Files

addr2line

lazy.rslib.rs

ahash

convert.rsfallback_hash.rslib.rs

aho_corasick

packed

teddy

compile.rsmod.rsruntime.rs

api.rsmod.rspattern.rsrabinkarp.rsvector.rs

ahocorasick.rsautomaton.rsbuffer.rsbyte_frequencies.rsclasses.rsdfa.rserror.rslib.rsnfa.rsprefilter.rsstate_id.rs

arrayref

lib.rs

arrayvec

array.rsarray_string.rschar.rserrors.rslib.rsmaybe_uninit_stable.rsrange.rs

artemis_asset

lib.rs

artemis_core

lib.rsregistry.rstypes.rs

artemis_erc20_app

lib.rspayload.rs

artemis_eth_app

lib.rspayload.rs

artemis_ethereum

lib.rslog.rs

backtrace

backtrace

libunwind.rsmod.rs

symbolize

gimli

elf.rsmmap_unix.rs

gimli.rsmod.rs

capture.rslib.rsprint.rstypes.rs

base58

lib.rs

bip39

crypto.rserror.rslanguage.rslib.rsmnemonic.rsmnemonic_type.rsseed.rsutil.rs

bitmask

lib.rs

bitvec

boxed

api.rsiter.rsops.rstraits.rs

macros

internal.rs

slice

api.rsiter.rsops.rsproxy.rstraits.rs

vec

api.rsiter.rsops.rstraits.rs

access.rsboxed.rsdomain.rsfields.rsindices.rslib.rsmacros.rsorder.rspointer.rsprelude.rsslice.rsstore.rsvec.rs

blake2_rfc

simd_opt

mod.rs

as_bytes.rsblake2.rsblake2b.rsblake2s.rsbytes.rslib.rssimd.rssimdint.rssimdop.rssimdty.rs

block_buffer

lib.rs

block_padding

lib.rs

byte_slice_cast

lib.rs

byte_tools

lib.rs

byteorder

io.rslib.rs

cfg_if

lib.rs

clear_on_drop

clear.rsclear_on_drop.rsclear_stack_on_return.rsfnoption.rshide.rslib.rs

const_random

lib.rs

const_random_macro

lib.rs

constant_time_eq

lib.rs

crunchy

lib.rs

crypto_mac

errors.rslib.rs

curve25519_dalek

backend

serial

curve_models

mod.rs

scalar_mul

mod.rspippenger.rsprecomputed_straus.rsstraus.rsvariable_base.rsvartime_double_base.rs

u64

constants.rsfield.rsmod.rsscalar.rs

mod.rs

mod.rs

constants.rsedwards.rsfield.rslib.rsmacros.rsmontgomery.rsprelude.rsristretto.rsscalar.rstraits.rswindow.rs

derive_more

add_assign_like.rsadd_helpers.rsadd_like.rsas_mut.rsas_ref.rsconstructor.rsderef.rsderef_mut.rsdisplay.rserror.rsfrom.rsfrom_str.rsindex.rsindex_mut.rsinto.rsinto_iterator.rslib.rsmul_assign_like.rsmul_helpers.rsmul_like.rsnot_like.rsparsing.rssum_like.rstry_into.rsutils.rs

digest

digest.rsdyn_digest.rserrors.rslib.rs

ed25519_dalek

constants.rsed25519.rserrors.rslib.rspublic.rssecret.rssignature.rs

either

lib.rs

environmental

lib.rs

ethabi_decode

decoder.rsevent.rslib.rsparam.rsstd.rstoken.rs

ethbloom

lib.rs

ethereum_types

hash.rslib.rsuint.rs

failure

backtrace

internal.rsmod.rs

error

error_impl.rsmod.rs

as_fail.rsbox_std.rscompat.rscontext.rserror_message.rslib.rsmacros.rsresult_ext.rssync_failure.rs

failure_derive

lib.rs

fake_simd

lib.rs

fixed_hash

hash.rslib.rs

frame_metadata

lib.rs

frame_support

storage

generator

double_map.rsmap.rsmod.rsvalue.rs

child.rshashed.rsmigration.rsmod.rsunhashed.rs

debug.rsdispatch.rserror.rsevent.rshash.rsinherent.rslib.rsmetadata.rsorigin.rstraits.rsunsigned.rsweights.rs

frame_support_procedural

construct_runtime

mod.rsparse.rs

storage

genesis_config

builder_def.rsgenesis_config_def.rsmod.rs

getters.rsinstance_trait.rsmetadata.rsmod.rsparse.rsstorage_struct.rsstore_trait.rs

lib.rs

frame_support_procedural_tools

lib.rssyn_ext.rs

frame_support_procedural_tools_derive

lib.rs

frame_system

extensions

check_genesis.rscheck_mortality.rscheck_nonce.rscheck_spec_version.rscheck_tx_version.rscheck_weight.rsmod.rs

lib.rsoffchain.rsweights.rs

futures

lib.rs

futures_channel

mpsc

mod.rsqueue.rssink_impl.rs

lib.rslock.rsoneshot.rs

futures_core

task

__internal

atomic_waker.rsmod.rs

mod.rspoll.rs

future.rslib.rsstream.rs

futures_executor

enter.rslib.rslocal_pool.rsthread_pool.rsunpark_mutex.rs

futures_io

lib.rs

futures_macro

join.rslib.rsselect.rs

futures_sink

lib.rs

futures_task

arc_wake.rsfuture_obj.rslib.rsnoop_waker.rsspawn.rswaker.rswaker_ref.rs

futures_util

async_await

join_mod.rsmod.rspending.rspoll.rsrandom.rsselect_mod.rs

future

future

catch_unwind.rsflatten.rsfuse.rsmap.rsmod.rsremote_handle.rsshared.rs

try_future

into_future.rsmod.rstry_flatten.rstry_flatten_err.rs

abortable.rseither.rsjoin.rsjoin_all.rslazy.rsmaybe_done.rsmod.rsoption.rspending.rspoll_fn.rsready.rsselect.rsselect_all.rsselect_ok.rstry_join.rstry_join_all.rstry_maybe_done.rstry_select.rs

