doc: add document describing Taproot sighashes #933
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apoelstra
force-pushed
the
2020-12--sighash-md
branch
4 times, most recently
from
b4792d3
to
a7de102
Compare
sanket1729
reviewed
Dec 3, 2020
doc/taproot-sighash.mediawiki
Outdated
| *** ''sha_single_output'' (32): the SHA256 of the corresponding output in <code>CTxOut</code> format. | ||
| *** '''''NEW''''' ''sha_single_output_witness'' (32): the SHA256 of the serialization of the corresponding output witnesses (rangeproof and surjection proof) in <code>CTxWitness</code> format. | ||
|
|
||
| The total length of ''SigMsg()'' is at most ''491'' bytes. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. |
There was a problem hiding this comment.
One general point for discussion. (Fixed length sighash with positions for fields)
- We observed that having a fixed length sighash with a fixed location for which field occurs where is super helpful in creating complex scripts easily.
- Even though we will new opcodes for getting these directly, it might still be useful to have a structured sighash.
- The only fields with variable length are
assetIssuanceandnValue(assetIssuanceinternally uses confidential value serialization). So, everything can be addressed if we fix the serialization of explicit innValue.
Note that we don't need to change the way serialization is done for these fields in p2p network, but only when we do sighash computation.
Downsides:
- more code complexity
- more divergence from core
There was a problem hiding this comment.
We could add zeros to the hash after nNonce nAmount and nAsset such that they'd always total out to 33 bytes. And same for the fields in the issuance.
I don't think this is too much added complexity and it would give you, as you say, fixed-offset fields in the sighash. I can certainly imagine that being useful for a covenant which is trying to fix one piece of the sighash while not touching anything else.
There was a problem hiding this comment.
We would still have a variable-length encoding based on the sighash flag, and I don't think there's any reasonable way to avoid that (the different flags mean you're hashing different data). But it's easy to fix/check this flag since it appears on the siganture itself, not only inside the sighash.
Do you think we should 0-pad so that the issuance data field is always 130 bytes even if there is no issuance? This adds two full sha2 compressions (at about 200ns/shot on a desktop CPU) and will rarely be nonzero.
There was a problem hiding this comment.
We should compare this overhead to normal signature validation?
There was a problem hiding this comment.
If we still want to maintain length index prefixing, we could change the order in which we do the sighash. We could all the input specific things at the end of the sighash.
There was a problem hiding this comment.
Normal signature validation is 50us. So an added .5us is a 1% performance hit.
I'd rather not change the order of the sighash too much to minimize the cognitive load for people coming from Bitcoin.
There was a problem hiding this comment.
There is also variable length introduced by the presence/absence of the annex. If you are interested in resolving that, then you should pad the annex hash in the case that there is no annex.
sanket1729
reviewed
Dec 3, 2020
doc/taproot-sighash.mediawiki
Outdated
| *** '''''NEW''''' ''nValue'' (9--33): (possibly confidential) amount of the previous output spent by this input. | ||
| *** ''scriptPubKey'' (35): ''scriptPubKey'' of the previous output spent by this input, serialized as script inside <code>CTxOut</code>. Its size is always 35 bytes. | ||
| *** ''nSequence'' (4): ''nSequence'' of this input. | ||
| *** '''''NEW''''' ''asset_issuance'' (0 or 74--130): if ''outpoint_flag & 0x80 == 0x80'': asset issuance data of this input. |
There was a problem hiding this comment.
Should be (82--130) instead of (74--130)? The minimum size is 2 explicit values + 2 32 bytes = 18 + 62 = 82
There was a problem hiding this comment.
The inflationKeys field can be null, in which case it is one byte.
sanket1729
reviewed
Dec 3, 2020
|
Yes, we support sidechains to sidechains, and I believe some of our functional tests depend on this fact. |
This was referenced Dec 3, 2020
|
@sanket1729 updated doc to make confidential fields all fixed-length, including issuance which is now always 130 bytes. I don't think we care about 1% perf hit when validating ANYONECANPAY signatures. If we can get a taproot sig in a blockheader, that saves us 10 signatures' worth of validation which means that even if the block has 100 such inputs (unlikely, nobody uses ACP :)) Taproot will still be a net win. |
|
the |
|
Like, between the |
|
Good point. |
apoelstra
force-pushed
the
2020-12--sighash-md
branch
from
3b960ba
to
169af2d
Compare
|
Rebased. What needs to be done to get this in? |
|
ACK 169af2d |
|
Removed the input |
apoelstra
commented
Jun 8, 2021
apoelstra
force-pushed
the
2020-12--sighash-md
branch
from
d49aab3
to
f18fa5c
Compare
apoelstra
commented
Jun 8, 2021
| ** ''nVersion'' (4): the ''nVersion'' of the transaction. | ||
| ** ''nLockTime'' (4): the ''nLockTime'' of the transaction. | ||
| ** If the ''hash_type & 0x80'' does not equal <code>SIGHASH_ANYONECANPAY</code>: | ||
| *** '''''NEW''''' ''sha_outpoint_flags'' (32): the SHA256 of the serialization of the concatenation of one byte per input of the input's outpoint flags shifted right by 24 bits. (The byte for an pegin input would be 0x40. The byte for an issuance input would be 0x80. The byte for both a pegin and issuance would be 0xc0.) |
There was a problem hiding this comment.
