The VERIFY macro turns on various paranoid consistency checks, but
the complete functionality should still be tested without it.
This also adds a couple of static test points for extremely small
split inputs/outputs. The existing bounds vectors already check
extremely large outputs.
This allows us to shift by 256+128 = 384 bits, which is a multiple of the limb size of
the scalar representation. This also happens to be the most precision possible for g2
that still fits into a 256-bit value.
a45c1fa63c Rename testrand functions to have test in name (Pieter Wuille)
Pull request description:
Suggested here: https://github.com/bitcoin-core/secp256k1/pull/808#discussion_r488871913
ACKs for top commit:
real-or-random:
ACK a45c1fa63c diff looks good
elichai:
utACK a45c1fa63c
Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND (Jonas Nick)
66a765c775 travis: Explicitly set --with-valgrind (Jonas Nick)
Pull request description:
Also remove CPPFLAGS=-DVALGRIND because that's redundant with when
configured with --enable-valgrind.
ACKs for top commit:
real-or-random:
ACK 4eecb4d6ef diff and travis output look good
sipa:
utACK 4eecb4d6ef
elichai:
ACK 4eecb4d6ef
Tree-SHA512: c22d79fccaa926a074272b63a61f052f4bec3b1e5a871e3f08a4f6c19046da575779126a7008eb8a7513e70997b32d1dc6565dfb7aa41c57c0b6ef15ebbc8303
c0041b5cfc Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)
Pull request description:
Solves one item in #792 .
ACKs for top commit:
sipa:
utACK c0041b5cfc
elichai:
ACK c0041b5cfc
Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig (Pieter Wuille)
08d7d89299 Make pubkey parsing test whether points are in the correct subgroup (Pieter Wuille)
87af00b511 Abstract out challenge computation in schnorrsig (Pieter Wuille)
63e1b2aa7d Disable output buffering in tests_exhaustive.c (Pieter Wuille)
39f67dd072 Support splitting exhaustive tests across cores (Pieter Wuille)
e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs (Pieter Wuille)
49e6630bca refactor: move RNG seeding to testrand (Pieter Wuille)
b110c106fa Change exhaustive test groups so they have a point with X=1 (Pieter Wuille)
cec7b18a34 Select exhaustive lambda in function of order (Pieter Wuille)
78f6cdfaae Make the curve B constant a secp256k1_fe (Pieter Wuille)
d7f39ae4b6 Delete gej_is_valid_var: unused outside tests (Pieter Wuille)
8bcd78cd79 Make secp256k1_scalar_b32 detect overflow in scalar_low (Pieter Wuille)
c498366e5b Move exhaustive tests for recovery to module (Pieter Wuille)
be31791543 Make group order purely compile-time in exhaustive tests (Pieter Wuille)
Pull request description:
A few miscellaneous improvements:
* Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
* Move exhaustive tests for recovery module to the recovery module directory
* Make `secp256k1_scalar_set_b32` detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
* Change the small test groups so that they include a point with X coordinate 1.
* Initialize the RNG seed, allowing configurating from the cmdline, and report it.
* Permit changing the number of iterations (re-randomizing for each).
* Support splitting the work across cores from the cmdline.
And a big one:
* Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).
ACKs for top commit:
real-or-random:
ACK 8b7dcdd955
jonasnick:
ACK 8b7dcdd955
Tree-SHA512: 18d7f362402085238faaced164c0ca34079717a477001fc0b13448b3529ea2ad705793a13b7a36f34bf12e9231fee11070f88cc51bfc2a83ca82aa13f7aaae71
412bf874d0 configure: Allow specifying --with[out]-valgrind explicitly (Luke Dashjr)
Pull request description:
ACKs for top commit:
sipa:
ACK 412bf874d0. Tested by running configure on a system with and without valgrind, and with no argument, with `--with-valgrind`, and with `--without-valgrind`.
real-or-random:
ACK 412bf874d0
jonasnick:
ACK 412bf874d0
Tree-SHA512: 92417609751e5af813faff1661055cd37f3d00dbcf109a8f14f8ba59d9f3d620c9c6b67d2b1629b6ab75e2afcd47d2b3898a0427931567fb505bc92fa5ee3532
This enables testing overflow is correctly encoded in the recid, and
likely triggers more edge cases.
Also introduce a Sage script to generate the parameters.
34debf7a6d Modify .travis.yml to explictly pass no in env vars instead of setting to nothing (Elichai Turkel)
ef37761fee Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 34debf7a6d
jonasnick:
ACK 34debf7a6d
Tree-SHA512: 91becfbc9cb7587ee55b2bceb604ea0aed8860990d63a5f414b11db92180c090ea8bcc048c2fb67a094e892138e3be46f00562bf78b7c3369232457289cde447
5738e8622d tests: Initialize random group elements fully (Tim Ruffing)
Pull request description:
Also fix add a missing comment.
