Commit Graph

1444 Commits

Author SHA1 Message Date
Andrew Poelstra
bf18ff5a8c surjectionproof: fix generation to fail when any input == the output
Verification will fail in this case, so don't "succeed" in generating a bad proof.
2022-07-26 17:14:49 +00:00
Andrew Poelstra
4ff6e4274d surjectionproof: add test for existing behavior on input=output proofs 2022-07-26 17:09:36 +00:00
Jon Griffiths
db648478c3 extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation
OpenBSD defines swap64 in <endian.h>.
2022-07-18 12:29:54 +12:00
Jonas Nick
3efeb9da21 Merge bitcoin-core/secp256k1#1121: config: Set preprocessor defaults for ECMULT_* config values
c27ae45144 config: Remove basic-config.h (Tim Ruffing)
da6514a04a config: Introduce DEBUG_CONFIG macro for debug output of config (Tim Ruffing)
d0cf55e13a config: Set preprocessor defaults for ECMULT_* config values (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK c27ae45144
  hebasto:
    ACK c27ae45144, I have reviewed the code and it looks correct.
  jonasnick:
    ACK c27ae45144

Tree-SHA512: 56b0f384bd9f42cf7c903bec08f4807db1415ddf9a06676dfe1e638e4d02431c522ef0422585e85429074e0dbb51da4f400cf53e8f883d6e07122731c57be1e3
2022-07-11 12:14:25 +00:00
Jonas Nick
6a873cc4a9 Merge bitcoin-core/secp256k1#1122: tests: Randomize the context with probability 15/16 instead of 1/4
17065f48ae tests: Randomize the context with probability 15/16 instead of 1/4 (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 17065f48ae
  jonasnick:
    ACK 17065f48ae

Tree-SHA512: 3b7005770007b922a294be610f23da60b0dde74dfd7585d64a2cb04eaa6ec879de8d21a0ade31c1857019a8dd97260fa3aa167ae16fc55027ef280a3e3feaa6d
2022-07-11 11:21:57 +00:00
Tim Ruffing
17065f48ae tests: Randomize the context with probability 15/16 instead of 1/4 2022-07-08 18:45:32 +02:00
Tim Ruffing
c27ae45144 config: Remove basic-config.h
It's unused and thus potentially confusing.
2022-07-07 20:32:18 +02:00
Tim Ruffing
da6514a04a config: Introduce DEBUG_CONFIG macro for debug output of config 2022-07-07 20:32:08 +02:00
Tim Ruffing
d0cf55e13a config: Set preprocessor defaults for ECMULT_* config values
This simplifies manual builds and solves one item in #929.
2022-07-06 15:07:57 +02:00
Tim Ruffing
55f8bc99dc ecmult_gen: Improve comments about projective blinding
Whenever I read this code, I first think that rescaling ctx->initial is
a dead store because we overwrite it later with gb. But that's wrong.
The rescaling blinds the computation of gb and affects its result.
2022-07-05 19:28:09 +02:00
Tim Ruffing
7a86955800 ecmult_gen: Simplify code (no observable change) 2022-07-05 19:28:09 +02:00
Tim Ruffing
4cc0b1b669 ecmult_gen: Skip RNG when creating blinding if no seed is available
Running the RNG is pointless if no seed is available because the key
will be fixed. The computation just wastes time.

Previously, users could avoid this computation at least by asking for
a context without signing capabilities. But since 3b0c218 we always
build an ecmult_gen context, ignoring the context flags. Moreover,
users could never avoid this pointless computation when asking for
the creation of a signing context.
2022-07-05 19:27:47 +02:00
Tim Ruffing
40a3473a9d build: Fix #include "..." paths to get rid of further -I arguments
This simplifies building without a build system.

This is in line with #925; the paths fixed here were either forgotten
there or only introduced later. This commit also makes the Makefile
stricter so that further "wrong" #include paths will lead to build
errors even in autotools builds.

This belongs to #929.

Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
2022-07-01 15:03:35 +02:00
henopied
069aba8125 Fix sepc256k1 -> secp256k1 typo in group.h 2022-06-29 20:08:47 -05:00
Jonas Nick
accadc94df Merge bitcoin-core/secp256k1#1114: _scratch_destroy: move VERIFY_CHECK after invalid scrach space check
1827c9bf2b scratch_destroy: move VERIFY_CHECK after invalid scrach space check (siv2r)

Pull request description:

ACKs for top commit:
  sipa:
    utACK 1827c9bf2b
  jonasnick:
    ACK 1827c9bf2b

Tree-SHA512: 5c4f97ca16f46380b30d1d077a54e25eab21efb10e0ce3ca27e7f73a2318d130f0f0773e26b2fdfc8f9d98c1334880f9d80a51b0941be3ba0af2b656b7c0ea7e
2022-06-29 20:32:00 +00:00
Jonas Nick
cd47033335 Merge bitcoin-core/secp256k1#1084: ci: Add MSVC builds
49e2acd927 configure: Improve rationale for WERROR_CFLAGS (Tim Ruffing)
8dc4b03341 ci: Add a C++ job that compiles the public headers without -fpermissive (Tim Ruffing)
51f296a46c ci: Run persistent wineserver to speed up wine (Tim Ruffing)
3fb3269c22 ci: Add 32-bit MinGW64 build (Tim Ruffing)
9efc2e5221 ci: Add MSVC builds (Tim Ruffing)
2be6ba0fed configure: Convince autotools to work with MSVC's archiver lib.exe (Tim Ruffing)
bd81f4140a schnorrsig bench: Suppress a stupid warning in MSVC (Tim Ruffing)
09f3d71c51 configure: Add a few CFLAGS for MSVC (Tim Ruffing)
3b4f3d0d46 build: Reject C++ compilers in the preprocessor (Tim Ruffing)
1cc0941414 configure: Don't abort if the compiler does not define __STDC__ (Tim Ruffing)
cca8cbbac8 configure: Output message when checking for valgrind (Tim Ruffing)
1a6be5745f bench: Make benchmarks compile on MSVC (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 49e2acd927

Tree-SHA512: 986c498fb218231fff3519167d34a92e11dea6a4383788a9723be105c20578cd483c6b06ba5686c6669e3a02cfeebc29b8e5f1428552ebf4ec67fa7a86957548
2022-06-29 15:39:28 +00:00
siv2r
1827c9bf2b scratch_destroy: move VERIFY_CHECK after invalid scrach space check 2022-06-29 20:24:11 +05:30
Tim Ruffing
bd81f4140a schnorrsig bench: Suppress a stupid warning in MSVC 2022-06-29 11:05:40 +02:00
Tim Ruffing
8b013fce51 Merge bitcoin-core/secp256k1#1056: Save negations in var-time group addition
2f984ffc45 Save negations in var-time group addition (Peter Dettman)

Pull request description:

  - Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
  - 2 fewer _fe_negate in each method
  - Updated operation counts and standardize layout
  - Added internal benchmark for _gej_add_zinv_var

  benchmark_internal shows about 2% speedup in each method as a result (64bit).

ACKs for top commit:
  real-or-random:
    ACK 2f984ffc45
  jonasnick:
    ACK 2f984ffc45

Tree-SHA512: 01366fa23c83a8dd37c9a0a24e0acc53ce38a201607fe4da6672ea5618d82c62d1299f0e0aa50317883821539af739ea52b6561faff230c148e6fdc5bc5af30b
2022-04-16 12:58:57 +02:00
Jonas Nick
510b61a803 musig: add test vectors for applying multiple tweaks 2022-04-04 21:38:46 +00:00
Jonas Nick
8298c0c79b Merge commits 'c8aa516b 0a40a486 d8a24632 85b00a1c 59547943 5dcc6f8d 07752831 3ef94aa5 1253a277 64b34979 ac83be33 0e5cbd01 e0508ee9 587239db 1ac7e31c d0ad5814 912b7ccc 8746600e ' into temp-merge-1093
Revert: util: Remove endianness detection
2022-03-30 15:00:03 +00:00
Peter Dettman
2f984ffc45 Save negations in var-time group addition
- Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
- 2 fewer _fe_negate in each method
- Updated operation counts and standardize layout
- Added internal benchmark for _gej_add_zinv_var
- Update sage files (fixed by Tim Ruffing)
2022-03-28 23:40:55 +07:00
Tim Ruffing
37d36927df tests: Add tests for _read_be32 and _write_be32 2022-03-26 10:26:53 +01:00
Tim Ruffing
616b43dd3b util: Remove endianness detection 2022-03-25 11:32:22 +01:00
Tim Ruffing
8d89b9e6e5 hash: Make code agnostic of endianness
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).

