Version: v1.7.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Oct 19, 2021 License: GPL-3.0, BSD-3-Clause Imports: 9 Imported by: 14



Package secp256k1 wraps the bitcoin secp256k1 C library.

secp256k1 refers to the parameters of the elliptic curve used in Bitcoin's public-key cryptography and is defined in Standards for Efficient Cryptography (SEC)(Certicom Research,

Package secp256k1 provides wrapper functions to utilize the library functions in Go.

Source Files

Each source file has the following contents

- secp256.go  : Provides wrapper functions to utilize the secp256k1 library written in C
- curve.go    : Implements Koblitz elliptic curves
- panic_cb.go : Provides callbacks for converting libsecp256k1 internal faults into recoverable Go panics
- schnorr.go  : Implements Schnorr signature algorithm. It is planned to be used in Klaytn



This section is empty.


View Source
var (
	ErrInvalidMsgLen       = errors.New("invalid message length, need 32 bytes")
	ErrInvalidSignatureLen = errors.New("invalid signature length")
	ErrInvalidRecoveryID   = errors.New("invalid signature recovery id")
	ErrInvalidKey          = errors.New("invalid private key")
	ErrInvalidPubkey       = errors.New("invalid public key")
	ErrSignFailed          = errors.New("signing failed")
	ErrRecoverFailed       = errors.New("recovery failed")


func CompressPubkey

func CompressPubkey(x, y *big.Int) []byte

CompressPubkey encodes a public key to 33-byte compressed format.

func ComputeC

func ComputeC(keys ...[]byte) []byte

ComputeC derives the common value for multiple public keys.

func DecompressPubkey

func DecompressPubkey(pubkey []byte) (x, y *big.Int)

DecompressPubkey parses a public key in the 33-byte compressed format. It returns non-nil coordinates if the public key is valid.

func RecoverPubkey

func RecoverPubkey(msg []byte, sig []byte) ([]byte, error)

RecoverPubkey returns the public key of the signer. msg must be the 32-byte hash of the message to be signed. sig must be a 65-byte compact ECDSA signature containing the recovery id as the last element.

func ScAdd

func ScAdd(a, b []byte) []byte

ScAdd is a simple C-binding performing addition between two input scalars.

func ScBaseMul

func ScBaseMul(a []byte) []byte

ScBaseMul is a simple C-binding performing a * G where a is an input scalar and G is SECP256k1 curve.

func ScMul

func ScMul(a, b []byte) []byte

ScMul is a simple C-binding performing multiplication for two input scalars.

func ScPointMul

func ScPointMul(point, a []byte) []byte

ScPointMul is a simple C-binding performing multiplication between a curve point and a scalar. Returns a point in the uncompressed format.

func ScSub

func ScSub(a, b []byte) []byte

ScSub is a simple C-binding performing subtraction between two input scalars.

func SchnorrSignMultiBootstrap

func SchnorrSignMultiBootstrap(G *BitCurve, msg, privateKey, publicKey []byte, othersPublicKeys ...[]byte) (Q, R, y []byte)

SchnorrSignMultiBootstrap computes an individual share of a Schnorr multi-signature given all public keys. Q: a dedicated, security hardened public key for this multi-signature party R: a part of the generating multi-signature for the input publickey y: a dedicated, security hardened private key for this multi-signature party

func SchnorrSignMultiComputeS

func SchnorrSignMultiComputeS(msg, P, R, y []byte) []byte

SchnorrSignMultiComputeS computes the s part of a Schnorr multi-signature (i.e., s in (R, s)).

func SchnorrSignSingle

func SchnorrSignSingle(G *BitCurve, msg, x, P []byte) ([]byte, []byte)

SchnorrSignSingle digitally signs the input message using Schnorr signature scheme.

func SchnorrVerify

func SchnorrVerify(G *BitCurve, msg, R, s, P []byte) bool

SchnorrVerifySingle verifies a Schnorr signature. Note that this implementation is relatively slow compared to the C implementation. Use this sparingly.

func SchnorrVerifyNative

func SchnorrVerifyNative(message, R, s, P []byte) bool

SchnorrVerifyMulti verifies a Schnorr signature. Returns true iff (R, s) is a valid signature verifiable by P; false otherwise. R and P should be uncompressed points on SECP256k1 curve with proper padding in front (i.e., starting with 0x04). P can be a single key or a combined public key s.t. P = P0 + P1 + ... + PN where Pi is a public key for i = 0..N. s is a 32-byte scalar.

func Sign

func Sign(msg []byte, seckey []byte) ([]byte, error)

Sign creates a recoverable ECDSA signature. The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.

The caller is responsible for ensuring that msg cannot be chosen directly by an attacker. It is usually preferable to use a cryptographic hash function on any input before handing it to this function.

func VerifySignature

func VerifySignature(pubkey, msg, signature []byte) bool

VerifySignature checks that the given pubkey created signature over message. The signature should be in [R || S] format.


type BitCurve

type BitCurve struct {
	P       *big.Int // the order of the underlying field
	N       *big.Int // the order of the base point
	B       *big.Int // the constant of the BitCurve equation
	Gx, Gy  *big.Int // (x,y) of the base point
	BitSize int      // the size of the underlying field

A BitCurve represents a Koblitz Curve with a=0. See

func S256

func S256() *BitCurve

S256 returns a BitCurve which implements secp256k1.

func (*BitCurve) Add

func (BitCurve *BitCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add returns the sum of (x1,y1) and (x2,y2)

func (*BitCurve) Double

func (BitCurve *BitCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double returns 2*(x,y)

func (*BitCurve) IsOnCurve

func (BitCurve *BitCurve) IsOnCurve(x, y *big.Int) bool

IsOnCurve returns true if the given (x,y) lies on the BitCurve.

func (*BitCurve) Marshal

func (BitCurve *BitCurve) Marshal(x, y *big.Int) []byte

Marshal converts a point into the form specified in section 4.3.6 of ANSI X9.62.

func (*BitCurve) Params

func (BitCurve *BitCurve) Params() *elliptic.CurveParams

func (*BitCurve) ScalarBaseMult

func (BitCurve *BitCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func (*BitCurve) ScalarMult

func (BitCurve *BitCurve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int)

func (*BitCurve) Unmarshal

func (BitCurve *BitCurve) Unmarshal(data []byte) (x, y *big.Int)

Unmarshal converts a point, serialised by Marshal, into an x, y pair. On error, x = nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL