Fast elliptic curve digital signatures
Project description
About
This is a python package for doing fast elliptic curve cryptography, specifically digital signatures.
Security
There is no nonce reuse, no branching on secret material, and all points are validated before any operations are performed on them. Timing side challenges are mitigated via Montgomery point multiplication. Nonces are generated per RFC6979. The default curve used throughout the package is P256 which provides 128 bits of security. If you require a higher level of security you can specify the curve parameter in a method to use a curve over a bigger field e.g. P384. All that being said, crypto is tricky and I’m not beyond making mistakes. Please use a more established and reviewed library for security critical applications. Open an issue or email me if you see any security issue or risk with this library.
Python Versions Supported
The initial release of this package was targeted at python2.7. Earlier versions may work but have no guarantee of correctness or stability. As of release 1.2.1+ python3 is supported as well. Due to python2’s EOL on January 1st 2020 release 2.x of this package only supports python3.5+.
Operating Systems Supported
This package is targeted at the Linux and MacOS operating systems. Due to the the dependency on the GMP C library building this package on Windows is difficult and no official support or distributions are provided for Windows OSes. See issue11 for what users have done to get things building.
Supported Primitives
Curves over Prime Fields
Name 
Class 
Proposed By 

P192 / secp192r1 

NIST / NSA 
P224 / secp224r1 

NIST / NSA 
P256 / secp256r1 

NIST / NSA 
P384 / secp384r1 

NIST / NSA 
P521 / secp521r1 

NIST / NSA 
secp192k1 

Certicom 
secp224k1 

Certicom 
secp256k1 (bitcoin curve) 

Certicom 
brainpoolP160r1 

BSI 
brainpoolP192r1 

BSI 
brainpoolP224r1 

BSI 
brainpoolP256r1 

BSI 
brainpoolP320r1 

BSI 
brainpoolP384r1 

BSI 
brainpoolP512r1 

BSI 
Arbitrary Curves
As of version 1.5.1 construction of arbitrary curves in Weierstrass form
(y^2 = x^3 + ax + b (mod p)
) is supported. I advise against using custom curves for any
security critical applications. It’s up to you to make sure that the parameters you pass here are
correct, no validation of the base point is done, and in general no sanity checks are done. Use
at your own risk.
from fastecdsa.curve import Curve
curve = Curve(
name, # (str): The name of the curve
p, # (long): The value of p in the curve equation.
a, # (long): The value of a in the curve equation.
b, # (long): The value of b in the curve equation.
q, # (long): The order of the base point of the curve.
gx, # (long): The x coordinate of the base point of the curve.
gy, # (long): The y coordinate of the base point of the curve.
oid # (str): The object identifier of the curve (optional).
)
Hash Functions
Any hash function in the hashlib
module (md5, sha1, sha224, sha256, sha384, sha512
)
will work, as will any hash function that implements the same interface / core functionality as the
those in hashlib
. For instance, if you wish to use SHA3 as the hash function the
pysha3
package will work with this library as long as it is at version >=1.0b1 (as previous
versions didn’t work with the hmac
module which is used in nonce generation). Note
that sha3_224, sha3_256, sha3_384, sha3_512
are all in hashlib
as of python3.6.
Performance
Curves over Prime Fields
Currently it does elliptic curve arithmetic significantly faster than the ecdsa
package. You can see the times for 1,000 signature and verification operations over
various curves below. These were run on an early 2014 MacBook Air with a 1.4 GHz Intel
Core i5.
Curve 