io

allow_std.rsbuf_reader.rsbuf_writer.rschain.rsclose.rscopy.rscopy_buf.rscursor.rsempty.rsflush.rsinto_sink.rslines.rsmod.rsread.rsread_exact.rsread_line.rsread_to_end.rsread_to_string.rsread_until.rsread_vectored.rsrepeat.rsseek.rssink.rssplit.rstake.rswindow.rswrite.rswrite_all.rswrite_vectored.rs

lock

bilock.rsmod.rsmutex.rs

sink

buffer.rsclose.rsdrain.rserr_into.rsfanout.rsflush.rsmap_err.rsmod.rssend.rssend_all.rswith.rswith_flat_map.rs

stream

futures_unordered

abort.rsiter.rsmod.rsready_to_run_queue.rstask.rs

stream

buffer_unordered.rsbuffered.rscatch_unwind.rschain.rschunks.rscollect.rsconcat.rsenumerate.rsfilter.rsfilter_map.rsflatten.rsfold.rsfor_each.rsfor_each_concurrent.rsforward.rsfuse.rsinto_future.rsmap.rsmod.rsnext.rspeek.rsready_chunks.rsscan.rsselect_next_some.rsskip.rsskip_while.rssplit.rstake.rstake_until.rstake_while.rsthen.rszip.rs

try_stream

and_then.rsinto_async_read.rsinto_stream.rsmod.rsor_else.rstry_buffer_unordered.rstry_collect.rstry_concat.rstry_filter.rstry_filter_map.rstry_flatten.rstry_fold.rstry_for_each.rstry_for_each_concurrent.rstry_next.rstry_skip_while.rstry_unfold.rs

empty.rsfutures_ordered.rsiter.rsmod.rsonce.rspending.rspoll_fn.rsrepeat.rsselect.rsselect_all.rsunfold.rs

task

mod.rsspawn.rs

fns.rslib.rsnever.rs

generic_array

arr.rsfunctional.rshex.rsimpls.rsiter.rslib.rssequence.rs

getrandom

error.rserror_impls.rslib.rslinux_android.rsuse_file.rsutil.rsutil_libc.rs

gimli

read

abbrev.rsaddr.rsaranges.rscfi.rsdwarf.rsendian_slice.rsline.rsloclists.rslookup.rsmod.rsop.rspubnames.rspubtypes.rsreader.rsrnglists.rsstr.rsunit.rsvalue.rs

arch.rscommon.rsconstants.rsendianity.rsleb128.rslib.rs

hash256_std_hasher

lib.rs

hash_db

lib.rs

hashbrown

external_trait_impls

mod.rs

raw

bitmask.rsmod.rssse2.rs

lib.rsmacros.rsmap.rsscopeguard.rsset.rs

hex

error.rslib.rs

hex_literal

lib.rs

hmac

lib.rs

hmac_drbg

lib.rs

impl_codec

lib.rs

impl_rlp

lib.rs

impl_serde

lib.rsserialize.rs

impl_trait_for_tuples

full_automatic.rslib.rssemi_automatic.rsutils.rs

inflector

cases

camelcase

mod.rs

case

mod.rs

classcase

mod.rs

kebabcase

mod.rs

pascalcase

mod.rs

screamingsnakecase

mod.rs

sentencecase

mod.rs

snakecase

mod.rs

tablecase

mod.rs

titlecase

mod.rs

traincase

mod.rs

mod.rs

numbers

deordinalize

mod.rs

ordinalize

mod.rs

mod.rs

string

constants

mod.rs

deconstantize

mod.rs

demodulize

mod.rs

pluralize

mod.rs

singularize

mod.rs

mod.rs

suffix

foreignkey

mod.rs

mod.rs

lib.rs

integer_sqrt

lib.rs

itertools

adaptors

mod.rsmulti_product.rs

combinations.rscombinations_with_replacement.rsconcat_impl.rscons_tuples_impl.rsdiff.rseither_or_both.rsexactly_one_err.rsformat.rsfree.rsgroup_map.rsgroupbylazy.rsimpl_macros.rsintersperse.rskmerge_impl.rslazy_buffer.rslib.rsmerge_join.rsminmax.rsmultipeek_impl.rspad_tail.rspeeking_take_while.rspermutations.rsprocess_results_impl.rsput_back_n_impl.rsrciter_impl.rsrepeatn.rssize_hint.rssources.rstee.rstuple_impl.rsunique_impl.rswith_position.rszip_eq_impl.rszip_longest.rsziptuple.rs

