cd54ac7c1cca509404b62e626a6291f434af88e8 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
28687b03128fbdd23a3f901297f523dfae2f82e3 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
97a98bed1ed479b1a23d8ae788020d8a6e081cf0 schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK cd54ac7c1cca509404b62e626a6291f434af88e8. I didn't verify the included test vectors match the BIP.
jonasnick:
ACK cd54ac7c1cca509404b62e626a6291f434af88e8
Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816
17fa21733aae97bf671fede3ce528c7a3b2f5f14 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
5fb336f9ce7d287015ada5d1d6be35d63469c9a4 ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14
jonasnick:
ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14
Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121
712e7f8722eba5dec2bc6b37d75aadeb6f6e633b Remove unused scratch space from API (Jonas Nick)
Pull request description:
Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff.
ACKs for top commit:
sipa:
ACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b
real-or-random:
utACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b
Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44
- secp256k1_scalar_cadd_bit
- secp256k1_modinvXX_normalize_YY
- secp256k1_modinvXX_divsteps_ZZ
- ECMULT_CONST_TABLE_GET_GE
Even though those code locations are not problematic right now
(with current compilers).
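The "volatile trick" referred to by the two ct commits and by the list of code locations above, as an added example that is not libsecp256k1 code: a constructed 32-bit modulus TOY_N stands in for the group order, and ct_cmov, ct_cond_negate and ct_cadd_bit are illustrative names rather than the library's functions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy modulus standing in for the secp256k1 group order n; the real
 * scalar is 256 bits wide and spread over 4 or 8 limbs, but the masking idiom is
 * the same. This is example code, not libsecp256k1's. */
#define TOY_N 0xFFFFFFFBu   /* 2^32 - 5 */

/* All-ones mask iff a != 0, with no data-dependent branch. */
static uint32_t ct_nonzero_mask(uint32_t a) {
    return 0u - ((a | (0u - a)) >> 31);
}

/* flag ? b : a for flag in {0,1}. Reading flag back through a volatile copy is the
 * "volatile trick": the optimizer loses track of where the value came from and is
 * far less likely to rewrite the mask arithmetic into a conditional branch. */
static uint32_t ct_cmov(uint32_t a, uint32_t b, int flag) {
    volatile int vflag = flag;
    uint32_t mask = 0u - (uint32_t)vflag;   /* 0x00000000 or 0xFFFFFFFF */
    return a ^ (mask & (a ^ b));
}

/* Conditional negation mod N for a in [0, N): flag ? (N - a) mod N : a.
 * The a == 0 case is folded in by masking instead of by a branch. */
static uint32_t ct_cond_negate(uint32_t a, int flag) {
    volatile int vflag = flag;
    uint32_t mask = 0u - (uint32_t)vflag;
    uint32_t neg = (TOY_N - a) & ct_nonzero_mask(a);
    return a ^ (mask & (a ^ neg));
}

/* Conditionally add 2^bit (bit < 32) to a in [0, N), reduced mod N. The addend is
 * built from the volatile copy so that flag == 0 contributes exactly 0 without an if. */
static uint32_t ct_cadd_bit(uint32_t a, unsigned bit, int flag) {
    volatile int vflag = flag;
    uint64_t sum = (uint64_t)a + ((uint64_t)(uint32_t)vflag << bit);   /* < 2N */
    uint64_t diff = sum - TOY_N;            /* wraps (top bit set) iff sum < N */
    uint64_t keep = 0ULL - (diff >> 63);    /* all-ones iff no reduction is needed */
    return (uint32_t)((diff & ~keep) | (sum & keep));
}

int main(void) {
    uint32_t a = 7;
    printf("cmov  : %u %u\n", ct_cmov(a, 9, 0), ct_cmov(a, 9, 1));
    printf("negate: %u %u\n", ct_cond_negate(a, 0), ct_cond_negate(a, 1));
    printf("cadd  : %u %u\n", ct_cadd_bit(a, 4, 0), ct_cadd_bit(TOY_N - 1, 0, 1));
    return 0;
}
```

The volatile read is a precaution against the optimizer recognising the mask-select idiom and emitting a branch on the secret flag; it is not a guarantee, which is why the commit message speaks of being cautious. The generated assembly still has to be checked, for instance by reading the objdump output or by running the code under a valgrind-driven constant-time test of the kind the project uses.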
97c63b90390b0b11a5d3530b03855ec9cc0de343 Avoid normalize conditional on VERIFY (Pieter Wuille)
Pull request description:
In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
ACKs for top commit:
real-or-random:
utACK 97c63b90390b0b11a5d3530b03855ec9cc0de343 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
jonasnick:
ACK 97c63b90390b0b11a5d3530b03855ec9cc0de343
Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad5b94f989d5e2c6cdf9b2761a6f6a971e5 Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98346b0a50c0a77e93948fe5e21d9346d06 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c6b9d1c74d3636b4ef5b1e5404e3e2053b Abstract out verify logic for fe_half (Pieter Wuille)
283cd80ab471bccb995925eb55865f04e38566f4 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f035802047c45605bfa69fb467000e9288f Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
316764607257084e714898e07234fdc53150b57a Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5047c1d8dfb83b277421f11460f5126a03 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894bdd74c0b94224f2891c9f5501ac7a3b87a Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8e0347e090037ff1d30a22a9d614db8c9f Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab35082efe904cbb7ca5225134a1d3647e35388 Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6efbd5f8b4738c1c16daf73906d45c5f579 Abstract out verify logic for fe_mul (Pieter Wuille)
e179e651cbb20031905e01f37596e20ec2cb788a Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7ff570645304459242104406d6e1f79857c Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3445265767375383a5b68b5f61aeadefca Abstract out verify logic for fe_negate (Pieter Wuille)
144670893eccd84d638951f6c5bae43fc97e3c7b Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666aeb8db92b9171f4765f7d405b7b73d946 Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d2093e86fedca676dbbe59b50bdcf8c599704 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c6dd2741853de4631881d77ae38a14cd23 Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d672d78315e7269fd3743eadae6428468e Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8616d02bd1c62376c1318be69c64eea982 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a4719adff20fa83511f946e4abbd4d8cda Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfeeeac4274bbeca7f8757a2ee73bdf03895 Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db491b4e1204fda5168174b235f9eefb56e Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371120bb85a397bf1caa73fd1c9b8405d35e Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f52254b93805350354567a944ca4d79ae2 Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9cb97f6c9313871c278ec73f209ef537a44 Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa51955592ccf4fb424a7a538372ad159e77293 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c51b2a47139d610bf686e09ae9f9d24001 Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
Pull request description:
Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
Fixes #1060.
ACKs for top commit:
jonasnick:
ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94
real-or-random:
ACK 7fc642fa25ad03ebd95cfe237b625dfb6dfdfa94
Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
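The split the PR description describes, with the magnitude/normalized bookkeeping owned by one verification layer that dispatches to a separate implementation layer, as an added example that is not libsecp256k1 code: the toy_fe type, the 32-bit prime TOY_P, the magnitude cap TOY_MAX_MAGNITUDE and every toy_fe_* function are constructed for illustration, and the invariant used (v <= 2 * magnitude * TOY_P) is a simplification of the limb bounds the real field implementations track.

```c
#include <stdint.h>
#include <stdlib.h>
/* On by default; building with VERIFY undefined makes every verify call a no-op, as in the library. */
#ifndef VERIFY
#define VERIFY 1
#endif
/* Constructed toy field: residues mod a 32-bit prime, kept unreduced in a uint64_t (not library code). */
#define TOY_P 0xFFFFFFFBULL     /* 2^32 - 5 */
#define TOY_MAX_MAGNITUDE 32    /* 2 * 32 * TOY_P still fits in 64 bits */

typedef struct {
    uint64_t v;
#ifdef VERIFY
    int magnitude;   /* how unreduced v may be: v <= 2 * magnitude * TOY_P */
    int normalized;  /* 1 iff v < TOY_P; implies magnitude <= 1 */
#endif
} toy_fe;

/* Implementation layer: arithmetic only, no knowledge of the bookkeeping. */
static void toy_fe_impl_add(toy_fe *r, const toy_fe *a) { r->v += a->v; }
static void toy_fe_impl_negate(toy_fe *r, const toy_fe *a, int m) {
    r->v = 2ULL * (uint64_t)(m + 1) * TOY_P - a->v;   /* >= 0 when magnitude(a) <= m */
}
static void toy_fe_impl_normalize(toy_fe *r) { r->v %= TOY_P; }

/* Verification layer: 1 iff the element satisfies the invariants it claims. */
static int toy_fe_verify(const toy_fe *a) {
#ifdef VERIFY
    if (a->magnitude < 0 || a->magnitude > TOY_MAX_MAGNITUDE) return 0;
    if (a->normalized && (a->magnitude > 1 || a->v >= TOY_P)) return 0;
    if (a->v > 2ULL * (uint64_t)a->magnitude * TOY_P) return 0;
#else
    (void)a;
#endif
    return 1;
}
static void toy_fe_check(const toy_fe *a) { if (!toy_fe_verify(a)) abort(); }

/* Public layer: check inputs, dispatch to the impl, update the bookkeeping, re-check. */
static void toy_fe_set_int(toy_fe *r, uint32_t x) {
    r->v = x;
#ifdef VERIFY
    r->magnitude = 1;
    r->normalized = (x < TOY_P);
#endif
    toy_fe_check(r);
}
static void toy_fe_add(toy_fe *r, const toy_fe *a) {
    toy_fe_check(r); toy_fe_check(a);
    toy_fe_impl_add(r, a);
#ifdef VERIFY
    r->magnitude += a->magnitude;   /* the check below aborts if this exceeds the cap */
    r->normalized = 0;
#endif
    toy_fe_check(r);
}
static void toy_fe_negate(toy_fe *r, const toy_fe *a, int m) {
    toy_fe_check(a);
#ifdef VERIFY
    if (a->magnitude > m) abort();  /* caller promised magnitude(a) <= m */
#endif
    toy_fe_impl_negate(r, a, m);
#ifdef VERIFY
    r->magnitude = m + 1;
    r->normalized = 0;
#endif
    toy_fe_check(r);
}
static void toy_fe_normalize(toy_fe *r) {
    toy_fe_check(r);
    toy_fe_impl_normalize(r);
#ifdef VERIFY
    r->magnitude = 1;
    r->normalized = 1;
#endif
    toy_fe_check(r);
}

/* add -> negate -> normalize; returns the final value, or 0 if the final bookkeeping is wrong. */
static uint64_t toy_fe_demo(void) {
    toy_fe a, b;
    toy_fe_set_int(&a, 5);
    toy_fe_set_int(&b, 0xFFFFFFFA);   /* TOY_P - 1 */
    toy_fe_add(&a, &b);               /* v = P + 4, magnitude 2, not normalized */
    toy_fe_negate(&a, &a, 2);         /* v = 6P - (P + 4) = 5P - 4, magnitude 3 */
    toy_fe_normalize(&a);             /* v = P - 4, magnitude 1, normalized */
#ifdef VERIFY
    return (a.magnitude == 1 && a.normalized) ? a.v : 0;
#else
    return a.v;
#endif
}
/* 1 iff an element that falsely claims to be normalized is rejected by the verifier. */
static int toy_fe_rejects_false_claim(void) {
    toy_fe x;
    toy_fe_set_int(&x, 1);
    x.v = TOY_P;                      /* now >= P, but still flagged normalized */
    return !toy_fe_verify(&x);
}
```

The point of the layering is that a new field implementation only has to supply toy_fe_impl_* style arithmetic; the magnitude arithmetic (add sums magnitudes, negate needs an upper bound m on its input and yields m + 1, normalize resets to 1) is written and reasoned about once, and a mismatch such as a constant declared with the wrong magnitude or normalized flag is caught by the checks instead of silently propagating.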
bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae456c7ae60e92ddc354071f21fb6aa62 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722ac93ca66d1beb0d2f2d2469b95aafea Add invariant checking to group elements (Pieter Wuille)
a18821d5b1d44db0e7c8335f338cc9876bec98cb Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90acd9d61c5b38e862877fdeacaff74a50 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4da3788758bb3fdae66c7ae262dbf224 Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
real-or-random:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19