97c63b9039 Avoid normalize conditional on VERIFY (Pieter Wuille)
Pull request description:
In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
ACKs for top commit:
real-or-random:
utACK 97c63b9039 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
jonasnick:
ACK 97c63b9039
Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
7fc642fa25 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad5b9 Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98346 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c6b9 Abstract out verify logic for fe_half (Pieter Wuille)
283cd80ab4 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f0358 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
3167646072 Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5047 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894bdd7 Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8e03 Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab35082ef Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6efbd Abstract out verify logic for fe_mul (Pieter Wuille)
e179e651cb Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7ff57 Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3445 Abstract out verify logic for fe_negate (Pieter Wuille)
144670893e Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666aeb Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d2093e8 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c6dd Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d672 Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8616 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a471 Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfeeea Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db491 Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371120 Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f522 Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9cb97 Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa5195559 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c51b Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
Pull request description:
Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
Fixes#1060.
ACKs for top commit:
jonasnick:
ACK 7fc642fa25
real-or-random:
ACK 7fc642fa25
Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
bbc834467c Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae4 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722a Add invariant checking to group elements (Pieter Wuille)
a18821d5b1 Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90ac Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4d Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c
real-or-random:
ACK bbc834467c
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19
Infinity isn't currently needed here, but correctly handling it is a
little more safe against future changes.
Update docs for it to make it clear that it is not constant time in A
(the input point). It never was constant time in Q (and would be a little
complicated to make constant time in A).
If it was later made constant time in A, infinity support would be easy
to preserve, e.g. by running it on a dummy value and cmoving infinity into
the output.
2e65f1fdbc Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
Pull request description:
The existing bench.c code defines `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one.
ACKs for top commit:
stratospher:
ACK 2e65f1f.
real-or-random:
utACK 2e65f1fdbc
Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814
For the sake of completeness, add the missing descriptions for the
return value and parameters (`ctx`, `sig64`, `keypair`), in the same
wording/style as for the function `secp256k1_schnorrsig_sign32`.
bef448f9af cmake: Fix library ABI versioning (Hennadii Stepanov)
Pull request description:
This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.
To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`:
- incrementing of `*_LIB_VERSION_CURRENT`
- setting `*_LIB_VERSION_REVISION` to zero
- incrementing of `*_LIB_VERSION_AGE`
ACKs for top commit:
real-or-random:
ACK bef448f9af diff looks good and I tested on Linux
Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5
An executable target in the `COMMAND` option will automatically be
replaced by the location of the executable created at build time.
This change fixes tests for Windows binaries using Wine.
7e977b3c50 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing)
2418d3260a autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing)
8764034ed5 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing)
e1b9ce8811 autotools: Use same conventions for all pregenerated files (Tim Ruffing)
08f4b1632d autotools: Move code around to tidy Makefile (Tim Ruffing)
529b54d922 autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing)
Pull request description:
Follow-up to https://github.com/bitcoin-core/secp256k1/pull/1245.
This builds on top of https://github.com/bitcoin-core/secp256k1/pull/1276. Let's only merge https://github.com/bitcoin-core/secp256k1/pull/1276 as a hotfix for the Core build.
ACKs for top commit:
hebasto:
ACK 7e977b3c50
Tree-SHA512: 42e09feaed15d903e759360e1dfbd1afce9da07a55512e2e791147b72d9b6477e34ae6028439af57dbcae318081a37ddcf3a630f9617bfea95c130135ba2313f
