[ZPIV] Zerocoin public coin spend. #891
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
assigned 
furszy
changed the title
random-zebra
reviewed
May 9, 2019
furszy
force-pushed
the
public_spend
branch
2 times, most recently
from
5c5c4c4
to
5418fa1
Compare
|
Given the following avg sizes for serialized objects
a publicSpend scriptSig is only about 66 bytes bigger than a "traditional" basecoin input scriptSig. |
|
Great, only regression tests left and we are done. |
furszy
changed the title
presstab
previously requested changes
May 16, 2019
|
@presstab This implementation presents a serious vulnerability with v1 coins due to the lack of the private key in the |
|
Yeah, this public spend implementation doesn't contemplate V1 Serials spends that has been deprecated since May 2018 and available for a short period (from Oct 7 2017 to May 2 2018). Saying that and going little bit deeper on zebra's explanation, V1 serials requires a zkp proving knowledge of |
Warrows
reviewed
May 16, 2019
presstab
dismissed
their stale review
V1 spends are being addressed in a later release.
|
I'll test the latest commits asap. |
random-zebra
force-pushed
the
public_spend
branch
from
70474a9
to
3e35702
Compare
|
Concerning V1, I doubt there are all that many left out there, but it was not explicitly banned, so should be supported when able. I know I have V1 coins that I intentionally locked away for potential testing/dev purposes. Enough value that it is not easily forgotten about. I know that I will accept the tiny chance of losing my coins to a man in the middle attack, over the alternative of 100% chance of not getting my coins back. |
presstab
reviewed
May 24, 2019
[Cleanup] non used variable commented.
…r any future change.
[Unit Test] zc public spend test up-to-date with master.
[zPIV] v1 serials validation was not checked against the publicSpend height.
[Consensus] spork 15 + min prev protocol version. (squash this later)
cleanup, publicCoinSpend object leftover removed + minor log added to CheckProofOfStake.
|
Testnet enforcement height updated, ready to go. |
Fuzzbawls
approved these changes
Jun 7, 2019
Fuzzbawls
added a commit
that referenced
this pull request
Jun 7, 2019
d6149cc [Consensus] Testnet enforcement height. (furszy) 28afbd2 [zPIV] v1 serials modulus fix + isStandardTx fix for publicSpends. (furszy) ddc3f15 [Consensus] spork 15 activation + protocol version bump. (furszy) 216a317 [zPIV] testnet publicSpend enforcement height set. (furszy) 0393227 [Tests] add test reorg for public spend (random-zebra) 2f750e5 [RPC] add 'createrawzerocoinpublicspend' method (random-zebra) b5e2526 [zPIV] publicCoinSpend version field included in the serialization for any future change. (furszy) 46e453b [zPIV] reject priv coin spends on tx mempool acceptance. (furszy) afdb9d4 [RPC] Parse public spend on getserials rpc command. (furszy) 88cdfc6 [FUNCTIONAL TEST] old coinSpend transaction rejected. (furszy) 3d0893a [RPC] spendzerocoin command can now create old zc spends, only for regression tests (furszy) f46b80e [FUNCTIONAL TEST][zPIV] double spent serial validation. (furszy) fdfd999 [zPIV[Unit Test] Possible redundant denomination validation. (furszy) 507f7c8 [FUNCTIONAL TESTS] valid PublicCoinSpend transaction test. (furszy) 262d5e7 [zPIV] mints coin control dialog min accumulation mature text removed + re mint change checkbox not visible anymore. (furszy) a8ce671 [zPIV] use new limit Zerocoin_MaxPublicSpendsPerTransaction for max num of inputs (random-zebra) e0decb1 [zPIV] prevent v1 zerocoins from being selected for PublicSpends (random-zebra) 4439869 [zPIV][Consensus] reject V1 serials spends. (furszy) cb4ffa1 [zPIV] remove enforcement from 'CreateZerocoinSpendTransaction' fixing the unit tests (random-zebra) 657bb41 [zPIV][Cleanup] PublicSpend rebase onto IsZerocoin (random-zebra) 3c74d6d [zPIV] new protocol enforcement height added. Height not final, just randomly selected and tested on regtest. (furszy) f930016 [zPIV] rebase problems fixed. (Needs more testing) (furszy) e7dada8 [zPIV] publicCoinSpend signature hash relevant data inclusion. (furszy) c8d519e [zPIV] zPIV Maturity --> Minimum amount of coins accumulated no needed anymore. (furszy) 0e8d0f9 [Wallet] public coin spend creation connected + first mem pool validation. (furszy) 1db7c59 [UNIT TEST] publicCoinSpend valid input creation and verification. (furszy) ca86660 [Zeroocoin] public coin spend script creation, validation and un/serialization. (furszy) Tree-SHA512: d333dbbf5dba407cf3766adcf42867e2af84951ca381df03c77c01b552ad6ed0721d1eea7ae312595c264196a409603823f36f06e97d377c61c2b7d983880245
Fuzzbawls
