Bitcoin Core mirror and no, I don't give a fuck about Monero.
Find a file
Pieter Wuille 21288f2d05
Merge pull request #103
f8cce95 Add overflow analysis to field_10x26_impl.h (Pieter Wuille)
a518598 Add overflow analysis to field_5x52_int128_impl.h (Pieter Wuille)
fa0d620 Add equalities relating input and output variables (Pieter Wuille)
5dd421b Rewrite mul/sqr for 32bit/64bit (Peter Dettman)
2014-11-15 01:29:44 +01:00
build-aux/m4 Use same build template as bitcoin. Add bitcoin_secp.m4. 2014-11-07 01:55:27 +13:00
include Add non-null and unused-result warnings for the external API. 2014-11-12 12:23:09 -08:00
obj Add obj/ directory 2013-04-11 12:46:39 +02:00
src Add overflow analysis to field_10x26_impl.h 2014-11-14 17:52:39 +01:00
.gitignore Better .gitignore for bench binaries 2014-11-01 06:01:40 -07:00
.travis.yml Implementations for scalar without data-dependent branches. 2014-11-04 03:01:55 -08:00
autogen.sh Add autoreconf warnings. Replace obsolete AC_TRY_COMPILE. 2014-11-06 22:20:05 +13:00
configure.ac Enable warnings. 2014-11-13 01:45:57 -08:00
COPYING MIT License 2013-05-09 15:24:32 +02:00
libsecp256k1.pc.in packaging: fixup pkg-config 2014-05-20 21:02:05 -04:00
Makefile.am field_gmp's negate doesn't need to use the magnitude argument. 2014-11-13 01:45:56 -08:00
nasm_lt.sh autotools: autotools'ify libsecp256k1 2014-01-17 23:24:12 -05:00
README.md Nothing-up-my-sleeving blinding for a*G 2014-09-01 14:56:12 +02:00
TODO updates 2013-05-06 13:28:46 +02:00

libsecp256k1

Build Status

Optimized C library for EC operations on curve secp256k1.

This library is experimental, so use at your own risk.

Features:

  • Low-level field and group operations on secp256k1.
  • ECDSA signing/verification and key generation.
  • Adding/multiplying private/public keys.
  • Serialization/parsing of private keys, public keys, signatures.
  • Very efficient implementation.

Implementation details

  • General
    • Avoid dynamic memory usage almost everywhere.
  • Field operations
    • Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
      • Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
      • Using 10 26-bit limbs.
      • Using GMP.
    • Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
  • Group operations
    • Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
    • Use addition between points in Jacobian and affine coordinates where possible.
  • Point multiplication for verification (aP + bG).
    • Use wNAF notation for point multiplicands.
    • Use a much larger window for multiples of G, using precomputed multiples.
    • Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
    • Optionally use secp256k1's efficiently-computable endomorphism to split the multiplicands into 4 half-sized ones first.
  • Point multiplication for signing
    • Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
    • Slice the precomputed table in memory per byte, so memory access to the table becomes uniform.
    • Not fully constant-time, but the precomputed tables add and eventually subtract points for which no known scalar (private key) is known, blinding non-constant time effects even from an attacker with control over the private key used.

Build steps

libsecp256k1 is built using autotools:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install  # optional