64 Commits

Author SHA1 Message Date
Tim Ruffing
e4a2f8e500 Move _preallocated functions to separate header 2019-03-05 13:23:13 +01:00
Jonas Nick
77d5b4ac7d Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures. 2019-02-06 11:27:37 +00:00
Andrew Poelstra
f0e4bb9283 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
[0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
2019-01-29 11:02:07 +00:00
Andrew Poelstra
0c17f7972a add surjection proof module
Includes fix and tests by Jonas Nick.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
c174f0c609 Implement ring-signature based whitelist delegation scheme 2018-12-14 20:25:51 +00:00
Pieter Wuille
f4620de040 Constant-time generator module 2018-12-14 20:25:51 +00:00
Gregory Maxwell
ae1e576f67 Pedersen commitments, borromean ring signatures, and ZK range proofs.
This commit adds three new cryptosystems to libsecp256k1:

Pedersen commitments are a system for making blinded commitments
 to a value.  Functionally they work like:
  commit_b,v = H(blind_b || value_v),
 except they are additively homorphic, e.g.
  C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and
  C(b1, v1) - C(b1, v1) = 0, etc.
 The commitments themselves are EC points, serialized as 33 bytes.
 In addition to the commit function this implementation includes
 utility functions for verifying that a set of commitments sums
 to zero, and for picking blinding factors that sum to zero.
 If the blinding factors are uniformly random, pedersen commitments
 have information theoretic privacy.

Borromean ring signatures are a novel efficient ring signature
 construction for AND/OR admissions policies (the code here implements
 an AND of ORs, each of any size).  This construction requires
 32 bytes of signature per pubkey used plus 32 bytes of constant
 overhead. With these you can construct signatures like "Given pubkeys
 A B C D E F G, the signer knows the discrete logs
 satisifying (A || B) & (C || D || E) & (F || G)".

ZK range proofs allow someone to prove a pedersen commitment is in
 a particular range (e.g. [0..2^64)) without revealing the specific
 value.  The construction here is based on the above borromean
 ring signature and uses a radix-4 encoding and other optimizations
 to maximize efficiency.  It also supports encoding proofs with a
 non-private base-10 exponent and minimum-value to allow trading
 off secrecy for size and speed (or just avoiding wasting space
 keeping data private that was already public due to external
 constraints).

A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of
 this can be used to communicate a private message to a receiver
 who shares a secret random seed with the prover.
2018-12-14 20:25:51 +00:00
Pieter Wuille
bc65aa794e Add bench_ecmult 2017-12-07 20:13:04 +00:00
Andrew Poelstra
548de42ecf add resizeable scratch space API
Alignment support by Pieter Wuille.
2017-12-07 20:13:04 +00:00
Andrew Poelstra
a724d7296d configure: add --enable-coverage to set options for coverage analysis 2016-11-28 03:29:01 +00:00
Andrew Poelstra
83836a9547 Add exhaustive tests for group arithmetic, signing, and ecmult on a small group
If you compile without ./configure --enable-exhaustive-tests=no,
this will create a binary ./exhaustive_tests which will execute
every function possible on a group of small order obtained by
moving to a twist of our curve and locating a generator of small
order.

Currently defaults to order 13, though by changing some #ifdefs
you can get a couple other ones. (Currently 199, which will take
forever to run, and 14, which won't work because it's composite.)

TODO exhaustive tests for the various modules
2016-11-26 00:35:00 +00:00
Andrew Poelstra
20b8877be1 Add exhaustive test for group functions on a low-order subgroup
We observe that when changing the b-value in the elliptic curve formula
`y^2 = x^3 + ax + b`, the group law is unchanged. Therefore our functions
for secp256k1 will be correct if and only if they are correct when applied
to the curve defined by `y^2 = x^3 + 4` defined over the same field. This
curve has a point P of order 199.

This commit adds a test which computes the subgroup generated by P and
exhaustively checks that addition of every pair of points gives the correct
result.

