| Latest | 0.3.0 |
|---|---|
| Homepage | https://github.com/bitcoin-core/secp256k1 |
| License | MIT |
| Platforms | ios 7.0, osx 10.7 |
| Authors | |

# libsecp256k1

Optimized C library for EC operations on curve secp256k1.

This library is a work in progress and is being used to research best practices. Use at your own risk.

Features:

- secp256k1 ECDSA signing/verification and key generation.
- Adding/multiplying private/public keys.
- Serialization/parsing of private keys, public keys, signatures.
- Constant time, constant memory access signing and pubkey generation.
- Derandomized DSA (via RFC6979 or with a caller-provided function).
- Very efficient implementation.

## Implementation details

- General
  - No runtime heap allocation.
  - Extensive testing infrastructure.
  - Structured to facilitate review and analysis.
  - Intended to be portable to any system with a C89 compiler and uint64_t support.
  - Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")

- Field operations
  - Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
  - Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
  - Using 10 26-bit limbs.
  - Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).

- Scalar operations
  - Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
  - Using 4 64-bit limbs (relying on __int128 support in the compiler).
  - Using 8 32-bit limbs.

- Group operations
  - Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
  - Use addition between points in Jacobian and affine coordinates where possible.
  - Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
  - Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.

- Point multiplication for verification (a*P + b*G)
  - Use wNAF notation for point multiplicands.
  - Use a much larger window for multiples of G, using precomputed multiples.
  - Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
  - Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
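The group-operation choices above (doubling specialised for y^2 = x^3 + 7, mixed Jacobian-plus-affine addition, comparing a point's x coordinate without a field inversion) and Shamir's trick for a*P + b*G, shown together as an added toy example in C. This is not libsecp256k1 code: it uses a constructed field p = 17 and generator G = (1, 5) so that every value fits in an int64_t, and it keeps the two data-dependent branches in the addition routine that the real library replaces with branch-free unified formulas. The names (`dbl`, `madd`, `x_equals`, `shamir`) and the order-9 generator are assumptions of this example only.

```c
/* Added toy model (not libsecp256k1 code) of the Jacobian-coordinate group law
 * on y^2 = x^3 + 7, using the constructed field p = 17 and generator G = (1, 5)
 * so every value fits in int64_t. The real library works mod a 256-bit prime. */
#include <stdint.h>
#include <stdio.h>

#define P 17                                  /* toy field prime (assumption) */

typedef struct { int64_t x, y; } Affine;
typedef struct { int64_t X, Y, Z; } Jac;      /* x = X/Z^2, y = Y/Z^3; Z == 0 is infinity */

static const Affine G  = {1, 5};              /* constructed generator, order 9 */
static const Affine G2 = {2, 10};             /* 2*G, precomputed for the demo */

static int64_t md(int64_t a) { a %= P; return a < 0 ? a + P : a; }

/* Modular inverse by Fermat (a^(p-2)); only needed when leaving Jacobian space. */
static int64_t inv(int64_t a) {
    int64_t r = 1, e = P - 2;
    for (a = md(a); e; e >>= 1) { if (e & 1) r = md(r * a); a = md(a * a); }
    return r;
}

static Jac infinity(void) { Jac o = {1, 1, 0}; return o; }
static int is_inf(Jac p) { return p.Z == 0; }

/* Doubling specialised for a = 0 (no x term in the curve equation), as on secp256k1. */
static Jac dbl(Jac p) {
    Jac r;
    int64_t A = md(p.X * p.X), B = md(p.Y * p.Y), C = md(B * B);
    int64_t D = md(4 * p.X * B), E = md(3 * A), F = md(E * E);
    if (is_inf(p)) return p;
    r.X = md(F - 2 * D);
    r.Y = md(E * (D - r.X) - 8 * C);
    r.Z = md(2 * p.Y * p.Z);
    return r;
}

/* Mixed addition Jacobian + affine (the cheaper form the README prefers). The
 * branches on H == 0 are kept for readability; the real library uses unified,
 * branch-free formulas so that secret-dependent control flow never occurs. */
static Jac madd(Jac p, Affine q) {
    Jac r;
    int64_t Z1Z1, U2, S2, H, HH, I4, J, rr, V;
    if (is_inf(p)) { r.X = q.x; r.Y = q.y; r.Z = 1; return r; }
    Z1Z1 = md(p.Z * p.Z);
    U2 = md(q.x * Z1Z1);
    S2 = md(q.y * p.Z * Z1Z1);
    H = md(U2 - p.X);
    if (H == 0) return md(S2 - p.Y) == 0 ? dbl(p) : infinity();   /* P == Q or P == -Q */
    HH = md(H * H); I4 = md(4 * HH); J = md(H * I4);
    rr = md(2 * (S2 - p.Y)); V = md(p.X * I4);
    r.X = md(rr * rr - J - 2 * V);
    r.Y = md(rr * (V - r.X) - 2 * p.Y * J);
    r.Z = md(2 * p.Z * H);
    return r;
}

static Affine to_affine(Jac p) {
    Affine a;
    int64_t zi = inv(p.Z), zi2 = md(zi * zi);
    a.x = md(p.X * zi2);
    a.y = md(p.Y * md(zi2 * zi));
    return a;
}

/* Point/x comparison without an inversion: x == X/Z^2 is tested as x*Z^2 == X. */
static int x_equals(Jac p, int64_t x) {
    return !is_inf(p) && md(x * md(p.Z * p.Z)) == md(p.X);
}

/* Plain left-to-right double-and-add; a reference, not a constant-time ladder. */
static Jac mul(int64_t k, Affine g) {
    Jac acc = infinity();
    int i;
    for (i = 62; i >= 0; i--) {
        acc = dbl(acc);
        if ((k >> i) & 1) acc = madd(acc, g);
    }
    return acc;
}

/* Shamir's trick: a*P + b*Q with one shared doubling chain and the precomputed
 * sum P+Q; assumes P != -Q so that P+Q is a finite point. */
static Jac shamir(int64_t a, Affine p, int64_t b, Affine q) {
    Affine pq = to_affine(madd(madd(infinity(), p), q));
    Jac acc = infinity();
    int i;
    for (i = 62; i >= 0; i--) {
        int ab = (int)((a >> i) & 1), bb = (int)((b >> i) & 1);
        acc = dbl(acc);
        if (ab && bb) acc = madd(acc, pq);
        else if (ab)  acc = madd(acc, p);
        else if (bb)  acc = madd(acc, q);
    }
    return acc;
}

int main(void) {
    Affine r = to_affine(shamir(3, G, 1, G2));
    printf("3*G + 1*(2G) = (%lld, %lld); 9*G is infinity: %d\n",
           (long long)r.x, (long long)r.y, is_inf(mul(9, G)));
    return 0;
}
```

Working in Jacobian coordinates means `inv` is called exactly once, in `to_affine`, and `x_equals` shows why an ECDSA verifier can compare the computed point's x against r without that inversion at all. The two `madd` branches are the cost of readability: on a real implementation they would be a timing and cache side channel whenever the scalar is secret, which is exactly why the library's group law is unified.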

- Point multiplication for signing
  - Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
  - Access the table with branch-free conditional moves so memory access is uniform.
  - No data-dependent branches.
  - The precomputed tables add and eventually subtract points for which no scalar (private key) is known, so that even an attacker who controls the private key being used cannot control the data the code operates on internally.
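Two of the scalar-side mechanisms named above, the wNAF encoding used for the verification multiplicands and the branch-free table access used on the signing path, as an added example in C. This is not the library's code: `wnaf`, `wnaf_check` and `ct_select` are constructions of this example, and the 16-entry table holds small integer pairs in place of precomputed group elements, because the point being made is the access pattern, not the arithmetic.

```c
/* Added example (not libsecp256k1 code): width-w NAF encoding of a scalar and a
 * branch-free table lookup. The table is a constructed array of small integer
 * pairs standing in for precomputed group elements. */
#include <stdint.h>
#include <stdio.h>

#define MAX_DIGITS 65

/* wNAF: every non-zero digit is odd, lies in (-2^(w-1), 2^(w-1)) and is followed by
 * at least w-1 zero digits, so a multiplication needs fewer additions than plain
 * binary. Assumes k < 2^62. Returns the number of digits written to out[]. */
static int wnaf(uint64_t k, int w, int *out) {
    int n = 0;
    int64_t half = (int64_t)1 << (w - 1), full = half * 2;
    while (k) {
        int d = 0;
        if (k & 1) {
            d = (int)(k % (uint64_t)full);   /* k mod 2^w */
            if (d >= half) d -= (int)full;   /* pick the signed representative */
            k -= (uint64_t)(int64_t)d;       /* unsigned wrap-around handles d < 0 */
        }
        out[n++] = d;
        k >>= 1;
    }
    return n;
}

/* Evaluate sum(d_i * 2^i) to decode an encoding. */
static int64_t wnaf_value(const int *d, int n) {
    int64_t acc = 0;
    int i;
    for (i = n - 1; i >= 0; i--) acc = acc * 2 + d[i];
    return acc;
}

/* Self-check: encode, verify the wNAF invariants digit by digit, decode back to k. */
static int wnaf_check(uint64_t k, int w) {
    int d[MAX_DIGITS], i, j, n = wnaf(k, w, d);
    int64_t half = (int64_t)1 << (w - 1);
    for (i = 0; i < n; i++) {
        if (d[i] == 0) continue;
        if (d[i] % 2 == 0 || d[i] <= -half || d[i] >= half) return 0;
        for (j = 1; j < w && i + j < n; j++)
            if (d[i + j] != 0) return 0;    /* non-adjacency violated */
    }
    return wnaf_value(d, n) == (int64_t)k;
}

/* Number of non-zero digits, i.e. the point additions a wNAF multiplication performs. */
static int wnaf_weight(uint64_t k, int w) {
    int d[MAX_DIGITS], i, n = wnaf(k, w, d), c = 0;
    for (i = 0; i < n; i++) c += d[i] != 0;
    return c;
}

typedef struct { uint64_t x, y; } Entry;      /* stand-in for a precomputed point */

/* Branch-free lookup: every entry is read and masked, so neither the branch
 * pattern nor the addresses touched depend on idx (which derives from the secret). */
static Entry ct_select(const Entry *table, int n, int idx) {
    Entry r = {0, 0};
    int i;
    for (i = 0; i < n; i++) {
        uint64_t diff = (uint64_t)(i ^ idx);
        uint64_t nz = (diff | ((uint64_t)0 - diff)) >> 63;  /* 1 if i != idx, else 0 */
        uint64_t mask = nz - 1;                            /* all-ones only when i == idx */
        r.x |= table[i].x & mask;
        r.y |= table[i].y & mask;
    }
    return r;
}

/* Demo table of 16 constructed entries (x = 100+i, y = 200+i); returns the x field. */
static uint64_t table_lookup_x(int idx) {
    Entry t[16];
    int i;
    for (i = 0; i < 16; i++) { t[i].x = 100 + (uint64_t)i; t[i].y = 200 + (uint64_t)i; }
    return ct_select(t, 16, idx).x;
}

int main(void) {
    int d[MAX_DIGITS], i, n = wnaf(0xffULL, 4, d);
    printf("wNAF(255, w=4), most significant digit first:");
    for (i = n - 1; i >= 0; i--) printf(" %d", d[i]);
    printf("\n%d additions instead of 8 in binary; table[9].x = %llu\n",
           wnaf_weight(0xffULL, 4), (unsigned long long)table_lookup_x(9));
    return 0;
}
```

The encoding side is a speed trick and is fine to run on public data such as a signature's r and s; `ct_select` is the defensive side, and the thing to verify in a real build is that the compiler has not turned the mask arithmetic back into a conditional load. A negative wNAF digit on the real library maps to a point negation, which is a single field negation of y and is likewise done with a conditional move rather than a branch.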

## Build steps

libsecp256k1 is built using autotools:

```
$ ./autogen.sh
$ ./configure
$ make
$ ./tests
$ sudo make install # optional
```

### Latest podspec

```json
{
  "name": "secp256k1",
  "version": "0.3.0",
  "summary": "Optimized C library for EC operations on curve secp256k1",
  "description": "Optimized C library for EC operations on curve secp256k1",
  "homepage": "https://github.com/bitcoin-core/secp256k1",
  "license": { "type": "MIT", "file": "LICENSE" },
  "authors": { "daviyang35": "[email protected]" },
  "source": { "git": "https://github.com/bitcoin-core/secp256k1.git" },
  "platforms": { "ios": "7.0", "osx": "10.7" },
  "prepare_command": "./autogen.sh",
  "prefix_header_contents": "/* Define if building universal (internal helper macro) */\n#define AC_APPLE_UNIVERSAL_BUILD 1\n\n/* Define this symbol if OpenSSL EC functions are available */\n/* #undef ENABLE_OPENSSL_TESTS */\n\n/* Define this symbol if __builtin_expect is available */\n#define HAVE_BUILTIN_EXPECT 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_DLFCN_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_INTTYPES_H 1\n\n/* Define this symbol if libcrypto is installed */\n/* #undef HAVE_LIBCRYPTO */\n\n/* Define this symbol if libgmp is installed */\n/* #undef HAVE_LIBGMP */\n\n/* Define to 1 if you have the header file. */\n#define HAVE_MEMORY_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDINT_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDLIB_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STRINGS_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STRING_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_SYS_STAT_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_SYS_TYPES_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_UNISTD_H 1\n\n/* Define to 1 if the system has the type `__int128'. */\n/* #undef HAVE___INT128 */\n\n/* Define to the sub-directory where libtool stores uninstalled libraries. */\n#define LT_OBJDIR \".libs/\"\n\n/* Name of package */\n#define PACKAGE \"libsecp256k1\"\n\n/* Define to the address where bug reports for this package should be sent. */\n#define PACKAGE_BUGREPORT \"\"\n\n/* Define to the full name of this package. */\n#define PACKAGE_NAME \"libsecp256k1\"\n\n/* Define to the full name and version of this package. */\n#define PACKAGE_STRING \"libsecp256k1 0.1\"\n\n/* Define to the one symbol short name of this package. */\n#define PACKAGE_TARNAME \"libsecp256k1\"\n\n/* Define to the home page for this package. */\n#define PACKAGE_URL \"\"\n\n/* Define to the version of this package. */\n#define PACKAGE_VERSION \"0.1\"\n\n/* Define to 1 if you have the ANSI C header files. */\n#define STDC_HEADERS 1\n\n/* Define this symbol to enable x86_64 assembly optimizations */\n/* #undef USE_ASM_X86_64 */\n\n/* Define this symbol to use endomorphism optimization */\n/* #undef USE_ENDOMORPHISM */\n\n/* Define this symbol to use the FIELD_10X26 implementation */\n#define USE_FIELD_10X26 1\n\n/* Define this symbol to use the FIELD_5X52 implementation */\n/* #undef USE_FIELD_5X52 */\n\n/* Define this symbol to use the native field inverse implementation */\n#define USE_FIELD_INV_BUILTIN 1\n\n/* Define this symbol to use the num-based field inverse implementation */\n/* #undef USE_FIELD_INV_NUM */\n\n/* Define this symbol to use the gmp implementation for num */\n/* #undef USE_NUM_GMP */\n\n/* Define this symbol to use no num implementation */\n#define USE_NUM_NONE 1\n\n/* Define this symbol to use the 4x64 scalar implementation */\n/* #undef USE_SCALAR_4X64 */\n\n/* Define this symbol to use the 8x32 scalar implementation */\n#define USE_SCALAR_8X32 1\n\n/* Define this symbol to use the native scalar inverse implementation */\n#define USE_SCALAR_INV_BUILTIN 1\n\n/* Define this symbol to use the num-based scalar inverse implementation */\n/* #undef USE_SCALAR_INV_NUM */\n\n/* Version number of package */\n#define VERSION \"0.1\"\n\n/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most\n   significant byte first (like Motorola and SPARC, unlike Intel). */\n#if defined AC_APPLE_UNIVERSAL_BUILD\n# if defined __BIG_ENDIAN__\n#  define WORDS_BIGENDIAN 1\n# endif\n#else\n# ifndef WORDS_BIGENDIAN\n/* #  undef WORDS_BIGENDIAN */\n# endif\n#endif\n\n#define DETERMINISTIC 1\n\n#import \"secp256k1.h\"",
  "source_files": [ "include/secp256k1.h", "src/**.{h,c}" ],
  "public_header_files": "include/secp256k1.h",
  "exclude_files": [ "src/bench*", "src/test*", "src/gen_context.c", "src/libsecp256k1-config.h" ],
  "libraries": "c++",
  "xcconfig": { "HEADER_SEARCH_PATHS": "${PODS_ROOT}/secp256k1" }
}
```

Fri, 23 Feb 2018 00:40:03 +0000