Make the -sys crate optional

Downstream projects, such as `bitcoin` are using types from this crate
and need to compile the C code even if they only use the types for
checking validity of the data and don't perform cryptographic
operations. Compiling C code is slow and unreliable so there was desire
to avoid this.

This commit introduces pure Rust implementation of basic
non-cryptographic operations (is point on the curve, decompression of
point, secret key constant time comparisons) and feature-gates
cryptographic operations on `secp256k1-sys` which is now optional. To
make use of this, downstream crates will have to deactivate the feature
and possibly feature gate themselves.

The implementation requires a U256 type which was copied from the
`bitcoin` crate. We don't depend on a common crate to avoid needless
compilation when the feature is turned on.

This is a breaking change because users who did cryptographic operations
with `default-features = false` will get compilation errors until they
enable the feature.

Author: Kixunil

Cargo.toml

@@ -18,10 +18,12 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
-default = ["std"]
-std = ["alloc", "secp256k1-sys/std"]
+default = ["sys-std"]
+std = ["alloc"]
+alloc = []
+sys-std = ["std", "sys-alloc", "secp256k1-sys/std"]
 # allow use of Secp256k1::new and related API that requires an allocator
-alloc = ["secp256k1-sys/alloc"]
+sys-alloc = ["secp256k1-sys/alloc"]
 hashes-std = ["std", "hashes/std"]
 rand-std = ["std", "rand", "rand/std", "rand/std_rng"]
 recovery = ["secp256k1-sys/recovery"]
@@ -36,7 +38,7 @@ global-context = ["std"]
 global-context-less-secure = ["global-context"]
 
 [dependencies]
-secp256k1-sys = { version = "0.10.0", default-features = false, path = "./secp256k1-sys" }
+secp256k1-sys = { version = "0.10.0", default-features = false, path = "./secp256k1-sys", optional = true }
 serde = { version = "1.0.103", default-features = false, optional = true }
 
 # You likely only want to enable these if you explicitly do not want to use "std", otherwise enable
@@ -59,15 +61,15 @@ unexpected_cfgs = { level = "deny", check-cfg = ['cfg(bench)', 'cfg(secp256k1_fu
 
 [[example]]
 name = "sign_verify_recovery"
-required-features = ["recovery", "hashes-std"]
+required-features = ["recovery", "hashes-std", "secp256k1-sys"]
 
 [[example]]
 name = "sign_verify"
-required-features = ["hashes-std"]
+required-features = ["hashes-std", "secp256k1-sys"]
 
 [[example]]
 name = "generate_keys"
-required-features = ["rand-std"]
+required-features = ["rand-std", "secp256k1-sys"]
 
 [workspace]
 members = ["secp256k1-sys"]

contrib/_test.sh

@@ -3,7 +3,7 @@
 set -ex
 
 REPO_DIR=$(git rev-parse --show-toplevel)
-FEATURES="hashes global-context lowmemory rand recovery serde std alloc hashes-std rand-std"
+FEATURES="hashes global-context lowmemory rand recovery serde std alloc hashes-std rand-std secp256k1-sys"
 
 cargo --version
 rustc --version
@@ -62,17 +62,17 @@ if [ "$DO_FEATURE_MATRIX" = true ]; then
     fi
 
     # Examples
-    cargo run --locked --example sign_verify --features=hashes-std
-    cargo run --locked --example sign_verify_recovery --features=recovery,hashes-std
-    cargo run --locked --example generate_keys --features=rand-std
+    cargo run --locked --example sign_verify --features=hashes-std,secp256k1-sys
+    cargo run --locked --example sign_verify_recovery --features=recovery,hashes-std,secp256k1-sys
+    cargo run --locked --example generate_keys --features=rand-std,secp256k1-sys
 fi
 
 if [ "$DO_LINT" = true ]
 then
     cargo clippy --locked --all-features --all-targets -- -D warnings
-    cargo clippy --locked --example sign_verify --features=hashes-std -- -D warnings
-    cargo clippy --locked --example sign_verify_recovery --features=recovery,hashes-std -- -D warnings
-    cargo clippy --locked --example generate_keys --features=rand-std -- -D warnings
+    cargo clippy --locked --example sign_verify --features=hashes-std,secp256k1-sys -- -D warnings
+    cargo clippy --locked --example sign_verify_recovery --features=recovery,hashes-std,secp256k1-sys -- -D warnings
+    cargo clippy --locked --example generate_keys --features=rand-std,secp256k1-sys -- -D warnings
 fi
 
