Commit Graph

1558 Commits

Author SHA1 Message Date
Jonas Nick
7fec4e7acc Merge elementsproject/secp256k1-zkp#145: sync-upstream: fix quoting
95ee1fa030 sync-upstream: fix quoting (Jonas Nick)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 95ee1fa030

Tree-SHA512: e730d5985cf3b02998d8cd07d3e007e3b5239745553a2b275f7442298f2602c154d3bdeb5904f81cc0da3ce2bd42cf09ba946afa9ab3215da2ff3c9ce2f63777
2021-09-17 11:32:13 +00:00
Jonas Nick
95ee1fa030 sync-upstream: fix quoting
Otherwise strings in $TITLE and $BODAY that are enclosed in ` are executed in
gh-pr-create.sh.
2021-09-15 20:29:33 +00:00
Jonas Nick
9447642140 Merge elementsproject/secp256k1-zkp#142: musig: fix session_init argument NULL check
9124ce0d9c musig: fix session_init argument NULL check (Jonas Nick)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 9124ce0d9c

Tree-SHA512: 15b6e4012a2444803563151a37e3340e3aa59729ccafebfd80aac17b93f5429dc2b3c99e37119bfd68523f1e58ffd3efca67922d6cb4a2bbb7c8679de9f36097
2021-08-18 18:01:43 +00:00
Jonas Nick
9124ce0d9c musig: fix session_init argument NULL check 2021-08-18 14:02:29 +00:00
Jonas Nick
881b15cb43 Merge elementsproject/secp256k1-zkp#139: musig: use tagged hash for the list of pubkeys to aggregate
8f093be374 musig: use tagged hash for the list of pubkeys to aggregate (Jonas Nick)
a6a768a4bf musig: make key agg test vector more precise (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 5369dc5b4039dd4cda2c50282db2882c088b96e1daa5801240f92be1832ed8f29317fdbfc3cab211707155c284a68dc593967f3141703e2544f6b8dc1553e44d
2021-08-02 11:34:07 +00:00
Andrew Poelstra
90580edcc9 Merge pull request #140 from apoelstra/2021-07--resync
Upstream PRs 879, 959, 955, 944, 951, 960, 844, 963, 965
2021-07-28 21:58:53 +00:00
Andrew Poelstra
6ad66de680 rangeproof: add an (unnecessary) variable initialization to shut up CI 2021-07-27 18:15:58 +00:00
Andrew Poelstra
2979e4d9d4 Merge commits '8ae56e33 75ce488c 4866178d 446d28d9 253f90cd ec3aaa50 0440945f 7688a4f1 be8d9c26 ' into temp-merge-965 2021-07-27 18:12:45 +00:00
Jonas Nick
8f093be374 musig: use tagged hash for the list of pubkeys to aggregate
This is done to use tagged hashing consistently. Changes the musig test vectors.
2021-07-27 11:37:10 +00:00
Jonas Nick
a6a768a4bf musig: make key agg test vector more precise 2021-07-27 10:06:22 +00:00
Jonas Nick
5d2df05419 Merge elementsproject/secp256k1-zkp#120: Add MuSig Key Aggregation spec
fc26ca8dde musig: remove unnecessary constant time normalize in combine (Jonas Nick)
48f63efe68 musig: remove unnecessary branch in pubkey_tweak_add (Jonas Nick)
5860b5e0fe musig: do not also require schnorrsig module config flag (Jonas Nick)
f27fd1d5e7 musig: improve test coverage of pubkey_combine (Jonas Nick)
56014e8ca0 musig: change pubkey_combine arg to array of pointers to pks (Jonas Nick)
08fa02d579 musig: add key aggregation spec draft (Jonas Nick)
4a9b059b16 musig: rename Musig coefficient to KeyAgg coefficient (Jonas Nick)
4bc46d836e musig: optimize key aggregation using const 1 for 2nd key (Jonas Nick)
2310849f50 musig: compute musig coefficient by hashing key instead of index (Jonas Nick)
9683c8a7eb musig: add static test vectors for key aggregation (Jonas Nick)
9b3d7bf536 extrakeys: add xonly_sort function (Jonas Nick)
f31affd8a6 extrakeys: add hsort, in-place, iterative heapsort (Jonas Nick)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK fc26ca8dde

