376733b58b musig-spec: clarify hashing in noncegen by converting ints to bytes (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 376733b58b
Tree-SHA512: c4708c476094d242fe7312177e345932bd40b52549007b43d2e5e4efc094101624d8583647f305bcbd042692a9d0117eda38f71e22fee0e0f49d677d9f512a8e
b7f8ea2f2a musig-spec: address robot-dreams' comments (Jonas Nick)
Pull request description:
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
ACKs for top commit:
real-or-random:
ACK b7f8ea2f2a
Tree-SHA512: 6f9066af2f67b6d2769f38ebb2537769568e77bab18d487590a0095a695eab5c34a7177e4d299f27e3e30628dd07aff831f3f08db256cf2ae13ea0d92f3e18b8
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
fd51a6281e musig-spec: add authors (Jonas Nick)
f56e223a7a musig-spec: explain NonceGen and tweaking in signing flow context (Jonas Nick)
e463ea42bb musig-spec: mention stateless signing in signing flow (Jonas Nick)
a29b961eb7 musig-spec: add acknowledgements and improve abstract (Jonas Nick)
1a086ba9c9 musig-spec: add optional arguments to strengthen nonce function (Jonas Nick)
8d04ac318f musig-spec: remove unnecessary and inconsistent input paragraph (Jonas Nick)
Pull request description:
Based on #177
It's likely we're missing people in the acknowledgements. Ping me if you think you are.
ACKs for top commit:
real-or-random:
ACK fd51a6281e
Tree-SHA512: 5240b783c15f76655b2593422dc7c76de1c5e298bbe2f39858daca4ee1b1877f1ff179b4043e6f1f75f8c804b734f4bb739d38a18a54b094d8640c57fd074ed9
645d9c53c4 examples: let musig use random.h instead of /dev/urandom (Jonas Nick)
eccba5b4e5 examples: relicense musig example to CC0 public domain (Jonas Nick)
7c5af740fa ci: fix missing EXPERIMENTAL flags (Jonas Nick)
03bea1e173 configure: add -zkp modules to dev-mode and remove redundant code (Jonas Nick)
2adb741c45 examples: rename example_musig to musig_example for consistency (Jonas Nick)
37d36927df tests: Add tests for _read_be32 and _write_be32 (Tim Ruffing)
616b43dd3b util: Remove endianness detection (Tim Ruffing)
8d89b9e6e5 hash: Make code agnostic of endianness (Tim Ruffing)
55512d30b7 doc: clean up module help text in configure.ac (Elliott Jin)
d9d94a9969 doc: mention optional modules in README (Elliott Jin)
7f09d0f311 README: mention that ARM assembly is experimental (Jonas Nick)
80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental (Jonas Nick)
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
f8d9174357 Add SHA256 bit counter tests (Tim Ruffing)
9b514ce1d2 Add test vector for very long SHA256 messages (Tim Ruffing)
8e3dde1137 Simplify struct initializer for SHA256 padding (Tim Ruffing)
eb28464a8b Change SHA256 byte counter from size_t to uint64_t (Tim Ruffing)
21b2ebaf74 configure: Remove redundant pkg-config code (Tim Ruffing)
0d253d52e8 configure: Use modern way to set AR (Tim Ruffing)
e0838d663d configure: Add hidden --enable-dev-mode to enable all the stuff (Tim Ruffing)
fabd579dfa configure: Remove redundant code that sets _enable variables (Tim Ruffing)
0d4226c051 configure: Use canonical variable prefix _enable consistently (Tim Ruffing)
7c9502cece Add a copy of the CC0 license to the examples (Elichai Turkel)
42e03432e6 Add usage examples to the readme (Elichai Turkel)
517644eab1 Optionally compile the examples in autotools, compile+run in travis (Elichai Turkel)
422a7cc86a Add a ecdh shared secret example (Elichai Turkel)
b0cfbcc143 Add a Schnorr signing and verifying example (Elichai Turkel)
fee7d4bf9e Add an ECDSA signing and verifying example (Elichai Turkel)
e848c3799c Update sage files for new formulae (Peter Dettman)
d64bb5d4f3 Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff Further improve doubling formula using fe_half (Peter Dettman)
557b31fac3 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a42 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257ed Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e Add _fe_half and use in _gej_add_ge (Peter Dettman)
3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count (Tim Ruffing)
c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs (Tim Ruffing)
e51ad3b737 ci: Retry `brew update` a few times to avoid random failures (Tim Ruffing)
b1cb969e8a ci: Revert "Attempt to make macOS builds more reliable" (Tim Ruffing)