I wonder if we should replace this "shifted by 24 bits" language with an explicit list of cases. In both Elements Core and rust-elements, the prevout stored internally does not actually have these bits set; they are extracted during deserialization and recorded separately.
There was a problem hiding this comment.
However you want is fine. I phrased it this way to be forward compatible with new flags that might be added in the future.
There was a problem hiding this comment.
Yeah, that sounds reasonable. Let's keep the existing text.
doc/taproot-sighash.mediawiki
Outdated
| The function ''SigMsg(hash_type, ext_flag)'' computes the message being signed as a byte array. It is implicitly also a function of the spending transaction and the outputs it spends, but these are not listed to keep notation simple. | ||
|
|
||
| The parameter ''hash_type'' is an 8-bit unsigned value. The <code>SIGHASH</code> encodings from the legacy script system are reused, including <code>SIGHASH_ALL</code>, <code>SIGHASH_NONE</code>, <code>SIGHASH_SINGLE</code>, and <code>SIGHASH_ANYONECANPAY</code>, plus the default ''hash_type'' value ''0x00'' which results in signing over the whole transaction just as for <code>SIGHASH_ALL</code>. The following restrictions apply, which cause validation failure if violated: | ||
| * Using any undefined ''hash_type'' (not ''0x00'', ''0x01'', ''0x02'', ''0x03'', ''0x81'', ''0x82'', or ''0x83''<ref>'''Why reject unknown ''hash_type'' values?''' By doing so, it is easier to reason about the worst case amount of signature hashing an implementation with adequate caching must perform.</ref>). |
There was a problem hiding this comment.
we can remove the <ref>...<ref> here and below. Alternative we could add a reference section below, but I don't think that is preferable.
| * Using any undefined ''hash_type'' (not ''0x00'', ''0x01'', ''0x02'', ''0x03'', ''0x81'', ''0x82'', or ''0x83''<ref>'''Why reject unknown ''hash_type'' values?''' By doing so, it is easier to reason about the worst case amount of signature hashing an implementation with adequate caching must perform.</ref>). | ||
| * Using <code>SIGHASH_SINGLE</code> without a "corresponding output" (an output with the same index as the input being verified). | ||
|
|
||
| '''''NEW''''' If the input under consideration is a pegin input, the fields ''nAsset'', ''nValue'' and ''scriptPubKey'', where they appear, are taken from the pegin witness data. The asset used is the asset ID on the sidechain, not that on the parent chain (if any). |
There was a problem hiding this comment.
I think it is preferable for all these NEW statements to be their own paragraph.
There was a problem hiding this comment.
Good catch, I'm sure that was my intent but I guess I didn't look at the rendered version too carefully.
doc/taproot-sighash.mediawiki
Outdated
| ** ''nLockTime'' (4): the ''nLockTime'' of the transaction. | ||
| ** If the ''hash_type & 0x80'' does not equal <code>SIGHASH_ANYONECANPAY</code>: | ||
| *** '''''NEW''''' ''sha_outpoint_flags'' (32): the SHA256 of the serialization of the concatenation of one byte per input of the input's outpoint flags shifted right by 24 bits. (The byte for an pegin input would be 0x40. The byte for an issuance input would be 0x80. The byte for both a pegin and issuance would be 0xc0.) | ||
| *** ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints. Each prevout output index is the masked version containing outpoint flags |
There was a problem hiding this comment.
masked version excluding outpoint flags.
doc/taproot-sighash.mediawiki
Outdated
| ** ''spend_type'' (1): equal to ''(ext_flag * 2) + annex_present'', where ''annex_present'' is 0 if no annex is present, or 1 otherwise (the original witness stack has two or more witness elements, and the first byte of the last element is ''0x50'') | ||
| ** If ''hash_type & 0x80'' equals <code>SIGHASH_ANYONECANPAY</code>: | ||
| *** '''''NEW''''' ''outpoint_flag'' (1): the input's outpoint flags shifted right by 24 bits. (Compare ''sha_outpoint_flags'' above.) | ||
| *** ''outpoint'' (36): the <code>COutPoint</code> of this input (32-byte hash + 4-byte little-endian) where the output index includes the outpoint flags. |
There was a problem hiding this comment.
output index excludes the outpoint flags.
doc/taproot-sighash.mediawiki
Outdated
| *** ''sha_annex'' (32): the SHA256 of ''(compact_size(size of annex) || annex)'', where ''annex'' includes the mandatory ''0x50'' prefix. | ||
| * Data about this output: | ||
| ** If ''hash_type & 3'' equals <code>SIGHASH_SINGLE</code>: | ||
| *** ''sha_single_output'' (32): the SHA256 of the corresponding output in extended <code>CTxOut</code> format. |
There was a problem hiding this comment.
needs a (NEW) before the word extended.
doc/taproot-sighash.mediawiki
Outdated
| *** ''sha_sequences'' (32): the SHA256 of the serialization of all input ''nSequence''. | ||
| *** '''''NEW''''' ''sha_issuances'' (32): the SHA256 of the serialization of the concatenation of all input ''assetIssuance'' or 130 '0x00' bytes for inputs with no issuance | ||
| ** If ''hash_type & 3'' does not equal <code>SIGHASH_NONE</code> or <code>SIGHASH_SINGLE</code>: | ||
| *** ''sha_outputs'' (32): the SHA256 of the serialization of all outputs in extended <code>CTxOut</code> format. |
There was a problem hiding this comment.
