Merge pull request #20

[secp256k1.git] / README.md

libsecp256k1
============

Optimized C library for EC operations on curve secp256k1.

This library is experimental, so use at your own risk.

Features:
* Low-level field and group operations on secp256k1.
* ECDSA signing/verification and key generation.
* Adding/multiplying private/public keys.
* Serialization/parsing of private keys, public keys, signatures.
* Very efficient implementation.

Implementation details
----------------------

* General
  * Avoid dynamic memory usage almost everywhere.
* Field operations
  * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
    * Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
    * Using 10 26-bit limbs.
    * Using GMP.
  * Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
* Group operations
  * Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
  * Use addition between points in Jacobian and affine coordinates where possible.
* Point multiplication for verification (a*P + b*G).
  * Use wNAF notation for point multiplicands.
  * Use a much larger window for multiples of G, using precomputed multiples.
  * Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
  * Optionally use secp256k1's efficiently-computable endomorphism to split the multiplicands into 4 half-sized ones first.
* Point multiplication for signing
  * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
  * Slice the precomputed table in memory per byte, so memory access to the table becomes uniform.
  * Not fully constant-time.

Build steps
-----------

libsecp256k1 is built using autotools:

    $ aclocal
    $ autoreconf --install
    $ automake
    $ ./configure
    $ make
    $ sudo make install  # optional