Skip to content

Commit

Permalink
Add hazmat usage example
Browse files Browse the repository at this point in the history
  • Loading branch information
theStack committed Nov 8, 2024
1 parent 3099dfc commit 42c1040
Show file tree
Hide file tree
Showing 4 changed files with 212 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ ecdsa_example
schnorr_example
ellswift_example
musig_example
hazmat_example
*.exe
*.so
*.a
Expand Down
11 changes: 11 additions & 0 deletions Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,17 @@ musig_example_LDFLAGS += -lbcrypt
endif
TESTS += musig_example
endif
if ENABLE_MODULE_HAZMAT
noinst_PROGRAMS += hazmat_example
musig_example_SOURCES = examples/hazmat.c
musig_example_CPPFLAGS = -I$(top_srcdir)/include -DSECP256K1_STATIC
musig_example_LDADD = libsecp256k1.la
musig_example_LDFLAGS = -static
if BUILD_WINDOWS
musig_example_LDFLAGS += -lbcrypt
endif
TESTS += hazmat_example
endif
endif

### Precomputed tables
Expand Down
4 changes: 4 additions & 0 deletions examples/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,7 @@ endif()
if(SECP256K1_ENABLE_MODULE_MUSIG)
add_example(musig)
endif()

if(SECP256K1_ENABLE_MODULE_HAZMAT)
add_example(hazmat)
endif()
196 changes: 196 additions & 0 deletions examples/hazmat.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,196 @@
/*************************************************************************
* To the extent possible under law, the author(s) have dedicated all *
* copyright and related and neighboring rights to the software in this *
* file to the public domain worldwide. This software is distributed *
* without any warranty. For the CC0 Public Domain Dedication, see *
* EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
*************************************************************************/

#include <assert.h>
#include <stdio.h>
#include <string.h>

#include <secp256k1.h>
#include <secp256k1_hazmat.h>

#include "examples_util.h"

int main(void) {
secp256k1_context* ctx;
unsigned char randomize[32];
secp256k1_hazmat_scalar a[3], a_sum;
secp256k1_hazmat_point A[3], A_sum;
unsigned char lhs_ser[33], rhs_ser[33];
int return_val, i;

/* Create a secp256k1 context
* Note that in the hazmat module, the context is only needed for multiplication
* with the generator point (function `secp256k1_hazmat_multiply_with_generator`).
*/
ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
if (!fill_random(randomize, sizeof(randomize))) {
printf("Failed to generate randomness\n");
return 1;
}
/* Randomizing the context is recommended to protect against side-channel
* leakage. See `secp256k1_context_randomize` in secp256k1.h for more
* information about it. This should never fail.
*/
return_val = secp256k1_context_randomize(ctx, randomize);
assert(return_val);

/* Generate keypairs */
for (i = 0; i < 3; i++) {
unsigned char scalar_buf[32];
unsigned char point_ser[33];

if (!fill_random(scalar_buf, sizeof(scalar_buf))) {
printf("Failed to generate randomness\n");
return 1;
}
if (!secp256k1_hazmat_scalar_parse(&a[i], scalar_buf) || secp256k1_hazmat_scalar_is_zero(&a[i])) {
printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
return 1;
}
secp256k1_hazmat_multiply_with_generator(ctx, &A[i], &a[i]);

secp256k1_hazmat_point_serialize(point_ser, &A[i]);
printf("scalar a_%d: ", i+1); print_hex(scalar_buf, sizeof(scalar_buf));
printf("point A_%d: ", i+1); print_hex(point_ser, sizeof(point_ser));

secure_erase(scalar_buf, sizeof(scalar_buf));
}

/* Simple example: verify that (a_1 + a_2 + a_3) * G = A_1 + A_2 + A_3 holds */
secp256k1_hazmat_scalar_set_zero(&a_sum);
secp256k1_hazmat_point_set_infinity(&A_sum);
for (i = 0; i < 3; i++) {
secp256k1_hazmat_scalar_add(&a_sum, &a_sum, &a[i]);
secp256k1_hazmat_point_add(&A_sum, &A_sum, &A[i]);
}

{
secp256k1_hazmat_point A_lhs;

secp256k1_hazmat_multiply_with_generator(ctx, &A_lhs, &a_sum);
secp256k1_hazmat_point_serialize(lhs_ser, &A_lhs);
secp256k1_hazmat_point_serialize(rhs_ser, &A_sum);

printf("\n");
printf("(a_1 + a_2 + a_3) * G: ");
print_hex(lhs_ser, sizeof(lhs_ser));
printf(" A_1 + A_2 + A_3: ");
print_hex(rhs_ser, sizeof(rhs_ser));

/* Verify equality for both the hazmat points and their serialization */
return_val = secp256k1_hazmat_point_equal(&A_lhs, &A_sum);
assert(return_val == 1);
return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
assert(return_val == 0);
}

