b7ebe6436cd9ea6e91829589b2010c587a033c40 Test APIs of funcs that need an ecmult_gen ctx with static ctx (Jonas Nick)
e82144edfb7673d9a5eeb2b556d08be5223835ac Fixup skew before global Z fixup (Peter Dettman)
40b624c90bff7a40aa28c4d942b0382c300386b8 Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe16c426c082b8df401098c02db53c9a0 ECDH skews by 0 or 1 (Peter Dettman)
15150994333c872a20a1902aa01e1a60dbb1393d Simpler and faster ecdh skew fixup (Peter Dettman)
3d7cbafb5fd7f152fc47dc907af5df03150accc0 tests: Fix test whose result is implementation-defined (Tim Ruffing)
77a19750b46916b93bb6a08837c26f585bd940fa Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684ecca8f767f98ee0ace813103cc88ade secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
3ed0d02bf7690c68ba3ba74da765614809352049 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8483ff4c5f34cfc3aeae794ca2c660d doc: add release_process.md (Jonas Nick)
0bd3e4243caa3c000e6afe3ea5533b97565557c4 build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4276779f115af5985508f54ef9e51be build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
05e049b73c69002f498c3c9c21555fd91f95ccac ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2 ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601aecf3c5a8affb5a4dce5612b298964 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e084334081fa53be81e75c064375f36 ci: Update brew on macOS (Tim Ruffing)
22382f0ea0e234242e248720b9d1d171cb2de0f8 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0e3fceb1cd2e882e1476c950cabc2e8 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3ce3ee8ca443ccad20915217ee74397 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
1287786c7a97eff520ffbd6b0d8b2f99dbfc6371 doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589f61b0e0e9b58388ee3e0da8a2c3c3a doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
22d25c8e0ab1d24f0f4a80fe016cbd71cd889866 Add another ecmult_multi test (Pieter Wuille)
515e7953cab4eb3be063fa3991e4e0663d3f04ae Improve checks at top of _fe_negate methods (Peter Dettman)
e05da9e480de34129a170510a311abb204eefeb3 Fix c++ build (Pieter Wuille)
c45386d994b48f44009c139c7351a521261e8363 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen} (Pieter Wuille)
19d96e15f9b657483c42258568eb70874179d835 Split off .c file from precomputed_ecmult.h (Pieter Wuille)
1a6691adaead20ed55b5400fd4d36f91eb5a3686 Split off .c file from precomputed_ecmult_gen.h (Pieter Wuille)
bb36331412ed68999ac73c871d402e3b03f65700 Simplify precompute_ecmult_print_* (Pieter Wuille)
38cd84a0cb56e031fe43b47e9bdf60349ac9c0a7 Compute ecmult tables at runtime for tests_exhaustive (Pieter Wuille)
e458ec26d61619eafa9fc2b466c1a7b51f794b1f Move ecmult table computation code to separate file (Pieter Wuille)
fc1bf9f15fbe93cb0223c05ee8592ec9bc3070dd Split ecmult table computation and printing (Pieter Wuille)
31feab053b72bfd7ab05347ef7df81b381c92261 Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table (Pieter Wuille)
725370c3f21ad1327b76127784734ffab1f21f97 Rename ecmult_gen_prec -> ecmult_gen_compute_table (Pieter Wuille)
075252c1b7948522455c907ddc97b26f861288eb Rename ecmult_static_pre_g -> precomputed_ecmult (Pieter Wuille)
7cf47f72bc3c2f99e9ac6b050c78b0155a826f74 Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen (Pieter Wuille)
