Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950 #132

Merged
merged 81 commits into from
Jul 13, 2021

Conversation

jonasnick
Copy link
Contributor

[bitcoin-core/secp256k1#831]: Safegcd inverses, drop Jacobi symbols, remove libgmp
[bitcoin-core/secp256k1#907]: changed import to use brackets <> for openssl
[bitcoin-core/secp256k1#903]: Make argument of fe_normalizes_to_zero{_var} const
[bitcoin-core/secp256k1#889]: fix uninitialized read in tests
[bitcoin-core/secp256k1#918]: Clean up configuration in gen_context
[bitcoin-core/secp256k1#906]: Use modified divsteps with initial delta=1/2 for constant-time
[bitcoin-core/secp256k1#928]: Define SECP256K1_BUILD in secp256k1.c directly.
[bitcoin-core/secp256k1#922]: Add mingw32-w64/wine CI build
[bitcoin-core/secp256k1#933]: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers
Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM
[bitcoin-core/secp256k1#925]: changed include statements without prefix 'include/'
[bitcoin-core/secp256k1#937]: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs.
[bitcoin-core/secp256k1#926]: secp256k1.h: clarify that by default arguments must be != NULL
Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards
[bitcoin-core/secp256k1#850]: add secp256k1_ec_pubkey_cmp method
[bitcoin-core/secp256k1#930]: Add ARM32/ARM64 CI
[bitcoin-core/secp256k1#941]: Clean up git tree
[bitcoin-core/secp256k1#846]: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs
[bitcoin-core/secp256k1#947]: ci: Run PRs on merge result even for i686
[bitcoin-core/secp256k1#662]: Add ecmult_gen, ecmult_const and ecmult to benchmark
[bitcoin-core/secp256k1#950]: ci: Add ppc64le build

This PR can be recreated with ./contrib/sync-upstream.sh range 1758a92f.

@jesseposner I had to change one of the test cases in the ECDSA adaptor sig module (see commit message). Does that still test what you wanted to test?

PiRK and others added 30 commits February 4, 2021 09:52
This was detected while running the tests with the `-Wconditional-uninitialized` flag

```
./autogen.sh
CC=clang CFLAGS="-Wconditional-uninitialized" ./configure
make check
```

The resulting warning is a false positive, but setting the value to -1
ensures that the CHECK below will fail if recid is never written to.
This compiler flag is available for clang but not gcc.

Test plan:

```
autogen.sh
./configure
make check
CC=clang ./configure
make check
```

If a variable is used uninitialized, the warning should look something
like:
```
  CC       src/tests-tests.o
src/tests.c:4336:15: warning: variable 'recid' may be uninitialized when used here [-Wconditional-uninitialized]
        CHECK(recid >= 0 && recid < 4);
              ^~~~~
./src/util.h:54:18: note: expanded from macro 'CHECK'
    if (EXPECT(!(cond), 0)) { \
                 ^~~~
./src/util.h:41:39: note: expanded from macro 'EXPECT'
                                      ^
src/tests.c:4327:14: note: initialize the variable 'recid' to silence this warning
    int recid;
             ^
              = 0
1 warning generated.
```
These functions count the number of trailing zeroes in non-zero integers.
This adds a long comment explaining the algorithm and implementation choices by building
it up step by step in Python.

Comments in the code are also reworked/added, with references to the long explanation.
This adds tests for the modinv{32,64}_impl.h directly (before the functions are used
inside the field/scalar code). It uses a naive implementation of modular multiplication
and gcds in order to verify the modular inverses themselves.
This commit adds functions to verify and compare numbers in signed{30,62} notation,
and uses that to do more extensive bounds checking on various variables in the modinv
code.
This temporarily duplicates the inversion code across the 4x64 and 8x32
implementations. Those implementations will be replaced in a later commit.
This temporarily duplicates the inversion code across the 5x52 and 10x26
implementations. Those implementations will be replaced in a next commit.
Add a new run_inverse_tests that replaces all existing field/scalar inverse tests,
and tests a few identities for fixed inputs, small numbers (-999...999), random
inputs (structured and unstructured), as well as comparing with the output of
secp256k1_fe_inv_all_var.
No exposed functions rely on Jacobi symbol computation anymore. Remove it; it can always
be brough back later if needed.
The whole "num" API and its libgmp-based implementation are now unused. Remove them.
Both the field and scalar modulus can be written in signed{30,62} notation
with one or more zero limbs. Make use of this in the update_de function to
avoid a few wide multiplications when that is the case.

