libsecp256k1 replaces OpenSSL for consensus in Bitcoin Core v0.12

On January 15, 2016, Bitcoin Core v0.12 shipped with libsecp256k1 as the default backend for consensus-critical ECDSA signature verification, replacing OpenSSL — a dependency that had been part of Bitcoin since Satoshi’s original v0.1 release seven years earlier.

Background:

The libsecp256k1 project was started by Pieter Wuille on March 5, 2013. The initial motivation was performance — Wuille wanted to test whether the GLV-method endomorphism could deliver a meaningful speedup over OpenSSL’s general-purpose elliptic-curve code. Within one week, the library could verify the entire Bitcoin blockchain (block height ~225,000 at the time).

Gregory Maxwell joined the effort and the project expanded from a performance experiment into a full replacement for OpenSSL’s secp256k1 implementation, focused entirely on Bitcoin’s needs.

Why replace OpenSSL:

By 2014, the team had identified several concrete problems with using OpenSSL for consensus-critical code:

  1. Signature parsing inconsistencies could cause unintended chain splits — different OpenSSL versions could disagree on whether a given signature was validly encoded, which is unacceptable for a system where every node must reach the same conclusion.
  2. Performance — libsecp256k1 was eventually 2.5–5.5× faster than OpenSSL for signature verification, the dominant cost of validating new blocks.
  3. Auditability — by focusing on a single curve and only the operations Bitcoin needs, the library was small enough to be reviewed in depth, with constant-time implementations to resist side-channel attacks.
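The parsing-inconsistency risk in item 1, as an added example (not code from libsecp256k1 or Bitcoin Core): a strict DER signature encoding check placed beside a deliberately lax reader that trusts the declared lengths, run on constructed byte strings on which the two validators disagree. The strict rules are patterned on canonical DER (exact lengths, no sign bit, no superfluous leading zero); the sample signatures are constructed and are not real signatures.

```c
#include <stddef.h>
#include <stdint.h>

/* Strict check of an ECDSA signature encoding: 0x30 len 0x02 lenR R 0x02 lenS S.
 * Assumption: illustrative re-implementation of canonical DER rules, not the
 * project's own parser. Every byte must be accounted for and both integers
 * must be minimally encoded positive numbers. */
int der_is_strict(const uint8_t *sig, size_t n) {
    size_t lenR, lenS;
    if (n < 8 || n > 72) return 0;                 /* shorter than minimum or longer than two 33-byte ints */
    if (sig[0] != 0x30) return 0;                  /* SEQUENCE tag */
    if ((size_t)sig[1] != n - 2) return 0;         /* declared length must cover exactly the rest */
    if (sig[2] != 0x02) return 0;                  /* INTEGER tag for R */
    lenR = sig[3];
    if (lenR == 0 || 6 + lenR > n) return 0;       /* R present, S tag and length in bounds */
    if (sig[4 + lenR] != 0x02) return 0;           /* INTEGER tag for S */
    lenS = sig[5 + lenR];
    if (lenS == 0 || 6 + lenR + lenS != n) return 0;
    if (sig[4] & 0x80) return 0;                   /* R must be positive */
    if (lenR > 1 && sig[4] == 0x00 && !(sig[5] & 0x80)) return 0;          /* no padding zero */
    if (sig[6 + lenR] & 0x80) return 0;            /* S must be positive */
    if (lenS > 1 && sig[6 + lenR] == 0x00 && !(sig[7 + lenR] & 0x80)) return 0;
    return 1;
}

/* A deliberately lax reader of the same structure: it trusts the declared
 * lengths, ignores anything after them, and never checks minimal encoding.
 * Two validators like this one and the strict one above can disagree on the
 * same bytes, which is exactly the consensus hazard described in item 1. */
int der_is_lax(const uint8_t *sig, size_t n) {
    size_t lenR, lenS, total;
    if (n < 8 || sig[0] != 0x30) return 0;
    total = sig[1];
    if (total + 2 > n) return 0;                   /* truncated input */
    if (sig[2] != 0x02) return 0;
    lenR = sig[3];
    if (6 + lenR > total + 2) return 0;
    if (sig[4 + lenR] != 0x02) return 0;
    lenS = sig[5 + lenR];
    if (6 + lenR + lenS > total + 2) return 0;
    return 1;                                      /* trailing bytes silently accepted */
}

/* Constructed sample encodings (not real signatures; R = S = 1 for brevity). */
static const uint8_t SIG_MINIMAL[]  = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
static const uint8_t SIG_TRAILING[] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x00};
static const uint8_t SIG_PADDED_R[] = {0x30, 0x07, 0x02, 0x02, 0x00, 0x01, 0x02, 0x01, 0x01};

/* 1 when both validators reach the same verdict, 0 when they would split. */
int validators_agree(const uint8_t *sig, size_t n) { return der_is_strict(sig, n) == der_is_lax(sig, n); }
```

Only SIG_MINIMAL is accepted by both; the trailing byte and the zero-padded R are each accepted by the lax reader and rejected by the strict one.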

In November 2014, Wuille discovered and reported CVE-2014-3570 — a serious bug in OpenSSL’s BN_sqr (squaring) routine — while writing tests for libsecp256k1. The bug had been latent in OpenSSL for years.

Maxwell summarized the conclusion in the Bitcoin Magazine article: “OpenSSL is not a suitable library for a consensus-critical system like Bitcoin.”

Rollout:

  • Bitcoin Core v0.10 (February 2015): libsecp256k1 became the default for wallet signing.
  • Bitcoin Core v0.12 (January 15, 2016): libsecp256k1 became the default for consensus-critical ECDSA signature verification.

Significance:

libsecp256k1 represented the most consequential replacement of a dependency that Satoshi had originally chosen. Satoshi’s v0.1 used OpenSSL because it was the obvious choice in 2008 — it was the standard cryptographic library for C++ projects on Windows. By 2016, the Bitcoin Core developers had concluded that “obvious” was not “correct” for a consensus system, and had spent three years building a purpose-made replacement.

This pattern — Satoshi’s design choices being progressively superseded by Bitcoin-specific implementations as the codebase matured — is one of the recurring themes in Bitcoin Core’s evolution. See also PR #4641 (laanwj, 2014) which began the systematic removal of Satoshi’s Hungarian-notation variable naming style from new Bitcoin Core code.