f95b8106d02f8dd4088609a38647033de217bb5a Rename gen_ecmult_static_pre_g -> precompute_ecmult (Pieter Wuille)
bae77685ebc3ae695e3a50e1c4dbe7aa936ae7a5 Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen (Pieter Wuille)
7dfceceea692c4118829c06128c41623b2373ac2 build: Remove #undef hack for ASM in the precomputation programs (Tim Ruffing)
bb36fe9be0998c81ebc9f18e122bb7617d919877 ci: Test `make precomp` (Tim Ruffing)
d94a37a20c3b5b44f1bcf60d309ffc50727e18e4 build: Remove CC_FOR_BUILD stuff (Tim Ruffing)
ad63bb4c296e6007dab22cda05fd599b20139362 build: Prebuild and distribute ecmult_gen table (Tim Ruffing)
ac49361ed0a342e01eafb1410c5b43e1214efaac prealloc: Get rid of manual memory management for prealloc contexts (Tim Ruffing)
6573c08f656f8ec305a2db801d57bfe6441e83e0 ecmult_gen: Tidy precomputed file and save space (Tim Ruffing)
5eba83f17c5aa1cf3698bb057a4b3ee35f3b6c30 ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS (Tim Ruffing)
fdb33dd1227f935ca95c7f8bd9429f42e18a870e refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table (Tim Ruffing)
a4875e30a631d67b77b41f37fc3bf06ffb8ff11f refactor: Move default callbacks to util.h (Tim Ruffing)
4c94c55bce9e1fae8fd2e8993726c8ec74cc0f7d doc: Remove obsolete hint for valgrind stack size (Tim Ruffing)
5106226991117da78f85ca88b7ea66c2ac8fe0b3 exhaustive_tests: Fix with ecmult_gen table with custom generator (Tim Ruffing)
e1a76530db40b8aa8953717d9f984b6bdf845308 refactor: Make generator a parameter of ecmult_gen_create_prec_table (Tim Ruffing)
9ad09f6911906a1fa9af2c5540a8004e44f3ccc6 refactor: Rename program that generates static ecmult_gen table (Tim Ruffing)
8ae18f1ab3dce4c487bab75c2f0cdf4fe311b318 refactor: Rename file that contains static ecmult_gen table (Tim Ruffing)
00d2fa116ed7a8c2d049723aca8d8b6d1c49f6a8 ecmult_gen: Make code consistent with comment (Tim Ruffing)
3b0c2185eab0fe5cb910fffee4c88e134f6d3cad ecmult_gen: Simplify ecmult_gen context after making table static (Tim Ruffing)
e43ba02cfc836dba48c8c9a483e79b7589ce9ae1 refactor: Decouple table generation and ecmult_gen context (Tim Ruffing)
22dc2c0a0dc3b321e72253f492cfa8bcbf00169b ecmult_gen: Move table creation to new file and force static prec (Tim Ruffing)
099bad945e9a7c5237cdd764eca420285a9de279 Comment and check a parameter for inf in secp256k1_ecmult_const. (Russell O'Connor)
6c0be857f8fee7807a2a704465d2e0f6b1f021e3 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. (Russell O'Connor)
5eb519e1f60c305e9240946d5773a635192d2a1a ci: reduce TEST_ITERS in memcheck run (Pieter Wuille)
e2cf77328a07c9d972db6a4a65f65424634b54ab Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255. (Pieter Wuille)
c0cd7de6d4e497c0e678f7098079727188e81de8 build: add -no-undefined to libtool LDFLAGS (fanquake)
fe32a79d354dfc7f341dbfdd6b8f0d408bd76e5b build: pass win32-dll to LT_INIT (fanquake)
7c7ce872a53f386f7c6a3a8ea04442840902193b build: Add a check that Valgrind actually supports a host platform (Hennadii Stepanov)
592661c22f56736099f83700be8cf280f8a963ff ci: move test environment variable declaration to .cirrus.yml (siv2r)
dcbe84b84182bb077bc8639536a778a3129b1b3e bench: add --help option to bench. (siv2r)
2b7c7497ef66eae3a178b666fe17af40495322a6 build: replace backtick command substitution with $() (fanquake)
