Compute-unit-efficient secp256k1 arithmetic for Solana programs. Built on
secp256k1_recover syscall abuse, this crate exposes operations needed
for on-chain Schnorr verification, BIP-340 X-only key handling, BIP-341
TapTweak, ECDH, Pedersen commitments, ECDSA, Bulletproofs and many other
arbitrary cryptographic operations at a fraction of the CU cost of other
implementations.
Headline numbers: mul_g 27k, ec_add / ec_sub / ec_double 17k,
mod_inv 13k, mul_mod_p 1.4k CU. See the README for the full table
and benchmark methodology.
Security
A large portion of the CU wins comes from branching on input values. This is the correct call if the goal is to optimize on-chain verification of public values, but it comes at the expense of constant-time guarantees.
Hopefully it goes without saying that even though this library can produce valid signatures and proofs on-chain, it is a very bad idea to leak secret values onto a public blockchain. What may be less obvious is that, even in private usage or transaction simulation, using this library to produce proofs or signatures off-chain in an untrusted environment could make you vulnerable to side-channel/timing attacks. If secure off-chain signing is your intended use case, please consider using k256 instead.
Re-exports
pub use secp256k1::Secp256k1;
pub use scalar::Scalar;
pub use traits::*;
pub use errors::*;
pub use compressed_point::*;
pub use uncompressed_point::*;
Modules
- compressed_point
- errors
- scalar: A 32-byte value tagged as a scalar mod N.
- secp256k1: All secp256k1 arithmetic: field (mod P), scalar (mod N), and curve ops built on the secp256k1_recover syscall. Both moduli have the form 2^256 − C for small C, so multiplication reduces via Crandall (lo + hi · C). Modular inverse goes through a hand-rolled Lehmer extended GCD (see src/lehmer.rs).
- traits
- uncompressed_point
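The Crandall reduction mentioned for the secp256k1 module, as an added example that is not the crate's own code: the 512-bit product of two field elements is folded as lo + hi · C for P = 2^256 − C (here the field prime, C = 2^32 + 977), the fold is applied a second time to the small overflow, and one conditional subtraction of P finishes. The limb layout and the function names are my own assumptions.

```rust
// Added example, not the crate's own code: Crandall reduction for the secp256k1
// field prime P = 2^256 - C (C = 2^32 + 977), on little-endian u64 limbs.
pub const C: u64 = 0x1_0000_03D1; // P = 2^256 - C
pub const P: [u64; 4] = [0xFFFF_FFFE_FFFF_FC2F, u64::MAX, u64::MAX, u64::MAX];

/// Schoolbook 256x256 -> 512-bit product, eight little-endian limbs.
fn mul_wide(a: &[u64; 4], b: &[u64; 4]) -> [u64; 8] {
    let mut r = [0u64; 8];
    for i in 0..4 {
        let mut carry = 0u128;
        for j in 0..4 {
            let t = (a[i] as u128) * (b[j] as u128) + r[i + j] as u128 + carry;
            r[i + j] = t as u64;
            carry = t >> 64;
        }
        r[i + 4] = carry as u64;
    }
    r
}

/// One Crandall fold: hi*2^256 + lo == hi*C + lo (mod P); returns five limbs.
fn fold(hi: &[u64], lo: &[u64]) -> [u64; 5] {
    let mut r = [0u64; 5];
    let mut carry = 0u128;
    for i in 0..4 {
        let t = (hi[i] as u128) * (C as u128) + lo[i] as u128 + carry;
        r[i] = t as u64;
        carry = t >> 64;
    }
    r[4] = carry as u64;
    r
}

/// a * b mod P, fully reduced. Inputs may be any 256-bit values.
pub fn mul_mod_p(a: &[u64; 4], b: &[u64; 4]) -> [u64; 4] {
    let w = mul_wide(a, b);
    let t = fold(&w[4..], &w[..4]); // hi*C + lo, below 2^290
    let u = fold(&[t[4], 0, 0, 0], &t[..4]); // below 2^256 + 2^67, so u[4] is 0 or 1
    // Conditional subtraction: u - P is the answer iff u >= P (no final borrow).
    let mut d = [0u64; 4];
    let mut borrow = 0u64;
    for i in 0..4 {
        let (x, b1) = u[i].overflowing_sub(P[i]);
        let (y, b2) = x.overflowing_sub(borrow);
        d[i] = y;
        borrow = (b1 | b2) as u64;
    }
    if u[4] >= borrow { d } else { [u[0], u[1], u[2], u[3]] }
}
```

The bound analysis in the comments is what makes a single final subtraction sufficient: after two folds the value is below 2^256 + 2^67, so subtracting P once lands below P.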