37d36927dff793e61df6d6f6a6c50e8fa2519e33 tests: Add tests for _read_be32 and _write_be32 (Tim Ruffing)
616b43dd3b6949923f0752cd60382153cfd5dda9 util: Remove endianness detection (Tim Ruffing)
8d89b9e6e562000cdb91a70a85fae5e4817cec8a hash: Make code agnostic of endianness (Tim Ruffing)
Pull request description:
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
ACKs for top commit:
sipa:
utACK 37d36927dff793e61df6d6f6a6c50e8fa2519e33
robot-dreams:
ACK 37d36927dff793e61df6d6f6a6c50e8fa2519e33
Tree-SHA512: b03cec67756fb3c94ca8e7e06f974136050efd5065f392dba6eed4d0dbe61dbf93dad054627267225bac1bb302bb025f86588612ef7d4beeb834466686c70b8f
55512d30b7921bc46247a78be1da98108f243c1c doc: clean up module help text in configure.ac (Elliott Jin)
d9d94a9969785abbb3e04b2b9f75f1049c7b8936 doc: mention optional modules in README (Elliott Jin)
Pull request description:
ACKs for top commit:
real-or-random:
utACK 55512d30b7921bc46247a78be1da98108f243c1c
jonasnick:
ACK 55512d30b7921bc46247a78be1da98108f243c1c
Tree-SHA512: ae4ec355730983117c5e9a8a8abd17aaf42afe6f8f8f7474a551df6269a62094883e0827d2f3642e3ed6eb26cf71982c20f7ac27498cb4bd7e4aea57ec308d6a
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
7f09d0f311117289719b690f91f6a907c2c6f3e2 README: mention that ARM assembly is experimental (Jonas Nick)
80cf4eea5fa0162350614c08f2252a07f9d7804b build: stop treating schnorrsig, extrakeys modules as experimental (Jonas Nick)
Pull request description:
Fixes#992
ACKs for top commit:
real-or-random:
ACK 7f09d0f311117289719b690f91f6a907c2c6f3e2
fanquake:
ACK 7f09d0f311117289719b690f91f6a907c2c6f3e2 - When this is in, I think we'll do a subtree update in Core, and prune some build cruft on our side.
Tree-SHA512: 13deb82dcca88bacb2cd5c1c589a8d4af2277c4d675262337ae4d7e93eb41d43825dda4945ca1c202c36aaa2e6fd42de9c6d711fe8d71bce578368281db698b2
b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3153dc055e0e76101ed9e4607155870 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6ea2768f5355eb4617283086f756931 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da4457325c4be539838ceed21b31c60fbd Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606acb285cc7ef11662ce166ed67e9015 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
Pull request description:
Should be merged before #995 if we want this.
I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.
ACKs for top commit:
sipa:
utACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
jonasnick:
ACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
f8d9174357391ab4bf65a2f4d9d9cfb8039dc592 Add SHA256 bit counter tests (Tim Ruffing)
9b514ce1d25f1944c549ead30cc84367d616e0e6 Add test vector for very long SHA256 messages (Tim Ruffing)
8e3dde113741615fcb1aedcacfc54bd3b3d204f1 Simplify struct initializer for SHA256 padding (Tim Ruffing)
eb28464a8bf8652a2b49d2ed765801d7c0aa195d Change SHA256 byte counter from size_t to uint64_t (Tim Ruffing)
Pull request description:
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
This also simplifies the struct initializer for the padding.
Since missing elements are initialized with zeros, this change is
purely syntactical.
