Previous behaviour would not initialize r->y values in the case where infinity is passed in.
Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity.
c8483520c9 Makefile.am: Don't pass a variable twice (Tim Ruffing)
2161f31785 Makefile.am: Honor config when building gen_context (Tim Ruffing)
99f47c20ec gen_context: Don't use external ASM because it complicates the build (Tim Ruffing)
Pull request description:
Obsoletes #935.
ACKs for top commit:
gmaxwell:
ACK c8483520c9 looks good and works here. Undefign is kinda yuck, but it is already doing it and it's cleaner than the obvious alternatives.
sipa:
utACK c8483520c9. I verified that building still works on ARM64, but without asm of course.
Tree-SHA512: fc5500688b2aecc4238e21c32f65559bcbfd1e83d1ae4d2c8e15573e94613667731064d8b5f2b9e4209016d88118263802ff4b9a73c1f37c224ccf2a4a1d6536
This passes $(DEFS) (which should literally be "-DHAVE_CONFIG_H") to the
compiler when building gen_context.
This has currently no effect because gen_context.c does not check for
this macro but it's conceivable that it may do so in the future.
99e2d5be0d Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. (Gregory Maxwell)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 99e2d5be0d
jonasnick:
utACK 99e2d5be0d
Tree-SHA512: f3f9cfcd62830d7accca74dfce40abb091dec0990a66bad5d2a9599f2533121d8d1422499d511512bfb8d7c57da96e29e012dbc210e2e97ad55ad18de0869735
ae9e648526 Define SECP256K1_BUILD in secp256k1.c directly. (Gregory Maxwell)
Pull request description:
This avoids building without it and makes it safer to use a custom
building environment. Test harnesses need to #include secp256k1.c
first now.
Fixes#927
ACKs for top commit:
sipa:
utACK ae9e648526
real-or-random:
ACK ae9e648526
Tree-SHA512: 65ccc15c18f111ba926db1bb25f06c2beb2997c6f42c6d3ebc371ca84f4b5918379efd25c30556cedfd2e4275758bd79d733e80a11159c6ec013dd4707a683ad
This makes a difference with mingw builds on Wine, where the subsequent
fread() may abort early in the default text mode.
The Microsoft C docs say:
"In text mode, CTRL+Z is interpreted as an EOF character on input."
The same file says that the illegal callback will only triger for violations
explicitly mentioned, which is not true without this commit because we often
don't mention that an argument is not allowed to be NULL.
be0609fd54 Add unit tests for edge cases with delta=1/2 variant of divsteps (Pieter Wuille)
cd393ce228 Optimization: only do 59 hddivsteps per iteration instead of 62 (Pieter Wuille)
277b224b6a Use modified divsteps with initial delta=1/2 for constant-time (Pieter Wuille)
376ca366db Fix typo in explanation (Pieter Wuille)
Pull request description:
This updates the divsteps-based modular inverse code to use the modified version which starts with delta=1/2. For variable time, the delta=1 variant is still used as it appears to be faster.
See https://github.com/sipa/safegcd-bounds/tree/master/coq and https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348 for a proof of correctness of this variant.
TODO:
* [x] Update unit tests to include edge cases specific to this variant
I'm still running the Coq proof verification for the 590 bound in non-native mode. It's unclear how long this will take.
ACKs for top commit:
gmaxwell:
ACK be0609fd54
sanket1729:
crACK be0609fd54
real-or-random:
ACK be0609fd54 careful code review and some testing
Tree-SHA512: 2f8f400ba3ac8dbd08622d564c3b3e5ff30768bd0eb559f2c4279c6c813e17cdde71b1c16f05742c5657b5238b4d592b48306f9f47d7dbdb57907e58dd99b47a
Before this commit, gen_context.c both included libsecp256k1-config.h
and basic-config.h: The former only to obtain ECMULT_GEN_PREC_BITS
and the latter to obtain a basic working configuration to be able to
use the library.
This was inelegant and confusing: It meant that basic-config.h needs
to #undef all the macros defined in libsecp256k1-config.h. Moreover,
it meant that basic-config.h cannot define ECMULT_GEN_PREC_BITS,
essentially making this file specific for use in gen_context.c.
After this commit, gen_context.c include only libsecp256k1-config.h.
basic-config.h is not necessary anymore for the modules used in
gen_context.c because 79f1f7a made the preprocessor detect all the
relevant config options.
On the way, we remove an unused #define in basic-config.h.
