
2304 lines
77 KiB
Raw Normal View History

// Bitcoin secp256k1 bindings
// Written in 2014 by
// Dawid Ciężarkiewicz
// Andrew Poelstra
// To the extent possible under law, the author(s) have dedicated all
// copyright and related and neighboring rights to this software to
// the public domain worldwide. This software is distributed without
// any warranty.
// You should have received a copy of the CC0 Public Domain Dedication
// along with this software.
// If not, see <>.
//! Public and secret keys.
2021-09-09 09:41:11 +00:00
use core::{fmt, ptr, str};
use core::ops::BitXor;
use core::convert::TryFrom;
use crate::{constants, from_hex, Secp256k1, Signing, Verification};
use crate::Error::{self, InvalidPublicKey, InvalidPublicKeySum, InvalidSecretKey};
use crate::ffi::{self, CPtr, impl_array_newtype};
use crate::ffi::types::c_uint;
#[cfg(feature = "serde")]
use serde::ser::SerializeTuple;
#[cfg(feature = "global-context")]
use crate::{Message, ecdsa, SECP256K1};
#[cfg(all(feature = "global-context", feature = "rand-std"))]
use crate::schnorr;
/// Secret 256-bit key used as `x` in an ECDSA signature.
/// # Examples
/// Basic usage:
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, SecretKey};
/// let secp = Secp256k1::new();
/// let secret_key = SecretKey::new(&mut rand::thread_rng());
/// # }
/// ```
pub struct SecretKey([u8; constants::SECRET_KEY_SIZE]);
impl_array_newtype!(SecretKey, u8, constants::SECRET_KEY_SIZE);
impl str::FromStr for SecretKey {
type Err = Error;
fn from_str(s: &str) -> Result<SecretKey, Error> {
let mut res = [0u8; constants::SECRET_KEY_SIZE];
match from_hex(s, &mut res) {
Ok(constants::SECRET_KEY_SIZE) => SecretKey::from_slice(&res),
_ => Err(Error::InvalidSecretKey)
/// The number 1 encoded as a secret key.
pub const ONE_KEY: SecretKey = SecretKey([0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 1]);
/// A Secp256k1 public key, used for verification of signatures.
/// # Examples
/// Basic usage:
/// ```
/// # #[cfg(any(feature = "alloc", feature = "std"))] {
/// use secp256k1::{SecretKey, Secp256k1, PublicKey};
/// let secp = Secp256k1::new();
/// let secret_key = SecretKey::from_slice(&[0xcd; 32]).expect("32 bytes, within curve order");
/// let public_key = PublicKey::from_secret_key(&secp, &secret_key);
/// # }
/// ```
#[derive(Copy, Clone, PartialEq, Eq, Debug, Hash)]
2021-03-31 01:07:20 +00:00
pub struct PublicKey(ffi::PublicKey);
impl fmt::LowerHex for PublicKey {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let ser = self.serialize();
for ch in &ser[..] {
write!(f, "{:02x}", *ch)?;
impl fmt::Display for PublicKey {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
fmt::LowerHex::fmt(self, f)
impl str::FromStr for PublicKey {
type Err = Error;
fn from_str(s: &str) -> Result<PublicKey, Error> {
let mut res = [0u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE];
match from_hex(s, &mut res) {
Ok(constants::PUBLIC_KEY_SIZE) => {
_ => Err(Error::InvalidPublicKey)
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))]
fn random_32_bytes<R: rand::Rng + ?Sized>(rng: &mut R) -> [u8; 32] {
let mut ret = [0u8; 32];
rng.fill_bytes(&mut ret);
2014-08-16 09:21:35 +00:00
impl SecretKey {
/// Generates a new random secret key.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, SecretKey};
/// let secret_key = SecretKey::new(&mut rand::thread_rng());
/// # }
/// ```
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))]
#[cfg_attr(docsrs, doc(cfg(feature = "rand")))]
pub fn new<R: rand::Rng + ?Sized>(rng: &mut R) -> SecretKey {
let mut data = random_32_bytes(rng);
unsafe {
while ffi::secp256k1_ec_seckey_verify(
) == 0
data = random_32_bytes(rng);
/// Converts a `SECRET_KEY_SIZE`-byte slice to a secret key.
/// # Examples
/// ```
/// use secp256k1::SecretKey;
/// let sk = SecretKey::from_slice(&[0xcd; 32]).expect("32 bytes, within curve order");
/// ```
pub fn from_slice(data: &[u8])-> Result<SecretKey, Error> {
match <[u8; constants::SECRET_KEY_SIZE]>::try_from(data) {
Ok(data) => {
unsafe {
if ffi::secp256k1_ec_seckey_verify(
) == 0
return Err(InvalidSecretKey);
Err(_) => Err(InvalidSecretKey)
/// Creates a new secret key using data from BIP-340 [`KeyPair`].
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, SecretKey, KeyPair};
/// let secp = Secp256k1::new();
/// let key_pair = KeyPair::new(&secp, &mut rand::thread_rng());
/// let secret_key = SecretKey::from_keypair(&key_pair);
/// # }
/// ```
pub fn from_keypair(keypair: &KeyPair) -> Self {
let mut sk = [0u8; constants::SECRET_KEY_SIZE];
unsafe {
let ret = ffi::secp256k1_keypair_sec(
debug_assert_eq!(ret, 1);
/// Returns the secret key as a byte value.
pub fn secret_bytes(&self) -> [u8; constants::SECRET_KEY_SIZE] {
2020-02-07 04:31:43 +00:00
/// Negates one secret key.
pub fn negate_assign(
&mut self
) {
unsafe {
let res = ffi::secp256k1_ec_seckey_negate(
2020-02-07 04:31:43 +00:00
debug_assert_eq!(res, 1);
2020-02-07 04:31:43 +00:00
/// Adds one secret key to another, modulo the curve order.
/// # Errors
/// Returns an error if the resulting key would be invalid or if the tweak was not a 32-byte
/// length slice.
pub fn add_assign(
&mut self,
other: &[u8],
) -> Result<(), Error> {
if other.len() != 32 {
return Err(Error::InvalidTweak);
unsafe {
if ffi::secp256k1_ec_seckey_tweak_add(
) != 1
} else {
2016-08-20 17:00:39 +00:00
/// Multiplies one secret key by another, modulo the curve order. Will
/// return an error if the resulting key would be invalid or if
/// the tweak was not a 32-byte length slice.
pub fn mul_assign(
&mut self,
other: &[u8],
) -> Result<(), Error> {
if other.len() != 32 {
return Err(Error::InvalidTweak);
2016-08-20 17:00:39 +00:00
unsafe {
if ffi::secp256k1_ec_seckey_tweak_mul(
) != 1
2016-08-20 17:00:39 +00:00
} else {
/// Constructs an ECDSA signature for `msg` using the global [`SECP256K1`] context.
#[cfg(feature = "global-context")]
#[cfg_attr(docsrs, doc(cfg(feature = "global-context")))]
pub fn sign_ecdsa(&self, msg: Message) -> ecdsa::Signature {
SECP256K1.sign_ecdsa(&msg, self)
/// Returns the [`KeyPair`] for this [`SecretKey`].
/// This is equivalent to using [`KeyPair::from_secret_key`].
pub fn keypair<C: Signing>(&self, secp: &Secp256k1<C>) -> KeyPair {
KeyPair::from_secret_key(secp, self)
/// Returns the [`PublicKey`] for this [`SecretKey`].
/// This is equivalent to using [`PublicKey::from_secret_key`].
pub fn public_key<C: Signing>(&self, secp: &Secp256k1<C>) -> PublicKey {
PublicKey::from_secret_key(secp, self)
/// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`SecretKey`].
