eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec (Jonas Nick)
57eb6b4167 musig-spec: move description of secret key negation to spec (Jonas Nick)
633d01add0 musig-spec: add x-only and ordinary tweaking to musig (Jonas Nick)
aee0747e38 musig-spec: add general description of tweaking (Jonas Nick)
fb060a0c4e musig-spec: add Session Context to simplify sign/verify/sigagg (Jonas Nick)
3aec4332b5 musig-spec: move remarks on spec below specification section (Jonas Nick)
628d52c718 musig-spec: fix title/abstract and make algo names bold (Jonas Nick)
5b760cc172 musig-spec: consistently call partial sigs psig (Jonas Nick)
f0edc90755 musig: fix number of tweaks in tweak_test (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK eac0df1379 -- I haven't checked all the indices etc, so this is more of a Concept ACK than a "pseudocode review ACK" but we we have the ACK by Brandon and this is anyway still a draft, so I think this is good to be merged.
Tree-SHA512: 9e16e7892e103205d96060158a7a6c01480d2b59300bbf9f0655b4d26586e632be8b8f656fe07c7ece1421ec91e0b387d6fcf363db7aedc0402d265b1d9df474
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
Besides reducing the number of arguments, this also removes the R argument from
PartialSigAgg which was not defined precisely:
* The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point
Moreover, this paves the way for adding the tweaking, which requires
PartialSigAgg to also have access to challenge e and can now be easily computed
from the Session Context.
We will need more of these explanations and it's better if they do not interfere
the specification section. The remarks section is intended for content that's
not required for implementing the spec.
69b392f3cb musig: move explanation for aggnonce=inf to spec (Jonas Nick)
4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} (Jonas Nick)
3c122d0780 musig-spec: improve definition of lift_x (Jonas Nick)
e0bb2d7009 musig-spec: improve KeyAgg description (Jonas Nick)
b8f4e75d89 musig-spec: move to doc directory (Jonas Nick)
Pull request description:
Will wait before adding tweaking until #151 is merged.
ACKs for top commit:
robot-dreams:
ACK 69b392f3cb based on:
real-or-random:
ACK 69b392f3cb I haven't looked at every detail but it's certainly ready to be merged as draft spec
Tree-SHA512: e3aa0265a9d7a7648e03ca42575397100edd5af43f0224937af51aa5c77efc451d7938149bdc711f69e24fb9291438453b8cd762affaa1a2e7bcc89f121485df
8088eddc53 musig: add test vector for ordinary (non xonly) tweaking (Elliott Jin)
57a17929fc musig: add ordinary and xonly tweaking to the example (Jonas Nick)
37107361a0 musig: allow ordinary, non-xonly tweaking (Jonas Nick)
c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache (Jonas Nick)
Pull request description:
In short, `musig_pubkey_tweak_add` now allows for xonly _and_ "ordinary" tweaking. Also, in order to allow using `ec_pubkey_tweak_add` on the non-xonly aggregate public key, there's a new function `musig_pubkey_get` that allows obtaining it from the `keyagg_cache`.
One alternative would be that instead of adding `musig_pubkey_get`, we could change `pubkey_agg` to output an ordinary (non-xonly) pubkey. Then users of the API who do not need ordinary (BIP32) tweaking would be forced to call `xonly_pubkey_from_pubkey`. And we'd probably want to change the spec. And it would be a bit weird to output a pubkey that can't be directly schnorrsig_verify'd.