This doesn't appear to be a win in the 32-bit implementation, so only
do it for the 64-bit one.
…bits

This only seems to be a win on 64-bit platforms, so only do it there.

Refactored by: Pieter Wuille <[email protected]>
…te_fg_var

The magnitude of the f and g variables generally goes down as the algorithm
progresses. Make use of this by keeping tracking how many limbs are used, and
when the number becomes small enough, make use of this to reduce the complexity
of arithmetic on them.

Refactored by: Pieter Wuille <[email protected]>
24ad04f Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS (Pieter Wuille)
ebc1af7 Optimization: track f,g limb count and pass to new variable-time update_fg_var (Peter Dettman)
b306935 Optimization: use formulas instead of lookup tables for cancelling g bits (Peter Dettman)
9164a1b Optimization: special-case zero modulus limbs in modinv64 (Pieter Wuille)
1f233b3 Remove num/gmp support (Pieter Wuille)
20448b8 Remove unused Jacobi symbol support (Pieter Wuille)
5437e7b Remove unused scalar_sqr (Pieter Wuille)
aa9cc52 Improve field/scalar inverse tests (Pieter Wuille)
1e0e885 Make field/scalar code use the new modinv modules for inverses (Pieter Wuille)
436281a Move secp256k1_fe_inverse{_var} to per-impl files (Pieter Wuille)
aa404d5 Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files (Pieter Wuille)
08d5496 Improve bounds checks in modinv modules (Pieter Wuille)
151aac0 Add tests for modinv modules (Pieter Wuille)
d8a92fc Add extensive comments on the safegcd algorithm and implementation (Pieter Wuille)
8e415ac Add safegcd based modular inverse modules (Peter Dettman)
de0a643 Add secp256k1_ctz{32,64}_var functions (Pieter Wuille)

Pull request description:

  This is a rebased and squashed version of #767, adding safegcd-based implementations of constant-time and variable-time modular inverses for scalars and field elements, by Peter Dettman. The PR is organized as follows:
  * **Add secp256k1_ctz{32,64}_var functions** Introduction of ctz functions to util.h (which use `__builtin_ctz` on recent GCC and Clang, but fall back to using a software emulation using de Bruijn on other platforms). This isn't used anywhere in this commit, but does include tests.
  * **Add safegcd based modular inverse modules** Add Peter Dettman's safegcd code from #767 (without some of his optimizations, which are moved to later commits), turned into separate modules by me.
  * **Add extensive comments on the safegcd algorithm and implementation** Add a long description of the algorithm and optimizations to `doc/safegcd_implementation.md`, as well as additional comments to the code itself. It is probably best to review this together with the previous commit (they're separated to keep authorship).
  * **Add tests for modinv modules** Adds tests on the modinv interface directly, for arbitrary moduli.
  * **Improve bounds checks in modinv modules** Adds a lot of sanity checking to the modinv modules.
  * **Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files** A pure refactor to prepare for switching the field and scalar code to modinv.
  * **Make field/scalar code use the new modinv modules for inverses** Actually switch over.
  * **Add extra modular inverse tests** This adds modular inverse tests through the field/scalar interface, now that those use modinv.
  * **Remove unused Jacobi symbol support** No longer needed.
  * **Remove num/gmp support** Bye-bye.
  * 3 commits with further optimizations.

