secp256k1-zkp

Author	SHA1	Message	Date
Jonas Nick	79fa50b082	release process: mention targeted release schedule	2023-05-24 13:43:28 +00:00
Jonas Nick	165206789b	release process: add sanity checks	2023-05-24 13:43:25 +00:00
Pieter Wuille	3353d3c753	Merge bitcoin-core/secp256k1#1207 : Split fe_set_b32 into reducing and normalizing variants 5b32602295ff7ad9e1973f96b8ee8344b82f4af0 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille) Pull request description: Follow-up to #1205. This splits the `secp256k1_fe_set_b32` function into two variants: * `secp256k1_fe_set_b32_mod`, which returns `void`, reduces modulo the curve order, and only promises weakly normalized output. * `secp256k1_fe_set_b32_limit`, which returns `int` indicating success/failure, and only promises valid output in case the input is in range (but guarantees it's strongly normalized in this case). This removes one of the few cases in the codebase where normalization status depends on runtime values, making it fixed at compile-time instead. ACKs for top commit: real-or-random: ACK 5b32602295ff7ad9e1973f96b8ee8344b82f4af0 jonasnick: ACK 5b32602295ff7ad9e1973f96b8ee8344b82f4af0 Tree-SHA512: 4b93502272638c6ecdef4d74afa629e7ee540c0a20b377dccedbe567857b56c4684fad3af4b4293ed7ba35fed4aa5d0beaacdd77a903f44f24e8d87305919b61	2023-05-11 16:06:15 -04:00
Pieter Wuille	5b32602295	Split fe_set_b32 into reducing and normalizing variants	2023-05-11 13:49:33 -04:00
Jonas Nick	006ddc1f42	Merge bitcoin-core/secp256k1#1306 : build: Make tests work with external default callbacks 1907f0f1664e3a966daa58be956af18e48834ffd build: Make tests work with external default callbacks (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 1907f0f1664e3a966daa58be956af18e48834ffd jonasnick: ACK 1907f0f1664e3a966daa58be956af18e48834ffd Tree-SHA512: 198598f7bf5292bf5709187f9a40ddf9a0fba93e8b62afb49df2c05b4ef61c394cea43ee07615b51ceea97862228d8ad351fddef13c190cb2e6690943ed63128	2023-05-11 17:31:29 +00:00
Tim Ruffing	1907f0f166	build: Make tests work with external default callbacks	2023-05-11 19:08:35 +02:00
Jonas Nick	fb3a806365	Merge bitcoin-core/secp256k1#1133 : schnorrsig: Add test vectors for variable-length messages cd54ac7c1cca509404b62e626a6291f434af88e8 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing) 28687b03128fbdd23a3f901297f523dfae2f82e3 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing) 97a98bed1ed479b1a23d8ae788020d8a6e081cf0 schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK cd54ac7c1cca509404b62e626a6291f434af88e8. I didn't verify the included test vectors match the BIP. jonasnick: ACK cd54ac7c1cca509404b62e626a6291f434af88e8 Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816	2023-05-11 16:44:08 +00:00
Tim Ruffing	cd54ac7c1c	schnorrsig: Improve docs of schnorrsig_sign_custom	2023-05-11 18:36:42 +02:00
Tim Ruffing	28687b0312	schnorrsig: Add BIP340 varlen test vectors	2023-05-11 18:36:42 +02:00
Tim Ruffing	97a98bed1e	schnorrsig: Refactor test vector code to allow varlen messages	2023-05-11 18:36:42 +02:00
Jonas Nick	ab5a917128	Merge bitcoin-core/secp256k1#1303 : ct: Use more volatile 17fa21733aae97bf671fede3ce528c7a3b2f5f14 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing) 5fb336f9ce7d287015ada5d1d6be35d63469c9a4 ct: Use volatile trick in scalar_cond_negate (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14 jonasnick: ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14 Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121	2023-05-11 16:14:44 +00:00
