solana_secp256k1/lib.rs

//! Compute-unit-efficient secp256k1 arithmetic for Solana programs. Built on
//! `secp256k1_recover` syscall abuse, this crate exposes operations needed
//! for on-chain Schnorr verification, BIP-340 X-only key handling, BIP-341
//! TapTweak, ECDH, Pedersen commitments, ECDSA, Bulletproofs and many other
//! arbitrary cryptographic operations at a fraction of the CU cost of other
//! implementations.
//!
//! Headline numbers: `mul_g` 27k, `ec_add` / `ec_sub` / `ec_double` 17k,
//! `mod_inv` 13k, `mul_mod_p` 1.4k CU. See the README for the full table
//! and benchmark methodology.
//!
//! # Security
//!
//! A large portion of the CU wins comes from branching on input values. This is
//! the correct call if the goal is to optimize onchain verification of
//! public values. It comes at the expense of constant-time guarantees.
//!
//! Hopefully it goes without saying that even though this library can produce
//! valid signatures and proofs onchain, it's a very bad idea to leak secret
//! values onto a public blockchain. What may be less obvious is that, even
//! in private usage or transaction simulation, using this library to produce
//! proofs or signatures offchain in an untrusted environment could make you
//! vulnerable to side-channel/timing attacks. If secure offchain signing is
//! your intended use-case, please consider using k256 instead.

#![no_std]
#![forbid(unsafe_code)]

mod lehmer;

pub mod secp256k1;
pub use secp256k1::Secp256k1;

pub mod traits;
pub use traits::*;

pub mod errors;
pub use errors::*;

pub mod compressed_point;
pub use compressed_point::*;

pub mod uncompressed_point;
pub use uncompressed_point::*;

pub mod scalar;
pub use scalar::Scalar;
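The Security section above says the CU savings come from branching on input values, and `mod_inv` (backed by the `lehmer` module) is the textbook case. The following is an added, stand-alone example rather than this crate's code: a toy 61-bit Mersenne prime field stands in for the secp256k1 field, and a Euclid-style inverse whose iteration count depends on the input is placed beside a Fermat-exponentiation inverse with a fixed schedule, so the trade-off can be observed directly.

```rust
// Added example, not part of solana_secp256k1. A toy 61-bit Mersenne prime
// field stands in for the secp256k1 field; the trade-off is the same.
const P: u128 = (1u128 << 61) - 1;

fn mul_mod(a: u128, b: u128) -> u128 {
    (a * b) % P // a, b < 2^61, so the product fits in u128
}

/// Variable-time inverse via extended Euclid (same family as the Lehmer GCD
/// this crate uses). Returns (a^-1 mod P, loop iterations); the iteration
/// count, and so the running time, depends on `a`. `a` must be nonzero mod P.
fn inv_euclid(a: u128) -> (u128, u32) {
    let (mut r0, mut r1) = (P as i128, (a % P) as i128);
    let (mut t0, mut t1) = (0i128, 1i128);
    let mut steps = 0;
    while r1 != 0 {
        let q = r0 / r1;
        (r0, r1) = (r1, r0 - q * r1);
        (t0, t1) = (t1, t0 - q * t1);
        steps += 1;
    }
    (t0.rem_euclid(P as i128) as u128, steps)
}

/// Fixed-schedule inverse via Fermat: a^(P-2). Always 61 iterations of one
/// multiply and one square; the exponent bit is applied with a mask, not a
/// data-dependent branch. Returns (a^-1 mod P, iterations).
fn inv_fermat(a: u128) -> (u128, u32) {
    let exp = P - 2;
    let (mut acc, mut base) = (1u128, a % P);
    let mut steps = 0;
    for i in 0..61 {
        let prod = mul_mod(acc, base);
        let mask = 0u128.wrapping_sub((exp >> i) & 1); // all ones when bit set
        acc = (prod & mask) | (acc & !mask);
        base = mul_mod(base, base);
        steps += 1;
    }
    (acc, steps)
}

fn main() {
    for a in [2u128, 1 << 30, 0xdead_beef_cafe] {
        let ((e, es), (f, fs)) = (inv_euclid(a), inv_fermat(a));
        assert_eq!(e, f);
        println!("a = {a:#x}: euclid {es} steps, fermat {fs} steps");
    }
}
```

Both routines agree on the result; only the Euclid step count varies with the input, which is exactly the signal a timing side channel reads when the input is a secret.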