ACKs for top commit:
  gmaxwell:
    ACK 24ad04f
  sanket1729:
    ACK 24ad04f
  real-or-random:
    ACK 24ad04f careful code review, some testing

Tree-SHA512: 732fe29315965e43ec9a10ee8c71eceeb983c43fe443da9dc5380a5a11b5e40b06e98d6abf67b773b1de74571fd2014973c6376f3a0caeac85e0cf163ba2144b
4504472 changed import to use brackets <> for openssl as they are not local to the project (William Bright)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 4504472
  jonasnick:
    ACK 4504472

Tree-SHA512: e35c202835a82dab5fe9f2f75e7752e70b15d5d2ee7485790749f145b35e8e995c4978b4015c726387c24248a7efb636d28791fe882581a144a0ddfb27e14075
23c3fb6 Make argument of fe_normalizes_to_zero{_var} const (Pieter Wuille)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 23c3fb6 diff looks good
  jonasnick:
    ACK 23c3fb6

Tree-SHA512: a51894a9e59851dc4854e92e4200ef6d12a11f6785b903c23585cfff5ef8d369216f4121260fe8789d46d3e215f3c2baa42decae99ab9328e8081f5274e67fab
99a1cfe print warnings for conditional-uninitialized (PiRK)
3d2cf6c initialize variable in tests (PiRK)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 99a1cfe code inspection
  jonasnick:
    ACK 99a1cfe

Tree-SHA512: 72f92f51c44210ab54f166920f540525db0e3d1f19a2fa56e4a6d157a38a582f9dc649d919cf3278482c9fd723021b07759284a8fccbc574b62a22aac0facf51
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent
delta. This variant only needs at most 590 iterations for 256-bit
inputs rather than 724 (by convex hull bounds analysis).
Before this commit, gen_context.c both included libsecp256k1-config.h
and basic-config.h: The former only to obtain ECMULT_GEN_PREC_BITS
and the latter to obtain a basic working configuration to be able to
use the library.

This was inelegant and confusing: It meant that basic-config.h needs
to #undef all the macros defined in libsecp256k1-config.h. Moreover,
it meant that basic-config.h cannot define ECMULT_GEN_PREC_BITS,
essentially making this file specific for use in gen_context.c.

After this commit, gen_context.c include only libsecp256k1-config.h.
basic-config.h is not necessary anymore for the modules used in
gen_context.c because 79f1f7a made the preprocessor detect all the
relevant config options.

On the way, we remove an unused #define in basic-config.h.
set ECMULT_GEN_PREC_BITS to the "auto" value of 4 in basic_config.h, so libsecp can be used without autoconf
jonasnick and others added 6 commits May 31, 2021 20:46
8f879c2 Fix array size in bench_ecmult (Jonas Nick)
2fe1b50 Add ecmult_gen, ecmult_const and ecmult to benchmark (Jonas Nick)
593e6ba Clean up ecmult_bench to make space for more benchmarks (Jonas Nick)

Pull request description:

  I was trying to determine the impact of ecmult_gen in schnorrsig signing and noticed that there is no way to bench this right now. The new benchmarks look like this:
  ```
  $ ./bench_ecmult
  ecmult_gen: min 20.9us / avg 21.2us / max 21.7us
  ecmult_const: min 63.9us / avg 64.3us / max 64.8us
  ecmult 1: min 49.4us / avg 49.7us / max 50.3us
  ecmult 1g: min 39.8us / avg 40.0us / max 40.3us
  ecmult 2g: min 27.2us / avg 27.3us / max 27.8us
  ecmult_multi 1g: min 39.8us / avg 40.0us / max 40.2us
  ecmult_multi 2g: min 27.2us / avg 27.4us / max 27.7us
  ecmult_multi 3g: min 22.8us / avg 22.9us / max 23.1us
  ecmult_multi 4g: min 20.6us / avg 20.8us / max 21.1us
  ecmult_multi 5g: min 19.3us / avg 19.5us / max 19.7us
  ```

  (Turns out ecmult_gen is 37% of the 55.8us that schnorrsig sign takes)

ACKs for top commit:
  real-or-random:
    ACK 8f879c2
  elichai:
    tACK 8f879c2

Tree-SHA512: 8a739f5de1e2c0467c8d1c3ceeaf453b396a470ea0e8e5bef15fe1b32f3f9633b6b1c7e2ce1d94d736cf3e9adecd8f4f983ad4ba37450cd5991767f1a95db85c
c58c4ea ci: Add ppc64le build (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK c58c4ea
  jonasnick:
    ACK c58c4ea

Tree-SHA512: 8f58783d07b34241619051c8375749699b1bd447de56541b3aea3d2e9546c6eb22fbcae55ad57bff614b8c3455933d74031162d00e5eabe6d1d55d56b4aaca16
This reverts commit 20448b8.

