purify/docs/puresign_2codecs_2bppp_8cpp_source.html

// Copyright (c) 2026 Judica, Inc.

// Distributed under the MIT software license, see the accompanying

// file COPYING or https://opensource.org/license/mit/.


#include "purify/puresign/bppp.hpp"


#include <algorithm>

#include <cassert>

#include <cstdint>

#include <limits>

#include <optional>


#include "../detail/common.hpp"

#include "purify/secp_bridge.h"


namespace purify::puresign_plusplus {


namespace {


Result<bool> nonce_proof_matches_nonce(const NonceProof& nonce_proof, purify_secp_context* secp_context) {

    XOnly32 xonly{};

    int parity = 0;

    PURIFY_RETURN_IF_ERROR(require_secp_context(secp_context, "nonce_proof_matches_nonce:secp_context"),

                           "nonce_proof_matches_nonce:secp_context");

    if (purify_bip340_xonly_from_point(secp_context, nonce_proof.commitment_point.data(), xonly.data(), &parity) == 0) {

        return unexpected_error(ErrorCode::BackendRejectedInput,

                                "nonce_proof_matches_nonce:invalid_commitment_point");

    }

    (void)parity;

    return xonly == nonce_proof.nonce.xonly;

}


}  // namespace


Bytes PublicKey::serialize() const {

    Bytes out;

    out.reserve(kSerializedSize);

    std::array<unsigned char, 64> packed = purify_pubkey.to_bytes_be();

    out.insert(out.end(), packed.begin(), packed.end());

    out.insert(out.end(), bip340_pubkey.begin(), bip340_pubkey.end());

    return out;

}


Result<PublicKey> PublicKey::deserialize(std::span<const unsigned char> serialized,

                                         purify_secp_context* secp_context) {

    if (serialized.size() != kSerializedSize) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "PublicKey::deserialize:size");

    }

    PublicKey out{};

    out.purify_pubkey = UInt512::from_bytes_be(serialized.data(), 64);

    PURIFY_RETURN_IF_ERROR(validate_public_key(out.purify_pubkey), "PublicKey::deserialize:validate_public_key");

    std::copy(serialized.begin() + 64, serialized.end(), out.bip340_pubkey.begin());

    PURIFY_RETURN_IF_ERROR(require_secp_context(secp_context, "PublicKey::deserialize:secp_context"),

                           "PublicKey::deserialize:secp_context");

    if (purify_bip340_validate_xonly_pubkey(secp_context, out.bip340_pubkey.data()) == 0) {

        return unexpected_error(ErrorCode::BackendRejectedInput,

                                "PublicKey::deserialize:bip340_validate_xonly_pubkey");

    }

    return out;

}


Bytes Nonce::serialize() const {

    return Bytes(xonly.begin(), xonly.end());

}


Result<Nonce> Nonce::deserialize(std::span<const unsigned char> serialized,

                                 purify_secp_context* secp_context) {

    if (serialized.size() != kSerializedSize) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "Nonce::deserialize:size");

    }

    Nonce out{};

    std::copy(serialized.begin(), serialized.end(), out.xonly.begin());

    PURIFY_RETURN_IF_ERROR(require_secp_context(secp_context, "Nonce::deserialize:secp_context"),

                           "Nonce::deserialize:secp_context");

    if (purify_bip340_validate_xonly_pubkey(secp_context, out.xonly.data()) == 0) {

        return unexpected_error(ErrorCode::BackendRejectedInput, "Nonce::deserialize:bip340_validate_xonly_pubkey");

    }

    return out;

}


Nonce Signature::nonce() const {

    Nonce out{};

    std::copy(bytes.begin(), bytes.begin() + 32, out.xonly.begin());

    return out;

}


Scalar32 Signature::s() const {

    Scalar32 out{};

    std::copy(bytes.begin() + 32, bytes.end(), out.begin());

    return out;

}


Bytes Signature::serialize() const {

    return Bytes(bytes.begin(), bytes.end());

}


Result<Signature> Signature::deserialize(std::span<const unsigned char> serialized,

