README
¶
secp256k1-voi - Yet another secp256k1 implementation
Yawning Angel (yawning at schwanenlied dot me)
Ponzi schemes exist in stable disequilibrium. This means that while they can’t ultimately succeed, they can persist indefinitely—until they don’t.
--Harry Markopolos
This is a correctness/simplicity-first implementation of the secp256k1 elliptic curve used by shitcoins, written as an elaborate cry for help.
The following techniques and tools are used for "correctness/simplicity":
- The scalar/field arithmetic implementations are produced by fiat-crypto.
- The scalar/field inversion, and the field square root implementations are produced by addchain.
- Exception free point addition and doubling formulas from "Complete addition formulas for prime order elliptic curves" by Renes, Costello, and Batina are used.
Warning
This product can expose you to chemicals which are know to the State of California to cause cancer. For more information visit www.P65Warnings.ca.gov.
Features
- Formally verified field and scalar arithmetic.
- Constant time curve and scalar arithmetic operations unless explicitly noted otherwise.
- Fast
s * Groutine using precomputed tables. - Fast variable-time
u1 * G + u2 * Proutine for signature verification. - Safe-by-default API, that makes it extremely hard to create invalid points and scalars.
- Point s11n per SEC 1, Version 2.0, Section 2.3.3.
- ECDH per SEC 1, Version 2.0, Section 3.3.1.
- ECDSA per SEC 1, Version 2.0, Section 4.1.3/4.1.4 and BIP-0066.
- ECDSA with RFC 6979 + SHA256 for compatibility.
- ECDSA public key recovery per the various shitcoins.
- Schnorr signatures per BIP-0340.
- Hash to curve per RFC 9380.
Notes
- No, this has not been audited. Unless you are willing to pay for it, do not ask about it. If you do not know how much that will cost, you can not afford it.
- The API and some interals are heavily inspired by Filippo's edwards25519 and nistec packages.
- Only the 64-bit implementations of the underlying field arithmetic are used, as 32-bit architectures are either increasingly irrelevant (x86, ARM) or fucking garbage (WASM). I may reconsider this when Golang gets build tags that make this easy (and no, keeping track of all the architectures is not "easy").
- No attempt is made to sanitize memory. It is a lost cause in most languages, and totally, utterly hopeless in Go.
- SIMD is used to accelerate the constant time table lookups. Building
with
puregodisables the use of assembly. It is almost, but not quite, not even worth having variable-time variants of the multiplies on amd64 due to the vectorized table lookup. - The fiat-crypto ToBytes/FromBytes routines are not used due to our need to handle non-canonical encodings, and the fact that fiat expects and outputs little-endian, while big-endian is customary for this curve.
- Worms in my brain, get them out.
Performance
While this does try to be reasonably performant, the primary goal is to be the most (obviously) correct Golang secp256k1, not the fastest Golang secp256k1.
In short (only relevant figures listed):
cpu: AMD Ryzen 7 5700G with Radeon Graphics
BenchmarkPoint/GLV/ScalarMult-16 18753 64955 ns/op 176 B/op 3 allocs/op
BenchmarkPoint/ScalarBaseMult-16 47127 24230 ns/op 0 B/op 0 allocs/op
BenchmarkPoint/DoubleScalarMultBasepointVartime-16 15546 78549 ns/op 176 B/op 3 allocs/op
BenchmarkPoint/s11n/UncompressedBytes-16 192446 5517 ns/op 0 B/op 0 allocs/op
BenchmarkPoint/s11n/CompressedBytes-16 219115 5520 ns/op 0 B/op 0 allocs/op
"It's alright". Compared to dcrd/dcrec/secp256k1 (aka btcec),
verification performance is basically the same, signing is slower, ECDH
ranges from slightly faster (on x86-64) to slower (purego). On the other
hand, this library is timing side-channel safe on reasonable architectures.
Potential improvements:
- Sit and wait for Go 1.21 to come out, it seems to do better.
- wNAF based point multiplication is probably a gain.
- Go and add "multiply a field element by a small integer" to fiat.
- Pippenger's multi-scalar multiply would be better in certain cases.
