Create a Secp256k1 context object.
The purpose of context structures is to cache large precomputed data tables that are expensive to construct, and also to maintain the randomization data for blinding.
Do not create a new context object for each operation, as construction is far slower than all other API calls (~100 times slower than an ECDSA verification).
a Context flag representing the capabilities needed
Create a Secp256k1 context object.
The purpose of context structures is to cache large precomputed data tables that are expensive to construct, and also to maintain the randomization data for blinding.
Do not create a new context object for each operation, as construction is far slower than all other API calls (~100 times slower than an ECDSA verification).
a Context flag representing the capabilities needed
Updates the context randomization to protect against side-channel leakage.
Returns 1 if the randomization was successfully updated, or 0 if not.
While secp256k1 code is written to be constant-time no matter what secret values are, it's possible that a future compiler may output code that isn't, and also that the CPU may not emit the same radio frequencies or draw the same amount power for all values.
This function provides a seed that is combined into the blinding value: that blinding value is added before each multiplication (and removed afterwards) so that it does not affect function results, but shields against attacks that rely on any input-dependent behavior.
You should call this after contextCreate or
secp256k1_context_clone, and may call this repeatedly afterwards.
pointer to a context object
pointer to a 32-byte random seed
Updates the context randomization to protect against side-channel leakage.
Returns 1 if the randomization was successfully updated, or 0 if not.
While secp256k1 code is written to be constant-time no matter what secret values are, it's possible that a future compiler may output code that isn't, and also that the CPU may not emit the same radio frequencies or draw the same amount power for all values.
This function provides a seed that is combined into the blinding value: that blinding value is added before each multiplication (and removed afterwards) so that it does not affect function results, but shields against attacks that rely on any input-dependent behavior.
You should call this after contextCreate or
secp256k1_context_clone, and may call this repeatedly afterwards.
pointer to a context object
pointer to a 32-byte random seed
Frees a pointer allocated by the malloc method.
the pointer to be freed
Frees a pointer allocated by the malloc method.
the pointer to be freed
Allocates the given number of bytes in WebAssembly memory.
the number of bytes to allocate
Allocates the given number of bytes in WebAssembly memory.
The Secp256k1 library accepts a pointer to a size_t outputlen for both
ec_pubkey_serialize & ecdsa_signature_serialize_der.
This is a convenience method to create and set the value of those pointers.
the value of the size_t (e.g. the buffer length)
The Secp256k1 library accepts a pointer to a size_t outputlen for both
ec_pubkey_serialize & ecdsa_signature_serialize_der.
This is a convenience method to create and set the value of those pointers.
the value of the size_t (e.g. the buffer length)
Allocates space for the provided array, and assigns the array to the space.
a Uint8Array to allocate in WebAssembly memory
Allocates space for the provided array, and assigns the array to the space.
a Uint8Array to allocate in WebAssembly memory
Tweak a privateKey by adding tweak to it. Returns 1 if adding succeeded, 0 otherwise.
pointer to a context object
pointer to a 32 byte private key
pointer to a 256 bit int representing the tweak value
Tweak a privateKey by adding tweak to it. Returns 1 if adding succeeded, 0 otherwise.
pointer to a context object
pointer to a 32 byte private key
pointer to a 256 bit int representing the tweak value
Tweak a privateKey by multiplying tweak to it. Returns 1 if multiplying succeeded, 0 otherwise.
pointer to a context object
pointer to a 32 byte private key
pointer to a 256 bit int representing the tweak value
Tweak a privateKey by multiplying tweak to it. Returns 1 if multiplying succeeded, 0 otherwise.
pointer to a context object
pointer to a 32 byte private key
pointer to a 256 bit int representing the tweak value
Compute the public key for a secret key.
Returns 1 if the secret was valid and public key stored, otherwise 0.
pointer to a context object, initialized for signing
pointer to the created public key (note, this is an internal representation, and must be serialized for outside use)
pointer to a 32-byte private key
Compute the public key for a secret key.
