Commit Graph

1411 Commits

Author SHA1 Message Date
Tim Ruffing
dceaa1f579 int128: Tidy #includes of int128.h and int128_impl.h
After this commit, int128.h and int128_impl.h are included as follows:
 - .c files which use int128 include int128_impl.h (after util.h)
 - .h files which use int128 include int128.h (after util.h)

This list is exhaustive. util.h needs to included first because it sets
up necessary #defines.
2022-11-07 16:38:30 -05:00
Russell O'Connor
2914bccbc0 Simulated int128 type. 2022-11-07 16:37:24 -05:00
Tobin C. Harding
6a965b6b98 Remove usage of CHECK from non-test file
Currently CHECK is used only in test and bench mark files except for one
usage in `ecmult_impl.h`.

We would like to move the definition of CHECK out of `util.h` so that
`util.h` no longer has a hard dependency on `stdio.h`.

Done in preparation for moving the definition of `CHECK` as part of an
effort to allow secp256k1 to be compiled to WASM as part of
`rust-secp256k1`.
2022-11-08 07:29:52 +11:00
Jesse Posner
dd83e72d52 Add ordinary tweak info 2022-09-01 22:39:34 -07:00
Jesse Posner
d26100cab2 Exclude nonce_process from pre-processing steps 2022-09-01 22:39:22 -07:00
Jesse Posner
b7607f93f2 Fix reference to xonly_tweak_add 2022-09-01 22:38:03 -07:00
Jonas Nick
f7e9a8544f Merge elementsproject/secp256k1-zkp#201: rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
6b6ced9839 rangeproof: add more max_size tests (Jonas Nick)
34876ecb5f rangeproof: add more static test vectors (Jonas Nick)
310e517061 rangeproof: add a bunch more testing (Andrew Poelstra)
f1410cb67a rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size (Andrew Poelstra)

Pull request description:

ACKs for top commit:
  real-or-random:
    tACK 6b6ced9839
  jonasnick:
    ACK 6b6ced9839

Tree-SHA512: 421dfb0824f67f3822be729dc7f11e4654a21e32e3a6c5565e09b191ec57710b33a73c3d09c08f1d767d769f0957006ac257eabe00a2f37f88b99377644e8741
2022-08-25 20:21:47 +00:00
Jonas Nick
6b6ced9839 rangeproof: add more max_size tests 2022-08-25 14:26:02 +00:00
Jonas Nick
34876ecb5f rangeproof: add more static test vectors
Fixes #42
2022-08-25 14:26:02 +00:00
Andrew Poelstra
310e517061 rangeproof: add a bunch more testing
Add two new fixed rangeproof vectors; check that various extracted
values are correct; add a test for creating and verifying single-value
proofs.
2022-08-25 14:26:02 +00:00
Andrew Poelstra
f1410cb67a rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.

There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
2022-08-25 14:26:00 +00:00
Jonas Nick
0202d839fb Merge elementsproject/secp256k1-zkp#199: surjectionproof: make sure that n_used_pubkeys > 0 in generate
5ac8fb035e surjectionproof: make sure that n_used_pubkeys > 0 in generate (Jonas Nick)

Pull request description:

ACKs for top commit:
  apoelstra:
    utACK 5ac8fb035e

Tree-SHA512: 915f7181e69e2c4e1f830d6c2620a2d9b0af4d2ae8a63709b489b01ed9e13ccfeeaedebd4680cf2d927cd473a6ae88602cf29e2fdd116cb597fba6c0ab77720d
2022-08-18 19:54:00 +00:00
Jonas Nick
5ac8fb035e surjectionproof: make sure that n_used_pubkeys > 0 in generate
If the proof was generated with surjectionproof_initialize (as mandated by the
API docs), then n_used_pubkeys can never be 0. Without this commit, compilers
will (rightfully) warn that borromean_s[ring_input_index] is not initialized in
surjectionproof_generate. Therefore, this commit makes sure that n_used_pubkeys
is greater than 0 which ensures that the array is initialized at
ring_input_index.
2022-08-15 20:01:39 +00:00
Andrew Poelstra
5a40f3d99b replace memcmp with secp256k1_memcmp_var throughout the codebase
memcmp only appears in -zkp-specific modules. Fix those.
2022-08-10 22:14:31 +00:00
Andrew Poelstra
92820d944b rangeproof: add a test for all-zero blinding factors 2022-08-10 22:10:33 +00:00
Andrew Poelstra
347f96d94a fix include paths in all the -zkp modules
This is causing out-of-tree build failures in Elements.
2022-08-05 14:56:10 +00:00
Andrew Poelstra
d1175d265d surjectionproof: use secp256k1_memcmp_var rather than bare memcmp
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
2022-07-29 21:04:04 +00:00
Andrew Poelstra
bf18ff5a8c surjectionproof: fix generation to fail when any input == the output
Verification will fail in this case, so don't "succeed" in generating a bad proof.
2022-07-26 17:14:49 +00:00
Andrew Poelstra
4ff6e4274d surjectionproof: add test for existing behavior on input=output proofs 2022-07-26 17:09:36 +00:00
Jon Griffiths
db648478c3 extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation
OpenBSD defines swap64 in <endian.h>.
2022-07-18 12:29:54 +12:00
Jonas Nick
3efeb9da21 Merge bitcoin-core/secp256k1#1121: config: Set preprocessor defaults for ECMULT_* config values
c27ae45144 config: Remove basic-config.h (Tim Ruffing)
da6514a04a config: Introduce DEBUG_CONFIG macro for debug output of config (Tim Ruffing)
d0cf55e13a config: Set preprocessor defaults for ECMULT_* config values (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK c27ae45144
  hebasto:
    ACK c27ae45144, I have reviewed the code and it looks correct.
  jonasnick:
    ACK c27ae45144