The removed functions secp256k1_ge_set_xquad and secp256k1_fe_is_quad_var
are required for some modules in secp256k1-zkp.
@real-or-random
Copy link
Collaborator

We need to tweak the cirrus config.

Ubsan builds: Container errored with 'OOMKilled'... So maybe increase the memory to 2 GB here.
Valgrind builds: apparently too many iterations for our tests...

@real-or-random
Copy link
Collaborator

Hm, still timeout... It's also possible to double the timeouts: https://cirrus-ci.org/faq/#instance-timed-out

@jonasnick jonasnick force-pushed the temp-merge-950 branch 2 times, most recently from 8c9c5c5 to 40d6a5b Compare June 15, 2021 14:28
@jonasnick
Copy link
Contributor Author

Cool, that worked!

@jesseposner
Copy link
Contributor

@jonasnick
Copy link
Contributor Author

@jesseposner Line 245 has coverage with (and without this PR) according to my test run. Also, I don't know how the commit could have affected that line. The error at line 343 is unreachable now, so I added an explanation as a comment and removed the test case entirely.

* Proof:
* eckey_pubkey_serialize fails <=> deckey = 0
* deckey = 0 <=> s^-1 = 0 or sp = 0
* case 1: s^-1 = 0 impossible by the definition of multiplicative inverse
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While it's true that it's definitionally impossible, if secp256k1_scalar_inverse doesn't check for an overflow, then it can return 0 when s is equal to the curve order q. Neither the implementation on master nor the scalar_low_impl.h implementation implementation in this PR check for an overflow.

This PR adds a new secp256k1_scalar_inverse implementation in scalar_4x64_impl.h and scalar_8x32_impl.h. This new implementation calls to either secp256k1_scalar_to_signed62 or secp256k1_scalar_to_signed30, which in turn check for an overflow (at https://github.com/ElementsProject/secp256k1-zkp/pull/132/files#diff-334ffa39c358290caf0eadd32018e5d9276ea2e76416f28a34b981e59b56a9d9R918 and https://github.com/ElementsProject/secp256k1-zkp/pull/132/files#diff-4112c4b434fd39c8722830f9daf1db7b2feb89cfd73a69c57c4a575575ee9cedR792 respectively), but only if the VERIFY macro is defined.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But s doesn't overflow (it was just loaded from the ecdsa signature).

Copy link
Contributor

@jesseposner jesseposner Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ecdsa signature can contain an s that is equal to the curve order q. When this happens in the implementation on master then secp256k1_scalar_inverse will write 0 to deckey, and the error at line 343 will be reached. With this PR, that is no longer the case because the secp256k1_scalar_inverse implementation has changed such that, if the VERIFY macro is defined then the following check will fail VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0) when s is equal to q.

I also just checked to see what happens if VERIFY is not defined, and with the new implementation secp256k1_scalar_inverse writes 1 to deckey instead of 0, so even without VERIFY, the error at line 343 will not be reached in the new implementation. So it is correct to say that line 343 is unreachable with the new implementation (assuming scalar_low_impl.h is not used). But this depends on the implementation of secp256k1_scalar_inverse, and is not impossible, as is demonstrated by the test case on master which reaches line 343.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I tweaked the comment such that it says that it's unreachable by the tests because scalar_inverse checks for valid inputs in that case (since VERIFY is defined).

@@ -1105,12 +1105,6 @@ void adaptor_tests(void) {
secp256k1_ecdsa_signature sig_tmp;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sig_tmp is no longer used with the removal of the test at 1122.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@jesseposner
Copy link
Contributor

jesseposner commented Jun 23, 2021

@jonasnick I'm finding that line 245 doesn't have coverage consistently because of the buffer fix at 01dfb69. It can get coverage depending on whether the random bit flip causes deserialization to fail, but it doesn't always cause it to fail.