60bf8890df5360148df921f26d8dc4d667dd5926 ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS (Jonas Nick)
214042a170c860523b7aad2a251b0dbfbaefb235 build: don't append valgrind CPPFLAGS if not installed (fanquake)
812ff5c74745e451f1a9de83b5bd0d0c18c75e5f doc: remove use of 0xa0 "no break space" (fanquake)
dc9b6853b72b9a492cad230623670e89157525ca doc: Minor fixes in safegcd_implementation.md (Elliott Jin)
233297579db61ffe6bf7e882b2ee1c3796f874d8 Fix typos (Dimitris Apostolou)
72de1359e953390dc2f1ab5a59dd1a4057000acb ci: Enable -g if we set CFLAGS manually (Tim Ruffing)
16d132215cab68e57798927301268518bc1c3bf8 refactor: Use (int)&(int) in boolean context to avoid compiler warning (MarcoFalke)
3b157c48edb8ab080683232125dc7ec058bbd24c doc: Suggest keys.openpgp.org as keyserver in SECURITY.md (Tim Ruffing)
73a7472cd0335f2aa7eaf2c514e909ce36aba291 doc: Replace apoelstra's GPG key by jonasnick's GPG key (Tim Ruffing)
af6abcb3d0097a7f7892fb8b54a4c6363e5c2c7f Make bench support selecting which benchmarks to run (Pieter Wuille)
9f56bdf5b9ba2e22e77c6adaaeb8302398732df3 Merge bench_schnorrsig into bench (Pieter Wuille)
3208557ae1062f7fcce25d5f2c5a29dc34a18895 Merge bench_recover into bench (Pieter Wuille)
855e18d8a809b98a622ab55765792aca132ea640 Merge bench_ecdh into bench (Pieter Wuille)
2a7be678a660d58742b1e767444c0fe75fa22592 Combine bench_sign and bench_verify into single bench (Pieter Wuille)
5324f8942dd322448fae6c9b225ecac2854fa7e2 Make aux_rnd32==NULL behave identical to 0x0000..00. (Pieter Wuille)
2888640132eb64ed30a8a208931f27447c3e0366 VERIFY_CHECK precondition for secp256k1_fe_set_int. (Russell O'Connor)
d49011f54c2b31807158bdf06364f331558cccc7 Make _set_fe_int( . , 0 ) set magnitude to 0 (Tim Ruffing)
23e2f66726f930ac01d5075106aa16a4073442b4 bench: don't return 1 in have_flag() if argc = 1 (Jonas Nick)
96b1ad2ea9f9d9419e566b95162487c48902c3eb bench_ecmult: improve clarity of output (Jonas Nick)
b4b130678db31a7cabc2cde091bc4acbca92b7a3 create csv file from the benchmark output (siv2r)
26a255beb673217c839dcc51790d9a484f9a292d Shared benchmark format for command line and CSV outputs (siv2r)
044d95630556dda5492a70af056bc277f0b79ebc Fix G.y parity in sage code (Pieter Wuille)
b53e0cd61fce0bcef178f317537c91efc9afd04d Avoid overly-wide multiplications (Peter Dettman)
9be7b0f08340a063d961547b5d2663405f3fc162 Avoid computing out-of-bounds pointer. (Tim Ruffing)
bc08599e776aff33c834ef829843ec5f629d1f39 Remove OpenSSL testing support (Pieter Wuille)
db4667d5e0e13d1359991379df3400f64918b4e8 Make aux_rand32 arg to secp256k1_schnorrsig_sign const (Pieter Wuille)
189f6bcfef6578b89e21f937b24060f74bd18f00 Fix unused parameter warnings when building without VERIFY (Jonas Nick)
d43993724deb5fdc1d2162f7423f8e8398103dd5 tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify` (siv2r)
Pull request description:
[bitcoin-core/secp256k1#986]: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify`
[bitcoin-core/secp256k1#987]: Fix unused parameter warnings when building without VERIFY
[bitcoin-core/secp256k1#966]: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
[bitcoin-core/secp256k1#983]: [RFC] Remove OpenSSL testing support
[bitcoin-core/secp256k1#952]: Avoid computing out-of-bounds pointer.
