No description
52380bf304
c6b6b8f1bb Merge #830: Rip out non-endomorphism code + dependencies c582abade1 Consistency improvements to the comments 63c6b71616 Reorder comments/function around scalar_split_lambda 2edc514c90 WNAF of lambda_split output has max size 129 4232e5b7da Rip out non-endomorphism code ebad8414b0 Check correctness of lambda split without -DVERIFY fe7fc1fda8 Make lambda constant accessible 9d2f2b44d8 Add tests to exercise lambda split near bounds 9aca2f7f07 Add secp256k1_split_lambda_verify acab934d24 Detailed comments for secp256k1_scalar_split_lambda 76ed922a5f Increase precision of g1 and g2 6173839c90 Switch to our own memcmp function 63150ab4da Merge #827: Rename testrand functions to have test in name c5257aed0b Merge #821: travis: Explicitly set --with-valgrind bb1f54280f Merge #818: Add static assertion that uint32_t is unsigned int or wider a45c1fa63c Rename testrand functions to have test in name 5006895bd6 Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests 4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND 66a765c775 travis: Explicitly set --with-valgrind d7838ba6a6 Merge #813: Enable configuring Valgrind support 7ceb0b7611 Merge #819: Enable -Wundef warning 8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig 08d7d89299 Make pubkey parsing test whether points are in the correct subgroup 87af00b511 Abstract out challenge computation in schnorrsig 63e1b2aa7d Disable output buffering in tests_exhaustive.c 39f67dd072 Support splitting exhaustive tests across cores e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs 49e6630bca refactor: move RNG seeding to testrand b110c106fa Change exhaustive test groups so they have a point with X=1 cec7b18a34 Select exhaustive lambda in function of order 78f6cdfaae Make the curve B constant a secp256k1_fe d7f39ae4b6 Delete gej_is_valid_var: unused outside tests 8bcd78cd79 Make secp256k1_scalar_b32 detect overflow in scalar_low c498366e5b Move exhaustive tests for recovery to module be31791543 Make group order purely compile-time in exhaustive tests e73ff30922 Enable -Wundef warning c0041b5cfc Add static assertion that uint32_t is unsigned int or wider 4ad408faf3 Merge #782: Check if variable=yes instead of if var is set in travis.sh 412bf874d0 configure: Allow specifying --with[out]-valgrind explicitly 34debf7a6d Modify .travis.yml to explictly pass no in env vars instead of setting to nothing a0e99fc121 Merge #814: tests: Initialize random group elements fully 5738e8622d tests: Initialize random group elements fully c9939ba55d Merge #812: travis: run bench_schnorrsig a51f2af62b travis: run bench_schnorrsig ef37761fee Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false git-subtree-dir: src/secp256k1 git-subtree-split: c6b6b8f1bb044d7d1aa065ebb674adde98a36a8e |
||
|---|---|---|
| build-aux/m4 | ||
| contrib | ||
| include | ||
| obj | ||
| sage | ||
| src | ||
| .gitignore | ||
| .travis.yml | ||
| autogen.sh | ||
| configure.ac | ||
| COPYING | ||
| libsecp256k1.pc.in | ||
| Makefile.am | ||
| README.md | ||
| SECURITY.md | ||
libsecp256k1
Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.
This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.
Features:
- secp256k1 ECDSA signing/verification and key generation.
- Additive and multiplicative tweaking of secret/public keys.
- Serialization/parsing of secret keys, public keys, signatures.
- Constant time, constant memory access signing and public key generation.
- Derandomized ECDSA (via RFC6979 or with a caller provided function.)
- Very efficient implementation.
- Suitable for embedded systems.
- Optional module for public key recovery.
- Optional module for ECDH key exchange (experimental).
Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.
Implementation details
- General
- No runtime heap allocation.
- Extensive testing infrastructure.
- Structured to facilitate review and analysis.
- Intended to be portable to any system with a C89 compiler and uint64_t support.
- No use of floating types.
- Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
- Field operations
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
- Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
- Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Scalar operations
- Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
- Using 4 64-bit limbs (relying on __int128 support in the compiler).
- Using 8 32-bit limbs.
- Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
- Group operations
- Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
- Use addition between points in Jacobian and affine coordinates where possible.
- Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
- Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
- Point multiplication for verification (aP + bG).
- Use wNAF notation for point multiplicands.
- Use a much larger window for multiples of G, using precomputed multiples.
- Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
- Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
- Point multiplication for signing
- Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
- Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
- Access the table with branch-free conditional moves so memory access is uniform.
- No data-dependent branches
- Optional runtime blinding which attempts to frustrate differential power analysis.
- The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.
Build steps
libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ make check
$ sudo make install # optional
Exhaustive tests
$ ./exhaustive_tests
With valgrind, you might need to increase the max stack size:
$ valgrind --max-stackframe=2500000 ./exhaustive_tests
Test coverage
This library aims to have full coverage of the reachable lines and branches.
To create a test coverage report, configure with --enable-coverage (use of GCC is necessary):
$ ./configure --enable-coverage
Run the tests:
$ make check
To create a report, gcovr is recommended, as it includes branch coverage reporting:
$ gcovr --exclude 'src/bench*' --print-summary
To create a HTML report with coloured and annotated source code:
$ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html
Reporting a vulnerability
See SECURITY.md