Tree-SHA512: 56b0f384bd9f42cf7c903bec08f4807db1415ddf9a06676dfe1e638e4d02431c522ef0422585e85429074e0dbb51da4f400cf53e8f883d6e07122731c57be1e3
2022-07-11 12:14:25 +00:00
Jonas Nick
6a873cc4a9 Merge bitcoin-core/secp256k1#1122: tests: Randomize the context with probability 15/16 instead of 1/4
17065f48ae tests: Randomize the context with probability 15/16 instead of 1/4 (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 17065f48ae
  jonasnick:
    ACK 17065f48ae

Tree-SHA512: 3b7005770007b922a294be610f23da60b0dde74dfd7585d64a2cb04eaa6ec879de8d21a0ade31c1857019a8dd97260fa3aa167ae16fc55027ef280a3e3feaa6d
2022-07-11 11:21:57 +00:00
Tim Ruffing
17065f48ae tests: Randomize the context with probability 15/16 instead of 1/4 2022-07-08 18:45:32 +02:00
Tim Ruffing
c27ae45144 config: Remove basic-config.h
It's unused and thus potentially confusing.
2022-07-07 20:32:18 +02:00
Tim Ruffing
da6514a04a config: Introduce DEBUG_CONFIG macro for debug output of config 2022-07-07 20:32:08 +02:00
Tim Ruffing
d0cf55e13a config: Set preprocessor defaults for ECMULT_* config values
This simplifies manual builds and solves one item in #929.
2022-07-06 15:07:57 +02:00
Tim Ruffing
55f8bc99dc ecmult_gen: Improve comments about projective blinding
Whenever I read this code, I first think that rescaling ctx->initial is
a dead store because we overwrite it later with gb. But that's wrong.
The rescaling blinds the computation of gb and affects its result.
2022-07-05 19:28:09 +02:00
Tim Ruffing
7a86955800 ecmult_gen: Simplify code (no observable change) 2022-07-05 19:28:09 +02:00
Tim Ruffing
4cc0b1b669 ecmult_gen: Skip RNG when creating blinding if no seed is available
Running the RNG is pointless if no seed is available because the key
will be fixed. The computation just wastes time.

Previously, users could avoid this computation at least by asking for
a context without signing capabilities. But since 3b0c218 we always
build an ecmult_gen context, ignoring the context flags. Moreover,
users could never avoid this pointless computation when asking for
the creation of a signing context.
2022-07-05 19:27:47 +02:00
Tim Ruffing
40a3473a9d build: Fix #include "..." paths to get rid of further -I arguments
This simplifies building without a build system.

This is in line with #925; the paths fixed here were either forgotten
there or only introduced later. This commit also makes the Makefile
stricter so that further "wrong" #include paths will lead to build
errors even in autotools builds.

This belongs to #929.

Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
2022-07-01 15:03:35 +02:00
henopied
069aba8125 Fix sepc256k1 -> secp256k1 typo in group.h 2022-06-29 20:08:47 -05:00
Jonas Nick
accadc94df Merge bitcoin-core/secp256k1#1114: _scratch_destroy: move VERIFY_CHECK after invalid scrach space check
1827c9bf2b scratch_destroy: move VERIFY_CHECK after invalid scrach space check (siv2r)

Pull request description:

ACKs for top commit:
  sipa:
    utACK 1827c9bf2b
  jonasnick:
    ACK 1827c9bf2b

