Squashed 'src/secp256k1/' changes from 0b70241..b19c000

b19c000 Merge bitcoin#607: Use size_t shifts when computing a size_t
4d01bc2 Merge bitcoin#606: travis: Remove unused sudo:false
e6d01e9 Use size_t shifts when computing a size_t
7667532 travis: Remove unused sudo:false
ee99f12 Merge bitcoin#599: Switch x86_64 asm to use "i" instead of "n" for immediate values.
d58bc93 Switch x86_64 asm to use "i" instead of "n" for immediate values.
05362ee Merge bitcoin#597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
8348386 Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
aa15154 Merge bitcoin#568: Fix integer overflow in ecmult_multi_var when n is large
2277af5 Fix integer overflow in ecmult_multi_var when n is large
85d0e1b Merge bitcoin#591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
1419637 Merge bitcoin#580: Add trivial ecmult_multi algorithm which does not require a scratch space
a697d82 Add trivial ecmult_multi to the benchmark tool
bade617 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
5545e13 Merge bitcoin#584: configure: Use CFLAGS_FOR_BUILD when checking native compiler
20c5869 Merge bitcoin#516: improvements to random seed in src/tests.c
b76e45d Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
870a977 Merge bitcoin#562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
be40c4d Fixup for C90 mixed declarations.
c71dd2c Merge bitcoin#509: Fix algorithm selection in bench_ecmult
6492bf8 Merge bitcoin#518: Summarize build options after running configure
0e9ada1 Merge bitcoin#567: Correct order of libs returned on pkg-config --libs --static libsecp2…
e96901a Merge bitcoin#587: Make randomization of a non-signing context a noop
58df8d0 Merge bitcoin#511: Portability fix for the configure scripts generated
2ebdad7 Merge bitcoin#552: Make constants static:
1c131af Merge bitcoin#551: secp256k1_fe_sqrt: Verify that the arguments don't alias.
ba698f8 Merge bitcoin#539: Assorted minor corrections
949e85b Merge bitcoin#550: Optimize secp256k1_fe_normalize_weak calls.
a34bcaa Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker
2d5f4ce configure: Use CFLAGS_FOR_BUILD when checking native compiler
b408c6a Merge bitcoin#579: Use __GNUC_PREREQ for detecting __builtin_expect
6198375 Make randomization of a non-signing context a noop
c663397 Use __GNUC_PREREQ for detecting __builtin_expect
e34ceb3 Merge bitcoin#557: Eliminate scratch memory used when generating contexts
b3bf5f9 ecmult_impl: expand comment to explain how effective affine interacts with everything
efa783f Store z-ratios in the 'x' coord they'll recover
ffd3b34 add `secp256k1_ge_set_all_gej_var` test which deals with many infinite points
84740ac ecmult_impl: save one fe_inv_var
4704527 ecmult_impl: eliminate scratch memory used when generating context
7f7a2ed ecmult_gen_impl: eliminate scratch memory used when generating context
314a61d Merge bitcoin#553: add static context object which has no capabilities
89a20a8 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
1086fda Merge bitcoin#354: [ECDH API change] Support custom hash function
d3cb1f9 Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
40fde61 prevent attempts to modify `secp256k1_context_no_precomp`
ed7c084 add static context object which has no capabilities
496c5b4 Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B;
bf8b86c secp256k1_fe_sqrt: Verify that the arguments don't alias.
9bd89c8 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
52ab96f clean dependendies in field_*_impl.h
deff5ed Correct math typos in field_*.h
