Merge bitcoin-core/secp256k1#1192: Switch to exhaustive groups with small B coefficient

ce60785b26 Introduce SECP256K1_B macro for curve b coefficient (Pieter Wuille)
4934aa7995 Switch to exhaustive groups with small B coefficient (Pieter Wuille)

Pull request description:

  This has the advantage that in the future, multiplication with B can be done using `secp256k1_fe_mul_int` rather than the slower `secp256k1_fe_mul`.

ACKs for top commit:
  real-or-random:
    ACK ce60785b26 also ran the exhaustive tests with the group of size 7
  apoelstra:
    ACK ce60785b26

Tree-SHA512: 006041189d18319ddb9c0ed54e479f393b83ab2a368d198bd24860d1d2574c0c1a311aea24fbef2e74bb7859a687dfc803b9e963e6dc5c61cb707e20f52b5a70
Tim Ruffing
2023-01-16 22:30:31 +01:00
5 changed files with 157 additions and 111 deletions
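To show what an exhaustive-group test of the kind these changes touch actually checks, here is an added Python example (not libsecp256k1 code and not its real exhaustive-test parameters): a constructed toy curve y^2 = x^3 + B over F_7 with the small coefficient B = 3, picked by hand so the group has prime order 13, so that every scalar multiple of a generator can be compared against brute-force point enumeration. The names on_curve, enumerate_points, ge_add, ge_mul, group_order and exhaustive_check are assumed helper names.

```python
# Constructed toy curve y^2 = x^3 + B over F_P (not libsecp256k1's own
# exhaustive-test parameters), chosen by hand so the group order is prime (13).
P = 7
B = 3
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % P == 0

def enumerate_points():
    """Brute-force every (x, y) in F_P x F_P, plus infinity."""
    return [INF] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]

def ge_add(p1, p2):
    """Affine short-Weierstrass addition with a = 0 (the secp256k1 shape)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ge_mul(pt, k):
    """Scalar multiplication by repeated addition; fine for a tiny group."""
    acc = INF
    for _ in range(k):
        acc = ge_add(acc, pt)
    return acc

def group_order():
    return len(enumerate_points())

def exhaustive_check(g):
    """The multiples k*g for k in [0, n) must cover every point exactly once
    and n*g must be infinity: g generates a cyclic group of prime order n."""
    n = group_order()
    seen = {ge_mul(g, k) for k in range(n)}
    return len(seen) == n and seen == set(enumerate_points()) and ge_mul(g, n) is INF
```

With a group this small the whole point set is enumerated, so the test asserts exact equality rather than a probabilistic property.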
@@ -43,8 +43,7 @@ static void test_exhaustive_recovery_sign(const secp256k1_context *ctx, const se
(k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);
/* The recid's second bit is for conveying overflow (R.x value >= group order).
* In the actual secp256k1 this is an astronomically unlikely event, but in the
* small group used here, it will be the case for all points except the ones where
* R.x=1 (which the group is specifically selected to have).
* small group used here, it will almost certainly be the case for all points.
* Note that this isn't actually useful; full recovery would need to convey
* floor(R.x / group_order), but only one bit is used as that is sufficient
* in the real group. */
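Review bot: the new comment's "almost certainly" leaves the non-overflow case unaccounted for; the removed lines explained that the old group was chosen to contain points with R.x=1, i.e. points whose overflow bit is clear, and nothing in this hunk says whether that branch (recid second bit 0) is still exercised with the new groups. Since the test is exhaustive, this is checkable rather than probable: either state that R.x >= group order holds for every point in the new groups, or keep a sentence saying how the R.x < group order case is now covered.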