keccak

lib.rs

lazy_static

inline_lazy.rslib.rs

libc

unix

linux_like

linux

gnu

b64

x86_64

align.rsmod.rsnot_x32.rs

mod.rs

align.rsmod.rs

align.rsmod.rs

mod.rs

align.rsmod.rs

fixed_width_ints.rslib.rsmacros.rs

lock_api

lib.rsmutex.rsremutex.rsrwlock.rs

log

lib.rsmacros.rs

memchr

x86

avx.rsmod.rssse2.rs

fallback.rsiter.rslib.rsnaive.rs

memory_db

lib.rs

memory_units

lib.rs

merlin

constants.rslib.rsstrobe.rstranscript.rs

nodrop

lib.rs

num_bigint

algorithms.rsbigint.rsbiguint.rslib.rsmacros.rsmonty.rs

num_cpus

lib.rslinux.rs

num_integer

lib.rsroots.rs

num_rational

lib.rs

num_traits

ops

checked.rsinv.rsmod.rsmul_add.rssaturating.rswrapping.rs

bounds.rscast.rsfloat.rsidentities.rsint.rslib.rsmacros.rspow.rsreal.rssign.rs

object

read

coff

file.rsmod.rsrelocation.rssection.rssymbol.rs

elf

compression.rsfile.rsmod.rsnote.rsrelocation.rssection.rssegment.rssymbol.rs

macho

file.rsload_command.rsmod.rsrelocation.rssection.rssegment.rssymbol.rs

pe

file.rsmod.rssection.rs

any.rsmod.rstraits.rsutil.rs

common.rself.rsendian.rslib.rsmacho.rspe.rspod.rs

once_cell

imp_pl.rslib.rs

opaque_debug

lib.rs

pallet_bridge

lib.rs

pallet_verifier

lib.rs

parity_scale_codec

codec.rscompact.rsdecode_all.rsdepth_limit.rsencode_append.rsencode_like.rsjoiner.rskeyedvec.rslib.rs

parity_scale_codec_derive

decode.rsencode.rslib.rstrait_bounds.rsutils.rs

parity_util_mem

allocators.rslib.rsmalloc_size.rsprimitives_impls.rs

parity_util_mem_derive

lib.rs

parity_wasm

builder

code.rsdata.rsexport.rsglobal.rsimport.rsinvoke.rsmemory.rsmisc.rsmod.rsmodule.rstable.rs

elements

export_entry.rsfunc.rsglobal_entry.rsimport_entry.rsindex_map.rsmod.rsmodule.rsname_section.rsops.rsprimitives.rsreloc_section.rssection.rssegment.rstypes.rs

io.rslib.rs

parking_lot

condvar.rsdeadlock.rselision.rsfair_mutex.rslib.rsmutex.rsonce.rsraw_fair_mutex.rsraw_mutex.rsraw_rwlock.rsremutex.rsrwlock.rsutil.rs

parking_lot_core

thread_parker

linux.rsmod.rs

lib.rsparking_lot.rsspinwait.rsutil.rsword_lock.rs

paste

lib.rs

paste_impl

enum_hack.rslib.rs

pbkdf2

lib.rs

pin_project

lib.rs

pin_project_internal

pin_project

attribute.rsderive.rsmod.rs

lib.rspinned_drop.rsproject.rsutils.rs

pin_utils

lib.rsprojection.rsstack_pin.rs

ppv_lite86

x86_64

mod.rssse2.rs

lib.rssoft.rstypes.rs

primitive_types

lib.rs

proc_macro2

detection.rsfallback.rslib.rsparse.rswrapper.rs

proc_macro_crate

lib.rs

proc_macro_hack

error.rsiter.rslib.rsparse.rsquote.rs

proc_macro_nested

lib.rs

quote

ext.rsformat.rsident_fragment.rslib.rsruntime.rsspanned.rsto_tokens.rs

radium

lib.rs

rand

distributions

weighted

alias_method.rsmod.rs

bernoulli.rsbinomial.rscauchy.rsdirichlet.rsexponential.rsfloat.rsgamma.rsinteger.rsmod.rsnormal.rsother.rspareto.rspoisson.rstriangular.rsuniform.rsunit_circle.rsunit_sphere.rsutils.rsweibull.rsziggurat_tables.rs

rngs

adapter

mod.rsread.rsreseeding.rs

entropy.rsmock.rsmod.rssmall.rsstd.rsthread.rs

seq

index.rsmod.rs

lib.rsprelude.rs

rand_chacha

chacha.rsguts.rslib.rs

rand_core

block.rserror.rsimpls.rsle.rslib.rsos.rs

rand_pcg

lib.rspcg128.rspcg64.rs

ref_cast

lib.rstrivial.rs

ref_cast_impl

lib.rs

regex

literal

imp.rsmod.rs

backtrack.rscache.rscompile.rsdfa.rserror.rsexec.rsexpand.rsfind_byte.rsfreqs.rsinput.rslib.rspikevm.rsprog.rsre_builder.rsre_bytes.rsre_set.rsre_trait.rsre_unicode.rssparse.rsutf8.rs

regex_syntax

ast

mod.rsparse.rsprint.rsvisitor.rs

hir

literal

mod.rs

interval.rsmod.rsprint.rstranslate.rsvisitor.rs

unicode_tables

age.rscase_folding_simple.rsgeneral_category.rsgrapheme_cluster_break.rsmod.rsperl_word.rsproperty_bool.rsproperty_names.rsproperty_values.rsscript.rsscript_extension.rssentence_break.rsword_break.rs

either.rserror.rslib.rsparser.rsunicode.rsutf8.rs

rental

lib.rs

rental_impl

lib.rs

rlp

error.rsimpls.rslib.rsrlpin.rsstream.rstraits.rs

rustc_demangle

legacy.rslib.rsv0.rs

rustc_hash

lib.rs

rustc_hex

lib.rs

schnorrkel

batch.rscert.rscontext.rsderive.rserrors.rskeys.rslib.rsmusig.rspoints.rsscalars.rsserdey.rssign.rsvrf.rs

scopeguard

lib.rs

secp256k1

ecmult

mod.rs

der.rsecdh.rsecdsa.rserror.rsfield.rsgroup.rslib.rsscalar.rs

serde

de

from_primitive.rsignored_any.rsimpls.rsmod.rsutf8.rsvalue.rs

private

de.rsmacros.rsmod.rsser.rs

ser

fmt.rsimpls.rsimpossible.rsmod.rs

export.rsinteger128.rslib.rsmacros.rs

serde_derive

internals

ast.rsattr.rscase.rscheck.rsctxt.rsmod.rssymbol.rs

bound.rsde.rsdummy.rsfragment.rslib.rspretend.rsser.rstry.rs

sha2

consts.rslib.rssha256.rssha256_utils.rssha512.rssha512_utils.rs

slab

lib.rs

smallvec

lib.rs

sp_application_crypto

ecdsa.rsed25519.rslib.rssr25519.rstraits.rs

sp_arithmetic

biguint.rsfixed_point.rshelpers_128bit.rslib.rsper_things.rsrational128.rstraits.rs

