ebb1beea78 sage: Ensure that constraints are always fastfracs (Tim Ruffing)
d8d54859ed ci: Run sage prover on CI (Tim Ruffing)
77cfa98dbc sage: Normalize sign of polynomial factors in prover (Tim Ruffing)
eae75869cf sage: Exit with non-zero status in case of failures (Tim Ruffing)
b54d843eac sage: Fix printing of errors (Tim Ruffing)
e108d0039c sage: Fix incompatibility with sage 9.4 (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK ebb1beea78
jonasnick:
ACK ebb1beea78
Tree-SHA512: 7a4732fd31d925d3dff471911183acc465ddcadbb5c88c46995502df61a913433c7639cb52fad3db72373b7cc47b9b0f063f7f5d5f8189c9ef998955e409479f
The prover, when run on recent sage versions, failed to prove some of its
goals due to a change in sage. This commit adapts our code accordingly.
The prover passes again after this commit.
The macOS CI tasks often error fail when doing `brew update` with
git fetch errors:
```
remote: fatal: packfile /data/repositories/b/nw/b6/07/5c/123272362/network.git/objects/pack/pack-2139bd07361b62a358e380a0e7d58ec35593d191.pack cannot be accessed
fatal: protocol error: bad pack header
Error: Fetching /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core failed!
```
Superficially this seems to be a problem on the GitHub server because
the message shows a "remote" error. But it seems we're the only one in
the world running into this specific issue when doing `brew update`, so
it's more likely that the something else is the culprit, and this error
message is just a symptom.
This commit replaces `brew update` with a complete reinstallation of
brew. This is essentially a shot in the dark but it's worth a try, and
I doubt it's significantly more expensive. If that won't work, we may
consider simply retrying `brew update` a few times.
According to [autoconf 2.70](https://www.gnu.org/software/autoconf/manual/autoconf-2.70/html_node/Obsolete-Macros.html)
documentation, the `AC_PROG_CC_C89' is replaced by `AC_PROG_CC`, which
defines the same variable `ac_cv_prog_cc_c89`.
Avoids the following message:
```
configure.ac:23: warning: The macro `AC_PROG_CC_C89' is obsolete.
```
Also, remove deprecated `AM_PROG_CC_C_O`.
b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad1 Move secp256k1_fe_one to field.h (Russell O'Connor)
Pull request description:
ACKs for top commit:
sipa:
ACK b797a500ec
jonasnick:
ACK b797a500ec
Tree-SHA512: 6742469979c306104a0861be76c2be86bf8ab14116b00afbd24f91b9e3ea843bf9b9a74552b367bd06ee617090019ad4df6be037d58937c8c869f8b37ddaa6cc
69b392f3cb musig: move explanation for aggnonce=inf to spec (Jonas Nick)
4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} (Jonas Nick)
3c122d0780 musig-spec: improve definition of lift_x (Jonas Nick)
e0bb2d7009 musig-spec: improve KeyAgg description (Jonas Nick)
b8f4e75d89 musig-spec: move to doc directory (Jonas Nick)
Pull request description:
Will wait before adding tweaking until #151 is merged.
ACKs for top commit:
robot-dreams:
ACK 69b392f3cb based on:
real-or-random:
ACK 69b392f3cb I haven't looked at every detail but it's certainly ready to be merged as draft spec
Tree-SHA512: e3aa0265a9d7a7648e03ca42575397100edd5af43f0224937af51aa5c77efc451d7938149bdc711f69e24fb9291438453b8cd762affaa1a2e7bcc89f121485df
8088eddc53 musig: add test vector for ordinary (non xonly) tweaking (Elliott Jin)
57a17929fc musig: add ordinary and xonly tweaking to the example (Jonas Nick)
37107361a0 musig: allow ordinary, non-xonly tweaking (Jonas Nick)
c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache (Jonas Nick)
Pull request description:
In short, `musig_pubkey_tweak_add` now allows for xonly _and_ "ordinary" tweaking. Also, in order to allow using `ec_pubkey_tweak_add` on the non-xonly aggregate public key, there's a new function `musig_pubkey_get` that allows obtaining it from the `keyagg_cache`.
One alternative would be that instead of adding `musig_pubkey_get`, we could change `pubkey_agg` to output an ordinary (non-xonly) pubkey. Then users of the API who do not need ordinary (BIP32) tweaking would be forced to call `xonly_pubkey_from_pubkey`. And we'd probably want to change the spec. And it would be a bit weird to output a pubkey that can't be directly schnorrsig_verify'd.
