Commit Graph

1411 Commits

Author SHA1 Message Date
Hennadii Stepanov
5468d70964 build: Add CMake-based build system
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
2023-03-08 13:33:16 +00:00
Tim Ruffing
6048e6c03e Merge bitcoin-core/secp256k1#1222: Remove redundant checks.
5d8f53e312 Remove redudent checks. (Russell O'Connor)

Pull request description:

  These abs checks are implied by the subsequent line, and with the subsequent line written as it is, no underflow is possible with signed integers.

  Follows up on https://github.com/bitcoin-core/secp256k1/pull/1218.

ACKs for top commit:
  sipa:
    utACK 5d8f53e312
  real-or-random:
    ACK 5d8f53e312

Tree-SHA512: ddd6758638fe634866fdaf900224372e2e51cb81ef4d024f169fbc39fff38ef1b29e90e0732877e8910158b82bc428ee9c3a4031882c2850b22ad87cc63ee305
2023-03-08 14:18:44 +01:00
Russell O'Connor
5d8f53e312 Remove redudent checks.
These abs checks are implied by the subsequent line, and with the subsequent line written as it is, no underflow is possible with signed integers.
2023-03-07 09:10:36 -05:00
Jonas Nick
9d1b458d5f Merge bitcoin-core/secp256k1#1217: Add secp256k1_fe_add_int function
b081f7e4cb Add secp256k1_fe_add_int function (Pieter Wuille)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b081f7e4cb
  real-or-random:
    utACK b081f7e4cb

Tree-SHA512: daf9956c81a328505faee7fb59d29ec0c5a326bce7c48159a8e0ed7590505b430785d750d0c34f152b9119ad130030063be999da0c2035747a27fe501e77560a
2023-03-07 14:08:05 +00:00
Russell O'Connor
2ef1c9b387 Update overflow check
One does not simply check for integer overlow.
2023-03-06 18:13:47 -05:00
Tim Ruffing
d23c23e24d musig: Update to BIP v1.0.0-rc.4 (Check pubnonce in NonceGen vectors) 2023-03-03 22:31:28 +01:00
Jonas Nick
a1ec2bb67b musig: add test for signing with wrong secnonce for a keypair 2023-03-03 12:55:00 +00:00
Jonas Nick
bd57a017aa musig: include pubkey in secnonce and compare when signing 2023-03-03 12:55:00 +00:00
Pieter Wuille
b081f7e4cb Add secp256k1_fe_add_int function 2023-03-02 17:09:25 -05:00
Tim Ruffing
4f57024d86 Merge ElementsProject/secp256k1-zkp#211: Update musig module to BIP MuSig2 v1.0.0-rc.3
b43dd83b43 musig: add missing static keyword to function (Jonas Nick)
068e6a036a musig: add test vectors from BIP MuSig (Jonas Nick)
36621d13be musig: update to BIP v1.0.0-rc.2 "Add ''pk'' arg to ''NonceGen''" (Jonas Nick)
d717a4980b musig: update to BIP v0.8 "Switch from X-only to plain pk inputs." (Jonas Nick)
304f1bc96d extrakeys: add pubkey_sort test vectors from BIP MuSig2 (Jonas Nick)
ae89051547 extrakeys: replace xonly_sort with pubkey_sort (Jonas Nick)
98242fcdd9 extrakeys: add secp256k1_pubkey_cmp (Jonas Nick)
73d5b6654d musig: update to BIP v0.7.0 (NonceGen) (Jonas Nick)
060887e9d7 musig: update to BIP v0.5.1 "Rename ordinary tweaking to plain" (Jonas Nick)
cbe2815633 musig: update to BIP v0.4 "Allow the output of NonceAgg to be inf" (Jonas Nick)
206017d67d musig: update to BIP v0.3 (NonceGen) (Jonas Nick)
d800dd55db musig: remove test vectors (Jonas Nick)

Pull request description:

  Version 1.0.0-rc.3 of BIP MuSig2 can be found [here](https://github.com/jonasnick/bips/pull/75). This PR does _not_ implement the following optional features that have been added to BIP MuSig2:

  - variable length messages
  - deterministic signing
  - identifiable aborts

  The PR also does _not_ yet change the `secnonce` structure to also contain the signer's public key (which would also imply changing the seckey argument in `sign` to a keypair). Additionally, we may want to rename some things in the future to be more consistent with the BIP (e.g. keyagg_cache vs. keyagg_ctx, applytweak vs. tweak_add).

