secp256k1

Pure Haskell Schnorr, ECDSA on the elliptic curve secp256k1 (docs.ppad.tech/secp256k1).
git clone git://git.ppad.tech/secp256k1.git

README.md (2905B)


# ppad-secp256k1

A pure Haskell implementation of [BIP0340][bp340] Schnorr signatures
and deterministic [RFC6979][r6979] ECDSA (with [BIP0146][bp146]-style
"low-S" signatures) on the elliptic curve secp256k1.

## Usage

A sample GHCi session:

```
  > :set -XOverloadedStrings
  >
  > -- import qualified
  > import qualified Crypto.Curve.Secp256k1 as Secp256k1
  >
  > -- secret, public keys
  > let sec = Secp256k1.parse_integer "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF"
  > let Just pub = Secp256k1.parse_point "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"
  >
  > let msg = "i approve of this message"
  >
  > -- create and verify a schnorr signature for the message
  > let sig0 = Secp256k1.sign_schnorr sec msg mempty
  > Secp256k1.verify_schnorr msg pub sig0
  True
  >
  > -- create a low-S ECDSA signature for the message
  > let sig1 = Secp256k1.sign_ecdsa sec msg
  >
  > -- verify it
  > Secp256k1.verify_ecdsa msg pub sig1
  True
```
     35 
## Documentation

Haddocks (API documentation, etc.) are hosted at
[docs.ppad.tech/secp256k1][hadoc].

## Security

This library is in a **pre-release** state. It ultimately aims at the
maximum security achievable in a garbage-collected language under an
optimizing compiler such as GHC, in which strict constant-timeness can
be challenging to achieve, but we're not there quite yet.

The Schnorr implementation within has been tested against the [official
BIP0340 vectors][ut340], and ECDSA has been tested against the relevant
[Wycheproof vectors][wyche], so their implementations are likely to be
accurate and safe from attacks targeting e.g. faulty nonce generation or
malicious inputs for signature parameters.
     53 
However, the signature schemes are **not** implemented so as to be
constant-time with respect to secrets, and no effort has yet been made
to quantify the degree to which they deviate from that. Perhaps
obviously: you shouldn't deploy the implementations within in any
situation where they can easily be used as an oracle to construct a
[timing attack][timea].

If you discover any vulnerabilities, please disclose them via
security@ppad.tech.

## Development

You'll require [Nix][nixos] with [flake][flake] support enabled. Enter a
development shell with:

```
$ nix develop
```

Then do e.g.:

```
$ cabal repl ppad-secp256k1
```

to get a REPL for the main library.

[bp340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
[ut340]: https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv
[bp146]: https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki
[r6979]: https://www.rfc-editor.org/rfc/rfc6979
[nixos]: https://nixos.org/
[flake]: https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-flake.html
[hadoc]: https://docs.ppad.tech/secp256k1
[wyche]: https://github.com/C2SP/wycheproof
[timea]: https://en.wikipedia.org/wiki/Timing_attack