/// This is equivalent to `XOnlyPublicKey::from_keypair(self.keypair(secp))`.
pub fn x_only_public_key<C: Signing>(&self, secp: &Secp256k1<C>) -> (XOnlyPublicKey, Parity) {
let kp = self.keypair(secp);
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl serde::Serialize for SecretKey {
fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
if s.is_human_readable() {
let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2];
s.serialize_str(crate::to_hex(&self.0, &mut buf).expect("fixed-size hex serialization"))
} else {
let mut tuple = s.serialize_tuple(constants::SECRET_KEY_SIZE)?;
for byte in self.0.iter() {
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl<'de> serde::Deserialize<'de> for SecretKey {
fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
if d.is_human_readable() {
"a hex string representing 32 byte SecretKey"
} else {
let visitor = super::serde_util::Tuple32Visitor::new(
"raw 32 bytes SecretKey",
d.deserialize_tuple(constants::SECRET_KEY_SIZE, visitor)
impl PublicKey {
/// Obtains a raw const pointer suitable for use with FFI functions.
pub fn as_ptr(&self) -> *const ffi::PublicKey {
/// Obtains a raw mutable pointer suitable for use with FFI functions.
2019-04-16 18:48:24 +00:00
pub fn as_mut_ptr(&mut self) -> *mut ffi::PublicKey {
&mut self.0
2019-04-16 18:48:24 +00:00
/// Creates a new public key from a [`SecretKey`].
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, SecretKey, PublicKey};
/// let secp = Secp256k1::new();
/// let secret_key = SecretKey::new(&mut rand::thread_rng());
/// let public_key = PublicKey::from_secret_key(&secp, &secret_key);
/// # }
/// ```
pub fn from_secret_key<C: Signing>(secp: &Secp256k1<C>,sk: &SecretKey) -> PublicKey {
unsafe {
let mut pk = ffi::PublicKey::new();
// We can assume the return value because it's not possible to construct
// an invalid `SecretKey` without transmute trickery or something.
let res = ffi::secp256k1_ec_pubkey_create(secp.ctx, &mut pk, sk.as_c_ptr());
debug_assert_eq!(res, 1);
/// Creates a new public key from a [`SecretKey`] and the global [`SECP256K1`] context.
#[cfg(feature = "global-context")]
#[cfg_attr(docsrs, doc(cfg(feature = "global-context")))]
pub fn from_secret_key_global(sk: &SecretKey) -> PublicKey {
PublicKey::from_secret_key(&SECP256K1, sk)
/// Creates a public key directly from a slice.
pub fn from_slice(data: &[u8]) -> Result<PublicKey, Error> {
2019-08-08 20:01:08 +00:00
if data.is_empty() {return Err(Error::InvalidPublicKey);}
unsafe {
let mut pk = ffi::PublicKey::new();
if ffi::secp256k1_ec_pubkey_parse(
&mut pk,
2018-12-27 13:39:54 +00:00
data.len() as usize,
) == 1
} else {
2021-11-11 02:41:57 +00:00
/// Creates a new compressed public key using data from BIP-340 [`KeyPair`].
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, PublicKey, KeyPair};
/// let secp = Secp256k1::new();
/// let key_pair = KeyPair::new(&secp, &mut rand::thread_rng());
/// let public_key = PublicKey::from_keypair(&key_pair);
/// # }
/// ```
pub fn from_keypair(keypair: &KeyPair) -> Self {
unsafe {
let mut pk = ffi::PublicKey::new();
let ret = ffi::secp256k1_keypair_pub(
&mut pk,
debug_assert_eq!(ret, 1);
/// Creates a [`PublicKey`] using the key material from `pk` combined with the `parity`.
pub fn from_x_only_public_key(pk: XOnlyPublicKey, parity: Parity) -> PublicKey {
let mut buf = [0u8; 33];
// First byte of a compressed key should be `0x02 AND parity`.
buf[0] = match parity {
Parity::Even => 0x02,
Parity::Odd => 0x03,
PublicKey::from_slice(&buf).expect("we know the buffer is valid")
/// Serializes the key as a byte-encoded pair of values. In compressed form the y-coordinate is
/// represented by only a single bit, as x determines it up to one bit.
pub fn serialize(&self) -> [u8; constants::PUBLIC_KEY_SIZE] {
let mut ret = [0u8; constants::PUBLIC_KEY_SIZE];
self.serialize_internal(&mut ret, ffi::SECP256K1_SER_COMPRESSED);
/// Serializes the key as a byte-encoded pair of values, in uncompressed form.
pub fn serialize_uncompressed(&self) -> [u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE] {
let mut ret = [0u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE];
self.serialize_internal(&mut ret, ffi::SECP256K1_SER_UNCOMPRESSED);
fn serialize_internal(&self, ret: &mut [u8], flag: c_uint) {
let mut ret_len = ret.len();
let res = unsafe {
&mut ret_len,
debug_assert_eq!(res, 1);
debug_assert_eq!(ret_len, ret.len());
2020-02-07 04:31:43 +00:00
/// Negates the public key in place.
2020-02-07 04:31:43 +00:00
pub fn negate_assign<C: Verification>(
&mut self,
secp: &Secp256k1<C>
) {
2020-02-07 04:31:43 +00:00
unsafe {
let res = ffi::secp256k1_ec_pubkey_negate(secp.ctx, &mut self.0);
debug_assert_eq!(res, 1);
2020-02-07 04:31:43 +00:00
/// Adds the `other` public key to `self` in place.
/// # Errors
/// Returns an error if the resulting key would be invalid or if the tweak was not a 32-byte
/// length slice.
pub fn add_exp_assign<C: Verification>(
&mut self,
secp: &Secp256k1<C>,
other: &[u8]
) -> Result<(), Error> {
if other.len() != 32 {
return Err(Error::InvalidTweak);
unsafe {
if ffi::secp256k1_ec_pubkey_tweak_add(secp.ctx, &mut self.0, other.as_c_ptr()) == 1 {
} else {
2016-08-20 17:00:39 +00:00
/// Muliplies the public key in place by the scalar `other`.
/// # Errors
/// Returns an error if the resulting key would be invalid or if the tweak was not a 32-byte
/// length slice.
pub fn mul_assign<C: Verification>(
&mut self,
secp: &Secp256k1<C>,
other: &[u8],
) -> Result<(), Error> {
if other.len() != 32 {
return Err(Error::InvalidTweak);
2016-08-20 17:00:39 +00:00
unsafe {
if ffi::secp256k1_ec_pubkey_tweak_mul(secp.ctx, &mut self.0, other.as_c_ptr()) == 1 {
2016-08-20 17:00:39 +00:00
} else {
2016-08-20 17:00:39 +00:00
/// Adds a second key to this one, returning the sum.
/// # Errors
/// If the result would be the point at infinity, i.e. adding this point to its own negation.
/// # Examples
/// ```
/// # #[cfg(all(feature = "rand-std", any(feature = "alloc", feature = "std")))] {
/// use secp256k1::{rand, Secp256k1};
/// let secp = Secp256k1::new();
/// let mut rng = rand::thread_rng();
/// let (_, pk1) = secp.generate_keypair(&mut rng);
/// let (_, pk2) = secp.generate_keypair(&mut rng);
/// let sum = pk1.combine(&pk2).expect("It's improbable to fail for 2 random public keys");
/// # }
pub fn combine(&self, other: &PublicKey) -> Result<PublicKey, Error> {
2021-03-31 01:07:20 +00:00
PublicKey::combine_keys(&[self, other])
/// Adds the keys in the provided slice together, returning the sum.
/// # Errors
/// Errors under any of the following conditions:
/// - The result would be the point at infinity, i.e. adding a point to its own negation.
/// - The provided slice is empty.
