csecp256k1

Haskell FFI bindings to bitcoin-core/secp256k1 (docs.ppad.tech/csecp256k1).
git clone git://git.ppad.tech/csecp256k1.git
Log | Files | Refs | README | LICENSE

secp256k1.h (45171B)


      1 #ifndef SECP256K1_H
      2 #define SECP256K1_H
      3 
      4 #ifdef __cplusplus
      5 extern "C" {
      6 #endif
      7 
      8 #include <stddef.h>
      9 
     10 /** Unless explicitly stated all pointer arguments must not be NULL.
     11  *
     12  * The following rules specify the order of arguments in API calls:
     13  *
     14  * 1. Context pointers go first, followed by output arguments, combined
     15  *    output/input arguments, and finally input-only arguments.
     16  * 2. Array lengths always immediately follow the argument whose length
     17  *    they describe, even if this violates rule 1.
     18  * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated
     19  *    later go first. This means: signatures, public nonces, secret nonces,
     20  *    messages, public keys, secret keys, tweaks.
     21  * 4. Arguments that are not data pointers go last, from more complex to less
     22  *    complex: function pointers, algorithm names, messages, void pointers,
     23  *    counts, flags, booleans.
     24  * 5. Opaque data pointers follow the function pointer they are to be passed to.
     25  */
     26 
     27 /** Opaque data structure that holds context information
     28  *
     29  *  The primary purpose of context objects is to store randomization data for
     30  *  enhanced protection against side-channel leakage. This protection is only
     31  *  effective if the context is randomized after its creation. See
     32  *  haskellsecp256k1_v0_1_0_context_create for creation of contexts and
     33  *  haskellsecp256k1_v0_1_0_context_randomize for randomization.
     34  *
     35  *  A secondary purpose of context objects is to store pointers to callback
     36  *  functions that the library will call when certain error states arise. See
     37  *  haskellsecp256k1_v0_1_0_context_set_error_callback as well as
     38  *  haskellsecp256k1_v0_1_0_context_set_illegal_callback for details. Future library versions
     39  *  may use context objects for additional purposes.
     40  *
     41  *  A constructed context can safely be used from multiple threads
     42  *  simultaneously, but API calls that take a non-const pointer to a context
     43  *  need exclusive access to it. In particular this is the case for
     44  *  haskellsecp256k1_v0_1_0_context_destroy, haskellsecp256k1_v0_1_0_context_preallocated_destroy,
     45  *  and haskellsecp256k1_v0_1_0_context_randomize.
     46  *
     47  *  Regarding randomization, either do it once at creation time (in which case
     48  *  you do not need any locking for the other calls), or use a read-write lock.
     49  */
     50 typedef struct haskellsecp256k1_v0_1_0_context_struct haskellsecp256k1_v0_1_0_context;
     51 
     52 /** Opaque data structure that holds rewritable "scratch space"
     53  *
     54  *  The purpose of this structure is to replace dynamic memory allocations,
     55  *  because we target architectures where this may not be available. It is
     56  *  essentially a resizable (within specified parameters) block of bytes,
     57  *  which is initially created either by memory allocation or TODO as a pointer
     58  *  into some fixed rewritable space.
     59  *
     60  *  Unlike the context object, this cannot safely be shared between threads
     61  *  without additional synchronization logic.
     62  */
     63 typedef struct haskellsecp256k1_v0_1_0_scratch_space_struct haskellsecp256k1_v0_1_0_scratch_space;
     64 
     65 /** Opaque data structure that holds a parsed and valid public key.
     66  *
     67  *  The exact representation of data inside is implementation defined and not
     68  *  guaranteed to be portable between different platforms or versions. It is
     69  *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
     70  *  If you need to convert to a format suitable for storage or transmission,
     71  *  use haskellsecp256k1_v0_1_0_ec_pubkey_serialize and haskellsecp256k1_v0_1_0_ec_pubkey_parse. To
     72  *  compare keys, use haskellsecp256k1_v0_1_0_ec_pubkey_cmp.
     73  */
     74 typedef struct {
     75     unsigned char data[64];
     76 } haskellsecp256k1_v0_1_0_pubkey;
     77 
     78 /** Opaque data structured that holds a parsed ECDSA signature.
     79  *
     80  *  The exact representation of data inside is implementation defined and not
     81  *  guaranteed to be portable between different platforms or versions. It is
     82  *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
     83  *  If you need to convert to a format suitable for storage, transmission, or
     84  *  comparison, use the haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_* and
     85  *  haskellsecp256k1_v0_1_0_ecdsa_signature_parse_* functions.
     86  */
     87 typedef struct {
     88     unsigned char data[64];
     89 } haskellsecp256k1_v0_1_0_ecdsa_signature;
     90 
     91 /** A pointer to a function to deterministically generate a nonce.
     92  *
     93  * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
     94  * Out:     nonce32:   pointer to a 32-byte array to be filled by the function.
     95  * In:      msg32:     the 32-byte message hash being verified (will not be NULL)
     96  *          key32:     pointer to a 32-byte secret key (will not be NULL)
     97  *          algo16:    pointer to a 16-byte array describing the signature
     98  *                     algorithm (will be NULL for ECDSA for compatibility).
     99  *          data:      Arbitrary data pointer that is passed through.
    100  *          attempt:   how many iterations we have tried to find a nonce.
    101  *                     This will almost always be 0, but different attempt values
    102  *                     are required to result in a different nonce.
    103  *
    104  * Except for test cases, this function should compute some cryptographic hash of
    105  * the message, the algorithm, the key and the attempt.