sp_core

offchain

mod.rsstorage.rstesting.rs

changes_trie.rscrypto.rsecdsa.rsed25519.rshash.rshasher.rshashing.rshexdisplay.rslib.rssandbox.rssr25519.rstasks.rstesting.rstraits.rsu32_trait.rsuint.rsvrf.rs

sp_debug_derive

impls.rslib.rs

sp_externalities

extensions.rslib.rsscope_limited.rs

sp_inherents

lib.rs

sp_io

batch_verifier.rslib.rs

sp_panic_handler

lib.rs

sp_runtime

generic

block.rschecked_extrinsic.rsdigest.rsera.rsheader.rsmod.rsunchecked_extrinsic.rs

offchain

http.rsmod.rsstorage.rsstorage_lock.rs

curve.rslib.rsrandom_number_generator.rsruntime_string.rstesting.rstraits.rstransaction_validity.rs

sp_runtime_interface

host.rsimpls.rslib.rspass_by.rsutil.rswasm.rs

sp_runtime_interface_proc_macro

pass_by

codec.rsenum_.rsinner.rsmod.rs

runtime_interface

bare_function_interface.rshost_function_interface.rsmod.rstrait_decl_impl.rs

lib.rsutils.rs

sp_state_machine

changes_trie

build.rsbuild_cache.rsbuild_iterator.rschanges_iterator.rsinput.rsmod.rsprune.rsstorage.rssurface_iterator.rs

overlayed_changes

changeset.rsmod.rs

backend.rsbasic.rserror.rsext.rsin_memory_backend.rslib.rsproving_backend.rsread_only.rsstats.rstesting.rstrie_backend.rstrie_backend_essence.rs

sp_std

lib.rswith_std.rs

sp_storage

lib.rs

sp_tracing

lib.rsproxy.rs

sp_trie

error.rslib.rsnode_codec.rsnode_header.rsstorage_proof.rstrie_stream.rs

sp_version

lib.rs

sp_wasm_interface

lib.rswasmi_impl.rs

stable_deref_trait

lib.rs

static_assertions

assert_cfg.rsassert_eq_align.rsassert_eq_size.rsassert_fields.rsassert_impl.rsassert_obj_safe.rsassert_trait.rsassert_type.rsconst_assert.rslib.rs

substrate_bip39

lib.rs

subtle

lib.rs

syn

gen

fold.rsgen_helper.rsvisit.rsvisit_mut.rs

attr.rsbigint.rsbuffer.rscustom_keyword.rscustom_punctuation.rsdata.rsderive.rsdiscouraged.rserror.rsexport.rsexpr.rsext.rsfile.rsgenerics.rsgroup.rsident.rsitem.rslib.rslifetime.rslit.rslookahead.rsmac.rsmacros.rsop.rsparse.rsparse_macro_input.rsparse_quote.rspat.rspath.rsprint.rspunctuated.rssealed.rsspan.rsspanned.rsstmt.rsthread.rstoken.rstt.rsty.rsverbatim.rs

synstructure

lib.rsmacros.rs

thread_local

cached.rslib.rsthread_id.rsunreachable.rs

tiny_keccak

keccak.rslib.rs

toml

datetime.rsde.rslib.rsmacros.rsmap.rsser.rsspanned.rstokens.rsvalue.rs

tracing

dispatcher.rsfield.rslevel_filters.rslib.rsmacros.rsspan.rsstdlib.rssubscriber.rs

tracing_attributes

lib.rs

tracing_core

callsite.rsdispatcher.rsevent.rsfield.rslib.rsmetadata.rsparent.rsspan.rsstdlib.rssubscriber.rs

trie_db

nibble

leftnibbleslice.rsmod.rsnibbleslice.rsnibblevec.rs

proof

generate.rsmod.rsverify.rs

fatdb.rsfatdbmut.rsiter_build.rsiterator.rslib.rslookup.rsnode.rsnode_codec.rsrecorder.rssectriedb.rssectriedbmut.rstrie_codec.rstriedb.rstriedbmut.rs

trie_root

lib.rs

twox_hash

lib.rssixty_four.rsstd_support.rsthirty_two.rs

typenum

array.rsbit.rsint.rslib.rsmarker_traits.rsoperator_aliases.rsprivate.rstype_operators.rsuint.rs

uint

lib.rsuint.rs

unicode_normalization

__test_api.rsdecompose.rslib.rslookups.rsnormalize.rsperfect_hash.rsquick_check.rsrecompose.rsstream_safe.rstables.rs

unicode_xid

lib.rstables.rs

wasmi

memory

mmap_bytebuf.rsmod.rs

prepare

compile.rsmod.rs

func.rsglobal.rshost.rsimports.rsisa.rslib.rsmodule.rsnan_preserving_float.rsrunner.rstable.rstypes.rsvalue.rs

wasmi_validation

context.rsfunc.rslib.rsstack.rsutil.rs

zeroize

lib.rs

zeroize_derive

lib.rs

>

//! Pure Rust implementation of the secp256k1 curve and fast ECDSA
//! signatures. The secp256k1 curve is used excusively in Bitcoin and
//! Ethereum alike cryptocurrencies.