                                         purify_secp_context* secp_context) {

    if (serialized.size() != kSerializedSize) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "Signature::deserialize:size");

    }

    Signature out{};

    std::copy(serialized.begin(), serialized.end(), out.bytes.begin());

    PURIFY_RETURN_IF_ERROR(require_secp_context(secp_context, "Signature::deserialize:secp_context"),

                           "Signature::deserialize:secp_context");

    if (purify_bip340_validate_signature(secp_context, out.bytes.data()) == 0) {

        return unexpected_error(ErrorCode::BackendRejectedInput, "Signature::deserialize:bip340_validate_signature");

    }

    return out;

}


Result<Bytes> NonceProof::serialize(purify_secp_context* secp_context) const {

    PURIFY_ASSIGN_OR_RETURN(auto match, nonce_proof_matches_nonce(*this, secp_context),

                            "NonceProof::serialize:nonce_proof_matches_nonce");

    if (!match) {

        return unexpected_error(ErrorCode::BindingMismatch, "NonceProof::serialize:nonce_mismatch");

    }

    if (proof.proof.size() > static_cast<std::size_t>(std::numeric_limits<std::uint32_t>::max())) {

        return unexpected_error(ErrorCode::UnexpectedSize, "NonceProof::serialize:proof_size");

    }

    std::size_t serialized_size = 0;

    if (!checked_add_size(168, proof.proof.size(), serialized_size)) {

        return unexpected_error(ErrorCode::Overflow, "NonceProof::serialize:reserve");

    }


    Bytes out;

    out.reserve(serialized_size);

    out.push_back(kSerializationVersion);

    detail::append_u32_le(out, static_cast<std::uint32_t>(proof.proof.size()));

    out.insert(out.end(), nonce.xonly.begin(), nonce.xonly.end());

    out.insert(out.end(), commitment_point.begin(), commitment_point.end());

    out.insert(out.end(), proof.a_commitment.begin(), proof.a_commitment.end());

    out.insert(out.end(), proof.s_commitment.begin(), proof.s_commitment.end());

    out.insert(out.end(), proof.t2.begin(), proof.t2.end());

    out.insert(out.end(), proof.proof.begin(), proof.proof.end());

    return out;

}


Result<NonceProof> NonceProof::deserialize(std::span<const unsigned char> serialized,

                                           purify_secp_context* secp_context) {

    constexpr std::size_t kHeaderSize = 1 + 4 + 32 + 33 + 33 + 33 + 32;

    if (serialized.size() < kHeaderSize) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "NonceProof::deserialize:header");

    }

    if (serialized[0] != kSerializationVersion) {

        return unexpected_error(ErrorCode::BackendRejectedInput, "NonceProof::deserialize:version");

    }

    std::optional<std::uint32_t> proof_size = detail::read_u32_le(serialized, 1);

    assert(proof_size.has_value() && "header length check should guarantee a u32 proof size");

    if (*proof_size != serialized.size() - kHeaderSize) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "NonceProof::deserialize:proof_size");

    }


    NonceProof out{};

    std::copy_n(serialized.begin() + 5, 32, out.nonce.xonly.begin());

    PURIFY_RETURN_IF_ERROR(require_secp_context(secp_context, "NonceProof::deserialize:secp_context"),

                           "NonceProof::deserialize:secp_context");

    if (purify_bip340_validate_xonly_pubkey(secp_context, out.nonce.xonly.data()) == 0) {

        return unexpected_error(ErrorCode::BackendRejectedInput, "NonceProof::deserialize:nonce");

    }

    std::copy_n(serialized.begin() + 37, 33, out.commitment_point.begin());

    std::copy_n(serialized.begin() + 70, 33, out.proof.a_commitment.begin());

    std::copy_n(serialized.begin() + 103, 33, out.proof.s_commitment.begin());

    std::copy_n(serialized.begin() + 136, 32, out.proof.t2.begin());

    out.proof.proof.assign(serialized.begin() + 168, serialized.end());