    106  */
    107 typedef int (*haskellsecp256k1_v0_1_0_nonce_function)(
    108     unsigned char *nonce32,
    109     const unsigned char *msg32,
    110     const unsigned char *key32,
    111     const unsigned char *algo16,
    112     void *data,
    113     unsigned int attempt
    114 );
    115 
    116 # if !defined(SECP256K1_GNUC_PREREQ)
    117 #  if defined(__GNUC__)&&defined(__GNUC_MINOR__)
    118 #   define SECP256K1_GNUC_PREREQ(_maj,_min) \
    119  ((__GNUC__<<16)+__GNUC_MINOR__>=((_maj)<<16)+(_min))
    120 #  else
    121 #   define SECP256K1_GNUC_PREREQ(_maj,_min) 0
    122 #  endif
    123 # endif
    124 
    125 /*  When this header is used at build-time the SECP256K1_BUILD define needs to be set
    126  *  to correctly setup export attributes and nullness checks.  This is normally done
    127  *  by secp256k1.c but to guard against this header being included before secp256k1.c
    128  *  has had a chance to set the define (e.g. via test harnesses that just includes
    129  *  secp256k1.c) we set SECP256K1_NO_BUILD when this header is processed without the
    130  *  BUILD define so this condition can be caught.
    131  */
    132 #ifndef SECP256K1_BUILD
    133 # define SECP256K1_NO_BUILD
    134 #endif
    135 
    136 /* Symbol visibility. */
    137 #if defined(_WIN32)
    138   /* GCC for Windows (e.g., MinGW) accepts the __declspec syntax
    139    * for MSVC compatibility. A __declspec declaration implies (but is not
    140    * exactly equivalent to) __attribute__ ((visibility("default"))), and so we
    141    * actually want __declspec even on GCC, see "Microsoft Windows Function
    142    * Attributes" in the GCC manual and the recommendations in
    143    * https://gcc.gnu.org/wiki/Visibility. */
    144 # if defined(SECP256K1_BUILD)
    145 #  if defined(DLL_EXPORT) || defined(SECP256K1_DLL_EXPORT)
    146     /* Building libsecp256k1 as a DLL.
    147      * 1. If using Libtool, it defines DLL_EXPORT automatically.
    148      * 2. In other cases, SECP256K1_DLL_EXPORT must be defined. */
    149 #   define SECP256K1_API extern __declspec (dllexport)
    150 #  endif
    151   /* The user must define SECP256K1_STATIC when consuming libsecp256k1 as a static
    152    * library on Windows. */
    153 # elif !defined(SECP256K1_STATIC)
    154    /* Consuming libsecp256k1 as a DLL. */
    155 #  define SECP256K1_API extern __declspec (dllimport)
    156 # endif
    157 #endif
    158 #ifndef SECP256K1_API
    159 # if defined(__GNUC__) && (__GNUC__ >= 4) && defined(SECP256K1_BUILD)
    160    /* Building libsecp256k1 on non-Windows using GCC or compatible. */
    161 #  define SECP256K1_API extern __attribute__ ((visibility ("default")))
    162 # else
    163    /* All cases not captured above. */
    164 #  define SECP256K1_API extern
    165 # endif
    166 #endif
    167 
    168 /* Warning attributes
    169  * NONNULL is not used if SECP256K1_BUILD is set to avoid the compiler optimizing out
    170  * some paranoid null checks. */
    171 # if defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4)
    172 #  define SECP256K1_WARN_UNUSED_RESULT __attribute__ ((__warn_unused_result__))
    173 # else
    174 #  define SECP256K1_WARN_UNUSED_RESULT
    175 # endif
    176 # if !defined(SECP256K1_BUILD) && defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4)
    177 #  define SECP256K1_ARG_NONNULL(_x)  __attribute__ ((__nonnull__(_x)))
    178 # else
    179 #  define SECP256K1_ARG_NONNULL(_x)
    180 # endif
    181 
    182 /* Attribute for marking functions, types, and variables as deprecated */
    183 #if !defined(SECP256K1_BUILD) && defined(__has_attribute)
    184 # if __has_attribute(__deprecated__)
    185 #  define SECP256K1_DEPRECATED(_msg) __attribute__ ((__deprecated__(_msg)))
    186 # else
    187 #  define SECP256K1_DEPRECATED(_msg)
    188 # endif
    189 #else
    190 # define SECP256K1_DEPRECATED(_msg)
    191 #endif
    192 
    193 /* All flags' lower 8 bits indicate what they're for. Do not use directly. */
    194 #define SECP256K1_FLAGS_TYPE_MASK ((1 << 8) - 1)
    195 #define SECP256K1_FLAGS_TYPE_CONTEXT (1 << 0)
    196 #define SECP256K1_FLAGS_TYPE_COMPRESSION (1 << 1)
    197 /* The higher bits contain the actual data. Do not use directly. */
    198 #define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8)
    199 #define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9)
    200 #define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10)
    201 #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8)
    202 
    203 /** Context flags to pass to haskellsecp256k1_v0_1_0_context_create, haskellsecp256k1_v0_1_0_context_preallocated_size, and
    204  *  haskellsecp256k1_v0_1_0_context_preallocated_create. */
    205 #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT)
    206 
    207 /** Deprecated context flags. These flags are treated equivalent to SECP256K1_CONTEXT_NONE. */
    208 #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY)
    209 #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN)
    210 
    211 /* Testing flag. Do not use. */
    212 #define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY)
    213 
    214 /** Flag to pass to haskellsecp256k1_v0_1_0_ec_pubkey_serialize. */
    215 #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION)
    216 #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION)
    217 
    218 /** Prefix byte used to tag various encoded curvepoints for specific purposes */
    219 #define SECP256K1_TAG_PUBKEY_EVEN 0x02
    220 #define SECP256K1_TAG_PUBKEY_ODD 0x03
    221 #define SECP256K1_TAG_PUBKEY_UNCOMPRESSED 0x04
    222 #define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06
    223 #define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07
    224 
    225 /** A built-in constant secp256k1 context object with static storage duration, to be
    226  *  used in conjunction with haskellsecp256k1_v0_1_0_selftest.
