mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-01-25 18:53:23 -03:00
Bitcoin Core mirror and no, I don't give a fuck about Monero.
fabdcc633e
|
||
---|---|---|
include | ||
m4 | ||
obj | ||
src | ||
.gitignore | ||
.travis.yml | ||
autogen.sh | ||
configure.ac | ||
COPYING | ||
libsecp256k1.pc.in | ||
Makefile.am | ||
nasm_lt.sh | ||
README.md | ||
TODO |
libsecp256k1
Optimized C library for EC operations on curve secp256k1.
This library is experimental, so use at your own risk.
Features:
- Low-level field and group operations on secp256k1.
- ECDSA signing/verification and key generation.
- Adding/multiplying private/public keys.
- Serialization/parsing of private keys, public keys, signatures.
- Very efficient implementation.
Implementation details
- General
- Avoid dynamic memory usage almost everywhere.
- Field operations
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
- Using 10 26-bit limbs.
- Using GMP.
- Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Group operations
- Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
- Use addition between points in Jacobian and affine coordinates where possible.
- Point multiplication for verification (aP + bG).
- Use wNAF notation for point multiplicands.
- Use a much larger window for multiples of G, using precomputed multiples.
- Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
- Optionally use secp256k1's efficiently-computable endomorphism to split the multiplicands into 4 half-sized ones first.
- Point multiplication for signing
- Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
- Slice the precomputed table in memory per byte, so memory access to the table becomes uniform.
- Not fully constant-time, but the precomputed tables add and eventually subtract points for which no known scalar (private key) is known, blinding non-constant time effects even from an attacker with control over the private key used.
Build steps
libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install # optional