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent
delta. This variant only needs at most 590 iterations for 256-bit
inputs rather than 724 (by convex hull bounds analysis).
cc82ad5ab7 Make function argument name consistent with doc (Sanket Kanjalkar)
Pull request description:
ACKs for top commit:
real-or-random:
ACK cc82ad5ab7
Tree-SHA512: ef0f4ee36452dc98fa39677c567313a35b067926c76a8e5c33ae5260d1c672d872a4be1c5ebfbdb3e75d0c70ed1bb7f3dcbc592b932cef8af38cdcd154784a98
This commit adds test coverage including Cirrus scripts, Valgrind
constant time tests for secret data, API tests, nonce function tests,
and test vectors from the spec.
This commit adds the ECDSA adaptor signature APIs:
- Encrypted Signing
Creates an adaptor signature, which includes a proof to verify the adaptor
signature.
- Encryption Verification
Verifies that the adaptor decryption key can be extracted from the adaptor
signature and the completed ECDSA signature.
- Signature Decryption
Derives an ECDSA signature from an adaptor signature and an adaptor decryption
key.
- Key Recovery
Extracts the adaptor decryption key from the complete signature and the adaptor
signature.
4504472269 changed import to use brackets <> for openssl as they are not local to the project (William Bright)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 4504472269
jonasnick:
ACK 4504472269
Tree-SHA512: e35c202835a82dab5fe9f2f75e7752e70b15d5d2ee7485790749f145b35e8e995c4978b4015c726387c24248a7efb636d28791fe882581a144a0ddfb27e14075
24ad04fc06 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS (Pieter Wuille)
ebc1af700f Optimization: track f,g limb count and pass to new variable-time update_fg_var (Peter Dettman)
b306935ac1 Optimization: use formulas instead of lookup tables for cancelling g bits (Peter Dettman)
9164a1b658 Optimization: special-case zero modulus limbs in modinv64 (Pieter Wuille)
1f233b3fa0 Remove num/gmp support (Pieter Wuille)
20448b8d09 Remove unused Jacobi symbol support (Pieter Wuille)
5437e7bdfb Remove unused scalar_sqr (Pieter Wuille)
aa9cc52180 Improve field/scalar inverse tests (Pieter Wuille)
1e0e885c8a Make field/scalar code use the new modinv modules for inverses (Pieter Wuille)
436281afdc Move secp256k1_fe_inverse{_var} to per-impl files (Pieter Wuille)
aa404d53be Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files (Pieter Wuille)
08d54964e5 Improve bounds checks in modinv modules (Pieter Wuille)
151aac00d3 Add tests for modinv modules (Pieter Wuille)
d8a92fcc4c Add extensive comments on the safegcd algorithm and implementation (Pieter Wuille)
8e415acba2 Add safegcd based modular inverse modules (Peter Dettman)
de0a643c3d Add secp256k1_ctz{32,64}_var functions (Pieter Wuille)
Pull request description:
This is a rebased and squashed version of #767, adding safegcd-based implementations of constant-time and variable-time modular inverses for scalars and field elements, by Peter Dettman. The PR is organized as follows:
* **Add secp256k1_ctz{32,64}_var functions** Introduction of ctz functions to util.h (which use `__builtin_ctz` on recent GCC and Clang, but fall back to using a software emulation using de Bruijn on other platforms). This isn't used anywhere in this commit, but does include tests.
* **Add safegcd based modular inverse modules** Add Peter Dettman's safegcd code from #767 (without some of his optimizations, which are moved to later commits), turned into separate modules by me.
* **Add extensive comments on the safegcd algorithm and implementation** Add a long description of the algorithm and optimizations to `doc/safegcd_implementation.md`, as well as additional comments to the code itself. It is probably best to review this together with the previous commit (they're separated to keep authorship).
* **Add tests for modinv modules** Adds tests on the modinv interface directly, for arbitrary moduli.
* **Improve bounds checks in modinv modules** Adds a lot of sanity checking to the modinv modules.
* **Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files** A pure refactor to prepare for switching the field and scalar code to modinv.
* **Make field/scalar code use the new modinv modules for inverses** Actually switch over.
* **Add extra modular inverse tests** This adds modular inverse tests through the field/scalar interface, now that those use modinv.
* **Remove unused Jacobi symbol support** No longer needed.
* **Remove num/gmp support** Bye-bye.
* 3 commits with further optimizations.
ACKs for top commit:
gmaxwell:
ACK 24ad04fc06
sanket1729:
ACK 24ad04fc06
real-or-random:
ACK 24ad04fc06 careful code review, some testing
Tree-SHA512: 732fe29315965e43ec9a10ee8c71eceeb983c43fe443da9dc5380a5a11b5e40b06e98d6abf67b773b1de74571fd2014973c6376f3a0caeac85e0cf163ba2144b
This commit adds proving and verification functions for discrete
logarithm equality.