ACKs for top commit:
sipa:
utACK f8d9174357391ab4bf65a2f4d9d9cfb8039dc592
jonasnick:
ACK f8d9174357391ab4bf65a2f4d9d9cfb8039dc592
Tree-SHA512: 4fba64b255ef34bb144e4ac6d796798d620d6a7a0f3be409a46b98a8aedb129be19a6816b07caa4d1a3862a01769b42ce70240690fddc6231d591e6c06252750
eac0df13799e38a5f2d88b12348170bda276f952 musig: mention how keyagg_cache tweak and parity relate to spec (Jonas Nick)
57eb6b41671ccbd11f11a2bfb2a4467c78e85e67 musig-spec: move description of secret key negation to spec (Jonas Nick)
633d01add0f259abe638a9f2763685bbaecd527f musig-spec: add x-only and ordinary tweaking to musig (Jonas Nick)
aee0747e38c87a426145c2646e34e77b09b80801 musig-spec: add general description of tweaking (Jonas Nick)
fb060a0c4e36486fed4d1981b2314949b6a3fbb8 musig-spec: add Session Context to simplify sign/verify/sigagg (Jonas Nick)
3aec4332b59d496b24ecca42d076f96d36121908 musig-spec: move remarks on spec below specification section (Jonas Nick)
628d52c7186af72e9bd8fe4b89c1befdbaec2dfd musig-spec: fix title/abstract and make algo names bold (Jonas Nick)
5b760cc172ec288ac0b0069cb11ba54c73e01cb7 musig-spec: consistently call partial sigs psig (Jonas Nick)
f0edc9075539bddff2726065271c86fd7b480c9f musig: fix number of tweaks in tweak_test (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK eac0df13799e38a5f2d88b12348170bda276f952 -- I haven't checked all the indices etc, so this is more of a Concept ACK than a "pseudocode review ACK" but we we have the ACK by Brandon and this is anyway still a draft, so I think this is good to be merged.
Tree-SHA512: 9e16e7892e103205d96060158a7a6c01480d2b59300bbf9f0655b4d26586e632be8b8f656fe07c7ece1421ec91e0b387d6fcf363db7aedc0402d265b1d9df474
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
Besides reducing the number of arguments, this also removes the R argument from
PartialSigAgg which was not defined precisely:
* The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point
Moreover, this paves the way for adding the tweaking, which requires
PartialSigAgg to also have access to challenge e and can now be easily computed
from the Session Context.
We will need more of these explanations and it's better if they do not interfere
the specification section. The remarks section is intended for content that's
not required for implementing the spec.
_tagged_sha256 simply cannot have invalid inputs.
The other functions could in some sense have invalid inputs but only in
violation of the type system. For example, a pubkey could be invalid but
invalid objects of type secp256k1_pubkey either can't be obtained
via the API or will be caught by an ARG_CHECK when calling pubkey_load.
This is consistent with similar functions in the public API, e.g.,
_ec_pubkey_negate or _ec_pubkey_serialize.
21b2ebaf74222017f85123deb6f30a33c7678513 configure: Remove redundant pkg-config code (Tim Ruffing)
Pull request description:
This removes code that detects the pkg-config tool. We used this
back in the days when we had dependencies. ;) It can always be brought
back if we'll need it in the future.
Note that we still deliver a .pc file for this library, and there is
code in Makefile.am to install it. But this does not require the
pkg-config tool; only consumers of the .pc file will need it. This can
be verified by running `make install` (maybe after `mkdir /tmp/pre` and
`./configure --prefix=/tmp/pre` and checking that the .pc file is
installed correctly.
ACKs for top commit:
theuni:
ACK 21b2ebaf74222017f85123deb6f30a33c7678513.
fanquake:
ACK 21b2ebaf74222017f85123deb6f30a33c7678513
Tree-SHA512: 07affcd0e85f59d10479f279c832b1384208bead2fd152e0d1e3d99167dba4e14dbe87b0bc9c367f0f18da3d37f1d51de064689bff329ee5b01cacfe54e5ede7
This removes code that detects the pkg-config tool. We used this
back in the days when we had dependencies. ;) It can always be brought
back if we'll need it in the future.
Note that we still deliver a .pc file for this library, and there is
code in Makefile.am to install it. But this does not require the
pkg-config tool; only consumers of the .pc file will need it. This can
be verified by running `make install` (maybe after `mkdir /tmp/pre` and
`./configure --prefix=/tmp/pre` and checking that the .pc file is
installed correctly.