[bitcoin-core/secp256k1#810]: Avoid overly-wide multiplications in 5x52 field mul/sqr
[bitcoin-core/secp256k1#996]: Fix G.y parity in sage code
[bitcoin-core/secp256k1#989]: Shared benchmark format for command line and CSV outputs
[bitcoin-core/secp256k1#999]: bench_ecmult: improve clarity of output
[bitcoin-core/secp256k1#943]: VERIFY_CHECK precondition for secp256k1_fe_set_int.
[bitcoin-core/secp256k1#1002]: Make aux_rnd32==NULL behave identical to 0x0000..00.
[bitcoin-core/secp256k1#991]: Merge all "external" benchmarks into a single bench binary
[bitcoin-core/secp256k1#1007]: doc: Replace apoelstra's GPG key by jonasnick's GPG key
[bitcoin-core/secp256k1#1009]: refactor: Use (int)&(int) in boolean context to avoid compiler warning
[bitcoin-core/secp256k1#1011]: ci: Enable -g if we set CFLAGS manually
[bitcoin-core/secp256k1#1012]: Fix typos
[bitcoin-core/secp256k1#1010]: doc: Minor fixes in safegcd_implementation.md
[bitcoin-core/secp256k1#1020]: doc: remove use of <0xa0> "no break space"
[bitcoin-core/secp256k1#1019]: build: don't append valgrind CPPFLAGS if not installed (macOS)
[bitcoin-core/secp256k1#1004]: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
[bitcoin-core/secp256k1#1025]: build: replace backtick command substitution with $()
[bitcoin-core/secp256k1#1008]: bench.c: add `--help` option and ci: move env variables
[bitcoin-core/secp256k1#1027]: build: Add a check that Valgrind actually supports a host platform
[bitcoin-core/secp256k1#1022]: build: Windows DLL additions
[bitcoin-core/secp256k1#920]: Test all ecmult functions with many j*2^i combinations
[bitcoin-core/secp256k1#942]: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
[bitcoin-core/secp256k1#988]: Make signing table fully static
[bitcoin-core/secp256k1#1042]: Follow-ups to making all tables fully static
[bitcoin-core/secp256k1#816]: Improve checks at top of _fe_negate methods
[bitcoin-core/secp256k1#1044]: Add another ecmult_multi test
[bitcoin-core/secp256k1#1030]: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
[bitcoin-core/secp256k1#1047]: ci: Various improvements
[bitcoin-core/secp256k1#1053]: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
[bitcoin-core/secp256k1#964]: Add release-process.md
[bitcoin-core/secp256k1#1052]: Use xoshiro256++ instead of RFC6979 for tests
[bitcoin-core/secp256k1#1054]: tests: Fix test whose result is implementation-defined
[bitcoin-core/secp256k1#1029]: Simpler and faster ecdh skew fixup
This PR can be recreated with `./contrib/sync-upstream.sh range a1102b12196ea27f44d6201de4d25926a2ae9640`.
ACKs for top commit:
apoelstra:
utACK b7ebe6436cd9ea6e91829589b2010c587a033c40
real-or-random:
ACK b7ebe6436cd9ea6e91829589b2010c587a033c40 diff looks good. tested on my machine, also on valgrind.
Tree-SHA512: 8b01347bbb9ac35cb93df628eaaf2a997fc8182046588bccc48a0623e9595d40cad2d46102a9c62c819ff77069331f344361138fd8ad0afc81bba9c1690bb541
e82144edfb7673d9a5eeb2b556d08be5223835ac Fixup skew before global Z fixup (Peter Dettman)
40b624c90bff7a40aa28c4d942b0382c300386b8 Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe16c426c082b8df401098c02db53c9a0 ECDH skews by 0 or 1 (Peter Dettman)
15150994333c872a20a1902aa01e1a60dbb1393d Simpler and faster ecdh skew fixup (Peter Dettman)
Pull request description:
This PR adds a `_gej_cmov` method, with accompanying tests, and uses it to simplify the skew fixup at the end of `_ecmult_const`.
