|
|
|
libsecp256k1
|
|
|
|
============
|
|
|
|
|
|
|
|
[![Build Status](https://travis-ci.org/bitcoin/secp256k1.svg?branch=master)](https://travis-ci.org/bitcoin/secp256k1)
|
|
|
|
|
|
|
|
Optimized C library for EC operations on curve secp256k1.
|
|
|
|
|
|
|
|
This library is experimental, so use at your own risk.
|
|
|
|
|
|
|
|
Features:
|
|
|
|
* Low-level field and group operations on secp256k1.
|
|
|
|
* ECDSA signing/verification and key generation.
|
|
|
|
* Adding/multiplying private/public keys.
|
|
|
|
* Serialization/parsing of private keys, public keys, signatures.
|
|
|
|
* Very efficient implementation.
|
|
|
|
|
|
|
|
Implementation details
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
* General
|
|
|
|
* Avoid dynamic memory usage almost everywhere.
|
|
|
|
* Field operations
|
|
|
|
* Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
|
|
|
|
* Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
|
|
|
|
* Using 10 26-bit limbs.
|
|
|
|
* Using GMP.
|
|
|
|
* Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
|
|
|
|
* Group operations
|
|
|
|
* Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
|
|
|
|
* Use addition between points in Jacobian and affine coordinates where possible.
|
|
|
|
* Point multiplication for verification (a*P + b*G).
|
|
|
|
* Use wNAF notation for point multiplicands.
|
|
|
|
* Use a much larger window for multiples of G, using precomputed multiples.
|
|
|
|
* Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
|
|
|
|
* Optionally use secp256k1's efficiently-computable endomorphism to split the multiplicands into 4 half-sized ones first.
|
|
|
|
* Point multiplication for signing
|
|
|
|
* Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
|
|
|
|
* Slice the precomputed table in memory per byte, so memory access to the table becomes uniform.
|
|
|
|
* Not fully constant-time.
|
|
|
|
|
|
|
|
Build steps
|
|
|
|
-----------
|
|
|
|
|
|
|
|
libsecp256k1 is built using autotools:
|
|
|
|
|
|
|
|
$ ./autogen.sh
|
|
|
|
$ ./configure
|
|
|
|
$ make
|
|
|
|
$ sudo make install # optional
|