ACKs for top commit:
sipa:
utACK 5738e8622d
Tree-SHA512: c7723e225434e7044379f307b2977a3a5251080793bd87b377a2bbf1d18b39ca05f6fb3b427acec32c3b34f4de678fe7087a2dcca4b5f03ec1fc680a88d82b9a
f431b3f28a valgrind_ctime_test: Add schnorrsig_sign (Jonas Nick)
16ffa9d97c schnorrsig: Add taproot test case (Jonas Nick)
8dfd53ee3f schnorrsig: Add benchmark for sign and verify (Jonas Nick)
4e43520026 schnorrsig: Add BIP-340 compatible signing and verification (Jonas Nick)
7332d2db6b schnorrsig: Add BIP-340 nonce function (Jonas Nick)
7a703fd97d schnorrsig: Init empty experimental module (Jonas Nick)
eabd9bc46a Allow initializing tagged sha256 (Jonas Nick)
6fcb5b845d extrakeys: Add keypair_xonly_tweak_add (Jonas Nick)
58254463f9 extrakeys: Add keypair struct with create, pub and pub_xonly (Jonas Nick)
f0010349b8 Separate helper functions for pubkey_create and seckey_tweak_add (Jonas Nick)
910d9c284c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test (Jonas Nick)
176bfb1110 Separate helper function for ec_pubkey_tweak_add (Jonas Nick)
4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey (Jonas Nick)
47e6618e11 extrakeys: Init empty experimental module (Jonas Nick)
3e08b02e2a Make the secp256k1_declassify argument constant (Jonas Nick)
Pull request description:
This PR implements signing, verification and batch verification as described in [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki) in an experimental module named `schnorrsig`. It includes the test vectors and a benchmarking tool.
This PR also adds a module `extrakeys` that allows [BIP-341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)-style key tweaking.
(Adding ChaCha20 as a CSPRNG and batch verification was moved to PR #760).
In order to enable the module run `./configure` with `--enable-experimental --enable-module-schnorrsig`.
Based on apoelstra's work.
ACKs for top commit:
gmaxwell:
ACK f431b3f28a (exactly matches the previous post-fixup version which I have already reviewed and tested)
sipa:
ACK f431b3f28a
real-or-random:
ACK f431b3f28a careful code review
Tree-SHA512: e15e849c7bb65cdc5d7b1d6874678e275a71e4514de9d5432ec1700de3ba92aa9f381915813f4729057af152d90eea26aabb976ed297019c5767e59cf0bbc693
47a7b8382f Clear field elements when writing infinity (Elichai Turkel)
61d1ecb028 Added test with additions resulting in infinity (Elichai Turkel)
Pull request description:
Currently if `secp256k1_gej_add_var` / `secp256k1_gej_add_ge_var` /` secp256k1_gej_add_zinv_var` receive `P + (-P)` it will set `gej->infinity = 1` but doesn't call initialize the field elements.
Notice that this is the only branch in the function that results in an uninitialized output.
By using `secp256k1_gej_set_infinity()` it will set the field elements to zero while also setting the infinity flag.
I also added a test that fails with valgrind on current master but passes with the fix.
EDIT: This isn't a bug or something necessary, I just personally found this helpful.
ACKs for top commit:
real-or-random:
ACK 47a7b8382f
Tree-SHA512: cdc2efc242a1b04b4f081183c07d4b2602cdba705e6b30b548df4e115e54fb97691f4b1a28f142f02d5e523c020721337a297b17d732acde147b910f5c53bd0a
8bc6aeffa9 Add SHA256 selftest (Pieter Wuille)
5e5fb28b4a Use additional system macros to figure out endianness (Pieter Wuille)
Pull request description:
These are all the architecture macros I could find with known endianness. Use those as a fallback when __BYTE_ORDER__ isn't available.
See https://github.com/bitcoin-core/secp256k1/pull/787#issuecomment-673764652
It also adds a SHA256 selftest, so that improperly overriding the endianness detection will be detected at runtime.
ACKs for top commit:
real-or-random:
ACK 8bc6aeffa9 I read the diff, and tested that the self-test passes/fails with/without the correct endianness setting
gmaxwell:
ACK 8bc6aeffa9 looks good and I also ran the tests on MIPS-BE and verified that forcing it to LE makes the runtime test fail.
Tree-SHA512: aca4cebcd0715dcf5b58f5763cb4283af238987f43bd83a650e38e127f348131692b2eed7ae5b2ae96046d9b971fc77c6ab44467689399fe470a605c3458ecc5
Gregory Maxwell
Pieter Wuille
Russell O'Connor
Tim Ruffing
Jonas Nick
Luke Dashjr
Elichai Turkel