24ad04fc064e71abdf973e061c30eb1f3f78db39 Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS (Pieter Wuille)
ebc1af700f9ec6e96586152b7090a2a6494308c3 Optimization: track f,g limb count and pass to new variable-time update_fg_var (Peter Dettman)
b306935ac12bb24fd931d735b4dfc07f707e7447 Optimization: use formulas instead of lookup tables for cancelling g bits (Peter Dettman)
9164a1b6582e2fc833c760a3403d26b9b0b3b7b3 Optimization: special-case zero modulus limbs in modinv64 (Pieter Wuille)
1f233b3fa05eb29a744487e0682d925055fb0d4c Remove num/gmp support (Pieter Wuille)
20448b8d09a492afcfcae7721033c13a44a776fd Remove unused Jacobi symbol support (Pieter Wuille)
5437e7bdfbffddf69fdf7b4af7e997c78f5dafbf Remove unused scalar_sqr (Pieter Wuille)
aa9cc5218001f14f4312bde1058417d4b755fd11 Improve field/scalar inverse tests (Pieter Wuille)
1e0e885c8ac814c3621d9e43e66d60f25e324e8e Make field/scalar code use the new modinv modules for inverses (Pieter Wuille)
436281afdcb68991395f97338197d208212965e2 Move secp256k1_fe_inverse{_var} to per-impl files (Pieter Wuille)
aa404d53bef21d252a23171381d4bfda6e7e25c6 Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files (Pieter Wuille)
08d54964e51f318ef0cc4ef09d64cfa5ec143c5c Improve bounds checks in modinv modules (Pieter Wuille)
151aac00d31ba5e94800376f6fda4193071168af Add tests for modinv modules (Pieter Wuille)
d8a92fcc4c65cf189ec7bd5298dad8479347c442 Add extensive comments on the safegcd algorithm and implementation (Pieter Wuille)
8e415acba25830da9c23a4dd5531ebfc6b65aae7 Add safegcd based modular inverse modules (Peter Dettman)
de0a643c3dc2c40a447e670cfa1c1683c79c9297 Add secp256k1_ctz{32,64}_var functions (Pieter Wuille)
Pull request description:
This is a rebased and squashed version of #767, adding safegcd-based implementations of constant-time and variable-time modular inverses for scalars and field elements, by Peter Dettman. The PR is organized as follows:
* **Add secp256k1_ctz{32,64}_var functions** Introduction of ctz functions to util.h (which use `__builtin_ctz` on recent GCC and Clang, but fall back to using a software emulation using de Bruijn on other platforms). This isn't used anywhere in this commit, but does include tests.
* **Add safegcd based modular inverse modules** Add Peter Dettman's safegcd code from #767 (without some of his optimizations, which are moved to later commits), turned into separate modules by me.
* **Add extensive comments on the safegcd algorithm and implementation** Add a long description of the algorithm and optimizations to `doc/safegcd_implementation.md`, as well as additional comments to the code itself. It is probably best to review this together with the previous commit (they're separated to keep authorship).
* **Add tests for modinv modules** Adds tests on the modinv interface directly, for arbitrary moduli.
* **Improve bounds checks in modinv modules** Adds a lot of sanity checking to the modinv modules.
* **Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files** A pure refactor to prepare for switching the field and scalar code to modinv.
* **Make field/scalar code use the new modinv modules for inverses** Actually switch over.
* **Add extra modular inverse tests** This adds modular inverse tests through the field/scalar interface, now that those use modinv.
* **Remove unused Jacobi symbol support** No longer needed.
* **Remove num/gmp support** Bye-bye.
* 3 commits with further optimizations.
ACKs for top commit:
gmaxwell:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39
sanket1729:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39
real-or-random:
ACK 24ad04fc064e71abdf973e061c30eb1f3f78db39 careful code review, some testing
Tree-SHA512: 732fe29315965e43ec9a10ee8c71eceeb983c43fe443da9dc5380a5a11b5e40b06e98d6abf67b773b1de74571fd2014973c6376f3a0caeac85e0cf163ba2144b
The magnitude of the f and g variables generally goes down as the algorithm
progresses. Make use of this by keeping tracking how many limbs are used, and
when the number becomes small enough, make use of this to reduce the complexity
of arithmetic on them.
Refactored by: Pieter Wuille <pieter@wuille.net>
Both the field and scalar modulus can be written in signed{30,62} notation
with one or more zero limbs. Make use of this in the update_de function to
avoid a few wide multiplications when that is the case.
