bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae456c7ae60e92ddc354071f21fb6aa62 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722ac93ca66d1beb0d2f2d2469b95aafea Add invariant checking to group elements (Pieter Wuille)
a18821d5b1d44db0e7c8335f338cc9876bec98cb Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90acd9d61c5b38e862877fdeacaff74a50 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4da3788758bb3fdae66c7ae262dbf224 Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q, infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
real-or-random:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19
Infinity isn't currently needed here, but correctly handling it is a
little more safe against future changes.
Update docs for it to make it clear that it is not constant time in A
(the input point). It never was constant time in Q (and would be a little
complicated to make constant time in A).
If it was later made constant time in A, infinity support would be easy
to preserve, e.g. by running it on a dummy value and cmoving infinity into
the output.
2e65f1fdbcc87e2ef8c0baf4abc8ee0f56daf7fe Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
Pull request description:
The existing bench.c code defines a `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one.
ACKs for top commit:
stratospher:
ACK 2e65f1f.
real-or-random:
utACK 2e65f1fdbc
Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814
f3126fdfec7c4dbfab3acf01714325b027110aff norm arg: remove prove edge tests which are now covered by vectors (Jonas Nick)
847ed9ecb2233f1e233fae1791b5adcdeb3be52b norm arg: add verification to prove vectors (Jonas Nick)
cf797ed2a4ccc7422de2f4081a6d6bcf536d72c8 norm arg: add prove test vectors (Jonas Nick)
095c1e749c106285e8252d6490073974dd4d8fcc norm arg: add prove_const to tests (Jonas Nick)
bf7bf8a64fa7a7256ad64f75ae0bcb9fccbd0ea4 norm arg: split norm_arg_zero into prove_edge and verify_zero_len (Jonas Nick)
a70c4d4a8a6970f8e299de541cc75f2fc2e39e76 norm arg: add test vector for |n| = 0 (Jonas Nick)
f5e4b16f0f96ae871d221900673f426e9c9ce85e norm arg: add test vector for sign bit malleability (Jonas Nick)
c0de361fc53dbfb0b058895f4824eba4d423e191 norm arg: allow X and R to be the point at infinity (Jonas Nick)
f22834f20252f9ca3e17f36093940e2aa2735790 norm arg: add verify vector for n = [0], l = [0] (Jonas Nick)
d8e7f3763bac9e52d07643a01c8352cadded64d2 musig: move ge_{serialize,parse}_ext to module-independent file (Jonas Nick)
Pull request description:
ACKs for top commit:
Liam-Eagen:
ACK f3126fd
Tree-SHA512: 1aad86521fce74435beabe7690c7fcc38ad9ae7a884ddcab69ef825b573433f700723a7672d29df1b4465bc33d5957b6a46f657f988cfd2cc73fa94a3472357d
For the sake of completeness, add the missing descriptions for the
return value and parameters (`ctx`, `sig64`, `keypair`), in the same
wording/style as for the function `secp256k1_schnorrsig_sign32`.
bef448f9af248dba016883401de07b431f3e686e cmake: Fix library ABI versioning (Hennadii Stepanov)
Pull request description:
This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.
To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`:
- incrementing of `*_LIB_VERSION_CURRENT`
- setting `*_LIB_VERSION_REVISION` to zero
- incrementing of `*_LIB_VERSION_AGE`
ACKs for top commit:
real-or-random:
ACK bef448f9af248dba016883401de07b431f3e686e diff looks good and I tested on Linux
Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5
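As an added illustration (not code from the PR or the repository), the shell functions below apply libtool's Linux naming rule, lib<name>.so.(CURRENT-AGE).AGE.REVISION, which the CMake emulation has to reproduce, and run the PR's test scenario on constructed version numbers (2:0:0, not the project's real values) to show that a backward-compatible release keeps the SONAME major.

```shell
# Libtool -version-info CURRENT:REVISION:AGE -> Linux shared-object names.
# Added example, not from libsecp256k1: it shows the mapping the CMake
# change has to agree with, and that a backward-compatible release
# (CURRENT+1, REVISION=0, AGE+1) leaves the SOVERSION unchanged.

# libtool_so_version CURRENT REVISION AGE -> "MAJOR.MINOR.PATCH"
# On Linux libtool names the file lib<name>.so.$((CURRENT-AGE)).$AGE.$REVISION
libtool_so_version() {
    current=$1; revision=$2; age=$3
    # libtool refuses AGE > CURRENT (more interfaces removed than ever existed)
    [ "$age" -le "$current" ] || return 1
    echo "$((current - age)).$age.$revision"
}

# libtool_soversion CURRENT REVISION AGE -> MAJOR only (the SONAME suffix)
libtool_soversion() {
    [ "$3" -le "$1" ] || return 1
    echo "$(($1 - $3))"
}

# compatible_release CURRENT REVISION AGE -> the triple after a release that
# adds API without breaking the old one, exactly the scenario the PR
# description says to simulate in configure.ac and CMakeLists.txt.
compatible_release() {
    echo "$(($1 + 1)) 0 $(($3 + 1))"
}

# Worked run on constructed values (2:0:0); "libfoo" is a placeholder name.
before="2 0 0"
after=$(compatible_release $before)
echo "before: libfoo.so.$(libtool_so_version $before)  soversion=$(libtool_soversion $before)"
echo "after:  libfoo.so.$(libtool_so_version $after)  soversion=$(libtool_soversion $after)"
```

If the CMake side computes a different triple for the same CURRENT:REVISION:AGE than these functions, the two build systems would ship differently named (and differently linked) shared objects.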
An executable target in the `COMMAND` option will automatically be
replaced by the location of the executable created at build time.
This change fixes tests for Windows binaries using Wine.