4efb3f8 Add check that restrict pointers don't alias with all parameters.
1e6f1f5 Merge bitcoin#529: fix tests.c in the count == 0 case
c8fbc3c [ECDH API change] Allow pass arbitrary data to hash function
b00be65 [ECDH API change] Support custom hash function
95e99f1 fix tests.c in the count == 0 case
452d8e4 Merge bitcoin#523: scratch: add stack frame support
6fe5043 scratch: add stack frame support
9bc2e26 Merge bitcoin#522: parameterize ecmult_const over input size
7c1b91b parameterize ecmult_const over input size
dbc3ddd Merge bitcoin#513: Increase sparsity of pippenger fixed window naf representation
3965027 Summarize build options in configure script
0f05173 Fix algorithm selection in bench_ecmult
fb9271d Merge bitcoin#510: add a couple missing `const`s to ecmult_pippenger_wnaf
cd5f602 Merge bitcoin#515: Fix typo
09146ae Merge bitcoin#512: secp256k1_ec_privkey_negate - fix documentation
ec0a7b3 Don't touch leading zeros in wnaf_fixed.
9e36d1b Fix bug in wnaf_fixed where the wnaf array is not completely zeroed when given a 0 scalar.
96f68a0 Don't invert scalar in wnaf_fixed when it is even because a caller might intentionally give a scalar with many leading zeros.
8b3841c fix bug in fread() failure check
cddef0c tests: add warning message when /dev/urandom fails
9b7c47a Fix typo
6dbb007 Increase sparsity of pippenger fixed window naf representation
1646ace secp256k1_ec_privkey_negate - fix documentation
270f6c8 Portability fix for the configure scripts generated
9b3ff03 add a couple missing `const`s to ecmult_pippenger_wnaf
cd329db Merge bitcoin#460: [build] Update ax_jni_include_dir.m4 macro
7f9c1a1 Merge bitcoin#498: tests: Avoid calling fclose(...) with an invalid argument
f99aa8d Merge bitcoin#499: tests: Make sure we get the requested number of bytes from /dev/urandom
b549d3d Merge bitcoin#472: [build] Set --enable-jni to no by default instead of auto.
d333521 Merge bitcoin#494: Support OpenSSL versions >= 1.1 for ENABLE_OPENSSL_TESTS
2ef8ea5 Merge bitcoin#495: Add bench_ecmult to .gitignore
82a96e4 tests: Make sure we get the requested number of bytes from /dev/urandom
5aae5b5 Avoid calling fclose(...) with an invalid argument
cb32940 Add bench_ecmult to .gitignore
31abd3a Support OpenSSL versions >= 1.1 for ENABLE_OPENSSL_TESTS
c95f6f1 Merge bitcoin#487: fix tests typo, s/changed/unchanged
fb46c83 Merge bitcoin#463: Reduce usage of hardcoded size constants
02f5001 Merge bitcoin#490: Disambiguate bench functions and types
1f46d60 Disambiguate bench functions and types
f54c6c5 Merge bitcoin#480: Enable benchmark building by default
c77fc08 Merge bitcoin#486: Add pippenger_wnaf for multi-multiplication
d2f9c6b Use more precise pippenger bucket windows
4c950bb Save some additions per window in _pippenger_wnaf
a58f543 Add flags for choosing algorithm in ecmult_multi benchmark
36b22c9 Use scratch space dependent batching in ecmult_multi
355a38f Add pippenger_wnaf ecmult_multi
bc65aa7 Add bench_ecmult
dba5471 Add ecmult_multi tests
8c1c831 Generalize Strauss to support multiple points
548de42 add resizeable scratch space API
0e96cdc fix typo, s/changed/unchanged
c7680e5 Reduce usage of hardcoded size constants
6ad5cdb Merge bitcoin#479: Get rid of reserved _t in type names
7a78f60 Print whether we're building benchmarks
4afec9f Build benchmarks by default
d1dc9df Get rid of reserved _t in type names
57752d2 [build] Set --enable-jni to no by default instead of auto.
e7daa9b [build] Tweak JNI macro to warn instead of error for JNI not found.
5b22977 [build] Update ax_jni_include_dir.m4 macro to deal with recent versions of macOS