From the spec (https://github.com/discreetlogcontracts/dlcspecs/pull/114):
"As part of the ECDSA adaptor signature a proof of discrete logarithm
equality must be provided. This is a proof that the discrete logarithm of
some X to the standard base G is the same as the discrete logarithm of
some Z to the base Y. This proof can be constructed by using equality
composition on two Sigma protocols proving knowledge of the discrete
logarithm between both pairs of points. In other words the prover proves
knowledge of a such that X = a * G and b such that Z = b * Y and that
a = b. We make the resulting Sigma protocol non-interactive by applying
the Fiat-Shamir transformation with SHA256 as the challenge hash."
This commit adds a nonce function that will be used by default
for ECDSA adaptor signatures.
This nonce function is similar to secp256k1_nonce_function_hardened
except it uses the compressed 33-byte encoding for the pubkey argument.
We need 33 bytes instead of 32 because, unlike with BIP-340, an ECDSA
X-coordinate alone is not sufficient to disambiguate the Y-coordinate.
The magnitude of the f and g variables generally goes down as the algorithm
progresses. Make use of this by keeping tracking how many limbs are used, and
when the number becomes small enough, make use of this to reduce the complexity
of arithmetic on them.
Refactored by: Pieter Wuille <pieter@wuille.net>
Both the field and scalar modulus can be written in signed{30,62} notation
with one or more zero limbs. Make use of this in the update_de function to
avoid a few wide multiplications when that is the case.
This doesn't appear to be a win in the 32-bit implementation, so only
do it for the 64-bit one.
4091e61924 cirrus: increase timeout for macOS tasks (Jonas Nick)
79d4c3ac68 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS (Jonas Nick)
649bf201d8 musig: fix tests for 32-bit (Jonas Nick)
9361f360bb ci: Select number of parallel make jobs depending on CI environment (Tim Ruffing)
28eccdf806 ci: Split output of logs into multiple sections (Tim Ruffing)
c7f754fe4d ci: Run PRs on merge result instead of on the source branch (Tim Ruffing)
b994a8be3c ci: Print information about binaries using "file" (Tim Ruffing)
f24e122d13 ci: Switch all Linux builds to Debian (Tim Ruffing)
f329bba244 build: Add workaround for automake 1.13 and older (Tim Ruffing)
7d3497cdc4 ctime_test: move context randomization test to the end (Jonas Nick)
e491d06b98 Use bit ops instead of int mult for constant-time logic in gej_add_ge (Tim Ruffing)
cc2a5451dc ci: Refactor Nix shell files (Jonas Nick)
2480e55c8f ci: Remove support for Travis CI (Tim Ruffing)
2b359f1c1d ci: Enable simple cache for brewing valgrind on macOS (Tim Ruffing)
8c02e465c5 ci: Add support for Cirrus CI (Tim Ruffing)
b6f649889a Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. (Russell O'Connor)
482e4a9cfc Add missing secp256k1_ge_set_gej_var decl. (Russell O'Connor)
fb390c5299 Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. (Russell O'Connor)
75d2ae149e Remove unused secp256k1_fe_inv_all_var (Pieter Wuille)
2730618604 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. (Russell O'Connor)
3c15130709 Improve CC_FOR_BUILD detection (Tim Ruffing)
47802a4762 Restructure and tidy configure.ac (Tim Ruffing)
252c19dfc6 Ask brew for valgrind include path (Tim Ruffing)
33cb3c2b1f Add secret key extraction from keypair to constant time tests (Elichai Turkel)
36d9dc1e8e Add seckey extraction from keypair to the extrakeys tests (Elichai Turkel)
fc96aa73f5 Add a function to extract the secretkey from a keypair (Elichai Turkel)
b7bc3a4aaa fixed typo (Ferdinando M. Ametrano)
07aa4c70ff Fix insecure links (Dimitris Apostolou)
18aadf9d28 docs: fix simple typo, dependecy -> dependency (Tim Gates)
329a2e0a3f sage: Add script for generating scalar_split_lambda constants (Tim Ruffing)
f554dfc708 sage: Reorganize files (Tim Ruffing)
6e85d675aa Rename tweak to tweak32 in public API (Jonas Nick)
f587f04e35 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 4091e61924 merge commit picks the right parents, merge resolution and additional commit look good
Tree-SHA512: 4f91842ec08c0d6f62c85f6426fe6af6556b4e7b0e6f2a3317953f61557f9a02855e05a28eaa22d7c245bc915778cea6a43e8c881540de43ce08deb916caf07f