0d253d52e804a5affb0f1c851ec250071e7345d9 configure: Use modern way to set AR (Tim Ruffing)
Pull request description:
ACKs for top commit:
jb55:
tACK 0d253d52e804a5affb0f1c851ec250071e7345d9
hebasto:
ACK 0d253d52e804a5affb0f1c851ec250071e7345d9
jonasnick:
ACK 0d253d52e804a5affb0f1c851ec250071e7345d9
Tree-SHA512: c85a068b0b6cd0ae59c796d4493d50b1d92394b8620dd65affb5aaac889a41aa625408062f49fbed761217ab2bc35ec10942684a84487cb81becdadf5f2ae2af
This uses AM_PROG_AR to discover ar, which is the recommended way to do
so. Among other advantages, it honors the AR environment variable (as
set from the outside). The macro has been around since automake 1.11.2
(Dec 2011).
This commit also removes code that discovers ranlib and strip. ranlib
has been obsolete for decades (ar does its task now automatically), and
anyway LT_INIT takes care of discovering it. The code we used to set
STRIP was last mentioned in the automake 1.5 manual. Since automake 1.6
(Mar 2002), strip is discovered automatically when necessary (look for
the *private* macro AM_PROG_INSTALL_STRIP in the automake manual).
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.
```
h = hashlib.sha256()
for i in range(1_000_000):
h.update(b'a')
print(h.hexdigest())
```
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
7c9502cece9c9e8d811333f7ab5bb22f4eb01c04 Add a copy of the CC0 license to the examples (Elichai Turkel)
42e03432e6be7f0bf18c7f86130d3930bdf4038d Add usage examples to the readme (Elichai Turkel)
517644eab14ef397e1f0bc2b45f2dff8b1a473ec Optionally compile the examples in autotools, compile+run in travis (Elichai Turkel)
422a7cc86ae86496794c5014028ee249bbe0e072 Add a ecdh shared secret example (Elichai Turkel)
b0cfbcc14347ff6b04ff62a0d935638840a37971 Add a Schnorr signing and verifying example (Elichai Turkel)
fee7d4bf9e4ea316ea4ff3151bbe52bec1f0745c Add an ECDSA signing and verifying example (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 7c9502cece9c9e8d811333f7ab5bb22f4eb01c04
jonasnick:
ACK 7c9502cece9c9e8d811333f7ab5bb22f4eb01c04
Tree-SHA512: c475cfd5b324b1e2d7126aa5bb1e7da25183b50adb7357d464c140de83d9097cb1bdc027d09aeadf167dbf9c8afd123235b0a1a742c5795089862418fafa1964
e848c3799c4f31367c3ed98d17e3b7de504d4c6e Update sage files for new formulae (Peter Dettman)
d64bb5d4f3fbd48b570d847c9389b9cf8f3d9abc Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff8e64f8de3ae8ecfebeab1e84ca420e Further improve doubling formula using fe_half (Peter Dettman)
557b31fac36529948709d4bfcc00ad3acb7e83b9 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a424d9dee12a4e11f0479410b7e4cc930 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257eddc2d7614985be60bee29cf2bec65fb Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e112cd00f1e2867886bdc751a5d6606 Add _fe_half and use in _gej_add_ge (Peter Dettman)
Pull request description:
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
Gives around 2-3% faster signing and ECDH, depending on compiler/platform.
ACKs for top commit:
sipa:
utACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
jonasnick:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
real-or-random:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
Tree-SHA512: 81a6c93b3d983f1b48ec8e8b6f262ba914215045a95415147f41ee6e85296aa4d0cbbad9f370cdf475571447baad861d2cc8e0b04a71202d48959cb8a098f584
3531a43b5bc739838f5634afcfd02bdbef71b1ef ecdh: Make generator_basepoint test depend on global iteration count (Tim Ruffing)
c881dd49bdb865d9e455d504b90aebf77e807e85 ecdh: Add test computing shared_secret=basepoint with random inputs (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 3531a43b5bc739838f5634afcfd02bdbef71b1ef
Tree-SHA512: 5a2e47bad7ec5b3fd9033283fe00e54563b7b1655baf2b8ca39718deceddcc816bb8fcda0d07af6f1f8a785642da5dc69b7df52a1ddd445a3a98a5d5ecff6780