    PURIFY_ASSIGN_OR_RETURN(auto match, nonce_proof_matches_nonce(out, secp_context),

                            "NonceProof::deserialize:nonce_proof_matches_nonce");

    if (!match) {

        return unexpected_error(ErrorCode::BindingMismatch, "NonceProof::deserialize:nonce_mismatch");

    }

    return out;

}


Result<Bytes> ProvenSignature::serialize(purify_secp_context* secp_context) const {

    PURIFY_ASSIGN_OR_RETURN(const auto& nonce_proof_bytes, nonce_proof.serialize(secp_context),

                            "ProvenSignature::serialize:nonce_proof");

    if (nonce_proof_bytes.size() > static_cast<std::size_t>(std::numeric_limits<std::uint32_t>::max())) {

        return unexpected_error(ErrorCode::UnexpectedSize, "ProvenSignature::serialize:nonce_proof_size");

    }

    std::size_t serialized_size = 0;

    if (!checked_add_size(69, nonce_proof_bytes.size(), serialized_size)) {

        return unexpected_error(ErrorCode::Overflow, "ProvenSignature::serialize:reserve");

    }


    Bytes out;

    out.reserve(serialized_size);

    out.push_back(kSerializationVersion);

    detail::append_u32_le(out, static_cast<std::uint32_t>(nonce_proof_bytes.size()));

    out.insert(out.end(), nonce_proof_bytes.begin(), nonce_proof_bytes.end());

    out.insert(out.end(), signature.bytes.begin(), signature.bytes.end());

    return out;

}


Result<ProvenSignature> ProvenSignature::deserialize(std::span<const unsigned char> serialized,

                                                     purify_secp_context* secp_context) {

    if (serialized.size() < 69) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "ProvenSignature::deserialize:header");

    }

    if (serialized[0] != kSerializationVersion) {

        return unexpected_error(ErrorCode::BackendRejectedInput, "ProvenSignature::deserialize:version");

    }

    std::optional<std::uint32_t> nonce_proof_size = detail::read_u32_le(serialized, 1);

    assert(nonce_proof_size.has_value() && "header length check should guarantee a u32 nonce proof size");

    const std::size_t payload_size = serialized.size() - 5;

    if (*nonce_proof_size > payload_size || payload_size - *nonce_proof_size != 64) {

        return unexpected_error(ErrorCode::InvalidFixedSize, "ProvenSignature::deserialize:size");

    }


    PURIFY_ASSIGN_OR_RETURN(auto nonce_proof_value,

                            NonceProof::deserialize(serialized.subspan(5, *nonce_proof_size), secp_context),

                            "ProvenSignature::deserialize:nonce_proof");

    PURIFY_ASSIGN_OR_RETURN(auto signature_value,

                            Signature::deserialize(serialized.subspan(5 + *nonce_proof_size, 64), secp_context),

                            "ProvenSignature::deserialize:signature");

    return ProvenSignature{signature_value, nonce_proof_value};

}


}  // namespace purify::puresign_plusplus

purify::Expected
Purify result carrier that either holds a value or an error.
Definition expected.hpp:64

PURIFY_RETURN_IF_ERROR
#define PURIFY_RETURN_IF_ERROR(expr, context)
Evaluates an expected-like expression and returns the wrapped error on failure.
Definition error.hpp:329

PURIFY_ASSIGN_OR_RETURN
#define PURIFY_ASSIGN_OR_RETURN(lhs, expr, context)
Evaluates an expected-like expression, binds the value to lhs, and propagates errors.
Definition error.hpp:338

purify::detail::read_u32_le
std::optional< std::uint32_t > read_u32_le(std::span< const unsigned char > bytes, std::size_t offset)
Definition common.hpp:35

purify::detail::append_u32_le
void append_u32_le(Bytes &out, std::uint32_t value)
Definition common.hpp:29

purify::puresign_plusplus
Definition bppp.hpp:20

purify::puresign_plusplus::Scalar32
std::array< unsigned char, 32 > Scalar32
Definition bppp.hpp:22

