Instead of using eta=-delta, use zeta=-(delta+1/2) to represent
delta. This variant only needs at most 590 iterations for 256-bit
inputs rather than 724 (by convex hull bounds analysis).
4504472269df06b8765b134d41f86619cdcdf8f6 changed import to use brackets <> for openssl as they are not local to the project (William Bright)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 4504472269df06b8765b134d41f86619cdcdf8f6
jonasnick:
ACK 4504472269df06b8765b134d41f86619cdcdf8f6
Tree-SHA512: e35c202835a82dab5fe9f2f75e7752e70b15d5d2ee7485790749f145b35e8e995c4978b4015c726387c24248a7efb636d28791fe882581a144a0ddfb27e14075
24ad04fc064e71abdf973e061c30eb1f3f78db39 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS (Pieter Wuille)
ebc1af700f9ec6e96586152b7090a2a6494308c3 Optimization: track f,g limb count and pass to new variable-time update_fg_var (Peter Dettman)
b306935ac12bb24fd931d735b4dfc07f707e7447 Optimization: use formulas instead of lookup tables for cancelling g bits (Peter Dettman)
9164a1b6582e2fc833c760a3403d26b9b0b3b7b3 Optimization: special-case zero modulus limbs in modinv64 (Pieter Wuille)
1f233b3fa05eb29a744487e0682d925055fb0d4c Remove num/gmp support (Pieter Wuille)
20448b8d09a492afcfcae7721033c13a44a776fd Remove unused Jacobi symbol support (Pieter Wuille)
5437e7bdfbffddf69fdf7b4af7e997c78f5dafbf Remove unused scalar_sqr (Pieter Wuille)
aa9cc5218001f14f4312bde1058417d4b755fd11 Improve field/scalar inverse tests (Pieter Wuille)
1e0e885c8ac814c3621d9e43e66d60f25e324e8e Make field/scalar code use the new modinv modules for inverses (Pieter Wuille)
436281afdcb68991395f97338197d208212965e2 Move secp256k1_fe_inverse{_var} to per-impl files (Pieter Wuille)
aa404d53bef21d252a23171381d4bfda6e7e25c6 Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files (Pieter Wuille)
08d54964e51f318ef0cc4ef09d64cfa5ec143c5c Improve bounds checks in modinv modules (Pieter Wuille)
151aac00d31ba5e94800376f6fda4193071168af Add tests for modinv modules (Pieter Wuille)
d8a92fcc4c65cf189ec7bd5298dad8479347c442 Add extensive comments on the safegcd algorithm and implementation (Pieter Wuille)
8e415acba25830da9c23a4dd5531ebfc6b65aae7 Add safegcd based modular inverse modules (Peter Dettman)
de0a643c3dc2c40a447e670cfa1c1683c79c9297 Add secp256k1_ctz{32,64}_var functions (Pieter Wuille)
Pull request description:
This is a rebased and squashed version of #767, adding safegcd-based implementations of constant-time and variable-time modular inverses for scalars and field elements, by Peter Dettman. The PR is organized as follows:
* **Add secp256k1_ctz{32,64}_var functions** Introduction of ctz functions to util.h (which use `__builtin_ctz` on recent GCC and Clang, but fall back to using a software emulation using de Bruijn on other platforms). This isn't used anywhere in this commit, but does include tests.
* **Add safegcd based modular inverse modules** Add Peter Dettman's safegcd code from #767 (without some of his optimizations, which are moved to later commits), turned into separate modules by me.
* **Add extensive comments on the safegcd algorithm and implementation** Add a long description of the algorithm and optimizations to `doc/safegcd_implementation.md`, as well as additional comments to the code itself. It is probably best to review this together with the previous commit (they're separated to keep authorship).
* **Add tests for modinv modules** Adds tests on the modinv interface directly, for arbitrary moduli.
* **Improve bounds checks in modinv modules** Adds a lot of sanity checking to the modinv modules.
* **Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files** A pure refactor to prepare for switching the field and scalar code to modinv.
* **Make field/scalar code use the new modinv modules for inverses** Actually switch over.
* **Add extra modular inverse tests** This adds modular inverse tests through the field/scalar interface, now that those use modinv.
* **Remove unused Jacobi symbol support** No longer needed.
* **Remove num/gmp support** Bye-bye.
* 3 commits with further optimizations.
ACKs for top commit:
gmaxwell:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39
sanket1729:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39
real-or-random:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39 careful code review, some testing
Tree-SHA512: 732fe29315965e43ec9a10ee8c71eceeb983c43fe443da9dc5380a5a11b5e40b06e98d6abf67b773b1de74571fd2014973c6376f3a0caeac85e0cf163ba2144b
The magnitude of the f and g variables generally goes down as the algorithm
progresses. Make use of this by keeping tracking how many limbs are used, and
when the number becomes small enough, make use of this to reduce the complexity
of arithmetic on them.
Refactored by: Pieter Wuille <pieter@wuille.net>
Both the field and scalar modulus can be written in signed{30,62} notation
with one or more zero limbs. Make use of this in the update_de function to
avoid a few wide multiplications when that is the case.
This doesn't appear to be a win in the 32-bit implementation, so only
do it for the 64-bit one.
Add a new run_inverse_tests that replaces all existing field/scalar inverse tests,
and tests a few identities for fixed inputs, small numbers (-999...999), random
inputs (structured and unstructured), as well as comparing with the output of
secp256k1_fe_inv_all_var.
