-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sync Upstream #159
Sync Upstream #159
Conversation
This is a pedantic case of UB.
…1_fe_from_storage` to call `secp256k1_fe_verify` 1. secp256k1_fe_verify is removed from tests since, it throws an error if VERIFY is not defined during compilation. (Ex: ./configure --enable-coverage) 2. `secp256k1_fe_from_storage` calls `secp256k1_fe_verify` in the VERIFY build to check for invalid field element.
… from tests.c and modify `_fe_from_storage` to call `_fe_verify` d439937 tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify` (siv2r) Pull request description: ACKs for top commit: roconnor-blockstream: utACK d439937 diff looks correct, I also didn't run the tests locally. real-or-random: utACK d439937 diff looks correct, I didn't run the tests locally jonasnick: ACK d439937 ran tests with `--enable-coverage` Tree-SHA512: c3c9ecf8e9b7dfdcd1144ddcf8bcc637996c699dbd0fc6223e6186d082908728468fa276b09c6f344e036ca05f54432dde6366a83eb39f915a334164faadd556
…building without VERIFY 189f6bc Fix unused parameter warnings when building without VERIFY (Jonas Nick) Pull request description: This commit makes `./configure --enable-coverage && make check` free of warnings. ACKs for top commit: practicalswift: cr ACK 189f6bc elichai: utACK 189f6bc siv2r: Tested ACK 189f6bc Tree-SHA512: 727fe0e40ff61f404780b32dfa4102a58bed9d922e61bd17ddaaf1243b0c06edd9697ff4763b5e92d033e7db3778193bee07d85cfa3b9c46d45e5fec3f568009
…hnorrsig_sign const db4667d Make aux_rand32 arg to secp256k1_schnorrsig_sign const (Pieter Wuille) Pull request description: ACKs for top commit: real-or-random: ACK db4667d diff looks good jonasnick: ACK db4667d Tree-SHA512: 6f003c856b0e11f3f41f6d8007470129f02f9075416c6a5d3904f8efb5fa461f38e600a6b31d326314b2961946c8c6b3bca1a8e9b333b52e099a6f023a04c698
bc08599 Remove OpenSSL testing support (Pieter Wuille) Pull request description: This removes the ability to test against OpenSSL, as well as the OpenSSL verification benchmark. The motivation is that OpenSSL 3 is deprecating part of the API used here (see #869), and I'm not sure it's worth maintaining. We do lose the fact that this is the only test that verifies randomly-generated cases against an independent implementation. On the other hand, there are tons of existing fixed tests now that test all kinds of edge cases already. ACKs for top commit: elichai: tACK bc08599 real-or-random: ACK bc08599 jonasnick: ACK bc08599 Tree-SHA512: 632e6d3cf7bbc5828f5ca1f0f2a92c80bcb681bbcd4320c352b4a86fd521e410c852ccebcfc30fadc8fbf86649267a9e521f53e0f78072a8cd74d8726da28973
9be7b0f Avoid computing out-of-bounds pointer. (Tim Ruffing) Pull request description: This is a pedantic case of UB. Spotted in #879. ACKs for top commit: elichai: ACK 9be7b0f practicalswift: cr ACK 9be7b0f sipa: ACK 9be7b0f Tree-SHA512: a9d028c4cdb37ad0d5fcf0d2f678eef732a653d37155a69a20272c6b283c28e083172485d7a37dc4a7c6100b22a6f5b6a92e729239031be228cc511842ee35e8
…n 5x52 field mul/sqr b53e0cd Avoid overly-wide multiplications (Peter Dettman) Pull request description: Speeds up bench_ecdh, bench_sign, bench_verify relative to master by 5+% at -O3, haswell. ACKs for top commit: sipa: ACK b53e0cd real-or-random: ACK b53e0cd I've inspected the diff and run the tests without asm for a CPU day Tree-SHA512: 4f79c98371a3dc9da013632210c8db979f910b222291999dfaa0c31849a77eb427361e4ab9206cbfee73c30a8933178784d6cb8e747e8dca6b227eb77fbea2a2
1. add `print_output_table_header_row` func to print the table header for benchmark output 2. modify the following benchmarks to include the table header - bench_ecdh.c - bench_ecmult.c - bench_internal.c - bench_recover.c - bench_schnorrsig.c - bench_sign.c - bench_verify.c
044d956 Fix G.y parity in sage code (Pieter Wuille) Pull request description: I'm not sure if `EllipticCurve.lift_x` has well-defined Y coordinate or not, but at least my current version of Sage computes the wrong G. Fix this. ACKs for top commit: real-or-random: ACK 044d956 Tree-SHA512: afb919af29027da2bb3c58628924f9740672d3c347ad39cc663c9c399b1aa8536256fd3fd4e1e54457e38344704d47f281d82488da413f4e6e67e191decc960f
… line and CSV outputs b4b1306 create csv file from the benchmark output (siv2r) 26a255b Shared benchmark format for command line and CSV outputs (siv2r) Pull request description: ACKs for top commit: real-or-random: ACK b4b1306 jonasnick: ACK b4b1306 Tree-SHA512: 1eebbdd7701ad21d9647434ff05f23827be217d47870bb05a2fdb12447abc365fc6e56306f344e05d8d2ec1ff5532562131b3876261733e4412117357c5c65f8
Previously "ecmult{,_multi} xg" meant multiplication with (x - 1) random points and base point G. Now - ecmult_{,multi_}xp means multiplication with x random points and - ecmult_{,multi_}xp_g means multiplication with x random points and G
This makes the semantic of have_flag more clear and fixes a bug that was introduced in 2fe1b50 Add ecmult_gen, ecmult_const and ecmult to benchmark where the behavior introduced by this commit was already assumed. If bench_ecmult was called without arguments, have_flag("simple") returned 1 and no scratch space was allocated which led to very wrong output.
