This introduces variants of the divsteps-based GCD algorithm used for
modular inverses to compute Jacobi symbols. Changes compared to
the normal vartime divsteps:
* Only positive matrices are used, guaranteeing that f and g remain
positive.
* An additional jac variable is updated to track sign changes during
matrix computation.
* There is (so far) no proof that this algorithm terminates within
reasonable amount of time for every input, but experimentally it
appears to almost always need less than 900 iterations. To account
for that, only a bounded number of iterations is performed (1500),
after which failure is returned. In VERIFY mode a lower iteration
count is used to make sure that callers exercise their fallback.
* The algorithm converges to f=g=gcd(f0,g0) rather than g=0. To keep
this test simple, the end condition is f=1, which won't be reached
if started with non-coprime or g=0 inputs. Because of that we only
support coprime non-zero inputs.
d21647520532957a78027be1ab606b814a2ec720 test secp256k1_i128_to_i64 (Russell O'Connor)
4bc429019dc4bff6af0f9824ad6ab6745f09f8ba Add a secp256k1_i128_to_u64 function. (Russell O'Connor)
Pull request description:
I wanted to experiment with what would be required to split up `secp256k1_i128_to_i64` between those cases when a signed 64 bit value is being demoted, versus an unsigned 64 bit value is being extracted from the lower bits, and this is the result.
I'm not sure this is a useful PR, so feel free to close it. However, since it is already written, I figured it is worth at least discussing.
ACKs for top commit:
sipa:
utACK d21647520532957a78027be1ab606b814a2ec720
real-or-random:
ACK d21647520532957a78027be1ab606b814a2ec720
Tree-SHA512: 41dbb1d33b3078bee8e71a838cfad6f1859c0bba602ae061259add8e9e8ea5aa482daa41de79dbd7433ddbef4a0bc52757f3c45d63acc9c0eb05aa3ca891b922
This change eases the use of alternate build systems by moving
the variables in `src/libsecp256k1-config.h` to compiler macros
for each invocation, preventing duplication of these variables
for each build system.
Co-authored-by: Ali Sherief <ali@notatether.com>
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.
```
h = hashlib.sha256()
for i in range(1_000_000):
h.update(b'a')
print(h.hexdigest())
```
070e772211b3fcd297577b90b56bbf7a5cfbd0a3 Faster fixed-input ecmult tests (Pieter Wuille)
Pull request description:
Given how much #920 slowed down the tests with low iteration count, replace it with 3 different similar test:
* count >= 1: a test with 1024 multiplies that tests any pattern of 6 bits in windows not more than 20 bits wide
* count >= 3: a test with 2048 multiplies that tests any pattern of 8 consecutive bits
* count >= 35: the old test (which effectively tests all 2-bit patterns)
ACKs for top commit:
robot-dreams:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3, the addition of the `CONDITIONAL_TEST` macro is nice.
real-or-random:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3
Tree-SHA512: b4ccca42c71fcd1baa7143f73d1c3ac9d012c296485164a03341dbeee02e4ba9f7c7ad6b441923a5fe0286c97eff60815033adb4e1d30b3ef08bcb79590327ff
3d7cbafb5fd7f152fc47dc907af5df03150accc0 tests: Fix test whose result is implementation-defined (Tim Ruffing)
Pull request description:
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we restore the name of the function. It was mistakenly
renamed in 6173839c90553385171d560be8a17cbe167e3bef using
"search and replace".
ACKs for top commit:
robot-dreams:
ACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
sipa:
utACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we improve the identity check such that it covers the
VERIFY struct members.