In the existing code, `_wnaf_const` chooses a skew of either 1 or 2, and `_ecmult_const` needs a call to `_ge_set_gej` (which does an expensive field inversion internally) and some overly-complicated conversions to/from `_ge_storage` so that `_ge_storage_cmov` can be used to select what value to add for the fixup.
This PR uses a simpler scheme where `_wnaf_const` chooses a skew of 0 or 1 and no longer needs special handling for scalars with value negative one. A new `_gej_cmov` method is used at the end of `_ecmult_const` for const-time optional addition to adjust the final result for the skew. Finally, the skew fixup is moved to before the global-Z adjustment, and the precomputed table entries (for 1P, λ(1P)) are used for the skew fixup, saving a field multiply and ensuring the fixup is done on the same isomorphism as the ladder.
The resulting `_wnaf_const` and `_ecmult_const` are shorter and simpler, and the ECDH benchmark is around 5% faster (64bit, i7).
Edit: Updated description once the final scope was clear.
ACKs for top commit:
apoelstra:
ACK e82144ed
sipa:
ACK e82144edfb7673d9a5eeb2b556d08be5223835ac
real-or-random:
ACK e82144edfb7673d9a5eeb2b556d08be5223835ac
Tree-SHA512: 10d6770f4ef4f8d0c78abbf58d643f25f5daef68896643af0a3f7f877414e23356724b6f20af2027316a4353a35b8cb0a7851e057a3f6483897df02bf033a8a2
3d7cbafb5fd7f152fc47dc907af5df03150accc0 tests: Fix test whose result is implementation-defined (Tim Ruffing)
Pull request description:
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we restore the name of the function. It was mistakenly
renamed in 6173839c90553385171d560be8a17cbe167e3bef using
"search and replace".
ACKs for top commit:
robot-dreams:
ACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
sipa:
utACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
77a19750b46916b93bb6a08837c26f585bd940fa Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684ecca8f767f98ee0ace813103cc88ade secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
Pull request description:
Just some easy low-hanging fruit. It's complete overkill to use the RFC6979 RNG for our test randomness. Replace it with a modern non-cryptographic RNG with good properties. It's a few % speedup for me.
Given the internal naming of all these functions to be "testrand", I'm not concerned about the risk of someone using this for something that needs actual cryptographic randomness.
ACKs for top commit:
robot-dreams:
ACK 77a19750b46916b93bb6a08837c26f585bd940fa
real-or-random:
utACK 77a19750b46916b93bb6a08837c26f585bd940fa
Tree-SHA512: 2706f37689e037e84b5df25c98af924c0756e6d59f5f822b23aec5ba381b2d536e0848f134026e2568396427218f1c770f1bb07613d702efb23a84015dc9271d
3ed0d02bf7690c68ba3ba74da765614809352049 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8483ff4c5f34cfc3aeae794ca2c660d doc: add release_process.md (Jonas Nick)
0bd3e4243caa3c000e6afe3ea5533b97565557c4 build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4276779f115af5985508f54ef9e51be build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
Pull request description:
This is an attempt at a simple release process. Fixes#856. To keep it simple, there is no concept of release candidates for now.
The release version is determined by semantic versioning of the API. Since it does not seem to be a lot of work, it is proper to also version the ABI with the libtool versioning system. This versioning scheme (semver API, libtool versioning ABI) follows the suggestion in the [autotools mythbusters](https://autotools.io/libtool/version.html).
Experimental modules are a bit of a headache, as expected. This release process suggests to treat any change in experimental modules as backwards compatible. That way, users of stable modules are not bothered by frequent non-backwards compatible releases. But a downside is that one must not use experimental modules in shared libraries (which should be mentioned in the README?). It would be nice if we could make the schnorrsig module stable in the not too distant future (see also #817).