    227  *
    228  *  This context object offers *only limited functionality* , i.e., it cannot be used
    229  *  for API functions that perform computations involving secret keys, e.g., signing
    230  *  and public key generation. If this restriction applies to a specific API function,
    231  *  it is mentioned in its documentation. See haskellsecp256k1_v0_1_0_context_create if you need a
    232  *  full context object that supports all functionality offered by the library.
    233  *
    234  *  It is highly recommended to call haskellsecp256k1_v0_1_0_selftest before using this context.
    235  */
    236 SECP256K1_API const haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_static;
    237 
    238 /** Deprecated alias for haskellsecp256k1_v0_1_0_context_static. */
    239 SECP256K1_API const haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_no_precomp
    240 SECP256K1_DEPRECATED("Use haskellsecp256k1_v0_1_0_context_static instead");
    241 
    242 /** Perform basic self tests (to be used in conjunction with haskellsecp256k1_v0_1_0_context_static)
    243  *
    244  *  This function performs self tests that detect some serious usage errors and
    245  *  similar conditions, e.g., when the library is compiled for the wrong endianness.
    246  *  This is a last resort measure to be used in production. The performed tests are
    247  *  very rudimentary and are not intended as a replacement for running the test
    248  *  binaries.
    249  *
    250  *  It is highly recommended to call this before using haskellsecp256k1_v0_1_0_context_static.
    251  *  It is not necessary to call this function before using a context created with
    252  *  haskellsecp256k1_v0_1_0_context_create (or haskellsecp256k1_v0_1_0_context_preallocated_create), which will
    253  *  take care of performing the self tests.
    254  *
    255  *  If the tests fail, this function will call the default error handler to abort the
    256  *  program (see haskellsecp256k1_v0_1_0_context_set_error_callback).
    257  */
    258 SECP256K1_API void haskellsecp256k1_v0_1_0_selftest(void);
    259 
    260 
    261 /** Create a secp256k1 context object (in dynamically allocated memory).
    262  *
    263  *  This function uses malloc to allocate memory. It is guaranteed that malloc is
    264  *  called at most once for every call of this function. If you need to avoid dynamic
    265  *  memory allocation entirely, see haskellsecp256k1_v0_1_0_context_static and the functions in
    266  *  haskellsecp256k1_v0_1_0_preallocated.h.
    267  *
    268  *  Returns: pointer to a newly created context object.
    269  *  In:      flags: Always set to SECP256K1_CONTEXT_NONE (see below).
    270  *
    271  *  The only valid non-deprecated flag in recent library versions is
    272  *  SECP256K1_CONTEXT_NONE, which will create a context sufficient for all functionality
    273  *  offered by the library. All other (deprecated) flags will be treated as equivalent
    274  *  to the SECP256K1_CONTEXT_NONE flag. Though the flags parameter primarily exists for
    275  *  historical reasons, future versions of the library may introduce new flags.
    276  *
    277  *  If the context is intended to be used for API functions that perform computations
    278  *  involving secret keys, e.g., signing and public key generation, then it is highly
    279  *  recommended to call haskellsecp256k1_v0_1_0_context_randomize on the context before calling
    280  *  those API functions. This will provide enhanced protection against side-channel
    281  *  leakage, see haskellsecp256k1_v0_1_0_context_randomize for details.
    282  *
    283  *  Do not create a new context object for each operation, as construction and
    284  *  randomization can take non-negligible time.
    285  */
    286 SECP256K1_API haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_create(
    287     unsigned int flags
    288 ) SECP256K1_WARN_UNUSED_RESULT;
    289 
    290 /** Copy a secp256k1 context object (into dynamically allocated memory).
    291  *
    292  *  This function uses malloc to allocate memory. It is guaranteed that malloc is
    293  *  called at most once for every call of this function. If you need to avoid dynamic
    294  *  memory allocation entirely, see the functions in haskellsecp256k1_v0_1_0_preallocated.h.
    295  *
    296  *  Cloning haskellsecp256k1_v0_1_0_context_static is not possible, and should not be emulated by
    297  *  the caller (e.g., using memcpy). Create a new context instead.
    298  *
    299  *  Returns: pointer to a newly created context object.
    300  *  Args:    ctx: pointer to a context to copy (not haskellsecp256k1_v0_1_0_context_static).
    301  */
    302 SECP256K1_API haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_clone(
    303     const haskellsecp256k1_v0_1_0_context *ctx
    304 ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT;
    305 
    306 /** Destroy a secp256k1 context object (created in dynamically allocated memory).
    307  *
    308  *  The context pointer may not be used afterwards.
    309  *
    310  *  The context to destroy must have been created using haskellsecp256k1_v0_1_0_context_create
    311  *  or haskellsecp256k1_v0_1_0_context_clone. If the context has instead been created using
    312  *  haskellsecp256k1_v0_1_0_context_preallocated_create or haskellsecp256k1_v0_1_0_context_preallocated_clone, the
    313  *  behaviour is undefined. In that case, haskellsecp256k1_v0_1_0_context_preallocated_destroy must
    314  *  be used instead.
    315  *
    316  *  Args:   ctx: pointer to a context to destroy, constructed using
    317  *               haskellsecp256k1_v0_1_0_context_create or haskellsecp256k1_v0_1_0_context_clone
    318  *               (i.e., not haskellsecp256k1_v0_1_0_context_static).
    319  */
    320 SECP256K1_API void haskellsecp256k1_v0_1_0_context_destroy(
    321     haskellsecp256k1_v0_1_0_context *ctx
    322 ) SECP256K1_ARG_NONNULL(1);
    323 
    324 /** Set a callback function to be called when an illegal argument is passed to
    325  *  an API call. It will only trigger for violations that are mentioned
    326  *  explicitly in the header.