Tree-SHA512: fa29fe259d0e98d634782c0fb36308716dc3ffa6e35fe47b87fc25b2e5dd0a9859a72da0b9d669f03d379bc3ed972c5961995762b2f7e4ac16b9c6b5d8c4721d
2021-07-18 17:56:28 +00:00
Jonas Nick
fc26ca8dde musig: remove unnecessary constant time normalize in combine 2021-07-14 19:59:38 +00:00
Jonas Nick
48f63efe68 musig: remove unnecessary branch in pubkey_tweak_add 2021-07-14 19:59:38 +00:00
Jonas Nick
5860b5e0fe musig: do not also require schnorrsig module config flag
Also add musig to build options output.
2021-07-14 19:59:38 +00:00
Jonas Nick
f27fd1d5e7 musig: improve test coverage of pubkey_combine 2021-07-14 19:59:38 +00:00
Jonas Nick
56014e8ca0 musig: change pubkey_combine arg to array of pointers to pks
... instead of taking an array of pubkeys directly
2021-07-14 19:59:38 +00:00
Jonas Nick
08fa02d579 musig: add key aggregation spec draft 2021-07-14 19:59:38 +00:00
Jonas Nick
4a9b059b16 musig: rename Musig coefficient to KeyAgg coefficient
This is done to be consistent with the MuSig2 paper
2021-07-14 19:59:19 +00:00
Jonas Nick
4bc46d836e musig: optimize key aggregation using const 1 for 2nd key 2021-07-14 19:58:54 +00:00
Jonas Nick
2310849f50 musig: compute musig coefficient by hashing key instead of index 2021-07-14 19:41:38 +00:00
Jonas Nick
9683c8a7eb musig: add static test vectors for key aggregation 2021-07-14 19:41:38 +00:00
Jonas Nick
9b3d7bf536 extrakeys: add xonly_sort function 2021-07-14 19:41:38 +00:00
Jonas Nick
f31affd8a6 extrakeys: add hsort, in-place, iterative heapsort 2021-07-14 19:29:30 +00:00
Tim Ruffing
be8d9c262f Merge bitcoin-core/secp256k1#965: gen_context: Don't use any ASM
aeece44599 gen_context: Don't use any ASM (Tim Ruffing)

Pull request description:

  See https://github.com/bitcoin/bitcoin/issues/22441 , we need to wait for the testing results there.

ACKs for top commit:
  sipa:
    utACK aeece44599
  jonasnick:
    ACK aeece44599

Tree-SHA512: 52ff90f3dedda90124140de1c2c1c065a2f9374930d6b988d35c37f5eeae97f7d557b7ab0cf99d22add5a76ff8a3e06226572e43949e12d1048cb323d1b3d92b
2021-07-14 18:57:40 +02:00
Jonas Nick
d9560e0af7 Merge elementsproject/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC
cc0b279568 Eliminate a wrong -Wmaybe-uninitialized warning in GCC (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK cc0b279568