This commit adds functions to verify and compare numbers in signed{30,62} notation,
and uses that to do more extensive bounds checking on various variables in the modinv
code.
This adds tests for the modinv{32,64}_impl.h directly (before the functions are used
inside the field/scalar code). It uses a naive implementation of modular multiplication
and gcds in order to verify the modular inverses themselves.
This adds a long comment explaining the algorithm and implementation choices by building
it up step by step in Python.
Comments in the code are also reworked/added, with references to the long explanation.
9361f360bb04156c7a0fa8f2664680b74d463ed5 ci: Select number of parallel make jobs depending on CI environment (Tim Ruffing)
28eccdf80641f71fada0ee4065c8127468162176 ci: Split output of logs into multiple sections (Tim Ruffing)
c7f754fe4d5e032fd150c4b9b985855e9fcaa521 ci: Run PRs on merge result instead of on the source branch (Tim Ruffing)
b994a8be3cf8ab0fc6a622980a9845bb82cc17db ci: Print information about binaries using "file" (Tim Ruffing)
f24e122d13db7061b1086ddfd21d3a1c5294213b ci: Switch all Linux builds to Debian (Tim Ruffing)
Pull request description:
Best reviewed commit by commit
ACKs for top commit:
jonasnick:
ACK 9361f360bb04156c7a0fa8f2664680b74d463ed5
sipa:
utACK 9361f360bb04156c7a0fa8f2664680b74d463ed5
Tree-SHA512: fc754e8b57dc58058cebbf63a60ca76e08dbaefea1508ea27b7f962bce697c10033da3f57a35f731bc7cf3e210eb00e3b8985ae8b729d7bd83faee085b878b9c
The experiment of using Nix Shell was not really successful. Most
notably, Nix uses a bunch of wrapper scripts around compilers, which
make the build much less "pure". This may be useful but it's exactly
not what we want for CI. In particular, this resulted in gcc being used
for the "clang" builds because a wrapper script redefined the CC env
variable.
This now builds a single docker image (Debian) for all architectures
that we test in CI on Linux.
7d3497cdc4c747bdd51db70f42fe218622c3169f ctime_test: move context randomization test to the end (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 7d3497cdc4c747bdd51db70f42fe218622c3169f diff looks good
Tree-SHA512: aef006c43df4cab254ee7de79cdd34c4e2f7a463f29d1da6d285006b32bb4e18d0b914a305f371b8b5f5a20594c37ee464eb1e59d1978db9b06bf6b642e651d8
This compiler flag is available for clang but not gcc.
Test plan:
```
autogen.sh
./configure
make check
CC=clang ./configure
make check
```
If a variable is used uninitialized, the warning should look something
like:
```
CC src/tests-tests.o
src/tests.c:4336:15: warning: variable 'recid' may be uninitialized when used here [-Wconditional-uninitialized]
CHECK(recid >= 0 && recid < 4);
^~~~~
./src/util.h:54:18: note: expanded from macro 'CHECK'
if (EXPECT(!(cond), 0)) { \
^~~~
./src/util.h:41:39: note: expanded from macro 'EXPECT'
^
src/tests.c:4327:14: note: initialize the variable 'recid' to silence this warning
int recid;
^
= 0
1 warning generated.
```
This was detected while running the tests with the `-Wconditional-uninitialized` flag
```
./autogen.sh
CC=clang CFLAGS="-Wconditional-uninitialized" ./configure
make check
```
The resulting warning is a false positive, but setting the value to -1
ensures that the CHECK below will fail if recid is never written to.
e491d06b98c9caa5eab74e38ba8419b9fb3b5015 Use bit ops instead of int mult for constant-time logic in gej_add_ge (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
utACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015. Seems obviously better.
elichai:
ACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015
jonasnick:
ACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015
Tree-SHA512: 65977d3405e3b6c184c736d46898b615689b56f7562165114429dea49c0f9feb81d021cbe196c8a813b6239254b394cc24ac8d278dab37e521843a1bb0f70c47
b6f649889ae78573f1959f04172a8e1fe15beab7 Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. (Russell O'Connor)
Pull request description:
This makes the macro robust against a hypothetical `ROUND_TO_ALIGN(foo ? sizeA : size B)` invocation.
See also <https://wiki.sei.cmu.edu/confluence/display/c/PRE01-C.+Use+parentheses+within+macros+around+parameter+names>.
ACKs for top commit:
sipa:
ACK b6f649889ae78573f1959f04172a8e1fe15beab7. This is the way.
jonasnick:
utACK b6f649889ae78573f1959f04172a8e1fe15beab7
real-or-random:
utACK b6f649889ae78573f1959f04172a8e1fe15beab7
Tree-SHA512: 6a2685f959e8ae472259e5ea75fe12e8e6213f56f5aec7603a896c294e6a8833caae25c412607d9c9a3125370a7765a3e506127b101a1b87203f95e326f6c6c6
fb390c5299e999e06b7dff9e77e373600fae9fdf Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. (Russell O'Connor)
Pull request description:
ACKs for top commit:
real-or-random:
utACK fb390c5299e999e06b7dff9e77e373600fae9fdf
jonasnick:
ACK fb390c5299e999e06b7dff9e77e373600fae9fdf
Tree-SHA512: f49da79c0a90d1e82494821e7cf6f61c66bc377a3f37b2d4787ef19d2126e000627bfe4a76aa1c5bfffeb1382054aa824a7e9ab5d73c19d876b0828722c73854