#![deny(unused_import_braces, unused_imports,
        unused_comparisons, unused_must_use,
        unused_variables, non_shorthand_field_patterns,
        unreachable_code, unused_parens)]

#![cfg_attr(not(feature = "std"), no_std)]

#[macro_use]
mod field;
#[macro_use]
mod group;
mod scalar;
mod ecmult;
mod ecdsa;
mod ecdh;
mod error;
mod der;

#[macro_use]
extern crate alloc;

use core::convert::TryFrom;
#[cfg(feature = "hmac")]
use hmac_drbg::HmacDRBG;
#[cfg(feature = "hmac")]
use sha2::Sha256;
#[cfg(feature = "hmac")]
use typenum::U32;
use arrayref::{array_ref, array_mut_ref};
use rand::Rng;
use digest::generic_array::GenericArray;
use digest::Digest;

use crate::field::Field;
use crate::group::{Affine, Jacobian};
use crate::scalar::Scalar;
use crate::ecmult::{ECMULT_CONTEXT, ECMULT_GEN_CONTEXT};

pub use crate::error::Error;

/// Curve related structs.
pub mod curve {
    pub use crate::field::Field;
    pub use crate::group::{Affine, Jacobian, AffineStorage, AFFINE_G, CURVE_B};
    pub use crate::scalar::Scalar;

    pub use crate::ecmult::{ECMultContext, ECMultGenContext,
                            ECMULT_CONTEXT, ECMULT_GEN_CONTEXT};
}

/// Utilities to manipulate the secp256k1 curve parameters.
pub mod util {
    pub const TAG_PUBKEY_EVEN: u8 = 0x02;
    pub const TAG_PUBKEY_ODD: u8 = 0x03;
    pub const TAG_PUBKEY_FULL: u8 = 0x04;
    pub const TAG_PUBKEY_HYBRID_EVEN: u8 = 0x06;
    pub const TAG_PUBKEY_HYBRID_ODD: u8 = 0x07;

    pub const MESSAGE_SIZE: usize = 32;
    pub const SECRET_KEY_SIZE: usize = 32;
    pub const RAW_PUBLIC_KEY_SIZE: usize = 64;
    pub const FULL_PUBLIC_KEY_SIZE: usize = 65;
    pub const COMPRESSED_PUBLIC_KEY_SIZE: usize = 33;
    pub const SIGNATURE_SIZE: usize = 64;
    pub const DER_MAX_SIGNATURE_SIZE: usize = 72;

    pub use crate::group::{AFFINE_INFINITY, JACOBIAN_INFINITY,
                           set_table_gej_var, globalz_set_table_gej};
    pub use crate::ecmult::{WINDOW_A, WINDOW_G, ECMULT_TABLE_SIZE_A, ECMULT_TABLE_SIZE_G,
                            odd_multiples_table};

    pub use crate::der::SignatureArray;
}

#[derive(Debug, Clone, Eq, PartialEq)]
/// Public key on a secp256k1 curve.
pub struct PublicKey(Affine);
#[derive(Debug, Clone, Eq, PartialEq)]
/// Secret key (256-bit) on a secp256k1 curve.
pub struct SecretKey(Scalar);
#[derive(Debug, Clone, Eq, PartialEq)]
/// An ECDSA signature.
pub struct Signature {
    pub r: Scalar,
    pub s: Scalar
}
#[derive(Debug, Clone, Copy, Eq, PartialEq)]
/// Tag used for public key recovery from signatures.
pub struct RecoveryId(u8);
#[derive(Debug, Clone, Eq, PartialEq)]
/// Hashed message input to an ECDSA signature.
pub struct Message(pub Scalar);
#[derive(Debug, Clone, Eq, PartialEq)]
/// Shared secret using ECDH.
pub struct SharedSecret<D: Digest>(GenericArray<u8, D::OutputSize>);

/// Format for public key parsing.
pub enum PublicKeyFormat {
    /// Compressed public key, 33 bytes.
    Compressed,
    /// Full length public key, 65 bytes.
    Full,
    /// Raw public key, 64 bytes.
    Raw,
}

impl PublicKey {
    pub fn from_secret_key(seckey: &SecretKey) -> PublicKey {
        let mut pj = Jacobian::default();
        ECMULT_GEN_CONTEXT.ecmult_gen(&mut pj, &seckey.0);
        let mut p = Affine::default();
        p.set_gej(&pj);
        PublicKey(p)
    }

    pub fn parse_slice(p: &[u8], format: Option<PublicKeyFormat>) -> Result<PublicKey, Error> {
        let format = match (p.len(), format) {
            (util::FULL_PUBLIC_KEY_SIZE, None) |
            (util::FULL_PUBLIC_KEY_SIZE, Some(PublicKeyFormat::Full)) =>
                PublicKeyFormat::Full,
            (util::COMPRESSED_PUBLIC_KEY_SIZE, None) |
            (util::COMPRESSED_PUBLIC_KEY_SIZE, Some(PublicKeyFormat::Compressed)) =>
                PublicKeyFormat::Compressed,
            (util::RAW_PUBLIC_KEY_SIZE, None) |
            (util::RAW_PUBLIC_KEY_SIZE, Some(PublicKeyFormat::Raw)) =>
                PublicKeyFormat::Raw,
            _ => return Err(Error::InvalidInputLength),
        };

        match format {
            PublicKeyFormat::Full => {
                let mut a = [0; util::FULL_PUBLIC_KEY_SIZE];
                a.copy_from_slice(p);
                Self::parse(&a)
            },
            PublicKeyFormat::Raw => {
                use util::TAG_PUBKEY_FULL;

                let mut a = [0; util::FULL_PUBLIC_KEY_SIZE];
                a[0] = TAG_PUBKEY_FULL;
                a[1..].copy_from_slice(p);
                Self::parse(&a)
            },
            PublicKeyFormat::Compressed => {
                let mut a = [0; util::COMPRESSED_PUBLIC_KEY_SIZE];
                a.copy_from_slice(p);
                Self::parse_compressed(&a)
            },
        }
    }