/// - The number of elements in the provided slice is greater than `i32::MAX`.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, PublicKey};
/// let secp = Secp256k1::new();
/// let mut rng = rand::thread_rng();
/// let (_, pk1) = secp.generate_keypair(&mut rng);
/// let (_, pk2) = secp.generate_keypair(&mut rng);
/// let (_, pk3) = secp.generate_keypair(&mut rng);
/// let sum = PublicKey::combine_keys(&[&pk1, &pk2, &pk3]).expect("It's improbable to fail for 3 random public keys");
/// # }
/// ```
2021-03-31 01:07:20 +00:00
pub fn combine_keys(keys: &[&PublicKey]) -> Result<PublicKey, Error> {
use core::mem::transmute;
use core::i32::MAX;
if keys.is_empty() || keys.len() > MAX as usize {
return Err(InvalidPublicKeySum);
unsafe {
let mut ret = ffi::PublicKey::new();
2021-03-31 01:07:20 +00:00
let ptrs : &[*const ffi::PublicKey] =
transmute::<&[&PublicKey], &[*const ffi::PublicKey]>(keys);
if ffi::secp256k1_ec_pubkey_combine(
&mut ret,
2021-03-31 01:07:20 +00:00
keys.len() as i32
) == 1
} else {
/// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`PublicKey`].
pub fn x_only_public_key(&self) -> (XOnlyPublicKey, Parity) {
let mut pk_parity = 0;
unsafe {
let mut xonly_pk = ffi::XOnlyPublicKey::new();
let ret = ffi::secp256k1_xonly_pubkey_from_pubkey(
&mut xonly_pk,
&mut pk_parity,
debug_assert_eq!(ret, 1);
let parity = Parity::from_i32(pk_parity).expect("should not panic, pk_parity is 0 or 1");
(XOnlyPublicKey(xonly_pk), parity)
impl CPtr for PublicKey {
type Target = ffi::PublicKey;
fn as_c_ptr(&self) -> *const Self::Target {
fn as_mut_c_ptr(&mut self) -> *mut Self::Target {
/// Creates a new public key from a FFI public key
impl From<ffi::PublicKey> for PublicKey {
fn from(pk: ffi::PublicKey) -> PublicKey {
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl serde::Serialize for PublicKey {
fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
if s.is_human_readable() {
} else {
let mut tuple = s.serialize_tuple(constants::PUBLIC_KEY_SIZE)?;
for byte in self.serialize().iter() { // Serialize in compressed form.
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl<'de> serde::Deserialize<'de> for PublicKey {
fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<PublicKey, D::Error> {
if d.is_human_readable() {
"an ASCII hex string representing a public key"
} else {
let visitor = super::serde_util::Tuple33Visitor::new(
"33 bytes compressed public key",
d.deserialize_tuple(constants::PUBLIC_KEY_SIZE, visitor)
impl PartialOrd for PublicKey {
fn partial_cmp(&self, other: &PublicKey) -> Option<core::cmp::Ordering> {
impl Ord for PublicKey {
fn cmp(&self, other: &PublicKey) -> core::cmp::Ordering {
/// Opaque data structure that holds a keypair consisting of a secret and a public key.
/// # Serde support
/// [`Serialize`] and [`Deserialize`] are not implemented for this type, even with the `serde`
/// feature active. This is due to security considerations, see the [`serde_keypair`] documentation
/// for details.
/// If the `serde` and `global-context` features are active `KeyPair`s can be serialized and
/// deserialized by annotating them with `#[serde(with = "secp256k1::serde_keypair")]`
/// inside structs or enums for which [`Serialize`] and [`Deserialize`] are being derived.
/// # Examples
/// Basic usage:
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, KeyPair, Secp256k1};
/// let secp = Secp256k1::new();
/// let (secret_key, public_key) = secp.generate_keypair(&mut rand::thread_rng());
/// let key_pair = KeyPair::from_secret_key(&secp, &secret_key);
/// # }
/// ```
/// [`Deserialize`]: serde::Deserialize
/// [`Serialize`]: serde::Serialize
#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct KeyPair(ffi::KeyPair);
impl KeyPair {
/// Obtains a raw const pointer suitable for use with FFI functions.
pub fn as_ptr(&self) -> *const ffi::KeyPair {
/// Obtains a raw mutable pointer suitable for use with FFI functions.
pub fn as_mut_ptr(&mut self) -> *mut ffi::KeyPair {
&mut self.0
/// Creates a [`KeyPair`] directly from a Secp256k1 secret key.
pub fn from_secret_key<C: Signing>(
secp: &Secp256k1<C>,
sk: &SecretKey,
) -> KeyPair {
unsafe {
let mut kp = ffi::KeyPair::new();
if ffi::secp256k1_keypair_create(secp.ctx, &mut kp, sk.as_c_ptr()) == 1 {
} else {
panic!("the provided secret key is invalid: it is corrupted or was not produced by Secp256k1 library")
/// Creates a [`KeyPair`] directly from a secret key slice.
/// # Errors
/// [`Error::InvalidSecretKey`] if the provided data has an incorrect length, exceeds Secp256k1
/// field `p` value or the corresponding public key is not even.
pub fn from_seckey_slice<C: Signing>(
secp: &Secp256k1<C>,
data: &[u8],
) -> Result<KeyPair, Error> {
if data.is_empty() || data.len() != constants::SECRET_KEY_SIZE {
return Err(Error::InvalidSecretKey);
unsafe {
let mut kp = ffi::KeyPair::new();
if ffi::secp256k1_keypair_create(secp.ctx, &mut kp, data.as_c_ptr()) == 1 {
} else {
/// Creates a [`KeyPair`] directly from a secret key string.
/// # Errors
/// [`Error::InvalidSecretKey`] if corresponding public key for the provided secret key is not even.
pub fn from_seckey_str<C: Signing>(secp: &Secp256k1<C>, s: &str) -> Result<KeyPair, Error> {
let mut res = [0u8; constants::SECRET_KEY_SIZE];
match from_hex(s, &mut res) {
Ok(constants::SECRET_KEY_SIZE) => {
KeyPair::from_seckey_slice(secp, &res[0..constants::SECRET_KEY_SIZE])
_ => Err(Error::InvalidPublicKey),
/// Creates a [`KeyPair`] directly from a secret key string and the global [`SECP256K1`] context.
/// # Errors
/// [`Error::InvalidSecretKey`] if corresponding public key for the provided secret key is not even.
#[cfg(feature = "global-context")]
#[cfg_attr(docsrs, doc(cfg(feature = "global-context")))]
pub fn from_seckey_str_global(s: &str) -> Result<KeyPair, Error> {
KeyPair::from_seckey_str(SECP256K1, s)
/// Generates a new random secret key.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, SecretKey, KeyPair};
/// let secp = Secp256k1::new();
/// let key_pair = KeyPair::new(&secp, &mut rand::thread_rng());
/// # }
/// ```
#[cfg(any(test, feature = "rand"))]
#[cfg_attr(docsrs, doc(cfg(feature = "rand")))]
pub fn new<R: rand::Rng + ?Sized, C: Signing>(secp: &Secp256k1<C>, rng: &mut R) -> KeyPair {
let mut random_32_bytes = || {
let mut ret = [0u8; 32];
rng.fill_bytes(&mut ret);
let mut data = random_32_bytes();
unsafe {
let mut keypair = ffi::KeyPair::new();
while ffi::secp256k1_keypair_create(secp.ctx, &mut keypair, data.as_c_ptr()) == 0 {
data = random_32_bytes();
/// Generates a new random secret key using the global [`SECP256K1`] context.
#[cfg(all(feature = "global-context", feature = "rand"))]
#[cfg_attr(docsrs, doc(cfg(all(feature = "global-context", feature = "rand"))))]
pub fn new_global<R: ::rand::Rng + ?Sized>(rng: &mut R) -> KeyPair {
KeyPair::new(SECP256K1, rng)
/// Returns the secret bytes for this key pair.
pub fn secret_bytes(&self) -> [u8; constants::SECRET_KEY_SIZE] {
/// Tweaks a keypair by adding the given tweak to the secret key and updating the public key
/// accordingly.
/// # Errors
/// Returns an error if the resulting key would be invalid or if the tweak was not a 32-byte
/// length slice.
/// NB: Will not error if the tweaked public key has an odd value and can't be used for
/// BIP 340-342 purposes.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{Secp256k1, KeyPair};
/// use secp256k1::rand::{RngCore, thread_rng};
/// let secp = Secp256k1::new();
/// let mut tweak = [0u8; 32];
/// thread_rng().fill_bytes(&mut tweak);
/// let mut key_pair = KeyPair::new(&secp, &mut thread_rng());
/// key_pair.tweak_add_assign(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak");
/// # }
/// ```
// TODO: Add checked implementation
pub fn tweak_add_assign<C: Verification>(
&mut self,
secp: &Secp256k1<C>,
tweak: &[u8],
) -> Result<(), Error> {
if tweak.len() != 32 {
return Err(Error::InvalidTweak);
unsafe {
let err = ffi::secp256k1_keypair_xonly_tweak_add(
&mut self.0,
if err != 1 {
return Err(Error::InvalidTweak);
/// Returns the [`SecretKey`] for this [`KeyPair`].