…tput 23e2f66 bench: don't return 1 in have_flag() if argc = 1 (Jonas Nick) 96b1ad2 bench_ecmult: improve clarity of output (Jonas Nick) Pull request description: Previously "ecmult{,_multi} xg" meant multiplication with (x - 1) random points and base point G. Now - xP means multiplication with x random points and - xP & G means multiplication with x random points and G ACKs for top commit: siv2r: tACK 23e2f66 real-or-random: ACK 23e2f66 Tree-SHA512: 0218aaa0baa4c2f92a7b98c97b8cc3b596e3da44d7f38ab4bdd707a4bdb96bb071b953fc6106cd34977a562278e4eaa860a3a7fa64c323c5117945e7a3107162
…56k1_fe_set_int. 2888640 VERIFY_CHECK precondition for secp256k1_fe_set_int. (Russell O'Connor) d49011f Make _set_fe_int( . , 0 ) set magnitude to 0 (Tim Ruffing) Pull request description: Also set the magnitude to 0 when setting the value to 0. ACKs for top commit: real-or-random: ACK 2888640 jonasnick: ACK 2888640 Tree-SHA512: 6ec9b3485380503b11c00f30bfa79f92ba3facb93ee4f3df582b881c4e19fb8ae8b5acd5aeb6326497c290cd0904230d0356f33bd136ca577d2f25616279e090
BIP340's default signing algorithm always requires an aux_rnd argument, but permits using an all-zero one when no randomness is available. Make secp256k1_schnorrsig_sign follow this even when aux_rnd32==NULL, by treating the same as if an all-zero byte array was provided as input.
…cal to 0x0000..00. 5324f89 Make aux_rnd32==NULL behave identical to 0x0000..00. (Pieter Wuille) Pull request description: BIP340's default signing algorithm always requires an aux_rnd argument, but permits using an all-zero one when no randomness is available. Make secp256k1_schnorrsig_sign follow this even when aux_rnd32==NULL, by treating the same as if an all-zero byte array was provided as input. ACKs for top commit: junderw: ACK 5324f89 elichai: ACK 5324f89 jonasnick: ACK 5324f89 real-or-random: utACK 5324f89 Tree-SHA512: caa1d5a0eacea3239d8aaace5284eedcd850058bbe759768e626233a010199db6c637618aedccfb51fe94ec8d28f45bc0c441be77e2e12fa2a393b9cc3a5d3ae
… field_5x52_impl.h comment 1287786 doc: Add comment to top of field_10x26_impl.h (Elliott Jin) 58da5bd doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin) Pull request description: When reviewing #816 I noticed the upper bounds in the comment at the top of `field_5x52_impl.h` were off by 1 (see `fe_verify`). This PR fixes the upper bounds and also cleans up the comment along the way. ACKs for top commit: real-or-random: ACK 1287786 Tree-SHA512: 4b7dadc92451ab1ceb5a547a3101ff37f3ffd0645490563f1f3442ea8d6219f100ed914289d22435c4172d190fa1ff52e37e4464132bb3f9bbcc338488227f7b
b4ac1a1 ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing) e70acab ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing) d07e301 ci: Update brew on macOS (Tim Ruffing) 22382f0 ci: Test different ecmult window sizes (Tim Ruffing) 26a022a ci: Remove STATICPRECOMPUTATION (Tim Ruffing) 10461d8 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing) Pull request description: ACKs for top commit: elichai: utACK b4ac1a1 jonasnick: ACK b4ac1a1 Tree-SHA512: b283d7b1c72cf87484de1fe98318298698fe9982dc33389eaca62e92318ab0074c183b9799add274f46358032491fee875e5ffb2a76a47f3b07520b850f4c85e
A compiler may add struct padding and fe_cmov is not guaranteed to preserve it. On the way, we improve the identity check such that it covers the VERIFY struct members.
