borromean_impl.h File Reference

#include "scalar.h"
#include "field.h"
#include "group.h"
#include "hash.h"
#include "eckey.h"
#include "ecmult.h"
#include "ecmult_gen.h"
#include "borromean.h"
#include <limits.h>
#include <string.h>

Include dependency graph for borromean_impl.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros
#define	BE32(p)   ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))

Functions
int	secp256k1_borromean_verify (const secp256k1_ecmult_context *ecmult_ctx, secp256k1_scalar *evalues, const unsigned char *e0, const secp256k1_scalar *s, const secp256k1_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen)
	"Borromean" ring signature. More...
int	secp256k1_borromean_sign (const secp256k1_ecmult_context *ecmult_ctx, const secp256k1_ecmult_gen_context *ecmult_gen_ctx, unsigned char *e0, secp256k1_scalar *s, const secp256k1_gej *pubs, const secp256k1_scalar *k, const secp256k1_scalar *sec, const size_t *rsizes, const size_t *secidx, size_t nrings, const unsigned char *m, size_t mlen)

Macro Definition Documentation

BE32

#define BE32

(

p

)

((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))

Definition at line 26 of file borromean_impl.h.

Function Documentation

secp256k1_borromean_sign()

int secp256k1_borromean_sign	(	const secp256k1_ecmult_context *	ecmult_ctx,
		const secp256k1_ecmult_gen_context *	ecmult_gen_ctx,
		unsigned char *	e0,
		secp256k1_scalar *	s,
		const secp256k1_gej *	pubs,
		const secp256k1_scalar *	k,
		const secp256k1_scalar *	sec,
		const size_t *	rsizes,
		const size_t *	secidx,
		size_t	nrings,
		const unsigned char *	m,
		size_t	mlen
	)

The signing algorithm as a whole is not memory uniform so there is likely a cache sidechannel that leaks which members are non-forgeries. That the forgeries themselves are variable time may leave an additional privacy impacting timing side-channel, but not a key loss one.

Definition at line 112 of file borromean_impl.h.

secp256k1_borromean_verify()

int secp256k1_borromean_verify	(	const secp256k1_ecmult_context *	ecmult_ctx,
		secp256k1_scalar *	evalues,
		const unsigned char *	e0,
		const secp256k1_scalar *	s,
		const secp256k1_gej *	pubs,
		const size_t *	rsizes,
		size_t	nrings,
		const unsigned char *	m,
		size_t	mlen
	)

"Borromean" ring signature.

Verifies nrings concurrent ring signatures all sharing a challenge value. Signature is one s value per pubkey and a hash. Verification equation: | m = H(P_{0..}||message) (Message must contain pubkeys or a pubkey commitment) | For each ring i: | | en = to_scalar(H(e0||m||i||0)) | | For each pubkey j: | | | r = s_i_j G + en * P_i_j | | | e = H(r||m||i||j) | | | en = to_scalar(e) | | r_i = r | return e_0 ==== H(r_{0..i}||m)

Definition at line 58 of file borromean_impl.h.