git-subtree-dir: src/secp256k1
git-subtree-split: b19c000

.gitignore

@@ -1,5 +1,16 @@
 *.tar.gz
 
+bench_inv
+bench_ecdh
+bench_ecmult
+bench_sign
+bench_verify
+bench_schnorr_verify
+bench_recover
+bench_internal
+tests
+exhaustive_tests
+gen_context
 *.exe
 src/layercoin
 src/layercoind

src/bench_ecmult.c

@@ -0,0 +1,207 @@
+/**********************************************************************
+ * Copyright (c) 2017 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+#include <stdio.h>
+
+#include "include/secp256k1.h"
+
+#include "util.h"
+#include "hash_impl.h"
+#include "num_impl.h"
+#include "field_impl.h"
+#include "group_impl.h"
+#include "scalar_impl.h"
+#include "ecmult_impl.h"
+#include "bench.h"
+#include "secp256k1.c"
+
+#define POINTS 32768
+#define ITERS 10000
+
+typedef struct {
+    /* Setup once in advance */
+    secp256k1_context* ctx;
+    secp256k1_scratch_space* scratch;
+    secp256k1_scalar* scalars;
+    secp256k1_ge* pubkeys;
+    secp256k1_scalar* seckeys;
+    secp256k1_gej* expected_output;
+    secp256k1_ecmult_multi_func ecmult_multi;
+
+    /* Changes per test */
+    size_t count;
+    int includes_g;
+
+    /* Changes per test iteration */
+    size_t offset1;
+    size_t offset2;
+
+    /* Test output. */
+    secp256k1_gej* output;
+} bench_data;
+
+static int bench_callback(secp256k1_scalar* sc, secp256k1_ge* ge, size_t idx, void* arg) {
+    bench_data* data = (bench_data*)arg;
+    if (data->includes_g) ++idx;
+    if (idx == 0) {
+        *sc = data->scalars[data->offset1];
+        *ge = secp256k1_ge_const_g;
+    } else {
+        *sc = data->scalars[(data->offset1 + idx) % POINTS];
+        *ge = data->pubkeys[(data->offset2 + idx - 1) % POINTS];
+    }
+    return 1;
+}
+
+static void bench_ecmult(void* arg) {
+    bench_data* data = (bench_data*)arg;
+
+    size_t count = data->count;
+    int includes_g = data->includes_g;
+    size_t iters = 1 + ITERS / count;
+    size_t iter;
+
+    for (iter = 0; iter < iters; ++iter) {
+        data->ecmult_multi(&data->ctx->ecmult_ctx, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_callback, arg, count - includes_g);
+        data->offset1 = (data->offset1 + count) % POINTS;
+        data->offset2 = (data->offset2 + count - 1) % POINTS;
+    }
+}
+
+static void bench_ecmult_setup(void* arg) {
+    bench_data* data = (bench_data*)arg;
+    data->offset1 = (data->count * 0x537b7f6f + 0x8f66a481) % POINTS;
+    data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS;
+}
+
+static void bench_ecmult_teardown(void* arg) {
+    bench_data* data = (bench_data*)arg;
+    size_t iters = 1 + ITERS / data->count;
+    size_t iter;
+    /* Verify the results in teardown, to avoid doing comparisons while benchmarking. */
+    for (iter = 0; iter < iters; ++iter) {
+        secp256k1_gej tmp;
+        secp256k1_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL);
+        CHECK(secp256k1_gej_is_infinity(&tmp));
+    }
+}
+
+static void generate_scalar(uint32_t num, secp256k1_scalar* scalar) {
+    secp256k1_sha256 sha256;
+    unsigned char c[11] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0};
+    unsigned char buf[32];
+    int overflow = 0;
+    c[6] = num;
+    c[7] = num >> 8;
+    c[8] = num >> 16;
+    c[9] = num >> 24;
+    secp256k1_sha256_initialize(&sha256);
+    secp256k1_sha256_write(&sha256, c, sizeof(c));
+    secp256k1_sha256_finalize(&sha256, buf);
+    secp256k1_scalar_set_b32(scalar, buf, &overflow);
+    CHECK(!overflow);
+}
+
+static void run_test(bench_data* data, size_t count, int includes_g) {
+    char str[32];
+    static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
+    size_t iters = 1 + ITERS / count;
+    size_t iter;
+
+    data->count = count;
