phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-10 03:47:29 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
bitcoin/README.md
fanquake 29fde0223a Squashed 'src/secp256k1/' changes from 199d27cea3..efe85c70a2 
efe85c70a2 Merge bitcoin-core/secp256k1#1466: release cleanup: bump version after 0.4.1
4b2e06f460 release cleanup: bump version after 0.4.1
1ad5185cd4 Merge bitcoin-core/secp256k1#1465: release: prepare for 0.4.1
672053d801 release: prepare for 0.4.1
1a81df826e Merge bitcoin-core/secp256k1#1380: Add ABI checking tool for release process
74a4d974d5 doc: Add ABI checking with `check-abi.sh` to the Release Process
e7f830e32c Add `tools/check-abi.sh`
77af1da9f6 Merge bitcoin-core/secp256k1#1455: doc: improve secp256k1_fe_set_b32_mod doc
3928b7c383 doc: improve secp256k1_fe_set_b32_mod doc
5e9a4d7aec Merge bitcoin-core/secp256k1#990: Add comment on length checks when parsing ECDSA sigs
4197d667ec Merge bitcoin-core/secp256k1#1431: Add CONTRIBUTING.md
0e5ea62207 CONTRIBUTING: add some coding and style conventions
e2c9888eee Merge bitcoin-core/secp256k1#1451: changelog: add entry for "field: Remove x86_64 asm"
d2e36a2b81 changelog: add entry for "field: Remove x86_64 asm"
1a432cb982 README: update first sentence
0922a047fb docs: move coverage report instructions to CONTRIBUTING
76880e4015 Add CONTRIBUTING.md including scope and guidelines for new code
d3e29db8bb Merge bitcoin-core/secp256k1#1450: Add group.h ge/gej equality functions
04af0ba162 Replace ge_equals_ge[,j] calls with group.h equality calls
60525f6c14 Add unit tests for group.h equality functions
a47cd97d51 Add group.h ge/gej equality functions
10e6d29b60 Merge bitcoin-core/secp256k1#1446: field: Remove x86_64 asm
07687e811d Merge bitcoin-core/secp256k1#1393: Implement new policy for VERIFY_CHECK and #ifdef VERIFY (issue #1381)
bb4672342e remove VERIFY_SETUP define
a3a3e11acd remove unneeded VERIFY_SETUP uses in ECMULT_CONST_TABLE_GET_GE macro
a0fb68a2e7 introduce and use SECP256K1_SCALAR_VERIFY macro
cf25c86d05 introduce and use SECP256K1_{FE,GE,GEJ}_VERIFY macros
5d89bc031b remove superfluous `#ifdef VERIFY`/`#endif` preprocessor conditions
c2688f8de9 redefine VERIFY_CHECK to empty in production (non-VERIFY) mode
5814d8485c Merge bitcoin-core/secp256k1#1438: correct assertion for secp256k1_fe_mul_inner
c1b4966410 Merge bitcoin-core/secp256k1#1445: bench: add --help option to bench_internal
f07cead0ca build: Don't call assembly an optimization
2f0762fa8f field: Remove x86_64 asm
1ddd76af0a bench: add --help option to bench_internal
e72103932d Merge bitcoin-core/secp256k1#1441: asm: add .note.GNU-stack section for non-exec stack
ea47c82e01 Merge bitcoin-core/secp256k1#1442: Return temporaries to being unsigned in secp256k1_fe_sqr_inner
dcdda31f2c Tighten secp256k1_fe_mul_inner's VERIFY_BITS checks
10271356c8 Return temporaries to being unsigned in secp256k1_fe_sqr_inner
33dc7e4d3e asm: add .note.GNU-stack section for non-exec stack
c891c5c2f4 Merge bitcoin-core/secp256k1#1437: ci: Ignore internal errors of snapshot compilers
8185e72d29 ci: Ignore internal errors in snapshot compilers
40f50d0fbd Merge bitcoin-core/secp256k1#1184: Signed-digit based ecmult_const algorithm
8e2a5fe908 correct assertion for secp256k1_fe_mul_inner
355bbdf38a Add changelog entry for signed-digit ecmult_const algorithm
21f49d9bec Remove unused secp256k1_scalar_shr_int
115fdc7232 Remove unused secp256k1_wnaf_const
aa9f3a3c00 ecmult_const: add/improve tests
4d16e90111 Signed-digit based ecmult_const algorithm
ba523be067 make SECP256K1_SCALAR_CONST reduce modulo exhaustive group order
2140da9cd5 Add secp256k1_scalar_half for halving scalars (+ tests/benchmarks).
1f1bb78b7f Merge bitcoin-core/secp256k1#1430: README: remove CI badge
5dab0baa80 README: remove CI badge
b314cf2833 Merge bitcoin-core/secp256k1#1426: ci/cirrus: Add native ARM64 jobs
fa4d6c76b6 ci/cirrus: Add native ARM64 persistent workers
ee7aaf213e Merge bitcoin-core/secp256k1#1395: tests: simplify `random_fe_non_zero` (remove loop limit and unneeded normalize)
ba9cb6f378 Merge bitcoin-core/secp256k1#1424: ci: Bump major versions for docker actions
d9d80fd155 ci: Bump major versions for docker actions
4fd00f4bfe Merge bitcoin-core/secp256k1#1422: cmake: Install `libsecp256k1.pc` file
421d84855a ci: Align Autotools/CMake `CI_INSTALL` directory names
9f005c60d6 cmake: Install `libsecp256k1.pc` file
2262d0eaab ci/cirrus: Bring back skeleton .cirrus.yml without jobs
b10ddd2bd2 Merge bitcoin-core/secp256k1#1416: doc: Align documented scripts with CI ones
49be5be9e8 Merge bitcoin-core/secp256k1#1390: tests: Replace counting_illegal_callbacks with CHECK_ILLEGAL_VOID
cbf3053ff1 Merge bitcoin-core/secp256k1#1417: release cleanup: bump version after 0.4.0
9b118bc7fb release cleanup: bump version after 0.4.0
70303643cf tests: add CHECK_ERROR_VOID and use it in scratch tests
f8d7ea68df tests: Replace counting_illegal_callbacks with CHECK_ILLEGAL_VOID
b0f7bfedc9 doc: Do not mention soname in CHANGELOG.md "ABI Compatibility" section
bd9d98d353 doc: Align documented scripts with CI ones
a1d52e3e12 tests: remove unnecessary test in run_ec_pubkey_parse_test
875b0ada25 tests: remove unnecessary set_illegal_callback
c45b7c4fbb refactor: introduce testutil.h (deduplicate `random_fe_`, `ge_equals_` helpers)
dc5514144f tests: simplify `random_fe_non_zero` (remove loop limit and unneeded normalize)
e02f313b1f Add comment on length checks when parsing ECDSA sigs

