243 Commits

Author SHA1 Message Date
Tim Ruffing
e290c0f835
Merge ElementsProject/secp256k1-zkp#148: fix a couple things to make Elements 22's linter happy
b9ebee1490cc10286780c824a2bfac6bbb961cee fix a couple things to make Elements 22's linter happy (Andrew Poelstra)

Pull request description:

  In Elements 22 the linter looks for executable files that don't have a properly-formed shebang. For some reason it wants `/usr/bin/env bash` rather than `/bin/bash`, and also one of our source files was erroneously 755.

ACKs for top commit:
  real-or-random:
    ACK b9ebee1490cc10286780c824a2bfac6bbb961cee

Tree-SHA512: 00da8fefd67c1882c6cec39dc81ce67ae3f52f902ddf72545e902b8f5bc7cd7c1249bf71027c530245c403a99c86ffbb61a89bc18c27c5ec975f6f653200766c
2021-10-15 15:23:57 +02:00
Andrew Poelstra
b9ebee1490 fix a couple things to make Elements 22's linter happy 2021-10-14 21:21:30 +00:00
Jonas Nick
938725c1c9 Merge commits 'd7ec49a6 9a5a87e0 aa5d34a8 2a3a97c6 ' into temp-merge-976
Also remove remaining uses of ecmult context in secp-zkp and update API tests
accordingly.
2021-09-16 15:21:11 +00:00
Tim Ruffing
2a3a97c665
Merge bitcoin-core/secp256k1#976: secp256k1_schnorrsig_sign_internal should be static
72713872a8597884918bcf1edbc12f5c969ca680 Add missing static to secp256k1_schnorrsig_sign_internal (Elichai Turkel)

Pull request description:

  This function isn't used outside of this module so it should be declared static

ACKs for top commit:
  real-or-random:
    ACK 72713872a8597884918bcf1edbc12f5c969ca680
  jonasnick:
    ACK 72713872a8597884918bcf1edbc12f5c969ca680

Tree-SHA512: 6107a2c84c3e11ffd68de22a5288d989a3c71c2ec1ee4827c88f6165fc27ef8339d0f6740928540e8ccd03aff49a2a96149bf698ccebe6d6d8ad6e23e38e8838
2021-09-15 16:55:50 +02:00
Tim Ruffing
aa5d34a8fe
Merge bitcoin-core/secp256k1#783: Make the public API docs more consistent and explicit
adec5a16383f1704d80d7c767b2a65d9221cee08 Add missing null check for ctx and input keys in the public API (Elichai Turkel)
f4edfc758142d6e100ca5d086126bf532b8a7020 Improve consistency for NULL arguments in the public interface (Elichai Turkel)

Pull request description:

  I went over the public API and added missing explanations on when a pointer can be null and when it cannot,
  and added some missing checks for null ctx and null pubkey pointers.

  Open questions IMHO:
  1. Can `secp256k1_context_create` return NULL? right now it could return null if you replaced the callbacks at compile time to ones that do return(unlike the default ones which never return).
  2. Related to the first, should we document that the callbacks should never return? (in the tests we use returning callbacks but we can violate our own API) right now we say the following:

  > After this callback returns, anything may happen, including crashing.

  Is this enough to document answer `no` for the first question and just saying that if the callback returned then you violated the API so `secp256k1_context_create` can return NULL even though it is promised not to?
  Right now we AFAICT we never check if it returns null

  Another nit I'm not sure about is wording `(does nothing if NULL)`/`(ignored if NULL)`/`(can be NULL)`

  More missing docs:
  1. Documenting the `data` argument to the default nonce functions

ACKs for top commit:
  ariard:
    ACK adec5a16
  jonasnick:
    ACK adec5a16383f1704d80d7c767b2a65d9221cee08

