ade5b367018a624ff7ca1ecbb4a64889d47b0142 tests: add checks for scalar constants `secp256k1_scalar_{zero,one}` (Sebastian Falbesoner)
654246c63585422a184121a26d42dcae792e87c6 refactor: take use of `secp256k1_scalar_{zero,one}` constants (Sebastian Falbesoner)
Pull request description:
Rather than allocating a (non-constant) scalar variable on the stack with the sole purpose of setting it to a constant value, the global constants `secp256k1_scalar_{zero,one}` (apparently introduced in 34a67c773b0871e5797c7ab506d004e80911f120, PR #710) can be directly used instead for the values 0 or 1. There is very likely not even a difference in run-time, but it leads to simpler and less code which might be nice.
ACKs for top commit:
sipa:
utACK ade5b367018a624ff7ca1ecbb4a64889d47b0142
real-or-random:
utACK ade5b367018a624ff7ca1ecbb4a64889d47b0142
Tree-SHA512: 0ff05a449c153f7117a4a56efef04b2087c2330f4692f3390a0b1d95573785ac7ae3fe689ed0ec2ecc64b575d2489d6e341d32567e75a1a4b4d458c3ecd406a1
e83801f5db2cb63e6343eff0ecfa40b7cd4a9090 test: Warn if both `VERIFY` and `COVERAGE` are defined (Hennadii Stepanov)
Pull request description:
Solves one item in https://github.com/bitcoin-core/secp256k1/issues/1235.
Also see: https://github.com/bitcoin-core/secp256k1/pull/1113#discussion_r1127856040.
ACKs for top commit:
sipa:
utACK e83801f5db2cb63e6343eff0ecfa40b7cd4a9090
real-or-random:
ACK e83801f5db2cb63e6343eff0ecfa40b7cd4a9090
Tree-SHA512: 25e10a09ba2c3585148becd06f2a03d85306208bda333827c9ba73eb7fd94ad15536f10daf1b335703e5cb0539584f001501ce9c578f478ff1ebc1051aefde7d
27504d5c941df89bc828067248270179c9dcb04b ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe (Tim Ruffing)
Pull request description:
Don't ask me why this makes a difference. It may be some permission problem even though everything in Cirrus CI runs as root anyway. In any case, I'll probably get mad if I investigate this further.
Fixes#1326.
ACKs for top commit:
hebasto:
ACK 27504d5c941df89bc828067248270179c9dcb04b, tested in my personal Cirrus account.
Tree-SHA512: 08bb1734827579b59c705a44ee8fad6d504031eb5659c2743649be95fb048794b95ac0869a994bfa732f7f0714b4d12674c325637fe079b2266f18a3c14bbec0
Don't ask me why this makes a difference. It may be some permission
problem even though everything in Cirrus CI runs as root anyway. In
any case, I'll probably get mad if I investigate this further.
Fixes#1326.
6433175ffe2435bcee7333e21480e4194083caae Do not invoke fe_is_zero on failed set_b32_limit (Pieter Wuille)
Pull request description:
Noticed in the CI output of #1313 (https://cirrus-ci.com/task/5117786435878912)
The code violates the field element contract that states that a field element that comes out of a failed `secp256k1_fe_set_b32_limit` call cannot be used before overwriting it. This is not an issue in practice, as such failure can only occur with negligible probability, but the experimental compiler in that CI setting is technically correct in detecting this possibility.
Fix it by setting it to 1 based on a `secp256k1_fe_normalizes_to_zero` test rather than a `secp256k1_fe_is_zero` one (which does not require normalization).
ACKs for top commit:
stratospher:
ACK 6433175
real-or-random:
utACK 6433175ffe2435bcee7333e21480e4194083caae
Tree-SHA512: 49da4535181c4607c1f4d23d1fd7cd65e7751c7cfa68643f1da77f3ec7961754fc8553bb415137fd61d86c805fe69f5adf97c05b9dc4d3bf357ae7c6409cc51a
5768b502291ed4214cf84b7d80ff540ed57d45c4 build: Enable -DVERIFY for precomputation binaries (Tim Ruffing)
Pull request description:
because... why not?!
I realized that this can't hurt when working on #1313.
ACKs for top commit:
sipa:
ACK 5768b502291ed4214cf84b7d80ff540ed57d45c4
Tree-SHA512: 2412cb93097f5c7904cfded6816bc5cdc69d958b4023ddaffd6e7575615ac5bfcd3a7cfc9ce2c0b0e6526a6f000dd84ecd32909d9d207a3644aadb5d34905911
31b4bbee1e115865a8a3aff6ccf04f6108371c5d Make fe_cmov take max of magnitudes (Pieter Wuille)
Pull request description:
This addresses part of #1001.
The magnitude and normalization of the output of `secp256k1_fe_cmov` should not depend on the runtime value of `flag`.
ACKs for top commit:
real-or-random:
utACK 31b4bbee1e115865a8a3aff6ccf04f6108371c5d
stratospher:
ACK 31b4bbe.
Tree-SHA512: 08bef9f63797cb8a1f3ea63c716c09aaa267dfee285b74ef5fbb47d614569d2787ec73d21bce080214872dfe70246f73cea42ad3c24e6baccecabe3312f71433
3ad1027a4034da674aeee2a92dfba69b347bbe91 Revert "Remove unused scratch space from API" (Jonas Nick)
Pull request description:
This reverts commit 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b.