purify::puresign_plusplus::XOnly32
std::array< unsigned char, 32 > XOnly32
Definition bppp.hpp:23

purify::require_secp_context
Status require_secp_context(const purify_secp_context *context, const char *error_context)
Definition common.hpp:56

purify::unexpected_error
constexpr Unexpected< Error > unexpected_error(ErrorCode code, const char *context=nullptr)
Constructs an unexpected Error value from a machine-readable code.
Definition error.hpp:293

purify::ErrorCode::BindingMismatch
@ BindingMismatch

purify::ErrorCode::Overflow
@ Overflow

purify::ErrorCode::InvalidFixedSize
@ InvalidFixedSize

purify::ErrorCode::BackendRejectedInput
@ BackendRejectedInput

purify::ErrorCode::UnexpectedSize
@ UnexpectedSize

purify::validate_public_key
Status validate_public_key(const UInt512 &packed)
Validates the packed public-key encoding range.
Definition curve.cpp:314

purify::Bytes
std::vector< unsigned char > Bytes
Dynamically sized byte string used for messages, serialized witnesses, and proofs.
Definition common.hpp:99

purify::checked_add_size
bool checked_add_size(std::size_t lhs, std::size_t rhs, std::size_t &out) noexcept
Definition common.hpp:63

bppp.hpp
Experimental BPPP-backed PureSign proof(R) helpers.

secp_bridge.h
Narrow C ABI exposing secp256k1 scalar and HMAC helpers to the C++ headers.

purify_bip340_xonly_from_point
int purify_bip340_xonly_from_point(purify_secp_context *context, const unsigned char point33[33], unsigned char xonly32[32], int *parity_out)
Converts a compressed secp256k1 point into its x-only public key encoding.
Definition bppp_bridge.c:603

purify_bip340_validate_signature
int purify_bip340_validate_signature(purify_secp_context *context, const unsigned char sig64[64])
Returns nonzero when the 64-byte BIP340 signature has a syntactically valid encoding.
Definition bppp_bridge.c:662

purify_bip340_validate_xonly_pubkey
int purify_bip340_validate_xonly_pubkey(purify_secp_context *context, const unsigned char xonly_pubkey32[32])
Returns nonzero when the x-only public key encoding parses successfully.
Definition bppp_bridge.c:645

purify::BigUInt< 8 >::from_bytes_be
static BigUInt from_bytes_be(const unsigned char *data, std::size_t size)
Parses a big-endian byte string into the fixed-width integer.
Definition numeric.hpp:235

purify::BigUInt::to_bytes_be
std::array< unsigned char, Words *8 > to_bytes_be() const
Serializes the value to a fixed-width big-endian byte array.
Definition numeric.hpp:621

purify::bppp::ExperimentalCircuitZkNormArgProof::t2
ScalarBytes t2
Definition bppp.hpp:261

purify::bppp::ExperimentalCircuitZkNormArgProof::proof
Bytes proof
Definition bppp.hpp:262

purify::bppp::ExperimentalCircuitZkNormArgProof::a_commitment
PointBytes a_commitment
Witness-only outer A commitment; verifiers re-anchor it to the public statement.
Definition bppp.hpp:259

purify::bppp::ExperimentalCircuitZkNormArgProof::s_commitment
PointBytes s_commitment
Definition bppp.hpp:260

purify::puresign_plusplus::NonceProof
Definition bppp.hpp:255

purify::puresign_plusplus::NonceProof::commitment_point
bppp::PointBytes commitment_point
Definition bppp.hpp:259

purify::puresign_plusplus::NonceProof::deserialize
static Result< NonceProof > deserialize(std::span< const unsigned char > serialized, purify_secp_context *secp_context)
Definition bppp.cpp:144

purify::puresign_plusplus::NonceProof::serialize
Result< Bytes > serialize(purify_secp_context *secp_context) const
Definition bppp.cpp:117

purify::puresign_plusplus::NonceProof::proof
bppp::ExperimentalCircuitZkNormArgProof proof
Definition bppp.hpp:260