The small buffer was causing the deserialization to fail, although that was undermining the purpose of the random bit flip test, so it's good that you fixed it. To make sure we hit the deserialization error perhaps another test case should be added:

    {
        /* Test failed adaptor sig deserialization */
        unsigned char adaptor_sig_tmp[162];
        memset(&adaptor_sig_tmp, 0xFF, 162);
        CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0);
    }

@jonasnick
Copy link
Contributor Author

@jesseposner thanks for figuring this out. I added your suggested test case.

Previously the ECDSA signature had an overflowing s value, which after the sync
with upstream results in a failing VERIFY_CHECK in the inversion function.
However, normally parsed signatures shouldn't contain overflowing s values.
Also add a specific test that fails adaptor sig deserialization because with the
correct size buffer that's not guaranteed anymore with the existing test.
Copy link
Collaborator

@real-or-random real-or-random left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK f09497e

@jonasnick jonasnick merged commit 6db00f5 into BlockstreamResearch:master Jul 13, 2021
apoelstra added a commit to apoelstra/elements that referenced this pull request Jul 28, 2021
5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec
fc26ca8ddef musig: remove unnecessary constant time normalize in combine
48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add
5860b5e0fe7 musig: do not also require schnorrsig module config flag
f27fd1d5e75 musig: improve test coverage of pubkey_combine
56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks
08fa02d5791 musig: add key aggregation spec draft
4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient
4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key
2310849f50f musig: compute musig coefficient by hashing key instead of index
9683c8a7eb6 musig: add static test vectors for key aggregation
9b3d7bf5361 extrakeys: add xonly_sort function
f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort
d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC
6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950
cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC
f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind
7226cf215aa ecdsa_adaptor: fix too small buffer in tests
b053e853d4f ecdsa_adaptor: fix test case with invalid signature
91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range
907633e2e9a sync-upstream: fix "end" parameter for specifying range
394f49fd1a6 sync-upstream: quote variables
1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier
9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier
d27e4598610 Revert "Remove unused Jacobi symbol support"
edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950
1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build
c58c4ea4707 ci: Add ppc64le build
7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark
8f879c2887e Fix array size in bench_ecmult
2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark
593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks
50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686
a35fdd3478f ci: Run PRs on merge result even for i686
3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs
02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds
489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset
fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc
de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs
399722a63ad Merge ElementsProject#941: Clean up git tree
09b3bb8648f Clean up git tree
bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI
202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method
1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards
69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL
6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method
0d9561ae879 add `secp256k1_ec_pubkey_cmp` method
22a9ea154a2 contrib: Explain explicit header guards
6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs.
185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/'
14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs
4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs
3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir
45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity.
31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in.
dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in.
d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM
8bbad7a18e5 Add asm build to ARM32 CI
7d65ed52142 Add ARM32/ARM64 CI
c8483520c90 Makefile.am: Don't pass a variable twice
2161f31785e Makefile.am: Honor config when building gen_context
99f47c20ec4 gen_context: Don't use external ASM because it complicates the build
98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers
99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers.
34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build
7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly.
ed5a199bed6 tests: fopen /dev/urandom in binary mode
ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly.
4dc37bf81b5 Add mingw32-w64/wine CI build
0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL
efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time
cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context
07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h
a3aa2628c7b gen_context: Don't include basic-config.h
be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps
cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62
277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time
