status-im/secp256k1
2
0
Fork 0
mirror of https://github.com/status-im/secp256k1.git synced 2025-02-23 11:18:15 +00:00
Code Issues Projects Releases Wiki Activity
1,348 Commits 1 Branch 0 Tags 12 MiB
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Tim Ruffing 7973576f6e
Merge #662: Add ecmult_gen, ecmult_const and ecmult to benchmark 
8f879c2887e166da2ec959ce78078f7b84ebfdf9 Fix array size in bench_ecmult (Jonas Nick)
2fe1b50df16c9f41ea77b151634d734b930eeddd Add ecmult_gen, ecmult_const and ecmult to benchmark (Jonas Nick)
593e6bad9c5cda05dd72a5bd8266c4880113b4af Clean up ecmult_bench to make space for more benchmarks (Jonas Nick)

Pull request description:

  I was trying to determine the impact of ecmult_gen in schnorrsig signing and noticed that there is no way to bench this right now. The new benchmarks look like this:
  ```
  $ ./bench_ecmult
  ecmult_gen: min 20.9us / avg 21.2us / max 21.7us
  ecmult_const: min 63.9us / avg 64.3us / max 64.8us
  ecmult 1: min 49.4us / avg 49.7us / max 50.3us
  ecmult 1g: min 39.8us / avg 40.0us / max 40.3us
  ecmult 2g: min 27.2us / avg 27.3us / max 27.8us
  ecmult_multi 1g: min 39.8us / avg 40.0us / max 40.2us
  ecmult_multi 2g: min 27.2us / avg 27.4us / max 27.7us
  ecmult_multi 3g: min 22.8us / avg 22.9us / max 23.1us
  ecmult_multi 4g: min 20.6us / avg 20.8us / max 21.1us
  ecmult_multi 5g: min 19.3us / avg 19.5us / max 19.7us
  ```

  (Turns out ecmult_gen is 37% of the 55.8us that schnorrsig sign takes)

ACKs for top commit:
  real-or-random:
    ACK 8f879c2887e166da2ec959ce78078f7b84ebfdf9
  elichai:
    tACK 8f879c2887e166da2ec959ce78078f7b84ebfdf9

Tree-SHA512: 8a739f5de1e2c0467c8d1c3ceeaf453b396a470ea0e8e5bef15fe1b32f3f9633b6b1c7e2ce1d94d736cf3e9adecd8f4f983ad4ba37450cd5991767f1a95db85c
2021-06-06 13:57:30 +02:00
build-aux/m4
Remove num/gmp support
2021-03-15 13:01:52 -07:00
ci
ci: Make test iterations configurable and tweak for sanitizer builds
2021-05-21 20:48:07 +02:00
contrib
contrib: Explain explicit header guards
2021-05-06 17:12:11 +02:00
doc
Use modified divsteps with initial delta=1/2 for constant-time
2021-04-13 11:59:11 -07:00
include
Merge #850: add secp256k1_ec_pubkey_cmp method
2021-05-13 19:17:53 +00:00
sage
Fix insecure links
2020-12-18 00:24:22 +02:00
src
Fix array size in bench_ecmult
2021-05-31 20:46:04 +00:00
.cirrus.yml
ci: Run PRs on merge result even for i686
2021-05-31 18:11:27 +02:00
.gitignore
Clean up git tree
2021-05-14 11:37:44 +02:00
autogen.sh
Add autoreconf warnings. Replace obsolete AC_TRY_COMPILE.
2014-11-06 22:20:05 +13:00
configure.ac
Merge #889: fix uninitialized read in tests
2021-04-07 12:53:09 +00:00
COPYING
MIT License
2013-05-09 15:24:32 +02:00
libsecp256k1.pc.in
Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
2018-10-22 17:24:45 -07:00
Makefile.am
Makefile.am: Don't pass a variable twice
2021-05-03 15:07:04 +02:00
README.md
Clean up git tree
2021-05-14 11:37:44 +02:00
SECURITY.md
Add SECURITY.md
2019-10-28 14:59:05 +00:00

README.md

libsecp256k1

Build Status

Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.

This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

Features:

  • secp256k1 ECDSA signing/verification and key generation.
  • Additive and multiplicative tweaking of secret/public keys.
  • Serialization/parsing of secret keys, public keys, signatures.
  • Constant time, constant memory access signing and public key generation.
  • Derandomized ECDSA (via RFC6979 or with a caller provided function.)
  • Very efficient implementation.
  • Suitable for embedded systems.
  • Optional module for public key recovery.
  • Optional module for ECDH key exchange.

Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.

Implementation details

  • General
    • No runtime heap allocation.
    • Extensive testing infrastructure.
    • Structured to facilitate review and analysis.
    • Intended to be portable to any system with a C89 compiler and uint64_t support.
    • No use of floating types.
    • Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
  • Field operations
    • Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
      • Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
      • Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
  • Scalar operations
    • Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
      • Using 4 64-bit limbs (relying on __int128 support in the compiler).
      • Using 8 32-bit limbs.
  • Modular inverses (both field elements and scalars) based on safegcd with some modifications, and a variable-time variant (by Peter Dettman).
  • Group operations
    • Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
    • Use addition between points in Jacobian and affine coordinates where possible.
    • Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
    • Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
  • Point multiplication for verification (aP + bG).
    • Use wNAF notation for point multiplicands.
    • Use a much larger window for multiples of G, using precomputed multiples.
    • Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
    • Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
  • Point multiplication for signing
    • Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
    • Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
      • Access the table with branch-free conditional moves so memory access is uniform.
      • No data-dependent branches
    • Optional runtime blinding which attempts to frustrate differential power analysis.
    • The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

Build steps

libsecp256k1 is built using autotools:

$ ./autogen.sh
$ ./configure
$ make
$ make check
$ sudo make install  # optional

Exhaustive tests

$ ./exhaustive_tests

With valgrind, you might need to increase the max stack size:

$ valgrind --max-stackframe=2500000 ./exhaustive_tests

Test coverage

This library aims to have full coverage of the reachable lines and branches.

To create a test coverage report, configure with --enable-coverage (use of GCC is necessary):

$ ./configure --enable-coverage

Run the tests:

$ make check

To create a report, gcovr is recommended, as it includes branch coverage reporting:

$ gcovr --exclude 'src/bench*' --print-summary

To create a HTML report with coloured and annotated source code:

$ mkdir -p coverage
$ gcovr --exclude 'src/bench*' --html --html-details -o coverage/coverage.html

Reporting a vulnerability

See SECURITY.md

Description
Optimized C library for EC operations on curve secp256k1
Readme
Languages
C 91.7%
Sage 2.7%
Assembly 1.8%
CMake 1.4%
M4 1.3%
Other 1.1%