Based on #131
ACKs for top commit:
robot-dreams:
ACK 8088eddc53 based on https://github.com/ElementsProject/secp256k1-zkp/pull/151#issuecomment-1005198409 and the following `range-diff`:
Tree-SHA512: a4a0100f0470c870f88a8da27dbcc4684fcc2caabb368d4340e962e08d5ee04634e6289bafa3448dbfd0b5793a3e70de5bd6ddca7a619cc3220ff762d518a8fe
11d675dce8 whitelist: remove ability to specific nonce function (Andrew Poelstra)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 11d675dce8
Tree-SHA512: aa53d445a1e817e9998a41f5da186f1d92e3da0dcc088b9ff8fe795af06072d3e6b22be7842ece9f4dcb5e0ad97a90ebeaca097247fa8307d88a6d2bfb0fb573
b7ebe6436c Test APIs of funcs that need an ecmult_gen ctx with static ctx (Jonas Nick)
e82144edfb Fixup skew before global Z fixup (Peter Dettman)
40b624c90b Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe1 ECDH skews by 0 or 1 (Peter Dettman)
1515099433 Simpler and faster ecdh skew fixup (Peter Dettman)
3d7cbafb5f tests: Fix test whose result is implementation-defined (Tim Ruffing)
77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
3ed0d02bf7 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8 doc: add release_process.md (Jonas Nick)
0bd3e4243c build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
b4ac1a1d5f ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e ci: Update brew on macOS (Tim Ruffing)
22382f0ea0 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
1287786c7a doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589 doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
22d25c8e0a Add another ecmult_multi test (Pieter Wuille)
515e7953ca Improve checks at top of _fe_negate methods (Peter Dettman)
e05da9e480 Fix c++ build (Pieter Wuille)
c45386d994 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen} (Pieter Wuille)
19d96e15f9 Split off .c file from precomputed_ecmult.h (Pieter Wuille)
1a6691adae Split off .c file from precomputed_ecmult_gen.h (Pieter Wuille)
bb36331412 Simplify precompute_ecmult_print_* (Pieter Wuille)
38cd84a0cb Compute ecmult tables at runtime for tests_exhaustive (Pieter Wuille)
e458ec26d6 Move ecmult table computation code to separate file (Pieter Wuille)
fc1bf9f15f Split ecmult table computation and printing (Pieter Wuille)
31feab053b Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table (Pieter Wuille)
725370c3f2 Rename ecmult_gen_prec -> ecmult_gen_compute_table (Pieter Wuille)
075252c1b7 Rename ecmult_static_pre_g -> precomputed_ecmult (Pieter Wuille)
7cf47f72bc Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen (Pieter Wuille)
f95b8106d0 Rename gen_ecmult_static_pre_g -> precompute_ecmult (Pieter Wuille)
bae77685eb Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen (Pieter Wuille)
7dfceceea6 build: Remove #undef hack for ASM in the precomputation programs (Tim Ruffing)
bb36fe9be0 ci: Test `make precomp` (Tim Ruffing)
d94a37a20c build: Remove CC_FOR_BUILD stuff (Tim Ruffing)
ad63bb4c29 build: Prebuild and distribute ecmult_gen table (Tim Ruffing)
ac49361ed0 prealloc: Get rid of manual memory management for prealloc contexts (Tim Ruffing)
6573c08f65 ecmult_gen: Tidy precomputed file and save space (Tim Ruffing)
5eba83f17c ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS (Tim Ruffing)
fdb33dd122 refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table (Tim Ruffing)
a4875e30a6 refactor: Move default callbacks to util.h (Tim Ruffing)
4c94c55bce doc: Remove obsolete hint for valgrind stack size (Tim Ruffing)
5106226991 exhaustive_tests: Fix with ecmult_gen table with custom generator (Tim Ruffing)
e1a76530db refactor: Make generator a parameter of ecmult_gen_create_prec_table (Tim Ruffing)
9ad09f6911 refactor: Rename program that generates static ecmult_gen table (Tim Ruffing)
8ae18f1ab3 refactor: Rename file that contains static ecmult_gen table (Tim Ruffing)
