The prover, when run on recent sage versions, failed to prove some of its
goals due to a change in sage. This commit adapts our code accordingly.
The prover passes again after this commit.
The macOS CI tasks often error fail when doing `brew update` with
git fetch errors:
```
remote: fatal: packfile /data/repositories/b/nw/b6/07/5c/123272362/network.git/objects/pack/pack-2139bd07361b62a358e380a0e7d58ec35593d191.pack cannot be accessed
fatal: protocol error: bad pack header
Error: Fetching /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core failed!
```
Superficially this seems to be a problem on the GitHub server because
the message shows a "remote" error. But it seems we're the only one in
the world running into this specific issue when doing `brew update`, so
it's more likely that the something else is the culprit, and this error
message is just a symptom.
This commit replaces `brew update` with a complete reinstallation of
brew. This is essentially a shot in the dark but it's worth a try, and
I doubt it's significantly more expensive. If that won't work, we may
consider simply retrying `brew update` a few times.
According to [autoconf 2.70](https://www.gnu.org/software/autoconf/manual/autoconf-2.70/html_node/Obsolete-Macros.html)
documentation, the `AC_PROG_CC_C89' is replaced by `AC_PROG_CC`, which
defines the same variable `ac_cv_prog_cc_c89`.
Avoids the following message:
```
configure.ac:23: warning: The macro `AC_PROG_CC_C89' is obsolete.
```
Also, remove deprecated `AM_PROG_CC_C_O`.
Python 3 often returns iterable map objects where Python 2 returned
list. We can just them down to lists explicitly.
Overlooked in 13c88efed0005eb6745a222963ee74564054eafb.
b797a500ec194948eecbea8bd80f6b7d455f7ca2 Create a SECP256K1_ECMULT_TABLE_VERIFY macro. (Russell O'Connor)
a731200cc30fcf019af08a41f7b6f329a08eaa0c Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function. (Russell O'Connor)
fe34d9f3419d090e94b0c0897895c5b2b9fdc244 Eliminate input_pos state field from ecmult_strauss_wnaf. (Russell O'Connor)
0397d00ba0401bf5be7c4312d84d17fc789a6566 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf. (Russell O'Connor)
7ba3ffcca0ae054cf0a1d6407c2dcf7445a46935 Remove the unused pre_a_lam allocations. (Russell O'Connor)
b3b57ad6eedac86bda40f062daee7d5f4241d25c Eliminate the pre_a_lam array from ecmult_strauss_wnaf. (Russell O'Connor)
ae7ba0f922b4c1439888b8488b307cd0f0e8ec59 Remove the unused prej allocations. (Russell O'Connor)
e5c18892db69b5db44d282225ab4fea788af8035 Eliminate the prej array from ecmult_strauss_wnaf. (Russell O'Connor)
c9da1baad125e830901f0ed6ad65eb4f9ccb81f4 Move secp256k1_fe_one to field.h (Russell O'Connor)
Pull request description:
ACKs for top commit:
sipa:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
jonasnick:
ACK b797a500ec194948eecbea8bd80f6b7d455f7ca2
Tree-SHA512: 6742469979c306104a0861be76c2be86bf8ab14116b00afbd24f91b9e3ea843bf9b9a74552b367bd06ee617090019ad4df6be037d58937c8c869f8b37ddaa6cc
070e772211b3fcd297577b90b56bbf7a5cfbd0a3 Faster fixed-input ecmult tests (Pieter Wuille)
Pull request description:
Given how much #920 slowed down the tests with low iteration count, replace it with 3 different similar test:
* count >= 1: a test with 1024 multiplies that tests any pattern of 6 bits in windows not more than 20 bits wide
* count >= 3: a test with 2048 multiplies that tests any pattern of 8 consecutive bits
* count >= 35: the old test (which effectively tests all 2-bit patterns)
ACKs for top commit:
robot-dreams:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3, the addition of the `CONDITIONAL_TEST` macro is nice.
real-or-random:
ACK 070e772211b3fcd297577b90b56bbf7a5cfbd0a3
Tree-SHA512: b4ccca42c71fcd1baa7143f73d1c3ac9d012c296485164a03341dbeee02e4ba9f7c7ad6b441923a5fe0286c97eff60815033adb4e1d30b3ef08bcb79590327ff
45f37b650635e46865104f37baed26ef8d2cfb97 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes#1063. (Paul Miller)
Pull request description:
ACKs for top commit:
siv2r:
ACK 45f37b6. The diff looks good. It reduces `msg32` to modulo curve order for rfc6979 nonce generation. All tests passed on my machine with `make check`.