Changes: - move `secp256k1_ecmult_odd_multiples_table_globalz_windowa` function from ecmult to ecmult_const - remove outdated comment
…s_table_globalz_windowa` 05e049b ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r) Pull request description: Fixes #1035 **Changes:** - move `secp256k1_ecmult_odd_multiples_table_globalz_windowa` function from ecmult to ecmult_const - remove outdated comment ACKs for top commit: robot-dreams: utACK 05e049b (`diff` between removed and added lines is exactly as expected) real-or-random: utACK 05e049b Tree-SHA512: 3fad4e93c641b642e84f4bbafcb8083d3e63b0523009fe0edcb2c1ebe1571d822320451289c651403ed1dc033ec6a7a3e8c3c56ad93d81bb1590cf9ff15a3b34
3ed0d02 doc: add CHANGELOG template (Jonas Nick) 6f42dc1 doc: add release_process.md (Jonas Nick) 0bd3e42 build: set library version to 0.0.0 explicitly (Jonas Nick) b4b02fd build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick) Pull request description: This is an attempt at a simple release process. Fixes #856. To keep it simple, there is no concept of release candidates for now. The release version is determined by semantic versioning of the API. Since it does not seem to be a lot of work, it is proper to also version the ABI with the libtool versioning system. This versioning scheme (semver API, libtool versioning ABI) follows the suggestion in the [autotools mythbusters](https://autotools.io/libtool/version.html). Experimental modules are a bit of a headache, as expected. This release process suggests to treat any change in experimental modules as backwards compatible. That way, users of stable modules are not bothered by frequent non-backwards compatible releases. But a downside is that one must not use experimental modules in shared libraries (which should be mentioned in the README?). It would be nice if we could make the schnorrsig module stable in the not too distant future (see also #817). ACKs for top commit: apoelstra: utACK 3ed0d02 elichai: ACK 3ed0d02 sipa: ACK 3ed0d02 real-or-random: ACK 3ed0d02 Tree-SHA512: 25a04335a9579e16de48d378b93a9c6a248529f67f7c436680fa2d495192132743ce016c547aa9718cdcc7fe932de31dd7594f49052e8bd85572a84264f2dbee
…9 for tests 77a1975 Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille) 5f2efe6 secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille) Pull request description: Just some easy low-hanging fruit. It's complete overkill to use the RFC6979 RNG for our test randomness. Replace it with a modern non-cryptographic RNG with good properties. It's a few % speedup for me. Given the internal naming of all these functions to be "testrand", I'm not concerned about the risk of someone using this for something that needs actual cryptographic randomness. ACKs for top commit: robot-dreams: ACK 77a1975 real-or-random: utACK 77a1975 Tree-SHA512: 2706f37689e037e84b5df25c98af924c0756e6d59f5f822b23aec5ba381b2d536e0848f134026e2568396427218f1c770f1bb07613d702efb23a84015dc9271d
…plementation-defined 3d7cbaf tests: Fix test whose result is implementation-defined (Tim Ruffing) Pull request description: A compiler may add struct padding and fe_cmov is not guaranteed to preserve it. On the way, we restore the name of the function. It was mistakenly renamed in 6173839 using "search and replace". ACKs for top commit: robot-dreams: ACK 3d7cbaf sipa: utACK 3d7cbaf Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
e82144e Fixup skew before global Z fixup (Peter Dettman) 40b624c Add tests for _gej_cmov (Peter Dettman) 8c13a9b ECDH skews by 0 or 1 (Peter Dettman) 1515099 Simpler and faster ecdh skew fixup (Peter Dettman) Pull request description: This PR adds a `_gej_cmov` method, with accompanying tests, and uses it to simplify the skew fixup at the end of `_ecmult_const`. In the existing code, `_wnaf_const` chooses a skew of either 1 or 2, and `_ecmult_const` needs a call to `_ge_set_gej` (which does an expensive field inversion internally) and some overly-complicated conversions to/from `_ge_storage` so that `_ge_storage_cmov` can be used to select what value to add for the fixup. This PR uses a simpler scheme where `_wnaf_const` chooses a skew of 0 or 1 and no longer needs special handling for scalars with value negative one. A new `_gej_cmov` method is used at the end of `_ecmult_const` for const-time optional addition to adjust the final result for the skew. Finally, the skew fixup is moved to before the global-Z adjustment, and the precomputed table entries (for 1P, λ(1P)) are used for the skew fixup, saving a field multiply and ensuring the fixup is done on the same isomorphism as the ladder. The resulting `_wnaf_const` and `_ecmult_const` are shorter and simpler, and the ECDH benchmark is around 5% faster (64bit, i7). Edit: Updated description once the final scope was clear. ACKs for top commit: apoelstra: ACK e82144e sipa: ACK e82144e real-or-random: ACK e82144e Tree-SHA512: 10d6770f4ef4f8d0c78abbf58d643f25f5daef68896643af0a3f7f877414e23356724b6f20af2027316a4353a35b8cb0a7851e057a3f6483897df02bf033a8a2
da0092b 10f9bd8 297ce82 f34b5ca 920a0e5 9526874 aa1b889 20d791e 3e7b2ea 21c188b 8fa4120 515a5db c74a7b7 74c34e7 7006f1b ea5e8a9 793ad90 2e5e4b6 fecf436 49f608d 4900227 6ad908a 4f01840 61ae37c 486205a 5d0dbef 0559fc6 be6944a a69df3a b39d431 0b83b20 09971a3 9281c9f 423b6d1 a310e79 39a36db a1102b1 Deal with - secp256k1_test_rng removal in commit 77a1975 - ecmult_gen context simplification after making table static in commit 3b0c218
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK 72c8dea
Checked that all the merge conflicts were resolved sensibly (none were particularly serious, mostly they were related to the benchmark refactorings). A bit annoying that we have so many CHECK
macros to change. Maybe we should change our idiom here to not hardcode numbers.
e.g. |
The API tests of upstream functions were similarly amended in commit 3b0c218.
@apoelstra That's a good idea and thanks for your review. I added a commit that adds API tests for static contexts for the functions whose API tests were fixed in the merge commit (similar to what upstream did). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK b7ebe64
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK b7ebe64 diff looks good. tested on my machine, also on valgrind.