/* Next example: verify that a_1 * A_2 = A_1 * a_2 (ECDH) */
{
secp256k1_hazmat_point lhs, rhs;

secp256k1_hazmat_multiply_with_point(&lhs, &a[0], &A[1]);
secp256k1_hazmat_multiply_with_point(&rhs, &a[1], &A[0]);
secp256k1_hazmat_point_serialize(lhs_ser, &lhs);
secp256k1_hazmat_point_serialize(rhs_ser, &rhs);

printf("\n");
printf(" a_1 * A_2: ");
print_hex(lhs_ser, sizeof(lhs_ser));
printf(" A_1 * a_2: ");
print_hex(rhs_ser, sizeof(rhs_ser));

return_val = secp256k1_hazmat_point_equal(&lhs, &rhs);
assert(return_val == 1);
return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
assert(return_val == 0);
}

/* Yet another example, to demonstrate also scalar multiplication:
* verify that (a_1 * a_2) * A_3 = a_1 * (a_2 * A_3) */
{
secp256k1_hazmat_point lhs, rhs;
secp256k1_hazmat_scalar tmp_scalar;
secp256k1_hazmat_point tmp_point;

secp256k1_hazmat_scalar_mul(&tmp_scalar, &a[0], &a[1]);
secp256k1_hazmat_multiply_with_point(&lhs, &tmp_scalar, &A[2]);
secp256k1_hazmat_multiply_with_point(&tmp_point, &a[1], &A[2]);
secp256k1_hazmat_multiply_with_point(&rhs, &a[0], &tmp_point);
secp256k1_hazmat_point_serialize(lhs_ser, &lhs);
secp256k1_hazmat_point_serialize(rhs_ser, &rhs);

printf("\n");
printf("(a_1 * a_2) * A_3: ");
print_hex(lhs_ser, sizeof(lhs_ser));
printf(" a_1 * (a_2 * A_3): ");
print_hex(rhs_ser, sizeof(rhs_ser));

return_val = secp256k1_hazmat_point_equal(&lhs, &rhs);
assert(return_val == 1);
return_val = memcmp(lhs_ser, rhs_ser, sizeof(lhs_ser));
assert(return_val == 0);
}

/* Show negation and neutral elements for scalars and points:
* a_i - a_i = 0
* A_i - A_i = point at infinity
*/
for (i = 0; i < 3; i++) {
secp256k1_hazmat_scalar a_result, a_negated;
secp256k1_hazmat_point A_result, A_negated;

a_negated = a[i];
secp256k1_hazmat_scalar_negate(&a_negated);
secp256k1_hazmat_scalar_add(&a_result, &a[i], &a_negated);
assert(secp256k1_hazmat_scalar_is_zero(&a_result));

A_negated = A[i];
secp256k1_hazmat_point_negate(&A_negated);
secp256k1_hazmat_point_add(&A_result, &A[i], &A_negated);
assert(secp256k1_hazmat_point_is_infinity(&A_result));
}

/* To demonstrate parsing points and scalars, verify that the discrete log
* of the generator point is the scalar with value 1. */
{
secp256k1_hazmat_point generator, generator_calculated;
secp256k1_hazmat_scalar scalar_one;
unsigned char generator_ser[33] =
"\x02\x79\xBE\x66\x7E\xF9\xDC\xBB\xAC\x55\xA0\x62\x95\xCE\x87\x0B\x07"
"\x02\x9B\xFC\xDB\x2D\xCE\x28\xD9\x59\xF2\x81\x5B\x16\xF8\x17\x98";
unsigned char scalar_one_ser[32] =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01";
unsigned char generator_calculated_ser[33];

return_val = secp256k1_hazmat_point_parse(&generator, generator_ser);
assert(return_val);
return_val = secp256k1_hazmat_scalar_parse(&scalar_one, scalar_one_ser);
assert(return_val);
secp256k1_hazmat_multiply_with_generator(ctx, &generator_calculated, &scalar_one);
secp256k1_hazmat_point_serialize(generator_calculated_ser, &generator_calculated);
return_val = secp256k1_hazmat_point_equal(&generator, &generator_calculated);
assert(return_val == 1);
return_val = memcmp(generator_ser, generator_calculated_ser, sizeof(generator_ser));
assert(return_val == 0);
}

/* It's best practice to try to clear secrets from memory after using them.
* This is done because some bugs can allow an attacker to leak memory, for
* example through "out of bounds" array access (see Heartbleed), or the OS
* swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
*
* Here we are preventing these writes from being optimized out, as any good compiler
* will remove any writes that aren't used. */
for (i = 0; i < 3; i++) {
secure_erase(&a[i], sizeof(a[i]));
}
secure_erase(&a_sum, sizeof(a_sum));

return 0;
}

0 comments on commit 42c1040

Please sign in to comment.