/// This is equivalent to using [`SecretKey::from_keypair`].
pub fn secret_key(&self) -> SecretKey {
/// Returns the [`PublicKey`] for this [`KeyPair`].
/// This is equivalent to using [`PublicKey::from_keypair`].
pub fn public_key(&self) -> PublicKey {
/// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`KeyPair`].
/// This is equivalent to using [`XOnlyPublicKey::from_keypair`].
pub fn x_only_public_key(&self) -> (XOnlyPublicKey, Parity) {
/// Constructs an schnorr signature for `msg` using the global [`SECP256K1`] context.
#[cfg(all(feature = "global-context", feature = "rand-std"))]
#[cfg_attr(docsrs, doc(cfg(all(feature = "global-context", feature = "rand-std"))))]
pub fn sign_schnorr(&self, msg: Message) -> schnorr::Signature {
SECP256K1.sign_schnorr(&msg, self)
impl From<KeyPair> for SecretKey {
fn from(pair: KeyPair) -> Self {
impl<'a> From<&'a KeyPair> for SecretKey {
fn from(pair: &'a KeyPair) -> Self {
impl From<KeyPair> for PublicKey {
fn from(pair: KeyPair) -> Self {
impl<'a> From<&'a KeyPair> for PublicKey {
fn from(pair: &'a KeyPair) -> Self {
2021-09-27 11:28:53 +00:00
impl str::FromStr for KeyPair {
type Err = Error;
fn from_str(s: &str) -> Result<Self, Self::Err> {
let ctx = unsafe {
Secp256k1::from_raw_all(ffi::secp256k1_context_no_precomp as *mut ffi::Context)
KeyPair::from_seckey_str(&ctx, s)
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl serde::Serialize for KeyPair {
fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
2021-09-27 11:28:53 +00:00
if s.is_human_readable() {
let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2];
s.serialize_str(crate::to_hex(&self.secret_bytes(), &mut buf)
2021-09-27 11:28:53 +00:00
.expect("fixed-size hex serialization"))
} else {
let mut tuple = s.serialize_tuple(constants::SECRET_KEY_SIZE)?;
for byte in self.secret_bytes().iter() {
2021-09-27 11:28:53 +00:00
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl<'de> serde::Deserialize<'de> for KeyPair {
fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
2021-09-27 11:28:53 +00:00
if d.is_human_readable() {
"a hex string representing 32 byte KeyPair"
} else {
let visitor = super::serde_util::Tuple32Visitor::new(
2021-09-27 11:28:53 +00:00
"raw 32 bytes KeyPair",
|data| unsafe {
let ctx = Secp256k1::from_raw_all(ffi::secp256k1_context_no_precomp as *mut ffi::Context);
KeyPair::from_seckey_slice(&ctx, data)
d.deserialize_tuple(constants::SECRET_KEY_SIZE, visitor)
2021-09-27 11:28:53 +00:00
/// An x-only public key, used for verification of Schnorr signatures and serialized according to BIP-340.
/// # Examples
/// Basic usage:
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{rand, Secp256k1, KeyPair, XOnlyPublicKey};
/// let secp = Secp256k1::new();
/// let key_pair = KeyPair::new(&secp, &mut rand::thread_rng());
/// let xonly = XOnlyPublicKey::from_keypair(&key_pair);
/// # }
/// ```
2021-09-09 09:41:11 +00:00
#[derive(Copy, Clone, PartialEq, Eq, Debug, PartialOrd, Ord, Hash)]
pub struct XOnlyPublicKey(ffi::XOnlyPublicKey);
impl fmt::LowerHex for XOnlyPublicKey {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let ser = self.serialize();
for ch in &ser[..] {
write!(f, "{:02x}", *ch)?;
impl fmt::Display for XOnlyPublicKey {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
fmt::LowerHex::fmt(self, f)
impl str::FromStr for XOnlyPublicKey {
type Err = Error;
fn from_str(s: &str) -> Result<XOnlyPublicKey, Error> {
let mut res = [0u8; constants::SCHNORR_PUBLIC_KEY_SIZE];
2021-09-09 09:41:11 +00:00
match from_hex(s, &mut res) {
Ok(constants::SCHNORR_PUBLIC_KEY_SIZE) => {
2021-09-09 09:41:11 +00:00
_ => Err(Error::InvalidPublicKey),
impl XOnlyPublicKey {
/// Obtains a raw const pointer suitable for use with FFI functions.
2021-09-09 09:41:11 +00:00
pub fn as_ptr(&self) -> *const ffi::XOnlyPublicKey {
/// Obtains a raw mutable pointer suitable for use with FFI functions.
2021-09-09 09:41:11 +00:00
pub fn as_mut_ptr(&mut self) -> *mut ffi::XOnlyPublicKey {
&mut self.0
/// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for `keypair`.
2021-09-09 09:41:11 +00:00
pub fn from_keypair(keypair: &KeyPair) -> (XOnlyPublicKey, Parity) {
2021-09-09 09:41:11 +00:00
let mut pk_parity = 0;
unsafe {
let mut xonly_pk = ffi::XOnlyPublicKey::new();
let ret = ffi::secp256k1_keypair_xonly_pub(
2021-09-09 09:41:11 +00:00
&mut xonly_pk,
&mut pk_parity,
debug_assert_eq!(ret, 1);
let parity = Parity::from_i32(pk_parity).expect("should not panic, pk_parity is 0 or 1");
(XOnlyPublicKey(xonly_pk), parity)
2021-09-09 09:41:11 +00:00
/// Creates a Schnorr public key directly from a slice.
2021-09-09 09:41:11 +00:00
/// # Errors
/// Returns [`Error::InvalidPublicKey`] if the length of the data slice is not 32 bytes or the
/// slice does not represent a valid Secp256k1 point x coordinate.
2021-09-09 09:41:11 +00:00
pub fn from_slice(data: &[u8]) -> Result<XOnlyPublicKey, Error> {
if data.is_empty() || data.len() != constants::SCHNORR_PUBLIC_KEY_SIZE {
2021-09-09 09:41:11 +00:00
return Err(Error::InvalidPublicKey);
unsafe {
let mut pk = ffi::XOnlyPublicKey::new();
if ffi::secp256k1_xonly_pubkey_parse(
&mut pk,
) == 1
} else {
/// Serializes the key as a byte-encoded x coordinate value (32 bytes).
pub fn serialize(&self) -> [u8; constants::SCHNORR_PUBLIC_KEY_SIZE] {
let mut ret = [0u8; constants::SCHNORR_PUBLIC_KEY_SIZE];
2021-09-09 09:41:11 +00:00
unsafe {
let err = ffi::secp256k1_xonly_pubkey_serialize(
debug_assert_eq!(err, 1);
/// Tweaks an x-only PublicKey by adding the generator multiplied with the given tweak to it.
/// # Returns
2021-09-09 09:41:11 +00:00
/// An opaque type representing the parity of the tweaked key, this should be provided to
2021-09-09 09:41:11 +00:00
/// `tweak_add_check` which can be used to verify a tweak more efficiently than regenerating
/// it and checking equality.