    327  *
    328  *  The philosophy is that these shouldn't be dealt with through a
    329  *  specific return value, as calling code should not have branches to deal with
    330  *  the case that this code itself is broken.
    331  *
    332  *  On the other hand, during debug stage, one would want to be informed about
    333  *  such mistakes, and the default (crashing) may be inadvisable.
    334  *  When this callback is triggered, the API function called is guaranteed not
    335  *  to cause a crash, though its return value and output arguments are
    336  *  undefined.
    337  *
    338  *  When this function has not been called (or called with fn==NULL), then the
    339  *  default handler will be used. The library provides a default handler which
    340  *  writes the message to stderr and calls abort. This default handler can be
    341  *  replaced at link time if the preprocessor macro
    342  *  USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build
    343  *  has been configured with --enable-external-default-callbacks. Then the
    344  *  following two symbols must be provided to link against:
    345  *   - void haskellsecp256k1_v0_1_0_default_illegal_callback_fn(const char *message, void *data);
    346  *   - void haskellsecp256k1_v0_1_0_default_error_callback_fn(const char *message, void *data);
    347  *  The library can call these default handlers even before a proper callback data
    348  *  pointer could have been set using haskellsecp256k1_v0_1_0_context_set_illegal_callback or
    349  *  haskellsecp256k1_v0_1_0_context_set_error_callback, e.g., when the creation of a context
    350  *  fails. In this case, the corresponding default handler will be called with
    351  *  the data pointer argument set to NULL.
    352  *
    353  *  Args: ctx:  pointer to a context object.
    354  *  In:   fun:  pointer to a function to call when an illegal argument is
    355  *              passed to the API, taking a message and an opaque pointer.
    356  *              (NULL restores the default handler.)
    357  *        data: the opaque pointer to pass to fun above, must be NULL for the default handler.
    358  *
    359  *  See also haskellsecp256k1_v0_1_0_context_set_error_callback.
    360  */
    361 SECP256K1_API void haskellsecp256k1_v0_1_0_context_set_illegal_callback(
    362     haskellsecp256k1_v0_1_0_context *ctx,
    363     void (*fun)(const char *message, void *data),
    364     const void *data
    365 ) SECP256K1_ARG_NONNULL(1);
    366 
    367 /** Set a callback function to be called when an internal consistency check
    368  *  fails.
    369  *
    370  *  The default callback writes an error message to stderr and calls abort
    371  *  to abort the program.
    372  *
    373  *  This can only trigger in case of a hardware failure, miscompilation,
    374  *  memory corruption, serious bug in the library, or other error would can
    375  *  otherwise result in undefined behaviour. It will not trigger due to mere
    376  *  incorrect usage of the API (see haskellsecp256k1_v0_1_0_context_set_illegal_callback
    377  *  for that). After this callback returns, anything may happen, including
    378  *  crashing.
    379  *
    380  *  Args: ctx:  pointer to a context object.
    381  *  In:   fun:  pointer to a function to call when an internal error occurs,
    382  *              taking a message and an opaque pointer (NULL restores the
    383  *              default handler, see haskellsecp256k1_v0_1_0_context_set_illegal_callback
    384  *              for details).
    385  *        data: the opaque pointer to pass to fun above, must be NULL for the default handler.
    386  *
    387  *  See also haskellsecp256k1_v0_1_0_context_set_illegal_callback.
    388  */
    389 SECP256K1_API void haskellsecp256k1_v0_1_0_context_set_error_callback(
    390     haskellsecp256k1_v0_1_0_context *ctx,
    391     void (*fun)(const char *message, void *data),
    392     const void *data
    393 ) SECP256K1_ARG_NONNULL(1);
    394 
    395 /** Create a secp256k1 scratch space object.
    396  *
    397  *  Returns: a newly created scratch space.
    398  *  Args: ctx:  pointer to a context object.
    399  *  In:   size: amount of memory to be available as scratch space. Some extra
    400  *              (<100 bytes) will be allocated for extra accounting.
    401  */
    402 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT haskellsecp256k1_v0_1_0_scratch_space *haskellsecp256k1_v0_1_0_scratch_space_create(
    403     const haskellsecp256k1_v0_1_0_context *ctx,
    404     size_t size
    405 ) SECP256K1_ARG_NONNULL(1);
    406 
    407 /** Destroy a secp256k1 scratch space.
    408  *
    409  *  The pointer may not be used afterwards.
    410  *  Args:       ctx: pointer to a context object.
    411  *          scratch: space to destroy
    412  */
    413 SECP256K1_API void haskellsecp256k1_v0_1_0_scratch_space_destroy(
    414     const haskellsecp256k1_v0_1_0_context *ctx,
    415     haskellsecp256k1_v0_1_0_scratch_space *scratch
    416 ) SECP256K1_ARG_NONNULL(1);
    417 
    418 /** Parse a variable-length public key into the pubkey object.
    419  *
    420  *  Returns: 1 if the public key was fully valid.
    421  *           0 if the public key could not be parsed or is invalid.
    422  *  Args: ctx:      pointer to a context object.
    423  *  Out:  pubkey:   pointer to a pubkey object. If 1 is returned, it is set to a
    424  *                  parsed version of input. If not, its value is undefined.
    425  *  In:   input:    pointer to a serialized public key
    426  *        inputlen: length of the array pointed to by input
    427  *
    428  *  This function supports parsing compressed (33 bytes, header byte 0x02 or
    429  *  0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header
    430  *  byte 0x06 or 0x07) format public keys.
    431  */
    432 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_parse(
    433     const haskellsecp256k1_v0_1_0_context *ctx,
    434     haskellsecp256k1_v0_1_0_pubkey *pubkey,
    435     const unsigned char *input,
    436     size_t inputlen
    437 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    438 
    439 /** Serialize a pubkey object into a serialized byte sequence.
