7b92cf66c7  2014-12-03 21:21:42 +01:00  Pieter Wuille
    Merge pull request #132

    efb7d4b Use constant-time conditional moves instead of byte slicing (Pieter Wuille)

29ae1310ce  2014-12-03 18:54:01 +01:00  Pieter Wuille
    Make scalar_add_bit test's overflow detection exact

9048def7c7  2014-12-03 18:10:52 +01:00  Pieter Wuille
    Avoid undefined shift behaviour

efb7d4b299  2014-12-03 02:41:55 +01:00  Pieter Wuille
    Use constant-time conditional moves instead of byte slicing

82f9254cc0  2014-12-02 18:35:33 +01:00  Pieter Wuille
    Fix typo

35399e08c4  2014-12-02 17:43:42 +01:00  Pieter Wuille
    Bugfix: b is restricted, not r

c35ff1ea44  2014-12-02 16:50:00 +01:00  Pieter Wuille
    Convert lambda splitter to pure scalar code.

    This enables the use of the endomorphism optimization without bignum.

cc604e9842  2014-12-02 16:50:00 +01:00  Peter Dettman
    Avoid division when decomposing scalars

    - In secp256k1_gej_split_exp, there are two divisions used. Since the denominator is a constant known at compile-time, each can be replaced by a multiplication followed by a right-shift (and rounding).
    - Add the constants g1, g2 for this purpose and rewrite secp256k1_scalar_split_lambda_var accordingly.
    - Remove secp256k1_num_div since no longer used

    Rebased-by: Pieter Wuille

ff8746d457  2014-12-02 16:50:00 +01:00  Pieter Wuille
    Add secp256k1_scalar_mul_shift_var

bd313f7d6e  2014-12-02 16:42:50 +01:00  Pieter Wuille
    Merge pull request #119

    597128d Make num optional (Pieter Wuille)
    659b554 Make constant initializers independent from num (Pieter Wuille)

276f987d70  2014-12-02 16:39:20 +01:00  Pieter Wuille
    Merge pull request #124

    4d4eeea Make secp256k1_fe_mul_inner use the r != property (Pieter Wuille)
    be82e92 Require that r and b are different for field multiplication. (Pieter Wuille)

24b3c65e0d  2014-12-01 14:45:05 +01:00  Pieter Wuille
    Add a test case for ECDSA recomputing infinity

32600e5086  2014-12-01 14:23:09 +01:00  Pieter Wuille
    Add a test for r >= order signature handling

    Suggested by Greg Maxwell.

4d4eeea4ac  2014-12-01 13:40:36 +01:00  Pieter Wuille
    Make secp256k1_fe_mul_inner use the r != property

    Suggested by Peter Dettman.

be82e92fc4  2014-12-01 13:40:34 +01:00  Pieter Wuille
    Require that r and b are different for field multiplication.

    Suggested by Peter Dettman, this prepares for slightly faster multiplication
    which writes results immediately to r before finishing reading b.

597128d389  2014-12-01 12:38:38 +01:00  Pieter Wuille
    Make num optional

659b554d7b  2014-12-01 12:38:38 +01:00  Pieter Wuille
    Make constant initializers independent from num

0af5b47133  2014-12-01 12:38:13 +01:00  Pieter Wuille
    Merge pull request #120

    e3d692f Explain why no y=0 check is necessary for doubling (Pieter Wuille)
    f7dc1c6 Optimize doubling: secp256k1 has no y=0 point (Pieter Wuille)

c76be9efa0  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Remove unused num functions

4285a98722  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Move lambda-splitting code to scalar.

    It's not really an operation on group elements.

f24041d6aa  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Switch all EC/ECDSA logic from num to scalar

6794be6080  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Add scalar splitting functions

    Which currently delegate to the lambda-splitter in group.

d1502eb459  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Add secp256k1_scalar_inverse_var which delegates to GMP

b5c9ee756f  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Make test_point_times_order test meaningful again

    As wnaf splitting is scalar based, multiplying with the order directly
    would be reduced to multiplication with zero before even converting to
    wnaf.