Unfortunately we cannot test const-time scalar multiplication by the same
mechanism. The reason is that these ecmult functions both compute a wNAF
representation of the scalar, and this representation is tied to the order
of the group.

Testing with the incomplete version of gej_add_ge (found in 5de4c5dff^)
shows that this detects the incompleteness when adding P - 106P, which
is exactly what we expected since 106 is a cube root of 1 mod 199.
2016-11-25 20:45:29 +00:00
Pieter Wuille
e06e878fd7 Remove Schnorr experiment 2016-11-17 18:55:06 -08:00
Andrew Poelstra
ac01378c87 build: add -DSECP256K1_BUILD to benchmark_internal build flags
gcc 6 will warn about our non-null checks when SECP256K1_BUILD
our NONNULL marker is nontrivial. This occurs unless SECP256K1_BUILD
is set, which we had forgotten to do for the internal benchmarks,
which compile directly against the library instead of linking.
2016-07-06 11:55:14 +00:00
Wladimir J. van der Laan
001f1763c7 ARM assembly implementation of field_10x26 inner
Rebased-by: Pieter Wuille <pieter.wuille@gmail.com>
2016-05-25 18:27:47 +02:00
GreenAddress
3093576aa4 JNI library
Squashed and rebased. Thanks to @theuni and @faizkhan00 for doing
the majority of work here! Also thanks to @btchip for help with debugging
and review.
2016-02-01 14:07:18 +01:00
Pieter Wuille
419bf7fd9d
Merge pull request #356
03d84a4 Benchmark against OpenSSL verification (Pieter Wuille)
2015-11-24 21:55:33 +01:00
ptschip
445f7f104c Fix for Windows compile issue
Change CPPFLAGS_FOR_BUILD path  (by paveljanik)
2015-11-16 16:40:12 -08:00
Pieter Wuille
03d84a427f Benchmark against OpenSSL verification 2015-11-15 15:47:49 +01:00
Andrew Poelstra
eed87af10a Change contrib/laxder from headers-only to files compilable as standalone C
Verified that both programs compile with

    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_privatekey_parsing.c
    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_parsing.c
2015-10-29 18:55:49 -05:00
Gregory Maxwell
4a243da47c Move secp256k1_ec_privkey_import/export to contrib.
These functions are intended for compatibility with legacy software,
 and are not normally needed in new secp256k1 applications.

They also do not obeying any particular standard (and likely cannot
 without without undermining their compatibility), and so are a
 better fit for contrib.
2015-10-22 22:57:33 +00:00
Pieter Wuille
fea19e7bb7 Add contrib/lax_der_parsing.h
This shows a snippet of code to do lax DER parsing, without obeying to any
particular standard.
2015-10-21 16:14:35 +02:00
Gregory Maxwell
213aa67397 Do not force benchmarks to be statically linked.
Libtool will do the right thing and use whatever is available
 based on --enable-shared/--enable-static.

This also means that some of the things we build actually
 test the dynamic library.
2015-09-29 19:03:51 +00:00
Cory Fields
6da1446dcf build: fix parallel build 2015-08-31 23:22:13 -04:00
Pieter Wuille
9f443be086 Move pubkey recovery code to separate module 2015-08-28 01:51:52 +02:00
Pieter Wuille
ff3a5dfc97
Merge pull request #284
e4ce393 build: fix hard-coded usage of "gen_context" (Cory Fields)
b8e39ac build: don't use BUILT_SOURCES for the static context header (Cory Fields)
2015-08-03 22:37:27 +02:00
Pieter Wuille
a5a66c70b6 Add support for custom EC-Schnorr-SHA256 signatures 2015-08-03 20:08:51 +02:00
Andrew Poelstra
0739bbb6f0 Add ECDH module which works by hashing the output of ecmult_const 2015-08-01 10:57:33 -05:00
Andrew Poelstra
4401500060 Add constant-time multiply secp256k1_ecmult_const for ECDH
Designed with clear separation of the wNAF conversion, precomputation
and exponentiation (since the precomp at least we will probably want
to separate in the API for users who reuse points a lot.