    440  *
    441  *  Returns: 1 always.
    442  *  Args:   ctx:        pointer to a context object.
    443  *  Out:    output:     pointer to a 65-byte (if compressed==0) or 33-byte (if
    444  *                      compressed==1) byte array to place the serialized key
    445  *                      in.
    446  *  In/Out: outputlen:  pointer to an integer which is initially set to the
    447  *                      size of output, and is overwritten with the written
    448  *                      size.
    449  *  In:     pubkey:     pointer to a haskellsecp256k1_v0_1_0_pubkey containing an
    450  *                      initialized public key.
    451  *          flags:      SECP256K1_EC_COMPRESSED if serialization should be in
    452  *                      compressed format, otherwise SECP256K1_EC_UNCOMPRESSED.
    453  */
    454 SECP256K1_API int haskellsecp256k1_v0_1_0_ec_pubkey_serialize(
    455     const haskellsecp256k1_v0_1_0_context *ctx,
    456     unsigned char *output,
    457     size_t *outputlen,
    458     const haskellsecp256k1_v0_1_0_pubkey *pubkey,
    459     unsigned int flags
    460 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    461 
    462 /** Compare two public keys using lexicographic (of compressed serialization) order
    463  *
    464  *  Returns: <0 if the first public key is less than the second
    465  *           >0 if the first public key is greater than the second
    466  *           0 if the two public keys are equal
    467  *  Args: ctx:      pointer to a context object
    468  *  In:   pubkey1:  first public key to compare
    469  *        pubkey2:  second public key to compare
    470  */
    471 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_cmp(
    472     const haskellsecp256k1_v0_1_0_context *ctx,
    473     const haskellsecp256k1_v0_1_0_pubkey *pubkey1,
    474     const haskellsecp256k1_v0_1_0_pubkey *pubkey2
    475 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    476 
    477 /** Parse an ECDSA signature in compact (64 bytes) format.
    478  *
    479  *  Returns: 1 when the signature could be parsed, 0 otherwise.
    480  *  Args: ctx:      pointer to a context object
    481  *  Out:  sig:      pointer to a signature object
    482  *  In:   input64:  pointer to the 64-byte array to parse
    483  *
    484  *  The signature must consist of a 32-byte big endian R value, followed by a
    485  *  32-byte big endian S value. If R or S fall outside of [0..order-1], the
    486  *  encoding is invalid. R and S with value 0 are allowed in the encoding.
    487  *
    488  *  After the call, sig will always be initialized. If parsing failed or R or
    489  *  S are zero, the resulting sig value is guaranteed to fail verification for
    490  *  any message and public key.
    491  */
    492 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(
    493     const haskellsecp256k1_v0_1_0_context *ctx,
    494     haskellsecp256k1_v0_1_0_ecdsa_signature *sig,
    495     const unsigned char *input64
    496 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    497 
    498 /** Parse a DER ECDSA signature.
    499  *
    500  *  Returns: 1 when the signature could be parsed, 0 otherwise.
    501  *  Args: ctx:      pointer to a context object
    502  *  Out:  sig:      pointer to a signature object
    503  *  In:   input:    pointer to the signature to be parsed
    504  *        inputlen: the length of the array pointed to be input
    505  *
    506  *  This function will accept any valid DER encoded signature, even if the
    507  *  encoded numbers are out of range.
    508  *
    509  *  After the call, sig will always be initialized. If parsing failed or the
    510  *  encoded numbers are out of range, signature verification with it is
    511  *  guaranteed to fail for every message and public key.
    512  */
    513 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(
    514     const haskellsecp256k1_v0_1_0_context *ctx,
    515     haskellsecp256k1_v0_1_0_ecdsa_signature *sig,
    516     const unsigned char *input,
    517     size_t inputlen
    518 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    519 
    520 /** Serialize an ECDSA signature in DER format.
    521  *
    522  *  Returns: 1 if enough space was available to serialize, 0 otherwise
    523  *  Args:   ctx:       pointer to a context object
    524  *  Out:    output:    pointer to an array to store the DER serialization
    525  *  In/Out: outputlen: pointer to a length integer. Initially, this integer
    526  *                     should be set to the length of output. After the call
    527  *                     it will be set to the length of the serialization (even
    528  *                     if 0 was returned).
    529  *  In:     sig:       pointer to an initialized signature object
    530  */
    531 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(
    532     const haskellsecp256k1_v0_1_0_context *ctx,
    533     unsigned char *output,
    534     size_t *outputlen,
    535     const haskellsecp256k1_v0_1_0_ecdsa_signature *sig
    536 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    537 
    538 /** Serialize an ECDSA signature in compact (64 byte) format.
    539  *
    540  *  Returns: 1
    541  *  Args:   ctx:       pointer to a context object
    542  *  Out:    output64:  pointer to a 64-byte array to store the compact serialization
    543  *  In:     sig:       pointer to an initialized signature object
    544  *
    545  *  See haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact for details about the encoding.
    546  */
    547 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(
    548     const haskellsecp256k1_v0_1_0_context *ctx,
    549     unsigned char *output64,
    550     const haskellsecp256k1_v0_1_0_ecdsa_signature *sig
    551 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    552 
    553 /** Verify an ECDSA signature.
    554  *
    555  *  Returns: 1: correct signature
    556  *           0: incorrect or unparseable signature
    557  *  Args:    ctx:       pointer to a context object
    558  *  In:      sig:       the signature being verified.
    559  *           msghash32: the 32-byte message hash being verified.
