Goodbye OpenSSL, hello libsecp256k1

Today's newsletter finishes chapter 4 from Bitcoin: A Work in Progress.

For something completely different, check out episode 73 of Bitcoin, Explained, where we attempt to explain OP_VAULT.

How to prevent another debacle with OpenSSL? Well, just get rid of it…

While all this was happening, Pieter Wuille a.k.a. Sipa was working on a library that was specifically designed to create and verify Bitcoin signatures. His original motivation had nothing to do with security; he just wanted it to work faster than OpenSSL.

He explains this in a podcast he did with Chaincode. Basically, he wanted to make a library that would be about four times faster. He could’ve tried to modify the OpenSSL code itself, but it’s such a nightmare to change that code. Additionally, the OpenSSL code is very generic: It has to support all different kinds of cryptography. So if you want to change anything, you have to be very abstract in all the things you do.

Instead, he decided to essentially write it from scratch, specifically for the secp256k1 curve. It was added to Bitcoin Core relatively early — first just to verify signatures, and then later on to create signatures as well.

This happened to coincide with the aforementioned security vulnerability, and the general reaction was that because there was a near miss which could’ve been a serious problem, moving away from OpenSSL for critical matters would be a good idea.

With signing and signature validation taken care of, Bitcoin still relied on OpenSSL for other things — though much less than it had in the past. But developers had already made the decision to get rid of the remaining OpenSSL uses over time by copying or rewriting the various parts of the library that Bitcoin Core needs. This process was completed in 2019. The first version of Bitcoin Core to ship without OpenSSL was 0.20.0, which was released in June 2020.

So Wuille’s libsecp256k1 — initially designed to be a performance improvement — pivoted to be a new library for Bitcoin that would remove the risks that came with OpenSSL. However, this came with two risks of its own:

However, it was deemed a risk worth taking, because the other option was waiting for OpenSSL to explode. Additionally, a lot of good cryptographers reviewed libsecp256k1 and compared it against OpenSSL before its adoption. It’s also used by Ethereum and other cryptocurrencies — basically, any cryptocurrency that uses the secp256k1 elliptic curve.