Based on #131
ACKs for top commit:
robot-dreams:
ACK 8088eddc53 based on https://github.com/ElementsProject/secp256k1-zkp/pull/151#issuecomment-1005198409 and the following `range-diff`:
Tree-SHA512: a4a0100f0470c870f88a8da27dbcc4684fcc2caabb368d4340e962e08d5ee04634e6289bafa3448dbfd0b5793a3e70de5bd6ddca7a619cc3220ff762d518a8fe
070e772211 Faster fixed-input ecmult tests (Pieter Wuille)
Pull request description:
Given how much #920 slowed down the tests with low iteration count, replace it with 3 different similar test:
* count >= 1: a test with 1024 multiplies that tests any pattern of 6 bits in windows not more than 20 bits wide
* count >= 3: a test with 2048 multiplies that tests any pattern of 8 consecutive bits
* count >= 35: the old test (which effectively tests all 2-bit patterns)
ACKs for top commit:
robot-dreams:
ACK 070e772211, the addition of the `CONDITIONAL_TEST` macro is nice.
real-or-random:
ACK 070e772211
Tree-SHA512: b4ccca42c71fcd1baa7143f73d1c3ac9d012c296485164a03341dbeee02e4ba9f7c7ad6b441923a5fe0286c97eff60815033adb4e1d30b3ef08bcb79590327ff
45f37b6506 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes#1063. (Paul Miller)
Pull request description:
ACKs for top commit:
siv2r:
ACK 45f37b6. The diff looks good. It reduces `msg32` to modulo curve order for rfc6979 nonce generation. All tests passed on my machine with `make check`.
sipa:
utACK 45f37b6506
real-or-random:
ACK 45f37b6506
Tree-SHA512: 4c36784b2d6f2983bc0c3f380ff59cd9f2bd1822b98116d70964cd15183742fcc1f2ccde225a76dd30d946b3678b2cf29caff018efc07f40a200ee85843b39dd
11d675dce8 whitelist: remove ability to specific nonce function (Andrew Poelstra)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 11d675dce8
Tree-SHA512: aa53d445a1e817e9998a41f5da186f1d92e3da0dcc088b9ff8fe795af06072d3e6b22be7842ece9f4dcb5e0ad97a90ebeaca097247fa8307d88a6d2bfb0fb573
b7ebe6436c Test APIs of funcs that need an ecmult_gen ctx with static ctx (Jonas Nick)
e82144edfb Fixup skew before global Z fixup (Peter Dettman)
40b624c90b Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe1 ECDH skews by 0 or 1 (Peter Dettman)
1515099433 Simpler and faster ecdh skew fixup (Peter Dettman)
3d7cbafb5f tests: Fix test whose result is implementation-defined (Tim Ruffing)
77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
3ed0d02bf7 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8 doc: add release_process.md (Jonas Nick)
0bd3e4243c build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
b4ac1a1d5f ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e ci: Update brew on macOS (Tim Ruffing)
22382f0ea0 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
1287786c7a doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589 doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
22d25c8e0a Add another ecmult_multi test (Pieter Wuille)
515e7953ca Improve checks at top of _fe_negate methods (Peter Dettman)
e05da9e480 Fix c++ build (Pieter Wuille)
c45386d994 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen} (Pieter Wuille)
19d96e15f9 Split off .c file from precomputed_ecmult.h (Pieter Wuille)
1a6691adae Split off .c file from precomputed_ecmult_gen.h (Pieter Wuille)
bb36331412 Simplify precompute_ecmult_print_* (Pieter Wuille)
38cd84a0cb Compute ecmult tables at runtime for tests_exhaustive (Pieter Wuille)
e458ec26d6 Move ecmult table computation code to separate file (Pieter Wuille)
fc1bf9f15f Split ecmult table computation and printing (Pieter Wuille)
31feab053b Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table (Pieter Wuille)
725370c3f2 Rename ecmult_gen_prec -> ecmult_gen_compute_table (Pieter Wuille)
075252c1b7 Rename ecmult_static_pre_g -> precomputed_ecmult (Pieter Wuille)
7cf47f72bc Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen (Pieter Wuille)
f95b8106d0 Rename gen_ecmult_static_pre_g -> precompute_ecmult (Pieter Wuille)
bae77685eb Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen (Pieter Wuille)
7dfceceea6 build: Remove #undef hack for ASM in the precomputation programs (Tim Ruffing)
bb36fe9be0 ci: Test `make precomp` (Tim Ruffing)
d94a37a20c build: Remove CC_FOR_BUILD stuff (Tim Ruffing)
ad63bb4c29 build: Prebuild and distribute ecmult_gen table (Tim Ruffing)
ac49361ed0 prealloc: Get rid of manual memory management for prealloc contexts (Tim Ruffing)