Tree-SHA512: 5c4f97ca16f46380b30d1d077a54e25eab21efb10e0ce3ca27e7f73a2318d130f0f0773e26b2fdfc8f9d98c1334880f9d80a51b0941be3ba0af2b656b7c0ea7e
2022-06-29 20:32:00 +00:00
Jonas Nick
cd47033335 Merge bitcoin-core/secp256k1#1084: ci: Add MSVC builds
49e2acd927 configure: Improve rationale for WERROR_CFLAGS (Tim Ruffing)
8dc4b03341 ci: Add a C++ job that compiles the public headers without -fpermissive (Tim Ruffing)
51f296a46c ci: Run persistent wineserver to speed up wine (Tim Ruffing)
3fb3269c22 ci: Add 32-bit MinGW64 build (Tim Ruffing)
9efc2e5221 ci: Add MSVC builds (Tim Ruffing)
2be6ba0fed configure: Convince autotools to work with MSVC's archiver lib.exe (Tim Ruffing)
bd81f4140a schnorrsig bench: Suppress a stupid warning in MSVC (Tim Ruffing)
09f3d71c51 configure: Add a few CFLAGS for MSVC (Tim Ruffing)
3b4f3d0d46 build: Reject C++ compilers in the preprocessor (Tim Ruffing)
1cc0941414 configure: Don't abort if the compiler does not define __STDC__ (Tim Ruffing)
cca8cbbac8 configure: Output message when checking for valgrind (Tim Ruffing)
1a6be5745f bench: Make benchmarks compile on MSVC (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 49e2acd927

Tree-SHA512: 986c498fb218231fff3519167d34a92e11dea6a4383788a9723be105c20578cd483c6b06ba5686c6669e3a02cfeebc29b8e5f1428552ebf4ec67fa7a86957548
2022-06-29 15:39:28 +00:00
siv2r
1827c9bf2b scratch_destroy: move VERIFY_CHECK after invalid scrach space check 2022-06-29 20:24:11 +05:30
Tim Ruffing
bd81f4140a schnorrsig bench: Suppress a stupid warning in MSVC 2022-06-29 11:05:40 +02:00
Tim Ruffing
8b013fce51 Merge bitcoin-core/secp256k1#1056: Save negations in var-time group addition
2f984ffc45 Save negations in var-time group addition (Peter Dettman)

Pull request description:

  - Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
  - 2 fewer _fe_negate in each method
  - Updated operation counts and standardize layout
  - Added internal benchmark for _gej_add_zinv_var

  benchmark_internal shows about 2% speedup in each method as a result (64bit).

ACKs for top commit:
  real-or-random:
    ACK 2f984ffc45
  jonasnick:
    ACK 2f984ffc45

Tree-SHA512: 01366fa23c83a8dd37c9a0a24e0acc53ce38a201607fe4da6672ea5618d82c62d1299f0e0aa50317883821539af739ea52b6561faff230c148e6fdc5bc5af30b
2022-04-16 12:58:57 +02:00
Jonas Nick
510b61a803 musig: add test vectors for applying multiple tweaks 2022-04-04 21:38:46 +00:00
Jonas Nick
8298c0c79b Merge commits 'c8aa516b 0a40a486 d8a24632 85b00a1c 59547943 5dcc6f8d 07752831 3ef94aa5 1253a277 64b34979 ac83be33 0e5cbd01 e0508ee9 587239db 1ac7e31c d0ad5814 912b7ccc 8746600e ' into temp-merge-1093
Revert: util: Remove endianness detection
2022-03-30 15:00:03 +00:00
Peter Dettman
2f984ffc45 Save negations in var-time group addition
- Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
- 2 fewer _fe_negate in each method
- Updated operation counts and standardize layout
- Added internal benchmark for _gej_add_zinv_var
- Update sage files (fixed by Tim Ruffing)
2022-03-28 23:40:55 +07:00
Tim Ruffing
37d36927df tests: Add tests for _read_be32 and _write_be32 2022-03-26 10:26:53 +01:00
Tim Ruffing
616b43dd3b util: Remove endianness detection 2022-03-25 11:32:22 +01:00
Tim Ruffing
8d89b9e6e5 hash: Make code agnostic of endianness
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).

Fixes #1080.
2022-03-25 11:32:14 +01:00
Tim Ruffing
1ac7e31c5b Merge bitcoin-core/secp256k1#1089: Schnorrsig API improvements
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)

Pull request description:

  Should be merged before #995 if we want this.

  I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.

ACKs for top commit:
  sipa:
    utACK b8f8b99f0f
  jonasnick:
    ACK b8f8b99f0f

Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
2022-03-25 00:15:15 +01:00
Tim Ruffing
f8d9174357 Add SHA256 bit counter tests 2022-03-23 16:33:44 +01:00
Jonas Nick
eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec
Also rename internal_key_parity -> parity_acc because the former is
confusing.
2022-03-21 22:10:24 +00:00
Jonas Nick
57eb6b4167 musig-spec: move description of secret key negation to spec
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
2022-03-21 22:10:24 +00:00
Tim Ruffing
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate 2022-03-17 22:41:36 +01:00
Tim Ruffing
3b4f3d0d46 build: Reject C++ compilers in the preprocessor 2022-03-17 22:32:24 +01:00
Tim Ruffing
1a6be5745f bench: Make benchmarks compile on MSVC 2022-03-16 16:36:29 +01:00
Tim Ruffing
9b514ce1d2 Add test vector for very long SHA256 messages
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.

```
h = hashlib.sha256()
for i in range(1_000_000):
    h.update(b'a')
print(h.hexdigest())
```
2022-03-07 12:54:13 +01:00