Speedup 
P192 
3.62s 
1m35.49s 
~26x 
P224 
4.50s 
2m13.42s 
~29x 
P256 
6.15s 
2m52.43s 
~28x 
P384 
12.11s 
6m21.01s 
~31x 
P521 
22.21s 
11m39.53s 
~31x 
secp256k1 
5.92s 
2m57.19s 
~30x 
Benchmarking
If you’d like to benchmark performance on your machine you can do so using the command:
$ python setup.py benchmark
This will use the timeit
module to benchmark 1000 signature and verification operations
for each curve supported by this package. Alternatively, if you have not cloned the repo but
have installed the package via e.g. pip
you can use the following command:
$ python m fastecdsa.benchmark
Installing
You can use pip: $ pip install fastecdsa
or clone the repo and use
$ python setup.py install
. Note that you need to have a C compiler.
You also need to have GMP on your system as the underlying
C code in this package includes the gmp.h
header (and links against gmp
via the lgmp
flag). You can install all dependencies as follows:
apt
$ sudo aptget install pythondev libgmp3dev
yum
$ sudo yum install pythondevel gmpdevel
Usage
Generating Keys
You can use this package to generate keys if you like. Recall that private keys on elliptic curves are integers, and public keys are points i.e. integer pairs.
from fastecdsa import keys, curve
"""The reason there are two ways to generate a keypair is that generating the public key requires
a point multiplication, which can be expensive. That means sometimes you may want to delay
generating the public key until it is actually needed."""
# generate a keypair (i.e. both keys) for curve P256
priv_key, pub_key = keys.gen_keypair(curve.P256)
# generate a private key for curve P256
priv_key = keys.gen_private_key(curve.P256)
# get the public key corresponding to the private key we just generated
pub_key = keys.get_public_key(priv_key, curve.P256)
Signing and Verifying
Some basic usage is shown below:
from fastecdsa import curve, ecdsa, keys
from hashlib import sha384
m = "a message to sign via ECDSA" # some message
''' use default curve and hash function (P256 and SHA2) '''
private_key = keys.gen_private_key(curve.P256)
public_key = keys.get_public_key(private_key, curve.P256)
# standard signature, returns two integers
r, s = ecdsa.sign(m, private_key)
# should return True as the signature we just generated is valid.
valid = ecdsa.verify((r, s), m, public_key)
''' specify a different hash function to use with ECDSA '''
r, s = ecdsa.sign(m, private_key, hashfunc=sha384)
valid = ecdsa.verify((r, s), m, public_key, hashfunc=sha384)
''' specify a different curve to use with ECDSA '''
private_key = keys.gen_private_key(curve.P224)
public_key = keys.get_public_key(private_key, curve.P224)
r, s = ecdsa.sign(m, private_key, curve=curve.P224)
valid = ecdsa.verify((r, s), m, public_key, curve=curve.P224)
''' using SHA3 via pysha3>=1.0b1 package '''
import sha3 # pip install [user] pysha3==1.0b1
from hashlib import sha3_256
private_key, public_key = keys.gen_keypair(curve.P256)
r, s = ecdsa.sign(m, private_key, hashfunc=sha3_256)
valid = ecdsa.verify((r, s), m, public_key, hashfunc=sha3_256)
Arbitrary Elliptic Curve Arithmetic
The Point
class allows arbitrary arithmetic to be performed over curves. The two main
operations are point addition and point multiplication (by a scalar) which can be done via the
standard python operators (+
and *
respectively):
# example taken from the document below (section 4.3.2):
# https://koclab.cs.ucsb.edu/teaching/cren/docs/w02/nistroutines.pdf
from fastecdsa.curve import P256
from fastecdsa.point import Point
xs = 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9
ys = 0xc093ae7ff36e5380fc01a5aad1e66659702de80f53cec576b6350b243042a256
S = Point(xs, ys, curve=P256)
xt = 0x55a8b00f8da1d44e62f6b3b25316212e39540dc861c89575bb8cf92e35e0986b
yt = 0x5421c3209c2d6c704835d82ac4c3dd90f61a8a52598b9e7ab656e9d8c8b24316
T = Point(xt, yt, curve=P256)
# Point Addition
R = S + T
# Point Subtraction: (xs, ys)  (xt, yt) = (xs, ys) + (xt, yt)
R = S  T
# Point Doubling
R = S + S # produces the same value as the operation below
R = 2 * S # S * 2 works fine too i.e. order doesn't matter
d = 0xc51e4753afdec1e6b6c6a5b992f43f8dd0c7a8933072708b6522468b2ffb06fd
# Scalar Multiplication
R = d * S # S * d works fine too i.e. order doesn't matter
e = 0xd37f628ece72a462f0145cbefe3f0b355ee8332d37acdd83a358016aea029db7
# Joint Scalar Multiplication
R = d * S + e * T
Importing and Exporting Keys
You can also export keys as files, ASN.1 encoded and formatted per RFC5480 and RFC5915. Both private keys and public keys can be exported as follows:
from fastecdsa.curve import P256
from fastecdsa.keys import export_key, gen_keypair
d, Q = gen_keypair(P256)
# save the private key to disk
export_key(d, curve=P256, filepath='/path/to/exported/p256.key')
# save the public key to disk
export_key(Q, curve=P256, filepath='/path/to/exported/p256.pub')
Keys stored in this format can also be imported. The import function will figure out if the key is a public or private key and parse it accordingly:
from fastecdsa.keys import import_key
# if the file is a private key then parsed_d is a long and parsed_Q is a Point object
# if the file is a public key then parsed_d will be None
parsed_d, parsed_Q = import_key('/path/to/file.key')
Other encoding formats can also be specified, such as SEC1 for public keys. This is done using
classes found in the fastecdsa.encoding
package, and passing them as keyword args to
the key functions:
from fastecdsa.curve import P256
from fastecdsa.encoding.sec1 import SEC1Encoder
from fastecdsa.keys import export_key, gen_keypair, import_key
_, Q = gen_keypair(P256)
export_key(Q, curve=P256, filepath='/path/to/p256.key', encoder=SEC1Encoder)
parsed_Q = import_key('/path/to/p256.key', curve=P256, public=True, decoder=SEC1Encoder)
Encoding Signatures
DER encoding of ECDSA signatures as defined in RFC2459 is also supported. The
fastecdsa.encoding.der
provides the DEREncoder
class which encodes signatures:
from fastecdsa.encoding.der import DEREncoder
r, s = 0xdeadc0de, 0xbadc0de
encoded = DEREncoder.encode_signature(r, s)
decoded_r, decoded_s = DEREncoder.decode_signature(encoded)
Acknowledgements
Thanks to those below for contributing improvements:
boneyard93501
clouds56
mkus
sirk390
targon
NotStatilko
bbbrumley
luinxz
JJChiDguez
J08nY
trevorcrypto
sylvainpelissier
Project details
Release history Release notifications  RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distributions
Hashes for fastecdsa2.3.0cp311cp311macosx_12_0_arm64.whl
Algorithm  Hash digest  