added
Needs Release Notes
furszy
added a commit
that referenced
this pull request
Oct 24, 2019
e06f7b6 [Tests] Minor optimizations in zerocoin_valid_public_spend test (random-zebra) cdc18ea [RPC] fix parameters check for spendzerocoin (missing ispublicspend) (random-zebra) 72bc39a [Tests] Add zerocoin_valid_public_spend to testRunner (random-zebra) 26045d3 [Consensus] Set zc PublicSpend version v3/v4 via SPORK (random-zebra) Pull request description: This follows #936 It sets the required version for zerocoin PublicSpends via SPORK instead of having it height-based. When `SPORK_18_ZEROCOIN_PUBLICSPEND_V4` is not active (default), the required version is v3 (where old version 1 serials cannot be spent. ref: #891 ). It also fixes the relative functional test `zerocoin_valid_public_spend.py` and adds it to the test_runner. ACKs for top commit: furszy: utACK e06f7b6 Warrows: utACK e06f7b6 Tree-SHA512: 07f18e77a91503f5d48dafad32364cc6292ffd1f9a3f9286a78de72dafc98b07342e6abd96eaabe55d20193f10be383c8d5bbac1b33c45712ade8c522e457b3f
furszy
referenced
this pull request
in furszy/bitcoin-core
Sep 23, 2021
5f6ceaf schnorrsig: allow setting MSGLEN != 32 in benchmark fdd06b7 schnorrsig: add tests for sign_custom and varlen msg verification d8d806a schnorrsig: add extra parameter struct for sign_custom a0c3fc1 schnorrsig: allow signing and verification of variable length msgs 5a8e499 Add secp256k1_tagged_sha256 as defined in BIP-340 b6c0b72 schnorrsig: remove noncefp args from sign; add sign_custom function 442cee5 schnorrsig: add algolen argument to nonce_function_hardened df3bfa1 schnorrsig: clarify result of calling nonce_function_bip340 without data 99e8614 README: mention schnorrsig module 3dc8c07 Merge bitcoin#846: ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 02dcea1 ci: Make test iterations configurable and tweak for sanitizer builds 489ff5c tests: Treat empty SECP2561_TEST_ITERS as if it was unset fcfcb97 ci: Simplify to use generic wrapper for QEMU, Valgrind, etc de4157f ci: Run ASan/LSan and reorganize sanitizer and Valgrind jobs 399722a Merge bitcoin#941: Clean up git tree 09b3bb8 Clean up git tree bf0ac46 Merge bitcoin#930: Add ARM32/ARM64 CI 202a030 Merge bitcoin#850: add `secp256k1_ec_pubkey_cmp` method 1e78c18 Merge bitcoin-core/secp256k1#940: contrib: Explain explicit header guards 6939487 Merge bitcoin#926: secp256k1.h: clarify that by default arguments must be != NULL 6eceec6 add `secp256k1_xonly_pubkey_cmp` method 0d9561a add `secp256k1_ec_pubkey_cmp` method 22a9ea1 contrib: Explain explicit header guards 6c52ae8 Merge bitcoin#937: Have ge_set_gej_var, gej_double_var and ge_set_all_gej_var initialize all fields of their outputs. 185a6af Merge bitcoin#925: changed include statements without prefix 'include/' 14c9739 tests: Improve secp256k1_ge_set_all_gej_var for some infinity inputs 4a19668 tests: Test secp256k1_ge_set_all_gej_var for all infinity inputs 3c90bdd change local lib headers to be relative for those pointing at "include/" dir 45b6468 Have secp256k1_ge_set_all_gej_var initialize all fields. Previous behaviour would not initialize r->y values in the case where infinity is passed in. Furthermore, the previous behaviour wouldn't initialize anything in the case where all inputs were infinity. 31c0f6d Have secp256k1_gej_double_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. dd6c3de Have secp256k1_ge_set_gej_var initialize all fields. Previous behaviour would not initialize r->x and r->y values in the case where infinity is passed in. d0bd269 Merge bitcoin-core/secp256k1#936: Fix gen_context/ASM build on ARM 8bbad7a Add asm build to ARM32 CI 7d65ed5 Add ARM32/ARM64 CI c848352 Makefile.am: Don't pass a variable twice 2161f31 Makefile.am: Honor config when building gen_context 99f47c2 gen_context: Don't use external ASM because it complicates the build 98e0358 Merge bitcoin#933: Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers 99e2d5b Avoids a missing brace warning in schnorrsig/tests_impl.h on old compilers. 34388af Merge bitcoin#922: Add mingw32-w64/wine CI build 7012a18 Merge bitcoin#928: Define SECP256K1_BUILD in secp256k1.c directly. ed5a199 tests: fopen /dev/urandom in binary mode ae9e648 Define SECP256K1_BUILD in secp256k1.c directly. 