Skip to content

ppad-tech/secp256k1

BranchesTags

Repository files navigation

secp256k1

A pure Haskell implementation of BIP0340 Schnorr signatures, deterministic RFC6979 ECDSA (with BIP0146-style "low-S" signatures), ECDH, and various primitives on the elliptic curve secp256k1.

(See also ppad-csecp256k1 for FFI bindings to bitcoin-core/secp256k1.)

Usage

A sample GHCi session:

  > -- pragmas and b16 import for illustration only; not required
  > :set -XOverloadedStrings
  > :set -XBangPatterns
  > import qualified Data.ByteString.Base16 as B16
  >
  > -- import qualified
  > import qualified Crypto.Curve.Secp256k1 as Secp256k1
  >
  > -- secret, public keys
  > let sec = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF
  :{
  ghci| let Just pub = Secp256k1.parse_point . B16.decodeLenient $
  ghci|       "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"
  ghci| :}
  >
  > let msg = "i approve of this message"
  >
  > -- create and verify a schnorr signature for the message
  > let Just sig0 = Secp256k1.sign_schnorr sec msg mempty
  > Secp256k1.verify_schnorr msg pub sig0
  True
  >
  > -- create and verify a low-S ECDSA signature for the message
  > let Just sig1 = Secp256k1.sign_ecdsa sec msg
  > Secp256k1.verify_ecdsa msg pub sig1
  True
  >
  > -- for faster signs (especially w/ECDSA) and verifies, use a context
  > let !tex = Secp256k1.precompute
  > Secp256k1.verify_schnorr' tex msg pub sig0
  True

Documentation

Haddocks (API documentation, etc.) are hosted at docs.ppad.tech/secp256k1.

Performance

The aim is best-in-class performance for pure Haskell code.

Current benchmark figures on an M4 MacBook Air look like (use cabal bench to run the benchmark suite):

  benchmarking schnorr/sign_schnorr' (large)
  time                 76.57 μs   (76.46 μs .. 76.73 μs)
                       1.000 R²   (0.999 R² .. 1.000 R²)
  mean                 77.81 μs   (77.23 μs .. 79.13 μs)
  std dev              2.732 μs   (1.296 μs .. 5.251 μs)

  benchmarking schnorr/verify_schnorr'
  time                 112.8 μs   (112.4 μs .. 113.1 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 112.4 μs   (112.0 μs .. 112.8 μs)
  std dev              1.246 μs   (1.023 μs .. 1.554 μs)

  benchmarking ecdsa/sign_ecdsa' (large)
  time                 51.22 μs   (51.02 μs .. 51.36 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 51.08 μs   (50.95 μs .. 51.19 μs)
  std dev              403.3 ns   (344.5 ns .. 507.5 ns)

  benchmarking ecdsa/verify_ecdsa'
  time                 105.1 μs   (104.8 μs .. 105.4 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 104.8 μs   (104.4 μs .. 105.8 μs)
  std dev              2.037 μs   (1.170 μs .. 3.692 μs)

  benchmarking ecdh/ecdh (large)
  time                 138.5 μs   (137.8 μs .. 139.4 μs)
                       1.000 R²   (0.999 R² .. 1.000 R²)
  mean                 137.8 μs   (137.4 μs .. 138.4 μs)
  std dev              1.584 μs   (1.119 μs .. 2.541 μs)

Ensure you compile with the 'llvm' flag (and that ppad-fixed and ppad-sha256 have been compiled with the 'llvm' flag) for maximum performance.

Security

This library aims at the maximum security achievable in a garbage-collected language under an optimizing compiler such as GHC, in which strict constant-timeness can be challenging to achieve.

The Schnorr implementation within has been tested against the official BIP0340 vectors, and ECDSA and ECDH have been tested against the relevant Wycheproof vectors (with the former also being tested against noble-secp256k1's vectors), so their implementations are likely to be accurate and safe from attacks targeting e.g. faulty nonce generation or malicious inputs for signature or public key parameters.

