
Mitigate partitioning of the anonymity set by fee selection (and avoid excessive transaction costs) #398

Open
defuse opened this Issue Oct 29, 2015 · 12 comments

Comments

@defuse
Contributor

defuse commented Oct 29, 2015

In current bitcoin land, wallets are free to implement fee estimation differently, and even within the same wallet, later versions can select fees differently than earlier versions. This all serves to partition the anonymity set.

If users are allowed to select fees manually, then habitual "human" patterns (like selecting round base-10 numbers) will also reduce anonymity.

Heuristic fee selection algorithms may also use external sources of information, for example the fees of other transactions in the mempool. If external sources are used, active attackers may be able to "poison" some nodes with strange fee-selection inputs, and then, by watching transaction fees, see which ones came from the poisoned nodes.

@ebfull ebfull added in 1.0 and removed needs prioritization labels Nov 2, 2015

@ebfull ebfull modified the milestone: Calgary Design Nov 10, 2015


zookoatleastauthoritycom commented Nov 10, 2015

What does it take to close this ticket? How about: define a privacy-safe fee-selection algorithm. Various ways to do that:

  1. It doesn't use potentially sensitive, non-public information,
  2. It results in a lot of convergence so that different clients/users/situations result in the same fees,
    other: ...?

Also probably relevant is current work in fee-selection in Bitcoin-land, e.g. Bram Cohen's proposal: https://medium.com/@bramcohen/how-wallets-can-handle-transaction-fees-ff5d020d14fb
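The partitioning defuse describes (divergent estimators, human round numbers, a poisoned mempool view) and the convergence property zooko asks for in point 2, as an added example that is not part of this issue or of the Zcash code base. Everything in it is constructed for illustration: the three toy fee policies, the `FIXED_FEE` constant, the sample mempool views and the thirteen-transaction population are assumptions, not Zcash's actual fee rules or data.

```python
"""Toy model of how wallet fee policy partitions the anonymity set.

Added example, not code from zcashd or from anyone in this thread. Fees are in
zatoshi (1 ZEC = 10^8 zatoshi); transaction size is ignored so a policy's output
is the fee itself. The policies, the FIXED_FEE constant and the sample mempool
views below are constructed for illustration and are not Zcash's actual rules.
"""
from collections import Counter
import math

# --- three wallet fee-selection policies ------------------------------------

def mempool_percentile_fee(observed_fees, percentile=0.5):
    """Heuristic estimator: take the fee at a percentile of whatever this node's
    mempool shows. That input is external and attacker-influenceable."""
    ranked = sorted(observed_fees)
    return ranked[min(len(ranked) - 1, int(percentile * len(ranked)))]

def human_round_fee(target_fee):
    """Manual selection: people round up to one significant base-10 digit."""
    if target_fee <= 0:
        return 0
    magnitude = 10 ** (len(str(target_fee)) - 1)
    return math.ceil(target_fee / magnitude) * magnitude

FIXED_FEE = 10_000  # assumed network-wide constant (0.0001 ZEC), for illustration

def fixed_fee():
    """Converged policy: no inputs, so every client emits the same value."""
    return FIXED_FEE

# --- what a passive observer of the chain learns from fees alone -------------

def partition_by_fee(fees):
    """Classes of transactions indistinguishable by fee: fee -> count."""
    return dict(Counter(fees))

def min_anonymity_set(fees):
    """Smallest class; 1 means some transaction is uniquely identified by its fee."""
    return min(partition_by_fee(fees).values())

def fee_entropy_bits(fees):
    """Bits the fee reveals about a transaction; 0 when everyone paid the same."""
    total = len(fees)
    return -sum((n / total) * math.log2(n / total)
                for n in partition_by_fee(fees).values())

def flag_poisoned_node_txs(fees, honest_fee, poisoned_fee):
    """Active attacker: after feeding junk fees to one node, watch the chain and
    return the indices of transactions carrying the poisoned estimate."""
    return [i for i, f in enumerate(fees) if f == poisoned_fee and f != honest_fee]

# --- constructed sample data -------------------------------------------------

HONEST_VIEW = [1000, 1000, 1200, 1500, 2000, 2000, 2500]  # fees an honest node sees
POISONED_VIEW = HONEST_VIEW + [7777] * 8                   # plus the attacker's junk

def mixed_population():
    """13 transactions from wallets running different fee policies."""
    fees = [mempool_percentile_fee(HONEST_VIEW)] * 5     # estimators, honest nodes
    fees += [mempool_percentile_fee(POISONED_VIEW)]      # estimator on the poisoned node
    fees += [human_round_fee(t) for t in (1500, 2000, 2500)]  # manual selection
    fees += [fixed_fee()] * 4                            # converged-policy wallets
    return fees

def converged_population():
    """The same 13 transactions if every wallet used the converged policy."""
    return [fixed_fee()] * 13

if __name__ == "__main__":
    mixed = mixed_population()
    print("mixed partition:", partition_by_fee(mixed))
    print("smallest anonymity set:", min_anonymity_set(mixed))
    print("bits leaked by fee: %.2f" % fee_entropy_bits(mixed))
    print("txs traceable to the poisoned node:",
          flag_poisoned_node_txs(mixed, mempool_percentile_fee(HONEST_VIEW),
                                 mempool_percentile_fee(POISONED_VIEW)))
    conv = converged_population()
    print("converged partition:", partition_by_fee(conv),
          "bits leaked: %.2f" % fee_entropy_bits(conv))
```

With mixed policies the thirteen transactions fall into five fee classes, two of them singletons, so the fee alone leaks about two bits per transaction and the estimator wallet on the poisoned node is picked out exactly. With every wallet on the constant fee there is one class and the fee leaks nothing, which satisfies both of zooko's properties at once (no inputs, full convergence) at the cost of not reacting to congestion. One caveat the model hides by ignoring size: a policy that converges on a per-kilobyte rate still yields fees that vary with transaction size, so the partition only collapses fully when the fee itself is constant.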

@nathan-at-least nathan-at-least modified the milestone: Calgary Design Nov 10, 2015


Contributor

nathan-at-least commented Nov 18, 2015

@defuse, @ebfull, and I decided to kick this out to "feature not in 1.0" because we believe it's possible to address this kind of security post-launch by changing wallet implementations without altering the protocol directly.

@daira daira changed the title from Does fee selection partition the anonymity set? to Mitigate positioning of the anonymity set by fee selection Mar 15, 2016

@daira daira changed the title from Mitigate positioning of the anonymity set by fee selection to Mitigate partitioning of the anonymity set by fee selection Mar 15, 2016

@daira daira added the maybe in 2.0 label Mar 15, 2016


Contributor

daira commented Jun 19, 2016

See OpenBazaar/OpenBazaar-Client#1693 for an example of how uncertainty over fees can lead to excessive transaction costs. The API for Bitcoin transaction fees linked from there (here's a snapshot to avoid spamming the API endpoint: https://defuse.ca/b/7DY2WMJEPJIVYx0XvPlftq ) confirms that a large proportion of Bitcoin transactions are paying fees that are unnecessarily high, i.e. that obtain no benefit in confirmation time.

@daira daira changed the title from Mitigate partitioning of the anonymity set by fee selection to Mitigate partitioning of the anonymity set by fee selection (and avoid excessive transaction costs) Jun 19, 2016


jl777 commented Jun 19, 2016

I have a radical idea on this issue. The big problem with txfees is that they can leak privacy, or at least make it that much harder to deal with keeping things private.

But of course we need txfees to prevent spam, but maybe there is a way to have some portion of mining rewards allocated for public-use txfees. That creates zero correlations, even if it is transparent, as it comes from the miner. So it would dramatically reduce the space on the blockchain by eliminating the need for zkp for the txfee outputs.

The issue that needs to be solved is how to limit the number of free tx anybody can use. If there was a txfee faucet that could be protected from mass abuse, that could solve this issue external to zcashd.

With 1 ZEC able to fund 1000+ transactions, it seems worth allocating that collectively. I guess when blockchain activity is much higher, it becomes more and more painful, but when the network is young and small it is much more vulnerable to external analysis, and when it is so much bigger that the txfee faucet can't fund all the txfees, there will by definition be thousands of transactions per day, which makes the external analysis not so useful.


Contributor

daira commented Jun 19, 2016

So, I'm not sure there is much difference between having a zero fee and having a public faucet that pays fees (at least initially when fees are much lower than miner block rewards) except that the public faucet can be turned off in case of spam. The faucet is unlikely to be able to distinguish between legitimate and spammer requests, so turning it off is pretty much all you can do. I like the radical thinking on this issue though.


jl777 commented Jun 19, 2016

Having zero txfee won't work as there won't be any protection from infinite spam, especially from competitive anon coins with an aggressive community.

Having a public faucet funded by the blockchain directly solves the txfee contamination issue and also prevents any bloat from txfee (assuming you can use transparent txfee to pay for joinsplit funds).

The faucet will simply run out of funds during a spam attack and the free txfees automatically turn into not free, thus making the spam attack cost real funds.

If we end up with a constant amount of spam attacks that makes the faucet useless, then plan B can be used.


jl777 commented Jun 19, 2016

Plan B would be a heuristic that is regression tested against all prior spam attacks, i.e. find a pattern that would identify the spam attack vs normal transactions. I am sure a very high accuracy discriminator can be created using an SVM.

So each spam attack would require retraining the SVM to detect a similar-pattern spam attack. Since each attack is an annoyance and not costing people money, making each attack automatically make the spam detector smarter actually extracts value from each spam attack.


Contributor

daira commented Jun 20, 2016

The difference between the fee faucet idea, and having miners increase their fee requirements (from zero) in case of a spam attack, is that the fee faucet is more centralised. That does allow for easier detection of attacks, but it's not clear to me that centralisation is a good thing here. (It's not as bad as other forms of centralisation because only relatively small transaction fees are at stake, but it still goes against the grain.)


jl777 commented Jun 20, 2016

My prediction is that if it is left up to the miners, we won't have many free txfees, i.e. they will always set the fee to non-zero to maximize revenues.

So, it seems the practical choice is to fund the fee faucet in a decentralized way, i.e. as part of the protocol, and have the relatively small amount of funds managed in a distributed fashion. Nothing says there can't be half a dozen fee faucets run by community volunteers. So there doesn't even have to be centralization of the fee faucet policy making; each of the distributed set of fee faucets could have discretion over its own share of funds.

Zcash is already going completely against the grain! You guys actually listen to external feedback.


Contributor

daira commented Jun 20, 2016

In the case of Bitcoin, it's not so much that miners are demanding high fees, as that transaction creators (or the writers of wallet software) don't know what fees to use (I think the API I linked to is probably not well-known, and can't be used automatically because it's limited to 5000 requests/hour). So they overestimate.


jl777 commented Jun 20, 2016

Well, using a public website API seems like centralization and a single point of failure.
I just point out that a lot of miners are in it just for the money and, if given a choice of charging txfee or not, will charge txfees.


Contributor

daira commented Jun 20, 2016

Right, I wasn't suggesting using a centralised API (although there are various decentralised ways you could imagine to communicate expected fee information). Note that we can't prevent miners from refusing to include transactions that don't pay a minimum fee. Whether they do so is at least as much about social expectations as it is a protocol issue.

str4d added a commit to str4d/zcash that referenced this issue May 2, 2017

Squashed 'src/secp256k1/' changes from 22f60a6..cbc20b8
cbc20b8 Merge zcash#452: Minor optimizations to _scalar_inverse to save 4M
4cc8f52 Merge zcash#437: Unroll secp256k1_fe_(get|set)_b32 to make them much faster.
465159c Further shorten the addition chain for scalar inversion.
a2b6b19 Fix benchmark print_number infinite loop.
8b7680a Unroll secp256k1_fe_(get|set)_b32 for 10x26.
aa84990 Unroll secp256k1_fe_(get|set)_b32 for 5x52.
cf12fa1 Minor optimizations to _scalar_inverse to save 4M
1199492 Merge zcash#408: Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate`
6af0871 Merge zcash#441: secp256k1_context_randomize: document.
ab31a52 Merge zcash#444: test: Use checked_alloc
eda5c1a Merge zcash#449: Remove executable bit from secp256k1.c
51b77ae Remove executable bit from secp256k1.c
5eb030c test: Use checked_alloc
72d952c FIXUP: Missing "is"
70ff29b secp256k1_context_randomize: document.
9d560f9 Merge zcash#428: Exhaustive recovery
8e48aa6 Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate`
2cee5fd exhaustive tests: add recovery module
8225239 Merge zcash#433: Make the libcrypto detection fail the newer API.
12de863 Make the libcrypto detection fail the newer API.
678b0e5 exhaustive tests: remove erroneous comment from ecdsa_sig_sign
2928420 Merge zcash#427: Remove Schnorr from travis as well
03ff8c2 group_impl.h: remove unused `secp256k1_ge_set_infinity` function
a724d72 configure: add --enable-coverage to set options for coverage analysis
b595163 recovery: add tests to cover API misusage
8eecc4a Remove Schnorr from travis as well
6f8ae2f ecdh: test NULL-checking of arguments
25e3cfb ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign
a8abae7 Merge zcash#310: Add exhaustive test for group functions on a low-order subgroup
b4ceedf Add exhaustive test for verification
83836a9 Add exhaustive tests for group arithmetic, signing, and ecmult on a small group
20b8877 Add exhaustive test for group functions on a low-order subgroup
80773a6 Merge zcash#425: Remove Schnorr experiment
e06e878 Remove Schnorr experiment
04c8ef3 Merge zcash#407: Modify parameter order of internal functions to match API parameter order
6e06696 Merge zcash#411: Remove guarantees about memcmp-ability
40c8d7e Merge zcash#421: Update scalar_4x64_impl.h
a922365 Merge zcash#422: Restructure nonce clearing
3769783 Restructure nonce clearing
0f9e69d Restructure nonce clearing
9d67afa Update scalar_4x64_impl.h
7d15cd7 Merge zcash#413: fix auto-enabled static precompuatation
00c5d2e fix auto-enabled static precompuatation
91219a1 Remove guarantees about memcmp-ability
7a49cac Merge zcash#410: Add string.h include to ecmult_impl
0bbd5d4 Add string.h include to ecmult_impl
353c1bf Fix secp256k1_ge_set_table_gej_var parameter order
541b783 Fix secp256k1_ge_set_all_gej_var parameter order
7d893f4 Fix secp256k1_fe_inv_all_var parameter order
c5b32e1 Merge zcash#405: Make secp256k1_fe_sqrt constant time
926836a Make secp256k1_fe_sqrt constant time
e2a8e92 Merge zcash#404: Replace 3M + 4S doubling formula with 2M + 5S one
8ec49d8 Add note about 2M + 5S doubling formula
5a91bd7 Merge zcash#400: A couple minor cleanups
ac01378 build: add -DSECP256K1_BUILD to benchmark_internal build flags
a6c6f99 Remove a bunch of unused stdlib #includes
65285a6 Merge zcash#403: configure: add flag to disable OpenSSL tests
a9b2a5d configure: add flag to disable OpenSSL tests
b340123 Merge zcash#402: Add support for testing quadratic residues
e6e9805 Add function for testing quadratic residue field/group elements.
efd953a Add Jacobi symbol test via GMP
fa36a0d Merge zcash#401: ecmult_const: unify endomorphism and non-endomorphism skew cases
c6191fd ecmult_const: unify endomorphism and non-endomorphism skew cases
0b3e618 Merge zcash#378: .gitignore build-aux cleanup
6042217 Merge zcash#384: JNI: align shared files copyright/comments to bitcoinj's
24ad20f Merge zcash#399: build: verify that the native compiler works for static precomp
b3be852 Merge zcash#398: Test whether ECDH and Schnorr are enabled for JNI
aa0b1fd build: verify that the native compiler works for static precomp
eee808d Test whether ECDH and Schnorr are enabled for JNI
7b0fb18 Merge zcash#366: ARM assembly implementation of field_10x26 inner (rebase of zcash#173)
001f176 ARM assembly implementation of field_10x26 inner
0172be9 Merge zcash#397: Small fixes for sha256
3f8b78e Fix undefs in hash_impl.h
2ab4695 Fix state size in sha256 struct
6875b01 Merge zcash#386: Add some missing `VERIFY_CHECK(ctx != NULL)`
2c52b5d Merge zcash#389: Cast pointers through uintptr_t under JNI
43097a4 Merge zcash#390: Update bitcoin-core GitHub links
31c9c12 Merge zcash#391: JNI: Only call ecdsa_verify if its inputs parsed correctly
1cb2302 Merge zcash#392: Add testcase which hits additional branch in secp256k1_scalar_sqr
d2ee340 Merge zcash#388: bench_ecdh: fix call to secp256k1_context_create
093a497 Add testcase which hits additional branch in secp256k1_scalar_sqr
a40c701 JNI: Only call ecdsa_verify if its inputs parsed correctly
faa2a11 Update bitcoin-core GitHub links
47b9e78 Cast pointers through uintptr_t under JNI
f36f9c6 bench_ecdh: fix call to secp256k1_context_create
bcc4881 Add some missing `VERIFY_CHECK(ctx != NULL)` for functions that use `ARG_CHECK`
6ceea2c align shared files copyright/comments to bitcoinj's
70141a8 Update .gitignore
7b549b1 Merge zcash#373: build: fix x86_64 asm detection for some compilers
bc7c93c Merge zcash#374: Add note about y=0 being possible on one of the sextic twists
e457018 Merge zcash#364: JNI rebased
86e2d07 JNI library: cleanup, removed unimplemented code
3093576a JNI library
bd2895f Merge pull request zcash#371
e72e93a Add note about y=0 being possible on one of the sextic twists
3f8fdfb build: fix x86_64 asm detection for some compilers
e5a9047 [Trivial] Remove double semicolons
c18b869 Merge pull request zcash#360
3026daa Merge pull request zcash#302
03d4611 Add sage verification script for the group laws
a965937 Merge pull request zcash#361
83221ec Add experimental features to configure
5d4c5a3 Prevent damage_array in the signature test from going out of bounds.
419bf7f Merge pull request zcash#356
6c527ec Merge pull request zcash#357
445f7f1 Fix for Windows compile issue
03d84a4 Benchmark against OpenSSL verification
2bfb82b Merge pull request zcash#351
06aeea5 Turn secp256k1_ec_pubkey_serialize outlen to in/out
970164d Merge pull request zcash#348
6466625 Improvements for coordinate decompression
e2100ad Merge pull request zcash#347
8e48787 Change secp256k1_ec_pubkey_combine's count argument to size_t.
c69dea0 Clear output in more cases for pubkey_combine, adds tests.
269d422 Comment copyediting.
b4d17da Merge pull request zcash#344
4709265 Merge pull request zcash#345
26abce7 Adds 32 static test vectors for scalar mul, sqr, inv.
5b71a3f Better error case handling for pubkey_create & pubkey_serialize, more tests.
3b7bc69 Merge pull request zcash#343
eed87af Change contrib/laxder from headers-only to files compilable as standalone C
d7eb1ae Merge pull request zcash#342
7914a6e Make lax_der_privatekey_parsing.h not depend on internal code
73f64ff Merge pull request zcash#339
9234391 Overhaul flags handling
1a36898 Make flags more explicit, add runtime checks.
1a3e03a Merge pull request zcash#340
96be204 Add additional tests for eckey and arg-checks.
bb5aa4d Make the tweak function zeroize-output-on-fail behavior consistent.
4a243da Move secp256k1_ec_privkey_import/export to contrib.
1b3efc1 Move secp256k1_ecdsa_sig_recover into the recovery module.
e3cd679 Eliminate all side-effects from VERIFY_CHECK() usage.
b30fc85 Avoid nonce_function_rfc6979 algo16 argument emulation.
70d4640 Make secp256k1_ec_pubkey_create skip processing invalid secret keys.
6c476a8 Minor comment improvements.
131afe5 Merge pull request zcash#334
0c6ab2f Introduce explicit lower-S normalization
fea19e7 Add contrib/lax_der_parsing.h
3bb9c44 Rewrite ECDSA signature parsing code
fa57f1b Use secp256k1_rand_int and secp256k1_rand_bits more
49b3749 Add new tests for the extra testrand functions
f684d7d Faster secp256k1_rand_int implementation
251b1a6 Improve testrand: add extra random functions
31994c8 Merge pull request zcash#338
f79aa88 Bugfix: swap arguments to noncefp
c98df26 Merge pull request zcash#319
67f7da4 Extensive interface and operations tests for secp256k1_ec_pubkey_parse.
ee2cb40 Add ARG_CHECKs to secp256k1_ec_pubkey_parse/secp256k1_ec_pubkey_serialize
7450ef1 Merge pull request zcash#328
68a3c76 Merge pull request zcash#329
98135ee Merge pull request zcash#332
37100d7 improve ECDH header-doc
b13d749 Fix couple of typos in API comments
7c823e3 travis: fixup module configs
cc3141a Merge pull request zcash#325
ee58fae Merge pull request zcash#326
213aa67 Do not force benchmarks to be statically linked.
338fc8b Add API exports to secp256k1_nonce_function_default and secp256k1_nonce_function_rfc6979.
52fd03f Merge pull request zcash#320
9f6993f Remove some dead code.
357f8cd Merge pull request zcash#314
118cd82 Use explicit symbol visibility.
4e64608 Include public module headers when compiling modules.
1f41437 Merge pull request zcash#316
fe0d463 Merge pull request zcash#317
cfe0ed9 Fix miscellaneous style nits that irritate overactive static analysis.
2b199de Use the explicit NULL macro for pointer comparisons.
9e90516 Merge pull request zcash#294
dd891e0 Get rid of _t as it is POSIX reserved
201819b Merge pull request zcash#313
912f203 Eliminate a few unbraced statements that crept into the code.
eeab823 Merge pull request zcash#299
486b9bb Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export
05732c5 Callback data: Accept pointers to either const or non-const data
1973c73 Bugfix: Reinitialise buffer lengths that have been used as outputs
788038d Use size_t for lengths (at least in external API)
c9d7c2a secp256k1_context_set_{error,illegal}_callback: Restore default handler by passing NULL as function argument
9aac008 secp256k1_context_destroy: Allow NULL argument as a no-op
64b730b secp256k1_context_create: Use unsigned type for flags bitfield
cb04ab5 Merge pull request zcash#309
a551669 Merge pull request zcash#295
81e45ff Update group_impl.h
85e3a2c Merge pull request zcash#112
b2eb63b Merge pull request zcash#293
dc0ce9f [API BREAK] Change argument order to out/outin/in
6d947ca Merge pull request zcash#298
c822693 Merge pull request zcash#301
6d04350 Merge pull request zcash#303
7ab311c Merge pull request zcash#304
5fb3229 Fixes a bug where bench_sign would fail due to passing in too small a buffer.
263dcbc remove unused assignment
b183b41 bugfix: "ARG_CHECK(ctx != NULL)" makes no sense
6da1446 build: fix parallel build
5eb4356 Merge pull request zcash#291
c996d53 Print success
9f443be Move pubkey recovery code to separate module
d49abbd Separate ECDSA recovery tests
439d34a Separate recoverable and normal signatures
a7b046e Merge pull request zcash#289
f66907f Improve/reformat API documentation secp256k1.h
2f77487 Add context building benchmarks
cc623d5 Merge pull request zcash#287
de7e398 small typo fix
9d96e36 Merge pull request zcash#280
432e1ce Merge pull request zcash#283
14727fd Use correct name in gitignore
356b0e9 Actually test static precomputation in Travis
ff3a5df Merge pull request zcash#284
2587208 Merge pull request zcash#212
a5a66c7 Add support for custom EC-Schnorr-SHA256 signatures
d84a378 Merge pull request zcash#252
72ae443 Improve perf. of cmov-based table lookup
92e53fc Implement endomorphism optimization for secp256k1_ecmult_const
ed35d43 Make `secp256k1_scalar_add_bit` conditional; make `secp256k1_scalar_split_lambda_var` constant time
91c0ce9 Add benchmarks for ECDH and const-time multiplication
0739bbb Add ECDH module which works by hashing the output of ecmult_const
4401500 Add constant-time multiply `secp256k1_ecmult_const` for ECDH
e4ce393 build: fix hard-coded usage of "gen_context"
b8e39ac build: don't use BUILT_SOURCES for the static context header
baa75da tests: add a couple tests
ae4f0c6 Merge pull request zcash#278
995c548 Introduce callback functions for dealing with errors.
c333074 Merge pull request zcash#282
18c329c Remove the internal secp256k1_ecdsa_sig_t type
74a2acd Add a secp256k1_ecdsa_signature_t type
23cfa91 Introduce secp256k1_pubkey_t type
4c63780 Merge pull request zcash#269
3e6f1e2 Change rfc6979 implementation to be a generic PRNG
ed5334a Update configure.ac to make it build on OpenBSD
1b68366 Merge pull request zcash#274
a83bb48 Make ecmult static precomputation default
166b32f Merge pull request zcash#276
c37812f Add gen_context src/ecmult_static_context.h to CLEANFILES to fix distclean.
125c15d Merge pull request zcash#275
76f6769 Fix build with static ecmult altroot and make dist.
5133f78 Merge pull request zcash#254
b0a60e6 Merge pull request zcash#258
733c1e6 Add travis build to test the static context.
fbecc38 Add ability to use a statically generated ecmult context.
4fb174d Merge pull request zcash#263
4ab8990 Merge pull request zcash#270
bdf0e0c Merge pull request zcash#271
31d0c1f Merge pull request zcash#273
eb2c8ff Add missing casts to SECP256K1_FE_CONST_INNER
55399c2 Further performance improvements to _ecmult_wnaf
99fd963 Add secp256k1_ec_pubkey_compress(), with test similar to the related decompress() function.
145cc6e Improve performance of _ecmult_wnaf
36b305a Verify the result of GMP modular inverse using non-GMP code
0cbc860 Merge pull request zcash#266
06ff7fe Merge pull request zcash#267
5a43124 Save 1 _fe_negate since s1 == -s2
a5d796e Update code comments
3f3964e Add specific VERIFY tests for _fe_cmov
7d054cd Refactor to save a _fe_negate
b28d02a Refactor to remove a local var
55e7fc3 Perf. improvement in _gej_add_ge
a0601cd Fix VERIFY calculations in _fe_cmov methods
17f7148 Merge pull request zcash#261
7657420 Add tests for adding P+Q with P.x!=Q.x and P.y=-Q.y
8c5d5f7 tests: Add failing unit test for zcash#257 (bad addition formula)
5de4c5d gej_add_ge: fix degenerate case when computing P + (-lambda)P
bcf2fcf gej_add_ge: rearrange algebra
e2a07c7 Fix compilation with C++
873a453 Merge pull request zcash#250
91eb0da Merge pull request zcash#247
210ffed Use separate in and out pointers in `secp256k1_ec_pubkey_decompress`
a1d5ae1 Tiny optimization
729badf Merge pull request zcash#210
2d5a186 Apply effective-affine trick to precomp
4f9791a Effective affine addition in EC multiplication
2b4cf41 Use pkg-config always when possible, with failover to manual checks for libcrypto

git-subtree-dir: src/secp256k1
git-subtree-split: cbc20b8c34d44c2ef175420f3cdfe054f82e8e2c

str4d added a commit to str4d/zcash that referenced this issue May 2, 2017

Squashed 'src/secp256k1/' changes from 22f60a6..cbc20b8
cbc20b8 Merge zcash#452: Minor optimizations to _scalar_inverse to save 4M
4cc8f52 Merge zcash#437: Unroll secp256k1_fe_(get|set)_b32 to make them much faster.
465159c Further shorten the addition chain for scalar inversion.
a2b6b19 Fix benchmark print_number infinite loop.
8b7680a Unroll secp256k1_fe_(get|set)_b32 for 10x26.
aa84990 Unroll secp256k1_fe_(get|set)_b32 for 5x52.
cf12fa1 Minor optimizations to _scalar_inverse to save 4M
1199492 Merge zcash#408: Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate`
6af0871 Merge zcash#441: secp256k1_context_randomize: document.
ab31a52 Merge zcash#444: test: Use checked_alloc
eda5c1a Merge zcash#449: Remove executable bit from secp256k1.c
51b77ae Remove executable bit from secp256k1.c
5eb030c test: Use checked_alloc
72d952c FIXUP: Missing "is"
70ff29b secp256k1_context_randomize: document.
9d560f9 Merge zcash#428: Exhaustive recovery
8e48aa6 Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate`
2cee5fd exhaustive tests: add recovery module
8225239 Merge zcash#433: Make the libcrypto detection fail the newer API.
12de863 Make the libcrypto detection fail the newer API.
678b0e5 exhaustive tests: remove erroneous comment from ecdsa_sig_sign
2928420 Merge zcash#427: Remove Schnorr from travis as well
03ff8c2 group_impl.h: remove unused `secp256k1_ge_set_infinity` function
a724d72 configure: add --enable-coverage to set options for coverage analysis
b595163 recovery: add tests to cover API misusage
8eecc4a Remove Schnorr from travis as well
6f8ae2f ecdh: test NULL-checking of arguments
25e3cfb ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign
a8abae7 Merge zcash#310: Add exhaustive test for group functions on a low-order subgroup
b4ceedf Add exhaustive test for verification
83836a9 Add exhaustive tests for group arithmetic, signing, and ecmult on a small group
20b8877 Add exhaustive test for group functions on a low-order subgroup
80773a6 Merge zcash#425: Remove Schnorr experiment
e06e878 Remove Schnorr experiment
04c8ef3 Merge zcash#407: Modify parameter order of internal functions to match API parameter order
6e06696 Merge zcash#411: Remove guarantees about memcmp-ability
40c8d7e Merge zcash#421: Update scalar_4x64_impl.h
a922365 Merge zcash#422: Restructure nonce clearing
3769783 Restructure nonce clearing
0f9e69d Restructure nonce clearing
9d67afa Update scalar_4x64_impl.h
7d15cd7 Merge zcash#413: fix auto-enabled static precomputation
00c5d2e fix auto-enabled static precomputation
91219a1 Remove guarantees about memcmp-ability
7a49cac Merge zcash#410: Add string.h include to ecmult_impl
0bbd5d4 Add string.h include to ecmult_impl
353c1bf Fix secp256k1_ge_set_table_gej_var parameter order
541b783 Fix secp256k1_ge_set_all_gej_var parameter order
7d893f4 Fix secp256k1_fe_inv_all_var parameter order
c5b32e1 Merge zcash#405: Make secp256k1_fe_sqrt constant time
926836a Make secp256k1_fe_sqrt constant time
e2a8e92 Merge zcash#404: Replace 3M + 4S doubling formula with 2M + 5S one
8ec49d8 Add note about 2M + 5S doubling formula
5a91bd7 Merge zcash#400: A couple minor cleanups
ac01378 build: add -DSECP256K1_BUILD to benchmark_internal build flags
a6c6f99 Remove a bunch of unused stdlib #includes
65285a6 Merge zcash#403: configure: add flag to disable OpenSSL tests
a9b2a5d configure: add flag to disable OpenSSL tests
b340123 Merge zcash#402: Add support for testing quadratic residues
e6e9805 Add function for testing quadratic residue field/group elements.
efd953a Add Jacobi symbol test via GMP
fa36a0d Merge zcash#401: ecmult_const: unify endomorphism and non-endomorphism skew cases
c6191fd ecmult_const: unify endomorphism and non-endomorphism skew cases
0b3e618 Merge zcash#378: .gitignore build-aux cleanup
6042217 Merge zcash#384: JNI: align shared files copyright/comments to bitcoinj's
24ad20f Merge zcash#399: build: verify that the native compiler works for static precomp
b3be852 Merge zcash#398: Test whether ECDH and Schnorr are enabled for JNI
aa0b1fd build: verify that the native compiler works for static precomp
eee808d Test whether ECDH and Schnorr are enabled for JNI
7b0fb18 Merge zcash#366: ARM assembly implementation of field_10x26 inner (rebase of zcash#173)
001f176 ARM assembly implementation of field_10x26 inner
0172be9 Merge zcash#397: Small fixes for sha256
3f8b78e Fix undefs in hash_impl.h
2ab4695 Fix state size in sha256 struct
6875b01 Merge zcash#386: Add some missing `VERIFY_CHECK(ctx != NULL)`
2c52b5d Merge zcash#389: Cast pointers through uintptr_t under JNI
43097a4 Merge zcash#390: Update bitcoin-core GitHub links
31c9c12 Merge zcash#391: JNI: Only call ecdsa_verify if its inputs parsed correctly
1cb2302 Merge zcash#392: Add testcase which hits additional branch in secp256k1_scalar_sqr
d2ee340 Merge zcash#388: bench_ecdh: fix call to secp256k1_context_create
093a497 Add testcase which hits additional branch in secp256k1_scalar_sqr
a40c701 JNI: Only call ecdsa_verify if its inputs parsed correctly
faa2a11 Update bitcoin-core GitHub links
47b9e78 Cast pointers through uintptr_t under JNI
f36f9c6 bench_ecdh: fix call to secp256k1_context_create
bcc4881 Add some missing `VERIFY_CHECK(ctx != NULL)` for functions that use `ARG_CHECK`
6ceea2c align shared files copyright/comments to bitcoinj's
70141a8 Update .gitignore
7b549b1 Merge zcash#373: build: fix x86_64 asm detection for some compilers
bc7c93c Merge zcash#374: Add note about y=0 being possible on one of the sextic twists
e457018 Merge zcash#364: JNI rebased
86e2d07 JNI library: cleanup, removed unimplemented code
3093576a JNI library
bd2895f Merge pull request zcash#371
e72e93a Add note about y=0 being possible on one of the sextic twists
3f8fdfb build: fix x86_64 asm detection for some compilers
e5a9047 [Trivial] Remove double semicolons
c18b869 Merge pull request zcash#360
3026daa Merge pull request zcash#302
03d4611 Add sage verification script for the group laws
a965937 Merge pull request zcash#361
83221ec Add experimental features to configure
5d4c5a3 Prevent damage_array in the signature test from going out of bounds.
419bf7f Merge pull request zcash#356
6c527ec Merge pull request zcash#357
445f7f1 Fix for Windows compile issue
03d84a4 Benchmark against OpenSSL verification
2bfb82b Merge pull request zcash#351
06aeea5 Turn secp256k1_ec_pubkey_serialize outlen to in/out
970164d Merge pull request zcash#348
6466625 Improvements for coordinate decompression
e2100ad Merge pull request zcash#347
8e48787 Change secp256k1_ec_pubkey_combine's count argument to size_t.
c69dea0 Clear output in more cases for pubkey_combine, adds tests.
269d422 Comment copyediting.
b4d17da Merge pull request zcash#344
4709265 Merge pull request zcash#345
26abce7 Adds 32 static test vectors for scalar mul, sqr, inv.
5b71a3f Better error case handling for pubkey_create & pubkey_serialize, more tests.
3b7bc69 Merge pull request zcash#343
eed87af Change contrib/laxder from headers-only to files compilable as standalone C
d7eb1ae Merge pull request zcash#342
7914a6e Make lax_der_privatekey_parsing.h not depend on internal code
73f64ff Merge pull request zcash#339
9234391 Overhaul flags handling
1a36898 Make flags more explicit, add runtime checks.
1a3e03a Merge pull request zcash#340
96be204 Add additional tests for eckey and arg-checks.
bb5aa4d Make the tweak function zeroize-output-on-fail behavior consistent.
4a243da Move secp256k1_ec_privkey_import/export to contrib.
1b3efc1 Move secp256k1_ecdsa_sig_recover into the recovery module.
e3cd679 Eliminate all side-effects from VERIFY_CHECK() usage.
b30fc85 Avoid nonce_function_rfc6979 algo16 argument emulation.
70d4640 Make secp256k1_ec_pubkey_create skip processing invalid secret keys.
6c476a8 Minor comment improvements.
131afe5 Merge pull request zcash#334
0c6ab2f Introduce explicit lower-S normalization
fea19e7 Add contrib/lax_der_parsing.h
3bb9c44 Rewrite ECDSA signature parsing code
fa57f1b Use secp256k1_rand_int and secp256k1_rand_bits more
49b3749 Add new tests for the extra testrand functions
f684d7d Faster secp256k1_rand_int implementation
251b1a6 Improve testrand: add extra random functions
31994c8 Merge pull request zcash#338
f79aa88 Bugfix: swap arguments to noncefp
c98df26 Merge pull request zcash#319
67f7da4 Extensive interface and operations tests for secp256k1_ec_pubkey_parse.
ee2cb40 Add ARG_CHECKs to secp256k1_ec_pubkey_parse/secp256k1_ec_pubkey_serialize
7450ef1 Merge pull request zcash#328
68a3c76 Merge pull request zcash#329
98135ee Merge pull request zcash#332
37100d7 improve ECDH header-doc
b13d749 Fix couple of typos in API comments
7c823e3 travis: fixup module configs
cc3141a Merge pull request zcash#325
ee58fae Merge pull request zcash#326
213aa67 Do not force benchmarks to be statically linked.
338fc8b Add API exports to secp256k1_nonce_function_default and secp256k1_nonce_function_rfc6979.
52fd03f Merge pull request zcash#320
9f6993f Remove some dead code.
357f8cd Merge pull request zcash#314
118cd82 Use explicit symbol visibility.
4e64608 Include public module headers when compiling modules.
1f41437 Merge pull request zcash#316
fe0d463 Merge pull request zcash#317
cfe0ed9 Fix miscellaneous style nits that irritate overactive static analysis.
2b199de Use the explicit NULL macro for pointer comparisons.
9e90516 Merge pull request zcash#294
dd891e0 Get rid of _t as it is POSIX reserved
201819b Merge pull request zcash#313
912f203 Eliminate a few unbraced statements that crept into the code.
eeab823 Merge pull request zcash#299
486b9bb Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export
05732c5 Callback data: Accept pointers to either const or non-const data
1973c73 Bugfix: Reinitialise buffer lengths that have been used as outputs
788038d Use size_t for lengths (at least in external API)
c9d7c2a secp256k1_context_set_{error,illegal}_callback: Restore default handler by passing NULL as function argument
9aac008 secp256k1_context_destroy: Allow NULL argument as a no-op
64b730b secp256k1_context_create: Use unsigned type for flags bitfield
cb04ab5 Merge pull request zcash#309
a551669 Merge pull request zcash#295
81e45ff Update group_impl.h
85e3a2c Merge pull request zcash#112
b2eb63b Merge pull request zcash#293
dc0ce9f [API BREAK] Change argument order to out/outin/in
6d947ca Merge pull request zcash#298
c822693 Merge pull request zcash#301
6d04350 Merge pull request zcash#303
7ab311c Merge pull request zcash#304
5fb3229 Fixes a bug where bench_sign would fail due to passing in too small a buffer.
263dcbc remove unused assignment
b183b41 bugfix: "ARG_CHECK(ctx != NULL)" makes no sense
6da1446 build: fix parallel build
5eb4356 Merge pull request zcash#291
c996d53 Print success
9f443be Move pubkey recovery code to separate module
d49abbd Separate ECDSA recovery tests
439d34a Separate recoverable and normal signatures
a7b046e Merge pull request zcash#289
f66907f Improve/reformat API documentation secp256k1.h
2f77487 Add context building benchmarks
cc623d5 Merge pull request zcash#287
de7e398 small typo fix
9d96e36 Merge pull request zcash#280
432e1ce Merge pull request zcash#283
14727fd Use correct name in gitignore
356b0e9 Actually test static precomputation in Travis
ff3a5df Merge pull request zcash#284
2587208 Merge pull request zcash#212
a5a66c7 Add support for custom EC-Schnorr-SHA256 signatures
d84a378 Merge pull request zcash#252
72ae443 Improve perf. of cmov-based table lookup
92e53fc Implement endomorphism optimization for secp256k1_ecmult_const
ed35d43 Make `secp256k1_scalar_add_bit` conditional; make `secp256k1_scalar_split_lambda_var` constant time
91c0ce9 Add benchmarks for ECDH and const-time multiplication
0739bbb Add ECDH module which works by hashing the output of ecmult_const
4401500 Add constant-time multiply `secp256k1_ecmult_const` for ECDH
e4ce393 build: fix hard-coded usage of "gen_context"
b8e39ac build: don't use BUILT_SOURCES for the static context header
baa75da tests: add a couple tests
ae4f0c6 Merge pull request zcash#278
995c548 Introduce callback functions for dealing with errors.
c333074 Merge pull request zcash#282
18c329c Remove the internal secp256k1_ecdsa_sig_t type
74a2acd Add a secp256k1_ecdsa_signature_t type
23cfa91 Introduce secp256k1_pubkey_t type
4c63780 Merge pull request zcash#269
3e6f1e2 Change rfc6979 implementation to be a generic PRNG
ed5334a Update configure.ac to make it build on OpenBSD
1b68366 Merge pull request zcash#274
a83bb48 Make ecmult static precomputation default
166b32f Merge pull request zcash#276
c37812f Add gen_context src/ecmult_static_context.h to CLEANFILES to fix distclean.
125c15d Merge pull request zcash#275
76f6769 Fix build with static ecmult altroot and make dist.
5133f78 Merge pull request zcash#254
b0a60e6 Merge pull request zcash#258
733c1e6 Add travis build to test the static context.
fbecc38 Add ability to use a statically generated ecmult context.
4fb174d Merge pull request zcash#263
4ab8990 Merge pull request zcash#270
bdf0e0c Merge pull request zcash#271
31d0c1f Merge pull request zcash#273
eb2c8ff Add missing casts to SECP256K1_FE_CONST_INNER
55399c2 Further performance improvements to _ecmult_wnaf
99fd963 Add secp256k1_ec_pubkey_compress(), with test similar to the related decompress() function.
145cc6e Improve performance of _ecmult_wnaf
36b305a Verify the result of GMP modular inverse using non-GMP code
0cbc860 Merge pull request zcash#266
06ff7fe Merge pull request zcash#267
5a43124 Save 1 _fe_negate since s1 == -s2
a5d796e Update code comments
3f3964e Add specific VERIFY tests for _fe_cmov
7d054cd Refactor to save a _fe_negate
b28d02a Refactor to remove a local var
55e7fc3 Perf. improvement in _gej_add_ge
a0601cd Fix VERIFY calculations in _fe_cmov methods
17f7148 Merge pull request zcash#261
7657420 Add tests for adding P+Q with P.x!=Q.x and P.y=-Q.y
8c5d5f7 tests: Add failing unit test for zcash#257 (bad addition formula)
5de4c5d gej_add_ge: fix degenerate case when computing P + (-lambda)P
bcf2fcf gej_add_ge: rearrange algebra
e2a07c7 Fix compilation with C++
873a453 Merge pull request zcash#250
91eb0da Merge pull request zcash#247
210ffed Use separate in and out pointers in `secp256k1_ec_pubkey_decompress`
a1d5ae1 Tiny optimization
729badf Merge pull request zcash#210
2d5a186 Apply effective-affine trick to precomp
4f9791a Effective affine addition in EC multiplication
2b4cf41 Use pkg-config always when possible, with failover to manual checks for libcrypto

git-subtree-dir: src/secp256k1
git-subtree-split: cbc20b8c34d44c2ef175420f3cdfe054f82e8e2c

str4d added a commit to str4d/zcash that referenced this issue Jun 6, 2017

Squashed 'src/secp256k1/' changes from 22f60a6..84973d3
84973d3 Merge zcash#454: Remove residual parts from the schnorr experiment.
5e95bf2 Remove residual parts from the schnorr experiment.

git-subtree-dir: src/secp256k1
git-subtree-split: 84973d393ac240a90b2e1a6538c5368202bc2224