4dc37bf Add mingw32-w64/wine CI build 0881633 secp256k1.h: clarify that by default arguments must be != NULL efad350 Merge bitcoin#906: Use modified divsteps with initial delta=1/2 for constant-time cc2c09e Merge bitcoin#918: Clean up configuration in gen_context 0706796 add ECMULT_GEN_PREC_BITS to basic_config.h a3aa262 gen_context: Don't include basic-config.h be0609f Add unit tests for edge cases with delta=1/2 variant of divsteps cd393ce Optimization: only do 59 hddivsteps per iteration instead of 62 277b224 Use modified divsteps with initial delta=1/2 for constant-time 376ca36 Fix typo in explanation 1e5d50f Merge bitcoin#889: fix uninitialized read in tests c083cc6 Merge bitcoin#903: Make argument of fe_normalizes_to_zero{_var} const 6e89853 Merge bitcoin#907: changed import to use brackets <> for openssl 4504472 changed import to use brackets <> for openssl as they are not local to the project 26de4df Merge bitcoin#831: Safegcd inverses, drop Jacobi symbols, remove libgmp 23c3fb6 Make argument of fe_normalizes_to_zero{_var} const 24ad04f Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS ebc1af7 Optimization: track f,g limb count and pass to new variable-time update_fg_var b306935 Optimization: use formulas instead of lookup tables for cancelling g bits 9164a1b Optimization: special-case zero modulus limbs in modinv64 1f233b3 Remove num/gmp support 20448b8 Remove unused Jacobi symbol support 5437e7b Remove unused scalar_sqr aa9cc52 Improve field/scalar inverse tests 1e0e885 Make field/scalar code use the new modinv modules for inverses 436281a Move secp256k1_fe_inverse{_var} to per-impl files aa404d5 Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files 08d5496 Improve bounds checks in modinv modules 151aac0 Add tests for modinv modules d8a92fc Add extensive comments on the safegcd algorithm and implementation 8e415ac Add safegcd based modular inverse modules de0a643 Add secp256k1_ctz{32,64}_var functions 4c3ba88 Merge bitcoin#901: ci: Switch all Linux builds to Debian and more improvements 9361f36 ci: Select number of parallel make jobs depending on CI environment 28eccdf ci: Split output of logs into multiple sections c7f754f ci: Run PRs on merge result instead of on the source branch b994a8b ci: Print information about binaries using "file" f24e122 ci: Switch all Linux builds to Debian ebdba03 Merge bitcoin#891: build: Add workaround for automake 1.13 and older 3a8b47b Merge bitcoin#894: ctime_test: move context randomization test to the end 7d3497c ctime_test: move context randomization test to the end 99a1cfe print warnings for conditional-uninitialized 3d2cf6c initialize variable in tests f329bba build: Add workaround for automake 1.13 and older 24d1656 Merge bitcoin#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge e491d06 Use bit ops instead of int mult for constant-time logic in gej_add_ge f8c0b57 Merge bitcoin#864: Add support for Cirrus CI cc2a545 ci: Refactor Nix shell files 2480e55 ci: Remove support for Travis CI 2b359f1 ci: Enable simple cache for brewing valgrind on macOS 8c02e46 ci: Add support for Cirrus CI 659d0d4 Merge bitcoin#880: Add parens around ROUND_TO_ALIGN's parameter. b6f6498 Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. a4abaab Merge bitcoin#877: Add missing secp256k1_ge_set_gej_var decl. 5671e5f Merge bitcoin#874: Remove underscores from header defs. db72678 Merge bitcoin#878: Remove unused secp256k1_fe_inv_all_var b732701 Merge bitcoin#875: Avoid casting (void**) values. 75d2ae1 Remove unused secp256k1_fe_inv_all_var 482e4a9 Add missing secp256k1_ge_set_gej_var decl. 2730618 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values. fb390c5 Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. f2d9aea Merge bitcoin#862: Autoconf improvements 328aaef Merge bitcoin#845: Extract the secret key from a keypair 3c15130 Improve CC_FOR_BUILD detection 47802a4 Restructure and tidy configure.ac 252c19d Ask brew for valgrind include path 8c727b9 Merge bitcoin#860: fixed trivial typo b7bc3a4 fixed typo 33cb3c2 Add secret key extraction from keypair to constant time tests 36d9dc1 Add seckey extraction from keypair to the extrakeys tests fc96aa7 Add a function to extract the secretkey from a keypair 98dac87 Merge bitcoin#858: Fix insecure links 07aa4c7 Fix insecure links b61f9da Merge bitcoin#857: docs: fix simple typo, dependecy -> dependency 18aadf9 docs: fix simple typo, dependecy -> dependency 2d9e717 Merge bitcoin#852: Add sage script for generating scalar_split_lambda constants dc6e5c3 Merge bitcoin#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 6e85d67 Rename tweak to tweak32 in public API f587f04 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 329a2e0 sage: Add script for generating scalar_split_lambda constants 8f0c6f1 Merge bitcoin#851: make test count iteration configurable by environment variable f4fa8d2 forbid a test iteration of 0 or less f554dfc sage: Reorganize files 3a10696 Merge bitcoin#849: Convert Sage code to Python 3 (as used by Sage >= 9) 