0b73059709  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Switch wnaf splitting from num-based to scalar-based

1e6c77c321  2014-11-30 23:38:01 +01:00  Pieter Wuille
    Generalize secp256k1_scalar_get_bits

5213207856  2014-11-30 23:37:58 +01:00  Pieter Wuille
    Add secp256k1_scalar_add_bit

6e0528785d  2014-11-29 10:57:50 +01:00  Pieter Wuille
    Do signature recovery/verification with 4 possible recid case

e3d692ff75  2014-11-28 22:18:50 +01:00  Pieter Wuille
    Explain why no y=0 check is necessary for doubling

    Explanation suggested by Greg Maxwell.

f7dc1c6513  2014-11-28 22:18:30 +01:00  Pieter Wuille
    Optimize doubling: secp256k1 has no y=0 point

2a54f9bcee  2014-11-28 16:39:36 +01:00  Pieter Wuille
    Correct typo in comment

3ce74b1266  2014-11-26 23:45:49 +01:00  Pieter Wuille
    Tweak precomputed table size for G

99f0728f23  2014-11-26 15:21:31 +01:00  Pieter Wuille
    Fix secp256k1_num_set_bin handling of 0

d907ebc0e3  2014-11-26 15:21:31 +01:00  Pieter Wuille
    Add bounds checking to field element setters

665775b2b9  2014-11-25 14:29:02 +01:00  Pieter Wuille
    Don't split the g factor when not using endomorphism

3bf029d676  2014-11-18 13:13:17 +01:00  Pieter Wuille
    Add test that recovering infinity fails

4861f83686  2014-11-18 12:37:39 +01:00  Pieter Wuille
    Test whether recovered public keys are not infinity

    Fixes a bug discovered by Sergio Demian Lerner.

bbe67d8b29  2014-11-18 12:37:38 +01:00  Pieter Wuille
    Make secp256k1_eckey_pubkey_serialize fail for infinity

f49b2ef840  2014-11-18 11:08:44 +01:00  Pieter Wuille
    Add DETERMINISTIC to avoid line number/source dependent binaries

    This will make it easier to detect changes without semantic impact.

71712b27e5  2014-11-15 07:33:07 -08:00  Gregory Maxwell
    Switch to C89 comments in prep for making the whole codebase C89 compatible.

    This should be whitespace/comment only changes and should produce the same
    object code.

f8cce95650  2014-11-14 17:52:39 +01:00  Pieter Wuille
    Add overflow analysis to field_10x26_impl.h

a51859871a  2014-11-13 07:47:40 -08:00  Pieter Wuille
    Add overflow analysis to field_5x52_int128_impl.h

fa0d620668  2014-11-13 07:00:44 -08:00  Pieter Wuille
    Add equalities relating input and output variables

5dd421bab5  2014-11-13 04:46:17 -08:00  Peter Dettman
    Rewrite mul/sqr for 32bit/64bit

    - interleave calculation of the lower and upper partial product ranges, and reduction
    - less registers needed, more opportunities for parallel ops

861f9a59cc  2014-11-13 01:45:56 -08:00  Gregory Maxwell
    field_gmp's negate doesn't need to use the magnitude argument.

f0709ac57e  2014-11-13 01:45:49 -08:00  Gregory Maxwell
    Avoid forward static decl of undefined functions, also fix a paren warning in the tests.

3276e7d4e2  2014-11-12 15:47:12 -08:00  Gregory Maxwell
    Signed/unsigned comparisons in tests.

850562e3f1  2014-11-12 15:47:12 -08:00  Gregory Maxwell
    Avoid unsigned comparison in scalar arith.

65a14abb48  2014-11-12 15:47:12 -08:00  Gregory Maxwell
    Fix various signed/unsigned comparisons.

e9e0e21a6f  2014-11-12 15:47:12 -08:00  Gregory Maxwell
    Avoid a shadowed variable.