7a30cb0c9d Merge BlockstreamResearch/secp256k1-zkp#187: musig-spec: remove it from this repo cc07b8f7a9 musig-spec: remove it c1640b7049 Merge BlockstreamResearch/secp256k1-zkp#166: musig-spec: Add naive Python reference implementation c235e5055f musig-spec: Add naive Python reference implementation d45fbdcfad Merge BlockstreamResearch/secp256k1-zkp#180: musig: add test vectors for applying multiple tweaks 9a814bea32 Merge BlockstreamResearch/secp256k1-zkp#186: musig-spec: Minor cleanup 67247e53af musig-spec: More minor cleanup 9a1645f0ef Merge BlockstreamResearch/secp256k1-zkp#184: musig-spec: minor fixups bf615193ce musig-spec: minor fixups ebd10f210b Merge BlockstreamResearch/secp256k1-zkp#185: musig-spec: Clarify negation for signing and verification 0940575215 musig-spec: Clarify negation for signing and verification 18a35ec1af Merge BlockstreamResearch/secp256k1-zkp#183: Improve writing in Signing flow 1b292cdb52 Improve writing in Signing flow a86bfa991a Merge BlockstreamResearch/secp256k1-zkp#181: musig-spec: clarify hashing in noncegen by converting ints to bytes 4469cad42f Merge BlockstreamResearch/secp256k1-zkp#182: musig-spec: address robot-dreams' comments b7f8ea2f2a musig-spec: address robot-dreams' comments 376733b58b musig-spec: clarify hashing in noncegen by converting ints to bytes 510b61a803 musig: add test vectors for applying multiple tweaks ac477d5148 Merge BlockstreamResearch/secp256k1-zkp#179: musig-spec: Improve writing in Motivation, Design d903c09fd2 musig-spec: Improve writing in Motivation, Design 1d0d60d9eb Merge BlockstreamResearch/secp256k1-zkp#178: musig-spec: expand on signing flow fd51a6281e musig-spec: add authors f56e223a7a musig-spec: explain NonceGen and tweaking in signing flow context e463ea42bb musig-spec: mention stateless signing in signing flow a29b961eb7 musig-spec: add acknowledgements and improve abstract 1a086ba9c9 musig-spec: add optional arguments to strengthen nonce function 8d04ac318f musig-spec: remove unnecessary and inconsistent input paragraph 6c0aecf72b Merge BlockstreamResearch/secp256k1-zkp#174: Upstream PRs 1064, 1049, 899, 1068, 1072, 1069, 1074, 1026, 1033, 748, 1079, 1088, 1090, 731, 1089, 995, 1094, 1093 eafcd04216 Merge BlockstreamResearch/secp256k1-zkp#176: musig-spec: expand on signing flow c715407b4f musig-spec: fix partial sig verification note in intro 11fb8a664b musig-spec: expand on signing flow 43c853fa28 Merge BlockstreamResearch/secp256k1-zkp#173: musig-spec: Add motivation and design sections 3deaa006a0 Merge BlockstreamResearch/secp256k1-zkp#175: configure: Check compile+link when checking existence of functions 79472c7ee5 configure: Check compile+link when checking existence of functions 645d9c53c4 examples: let musig use random.h instead of /dev/urandom eccba5b4e5 examples: relicense musig example to CC0 public domain 802b7daf23 musig-spec: add motivation and design sections 7c5af740fa ci: fix missing EXPERIMENTAL flags 03bea1e173 configure: add -zkp modules to dev-mode and remove redundant code 2adb741c45 examples: rename example_musig to musig_example for consistency 8298c0c79b Merge commits 'c8aa516b 0a40a486 d8a24632 85b00a1c 59547943 5dcc6f8d 07752831 3ef94aa5 1253a277 64b34979 ac83be33 0e5cbd01 e0508ee9 587239db 1ac7e31c d0ad5814 912b7ccc 8746600e ' into temp-merge-1093 8746600eec Merge bitcoin-core/secp256k1#1093: hash: Make code agnostic of endianness 686d96222d musig-spec: various cleanups ef537b2065 musig-spec: fix unnecessary O(n^2) KeyAgg runtime 37d36927df tests: Add tests for _read_be32 and _write_be32 912b7ccc44 Merge bitcoin-core/secp256k1#1094: doc: Clarify configure flags for optional modules 55512d30b7 doc: clean up module help text in configure.ac d9d94a9969 doc: mention optional modules in README 616b43dd3b util: Remove endianness detection 8d89b9e6e5 hash: Make code agnostic of endianness d0ad5814a5 Merge bitcoin-core/secp256k1#995: build: stop treating schnorrsig, extrakeys modules as experimental 1ac7e31c5b Merge bitcoin-core/secp256k1#1089: Schnorrsig API improvements 587239dbe3 Merge bitcoin-core/secp256k1#731: Change SHA256 byte counter from size_t to uint64_t f8d9174357 Add SHA256 bit counter tests d13429e28c Merge BlockstreamResearch/secp256k1-zkp#167: Add ordinary and x-only tweaking to spec and simplify implementation eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec 57eb6b4167 musig-spec: move description of secret key negation to spec 633d01add0 musig-spec: add x-only and ordinary tweaking to musig aee0747e38 musig-spec: add general description of tweaking fb060a0c4e musig-spec: add Session Context to simplify sign/verify/sigagg 3aec4332b5 musig-spec: move remarks on spec below specification section 628d52c718 musig-spec: fix title/abstract and make algo names bold 5b760cc172 musig-spec: consistently call partial sigs psig 7f09d0f311 README: mention that ARM assembly is experimental