ACKs for top commit:
apoelstra:
utACK 3ed0d02bf7690c68ba3ba74da765614809352049
elichai:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
sipa:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
real-or-random:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
Tree-SHA512: 25a04335a9579e16de48d378b93a9c6a248529f67f7c436680fa2d495192132743ce016c547aa9718cdcc7fe932de31dd7594f49052e8bd85572a84264f2dbee
05e049b73c69002f498c3c9c21555fd91f95ccac ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
Pull request description:
Fixes#1035
**Changes:**
- move `secp256k1_ecmult_odd_multiples_table_globalz_windowa` function from ecmult to ecmult_const
- remove outdated comment
ACKs for top commit:
robot-dreams:
utACK 05e049b73c69002f498c3c9c21555fd91f95ccac (`diff` between removed and added lines is exactly as expected)
real-or-random:
utACK 05e049b73c69002f498c3c9c21555fd91f95ccac
Tree-SHA512: 3fad4e93c641b642e84f4bbafcb8083d3e63b0523009fe0edcb2c1ebe1571d822320451289c651403ed1dc033ec6a7a3e8c3c56ad93d81bb1590cf9ff15a3b34
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we improve the identity check such that it covers the
VERIFY struct members.
b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2 ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601aecf3c5a8affb5a4dce5612b298964 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e084334081fa53be81e75c064375f36 ci: Update brew on macOS (Tim Ruffing)
22382f0ea0e234242e248720b9d1d171cb2de0f8 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0e3fceb1cd2e882e1476c950cabc2e8 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3ce3ee8ca443ccad20915217ee74397 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
Pull request description:
ACKs for top commit:
elichai:
utACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
jonasnick:
ACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
Tree-SHA512: b283d7b1c72cf87484de1fe98318298698fe9982dc33389eaca62e92318ab0074c183b9799add274f46358032491fee875e5ffb2a76a47f3b07520b850f4c85e
1287786c7a97eff520ffbd6b0d8b2f99dbfc6371 doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589f61b0e0e9b58388ee3e0da8a2c3c3a doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
Pull request description:
When reviewing #816 I noticed the upper bounds in the comment at the top of `field_5x52_impl.h` were off by 1 (see `fe_verify`). This PR fixes the upper bounds and also cleans up the comment along the way.
ACKs for top commit:
real-or-random:
ACK 1287786c7a97eff520ffbd6b0d8b2f99dbfc6371
Tree-SHA512: 4b7dadc92451ab1ceb5a547a3101ff37f3ffd0645490563f1f3442ea8d6219f100ed914289d22435c4172d190fa1ff52e37e4464132bb3f9bbcc338488227f7b
22d25c8e0ab1d24f0f4a80fe016cbd71cd889866 Add another ecmult_multi test (Pieter Wuille)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 22d25c8e0ab1d24f0f4a80fe016cbd71cd889866
Tree-SHA512: e1394fa1708e65a66d4b324cca60dd49c67e37b23b7da2a3ff0db7a2a25c23976cb03b96a8c8584ee81aaec559feb84fb113dff2e2ebf89110ed466a4a6b158b
The preinstalled brew is very old and tries to download prebuilt bottles
from a server which is no longer available. Because that will fail, brew
falls back to building our dependencies (e.g., autotools) from source,
which takes very long.
This commit makes sure that brew is updated before we start the build.
We also need to remove the `--shallow` argument from `brew tap`. It
doesn't exist in recent brew versions.
515e7953cab4eb3be063fa3991e4e0663d3f04ae Improve checks at top of _fe_negate methods (Peter Dettman)
Pull request description:
In theory we could have a single static assertion that would ensure all of these are always true (for any magnitude up to the limit), but I think this small redundancy is clearer.