 # Build the docs if told to (this only works with the nightly toolchain)

src/context.rs

@@ -4,11 +4,16 @@
 //!
 
 use core::borrow::Borrow;
-use core::{ptr, str};
+use core::str;
+#[cfg(feature = "secp256k1-sys")]
+use core::ptr;
 
+#[cfg(feature = "secp256k1-sys")]
 use secp256k1_sys::types::{c_int, c_uchar, c_void};
 
+#[cfg(feature = "secp256k1-sys")]
 use crate::ffi::{self, CPtr};
+#[cfg(feature = "secp256k1-sys")]
 use crate::key::{PublicKey, SecretKey};
 use crate::{constants, Error};
 
@@ -20,7 +25,7 @@ const SHARED_SECRET_SIZE: usize = constants::SECRET_KEY_SIZE;
 /// # Examples
 ///
 /// ```
-/// # #[cfg(feature = "rand-std")] {
+/// # #[cfg(all(feature = "rand-std", feature = "secp256k1-sys"))] {
 /// # use secp256k1::{rand, Secp256k1};
 /// # use secp256k1::ecdh::SharedSecret;
 /// let s = Secp256k1::new();
@@ -39,6 +44,7 @@ impl_non_secure_erase!(SharedSecret, 0, [0u8; SHARED_SECRET_SIZE]);
 impl SharedSecret {
     /// Creates a new shared secret from a pubkey and secret key.
     #[inline]
+    #[cfg(feature = "secp256k1-sys")]
     pub fn new(point: &PublicKey, scalar: &SecretKey) -> SharedSecret {
         let mut buf = [0u8; SHARED_SECRET_SIZE];
         let res = unsafe {
@@ -125,6 +131,7 @@ impl AsRef<[u8]> for SharedSecret {
 /// assert_eq!(secret1, secret2)
 /// # }
 /// ```
+#[cfg(feature = "secp256k1-sys")]
 pub fn shared_secret_point(point: &PublicKey, scalar: &SecretKey) -> [u8; 64] {
     let mut xy = [0u8; 64];
 
@@ -144,6 +151,7 @@ pub fn shared_secret_point(point: &PublicKey, scalar: &SecretKey) -> [u8; 64] {
     xy
 }
 
+#[cfg(feature = "secp256k1-sys")]
 unsafe extern "C" fn c_callback(
     output: *mut c_uchar,
     x: *const c_uchar,
@@ -184,6 +192,7 @@ impl<'de> ::serde::Deserialize<'de> for SharedSecret {
 }
 
 #[cfg(test)]
+#[cfg(feature = "secp256k1-sys")]
 #[allow(unused_imports)]
 mod tests {
     #[cfg(target_arch = "wasm32")]
@@ -194,6 +203,7 @@ mod tests {
 
     #[test]
     #[cfg(feature = "rand-std")]
+    #[cfg(feature = "secp256k1-sys")]
     fn ecdh() {
         let s = Secp256k1::signing_only();
         let (sk1, pk1) = s.generate_keypair(&mut rand::thread_rng());
@@ -207,6 +217,7 @@ mod tests {
     }
 
     #[test]
+    #[cfg(feature = "secp256k1-sys")]
     fn test_c_callback() {
         let x = [5u8; 32];
         let y = [7u8; 32];
@@ -226,6 +237,7 @@ mod tests {
     #[test]
     #[cfg(not(secp256k1_fuzz))]
     #[cfg(all(feature = "hashes-std", feature = "rand-std"))]
+    #[cfg(feature = "secp256k1-sys")]
     fn hashes_and_sys_generate_same_secret() {
         use hashes::{sha256, Hash, HashEngine};
 