00d2fa116e ecmult_gen: Make code consistent with comment (Tim Ruffing)
3b0c2185ea ecmult_gen: Simplify ecmult_gen context after making table static (Tim Ruffing)
e43ba02cfc refactor: Decouple table generation and ecmult_gen context (Tim Ruffing)
22dc2c0a0d ecmult_gen: Move table creation to new file and force static prec (Tim Ruffing)
099bad945e Comment and check a parameter for inf in secp256k1_ecmult_const. (Russell O'Connor)
6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. (Russell O'Connor)
5eb519e1f6 ci: reduce TEST_ITERS in memcheck run (Pieter Wuille)
e2cf77328a Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255. (Pieter Wuille)
c0cd7de6d4 build: add -no-undefined to libtool LDFLAGS (fanquake)
fe32a79d35 build: pass win32-dll to LT_INIT (fanquake)
7c7ce872a5 build: Add a check that Valgrind actually supports a host platform (Hennadii Stepanov)
592661c22f ci: move test environment variable declaration to .cirrus.yml (siv2r)
dcbe84b841 bench: add --help option to bench. (siv2r)
2b7c7497ef build: replace backtick command substitution with $() (fanquake)
60bf8890df ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS (Jonas Nick)
214042a170 build: don't append valgrind CPPFLAGS if not installed (fanquake)
812ff5c747 doc: remove use of 0xa0 "no break space" (fanquake)
dc9b6853b7 doc: Minor fixes in safegcd_implementation.md (Elliott Jin)
233297579d Fix typos (Dimitris Apostolou)
72de1359e9 ci: Enable -g if we set CFLAGS manually (Tim Ruffing)
16d132215c refactor: Use (int)&(int) in boolean context to avoid compiler warning (MarcoFalke)
3b157c48ed doc: Suggest keys.openpgp.org as keyserver in SECURITY.md (Tim Ruffing)
73a7472cd0 doc: Replace apoelstra's GPG key by jonasnick's GPG key (Tim Ruffing)
af6abcb3d0 Make bench support selecting which benchmarks to run (Pieter Wuille)
9f56bdf5b9 Merge bench_schnorrsig into bench (Pieter Wuille)
3208557ae1 Merge bench_recover into bench (Pieter Wuille)
855e18d8a8 Merge bench_ecdh into bench (Pieter Wuille)
2a7be678a6 Combine bench_sign and bench_verify into single bench (Pieter Wuille)
5324f8942d Make aux_rnd32==NULL behave identical to 0x0000..00. (Pieter Wuille)
2888640132 VERIFY_CHECK precondition for secp256k1_fe_set_int. (Russell O'Connor)
d49011f54c Make _set_fe_int( . , 0 ) set magnitude to 0 (Tim Ruffing)
23e2f66726 bench: don't return 1 in have_flag() if argc = 1 (Jonas Nick)
96b1ad2ea9 bench_ecmult: improve clarity of output (Jonas Nick)
b4b130678d create csv file from the benchmark output (siv2r)
26a255beb6 Shared benchmark format for command line and CSV outputs (siv2r)
044d956305 Fix G.y parity in sage code (Pieter Wuille)
b53e0cd61f Avoid overly-wide multiplications (Peter Dettman)
9be7b0f083 Avoid computing out-of-bounds pointer. (Tim Ruffing)
bc08599e77 Remove OpenSSL testing support (Pieter Wuille)
db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const (Pieter Wuille)
189f6bcfef Fix unused parameter warnings when building without VERIFY (Jonas Nick)
d43993724d tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify` (siv2r)
Pull request description:
[bitcoin-core/secp256k1#986]: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify`
[bitcoin-core/secp256k1#987]: Fix unused parameter warnings when building without VERIFY
[bitcoin-core/secp256k1#966]: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
[bitcoin-core/secp256k1#983]: [RFC] Remove OpenSSL testing support
[bitcoin-core/secp256k1#952]: Avoid computing out-of-bounds pointer.
[bitcoin-core/secp256k1#810]: Avoid overly-wide multiplications in 5x52 field mul/sqr
[bitcoin-core/secp256k1#996]: Fix G.y parity in sage code
[bitcoin-core/secp256k1#989]: Shared benchmark format for command line and CSV outputs
[bitcoin-core/secp256k1#999]: bench_ecmult: improve clarity of output
[bitcoin-core/secp256k1#943]: VERIFY_CHECK precondition for secp256k1_fe_set_int.