13c88ef Convert Sage code to Python 3 (as used by Sage >= 9) 0ce4554 make test count iteration configurable by environment variable 9e5939d Merge bitcoin#835: Don't use reserved identifiers memczero and benchmark_verify_t d0a83f7 Merge bitcoin#839: Prevent arithmetic on NULL pointer if the scratch space is too small 903b16a Merge bitcoin#840: Return NULL early in context_preallocated_create if flags invalid 1f4dd03 Typedef (u)int128_t only when they're not provided by the compiler 3967d96 Merge bitcoin#838: Make autotools check for all the used openssl functions 3734b68 Configure echo if openssl tests are enabled ebfa205 Return NULL early in context_preallocated_create if flags invalid 6f54e69 Merge bitcoin#841: Avoids a potentially shortening size_t to int cast in strauss_wnaf_ 29a299e Run the undefined behaviour sanitizer on Travis 7506e06 Prevent arithmetic on NULL pointer if the scratch space is too small 8893f42 Avoids a potentially shortening size_t to int cast in strauss_wnaf_ e669277 Modify bitcoin_secp.m4's openssl check to call all the functions that we use in the tests/benchmarks. That way linking will fail if those symbols are missing ac05f61 Merge bitcoin#809: Stop treating ECDH as experimental e6e3d5d travis: add schnorrsig to valgrind and big endian platform test 353dff1 Stop treating ECDH as experimental e89278f Don't use reserved identifiers memczero and benchmark_verify_t c6b6b8f Merge bitcoin#830: Rip out non-endomorphism code + dependencies c582aba Consistency improvements to the comments 63c6b71 Reorder comments/function around scalar_split_lambda 2edc514 WNAF of lambda_split output has max size 129 4232e5b Rip out non-endomorphism code ebad841 Check correctness of lambda split without -DVERIFY fe7fc1f Make lambda constant accessible 9d2f2b4 Add tests to exercise lambda split near bounds 9aca2f7 Add secp256k1_split_lambda_verify acab934 Detailed comments for secp256k1_scalar_split_lambda 76ed922 Increase precision of g1 and g2 6173839 Switch to our own memcmp function 63150ab Merge bitcoin#827: Rename testrand functions to have test in name c5257ae Merge bitcoin#821: travis: Explicitly set --with-valgrind bb1f542 Merge bitcoin#818: Add static assertion that uint32_t is unsigned int or wider a45c1fa Rename testrand functions to have test in name 5006895 Merge bitcoin#808: Exhaustive test improvements + exhaustive schnorrsig tests 4eecb4d travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND 66a765c travis: Explicitly set --with-valgrind d7838ba Merge bitcoin#813: Enable configuring Valgrind support 7ceb0b7 Merge bitcoin#819: Enable -Wundef warning 8b7dcdd Add exhaustive test for extrakeys and schnorrsig 08d7d89 Make pubkey parsing test whether points are in the correct subgroup 87af00b Abstract out challenge computation in schnorrsig 63e1b2a Disable output buffering in tests_exhaustive.c 39f67dd Support splitting exhaustive tests across cores e99b26f Give exhaustive_tests count and seed cmdline inputs 49e6630 refactor: move RNG seeding to testrand b110c10 Change exhaustive test groups so they have a point with X=1 cec7b18 Select exhaustive lambda in function of order 78f6cdf Make the curve B constant a secp256k1_fe d7f39ae Delete gej_is_valid_var: unused outside tests 8bcd78c Make secp256k1_scalar_b32 detect overflow in scalar_low c498366 Move exhaustive tests for recovery to module be31791 Make group order purely compile-time in exhaustive tests e73ff30 Enable -Wundef warning c0041b5 Add static assertion that uint32_t is unsigned int or wider 4ad408f Merge bitcoin#782: Check if variable=yes instead of if var is set in travis.sh 412bf87 configure: Allow specifying --with[out]-valgrind explicitly 34debf7 Modify .travis.yml to explictly pass no in env vars instead of setting to nothing a0e99fc Merge bitcoin#814: tests: Initialize random group elements fully 5738e86 tests: Initialize random group elements fully c9939ba Merge bitcoin#812: travis: run bench_schnorrsig a51f2af travis: run bench_schnorrsig 8ab24e8 Merge bitcoin#558: Add schnorrsig module which implements BIP-340 compliant signatures f3733c5 Merge bitcoin#797: Fix Jacobi benchmarks and other benchmark improvements cb5524a Add benchmark for secp256k1_ge_set_gej_var 5c6af60 Make jacobi benchmarks vary inputs d0fdd5f Randomize the Z coordinates in bench_internal c7a3424 Rename bench_internal variables 875d68b Merge bitcoin#699: Initialize field elements when resulting in infinity 54caf2e Merge bitcoin#799: Add fallback LE/BE for architectures with known endianness + SHA256 selftest f431b3f valgrind_ctime_test: Add schnorrsig_sign 16ffa9d schnorrsig: Add taproot test case 