Tree-SHA512: 6fe785776b7e451e9e8cae944987f927b1eb2e2d404dfcb1b0ceb0a30bda4ce16469708920269417e5ada09739723a430e270dea1868fe7d12ccd5699dde5976
2021-09-15 16:36:11 +02:00
Elichai Turkel
72713872a8
Add missing static to secp256k1_schnorrsig_sign_internal 2021-09-15 12:46:13 +03:00
Pieter Wuille
db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const 2021-09-11 10:05:14 -04:00
Russell O'Connor
6815761cf5 Remove ecmult_context.
These tables stored in this context are now statically available from the generated ecmult_static_pre_g.h file.
2021-08-20 11:11:26 -04:00
Jonas Nick
881b15cb43
Merge elementsproject/secp256k1-zkp#139: musig: use tagged hash for the list of pubkeys to aggregate
8f093be374da794b835302bfb81a72e2bdd51d26 musig: use tagged hash for the list of pubkeys to aggregate (Jonas Nick)
a6a768a4bf3a243609e508c492307cb0fe754bda musig: make key agg test vector more precise (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 5369dc5b4039dd4cda2c50282db2882c088b96e1daa5801240f92be1832ed8f29317fdbfc3cab211707155c284a68dc593967f3141703e2544f6b8dc1553e44d
2021-08-02 11:34:07 +00:00
Andrew Poelstra
6ad66de680 rangeproof: add an (unnecessary) variable initialization to shut up CI 2021-07-27 18:15:58 +00:00
Andrew Poelstra
2979e4d9d4 Merge commits '8ae56e33 75ce488c 4866178d 446d28d9 253f90cd ec3aaa50 0440945f 7688a4f1 be8d9c26 ' into temp-merge-965 2021-07-27 18:12:45 +00:00
Jonas Nick
8f093be374 musig: use tagged hash for the list of pubkeys to aggregate
This is done to use tagged hashing consistently. Changes the musig test vectors.
2021-07-27 11:37:10 +00:00
Jonas Nick
a6a768a4bf musig: make key agg test vector more precise 2021-07-27 10:06:22 +00:00
Jonas Nick
fc26ca8dde musig: remove unnecessary constant time normalize in combine 2021-07-14 19:59:38 +00:00
Jonas Nick
48f63efe68 musig: remove unnecessary branch in pubkey_tweak_add 2021-07-14 19:59:38 +00:00
Jonas Nick
f27fd1d5e7 musig: improve test coverage of pubkey_combine 2021-07-14 19:59:38 +00:00
Jonas Nick
56014e8ca0 musig: change pubkey_combine arg to array of pointers to pks
... instead of taking an array of pubkeys directly
2021-07-14 19:59:38 +00:00
Jonas Nick
08fa02d579 musig: add key aggregation spec draft 2021-07-14 19:59:38 +00:00
Jonas Nick
4a9b059b16 musig: rename Musig coefficient to KeyAgg coefficient
This is done to be consistent with the MuSig2 paper
2021-07-14 19:59:19 +00:00
Jonas Nick
4bc46d836e musig: optimize key aggregation using const 1 for 2nd key 2021-07-14 19:58:54 +00:00
Jonas Nick
2310849f50 musig: compute musig coefficient by hashing key instead of index 2021-07-14 19:41:38 +00:00
Jonas Nick
9683c8a7eb musig: add static test vectors for key aggregation 2021-07-14 19:41:38 +00:00
Jonas Nick
9b3d7bf536 extrakeys: add xonly_sort function 2021-07-14 19:41:38 +00:00
Jonas Nick
f31affd8a6 extrakeys: add hsort, in-place, iterative heapsort 2021-07-14 19:29:30 +00:00
Jonas Nick
d9560e0af7
Merge elementsproject/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC
cc0b279568d6edaa0b966b4333a0008f4ef63efa Eliminate a wrong -Wmaybe-uninitialized warning in GCC (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK cc0b279568d6edaa0b966b4333a0008f4ef63efa

