foster/bitcoin-bitcoin-core
0
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-08 10:31:50 -05:00
Code Issues Activity
Bitcoin Core integration/staging tree
16 commits 6 branches 321 tags 2.3 GiB
C++ 56.4%
C 22.7%
Python 17.6%
CMake 1%
Shell 0.8%
Other 1.3%
Find a file
Pieter Wuille 52380bf304 Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 
c6b6b8f1bb Merge #830: Rip out non-endomorphism code + dependencies
c582abade1 Consistency improvements to the comments
63c6b71616 Reorder comments/function around scalar_split_lambda
2edc514c90 WNAF of lambda_split output has max size 129
4232e5b7da Rip out non-endomorphism code
ebad8414b0 Check correctness of lambda split without -DVERIFY
fe7fc1fda8 Make lambda constant accessible
9d2f2b44d8 Add tests to exercise lambda split near bounds
9aca2f7f07 Add secp256k1_split_lambda_verify
acab934d24 Detailed comments for secp256k1_scalar_split_lambda
76ed922a5f Increase precision of g1 and g2
6173839c90 Switch to our own memcmp function
63150ab4da Merge #827: Rename testrand functions to have test in name
c5257aed0b Merge #821: travis: Explicitly set --with-valgrind
bb1f54280f Merge #818: Add static assertion that uint32_t is unsigned int or wider
a45c1fa63c Rename testrand functions to have test in name
5006895bd6 Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests
4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND
66a765c775 travis: Explicitly set --with-valgrind
d7838ba6a6 Merge #813: Enable configuring Valgrind support
7ceb0b7611 Merge #819: Enable -Wundef warning
8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig
08d7d89299 Make pubkey parsing test whether points are in the correct subgroup
87af00b511 Abstract out challenge computation in schnorrsig
63e1b2aa7d Disable output buffering in tests_exhaustive.c
39f67dd072 Support splitting exhaustive tests across cores
e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs
49e6630bca refactor: move RNG seeding to testrand
b110c106fa Change exhaustive test groups so they have a point with X=1
cec7b18a34 Select exhaustive lambda in function of order
78f6cdfaae Make the curve B constant a secp256k1_fe
d7f39ae4b6 Delete gej_is_valid_var: unused outside tests
8bcd78cd79 Make secp256k1_scalar_b32 detect overflow in scalar_low
c498366e5b Move exhaustive tests for recovery to module
be31791543 Make group order purely compile-time in exhaustive tests
e73ff30922 Enable -Wundef warning
c0041b5cfc Add static assertion that uint32_t is unsigned int or wider
4ad408faf3 Merge #782: Check if variable=yes instead of if var is set in travis.sh
412bf874d0 configure: Allow specifying --with[out]-valgrind explicitly
34debf7a6d Modify .travis.yml to explictly pass no in env vars instead of setting to nothing
a0e99fc121 Merge #814: tests: Initialize random group elements fully
5738e8622d tests: Initialize random group elements fully
c9939ba55d Merge #812: travis: run bench_schnorrsig
a51f2af62b travis: run bench_schnorrsig
ef37761fee Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false

git-subtree-dir: src/secp256k1
git-subtree-split: c6b6b8f1bb044d7d1aa065ebb674adde98a36a8e
2020-10-14 11:41:15 -07:00
build-aux/m4 Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad 2020-09-11 12:44:08 -07:00
contrib Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
include Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad 2020-09-11 12:44:08 -07:00
obj Squashed 'src/secp256k1/' content from commit ad2028f 2014-11-18 18:06:36 +01:00
sage Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
src Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
.gitignore Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad 2020-09-11 12:44:08 -07:00
.travis.yml Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
autogen.sh Squashed 'src/secp256k1/' content from commit ad2028f 2014-11-18 18:06:36 +01:00
configure.ac Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
COPYING Squashed 'src/secp256k1/' content from commit ad2028f 2014-11-18 18:06:36 +01:00
libsecp256k1.pc.in Squashed 'src/secp256k1/' changes from 0b70241850..b19c000063 2019-03-31 11:41:05 -07:00
Makefile.am Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad 2020-09-11 12:44:08 -07:00
README.md Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb 2020-10-14 11:41:15 -07:00
SECURITY.md Squashed 'src/secp256k1/' changes from b19c000063..2ed54da18a 2020-06-09 13:39:09 -07:00

README.md

libsecp256k1

Build Status

Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.

This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

Features:

  • secp256k1 ECDSA signing/verification and key generation.
  • Additive and multiplicative tweaking of secret/public keys.
  • Serialization/parsing of secret keys, public keys, signatures.
  • Constant time, constant memory access signing and public key generation.
  • Derandomized ECDSA (via RFC6979 or with a caller provided function.)
  • Very efficient implementation.
  • Suitable for embedded systems.
  • Optional module for public key recovery.
  • Optional module for ECDH key exchange (experimental).

Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.

Implementation details

  • General
    • No runtime heap allocation.
    • Extensive testing infrastructure.
    • Structured to facilitate review and analysis.
    • Intended to be portable to any system with a C89 compiler and uint64_t support.
    • No use of floating types.
    • Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
  • Field operations
    • Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
      • Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
      • Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
    • Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
  • Scalar operations
    • Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
      • Using 4 64-bit limbs (relying on __int128 support in the compiler).
      • Using 8 32-bit limbs.
  • Group operations
    • Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
    • Use addition between points in Jacobian and affine coordinates where possible.
    • Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
    • Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
  • Point multiplication for verification (aP + bG).
    • Use wNAF notation for point multiplicands.
    • Use a much larger window for multiples of G, using precomputed multiples.
    • Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
    • Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
  • Point multiplication for signing
    • Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
    • Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
      • Access the table with branch-free conditional moves so memory access is uniform.
      • No data-dependent branches
    • Optional runtime blinding which attempts to frustrate differential power analysis.
    • The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

Build steps

libsecp256k1 is built using autotools:

$ ./autogen.sh
$ ./configure
$ make
$ make check
$ sudo make install  # optional

Exhaustive tests

$ ./exhaustive_tests

With valgrind, you might need to increase the max stack size:

$ valgrind --max-stackframe=2500000 ./exhaustive_tests

Test coverage

This library aims to have full coverage of the reachable lines and branches.

To create a test coverage report, configure with --enable-coverage (use of GCC is necessary):

$ ./configure --enable-coverage

Run the tests:

$ make check

To create a report, gcovr is recommended, as it includes branch coverage reporting:

$ gcovr --exclude 'src/bench*' --print-summary

To create a HTML report with coloured and annotated source code:

$ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html

Reporting a vulnerability

See SECURITY.md