8dfd53e schnorrsig: Add benchmark for sign and verify 4e43520 schnorrsig: Add BIP-340 compatible signing and verification 7332d2d schnorrsig: Add BIP-340 nonce function 7a703fd schnorrsig: Init empty experimental module eabd9bc Allow initializing tagged sha256 6fcb5b8 extrakeys: Add keypair_xonly_tweak_add 5825446 extrakeys: Add keypair struct with create, pub and pub_xonly f001034 Separate helper functions for pubkey_create and seckey_tweak_add 910d9c2 extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test 176bfb1 Separate helper function for ec_pubkey_tweak_add 4cd2ee4 extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey f49c989 Merge bitcoin#806: Trivial: Add test logs to gitignore aabf00c Merge bitcoin#648: Prevent ints from wrapping around in scratch space functions f5adab1 Merge bitcoin#805: Remove the extremely outdated TODO file. bceefd6 Add test logs to gitignore 1c32519 Remove the extremely outdated TODO file. 47e6618 extrakeys: Init empty experimental module 3e08b02 Make the secp256k1_declassify argument constant 8bc6aef Add SHA256 selftest 670cdd3 Merge bitcoin#798: Check assumptions on integer implementation at compile time 5e5fb28 Use additional system macros to figure out endianness 7c06899 Compile-time check assumptions on integer types 02b6c87 Add support for (signed) __int128 979961c Merge bitcoin#787: Use preprocessor macros instead of autoconf to detect endianness 887bd1f Merge bitcoin#793: Make scalar/field choice depend on C-detected __int128 availability 0dccf98 Use preprocessor macros instead of autoconf to detect endianness b2c8c42 Merge bitcoin#795: Avoid linking libcrypto in the valgrind ct test. 57d3a3c Avoid linking libcrypto in the valgrind ct test. 79f1f7a Autodetect __int128 availability on the C side 0d7727f Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field 805082d Merge bitcoin#696: Run a Travis test on s390x (big endian) 3929536 Test travis s390x (big endian) ef37761 Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false 6034a04 Merge bitcoin#778: secp256k1_gej_double_nonzero supports infinity f609159 Merge bitcoin#779: travis: Fix argument quoting for ./configure 9e49a9b travis: Fix argument quoting for ./configure 18d3632 secp256k1_gej_double_nonzero supports infinity 214cb3c Merge bitcoin#772: Improve constant-timeness on PowerPC 40412b1 Merge bitcoin#774: tests: Abort if malloc() fails during context cloning tests 2e1b9e0 tests: Abort if malloc() fails during context cloning tests 67a429f Suppress a harmless variable-time optimization by clang in _int_cmov 5b19633 Remove redundant "? 1 : 0" after comparisons in scalar code 3e5cfc5 Merge bitcoin#741: Remove unnecessary sign variable from wnaf_const 66bb932 Merge bitcoin#773: Fix some compile problems on weird/old compilers. 1309c03 Fix some compile problems on weird/old compilers. 2309c7d Merge bitcoin#769: Undef HAVE___INT128 in basic-config.h to fix gen_context compilation 22e578b Undef HAVE___INT128 in basic-config.h to fix gen_context compilation 3f4a5a1 Merge bitcoin#765: remove dead store in ecdsa_signature_parse_der_lax f00d657 remove dead store in ecdsa_signature_parse_der_lax dbd41db Merge bitcoin#759: Fix uninitialized variables in ecmult_multi test 2e7fc5b Fix uninitialized variables in ecmult_multi test 2ed54da Merge bitcoin#755: Recovery signing: add to constant time test, and eliminate non ct operators 2860950 Add tests for the cmov implementations 73596a8 Add ecdsa_sign_recoverable to the ctime tests 2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery 5e1c885 Merge bitcoin#754: Fix uninit values passed into cmov f79a7ad Add valgrind uninit check to cmovs output 05d315a Merge bitcoin#752: autoconf: Use ":" instead of "dnl" as a noop a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs 3a6fd7f Merge bitcoin#750: Add macOS to the CI 5e8747a autoconf: Use ":" instead of "dnl" as a noop 71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh 99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04) 0c5ff90 Add macOS support to travis b6807d9 Move travis script into a standalone sh file f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation 37dba32 Remove unnecessary sign variable from wnaf_const 6bb0b77 Fix test_constant_wnaf for -1 and add a test for it. 39198a0 Merge bitcoin#732: Retry if r is zero during signing 59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h 4e28465 Fix typo in ecmult_const_impl.h f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable ffef45c Make recovery/main_impl.h non-executable 2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS 3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS 84b5fc5 build: fix OpenSSL EC detection on macOS 37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb 93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign" 7e3952a Clarify documentation of tweak functions. 