    pub fn parse(p: &[u8; util::FULL_PUBLIC_KEY_SIZE]) -> Result<PublicKey, Error> {
        use util::{TAG_PUBKEY_FULL, TAG_PUBKEY_HYBRID_EVEN, TAG_PUBKEY_HYBRID_ODD};

        if !(p[0] == TAG_PUBKEY_FULL || p[0] == TAG_PUBKEY_HYBRID_EVEN || p[0] == TAG_PUBKEY_HYBRID_ODD) {
            return Err(Error::InvalidPublicKey);
        }
        let mut x = Field::default();
        let mut y = Field::default();
        if !x.set_b32(array_ref!(p, 1, 32)) {
            return Err(Error::InvalidPublicKey);
        }
        if !y.set_b32(array_ref!(p, 33, 32)) {
            return Err(Error::InvalidPublicKey);
        }
        let mut elem = Affine::default();
        elem.set_xy(&x, &y);
        if (p[0] == TAG_PUBKEY_HYBRID_EVEN || p[0] == TAG_PUBKEY_HYBRID_ODD) &&
            (y.is_odd() != (p[0] == TAG_PUBKEY_HYBRID_ODD))
        {
            return Err(Error::InvalidPublicKey);
        }
        if elem.is_infinity() {
            return Err(Error::InvalidPublicKey);
        }
        if elem.is_valid_var() {
            return Ok(PublicKey(elem));
        } else {
            return Err(Error::InvalidPublicKey);
        }
    }

    pub fn parse_compressed(p: &[u8; util::COMPRESSED_PUBLIC_KEY_SIZE]) -> Result<PublicKey, Error> {
        use util::{TAG_PUBKEY_EVEN, TAG_PUBKEY_ODD};

        if !(p[0] == TAG_PUBKEY_EVEN || p[0] == TAG_PUBKEY_ODD) {
            return Err(Error::InvalidPublicKey);
        }
        let mut x = Field::default();
        if !x.set_b32(array_ref!(p, 1, 32)) {
            return Err(Error::InvalidPublicKey);
        }
        let mut elem = Affine::default();
        elem.set_xo_var(&x, p[0] == TAG_PUBKEY_ODD);
        if elem.is_infinity() {
            return Err(Error::InvalidPublicKey);
        }
        if elem.is_valid_var() {
            return Ok(PublicKey(elem));
        } else {
            return Err(Error::InvalidPublicKey);
        }
    }

    pub fn serialize(&self) -> [u8; util::FULL_PUBLIC_KEY_SIZE] {
        use util::TAG_PUBKEY_FULL;

        debug_assert!(!self.0.is_infinity());

        let mut ret = [0u8; 65];
        let mut elem = self.0.clone();

        elem.x.normalize_var();
        elem.y.normalize_var();
        elem.x.fill_b32(array_mut_ref!(ret, 1, 32));
        elem.y.fill_b32(array_mut_ref!(ret, 33, 32));
        ret[0] = TAG_PUBKEY_FULL;

        ret
    }

    pub fn serialize_compressed(&self) -> [u8; util::COMPRESSED_PUBLIC_KEY_SIZE] {
        use util::{TAG_PUBKEY_ODD, TAG_PUBKEY_EVEN};

        debug_assert!(!self.0.is_infinity());

        let mut ret = [0u8; 33];
        let mut elem = self.0.clone();

        elem.x.normalize_var();
        elem.y.normalize_var();
        elem.x.fill_b32(array_mut_ref!(ret, 1, 32));
        ret[0] = if elem.y.is_odd() {
            TAG_PUBKEY_ODD
        } else {
            TAG_PUBKEY_EVEN
        };

        ret
    }

    pub fn tweak_add_assign(&mut self, tweak: &SecretKey) -> Result<(), Error> {
        let mut r = Jacobian::default();
        let a = Jacobian::from_ge(&self.0);
        let one = Scalar::from_int(1);
        ECMULT_CONTEXT.ecmult(&mut r, &a, &one, &tweak.0);

        if r.is_infinity() {
            return Err(Error::TweakOutOfRange);
        }

        self.0.set_gej(&r);
        Ok(())
    }

    pub fn tweak_mul_assign(&mut self, tweak: &SecretKey) -> Result<(), Error> {
        if tweak.0.is_zero() {
            return Err(Error::TweakOutOfRange);
        }

        let mut r = Jacobian::default();
        let zero = Scalar::from_int(0);
        let pt = Jacobian::from_ge(&self.0);
        ECMULT_CONTEXT.ecmult(&mut r, &pt, &tweak.0, &zero);

        self.0.set_gej(&r);
        Ok(())
    }

    pub fn combine(keys: &[PublicKey]) -> Result<Self, Error> {
        let mut qj = Jacobian::default();
        qj.set_infinity();

        for key in keys {
            qj = qj.add_ge(&key.0);
        }

        if qj.is_infinity() {
            return Err(Error::InvalidPublicKey);
        }

        let q = Affine::from_gej(&qj);
        Ok(PublicKey(q))
    }
}

impl Into<Affine> for PublicKey {
    fn into(self) -> Affine {
        self.0
    }
}

impl SecretKey {
    pub fn parse(p: &[u8; util::SECRET_KEY_SIZE]) -> Result<SecretKey, Error> {
        let mut elem = Scalar::default();
        if !bool::from(elem.set_b32(p)) {
            Self::try_from(elem)
        } else {
            Err(Error::InvalidSecretKey)
        }
    }

    pub fn parse_slice(p: &[u8]) -> Result<SecretKey, Error> {
        if p.len() != util::SECRET_KEY_SIZE {
            return Err(Error::InvalidInputLength);
        }

