// Copyright 2020 ConsenSys Software Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package secp256k1 provides an efficient elliptic curve implementation for secp256k1. This curve is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf) and is used for the ECDSA signatures of Bitcoin and Ethereum.
//
// secp256k1: a j=0 curve with
//
//	𝔽r: r=115792089237316195423570985008687907852837564279074904382605163141518161494337
//	𝔽p: p=115792089237316195423570985008687907853269984665640564039457584007908834671663 (2^256 - 2^32 - 977)
//	(E/𝔽p): Y²=X³+7
//
// Security: estimated 128-bit level using Pollard's rho attack
// (r is 256 bits)
//
// # Warning
//
// This code has been partially audited and is provided as-is. In particular, there are no security guarantees such as a constant-time implementation or side-channel attack resistance.
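package secp256k1

import (
	"math/big"

	"github.com/consensys/gnark-crypto/ecc"
	"github.com/consensys/gnark-crypto/ecc/secp256k1/fp"
	"github.com/consensys/gnark-crypto/ecc/secp256k1/fr"
)

// ID is the identifier of secp256k1 in the ecc package.
const ID = ecc.SECP256K1

// aCurveCoeff and bCurveCoeff are the a and b coefficients of the curve
// equation Y²=X³+ax+b (a=0 and b=7 for secp256k1, set in init).
var (
	aCurveCoeff fp.Element
	bCurveCoeff fp.Element
)

// g1Gen is the generator of the r-torsion group in Jacobian coordinates;
// g1GenAff is the same point in affine coordinates.
var (
	g1Gen    G1Jac
	g1GenAff G1Affine
)

// g1Infinity is the point at infinity, represented as (X,Y,Z) = (1,1,0).
var g1Infinity G1Jac

// Parameters useful for the GLV scalar multiplication. The third root of unity
// defines the endomorphism ϕ₁ for <G1Affine>. lambda is such that <r, ϕ-λ>
// lies above <r> in the ring Z[ϕ]. More concretely it is the associated
// eigenvalue of ϕ₁ restricted to <G1Affine>.
// See https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/GLV.pdf
var (
	thirdRootOneG1 fp.Element
	lambdaGLV      big.Int
)

// glvBasis stores R-linearly independent vectors (a,b), (c,d)
// in ker((u,v) → u+vλ[r]), and their determinant.
var glvBasis ecc.Lattice

// mustSetFp parses the decimal string s into z. It is only called on fixed
// curve constants, so a parse failure is a programming error (a mistyped
// constant) and is reported with a panic at package initialisation instead of
// silently leaving z at zero, which would yield an invalid generator or
// endomorphism.
func mustSetFp(z *fp.Element, s string) {
	if _, err := z.SetString(s); err != nil {
		panic("secp256k1: invalid curve constant " + s + ": " + err.Error())
	}
}

// init sets the curve coefficients, the generator, the point at infinity and
// the GLV endomorphism parameters, then precomputes the GLV lattice.
func init() {
	aCurveCoeff.SetUint64(0)
	bCurveCoeff.SetUint64(7)

	mustSetFp(&g1Gen.X, "55066263022277343669578718895168534326250603453777594175500187360389116729240")
	mustSetFp(&g1Gen.Y, "32670510020758816978083085130507043184471273380659243275938904335757337482424")
	g1Gen.Z.SetOne()

	g1GenAff.FromJacobian(&g1Gen)

	// (X,Y,Z) = (1,1,0): Z keeps its zero value.
	g1Infinity.X.SetOne()
	g1Infinity.Y.SetOne()

	mustSetFp(&thirdRootOneG1, "55594575648329892869085402983802832744385952214688224221778511981742606582254") // 2^((p-1)/3)

	// 3^((r-1)/3); big.Int.SetString reports a bad literal with ok=false, not an error.
	if _, ok := lambdaGLV.SetString("37718080363155996902926221483475020450927657555482586988616620542887997980018", 10); !ok {
		panic("secp256k1: invalid lambdaGLV constant")
	}

	rMod := fr.Modulus()
	ecc.PrecomputeLattice(rMod, &lambdaGLV, &glvBasis)
}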
// Generators returns the generator of the r-torsion group, in Jacobian
// coordinates (g1Jac) and in affine coordinates (g1Aff). Both values are
// returned by value from the package-level generators set up in init.
func Generators() (g1Jac G1Jac, g1Aff G1Affine) {
	return g1Gen, g1GenAff
}

// CurveCoefficients returns the coefficients a and b of the curve equation
// Y²=X³+ax+b as set up in init.
func CurveCoefficients() (a, b fp.Element) {
	a, b = aCurveCoeff, bCurveCoeff
	return
}