needs a (NEW) before the word extended.
doc/taproot-sighash.mediawiki
Outdated
|
|
||
| '''''NEW''''' If the input under consideration is a pegin input, the fields ''nAsset'', ''nValue'' and ''scriptPubKey'', where they appear, are taken from the pegin witness data. The asset used is the asset ID on the sidechain, not that on the parent chain (if any). | ||
| '''''NEW''''' The epoch field prepended before signature hash is completely dropped. If there are new updates to the taproot signature hashes in elements, they will use new tagged hashes instead of incrementing epochs | ||
| '''''NEW''''' The fields ''nNonce'', ''nAsset'' and ''nValue'' are serialized in a fixed-length format, which consists of their ordinary 1/9/33 byte encoding followed by sufficiently many 0 to pad the length out to 33. When we refer to ''extended <code>CTxOut</code> format'' below, we mean the fields ''nAsset'', ''nValue'', ''nNonce'' serialized in that order in fixed-length format, followed by the ordinary length-prefixed ''scriptPubKey''. |
There was a problem hiding this comment.
I might prefer a term like "padded CTxOut format" or something rather than "extended". To me "extended" conveys that it has more fields. However it isn't a big deal.
|
Added a commit to address all of @roconnor-blockstream comments |
doc/taproot-sighash.mediawiki
Outdated
| ** If ''hash_type & 0x80'' equals <code>SIGHASH_ANYONECANPAY</code>: | ||
| *** '''''NEW''''' ''outpoint_flag'' (1): the input's outpoint flags shifted right by 24 bits. (Compare ''sha_outpoint_flags'' above.) | ||
| *** ''outpoint'' (36): the <code>COutPoint</code> of this input (32-byte hash + 4-byte little-endian) where the output index excludes the outpoint flags. | ||
| *** '''''NEW''''' ''nAsset'' (33): (possibly confidential) assetID of the previous output spent by this input, in fixed-length format |
There was a problem hiding this comment.
slight preference for this to read ", in padded format". And below too.
doc/taproot-sighash.mediawiki
Outdated
| *** ''sha_single_output'' (32): the SHA256 of the corresponding output in '''NEW''' padded <code>CTxOut</code> format. | ||
| *** '''''NEW''''' ''sha_single_output_witness'' (32): the SHA256 of the serialization of the corresponding output witnesses (rangeproof and surjection proof) in <code>CTxOutWitness</code> format. | ||
|
|
||
| The total length of ''SigMsg()'' is ''443'' bytes for <code>ANYONECANPAY</code> sighashes, ''366'' bytes for non-<code>ANYONECANPAY</code> sighashes, and both numbers are reduced by 64 bytes for <code>SIGHASH_NONE</code> sighashes. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. |
There was a problem hiding this comment.
I counted 442 bytes. Anyone want to count again?
There was a problem hiding this comment.
I think this is not updated with the latest numbers after we removed nNonce. Recalculating the numbers
There was a problem hiding this comment.
It's 410/334 for ACP/non-ACP according to my calculations/implementation. Are you taking into consideration the 32-byte annex too?
There was a problem hiding this comment.
I was including the annex.
|
As per offline conversation, added two commits to
I haven't updated the total length arithmetic. Would probably be easiest to do this after it's implemented by poking at the Python implementation. @sanket1729 ? |
|
(fuzz test failure in PSBT module which will be shortly replaced; just kicked the CI job) |
apoelstra
force-pushed
the
2020-12--sighash-md
branch
from
ec4b426
to
cfe5ebb
Compare
apoelstra
force-pushed
the
2020-12--sighash-md
branch
from
cfe5ebb
to
7ca7983
Compare
|
Rebased. CI should pass now. cc @roconnor-blockstream can I have an ack? |
@apoelstra |
|
Fixed the doc, but @sanket1729 I notice that your Python (and C++) impl completely ignore |
is the same as |
|
LGTM |
apoelstra
added a commit
to apoelstra/elements
that referenced
this pull request
Jul 28, 2021
5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec fc26ca8ddef musig: remove unnecessary constant time normalize in combine 48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add 5860b5e0fe7 musig: do not also require schnorrsig module config flag f27fd1d5e75 musig: improve test coverage of pubkey_combine 56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks 08fa02d5791 musig: add key aggregation spec draft 4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient 4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key 2310849f50f musig: compute musig coefficient by hashing key instead of index 9683c8a7eb6 musig: add static test vectors for key aggregation 9b3d7bf5361 extrakeys: add xonly_sort function f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC 6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950 cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind 7226cf215aa ecdsa_adaptor: fix too small buffer in tests b053e853d4f ecdsa_adaptor: fix test case with invalid signature 91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range 907633e2e9a sync-upstream: fix "end" parameter for specifying range 394f49fd1a6 sync-upstream: quote variables 1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier 9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier d27e4598610 Revert "Remove unused Jacobi symbol support" edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950 1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build c58c4ea4707 ci: Add ppc64le build 