@@ -248,7 +260,10 @@ mod tests {
 
         assert_eq!(secret_bh.as_byte_array(), secret_sys.as_ref());
     }
+}
 
+#[cfg(test)]
+mod non_crypto_tests {
     #[test]
     #[cfg(all(feature = "serde", feature = "alloc"))]
     fn serde() {
@@ -262,7 +277,7 @@ mod tests {
         ];
         static STR: &str = "01010101010101010001020304050607ffff0000ffff00006363636363636363";
 
-        let secret = SharedSecret::from_slice(&BYTES).unwrap();
+        let secret = super::SharedSecret::from_slice(&BYTES).unwrap();
 
         assert_tokens(&secret.compact(), &[Token::BorrowedBytes(&BYTES[..])]);
         assert_tokens(&secret.compact(), &[Token::Bytes(&BYTES)]);
@@ -283,6 +298,7 @@ mod benches {
     use crate::Secp256k1;
 
     #[bench]
+    #[cfg(feature = "secp256k1-sys")]
     pub fn bench_ecdh(bh: &mut Bencher) {
         let s = Secp256k1::signing_only();
         let (sk, pk) = s.generate_keypair(&mut rand::thread_rng());

src/ecdh.rs

@@ -0,0 +1,130 @@
+//! Pure Rust implementation of basic secp256k1-related checks.
+//!
+//! It can be useful to have the key types provided by this library without full cryptography and
+//! implied compilation/linking of C. However for compatibility, we must check the keys when
+//! deserializing. Therefore we need at least some basic secp256k1 math to do that.
+//!
+//! We explicitly do **not** implement point operations or similarly advanced features.
+
+pub(crate) mod u256;
+pub(crate) mod zp;
+
+use zp::Zp;
+use crate::Parity;
+
+fn is_point_on_curve(x: Zp, y: Zp) -> bool {
+    y * y == x * x * x + Zp::wrapping_from(u256::U256::from(7u128))
+}
+
+fn compute_y_coord(x: Zp, parity: Parity) -> Option<Zp> {
+    (x * x * x + Zp::wrapping_from(u256::U256::from(7u128))).sqrt(parity)
+}
+
+#[derive(Copy, Clone, Debug, PartialOrd, Ord, PartialEq, Eq, Hash)]
+pub(crate) struct PublicKey {
+    x: Zp,
+    y: Zp,
+}
+
+impl PublicKey {
+    pub(crate) fn decode(key: &[u8]) -> Option<Self> {
+        match *key.get(0)? {
+            0x04 if key.len() == 65 => {
+                let x = Zp::from_be_bytes(key[1..33].try_into().expect("static len"))?;
+                let y = Zp::from_be_bytes(key[33..].try_into().expect("static len"))?;
+                if is_point_on_curve(x, y) {
+                    Some(PublicKey { x, y })
+                } else {
+                    None
+                }
+            },
+            parity @ (0x02 | 0x03) if key.len() == 33 => {
+                let x = Zp::from_be_bytes(key[1..33].try_into().expect("static len"))?;
+                let y = compute_y_coord(x, if parity == 0x02 { Parity::Even } else { Parity::Odd})?;
+                Some(PublicKey { x, y })