purify::puresign_plusplus::NonceProof::kSerializationVersion
static constexpr unsigned char kSerializationVersion
Definition bppp.hpp:256

purify::puresign_plusplus::NonceProof::nonce
Nonce nonce
Definition bppp.hpp:258

purify::puresign_plusplus::Nonce
Public BIP340 nonce point in x-only form.
Definition bppp.hpp:182

purify::puresign_plusplus::Nonce::deserialize
static Result< Nonce > deserialize(std::span< const unsigned char > serialized, purify_secp_context *secp_context)
Parses a serialized x-only nonce.
Definition bppp.cpp:71

purify::puresign_plusplus::Nonce::xonly
XOnly32 xonly
Definition bppp.hpp:185

purify::puresign_plusplus::Nonce::serialize
Bytes serialize() const
Serializes this x-only nonce into its fixed-size wire format.
Definition bppp.cpp:67

purify::puresign_plusplus::Nonce::kSerializedSize
static constexpr std::size_t kSerializedSize
Definition bppp.hpp:183

purify::puresign_plusplus::ProvenSignature
Definition bppp.hpp:267

purify::puresign_plusplus::ProvenSignature::serialize
Result< Bytes > serialize(purify_secp_context *secp_context) const
Definition bppp.cpp:180

purify::puresign_plusplus::ProvenSignature::kSerializationVersion
static constexpr unsigned char kSerializationVersion
Definition bppp.hpp:268

purify::puresign_plusplus::ProvenSignature::deserialize
static Result< ProvenSignature > deserialize(std::span< const unsigned char > serialized, purify_secp_context *secp_context)
Definition bppp.cpp:200

purify::puresign_plusplus::ProvenSignature::signature
Signature signature
Definition bppp.hpp:270

purify::puresign_plusplus::ProvenSignature::nonce_proof
NonceProof nonce_proof
Definition bppp.hpp:271

purify::puresign_plusplus::PublicKey
Definition bppp.hpp:34

purify::puresign_plusplus::PublicKey::deserialize
static Result< PublicKey > deserialize(std::span< const unsigned char > serialized, purify_secp_context *secp_context)
Parses a serialized PureSign++ public-key bundle.
Definition bppp.cpp:49

purify::puresign_plusplus::PublicKey::bip340_pubkey
XOnly32 bip340_pubkey
Definition bppp.hpp:38

purify::puresign_plusplus::PublicKey::serialize
Bytes serialize() const
Serializes this PureSign++ public-key bundle into its fixed-size wire format.
Definition bppp.cpp:40

purify::puresign_plusplus::PublicKey::kSerializedSize
static constexpr std::size_t kSerializedSize
Definition bppp.hpp:35

purify::puresign_plusplus::PublicKey::purify_pubkey
UInt512 purify_pubkey
Definition bppp.hpp:37

purify::puresign_plusplus::Signature
Standard 64-byte BIP340 signature.
Definition bppp.hpp:195

purify::puresign_plusplus::Signature::serialize
Bytes serialize() const
Serializes this signature into its fixed-size wire format.
Definition bppp.cpp:98

purify::puresign_plusplus::Signature::kSerializedSize
static constexpr std::size_t kSerializedSize
Definition bppp.hpp:196

purify::puresign_plusplus::Signature::bytes
Signature64 bytes
Definition bppp.hpp:198

purify::puresign_plusplus::Signature::s
Scalar32 s() const
Returns the 32-byte Schnorr s scalar encoded in the last 32 signature bytes.
Definition bppp.cpp:92

purify::puresign_plusplus::Signature::nonce
Nonce nonce() const
Returns the x-only public nonce encoded in the first 32 signature bytes.
Definition bppp.cpp:86

purify::puresign_plusplus::Signature::deserialize
static Result< Signature > deserialize(std::span< const unsigned char > serialized, purify_secp_context *secp_context)
Parses a serialized BIP340 signature.
Definition bppp.cpp:102

purify_secp_context
Definition bppp_bridge.c:36