README.md
1 libsecp256k1 2 ============ 3 4  5 [](https://web.libera.chat/#secp256k1) 6 7 High-performance high-assurance C library for digital signatures and other cryptographic primitives on the secp256k1 elliptic curve. 8 9 This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose. 10 11 Features: 12 * secp256k1 ECDSA signing/verification and key generation. 13 * Additive and multiplicative tweaking of secret/public keys. 14 * Serialization/parsing of secret keys, public keys, signatures. 15 * Constant time, constant memory access signing and public key generation. 16 * Derandomized ECDSA (via RFC6979 or with a caller provided function.) 17 * Very efficient implementation. 18 * Suitable for embedded systems. 19 * No runtime dependencies. 20 * Optional module for public key recovery. 21 * Optional module for ECDH key exchange. 22 * Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki). 23 * Optional module for ElligatorSwift key exchange according to [BIP-324](https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki). 24 * Optional module for MuSig2 Schnorr multi-signatures according to [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki). 25 26 Implementation details 27 ---------------------- 28 29 * General 30 * No runtime heap allocation. 31 * Extensive testing infrastructure. 32 * Structured to facilitate review and analysis. 33 * Intended to be portable to any system with a C89 compiler and uint64_t support. 34 * No use of floating types. 35 * Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.") 36 * Field operations 37 * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1). 38 * Using 5 52-bit limbs 39 * Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan). 40 * This is an experimental feature that has not received enough scrutiny to satisfy the standard of quality of this library but is made available for testing and review by the community. 41 * Scalar operations 42 * Optimized implementation without data-dependent branches of arithmetic modulo the curve's order. 43 * Using 4 64-bit limbs (relying on __int128 support in the compiler). 44 * Using 8 32-bit limbs. 45 * Modular inverses (both field elements and scalars) based on [safegcd](https://gcd.cr.yp.to/index.html) with some modifications, and a variable-time variant (by Peter Dettman). 46 * Group operations 47 * Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7). 48 * Use addition between points in Jacobian and affine coordinates where possible. 49 * Use a unified addition/doubling formula where necessary to avoid data-dependent branches. 50 * Point/x comparison without a field inversion by comparison in the Jacobian coordinate space. 51 * Point multiplication for verification (a*P + b*G). 52 * Use wNAF notation for point multiplicands. 53 * Use a much larger window for multiples of G, using precomputed multiples. 54 * Use Shamir's trick to do the multiplication with the public key and the generator simultaneously. 55 * Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones. 56 * Point multiplication for signing 57 * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions. 58 * Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains) 59 * Access the table with branch-free conditional moves so memory access is uniform. 60 * No data-dependent branches 61 * Optional runtime blinding which attempts to frustrate differential power analysis. 62 * The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally. 63 64 Obtaining and verifying 65 ----------------------- 66 67 The git tag for each release (e.g. `v0.6.0`) is GPG-signed by one of the maintainers. 68 For a fully verified build of this project, it is recommended to obtain this repository 69 via git, obtain the GPG keys of the signing maintainer(s), and then verify the release 70 tag's signature using git. 71 72 This can be done with the following steps: 73 74 1. Obtain the GPG keys listed in [SECURITY.md](./SECURITY.md). 75 2. If possible, cross-reference these key IDs with another source controlled by its owner (e.g. 76 social media, personal website). This is to mitigate the unlikely case that incorrect 77 content is being presented by this repository. 78 3. Clone the repository: 79 ``` 80 git clone https://github.com/bitcoin-core/secp256k1 81 ``` 82 4. Check out the latest release tag, e.g. 83 ``` 84 git checkout v0.6.0 85 ``` 86 5. Use git to verify the GPG signature: 87 ``` 88 % git tag -v v0.6.0 | grep -C 3 'Good signature' 89 90 gpg: Signature made Mon 04 Nov 2024 12:14:44 PM EST 91 gpg: using RSA key 4BBB845A6F5A65A69DFAEC234861DBF262123605 92 gpg: Good signature from "Jonas Nick <jonas@n-ck.net>" [unknown] 93 gpg: aka "Jonas Nick <jonasd.nick@gmail.com>" [unknown] 94 gpg: WARNING: This key is not certified with a trusted signature! 95 gpg: There is no indication that the signature belongs to the owner. 96 Primary key fingerprint: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366 97 Subkey fingerprint: 4BBB 845A 6F5A 65A6 9DFA EC23 4861 DBF2 6212 3605 98 ``` 99 100 Building with Autotools 101 ----------------------- 102 103 $ ./autogen.sh # Generate a ./configure script 104 $ ./configure # Generate a build system 105 $ make # Run the actual build process 106 $ make check # Run the test suite 107 $ sudo make install # Install the library into the system (optional) 108 109 To compile optional modules (such as Schnorr signatures), you need to run `./configure` with additional flags (such as `--enable-module-schnorrsig`). Run `./configure --help` to see the full list of available flags. 110 111 Building with CMake 112 ------------------- 113 114 To maintain a pristine source tree, CMake encourages to perform an out-of-source build by using a separate dedicated build tree. 115 116 ### Building on POSIX systems 117 118 $ cmake -B build # Generate a build system in subdirectory "build" 119 $ cmake --build build # Run the actual build process 120 $ ctest --test-dir build # Run the test suite 121 $ sudo cmake --install build # Install the library into the system (optional) 122 123 To compile optional modules (such as Schnorr signatures), you need to run `cmake` with additional flags (such as `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG=ON`). Run `cmake -B build -LH` or `ccmake -B build` to see the full list of available flags. 124 125 ### Cross compiling 126 127 To alleviate issues with cross compiling, preconfigured toolchain files are available in the `cmake` directory. 128 For example, to cross compile for Windows: 129 130 $ cmake -B build -DCMAKE_TOOLCHAIN_FILE=cmake/x86_64-w64-mingw32.toolchain.cmake 131 132 To cross compile for Android with [NDK](https://developer.android.com/ndk/guides/cmake) (using NDK's toolchain file, and assuming the `ANDROID_NDK_ROOT` environment variable has been set): 133 134 $ cmake -B build -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK_ROOT}/build/cmake/android.toolchain.cmake" -DANDROID_ABI=arm64-v8a -DANDROID_PLATFORM=28 135 136 ### Building on Windows 137 138 The following example assumes Visual Studio 2022. Using clang-cl is recommended. 139 140 In "Developer Command Prompt for VS 2022": 141 142 >cmake -B build -T ClangCL 143 >cmake --build build --config RelWithDebInfo 144 145 Usage examples 146 ----------- 147 Usage examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`. 148 * [ECDSA example](examples/ecdsa.c) 149 * [Schnorr signatures example](examples/schnorr.c) 150 * [Deriving a shared secret (ECDH) example](examples/ecdh.c) 151 * [ElligatorSwift key exchange example](examples/ellswift.c) 152 * [MuSig2 Schnorr multi-signatures example](examples/musig.c) 153 154 To compile the examples, make sure the corresponding modules are enabled. 155 156 Benchmark 157 ------------ 158 If configured with `--enable-benchmark` (which is the default), binaries for benchmarking the libsecp256k1 functions will be present in the root directory after the build. 159 160 To print the benchmark result to the command line: 161 162 $ ./bench_name 163 164 To create a CSV file for the benchmark result : 165 166 $ ./bench_name | sed '2d;s/ \{1,\}//g' > bench_name.csv 167 168 Reporting a vulnerability 169 ------------ 170 171 See [SECURITY.md](SECURITY.md) 172 173 Contributing to libsecp256k1 174 ------------ 175 176 See [CONTRIBUTING.md](CONTRIBUTING.md)