[bitcoin-core/secp256k1#1002]: Make aux_rnd32==NULL behave identical to 0x0000..00.
[bitcoin-core/secp256k1#991]: Merge all "external" benchmarks into a single bench binary
[bitcoin-core/secp256k1#1007]: doc: Replace apoelstra's GPG key by jonasnick's GPG key
[bitcoin-core/secp256k1#1009]: refactor: Use (int)&(int) in boolean context to avoid compiler warning
[bitcoin-core/secp256k1#1011]: ci: Enable -g if we set CFLAGS manually
[bitcoin-core/secp256k1#1012]: Fix typos
[bitcoin-core/secp256k1#1010]: doc: Minor fixes in safegcd_implementation.md
[bitcoin-core/secp256k1#1020]: doc: remove use of <0xa0> "no break space"
[bitcoin-core/secp256k1#1019]: build: don't append valgrind CPPFLAGS if not installed (macOS)
[bitcoin-core/secp256k1#1004]: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
[bitcoin-core/secp256k1#1025]: build: replace backtick command substitution with $()
[bitcoin-core/secp256k1#1008]: bench.c: add `--help` option and ci: move env variables
[bitcoin-core/secp256k1#1027]: build: Add a check that Valgrind actually supports a host platform
[bitcoin-core/secp256k1#1022]: build: Windows DLL additions
[bitcoin-core/secp256k1#920]: Test all ecmult functions with many j*2^i combinations
[bitcoin-core/secp256k1#942]: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
[bitcoin-core/secp256k1#988]: Make signing table fully static
[bitcoin-core/secp256k1#1042]: Follow-ups to making all tables fully static
[bitcoin-core/secp256k1#816]: Improve checks at top of _fe_negate methods
[bitcoin-core/secp256k1#1044]: Add another ecmult_multi test
[bitcoin-core/secp256k1#1030]: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
[bitcoin-core/secp256k1#1047]: ci: Various improvements
[bitcoin-core/secp256k1#1053]: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
[bitcoin-core/secp256k1#964]: Add release-process.md
[bitcoin-core/secp256k1#1052]: Use xoshiro256++ instead of RFC6979 for tests
[bitcoin-core/secp256k1#1054]: tests: Fix test whose result is implementation-defined
[bitcoin-core/secp256k1#1029]: Simpler and faster ecdh skew fixup
This PR can be recreated with `./contrib/sync-upstream.sh range a1102b12196ea27f44d6201de4d25926a2ae9640`.
ACKs for top commit:
apoelstra:
utACK b7ebe6436c
real-or-random:
ACK b7ebe6436c diff looks good. tested on my machine, also on valgrind.
Tree-SHA512: 8b01347bbb9ac35cb93df628eaaf2a997fc8182046588bccc48a0623e9595d40cad2d46102a9c62c819ff77069331f344361138fd8ad0afc81bba9c1690bb541
e82144edfb Fixup skew before global Z fixup (Peter Dettman)
40b624c90b Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe1 ECDH skews by 0 or 1 (Peter Dettman)
1515099433 Simpler and faster ecdh skew fixup (Peter Dettman)
Pull request description:
This PR adds a `_gej_cmov` method, with accompanying tests, and uses it to simplify the skew fixup at the end of `_ecmult_const`.
In the existing code, `_wnaf_const` chooses a skew of either 1 or 2, and `_ecmult_const` needs a call to `_ge_set_gej` (which does an expensive field inversion internally) and some overly-complicated conversions to/from `_ge_storage` so that `_ge_storage_cmov` can be used to select what value to add for the fixup.