b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs f813bb0df3 schnorrsig: Adapt example to new API 99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions 3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated 80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental e0508ee9db Merge bitcoin-core/secp256k1#1090: configure: Remove redundant pkg-config code 21b2ebaf74 configure: Remove redundant pkg-config code 0e5cbd01b3 Merge bitcoin-core/secp256k1#1088: configure: Use modern way to set AR 0d253d52e8 configure: Use modern way to set AR 9b514ce1d2 Add test vector for very long SHA256 messages 8e3dde1137 Simplify struct initializer for SHA256 padding eb28464a8b Change SHA256 byte counter from size_t to uint64_t ac83be33d0 Merge bitcoin-core/secp256k1#1079: configure: Add hidden --enable-dev-mode to enable all the stuff e0838d663d configure: Add hidden --enable-dev-mode to enable all the stuff fabd579dfa configure: Remove redundant code that sets _enable variables 0d4226c051 configure: Use canonical variable prefix _enable consistently 64b34979ed Merge bitcoin-core/secp256k1#748: Add usage examples 7c9502cece Add a copy of the CC0 license to the examples 42e03432e6 Add usage examples to the readme 517644eab1 Optionally compile the examples in autotools, compile+run in travis 422a7cc86a Add a ecdh shared secret example b0cfbcc143 Add a Schnorr signing and verifying example fee7d4bf9e Add an ECDSA signing and verifying example 1253a27756 Merge bitcoin-core/secp256k1#1033: Add _fe_half and use in _gej_add_ge and _gej_double 3ef94aa5ba Merge bitcoin-core/secp256k1#1026: ecdh: Add test computing shared_secret=basepoint with random inputs 3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs 077528317d Merge bitcoin-core/secp256k1#1074: ci: Retry brew update a few times to avoid random failures e51ad3b737 ci: Retry `brew update` a few times to avoid random failures b1cb969e8a ci: Revert "Attempt to make macOS builds more reliable" f0edc90755 musig: fix number of tweaks in tweak_test 5dcc6f8dbd Merge bitcoin-core/secp256k1#1069: build: Replace use of deprecated autoconf macro AC_PROG_CC_C89 59547943d6 Merge bitcoin-core/secp256k1#1072: ci: Attempt to make macOS builds more reliable 85b00a1c65 Merge bitcoin-core/secp256k1#1068: sage: Fix incompatibility with sage 9.4 ebb1beea78 sage: Ensure that constraints are always fastfracs d8d54859ed ci: Run sage prover on CI 77cfa98dbc sage: Normalize sign of polynomial factors in prover eae75869cf sage: Exit with non-zero status in case of failures d9396a56da ci: Attempt to make macOS builds more reliable e0db3f8a25 build: Replace use of deprecated autoconf macro AC_PROG_CC_C89 e848c3799c Update sage files for new formulae d64bb5d4f3 Add fe_half tests for worst-case inputs b54d843eac sage: Fix printing of errors 725d895fc5 Merge BlockstreamResearch/secp256k1-zkp#165: musig-spec: improve security argument for handling infinity 4eb8b932ff Further improve doubling formula using fe_half 557b31fac3 Doubling formula using fe_half 2cbb4b1a42 Run more iterations of run_field_misc 9cc5c257ed Add test for secp256k1_fe_half 925f78d55e Add _fe_half and use in _gej_add_ge e108d0039c sage: Fix incompatibility with sage 9.4 aa1acb4bd1 musig-spec: improve security argument for handling infinity d8a2463246 Merge bitcoin-core/secp256k1#899: Reduce stratch space needed by ecmult_strauss_wnaf. 73f0cbd3cc Merge BlockstreamResearch/secp256k1-zkp#157: Add description of MuSig signing to musig-spec.md 8fd97d8116 Merge BlockstreamResearch/secp256k1-zkp#158: Small musig improvements 772df3694e Merge BlockstreamResearch/secp256k1-zkp#151: MuSig: Add Minimal Compatibility with BIP32 Tweaking 0a40a4861a Merge bitcoin-core/secp256k1#1049: Faster fixed-input ecmult tests 69b392f3cb musig: move explanation for aggnonce=inf to spec 4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} 3c122d0780 musig-spec: improve definition of lift_x e0bb2d7009 musig-spec: improve KeyAgg description b8f4e75d89 musig-spec: move to doc directory 070e772211 Faster fixed-input ecmult tests c8aa516b57 Merge bitcoin-core/secp256k1#1064: Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes ElementsProject#1063 8088eddc53 musig: add test vector for ordinary (non xonly) tweaking 57a17929fc musig: add ordinary and xonly tweaking to the example 37107361a0 musig: allow ordinary, non-xonly tweaking c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro. a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf. 0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. 