git-subtree-dir: src/secp256k1
git-subtree-split: efe85c70a2e357e3605a8901a9662295bae1001f
2024-01-04 14:40:28 +00:00

7 KiB
Raw Blame History

libsecp256k1

Dependencies: None irc.libera.chat #secp256k1

High-performance high-assurance C library for digital signatures and other cryptographic primitives on the secp256k1 elliptic curve.

This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

Features:

  • secp256k1 ECDSA signing/verification and key generation.
  • Additive and multiplicative tweaking of secret/public keys.
  • Serialization/parsing of secret keys, public keys, signatures.
  • Constant time, constant memory access signing and public key generation.
  • Derandomized ECDSA (via RFC6979 or with a caller provided function.)
  • Very efficient implementation.
  • Suitable for embedded systems.
  • No runtime dependencies.
  • Optional module for public key recovery.
  • Optional module for ECDH key exchange.
  • Optional module for Schnorr signatures according to BIP-340.

Implementation details

  • General
    • No runtime heap allocation.
    • Extensive testing infrastructure.
    • Structured to facilitate review and analysis.
    • Intended to be portable to any system with a C89 compiler and uint64_t support.
    • No use of floating types.
    • Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
  • Field operations
    • Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
      • Using 5 52-bit limbs
      • Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
        • This is an experimental feature that has not received enough scrutiny to satisfy the standard of quality of this library but is made available for testing and review by the community.
  • Scalar operations
    • Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
      • Using 4 64-bit limbs (relying on __int128 support in the compiler).
      • Using 8 32-bit limbs.
  • Modular inverses (both field elements and scalars) based on safegcd with some modifications, and a variable-time variant (by Peter Dettman).
  • Group operations
    • Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
    • Use addition between points in Jacobian and affine coordinates where possible.
    • Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
    • Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
  • Point multiplication for verification (aP + bG).
    • Use wNAF notation for point multiplicands.
    • Use a much larger window for multiples of G, using precomputed multiples.
    • Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
    • Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
  • Point multiplication for signing
    • Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
    • Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
      • Access the table with branch-free conditional moves so memory access is uniform.
      • No data-dependent branches
    • Optional runtime blinding which attempts to frustrate differential power analysis.
    • The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

Building with Autotools

$ ./autogen.sh
$ ./configure
$ make
$ make check  # run the test suite
$ sudo make install  # optional

To compile optional modules (such as Schnorr signatures), you need to run ./configure with additional flags (such as --enable-module-schnorrsig). Run ./configure --help to see the full list of available flags.

Building with CMake (experimental)

To maintain a pristine source tree, CMake encourages to perform an out-of-source build by using a separate dedicated build tree.

Building on POSIX systems

$ mkdir build && cd build
$ cmake ..
$ make
$ make check  # run the test suite
$ sudo make install  # optional

To compile optional modules (such as Schnorr signatures), you need to run cmake with additional flags (such as -DSECP256K1_ENABLE_MODULE_SCHNORRSIG=ON). Run cmake .. -LH to see the full list of available flags.

Cross compiling

To alleviate issues with cross compiling, preconfigured toolchain files are available in the cmake directory. For example, to cross compile for Windows:

$ cmake .. -DCMAKE_TOOLCHAIN_FILE=../cmake/x86_64-w64-mingw32.toolchain.cmake

To cross compile for Android with NDK (using NDK's toolchain file, and assuming the ANDROID_NDK_ROOT environment variable has been set):

$ cmake .. -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK_ROOT}/build/cmake/android.toolchain.cmake" -DANDROID_ABI=arm64-v8a -DANDROID_PLATFORM=28

Building on Windows

To build on Windows with Visual Studio, a proper generator must be specified for a new build tree.

The following example assumes using of Visual Studio 2022 and CMake v3.21+.

In "Developer Command Prompt for VS 2022":

>cmake -G "Visual Studio 17 2022" -A x64 -S . -B build
>cmake --build build --config RelWithDebInfo

Usage examples

Usage examples can be found in the examples directory. To compile them you need to configure with --enable-examples.

To compile the Schnorr signature and ECDH examples, you also need to configure with --enable-module-schnorrsig and --enable-module-ecdh.

Benchmark

If configured with --enable-benchmark (which is the default), binaries for benchmarking the libsecp256k1 functions will be present in the root directory after the build.

To print the benchmark result to the command line:

$ ./bench_name

To create a CSV file for the benchmark result :

$ ./bench_name | sed '2d;s/ \{1,\}//g' > bench_name.csv

Reporting a vulnerability

See SECURITY.md

Contributing to libsecp256k1

See CONTRIBUTING.md