sipa:
utACK 45f37b650635e46865104f37baed26ef8d2cfb97
real-or-random:
ACK 45f37b650635e46865104f37baed26ef8d2cfb97
Tree-SHA512: 4c36784b2d6f2983bc0c3f380ff59cd9f2bd1822b98116d70964cd15183742fcc1f2ccde225a76dd30d946b3678b2cf29caff018efc07f40a200ee85843b39dd
e82144edfb7673d9a5eeb2b556d08be5223835ac Fixup skew before global Z fixup (Peter Dettman)
40b624c90bff7a40aa28c4d942b0382c300386b8 Add tests for _gej_cmov (Peter Dettman)
8c13a9bfe16c426c082b8df401098c02db53c9a0 ECDH skews by 0 or 1 (Peter Dettman)
15150994333c872a20a1902aa01e1a60dbb1393d Simpler and faster ecdh skew fixup (Peter Dettman)
Pull request description:
This PR adds a `_gej_cmov` method, with accompanying tests, and uses it to simplify the skew fixup at the end of `_ecmult_const`.
In the existing code, `_wnaf_const` chooses a skew of either 1 or 2, and `_ecmult_const` needs a call to `_ge_set_gej` (which does an expensive field inversion internally) and some overly-complicated conversions to/from `_ge_storage` so that `_ge_storage_cmov` can be used to select what value to add for the fixup.
This PR uses a simpler scheme where `_wnaf_const` chooses a skew of 0 or 1 and no longer needs special handling for scalars with value negative one. A new `_gej_cmov` method is used at the end of `_ecmult_const` for const-time optional addition to adjust the final result for the skew. Finally, the skew fixup is moved to before the global-Z adjustment, and the precomputed table entries (for 1P, λ(1P)) are used for the skew fixup, saving a field multiply and ensuring the fixup is done on the same isomorphism as the ladder.
The resulting `_wnaf_const` and `_ecmult_const` are shorter and simpler, and the ECDH benchmark is around 5% faster (64bit, i7).
Edit: Updated description once the final scope was clear.
ACKs for top commit:
apoelstra:
ACK e82144ed
sipa:
ACK e82144edfb7673d9a5eeb2b556d08be5223835ac
real-or-random:
ACK e82144edfb7673d9a5eeb2b556d08be5223835ac
Tree-SHA512: 10d6770f4ef4f8d0c78abbf58d643f25f5daef68896643af0a3f7f877414e23356724b6f20af2027316a4353a35b8cb0a7851e057a3f6483897df02bf033a8a2
3d7cbafb5fd7f152fc47dc907af5df03150accc0 tests: Fix test whose result is implementation-defined (Tim Ruffing)
Pull request description:
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we restore the name of the function. It was mistakenly
renamed in 6173839c90553385171d560be8a17cbe167e3bef using
"search and replace".
ACKs for top commit:
robot-dreams:
ACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
sipa:
utACK 3d7cbafb5fd7f152fc47dc907af5df03150accc0
Tree-SHA512: f8bb643d4915e9ce9c4fe45b48a2878f6cf1f29e654be1c150cdf65c6959cf65f8491928cf098da5a01f1d488ba475914905ca96b232abed499eb6ed65e53fb8
77a19750b46916b93bb6a08837c26f585bd940fa Use xoshiro256++ PRNG instead of RFC6979 in tests (Pieter Wuille)
5f2efe684ecca8f767f98ee0ace813103cc88ade secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N) (Pieter Wuille)
Pull request description:
Just some easy low-hanging fruit. It's complete overkill to use the RFC6979 RNG for our test randomness. Replace it with a modern non-cryptographic RNG with good properties. It's a few % speedup for me.
Given the internal naming of all these functions to be "testrand", I'm not concerned about the risk of someone using this for something that needs actual cryptographic randomness.
ACKs for top commit:
robot-dreams:
ACK 77a19750b46916b93bb6a08837c26f585bd940fa
real-or-random:
utACK 77a19750b46916b93bb6a08837c26f585bd940fa
Tree-SHA512: 2706f37689e037e84b5df25c98af924c0756e6d59f5f822b23aec5ba381b2d536e0848f134026e2568396427218f1c770f1bb07613d702efb23a84015dc9271d
3ed0d02bf7690c68ba3ba74da765614809352049 doc: add CHANGELOG template (Jonas Nick)
6f42dc16c8483ff4c5f34cfc3aeae794ca2c660d doc: add release_process.md (Jonas Nick)
0bd3e4243caa3c000e6afe3ea5533b97565557c4 build: set library version to 0.0.0 explicitly (Jonas Nick)
b4b02fd8c4276779f115af5985508f54ef9e51be build: change libsecp version from 0.1 to 0.1.0-pre (Jonas Nick)
Pull request description:
This is an attempt at a simple release process. Fixes#856. To keep it simple, there is no concept of release candidates for now.
