (a_2 * A_3) */
+    {
+        secp256k1_hazmat_point lhs, rhs;
+        secp256k1_hazmat_scalar tmp_scalar;
+        secp256k1_hazmat_point tmp_point;
+
+        secp256k1_hazmat_scalar_mul(&tmp_scalar, &a[0], &a[1]);
+        secp256k1_hazmat_multiply_with_point(&lhs, &tmp_scalar, &A[2]);
+        secp256k1_hazmat_multiply_with_point(&tmp_point, &a[1], &A[2]);
+        secp256k1_hazmat_multiply_with_point(&rhs, &a[0], &tmp_point);
+        secp256k1_hazmat_point_serialize(lhs_ser, &lhs);
+        secp256k1_hazmat_point_serialize(rhs_ser, &rhs);
+
+        printf("\n");
+        printf("(a_1 * a_2) * A_3: ");
+        print_hex(lhs_ser, sizeof(lhs_ser));
+        printf(" a_1 * (a_2 * A_3): ");
+        print_hex(rhs_ser, sizeof(rhs_ser));
+
+        return_val = secp256k1_hazmat_point_equal(&lhs, &rhs);
+        assert(return_val == 1);
+        return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
+        assert(return_val == 0);
+    }
+
+    /* Show negation and neutral elements for scalars and points:
+     * a_i - a_i = 0
+     * A_i - A_i = point at infinity
+     */
+    for (i = 0; i < 3; i++) {
+        secp256k1_hazmat_scalar a_result, a_negated;
+        secp256k1_hazmat_point A_result, A_negated;
+
+        a_negated = a[i];
+        secp256k1_hazmat_scalar_negate(&a_negated);
+        secp256k1_hazmat_scalar_add(&a_result, &a[i], &a_negated);
+        assert(secp256k1_hazmat_scalar_is_zero(&a_result));
+
+        A_negated = A[i];
+        secp256k1_hazmat_point_negate(&A_negated);
+        secp256k1_hazmat_point_add(&A_result, &A[i], &A_negated);
+        assert(secp256k1_hazmat_point_is_infinity(&A_result));
+    }
+
+    /* To demonstrate parsing points and scalars, verify that the discrete log
+     * of the generator point is the scalar with value 1.
*/
+    {
+        secp256k1_hazmat_point generator, generator_calculated;
+        secp256k1_hazmat_scalar scalar_one;
+        unsigned char generator_ser[33] =
+            "\x02\x79\xBE\x66\x7E\xF9\xDC\xBB\xAC\x55\xA0\x62\x95\xCE\x87\x0B\x07"
+            "\x02\x9B\xFC\xDB\x2D\xCE\x28\xD9\x59\xF2\x81\x5B\x16\xF8\x17\x98";
+        unsigned char scalar_one_ser[32] =
+            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01";
+        unsigned char generator_calculated_ser[33];
+
+        return_val = secp256k1_hazmat_point_parse(&generator, generator_ser);
+        assert(return_val);
+        return_val = secp256k1_hazmat_scalar_parse(&scalar_one, scalar_one_ser);
+        assert(return_val);
+        secp256k1_hazmat_multiply_with_generator(ctx, &generator_calculated, &scalar_one);
+        secp256k1_hazmat_point_serialize(generator_calculated_ser, &generator_calculated);
+        return_val = secp256k1_hazmat_point_equal(&generator, &generator_calculated);
+        assert(return_val == 1);
+        return_val = memcmp(generator_ser, generator_calculated_ser, sizeof(generator_ser));
+        assert(return_val == 0);
+    }
+
+    /* It's best practice to try to clear secrets from memory after using them.
+     * This is done because some bugs can allow an attacker to leak memory, for
+     * example through "out of bounds" array access (see Heartbleed), or the OS
+     * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
+     *
+     * Here we are preventing these writes from being optimized out, as any good compiler
+     * will remove any writes that aren't used. */
+    for (i = 0; i < 3; i++) {
+        secure_erase(&a[i], sizeof(a[i]));
+    }
+    secure_erase(&a_sum, sizeof(a_sum));
+
+    return 0;
+}
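Review bot: The closing cleanup erases `a[i]` and `a_sum`, but other copies of secret material are left on the stack: `tmp_scalar` (the product a_1 * a_2) in the associativity block and `a_negated` in the negation loop hold secret-derived scalars and are never passed to `secure_erase`, so the comment above the final loop ("we overwrite the secret key buffer with zeros") promises more than the example does. Add `secure_erase(&tmp_scalar, sizeof(tmp_scalar));` before that block's closing brace and `secure_erase(&a_negated, sizeof(a_negated));` at the end of each iteration of the negation loop (`a_result` is zero by construction and needs nothing). The context is also never released; the other examples end with `secp256k1_context_destroy(ctx);` before `return 0;`, and this one should match. In the ECDH block the serialized `lhs`/`rhs` points are printed, which in a real protocol would be the shared secret, so a one-line comment such as `/* Printed for demonstration only; a real ECDH shared secret must never be logged. */` would keep readers from copying that pattern.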