In the field 5x52 asm for x86_64, stack variables are provided as outputs.
The existing inputs are all forcibly allocated to registers, so cannot
coincide, but mark them as early clobber anyway to make this clearer.
In the existing code, the compiler is allowed to allocate the RSI register
for outputs m0, m1, or m2, which are written to before the input in RSI is
read from. Fix this by marking them as early clobber.
Reported by ehoffman2 in https://github.com/bitcoin-core/secp256k1/issues/766
- secp256k1_scalar_cadd_bit
- secp256k1_modinvXX_normalize_YY
- secp256k1_modinvXX_divsteps_ZZ
- ECMULT_CONST_TABLE_GET_GE
Even though those code loations are not problematic right now
(with current compilers).
f3126fdfec7c4dbfab3acf01714325b027110aff norm arg: remove prove edge tests which are now covered by vectors (Jonas Nick)
847ed9ecb2233f1e233fae1791b5adcdeb3be52b norm arg: add verification to prove vectors (Jonas Nick)
cf797ed2a4ccc7422de2f4081a6d6bcf536d72c8 norm arg: add prove test vectors (Jonas Nick)
095c1e749c106285e8252d6490073974dd4d8fcc norm arg: add prove_const to tests (Jonas Nick)
bf7bf8a64fa7a7256ad64f75ae0bcb9fccbd0ea4 norm arg: split norm_arg_zero into prove_edge and verify_zero_len (Jonas Nick)
a70c4d4a8a6970f8e299de541cc75f2fc2e39e76 norm arg: add test vector for |n| = 0 (Jonas Nick)
f5e4b16f0f96ae871d221900673f426e9c9ce85e norm arg: add test vector for sign bit malleability (Jonas Nick)
c0de361fc53dbfb0b058895f4824eba4d423e191 norm arg: allow X and R to be the point at infinity (Jonas Nick)
f22834f20252f9ca3e17f36093940e2aa2735790 norm arg: add verify vector for n = [0], l = [0] (Jonas Nick)
d8e7f3763bac9e52d07643a01c8352cadded64d2 musig: move ge_{serialize,parse}_ext to module-independent file (Jonas Nick)
Pull request description:
ACKs for top commit:
Liam-Eagen:
ACK f3126fd
Tree-SHA512: 1aad86521fce74435beabe7690c7fcc38ad9ae7a884ddcab69ef825b573433f700723a7672d29df1b4465bc33d5957b6a46f657f988cfd2cc73fa94a3472357d
Apparently clang 15 is able to compile our cmov code into a branch,
at least for fe_cmov and fe_storage_cmov. This commit makes the
condition volatile in all cmov implementations (except ge but that
one only calls into the fe impls).
This is just a quick fix. We should still look into other methods,
e.g., asm and #457. We should also consider not caring about
constant-time in scalar_low_impl.h
We should also consider testing on very new compilers in nightly CI,
see https://github.com/bitcoin-core/secp256k1/pull/864#issuecomment-769211867
b43dd83b43eac0ca8ad9ee1f557e9126c9e08d9e musig: add missing static keyword to function (Jonas Nick)
068e6a036a953e48bc90f9a96b318e350f474a3a musig: add test vectors from BIP MuSig (Jonas Nick)
36621d13bedf44eeedd2a1773e30e849972e5bff musig: update to BIP v1.0.0-rc.2 "Add ''pk'' arg to ''NonceGen''" (Jonas Nick)
d717a4980bc3e2e36bd32a02466226ef49a5d625 musig: update to BIP v0.8 "Switch from X-only to plain pk inputs." (Jonas Nick)
304f1bc96d6bdb5c1b5b1b9a321eac8f9a27fde4 extrakeys: add pubkey_sort test vectors from BIP MuSig2 (Jonas Nick)
ae89051547435cab5042a13d85562def9cabdd61 extrakeys: replace xonly_sort with pubkey_sort (Jonas Nick)
98242fcdd9519d0d5a349b0344aeea0ab4e796e9 extrakeys: add secp256k1_pubkey_cmp (Jonas Nick)
73d5b6654d472eb0cebbffd5a934caf174d29307 musig: update to BIP v0.7.0 (NonceGen) (Jonas Nick)
060887e9d749062242b4de3935b27fdcb0802c87 musig: update to BIP v0.5.1 "Rename ordinary tweaking to plain" (Jonas Nick)
cbe2815633411479e8305deb8b69bce94df723af musig: update to BIP v0.4 "Allow the output of NonceAgg to be inf" (Jonas Nick)
206017d67d9bb8b21d5cc924ba53e1618274774c musig: update to BIP v0.3 (NonceGen) (Jonas Nick)
d800dd55db28a710bb510a2a5fc33519d355a91c musig: remove test vectors (Jonas Nick)
Pull request description:
Version 1.0.0-rc.3 of BIP MuSig2 can be found [here](https://github.com/jonasnick/bips/pull/75). This PR does _not_ implement the following optional features that have been added to BIP MuSig2:
- variable length messages
- deterministic signing
- identifiable aborts
The PR also does _not_ yet change the `secnonce` structure to also contain the signer's public key (which would also imply changing the seckey argument in `sign` to a keypair). Additionally, we may want to rename some things in the future to be more consistent with the BIP (e.g. keyagg_cache vs. keyagg_ctx, applytweak vs. tweak_add).
ACKs for top commit:
ariard:
Light Code Review ACK b43dd83b, mostly looks on how the user API will make sense for Lightning, thanks for the answers!
real-or-random:
ACK b43dd83b43eac0ca8ad9ee1f557e9126c9e08d9e
Tree-SHA512: 9b1410951b55a1b0e6590b8c302052996d1fb6d9771765498b4282ff68b44ab0d6add8144c9330217b682ec5a93508b5546099db9a1f2c865f99253010dd76f4
- 0.7.0: Change ''NonceGen'' such that output when message is not present is different from when message is present but has length 0.
- 0.6.0: Change order of arguments and serialization of the message in the ''NonceGen'' hash function