ACKs for top commit:
sipa:
utACK 515e7953cab4eb3be063fa3991e4e0663d3f04ae
real-or-random:
ACK 515e7953cab4eb3be063fa3991e4e0663d3f04ae bounds hold by inspection and by robot-dreams's script
Tree-SHA512: c33e47e186b37ca0b4e8d23712f8e5ab0c113024a0229fc6ce63b8cbad21bddbecc0c50029721a1fb3376b2d1da678c1ddb69c5ae971d84ddb7993c755867da4
ac1e36769dda3964f7294319ecb06fb5c414938d musig: turn off multiexponentiation for now (Jonas Nick)
3c79d97bd92ec22cc204ff5a08c9b0e5adda12e6 ci: increase timeout for macOS tasks (Jonas Nick)
22c88815c76e6edb23baf9401f820e1a944c3ecf musig: replace MuSig(1) with MuSig2 (Jonas Nick)
Pull request description:
The main commit comprises `905 insertions(+), 1253 deletions(-)`. The diff isn't as small as I had hoped, but that's mostly because it was possible to simplify the API quite substantially which required rewriting large parts. Sorry, almost all of the changes are in one big commit which makes the diff very hard to read. Perhaps best to re-review most parts from scratch.
A few key changes:
- Obviously no commitment round. No big session struct and no `verifier` sessions. No `signer` struct.
- There's a new `secnonce` struct that is the output of musig_nonce_gen and derived from a uniformly random session_id32. The derivation can be strengthened by adding whatever session parameters (combined_pk, msg) are available. The nonce function is my ad-hoc construction that allows for these optional inputs. Please have a look at that.
- The secnonce is made invalid after being used in partial_sign.
- Adaptor signatures basically work as before, according to https://github.com/ElementsProject/scriptless-scripts/pull/24 (with the exception that they operate on aggregate instead of partial sigs)
- To avoid making this PR overly complex I did not consider how this implementation interacts with nested-MuSig, sign-to-contract, and antiklepto.
- Testing should be close to complete. There's no reachable line or branch that isn't exercised by the tests.
- [x] ~In the current implementation when a signer sends an invalid nonce (i.e. some garbage that can't be mapped to a group element), it is ignored when combining nonces. Only after receiving the signers partial signature and running `partial_sig_verify` will we notice that the signer misbehaved. The reason for this is that 1) this makes the API simpler and 2) malicious peers don't gain any additional powers because they can always interrupt the protocol by refusing to sign. However, this is up for discussion.~ EDIT: this is not the case anymore since invalid nonces are rejected when they're parsed.
- [x] ~For every partial signature we verify we have to parse the pubnonce (two compressed points), despite having parsed it in `process_nonces` already. This is not great. `process_nonces` could optionally output the array of parsed pubnonces.~ EDIT: fixed by having a dedicated type for nonces.
- [x] ~I left `src/modules/musig/musig.md` unchanged for now. Perhaps we should merge it with the `musig-spec`~ EDIT: musig.md is updated
- [x] partial verification should use multiexp to compute `R1 + b*R2 + c*P`, but this can be done in a separate PR
- [x] renaming wishlist
- pre_session -> keyagg_cache (because there is no session anymore)
- pubkey_combine, nonce_combine, partial_sig_combine -> pubkey_agg, nonce_agg, partial_sig_agg (shorter, matches terminology in musig2)
- musig_session_init -> musig_start (shorter, simpler) or [musig_generate_nonce](https://github.com/ElementsProject/secp256k1-zkp/pull/131#discussion_r654190890) or musig_prepare
- musig_partial_signature to musig_partial_sig (shorter)
- [x] perhaps remove pubnonces and n_pubnonces argument from process_nonces (and then also add a opaque type for the combined nonce?)