89853a0 Make tweak function documentation more consistent. 41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 22911ee Rename private key to secret key in public API (with the exception of function names) 5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0 f03df0e Define valid ECDSA keys in the documentation of seckey_verify 5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows 3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify 9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key 4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero 0199387 Add test for memczero() 52a0351 Suppress a harmless variable-time optimization by clang in memczero 8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark ed1b911 Merge bitcoin#700: Allow overriding default flags 85b35af Add running benchmarks regularly and under valgrind in travis ca4906b Pass num of iters to benchmarks as variable, and define envvar 02dd5f1 free the ctx at the end of bench_ecdh e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest. 08fb6c4 Run valgrind_ctime_test in travis 3d23022 Constant-time behaviour test using valgrind memtest. 96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data. 0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1 7b50483 Adds a declassify operation to aid constant-time analysis. 34a67c7 Eliminate harmless non-constant time operations on secret data. ca739cb Compile with optimization flag -O2 by default instead of -O3 eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1 856a01d Merge bitcoin#714: doc: document the length requirements of output parameter. d72b9e2 Merge bitcoin#682: Remove Java Native Interface 4b48a43 doc: document the length requirements of output parameter. 1b4d256 Merge bitcoin#713: Docstrings dabfea7 field: extend docstring of secp256k1_fe_normalize dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32 074ab58 Merge bitcoin#704: README: add a section for test coverage acb7f97 README: add a section for test coverage 227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const. d567b77 Clarify comments about use of rzr on ge functions and abs function. 2241ae6 Remove secret-dependant non-constant time operation in ecmult_const. 642cd06 Remove Java Native Interface 83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual) ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables 613c34c Remove test in configure.ac because it doesn't have an effect f45d897 Merge bitcoin#703: Overhaul README.md 2e759ec Overhaul README.md d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math bde2a32 Convert bench.h to fixed-point math 47a7b83 Clear field elements when writing infinity 61d1ecb Added test with additions resulting in infinity 387d723 Merge bitcoin#679: Add SECURITY.md 0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed… a0771d1 Explicitly disable buffering for stderr in tests fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run. 22a6031 Merge bitcoin#690: Add valgrind check to travis 544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh b4c1382 Add valgrind check to travis 0c774d8 Merge bitcoin#688: Fix ASM setting in travis 5c5f71e Fix ASM setting in travis e2625f8 Merge bitcoin#684: Make no-float policy explicit bae1bea Make no-float policy explicit 78c3836 Add SECURITY.md 362bb25 Modified bench_scalar_split so it won't get optimized out 73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out 770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527 137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit 0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist 59782c6 Remove mention of ec_privkey_export because it doesn't exist 96cd94e Merge bitcoin#337: variable sized precomputed table for signing dcb2e3b variable signing precompute table b4bff99 Merge bitcoin#661: Make ./configure string consistent a467047 Make ./configure string consistent e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests b64a2e2 Fix a nit in the recovery tests e028aa3 Merge bitcoin#650: secp256k1/src/tests.c: Properly handle sscanf return value f1e11d3 Merge bitcoin#654: Fix typo (∞) ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1 556caad Fix typo in docs for _context_set_illegal_callback 0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow. 786dfb4 Merge bitcoin#583: JNI: fix use sig array e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check 384f556 Merge