Returns 1 if the secret was valid and public key stored, otherwise 0.
pointer to a context object, initialized for signing
pointer to the created public key (note, this is an internal representation, and must be serialized for outside use)
pointer to a 32-byte private key
Parse a variable-length public key into the pubkey object.
Returns 1 if the public key was fully valid, or 0 if the public key could not be parsed or is invalid.
This function supports parsing compressed (33 bytes, header byte 0x02 or 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header byte 0x06 or 0x07) format public keys.
pointer to a context object
a pointer to a 64 byte space where the parsed public key will be written. (internal format)
pointer to a serialized public key
the number of bytes to read from publicKeyInPtr
(Note, this should be a simple integer, rather than a size_t pointer as
is required by the serialization methods.)
Parse a variable-length public key into the pubkey object.
Returns 1 if the public key was fully valid, or 0 if the public key could not be parsed or is invalid.
This function supports parsing compressed (33 bytes, header byte 0x02 or 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header byte 0x06 or 0x07) format public keys.
pointer to a context object
a pointer to a 64 byte space where the parsed public key will be written. (internal format)
pointer to a serialized public key
the number of bytes to read from publicKeyInPtr
(Note, this should be a simple integer, rather than a size_t pointer as
is required by the serialization methods.)
Serialize a pubkey object into a serialized byte sequence.
Always returns 1.
pointer to a context object
pointer to a 65-byte (if uncompressed) or 33-byte (if compressed) byte array in which to place the serialized key
pointer to an integer that is initially set to the size of output, and is overwritten with the written size
pointer to a public key (parsed, internal format)
a CompressionFlag indicating compressed or uncompressed
Serialize a pubkey object into a serialized byte sequence.
Always returns 1.
pointer to a context object
pointer to a 65-byte (if uncompressed) or 33-byte (if compressed) byte array in which to place the serialized key
pointer to an integer that is initially set to the size of output, and is overwritten with the written size
pointer to a public key (parsed, internal format)
a CompressionFlag indicating compressed or uncompressed
Tweak a publicKey by adding tweak times the generator to it. Returns 1 if adding succeeded, 0 otherwise.
pointer to a context object
pointer to a 64 byte space representing a public key (internal format)
pointer to a 256 bit int representing the tweak value
Tweak a publicKey by adding tweak times the generator to it. Returns 1 if adding succeeded, 0 otherwise.
pointer to a context object
pointer to a 64 byte space representing a public key (internal format)
pointer to a 256 bit int representing the tweak value
Tweak a publicKey by multiplying it by a tweak value. Returns 1 if multiplying succeeded, 0 otherwise.
pointer to a context object
pointer to a 64 byte space representing a public key (internal format)
pointer to a 256 bit int representing the tweak value
Tweak a publicKey by multiplying it by a tweak value. Returns 1 if multiplying succeeded, 0 otherwise.
pointer to a context object
pointer to a 64 byte space representing a public key (internal format)
pointer to a 256 bit int representing the tweak value
Read from WebAssembly memory by creating a new Uint8Array beginning at
pointer and continuing through the number of bytes provided.
a pointer to the beginning of the Uint8Array element
the number of bytes to copy
Read from WebAssembly memory by creating a new Uint8Array beginning at
pointer and continuing through the number of bytes provided.
a pointer to the beginning of the Uint8Array element
the number of bytes to copy
Read a size_t from WebAssembly memory.
a pointer to the size_t variable to read
Read a size_t from WebAssembly memory.
a pointer to the size_t variable to read
Compute the public key given a recoverable signature and message hash.
Returns 1 if the signature was valid and public key stored, otherwise 0.
pointer to a context object, initialized for signing
pointer to the created public key (note, this is an internal representation, and must be serialized for outside use)
pointer to a recoverable signature (internal format)
pointer to the 32-byte message hash the signed by this signature
Compute the public key given a recoverable signature and message hash.
