Silence a compiler warning about an unitialized use of a scalar in case
the user tries to provide a 0-length list of commitments.
Also ensures that commitments have normalized field elements when they
are loaded into ges.
Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.
There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
5ac8fb035e8f0ad012d9f54b49e77b5d1f5e713a surjectionproof: make sure that n_used_pubkeys > 0 in generate (Jonas Nick)
Pull request description:
ACKs for top commit:
apoelstra:
utACK 5ac8fb035e8f0ad012d9f54b49e77b5d1f5e713a
Tree-SHA512: 915f7181e69e2c4e1f830d6c2620a2d9b0af4d2ae8a63709b489b01ed9e13ccfeeaedebd4680cf2d927cd473a6ae88602cf29e2fdd116cb597fba6c0ab77720d
If the proof was generated with surjectionproof_initialize (as mandated by the
API docs), then n_used_pubkeys can never be 0. Without this commit, compilers
will (rightfully) warn that borromean_s[ring_input_index] is not initialized in
surjectionproof_generate. Therefore, this commit makes sure that n_used_pubkeys
is greater than 0 which ensures that the array is initialized at
ring_input_index.
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3153dc055e0e76101ed9e4607155870 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6ea2768f5355eb4617283086f756931 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da4457325c4be539838ceed21b31c60fbd Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606acb285cc7ef11662ce166ed67e9015 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
Pull request description:
Should be merged before #995 if we want this.
I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.
ACKs for top commit:
sipa:
utACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
jonasnick:
ACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.
```
h = hashlib.sha256()
for i in range(1_000_000):
h.update(b'a')
print(h.hexdigest())
```
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
e848c3799c4f31367c3ed98d17e3b7de504d4c6e Update sage files for new formulae (Peter Dettman)
d64bb5d4f3fbd48b570d847c9389b9cf8f3d9abc Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff8e64f8de3ae8ecfebeab1e84ca420e Further improve doubling formula using fe_half (Peter Dettman)
557b31fac36529948709d4bfcc00ad3acb7e83b9 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a424d9dee12a4e11f0479410b7e4cc930 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257eddc2d7614985be60bee29cf2bec65fb Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e112cd00f1e2867886bdc751a5d6606 Add _fe_half and use in _gej_add_ge (Peter Dettman)
Pull request description:
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
Gives around 2-3% faster signing and ECDH, depending on compiler/platform.
ACKs for top commit:
sipa:
utACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
jonasnick:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
real-or-random:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
Tree-SHA512: 81a6c93b3d983f1b48ec8e8b6f262ba914215045a95415147f41ee6e85296aa4d0cbbad9f370cdf475571447baad861d2cc8e0b04a71202d48959cb8a098f584
b797a500ec194948eecbea8bd80f6b7d455f7ca2 Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc30fcf019af08a41f7b6f329a08eaa0c Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f3419d090e94b0c0897895c5b2b9fdc244 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0401bf5be7c4312d84d17fc789a6566 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0ae054cf0a1d6407c2dcf7445a46935 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6eedac86bda40f062daee7d5f4241d25c Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922b4c1439888b8488b307cd0f0e8ec59 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db69b5db44d282225ab4fea788af8035 Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad125e830901f0ed6ad65eb4f9ccb81f4 Move secp256k1_fe_one to field.h (Russell O'Connor)
Pull request description:
ACKs for top commit:
sipa:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
jonasnick:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
Tree-SHA512: 6742469979c306104a0861be76c2be86bf8ab14116b00afbd24f91b9e3ea843bf9b9a74552b367bd06ee617090019ad4df6be037d58937c8c869f8b37ddaa6cc
69b392f3cbd4dbff953ec8f2ff44f6a8f612b661 musig: move explanation for aggnonce=inf to spec (Jonas Nick)
4824220bb71102064babf832372f4e5ae43ef16f musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} (Jonas Nick)
3c122d07807dfaea6457d8a48ba4adc7a15f1182 musig-spec: improve definition of lift_x (Jonas Nick)
e0bb2d7009eebe2b25dfe977fe3534ad507251ab musig-spec: improve KeyAgg description (Jonas Nick)
b8f4e75d89071515231be03727d47a34b1c12cab musig-spec: move to doc directory (Jonas Nick)
Pull request description:
Will wait before adding tweaking until #151 is merged.
ACKs for top commit:
robot-dreams:
ACK 69b392f3cbd4dbff953ec8f2ff44f6a8f612b661 based on:
real-or-random:
ACK 69b392f3cb I haven't looked at every detail but it's certainly ready to be merged as draft spec
Tree-SHA512: e3aa0265a9d7a7648e03ca42575397100edd5af43f0224937af51aa5c77efc451d7938149bdc711f69e24fb9291438453b8cd762affaa1a2e7bcc89f121485df