bitcoin#652: README.md: update instruction to run tests ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h 7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding 2abcf95 jni: Use only Guava for hex encoding and decoding 271582b Fix typo 60f7f2d Don't assume that ALIGNMENT > 1 in tests ada6361 Use ROUND_TO_ALIGN in scratch_create 8ecc6ce Add check preventing rounding to alignment from wrapping around in scratch_alloc 4edaf06 Add check preventing integer multiplication wrapping around in scratch_max_allocation ce6d438 README.md: update instruction to run tests b1e68cb Fix typo in secp256k1_preallocated.h a11c76c secp256k1/src/tests.c: Properly handle sscanf return value 8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands. 94ae7cb Moved a dereference so the null check will be before the dereferencing 2cb73b1 scalar_impl.h: fix includes fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const. ee9e68c Add a descriptive comment for secp256k1_ecmult_const. d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul () 6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul () e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails. f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness. 8d1563b Note intention of timing sidechannel freeness. 1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY. ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs. 544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes 143dc6e Merge bitcoin#595: Allow to use external default callbacks e49f799 Add missing #(un)defines to base-config.h 77defd2 Add secp256k1_ prefix to default callback functions 908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c 5db782e Allow usage of external default callbacks 6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails. 6c36de7 Merge bitcoin#600: scratch space: use single allocation 98836b1 scratch: replace frames with "checkpoint" system 7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated 5a4bc0b scratch: unify allocations c2b028a scratch space: thread `error_callback` into all scratch space functions 0be1a4a scratch: add magic bytes to beginning of structure 92a48a7 scratch space: use single allocation 40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small dcf3920 Fix ability to compile tests without -DVERIFY. a484e00 Merge bitcoin#566: Enable context creation in preallocated memory 0522caa Explain caller's obligations for preallocated memory 238305f Move _preallocated functions to separate header 695feb6 Export _preallocated functions 814cc78 Add tests for contexts in preallocated memory ba12dd0 Check arguments of _preallocated functions 5feadde Support cloning a context into preallocated memory c4fd5da Switch to a single malloc call ef020de Add size constants for preallocated memory 1bf7c05 Prepare for manual memory management in preallocated memory 248bffb Guard memcmp in tests against mixed size inputs. 36698dc Merge bitcoin#596: Make WINDOW_G configurable a61a93f Clean up ./configure help strings 2842dc5 Make WINDOW_G configurable 1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically" 662918c Revert "Merge bitcoin#620: Install headers automatically" 14c7dbd Simplify control flow in DER parsing ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons 01ee1b3 Parse DER-enconded length into a size_t instead of an int 912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config 91fae3a Merge bitcoin#620: Install headers automatically 5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...) 975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const() 735fbde Merge bitcoin#619: Clear a copied secret key after negation 16e8615 Install headers automatically 069870d Clear a copied secret key after negation 8979ec0 Pass scalar by reference in secp256k1_wnaf_const() 84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture b19c000 Merge bitcoin#607: Use size_t shifts when computing a size_t 4d01bc2 Merge bitcoin#606: travis: Remove unused sudo:false e6d01e9 Use size_t shifts when computing a size_t 7667532 travis: Remove unused sudo:false 248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...) 9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small ee99f12 Merge bitcoin#599: Switch x86_64 asm to use "i" instead of "n" for immediate values. d58bc93 Switch x86_64 asm to use "i" instead of "n" for immediate values. 