+    data->includes_g = includes_g;
+
+    /* Compute (the negation of) the expected results directly. */
+    data->offset1 = (data->count * 0x537b7f6f + 0x8f66a481) % POINTS;
+    data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS;
+    for (iter = 0; iter < iters; ++iter) {
+        secp256k1_scalar tmp;
+        secp256k1_scalar total = data->scalars[(data->offset1++) % POINTS];
+        size_t i = 0;
+        for (i = 0; i + 1 < count; ++i) {
+            secp256k1_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]);
+            secp256k1_scalar_add(&total, &total, &tmp);
+        }
+        secp256k1_scalar_negate(&total, &total);
+        secp256k1_ecmult(&data->ctx->ecmult_ctx, &data->expected_output[iter], NULL, &zero, &total);
+    }
+
+    /* Run the benchmark. */
+    sprintf(str, includes_g ? "ecmult_%ig" : "ecmult_%i", (int)count);
+    run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * (1 + ITERS / count));
+}
+
+int main(int argc, char **argv) {
+    bench_data data;
+    int i, p;
+    secp256k1_gej* pubkeys_gej;
+    size_t scratch_size;
+
+    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+    scratch_size = secp256k1_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16;
+    data.scratch = secp256k1_scratch_space_create(data.ctx, scratch_size);
+    data.ecmult_multi = secp256k1_ecmult_multi_var;
+
+    if (argc > 1) {
+        if(have_flag(argc, argv, "pippenger_wnaf")) {
+            printf("Using pippenger_wnaf:\n");
+            data.ecmult_multi = secp256k1_ecmult_pippenger_batch_single;
+        } else if(have_flag(argc, argv, "strauss_wnaf")) {
+            printf("Using strauss_wnaf:\n");
+            data.ecmult_multi = secp256k1_ecmult_strauss_batch_single;
+        } else if(have_flag(argc, argv, "simple")) {
+            printf("Using simple algorithm:\n");
+            data.ecmult_multi = secp256k1_ecmult_multi_var;
+            secp256k1_scratch_space_destroy(data.scratch);
+            data.scratch = NULL;
+        } else {
+            fprintf(stderr, "%s: unrecognized argument '%s'.\n", argv[0], argv[1]);
+            fprintf(stderr, "Use 'pippenger_wnaf', 'strauss_wnaf', 'simple' or no argument to benchmark a combined algorithm.\n");
+            return 1;
+        }
+    }
+
+    /* Allocate stuff */
+    data.scalars = malloc(sizeof(secp256k1_scalar) * POINTS);
+    data.seckeys = malloc(sizeof(secp256k1_scalar) * POINTS);
+    data.pubkeys = malloc(sizeof(secp256k1_ge) * POINTS);
+    data.expected_output = malloc(sizeof(secp256k1_gej) * (ITERS + 1));
+    data.output = malloc(sizeof(secp256k1_gej) * (ITERS + 1));
+
+    /* Generate a set of scalars, and private/public keypairs. */
+    pubkeys_gej = malloc(sizeof(secp256k1_gej) * POINTS);
+    secp256k1_gej_set_ge(&pubkeys_gej[0], &secp256k1_ge_const_g);
+    secp256k1_scalar_set_int(&data.seckeys[0], 1);
+    for (i = 0; i < POINTS; ++i) {
+        generate_scalar(i, &data.scalars[i]);
+        if (i) {
+            secp256k1_gej_double_var(&pubkeys_gej[i], &pubkeys_gej[i - 1], NULL);
+            secp256k1_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]);
+        }
+    }
+    secp256k1_ge_set_all_gej_var(data.pubkeys, pubkeys_gej, POINTS);
+    free(pubkeys_gej);
+
+    for (i = 1; i <= 8; ++i) {
+        run_test(&data, i, 1);
+    }
+
+    for (p = 0; p <= 11; ++p) {
+        for (i = 9; i <= 16; ++i) {
+            run_test(&data, i << p, 1);
+        }
+    }
+    secp256k1_context_destroy(data.ctx);
+    if (data.scratch != NULL) {
+        secp256k1_scratch_space_destroy(data.scratch);
+    }
+    free(data.scalars);
+    free(data.pubkeys);
+    free(data.seckeys);
+    free(data.output);
+    free(data.expected_output);
+
+    return(0);
+}