+            },
+            _ => None,
+        }
+    }
+
+    pub(crate) fn serialize_compressed(&self) -> [u8; 33] {
+        let mut buf = [0; 33];
+        buf[0] = if self.y.is_even() {
+            0x02
+        } else {
+            0x03
+        };
+        buf[1..].copy_from_slice(&self.x.to_be_bytes());
+        buf
+    }
+
+    pub(crate) fn serialize_uncompressed(&self) -> [u8; 65] {
+        let mut buf = [0; 65];
+        buf[0] = 0x04;
+        buf[1..33].copy_from_slice(&self.x.to_be_bytes());
+        buf[33..].copy_from_slice(&self.y.to_be_bytes());
+        buf
+    }
+
+    pub(crate) fn to_xonly(&self) -> (XOnlyPublicKey, Parity) {
+        let parity = if self.y.is_even() {
+            Parity::Even
+        } else {
+            Parity::Odd
+        };
+        (XOnlyPublicKey { x: self.x }, parity)
+    }
+}
+
+#[derive(Copy, Clone, Debug, PartialOrd, Ord, PartialEq, Eq, Hash)]
+pub(crate) struct XOnlyPublicKey {
+    x: Zp,
+}
+
+impl XOnlyPublicKey {
+    pub(crate) fn from_bytes(bytes: &[u8; 32]) -> Option<Self> {
+        let x = Zp::from_be_bytes(bytes)?;
+        compute_y_coord(x, Parity::Even)?;
+        Some(XOnlyPublicKey { x })
+    }
+
+    pub(crate) fn serialize(&self) -> [u8; 32] {
+        self.x.to_be_bytes()
+    }
+}
+
+pub(crate) fn is_seckey_valid(scalar: &[u8; 32]) -> bool {
+    let sum = scalar.iter().copied().fold(0u8, u8::wrapping_add);
+    if launder_u8(sum) == 0 {
+        return false;
+    }
+
+    // Translated from the C version
+    const N: [u32; 8] = [0xD0364141, 0xBFD25E8C, 0xAF48A03B, 0xBAAEDCE6, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF];
+    let mut buf = [0; 8];
+    for (chunk, dst) in scalar.chunks_exact(4).rev().zip(&mut buf) {
+        *dst = u32::from_be_bytes(chunk.try_into().expect("chunk_exact returns 4-byte slices"));
+    }
+    let scalar = buf;
+    let mut yes = 0u8;
+    let mut no = 0u8;
+    no |= u8::from(scalar[7] < N[7]); /* No need for a > check. */
+    no |= u8::from(scalar[6] < N[6]); /* No need for a > check. */
+    no |= u8::from(scalar[5] < N[5]); /* No need for a > check. */
+    no |= u8::from(scalar[4] < N[4]);
+    yes |= u8::from(scalar[4] > N[4]) & !no;
+    no |= u8::from(scalar[3] < N[3]) & !yes;
+    yes |= u8::from(scalar[3] > N[3]) & !no;
+    no |= u8::from(scalar[2] < N[2]) & !yes;
+    yes |= u8::from(scalar[2] > N[2]) & !no;
+    no |= u8::from(scalar[1] < N[1]) & !yes;
+    yes |= u8::from(scalar[1] > N[1]) & !no;
+    yes |= u8::from(scalar[0] >= N[0]) & !no;
+    launder_u8(yes) == 0
+}
+
+fn launder_u8(val: u8) -> u8 {
+    unsafe {
+        core::ptr::read_volatile(&val)
+    }
+}

