Interface Secp256k1Wasm

Create a Secp256k1 context object.

The purpose of context structures is to cache large precomputed data tables that are expensive to construct, and also to maintain the randomization data for blinding.

Do not create a new context object for each operation, as construction is far slower than all other API calls (~100 times slower than an ECDSA verification).

Updates the context randomization to protect against side-channel leakage.

Returns 1 if the randomization was successfully updated, or 0 if not.

While secp256k1 code is written to be constant-time no matter what secret values are, it's possible that a future compiler may output code that isn't, and also that the CPU may not emit the same radio frequencies or draw the same amount power for all values.

This function provides a seed that is combined into the blinding value: that blinding value is added before each multiplication (and removed afterwards) so that it does not affect function results, but shields against attacks that rely on any input-dependent behavior.

You should call this after contextCreate or secp256k1_context_clone, and may call this repeatedly afterwards.

Frees a pointer allocated by the malloc method.

Allocates the given number of bytes in WebAssembly memory.

The Secp256k1 library accepts a pointer to a size_t outputlen for both ec_pubkey_serialize & ecdsa_signature_serialize_der.

This is a convenience method to create and set the value of those pointers.

Allocates space for the provided array, and assigns the array to the space.

Tweak a privateKey by adding tweak to it. Returns 1 if adding succeeded, 0 otherwise.

Tweak a privateKey by multiplying tweak to it. Returns 1 if multiplying succeeded, 0 otherwise.

Compute the public key for a secret key.

Returns 1 if the secret was valid and public key stored, otherwise 0.

Parse a variable-length public key into the pubkey object.

Returns 1 if the public key was fully valid, or 0 if the public key could not be parsed or is invalid.

This function supports parsing compressed (33 bytes, header byte 0x02 or 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header byte 0x06 or 0x07) format public keys.

Serialize a pubkey object into a serialized byte sequence.

Always returns 1.

Tweak a publicKey by adding tweak times the generator to it. Returns 1 if adding succeeded, 0 otherwise.

Tweak a publicKey by multiplying it by a tweak value. Returns 1 if multiplying succeeded, 0 otherwise.

Read from WebAssembly memory by creating a new Uint8Array beginning at pointer and continuing through the number of bytes provided.

Read a size_t from WebAssembly memory.

Compute the public key given a recoverable signature and message hash.

Returns 1 if the signature was valid and public key stored, otherwise 0.

Parse an ECDSA signature in compact (64 bytes) format with a recovery number. Returns 1 when the signature could be parsed, 0 otherwise.

The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.

After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.

Serialize a recoverable ECDSA signature in compact (64 byte) format along with the recovery number. Always returns 1.

See recoverableSignatureParse for details about the encoding.

Create a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).

Signatures are 64-bytes, non-malleable, and support both batch validation and multiparty signing. Nonces are generated using RFC6979, where the Section 3.6, 16-byte ASCII "additional data" is set to Schnorr+SHA256 . This avoids leaking a private key by inadvertently creating both an ECDSA signature and a Schnorr signature using the same nonce.

Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.

Note, this WebAssembly Secp256k1 implementation does not currently support the final two arguments from the C library, noncefp and ndata. The default nonce generation function, secp256k1_nonce_function_default, is always used.

Verify a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).

Returns 1 if the signature is valid or 0 on failure.

Verify an ECDSA secret key.

Returns 1 if the secret key is valid, or 0 if the secret key is invalid.

Create an ECDSA signature. The created signature is always in lower-S form.

Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.

Note, this WebAssembly Secp256k1 implementation does not currently support the final two arguments from the C library, noncefp and ndata. The default nonce generation function, secp256k1_nonce_function_default, is always used.

Create a recoverable ECDSA signature. The created signature is always in lower-S form.

Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.

Note, this WebAssembly Secp256k1 implementation does not currently support the final two arguments from the C library, noncefp and ndata. The default nonce generation function, secp256k1_nonce_function_default, is always used.

Malleate an ECDSA signature.

This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R that is not included in the signature.

This method is added by Libauth to make testing of signatureNormalize easier.

Convert a signature to a normalized lower-S form.

Returns 1 if inputSigPtr was not normalized, 0 if inputSigPtr was already normalized.

With ECDSA a third-party can forge a second distinct signature of the same message, given a single initial signature, but without knowing the key. This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R which is not included in the signature.

Forgery of the same message isn't universally problematic, but in systems where message malleability or uniqueness of signatures is important this can cause issues. This forgery can be blocked by all verifiers forcing signers to use a normalized form.

The lower-S form reduces the size of signatures slightly on average when variable length encodings (such as DER) are used and is cheap to verify, making it a good choice. Security of always using lower-S is assured because anyone can trivially modify a signature after the fact to enforce this property anyway.

The lower S value is always between 0x1 and 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, inclusive.

No other forms of ECDSA malleability are known and none seem likely, but there is no formal proof that ECDSA, even with this additional restriction, is free of other malleability. Commonly used serialization schemes will also accept various non-unique encodings, so care should be taken when this property is required for an application.

The sign function will by default create signatures in the lower-S form, and verify will not accept others. In case signatures come from a system that cannot enforce this property, signatureNormalize must be called before verification.

Parse an ECDSA signature in compact (64 bytes) format. Returns 1 when the signature could be parsed, 0 otherwise.

The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.

After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.

Parse a DER ECDSA signature.

Returns 1 when the signature could be parsed, 0 otherwise.

This function will accept any valid DER encoded signature, even if the encoded numbers are out of range.

After the call, sig will always be initialized. If parsing failed or the encoded numbers are out of range, signature validation with it is guaranteed to fail for every message and public key.

Serialize an ECDSA signature in compact (64 byte) format. Always returns 1.

See signatureParseCompact for details about the encoding.

Serialize an ECDSA signature in DER format.

Returns 1 if enough space was available to serialize, 0 otherwise.

Verify an ECDSA signature.

Returns 1 if the signature is valid, 0 if the signature is incorrect or failed parsing.

To avoid accepting malleable signatures, only ECDSA signatures in lower-S form are accepted.

If you need to accept ECDSA signatures from sources that do not obey this rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to validation, but be aware that doing so results in malleable signatures.