/// # Errors
/// If the resulting key would be invalid or if the tweak was not a 32-byte length slice.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{Secp256k1, KeyPair};
/// use secp256k1::rand::{RngCore, thread_rng};
/// let secp = Secp256k1::new();
/// let mut tweak = [0u8; 32];
/// thread_rng().fill_bytes(&mut tweak);
/// let mut key_pair = KeyPair::new(&secp, &mut thread_rng());
/// let (mut public_key, _parity) = key_pair.x_only_public_key();
/// public_key.tweak_add_assign(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak");
/// # }
/// ```
2021-09-09 09:41:11 +00:00
pub fn tweak_add_assign<V: Verification>(
&mut self,
secp: &Secp256k1<V>,
tweak: &[u8],
) -> Result<Parity, Error> {
2021-09-09 09:41:11 +00:00
if tweak.len() != 32 {
return Err(Error::InvalidTweak);
let mut pk_parity = 0;
2021-09-09 09:41:11 +00:00
unsafe {
let mut pubkey = ffi::PublicKey::new();
let mut err = ffi::secp256k1_xonly_pubkey_tweak_add(
&mut pubkey,
if err != 1 {
return Err(Error::InvalidTweak);
err = ffi::secp256k1_xonly_pubkey_from_pubkey(
&mut self.0,
&mut pk_parity,
2021-09-09 09:41:11 +00:00
if err == 0 {
return Err(Error::InvalidPublicKey);
2021-09-09 09:41:11 +00:00
2021-09-09 09:41:11 +00:00
/// Verifies that a tweak produced by [`XOnlyPublicKey::tweak_add_assign`] was computed correctly.
/// Should be called on the original untweaked key. Takes the tweaked key and output parity from
/// [`XOnlyPublicKey::tweak_add_assign`] as input.
2021-09-09 09:41:11 +00:00
/// Currently this is not much more efficient than just recomputing the tweak and checking
/// equality. However, in future this API will support batch verification, which is
/// significantly faster, so it is wise to design protocols with this in mind.
2021-09-09 09:41:11 +00:00
/// # Returns
/// True if tweak and check is successful, false otherwise.
/// # Examples
/// ```
/// # #[cfg(all(feature = "std", feature = "rand-std"))] {
/// use secp256k1::{Secp256k1, KeyPair};
/// use secp256k1::rand::{thread_rng, RngCore};
/// let secp = Secp256k1::new();
/// let mut tweak = [0u8; 32];
/// thread_rng().fill_bytes(&mut tweak);
/// let mut key_pair = KeyPair::new(&secp, &mut thread_rng());
/// let (mut public_key, _) = key_pair.x_only_public_key();
/// let original = public_key;
/// let parity = public_key.tweak_add_assign(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak");
/// assert!(original.tweak_add_check(&secp, &public_key, parity, tweak));
/// # }
/// ```
2021-09-09 09:41:11 +00:00
pub fn tweak_add_check<V: Verification>(
secp: &Secp256k1<V>,
tweaked_key: &Self,
tweaked_parity: Parity,
2021-09-09 09:41:11 +00:00
tweak: [u8; 32],
) -> bool {
let tweaked_ser = tweaked_key.serialize();
unsafe {
let err = ffi::secp256k1_xonly_pubkey_tweak_add_check(
2021-09-09 09:41:11 +00:00
err == 1
/// Returns the [`PublicKey`] for this [`XOnlyPublicKey`].
/// This is equivalent to using [`PublicKey::from_xonly_and_parity(self, parity)`].
pub fn public_key(&self, parity: Parity) -> PublicKey {
PublicKey::from_x_only_public_key(*self, parity)
2021-09-09 09:41:11 +00:00
/// Represents the parity passed between FFI function calls.
2022-01-06 17:17:26 +00:00
#[derive(Copy, Clone, PartialEq, Eq, Debug, PartialOrd, Ord, Hash)]
pub enum Parity {
/// Even parity.
Even = 0,
/// Odd parity.
Odd = 1,
impl Parity {
/// Converts parity into an integer (byte) value.
/// This returns `0` for even parity and `1` for odd parity.
pub fn to_u8(self) -> u8 {
self as u8
/// Converts parity into an integer value.
/// This returns `0` for even parity and `1` for odd parity.
pub fn to_i32(self) -> i32 {
self as i32
/// Constructs a [`Parity`] from a byte.
/// The only allowed values are `0` meaning even parity and `1` meaning odd.
/// Other values result in error being returned.
pub fn from_u8(parity: u8) -> Result<Parity, InvalidParityValue> {
/// Constructs a [`Parity`] from a signed integer.
/// The only allowed values are `0` meaning even parity and `1` meaning odd.
/// Other values result in error being returned.
pub fn from_i32(parity: i32) -> Result<Parity, InvalidParityValue> {
match parity {
0 => Ok(Parity::Even),
1 => Ok(Parity::Odd),
_ => Err(InvalidParityValue(parity)),
/// The conversion returns `0` for even parity and `1` for odd.
impl From<Parity> for i32 {
fn from(parity: Parity) -> i32 {
/// The conversion returns `0` for even parity and `1` for odd.
impl From<Parity> for u8 {
fn from(parity: Parity) -> u8 {
/// Returns even parity if the operands are equal, odd otherwise.
impl BitXor for Parity {
type Output = Parity;
fn bitxor(self, rhs: Parity) -> Self::Output {
// This works because Parity has only two values (i.e. only 1 bit of information).
if self == rhs {
Parity::Even // 1^1==0 and 0^0==0
} else {
Parity::Odd // 1^0==1 and 0^1==1
/// Error returned when conversion from an integer to `Parity` fails.
// Note that we don't allow inspecting the value because we may change the type.
// Yes, this comment is intentionally NOT doc comment.
// Too many derives for compatibility with current Error type.
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash, Ord, PartialOrd)]
pub struct InvalidParityValue(i32);
impl fmt::Display for InvalidParityValue {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "invalid value {} for Parity - must be 0 or 1", self.0)
#[cfg(feature = "std")]
#[cfg_attr(docsrs, doc(cfg(feature = "std")))]
impl std::error::Error for InvalidParityValue {}
impl From<InvalidParityValue> for Error {
fn from(error: InvalidParityValue) -> Self {
/// The parity is serialized as `u8` - `0` for even, `1` for odd.
2022-01-06 17:17:26 +00:00
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl serde::Serialize for Parity {
fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
2022-01-06 17:17:26 +00:00
/// The parity is deserialized as `u8` - `0` for even, `1` for odd.
2022-01-06 17:17:26 +00:00
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl<'de> serde::Deserialize<'de> for Parity {
fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
struct Visitor;
2022-01-06 17:17:26 +00:00
impl<'de> serde::de::Visitor<'de> for Visitor
2022-01-06 17:17:26 +00:00
type Value = Parity;
fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
formatter.write_str("8-bit integer (byte) with value 0 or 1")
2022-01-06 17:17:26 +00:00
fn visit_u8<E>(self, v: u8) -> Result<Self::Value, E>
where E: serde::de::Error
2022-01-06 17:17:26 +00:00
use serde::de::Unexpected;
.map_err(|_| E::invalid_value(Unexpected::Unsigned(v.into()), &"0 or 1"))
2022-01-06 17:17:26 +00:00
2022-01-06 17:17:26 +00:00
2021-09-09 09:41:11 +00:00
impl CPtr for XOnlyPublicKey {
type Target = ffi::XOnlyPublicKey;
fn as_c_ptr(&self) -> *const Self::Target {
fn as_mut_c_ptr(&mut self) -> *mut Self::Target {
/// Creates a new Schnorr public key from a FFI x-only public key.
2021-09-09 09:41:11 +00:00
impl From<ffi::XOnlyPublicKey> for XOnlyPublicKey {
fn from(pk: ffi::XOnlyPublicKey) -> XOnlyPublicKey {
impl From<PublicKey> for XOnlyPublicKey {
fn from(src: PublicKey) -> XOnlyPublicKey {
2021-09-09 09:41:11 +00:00
unsafe {
let mut pk = ffi::XOnlyPublicKey::new();
&mut pk,
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl serde::Serialize for XOnlyPublicKey {
fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
2021-09-09 09:41:11 +00:00
if s.is_human_readable() {
} else {
let mut tuple = s.serialize_tuple(constants::SCHNORR_PUBLIC_KEY_SIZE)?;
for byte in self.serialize().iter() {
2021-09-09 09:41:11 +00:00
#[cfg(feature = "serde")]
#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
impl<'de> serde::Deserialize<'de> for XOnlyPublicKey {
fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
2021-09-09 09:41:11 +00:00
if d.is_human_readable() {
"a hex string representing 32 byte schnorr public key"
} else {
let visitor = super::serde_util::Tuple32Visitor::new(
2021-09-09 09:41:11 +00:00
"raw 32 bytes schnorr public key",
d.deserialize_tuple(constants::SCHNORR_PUBLIC_KEY_SIZE, visitor)
2021-09-09 09:41:11 +00:00
/// Serde implementation for the [`KeyPair`] type.