src/key.rs

@@ -0,0 +1,229 @@
+/// Implementation of field of Z<sub>P</sub>, where P is the secp256k1 paramter.
+
+use super::u256::U256;
+use core::ops::{Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign, Div, DivAssign};
+
+const P: U256 = U256::from_be_bytes([
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
+]);
+
+/// Implementation of `Z_p` cyclic group where `p` is the size of the field used in secp256k1 - se
+/// the `P` constant in this library.
+#[derive(Copy, Clone, Eq, PartialEq, Ord, PartialOrd, Hash, Debug)]
+pub(crate) struct Zp(U256);
+
+impl Zp {
+    pub(crate) const ZERO: Self = Zp(U256::ZERO);
+    pub(crate) const ONE: Self = Zp(U256::ONE);
+
+    /// Converts the value % P to Self
+    pub(crate) fn wrapping_from(value: U256) -> Self {
+        if value >= P {
+            Zp(value.wrapping_sub(P))
+        } else {
+            Zp(value)
+        }
+    }
+
+    pub(crate) fn checked_from(value: U256) -> Option<Self> {
+        if value >= P {
+            None
+        } else {
+            Some(Zp(value))
+        }
+    }
+
+    pub fn to_be_bytes(&self) -> [u8; 32] {
+        self.0.to_be_bytes()
+    }
+
+    pub fn from_be_bytes(bytes: &[u8; 32]) -> Option<Self> {
+        Self::checked_from(U256::from_be_bytes(*bytes))
+    }
+
+    pub(crate) fn is_zero(&self) -> bool {
+        self.0.is_zero()
+    }
+
+    pub(crate) fn is_even(&self) -> bool {
+        self.0 < P / 2u128.into()
+    }
+
+    pub(crate) fn parity(&self) -> crate::Parity {
+        if self.is_even() { crate::Parity::Even } else { crate::Parity::Odd }
+    }
+
+    pub(crate) fn pow(mut self, mut exp: U256) -> Self {
+        let mut res = Zp::ONE;
+        while exp != U256::ZERO {
+            if exp & U256::ONE == U256::ONE {
+                res = res * self;
+            }
+            self = self * self;
+            exp = exp >> 1;
+        }
+        res
+    }
+
+    pub fn multiplicative_inverse(self) -> Self {
+        // refactored from
+        // https://github.com/paritytech/bigint/blob/master/src/uint.rs
+        let mut mn = (P, self.0);
+		let mut xy = (Zp::ZERO, Zp::ONE);
+
+		while mn.1 != U256::ZERO {
+            let sb = xy.1 * (mn.0 / mn.1) ;
+            xy = (xy.1, xy.0 - sb);
+			mn = (mn.1, mn.0 % mn.1);
+		}
+
+		xy.0
+    }
+
+    pub(crate) fn sqrt(&self, parity: crate::Parity) -> Option<Self> {
+        // Copied from https://github.com/KanoczTomas/ecc-generic
+        // and simplified
+        if self.is_zero() {
+            return Some(*self);
+        }
+        if !self.is_quadratic_residue() {
+            return None;
+        }
+        let res = self.pow((P + U256::ONE) / 4u128.into());
+        if parity == res.parity() {
+            Some(res)
+        } else {
+            Some(-res)
+        }
+    }
+
+    pub fn is_quadratic_residue(self) -> bool {
+        // Copied from https://github.com/KanoczTomas/ecc-generic
+        //if self % p == 0
+        //As Zp is already mod p, we just have to check if it is 0
+        match self.is_zero() {
+            true => true,
+            false => self.pow((P - U256::ONE) / 2u128.into()) == Zp::ONE
+        }
+
+    }
+}
+
+// We use simple subtraction instead of modulo as it should be more efficient
+impl Add for Zp {
+    type Output = Self;
+
+    fn add(self, rhs: Zp) -> Self::Output {
+        let (res, overflow) = self.0.overflowing_add(rhs.0);
+        Zp(if overflow || res >= P {
+            res.wrapping_sub(P)
+        } else {
+            res
+        })
+    }
+}
+
+impl AddAssign for Zp {
+    fn add_assign(&mut self, rhs: Self) {
+        *self = *self + rhs;
+    }
+}
+
+impl Sub for Zp {
+    type Output = Self;
+
+    fn sub(self, rhs: Zp) -> Self::Output {
+        let (res, overflow) = self.0.overflowing_sub(rhs.0);
+        Zp(if overflow || res >= P {
+            res.wrapping_add(P)
+        } else {
+            res
+        })
+    }
+}
+
+impl SubAssign for Zp {
+    fn sub_assign(&mut self, rhs: Self) {
+        *self = *self - rhs;
+    }
+}
+
+impl Mul<U256> for Zp {
+    type Output = Zp;
+
+    /// Double-and-add algorithm
+    fn mul(self, mut rhs: U256) -> Self::Output {
+        let mut res = Zp::ZERO;
+        let high = U256::ONE << 255;
+
+        for _ in 0..256 {
+            // Can't use *= 2 - that would cause infinite recursion.
+            // Don't ask how I know.
+            res += res;
+            if rhs & high != U256::ZERO {
+                res += self;
+            }
+            rhs = rhs.wrapping_shl(1);
+        }
+
+        res
+    }
+}
+
+impl Mul<u64> for Zp {
+    type Output = Zp;
+
+    fn mul(self, rhs: u64) -> Self::Output {
+        self * U256::from(rhs)
+    }
+}
+
+impl MulAssign<u64> for Zp {
+    fn mul_assign(&mut self, rhs: u64) {
+        *self = *self * rhs;
+    }
+}
+
+impl Mul for Zp {
+    type Output = Zp;
+
+    fn mul(self, rhs: Zp) -> Self::Output {
+        self * rhs.0
+    }
+}
+
+impl MulAssign for Zp {
+    fn mul_assign(&mut self, rhs: Self) {
+        *self = *self * rhs;
+    }
+}
+
+impl Div for Zp {
+    type Output = Zp;
+
+    fn div(self, rhs: Zp) -> Self::Output {
+        self * rhs.multiplicative_inverse()
+    }
+}
+
+impl DivAssign for Zp {
+    fn div_assign(&mut self, rhs: Self) {
+        *self = *self / rhs;
+    }
+}
+
+impl Neg for Zp {
+    type Output = Zp;
+
+    fn neg(self) -> Self::Output {
+        if self.is_zero() {
+            self
+        } else {
+            Zp(P - self.0)
+        }
+    }
+}
+