Tree-SHA512: ee9ae840ba7df471f566fc9b4d5bdf04e1d0759bd6fec1d1144e0e7b3f12603865371d238f8a2ee4648db88224e5ea582ab837c2cbc041d2582141736ebe5fd0
2021-07-14 13:57:13 +00:00
Tim Ruffing
aeece44599 gen_context: Don't use any ASM 2021-07-14 11:15:36 +02:00
Jonas Nick
6db00f5b2e Merge elementsproject/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950
f09497ea3e CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind (Jonas Nick)
7226cf215a ecdsa_adaptor: fix too small buffer in tests (Jonas Nick)
b053e853d4 ecdsa_adaptor: fix test case with invalid signature (Jonas Nick)
d27e459861 Revert "Remove unused Jacobi symbol support" (Jonas Nick)
c58c4ea470 ci: Add ppc64le build (Tim Ruffing)
8f879c2887 Fix array size in bench_ecmult (Jonas Nick)
2fe1b50df1 Add ecmult_gen, ecmult_const and ecmult to benchmark (Jonas Nick)
593e6bad9c Clean up ecmult_bench to make space for more benchmarks (Jonas Nick)
a35fdd3478 ci: Run PRs on merge result even for i686 (Tim Ruffing)
02dcea1ad9 ci: Make test iterations configurable and tweak for sanitizer builds (Tim Ruffing)
489ff5c20a tests: Treat empty SECP2561_TEST_ITERS as if it was unset (Tim Ruffing)
fcfcb97e74 ci: Simplify to use generic wrapper for QEMU, Valgrind, etc (Tim Ruffing)
de4157f13a ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs (Tim Ruffing)
09b3bb8648 Clean up git tree (Tim Ruffing)
8bbad7a18e Add asm build to ARM32 CI (Pieter Wuille)
7d65ed5214 Add ARM32/ARM64 CI (Pieter Wuille)
6eceec6d56 add `secp256k1_xonly_pubkey_cmp` method (Andrew Poelstra)
0d9561ae87 add `secp256k1_ec_pubkey_cmp` method (Andrew Poelstra)
22a9ea154a contrib: Explain explicit header guards (Tim Ruffing)
0881633dfd secp256k1.h: clarify that by default arguments must be != NULL (Jonas Nick)
14c9739a1f tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs (Tim Ruffing)
4a19668c37 tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs (Tim Ruffing)
45b6468d7e Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. (Russell O'Connor)
31c0f6de41 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. (Russell O'Connor)
dd6c3de322 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. (Russell O'Connor)
3c90bdda95 change local lib headers to be relative for those pointing at "include/" dir (William Bright)
c8483520c9 Makefile.am: Don't pass a variable twice (Tim Ruffing)
2161f31785 Makefile.am: Honor config when building gen_context (Tim Ruffing)
99f47c20ec gen_context: Don't use external ASM because it complicates the build (Tim Ruffing)
99e2d5be0d Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. (Gregory Maxwell)
ed5a199bed tests: fopen /dev/urandom in binary mode (Tim Ruffing)
4dc37bf81b Add mingw32-w64/wine CI build (Pieter Wuille)
ae9e648526 Define SECP256K1_BUILD in secp256k1.c directly. (Gregory Maxwell)
be0609fd54 Add unit tests for edge cases with delta=1/2 variant of divsteps (Pieter Wuille)
cd393ce228 Optimization: only do 59 hddivsteps per iteration instead of 62 (Pieter Wuille)
277b224b6a Use modified divsteps with initial delta=1/2 for constant-time (Pieter Wuille)
376ca366db Fix typo in explanation (Pieter Wuille)
07067967ee add ECMULT_GEN_PREC_BITS to basic_config.h (Aaron Voisine)
a3aa2628c7 gen_context: Don't include basic-config.h (Tim Ruffing)
99a1cfec17 print warnings for conditional-uninitialized (PiRK)
3d2cf6c5bd initialize variable in tests (PiRK)
23c3fb629b Make argument of fe_normalizes_to_zero{_var} const (Pieter Wuille)
4504472269 changed import to use brackets <> for openssl as they are not local to the project (William Bright)
24ad04fc06 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS (Pieter Wuille)
ebc1af700f Optimization: track f,g limb count and pass to new variable-time update_fg_var (Peter Dettman)
b306935ac1 Optimization: use formulas instead of lookup tables for cancelling g bits (Peter Dettman)
9164a1b658 Optimization: special-case zero modulus limbs in modinv64 (Pieter Wuille)
1f233b3fa0 Remove num/gmp support (Pieter Wuille)
20448b8d09 Remove unused Jacobi symbol support (Pieter Wuille)
5437e7bdfb Remove unused scalar_sqr (Pieter Wuille)
aa9cc52180 Improve field/scalar inverse tests (Pieter Wuille)
1e0e885c8a Make field/scalar code use the new modinv modules for inverses (Pieter Wuille)
436281afdc Move secp256k1_fe_inverse{_var} to per-impl files (Pieter Wuille)
aa404d53be Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files (Pieter Wuille)
08d54964e5 Improve bounds checks in modinv modules (Pieter Wuille)
151aac00d3 Add tests for modinv modules (Pieter Wuille)
d8a92fcc4c Add extensive comments on the safegcd algorithm and implementation (Pieter Wuille)
8e415acba2 Add safegcd based modular inverse modules (Peter Dettman)
de0a643c3d Add secp256k1_ctz{32,64}_var functions (Pieter Wuille)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK f09497ea3e

Tree-SHA512: 6cf3e96c5974e9aa17bd649fa7fdd738090ec3ab8c99e144fec397c086a24adc2ace9a5218a3c527989fc07e1d5c669027e4c895caf92d22771c8414b2a9bf35
2021-07-13 22:22:27 +00:00
Tim Ruffing
cc0b279568 Eliminate a wrong -Wmaybe-uninitialized warning in GCC 2021-07-13 17:30:05 +02:00
Jonas Nick
f09497ea3e CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind 2021-07-13 14:09:58 +00:00
Jonas Nick
7226cf215a ecdsa_adaptor: fix too small buffer in tests
Also add a specific test that fails adaptor sig deserialization because with the
correct size buffer that's not guaranteed anymore with the existing test.
2021-07-13 14:09:58 +00:00
Jonas Nick
b053e853d4 ecdsa_adaptor: fix test case with invalid signature
Previously the ECDSA signature had an overflowing s value, which after the sync
with upstream results in a failing VERIFY_CHECK in the inversion function.
However, normally parsed signatures shouldn't contain overflowing s values.
2021-07-13 14:09:58 +00:00
Jonas Nick
91b64770c3 Merge elementsproject/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range
907633e2e9 sync-upstream: fix "end" parameter for specifying range (Tim Ruffing)
394f49fd1a sync-upstream: quote variables (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    utACK 907633e2e9

