On January 15, 2016, Bitcoin Core v0.12 shipped with libsecp256k1 as the default backend for consensus-critical ECDSA signature verification, replacing OpenSSL — a dependency that had been part of Bitcoin since Satoshi’s original v0.1 release seven years earlier.
Background
The libsecp256k1 project was started by Pieter Wuille on March 5, 2013. The initial motivation was performance — Wuille wanted to test whether the GLV-method endomorphism could deliver a meaningful speedup over OpenSSL’s general-purpose elliptic-curve code. Within one week, the library could verify the entire Bitcoin blockchain (block height ~225,000 at the time).
Gregory Maxwell joined the effort and the project expanded from a performance experiment into a full replacement for OpenSSL’s secp256k1 implementation, focused entirely on Bitcoin’s needs.
Why replace OpenSSL
By 2014, the team had identified several concrete problems with using OpenSSL for consensus-critical code:
- Signature parsing inconsistencies could potentially cause unintended chain splits — different OpenSSL versions could disagree on whether a given signature was valid, which is unacceptable for a system where every node must reach the same conclusion.
- Performance — libsecp256k1 was eventually 2.5–5.5× faster than OpenSSL for signature verification, the dominant cost of validating new blocks.
- Auditability — by focusing on a single curve and only the operations Bitcoin needs, the library was small enough to be reviewed in depth, with constant-time implementations to resist side-channel attacks.
In November 2014, Wuille discovered and reported CVE-2014-3570 — a serious bug in OpenSSL’s BN_sqr (squaring) routine — while writing tests for libsecp256k1. The bug had been latent in OpenSSL for years.
Maxwell summarized the conclusion in the Bitcoin Magazine article: “OpenSSL is not a suitable library for a consensus-critical system like Bitcoin.”
Rollout
- Bitcoin Core v0.10 (February 2015): libsecp256k1 became the default for wallet signing.
- Bitcoin Core v0.12 (January 15, 2016): libsecp256k1 became the default for consensus-critical ECDSA signature verification.
Significance
libsecp256k1 replaced OpenSSL in Bitcoin’s consensus signature verification — the code path where every node must reach the same verdict, or the chain splits. Satoshi’s v0.1 used OpenSSL because it was the obvious choice in 2008 — it was the standard cryptographic library for C++ projects on Windows. By 2016, the Bitcoin Core developers had concluded that “obvious” was not “correct” for a consensus system, and had spent three years building a purpose-made replacement.
This pattern — Satoshi’s design choices being progressively superseded by Bitcoin-specific implementations as the codebase matured — is one of the recurring themes in Bitcoin Core’s evolution. See also PR #4641 (laanwj, 2014) which began the systematic removal of Satoshi’s Hungarian-notation variable naming style from new Bitcoin Core code.
The libsecp256k1 transition is read as a load-bearing event in multiple participant and dependency records. Wladimir van der Laan’s biography records the v0.12 ship date as a defining achievement of his lead-maintainer tenure. Pieter Wuille’s biography treats the library — which Wuille started in 2013 — as one of the foundational pillars of his contribution record. Gregory Maxwell’s biography anchors co-authorship of libsecp256k1 as one of two pillars of his record (the other being CoinJoin / Confidential Transactions). And the 2011 Bitcoin v0.5 Crypto++-removal entry reads the same dependency-replacement arc from its earlier endpoint — Crypto++ to OpenSSL in 2011, OpenSSL to libsecp256k1 in 2016 — treating the v0.12 ship date as the terminal row of that chain.