7ba3ffcca0 Remove the unused pre_a_lam allocations. b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf. ae7ba0f922 Remove the unused prej allocations. e5c18892db Eliminate the prej array from ecmult_strauss_wnaf. c9da1baad1 Move secp256k1_fe_one to field.h 45f37b6506 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes ElementsProject#1063. a5b5909e8d Merge BlockstreamResearch/secp256k1-zkp#163: Typo, add subscript i 44001ad716 Typo fix, add subscript i eb5e71b5dc Merge BlockstreamResearch/secp256k1-zkp#162: whitelist: remove ability to specific nonce function 11d675dce8 whitelist: remove ability to specific nonce function 21e2d65b79 Merge BlockstreamResearch/secp256k1-zkp#159: Sync Upstream b7ebe6436c Test APIs of funcs that need an ecmult_gen ctx with static ctx d895b10c18 musig: mention musig.md in example 588009d26f musig: improve doc of partial_sig_verify regarding signing sessions 72c8deac03 Merge commits with sync-upstream.sh a1102b1219 Merge bitcoin-core/secp256k1#1029: Simpler and faster ecdh skew fixup b1094953c4 musig: remove superfluous comment e82144edfb Fixup skew before global Z fixup 40b624c90b Add tests for _gej_cmov 8c13a9bfe1 ECDH skews by 0 or 1 1515099433 Simpler and faster ecdh skew fixup 39a36db94a Merge bitcoin-core/secp256k1#1054: tests: Fix test whose result is implementation-defined a310e79ee5 Merge bitcoin-core/secp256k1#1052: Use xoshiro256++ instead of RFC6979 for tests 423b6d19d3 Merge bitcoin-core/secp256k1#964: Add release-process.md 9281c9f4e1 Merge bitcoin-core/secp256k1#1053: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` 77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests 5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) 05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` 3d7cbafb5f tests: Fix test whose result is implementation-defined 3ed0d02bf7 doc: add CHANGELOG template 6f42dc16c8 doc: add release_process.md 0bd3e4243c build: set library version to 0.0.0 explicitly b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre 09971a3ffd Merge bitcoin-core/secp256k1#1047: ci: Various improvements 0b83b203e1 Merge bitcoin-core/secp256k1#1030: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment 1287786c7a doc: Add comment to top of field_10x26_impl.h 58da5bd589 doc: Fix upper bounds + cleanup in field_5x52_impl.h comment b39d431aed Merge bitcoin-core/secp256k1#1044: Add another ecmult_multi test b4ac1a1d5f ci: Run valgrind/memcheck tasks with 2 CPUs e70acab601 ci: Use Cirrus "greedy" flag to use idle CPU time when available d07e30176e ci: Update brew on macOS 22382f0ea0 ci: Test different ecmult window sizes a69df3ad24 Merge bitcoin-core/secp256k1#816: Improve checks at top of _fe_negate methods 22d25c8e0a Add another ecmult_multi test 515e7953ca Improve checks at top of _fe_negate methods b2206619e6 Merge BlockstreamResearch/secp256k1-zkp#131: Replace MuSig(1) module with MuSig2 26a022a3a0 ci: Remove STATICPRECOMPUTATION 10461d8bd3 precompute_ecmult: Always compute all tables up to default WINDOW_G be6944ade9 Merge bitcoin-core/secp256k1#1042: Follow-ups to making all tables fully static e05da9e480 Fix c++ build c45386d994 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen} 19d96e15f9 Split off .c file from precomputed_ecmult.h 1a6691adae Split off .c file from precomputed_ecmult_gen.h bb36331412 Simplify precompute_ecmult_print_* 38cd84a0cb Compute ecmult tables at runtime for tests_exhaustive e458ec26d6 Move ecmult table computation code to separate file fc1bf9f15f Split ecmult table computation and printing 31feab053b Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table 725370c3f2 Rename ecmult_gen_prec -> ecmult_gen_compute_table 075252c1b7 Rename ecmult_static_pre_g -> precomputed_ecmult 7cf47f72bc Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen f95b8106d0 Rename gen_ecmult_static_pre_g -> precompute_ecmult bae77685eb Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen ac1e36769d musig: turn off multiexponentiation for now 3c79d97bd9 ci: increase timeout for macOS tasks 22c88815c7 musig: replace MuSig(1) with MuSig2 0559fc6e41 Merge bitcoin-core/secp256k1#988: Make signing table fully static 7dfceceea6 build: Remove #undef hack for ASM in the precomputation programs bb36fe9be0 ci: Test `make precomp` d94a37a20c build: Remove CC_FOR_BUILD stuff ad63bb4c29 build: Prebuild and distribute ecmult_gen table ac49361ed0 prealloc: Get rid of manual memory management for prealloc contexts 6573c08f65 ecmult_gen: Tidy precomputed file and save space 5eba83f17c ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS 5d0dbef018 Merge bitcoin-core/secp256k1#942: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. 486205aa68 Merge bitcoin-core/secp256k1#920: Test all ecmult functions with many j*2^i combinations fdb33dd122 refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table 5eb519e1f6 ci: reduce TEST_ITERS in memcheck run e2cf77328a Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255. 61ae37c612 Merge bitcoin-core/secp256k1#1022: build: Windows DLL additions 4f01840b82 Merge bitcoin-core/secp256k1#1027: build: Add a check that Valgrind actually supports a host platform 6ad908aa00 Merge bitcoin-core/secp256k1#1008: bench.c: add `--help` option and ci: move env variables 592661c22f ci: move test environment variable declaration to .cirrus.yml dcbe84b841 bench: add --help option to bench. 