    560  *                      The verifier must make sure to apply a cryptographic
    561  *                      hash function to the message by itself and not accept an
    562  *                      msghash32 value directly. Otherwise, it would be easy to
    563  *                      create a "valid" signature without knowledge of the
    564  *                      secret key. See also
    565  *                      https://bitcoin.stackexchange.com/a/81116/35586 for more
    566  *                      background on this topic.
    567  *           pubkey:    pointer to an initialized public key to verify with.
    568  *
    569  * To avoid accepting malleable signatures, only ECDSA signatures in lower-S
    570  * form are accepted.
    571  *
    572  * If you need to accept ECDSA signatures from sources that do not obey this
    573  * rule, apply haskellsecp256k1_v0_1_0_ecdsa_signature_normalize to the signature prior to
    574  * verification, but be aware that doing so results in malleable signatures.
    575  *
    576  * For details, see the comments for that function.
    577  */
    578 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ecdsa_verify(
    579     const haskellsecp256k1_v0_1_0_context *ctx,
    580     const haskellsecp256k1_v0_1_0_ecdsa_signature *sig,
    581     const unsigned char *msghash32,
    582     const haskellsecp256k1_v0_1_0_pubkey *pubkey
    583 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    584 
    585 /** Convert a signature to a normalized lower-S form.
    586  *
    587  *  Returns: 1 if sigin was not normalized, 0 if it already was.
    588  *  Args: ctx:    pointer to a context object
    589  *  Out:  sigout: pointer to a signature to fill with the normalized form,
    590  *                or copy if the input was already normalized. (can be NULL if
    591  *                you're only interested in whether the input was already
    592  *                normalized).
    593  *  In:   sigin:  pointer to a signature to check/normalize (can be identical to sigout)
    594  *
    595  *  With ECDSA a third-party can forge a second distinct signature of the same
    596  *  message, given a single initial signature, but without knowing the key. This
    597  *  is done by negating the S value modulo the order of the curve, 'flipping'
    598  *  the sign of the random point R which is not included in the signature.
    599  *
    600  *  Forgery of the same message isn't universally problematic, but in systems
    601  *  where message malleability or uniqueness of signatures is important this can
    602  *  cause issues. This forgery can be blocked by all verifiers forcing signers
    603  *  to use a normalized form.
    604  *
    605  *  The lower-S form reduces the size of signatures slightly on average when
    606  *  variable length encodings (such as DER) are used and is cheap to verify,
    607  *  making it a good choice. Security of always using lower-S is assured because
    608  *  anyone can trivially modify a signature after the fact to enforce this
    609  *  property anyway.
    610  *
    611  *  The lower S value is always between 0x1 and
    612  *  0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
    613  *  inclusive.
    614  *
    615  *  No other forms of ECDSA malleability are known and none seem likely, but
    616  *  there is no formal proof that ECDSA, even with this additional restriction,
    617  *  is free of other malleability. Commonly used serialization schemes will also
    618  *  accept various non-unique encodings, so care should be taken when this
    619  *  property is required for an application.
    620  *
    621  *  The haskellsecp256k1_v0_1_0_ecdsa_sign function will by default create signatures in the
    622  *  lower-S form, and haskellsecp256k1_v0_1_0_ecdsa_verify will not accept others. In case
    623  *  signatures come from a system that cannot enforce this property,
    624  *  haskellsecp256k1_v0_1_0_ecdsa_signature_normalize must be called before verification.
    625  */
    626 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(
    627     const haskellsecp256k1_v0_1_0_context *ctx,
    628     haskellsecp256k1_v0_1_0_ecdsa_signature *sigout,
    629     const haskellsecp256k1_v0_1_0_ecdsa_signature *sigin
    630 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3);
    631 
    632 /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
    633  * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
    634  * extra entropy.
    635  */
    636 SECP256K1_API const haskellsecp256k1_v0_1_0_nonce_function haskellsecp256k1_v0_1_0_nonce_function_rfc6979;
    637 
    638 /** A default safe nonce generation function (currently equal to haskellsecp256k1_v0_1_0_nonce_function_rfc6979). */
    639 SECP256K1_API const haskellsecp256k1_v0_1_0_nonce_function haskellsecp256k1_v0_1_0_nonce_function_default;
    640 
    641 /** Create an ECDSA signature.
    642  *
    643  *  Returns: 1: signature created
    644  *           0: the nonce generation function failed, or the secret key was invalid.
    645  *  Args:    ctx:       pointer to a context object (not haskellsecp256k1_v0_1_0_context_static).
    646  *  Out:     sig:       pointer to an array where the signature will be placed.
    647  *  In:      msghash32: the 32-byte message hash being signed.
    648  *           seckey:    pointer to a 32-byte secret key.
    649  *           noncefp:   pointer to a nonce generation function. If NULL,
    650  *                      haskellsecp256k1_v0_1_0_nonce_function_default is used.
    651  *           ndata:     pointer to arbitrary data used by the nonce generation function
    652  *                      (can be NULL). If it is non-NULL and
    653  *                      haskellsecp256k1_v0_1_0_nonce_function_default is used, then ndata must be a
    654  *                      pointer to 32-bytes of additional data.
    655  *
    656  * The created signature is always in lower-S form. See
    657  * haskellsecp256k1_v0_1_0_ecdsa_signature_normalize for more details.
    658  */
    659 SECP256K1_API int haskellsecp256k1_v0_1_0_ecdsa_sign(
    660     const haskellsecp256k1_v0_1_0_context *ctx,
    661     haskellsecp256k1_v0_1_0_ecdsa_signature *sig,
    662     const unsigned char *msghash32,
    663     const unsigned char *seckey,
    664     haskellsecp256k1_v0_1_0_nonce_function noncefp,
    665     const void *ndata
    666 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    667 
    668 /** Verify an ECDSA secret key.
    669  *
    670  *  A secret key is valid if it is not 0 and less than the secp256k1 curve order
    671  *  when interpreted as an integer (most significant byte first). The
    672  *  probability of choosing a 32-byte string uniformly at random which is an
    673  *  invalid secret key is negligible.
