Mirror of https://github.com/bitcoin/bitcoin.git, synced 2026-01-21 15:50:07 +01:00
64dfdde0aa7f7ef24e6cbf3c57e6d24efc55367e
8225239 Merge #433: Make the libcrypto detection fail the newer API.
12de863 Make the libcrypto detection fail the newer API.
2928420 Merge #427: Remove Schnorr from travis as well
8eecc4a Remove Schnorr from travis as well
a8abae7 Merge #310: Add exhaustive test for group functions on a low-order subgroup
b4ceedf Add exhaustive test for verification
83836a9 Add exhaustive tests for group arithmetic, signing, and ecmult on a small group
20b8877 Add exhaustive test for group functions on a low-order subgroup
80773a6 Merge #425: Remove Schnorr experiment
e06e878 Remove Schnorr experiment
04c8ef3 Merge #407: Modify parameter order of internal functions to match API parameter order
6e06696 Merge #411: Remove guarantees about memcmp-ability
40c8d7e Merge #421: Update scalar_4x64_impl.h
a922365 Merge #422: Restructure nonce clearing
3769783 Restructure nonce clearing
0f9e69d Restructure nonce clearing
9d67afa Update scalar_4x64_impl.h
7d15cd7 Merge #413: fix auto-enabled static precompuatation
00c5d2e fix auto-enabled static precompuatation
91219a1 Remove guarantees about memcmp-ability
7a49cac Merge #410: Add string.h include to ecmult_impl
0bbd5d4 Add string.h include to ecmult_impl
353c1bf Fix secp256k1_ge_set_table_gej_var parameter order
541b783 Fix secp256k1_ge_set_all_gej_var parameter order
7d893f4 Fix secp256k1_fe_inv_all_var parameter order
c5b32e1 Merge #405: Make secp256k1_fe_sqrt constant time
926836a Make secp256k1_fe_sqrt constant time
e2a8e92 Merge #404: Replace 3M + 4S doubling formula with 2M + 5S one
8ec49d8 Add note about 2M + 5S doubling formula
5a91bd7 Merge #400: A couple minor cleanups
ac01378 build: add -DSECP256K1_BUILD to benchmark_internal build flags
a6c6f99 Remove a bunch of unused stdlib #includes
65285a6 Merge #403: configure: add flag to disable OpenSSL tests
a9b2a5d configure: add flag to disable OpenSSL tests
b340123 Merge #402: Add support for testing quadratic residues
e6e9805 Add function for testing quadratic residue field/group elements.
efd953a Add Jacobi symbol test via GMP
fa36a0d Merge #401: ecmult_const: unify endomorphism and non-endomorphism skew cases
c6191fd ecmult_const: unify endomorphism and non-endomorphism skew cases
0b3e618 Merge #378: .gitignore build-aux cleanup
6042217 Merge #384: JNI: align shared files copyright/comments to bitcoinj's
24ad20f Merge #399: build: verify that the native compiler works for static precomp
b3be852 Merge #398: Test whether ECDH and Schnorr are enabled for JNI
aa0b1fd build: verify that the native compiler works for static precomp
eee808d Test whether ECDH and Schnorr are enabled for JNI
7b0fb18 Merge #366: ARM assembly implementation of field_10x26 inner (rebase of #173)
001f176 ARM assembly implementation of field_10x26 inner
0172be9 Merge #397: Small fixes for sha256
3f8b78e Fix undefs in hash_impl.h
2ab4695 Fix state size in sha256 struct
6875b01 Merge #386: Add some missing `VERIFY_CHECK(ctx != NULL)`
2c52b5d Merge #389: Cast pointers through uintptr_t under JNI
43097a4 Merge #390: Update bitcoin-core GitHub links
31c9c12 Merge #391: JNI: Only call ecdsa_verify if its inputs parsed correctly
1cb2302 Merge #392: Add testcase which hits additional branch in secp256k1_scalar_sqr
d2ee340 Merge #388: bench_ecdh: fix call to secp256k1_context_create
093a497 Add testcase which hits additional branch in secp256k1_scalar_sqr
a40c701 JNI: Only call ecdsa_verify if its inputs parsed correctly
faa2a11 Update bitcoin-core GitHub links
47b9e78 Cast pointers through uintptr_t under JNI
f36f9c6 bench_ecdh: fix call to secp256k1_context_create
bcc4881 Add some missing `VERIFY_CHECK(ctx != NULL)` for functions that use `ARG_CHECK`
6ceea2c align shared files copyright/comments to bitcoinj's
70141a8 Update .gitignore
7b549b1 Merge #373: build: fix x86_64 asm detection for some compilers
bc7c93c Merge #374: Add note about y=0 being possible on one of the sextic twists
e457018 Merge #364: JNI rebased
86e2d07 JNI library: cleanup, removed unimplemented code
3093576a JNI library
bd2895f Merge pull request #371
e72e93a Add note about y=0 being possible on one of the sextic twists
3f8fdfb build: fix x86_64 asm detection for some compilers
e5a9047 [Trivial] Remove double semicolons
c18b869 Merge pull request #360
3026daa Merge pull request #302
03d4611 Add sage verification script for the group laws
a965937 Merge pull request #361
83221ec Add experimental features to configure
5d4c5a3 Prevent damage_array in the signature test from going out of bounds.
419bf7f Merge pull request #356
03d84a4 Benchmark against OpenSSL verification
git-subtree-dir: src/secp256k1
git-subtree-split: 8225239f49
libsecp256k1
Optimized C library for EC operations on curve secp256k1.
This library is a work in progress and is being used to research best practices. Use at your own risk.
Features:
- secp256k1 ECDSA signing/verification and key generation.
- Adding/multiplying private/public keys.
- Serialization/parsing of private keys, public keys, signatures.
- Constant time, constant memory access signing and pubkey generation.
- Derandomized DSA (via RFC6979 or with a caller-provided function).
- Very efficient implementation.
Implementation details
- General
  - No runtime heap allocation.
  - Extensive testing infrastructure.
  - Structured to facilitate review and analysis.
  - Intended to be portable to any system with a C89 compiler and uint64_t support.
  - Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
- Field operations
  - Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
    - Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
    - Using 10 26-bit limbs.
  - Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
- Scalar operations
  - Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
    - Using 4 64-bit limbs (relying on __int128 support in the compiler).
    - Using 8 32-bit limbs.
- Group operations
  - Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
  - Use addition between points in Jacobian and affine coordinates where possible.
  - Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
  - Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
- Point multiplication for verification (a*P + b*G)
  - Use wNAF notation for point multiplicands.
  - Use a much larger window for multiples of G, using precomputed multiples.
  - Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
  - Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
- Point multiplication for signing
  - Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
  - Access the table with branch-free conditional moves so memory access is uniform.
  - No data-dependent branches.
  - The precomputed tables add, and at the end subtract, points for which no scalar (private key) is known, so that even an attacker who controls the private key in use cannot control the intermediate data.
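The following is an added example written for this page; it is not code from libsecp256k1. It illustrates two of the items above on a constructed toy instance of the same curve equation, y^2 = x^3 + 7, over GF(11) with an assumed base point (2, 2) of order 4 (the real library works over a 256-bit prime, but the a = 0 Jacobian doubling and addition formulas are the same): point addition and doubling in Jacobian coordinates, the inversion-free check that a Jacobian point has a given affine x (the shape of ECDSA verification's final comparison of R.x with r), and a branch-free table lookup that reads and masks every entry so the memory access pattern does not depend on the secret index. All names (fe, ge, gej, TOY_G, table_lookup_ct, ...) are this example's own, chosen to echo the library's naming; the double-and-add in gej_mul is variable-time and stands in for the wNAF and precomputed-table code described above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy instance of y^2 = x^3 + 7 over GF(11). The real library works
 * over a 256-bit prime, but the a = 0 group formulas below are the same. */
#define FIELD_P 11ULL
typedef uint64_t fe;

static fe fe_add(fe a, fe b) { return (a + b) % FIELD_P; }
static fe fe_sub(fe a, fe b) { return (a + FIELD_P - b % FIELD_P) % FIELD_P; }
static fe fe_mul(fe a, fe b) { return (a * b) % FIELD_P; }
static fe fe_sqr(fe a) { return fe_mul(a, a); }
static fe fe_inv(fe a) { /* Fermat: a^(p-2); only used to return to affine form */
    fe r = 1, e = FIELD_P - 2;
    while (e) { if (e & 1) r = fe_mul(r, a); a = fe_sqr(a); e >>= 1; }
    return r;
}

typedef struct { fe x, y; int infinity; } ge;     /* affine point */
typedef struct { fe x, y, z; int infinity; } gej; /* Jacobian: (X/Z^2, Y/Z^3) */
static const ge TOY_G = { 2, 2, 0 }; /* constructed base point; it has order 4 */

static gej gej_inf(void) { gej r = { 0, 0, 0, 1 }; return r; }
static gej gej_from_ge(ge a) { gej r = { a.x, a.y, 1, a.infinity }; return r; }

/* Doubling specialised for a = 0 (dbl-2009-l). y = 0 means order 2, so 2P = O. */
static gej gej_double(gej p) {
    fe a, b, c, d, e, f; gej r;
    if (p.infinity || p.y == 0) return gej_inf();
    a = fe_sqr(p.x); b = fe_sqr(p.y); c = fe_sqr(b);
    d = fe_mul(2, fe_sub(fe_sub(fe_sqr(fe_add(p.x, b)), a), c));
    e = fe_mul(3, a); f = fe_sqr(e);
    r.x = fe_sub(f, fe_mul(2, d));
    r.y = fe_sub(fe_mul(e, fe_sub(d, r.x)), fe_mul(8, c));
    r.z = fe_mul(2, fe_mul(p.y, p.z)); r.infinity = 0;
    return r;
}

/* Jacobian addition (add-2007-bl). The equal-x branches (double, or P + (-P) = O)
 * are fine for a demo; the library's unified formula exists to avoid them. */
static gej gej_add(gej p, gej q) {
    fe z1z1, z2z2, u1, u2, s1, s2, h, r, h2, h3, u1h2; gej o;
    if (p.infinity) return q;
    if (q.infinity) return p;
    z1z1 = fe_sqr(p.z); z2z2 = fe_sqr(q.z);
    u1 = fe_mul(p.x, z2z2); u2 = fe_mul(q.x, z1z1);
    s1 = fe_mul(p.y, fe_mul(q.z, z2z2)); s2 = fe_mul(q.y, fe_mul(p.z, z1z1));
    h = fe_sub(u2, u1); r = fe_sub(s2, s1);
    if (h == 0) return (r == 0) ? gej_double(p) : gej_inf();
    h2 = fe_sqr(h); h3 = fe_mul(h, h2); u1h2 = fe_mul(u1, h2);
    o.x = fe_sub(fe_sub(fe_sqr(r), h3), fe_mul(2, u1h2));
    o.y = fe_sub(fe_mul(r, fe_sub(u1h2, o.x)), fe_mul(s1, h3));
    o.z = fe_mul(h, fe_mul(p.z, q.z)); o.infinity = 0;
    return o;
}

/* x-comparison without inversion: affine x == r  <=>  X == r * Z^2 (ECDSA's final check). */
static int gej_eq_x(gej p, fe r) { return !p.infinity && p.x == fe_mul(r, fe_sqr(p.z)); }

static ge ge_from_gej(gej p) {
    ge r = { 0, 0, p.infinity }; fe zi, zi2;
    if (p.infinity) return r;
    zi = fe_inv(p.z); zi2 = fe_sqr(zi);
    r.x = fe_mul(p.x, zi2); r.y = fe_mul(p.y, fe_mul(zi, zi2));
    return r;
}

/* Plain double-and-add (variable time; the library uses wNAF and precomputed tables). */
static gej gej_mul(gej p, uint64_t k) {
    gej r = gej_inf(); int i;
    for (i = 63; i >= 0; i--) { r = gej_double(r); if ((k >> i) & 1) r = gej_add(r, p); }
    return r;
}

/* Branch-free table lookup: every entry is read and masked, so the memory access
 * pattern is the same whatever the secret index (idx must be < TABLE_SIZE). */
#define TABLE_SIZE 16
static ge table_lookup_ct(const ge *table, uint64_t idx) {
    ge r = { 0, 0, 0 }; unsigned i;
    for (i = 0; i < TABLE_SIZE; i++) {
        fe d = (fe)i ^ idx;
        fe mask = (fe)0 - ((d - 1) >> 63); /* all ones iff d == 0, else all zeros */
        r.x |= table[i].x & mask;
        r.y |= table[i].y & mask;
        r.infinity |= (int)((fe)table[i].infinity & mask);
    }
    return r;
}

/* Checks: affine coordinates of k*G (-1 for infinity), the inversion-free x test,
 * and agreement of the constant-time lookup with a directly computed k*G. */
static long toy_mul_x(uint64_t k) { ge r = ge_from_gej(gej_mul(gej_from_ge(TOY_G), k)); return r.infinity ? -1 : (long)r.x; }
static long toy_mul_y(uint64_t k) { ge r = ge_from_gej(gej_mul(gej_from_ge(TOY_G), k)); return r.infinity ? -1 : (long)r.y; }
static int toy_mul_has_x(uint64_t k, fe r) { return gej_eq_x(gej_mul(gej_from_ge(TOY_G), k), r); }
static int ct_lookup_matches(uint64_t k) {
    ge table[TABLE_SIZE], a, b; unsigned i;
    for (i = 0; i < TABLE_SIZE; i++) table[i] = ge_from_gej(gej_mul(gej_from_ge(TOY_G), i));
    a = table_lookup_ct(table, k); b = ge_from_gej(gej_mul(gej_from_ge(TOY_G), k));
    return a.infinity == b.infinity && a.x == b.x && a.y == b.y;
}

int main(void) {
    printf("2G = (%ld, %ld), 3G = (%ld, %ld), 4G is infinity: %d\n",
           toy_mul_x(2), toy_mul_y(2), toy_mul_x(3), toy_mul_y(3), toy_mul_x(4) == -1);
    return 0;
}
```

On this toy group 2G = (5, 0) is the order-2 point, 3G = (2, 9) = -G and 4G = O, which exercises the y = 0 and P + (-P) cases of the formulas. Note what the lookup does and does not protect: it removes the index from the memory access pattern, but the surrounding gej_add and gej_mul here still branch on the data, which is why the real signing path pairs uniform table access with the unified, branch-free group formula.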
Build steps
libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ ./tests
$ sudo make install # optional