        let mut a = [0; 32];
        a.copy_from_slice(p);
        Self::parse(&a)
    }

    pub fn random<R: Rng>(rng: &mut R) -> SecretKey {
        loop {
            let mut ret = [0u8; util::SECRET_KEY_SIZE];
            rng.fill_bytes(&mut ret);

            match Self::parse(&ret) {
                Ok(key) => return key,
                Err(_) => (),
            }
        }
    }

    pub fn serialize(&self) -> [u8; util::SECRET_KEY_SIZE] {
        self.0.b32()
    }

    pub fn tweak_add_assign(&mut self, tweak: &SecretKey) -> Result<(), Error> {
        let v = &self.0 + &tweak.0;
        if v.is_zero() {
            return Err(Error::TweakOutOfRange);
        }
        self.0 = v;
        Ok(())
    }

    pub fn tweak_mul_assign(&mut self, tweak: &SecretKey) -> Result<(), Error> {
        if tweak.0.is_zero() {
            return Err(Error::TweakOutOfRange);
        }

        self.0 *= &tweak.0;
        Ok(())
    }

    pub fn inv(&self) -> Self {
        SecretKey(self.0.inv())
    }
}

impl Default for SecretKey {
    fn default() -> SecretKey {
        let mut elem = Scalar::default();
        let overflowed = bool::from(elem.set_b32(
            &[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		      0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
              0x00,0x00,0x00,0x00,0x00,0x01]
        ));
        debug_assert!(!overflowed);
        debug_assert!(!elem.is_zero());
        SecretKey(elem)
    }
}

impl Into<Scalar> for SecretKey {
    fn into(self) -> Scalar {
        self.0.clone()
    }
}

impl TryFrom<Scalar> for SecretKey {
    type Error = Error;

    fn try_from(scalar: Scalar) -> Result<Self, Error> {
        if scalar.is_zero() {
            Err(Error::InvalidSecretKey)
        } else {
            Ok(Self(scalar))
        }
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        self.0.clear();
    }
}

impl core::fmt::LowerHex for SecretKey {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        let scalar: Scalar = self.clone().into();

        write!(f, "{:x}", scalar)
    }
}

impl Signature {
    pub fn parse(p: &[u8; util::SIGNATURE_SIZE]) -> Signature {
        let mut r = Scalar::default();
        let mut s = Scalar::default();

        // Okay for signature to overflow
        let _ = r.set_b32(array_ref!(p, 0, 32));
        let _ = s.set_b32(array_ref!(p, 32, 32));

        Signature { r, s }
    }

    pub fn parse_slice(p: &[u8]) -> Result<Signature, Error> {
        if p.len() != util::SIGNATURE_SIZE {
            return Err(Error::InvalidInputLength);
        }

        let mut a = [0; util::SIGNATURE_SIZE];
        a.copy_from_slice(p);
        Ok(Self::parse(&a))
    }

    pub fn parse_der(p: &[u8]) -> Result<Signature, Error> {
        let mut decoder = der::Decoder::new(p);

        decoder.read_constructed_sequence()?;
        let rlen = decoder.read_len()?;

        if rlen != decoder.remaining_len() {
            return Err(Error::InvalidSignature);
        }

        let r = decoder.read_integer()?;
        let s = decoder.read_integer()?;

        if decoder.remaining_len() != 0 {
            return Err(Error::InvalidSignature);
        }

        Ok(Signature { r, s })
    }

    /// Converts a "lax DER"-encoded byte slice to a signature. This is basically
    /// only useful for validating signatures in the Bitcoin blockchain from before
    /// 2016. It should never be used in new applications. This library does not
    /// support serializing to this "format"
    pub fn parse_der_lax(p: &[u8]) -> Result<Signature, Error> {
        let mut decoder = der::Decoder::new(p);

        decoder.read_constructed_sequence()?;
        decoder.read_seq_len_lax()?;

        let r = decoder.read_integer_lax()?;
        let s = decoder.read_integer_lax()?;

        Ok(Signature { r, s })
    }

    /// Normalizes a signature to a "low S" form. In ECDSA, signatures are
    /// of the form (r, s) where r and s are numbers lying in some finite
    /// field. The verification equation will pass for (r, s) iff it passes
    /// for (r, -s), so it is possible to ``modify'' signatures in transit
    /// by flipping the sign of s. This does not constitute a forgery since
    /// the signed message still cannot be changed, but for some applications,
    /// changing even the signature itself can be a problem. Such applications
    /// require a "strong signature". It is believed that ECDSA is a strong
    /// signature except for this ambiguity in the sign of s, so to accommodate
    /// these applications libsecp256k1 will only accept signatures for which
    /// s is in the lower half of the field range. This eliminates the
    /// ambiguity.
    ///
    /// However, for some systems, signatures with high s-values are considered
    /// valid. (For example, parsing the historic Bitcoin blockchain requires
    /// this.) For these applications we provide this normalization function,
    /// which ensures that the s value lies in the lower half of its range.
    pub fn normalize_s(&mut self) {
        if self.s.is_high() {
            self.s = -self.s.clone();
        }
    }


    pub fn serialize(&self) -> [u8; util::SIGNATURE_SIZE] {
        let mut ret = [0u8; 64];
        self.r.fill_b32(array_mut_ref!(ret, 0, 32));
        self.s.fill_b32(array_mut_ref!(ret, 32, 32));
        ret
    }

    pub fn serialize_der(&self) -> der::SignatureArray {
        fn fill_scalar_with_leading_zero(scalar: &Scalar) -> [u8; 33] {
            let mut ret = [0u8; 33];
            scalar.fill_b32(array_mut_ref!(ret, 1, 32));
            ret
        }

        let r_full = fill_scalar_with_leading_zero(&self.r);
        let s_full = fill_scalar_with_leading_zero(&self.s);