099bad945e Comment and check a parameter for inf in secp256k1_ecmult_const. 6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. 4900227451 Merge bitcoin-core/secp256k1#1025: build: replace backtick command substitution with $() 7c7ce872a5 build: Add a check that Valgrind actually supports a host platform a4875e30a6 refactor: Move default callbacks to util.h 4c94c55bce doc: Remove obsolete hint for valgrind stack size 5106226991 exhaustive_tests: Fix with ecmult_gen table with custom generator e1a76530db refactor: Make generator a parameter of ecmult_gen_create_prec_table 9ad09f6911 refactor: Rename program that generates static ecmult_gen table 8ae18f1ab3 refactor: Rename file that contains static ecmult_gen table 00d2fa116e ecmult_gen: Make code consistent with comment 3b0c2185ea ecmult_gen: Simplify ecmult_gen context after making table static 2b7c7497ef build: replace backtick command substitution with $() 49f608de47 Merge bitcoin-core/secp256k1#1004: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS c0cd7de6d4 build: add -no-undefined to libtool LDFLAGS fe32a79d35 build: pass win32-dll to LT_INIT 60bf8890df ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS fecf436d53 Merge bitcoin-core/secp256k1#1019: build: don't append valgrind CPPFLAGS if not installed (macOS) 2e5e4b67df Merge bitcoin-core/secp256k1#1020: doc: remove use of <0xa0> "no break space" 812ff5c747 doc: remove use of 0xa0 "no break space" 214042a170 build: don't append valgrind CPPFLAGS if not installed e43ba02cfc refactor: Decouple table generation and ecmult_gen context 22dc2c0a0d ecmult_gen: Move table creation to new file and force static prec 793ad9016a Merge bitcoin-core/secp256k1#1010: doc: Minor fixes in safegcd_implementation.md dc9b6853b7 doc: Minor fixes in safegcd_implementation.md ea5e8a9c47 Merge bitcoin-core/secp256k1#1012: Fix typos 233297579d Fix typos 7006f1b97f Merge bitcoin-core/secp256k1#1011: ci: Enable -g if we set CFLAGS manually 72de1359e9 ci: Enable -g if we set CFLAGS manually 74c34e727b Merge bitcoin-core/secp256k1#1009: refactor: Use (int)&(int) in boolean context to avoid compiler warning 16d132215c refactor: Use (int)&(int) in boolean context to avoid compiler warning c74a7b7e51 Merge bitcoin-core/secp256k1#1007: doc: Replace apoelstra's GPG key by jonasnick's GPG key 3b157c48ed doc: Suggest keys.openpgp.org as keyserver in SECURITY.md 73a7472cd0 doc: Replace apoelstra's GPG key by jonasnick's GPG key 515a5dbd02 Merge bitcoin-core/secp256k1#991: Merge all "external" benchmarks into a single bench binary af6abcb3d0 Make bench support selecting which benchmarks to run 9f56bdf5b9 Merge bench_schnorrsig into bench 3208557ae1 Merge bench_recover into bench 855e18d8a8 Merge bench_ecdh into bench 2a7be678a6 Combine bench_sign and bench_verify into single bench 8fa41201bd Merge bitcoin-core/secp256k1#1002: Make aux_rnd32==NULL behave identical to 0x0000..00. 5324f8942d Make aux_rnd32==NULL behave identical to 0x0000..00. 21c188b3c5 Merge bitcoin-core/secp256k1#943: VERIFY_CHECK precondition for secp256k1_fe_set_int. 3e7b2ea194 Merge bitcoin-core/secp256k1#999: bench_ecmult: improve clarity of output 23e2f66726 bench: don't return 1 in have_flag() if argc = 1 96b1ad2ea9 bench_ecmult: improve clarity of output 20d791edfb Merge bitcoin-core/secp256k1#989: Shared benchmark format for command line and CSV outputs aa1b889b61 Merge bitcoin-core/secp256k1#996: Fix G.y parity in sage code 044d956305 Fix G.y parity in sage code b4b130678d create csv file from the benchmark output 26a255beb6 Shared benchmark format for command line and CSV outputs 9526874d14 Merge bitcoin-core/secp256k1#810: Avoid overly-wide multiplications in 5x52 field mul/sqr 6b8733577e Merge BlockstreamResearch/secp256k1-zkp#147: whitelist: fix SECP256K1_WHITELIST_MAX_N_KEYS constant 920a0e5fa6 Merge bitcoin-core/secp256k1#952: Avoid computing out-of-bounds pointer. f34b5cae03 Merge bitcoin-core/secp256k1#983: [RFC] Remove OpenSSL testing support 27d1c3b6a1 whitelist: add test for MAX_N_KEYS c8ac14d9dc whitelist: fix SECP256K1_WHITELIST_MAX_N_KEYS constant 297ce82091 Merge bitcoin-core/secp256k1#966: Make aux_rand32 arg to secp256k1_schnorrsig_sign const 2888640132 VERIFY_CHECK precondition for secp256k1_fe_set_int. d49011f54c Make _set_fe_int( . , 0 ) set magnitude to 0 e290c0f835 Merge BlockstreamResearch/secp256k1-zkp#148: fix a couple things to make Elements 22's linter happy 7812feb896 Merge BlockstreamResearch/secp256k1-zkp#144: Upstream PRs 969, 956, 783, 976 b9ebee1490 fix a couple things to make Elements 22's linter happy bc08599e77 Remove OpenSSL testing support 10f9bd84f4 Merge bitcoin-core/secp256k1#987: Fix unused parameter warnings when building without VERIFY 189f6bcfef Fix unused parameter warnings when building without VERIFY da0092bccc Merge