cd54ac7c1c schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
28687b0312 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
97a98bed1e schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK cd54ac7c1c. I didn't verify the included test vectors match the BIP.
jonasnick:
ACK cd54ac7c1c
Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816
17fa21733a ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
5fb336f9ce ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK 17fa21733a
jonasnick:
ACK 17fa21733a
Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121
712e7f8722 Remove unused scratch space from API (Jonas Nick)
Pull request description:
Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff.
ACKs for top commit:
sipa:
ACK 712e7f8722
real-or-random:
utACK 712e7f8722
Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44
- secp256k1_scalar_cadd_bit
- secp256k1_modinvXX_normalize_YY
- secp256k1_modinvXX_divsteps_ZZ
- ECMULT_CONST_TABLE_GET_GE
Even though those code locations are not problematic right now
(with current compilers).
97c63b9039 Avoid normalize conditional on VERIFY (Pieter Wuille)
Pull request description:
In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
ACKs for top commit:
real-or-random:
utACK 97c63b9039 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
jonasnick:
ACK 97c63b9039
Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
7fc642fa25 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad5b9 Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98346 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c6b9 Abstract out verify logic for fe_half (Pieter Wuille)
283cd80ab4 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f0358 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
3167646072 Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5047 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894bdd7 Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8e03 Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab35082ef Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6efbd Abstract out verify logic for fe_mul (Pieter Wuille)
e179e651cb Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7ff57 Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3445 Abstract out verify logic for fe_negate (Pieter Wuille)
144670893e Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666aeb Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d2093e8 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c6dd Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d672 Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8616 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a471 Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfeeea Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db491 Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371120 Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f522 Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9cb97 Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa5195559 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c51b Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
Pull request description:
Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
Fixes #1060.
ACKs for top commit:
jonasnick:
ACK 7fc642fa25
real-or-random:
ACK 7fc642fa25
Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
bbc834467c Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae4 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722a Add invariant checking to group elements (Pieter Wuille)
a18821d5b1 Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90ac Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4d Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c
real-or-random:
ACK bbc834467c
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19