Documentation
¶
Overview ¶
Package secp256k1 implements the secp256k1 elliptic curve as specified in SEC 2, Version 2.0, Section 2.4.1.
Index ¶
- Constants
- func SplitUncompressedPoint(ptBytes []byte) ([]byte, uint64)
- type Point
- func (v *Point) Add(p, q *Point) *Point
- func (v *Point) CompressedBytes() []byte
- func (v *Point) ConditionalNegate(p *Point, ctrl uint64) *Point
- func (v *Point) ConditionalSelect(a, b *Point, ctrl uint64) *Point
- func (v *Point) Double(p *Point) *Point
- func (v *Point) DoubleScalarMultBasepointVartime(u1, u2 *Scalar, p *Point) *Point
- func (v *Point) Equal(p *Point) uint64
- func (v *Point) Generator() *Point
- func (v *Point) Identity() *Point
- func (v *Point) IsIdentity() uint64
- func (v *Point) IsYOdd() uint64
- func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point
- func (v *Point) MultiScalarMultVartime(scalars []*Scalar, points []*Point) *Point
- func (v *Point) Negate(p *Point) *Point
- func (v *Point) ScalarBaseMult(s *Scalar) *Point
- func (v *Point) ScalarMult(s *Scalar, p *Point) *Point
- func (v *Point) Set(p *Point) *Point
- func (v *Point) SetBytes(src []byte) (*Point, error)
- func (v *Point) SetCompressedBytes(src []byte) (*Point, error)
- func (v *Point) SetUncompressedBytes(src []byte) (*Point, error)
- func (v *Point) SetUniformBytes(src []byte) *Point
- func (v *Point) Subtract(p, q *Point) *Point
- func (v *Point) UncompressedBytes() []byte
- func (v *Point) XBytes() ([]byte, error)
- type Scalar
- func (s *Scalar) Add(a, b *Scalar) *Scalar
- func (s *Scalar) Bytes() []byte
- func (s *Scalar) ConditionalNegate(a *Scalar, ctrl uint64) *Scalar
- func (s *Scalar) ConditionalSelect(a, b *Scalar, ctrl uint64) *Scalar
- func (s *Scalar) Equal(a *Scalar) uint64
- func (z *Scalar) Invert(x *Scalar) *Scalar
- func (s *Scalar) IsGreaterThanHalfN() uint64
- func (s *Scalar) IsZero() uint64
- func (s *Scalar) Multiply(a, b *Scalar) *Scalar
- func (s *Scalar) Negate(a *Scalar) *Scalar
- func (s *Scalar) One() *Scalar
- func (s *Scalar) Product(vec ...*Scalar) *Scalar
- func (s *Scalar) Set(a *Scalar) *Scalar
- func (s *Scalar) SetBytes(src *[ScalarSize]byte) (*Scalar, uint64)
- func (s *Scalar) SetCanonicalBytes(src *[ScalarSize]byte) (*Scalar, error)
- func (s *Scalar) Square(a *Scalar) *Scalar
- func (s *Scalar) Subtract(a, b *Scalar) *Scalar
- func (s *Scalar) Sum(vec ...*Scalar) *Scalar
- func (s *Scalar) Zero() *Scalar
Constants ¶
const ( // CompressedPointSize is the size of a compressed point in bytes, // in the SEC 1, Version 2.0, Section 2.3.3 encoding (`Y_EvenOrOdd | X`). CompressedPointSize = 33 // UncompressedPointSize is the size of an uncompressed point in // bytes in the SEC 1, Version 2.0, Section 2.3.3 encoding // (`0x04 | X | Y`). UncompressedPointSize = 65 // IdentityPointSize is the size of the point at infinity in bytes, // in the SEC 1, Version 2.0, Section 2.3.3 encoding (`0x00`). IdentityPointSize = 1 // CoordSize is the size of a coordinate in bytes, in the SEC 1, // Version 2.0, Section 2.3.5 encoding. CoordSize = 32 )
const ScalarSize = 32
ScalarSize is the size of a scalar in bytes.
Variables ¶
This section is empty.
Functions ¶
func SplitUncompressedPoint ¶
SplitUncompressedPoint splits the SEC 1, Verson 2.0, Section 2.3.3 uncompressed encoding of a point into the 32-byte big-endian byte encoding of the x-coordinate, and a uint64 indicating if the y-coordinate is odd.
