Mirror of https://github.com/bitcoin/bitcoin.git, synced 2026-01-18 22:35:39 +01:00
Commit 9d09322b41776a0d6ecde182f731eff77d0f052b:
- 1897b8e Merge pull request #229
- efc571c Add simple testcases for signing with rfc6979 extra entropy.
- 1573a10 Add ability to pass extra entropy to rfc6979
- 3087bc4 Merge pull request #228
- d9b9f11 Merge pull request #218
- 0065a8f Eliminate multiple-returns from secp256k1.c.
- 354ffa3 Make secp256k1_ec_pubkey_create reject oversized secrets.
- 27bc131 Silence some warnings from pedantic static analysis tools, improve compatibility with C++.
- 3b7ea63 Merge pull request #221
- f789c5b Merge pull request #215
- 4bc273b Merge pull request #222
- 137a8ec Merge pull request #216
- 7c3771d Disable overlength-strings warnings.
- 8956111 use 128-bit hex seed
- 02efd06 Use RFC6979 for test PRNGs
- ae55e85 Use faster byteswapping and avoid alignment-increasing casts.
- 443cd4b Get rid of hex format and some binary conversions
- 0bada0e Merge #214: Improve signing API documentation & specification
- 8030d7c Improve signing API documentation & specification
- 7b2fc1c Merge #213: Removed gotos, which are hard to trace and maintain.
- 11690d3 Removed gotos, which are hard to trace and maintain.
- 122a1ec Merge pull request #205
- 035406d Merge pull request #206
- 2d4cd53 Merge pull request #161
- 34b898d Additional comments for the testing PRNG and a seeding fix.
- 6efd6e7 Some comments explaining some of the constants in the code.
- ffccfd2 x86_64 assembly optimization for scalar_4x64
- 67cbdf0 Merge pull request #207
- 039723d Benchmarks for all internal operations
- 6cc8425 Include a comment on secp256k1_ecdsa_sign explaining low-s.
- f88343f Merge pull request #203
- d61e899 Add group operation counts
- 2473f17 Merge pull request #202
- b5bbce6 Some readme updates, e.g. removal of the GMP field.
- f0d851e Merge pull request #201
- a0ea884 Merge pull request #200
- f735446 Convert the rest of the codebase to C89.
- bf2e1ac Convert tests to C89. (also fixes a use of bare "inline" in field)
- fc8285f Merge pull request #199
- fff412e Merge pull request #197
- 4be8d6f Centralize the definition of uint128_t and use it uniformly.
- d9543c9 Switch scalar code to C89.
- fcc48c4 Remove the non-storage cmov
- 55422b6 Switch ecmult_gen to use storage types
- 41f8455 Use group element storage type in EC multiplications
- e68d720 Add group element storage type
- ff889f7 Field storage type
- 7137be8 Merge pull request #196
- 0768bd5 Get rid of variable-length hex string conversions
- e84e761 Merge pull request #195
- 792bcdb Covert several more files to C89.
- 45cdf44 Merge pull request #193
- 17db09e Merge pull request #194
- 402878a fix ifdef/ifndef
- 25b35c7 Convert field code to strict C89 (+ long long, +__int128)
- 3627437 C89 nits and dead code removal.
- a9f350d Merge pull request #191
- 4732d26 Convert the field/group/ecdsa constant initialization to static consts
- 19f3e76 Remove unused secp256k1_fe_inner_{start, stop} functions
- f1ebfe3 Convert the scalar constant initialization to static consts
git-subtree-dir: src/secp256k1
git-subtree-split: 1897b8e90b
libsecp256k1
Optimized C library for EC operations on curve secp256k1.
This library is a work in progress and is being used to research best practices. Use at your own risk.
Features:
- secp256k1 ECDSA signing/verification and key generation.
- Adding/multiplying private/public keys.
- Serialization/parsing of private keys, public keys, signatures.
- Constant time, constant memory access signing and pubkey generation.
- Derandomized DSA (via RFC6979 or with a caller-provided function).
- Very efficient implementation.
Implementation details
- General
  - No runtime heap allocation.
  - Extensive testing infrastructure.
  - Structured to facilitate review and analysis.
  - Intended to be portable to any system with a C89 compiler and uint64_t support.
  - Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
- Field operations
  - Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
    - Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
    - Using 10 26-bit limbs.
  - Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
- Scalar operations
  - Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
    - Using 4 64-bit limbs (relying on __int128 support in the compiler).
    - Using 8 32-bit limbs.
- Group operations
  - Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
  - Use addition between points in Jacobian and affine coordinates where possible.
  - Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
  - Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
- Point multiplication for verification (aP + bG).
  - Use wNAF notation for point multiplicands.
  - Use a much larger window for multiples of G, using precomputed multiples.
  - Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
  - Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
- Point multiplication for signing
  - Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
  - Access the table with branch-free conditional moves so memory access is uniform.
  - No data-dependent branches.
  - The precomputed tables add, and eventually subtract, points for which no scalar (private key) is known, so even an attacker who controls the private key being used cannot control the data handled internally.
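The wNAF expansion and Shamir's trick used for verification, as an added illustration that is not the library's code: a toy additive group (integers mod a small prime, constructed here) stands in for curve points so that the shared doubling chain and the signed-digit table lookups are visible without field or group arithmetic; the window width w = 5 and the 64-bit scalar width are assumptions.

```c
#include <stdint.h>

/* Toy stand-in for the curve group: residues mod MODP under addition, so a
 * "doubling" is acc*2 and "a*P" is a modular product (constructed, not secp256k1). */
#define MODP 1000003ULL

/* Width-w NAF of a 64-bit scalar (libsecp256k1 does this on 256-bit scalars):
 * each digit is 0 or odd with |d| < 2^(w-1), non-zero digits are at least w
 * positions apart. Writes at most 65 digits for k < 2^63; returns the count. */
static int wnaf(uint64_t k, int w, int8_t *out) {
    int n = 0;
    uint64_t half = (uint64_t)1 << (w - 1), full = half << 1;
    while (k != 0) {
        int8_t d = 0;
        if (k & 1) {
            int m = (int)(k & (full - 1));                 /* k mod 2^w */
            d = (int8_t)(m >= (int)half ? m - (int)full : m);
            k -= (uint64_t)(int64_t)d;                     /* k is now 0 mod 2^w */
        }
        out[n++] = d;
        k >>= 1;
    }
    return n;
}

/* Shamir's trick: a*P + b*G with one shared chain of doublings, consuming the
 * digits of both scalars in the same pass. Each table holds the odd multiples
 * 1P,3P,...,15P (w = 5). Branching on digits is fine: verification inputs are public. */
static uint64_t joint_mul(uint64_t a, uint64_t P, uint64_t b, uint64_t G) {
    int8_t da[66], db[66];
    uint64_t tP[8], tG[8], acc = 0;
    int na = wnaf(a, 5, da), nb = wnaf(b, 5, db);
    int n = na > nb ? na : nb, i;
    for (i = 0; i < 8; i++) {
        tP[i] = ((2 * i + 1) * P) % MODP;
        tG[i] = ((2 * i + 1) * G) % MODP;
    }
    for (i = n - 1; i >= 0; i--) {
        acc = (acc * 2) % MODP;                            /* one doubling serves both */
        if (i < na && da[i] > 0) acc = (acc + tP[(da[i] - 1) / 2]) % MODP;
        if (i < na && da[i] < 0) acc = (acc + MODP - tP[(-da[i] - 1) / 2]) % MODP;
        if (i < nb && db[i] > 0) acc = (acc + tG[(db[i] - 1) / 2]) % MODP;
        if (i < nb && db[i] < 0) acc = (acc + MODP - tG[(-db[i] - 1) / 2]) % MODP;
    }
    return acc;
}
```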
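The uniform table access used for signing, as an added example that is not libsecp256k1's ecmult_gen code: a 16-entry table indexed by one 4-bit digit of the scalar is read with a branch-free conditional move over every entry, so neither a branch nor a memory address depends on the secret digit; the table layout, the word-pattern contents and the 32-byte big-endian scalar are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define TABLE_SIZE 16   /* one entry per 4-bit digit (multiples of a power of 16 times G) */
#define ENTRY_WORDS 8   /* a toy 256-bit entry as eight 32-bit words */

/* Digit i of a 32-byte big-endian scalar, i = 0 being the least significant
 * nibble; each digit of a signing scalar selects one entry of its table. */
static unsigned nibble(const unsigned char sk[32], int i) {
    unsigned char byte = sk[31 - i / 2];
    return (i & 1) ? (byte >> 4) : (byte & 0x0F);
}

/* Copy table[idx] into out while reading every entry, in the same order and
 * touching the same words, whatever idx is. The mask is all ones only when
 * i == idx and comes from a subtraction borrow rather than a comparison, so
 * neither a branch nor an address depends on the secret digit. */
static void ct_table_select(uint32_t out[ENTRY_WORDS],
                            uint32_t table[TABLE_SIZE][ENTRY_WORDS], unsigned idx) {
    unsigned i, j;
    memset(out, 0, ENTRY_WORDS * sizeof(uint32_t));
    for (i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = i ^ idx;
        uint32_t mask = (uint32_t)(((uint64_t)diff - 1) >> 32); /* 0xFFFFFFFF iff diff == 0 */
        for (j = 0; j < ENTRY_WORDS; j++)
            out[j] = (out[j] & ~mask) | (table[i][j] & mask);     /* conditional move */
    }
}

/* Constructed demo: entry k of the table holds the word pattern k, the scalar
 * has only its low byte set, and the selected entry's first word is returned. */
static uint32_t demo_select(unsigned char last_byte, int digit_index) {
    unsigned char sk[32] = {0};
    uint32_t table[TABLE_SIZE][ENTRY_WORDS], out[ENTRY_WORDS];
    unsigned k, j;
    sk[31] = last_byte;
    for (k = 0; k < TABLE_SIZE; k++)
        for (j = 0; j < ENTRY_WORDS; j++) table[k][j] = 0x01010101u * k + j;
    ct_table_select(out, table, nibble(sk, digit_index));
    return out[0];
}
```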
Build steps
libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ ./tests
$ sudo make install # optional