2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d Save negations in var-time group addition (Peter Dettman)
Pull request description:
- Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
- 2 fewer _fe_negate in each method
- Updated operation counts and standardize layout
- Added internal benchmark for _gej_add_zinv_var
benchmark_internal shows about 2% speedup in each method as a result (64bit).
ACKs for top commit:
real-or-random:
ACK 2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d
jonasnick:
ACK 2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d
Tree-SHA512: 01366fa23c83a8dd37c9a0a24e0acc53ce38a201607fe4da6672ea5618d82c62d1299f0e0aa50317883821539af739ea52b6561faff230c148e6fdc5bc5af30b
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3153dc055e0e76101ed9e4607155870 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6ea2768f5355eb4617283086f756931 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da4457325c4be539838ceed21b31c60fbd Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606acb285cc7ef11662ce166ed67e9015 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
Pull request description:
Should be merged before #995 if we want this.
I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.
ACKs for top commit:
sipa:
utACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
jonasnick:
ACK b8f8b99f0fb3a5cd4c6fb1c9c8dfed881839e19e
Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.
```
h = hashlib.sha256()
for i in range(1_000_000):
h.update(b'a')
print(h.hexdigest())
```
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
e848c3799c4f31367c3ed98d17e3b7de504d4c6e Update sage files for new formulae (Peter Dettman)
d64bb5d4f3fbd48b570d847c9389b9cf8f3d9abc Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff8e64f8de3ae8ecfebeab1e84ca420e Further improve doubling formula using fe_half (Peter Dettman)
557b31fac36529948709d4bfcc00ad3acb7e83b9 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a424d9dee12a4e11f0479410b7e4cc930 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257eddc2d7614985be60bee29cf2bec65fb Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e112cd00f1e2867886bdc751a5d6606 Add _fe_half and use in _gej_add_ge (Peter Dettman)
Pull request description:
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
Gives around 2-3% faster signing and ECDH, depending on compiler/platform.
ACKs for top commit:
sipa:
utACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
jonasnick:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
real-or-random:
ACK e848c3799c4f31367c3ed98d17e3b7de504d4c6e
Tree-SHA512: 81a6c93b3d983f1b48ec8e8b6f262ba914215045a95415147f41ee6e85296aa4d0cbbad9f370cdf475571447baad861d2cc8e0b04a71202d48959cb8a098f584
b797a500ec194948eecbea8bd80f6b7d455f7ca2 Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc30fcf019af08a41f7b6f329a08eaa0c Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f3419d090e94b0c0897895c5b2b9fdc244 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0401bf5be7c4312d84d17fc789a6566 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0ae054cf0a1d6407c2dcf7445a46935 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6eedac86bda40f062daee7d5f4241d25c Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922b4c1439888b8488b307cd0f0e8ec59 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db69b5db44d282225ab4fea788af8035 Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad125e830901f0ed6ad65eb4f9ccb81f4 Move secp256k1_fe_one to field.h (Russell O'Connor)
Pull request description:
ACKs for top commit:
sipa:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
jonasnick:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
Tree-SHA512: 6742469979c306104a0861be76c2be86bf8ab14116b00afbd24f91b9e3ea843bf9b9a74552b367bd06ee617090019ad4df6be037d58937c8c869f8b37ddaa6cc
070e772211b3fcd297577b90b56bbf7a5cfbd0a3 Faster fixed-input ecmult tests (Pieter Wuille)
Pull request description:
Given how much #920 slowed down the tests with low iteration count, replace it with 3 different similar test:
* count >= 1: a test with 1024 multiplies that tests any pattern of 6 bits in windows not more than 20 bits wide
* count >= 3: a test with 2048 multiplies that tests any pattern of 8 consecutive bits
* count >= 35: the old test (which effectively tests all 2-bit patterns)
ACKs for top commit:
robot-dreams:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3, the addition of the `CONDITIONAL_TEST` macro is nice.
real-or-random:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3
Tree-SHA512: b4ccca42c71fcd1baa7143f73d1c3ac9d012c296485164a03341dbeee02e4ba9f7c7ad6b441923a5fe0286c97eff60815033adb4e1d30b3ef08bcb79590327ff
3d7cbafb5fd7f152fc47dc907af5df03150accc0 tests: Fix test whose result is implementation-defined (Tim Ruffing)
Pull request description:
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we restore the name of the function. It was mistakenly
renamed in 6173839c90553385171d560be8a17cbe167e3bef using
"search and replace".
ACKs for top commit:
robot-dreams:
ACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
sipa:
utACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
77a19750b46916b93bb6a08837c26f585bd940fa Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684ecca8f767f98ee0ace813103cc88ade secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
Pull request description:
Just some easy low-hanging fruit. It's complete overkill to use the RFC6979 RNG for our test randomness. Replace it with a modern non-cryptographic RNG with good properties. It's a few % speedup for me.
Given the internal naming of all these functions to be "testrand", I'm not concerned about the risk of someone using this for something that needs actual cryptographic randomness.
ACKs for top commit:
robot-dreams:
ACK 77a19750b46916b93bb6a08837c26f585bd940fa
real-or-random:
utACK 77a19750b46916b93bb6a08837c26f585bd940fa
Tree-SHA512: 2706f37689e037e84b5df25c98af924c0756e6d59f5f822b23aec5ba381b2d536e0848f134026e2568396427218f1c770f1bb07613d702efb23a84015dc9271d
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we improve the identity check such that it covers the
VERIFY struct members.
b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2 ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601aecf3c5a8affb5a4dce5612b298964 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e084334081fa53be81e75c064375f36 ci: Update brew on macOS (Tim Ruffing)
22382f0ea0e234242e248720b9d1d171cb2de0f8 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0e3fceb1cd2e882e1476c950cabc2e8 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3ce3ee8ca443ccad20915217ee74397 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
Pull request description:
ACKs for top commit:
elichai:
utACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
jonasnick:
ACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
Tree-SHA512: b283d7b1c72cf87484de1fe98318298698fe9982dc33389eaca62e92318ab0074c183b9799add274f46358032491fee875e5ffb2a76a47f3b07520b850f4c85e
1287786c7a97eff520ffbd6b0d8b2f99dbfc6371 doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589f61b0e0e9b58388ee3e0da8a2c3c3a doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
Pull request description:
When reviewing #816 I noticed the upper bounds in the comment at the top of `field_5x52_impl.h` were off by 1 (see `fe_verify`). This PR fixes the upper bounds and also cleans up the comment along the way.
ACKs for top commit:
real-or-random:
ACK 1287786c7a97eff520ffbd6b0d8b2f99dbfc6371
Tree-SHA512: 4b7dadc92451ab1ceb5a547a3101ff37f3ffd0645490563f1f3442ea8d6219f100ed914289d22435c4172d190fa1ff52e37e4464132bb3f9bbcc338488227f7b