Tim Ruffing	9eb6934f69	Merge bitcoin-core/secp256k1#1305 : Remove unused scratch space from API 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b Remove unused scratch space from API (Jonas Nick) Pull request description: Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff. ACKs for top commit: sipa: ACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b real-or-random: utACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44	2023-05-11 18:07:53 +02:00
Jonas Nick	073d98a076	Merge bitcoin-core/secp256k1#1292 : refactor: Make 64-bit shift explicit d1e48e5474a2be29e17a477874a4963f8f612a5a refactor: Make 64-bit shift explicit (Hennadii Stepanov) b2e29e43d0e5e65c1e1199f86f59689a1e736109 ci: Treat all compiler warnings as errors in "Windows (VS 2022)" task (Hennadii Stepanov) Pull request description: ACKs for top commit: real-or-random: utACK d1e48e5474a2be29e17a477874a4963f8f612a5a jonasnick: ACK d1e48e5474a2be29e17a477874a4963f8f612a5a Tree-SHA512: fd07c8c136b1c947900d45b5a4ad4963e2c29884aca62a26be07713dfd1b0c5e7655f07a0b99217fc055bf3266e71cb5edabbd4d5c145a172b4be5d10f7ad51c	2023-05-11 15:06:47 +00:00
Tim Ruffing	17fa21733a	ct: Be cautious and use volatile trick in more "conditional" paths - secp256k1_scalar_cadd_bit - secp256k1_modinvXX_normalize_YY - secp256k1_modinvXX_divsteps_ZZ - ECMULT_CONST_TABLE_GET_GE Even though those code loations are not problematic right now (with current compilers).	2023-05-11 16:32:07 +02:00
Tim Ruffing	5fb336f9ce	ct: Use volatile trick in scalar_cond_negate	2023-05-11 16:32:07 +02:00
Jonas Nick	712e7f8722	Remove unused scratch space from API	2023-05-11 13:39:56 +00:00
Pieter Wuille	54d34b6c24	Merge bitcoin-core/secp256k1#1300 : Avoid normalize conditional on VERIFY 97c63b90390b0b11a5d3530b03855ec9cc0de343 Avoid normalize conditional on VERIFY (Pieter Wuille) Pull request description: In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not. ACKs for top commit: real-or-random: utACK 97c63b90390b0b11a5d3530b03855ec9cc0de343 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed jonasnick: ACK 97c63b90390b0b11a5d3530b03855ec9cc0de343 Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f	2023-05-11 08:30:21 -04:00
Pieter Wuille	c63ec88ebf	Merge bitcoin-core/secp256k1#1066 : Abstract out and merge all the magnitude/normalized logic 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille) 4e176ad5b94f989d5e2c6cdf9b2761a6f6a971e5 Abstract out verify logic for fe_is_square_var (Pieter Wuille) 4371f98346b0a50c0a77e93948fe5e21d9346d06 Abstract out verify logic for fe_add_int (Pieter Wuille) 89e324c6b9d1c74d3636b4ef5b1e5404e3e2053b Abstract out verify logic for fe_half (Pieter Wuille) 283cd80ab471bccb995925eb55865f04e38566f4 Abstract out verify logic for fe_get_bounds (Pieter Wuille) d5aa2f035802047c45605bfa69fb467000e9288f Abstract out verify logic for fe_inv{,_var} (Pieter Wuille) 316764607257084e714898e07234fdc53150b57a Abstract out verify logic for fe_from_storage (Pieter Wuille) 76d31e5047c1d8dfb83b277421f11460f5126a03 Abstract out verify logic for fe_to_storage (Pieter Wuille) 1e6894bdd74c0b94224f2891c9f5501ac7a3b87a Abstract out verify logic for fe_cmov (Pieter