7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark 8f879c2887e Fix array size in bench_ecmult 2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark 593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks 50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686 a35fdd3478f ci: Run PRs on merge result even for i686 3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a63ad Merge ElementsProject#941: Clean up git tree 09b3bb8648f Clean up git tree bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI 202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method 0d9561ae879 add `secp256k1_ec_pubkey_cmp` method 22a9ea154a2 contrib: Explain explicit header guards 6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/' 14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir 45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a18e5 Add asm build to ARM32 CI 7d65ed52142 Add ARM32/ARM64 CI c8483520c90 Makefile.am: Don't pass a variable twice 2161f31785e Makefile.am: Honor config when building gen_context 99f47c20ec4 gen_context: Don't use external ASM because it complicates the build 98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build 7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199bed6 tests: fopen /dev/urandom in binary mode ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf81b5 Add mingw32-w64/wine CI build 0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context 07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h a3aa2628c7b gen_context: Don't include basic-config.h be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62 277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time 376ca366db0 Fix typo in explanation 1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module 5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc b0ffa923199 ecdsa_adaptor: add tests 6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const 6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl cc82ad5ab74 Make function argument name consistent with doc 4504472269d changed import to use brackets <> for openssl as they are not local to the project 26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality d8f336564fe ecdsa_adaptor: add nonce function and tags 654cd633f50 ecdsa_adaptor: initialize project 23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const 24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits 9164a1b6582 Optimization: special-case zero modulus limbs in modinv64 1f233b3fa05 Remove num/gmp support fac477f822a Merge ElementsProject#126: Upstream PRs ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901 20448b8d09a Remove unused Jacobi symbol support 5437e7bdfbf Remove unused scalar_sqr aa9cc521800 Improve field/scalar inverse tests 1e0e885c8ac Make field/scalar code use the new modinv modules for inverses 436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files 08d54964e51 Improve bounds checks in modinv modules 6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs 4091e619248 cirrus: increase timeout for macOS tasks 136ed8f84d9 sync-upstream: Fix output of command to reproduce 38f1e777d49 sync-upstream: Create proper links to upstream PRs 79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS 649bf201d85 musig: fix tests for 32-bit 151aac00d31 Add tests for modinv modules d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation 8e415acba25 Add safegcd based modular inverse modules de0a643c3dc Add secp256k1_ctz{32,64}_var functions d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901 4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements 9361f360bb0 ci: Select number of parallel make jobs depending on CI environment 28eccdf8064 ci: Split output of logs into multiple sections c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch b994a8be3cf ci: Print information about binaries using "file" f24e122d13d ci: Switch all Linux builds to Debian ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older 3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end 6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil 7d3497cdc4c ctime_test: move context randomization test to the end 99a1cfec174 print warnings for conditional-uninitialized 3d2cf6c5bd3 initialize variable in tests f329bba2442 build: Add workaround for automake 1.13 and older 24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI cc2a5451dc8 ci: Refactor Nix shell files 2480e55c8f3 ci: Remove support for Travis CI 2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS 8c02e465c5a ci: Add support for Cirrus CI 659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter. b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl. 5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs. db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values. 