Fixes #1080.
2022-03-25 11:32:14 +01:00
Tim Ruffing
1ac7e31c5b Merge bitcoin-core/secp256k1#1089: Schnorrsig API improvements
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)

Pull request description:

  Should be merged before #995 if we want this.

  I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.

ACKs for top commit:
  sipa:
    utACK b8f8b99f0f
  jonasnick:
    ACK b8f8b99f0f

Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
2022-03-25 00:15:15 +01:00
Tim Ruffing
f8d9174357 Add SHA256 bit counter tests 2022-03-23 16:33:44 +01:00
Jonas Nick
eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec
Also rename internal_key_parity -> parity_acc because the former is
confusing.
2022-03-21 22:10:24 +00:00
Jonas Nick
57eb6b4167 musig-spec: move description of secret key negation to spec
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
2022-03-21 22:10:24 +00:00
Tim Ruffing
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate 2022-03-17 22:41:36 +01:00
Tim Ruffing
3b4f3d0d46 build: Reject C++ compilers in the preprocessor 2022-03-17 22:32:24 +01:00
Tim Ruffing
1a6be5745f bench: Make benchmarks compile on MSVC 2022-03-16 16:36:29 +01:00
Tim Ruffing
9b514ce1d2 Add test vector for very long SHA256 messages
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.

```
h = hashlib.sha256()
for i in range(1_000_000):
    h.update(b'a')
print(h.hexdigest())
```
2022-03-07 12:54:13 +01:00
Tim Ruffing
8e3dde1137 Simplify struct initializer for SHA256 padding
Since missing elements are initialized with zeros, this change is
purely syntactical.
2022-03-02 15:54:33 +01:00
Tim Ruffing
eb28464a8b Change SHA256 byte counter from size_t to uint64_t
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.

This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
2022-03-02 15:54:33 +01:00
Tim Ruffing
e089eecc1e group: Further simply gej_add_ge 2022-02-26 13:23:22 +01:00
Tim Ruffing
ac71020ebe group: Save a normalize_to_zero in gej_add_ge
The code currently switches to the alternative formula for lambda only if (R,M)
= (0,0) but the alternative formula works whenever M = 0: Specifically, M = 0
implies y1 = -y2. If x1 = x2, then a = -b this is the r = infinity case that we
handle separately. If x1 != x2, then the denominator in the alternative formula
is non-zero, so this formula is well-defined.

One needs to carefully check that the infinity assignment is still correct
because now the definition of m_alt at this point in the code has changed. But
this is true:

Case y1 = -y2:
  Then degenerate = true and infinity = ((x1 - x2)Z == 0) & ~a->infinity .
  a->infinity is handled separately.
  And if ~a->infinity, then Z = Z1 != 0,
  so infinity = (x1 - x2 == 0) = (a == -b) by case condition.

Case y1 != -y2:
  Then degenerate = false and infinity = ((y1 + y2)Z == 0) & ~a->infinity .
  a->infinity is handled separately.
  And if ~a->infinity, then Z = Z1 != 0,
  so infinity = (y1 + y2 == 0) = false by case condition.

Co-Authored-By: Pieter Wuille <pieter@wuille.net>
2022-02-21 11:25:18 +01:00
Tim Ruffing
1253a27756 Merge bitcoin-core/secp256k1#1033: Add _fe_half and use in _gej_add_ge and _gej_double
e848c3799c Update sage files for new formulae (Peter Dettman)
d64bb5d4f3 Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff Further improve doubling formula using fe_half (Peter Dettman)
557b31fac3 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a42 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257ed Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e Add _fe_half and use in _gej_add_ge (Peter Dettman)

Pull request description:

  - Trades 1 _half for 3 _mul_int and 2 _normalize_weak

  Gives around 2-3% faster signing and ECDH, depending on compiler/platform.