    674  *
    675  *  Returns: 1: secret key is valid
    676  *           0: secret key is invalid
    677  *  Args:    ctx: pointer to a context object.
    678  *  In:      seckey: pointer to a 32-byte secret key.
    679  */
    680 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_seckey_verify(
    681     const haskellsecp256k1_v0_1_0_context *ctx,
    682     const unsigned char *seckey
    683 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
    684 
    685 /** Compute the public key for a secret key.
    686  *
    687  *  Returns: 1: secret was valid, public key stores.
    688  *           0: secret was invalid, try again.
    689  *  Args:    ctx:    pointer to a context object (not haskellsecp256k1_v0_1_0_context_static).
    690  *  Out:     pubkey: pointer to the created public key.
    691  *  In:      seckey: pointer to a 32-byte secret key.
    692  */
    693 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_create(
    694     const haskellsecp256k1_v0_1_0_context *ctx,
    695     haskellsecp256k1_v0_1_0_pubkey *pubkey,
    696     const unsigned char *seckey
    697 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    698 
    699 /** Negates a secret key in place.
    700  *
    701  *  Returns: 0 if the given secret key is invalid according to
    702  *           haskellsecp256k1_v0_1_0_ec_seckey_verify. 1 otherwise
    703  *  Args:   ctx:    pointer to a context object
    704  *  In/Out: seckey: pointer to the 32-byte secret key to be negated. If the
    705  *                  secret key is invalid according to
    706  *                  haskellsecp256k1_v0_1_0_ec_seckey_verify, this function returns 0 and
    707  *                  seckey will be set to some unspecified value.
    708  */
    709 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_seckey_negate(
    710     const haskellsecp256k1_v0_1_0_context *ctx,
    711     unsigned char *seckey
    712 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
    713 
    714 /** Same as haskellsecp256k1_v0_1_0_ec_seckey_negate, but DEPRECATED. Will be removed in
    715  *  future versions. */
    716 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_privkey_negate(
    717     const haskellsecp256k1_v0_1_0_context *ctx,
    718     unsigned char *seckey
    719 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
    720   SECP256K1_DEPRECATED("Use haskellsecp256k1_v0_1_0_ec_seckey_negate instead");
    721 
    722 /** Negates a public key in place.
    723  *
    724  *  Returns: 1 always
    725  *  Args:   ctx:        pointer to a context object
    726  *  In/Out: pubkey:     pointer to the public key to be negated.
    727  */
    728 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_negate(
    729     const haskellsecp256k1_v0_1_0_context *ctx,
    730     haskellsecp256k1_v0_1_0_pubkey *pubkey
    731 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
    732 
    733 /** Tweak a secret key by adding tweak to it.
    734  *
    735  *  Returns: 0 if the arguments are invalid or the resulting secret key would be
    736  *           invalid (only when the tweak is the negation of the secret key). 1
    737  *           otherwise.
    738  *  Args:    ctx:   pointer to a context object.
    739  *  In/Out: seckey: pointer to a 32-byte secret key. If the secret key is
    740  *                  invalid according to haskellsecp256k1_v0_1_0_ec_seckey_verify, this
    741  *                  function returns 0. seckey will be set to some unspecified
    742  *                  value if this function returns 0.
    743  *  In:    tweak32: pointer to a 32-byte tweak, which must be valid according to
    744  *                  haskellsecp256k1_v0_1_0_ec_seckey_verify or 32 zero bytes. For uniformly
    745  *                  random 32-byte tweaks, the chance of being invalid is
    746  *                  negligible (around 1 in 2^128).
    747  */
    748 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(
    749     const haskellsecp256k1_v0_1_0_context *ctx,
    750     unsigned char *seckey,
    751     const unsigned char *tweak32
    752 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    753 
    754 /** Same as haskellsecp256k1_v0_1_0_ec_seckey_tweak_add, but DEPRECATED. Will be removed in
    755  *  future versions. */
    756 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_privkey_tweak_add(
    757     const haskellsecp256k1_v0_1_0_context *ctx,
    758     unsigned char *seckey,
    759     const unsigned char *tweak32
    760 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
    761   SECP256K1_DEPRECATED("Use haskellsecp256k1_v0_1_0_ec_seckey_tweak_add instead");
    762 
    763 /** Tweak a public key by adding tweak times the generator to it.
    764  *
    765  *  Returns: 0 if the arguments are invalid or the resulting public key would be
    766  *           invalid (only when the tweak is the negation of the corresponding
    767  *           secret key). 1 otherwise.
    768  *  Args:    ctx:   pointer to a context object.
    769  *  In/Out: pubkey: pointer to a public key object. pubkey will be set to an
    770  *                  invalid value if this function returns 0.
    771  *  In:    tweak32: pointer to a 32-byte tweak, which must be valid according to
    772  *                  haskellsecp256k1_v0_1_0_ec_seckey_verify or 32 zero bytes. For uniformly
    773  *                  random 32-byte tweaks, the chance of being invalid is
    774  *                  negligible (around 1 in 2^128).
    775  */
    776 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(
    777     const haskellsecp256k1_v0_1_0_context *ctx,
    778     haskellsecp256k1_v0_1_0_pubkey *pubkey,
    779     const unsigned char *tweak32
    780 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    781 
    782 /** Tweak a secret key by multiplying it by a tweak.
    783  *
    784  *  Returns: 0 if the arguments are invalid. 1 otherwise.
    785  *  Args:   ctx:    pointer to a context object.
    786  *  In/Out: seckey: pointer to a 32-byte secret key. If the secret key is
    787  *                  invalid according to haskellsecp256k1_v0_1_0_ec_seckey_verify, this
    788  *                  function returns 0. seckey will be set to some unspecified
    789  *                  value if this function returns 0.