Returns 1 if the signature was valid and public key stored, otherwise 0.
pointer to a context object, initialized for signing
pointer to the created public key (note, this is an internal representation, and must be serialized for outside use)
pointer to a recoverable signature (internal format)
pointer to the 32-byte message hash the signed by this signature
Parse an ECDSA signature in compact (64 bytes) format with a recovery number. Returns 1 when the signature could be parsed, 0 otherwise.
The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.
After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.
pointer to a context object
a pointer to a 65 byte space where the parsed signature will be written. (internal format)
pointer to a serialized signature in compact format
the recovery number, as an int. (Not a pointer)
Parse an ECDSA signature in compact (64 bytes) format with a recovery number. Returns 1 when the signature could be parsed, 0 otherwise.
The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.
After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.
pointer to a context object
a pointer to a 65 byte space where the parsed signature will be written. (internal format)
pointer to a serialized signature in compact format
the recovery number, as an int. (Not a pointer)
Serialize a recoverable ECDSA signature in compact (64 byte) format along with the recovery number. Always returns 1.
See recoverableSignatureParse for details about the encoding.
pointer to a context object
pointer to a 64-byte space to store the compact serialization
pointer to an int that will store the recovery number
pointer to the 65-byte signature to be serialized (internal format)
Serialize a recoverable ECDSA signature in compact (64 byte) format along with the recovery number. Always returns 1.
See recoverableSignatureParse for details about the encoding.
pointer to a context object
pointer to a 64-byte space to store the compact serialization
pointer to an int that will store the recovery number
pointer to the 65-byte signature to be serialized (internal format)
Create a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).
Signatures are 64-bytes, non-malleable, and support both batch validation
and multiparty signing. Nonces are generated using RFC6979, where the
Section 3.6, 16-byte ASCII "additional data" is set to Schnorr+SHA256 .
This avoids leaking a private key by inadvertently creating both an ECDSA
signature and a Schnorr signature using the same nonce.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 64 byte space where the signature will be written
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Create a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).
Signatures are 64-bytes, non-malleable, and support both batch validation
and multiparty signing. Nonces are generated using RFC6979, where the
Section 3.6, 16-byte ASCII "additional data" is set to Schnorr+SHA256 .
This avoids leaking a private key by inadvertently creating both an ECDSA
signature and a Schnorr signature using the same nonce.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 64 byte space where the signature will be written
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Verify a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).
Returns 1 if the signature is valid or 0 on failure.
pointer to a context object, initialized for verification.
pointer to the 64-byte schnorr signature being verified
pointer to the 32-byte message hash being verified
pointer to the parsed pubkey with which to verify (internal format)
Verify a Secp256k1 EC-Schnorr-SHA256 signature (BCH construction).
Returns 1 if the signature is valid or 0 on failure.
pointer to a context object, initialized for verification.
pointer to the 64-byte schnorr signature being verified
pointer to the 32-byte message hash being verified
Verify an ECDSA secret key.
Returns 1 if the secret key is valid, or 0 if the secret key is invalid.
pointer to a context object
pointer to a 32-byte secret key
Verify an ECDSA secret key.
Returns 1 if the secret key is valid, or 0 if the secret key is invalid.
pointer to a context object
pointer to a 32-byte secret key
Create an ECDSA signature. The created signature is always in lower-S form.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 64 byte space where the signature will be written (internal format)
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Create an ECDSA signature. The created signature is always in lower-S form.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 64 byte space where the signature will be written (internal format)
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Create a recoverable ECDSA signature. The created signature is always in lower-S form.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 65 byte space where the signature will be written (internal format)
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Create a recoverable ECDSA signature. The created signature is always in lower-S form.
Returns 1 if the signature was created, 0 if the nonce generation function failed, or the private key was invalid.