        fn integer_slice(full: &[u8; 33]) -> &[u8] {
            let mut len = 33;
            while len > 1 &&
                full[full.len() - len] == 0 &&
                full[full.len() - len + 1] < 0x80
            {
                len -= 1;
            }
            &full[(full.len() - len)..]
        }

        let r = integer_slice(&r_full);
        let s = integer_slice(&s_full);

        let mut ret = der::SignatureArray::new(6 + r.len() + s.len());
        {
            let l = ret.as_mut();
            l[0] = 0x30;
            l[1] = 4 + r.len() as u8 + s.len() as u8;
            l[2] = 0x02;
            l[3] = r.len() as u8;
            l[4..(4 + r.len())].copy_from_slice(r);
            l[4 + r.len()] = 0x02;
            l[5 + r.len()] = s.len() as u8;
            l[(6 + r.len())..(6 + r.len() + s.len())].copy_from_slice(s);
        }

        ret
    }
}

impl Message {
    pub fn parse(p: &[u8; util::MESSAGE_SIZE]) -> Message {
        let mut m = Scalar::default();

        // Okay for message to overflow.
        let _ = m.set_b32(p);

        Message(m)
    }

    pub fn parse_slice(p: &[u8]) -> Result<Message, Error> {
        if p.len() != util::MESSAGE_SIZE {
            return Err(Error::InvalidInputLength);
        }

        let mut a = [0; util::MESSAGE_SIZE];
        a.copy_from_slice(p);
        Ok(Self::parse(&a))
    }

    pub fn serialize(&self) -> [u8; util::MESSAGE_SIZE] {
        self.0.b32()
    }
}

impl RecoveryId {
    /// Parse recovery ID starting with 0.
    pub fn parse(p: u8) -> Result<RecoveryId, Error> {
        if p < 4 {
            Ok(RecoveryId(p))
        } else {
            Err(Error::InvalidRecoveryId)
        }
    }

    /// Parse recovery ID as Ethereum RPC format, starting with 27.
    pub fn parse_rpc(p: u8) -> Result<RecoveryId, Error> {
        if p >= 27 && p < 27 + 4 {
            RecoveryId::parse(p - 27)
        } else {
            Err(Error::InvalidRecoveryId)
        }
    }

    pub fn serialize(&self) -> u8 {
        self.0
    }
}

impl Into<u8> for RecoveryId {
    fn into(self) -> u8 {
        self.0
    }
}

impl Into<i32> for RecoveryId {
    fn into(self) -> i32 {
        self.0 as i32
    }
}

impl<D: Digest + Default> SharedSecret<D> {
    pub fn new(pubkey: &PublicKey, seckey: &SecretKey) -> Result<SharedSecret<D>, Error> {
        let inner = match ECMULT_CONTEXT.ecdh_raw::<D>(&pubkey.0, &seckey.0) {
            Some(val) => val,
            None => return Err(Error::InvalidSecretKey),
        };

        Ok(SharedSecret(inner))
    }

}

impl<D: Digest> AsRef<[u8]> for SharedSecret<D> {
    fn as_ref(&self) -> &[u8] {
        &self.0.as_ref()
    }
}

impl<D: Digest> Drop for SharedSecret<D> {
    fn drop(&mut self) {
        let zero_array = GenericArray::clone_from_slice(&vec![0;D::output_size()]);
         unsafe {
            core::ptr::write_volatile(&mut self.0, zero_array);
        }
    }
}

/// Check signature is a valid message signed by public key.
pub fn verify(message: &Message, signature: &Signature, pubkey: &PublicKey) -> bool {
    ECMULT_CONTEXT.verify_raw(&signature.r, &signature.s, &pubkey.0, &message.0)
}

/// Recover public key from a signed message.
pub fn recover(message: &Message, signature: &Signature, recovery_id: &RecoveryId) -> Result<PublicKey, Error> {
    ECMULT_CONTEXT.recover_raw(&signature.r, &signature.s, recovery_id.0, &message.0).map(|v| PublicKey(v))
}

/// Sign a message using the secret key.
#[cfg(feature = "hmac")]
pub fn sign(message: &Message, seckey: &SecretKey) -> (Signature, RecoveryId) {
    let seckey_b32 = seckey.0.b32();
    let message_b32 = message.0.b32();

    let mut drbg = HmacDRBG::<Sha256>::new(&seckey_b32, &message_b32, &[]);
    let mut nonce = Scalar::default();
    let mut overflow;

    let result;
    loop {
        let generated = drbg.generate::<U32>(None);
        overflow = bool::from(nonce.set_b32(array_ref!(generated, 0, 32)));

        if !overflow && !nonce.is_zero() {
            match ECMULT_GEN_CONTEXT.sign_raw(&seckey.0, &message.0, &nonce) {
                Ok(val) => {
                    result = val;
                    break
                },
                Err(_) => (),
            }
        }
    }

    #[allow(unused_assignments)]
    {
        nonce = Scalar::default();
    }
    let (sigr, sigs, recid) = result;

    (Signature {
        r: sigr,
        s: sigs,
    }, RecoveryId(recid))
}

#[cfg(test)]
mod tests {
    use crate::SecretKey;
    use hex_literal::hex;

    #[test]
    fn secret_key_inverse_is_sane() {
        let sk = SecretKey::parse(&[1; 32]).unwrap();
        let inv = sk.inv();
        let invinv = inv.inv();
        assert_eq!(sk, invinv);
        // Check that the inverse of `[1; 32]` is same as rust-secp256k1
        assert_eq!(inv, SecretKey::parse(&hex!("1536f1d756d1abf83aaf173bc5ee3fc487c93010f18624d80bd6d4038fadd59e")).unwrap())
    }
}