e0db3f8a25 build: Replace use of deprecated autoconf macro AC_PROG_CC_C89 (laanwj)
d9396a56da ci: Attempt to make macOS builds more reliable (Tim Ruffing)
ebb1beea78 sage: Ensure that constraints are always fastfracs (Tim Ruffing)
d8d54859ed ci: Run sage prover on CI (Tim Ruffing)
77cfa98dbc sage: Normalize sign of polynomial factors in prover (Tim Ruffing)
eae75869cf sage: Exit with non-zero status in case of failures (Tim Ruffing)
b54d843eac sage: Fix printing of errors (Tim Ruffing)
e108d0039c sage: Fix incompatibility with sage 9.4 (Tim Ruffing)
b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad1 Move secp256k1_fe_one to field.h (Russell O'Connor)
070e772211 Faster fixed-input ecmult tests (Pieter Wuille)
45f37b6506 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes#1063. (Paul Miller)
Pull request description:
[bitcoin-core/secp256k1#1064]: Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes#1063
[bitcoin-core/secp256k1#1049]: Faster fixed-input ecmult tests
[bitcoin-core/secp256k1#899]: Reduce stratch space needed by ecmult_strauss_wnaf.
[bitcoin-core/secp256k1#1068]: sage: Fix incompatibility with sage 9.4
[bitcoin-core/secp256k1#1072]: ci: Attempt to make macOS builds more reliable
[bitcoin-core/secp256k1#1069]: build: Replace use of deprecated autoconf macro AC_PROG_CC_C89
[bitcoin-core/secp256k1#1074]: ci: Retry brew update a few times to avoid random failures
[bitcoin-core/secp256k1#1026]: ecdh: Add test computing shared_secret=basepoint with random inputs
[bitcoin-core/secp256k1#1033]: Add _fe_half and use in _gej_add_ge and _gej_double
[bitcoin-core/secp256k1#748]: Add usage examples
[bitcoin-core/secp256k1#1079]: configure: Add hidden --enable-dev-mode to enable all the stuff
[bitcoin-core/secp256k1#1088]: configure: Use modern way to set AR
[bitcoin-core/secp256k1#1090]: configure: Remove redundant pkg-config code
[bitcoin-core/secp256k1#731]: Change SHA256 byte counter from size_t to uint64_t
[bitcoin-core/secp256k1#1089]: Schnorrsig API improvements
[bitcoin-core/secp256k1#995]: build: stop treating schnorrsig, extrakeys modules as experimental
[bitcoin-core/secp256k1#1094]: doc: Clarify configure flags for optional modules
[bitcoin-core/secp256k1#1093]: hash: Make code agnostic of endianness
This PR can be recreated with `./sync-upstream.sh range 8746600eec5e7fcd35dabd480839a3a4bdfee87b`.
ACKs for top commit:
real-or-random:
ACK 645d9c53c4 I rederived the tree, and tested it with MSVC, including the musig example
Tree-SHA512: 3b771630806ed8481053958c21820dce6e869371833cd18a5c430a2768bda8064ad2bb247afbe38e3fa37320a8b1dbbe65ad68c8963efb995d96aa29ae574884
c715407b4f musig-spec: fix partial sig verification note in intro (Jonas Nick)
11fb8a664b musig-spec: expand on signing flow (Jonas Nick)
Pull request description:
based on #173
ACKs for top commit:
real-or-random:
ACK c715407b4f
Tree-SHA512: def3158157e3b369ede5469501d4899bfe0dd0ec7282883847e0dd58d7874761cf681b9416e79e01d84873446a5187b330fb3b30533059216db8178dd1dd0548
79472c7ee5 configure: Check compile+link when checking existence of functions (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 79472c7ee5
Tree-SHA512: 947f794138636390d74366d9d06eb18f315f038a8555d1057c407f5592f1bd432a74c94ab758a85a5d8324908f46656518ebce30124f56a9d9c3936d144789ae
37d36927df tests: Add tests for _read_be32 and _write_be32 (Tim Ruffing)
616b43dd3b util: Remove endianness detection (Tim Ruffing)
8d89b9e6e5 hash: Make code agnostic of endianness (Tim Ruffing)
Pull request description:
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
ACKs for top commit:
sipa:
utACK 37d36927df
robot-dreams:
ACK 37d36927df
Tree-SHA512: b03cec67756fb3c94ca8e7e06f974136050efd5065f392dba6eed4d0dbe61dbf93dad054627267225bac1bb302bb025f86588612ef7d4beeb834466686c70b8f
- add BIP header & abstract
- rename MuSig to MuSig2 because some people may want to use the 3-round version
- remove applications because we don't need to motivate an informational BIP
- x-only -> X-only
- remove overly repetetitive "The algorithm [...] is defined as"
- move "Remarks" and "Design" out of "Description" section and move "Test
vectors and ..." into "Description" section. The idea is that the Description
contains everything that is absolutely required to implement the BIP (safely).