ACKs for top commit:
  ariard:
    Light Code Review ACK b43dd83b, mostly looks on how the user API will make sense for Lightning, thanks for the answers!
  real-or-random:
    ACK b43dd83b43

Tree-SHA512: 9b1410951b55a1b0e6590b8c302052996d1fb6d9771765498b4282ff68b44ab0d6add8144c9330217b682ec5a93508b5546099db9a1f2c865f99253010dd76f4
2023-03-02 15:24:50 +01:00
Pieter Wuille
6be01036c8 Add secp256k1_fe_is_square_var function
The implementation calls the secp256k1_modinvNN_jacobi_var code, falling back
to computing a square root in the (extremely rare) case it failed converge.
2023-02-28 15:57:32 -05:00
Pieter Wuille
1de2a01c2b Native jacobi symbol algorithm
This introduces variants of the divsteps-based GCD algorithm used for
modular inverses to compute Jacobi symbols. Changes compared to
the normal vartime divsteps:
* Only positive matrices are used, guaranteeing that f and g remain
  positive.
* An additional jac variable is updated to track sign changes during
  matrix computation.
* There is (so far) no proof that this algorithm terminates within
  reasonable amount of time for every input, but experimentally it
  appears to almost always need less than 900 iterations. To account
  for that, only a bounded number of iterations is performed (1500),
  after which failure is returned. In VERIFY mode a lower iteration
  count is used to make sure that callers exercise their fallback.
* The algorithm converges to f=g=gcd(f0,g0) rather than g=0. To keep
  this test simple, the end condition is f=1, which won't be reached
  if started with non-coprime or g=0 inputs. Because of that we only
  support coprime non-zero inputs.
2023-02-28 15:54:00 -05:00
Pieter Wuille
04c6c1b181 Make secp256k1_modinv64_det_check_pow2 support abs val 2023-02-27 15:38:05 -05:00
Pieter Wuille
5fffb2c7af Make secp256k1_i128_check_pow2 support -(2^n) 2023-02-27 15:38:05 -05:00
Pieter Wuille
1b21aa5175 Merge bitcoin-core/secp256k1#1078: group: Save a normalize_to_zero in gej_add_ge
e089eecc1e group: Further simply gej_add_ge (Tim Ruffing)
ac71020ebe group: Save a normalize_to_zero in gej_add_ge (Tim Ruffing)

Pull request description:

  As discovered  by sipa in #1033.

  See commit message for reasoning but note that the infinity handling will be replaced in the second commit again.

ACKs for top commit:
  sipa:
    ACK e089eecc1e
  apoelstra:
    ACK e089eecc1e

Tree-SHA512: fb1b5742e73dd8b2172b4d3e2852490cfd626e8673b72274d281fa34b04e9368a186895fb9cd232429c22b14011df136f4c09bdc7332beef2b3657f7f2798d66
2023-02-14 14:55:46 -05:00
Jonas Nick
d7fb25c8ca Make sure that bppp_log2 isn't called with value 0
Author:    Jonas Nick <jonasd.nick@gmail.com>
Date:      Thu Feb 9 21:31:43 2023 +0000
2023-02-13 23:53:36 -08:00
sanket1729
e5a01d12c6 Rename buletproof_pp* to bppp* 2023-02-13 22:16:17 -08:00
Jonas Nick
c983186872 transcript: add tests 2023-02-13 22:15:47 -08:00
Jonas Nick
73edc75528 norm arg: add verification vectors
norm arg: add verify test vector with vector size > 1
2023-02-13 22:15:47 -08:00
Jonas Nick
13ad32e814 norm arg: add tests for zero length and zero vectors 2023-02-13 22:15:47 -08:00
sanket1729
2574516483 Add testcases for bulletproofs++ norm arugment 2023-02-13 22:15:47 -08:00
sanket1729
46c7391154 Add norm argument verify API 2023-02-13 22:15:46 -08:00
Jonas Nick
b43dd83b43 musig: add missing static keyword to function 2023-02-13 14:03:51 +00:00
Jonas Nick
068e6a036a musig: add test vectors from BIP MuSig 2023-02-13 14:03:51 +00:00
Jonas Nick
36621d13be musig: update to BIP v1.0.0-rc.2 "Add ''pk'' arg to ''NonceGen''" 2023-02-13 14:03:51 +00:00
Jonas Nick
d717a4980b musig: update to BIP v0.8 "Switch from X-only to plain pk inputs." 2023-02-13 14:03:51 +00:00
Jonas Nick
304f1bc96d extrakeys: add pubkey_sort test vectors from BIP MuSig2 2023-02-13 14:03:51 +00:00
Jonas Nick
ae89051547 extrakeys: replace xonly_sort with pubkey_sort 2023-02-13 14:03:51 +00:00
Jonas Nick
98242fcdd9 extrakeys: add secp256k1_pubkey_cmp 2023-02-13 14:03:51 +00:00
Jonas Nick
73d5b6654d musig: update to BIP v0.7.0 (NonceGen)
- 0.7.0: Change ''NonceGen'' such that output when message is not present is different from when message is present but has length 0.
- 0.6.0: Change order of arguments and serialization of the message in the ''NonceGen'' hash function
2023-02-13 14:03:51 +00:00
Jonas Nick
060887e9d7 musig: update to BIP v0.5.1 "Rename ordinary tweaking to plain" 2023-02-13 14:03:51 +00:00
sanket1729
d9145455bb Add bulletproofs++ norm argument prove API 2023-02-08 13:07:05 -08:00
sanket1729
8638f0e0ce Add internal BP++ commit API 2023-02-08 13:07:05 -08:00
sanket1729
412f8f66a0 Add utility functions required in norm argument 2023-02-08 03:09:11 -08:00
sanket1729
420353d7da Add utilities for log2 2023-02-08 03:09:11 -08:00
sanket1729
17417d44f3 Add utilities from uncompressed Bulletproofs PR
Add a transcript module for doing a generic Fiat Shamir
2023-02-08 03:09:11 -08:00
Andrew Poelstra
48563c8c79 bulletproofs: add API functionality to generate a large set of generators 2023-02-08 03:09:11 -08:00
Andrew Poelstra
048f9f8642 bulletproofs: add new empty module 2023-02-08 03:09:11 -08:00
Andrew Poelstra
6162d577fe generator: cleanups in Pedersen/generator code
Silence a compiler warning about an unitialized use of a scalar in case
the user tries to provide a 0-length list of commitments.

