Add scriptPubKey enforced sendescrow and redeemescrow API calls #319
Should be possible to implement this much more cleanly using the MULTISIG opcodes. Also, what do escrow transactions look like in the GUI?
I overlooked that MULTISIG allows for less signatures than keys. I will
My plan is to make the display look reasonable, but not provide a GUI for
I personally don't feel this should go into the main client implementation, but in some sort of extension instead
Davout, care to explain why? Without support in the main client implementation we couldn't expect these transactions to be relayed or mined by most miners. Also an external implementation would require apis for importing/exporting transactions, and wouldn't e.g. have access to the wallet keys and address book. Seems ugly to me. The api/cli presented in this patch is nice (well, the redeem needs to also support sendmany redemptions). Obviously a GUI for this would take a bit more work— and might reasonably wait until there are some examples of the functionality being used to inform the design.
I would like to see some rethinking of IsStandard, but IMO that is quite a way down the road. I would like to see the codebase generally cleaned a ton before that ever happens.
I modified zamgo's https://github.com/sacarlson/bitcoin-webskin to support and help document sendescrow and redeemescrow and also incorporated the changes into MultiCoin https://github.com/sacarlson/MultiCoin so that people can start learning how to start using escrow services in the future. MultiCoin's escrow features have now been tested on testnet and weedsnet and will also be supported on beertokensnet. I hope soon we will start to see escrow on bitcoin mainnet. I will also support any changes in the escrow API format if needed.
@gmaxwell just my personal opinion, it doesn't matter that much, and consensus seems to go the other way :)
Changed:
@sacarlson - looks very interesting
Oh, I found a bug in CHECKMULTISIG. It drops one too many items from the stack, so I had to push a dummy value to work around that.
Today's tests with me and groffer on his bitcoin branch https://github.com/groffer/bitcoin for multisign transactions were a success on commit d260515. To see the detailed IRC session of the tests, see http://paste.ubuntu.com/637841/. I also merged this with my bitcoin branch MultiCoin for further testing and updated my branch of bitcoin-webskin to include the new features.
It would be nice if redeem worked even when you had none of the required keys, so someone could request payment from an escrow which they can't sign for by forming a txn and sending it around to people to sign. This would also make it easier for escrow parties who keep their escrow keys offline — as they could start the escrow release process from a host with the blockchain but gets signed by offline hosts.
@gmaxwell - good point, and actually it already works this way. If you have none of the keys, it will create a tx without any signatures. To increase visibility into the signature collection process, the latest commit adds the list of addresses that have signed the tx to the output of the RPC call. The latest commit also refactors the script Solver function so it can be used to check more complex scripts that include repeated segments. multisign now uses this facility to perform exact script matching. This prevents an attacker from fooling the user into thinking a tx is protected when it is put fully under the control of the attacker by a maliciously crafted script.
Also added some unit tests for script.cpp.
Can you write up a description of what the values in the TxIn are, and what operations are being done to them in the TxOut to redeem? My puny brain is having trouble figuring out what the ROLL SIZE NOT OVER HASH.. is accomplishing. Looking at: http://blockexplorer.com/testnet/tx/a17b21f52859ed326d1395d8a56d5c7389f5fc83c17b9140a71d7cb86fdf0f5f#i96368 ... the TxIn is: ... and the TxOut is: 3 OP_ROLL OP_SIZE OP_NOT OP_OVER OP_HASH160 3 OP_ROLL OP_SIZE OP_NOT OP_OVER OP_HASH160 3 OP_ROLL OP_SIZE OP_NOT OP_OVER OP_HASH160 3 OP_CHECKMULTISIG
There's a bit more operand stack detail in comments on line 1575, and a writeup below. This is a 2 party out of 3 spend, with one party not participating. The scriptSig (TxIn) is (reading from right to left): OP_0 (to work around a bug in OP_CHECKMULTISIG), then two participating signatures, then the number of signatures, followed by the two participating pubkeys, then an empty operand holding place for the third pubkey that is not participating in this spend. The scriptPubKey (TxOut) is (reading from left to right):
Note: we do a OP_SIZE OP_NOT to check if a pubkey is a placeholder. If we did OP_0 OP_NE, it would fail because pubkeys cannot be cast to bignums. I'll be happy to cover this in more detail where needed.
Unless I'm grossly misunderstanding CHECKMULTISIG, the simplest form of a 2-of-3 CHECKMULTISIG would be: TxIn: sig1 sig2 I've been working on schemes to hash the public keys so that people can use shorter bitcoin addresses...
groffer: appreciate comments on: https://gist.github.com/39158239e36f6af69d6f
An alternative way for handling N-out-of-M multisig with addresses, without CHECKMULTISIG at all: scriptSig:
So for 2-out-of-3, with the second one missing:
scriptPubKey:
This means output scripts of 12*M-1 bytes (+ M*20 bytes for the addresses), and input scripts of 2*M bytes (+ N times the size of a signature + pubkey).
groffer: is sipa's suggestion close to what you started with? I'm thinking about whether or not I like the ability to create a multisig address if all you know is the hashes of the public keys. If I'm understanding, use case is:
Advantage is the signature and public key gathering can happen all at once.
I think this works (somebody check my work) if "we" decide that redeem-with-only-m-full-public-keys is important: TxIn: s1 s2 2 p1 OP_0 p3 ... and is smaller than sipa's suggestion. (although I'm not sure what requirements CHECKMULTISIG puts on public keys, might have to replace the OP_0 with a properly-formatted public key).
@sipa - that's actually very similar to what I had before switching to OP_CHECKMULTISIG in dc2dfba (search for OP_TUCK). I can revert to that if it's preferred. @gavinandresen - yes, otherwise you have to distribute the pubkeys ahead of time.
(sorry for the skew - my response was before I saw last comment from @gavinandresen) Yes, CHECKMULTISIG is okay with a malformed pubkey (CheckSig returns false, and the loop moves on to the next pubkey). But the last CHECKMULTISIG solution above can be redeemed with just one correct signature, as coblee explains in the gist.
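The CHECKMULTISIG stack handling discussed in this thread (the one extra item it drops, and a malformed pubkey being skipped rather than rejected), as an added Python model that is not code from this pull request. The toy signature check, the use of Python ints for the counts, and the key names `p1`..`p3` are assumptions made for illustration.

```python
"""Added illustration: a stack model of OP_CHECKMULTISIG (not Bitcoin source code)."""

# Constructed key material. Real pubkeys are EC points and real signatures are ECDSA.
P1, P2, P3 = b"p1", b"p2", b"p3"


def toy_sign(pubkey: bytes) -> bytes:
    """Assumed stand-in for signing: the 'signature' just names its pubkey."""
    return b"sig:" + pubkey


def toy_checksig(sig: bytes, pubkey: bytes) -> bool:
    """Assumed stand-in for CheckSig: an empty (malformed) pubkey never verifies."""
    return len(pubkey) > 0 and sig == b"sig:" + pubkey


def op_checkmultisig(stack: list) -> bool:
    """Evaluate <extra> <sig>*m m <pubkey>*n n, where the list end is the stack top.

    Raises ValueError on underflow or bad counts; returns the verification result.
    """
    def pop():
        if not stack:
            raise ValueError("stack underflow")
        return stack.pop()

    n = pop()
    if not isinstance(n, int) or not 0 <= n <= 20:
        raise ValueError("bad key count")
    keys = [pop() for _ in range(n)]      # top-most (last pushed) pubkey first

    m = pop()
    if not isinstance(m, int) or not 0 <= m <= n:
        raise ValueError("bad signature count")
    sigs = [pop() for _ in range(m)]      # top-most (last pushed) signature first

    # The opcode removes one item more than it uses. A spend that does not
    # push a dummy value underneath the signatures fails right here.
    pop()

    isig = ikey = 0
    sigs_left, keys_left = m, n
    ok = True
    while ok and sigs_left > 0:
        # A failed check only advances to the next pubkey, so a malformed
        # placeholder pubkey is skipped instead of aborting the script.
        if toy_checksig(sigs[isig], keys[ikey]):
            isig += 1
            sigs_left -= 1
        ikey += 1
        keys_left -= 1
        # Not enough pubkeys remain to satisfy the remaining signatures.
        if sigs_left > keys_left:
            ok = False
    return ok


def demo() -> dict:
    """Run three constructed 2-of-3 spends and report what the model does."""
    results = {}

    # Dummy value first, p1 and p3 sign, middle pubkey is an empty placeholder.
    results["placeholder_pubkey_skipped"] = op_checkmultisig(
        [b"", toy_sign(P1), toy_sign(P3), 2, P1, b"", P3, 3])

    # Same signers, but signatures pushed in the opposite order to the pubkeys.
    results["signatures_out_of_order"] = op_checkmultisig(
        [b"", toy_sign(P3), toy_sign(P1), 2, P1, P2, P3, 3])

    # No dummy value underneath the signatures.
    try:
        op_checkmultisig([toy_sign(P1), toy_sign(P3), 2, P1, P2, P3, 3])
        results["missing_dummy"] = "accepted"
    except ValueError as exc:
        results["missing_dummy"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model compares signatures and pubkeys from the top of the stack downward and never backtracks, which is why signatures must appear in the same relative order as the pubkeys they belong to.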
I would love to add the case of (a AND b) OR c as mentioned in the gist, and for that matter a generalized disjunctions () OR () OR () . This will enable emergency backup signer. It will also enable contracts based on broadcast information. For example with sender and receiver keys Ks, Kr, a coin with scriptSig (Ks AND K1) OR (Kr AND K2) could be redeemed by sender if private key for K1 is broadcast or by receiver if private key for K2 is broadcast. Should I wait with disjunctions until after this pull is decided, or should I add now? The other question is whether to go with CHECKMULTISIG. Right now I have padding to get around the GetSigOpCount check. I just noticed that CheckBlock uses that, so we won't really be able to change GetSigOpCount anytime soon (and my change to reduce the MULTISIG count from 20 to 5 has to be reverted). Should I revert to the original CHECKSIG implementation?
On Wed, Aug 24, 2011 at 3:18 PM, groffer
I'd rather do this change once instead of twice. Unless the
As long as each hash160 is used only once, you can write each boolean expression in reverse-polish notation, and use coblee's technique to evaluate it. For example: a1 OR (a2 AND a3) OR COUNT(a4,a5,a6)>1 For each address element, you need to know the number n of elements on the stack that belong to the RPN processing - all those beneath are pubkey/signature arguments. Here is the same example in RPN notation with stack depth annotated: The first step is to bring the pubkey and signature that are in configuration: [sig] [pubkey] [n elements] into configuration [n elements] [pubkey] [signature] [pubkey]:
Other operations in the RPN form are simply passed through as-is (they manipulate the RPN stack, which is now on top). That means the above example becomes:
This scheme allows any expression over signatures, given in RPN notation to be compiled to bitcoin scripts. It can even be extended to support pubkey-based matching instead of address-based matching. Instead of bringing two elements to the front, one suffices:
If an address or pubkey is present more than once in the expression, put its evaluation logic (together with the corresponding expected position of input arguments) in front. Each time it is used in the RPN processing, use [m] PICK to retrieve its evaluation, except the last time, when you use [m] ROLL.
I would love to implement the more general solution from @sipa if @gavinandresen is on board with that.
What does the code for IsStandard() look like with sipa's generalized case? I am NOT on board with implementing sipa's general solution-- can we please start with the cases we know are useful right now, and talk about generalizing when we've got some experience with the simpler multi-sign cases?
To implement sipa's suggestion we would need RPL -> Script and Script -> RPL conversion functions. Higher level code would generate and look for transactions with specific RPL templates. To start with, IsStandard would accept RPL code within specific limits (recursion depth and operators). The next step would be to write API calls that deal with simple multisign RPL code cases. For example: count(a1, a2, .. , an) > m . From a user perspective, there would probably not be a big difference initially, just a difference in IsStandard.
The first step is probably adding some extra specific standard cases to the solver, like 1-of-2, 1-of-3, 2-of-3, a-and-(b-or-c) (anything else that is known to be useful?). This is relatively easy to test, and as IsStandard simply checks for solutions to an unknown keystore, IsStandard would support them immediately. To generalize IsStandard, you indeed just need to split the script into components. Each is either
To actually solve such scripts in general, you'll indeed want to convert to RPN again, but that can be postponed. PS: shame on me; I was talking about reverse polish notation, but somehow started using the abbreviation "RPL"...
I think it is easier to check the correctness of a relatively general solution than to have a growing set of special cases. We already have a simple general solution in the current code that does general COUNT(a1..an) > m and is pretty easy to validate. I will switch back to a CHECKSIG solution since it is simpler, eliminates the need to pad (for SigOpCount workaround) and more flexible for the future. I could also do a general RPN IsStandard - a rudimentary componentized solver is already in the code and as @sipa says, there are only a few cases to consider for each component.
At the very minimum, even if we don't go for full RPN support now the transaction encoding for the subset we do support should be in the RPN encoding ordering so that extending the support in the future doesn't result in yet another transaction type.
@gmaxwell good point.
The right place for this discussion is the bitcoin-dev mailing list. See Mike Hearn's concerns, and see if you can convince him that supporting arbitrary combinations of keys will be easier.
As far as I understand it, that was about putting arbitrary such expressions in addresses, not about having them pass IsStandard(). Anyway, continuing the discussion there...
Anybody mind if I close this? BIPs 11 12 and 13 (and my OP_EVAL pull request) are the replacement.
131afe5 Merge pull request bitcoin#334 0c6ab2f Introduce explicit lower-S normalization fea19e7 Add contrib/lax_der_parsing.h 3bb9c44 Rewrite ECDSA signature parsing code fa57f1b Use secp256k1_rand_int and secp256k1_rand_bits more 49b3749 Add new tests for the extra testrand functions f684d7d Faster secp256k1_rand_int implementation 251b1a6 Improve testrand: add extra random functions 31994c8 Merge pull request bitcoin#338 f79aa88 Bugfix: swap arguments to noncefp c98df26 Merge pull request bitcoin#319 67f7da4 Extensive interface and operations tests for secp256k1_ec_pubkey_parse. ee2cb40 Add ARG_CHECKs to secp256k1_ec_pubkey_parse/secp256k1_ec_pubkey_serialize 7450ef1 Merge pull request bitcoin#328 68a3c76 Merge pull request bitcoin#329 98135ee Merge pull request bitcoin#332 37100d7 improve ECDH header-doc b13d749 Fix couple of typos in API comments 7c823e3 travis: fixup module configs cc3141a Merge pull request bitcoin#325 ee58fae Merge pull request bitcoin#326 213aa67 Do not force benchmarks to be statically linked. 338fc8b Add API exports to secp256k1_nonce_function_default and secp256k1_nonce_function_rfc6979. 52fd03f Merge pull request bitcoin#320 9f6993f Remove some dead code. 357f8cd Merge pull request bitcoin#314 118cd82 Use explicit symbol visibility. 4e64608 Include public module headers when compiling modules. 1f41437 Merge pull request bitcoin#316 fe0d463 Merge pull request bitcoin#317 cfe0ed9 Fix miscellaneous style nits that irritate overactive static analysis. 2b199de Use the explicit NULL macro for pointer comparisons. 9e90516 Merge pull request bitcoin#294 dd891e0 Get rid of _t as it is POSIX reserved 201819b Merge pull request bitcoin#313 912f203 Eliminate a few unbraced statements that crept into the code. 
eeab823 Merge pull request bitcoin#299 486b9bb Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export 05732c5 Callback data: Accept pointers to either const or non-const data 1973c73 Bugfix: Reinitialise buffer lengths that have been used as outputs 788038d Use size_t for lengths (at least in external API) c9d7c2a secp256k1_context_set_{error,illegal}_callback: Restore default handler by passing NULL as function argument 9aac008 secp256k1_context_destroy: Allow NULL argument as a no-op 64b730b secp256k1_context_create: Use unsigned type for flags bitfield cb04ab5 Merge pull request bitcoin#309 a551669 Merge pull request bitcoin#295 81e45ff Update group_impl.h 85e3a2c Merge pull request bitcoin#112 b2eb63b Merge pull request bitcoin#293 dc0ce9f [API BREAK] Change argument order to out/outin/in 6d947ca Merge pull request bitcoin#298 c822693 Merge pull request bitcoin#301 6d04350 Merge pull request bitcoin#303 7ab311c Merge pull request bitcoin#304 5fb3229 Fixes a bug where bench_sign would fail due to passing in too small a buffer. 263dcbc remove unused assignment b183b41 bugfix: "ARG_CHECK(ctx != NULL)" makes no sense 6da1446 build: fix parallel build 5eb4356 Merge pull request bitcoin#291 c996d53 Print success 9f443be Move pubkey recovery code to separate module d49abbd Separate ECDSA recovery tests 439d34a Separate recoverable and normal signatures a7b046e Merge pull request bitcoin#289 f66907f Improve/reformat API documentation secp256k1.h 2f77487 Add context building benchmarks cc623d5 Merge pull request bitcoin#287 de7e398 small typo fix 9d96e36 Merge pull request bitcoin#280 432e1ce Merge pull request bitcoin#283 14727fd Use correct name in gitignore 356b0e9 Actually test static precomputation in Travis ff3a5df Merge pull request bitcoin#284 2587208 Merge pull request bitcoin#212 a5a66c7 Add support for custom EC-Schnorr-SHA256 signatures d84a378 Merge pull request bitcoin#252 72ae443 Improve perf. 
of cmov-based table lookup 92e53fc Implement endomorphism optimization for secp256k1_ecmult_const ed35d43 Make `secp256k1_scalar_add_bit` conditional; make `secp256k1_scalar_split_lambda_var` constant time 91c0ce9 Add benchmarks for ECDH and const-time multiplication 0739bbb Add ECDH module which works by hashing the output of ecmult_const 4401500 Add constant-time multiply `secp256k1_ecmult_const` for ECDH e4ce393 build: fix hard-coded usage of "gen_context" b8e39ac build: don't use BUILT_SOURCES for the static context header baa75da tests: add a couple tests ae4f0c6 Merge pull request bitcoin#278 995c548 Introduce callback functions for dealing with errors. c333074 Merge pull request bitcoin#282 18c329c Remove the internal secp256k1_ecdsa_sig_t type 74a2acd Add a secp256k1_ecdsa_signature_t type 23cfa91 Introduce secp256k1_pubkey_t type 4c63780 Merge pull request bitcoin#269 3e6f1e2 Change rfc6979 implementation to be a generic PRNG ed5334a Update configure.ac to make it build on OpenBSD 1b68366 Merge pull request bitcoin#274 a83bb48 Make ecmult static precomputation default 166b32f Merge pull request bitcoin#276 c37812f Add gen_context src/ecmult_static_context.h to CLEANFILES to fix distclean. 125c15d Merge pull request bitcoin#275 76f6769 Fix build with static ecmult altroot and make dist. 5133f78 Merge pull request bitcoin#254 b0a60e6 Merge pull request bitcoin#258 733c1e6 Add travis build to test the static context. fbecc38 Add ability to use a statically generated ecmult context. 4fb174d Merge pull request bitcoin#263 4ab8990 Merge pull request bitcoin#270 bdf0e0c Merge pull request bitcoin#271 31d0c1f Merge pull request bitcoin#273 eb2c8ff Add missing casts to SECP256K1_FE_CONST_INNER 55399c2 Further performance improvements to _ecmult_wnaf 99fd963 Add secp256k1_ec_pubkey_compress(), with test similar to the related decompress() function. 
145cc6e Improve performance of _ecmult_wnaf 36b305a Verify the result of GMP modular inverse using non-GMP code 0cbc860 Merge pull request bitcoin#266 06ff7fe Merge pull request bitcoin#267 5a43124 Save 1 _fe_negate since s1 == -s2 a5d796e Update code comments 3f3964e Add specific VERIFY tests for _fe_cmov 7d054cd Refactor to save a _fe_negate b28d02a Refactor to remove a local var 55e7fc3 Perf. improvement in _gej_add_ge a0601cd Fix VERIFY calculations in _fe_cmov methods 17f7148 Merge pull request bitcoin#261 7657420 Add tests for adding P+Q with P.x!=Q.x and P.y=-Q.y 8c5d5f7 tests: Add failing unit test for bitcoin#257 (bad addition formula) 5de4c5d gej_add_ge: fix degenerate case when computing P + (-lambda)P bcf2fcf gej_add_ge: rearrange algebra e2a07c7 Fix compilation with C++ 873a453 Merge pull request bitcoin#250 91eb0da Merge pull request bitcoin#247 210ffed Use separate in and out pointers in `secp256k1_ec_pubkey_decompress` a1d5ae1 Tiny optimization 729badf Merge pull request bitcoin#210 2d5a186 Apply effective-affine trick to precomp 4f9791a Effective affine addition in EC multiplication 2b4cf41 Use pkg-config always when possible, with failover to manual checks for libcrypto git-subtree-dir: src/secp256k1 git-subtree-split: 6c527ec
Update mpos reward check to ignore the refunds
Core QA cherries bitcoin#8047 - [qa] test_framework: Set wait-timeout for bitcoind procs bitcoin#8095 - Test framework: only cleanup on successful test runs bitcoin#8214 - [qa] mininode: fail on send_message instead of silent return
completing the debian package
Added the JetBrains Rider IDE to the list of supported editors.
code, spelling and grammar fixes for node_client chapter
This implements an initial feature set for "escrow" transactions, as mentioned on various threads on the forum. It allows coins to be controlled by threshold voting among multiple parties.
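As an added illustration of threshold control enforced by the scriptPubKey (not code from this pull request), the sketch below builds and strictly parses a bare `<m> <pubkeys> <n> OP_CHECKMULTISIG` script. That layout, the function names and the sample keys are assumptions made for this example; the script form the patch itself uses is not shown on this page.

```python
# Added illustration: bare m-of-n multisig scriptPubKey (not this PR's code).
OP_CHECKMULTISIG = 0xAE
OP_1, OP_16 = 0x51, 0x60


def _small_int(n):
    """Encode 1..16 as the single-byte opcodes OP_1..OP_16."""
    if not 1 <= n <= 16:
        raise ValueError("value must be in 1..16")
    return OP_1 + n - 1


def build_multisig(m, pubkeys):
    """Return <m> <pubkey>... <n> OP_CHECKMULTISIG as raw script bytes."""
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    script = bytearray([_small_int(m)])
    for pk in pubkeys:
        if len(pk) not in (33, 65):  # compressed / uncompressed SEC encoding
            raise ValueError("unexpected public key length")
        script.append(len(pk))       # direct push: opcode byte equals length
        script += pk
    script += bytes([_small_int(n), OP_CHECKMULTISIG])
    return bytes(script)


def parse_multisig(script):
    """Recover (m, pubkeys); raise ValueError if the script is not this form."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m or n is not a small integer opcode")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        size = script[pos]
        if size not in (33, 65) or pos + 1 + size > end:
            raise ValueError("malformed public key push")
        keys.append(script[pos + 1:pos + 1 + size])
        pos += 1 + size
    # The declared n must match the keys actually present, and m must fit.
    if len(keys) != n or m > n:
        raise ValueError("key count does not match n, or m > n")
    return m, keys


# Constructed sample keys: right length and prefix only, not real curve points.
SAMPLE_KEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (1, 2, 3)]
ESCROW_2_OF_3 = build_multisig(2, SAMPLE_KEYS)
```

A party asked to fund such an output can run the parser on the proposed script to confirm the threshold and the exact key set before sending.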