376ca366db0 Fix typo in explanation
1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests
f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module
5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc
b0ffa923199 ecdsa_adaptor: add tests
6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs
c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const
6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl
cc82ad5ab74 Make function argument name consistent with doc
4504472269d changed import to use brackets <> for openssl as they are not local to the project
26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp
b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality
d8f336564fe ecdsa_adaptor: add nonce function and tags
654cd633f50 ecdsa_adaptor: initialize project
23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const
24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS
ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var
b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits
9164a1b6582 Optimization: special-case zero modulus limbs in modinv64
1f233b3fa05 Remove num/gmp support
fac477f822a Merge ElementsProject#126: Upstream PRs  ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901
20448b8d09a Remove unused Jacobi symbol support
5437e7bdfbf Remove unused scalar_sqr
aa9cc521800 Improve field/scalar inverse tests
1e0e885c8ac Make field/scalar code use the new modinv modules for inverses
436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files
aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files
08d54964e51 Improve bounds checks in modinv modules
6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs
4091e619248 cirrus: increase timeout for macOS tasks
136ed8f84d9 sync-upstream: Fix output of command to reproduce
38f1e777d49 sync-upstream: Create proper links to upstream PRs
79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS
649bf201d85 musig: fix tests for 32-bit
151aac00d31 Add tests for modinv modules
d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation
8e415acba25 Add safegcd based modular inverse modules
de0a643c3dc Add secp256k1_ctz{32,64}_var functions
d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901
4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements
9361f360bb0 ci: Select number of parallel make jobs depending on CI environment
28eccdf8064 ci: Split output of logs into multiple sections
c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch
b994a8be3cf ci: Print information about binaries using "file"
f24e122d13d ci: Switch all Linux builds to Debian
ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older
3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end
6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto
e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil
7d3497cdc4c ctime_test: move context randomization test to the end
99a1cfec174 print warnings for conditional-uninitialized
3d2cf6c5bd3 initialize variable in tests
f329bba2442 build: Add workaround for automake 1.13 and older
24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge
e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge
f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI
cc2a5451dc8 ci: Refactor Nix shell files
2480e55c8f3 ci: Remove support for Travis CI
2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS
8c02e465c5a ci: Add support for Cirrus CI
659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter.
b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation.
a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl.
5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs.
db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var
b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values.
75d2ae149ef Remove unused secp256k1_fe_inv_all_var
482e4a9cfce Add missing secp256k1_ge_set_gej_var decl.
27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values.
fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers.
ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs
7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs
f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements
328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair
3c15130709d Improve CC_FOR_BUILD detection
47802a47624 Restructure and tidy configure.ac
252c19dfc65 Ask brew for valgrind include path
8c727b9087a Merge ElementsProject#860: fixed trivial typo
cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config
96c83a83dcf Remove repeated schnorr flag from travis config
d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind
41d6963bc1c rangeproof: clarify rewind outlen argument
673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module
b7bc3a4aaa5 fixed typo
47efb5e39a1 ecdsa-s2c: add ctime tests
396b558273c ecdsa-s2c: add anti-klepto protocol
290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality
8e46cac5b31 ecdsa-s2c: block in module
826bd04b43f add eccommit functionality
33cb3c2b1fc Add secret key extraction from keypair to constant time tests
36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests
fc96aa73f5c Add a function to extract the secretkey from a keypair
98dac878398 Merge ElementsProject#858: Fix insecure links
07aa4c70ffb Fix insecure links
b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency
18aadf9d288 docs: fix simple typo, dependecy -> dependency
2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants
dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
6e85d675aaf Rename tweak to tweak32 in public API
f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants
f554dfc7088 sage: Reorganize files