ACKs for top commit:
  sipa:
    utACK e848c3799c
  jonasnick:
    ACK e848c3799c
  real-or-random:
    ACK e848c3799c

Tree-SHA512: 81a6c93b3d983f1b48ec8e8b6f262ba914215045a95415147f41ee6e85296aa4d0cbbad9f370cdf475571447baad861d2cc8e0b04a71202d48959cb8a098f584
2022-02-21 11:00:08 +01:00
Tim Ruffing
3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count
Co-authored-by: Elliott Jin <elliott.jin@gmail.com>
2022-02-11 16:39:04 +01:00
Tim Ruffing
c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs 2022-02-11 16:39:04 +01:00
Jonas Nick
f0edc90755 musig: fix number of tweaks in tweak_test 2022-02-07 13:56:56 +00:00
Peter Dettman
d64bb5d4f3 Add fe_half tests for worst-case inputs
- Add field method _fe_get_bounds
2022-02-01 17:51:05 +07:00
Peter Dettman
4eb8b932ff Further improve doubling formula using fe_half 2022-01-31 19:41:07 +07:00
Pieter Wuille
557b31fac3 Doubling formula using fe_half 2022-01-31 19:41:07 +07:00
Pieter Wuille
2cbb4b1a42 Run more iterations of run_field_misc
At count=64, this makes the test take around 1% of the total time.
2022-01-31 19:41:07 +07:00
Pieter Wuille
9cc5c257ed Add test for secp256k1_fe_half 2022-01-31 19:41:07 +07:00
Peter Dettman
925f78d55e Add _fe_half and use in _gej_add_ge
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
- Updated formula and comments in _gej_add_ge
- Added internal benchmark for _fe_half
2022-01-31 19:41:01 +07:00
Jonas Nick
d8a2463246 Merge bitcoin-core/secp256k1#899: Reduce stratch space needed by ecmult_strauss_wnaf.
b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad1 Move secp256k1_fe_one to field.h (Russell O'Connor)

Pull request description:

ACKs for top commit:
  sipa:
    ACK b797a500ec
  jonasnick:
    ACK b797a500ec

Tree-SHA512: 6742469979c306104a0861be76c2be86bf8ab14116b00afbd24f91b9e3ea843bf9b9a74552b367bd06ee617090019ad4df6be037d58937c8c869f8b37ddaa6cc
2022-01-26 14:49:40 +00:00
Tim Ruffing
73f0cbd3cc Merge ElementsProject/secp256k1-zkp#157: Add description of MuSig signing to musig-spec.md
69b392f3cb musig: move explanation for aggnonce=inf to spec (Jonas Nick)
4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} (Jonas Nick)
3c122d0780 musig-spec: improve definition of lift_x (Jonas Nick)
e0bb2d7009 musig-spec: improve KeyAgg description (Jonas Nick)
b8f4e75d89 musig-spec: move to doc directory (Jonas Nick)

Pull request description:

  Will wait before adding tweaking until #151 is merged.

ACKs for top commit:
  robot-dreams:
    ACK 69b392f3cb based on:
  real-or-random:
    ACK 69b392f3cb I haven't looked at every detail but it's certainly ready to be merged as draft spec

Tree-SHA512: e3aa0265a9d7a7648e03ca42575397100edd5af43f0224937af51aa5c77efc451d7938149bdc711f69e24fb9291438453b8cd762affaa1a2e7bcc89f121485df
2022-01-25 10:55:25 +01:00
Tim Ruffing
8fd97d8116 Merge ElementsProject/secp256k1-zkp#158: Small musig improvements
d895b10c18 musig: mention musig.md in example (Jonas Nick)
588009d26f musig: improve doc of partial_sig_verify regarding signing sessions (Jonas Nick)
b1094953c4 musig: remove superfluous comment (Jonas Nick)

Pull request description:

ACKs for top commit:
  robot-dreams:
    ACK d895b10c18
  real-or-random:
    ACK d895b10c18

Tree-SHA512: 35169240868500bb27e5a6b8779f090d3f33a6c0cb1a4574e6e53e9c52782f454fe7df6d49b68e0acdd174e25a756bf6267339f0d4e94f28d5ae49145f21e298
2022-01-25 10:53:38 +01:00