Note, this WebAssembly Secp256k1 implementation does not currently support
the final two arguments from the C library, noncefp and ndata. The
default nonce generation function, secp256k1_nonce_function_default, is
always used.
pointer to a context object, initialized for signing
pointer to a 65 byte space where the signature will be written (internal format)
pointer to the 32-byte message hash being signed
pointer to a 32-byte secret key
Malleate an ECDSA signature.
This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R that is not included in the signature.
This method is added by Libauth to make testing of signatureNormalize
easier.
pointer to a context object
pointer to a 64 byte space where the malleated signature will be written (internal format)
pointer to a signature to malleate
Malleate an ECDSA signature.
This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R that is not included in the signature.
This method is added by Libauth to make testing of signatureNormalize
easier.
pointer to a context object
pointer to a 64 byte space where the malleated signature will be written (internal format)
pointer to a signature to malleate
Convert a signature to a normalized lower-S form.
Returns 1 if inputSigPtr was not normalized, 0 if inputSigPtr was already normalized.
With ECDSA a third-party can forge a second distinct signature of the same message, given a single initial signature, but without knowing the key. This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R which is not included in the signature.
Forgery of the same message isn't universally problematic, but in systems where message malleability or uniqueness of signatures is important this can cause issues. This forgery can be blocked by all verifiers forcing signers to use a normalized form.
The lower-S form reduces the size of signatures slightly on average when variable length encodings (such as DER) are used and is cheap to verify, making it a good choice. Security of always using lower-S is assured because anyone can trivially modify a signature after the fact to enforce this property anyway.
The lower S value is always between 0x1 and
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
inclusive.
No other forms of ECDSA malleability are known and none seem likely, but there is no formal proof that ECDSA, even with this additional restriction, is free of other malleability. Commonly used serialization schemes will also accept various non-unique encodings, so care should be taken when this property is required for an application.
The sign function will by default create signatures in the lower-S form,
and verify will not accept others. In case signatures come from a system
that cannot enforce this property, signatureNormalize must be called
before verification.
pointer to a context object
pointer to a 64 byte space where the normalized signature will be written (internal format)
pointer to a signature to check/normalize (internal format)
Convert a signature to a normalized lower-S form.
Returns 1 if inputSigPtr was not normalized, 0 if inputSigPtr was already normalized.
With ECDSA a third-party can forge a second distinct signature of the same message, given a single initial signature, but without knowing the key. This is done by negating the S value modulo the order of the curve, "flipping" the sign of the random point R which is not included in the signature.
Forgery of the same message isn't universally problematic, but in systems where message malleability or uniqueness of signatures is important this can cause issues. This forgery can be blocked by all verifiers forcing signers to use a normalized form.
The lower-S form reduces the size of signatures slightly on average when variable length encodings (such as DER) are used and is cheap to verify, making it a good choice. Security of always using lower-S is assured because anyone can trivially modify a signature after the fact to enforce this property anyway.
The lower S value is always between 0x1 and
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
inclusive.
No other forms of ECDSA malleability are known and none seem likely, but there is no formal proof that ECDSA, even with this additional restriction, is free of other malleability. Commonly used serialization schemes will also accept various non-unique encodings, so care should be taken when this property is required for an application.
The sign function will by default create signatures in the lower-S form,
and verify will not accept others. In case signatures come from a system
that cannot enforce this property, signatureNormalize must be called
before verification.
pointer to a context object
pointer to a 64 byte space where the normalized signature will be written (internal format)
pointer to a signature to check/normalize (internal format)
Parse an ECDSA signature in compact (64 bytes) format. Returns 1 when the signature could be parsed, 0 otherwise.
The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.
After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.
pointer to a context object
a pointer to a 64 byte space where the parsed signature will be written. (internal format)
pointer to a serialized signature in compact format
Parse an ECDSA signature in compact (64 bytes) format. Returns 1 when the signature could be parsed, 0 otherwise.
The signature must consist of a 32-byte big endian R value, followed by a 32-byte big endian S value. If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.