This doesn't appear to be a win in the 32-bit implementation, so only
do it for the 64-bit one.
Add a new run_inverse_tests that replaces all existing field/scalar inverse tests,
and tests a few identities for fixed inputs, small numbers (-999...999), random
inputs (structured and unstructured), as well as comparing with the output of
secp256k1_fe_inv_all_var.
This commit adds functions to verify and compare numbers in signed{30,62} notation,
and uses that to do more extensive bounds checking on various variables in the modinv
code.
This adds tests for the modinv{32,64}_impl.h directly (before the functions are used
inside the field/scalar code). It uses a naive implementation of modular multiplication
and gcds in order to verify the modular inverses themselves.
This adds a long comment explaining the algorithm and implementation choices by building
it up step by step in Python.
Comments in the code are also reworked/added, with references to the long explanation.
9361f360bb04156c7a0fa8f2664680b74d463ed5 ci: Select number of parallel make jobs depending on CI environment (Tim Ruffing)
28eccdf80641f71fada0ee4065c8127468162176 ci: Split output of logs into multiple sections (Tim Ruffing)
c7f754fe4d5e032fd150c4b9b985855e9fcaa521 ci: Run PRs on merge result instead of on the source branch (Tim Ruffing)
b994a8be3cf8ab0fc6a622980a9845bb82cc17db ci: Print information about binaries using "file" (Tim Ruffing)
f24e122d13db7061b1086ddfd21d3a1c5294213b ci: Switch all Linux builds to Debian (Tim Ruffing)
Pull request description:
Best reviewed commit by commit
ACKs for top commit:
jonasnick:
ACK 9361f360bb04156c7a0fa8f2664680b74d463ed5
sipa:
utACK 9361f360bb04156c7a0fa8f2664680b74d463ed5
Tree-SHA512: fc754e8b57dc58058cebbf63a60ca76e08dbaefea1508ea27b7f962bce697c10033da3f57a35f731bc7cf3e210eb00e3b8985ae8b729d7bd83faee085b878b9c
The experiment of using Nix Shell was not really successful. Most
notably, Nix uses a bunch of wrapper scripts around compilers, which
make the build much less "pure". This may be useful but it's exactly
not what we want for CI. In particular, this resulted in gcc being used
for the "clang" builds because a wrapper script redefined the CC env
variable.
This now builds a single docker image (Debian) for all architectures
that we test in CI on Linux.
7d3497cdc4c747bdd51db70f42fe218622c3169f ctime_test: move context randomization test to the end (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 7d3497cdc4c747bdd51db70f42fe218622c3169f diff looks good
Tree-SHA512: aef006c43df4cab254ee7de79cdd34c4e2f7a463f29d1da6d285006b32bb4e18d0b914a305f371b8b5f5a20594c37ee464eb1e59d1978db9b06bf6b642e651d8
e491d06b98c9caa5eab74e38ba8419b9fb3b5015 Use bit ops instead of int mult for constant-time logic in gej_add_ge (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
utACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015. Seems obviously better.
elichai:
ACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015
jonasnick:
ACK e491d06b98c9caa5eab74e38ba8419b9fb3b5015
Tree-SHA512: 65977d3405e3b6c184c736d46898b615689b56f7562165114429dea49c0f9feb81d021cbe196c8a813b6239254b394cc24ac8d278dab37e521843a1bb0f70c47
b6f649889ae78573f1959f04172a8e1fe15beab7 Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation. (Russell O'Connor)
Pull request description:
This makes the macro robust against a hypothetical `ROUND_TO_ALIGN(foo ? sizeA : size B)` invocation.
See also <https://wiki.sei.cmu.edu/confluence/display/c/PRE01-C.+Use+parentheses+within+macros+around+parameter+names>.
ACKs for top commit:
sipa:
ACK b6f649889ae78573f1959f04172a8e1fe15beab7. This is the way.