6573c08f65 ecmult_gen: Tidy precomputed file and save space (Tim Ruffing)
5eba83f17c ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS (Tim Ruffing)
fdb33dd122 refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table (Tim Ruffing)
a4875e30a6 refactor: Move default callbacks to util.h (Tim Ruffing)
4c94c55bce doc: Remove obsolete hint for valgrind stack size (Tim Ruffing)
5106226991 exhaustive_tests: Fix with ecmult_gen table with custom generator (Tim Ruffing)
e1a76530db refactor: Make generator a parameter of ecmult_gen_create_prec_table (Tim Ruffing)
9ad09f6911 refactor: Rename program that generates static ecmult_gen table (Tim Ruffing)
8ae18f1ab3 refactor: Rename file that contains static ecmult_gen table (Tim Ruffing)
00d2fa116e ecmult_gen: Make code consistent with comment (Tim Ruffing)
3b0c2185ea ecmult_gen: Simplify ecmult_gen context after making table static (Tim Ruffing)
e43ba02cfc refactor: Decouple table generation and ecmult_gen context (Tim Ruffing)
22dc2c0a0d ecmult_gen: Move table creation to new file and force static prec (Tim Ruffing)
099bad945e Comment and check a parameter for inf in secp256k1_ecmult_const. (Russell O'Connor)
6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. (Russell O'Connor)
5eb519e1f6 ci: reduce TEST_ITERS in memcheck run (Pieter Wuille)
e2cf77328a Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255. (Pieter Wuille)
c0cd7de6d4 build: add -no-undefined to libtool LDFLAGS (fanquake)
fe32a79d35 build: pass win32-dll to LT_INIT (fanquake)
7c7ce872a5 build: Add a check that Valgrind actually supports a host platform (Hennadii Stepanov)
592661c22f ci: move test environment variable declaration to .cirrus.yml (siv2r)
dcbe84b841 bench: add --help option to bench. (siv2r)
2b7c7497ef build: replace backtick command substitution with $() (fanquake)
60bf8890df ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS (Jonas Nick)
214042a170 build: don't append valgrind CPPFLAGS if not installed (fanquake)
812ff5c747 doc: remove use of 0xa0 "no break space" (fanquake)
dc9b6853b7 doc: Minor fixes in safegcd_implementation.md (Elliott Jin)
233297579d Fix typos (Dimitris Apostolou)
72de1359e9 ci: Enable -g if we set CFLAGS manually (Tim Ruffing)
16d132215c refactor: Use (int)&(int) in boolean context to avoid compiler warning (MarcoFalke)
3b157c48ed doc: Suggest keys.openpgp.org as keyserver in SECURITY.md (Tim Ruffing)
73a7472cd0 doc: Replace apoelstra's GPG key by jonasnick's GPG key (Tim Ruffing)
af6abcb3d0 Make bench support selecting which benchmarks to run (Pieter Wuille)
9f56bdf5b9 Merge bench_schnorrsig into bench (Pieter Wuille)
3208557ae1 Merge bench_recover into bench (Pieter Wuille)
855e18d8a8 Merge bench_ecdh into bench (Pieter Wuille)
2a7be678a6 Combine bench_sign and bench_verify into single bench (Pieter Wuille)
5324f8942d Make aux_rnd32==NULL behave identical to 0x0000..00. (Pieter Wuille)
2888640132 VERIFY_CHECK precondition for secp256k1_fe_set_int. (Russell O'Connor)
d49011f54c Make _set_fe_int( . , 0 ) set magnitude to 0 (Tim Ruffing)
23e2f66726 bench: don't return 1 in have_flag() if argc = 1 (Jonas Nick)
96b1ad2ea9 bench_ecmult: improve clarity of output (Jonas Nick)
b4b130678d create csv file from the benchmark output (siv2r)
26a255beb6 Shared benchmark format for command line and CSV outputs (siv2r)
044d956305 Fix G.y parity in sage code (Pieter Wuille)
b53e0cd61f Avoid overly-wide multiplications (Peter Dettman)
9be7b0f083 Avoid computing out-of-bounds pointer. (Tim Ruffing)
bc08599e77 Remove OpenSSL testing support (Pieter Wuille)
db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const (Pieter Wuille)
189f6bcfef Fix unused parameter warnings when building without VERIFY (Jonas Nick)
d43993724d tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify` (siv2r)
Pull request description:
[bitcoin-core/secp256k1#986]: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify`
[bitcoin-core/secp256k1#987]: Fix unused parameter warnings when building without VERIFY
[bitcoin-core/secp256k1#966]: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
[bitcoin-core/secp256k1#983]: [RFC] Remove OpenSSL testing support
[bitcoin-core/secp256k1#952]: Avoid computing out-of-bounds pointer.