05362ee Merge bitcoin#597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build 8348386 Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build aa15154 Merge bitcoin#568: Fix integer overflow in ecmult_multi_var when n is large 2277af5 Fix integer overflow in ecmult_multi_var when n is large dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config 310111e Keep LDFLAGS if `--coverage` 85d0e1b Merge bitcoin#591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing. 1419637 Merge bitcoin#580: Add trivial ecmult_multi algorithm which does not require a scratch space a697d82 Add trivial ecmult_multi to the benchmark tool bade617 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points. 5545e13 Merge bitcoin#584: configure: Use CFLAGS_FOR_BUILD when checking native compiler 20c5869 Merge bitcoin#516: improvements to random seed in src/tests.c b76e45d Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing. 870a977 Merge bitcoin#562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse be40c4d Fixup for C90 mixed declarations. c71dd2c Merge bitcoin#509: Fix algorithm selection in bench_ecmult 6492bf8 Merge bitcoin#518: Summarize build options after running configure 0e9ada1 Merge bitcoin#567: Correct order of libs returned on pkg-config --libs --static libsecp2… e96901a Merge bitcoin#587: Make randomization of a non-signing context a noop 58df8d0 Merge bitcoin#511: Portability fix for the configure scripts generated 2ebdad7 Merge bitcoin#552: Make constants static: 1c131af Merge bitcoin#551: secp256k1_fe_sqrt: Verify that the arguments don't alias. ba698f8 Merge bitcoin#539: Assorted minor corrections 949e85b Merge bitcoin#550: Optimize secp256k1_fe_normalize_weak calls. a34bcaa Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker 2d5f4ce configure: Use CFLAGS_FOR_BUILD when checking native compiler b408c6a Merge bitcoin#579: Use __GNUC_PREREQ for detecting __builtin_expect 6198375 Make randomization of a non-signing context a noop 74e2dbd JNI: fix use sig array c663397 Use __GNUC_PREREQ for detecting __builtin_expect 3cb057f Fix possible integer overflow in DER parsing e34ceb3 Merge bitcoin#557: Eliminate scratch memory used when generating contexts b3bf5f9 ecmult_impl: expand comment to explain how effective affine interacts with everything efa783f Store z-ratios in the 'x' coord they'll recover ffd3b34 add `secp256k1_ge_set_all_gej_var` test which deals with many infinite points 84740ac ecmult_impl: save one fe_inv_var 4704527 ecmult_impl: eliminate scratch memory used when generating context 7f7a2ed ecmult_gen_impl: eliminate scratch memory used when generating context 314a61d Merge bitcoin#553: add static context object which has no capabilities 89a20a8 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call. d3cb1f9 Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse 40fde61 prevent attempts to modify `secp256k1_context_no_precomp` ed7c084 add static context object which has no capabilities 496c5b4 Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B; bf8b86c secp256k1_fe_sqrt: Verify that the arguments don't alias. 9bd89c8 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead. 52ab96f clean dependendies in field_*_impl.h deff5ed Correct math typos in field_*.h 4efb3f8 Add check that restrict pointers don't alias with all parameters. 3965027 Summarize build options in configure script 0f05173 Fix algorithm selection in bench_ecmult 8b3841c fix bug in fread() failure check cddef0c tests: add warning message when /dev/urandom fails 270f6c8 Portability fix for the configure scripts generated git-subtree-dir: src/secp256k1 git-subtree-split: 5f6ceaf
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Recent exploits over the Zerocoin protocol (Wrapped serials and broken P1 proof) required us to enable the zerocoin spork and deactivate the zPIV functionality in order to secure the supply until the pertinent review process is completed.
This PR aims to move forward from this undesired situation by enabling a secure and chain storage friendly solution for the zerocoin public spend (aka zPIV to PIV conversion).
The explanation of how this works can be defined as follows:
The commitment is defined as:
Comm(S, v), whereSis a formatted public key hash andva random big number part of a group order.This is the first required step that we need to take in order to allow everyone to move their zPIV safely and securely back into PIV while we continue to work for a better privacy solution.
The public coin spend validation flow follow the previous coin spend flow and not modifies any major area of it, could easily end up with major architectural modifications that want to avoid in this undesired situation.
When #888 is completed, this will be rebased on top.
** This surely will need some more modifications and cleanup, making it public now to start testing and playing with it as soon as possible **