After the call, sig will always be initialized. If parsing failed or R or S are zero, the resulting sig value is guaranteed to fail validation for any message and public key.
pointer to a context object
a pointer to a 64 byte space where the parsed signature will be written. (internal format)
pointer to a serialized signature in compact format
Parse a DER ECDSA signature.
Returns 1 when the signature could be parsed, 0 otherwise.
This function will accept any valid DER encoded signature, even if the encoded numbers are out of range.
After the call, sig will always be initialized. If parsing failed or the encoded numbers are out of range, signature validation with it is guaranteed to fail for every message and public key.
pointer to a context object
a pointer to a 64 byte space where the parsed signature will be written. (internal format)
pointer to a DER serialized signature
the number of bytes to read from sigDERInPtr (Note,
this should be a simple integer, rather than a size_t pointer as is
required by the serialization methods.)
Parse a DER ECDSA signature.
Returns 1 when the signature could be parsed, 0 otherwise.
This function will accept any valid DER encoded signature, even if the encoded numbers are out of range.
After the call, sig will always be initialized. If parsing failed or the encoded numbers are out of range, signature validation with it is guaranteed to fail for every message and public key.
pointer to a context object
a pointer to a 64 byte space where the parsed signature will be written. (internal format)
pointer to a DER serialized signature
the number of bytes to read from sigDERInPtr (Note,
this should be a simple integer, rather than a size_t pointer as is
required by the serialization methods.)
Serialize an ECDSA signature in compact (64 byte) format. Always returns 1.
See signatureParseCompact for details about the encoding.
pointer to a context object
pointer to a 64-byte space to store the compact serialization
pointer to the 64-byte signature to be serialized (internal format)
Serialize an ECDSA signature in compact (64 byte) format. Always returns 1.
See signatureParseCompact for details about the encoding.
pointer to a context object
pointer to a 64-byte space to store the compact serialization
pointer to the 64-byte signature to be serialized (internal format)
Serialize an ECDSA signature in DER format.
Returns 1 if enough space was available to serialize, 0 otherwise.
pointer to a context object
pointer to a 72 byte space to store the DER serialization
pointer to a size_t integer. Initially,
this should be set to the length of outputDERSigPtr (72). After the call
it will be set to the length of the serialization (even if 0 was returned).
pointer to the 64-byte signature to be serialized (internal format)
Serialize an ECDSA signature in DER format.
Returns 1 if enough space was available to serialize, 0 otherwise.
pointer to a context object
pointer to a 72 byte space to store the DER serialization
pointer to a size_t integer. Initially,
this should be set to the length of outputDERSigPtr (72). After the call
it will be set to the length of the serialization (even if 0 was returned).
pointer to the 64-byte signature to be serialized (internal format)
Verify an ECDSA signature.
Returns 1 if the signature is valid, 0 if the signature is incorrect or failed parsing.
To avoid accepting malleable signatures, only ECDSA signatures in lower-S form are accepted.
If you need to accept ECDSA signatures from sources that do not obey this rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to validation, but be aware that doing so results in malleable signatures.
pointer to a context object, initialized for verification.
pointer to the parsed signature being verified (internal format)
pointer to the 32-byte message hash being verified
pointer to the parsed pubkey with which to verify (internal format)
Verify an ECDSA signature.
Returns 1 if the signature is valid, 0 if the signature is incorrect or failed parsing.
To avoid accepting malleable signatures, only ECDSA signatures in lower-S form are accepted.
If you need to accept ECDSA signatures from sources that do not obey this rule, apply secp256k1_ecdsa_signature_normalize to the signature prior to validation, but be aware that doing so results in malleable signatures.
pointer to a context object, initialized for verification.
pointer to the parsed signature being verified (internal format)
pointer to the 32-byte message hash being verified
pointer to the parsed pubkey with which to verify (internal format)
Generated using TypeDoc
An object that wraps the WebAssembly implementation of
libsecp256k1.It's very unlikely that consumers will need to use this interface directly. See [[Secp256k1]] for a more purely-functional API.