97c63b90390b0b11a5d3530b03855ec9cc0de343 Avoid normalize conditional on VERIFY (Pieter Wuille)
Pull request description:
In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
ACKs for top commit:
real-or-random:
utACK 97c63b90390b0b11a5d3530b03855ec9cc0de343 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
jonasnick:
ACK 97c63b90390b0b11a5d3530b03855ec9cc0de343
Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad5b94f989d5e2c6cdf9b2761a6f6a971e5 Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98346b0a50c0a77e93948fe5e21d9346d06 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c6b9d1c74d3636b4ef5b1e5404e3e2053b Abstract out verify logic for fe_half (Pieter Wuille)
283cd80ab471bccb995925eb55865f04e38566f4 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f035802047c45605bfa69fb467000e9288f Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
316764607257084e714898e07234fdc53150b57a Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5047c1d8dfb83b277421f11460f5126a03 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894bdd74c0b94224f2891c9f5501ac7a3b87a Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8e0347e090037ff1d30a22a9d614db8c9f Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab35082efe904cbb7ca5225134a1d3647e35388 Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6efbd5f8b4738c1c16daf73906d45c5f579 Abstract out verify logic for fe_mul (Pieter Wuille)
e179e651cbb20031905e01f37596e20ec2cb788a Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7ff570645304459242104406d6e1f79857c Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3445265767375383a5b68b5f61aeadefca Abstract out verify logic for fe_negate (Pieter Wuille)
144670893eccd84d638951f6c5bae43fc97e3c7b Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666aeb8db92b9171f4765f7d405b7b73d946 Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d2093e86fedca676dbbe59b50bdcf8c599704 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c6dd2741853de4631881d77ae38a14cd23 Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d672d78315e7269fd3743eadae6428468e Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8616d02bd1c62376c1318be69c64eea982 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a4719adff20fa83511f946e4abbd4d8cda Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfeeeac4274bbeca7f8757a2ee73bdf03895 Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db491b4e1204fda5168174b235f9eefb56e Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371120bb85a397bf1caa73fd1c9b8405d35e Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f52254b93805350354567a944ca4d79ae2 Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9cb97f6c9313871c278ec73f209ef537a44 Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa51955592ccf4fb424a7a538372ad159e77293 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c51b2a47139d610bf686e09ae9f9d24001 Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
Pull request description:
Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
Fixes#1060.
ACKs for top commit:
jonasnick:
ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94
real-or-random:
ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94
Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae456c7ae60e92ddc354071f21fb6aa62 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722ac93ca66d1beb0d2f2d2469b95aafea Add invariant checking to group elements (Pieter Wuille)
a18821d5b1d44db0e7c8335f338cc9876bec98cb Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90acd9d61c5b38e862877fdeacaff74a50 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4da3788758bb3fdae66c7ae262dbf224 Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
real-or-random:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19
Infinity isn't currently needed here, but correctly handling it is a
little more safe against future changes.
Update docs for it to make it clear that it is not constant time in A
(the input point). It never was constant time in Q (and would be a little
complicated to make constant time in A).
If it was later made constant time in A, infinity support would be easy
to preserve, e.g. by running it on a dummy value and cmoving infinity into
the output.
2e65f1fdbcc87e2ef8c0baf4abc8ee0f56daf7fe Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
Pull request description:
The existing bench.c code defines `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one.
ACKs for top commit:
stratospher:
ACK 2e65f1f.
real-or-random:
utACK 2e65f1fdbc
Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814
For the sake of completeness, add the missing descriptions for the
return value and parameters (`ctx`, `sig64`, `keypair`), in the same
wording/style as for the function `secp256k1_schnorrsig_sign32`.
bef448f9af248dba016883401de07b431f3e686e cmake: Fix library ABI versioning (Hennadii Stepanov)
Pull request description:
This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.
To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`:
- incrementing of `*_LIB_VERSION_CURRENT`
- setting `*_LIB_VERSION_REVISION` to zero
- incrementing of `*_LIB_VERSION_AGE`
ACKs for top commit:
real-or-random:
ACK bef448f9af248dba016883401de07b431f3e686e diff looks good and I tested on Linux
Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5
An executable target in the `COMMAND` option will automatically be
replaced by the location of the executable created at build time.
This change fixes tests for Windows binaries using Wine.
7e977b3c5071fc17575ff88ebbc9db7b17c70497 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing)
2418d3260ac51ba0f148fb20e19c8f41bba8a135 autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing)
8764034ed55bffc8a26fbe377ac505359f8828e9 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing)
e1b9ce881159e8e2572467f1426f200e987a4d44 autotools: Use same conventions for all pregenerated files (Tim Ruffing)
08f4b1632d0ad976fe00ee606f3a95894555a2e1 autotools: Move code around to tidy Makefile (Tim Ruffing)
529b54d9224e680197e6052b505d2a66398e0d36 autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing)
Pull request description:
Follow-up to https://github.com/bitcoin-core/secp256k1/pull/1245.
This builds on top of https://github.com/bitcoin-core/secp256k1/pull/1276. Let's only merge https://github.com/bitcoin-core/secp256k1/pull/1276 as a hotfix for the Core build.
ACKs for top commit:
hebasto:
ACK 7e977b3c5071fc17575ff88ebbc9db7b17c70497
Tree-SHA512: 42e09feaed15d903e759360e1dfbd1afce9da07a55512e2e791147b72d9b6477e34ae6028439af57dbcae318081a37ddcf3a630f9617bfea95c130135ba2313f
71f746c057a66d5ae0dfdb5d439bc49592c0d16e cmake: Include `include` directory for subtree builds (Hennadii Stepanov)
5431b9decdbbdf30c5c5f2aed4b59662f5c681a2 cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL` (Hennadii Stepanov)
162608cc982538906e775d0c549aff2de5dee413 cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21 (Hennadii Stepanov)
Pull request description:
This PR:
1. Emulates [`PROJECT_IS_TOP_LEVEL`](https://cmake.org/cmake/help/latest/variable/PROJECT_IS_TOP_LEVEL.html) variable for CMake versions where it is not available.
2. Makes the `SECP256K1_INSTALL` option dependent on `PROJECT_IS_TOP_LEVEL` (a [follow up](https://github.com/bitcoin-core/secp256k1/pull/1263#issuecomment-1516564300) of https://github.com/bitcoin-core/secp256k1/pull/1263).
3. Makes integration of this project as a subtree easier. A top project can `#include <secp256k1.h>` with no additional `target_include_directories()` commands. For example, see https://github.com/hebasto/secp256k1-CMake-example/tree/subtree.
ACKs for top commit:
theuni:
utACK 71f746c057a66d5ae0dfdb5d439bc49592c0d16e.
Tree-SHA512: 8ccdbcc94b26f36e772611ebaab0f2846debd6ad20f9e361be31a8d2128a14273acb692b0631026e12cc6cdef6d445dce0fd3beb4f71af47b46dfcf840a18879