src/key/non_c/mod.rs

@@ -64,7 +64,7 @@
 //! Alternately, keys and messages can be parsed from slices, like
 //!
 //! ```rust
-//! # #[cfg(feature = "alloc")] {
+//! # #[cfg(all(feature =  "alloc", feature = "secp256k1-sys"))] {
 //! use secp256k1::{Secp256k1, Message, SecretKey, PublicKey};
 //!
 //! let secp = Secp256k1::new();
@@ -82,7 +82,7 @@
 //! Users who only want to verify signatures can use a cheaper context, like so:
 //!
 //! ```rust
-//! # #[cfg(feature = "alloc")] {
+//! # #[cfg(all(feature =  "alloc", feature = "secp256k1-sys"))] {
 //! use secp256k1::{Secp256k1, Message, ecdsa, PublicKey};
 //!
 //! let secp = Secp256k1::verification_only();
@@ -121,12 +121,21 @@
 //! Observe that the same code using, say [`signing_only`](struct.Secp256k1.html#method.signing_only)
 //! to generate a context would simply not compile.
 //!
+//! This library also provides various key types that are sometimes used mainly to verify input and
+//! as newtypes. For that the whole C library may be too much so this library also provides a pure
+//! Rust implementation of parsing and validity checking (including curve checks). This is used
+//! whenever the `secp256k1-sys` feature is disabled. If you're using this library only for parsing
+//! you will improve the compile time by disabling the feature. Therefore the set of all possible
+//! values the types accept as valid stays the same regardless of the `secp256k1-sys` feature.
+//!
 //! ## Crate features/optional dependencies
 //!
 //! This crate provides the following opt-in Cargo features:
 //!
 //! * `std` - use standard Rust library, enabled by default.
 //! * `alloc` - use the `alloc` standard Rust library to provide heap allocations.
+//! * `secp256k1-sys` - actually builds/links the C library and enables use of cryptographic
+//!                     algorithms. Enabled by default.
 //! * `rand` - use `rand` library to provide random generator (e.g. to generate keys).
 //! * `rand-std` - use `rand` library with its `std` feature enabled. (Implies `rand`.)
 //! * `hashes` - use the `hashes` library.
@@ -165,32 +174,42 @@ mod key;
 
 pub mod constants;
 pub mod ecdh;
+#[cfg(feature = "secp256k1-sys")]
 pub mod ecdsa;
+#[cfg(feature = "secp256k1-sys")]
 pub mod ellswift;
 pub mod scalar;
+#[cfg(feature = "secp256k1-sys")]
 pub mod schnorr;
 #[cfg(feature = "serde")]
 mod serde_util;
 
 use core::marker::PhantomData;
+#[cfg(feature = "secp256k1-sys")]
 use core::ptr::NonNull;
-use core::{fmt, mem, str};
+use core::{fmt, str};
+#[cfg(feature = "secp256k1-sys")]
+use core::mem;
 