SHA256  b943a1ad3e1e306f0df422b198f544d029a70f19581e5b56a36ddfbe6302a33d 

MD5  7d911a0e6261dcd01cdd2c44548ed68c 

BLAKE2b256  06d6eec43aa4d16fc626e8a7fdbc437278b97903ec8ff69a0075cbd8e40d1f93 
Hashes for fastecdsa2.3.0cp310cp310win_amd64.whl
Algorithm  Hash digest  

SHA256  c72f8f13160798b431c8a772e4e4bce39adf6faeea80fbf75f88010d0b304aa1 

MD5  be363d1fdf9338521fc95dca7a452604 

BLAKE2b256  88e40081bef22304409919e27e092b84f140e458901239ff9501f330cf593f0d 
Hashes for fastecdsa2.3.0cp310cp310macosx_12_0_arm64.whl
Algorithm  Hash digest  

SHA256  0147804e6bf4915e83064f17a4bcc518d986dab87cba3609409e9f56b8d56772 

MD5  a210ab252dd593361173bfe1013a03ab 

BLAKE2b256  129e37259c2876f35944493124cef57ce7c065aa0a1d3597c150696831bf0250 
Hashes for fastecdsa2.3.0cp39cp39win_amd64.whl
Algorithm  Hash digest  

SHA256  e45be9bcd063362576f93b344e032c743572c2a9ca7426eea3e4035ba21b1654 

MD5  8dc9788a2a3410eaa72ac7e9fe373047 

BLAKE2b256  9ad74bea8f902271bcd6b454ee58adb64ac7f2a0cec2d7f9a9d1e1ba7c60f231 
Hashes for fastecdsa2.3.0cp39cp39macosx_12_0_arm64.whl
Algorithm  Hash digest  

SHA256  7b91663b36137454299d7487a7a1b4a345120bd098ab5f7d7b0a02b50d6c9706 

MD5  12ae87aab346c9cfa08283c17bd2298f 

BLAKE2b256  66aebdb782e2ebfdfc2d828b4a78f608e6b8ca2b686ea1a490e1e5b92cd97d32 
Hashes for fastecdsa2.3.0cp38cp38win_amd64.whl
Algorithm  Hash digest  

SHA256  b0a4637e99cc22b5107d32ae001c2e36a5821c7a50ac001b806d64c157bf62c0 

MD5  e5104c8747eec45c3b20c0d503ace03a 

BLAKE2b256  706495dcbc61bfebde626502d1a4c90dc38088bbb47150dcc44bd7572cc7647f 
Hashes for fastecdsa2.3.0cp38cp38macosx_12_0_arm64.whl
Algorithm  Hash digest  

SHA256  fd61e461389a4fc1e965a1bbd5efb77588a0ebae2328aecdf011a5e9d439ce66 

MD5  9840b51b34a456e94f895960e46cb2b8 

BLAKE2b256  afc0157f944319d958f18b05b428390198b2e371343adfab118a81fb3c29caaa 
Hashes for fastecdsa2.3.0cp37cp37mwin_amd64.whl
Algorithm  Hash digest  

SHA256  8011db68e65b747b11ffa9575dc5bc6ad6d02aa971054e952e261694f705845a 

MD5  e65055931a4db4e249801d048e5585a4 

BLAKE2b256  b4583f4297c80ddea592101e6954cee21718c44eb71d53044daf1ba81a593b8b 
Hashes for fastecdsa2.3.0cp37cp37mmacosx_12_0_arm64.whl
Algorithm  Hash digest  

SHA256  82985e09b299ba400f1a21f2872dcc8e659bc127286f026d01b3540853298f9c 

MD5  801d4752f81c8b0f32237838fb842fd4 

BLAKE2b256  19e90aa5a5dddadacdb92a27735fc9795a9348c1c1aa156bc2ae9571bb422a79 