[bitcoin-core/secp256k1#810]: Avoid overly-wide multiplications in 5x52 field mul/sqr
[bitcoin-core/secp256k1#996]: Fix G.y parity in sage code
[bitcoin-core/secp256k1#989]: Shared benchmark format for command line and CSV outputs
[bitcoin-core/secp256k1#999]: bench_ecmult: improve clarity of output
[bitcoin-core/secp256k1#943]: VERIFY_CHECK precondition for secp256k1_fe_set_int.
[bitcoin-core/secp256k1#1002]: Make aux_rnd32==NULL behave identical to 0x0000..00.
[bitcoin-core/secp256k1#991]: Merge all "external" benchmarks into a single bench binary
[bitcoin-core/secp256k1#1007]: doc: Replace apoelstra's GPG key by jonasnick's GPG key
[bitcoin-core/secp256k1#1009]: refactor: Use (int)&(int) in boolean context to avoid compiler warning
[bitcoin-core/secp256k1#1011]: ci: Enable -g if we set CFLAGS manually
[bitcoin-core/secp256k1#1012]: Fix typos
[bitcoin-core/secp256k1#1010]: doc: Minor fixes in safegcd_implementation.md
[bitcoin-core/secp256k1#1020]: doc: remove use of <0xa0> "no break space"
[bitcoin-core/secp256k1#1019]: build: don't append valgrind CPPFLAGS if not installed (macOS)
[bitcoin-core/secp256k1#1004]: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
[bitcoin-core/secp256k1#1025]: build: replace backtick command substitution with $()
[bitcoin-core/secp256k1#1008]: bench.c: add `--help` option and ci: move env variables
[bitcoin-core/secp256k1#1027]: build: Add a check that Valgrind actually supports a host platform
[bitcoin-core/secp256k1#1022]: build: Windows DLL additions
[bitcoin-core/secp256k1#920]: Test all ecmult functions with many j*2^i combinations
[bitcoin-core/secp256k1#942]: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
[bitcoin-core/secp256k1#988]: Make signing table fully static
[bitcoin-core/secp256k1#1042]: Follow-ups to making all tables fully static
[bitcoin-core/secp256k1#816]: Improve checks at top of _fe_negate methods
[bitcoin-core/secp256k1#1044]: Add another ecmult_multi test
[bitcoin-core/secp256k1#1030]: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
[bitcoin-core/secp256k1#1047]: ci: Various improvements
[bitcoin-core/secp256k1#1053]: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
[bitcoin-core/secp256k1#964]: Add release-process.md
[bitcoin-core/secp256k1#1052]: Use xoshiro256++ instead of RFC6979 for tests
[bitcoin-core/secp256k1#1054]: tests: Fix test whose result is implementation-defined
[bitcoin-core/secp256k1#1029]: Simpler and faster ecdh skew fixup
This PR can be recreated with `./contrib/sync-upstream.sh range a1102b12196ea27f44d6201de4d25926a2ae9640`.
ACKs for top commit:
apoelstra:
utACK b7ebe6436c
real-or-random:
ACK b7ebe6436c diff looks good. tested on my machine, also on valgrind.
Tree-SHA512: 8b01347bbb9ac35cb93df628eaaf2a997fc8182046588bccc48a0623e9595d40cad2d46102a9c62c819ff77069331f344361138fd8ad0afc81bba9c1690bb541