git-subtree-dir: src/secp256k1
git-subtree-split: 5d2df0541960554be5c0ba58d86e5fa479935000
apoelstra added a commit to apoelstra/elements that referenced this pull request Jul 28, 2021
90580edcc98 Merge pull request ElementsProject#140 from apoelstra/2021-07--resync
6ad66de6802 rangeproof: add an (unnecessary) variable initialization to shut up CI
2979e4d9d46 Merge commits '8ae56e33 75ce488c 4866178d 446d28d9 253f90cd ec3aaa50 0440945f 7688a4f1 be8d9c26 ' into temp-merge-965
5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec
fc26ca8ddef musig: remove unnecessary constant time normalize in combine
48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add
5860b5e0fe7 musig: do not also require schnorrsig module config flag
f27fd1d5e75 musig: improve test coverage of pubkey_combine
56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks
08fa02d5791 musig: add key aggregation spec draft
4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient
4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key
2310849f50f musig: compute musig coefficient by hashing key instead of index
9683c8a7eb6 musig: add static test vectors for key aggregation
9b3d7bf5361 extrakeys: add xonly_sort function
f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort
be8d9c262f4 Merge bitcoin-core/secp256k1#965: gen_context: Don't use any ASM
d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC
aeece445997 gen_context: Don't use any ASM
6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950
cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC
f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind
7226cf215aa ecdsa_adaptor: fix too small buffer in tests
b053e853d4f ecdsa_adaptor: fix test case with invalid signature
91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range
907633e2e9a sync-upstream: fix "end" parameter for specifying range
394f49fd1a6 sync-upstream: quote variables
1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier
9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier
7688a4f13a3 Merge bitcoin-core/secp256k1#963: "Schnorrsig API overhaul" fixups
90e83449b2c ci: Add C++ test
f698caaff6a Use unsigned char consistently for byte arrays
b5b8e7b7190 Don't declare constants twice
769528f3071 Don't use string literals for char arrays without NUL termination
2cc3cfa5838 Fix -Wmissing-braces warning in clang
0440945fb5c Merge ElementsProject#844: schnorrsig API overhaul
ec3aaa5014f Merge ElementsProject#960: tests_exhaustive: check the result of secp256k1_ecdsa_sign
a1ee83c6546 tests_exhaustive: check the result of secp256k1_ecdsa_sign
253f90cdeb1 Merge bitcoin-core/secp256k1#951: configure: replace AC_PATH_PROG to AC_CHECK_PROG
446d28d9de3 Merge bitcoin-core/secp256k1#944: Various improvements related to CFLAGS
0302138f750 ci: Make compiler warning into errors on CI
b924e1e605d build: Ensure that configure's compile checks default to -O2
7939cd571c7 build: List *CPPFLAGS before *CFLAGS like on the compiler command line
595e8a35d80 build: Enable -Wcast-align=strict warning
07256267ffa build: Use own variable SECP_CFLAGS instead of touching user CFLAGS
4866178dfc9 Merge bitcoin-core/secp256k1#955: Add random field multiply/square tests
75ce488c2a6 Merge bitcoin-core/secp256k1#959: tests: really test the non-var scalar inverse
41ed13942bd tests: really test the non-var scalar inverse
5f6ceafcfa4 schnorrsig: allow setting MSGLEN != 32 in benchmark
fdd06b79671 schnorrsig: add tests for sign_custom and varlen msg verification
d8d806aaf38 schnorrsig: add extra parameter struct for sign_custom
a0c3fc177f7 schnorrsig: allow signing and verification of variable length msgs
5a8e4991ad4 Add secp256k1_tagged_sha256 as defined in BIP-340
b6c0b72fb06 schnorrsig: remove noncefp args from sign; add sign_custom function
bdf19f105c6 Add random field multiply/square tests
8ae56e33e74 Merge ElementsProject#879: Avoid passing out-of-bound pointers to 0-size memcpy
a4642fa15ee configure: replace AC_PATH_PROG to AC_CHECK_PROG
d27e4598610 Revert "Remove unused Jacobi symbol support"
edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950
1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build
c58c4ea4707 ci: Add ppc64le build
7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark
8f879c2887e Fix array size in bench_ecmult
2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark
593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks
50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686
a35fdd3478f ci: Run PRs on merge result even for i686
442cee5bafb schnorrsig: add algolen argument to nonce_function_hardened
df3bfa12c3b schnorrsig: clarify result of calling nonce_function_bip340 without data
99e8614812b README: mention schnorrsig module
3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs
02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds
489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset
fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc
de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs
399722a63ad Merge ElementsProject#941: Clean up git tree
09b3bb8648f Clean up git tree
bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI
202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method
1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards
69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL
6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method
0d9561ae879 add `secp256k1_ec_pubkey_cmp` method
22a9ea154a2 contrib: Explain explicit header guards
6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs.
185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/'
14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs
4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs
3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir
45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity.
31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in.
dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in.
d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM
8bbad7a18e5 Add asm build to ARM32 CI
7d65ed52142 Add ARM32/ARM64 CI
c8483520c90 Makefile.am: Don't pass a variable twice
2161f31785e Makefile.am: Honor config when building gen_context
99f47c20ec4 gen_context: Don't use external ASM because it complicates the build
98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers
99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers.
34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build