Removing the scratch space from the API may break bindings to the library.
ACKs for top commit:
sipa:
ACK 3ad1027a4034da674aeee2a92dfba69b347bbe91
real-or-random:
ACK 3ad1027a4034da674aeee2a92dfba69b347bbe91
Tree-SHA512: ad394c0a2f83fe3a5f400c0e8f2b9bf40037ce4141d4414e6345918f5e6003c61da02a538425a49bdeb5700f5ecb713bd58f5752c0715fb1fcc4950099fdc0e6
8c9ae37a5a26cdeb6365624fee43f41b238830e4 Add release note (Pieter Wuille)
350b4bd6e6efd3c62875820fdeb2740738937922 Mark stack variables as early clobber for technical correctness (Pieter Wuille)
0c729ba70d963f2798184b0b8524d7de2f3ced9f Bugfix: mark outputs as early clobber in scalar x86_64 asm (Pieter Wuille)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 8c9ae37a5a26cdeb6365624fee43f41b238830e4
jonasnick:
ACK 8c9ae37a5a26cdeb6365624fee43f41b238830e4
Tree-SHA512: 874d01f5540d14b5188aec25f6441dbc6631f8d3980416040a3e250f1aef75150068415e7a458a9a3fb0d7cbdeb97f5c7e089b187d6d3dd79aa6e45274c241b6
c6bb29b3037c6b5264f2d2916c5a2d38de25df19 build: Rename `64bit` to `x86_64` (Hennadii Stepanov)
03246457a8f7091e13af13a50d7ae33cf42e08b5 autotools: Add `SECP_ARM32_ASM_CHECK` macro (Hennadii Stepanov)
ed4ba238e2cb2f24301c1add238cf7ff062286c3 cmake: Add `check_arm32_assembly` function (Hennadii Stepanov)
e5cf4bf3ff9aac5b5897a8a9852cfbb84da0bfb1 build: Rename `arm` to `arm32` (Hennadii Stepanov)
Pull request description:
Closes https://github.com/bitcoin-core/secp256k1/issues/1034.
Solves one item in https://github.com/bitcoin-core/secp256k1/issues/1235.
ACKs for top commit:
real-or-random:
ACK c6bb29b3037c6b5264f2d2916c5a2d38de25df19 tested on x86_64 but not on ARM
Tree-SHA512: c3615a18cfa30bb2cc53be18c09ccab08fc800b84444d8c6b333347b4db039a3981da61e7da5086dd9f4472838d7c031d554be9ddc7c435ba906852bba593982
In the field 5x52 asm for x86_64, stack variables are provided as outputs.
The existing inputs are all forcibly allocated to registers, so cannot
coincide, but mark them as early clobber anyway to make this clearer.
In the existing code, the compiler is allowed to allocate the RSI register
for outputs m0, m1, or m2, which are written to before the input in RSI is
read from. Fix this by marking them as early clobber.
Reported by ehoffman2 in https://github.com/bitcoin-core/secp256k1/issues/766
5b32602295ff7ad9e1973f96b8ee8344b82f4af0 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille)
Pull request description:
Follow-up to #1205.
This splits the `secp256k1_fe_set_b32` function into two variants:
* `secp256k1_fe_set_b32_mod`, which returns `void`, reduces modulo the curve order, and only promises weakly normalized output.
* `secp256k1_fe_set_b32_limit`, which returns `int` indicating success/failure, and only promises valid output in case the input is in range (but guarantees it's strongly normalized in this case).
This removes one of the few cases in the codebase where normalization status depends on runtime values, making it fixed at compile-time instead.
ACKs for top commit:
real-or-random:
ACK 5b32602295ff7ad9e1973f96b8ee8344b82f4af0
jonasnick:
ACK 5b32602295ff7ad9e1973f96b8ee8344b82f4af0
Tree-SHA512: 4b93502272638c6ecdef4d74afa629e7ee540c0a20b377dccedbe567857b56c4684fad3af4b4293ed7ba35fed4aa5d0beaacdd77a903f44f24e8d87305919b61
cd54ac7c1cca509404b62e626a6291f434af88e8 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
28687b03128fbdd23a3f901297f523dfae2f82e3 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
97a98bed1ed479b1a23d8ae788020d8a6e081cf0 schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK cd54ac7c1cca509404b62e626a6291f434af88e8. I didn't verify the included test vectors match the BIP.
jonasnick:
ACK cd54ac7c1cca509404b62e626a6291f434af88e8
Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816
17fa21733aae97bf671fede3ce528c7a3b2f5f14 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
5fb336f9ce7d287015ada5d1d6be35d63469c9a4 ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14
jonasnick:
ACK 17fa21733aae97bf671fede3ce528c7a3b2f5f14
Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121
712e7f8722eba5dec2bc6b37d75aadeb6f6e633b Remove unused scratch space from API (Jonas Nick)
Pull request description:
Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff.
ACKs for top commit:
sipa:
ACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b
real-or-random:
utACK 712e7f8722eba5dec2bc6b37d75aadeb6f6e633b
Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44
- secp256k1_scalar_cadd_bit
- secp256k1_modinvXX_normalize_YY
- secp256k1_modinvXX_divsteps_ZZ
- ECMULT_CONST_TABLE_GET_GE
Even though those code loations are not problematic right now
(with current compilers).