Tree-SHA512: ee9ae840ba7df471f566fc9b4d5bdf04e1d0759bd6fec1d1144e0e7b3f12603865371d238f8a2ee4648db88224e5ea582ab837c2cbc041d2582141736ebe5fd0
2021-07-14 13:57:13 +00:00
Tim Ruffing
cc0b279568 Eliminate a wrong -Wmaybe-uninitialized warning in GCC 2021-07-13 17:30:05 +02:00
Jonas Nick
7226cf215a ecdsa_adaptor: fix too small buffer in tests
Also add a specific test that fails adaptor sig deserialization because with the
correct size buffer that's not guaranteed anymore with the existing test.
2021-07-13 14:09:58 +00:00
Jonas Nick
b053e853d4 ecdsa_adaptor: fix test case with invalid signature
Previously the ECDSA signature had an overflowing s value, which after the sync
with upstream results in a failing VERIFY_CHECK in the inversion function.
However, normally parsed signatures shouldn't contain overflowing s values.
2021-07-13 14:09:58 +00:00
Elichai Turkel
adec5a1638 Add missing null check for ctx and input keys in the public API 2021-07-04 12:47:46 +03:00
Tim Ruffing
f698caaff6 Use unsigned char consistently for byte arrays
C++ does not allow initialization with string literals but we do it in other
places and -fpermissive will convince g++ to compile.
2021-07-04 11:37:06 +02:00
Tim Ruffing
769528f307 Don't use string literals for char arrays without NUL termination
unsigned char foo[4] = "abcd" is not valid C++ because the string
literal "abcd" does not fit into foo due to the terminating NUL
character. This is valid in C, it will just omit the NUL character.

Fixes #962.
2021-07-04 10:40:30 +02:00
Tim Ruffing
2cc3cfa583 Fix -Wmissing-braces warning in clang 2021-07-04 02:01:44 +02:00
Jonas Nick
fdd06b7967 schnorrsig: add tests for sign_custom and varlen msg verification 2021-06-27 20:26:15 +00:00
Jonas Nick
d8d806aaf3 schnorrsig: add extra parameter struct for sign_custom
This simplifies the interface of sign_custom and allows adding more parameters
later in a backward compatible way.
2021-06-27 20:26:15 +00:00
Jonas Nick
a0c3fc177f schnorrsig: allow signing and verification of variable length msgs
Varlen message support for the default sign function comes from recommending
tagged_sha256. sign_custom on the other hand gets the ability to directly sign
message of any length. This also implies signing and verification support for
the empty message (NULL) with msglen 0.

Tests for variable lengths follow in a later commit.
2021-06-27 20:26:15 +00:00
Jonas Nick
b6c0b72fb0 schnorrsig: remove noncefp args from sign; add sign_custom function
This makes the default sign function easier to use while allowing more granular
control through sign_custom.

Tests for sign_custom follow in a later commit.
2021-06-27 20:26:15 +00:00
Jonas Nick
edcacc2b2e Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950 2021-06-14 18:16:46 +00:00
Jonas Nick
442cee5baf schnorrsig: add algolen argument to nonce_function_hardened
This avoids having to remove trailing NUL bytes in the nonce function
2021-05-28 11:40:52 +00:00
Jonas Nick
202a030f7d
Merge #850: add secp256k1_ec_pubkey_cmp method
6eceec6d566898a5c157630e47f95b260767026b add `secp256k1_xonly_pubkey_cmp` method (Andrew Poelstra)
0d9561ae879848191a14bcc67db87cbfd44fb69a add `secp256k1_ec_pubkey_cmp` method (Andrew Poelstra)

Pull request description:

ACKs for top commit:
  elichai:
    Code review ACK 6eceec6d566898a5c157630e47f95b260767026b
  jonasnick:
    ACK 6eceec6d566898a5c157630e47f95b260767026b
  real-or-random:
    ACK 6eceec6d566898a5c157630e47f95b260767026b