bitcoin-core/secp256k1#986: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify` d43993724d tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify` 7fec4e7acc Merge BlockstreamResearch/secp256k1-zkp#145: sync-upstream: fix quoting 938725c1c9 Merge commits 'd7ec49a6 9a5a87e0 aa5d34a8 2a3a97c6 ' into temp-merge-976 95ee1fa030 sync-upstream: fix quoting 2a3a97c665 Merge bitcoin-core/secp256k1#976: `secp256k1_schnorrsig_sign_internal` should be static aa5d34a8fe Merge bitcoin-core/secp256k1#783: Make the public API docs more consistent and explicit 72713872a8 Add missing static to secp256k1_schnorrsig_sign_internal db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const 9a5a87e0f1 Merge bitcoin-core/secp256k1#956: Replace ecmult_context with a generated static array. 20abd52c2e Add tests for pre_g tables. 6815761cf5 Remove ecmult_context. f20dcbbad1 Correct typo. 16a3cc07e8 Generate ecmult_static_pre_g.h 8de2d86a06 Bump memory limits in advance of making the ecmult context static. d7ec49a689 Merge bitcoin-core/secp256k1#969: ci: Fixes after Debian release 5d5c74a057 tests: Rewrite code to circument potential bug in clang 3d2f492ceb ci: Install libasan6 (instead of 5) after Debian upgrade 9447642140 Merge BlockstreamResearch/secp256k1-zkp#142: musig: fix session_init argument NULL check 9124ce0d9c musig: fix session_init argument NULL check 881b15cb43 Merge BlockstreamResearch/secp256k1-zkp#139: musig: use tagged hash for the list of pubkeys to aggregate 8f093be374 musig: use tagged hash for the list of pubkeys to aggregate a6a768a4bf musig: make key agg test vector more precise adec5a1638 Add missing null check for ctx and input keys in the public API f4edfc7581 Improve consistency for NULL arguments in the public interface 9be7b0f083 Avoid computing out-of-bounds pointer. b53e0cd61f Avoid overly-wide multiplications git-subtree-dir: src/secp256k1 git-subtree-split: 7a30cb0c9d99ab195c461a6fb4e654cd4ef19a8d
[bitcoin-core/secp256k1#986]: tests: remove
secp256k1_fe_verify
from tests.c and modify_fe_from_storage
to call_fe_verify
[bitcoin-core/secp256k1#987]: Fix unused parameter warnings when building without VERIFY
[bitcoin-core/secp256k1#966]: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
[bitcoin-core/secp256k1#983]: [RFC] Remove OpenSSL testing support
[bitcoin-core/secp256k1#952]: Avoid computing out-of-bounds pointer.
[bitcoin-core/secp256k1#810]: Avoid overly-wide multiplications in 5x52 field mul/sqr
[bitcoin-core/secp256k1#996]: Fix G.y parity in sage code
[bitcoin-core/secp256k1#989]: Shared benchmark format for command line and CSV outputs
[bitcoin-core/secp256k1#999]: bench_ecmult: improve clarity of output
[bitcoin-core/secp256k1#943]: VERIFY_CHECK precondition for secp256k1_fe_set_int.
[bitcoin-core/secp256k1#1002]: Make aux_rnd32==NULL behave identical to 0x0000..00.
[bitcoin-core/secp256k1#991]: Merge all "external" benchmarks into a single bench binary
[bitcoin-core/secp256k1#1007]: doc: Replace apoelstra's GPG key by jonasnick's GPG key
[bitcoin-core/secp256k1#1009]: refactor: Use (int)&(int) in boolean context to avoid compiler warning
[bitcoin-core/secp256k1#1011]: ci: Enable -g if we set CFLAGS manually
[bitcoin-core/secp256k1#1012]: Fix typos
[bitcoin-core/secp256k1#1010]: doc: Minor fixes in safegcd_implementation.md
[bitcoin-core/secp256k1#1020]: doc: remove use of <0xa0> "no break space"
[bitcoin-core/secp256k1#1019]: build: don't append valgrind CPPFLAGS if not installed (macOS)
[bitcoin-core/secp256k1#1004]: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
[bitcoin-core/secp256k1#1025]: build: replace backtick command substitution with $()
[bitcoin-core/secp256k1#1008]: bench.c: add
--help
option and ci: move env variables[bitcoin-core/secp256k1#1027]: build: Add a check that Valgrind actually supports a host platform
[bitcoin-core/secp256k1#1022]: build: Windows DLL additions
[bitcoin-core/secp256k1#920]: Test all ecmult functions with many j*2^i combinations
[bitcoin-core/secp256k1#942]: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
[bitcoin-core/secp256k1#988]: Make signing table fully static
[bitcoin-core/secp256k1#1042]: Follow-ups to making all tables fully static
[bitcoin-core/secp256k1#816]: Improve checks at top of _fe_negate methods
[bitcoin-core/secp256k1#1044]: Add another ecmult_multi test
[bitcoin-core/secp256k1#1030]: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
[bitcoin-core/secp256k1#1047]: ci: Various improvements
[bitcoin-core/secp256k1#1053]: ecmult: move
_ecmult_odd_multiples_table_globalz_windowa
[bitcoin-core/secp256k1#964]: Add release-process.md
[bitcoin-core/secp256k1#1052]: Use xoshiro256++ instead of RFC6979 for tests
[bitcoin-core/secp256k1#1054]: tests: Fix test whose result is implementation-defined
[bitcoin-core/secp256k1#1029]: Simpler and faster ecdh skew fixup
This PR can be recreated with
./contrib/sync-upstream.sh range a1102b12196ea27f44d6201de4d25926a2ae9640
.