75d2ae149ef Remove unused secp256k1_fe_inv_all_var 482e4a9cfce Add missing secp256k1_ge_set_gej_var decl. 27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs 7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements 328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair 3c15130709d Improve CC_FOR_BUILD detection 47802a47624 Restructure and tidy configure.ac 252c19dfc65 Ask brew for valgrind include path 8c727b9087a Merge ElementsProject#860: fixed trivial typo cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config 96c83a83dcf Remove repeated schnorr flag from travis config d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind 41d6963bc1c rangeproof: clarify rewind outlen argument 673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module b7bc3a4aaa5 fixed typo 47efb5e39a1 ecdsa-s2c: add ctime tests 396b558273c ecdsa-s2c: add anti-klepto protocol 290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality 8e46cac5b31 ecdsa-s2c: block in module 826bd04b43f add eccommit functionality 33cb3c2b1fc Add secret key extraction from keypair to constant time tests 36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests fc96aa73f5c Add a function to extract the secretkey from a keypair 98dac878398 Merge ElementsProject#858: Fix insecure links 07aa4c70ffb Fix insecure links b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency 18aadf9d288 docs: fix simple typo, dependecy -> dependency 2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 6e85d675aaf Rename tweak to tweak32 in public API f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants f554dfc7088 sage: Reorganize files git-subtree-dir: src/secp256k1 git-subtree-split: 5d2df0541960554be5c0ba58d86e5fa479935000
apoelstra
added a commit
to apoelstra/elements
that referenced
this pull request
Jul 28, 2021
90580edcc98 Merge pull request ElementsProject#140 from apoelstra/2021-07--resync 6ad66de6802 rangeproof: add an (unnecessary) variable initialization to shut up CI 2979e4d9d46 Merge commits '8ae56e33 75ce488c 4866178d 446d28d9 253f90cd ec3aaa50 0440945f 7688a4f1 be8d9c26 ' into temp-merge-965 5d2df054196 Merge BlockstreamResearch/secp256k1-zkp#120: Add MuSig Key Aggregation spec fc26ca8ddef musig: remove unnecessary constant time normalize in combine 48f63efe683 musig: remove unnecessary branch in pubkey_tweak_add 5860b5e0fe7 musig: do not also require schnorrsig module config flag f27fd1d5e75 musig: improve test coverage of pubkey_combine 56014e8ca01 musig: change pubkey_combine arg to array of pointers to pks 08fa02d5791 musig: add key aggregation spec draft 4a9b059b16d musig: rename Musig coefficient to KeyAgg coefficient 4bc46d836e7 musig: optimize key aggregation using const 1 for 2nd key 2310849f50f musig: compute musig coefficient by hashing key instead of index 9683c8a7eb6 musig: add static test vectors for key aggregation 9b3d7bf5361 extrakeys: add xonly_sort function f31affd8a61 extrakeys: add hsort, in-place, iterative heapsort be8d9c262f4 Merge bitcoin-core/secp256k1#965: gen_context: Don't use any ASM d9560e0af78 Merge BlockstreamResearch/secp256k1-zkp#136: Eliminate a wrong -Wmaybe-uninitialized warning in GCC aeece445997 gen_context: Don't use any ASM 6db00f5b2e0 Merge BlockstreamResearch/secp256k1-zkp#132: Upstream PRs 831, 907, 903, 889, 918, 906, 928, 922, 933, Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM, 925, 937, 926, Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards, 850, 930, 941, 846, 947, 662, 950 cc0b279568d Eliminate a wrong -Wmaybe-uninitialized warning in GCC f09497ea3e0 CI: tweak cirrus.yml to prevent OOM and timeout w sanitizer/valgrind 7226cf215aa ecdsa_adaptor: fix too small buffer in tests b053e853d4f ecdsa_adaptor: fix test case with invalid signature 91b64770c3b Merge BlockstreamResearch/secp256k1-zkp#135: sync-upstream: fix "end" parameter for specifying range 907633e2e9a sync-upstream: fix "end" parameter for specifying range 394f49fd1a6 sync-upstream: quote variables 1bb5db3d602 Merge BlockstreamResearch/secp256k1-zkp#134: sync-upstream: parse merge commits w/ and w/o repo identifier 9321d42f751 sync-upstream: parse merge commits w/ and w/o repo identifier 7688a4f13a3 Merge bitcoin-core/secp256k1#963: "Schnorrsig API overhaul" fixups 90e83449b2c ci: Add C++ test f698caaff6a Use unsigned char consistently for byte arrays b5b8e7b7190 Don't declare constants twice 769528f3071 Don't use string literals for char arrays without NUL termination 2cc3cfa5838 Fix -Wmissing-braces warning in clang 0440945fb5c Merge ElementsProject#844: schnorrsig API overhaul ec3aaa5014f Merge ElementsProject#960: tests_exhaustive: check the result of secp256k1_ecdsa_sign a1ee83c6546 tests_exhaustive: check the result of secp256k1_ecdsa_sign 253f90cdeb1 Merge bitcoin-core/secp256k1#951: configure: replace AC_PATH_PROG to AC_CHECK_PROG 446d28d9de3 Merge bitcoin-core/secp256k1#944: Various improvements related to CFLAGS 0302138f750 ci: Make compiler warning into errors on CI b924e1e605d build: Ensure that configure's compile checks default to -O2 7939cd571c7 build: List *CPPFLAGS before *CFLAGS like on the compiler command line 595e8a35d80 build: Enable -Wcast-align=strict warning 07256267ffa build: Use own variable SECP_CFLAGS instead of touching user CFLAGS 4866178dfc9 Merge bitcoin-core/secp256k1#955: Add random field multiply/square tests 75ce488c2a6 Merge bitcoin-core/secp256k1#959: tests: really test the non-var scalar inverse 41ed13942bd tests: really test the non-var scalar inverse 5f6ceafcfa4 schnorrsig: allow setting MSGLEN != 32 in benchmark fdd06b79671 schnorrsig: add tests for sign_custom and varlen msg verification d8d806aaf38 schnorrsig: add extra parameter struct for sign_custom a0c3fc177f7 schnorrsig: allow signing and verification of variable length msgs 5a8e4991ad4 Add secp256k1_tagged_sha256 as defined in BIP-340 b6c0b72fb06 schnorrsig: remove noncefp args from sign; add sign_custom function bdf19f105c6 Add random field multiply/square tests 8ae56e33e74 Merge ElementsProject#879: Avoid passing out-of-bound pointers to 0-size memcpy a4642fa15ee