The release version is determined by semantic versioning of the API. Since it does not seem to be a lot of work, it is proper to also version the ABI with the libtool versioning system. This versioning scheme (semver API, libtool versioning ABI) follows the suggestion in the [autotools mythbusters](https://autotools.io/libtool/version.html).
Experimental modules are a bit of a headache, as expected. This release process suggests to treat any change in experimental modules as backwards compatible. That way, users of stable modules are not bothered by frequent non-backwards compatible releases. But a downside is that one must not use experimental modules in shared libraries (which should be mentioned in the README?). It would be nice if we could make the schnorrsig module stable in the not too distant future (see also #817).
ACKs for top commit:
apoelstra:
utACK 3ed0d02bf7690c68ba3ba74da765614809352049
elichai:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
sipa:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
real-or-random:
ACK 3ed0d02bf7690c68ba3ba74da765614809352049
Tree-SHA512: 25a04335a9579e16de48d378b93a9c6a248529f67f7c436680fa2d495192132743ce016c547aa9718cdcc7fe932de31dd7594f49052e8bd85572a84264f2dbee
05e049b73c69002f498c3c9c21555fd91f95ccac ecmult: move `_ecmult_odd_multiples_table_globalz_windowa` (siv2r)
Pull request description:
Fixes#1035
**Changes:**
- move `secp256k1_ecmult_odd_multiples_table_globalz_windowa` function from ecmult to ecmult_const
- remove outdated comment
ACKs for top commit:
robot-dreams:
utACK 05e049b73c69002f498c3c9c21555fd91f95ccac (`diff` between removed and added lines is exactly as expected)
real-or-random:
utACK 05e049b73c69002f498c3c9c21555fd91f95ccac
Tree-SHA512: 3fad4e93c641b642e84f4bbafcb8083d3e63b0523009fe0edcb2c1ebe1571d822320451289c651403ed1dc033ec6a7a3e8c3c56ad93d81bb1590cf9ff15a3b34
A compiler may add struct padding and fe_cmov is not guaranteed to
preserve it.
On the way, we improve the identity check such that it covers the
VERIFY struct members.
b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2 ci: Run valgrind/memcheck tasks with 2 CPUs (Tim Ruffing)
e70acab601aecf3c5a8affb5a4dce5612b298964 ci: Use Cirrus "greedy" flag to use idle CPU time when available (Tim Ruffing)
d07e30176e084334081fa53be81e75c064375f36 ci: Update brew on macOS (Tim Ruffing)
22382f0ea0e234242e248720b9d1d171cb2de0f8 ci: Test different ecmult window sizes (Tim Ruffing)
26a022a3a0e3fceb1cd2e882e1476c950cabc2e8 ci: Remove STATICPRECOMPUTATION (Tim Ruffing)
10461d8bd3ce3ee8ca443ccad20915217ee74397 precompute_ecmult: Always compute all tables up to default WINDOW_G (Tim Ruffing)
Pull request description:
ACKs for top commit:
elichai:
utACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
jonasnick:
ACK b4ac1a1d5f4d51b9836ac310b78bc9d4256580c2
Tree-SHA512: b283d7b1c72cf87484de1fe98318298698fe9982dc33389eaca62e92318ab0074c183b9799add274f46358032491fee875e5ffb2a76a47f3b07520b850f4c85e
1287786c7a97eff520ffbd6b0d8b2f99dbfc6371 doc: Add comment to top of field_10x26_impl.h (Elliott Jin)
58da5bd589f61b0e0e9b58388ee3e0da8a2c3c3a doc: Fix upper bounds + cleanup in field_5x52_impl.h comment (Elliott Jin)
Pull request description:
When reviewing #816 I noticed the upper bounds in the comment at the top of `field_5x52_impl.h` were off by 1 (see `fe_verify`). This PR fixes the upper bounds and also cleans up the comment along the way.
ACKs for top commit:
real-or-random:
ACK 1287786c7a97eff520ffbd6b0d8b2f99dbfc6371
Tree-SHA512: 4b7dadc92451ab1ceb5a547a3101ff37f3ffd0645490563f1f3442ea8d6219f100ed914289d22435c4172d190fa1ff52e37e4464132bb3f9bbcc338488227f7b
22d25c8e0ab1d24f0f4a80fe016cbd71cd889866 Add another ecmult_multi test (Pieter Wuille)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 22d25c8e0ab1d24f0f4a80fe016cbd71cd889866
Tree-SHA512: e1394fa1708e65a66d4b324cca60dd49c67e37b23b7da2a3ff0db7a2a25c23976cb03b96a8c8584ee81aaec559feb84fb113dff2e2ebf89110ed466a4a6b158b