    790  *  In:    tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
    791  *                  haskellsecp256k1_v0_1_0_ec_seckey_verify, this function returns 0. For
    792  *                  uniformly random 32-byte arrays the chance of being invalid
    793  *                  is negligible (around 1 in 2^128).
    794  */
    795 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(
    796     const haskellsecp256k1_v0_1_0_context *ctx,
    797     unsigned char *seckey,
    798     const unsigned char *tweak32
    799 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    800 
    801 /** Same as haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in
    802  *  future versions. */
    803 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_privkey_tweak_mul(
    804     const haskellsecp256k1_v0_1_0_context *ctx,
    805     unsigned char *seckey,
    806     const unsigned char *tweak32
    807 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
    808   SECP256K1_DEPRECATED("Use haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul instead");
    809 
    810 /** Tweak a public key by multiplying it by a tweak value.
    811  *
    812  *  Returns: 0 if the arguments are invalid. 1 otherwise.
    813  *  Args:    ctx:   pointer to a context object.
    814  *  In/Out: pubkey: pointer to a public key object. pubkey will be set to an
    815  *                  invalid value if this function returns 0.
    816  *  In:    tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to
    817  *                  haskellsecp256k1_v0_1_0_ec_seckey_verify, this function returns 0. For
    818  *                  uniformly random 32-byte arrays the chance of being invalid
    819  *                  is negligible (around 1 in 2^128).
    820  */
    821 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(
    822     const haskellsecp256k1_v0_1_0_context *ctx,
    823     haskellsecp256k1_v0_1_0_pubkey *pubkey,
    824     const unsigned char *tweak32
    825 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    826 
    827 /** Randomizes the context to provide enhanced protection against side-channel leakage.
    828  *
    829  *  Returns: 1: randomization successful
    830  *           0: error
    831  *  Args:    ctx:       pointer to a context object (not haskellsecp256k1_v0_1_0_context_static).
    832  *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state).
    833  *
    834  * While secp256k1 code is written and tested to be constant-time no matter what
    835  * secret values are, it is possible that a compiler may output code which is not,
    836  * and also that the CPU may not emit the same radio frequencies or draw the same
    837  * amount of power for all values. Randomization of the context shields against
    838  * side-channel observations which aim to exploit secret-dependent behaviour in
    839  * certain computations which involve secret keys.
    840  *
    841  * It is highly recommended to call this function on contexts returned from
    842  * haskellsecp256k1_v0_1_0_context_create or haskellsecp256k1_v0_1_0_context_clone (or from the corresponding
    843  * functions in haskellsecp256k1_v0_1_0_preallocated.h) before using these contexts to call API
    844  * functions that perform computations involving secret keys, e.g., signing and
    845  * public key generation. It is possible to call this function more than once on
    846  * the same context, and doing so before every few computations involving secret
    847  * keys is recommended as a defense-in-depth measure. Randomization of the static
    848  * context haskellsecp256k1_v0_1_0_context_static is not supported.
    849  *
    850  * Currently, the random seed is mainly used for blinding multiplications of a
    851  * secret scalar with the elliptic curve base point. Multiplications of this
    852  * kind are performed by exactly those API functions which are documented to
    853  * require a context that is not haskellsecp256k1_v0_1_0_context_static. As a rule of thumb,
    854  * these are all functions which take a secret key (or a keypair) as an input.
    855  * A notable exception to that rule is the ECDH module, which relies on a different
    856  * kind of elliptic curve point multiplication and thus does not benefit from
    857  * enhanced protection against side-channel leakage currently.
    858  */
    859 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_context_randomize(
    860     haskellsecp256k1_v0_1_0_context *ctx,
    861     const unsigned char *seed32
    862 ) SECP256K1_ARG_NONNULL(1);
    863 
    864 /** Add a number of public keys together.
    865  *
    866  *  Returns: 1: the sum of the public keys is valid.
    867  *           0: the sum of the public keys is not valid.
    868  *  Args:   ctx:        pointer to a context object.
    869  *  Out:    out:        pointer to a public key object for placing the resulting public key.
    870  *  In:     ins:        pointer to array of pointers to public keys.
    871  *          n:          the number of public keys to add together (must be at least 1).
    872  */
    873 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_ec_pubkey_combine(
    874     const haskellsecp256k1_v0_1_0_context *ctx,
    875     haskellsecp256k1_v0_1_0_pubkey *out,
    876     const haskellsecp256k1_v0_1_0_pubkey * const *ins,
    877     size_t n
    878 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
    879 
    880 /** Compute a tagged hash as defined in BIP-340.
    881  *
    882  *  This is useful for creating a message hash and achieving domain separation
    883  *  through an application-specific tag. This function returns
    884  *  SHA256(SHA256(tag)||SHA256(tag)||msg). Therefore, tagged hash
    885  *  implementations optimized for a specific tag can precompute the SHA256 state
    886  *  after hashing the tag hashes.
    887  *
    888  *  Returns: 1 always.
    889  *  Args:    ctx: pointer to a context object
    890  *  Out:  hash32: pointer to a 32-byte array to store the resulting hash
    891  *  In:      tag: pointer to an array containing the tag
    892  *        taglen: length of the tag array
    893  *           msg: pointer to an array containing the message
    894  *        msglen: length of the message array
    895  */
    896 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int haskellsecp256k1_v0_1_0_tagged_sha256(
    897     const haskellsecp256k1_v0_1_0_context *ctx,
    898     unsigned char *hash32,
    899     const unsigned char *tag,
    900     size_t taglen,
    901     const unsigned char *msg,
    902     size_t msglen
    903 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
    904 
    905 #ifdef __cplusplus
    906 }
    907 #endif
    908 
    909 #endif /* SECP256K1_H */