/// Only the secret key part of the [`KeyPair`] is serialized using the [`SecretKey`] serde
/// implementation, meaning the public key has to be regenerated on deserialization.
/// **Attention:** The deserialization algorithm uses the [global context] to generate the public key
/// belonging to the secret key to form a [`KeyPair`]. The typical caveats regarding use of the
/// [global context] with secret data apply.
/// [`SecretKey`]: crate::SecretKey
/// [global context]: crate::SECP256K1
#[cfg(all(feature = "global-context", feature = "serde"))]
pub mod serde_keypair {
use serde::{Deserialize, Deserializer, Serialize, Serializer};
use crate::key::{KeyPair, SecretKey};
pub fn serialize<S>(key: &KeyPair, serializer: S) -> Result<S::Ok, S::Error>
S: Serializer,
pub fn deserialize<'de, D>(deserializer: D) -> Result<KeyPair, D::Error>
D: Deserializer<'de>,
let secret_key = SecretKey::deserialize(deserializer)?;
mod test {
use super::*;
use core::str::FromStr;
2014-08-10 02:02:09 +00:00
#[cfg(any(feature = "alloc", feature = "std"))]
use rand::{Error, RngCore, thread_rng, rngs::mock::StepRng};
#[cfg(target_arch = "wasm32")]
use wasm_bindgen_test::wasm_bindgen_test as test;
use super::{XOnlyPublicKey, PublicKey, Secp256k1, SecretKey, KeyPair, Parity};
use crate::{constants, from_hex, to_hex};
use crate::Error::{InvalidPublicKey, InvalidSecretKey};
2018-03-21 22:01:08 +00:00
macro_rules! hex {
($hex:expr) => ({
let mut result = vec![0; $hex.len() / 2];
from_hex($hex, &mut result).expect("valid hex string");
2018-03-21 22:01:08 +00:00
2014-08-10 02:02:09 +00:00
fn skey_from_slice() {
let sk = SecretKey::from_slice(&[1; 31]);
assert_eq!(sk, Err(InvalidSecretKey));
let sk = SecretKey::from_slice(&[1; 32]);
2014-08-10 02:02:09 +00:00
fn pubkey_from_slice() {
assert_eq!(PublicKey::from_slice(&[]), Err(InvalidPublicKey));
assert_eq!(PublicKey::from_slice(&[1, 2, 3]), Err(InvalidPublicKey));
let uncompressed = PublicKey::from_slice(&[4, 54, 57, 149, 239, 162, 148, 175, 246, 254, 239, 75, 154, 152, 10, 82, 234, 224, 85, 220, 40, 100, 57, 121, 30, 162, 94, 156, 135, 67, 74, 49, 179, 57, 236, 53, 162, 124, 149, 144, 168, 77, 74, 30, 72, 211, 229, 110, 111, 55, 96, 193, 86, 227, 183, 152, 195, 155, 51, 247, 123, 113, 60, 228, 188]);
let compressed = PublicKey::from_slice(&[3, 23, 183, 225, 206, 31, 159, 148, 195, 42, 67, 115, 146, 41, 248, 140, 11, 3, 51, 41, 111, 180, 110, 143, 114, 134, 88, 73, 198, 174, 52, 184, 78]);
#[cfg(any(feature = "alloc", feature = "std"))]
fn keypair_slice_round_trip() {
let s = Secp256k1::new();
let (sk1, pk1) = s.generate_keypair(&mut thread_rng());
assert_eq!(SecretKey::from_slice(&sk1[..]), Ok(sk1));
assert_eq!(PublicKey::from_slice(&pk1.serialize()[..]), Ok(pk1));
assert_eq!(PublicKey::from_slice(&pk1.serialize_uncompressed()[..]), Ok(pk1));
2014-08-10 02:02:09 +00:00
#[cfg(any(feature = "alloc", feature = "std"))]
fn invalid_secret_key() {
// Zero
assert_eq!(SecretKey::from_slice(&[0; 32]), Err(InvalidSecretKey));
// -1
assert_eq!(SecretKey::from_slice(&[0xff; 32]), Err(InvalidSecretKey));
// Top of range
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x40,
// One past top of range
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41,
#[cfg(any(feature = "alloc", feature = "std"))]
fn test_out_of_range() {
struct BadRng(u8);
impl RngCore for BadRng {
fn next_u32(&mut self) -> u32 { unimplemented!() }
fn next_u64(&mut self) -> u64 { unimplemented!() }
// This will set a secret key to a little over the
// group order, then decrement with repeated calls
// until it returns a valid key
fn fill_bytes(&mut self, data: &mut [u8]) {
let group_order: [u8; 32] = [
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41];
assert_eq!(data.len(), 32);
data[31] = self.0;
self.0 -= 1;
fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
let s = Secp256k1::new();
s.generate_keypair(&mut BadRng(0xff));
fn test_pubkey_from_bad_slice() {
// Bad sizes
PublicKey::from_slice(&[0; constants::PUBLIC_KEY_SIZE - 1]),
PublicKey::from_slice(&[0; constants::PUBLIC_KEY_SIZE + 1]),
PublicKey::from_slice(&[0; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE - 1]),
PublicKey::from_slice(&[0; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE + 1]),
// Bad parse
PublicKey::from_slice(&[0xff; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE]),
PublicKey::from_slice(&[0x55; constants::PUBLIC_KEY_SIZE]),
fn test_seckey_from_bad_slice() {
// Bad sizes
SecretKey::from_slice(&[0; constants::SECRET_KEY_SIZE - 1]),
SecretKey::from_slice(&[0; constants::SECRET_KEY_SIZE + 1]),
// Bad parse
SecretKey::from_slice(&[0xff; constants::SECRET_KEY_SIZE]),
SecretKey::from_slice(&[0x00; constants::SECRET_KEY_SIZE]),
#[cfg(all(feature = "rand", any(feature = "alloc", feature = "std")))]
fn test_debug_output() {
let s = Secp256k1::new();
let (sk, _) = s.generate_keypair(&mut StepRng::new(1, 1));
assert_eq!(&format!("{:?}", sk),
let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2];
assert_eq!(to_hex(&sk[..], &mut buf).unwrap(),
#[cfg(any(feature = "alloc", feature = "std"))]
fn test_display_output() {
static SK_BYTES: [u8; 32] = [
0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00,
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
let s = Secp256k1::signing_only();
let sk = SecretKey::from_slice(&SK_BYTES).expect("sk");
// In fuzzing mode secret->public key derivation is different, so
// hard-code the expected result.
let pk = PublicKey::from_secret_key(&s, &sk);
let pk = PublicKey::from_slice(&[0x02, 0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f, 0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d, 0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54, 0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66]).expect("pk");
let long_str: String = core::iter::repeat('a').take(1024 * 1024).collect();
// In fuzzing mode the Y coordinate is expected to match the X, so this
// test uses invalid public keys.