configure: replace AC_PATH_PROG to AC_CHECK_PROG d27e4598610 Revert "Remove unused Jacobi symbol support" edcacc2b2ec Merge commits '26de4dfe 6e898534 c083cc6e 1e5d50fa cc2c09e3 efad3506 7012a188 34388af6 98e0358d d0bd2693 185a6af2 6c52ae87 69394879 1e78c18d 202a030f bf0ac460 399722a6 3dc8c072 50f33677 7973576f 1758a92f ' into temp-merge-950 1758a92ffd8 Merge ElementsProject#950: ci: Add ppc64le build c58c4ea4707 ci: Add ppc64le build 7973576f6e3 Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark 8f879c2887e Fix array size in bench_ecmult 2fe1b50df16 Add ecmult_gen, ecmult_const and ecmult to benchmark 593e6bad9c5 Clean up ecmult_bench to make space for more benchmarks 50f33677122 Merge ElementsProject#947: ci: Run PRs on merge result even for i686 a35fdd3478f ci: Run PRs on merge result even for i686 442cee5bafb schnorrsig: add algolen argument to nonce_function_hardened df3bfa12c3b schnorrsig: clarify result of calling nonce_function_bip340 without data 99e8614812b README: mention schnorrsig module 3dc8c072b6d Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1ad94 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c20a1 tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97e74b ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f13ac ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a63ad Merge ElementsProject#941: Clean up git tree 09b3bb8648f Clean up git tree bf0ac460661 Merge ElementsProject#930: Add ARM32/ARM64 CI 202a030f7d1 Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18d5b8 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 69394879b64 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6d566 add `secp256k1_xonly_pubkey_cmp` method 0d9561ae879 add `secp256k1_ec_pubkey_cmp` method 22a9ea154a2 contrib: Explain explicit header guards 6c52ae87247 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af2279 Merge ElementsProject#925: changed include statements without prefix 'include/' 14c9739a1fb tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668c37b tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdda95a change local lib headers to be relative for those pointing at "include/" dir 45b6468d7e3 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6de413 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de3227 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd2693e30 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a18e5 Add asm build to ARM32 CI 7d65ed52142 Add ARM32/ARM64 CI c8483520c90 Makefile.am: Don't pass a variable twice 2161f31785e Makefile.am: Honor config when building gen_context 99f47c20ec4 gen_context: Don't use external ASM because it complicates the build 98e0358d297 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5be0db Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af6b6a Merge ElementsProject#922: Add mingw32-w64/wine CI build 7012a188e6e Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199bed6 tests: fopen /dev/urandom in binary mode ae9e648526c Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf81b5 Add mingw32-w64/wine CI build 0881633dfd0 secp256k1.h: clarify that by default arguments must be != NULL efad3506a89 Merge ElementsProject#906: Use modified divsteps with initial delta=1/2 for constant-time cc2c09e3a78 Merge ElementsProject#918: Clean up configuration in gen_context 07067967ee9 add ECMULT_GEN_PREC_BITS to basic_config.h a3aa2628c7b gen_context: Don't include basic-config.h be0609fd54a Add unit tests for edge cases with delta=1/2 variant of divsteps cd393ce2283 Optimization: only do 59 hddivsteps per iteration instead of 62 277b224b6ab Use modified divsteps with initial delta=1/2 for constant-time 376ca366db0 Fix typo in explanation 1e5d50fa93d Merge ElementsProject#889: fix uninitialized read in tests f3708a1ecb4 Merge ElementsProject#117: Add ECDSA adaptor signatures module 5710ebacb9e Merge ElementsProject#128: Make function argument name consistent with doc b0ffa923199 ecdsa_adaptor: add tests 6955af5ca89 ecdsa_adaptor: add ECDSA adaptor signature APIs c083cc6e52a Merge ElementsProject#903: Make argument of fe_normalizes_to_zero{_var} const 6e898534ff4 Merge ElementsProject#907: changed import to use brackets <> for openssl cc82ad5ab74 Make function argument name consistent with doc 4504472269d changed import to use brackets <> for openssl as they are not local to the project 26de4dfeb1f Merge ElementsProject#831: Safegcd inverses, drop Jacobi symbols, remove libgmp b508e5dd9b1 ecdsa_adaptor: add support for proof of discrete logarithm equality d8f336564fe ecdsa_adaptor: add nonce function and tags 654cd633f50 ecdsa_adaptor: initialize project 23c3fb629b9 Make argument of fe_normalizes_to_zero{_var} const 24ad04fc064 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS ebc1af700f9 Optimization: track f,g limb count and pass to new variable-time update_fg_var b306935ac12 Optimization: use formulas instead of lookup tables for cancelling g bits 9164a1b6582 Optimization: special-case zero modulus limbs in modinv64 1f233b3fa05 Remove num/gmp support fac477f822a Merge ElementsProject#126: Upstream PRs ElementsProject#854 ElementsProject#852 ElementsProject#857 ElementsProject#858 ElementsProject#860 ElementsProject#845 ElementsProject#862 ElementsProject#875 ElementsProject#878 ElementsProject#874 ElementsProject#877 ElementsProject#880 ElementsProject#864 ElementsProject#882 ElementsProject#894 ElementsProject#891 ElementsProject#901 