Tree-SHA512: ba7834bf7fce403de29027e8df9387bbc6df5ba62eaacc31547bff0587962620475940b253966d0af0a3a4b3b12b4f72b64c8832aeffc638a308405a3945b6c2
2021-07-12 18:18:42 +00:00
Tim Ruffing
907633e2e9 sync-upstream: fix "end" parameter for specifying range 2021-07-12 18:24:04 +02:00
Tim Ruffing
394f49fd1a sync-upstream: quote variables 2021-07-12 18:23:18 +02:00
Jonas Nick
1bb5db3d60 Merge elementsproject/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier
9321d42f75 sync-upstream: parse merge commits w/ and w/o repo identifier (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9321d42f75

Tree-SHA512: 89347703b56199327813b9ac72d2e4b9620d852fb4059855f87a245f60f72605acf57ba07d073affe7eb0c4e7e97814f410679f4ed1e067939fab50c18a1eeee
2021-07-12 14:04:55 +00:00
Tim Ruffing
9321d42f75 sync-upstream: parse merge commits w/ and w/o repo identifier 2021-07-12 15:21:38 +02:00
Jonas Nick
7688a4f13a Merge bitcoin-core/secp256k1#963: "Schnorrsig API overhaul" fixups
90e83449b2 ci: Add C++ test (Tim Ruffing)
f698caaff6 Use unsigned char consistently for byte arrays (Tim Ruffing)
b5b8e7b719 Don't declare constants twice (Tim Ruffing)
769528f307 Don't use string literals for char arrays without NUL termination (Tim Ruffing)
2cc3cfa583 Fix -Wmissing-braces warning in clang (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 90e83449b2

Tree-SHA512: c26ba3db7514399c502f6c5c6f6ce6703459d83d831765042e331b051aeee282641197c3ae881c614f51ca714a818c5528410d288aadbd3e92361c1e9c129afe
2021-07-05 20:59:43 +00:00
Tim Ruffing
90e83449b2 ci: Add C++ test 2021-07-05 13:57:40 +02:00
Tim Ruffing
f698caaff6 Use unsigned char consistently for byte arrays
C++ does not allow initialization with string literals but we do it in other
places and -fpermissive will convince g++ to compile.
2021-07-04 11:37:06 +02:00
Tim Ruffing
b5b8e7b719 Don't declare constants twice
This is forbidden in C++.
2021-07-04 11:35:52 +02:00
Tim Ruffing
769528f307 Don't use string literals for char arrays without NUL termination
unsigned char foo[4] = "abcd" is not valid C++ because the string
literal "abcd" does not fit into foo due to the terminating NUL
character. This is valid in C, it will just omit the NUL character.

Fixes #962.
2021-07-04 10:40:30 +02:00
Tim Ruffing
2cc3cfa583 Fix -Wmissing-braces warning in clang 2021-07-04 02:01:44 +02:00
Tim Ruffing
0440945fb5 Merge #844: schnorrsig API overhaul
5f6ceafcfa schnorrsig: allow setting MSGLEN != 32 in benchmark (Jonas Nick)
fdd06b7967 schnorrsig: add tests for sign_custom and varlen msg verification (Jonas Nick)
d8d806aaf3 schnorrsig: add extra parameter struct for sign_custom (Jonas Nick)
a0c3fc177f schnorrsig: allow signing and verification of variable length msgs (Jonas Nick)
5a8e4991ad Add secp256k1_tagged_sha256 as defined in BIP-340 (Jonas Nick)
b6c0b72fb0 schnorrsig: remove noncefp args from sign; add sign_custom function (Jonas Nick)
442cee5baf schnorrsig: add algolen argument to nonce_function_hardened (Jonas Nick)
df3bfa12c3 schnorrsig: clarify result of calling nonce_function_bip340 without data (Jonas Nick)
99e8614812 README: mention schnorrsig module (Jonas Nick)

Pull request description:

  This is a work in progress because I wanted to put this up for discussion before writing tests. It addresses the TODOs that didn't make it in the schnorrsig PR and changes the APIs of `schnorrsig_sign`, `schnorrsig_verify` and `hardened_nonce_function`.