 #[cfg(all(feature = "global-context", feature = "std"))]
 pub use context::global::{self, SECP256K1};
 #[cfg(feature = "rand")]
 pub use rand;
+#[cfg(feature = "secp256k1-sys")]
 pub use secp256k1_sys as ffi;
 #[cfg(feature = "serde")]
 pub use serde;
 
+pub use crate::context::{Context, Signing, Verification};
 #[cfg(feature = "alloc")]
 pub use crate::context::{All, SignOnly, VerifyOnly};
+#[cfg(feature = "secp256k1-sys")]
 pub use crate::context::{
-    AllPreallocated, Context, PreallocatedContext, SignOnlyPreallocated, Signing, Verification,
-    VerifyOnlyPreallocated,
+    AllPreallocated, PreallocatedContext, SignOnlyPreallocated, VerifyOnlyPreallocated,
 };
+#[cfg(feature = "secp256k1-sys")]
 use crate::ffi::types::AlignedType;
+#[cfg(feature = "secp256k1-sys")]
 use crate::ffi::CPtr;
 pub use crate::key::{InvalidParityValue, Keypair, Parity, PublicKey, SecretKey, XOnlyPublicKey};
 pub use crate::scalar::Scalar;
@@ -352,21 +371,27 @@ impl std::error::Error for Error {
 
 /// The secp256k1 engine, used to execute all signature operations.
 pub struct Secp256k1<C: Context> {
+    #[cfg(feature = "secp256k1-sys")]
     ctx: NonNull<ffi::Context>,
     phantom: PhantomData<C>,
 }
 
 // The underlying secp context does not contain any references to memory it does not own.
+#[cfg(feature = "secp256k1-sys")]
 unsafe impl<C: Context> Send for Secp256k1<C> {}
 // The API does not permit any mutation of `Secp256k1` objects except through `&mut` references.
+#[cfg(feature = "secp256k1-sys")]
 unsafe impl<C: Context> Sync for Secp256k1<C> {}
 
+#[cfg(feature = "secp256k1-sys")]
 impl<C: Context> PartialEq for Secp256k1<C> {
     fn eq(&self, _other: &Secp256k1<C>) -> bool { true }
 }
 
+#[cfg(feature = "secp256k1-sys")]
 impl<C: Context> Eq for Secp256k1<C> {}
 
+#[cfg(feature = "secp256k1-sys")]
 impl<C: Context> Drop for Secp256k1<C> {
     fn drop(&mut self) {
         unsafe {
@@ -379,11 +404,17 @@ impl<C: Context> Drop for Secp256k1<C> {
 }
 
 impl<C: Context> fmt::Debug for Secp256k1<C> {
+    #[cfg(feature = "secp256k1-sys")]
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "<secp256k1 context {:?}, {}>", self.ctx, C::DESCRIPTION)
     }
+    #[cfg(not(feature = "secp256k1-sys"))]
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "<secp256k1 context (trivial), {}>", C::DESCRIPTION)
+    }
 }
 
+#[cfg(feature = "secp256k1-sys")]
 impl<C: Context> Secp256k1<C> {
     /// Getter for the raw pointer to the underlying secp256k1 context. This
     /// shouldn't be needed with normal usage of the library. It enables
@@ -429,6 +460,7 @@ impl<C: Context> Secp256k1<C> {
     }
 }
 
+#[cfg(feature = "secp256k1-sys")]
 impl<C: Signing> Secp256k1<C> {
     /// Generates a random keypair. Convenience function for [`SecretKey::new`] and
     /// [`PublicKey::from_secret_key`].
@@ -500,14 +532,15 @@ fn to_hex<'a>(src: &[u8], target: &'a mut [u8]) -> Result<&'a str, ()> {
     return unsafe { Ok(str::from_utf8_unchecked(result)) };
 }
 
-#[cfg(feature = "rand")]
+#[cfg(all(feature = "rand", feature = "secp256k1-sys"))]
 pub(crate) fn random_32_bytes<R: rand::Rng + ?Sized>(rng: &mut R) -> [u8; 32] {
     let mut ret = [0u8; 32];
     rng.fill(&mut ret);
     ret
 }
 