7dfceceea692c4118829c06128c41623b2373ac2 build: Remove #undef hack for ASM in the precomputation programs (Tim Ruffing)
bb36fe9be0998c81ebc9f18e122bb7617d919877 ci: Test `make precomp` (Tim Ruffing)
d94a37a20c3b5b44f1bcf60d309ffc50727e18e4 build: Remove CC_FOR_BUILD stuff (Tim Ruffing)
ad63bb4c296e6007dab22cda05fd599b20139362 build: Prebuild and distribute ecmult_gen table (Tim Ruffing)
ac49361ed0a342e01eafb1410c5b43e1214efaac prealloc: Get rid of manual memory management for prealloc contexts (Tim Ruffing)
6573c08f656f8ec305a2db801d57bfe6441e83e0 ecmult_gen: Tidy precomputed file and save space (Tim Ruffing)
5eba83f17c5aa1cf3698bb057a4b3ee35f3b6c30 ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS (Tim Ruffing)
fdb33dd1227f935ca95c7f8bd9429f42e18a870e refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table (Tim Ruffing)
a4875e30a631d67b77b41f37fc3bf06ffb8ff11f refactor: Move default callbacks to util.h (Tim Ruffing)
4c94c55bce9e1fae8fd2e8993726c8ec74cc0f7d doc: Remove obsolete hint for valgrind stack size (Tim Ruffing)
5106226991117da78f85ca88b7ea66c2ac8fe0b3 exhaustive_tests: Fix with ecmult_gen table with custom generator (Tim Ruffing)
e1a76530db40b8aa8953717d9f984b6bdf845308 refactor: Make generator a parameter of ecmult_gen_create_prec_table (Tim Ruffing)
9ad09f6911906a1fa9af2c5540a8004e44f3ccc6 refactor: Rename program that generates static ecmult_gen table (Tim Ruffing)
8ae18f1ab3dce4c487bab75c2f0cdf4fe311b318 refactor: Rename file that contains static ecmult_gen table (Tim Ruffing)
00d2fa116ed7a8c2d049723aca8d8b6d1c49f6a8 ecmult_gen: Make code consistent with comment (Tim Ruffing)
3b0c2185eab0fe5cb910fffee4c88e134f6d3cad ecmult_gen: Simplify ecmult_gen context after making table static (Tim Ruffing)
e43ba02cfc836dba48c8c9a483e79b7589ce9ae1 refactor: Decouple table generation and ecmult_gen context (Tim Ruffing)
22dc2c0a0dc3b321e72253f492cfa8bcbf00169b ecmult_gen: Move table creation to new file and force static prec (Tim Ruffing)
Pull request description:
This resolves#893, resolves#692 (and also resolvesbitcoin/bitcoin#22854).
- [x] Extract table generation to separate function in separate file (to be used by generation script and exhaustive tests)
- [x] Tidy up
- [x] Remove code that deals with non-static tables
- [x] Make functions that need ecmult_gen not depend on signing context
- [x] Rename stuff to make it fit the new structure and consistent with how we hande verification tables (#956)
- [x] Fix exhaustive tests
- [x] Make table generation function take generator as input
- [x] Overwrite the static tables with a table with custom generator in exhaustive tests
- [x] Overhaul script that generates table files
- [x] Make table generation function take PREC_BITS as input (I have some code already, just not yet in this branch)
- [x] Change generation script to generate three tables (for all three values of ECMULT_GEN_PREC_BITS)
- [x] Ship pre-built tables
- [x] Add pregenerated table file to repo
- [x] Remove generation of table file from build process (like in #956)
- [x] Remove left-over stuff (e.g., detecting a compiler running on the build machine) from build system
- [x] Final cleanups (copyright headers, commit, messages, etc.)
- [ ] (separate PR:) Make sure link-time optimization remove corresponding static tables (and code) when no signing/verifcation function is called
- [ ] (separate PR:) Compile precomputation as a separate object file and link it (https://github.com/bitcoin-core/secp256k1/pull/988#issuecomment-977813538)
- [ ] (separate PR:) Document the backwards-compatible API changes made in this PR and in #956.
- [ ] Maybe deprecate the static context
ACKs for top commit:
sipa:
ACK 7dfceceea692c4118829c06128c41623b2373ac2
robot-dreams:
ACK 7dfceceea692c4118829c06128c41623b2373ac2 (based on range-diff between 56284c7d44c0ed46e636588bfbf6c403b7dfa6c1 and 7dfceceea692c4118829c06128c41623b2373ac2)
Tree-SHA512: 6efb3f36f05efe3b79bbd877881fe1409f71fd6488d24c811b2e77d9f053bed78670dd1dcbb42ad780458a51c4ffa36de9cd6567271b22041dc7a122ceb677c5
This is a backwards-compatible API change: Before this commit, a context
initialized for signing was required to call functions that rely on
ecmult_gen. After this commit, this is no longer necessary because the
static ecmult_gen table is always present. In practice this means that
the corresponding functions will just work instead of calling the
illegal callback when given a context which is not (officially)
initialized for signing.
This is in line with 6815761, which made the analogous change with
respect to ecmult and contexts initialized for signing. But as opposed
to 681571, which removed the ecmult context entirely, we cannot remove
the ecmult_gen context entirely because it is still used for random
blinding. Moreover, since the secp256k1_context_no_precomp context is
const and cannot meaningfully support random blinding, we refrain (for
now) from changing its API, i.e., the illegal callback will still be
called when trying to use ecmult_gen operations with the static
secp256k1_context_no_precomp context.
