secp256k1

Pure Haskell Schnorr signatures and ECDSA on the elliptic curve secp256k1 (docs.ppad.tech/secp256k1).
git clone git://git.ppad.tech/secp256k1.git

commit f179ea0c298a8d9d0bc20649003554e5d22939b7
parent 2e4fe1c16d971fb43e9efb70d01d4e2dfc5c4a56
Author: Jared Tobin <jared@jtobin.io>
Date:   Fri, 14 Mar 2025 14:58:02 +0400

release: v0.3.0

Diffstat:
M CHANGELOG                     |  4 ++++
M README.md                     | 15 ++++++++-------
M lib/Crypto/Curve/Secp256k1.hs |  7 ++++---
M ppad-secp256k1.cabal          |  9 +++++----
4 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG @@ -1,5 +1,9 @@ # Changelog +- 0.3.0 (2025-03-14) + * Adds 'ecdh' for computing ECDH secrets, any given secret being the + SHA256 hash of the x-coordinate of the appropriate secp256k1 point. + - 0.2.2 (2025-02-16) * Exports the secp256k1 "point at infinity" as _CURVE_ZERO. diff --git a/README.md b/README.md @@ -118,13 +118,14 @@ garbage-collected language under an optimizing compiler such as GHC, in which strict constant-timeness can be [challenging to achieve][const]. The Schnorr implementation within has been tested against the [official -BIP0340 vectors][ut340], and ECDSA has been tested against the relevant -[Wycheproof vectors][wyche], so their implementations are likely to be -accurate and safe from attacks targeting e.g. faulty nonce generation or -malicious inputs for signature parameters. Timing-sensitive operations, -e.g. elliptic curve scalar multiplication, have been explicitly written -so as to execute *algorithmically* in time constant with respect to -secret data, and evidence from benchmarks supports this: +BIP0340 vectors][ut340], and ECDSA and ECDH have been tested against +the relevant [Wycheproof vectors][wyche], so their implementations +are likely to be accurate and safe from attacks targeting e.g. faulty +nonce generation or malicious inputs for signature or public key +parameters. Timing-sensitive operations, e.g. elliptic curve scalar +multiplication, have been explicitly written so as to execute +*algorithmically* in time constant with respect to secret data, and +evidence from benchmarks supports this: ``` benchmarking derive_pub/sk = 2 diff --git a/lib/Crypto/Curve/Secp256k1.hs b/lib/Crypto/Curve/Secp256k1.hs 
@@ -15,10 +15,11 @@ -- Maintainer: Jared Tobin <jared@ppad.tech> -- -- Pure [BIP0340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki) --- Schnorr signatures and deterministic +-- Schnorr signatures, deterministic -- [RFC6979](https://www.rfc-editor.org/rfc/rfc6979) ECDSA (with -- [BIP0146](https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki)-style --- "low-S" signatures) on the elliptic curve secp256k1. +-- "low-S" signatures), and ECDH shared secret computation +-- on the elliptic curve secp256k1. module Crypto.Curve.Secp256k1 ( -- * Field and group parameters @@ -1241,7 +1242,7 @@ _verify_ecdsa_unrestricted _mul (SHA256.hash -> h) p (ECDSA r s) -- ecdh ----------------------------------------------------------------------- --- SEC1-v2 3.3.1, plus hash +-- SEC1-v2 3.3.1, plus SHA256 hash -- | Compute a shared secret, given a secret key and public secp256k1 point, -- via Elliptic Curve Diffie-Hellman (ECDH). diff --git a/ppad-secp256k1.cabal b/ppad-secp256k1.cabal @@ -1,7 +1,8 @@ cabal-version: 3.0 name: ppad-secp256k1 -version: 0.2.2 -synopsis: Schnorr signatures & ECDSA on the elliptic curve secp256k1 +version: 0.3.0 +synopsis: Schnorr signatures, ECDSA, and ECDH on the elliptic curve + secp256k1 license: MIT license-file: LICENSE author: Jared Tobin @@ -11,8 +12,8 @@ build-type: Simple tested-with: GHC == { 9.8.1, 9.6.4 } extra-doc-files: CHANGELOG description: - Pure BIP0340-style Schnorr signatures and deterministic RFC6979 ECDSA on - the elliptic curve secp256k1. + Pure BIP0340-style Schnorr signatures, deterministic RFC6979 ECDSA, and + ECDH shared secret computation on the elliptic curve secp256k1. source-repository head type: git
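Review bot: the CHANGELOG entry for 0.3.0 says the secret is "the SHA256 hash of the x-coordinate of the appropriate secp256k1 point" but does not say how the x-coordinate is encoded before it is hashed; state the encoding (e.g. the 32-byte big-endian field element), because a caller who has to reproduce the value in another ECDH implementation cannot guess it from this entry. It would also help to say whether 'ecdh' rejects a peer point that is not on the curve or is the point at infinity that the 0.2.2 entry below exports as _CURVE_ZERO.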
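Review bot: the README hunk broadens the safety claim to "malicious inputs for signature or public key parameters" on the strength of the Wycheproof vectors alone, but Wycheproof's ECDH vectors give the raw x-coordinate as the expected shared secret, not a SHA256 hash of it, so the sentence (or the test suite it refers to) should say how the hashed output was checked against them. The "public key parameters" claim rests on input validation, so the README should state explicitly that the ECDH routine checks that the supplied point lies on the curve and is not the point at infinity before the scalar multiplication, rather than leaving the reader to infer it.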
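Review bot: in the lib/Crypto/Curve/Secp256k1.hs ecdh hunk, "-- SEC1-v2 3.3.1, plus SHA256 hash" under-documents the deviation from SEC1: section 3.3.1 yields the x-coordinate of the shared point as a field element, and SEC1 also requires that the shared point not be the point at infinity and that the input public point be validated. The Haddock on the function should spell out the exact bytes that are hashed, e.g. `-- The secret is SHA256 of the 32-byte big-endian x-coordinate of the product of the secret key and the public point`, and what the function does on an invalid point, since "plus SHA256 hash" conveys neither.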
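Review bot: the cabal `description` now reads "ECDH shared secret computation" without mentioning that the secret is the SHA256 hash of the x-coordinate rather than the raw SEC1 value; Hackage readers see the description before the CHANGELOG, so put the hashing there too, e.g. "ECDH shared secret computation (SHA256 of the shared point's x-coordinate)". The two-line `synopsis` is fine as cabal field continuation.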