 #[cfg(test)]
+#[cfg(feature = "secp256k1-sys")]
 mod tests {
     use std::str::FromStr;
 

src/key/non_c/u256.rs

@@ -23,6 +23,7 @@ macro_rules! impl_array_newtype {
             fn index(&self, index: I) -> &Self::Output { &self.0[index] }
         }
 
+        #[cfg(feature = "secp256k1-sys")]
         impl $crate::ffi::CPtr for $thing {
             type Target = $ty;
 
@@ -63,6 +64,7 @@ macro_rules! impl_non_secure_erase {
             /// is very subtle. For more discussion on this, please see the documentation
             /// of the [`zeroize`](https://docs.rs/zeroize) crate.
             #[inline]
+            #[cfg(feature = "secp256k1-sys")]
             pub fn non_secure_erase(&mut self) {
                 secp256k1_sys::non_secure_erase_impl(&mut self.$target, $value);
             }
@@ -99,7 +101,14 @@ macro_rules! impl_fast_comparisons {
             /// serializes `self` and `other` before comparing them. This function provides a faster
             /// comparison if you know that your types come from the same library version.
             pub fn cmp_fast_unstable(&self, other: &Self) -> core::cmp::Ordering {
-                self.0.cmp_fast_unstable(&other.0)
+                #[cfg(feature = "secp256k1-sys")]
+                {
+                    self.0.cmp_fast_unstable(&other.0)
+                }
+                #[cfg(not(feature = "secp256k1-sys"))]
+                {
+                    self.0.cmp(&other.0)
+                }
             }
 
             /// Like `cmp::Eq` but faster and with no guarantees across library versions.
@@ -108,7 +117,14 @@ macro_rules! impl_fast_comparisons {
             /// `self` and `other` before comparing them. This function provides a faster equality
             /// check if you know that your types come from the same library version.
             pub fn eq_fast_unstable(&self, other: &Self) -> bool {
-                self.0.eq_fast_unstable(&other.0)
+                #[cfg(feature = "secp256k1-sys")]
+                {
+                    self.0.eq_fast_unstable(&other.0)
+                }
+                #[cfg(not(feature = "secp256k1-sys"))]
+                {
+                    self.0 == other.0
+                }
             }
         }
     };

src/key/non_c/zp.rs

@@ -99,8 +99,10 @@ impl Scalar {
 
     // returns a reference to internal bytes
     // non-public to not leak the internal representation
+    #[cfg(feature = "secp256k1-sys")]
     pub(crate) fn as_be_bytes(&self) -> &[u8; 32] { &self.0 }
 
+    #[cfg(feature = "secp256k1-sys")]
     pub(crate) fn as_c_ptr(&self) -> *const u8 {
         use secp256k1_sys::CPtr;
 

src/lib.rs

@@ -6,7 +6,10 @@ use core::fmt;
 
 use crate::constants::SECRET_KEY_SIZE;
 use crate::ecdh::SharedSecret;
-use crate::key::{Keypair, SecretKey};
+#[cfg(feature = "secp256k1-sys")]
+use crate::key::Keypair;
+
+use crate::key::SecretKey;
 use crate::to_hex;
 macro_rules! impl_display_secret {
     // Default hasher exists only in standard library and not alloc
@@ -127,6 +130,7 @@ impl SecretKey {
     pub fn display_secret(&self) -> DisplaySecret { DisplaySecret { secret: self.secret_bytes() } }
 }
 
+#[cfg(feature = "secp256k1-sys")]
 impl Keypair {
     /// Formats the explicit byte value of the secret key kept inside the type as a
     /// little-endian hexadecimal string using the provided formatter.
@@ -171,7 +175,7 @@ impl SharedSecret {
     ///
     /// ```
     /// # #[cfg(not(secp256k1_fuzz))]
-    /// # #[cfg(feature = "std")] {
+    /// # #[cfg(all(feature = "std", feature = "secp256k1-sys"))] {
     /// # use std::str::FromStr;
     /// use secp256k1::{SecretKey, PublicKey};
     /// use secp256k1::ecdh::SharedSecret;