7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly.
ed5a199bed6 tests: fopen /dev/urandom in binary mode
ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly.
4dc37bf81b5 Add mingw32-w64/wine CI build
0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL
efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time
cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context
07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h
a3aa2628c7b gen_context: Don't include basic-config.h
be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps
cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62
277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time
376ca366db0 Fix typo in explanation
1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests
f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module
5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc
b0ffa923199 ecdsa_adaptor: add tests
6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs
c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const
6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl
cc82ad5ab74 Make function argument name consistent with doc
4504472269d changed import to use brackets <> for openssl as they are not local to the project
26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp
b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality
d8f336564fe ecdsa_adaptor: add nonce function and tags
654cd633f50 ecdsa_adaptor: initialize project
23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const
24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS
ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var
b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits
9164a1b6582 Optimization: special-case zero modulus limbs in modinv64
1f233b3fa05 Remove num/gmp support
fac477f822a Merge ElementsProject#126: Upstream PRs  ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901
20448b8d09a Remove unused Jacobi symbol support
5437e7bdfbf Remove unused scalar_sqr
aa9cc521800 Improve field/scalar inverse tests
1e0e885c8ac Make field/scalar code use the new modinv modules for inverses
436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files
aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files
08d54964e51 Improve bounds checks in modinv modules
6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs
4091e619248 cirrus: increase timeout for macOS tasks
136ed8f84d9 sync-upstream: Fix output of command to reproduce
38f1e777d49 sync-upstream: Create proper links to upstream PRs
79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS
649bf201d85 musig: fix tests for 32-bit
151aac00d31 Add tests for modinv modules
d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation
8e415acba25 Add safegcd based modular inverse modules
de0a643c3dc Add secp256k1_ctz{32,64}_var functions
d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901
4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements
9361f360bb0 ci: Select number of parallel make jobs depending on CI environment
28eccdf8064 ci: Split output of logs into multiple sections
c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch
b994a8be3cf ci: Print information about binaries using "file"
f24e122d13d ci: Switch all Linux builds to Debian
ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older
3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end
6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto
e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil
7d3497cdc4c ctime_test: move context randomization test to the end
99a1cfec174 print warnings for conditional-uninitialized
3d2cf6c5bd3 initialize variable in tests
f329bba2442 build: Add workaround for automake 1.13 and older
24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge
e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge
f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI
cc2a5451dc8 ci: Refactor Nix shell files
2480e55c8f3 ci: Remove support for Travis CI
2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS
8c02e465c5a ci: Add support for Cirrus CI
659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter.
b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation.
a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl.
5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs.
db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var
b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values.
9570f674cc7 Avoid passing out-of-bound pointers to 0-size memcpy
75d2ae149ef Remove unused secp256k1_fe_inv_all_var
482e4a9cfce Add missing secp256k1_ge_set_gej_var decl.
27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values.
fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers.
ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs
7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs
f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements
328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair
3c15130709d Improve CC_FOR_BUILD detection
47802a47624 Restructure and tidy configure.ac
252c19dfc65 Ask brew for valgrind include path
8c727b9087a Merge ElementsProject#860: fixed trivial typo
cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config
96c83a83dcf Remove repeated schnorr flag from travis config
d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind
41d6963bc1c rangeproof: clarify rewind outlen argument
673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module
b7bc3a4aaa5 fixed typo
47efb5e39a1 ecdsa-s2c: add ctime tests
396b558273c ecdsa-s2c: add anti-klepto protocol
290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality
8e46cac5b31 ecdsa-s2c: block in module
826bd04b43f add eccommit functionality
33cb3c2b1fc Add secret key extraction from keypair to constant time tests
36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests
fc96aa73f5c Add a function to extract the secretkey from a keypair
98dac878398 Merge ElementsProject#858: Fix insecure links
07aa4c70ffb Fix insecure links
b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency
18aadf9d288 docs: fix simple typo, dependecy -> dependency
2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants
dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
6e85d675aaf Rename tweak to tweak32 in public API
f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants
f554dfc7088 sage: Reorganize files

git-subtree-dir: src/secp256k1
git-subtree-split: 90580edcc98350c9df9bebee58d2f9616d801849
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.