mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-02-21 14:34:49 +01:00
Bitcoin Core integration/staging tree
b9c1a76481
8ab24e8dad Merge #558: Add schnorrsig module which implements BIP-340 compliant signatures f3733c5433 Merge #797: Fix Jacobi benchmarks and other benchmark improvements cb5524adc5 Add benchmark for secp256k1_ge_set_gej_var 5c6af60ec5 Make jacobi benchmarks vary inputs d0fdd5f009 Randomize the Z coordinates in bench_internal c7a3424c5f Rename bench_internal variables 875d68b95f Merge #699: Initialize field elements when resulting in infinity 54caf2e74f Merge #799: Add fallback LE/BE for architectures with known endianness + SHA256 selftest f431b3f28a valgrind_ctime_test: Add schnorrsig_sign 16ffa9d97c schnorrsig: Add taproot test case 8dfd53ee3f schnorrsig: Add benchmark for sign and verify 4e43520026 schnorrsig: Add BIP-340 compatible signing and verification 7332d2db6b schnorrsig: Add BIP-340 nonce function 7a703fd97d schnorrsig: Init empty experimental module eabd9bc46a Allow initializing tagged sha256 6fcb5b845d extrakeys: Add keypair_xonly_tweak_add 58254463f9 extrakeys: Add keypair struct with create, pub and pub_xonly f0010349b8 Separate helper functions for pubkey_create and seckey_tweak_add 910d9c284c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test 176bfb1110 Separate helper function for ec_pubkey_tweak_add 4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey f49c9896b0 Merge #806: Trivial: Add test logs to gitignore aabf00c155 Merge #648: Prevent ints from wrapping around in scratch space functions f5adab16a9 Merge #805: Remove the extremely outdated TODO file. bceefd6547 Add test logs to gitignore 1c325199d5 Remove the extremely outdated TODO file. 47e6618e11 extrakeys: Init empty experimental module 3e08b02e2a Make the secp256k1_declassify argument constant 8bc6aeffa9 Add SHA256 selftest 670cdd3f8b Merge #798: Check assumptions on integer implementation at compile time 5e5fb28b4a Use additional system macros to figure out endianness 7c068998ba Compile-time check assumptions on integer types 02b6c87b52 Add support for (signed) __int128 979961c506 Merge #787: Use preprocessor macros instead of autoconf to detect endianness 887bd1f8b6 Merge #793: Make scalar/field choice depend on C-detected __int128 availability 0dccf98a21 Use preprocessor macros instead of autoconf to detect endianness b2c8c42cf1 Merge #795: Avoid linking libcrypto in the valgrind ct test. 57d3a3c64c Avoid linking libcrypto in the valgrind ct test. 79f1f7a4f1 Autodetect __int128 availability on the C side 0d7727f95e Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field 805082de11 Merge #696: Run a Travis test on s390x (big endian) 39295362cf Test travis s390x (big endian) 6034a04fb1 Merge #778: secp256k1_gej_double_nonzero supports infinity f60915906d Merge #779: travis: Fix argument quoting for ./configure 9e49a9b255 travis: Fix argument quoting for ./configure 18d36327fd secp256k1_gej_double_nonzero supports infinity 214cb3c321 Merge #772: Improve constant-timeness on PowerPC 40412b1930 Merge #774: tests: Abort if malloc() fails during context cloning tests 2e1b9e0458 tests: Abort if malloc() fails during context cloning tests 67a429f31f Suppress a harmless variable-time optimization by clang in _int_cmov 5b196338f0 Remove redundant "? 1 : 0" after comparisons in scalar code 3e5cfc5c73 Merge #741: Remove unnecessary sign variable from wnaf_const 66bb9320c0 Merge #773: Fix some compile problems on weird/old compilers. 1309c03c45 Fix some compile problems on weird/old compilers. 2309c7dd4a Merge #769: Undef HAVE___INT128 in basic-config.h to fix gen_context compilation 22e578bb11 Undef HAVE___INT128 in basic-config.h to fix gen_context compilation 3f4a5a10e4 Merge #765: remove dead store in ecdsa_signature_parse_der_lax f00d6575ca remove dead store in ecdsa_signature_parse_der_lax dbd41db16a Merge #759: Fix uninitialized variables in ecmult_multi test 2e7fc5b537 Fix uninitialized variables in ecmult_multi test 37dba329c6 Remove unnecessary sign variable from wnaf_const 6bb0b77e15 Fix test_constant_wnaf for -1 and add a test for it. 47a7b8382f Clear field elements when writing infinity 61d1ecb028 Added test with additions resulting in infinity 60f7f2de5d Don't assume that ALIGNMENT > 1 in tests ada6361dec Use ROUND_TO_ALIGN in scratch_create 8ecc6ce50e Add check preventing rounding to alignment from wrapping around in scratch_alloc 4edaf06fb0 Add check preventing integer multiplication wrapping around in scratch_max_allocation git-subtree-dir: src/secp256k1 git-subtree-split: 8ab24e8dad9d43fc6661842149899e3cc9213b24 |
||
|---|---|---|
| build-aux/m4 | ||
| contrib | ||
| include | ||
| obj | ||
| sage | ||
| src | ||
| .gitignore | ||
| .travis.yml | ||
| autogen.sh | ||
| configure.ac | ||
| COPYING | ||
| libsecp256k1.pc.in | ||
| Makefile.am | ||
| README.md | ||
| SECURITY.md | ||
libsecp256k1
Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.
This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.
Features:
- secp256k1 ECDSA signing/verification and key generation.
- Additive and multiplicative tweaking of secret/public keys.
- Serialization/parsing of secret keys, public keys, signatures.
- Constant time, constant memory access signing and public key generation.
- Derandomized ECDSA (via RFC6979 or with a caller provided function.)
- Very efficient implementation.
- Suitable for embedded systems.
- Optional module for public key recovery.
- Optional module for ECDH key exchange (experimental).
Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.
Implementation details
- General
- No runtime heap allocation.
- Extensive testing infrastructure.
- Structured to facilitate review and analysis.
- Intended to be portable to any system with a C89 compiler and uint64_t support.
- No use of floating types.
- Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
- Field operations
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
- Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
- Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
- Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
- Scalar operations
- Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
- Using 4 64-bit limbs (relying on __int128 support in the compiler).
- Using 8 32-bit limbs.
- Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
- Group operations
- Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
- Use addition between points in Jacobian and affine coordinates where possible.
- Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
- Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
- Point multiplication for verification (aP + bG).
- Use wNAF notation for point multiplicands.
- Use a much larger window for multiples of G, using precomputed multiples.
- Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
- Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
- Point multiplication for signing
- Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
- Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
- Access the table with branch-free conditional moves so memory access is uniform.
- No data-dependent branches
- Optional runtime blinding which attempts to frustrate differential power analysis.
- The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.
Build steps
libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ make check
$ sudo make install # optional
Exhaustive tests
$ ./exhaustive_tests
With valgrind, you might need to increase the max stack size:
$ valgrind --max-stackframe=2500000 ./exhaustive_tests
Test coverage
This library aims to have full coverage of the reachable lines and branches.
To create a test coverage report, configure with --enable-coverage (use of GCC is necessary):
$ ./configure --enable-coverage
Run the tests:
$ make check
To create a report, gcovr is recommended, as it includes branch coverage reporting:
$ gcovr --exclude 'src/bench*' --print-summary
To create a HTML report with coloured and annotated source code:
$ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html
Reporting a vulnerability
See SECURITY.md