Wuille) be82bd8e0347e090037ff1d30a22a9d614db8c9f Improve comments/checks for fe_sqrt (Pieter Wuille) 6ab35082efe904cbb7ca5225134a1d3647e35388 Abstract out verify logic for fe_sqr (Pieter Wuille) 4c25f6efbd5f8b4738c1c16daf73906d45c5f579 Abstract out verify logic for fe_mul (Pieter Wuille) e179e651cbb20031905e01f37596e20ec2cb788a Abstract out verify logic for fe_add (Pieter Wuille) 7e7ad7ff570645304459242104406d6e1f79857c Abstract out verify logic for fe_mul_int (Pieter Wuille) 65d82a3445265767375383a5b68b5f61aeadefca Abstract out verify logic for fe_negate (Pieter Wuille) 144670893eccd84d638951f6c5bae43fc97e3c7b Abstract out verify logic for fe_get_b32 (Pieter Wuille) f7a7666aeb8db92b9171f4765f7d405b7b73d946 Abstract out verify logic for fe_set_b32 (Pieter Wuille) ce4d2093e86fedca676dbbe59b50bdcf8c599704 Abstract out verify logic for fe_cmp_var (Pieter Wuille) 7d7d43c6dd2741853de4631881d77ae38a14cd23 Improve comments/check for fe_equal{,_var} (Pieter Wuille) c5e788d672d78315e7269fd3743eadae6428468e Abstract out verify logic for fe_is_odd (Pieter Wuille) d3f3fe8616d02bd1c62376c1318be69c64eea982 Abstract out verify logic for fe_is_zero (Pieter Wuille) c701d9a4719adff20fa83511f946e4abbd4d8cda Abstract out verify logic for fe_clear (Pieter Wuille) 19a2bfeeeac4274bbeca7f8757a2ee73bdf03895 Abstract out verify logic for fe_set_int (Pieter Wuille) 864f9db491b4e1204fda5168174b235f9eefb56e Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille) 6c31371120bb85a397bf1caa73fd1c9b8405d35e Abstract out verify logic for fe_normalize_var (Pieter Wuille) e28b51f52254b93805350354567a944ca4d79ae2 Abstract out verify logic for fe_normalize_weak (Pieter Wuille) b6b6f9cb97f6c9313871c278ec73f209ef537a44 Abstract out verify logic for fe_normalize (Pieter Wuille) 7fa51955592ccf4fb424a7a538372ad159e77293 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille) b29566c51b2a47139d610bf686e09ae9f9d24001 Merge magnitude/normalized fields, move/improve comments (Pieter Wuille) Pull request description: Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field. This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation. Fixes #1060. ACKs for top commit: jonasnick: ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94 real-or-random: ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94 Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4	2023-05-11 08:23:48 -04:00
Pieter Wuille	7fc642fa25	Simplify secp256k1_fe_{impl_,}verify	2023-05-11 06:25:59 -04:00
Pieter Wuille	4e176ad5b9	Abstract out verify logic for fe_is_square_var	2023-05-11 06:25:56 -04:00
Pieter Wuille	4371f98346	Abstract out verify logic for fe_add_int	2023-05-11 06:25:19 -04:00
Pieter Wuille	89e324c6b9	Abstract out verify logic for fe_half	2023-05-11 06:25:15 -04:00
Pieter Wuille	283cd80ab4	Abstract out verify logic for fe_get_bounds	2023-05-11 06:24:26 -04:00
Pieter Wuille	d5aa2f0358	Abstract out verify logic for fe_inv{,_var}	2023-05-11 06:24:26 -04:00
Pieter Wuille	3167646072	Abstract out verify logic for fe_from_storage	2023-05-11 06:24:26 -04:00
Pieter Wuille	76d31e5047	Abstract out verify logic for fe_to_storage	2023-05-11 06:24:26 -04:00
Pieter Wuille	1e6894bdd7	Abstract out verify logic for fe_cmov	2023-05-11 06:24:26 -04:00
Pieter Wuille	be82bd8e03	Improve comments/checks for fe_sqrt	2023-05-11 06:24:22 -04:00
Pieter Wuille	6ab35082ef	Abstract out verify logic for fe_sqr	2023-05-11 06:18:40 -04:00