55512d30b7 doc: clean up module help text in configure.ac (Elliott Jin)
d9d94a9969 doc: mention optional modules in README (Elliott Jin)
Pull request description:
ACKs for top commit:
real-or-random:
utACK 55512d30b7
jonasnick:
ACK 55512d30b7
Tree-SHA512: ae4ec355730983117c5e9a8a8abd17aaf42afe6f8f8f7474a551df6269a62094883e0827d2f3642e3ed6eb26cf71982c20f7ac27498cb4bd7e4aea57ec308d6a
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
7f09d0f311 README: mention that ARM assembly is experimental (Jonas Nick)
80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental (Jonas Nick)
Pull request description:
Fixes#992
ACKs for top commit:
real-or-random:
ACK 7f09d0f311
fanquake:
ACK 7f09d0f311 - When this is in, I think we'll do a subtree update in Core, and prune some build cruft on our side.
Tree-SHA512: 13deb82dcca88bacb2cd5c1c589a8d4af2277c4d675262337ae4d7e93eb41d43825dda4945ca1c202c36aaa2e6fd42de9c6d711fe8d71bce578368281db698b2
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
Pull request description:
Should be merged before #995 if we want this.
I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.
ACKs for top commit:
sipa:
utACK b8f8b99f0f
jonasnick:
ACK b8f8b99f0f
Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
f8d9174357 Add SHA256 bit counter tests (Tim Ruffing)
9b514ce1d2 Add test vector for very long SHA256 messages (Tim Ruffing)
8e3dde1137 Simplify struct initializer for SHA256 padding (Tim Ruffing)
eb28464a8b Change SHA256 byte counter from size_t to uint64_t (Tim Ruffing)
Pull request description:
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
This also simplifies the struct initializer for the padding.
Since missing elements are initialized with zeros, this change is
purely syntactical.
ACKs for top commit:
sipa:
utACK f8d9174357
jonasnick:
ACK f8d9174357
Tree-SHA512: 4fba64b255ef34bb144e4ac6d796798d620d6a7a0f3be409a46b98a8aedb129be19a6816b07caa4d1a3862a01769b42ce70240690fddc6231d591e6c06252750
eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec (Jonas Nick)
57eb6b4167 musig-spec: move description of secret key negation to spec (Jonas Nick)
633d01add0 musig-spec: add x-only and ordinary tweaking to musig (Jonas Nick)
aee0747e38 musig-spec: add general description of tweaking (Jonas Nick)
fb060a0c4e musig-spec: add Session Context to simplify sign/verify/sigagg (Jonas Nick)
3aec4332b5 musig-spec: move remarks on spec below specification section (Jonas Nick)
628d52c718 musig-spec: fix title/abstract and make algo names bold (Jonas Nick)
5b760cc172 musig-spec: consistently call partial sigs psig (Jonas Nick)
f0edc90755 musig: fix number of tweaks in tweak_test (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK eac0df1379 -- I haven't checked all the indices etc, so this is more of a Concept ACK than a "pseudocode review ACK" but we we have the ACK by Brandon and this is anyway still a draft, so I think this is good to be merged.
Tree-SHA512: 9e16e7892e103205d96060158a7a6c01480d2b59300bbf9f0655b4d26586e632be8b8f656fe07c7ece1421ec91e0b387d6fcf363db7aedc0402d265b1d9df474
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
Besides reducing the number of arguments, this also removes the R argument from
PartialSigAgg which was not defined precisely:
* The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point
Moreover, this paves the way for adding the tweaking, which requires
PartialSigAgg to also have access to challenge e and can now be easily computed
from the Session Context.