Types ¶
type Point ¶
type Point struct {
// contains filtered or unexported fields
}
Point represets a point on the secp256k1 curve. All arguments and receivers are allowed to alias. The zero value is NOT valid, and may only be used as a receiver.
Properly initialized Points will always either be on the curve, or the point at infinity, and all of the curve arithmetic routines handle the point at infinity correctly.
func NewGeneratorPoint ¶
func NewGeneratorPoint() *Point
NewGeneratorPoint returns a new Point set to the canonical generator.
func NewIdentityPoint ¶
func NewIdentityPoint() *Point
NewIdentityPoint returns a new Point set to the identity element (point at infinity).
func NewPointFrom ¶
NewPointFrom returns a new Point set to an existing Point.
func NewPointFromBytes ¶
NewPointFromBytes creates a new Point from either of the SEC 1 encodings (uncompressed or compressed).
func NewPointFromCoords ¶
NewPointFromCoords creates a new Point from the big-endian encoded x and y coordinates.
func RecoverPoint ¶
RecoverPoint reconstructs a point from the Scalar representation of the x-coordinate, and a "recovery ID" in the range `[0,3]`.
func (*Point) CompressedBytes ¶
CompressedBytes returns the SEC 1, Version 2.0, Section 2.3.3 compressed or infinity encoding of `v`.
func (*Point) ConditionalNegate ¶
ConditionalNegate sets `v = p` iff `ctrl == 0`, `v = -p` otherwise, and returns `v`.
func (*Point) ConditionalSelect ¶
ConditionalSelect sets `v = a` iff `ctrl == 0`, `v = b` otherwise, and returns `v`.
func (*Point) Double ¶
Double sets `v = p + p`, and returns `v`. Calling `Add(p, p)` will also return correct results, however this method is faster.
func (*Point) DoubleScalarMultBasepointVartime ¶
DoubleScalarMultBasepointVartime sets `v = u1 * G + u2 * P`, and returns `v` in variable time, where `G` is the generator.
func (*Point) IsIdentity ¶
IsIdentity returns 1 iff `v` is the identity point, 0 otherwise.
func (*Point) MultiScalarMult ¶
MultiScalarMult sets `v = sum(scalars[i] * points[i])`, and returns `v`.
func (*Point) MultiScalarMultVartime ¶
MultiScalarMultVartime sets `v = sum(scalars[i] * points[i])`, and returns `v` in variable time.
func (*Point) ScalarBaseMult ¶
ScalarBaseMult sets `v = s * G`, and returns `v`, where `G` is the generator.
func (*Point) ScalarMult ¶
ScalarMult sets `v = s * p`, and returns `v`.
func (*Point) SetBytes ¶
SetBytes sets `p = src`, where `src` is a valid SEC 1, Version 2.0, Section 2.3.3 encoding of a point. If `src` is not a valid encoding of `p`, SetBytes returns nil and an error, and the receiver is unchanged.
func (*Point) SetCompressedBytes ¶
SetCompressedBytes sets `p = src`, where `src` is a valid SEC 1, Verson 2.0, Section 2.3.3 compressed encoding of a point. If `src` is not a valid compressed encodiong of a point, SetCompressedBytes returns nil and an error, and the receiver is unchanged.
func (*Point) SetUncompressedBytes ¶
SetUncompressedBytes sets `p = src`, where `src` is a valid SEC 1, Verson 2.0, Section 2.3.3 uncompressed encoding of a point. If `src` is not a valid uncompressed encodiong of a point, SetUncompressedBytes returns nil and an error, and the receiver is unchanged.
func (*Point) SetUniformBytes ¶
SetUniformBytes sets `v = map_to_curve(OS2IP(src) mod p)`, where `src` MUST have a length in the range `[32,64]`-bytes, and returns `v`.
If called with exactly 48-bytes of data, this can be used to implement `encode_to_curve` and `hash_to_curve`, per "Hashing to Elliptic Curves". With a cryptographically insignificant probability, the result may be the point at infinity.