This PR uses a simpler scheme where `_wnaf_const` chooses a skew of 0 or 1 and no longer needs special handling for scalars with value negative one. A new `_gej_cmov` method is used at the end of `_ecmult_const` for const-time optional addition to adjust the final result for the skew. Finally, the skew fixup is moved to before the global-Z adjustment, and the precomputed table entries (for 1P, λ(1P)) are used for the skew fixup, saving a field multiply and ensuring the fixup is done on the same isomorphism as the ladder.
The resulting `_wnaf_const` and `_ecmult_const` are shorter and simpler, and the ECDH benchmark is around 5% faster (64bit, i7).
Edit: Updated description once the final scope was clear.
ACKs for top commit:
apoelstra:
ACK e82144ed
sipa:
ACK e82144edfb
real-or-random:
ACK e82144edfb
Tree-SHA512: 10d6770f4ef4f8d0c78abbf58d643f25f5daef68896643af0a3f7f877414e23356724b6f20af2027316a4353a35b8cb0a7851e057a3f6483897df02bf033a8a2
3d7cbafb5f tests: Fix test whose result is implementation-defined (Tim Ruffing)
Pull request description:
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we restore the name of the function. It was mistakenly
renamed in 6173839c90 using
"search and replace".
ACKs for top commit:
robot-dreams:
ACK 3d7cbafb5f
sipa:
utACK 3d7cbafb5f
Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
Pull request description:
Just some easy low-hanging fruit. It's complete overkill to use the RFC6979 RNG for our test randomness. Replace it with a modern non-cryptographic RNG with good properties. It's a few % speedup for me.
Given the internal naming of all these functions to be "testrand", I'm not concerned about the risk of someone using this for something that needs actual cryptographic randomness.
ACKs for top commit:
robot-dreams:
ACK 77a19750b4
real-or-random:
utACK 77a19750b4
Tree-SHA512: 2706f37689e037e84b5df25c98af924c0756e6d59f5f822b23aec5ba381b2d536e0848f134026e2568396427218f1c770f1bb07613d702efb23a84015dc9271d
3ed0d02bf7 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8 doc: add release_process.md (Jonas Nick)
0bd3e4243c build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
Pull request description:
This is an attempt at a simple release process. Fixes#856. To keep it simple, there is no concept of release candidates for now.
The release version is determined by semantic versioning of the API. Since it does not seem to be a lot of work, it is proper to also version the ABI with the libtool versioning system. This versioning scheme (semver API, libtool versioning ABI) follows the suggestion in the [autotools mythbusters](https://autotools.io/libtool/version.html).
Experimental modules are a bit of a headache, as expected. This release process suggests to treat any change in experimental modules as backwards compatible. That way, users of stable modules are not bothered by frequent non-backwards compatible releases. But a downside is that one must not use experimental modules in shared libraries (which should be mentioned in the README?). It would be nice if we could make the schnorrsig module stable in the not too distant future (see also #817).
ACKs for top commit:
apoelstra:
utACK 3ed0d02bf7
elichai:
ACK 3ed0d02bf7
sipa:
ACK 3ed0d02bf7
real-or-random:
ACK 3ed0d02bf7
Tree-SHA512: 25a04335a9579e16de48d378b93a9c6a248529f67f7c436680fa2d495192132743ce016c547aa9718cdcc7fe932de31dd7594f49052e8bd85572a84264f2dbee
05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
Pull request description:
Fixes#1035
**Changes:**
- move `secp256k1_ecmult_odd_multiples_table_globalz_windowa` function from ecmult to ecmult_const
- remove outdated comment
ACKs for top commit:
robot-dreams:
utACK 05e049b73c (`diff` between removed and added lines is exactly as expected)
real-or-random:
utACK 05e049b73c
Tree-SHA512: 3fad4e93c641b642e84f4bbafcb8083d3e63b0523009fe0edcb2c1ebe1571d822320451289c651403ed1dc033ec6a7a3e8c3c56ad93d81bb1590cf9ff15a3b34
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we improve the identity check such that it covers the
VERIFY struct members.