Future work:
  - actually separate precomp in the API
  - do multiexp rather than single exponentiation
2015-07-31 12:39:09 -05:00
Cory Fields
e4ce393683 build: fix hard-coded usage of "gen_context"
The binary needs an extension on some platforms.
2015-07-31 13:34:01 -04:00
Cory Fields
b8e39ac5e4 build: don't use BUILT_SOURCES for the static context header
BUILT_SOURCES simply forces the header to be built first.

Use real dependencies instead. This fixes builds with dependency tracking
disabled where a real target is specified.

As a bonus, this also fixes the issue of gen_context and the header not being
rebuilt when gen_context.c is touched.
2015-07-31 13:26:30 -04:00
Gregory Maxwell
c37812f54c Add gen_context src/ecmult_static_context.h to CLEANFILES to fix distclean. 2015-07-16 00:05:32 +00:00
Gregory Maxwell
76f67697ec Fix build with static ecmult altroot and make dist.
Gen_context was unable to find the required headers without some
 autotools fixups.  Make dist was also broken without the extra
 sources for the host side table builder utility.
2015-07-15 22:08:00 +00:00
Thomas Daede
fbecc38a89 Add ability to use a statically generated ecmult context.
This vastly shrinks the size of the context required for signing on devices with
memory-mapped Flash.

Tables are generated by the new gen_context tool into a header.
2015-07-13 18:00:03 -07:00
Pieter Wuille
039723d5da Benchmarks for all internal operations 2015-02-02 20:02:39 -08:00
Pieter Wuille
bbd5ba7cfa Use rfc6979 as default nonce generation function 2014-12-20 14:36:13 +01:00
Pieter Wuille
7277fd76e2 Remove GMP field implementation 2014-12-17 12:41:31 +01:00
Pieter Wuille
6558a26770 Make the benchmarks print out stats 2014-12-09 01:27:39 +01:00
Pieter Wuille
000bdf6dc3 Rename bench_verify to bench_recovery 2014-12-09 00:12:02 +01:00
Pieter Wuille
67935050e1 Convert YASM code into inline assembly 2014-12-04 13:54:01 +01:00
Cory Fields
e2274c58e6 build: osx: attempt to work with homebrew keg-only packages 2014-11-24 11:49:22 -05:00
Gregory Maxwell
861f9a59cc field_gmp's negate doesn't need to use the magnitude argument. 2014-11-13 01:45:56 -08:00
kiwigb
6fac238f03 Use same build template as bitcoin. Add bitcoin_secp.m4. 2014-11-07 01:55:27 +13:00
kiwigb
f9aac5b034 Remove INCLUDES. Obsolete, appears unused anyway. 2014-11-06 22:35:41 +13:00
Pieter Wuille
1d52a8b155 Implementations for scalar without data-dependent branches. 2014-11-04 03:01:55 -08:00
Peter Dettman
e2d66a2c62 Fix build for 64bit field under OSX
- caused by 8881212ebc
- OSX's ar tool doesn't work for empty archives ("ar: no archive members specified")
- introduce COMMON_LIB variable; leave empty when not using asm
2014-11-03 09:50:05 +07:00
Pieter Wuille
fa5c13ff4c Add bench_sign tool 2014-10-31 08:23:34 -07:00
Pieter Wuille
504c63d72a Rename bench to bench_verify 2014-10-31 03:34:36 -07:00
Pieter Wuille
81dc171604
Merge pull request #79
ae2679b Add bench_inv tool (Pieter Wuille)
2014-10-31 02:19:18 -07:00
Pieter Wuille
520ba3c921 Remove OpenSSL bignum implementation 2014-10-31 02:10:13 -07:00