Most users SHOULD use a higher-level `encode_to_curve` or `hash_to_curve` implementation instead.
func (*Point) UncompressedBytes ¶
UncompressedBytes returns the SEC 1, Version 2.0, Section 2.3.3 uncompressed or infinity encoding of `v`.
type Scalar ¶
type Scalar struct {
// contains filtered or unexported fields
}
Scalar is an integer modulo `n = 2^256 - 432420386565659656852420866394968145599`. All arguments and receivers are allowed to alias. The zero value is a valid zero element.
func NewScalarFrom ¶
NewScalarFrom returns a new Scalar set to an existing Scalar.
func NewScalarFromBytes ¶
func NewScalarFromBytes(src *[ScalarSize]byte) (*Scalar, uint64)
NewScalarFromBytes creates a new Scalar from the 32-byte big-endian encoding of `s`, and returns `s, 0`. If `src` is not a canonical encoding of `s`, `src` is reduced modulo n, and NewScalarFromBytes returns `s, 1`.
func NewScalarFromCanonicalBytes ¶
func NewScalarFromCanonicalBytes(src *[ScalarSize]byte) (*Scalar, error)
NewScalarFromCanonicalBytes creates a new Scalar from the canonical 32-byte big-endian byte representation.
func NewScalarFromUint64 ¶
NewScalarFromUint64 creates a new Scalar from a uint64.
func (*Scalar) ConditionalNegate ¶
ConditionalNegate sets `s = a` iff `ctrl == 0`, `s = -a` otherwise, and returns `s`.
func (*Scalar) ConditionalSelect ¶
ConditionalSelect sets `s = a` iff `ctrl == 0`, `s = b` otherwise, and returns `s`.
func (*Scalar) IsGreaterThanHalfN ¶
IsGreaterThanHalfN returns 1 iff `s > n / 2`, where `n` is the order of G, 0 otherwise.
func (*Scalar) Product ¶
Product sets `s = vec[0] * ... * vec[n]` and returns `s`. If `vec` is empty, `s` will be set to `1`.
func (*Scalar) SetBytes ¶
func (s *Scalar) SetBytes(src *[ScalarSize]byte) (*Scalar, uint64)
SetBytes sets `s = src`, where `src` is a 32-byte big-endian encoding of `s`, and returns `s, 0`. If `src` is not a canonical encoding of `s`, `src` is reduced modulo n, and SetBytes returns `s, 1`.
func (*Scalar) SetCanonicalBytes ¶
func (s *Scalar) SetCanonicalBytes(src *[ScalarSize]byte) (*Scalar, error)
SetCanonicalBytes sets `s = src`, where `src` is a 32-byte big-endian encoding of `s`, and returns `s`. If `src` is not a canonical encoding of `s`, SetCanonicalBytes returns nil and an error, and the receiver is unchanged.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
disalloweq
Package disalloweq provides a method for disallowing struct comparisons with the `==` operator.
|
Package disalloweq provides a method for disallowing struct comparisons with the `==` operator. |
|
fiat/secp256k1montgomery
Code generated by Fiat Cryptography.
|
Code generated by Fiat Cryptography. |
|
fiat/secp256k1montgomeryscalar
Code generated by Fiat Cryptography.
|
Code generated by Fiat Cryptography. |
|
field
Package field implements arithmetic modulo p = 2^256 - 2^32 - 977.
|
Package field implements arithmetic modulo p = 2^256 - 2^32 - 977. |
|
swu
Package swu implements the Simplified Shallue-van de Woestijne-Ulas method.
|
Package swu implements the Simplified Shallue-van de Woestijne-Ulas method. |
|
asm
Module
|
|
|
Package secec implements the common primitives on top of secp256k1, with an API that is close to the runtime library's `crypto/ecdsa` and `crypto/ecdh` packages.
|
Package secec implements the common primitives on top of secp256k1, with an API that is close to the runtime library's `crypto/ecdsa` and `crypto/ecdh` packages. |
|
bitcoin
Package bitcoin implements the bitcoin specific primitives.
|
Package bitcoin implements the bitcoin specific primitives. |
|
h2c
Package h2c implements Hashing to Elliptic Curves as specified in RFC 9380.
|
Package h2c implements Hashing to Elliptic Curves as specified in RFC 9380. |