Pieter Wuille	4c25f6efbd	Abstract out verify logic for fe_mul	2023-05-11 06:18:40 -04:00
Pieter Wuille	e179e651cb	Abstract out verify logic for fe_add	2023-05-11 06:18:40 -04:00
Pieter Wuille	7e7ad7ff57	Abstract out verify logic for fe_mul_int	2023-05-11 06:18:40 -04:00
Pieter Wuille	65d82a3445	Abstract out verify logic for fe_negate	2023-05-11 06:18:40 -04:00
Pieter Wuille	144670893e	Abstract out verify logic for fe_get_b32	2023-05-11 06:18:40 -04:00
Pieter Wuille	f7a7666aeb	Abstract out verify logic for fe_set_b32	2023-05-11 06:18:40 -04:00
Pieter Wuille	ce4d2093e8	Abstract out verify logic for fe_cmp_var	2023-05-11 06:18:40 -04:00
Pieter Wuille	7d7d43c6dd	Improve comments/check for fe_equal{,_var}	2023-05-11 06:18:40 -04:00
Pieter Wuille	c5e788d672	Abstract out verify logic for fe_is_odd	2023-05-11 06:18:40 -04:00
Pieter Wuille	d3f3fe8616	Abstract out verify logic for fe_is_zero	2023-05-11 06:18:40 -04:00
Pieter Wuille	c701d9a471	Abstract out verify logic for fe_clear	2023-05-11 06:18:40 -04:00
Pieter Wuille	19a2bfeeea	Abstract out verify logic for fe_set_int	2023-05-11 06:18:40 -04:00
Pieter Wuille	864f9db491	Abstract out verify logic for fe_normalizes_to_zero{,_var}	2023-05-11 06:18:40 -04:00
Pieter Wuille	6c31371120	Abstract out verify logic for fe_normalize_var	2023-05-11 06:18:40 -04:00
Pieter Wuille	e28b51f522	Abstract out verify logic for fe_normalize_weak	2023-05-11 06:18:40 -04:00
Pieter Wuille	b6b6f9cb97	Abstract out verify logic for fe_normalize	2023-05-11 06:18:40 -04:00
Pieter Wuille	7fa5195559	Bugfix: correct SECP256K1_FE_CONST mag/norm fields	2023-05-11 06:18:37 -04:00
Pieter Wuille	b29566c51b	Merge magnitude/normalized fields, move/improve comments Also split secp256k1_fe_verify into a generic and an implementation specific part.	2023-05-11 04:25:19 -04:00
Pieter Wuille	97c63b9039	Avoid normalize conditional on VERIFY	2023-05-11 03:41:48 -04:00
Tim Ruffing	341cc19726	Merge bitcoin-core/secp256k1#1299 : Infinity handling: ecmult_const(infinity) works, and group verification bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille) 0a2e0b2ae456c7ae60e92ddc354071f21fb6aa62 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille) f20266722ac93ca66d1beb0d2f2d2469b95aafea Add invariant checking to group elements (Pieter Wuille) a18821d5b1d44db0e7c8335f338cc9876bec98cb Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille) 3086cb90acd9d61c5b38e862877fdeacaff74a50 Expose secp256k1_fe_verify to other modules (Pieter Wuille) a0e696fd4da3788758bb3fdae66c7ae262dbf224 Make secp256k1_ecmult_const handle infinity (Gregory Maxwell) Pull request description: Rebase of #791. * Clean up infinity handling, make x/y/z always initialized for infinity. * Make secp256k1_ecmult_const handle infinity. * Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes. * Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output. * Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`). * Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode. ACKs for top commit: jonasnick: ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41 real-or-random: ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19	2023-05-10 18:44:18 +02:00
Pieter Wuille	bbc834467c	Avoid secp256k1_ge_set_gej_zinv with uninitialized z	2023-05-10 09:25:09 -04:00

1 2 3 4 5 ...

1989 Commits