20448b8d09a Remove unused Jacobi symbol support 5437e7bdfbf Remove unused scalar_sqr aa9cc521800 Improve field/scalar inverse tests 1e0e885c8ac Make field/scalar code use the new modinv modules for inverses 436281afdcb Move secp256k1_fe_inverse{_var} to per-impl files aa404d53bef Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files 08d54964e51 Improve bounds checks in modinv modules 6a7861f646f Merge ElementsProject#127: sync-upstream: Create proper links to upstream PRs 4091e619248 cirrus: increase timeout for macOS tasks 136ed8f84d9 sync-upstream: Fix output of command to reproduce 38f1e777d49 sync-upstream: Create proper links to upstream PRs 79d4c3ac681 whitelist: add SECP_INCLUDES to bench_whitelist CPPFLAGS 649bf201d85 musig: fix tests for 32-bit 151aac00d31 Add tests for modinv modules d8a92fcc4c6 Add extensive comments on the safegcd algorithm and implementation 8e415acba25 Add safegcd based modular inverse modules de0a643c3dc Add secp256k1_ctz{32,64}_var functions d4ca81f48e9 Merge commits 'dc6e5c3a 2d9e7175 b61f9da5 98dac878 8c727b90 328aaef2 f2d9aeae b732701f db726782 5671e5f3 a4abaab7 659d0d47 f8c0b57e 24d1656c 3a8b47bc ebdba03c 4c3ba88c ' into temp-merge-901 4c3ba88c3a8 Merge ElementsProject#901: ci: Switch all Linux builds to Debian and more improvements 9361f360bb0 ci: Select number of parallel make jobs depending on CI environment 28eccdf8064 ci: Split output of logs into multiple sections c7f754fe4d5 ci: Run PRs on merge result instead of on the source branch b994a8be3cf ci: Print information about binaries using "file" f24e122d13d ci: Switch all Linux builds to Debian ebdba03cb56 Merge ElementsProject#891: build: Add workaround for automake 1.13 and older 3a8b47bc6d1 Merge ElementsProject#894: ctime_test: move context randomization test to the end 6da00ec6245 Merge pull request ElementsProject#124 from apoelstra/2021-02--rename-klepto e354c5751d6 ecdsa_s2c: rename anti-klepto to anti-exfil 7d3497cdc4c ctime_test: move context randomization test to the end 99a1cfec174 print warnings for conditional-uninitialized 3d2cf6c5bd3 initialize variable in tests f329bba2442 build: Add workaround for automake 1.13 and older 24d1656c328 Merge ElementsProject#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge e491d06b98c Use bit ops instead of int mult for constant-time logic in gej_add_ge f8c0b57e6ba Merge ElementsProject#864: Add support for Cirrus CI cc2a5451dc8 ci: Refactor Nix shell files 2480e55c8f3 ci: Remove support for Travis CI 2b359f1c1d8 ci: Enable simple cache for brewing valgrind on macOS 8c02e465c5a ci: Add support for Cirrus CI 659d0d47989 Merge ElementsProject#880: Add parens around ROUND_TO_ALIGN's parameter. b6f649889ae Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. a4abaab7931 Merge ElementsProject#877: Add missing secp256k1_ge_set_gej_var decl. 5671e5f3fd0 Merge ElementsProject#874: Remove underscores from header defs. db726782fa2 Merge ElementsProject#878: Remove unused secp256k1_fe_inv_all_var b732701faa7 Merge ElementsProject#875: Avoid casting (void**) values. 9570f674cc7 Avoid passing out-of-bound pointers to 0-size memcpy 75d2ae149ef Remove unused secp256k1_fe_inv_all_var 482e4a9cfce Add missing secp256k1_ge_set_gej_var decl. 27306186045 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. fb390c5299e Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. ed69ea79b42 Merge ElementsProject#98: Add contrib/sync-upstream.sh script to automate syncing PRs 7eeacd7725f Add contrib/sync-upstream.sh script to automate merging upstream PRs f2d9aeae6d5 Merge ElementsProject#862: Autoconf improvements 328aaef22a4 Merge ElementsProject#845: Extract the secret key from a keypair 3c15130709d Improve CC_FOR_BUILD detection 47802a47624 Restructure and tidy configure.ac 252c19dfc65 Ask brew for valgrind include path 8c727b9087a Merge ElementsProject#860: fixed trivial typo cfac088e1b2 Merge ElementsProject#119: Remove repeated schnorr flag from travis config 96c83a83dcf Remove repeated schnorr flag from travis config d2b6740688f Merge pull request ElementsProject#118 from jonasnick/clarify-rangeproof-rewind 41d6963bc1c rangeproof: clarify rewind outlen argument 673e551f4d1 Merge ElementsProject#111: Add ECDSA sign-to-contract module b7bc3a4aaa5 fixed typo 47efb5e39a1 ecdsa-s2c: add ctime tests 396b558273c ecdsa-s2c: add anti-klepto protocol 290dee566e1 ecdsa-s2c: add actual sign-to-contract functionality 8e46cac5b31 ecdsa-s2c: block in module 826bd04b43f add eccommit functionality 33cb3c2b1fc Add secret key extraction from keypair to constant time tests 36d9dc1e8e6 Add seckey extraction from keypair to the extrakeys tests fc96aa73f5c Add a function to extract the secretkey from a keypair 98dac878398 Merge ElementsProject#858: Fix insecure links 07aa4c70ffb Fix insecure links b61f9da54ef Merge ElementsProject#857: docs: fix simple typo, dependecy -> dependency 18aadf9d288 docs: fix simple typo, dependecy -> dependency 2d9e7175c6e Merge ElementsProject#852: Add sage script for generating scalar_split_lambda constants dc6e5c3a5c4 Merge ElementsProject#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 6e85d675aaf Rename tweak to tweak32 in public API f587f04e357 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 329a2e0a3f2 sage: Add script for generating scalar_split_lambda constants f554dfc7088 sage: Reorganize files git-subtree-dir: src/secp256k1 git-subtree-split: 90580edcc98350c9df9bebee58d2f9616d801849