  - Ideally, the new `aux_rand32` argument for `sign` would be const, but I didn't find a solution I was happy with.
  - Support for variable length message signing and verification supports the [suggested BIP amendment](https://github.com/sipa/bips/issues/207#issuecomment-673681901) for such messages.
  - ~~`sign_custom` with its opaque config object allows adding more arguments later without having to change the API again. Perhaps there are other sensible customization options, but I'm thinking of [sign-to-contract/covert-channel](https://github.com/bitcoin-core/secp256k1/pull/590) in particular. It would require adding the fields `unsigned char *s2c_data32` and `secp256k1_s2c_opening *s2c_opening` to the config struct. The former is the data to commit to and the latter is written to by `sign_custom`.~~ (EDIT: see below)

ACKs for top commit:
  ariard:
    utACK 5f6ceaf
  LLFourn:
    utACK 5f6ceafcfa

Tree-SHA512: cf1716dddf4f29bcacf542ed22622a817d0ec9c20d0592333cb7e6105902c77d819952e776b9407fae1333cbd03d63fded492d3a5df7769dcc5b450d91bb4761
2021-07-03 11:45:30 +02:00
Tim Ruffing
ec3aaa5014 Merge #960: tests_exhaustive: check the result of secp256k1_ecdsa_sign
a1ee83c654 tests_exhaustive: check the result of secp256k1_ecdsa_sign (Nicolas Iooss)

Pull request description:

  Hello,

  In `test_exhaustive_sign`, if `secp256k1_ecdsa_sign` fails, the signature which is then loaded by `secp256k1_ecdsa_signature_load` is garbage. Exit early with an error when this occurs.

  By the way, I am wondering whether attribute `SECP256K1_WARN_UNUSED_RESULT` should be added to function `secp256k1_ecdsa_sign`: as (according to the documentation of this function) the nonce generation function may fail, it seems to be a good idea to force callers to check the value returned by this function. What do you think about this?

ACKs for top commit:
  sipa:
    ACK a1ee83c654
  real-or-random:
    utACK a1ee83c654

Tree-SHA512: d8c186afecbd95522e909c269255e8879695bf9df2de91f0f9303e575e18f03cafc66683d863e6cf9892fe61b668eab00d586861c39013292b71484a962f846d
2021-07-03 11:21:18 +02:00
Nicolas Iooss
a1ee83c654 tests_exhaustive: check the result of secp256k1_ecdsa_sign
If `secp256k1_ecdsa_sign` fails, the signature which is then loaded by
`secp256k1_ecdsa_signature_load` is garbage. Exit early with an error
when this occurs.
2021-07-02 16:22:43 +02:00
Jonas Nick
253f90cdeb Merge bitcoin-core/secp256k1#951: configure: replace AC_PATH_PROG to AC_CHECK_PROG
a4642fa15e configure: replace AC_PATH_PROG to AC_CHECK_PROG (UdjinM6)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK a4642fa15e
  jonasnick:
    utACK a4642fa15e

Tree-SHA512: 55a431633ca45ea78be3887cda2e94f6ec9e8a937bc60cf04f14d7e3be11acb7ee861bd356070e3b1f6ccdeff28c6f9ab7048a58f920681c09fe3a976621a187
2021-07-02 12:08:00 +00:00
Jonas Nick
446d28d9de Merge bitcoin-core/secp256k1#944: Various improvements related to CFLAGS
0302138f75 ci: Make compiler warning into errors on CI (Tim Ruffing)
b924e1e605 build: Ensure that configure's compile checks default to -O2 (Tim Ruffing)
7939cd571c build: List *CPPFLAGS before *CFLAGS like on the compiler command line (Tim Ruffing)
595e8a35d8 build: Enable -Wcast-align=strict warning (Tim Ruffing)
07256267ff build: Use own variable SECP_CFLAGS instead of touching user CFLAGS (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0302138f75

Tree-SHA512: 619eb6b512ae0eb8c51134f5bb1b7bc7a397321dc51073ae3117f9433505ec19b407518b47a181163e1a841216b20487c7a50c6f5045faffa5cfa7fad0b8c906
2021-07-01 21:34:20 +00:00
Tim Ruffing
0302138f75 ci: Make compiler warning into errors on CI
This also tidies the list of environment variables in .cirrus.yml.
2021-07-01 20:37:40 +02:00
Tim Ruffing
b924e1e605 build: Ensure that configure's compile checks default to -O2
Fixes #896.
2021-07-01 19:59:25 +02:00
Tim Ruffing
7939cd571c build: List *CPPFLAGS before *CFLAGS like on the compiler command line 2021-07-01 19:59:25 +02:00