#[cfg(any(feature = "alloc", feature = "std"))]
fn test_pubkey_serialize() {
let s = Secp256k1::new();
let (_, pk1) = s.generate_keypair(&mut StepRng::new(1,1));
&[4, 124, 121, 49, 14, 253, 63, 197, 50, 39, 194, 107, 17, 193, 219, 108, 154, 126, 9, 181, 248, 2, 12, 149, 233, 198, 71, 149, 134, 250, 184, 154, 229, 185, 28, 165, 110, 27, 3, 162, 126, 238, 167, 157, 242, 221, 76, 251, 237, 34, 231, 72, 39, 245, 3, 191, 64, 111, 170, 117, 103, 82, 28, 102, 163][..]);
&[3, 124, 121, 49, 14, 253, 63, 197, 50, 39, 194, 107, 17, 193, 219, 108, 154, 126, 9, 181, 248, 2, 12, 149, 233, 198, 71, 149, 134, 250, 184, 154, 229][..]);
#[cfg(any(feature = "alloc", feature = "std"))]
fn test_addition() {
let s = Secp256k1::new();
let (mut sk1, mut pk1) = s.generate_keypair(&mut thread_rng());
let (mut sk2, mut pk2) = s.generate_keypair(&mut thread_rng());
assert_eq!(PublicKey::from_secret_key(&s, &sk1), pk1);
assert!(pk1.add_exp_assign(&s, &sk2[..]).is_ok());
assert_eq!(PublicKey::from_secret_key(&s, &sk1), pk1);
assert_eq!(PublicKey::from_secret_key(&s, &sk2), pk2);
assert!(pk2.add_exp_assign(&s, &sk1[..]).is_ok());
assert_eq!(PublicKey::from_secret_key(&s, &sk2), pk2);
2016-01-09 03:45:20 +00:00
2016-08-20 17:00:39 +00:00
#[cfg(any(feature = "alloc", feature = "std"))]
2016-08-20 17:00:39 +00:00
fn test_multiplication() {
let s = Secp256k1::new();
let (mut sk1, mut pk1) = s.generate_keypair(&mut thread_rng());
let (mut sk2, mut pk2) = s.generate_keypair(&mut thread_rng());
2016-08-20 17:00:39 +00:00
assert_eq!(PublicKey::from_secret_key(&s, &sk1), pk1);
assert!(pk1.mul_assign(&s, &sk2[..]).is_ok());
assert_eq!(PublicKey::from_secret_key(&s, &sk1), pk1);
2016-08-20 17:00:39 +00:00
assert_eq!(PublicKey::from_secret_key(&s, &sk2), pk2);
assert!(pk2.mul_assign(&s, &sk1[..]).is_ok());
assert_eq!(PublicKey::from_secret_key(&s, &sk2), pk2);
2016-08-20 17:00:39 +00:00
2020-02-07 04:31:43 +00:00
#[cfg(any(feature = "alloc", feature = "std"))]
2020-02-07 04:31:43 +00:00
fn test_negation() {
let s = Secp256k1::new();
let (mut sk, mut pk) = s.generate_keypair(&mut thread_rng());
let original_sk = sk;
let original_pk = pk;
assert_eq!(PublicKey::from_secret_key(&s, &sk), pk);
2020-02-07 04:31:43 +00:00
assert_ne!(original_sk, sk);
assert_ne!(original_pk, pk);
2020-02-07 04:31:43 +00:00
assert_eq!(original_sk, sk);
assert_eq!(original_pk, pk);
assert_eq!(PublicKey::from_secret_key(&s, &sk), pk);
2016-01-09 03:45:20 +00:00
#[cfg(any(feature = "alloc", feature = "std"))]
2016-01-09 03:45:20 +00:00
fn pubkey_hash() {
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
2016-01-09 03:45:20 +00:00
use std::collections::HashSet;
fn hash<T: Hash>(t: &T) -> u64 {
let mut s = DefaultHasher::new();
2016-01-09 03:45:20 +00:00
t.hash(&mut s);
let s = Secp256k1::new();
let mut set = HashSet::new();
const COUNT : usize = 1024;
for _ in 0..COUNT {
let (_, pk) = s.generate_keypair(&mut thread_rng());
2016-01-09 03:45:20 +00:00
let hash = hash(&pk);
assert_eq!(set.len(), COUNT);
2016-01-09 03:45:20 +00:00
fn pubkey_combine() {
let compressed1 = PublicKey::from_slice(
let compressed2 = PublicKey::from_slice(
let exp_sum = PublicKey::from_slice(
let sum1 = compressed1.combine(&compressed2);
let sum2 = compressed2.combine(&compressed1);
assert_eq!(sum1, sum2);
assert_eq!(sum1.unwrap(), exp_sum);
2021-03-31 01:07:20 +00:00
fn pubkey_combine_keys() {
let compressed1 = PublicKey::from_slice(
let compressed2 = PublicKey::from_slice(
let compressed3 = PublicKey::from_slice(
let exp_sum = PublicKey::from_slice(
let sum1 = PublicKey::combine_keys(&[&compressed1, &compressed2, &compressed3]);
let sum2 = PublicKey::combine_keys(&[&compressed1, &compressed2, &compressed3]);
assert_eq!(sum1, sum2);
assert_eq!(sum1.unwrap(), exp_sum);
fn pubkey_combine_keys_empty_slice() {
#[cfg(any(feature = "alloc", feature = "std"))]
fn create_pubkey_combine() {
let s = Secp256k1::new();
let (mut sk1, pk1) = s.generate_keypair(&mut thread_rng());
let (sk2, pk2) = s.generate_keypair(&mut thread_rng());
let sum1 = pk1.combine(&pk2);
let sum2 = pk2.combine(&pk1);
assert_eq!(sum1, sum2);
let sksum = PublicKey::from_secret_key(&s, &sk1);
assert_eq!(Ok(sksum), sum1);
2018-05-29 11:11:18 +00:00
fn pubkey_equal() {
let pk1 = PublicKey::from_slice(
let pk2 = pk1;
2018-05-29 11:11:18 +00:00
let pk3 = PublicKey::from_slice(
assert!(pk1 == pk2);
assert!(pk1 <= pk2);
assert!(pk2 <= pk1);
assert!(!(pk2 < pk1));
assert!(!(pk1 < pk2));
assert!(pk3 > pk1);
assert!(pk1 < pk3);
assert!(pk3 >= pk1);
assert!(pk1 <= pk3);
2018-05-29 11:11:18 +00:00
#[cfg(all(feature = "serde", any(feature = "alloc", feature = "std")))]
fn test_serde() {
use serde_test::{Configure, Token, assert_tokens};
static SK_BYTES: [u8; 32] = [
1, 1, 1, 1, 1, 1, 1, 1,
0, 1, 2, 3, 4, 5, 6, 7,
0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0,
99, 99, 99, 99, 99, 99, 99, 99
static SK_STR: &'static str = "\
static PK_BYTES: [u8; 33] = [
0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f,
0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d,
0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54,
0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66,
static PK_STR: &'static str = "\
let s = Secp256k1::new();
let sk = SecretKey::from_slice(&SK_BYTES).unwrap();
// In fuzzing mode secret->public key derivation is different, so
// hard-code the expected result.
let pk = PublicKey::from_secret_key(&s, &sk);
let pk = PublicKey::from_slice(&PK_BYTES).expect("pk");
assert_tokens(&sk.compact(), &[
Token::Tuple{ len: 32 },
Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1),
Token::U8(0), Token::U8(1), Token::U8(2), Token::U8(3), Token::U8(4), Token::U8(5), Token::U8(6), Token::U8(7),
Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0),
Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99),
assert_tokens(&sk.readable(), &[Token::BorrowedStr(SK_STR)]);
assert_tokens(&sk.readable(), &[Token::Str(SK_STR)]);
assert_tokens(&sk.readable(), &[Token::String(SK_STR)]);
assert_tokens(&pk.compact(), &[
Token::Tuple{ len: 33 },
Token::U8(0x18), Token::U8(0x84), Token::U8(0x57), Token::U8(0x81), Token::U8(0xf6), Token::U8(0x31), Token::U8(0xc4), Token::U8(0x8f),
Token::U8(0x1c), Token::U8(0x97), Token::U8(0x09), Token::U8(0xe2), Token::U8(0x30), Token::U8(0x92), Token::U8(0x06), Token::U8(0x7d),
Token::U8(0x06), Token::U8(0x83), Token::U8(0x7f), Token::U8(0x30), Token::U8(0xaa), Token::U8(0x0c), Token::U8(0xd0), Token::U8(0x54),
Token::U8(0x4a), Token::U8(0xc8), Token::U8(0x87), Token::U8(0xfe), Token::U8(0x91), Token::U8(0xdd), Token::U8(0xd1), Token::U8(0x66),
assert_tokens(&pk.readable(), &[Token::BorrowedStr(PK_STR)]);
assert_tokens(&pk.readable(), &[Token::Str(PK_STR)]);
assert_tokens(&pk.readable(), &[Token::String(PK_STR)]);
#[cfg(any(feature = "alloc", feature = "std"))]
fn test_tweak_add_assign_then_tweak_add_check() {
let s = Secp256k1::new();
for _ in 0..10 {
let mut tweak = [0u8; 32];
thread_rng().fill_bytes(&mut tweak);
let mut kp = KeyPair::new(&s, &mut thread_rng());
let (mut pk, _parity) = kp.x_only_public_key();
let orig_pk = pk;
kp.tweak_add_assign(&s, &tweak).expect("Tweak error");
let parity = pk.tweak_add_assign(&s, &tweak).expect("Tweak error");
let (back, _) = XOnlyPublicKey::from_keypair(&kp);
assert_eq!(back, pk);
assert!(orig_pk.tweak_add_check(&s, &pk, parity, tweak));
fn test_from_key_pubkey() {
let kpk1 = PublicKey::from_str(
let kpk2 = PublicKey::from_str(
let pk1 = XOnlyPublicKey::from(kpk1);
let pk2 = XOnlyPublicKey::from(kpk2);
assert_eq!(pk1.serialize()[..], kpk1.serialize()[1..]);
assert_eq!(pk2.serialize()[..], kpk2.serialize()[1..]);
#[cfg(all(feature = "global-context", feature = "serde"))]
fn test_serde_keypair() {
use serde::{Deserialize, Deserializer, Serialize, Serializer};
use serde_test::{Configure, Token, assert_tokens};
use super::serde_keypair;
use crate::key::KeyPair;
// Normally users would derive the serde traits, but we can't easily enable the serde macros
// here, so they are implemented manually to be able to test the behaviour.