src/scratch.h

@@ -0,0 +1,39 @@
+/**********************************************************************
+ * Copyright (c) 2017 Andrew Poelstra	                              *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_SCRATCH_
+#define _SECP256K1_SCRATCH_
+
+#define SECP256K1_SCRATCH_MAX_FRAMES	5
+
+/* The typedef is used internally; the struct name is used in the public API
+ * (where it is exposed as a different typedef) */
+typedef struct secp256k1_scratch_space_struct {
+    void *data[SECP256K1_SCRATCH_MAX_FRAMES];
+    size_t offset[SECP256K1_SCRATCH_MAX_FRAMES];
+    size_t frame_size[SECP256K1_SCRATCH_MAX_FRAMES];
+    size_t frame;
+    size_t max_size;
+    const secp256k1_callback* error_callback;
+} secp256k1_scratch;
+
+static secp256k1_scratch* secp256k1_scratch_create(const secp256k1_callback* error_callback, size_t max_size);
+
+static void secp256k1_scratch_destroy(secp256k1_scratch* scratch);
+
+/** Attempts to allocate a new stack frame with `n` available bytes. Returns 1 on success, 0 on failure */
+static int secp256k1_scratch_allocate_frame(secp256k1_scratch* scratch, size_t n, size_t objects);
+
+/** Deallocates a stack frame */
+static void secp256k1_scratch_deallocate_frame(secp256k1_scratch* scratch);
+
+/** Returns the maximum allocation the scratch space will allow */
+static size_t secp256k1_scratch_max_allocation(const secp256k1_scratch* scratch, size_t n_objects);
+
+/** Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available space */
+static void *secp256k1_scratch_alloc(secp256k1_scratch* scratch, size_t n);
+
+#endif

src/scratch_impl.h

@@ -0,0 +1,86 @@
+/**********************************************************************
+ * Copyright (c) 2017 Andrew Poelstra                                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_SCRATCH_IMPL_H_
+#define _SECP256K1_SCRATCH_IMPL_H_
+
+#include "scratch.h"
+
+/* Using 16 bytes alignment because common architectures never have alignment
+ * requirements above 8 for any of the types we care about. In addition we
+ * leave some room because currently we don't care about a few bytes.
+ * TODO: Determine this at configure time. */
+#define ALIGNMENT 16
+
+static secp256k1_scratch* secp256k1_scratch_create(const secp256k1_callback* error_callback, size_t max_size) {
+    secp256k1_scratch* ret = (secp256k1_scratch*)checked_malloc(error_callback, sizeof(*ret));
+    if (ret != NULL) {
+        memset(ret, 0, sizeof(*ret));
+        ret->max_size = max_size;
+        ret->error_callback = error_callback;
+    }
+    return ret;
+}
+
+static void secp256k1_scratch_destroy(secp256k1_scratch* scratch) {
+    if (scratch != NULL) {
+        VERIFY_CHECK(scratch->frame == 0);
+        free(scratch);
+    }
+}
+
+static size_t secp256k1_scratch_max_allocation(const secp256k1_scratch* scratch, size_t objects) {
+    size_t i = 0;
+    size_t allocated = 0;
+    for (i = 0; i < scratch->frame; i++) {
+        allocated += scratch->frame_size[i];
+    }
+    if (scratch->max_size - allocated <= objects * ALIGNMENT) {
+        return 0;
+    }
+    return scratch->max_size - allocated - objects * ALIGNMENT;
+}
+
+static int secp256k1_scratch_allocate_frame(secp256k1_scratch* scratch, size_t n, size_t objects) {
+    VERIFY_CHECK(scratch->frame < SECP256K1_SCRATCH_MAX_FRAMES);
+
+    if (n <= secp256k1_scratch_max_allocation(scratch, objects)) {
+        n += objects * ALIGNMENT;
+        scratch->data[scratch->frame] = checked_malloc(scratch->error_callback, n);
+        if (scratch->data[scratch->frame] == NULL) {
+            return 0;
+        }
+        scratch->frame_size[scratch->frame] = n;
+        scratch->offset[scratch->frame] = 0;
+        scratch->frame++;
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+static void secp256k1_scratch_deallocate_frame(secp256k1_scratch* scratch) {
+    VERIFY_CHECK(scratch->frame > 0);
+    scratch->frame -= 1;
+    free(scratch->data[scratch->frame]);
+}
+
+static void *secp256k1_scratch_alloc(secp256k1_scratch* scratch, size_t size) {
+    void *ret;
+    size_t frame = scratch->frame - 1;
+    size = ((size + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
+
+    if (scratch->frame == 0 || size + scratch->offset[frame] > scratch->frame_size[frame]) {
+        return NULL;
+    }
+    ret = (void *) ((unsigned char *) scratch->data[frame] + scratch->offset[frame]);
+    memset(ret, 0, size);
+    scratch->offset[frame] += size;
+
+    return ret;
+}
+
+#endif