Timing-sensitive operations, e.g. elliptic curve scalar multiplication, have been explicitly written so as to execute in time constant with respect to secret data. Moreover, fixed-size (256-bit) wide words with constant-time operations provided by ppad-fixed are used exclusively internally, avoiding timing variations incurred by use of GHC's variable-size Integer type.

Criterion benchmarks attest that any timing variation between cases with differing inputs is attributable to noise:

  benchmarking derive_pub/wnaf, sk = 2
  time                 29.67 μs   (29.64 μs .. 29.71 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 29.68 μs   (29.64 μs .. 29.71 μs)
  std dev              121.1 ns   (83.80 ns .. 177.2 ns)

  benchmarking derive_pub/wnaf, sk = 2 ^ 255 - 19
  time                 29.68 μs   (29.65 μs .. 29.72 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 29.71 μs   (29.68 μs .. 29.75 μs)
  std dev              106.7 ns   (71.74 ns .. 174.7 ns)

  benchmarking schnorr/sign_schnorr' (small)
  time                 76.27 μs   (76.21 μs .. 76.32 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 76.44 μs   (76.40 μs .. 76.50 μs)
  std dev              162.3 ns   (123.1 ns .. 246.7 ns)

  benchmarking schnorr/sign_schnorr' (large)
  time                 76.35 μs   (76.31 μs .. 76.38 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 76.37 μs   (76.35 μs .. 76.40 μs)
  std dev              84.10 ns   (67.03 ns .. 112.7 ns)

  benchmarking ecdsa/sign_ecdsa' (small)
  time                 52.34 μs   (52.22 μs .. 52.49 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 52.35 μs   (52.30 μs .. 52.42 μs)
  std dev              205.9 ns   (159.2 ns .. 281.1 ns)

  benchmarking ecdsa/sign_ecdsa' (large)
  time                 52.40 μs   (52.31 μs .. 52.55 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 52.66 μs   (52.47 μs .. 52.99 μs)
  std dev              813.7 ns   (427.9 ns .. 1.244 μs)
  variance introduced by outliers: 10% (moderately inflated)

  benchmarking ecdh/ecdh (small)
  time                 143.6 μs   (143.4 μs .. 143.7 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 143.7 μs   (143.3 μs .. 144.6 μs)
  std dev              2.022 μs   (846.9 ns .. 3.402 μs)

  benchmarking ecdh/ecdh (large)
  time                 143.8 μs   (143.7 μs .. 143.9 μs)
                       1.000 R²   (1.000 R² .. 1.000 R²)
  mean                 143.8 μs   (143.7 μs .. 143.9 μs)
  std dev              385.2 ns   (265.9 ns .. 544.5 ns)

Note also that care has been taken to ensure that allocation is held constant across input sizes for all sensitive operations:

  derive_pub

    Case                     Allocated  GCs
    wnaf, sk = 2                   304    0
    wnaf, sk = 2 ^ 255 - 19        304    0

  schnorr

    Case                   Allocated  GCs
    sign_schnorr' (small)     27,104    0
    sign_schnorr' (large)     27,104    0

  ecdsa

    Case                   Allocated  GCs
    sign_ecdsa' (small)     61,592    0
    sign_ecdsa' (large)     61,592    0

  ecdh

    Case          Allocated  GCs
    ecdh (small)      1,880    0
    ecdh (large)      1,880    0

Though constant-resource execution is enforced rigorously, take reasonable security precautions as appropriate. You shouldn't deploy the implementations within in any situation where they could easily be used as an oracle to construct a timing attack, and you shouldn't give sophisticated malicious actors access to your computer.

If you discover any vulnerabilities, please disclose them via [email protected].

Development

You'll require Nix with flake support enabled. Enter a development shell with:

$ nix develop

Then do e.g.:

$ cabal repl ppad-secp256k1

to get a REPL for the main library.

About

Pure Haskell Schnorr, ECDSA, ECDH on the elliptic curve secp256k1

Topics

haskell ecdsa ecdh secp256k1 schnorr elliptic-curve-cryptography

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

9 tags

Packages

No packages published

Languages