jonasnick:
utACK b6f649889ae78573f1959f04172a8e1fe15beab7
real-or-random:
utACK b6f649889ae78573f1959f04172a8e1fe15beab7
Tree-SHA512: 6a2685f959e8ae472259e5ea75fe12e8e6213f56f5aec7603a896c294e6a8833caae25c412607d9c9a3125370a7765a3e506127b101a1b87203f95e326f6c6c6
fb390c5299e999e06b7dff9e77e373600fae9fdf Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers. (Russell O'Connor)
Pull request description:
ACKs for top commit:
real-or-random:
utACK fb390c5299e999e06b7dff9e77e373600fae9fdf
jonasnick:
ACK fb390c5299e999e06b7dff9e77e373600fae9fdf
Tree-SHA512: f49da79c0a90d1e82494821e7cf6f61c66bc377a3f37b2d4787ef19d2126e000627bfe4a76aa1c5bfffeb1382054aa824a7e9ab5d73c19d876b0828722c73854
3c15130709da26a6d2f25a483aa45e14bf1e4feb Improve CC_FOR_BUILD detection (Tim Ruffing)
47802a476246b67360bc24df78fe5fad6b93c296 Restructure and tidy configure.ac (Tim Ruffing)
252c19dfc654dbb10a35579fa36edb3466904758 Ask brew for valgrind include path (Tim Ruffing)
Pull request description:
See individual commit messages. These are improvements in preparation of the switch to Cirrus CI. (Maybe I'll just open a PR on top of this one.)
The first commit made the difference between successful build https://cirrus-ci.com/task/6740575057608704 and unsuccessful build https://cirrus-ci.com/task/4909571074424832.
I've tested the second commit without cross-compilation and with cross-compilation for android (https://github.com/bitcoin-core/secp256k1/issues/621#issuecomment-495703399)
When working on the autoconf stuff, I noticed two things that I just want to write down here:
- At some point we should update [build-aux/m4/ax_prog_cc_for_build.m4](https://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html). This is outdated, and [there have been a lot of fixes](https://github.com/autoconf-archive/autoconf-archive/pull/207) But the latest version is [broken](https://lists.gnu.org/archive/html/autoconf-archive-maintainers/2020-06/msg00002.html), so now is probably not the time.
- The latest autoconf 2.70 deprecates `AC_PROG_CC_C89`. It's not needed anymore because `AC_PROG_CC` cares about testing for version support. This makes autoconf 2.70 output a warning that we should probably just ignore. We don't want to force users onto 2.70...
ACKs for top commit:
sipa:
utACK 3c15130709da26a6d2f25a483aa45e14bf1e4feb
jonasnick:
utACK 3c15130 makes sense (with my very basic understanding of autoconf)
Tree-SHA512: 595b9de316374c2213f1340cddaa22eb3190b01fa99aa6ae26e77804df41e7ecf96a09e03c28e8f8b9fd04e211e4ee2f78f1e5a7995143c84f99d2e16d4f0260
33cb3c2b1fc3f3fe46c6d0eab118248ea86c1f06 Add secret key extraction from keypair to constant time tests (Elichai Turkel)
36d9dc1e8e6e3b15d805f04c973a8784a78880f6 Add seckey extraction from keypair to the extrakeys tests (Elichai Turkel)
fc96aa73f5c7f62452847a31821890ff1f72a5a4 Add a function to extract the secretkey from a keypair (Elichai Turkel)
Pull request description:
With schnorrsig if you need to tweak the secret key (for BIP32) you must use the keypair API to get compatible secret/public keys which you do by calling `secp256k1_keypair_xonly_tweak_add()`, but after that there's no currently a way to extract the secret key back for storage.
so I added a `secp256k1_keypair_seckey` function to extract the key
ACKs for top commit:
jonasnick:
ACK 33cb3c2b1fc3f3fe46c6d0eab118248ea86c1f06
real-or-random:
ACK 33cb3c2b1fc3f3fe46c6d0eab118248ea86c1f06 code inspection, tests pass
Tree-SHA512: 11212db38c8b87a87e2dc35c4d6993716867b45215b94b20522b1b3164ca63d4c6bf5192a6bff0e9267b333779cc8164844c56669a94e9be72df9ef025ffcfd4
This commits simply uses CC as CC_FOR_BUILD and the same for
corresponding flags if we're not cross-compiling. This has a number of
benefits in this common case:
- It avoids strange cases where very old compilers are used (#768).
- Flags are consistently set for CC and CC_FOR_BUILD.
- ./configure is faster.
- You get compiler x consistently if you set CC=x; we got this wrong
in CI in the past.
./configure warns if a _FOR_BUILD variable is set but ignored because
we're not cross-compiling.
The change exposed that //-style comments are used in gen_context.c,
which is also fixed by this commit.
This commit also reorganizes code in configure.ac to have a cleaner
separation of sections.
Valgrind is typically installed using brew on macOS. This commit
makes ./configure detect this case set the appropriate include
directory (in the same way as we already do for openssl and gmp).