Also ensures that commitments have normalized field elements when they
are loaded into ges.
2023-02-08 03:09:11 -08:00
Tim Ruffing
ca92a35d01 field: Simplify code in secp256k1_fe_set_b32 2023-02-01 12:29:34 +01:00
Tim Ruffing
d93f62e369 field: Verify field element even after secp256k1_fe_set_b32 fails 2023-02-01 12:29:03 +01:00
Andrew Poelstra
0a6006989f Revert "Remove unused scalar_sqr"
This reverts commit 5437e7bdfb.
2023-01-23 10:18:21 -08:00
Andrew Poelstra
87373f5145 MOVE ONLY: move Pedersen commitment stuff to generator module from rangeproof module
You can verify this commit with `git diff --color-moved=zebra`
2023-01-23 10:18:21 -08:00
Jonas Nick
cbe2815633 musig: update to BIP v0.4 "Allow the output of NonceAgg to be inf" 2023-01-23 09:36:46 +00:00
Jonas Nick
206017d67d musig: update to BIP v0.3 (NonceGen)
- 0.3.0: Hash i - 1 instead of i in NonceGen
- 0.2.0: Change order of arguments in NonceGen hash function
2023-01-23 09:36:45 +00:00
Jonas Nick
d800dd55db musig: remove test vectors
These vectors are superseded by test vectors in BIP MuSig2 which will be added
in a later commit.
2023-01-23 09:36:45 +00:00
Jonas Nick
eb6bebaee3 scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs
VERIFY_CHECK(r1 != r2) is added because otherwise the verify_scalar_split fails.
2023-01-19 21:14:38 +00:00
Jonas Nick
620ba3d74b benchmarks: fix bench_scalar_split
scalar_split_lambda requires that the input pointer is different to both output
pointers. Without this fix, the internal benchmarks crash when compiled with
-DVERIFY.

This was introduced in commit 362bb25608 (which
requires configuring with --enable-endomorphism to exhibit the crash).
2023-01-19 18:12:31 +00:00
Pieter Wuille
5fbff5d348 Merge bitcoin-core/secp256k1#1170: contexts: Forbid destroying, cloning and randomizing the static context
e39d954f11 tests: Add CHECK_ILLEGAL(_VOID) macros and use in static ctx tests (Tim Ruffing)
61841fc9ee contexts: Forbid randomizing secp256k1_context_static (Tim Ruffing)
4b6df5e33e contexts: Forbid cloning/destroying secp256k1_context_static (Tim Ruffing)

Pull request description:

  As discussed in #1126.

  For randomization, this has a history. Initially, this threw the illegal callback but then we changed it to be a no-op on non-signing contexts: 6198375218 But this was with (non-static) none/verification contexts in mind, not with the static context. If we anyway forbid cloning the static context, you should never a way to randomize a copy of the static context. (You need a copy because the static context itself is not writable. But you cannot obtain a copy except when using memcpy etc.)

ACKs for top commit:
  sipa:
    utACK e39d954f11
  apoelstra:
    ACK e39d954f11

Tree-SHA512: dc804b15652d536b5d67db7297ac0e65eab3a64cbb35a9856329cb87e7ea0fe8ea733108104b3bba580077fe03d6ad6b161c797cf866a74722bab7849f0bb60c
2023-01-19 13:04:18 -05:00
Pieter Wuille
233822d849 Merge bitcoin-core/secp256k1#1195: ctime_tests: improve output when CHECKMEM_RUNNING is not defined
8f51229e03 ctime_tests: improve output when CHECKMEM_RUNNING is not defined (Jonas Nick)

Pull request description:

  When seeing the output
  ```
  Unless compiled under msan, this test can only usefully be run inside valgrind.
  ```
  I thought that I would have to go back to the `configure` output to manually check if it was compiled under memsan to determine whether this test can be usefully run outside valgrind. But when we go into this branch then it was definitely not compiled under msan, which means that we can make the output clearer.

ACKs for top commit:
  sipa:
    utACK 8f51229e03
  real-or-random:
    utACK 8f51229e03

Tree-SHA512: a4953a158b1375d8fc3a2ee29e7014c5399becf5f75ffd3765c0141861e092fbc120003e00dfd25ec54b92a466e133377b96d5a9f4017c100aaf64fb9a045df1
2023-01-19 11:00:16 -05:00