secp256k1

Optimized C library for EC operations on curve secp256k1

Results 171 secp256k1 issues

The method above is suggested instead of the current `getentropy()`, which is not intended to be used by user code. See OpenBSD's [man page](https://man.openbsd.org/getentropy.2): > [getentropy](https://man.openbsd.org/getentropy.2#getentropy~2)() is not intended for...

Existing 'best effort' zeroization for private data is hardly even best effort. At a minimum we should consider doing this via an extern-ed function and memset_s if available. No guarantees...

The current strategy is optimized for large fast chips with huge cache. Especially signing would be useful on some embedded devices where multiple megabytes of pre-computation is not acceptable. Reasonably...

Libsecp256k1 is designed to work on embedded systems too-- and AFAIK it's the only publicly available library with any power analysis countermeasures at all, but like other generic embedded libraries...

user-documentation

When computing tagged-hashes for Schnorr sigs the 3 methods (challenge, aux, nonce) first call `secp256k1_sha256_initialize` that sets the hashstate (ie. s[0] to s[7] and bytes) to their default SHA256 values...

From PR https://github.com/bitcoin-core/secp256k1/pull/711, which has been closed: > The issue is that MSVC for 32-bit targets implements 64x64->64 bit multiplications using a non-constant subroutine. The subroutine is not constant-time because...

This PR adds a `secp256k1_pubkey_sort` function to the public API which was originally part of the musig PR (#1479). However, I opened a separate PR because it adds internal functions...

feature

Depends on https://github.com/bitcoin-core/secp256k1/pull/1518 --- This PR adds a new Silent Payments ([BIP352](https://github.com/bitcoin/bips/pull/1458)) module to secp256k1. It is a continuation of the work started in https://github.com/bitcoin-core/secp256k1/pull/1471. The module implements the full...

feature

According to BIP-340, XOnly keys have 32 bytes and signatures have 64 bytes. If X + Parity is used, signatures would be 65 bytes and Keys 33 bytes. Really, they...

This is the autotools solution for #1516. Alternatively, we could have a full-blown `--enable-msan` option, but it's more work, and I'm not convinced that it's necessary or at least much...

assurance
build
side-channel