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
struct KeyPairWrapper(KeyPair);
impl<'de> Deserialize<'de> for KeyPairWrapper {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where D: Deserializer<'de> {
impl Serialize for KeyPairWrapper {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error> where S: Serializer {
serde_keypair::serialize(&self.0, serializer)
static SK_BYTES: [u8; 32] = [
1, 1, 1, 1, 1, 1, 1, 1,
0, 1, 2, 3, 4, 5, 6, 7,
0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0,
99, 99, 99, 99, 99, 99, 99, 99
static SK_STR: &'static str = "\
let sk = KeyPairWrapper(KeyPair::from_seckey_slice(&crate::SECP256K1, &SK_BYTES).unwrap());
assert_tokens(&sk.compact(), &[
Token::Tuple{ len: 32 },
Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1),
Token::U8(0), Token::U8(1), Token::U8(2), Token::U8(3), Token::U8(4), Token::U8(5), Token::U8(6), Token::U8(7),
Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0),
Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99),
assert_tokens(&sk.readable(), &[Token::BorrowedStr(SK_STR)]);
assert_tokens(&sk.readable(), &[Token::Str(SK_STR)]);
assert_tokens(&sk.readable(), &[Token::String(SK_STR)]);
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn keys() -> (SecretKey, PublicKey, KeyPair, XOnlyPublicKey) {
let secp = Secp256k1::new();
static SK_BYTES: [u8; 32] = [
0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00,
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
static PK_BYTES: [u8; 32] = [
0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f,
0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d,
0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54,
0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66
let mut pk_bytes = [0u8; 33];
pk_bytes[0] = 0x02; // Use positive Y co-ordinate.
let sk = SecretKey::from_slice(&SK_BYTES).expect("failed to parse sk bytes");
let pk = PublicKey::from_slice(&pk_bytes).expect("failed to create pk from iterator");
let kp = KeyPair::from_secret_key(&secp, &sk);
let xonly = XOnlyPublicKey::from_slice(&PK_BYTES).expect("failed to get xonly from slice");
(sk, pk, kp, xonly)
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn convert_public_key_to_xonly_public_key() {
let (_sk, pk, _kp, want) = keys();
let (got, parity) = pk.x_only_public_key();
assert_eq!(parity, Parity::Even);
assert_eq!(got, want)
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn convert_secret_key_to_public_key() {
let secp = Secp256k1::new();
let (sk, want, _kp, _xonly) = keys();
let got = sk.public_key(&secp);
assert_eq!(got, want)
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn convert_secret_key_to_x_only_public_key() {
let secp = Secp256k1::new();
let (sk, _pk, _kp, want) = keys();
let (got, parity) = sk.x_only_public_key(&secp);
assert_eq!(parity, Parity::Even);
assert_eq!(got, want)
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn convert_keypair_to_public_key() {
let (_sk, want, kp, _xonly) = keys();
let got = kp.public_key();
assert_eq!(got, want)
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn convert_keypair_to_x_only_public_key() {
let (_sk, _pk, kp, want) = keys();
let (got, parity) = kp.x_only_public_key();
assert_eq!(parity, Parity::Even);
assert_eq!(got, want)
// SecretKey -> KeyPair -> SecretKey
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn roundtrip_secret_key_via_keypair() {
let secp = Secp256k1::new();
let (sk, _pk, _kp, _xonly) = keys();
let kp = sk.keypair(&secp);
let back = kp.secret_key();
assert_eq!(back, sk)
// KeyPair -> SecretKey -> KeyPair
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn roundtrip_keypair_via_secret_key() {
let secp = Secp256k1::new();
let (_sk, _pk, kp, _xonly) = keys();
let sk = kp.secret_key();
let back = sk.keypair(&secp);
assert_eq!(back, kp)
// XOnlyPublicKey -> PublicKey -> XOnlyPublicKey
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn roundtrip_x_only_public_key_via_public_key() {
let (_sk, _pk, _kp, xonly) = keys();
let pk = xonly.public_key(Parity::Even);
let (back, parity) = pk.x_only_public_key();
assert_eq!(parity, Parity::Even);
assert_eq!(back, xonly)
// PublicKey -> XOnlyPublicKey -> PublicKey
#[cfg(all(not(fuzzing), any(feature = "alloc", feature = "std")))]
fn roundtrip_public_key_via_x_only_public_key() {
let (_sk, pk, _kp, _xonly) = keys();
let (xonly, parity) = pk.x_only_public_key();
let back = xonly.public_key(parity);
assert_eq!(back, pk)
fn public_key_from_x_only_public_key_and_odd_parity() {
let s = "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166";
let mut want = String::from("03");
let xonly = XOnlyPublicKey::from_str(s).expect("failed to parse xonly pubkey string");
let pk = xonly.public_key(Parity::Odd);
let got = format!("{}", pk);
assert_eq!(got, want)
#[cfg(all(feature = "global-context", feature = "serde"))]
fn test_serde_x_only_pubkey() {
use serde_test::{Configure, Token, assert_tokens};
static SK_BYTES: [u8; 32] = [
1, 1, 1, 1, 1, 1, 1, 1,
0, 1, 2, 3, 4, 5, 6, 7,
0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0,
99, 99, 99, 99, 99, 99, 99, 99
static PK_STR: &'static str = "\
let kp = KeyPair::from_seckey_slice(&crate::SECP256K1, &SK_BYTES).unwrap();
let (pk, _parity) = XOnlyPublicKey::from_keypair(&kp);
assert_tokens(&pk.compact(), &[
Token::Tuple{ len: 32 },
Token::U8(0x18), Token::U8(0x84), Token::U8(0x57), Token::U8(0x81), Token::U8(0xf6), Token::U8(0x31), Token::U8(0xc4), Token::U8(0x8f),
Token::U8(0x1c), Token::U8(0x97), Token::U8(0x09), Token::U8(0xe2), Token::U8(0x30), Token::U8(0x92), Token::U8(0x06), Token::U8(0x7d),
Token::U8(0x06), Token::U8(0x83), Token::U8(0x7f), Token::U8(0x30), Token::U8(0xaa), Token::U8(0x0c), Token::U8(0xd0), Token::U8(0x54),
Token::U8(0x4a), Token::U8(0xc8), Token::U8(0x87), Token::U8(0xfe), Token::U8(0x91), Token::U8(0xdd), Token::U8(0xd1), Token::U8(0x66),
assert_tokens(&pk.readable(), &[Token::BorrowedStr(PK_STR)]);
assert_tokens(&pk.readable(), &[Token::Str(PK_STR)]);
assert_tokens(&pk.readable(), &[Token::String(PK_STR)]);