gwillen
pushed a commit
that referenced
this pull request
Jun 1, 2022
delta1
pushed a commit
to delta1/elements
that referenced
this pull request
Apr 5, 2023
be8d9c262f Merge bitcoin-core/secp256k1#965: gen_context: Don't use any ASM aeece44599 gen_context: Don't use any ASM 7688a4f13a Merge bitcoin-core/secp256k1#963: "Schnorrsig API overhaul" fixups 90e83449b2 ci: Add C++ test f698caaff6 Use unsigned char consistently for byte arrays b5b8e7b719 Don't declare constants twice 769528f307 Don't use string literals for char arrays without NUL termination 2cc3cfa583 Fix -Wmissing-braces warning in clang 0440945fb5 Merge ElementsProject#844: schnorrsig API overhaul ec3aaa5014 Merge ElementsProject#960: tests_exhaustive: check the result of secp256k1_ecdsa_sign a1ee83c654 tests_exhaustive: check the result of secp256k1_ecdsa_sign 253f90cdeb Merge bitcoin-core/secp256k1#951: configure: replace AC_PATH_PROG to AC_CHECK_PROG 446d28d9de Merge bitcoin-core/secp256k1#944: Various improvements related to CFLAGS 0302138f75 ci: Make compiler warning into errors on CI b924e1e605 build: Ensure that configure's compile checks default to -O2 7939cd571c build: List *CPPFLAGS before *CFLAGS like on the compiler command line 595e8a35d8 build: Enable -Wcast-align=strict warning 07256267ff build: Use own variable SECP_CFLAGS instead of touching user CFLAGS 4866178dfc Merge bitcoin-core/secp256k1#955: Add random field multiply/square tests 75ce488c2a Merge bitcoin-core/secp256k1#959: tests: really test the non-var scalar inverse 41ed13942b tests: really test the non-var scalar inverse 5f6ceafcfa schnorrsig: allow setting MSGLEN != 32 in benchmark fdd06b7967 schnorrsig: add tests for sign_custom and varlen msg verification d8d806aaf3 schnorrsig: add extra parameter struct for sign_custom a0c3fc177f schnorrsig: allow signing and verification of variable length msgs 5a8e4991ad Add secp256k1_tagged_sha256 as defined in BIP-340 b6c0b72fb0 schnorrsig: remove noncefp args from sign; add sign_custom function bdf19f105c Add random field multiply/square tests 8ae56e33e7 Merge ElementsProject#879: Avoid passing out-of-bound pointers to 0-size memcpy a4642fa15e configure: replace AC_PATH_PROG to AC_CHECK_PROG 1758a92ffd Merge ElementsProject#950: ci: Add ppc64le build c58c4ea470 ci: Add ppc64le build 7973576f6e Merge ElementsProject#662: Add ecmult_gen, ecmult_const and ecmult to benchmark 8f879c2887 Fix array size in bench_ecmult 2fe1b50df1 Add ecmult_gen, ecmult_const and ecmult to benchmark 593e6bad9c Clean up ecmult_bench to make space for more benchmarks 50f3367712 Merge ElementsProject#947: ci: Run PRs on merge result even for i686 a35fdd3478 ci: Run PRs on merge result even for i686 442cee5baf schnorrsig: add algolen argument to nonce_function_hardened df3bfa12c3 schnorrsig: clarify result of calling nonce_function_bip340 without data 99e8614812 README: mention schnorrsig module 3dc8c072b6 Merge ElementsProject#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1ad9 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c20a tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97e74 ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f13a ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a63a Merge ElementsProject#941: Clean up git tree 09b3bb8648 Clean up git tree bf0ac46066 Merge ElementsProject#930: Add ARM32/ARM64 CI 202a030f7d Merge ElementsProject#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18d5b Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 69394879b6 Merge ElementsProject#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6d56 add `secp256k1_xonly_pubkey_cmp` method 0d9561ae87 add `secp256k1_ec_pubkey_cmp` method 22a9ea154a contrib: Explain explicit header guards 6c52ae8724 Merge ElementsProject#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af227 Merge ElementsProject#925: changed include statements without prefix 'include/' 14c9739a1f tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668c37 tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdda95 change local lib headers to be relative for those pointing at "include/" dir 45b6468d7e Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6de41 Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de322 Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd2693e3 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a18e Add asm build to ARM32 CI 7d65ed5214 Add ARM32/ARM64 CI c8483520c9 Makefile.am: Don't pass a variable twice 2161f31785 Makefile.am: Honor config when building gen_context 99f47c20ec gen_context: Don't use external ASM because it complicates the build 98e0358d29 Merge ElementsProject#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5be0d Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af6b6 Merge ElementsProject#922: Add mingw32-w64/wine CI build 7012a188e6 Merge ElementsProject#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199bed tests: fopen /dev/urandom in binary mode ae9e648526 Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf81b Add mingw32-w64/wine CI build 0881633dfd secp256k1.h: clarify that by default arguments must be != NULL 9570f674cc Avoid passing out-of-bound pointers to 0-size memcpy git-subtree-dir: src/secp256k1 git-subtree-split: be8d9c262f46309d9b4165b0498b71d704aba8fe
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Thanks to @roconnor-blockstream for writing the first draft of this document.