Jonas Nick
8298c0c79b
Merge commits 'c8aa516b 0a40a486 d8a24632 85b00a1c 59547943 5dcc6f8d 07752831 3ef94aa5 1253a277 64b34979 ac83be33 0e5cbd01 e0508ee9 587239db 1ac7e31c d0ad5814 912b7ccc 8746600e ' into temp-merge-1093
...
Revert: util: Remove endianness detection
2022-03-30 15:00:03 +00:00
Peter Dettman
d64bb5d4f3
Add fe_half tests for worst-case inputs
...
- Add field method _fe_get_bounds
2022-02-01 17:51:05 +07:00
Peter Dettman
925f78d55e
Add _fe_half and use in _gej_add_ge
...
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
- Updated formula and comments in _gej_add_ge
- Added internal benchmark for _fe_half
2022-01-31 19:41:01 +07:00
Russell O'Connor
b3b57ad6ee
Eliminate the pre_a_lam array from ecmult_strauss_wnaf.
2022-01-19 11:51:43 -05:00
Russell O'Connor
c9da1baad1
Move secp256k1_fe_one to field.h
...
This makes secp256k1_fe_one part of field.h's interface, and allows other modules to appropriately access the constant.
2022-01-19 09:53:02 -05:00
Jonas Nick
72c8deac03
Merge commits with sync-upstream.sh
...
da0092bc 10f9bd84 297ce820 f34b5cae 920a0e5f 9526874d aa1b889b 20d791ed 3e7b2ea1 21c188b3 8fa41201 515a5dbd c74a7b7e 74c34e72 7006f1b9 ea5e8a9c 793ad901 2e5e4b67 fecf436d 49f608de 49002274 6ad908aa 4f01840b 61ae37c6 486205aa 5d0dbef0 0559fc6e be6944ad a69df3ad b39d431a 0b83b203 09971a3f 9281c9f4 423b6d19 a310e79e 39a36db9 a1102b12
Deal with
- secp256k1_test_rng removal in commit
77a19750b46916b93bb6a08837c26f585bd940fa
- ecmult_gen context simplification after making table static in commit
3b0c2185eab0fe5cb910fffee4c88e134f6d3cad
2022-01-02 16:11:15 +00:00
Russell O'Connor
2888640132
VERIFY_CHECK precondition for secp256k1_fe_set_int.
2021-10-15 11:27:24 -04:00
Tim Ruffing
d49011f54c
Make _set_fe_int( . , 0 ) set magnitude to 0
2021-10-15 11:20:27 -04:00
Jonas Nick
d27e459861
Revert "Remove unused Jacobi symbol support"
...
This reverts commit 20448b8d09a492afcfcae7721033c13a44a776fd.
The removed functions secp256k1_ge_set_xquad and secp256k1_fe_is_quad_var
are required for some modules in secp256k1-zkp.
2021-06-14 20:24:08 +00:00
Jonas Nick
c083cc6e52
Merge #903: Make argument of fe_normalizes_to_zero{_var} const
...
23c3fb629b905deebc4bcc9914bcfff7b9aedacd Make argument of fe_normalizes_to_zero{_var} const (Pieter Wuille)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 23c3fb629b905deebc4bcc9914bcfff7b9aedacd diff looks good
jonasnick:
ACK 23c3fb629b905deebc4bcc9914bcfff7b9aedacd
Tree-SHA512: a51894a9e59851dc4854e92e4200ef6d12a11f6785b903c23585cfff5ef8d369216f4121260fe8789d46d3e215f3c2baa42decae99ab9328e8081f5274e67fab
2021-03-26 14:57:01 +00:00
Pieter Wuille
23c3fb629b
Make argument of fe_normalizes_to_zero{_var} const
2021-03-15 16:01:57 -07:00
Pieter Wuille
20448b8d09
Remove unused Jacobi symbol support
...
No exposed functions rely on Jacobi symbol computation anymore. Remove it; it can always
be brought back later if needed.
2021-03-12 10:06:18 -08:00
Pieter Wuille
75d2ae149e
Remove unused secp256k1_fe_inv_all_var
2021-01-23 20:16:51 -08:00
Dimitris Apostolou
07aa4c70ff
Fix insecure links
2020-12-18 00:24:22 +02:00
Pieter Wuille
79f1f7a4f1
Autodetect __int128 availability on the C side
...
Instead of supporting configuration of the field and scalar size independently,
both are now controlled by the availability of a 64x64->128 bit multiplication
(currently only through __int128). This is autodetected from the C code through
__SIZEOF_INT128__, but can be overridden using configure's
--with-test-override-wide-multiply, or by defining
USE_FORCE_WIDEMUL_{INT64,INT128} manually.
2020-08-10 14:56:39 -07:00
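An added illustration of the selection logic this commit message describes (example code, not libsecp256k1's util.h): the macro cascade follows the order the message gives, explicit USE_FORCE_WIDEMUL_{INT64,INT128} override first, then autodetection through __SIZEOF_INT128__, and a 64x64->128 multiply is written for both sides of it so the 32-bit-limb fallback a build without __int128 has to rely on can be cross-checked against the __int128 path. The function names and the test vectors are this example's own, not the library's.

```c
/* Added example, not libsecp256k1 code. The macro names are the ones from the commit
 * message; the widemul_* functions and the 32-bit-limb fallback are this example's own. */
#include <stdint.h>
#include <stdio.h>

#if defined(USE_FORCE_WIDEMUL_INT128)
#  define WIDEMUL_INT128 1         /* forced, e.g. -DUSE_FORCE_WIDEMUL_INT128 */
#elif defined(USE_FORCE_WIDEMUL_INT64)
#  define WIDEMUL_INT128 0         /* forced fallback, even if __int128 exists */
#elif defined(__SIZEOF_INT128__)
#  define WIDEMUL_INT128 1         /* autodetected: the compiler provides __int128 */
#else
#  define WIDEMUL_INT128 0
#endif

/* Portable 64x64->128 product from four 32x32->64 partial products. This is what a
 * backend built from 32-bit limbs has to do for every limb product. */
static void widemul_u64_portable(uint64_t a, uint64_t b, uint64_t *hi, uint64_t *lo) {
    uint64_t a0 = (uint32_t)a, a1 = a >> 32, b0 = (uint32_t)b, b1 = b >> 32;
    uint64_t p00 = a0 * b0, p01 = a0 * b1, p10 = a1 * b0, p11 = a1 * b1;
    uint64_t mid = (p00 >> 32) + (uint32_t)p01 + (uint32_t)p10;   /* < 2^34, cannot overflow */
    *lo = (mid << 32) | (uint32_t)p00;
    *hi = p11 + (p01 >> 32) + (p10 >> 32) + (mid >> 32);
}

#if WIDEMUL_INT128
/* The wide path: one compiler-provided 128-bit multiplication. */
static void widemul_u64_int128(uint64_t a, uint64_t b, uint64_t *hi, uint64_t *lo) {
    unsigned __int128 p = (unsigned __int128)a * b;
    *hi = (uint64_t)(p >> 64);
    *lo = (uint64_t)p;
}
#endif

/* The backend the cascade above selected for this build. */
static void widemul_u64(uint64_t a, uint64_t b, uint64_t *hi, uint64_t *lo) {
#if WIDEMUL_INT128
    widemul_u64_int128(a, b, hi, lo);
#else
    widemul_u64_portable(a, b, hi, lo);
#endif
}

/* Cross-check the selected backend against the portable one on constructed corner
 * cases (zero, one, limb boundaries, all-ones); returns 1 when every pair agrees. */
static int widemul_selftest(void) {
    static const uint64_t v[] = { 0, 1, 0xFFFFFFFFull, 0x100000000ull,
                                  0x123456789ABCDEF0ull, 0xFFFFFFFFFFFFFFFFull };
    size_t i, j, n = sizeof v / sizeof v[0];
    for (i = 0; i < n; i++) for (j = 0; j < n; j++) {
        uint64_t h1, l1, h2, l2;
        widemul_u64(v[i], v[j], &h1, &l1);
        widemul_u64_portable(v[i], v[j], &h2, &l2);
        if (h1 != h2 || l1 != l2) return 0;
    }
    return 1;
}

/* Accessors returning one half of the product, for direct checks. */
static uint64_t widemul_hi(uint64_t a, uint64_t b) { uint64_t h, l; widemul_u64(a, b, &h, &l); return h; }
static uint64_t widemul_lo(uint64_t a, uint64_t b) { uint64_t h, l; widemul_u64(a, b, &h, &l); return l; }

int main(void) {
    printf("backend: %s\n", WIDEMUL_INT128 ? "__int128 (64-bit limbs)" : "portable (32-bit limbs)");
    printf("selftest: %s\n", widemul_selftest() ? "ok" : "MISMATCH");
    return 0;
}
```

Build it once plainly and once with -DUSE_FORCE_WIDEMUL_INT64 to see the same self-test pass on both paths; (2^64-1)^2 = 0xFFFFFFFFFFFFFFFE_0000000000000001 is the case that exercises every carry in the fallback.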
Elichai Turkel
a39c2b09de
Fixed UB(arithmetics on uninit values) in cmovs
2020-05-22 13:25:26 +03:00
Marko Bencun
dabfea7e21
field: extend docstring of secp256k1_fe_normalize
2020-01-17 12:41:35 +01:00
Dan Raviv
abe2d3e84b
Fix header guards using reserved identifiers
...
Identifiers starting with an underscore and followed immediately by a capital letter are reserved by the C++ standard.
The only header guards not fixed are those in the headers auto-generated from java.
2017-08-26 18:44:21 +03:00
Andrew Poelstra
20b8877be1
Add exhaustive test for group functions on a low-order subgroup
...
We observe that when changing the b-value in the elliptic curve formula
`y^2 = x^3 + ax + b`, the group law is unchanged. Therefore our functions
for secp256k1 will be correct if and only if they are correct when applied
to the curve defined by `y^2 = x^3 + 4` defined over the same field. This
curve has a point P of order 199.
This commit adds a test which computes the subgroup generated by P and
exhaustively checks that addition of every pair of points gives the correct
result.
Unfortunately we cannot test const-time scalar multiplication by the same
mechanism. The reason is that these ecmult functions both compute a wNAF
representation of the scalar, and this representation is tied to the order
of the group.
Testing with the incomplete version of gej_add_ge (found in 5de4c5dff^)
shows that this detects the incompleteness when adding P - 106P, which
is exactly what we expected since 106 is a cube root of 1 mod 199.
2016-11-25 20:45:29 +00:00
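The test strategy in this commit message, as an added example that is not libsecp256k1's own code: a toy curve y^2 = x^3 + 4 over F_13 (an assumed small field; 13 = 1 mod 3, so F_13 contains a cube root of unity and the resulting group order 21 contains one as well, the same structure that makes 106 matter mod 199). The whole group is enumerated, every ordered pair is added and compared against the expected multiple, and that check is run twice: once with the complete affine law, once with a stand-in "unified" slope formula (x1^2 + x1*x2 + x2^2)/(y1 + y2) that is undefined when y1 = -y2 but x1 != x2. That stand-in is an assumption for illustration; it is not the formula the old gej_add_ge used. All function names are this example's own.

```c
/* Added example, not libsecp256k1 code. Assumed toy setting: y^2 = x^3 + 4 over F_13
 * (13 = 1 mod 3, so F_13 has a cube root of unity, 3^3 = 1 mod 13, and the group order
 * 21 has one too, 4^3 = 1 mod 21), affine arithmetic in uint64_t. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TOY_P 13u
#define TOY_A 0u                /* the group law involves a, never b */
#define MAX_PTS 64

typedef struct { uint64_t x, y; int inf; } pt;
static const pt O = {0, 0, 1};  /* point at infinity */

static uint64_t fe_inv(uint64_t v) {   /* v^(p-2) mod p, p prime */
    uint64_t r = 1, e = TOY_P - 2;
    for (v %= TOY_P; e; e >>= 1, v = v * v % TOY_P) if (e & 1) r = r * v % TOY_P;
    return r;
}
static uint64_t fe_sub(uint64_t a, uint64_t b) { return (a % TOY_P + TOY_P - b % TOY_P) % TOY_P; }
static int pt_eq(pt P, pt Q) { return P.inf ? Q.inf : (!Q.inf && P.x == Q.x && P.y == Q.y); }

static pt finish(pt P, pt Q, uint64_t lam) {  /* (x3, y3) from the slope lam */
    pt R = {0, 0, 0};
    R.x = fe_sub(fe_sub(lam * lam, P.x), Q.x);
    R.y = fe_sub(lam * fe_sub(P.x, R.x), P.y);
    return R;
}

/* Complete affine addition: every special case handled explicitly. */
static pt add_complete(pt P, pt Q) {
    if (P.inf) return Q;
    if (Q.inf) return P;
    if (P.x != Q.x) return finish(P, Q, fe_sub(Q.y, P.y) * fe_inv(fe_sub(Q.x, P.x)) % TOY_P);
    if ((P.y + Q.y) % TOY_P == 0) return O;                                 /* Q == -P */
    return finish(P, Q, (3 * P.x * P.x + TOY_A) % TOY_P * fe_inv(2 * P.y) % TOY_P);
}

/* Stand-in "unified" addition, slope (x1^2 + x1*x2 + x2^2 + a)/(y1 + y2): equal to the
 * complete law whenever y1 + y2 != 0, but undefined for y1 == -y2 with x1 != x2, a pair
 * that is neither a doubling nor P + (-P). *ok is cleared instead of dividing by zero. */
static pt add_unified(pt P, pt Q, int *ok) {
    if (P.inf) return Q;
    if (Q.inf) return P;
    if ((P.y + Q.y) % TOY_P == 0) { if (P.x != Q.x) *ok = 0; return O; }
    return finish(P, Q, (P.x * P.x + P.x * Q.x + Q.x * Q.x + TOY_A) % TOY_P
                        * fe_inv(P.y + Q.y) % TOY_P);
}

/* pts[i] = i*P, computed with the trusted complete law; returns the order of P. */
static int subgroup(pt P, pt *pts) {
    int n = 0;
    pt R = O;
    do { pts[n++] = R; R = add_complete(R, P); } while (!R.inf && n < MAX_PTS);
    return n;
}

/* Brute-force a point of maximal order on y^2 = x^3 + b and fill pts with its subgroup. */
static int full_group(uint64_t b, pt *pts) {
    uint64_t x, y;
    int best = 0;
    for (x = 0; x < TOY_P; x++) for (y = 0; y < TOY_P; y++) {
        if (y * y % TOY_P == (x * x * x + TOY_A * x + b) % TOY_P) {
            pt P = {0, 0, 0}, tmp[MAX_PTS];
            int n;
            P.x = x; P.y = y; n = subgroup(P, tmp);
            if (n > best) { best = n; memcpy(pts, tmp, n * sizeof(pt)); }
        }
    }
    return best;
}

/* Is j == -lam*i (mod n) for a nontrivial cube root of unity lam mod n? (106 plays this
 * role for n = 199 in the commit message.) */
static int cube_root_pair(int i, int j, int n) {
    int lam;
    for (lam = 2; lam < n; lam++)
        if (lam * lam % n * lam % n == 1 && (j + lam * i) % n == 0) return 1;
    return 0;
}

/* Exhaustive check: add(i*P, j*P) must equal ((i+j) mod n)*P for every ordered pair.
 * Returns the number of failing pairs; *unexplained (if non-NULL) receives how many of
 * them are NOT of the cube-root form above. unified selects which law is tested. */
static int demo_failures(int unified, int *unexplained) {
    pt pts[MAX_PTS];
    int n = full_group(4, pts), i, j, fails = 0, other = 0;
    for (i = 0; i < n; i++) for (j = 0; j < n; j++) {
        int ok = 1;
        pt S = unified ? add_unified(pts[i], pts[j], &ok) : add_complete(pts[i], pts[j]);
        if (ok && pt_eq(S, pts[(i + j) % n])) continue;
        fails++;
        other += !cube_root_pair(i, j, n);
    }
    if (unexplained) *unexplained = other;
    return fails;
}
static int demo_group_order(void) { pt pts[MAX_PTS]; return full_group(4, pts); }
static int demo_unexplained(void) { int other; demo_failures(1, &other); return other; }

int main(void) {
    printf("group order %d; complete-law failures %d; unified-law failures %d (unexplained %d)\n",
           demo_group_order(), demo_failures(0, NULL), demo_failures(1, NULL), demo_unexplained());
    return 0;
}
```

Built and run as is, it reports a group of order 21, zero failures for the complete law and 36 for the stand-in, every one of them a pair (iP, -lam*iP) with lam a cube root of 1 mod 21, the same pattern as the P - 106P failure the message describes for order 199. Changing b to 7 keeps add_complete and add_unified unchanged, which is the observation the test rests on.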
llamasoft
7d893f4980
Fix secp256k1_fe_inv_all_var parameter order
...
Rearranged secp256k1_fe_inv_all_var parameters so length is after array.
Text editor removed some trailing whitespaces.
2016-07-26 12:15:19 -05:00
Pieter Wuille
926836ad36
Make secp256k1_fe_sqrt constant time
2016-07-09 14:23:44 +02:00
Pieter Wuille
e6e9805fc4
Add function for testing quadratic residue field/group elements.
2016-07-04 13:55:04 +02:00
Pieter Wuille
646662517f
Improvements for coordinate decompression
2015-11-05 00:04:39 +01:00
Gregory Maxwell
269d422703
Comment copyediting.
2015-10-31 08:31:15 +00:00
Gregory Maxwell
cfe0ed916a
Fix miscellaneous style nits that irritate overactive static analysis.
...
Also increase consistency with how overflow && zero is tested, and
avoid some mixed declarations and code that GCC wasn't detecting.
2015-09-24 08:42:37 +00:00
Pieter Wuille
dd891e0ed5
Get rid of _t as it is POSIX reserved
2015-09-21 21:03:37 +02:00
Veres Lajos
de7e398dfa
small typo fix
2015-08-10 22:05:52 +01:00
Gregory Maxwell
bb0ea50de8
Replace set/add with cmov in secp256k1_gej_add_ge.
...
Use a conditional move of the same kind we use for the affine points
in the storage type instead of multiplying with the infinity flag
and adding. This results in fewer constructions to worry about for
sidechannel behavior.
It also might be faster: It doesn't appear to benchmark as slower for
me at least; but I think the CMOV is faster than the mul_int + add,
but slower than the set+add; making it a wash.
2015-04-22 00:43:30 +00:00
Pieter Wuille
443cd4b8ee
Get rid of hex format and some binary conversions
2015-02-23 04:37:21 -08:00
Pieter Wuille
fcc48c4561
Remove the non-storage cmov
2015-01-25 00:56:22 -04:00
Pieter Wuille
ff889f7d90
Field storage type
2015-01-25 00:11:20 -04:00
Pieter Wuille
0768bd55a1
Get rid of variable-length hex string conversions
2015-01-24 21:52:48 -04:00
Gregory Maxwell
3627437d80
C89 nits and dead code removal.
2015-01-23 04:17:12 +00:00
Pieter Wuille
4732d26069
Convert the field/group/ecdsa constant initialization to static consts
2015-01-22 22:44:52 -05:00
Peter Dettman
49ee0dbe16
Add _normalizes_to_zero_var variant
2014-12-20 14:38:29 +01:00
Peter Dettman
eed599dd72
Add _fe_normalizes_to_zero method
2014-12-20 14:38:24 +01:00
Pieter Wuille
d7174edf5f
Weak normalization for secp256k1_fe_equal
2014-12-20 14:38:20 +01:00
Pieter Wuille
0295f0a33d
weak normalization
2014-12-20 14:38:07 +01:00
Pieter Wuille
7277fd76e2
Remove GMP field implementation
2014-12-17 12:41:31 +01:00
Pieter Wuille
6a9901e15b
Merge pull request #137
...
39bd94d Variable time normalize (Pieter Wuille)
2014-12-07 14:35:23 +01:00
Pieter Wuille
39bd94d86d
Variable time normalize
2014-12-06 18:18:28 +01:00
Pieter Wuille
2b9388b647
Remove unused secp256k1_fe_inv_all
2014-12-05 18:13:51 +01:00
Pieter Wuille
efb7d4b299
Use constant-time conditional moves instead of byte slicing
2014-12-03 02:41:55 +01:00
Pieter Wuille
bd313f7d6e
Merge pull request #119
...
597128d Make num optional (Pieter Wuille)
659b554 Make constant initializers independent from num (Pieter Wuille)
2014-12-02 16:42:50 +01:00
Pieter Wuille
be82e92fc4
Require that r and b are different for field multiplication.
...
Suggested by Peter Dettman, this prepares for slightly faster multiplication
which writes results immediately to r before finishing reading b.
2014-12-01 13:40:34 +01:00
Pieter Wuille
597128d389
Make num optional
2014-12-01 12:38:38 +01:00
Pieter Wuille
f24041d6aa
Switch all EC/ECDSA logic from num to scalar
2014-11-30 23:38:01 +01:00
Pieter Wuille
d907ebc0e3
Add bounds checking to field element setters
2014-11-26 15:21:31 +01:00
Gregory Maxwell
71712b27e5
Switch to C89 comments in prep for making the whole codebase C89 compatible.
...
This should be whitespace/comment only changes and should produce the same
object code.
2014-11-15 07:33:07 -08:00
Gregory Maxwell
a4a43d7543
Reorder static to comply with C99 and switch to the inline macro.
2014-11-12 13:07:55 -08:00