# ppad-secp256k1

A pure Haskell implementation of [BIP0340][bp340] Schnorr signatures
and deterministic [RFC6979][r6979] ECDSA (with [BIP0146][bp146]-style
"low-S" signatures) on the elliptic curve secp256k1.

## Usage

A sample GHCi session:

```
> :set -XOverloadedStrings
>
> -- import qualified
> import qualified Crypto.Curve.Secp256k1 as Secp256k1
>
> -- secret, public keys
> let sec = Secp256k1.parse_integer "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF"
> let Just pub = Secp256k1.parse_point "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"
>
> let msg = "i approve of this message"
>
> -- create and verify a schnorr signature for the message
> let sig0 = Secp256k1.sign_schnorr sec msg mempty
> Secp256k1.verify_schnorr msg pub sig0
True
>
> -- create a low-S ECDSA signature for the message
> let sig1 = Secp256k1.sign_ecdsa sec msg
>
> -- verify it
> Secp256k1.verify_ecdsa msg pub sig1
True
```

## Documentation

Haddocks (API documentation, etc.) are hosted at
[docs.ppad.tech/secp256k1][hadoc].

## Security

This library is in a **pre-release** state. It ultimately aims at the
maximum security achievable in a garbage-collected language under an
optimizing compiler such as GHC, in which strict constant-timeness can
be challenging to achieve, but we're not there quite yet.

The Schnorr implementation within has been tested against the [official
BIP0340 vectors][ut340], and ECDSA has been tested against the relevant
[Wycheproof vectors][wyche], so their implementations are likely to be
accurate and safe from attacks targeting e.g. faulty nonce generation or
malicious inputs for signature parameters.

However, the signature schemes are **not** implemented so as to be
constant-time with respect to secrets, and no effort has yet been made
to quantify the degree to which they deviate from that. Perhaps
obviously: you shouldn't deploy the implementations within in any
situation where they can easily be used as an oracle to construct a
[timing attack][timea].

If you discover any vulnerabilities, please disclose them via
security@ppad.tech.

## Development

You'll require [Nix][nixos] with [flake][flake] support enabled. Enter a
development shell with:

```
$ nix develop
```

Then do e.g.:

```
$ cabal repl ppad-secp256k1
```

to get a REPL for the main library.

[bp340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
[ut340]: https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv
[bp146]: https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki
[r6979]: https://www.rfc-editor.org/rfc/rfc6979
[nixos]: https://nixos.org/
[flake]: https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-flake.html
[hadoc]: https://docs.ppad.tech/secp256k1
[wyche]: https://github.com/C2SP/wycheproof
[timea]: https://en.wikipedia.org/wiki/Timing_attack
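As an added example (not code from ppad-secp256k1 itself), here is a small harness that starts to quantify the timing variation the Security section says is still unmeasured: it signs one key over many constructed messages, so each run derives a different secret nonce, and reports the spread of sign-plus-verify CPU times. It assumes the function shapes shown in the GHCi session above, ByteString messages under OverloadedStrings, and that `verify_schnorr` forces the whole signature it checks.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added measurement harness, not part of ppad-secp256k1. Assumptions:
-- parse_integer / parse_point / sign_schnorr / verify_schnorr have the
-- shapes used in the README's GHCi session, messages are ByteStrings, and
-- verify_schnorr fully forces the signature it is given.
module Main (main) where

import Control.Exception (evaluate)
import Control.Monad (forM)
import qualified Crypto.Curve.Secp256k1 as Secp256k1
import qualified Data.ByteString.Char8 as B8
import System.CPUTime (getCPUTime)

main :: IO ()
main = do
  let -- key pair taken from the README's GHCi session
      sec = Secp256k1.parse_integer
        "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF"
      Just pub = Secp256k1.parse_point
        "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"
      -- constructed sample messages; BIP0340 derives the nonce from the
      -- secret key and the message, so each one exercises a different
      -- secret scalar in the signing path
      msgs = [ B8.pack ("timing sample " ++ show i) | i <- [1 :: Int .. 200] ]
  samples <- forM msgs $ \msg -> do
    t0 <- getCPUTime
    -- verify_schnorr consumes the signature, so forcing its Bool result
    -- forces the signing work too (verification adds public-data noise
    -- to every sample, but the same amount on each)
    ok <- evaluate
      (Secp256k1.verify_schnorr msg pub (Secp256k1.sign_schnorr sec msg mempty))
    t1 <- getCPUTime
    if ok
      then return (fromIntegral (t1 - t0) / 1e6 :: Double) -- picoseconds to microseconds
      else fail "signature failed to verify"
  let lo   = minimum samples
      hi   = maximum samples
      mean = sum samples / fromIntegral (length samples)
  putStrLn $ "sign+verify over " ++ show (length samples) ++ " messages (microseconds)"
  putStrLn $ "  min " ++ show lo ++ "  max " ++ show hi ++ "  mean " ++ show mean
  putStrLn $ "  spread (max/min) " ++ show (hi / lo)
```

A large max/min spread is a coarse signal only; a serious assessment would use many more samples per message class and a statistical test rather than a single ratio.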