Tree-SHA512: f95cbf65f16c88a4adfa1ea7cc6ddabab14baa3b68fa069e78e6faad4852cdbfaea42ee72590d2e0b8f3159cf9b37969511550eb6b2d256b101e2147711cc817
2021-05-13 19:17:53 +00:00
Andrew Poelstra
6eceec6d56 add secp256k1_xonly_pubkey_cmp method 2021-05-06 18:36:44 +00:00
William Bright
3c90bdda95 change local lib headers to be relative for those pointing at "include/" dir
added relative paths to header files imported from src directory

added include guards for contrib/ files when referring to secp256k1.h
2021-05-05 09:24:05 -04:00
Gregory Maxwell
99e2d5be0d Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers.
GCC 4.9.2, at least, emits "warning: missing braces around initializer"
 without this.
2021-05-02 20:02:12 +00:00
Jesse Posner
b0ffa92319 ecdsa_adaptor: add tests
This commit adds test coverage including Cirrus scripts, Valgrind
constant time tests for secret data, API tests, nonce function tests,
and test vectors from the spec.
2021-03-26 16:04:56 -07:00
Jesse Posner
6955af5ca8 ecdsa_adaptor: add ECDSA adaptor signature APIs
This commit adds the ECDSA adaptor signature APIs:

- Encrypted Signing

  Creates an adaptor signature, which includes a proof to verify the adaptor
  signature.

- Encryption Verification

  Verifies that the adaptor decryption key can be extracted from the adaptor
  signature and the completed ECDSA signature.

- Signature Decryption

  Derives an ECDSA signature from an adaptor signature and an adaptor decryption
  key.

- Key Recovery

  Extracts the adaptor decryption key from the complete signature and the adaptor
  signature.
2021-03-26 16:04:52 -07:00
Jesse Posner
b508e5dd9b ecdsa_adaptor: add support for proof of discrete logarithm equality
This commit adds proving and verification functions for discrete
logarithm equality.

From the spec (https://github.com/discreetlogcontracts/dlcspecs/pull/114):

"As part of the ECDSA adaptor signature a proof of discrete logarithm
equality must be provided. This is a proof that the discrete logarithm of
some X to the standard base G is the same as the discrete logarithm of
some Z to the base Y. This proof can be constructed by using equality
composition on two Sigma protocols proving knowledge of the discrete
logarithm between both pairs of points. In other words the prover proves
knowledge of a such that X = a * G and b such that Z = b * Y and that
a = b. We make the resulting Sigma protocol non-interactive by applying
the Fiat-Shamir transformation with SHA256 as the challenge hash."
2021-03-16 16:13:34 -07:00
Jesse Posner
d8f336564f ecdsa_adaptor: add nonce function and tags
This commit adds a nonce function that will be used by default
for ECDSA adaptor signatures.

This nonce function is similar to secp256k1_nonce_function_hardened
except it uses the compressed 33-byte encoding for the pubkey argument.
We need 33 bytes instead of 32 because, unlike with BIP-340, an ECDSA
X-coordinate alone is not sufficient to disambiguate the Y-coordinate.
2021-03-16 16:13:34 -07:00
Jesse Posner
654cd633f5 ecdsa_adaptor: initialize project
This commit adds the foundational configuration and building scripts
and an initial structure for the project.
2021-03-16 16:13:31 -07:00
Jonas Nick
79d4c3ac68 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS
This will fix the following compile error on macOS

In file included from src/num.h:17,
                 from src/num_impl.h:14,
                 from src/bench_whitelist.c:14:
src/num_gmp.h:10:10: fatal error: gmp.h: No such file or directory
2021-03-10 13:28:16 +00:00
Jonas Nick
649bf201d8 musig: fix tests for 32-bit 2021-03-10 13:20:01 +00:00
Jonas Nick
d4ca81f48e Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901
Also add -zkp modules to .cirrus.yml.
2021-03-08 13:35:16 +00:00