- [x] write the `combined_pubkey` into the `pre_session` struct (as suggested [below](https://github.com/ElementsProject/secp256k1-zkp/pull/131#issuecomment-866904975): then 1) session_init and process_nonces don't need a combined_pk argument (and there can't be mix up between tweaked and untweaked keys) and 2) pubkey_tweak doesn't need an input_pubkey and the output_pubkey can be written directly into the pre_session (reducing frustration such as Replace MuSig(1) module with MuSig2 #131 (comment))
- [x] perhaps allow adapting both partial sigs (`partial_sig` struct) and aggregate partial sigs (64 raw bytes) as suggested [below](https://github.com/ElementsProject/secp256k1-zkp/pull/131#issuecomment-867281531).
Based on #120.
ACKs for top commit:
robot-dreams:
ACK ac1e36769dda3964f7294319ecb06fb5c414938d
real-or-random:
ACK ac1e36769dda3964f7294319ecb06fb5c414938d
Tree-SHA512: 916b42811aa5c00649cfb923d2002422c338106a6936a01253ba693015a242f21f7f7b4cce60d5ab5764a129926c6fd6676977c69c9e6e0aedc51b308ac6578d
e05da9e480de34129a170510a311abb204eefeb3 Fix c++ build (Pieter Wuille)
c45386d994b48f44009c139c7351a521261e8363 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen} (Pieter Wuille)
19d96e15f9b657483c42258568eb70874179d835 Split off .c file from precomputed_ecmult.h (Pieter Wuille)
1a6691adaead20ed55b5400fd4d36f91eb5a3686 Split off .c file from precomputed_ecmult_gen.h (Pieter Wuille)
bb36331412ed68999ac73c871d402e3b03f65700 Simplify precompute_ecmult_print_* (Pieter Wuille)
38cd84a0cb56e031fe43b47e9bdf60349ac9c0a7 Compute ecmult tables at runtime for tests_exhaustive (Pieter Wuille)
e458ec26d61619eafa9fc2b466c1a7b51f794b1f Move ecmult table computation code to separate file (Pieter Wuille)
fc1bf9f15fbe93cb0223c05ee8592ec9bc3070dd Split ecmult table computation and printing (Pieter Wuille)
31feab053b72bfd7ab05347ef7df81b381c92261 Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table (Pieter Wuille)
725370c3f21ad1327b76127784734ffab1f21f97 Rename ecmult_gen_prec -> ecmult_gen_compute_table (Pieter Wuille)
075252c1b7948522455c907ddc97b26f861288eb Rename ecmult_static_pre_g -> precomputed_ecmult (Pieter Wuille)
7cf47f72bc3c2f99e9ac6b050c78b0155a826f74 Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen (Pieter Wuille)
f95b8106d02f8dd4088609a38647033de217bb5a Rename gen_ecmult_static_pre_g -> precompute_ecmult (Pieter Wuille)
bae77685ebc3ae695e3a50e1c4dbe7aa936ae7a5 Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen (Pieter Wuille)
Pull request description:
This PR implements a number of changes to follow up after merging #988:
* Naming consistency:
* All precomputed table files now have name `precomputed_*.*`
* All source files related to the creation of the precomputed table files have name `precompute_*.*`.
* All source files related to the computation of tables (whether they go in precomputed files or not) have name `*_compute_table.*`.
* Make the tables for exhaustive tests be computed at runtime rather than compile time (this was already the case for ecmult_gen, but not ecmult). This is a preparation for the next point, as the alternative would be to have separate precomputed libraries for the exhaustive tests and other binaries.
* Moves the actual tables to separate `precomputed_*.c` files, which are compiled only once as part of a new `libsecp256k1_precomputed.la`, included where relevant. The corresponding `precomputed_*.h` file are normal source files.
Retry of #1041.
ACKs for top commit:
real-or-random:
ACK e05da9e480de34129a170510a311abb204eefeb3
jonasnick:
ACK e05da9e480de34129a170510a311abb204eefeb3
Tree-SHA512: 71eadd66e30e511b786e910755e0eda53330dfa163b37e33602c3392f7b893569f56d3ca9870e85cbb3de83880fc5aef61ac3d55d759d7395086a69023f13f03
