Commit Graph

32 Commits

Author SHA1 Message Date
Kittywhiskers Van Gogh
78a9f1e55b merge bitcoin#27479: BIP324: ElligatorSwift integrations 2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
4ac25312cc partial bitcoin#27445: Update src/secp256k1 subtree to release v0.3.1
excludes:
- 719a74989be3cfbc4422ec07cac199c295d28d05
- 621c17869d3754559c03e4f2bee73885659e0c68
2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
2458280f41 merge bitcoin#27230: Update src/secp256k1 subtree to upstream release v0.3.0 2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
a3f29982ad partial bitcoin#26691: Update secp256k1 subtree to libsecp256k1 version 0.2.0
notes:
- excludes changes made to `SignSchnorr`, `XOnlyPubKey`, kernel context and absent {fuzz,bench} tests
2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
e2f576b3c8 merge bitcoin#25251: Consolidate Windows ASLR workarounds for upstream secp256k1 changes 2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
ac140f0299 partial bitcoin#24792: Update libsecp256k1 subtree to current master
excludes:
- d960d4fd3a767cf5695bed96c5f329056f77d0da
- 404c53062bb80853d5967187bdb7b5f7e749de7f
2023-11-21 07:59:03 -06:00
Kittywhiskers Van Gogh
7e6213b0ff partial bitcoin#23383: Update libsecp256k1 subtree to current master
excludes
- 314195c8be3bd7db0d5817c4fb3aa85c84363ce9
2023-11-21 07:59:03 -06:00
fanquake
54f3b66902
Partial merge #22448: Update libsecp256k1 subtree to latest upstream
c020cbaa5c8e9e61b2b8efd8dc09be743fcd4273 Squashed 'src/secp256k1/' changes from efad3506a8..be8d9c262f (Pieter Wuille)

Pull request description:

  This updates our src/secp256k1 subtree to the lastest upstream master. Notable changes:
  * New schnorrsig API (https://github.com/bitcoin-core/secp256k1/pull/844), which adds support for variable-length messages (not used in BIP341/342 transaction signing, so not relevant for us, but it changes the API, and makes some other simplifications). Some of our call sites had to be adapted.
  * Don't use asm optimizations for `gen_context` (https://github.com/bitcoin-core/secp256k1/pull/965). This fixes #22441.
  * Various testing/CI improvements

ACKs for top commit:
  hebasto:
    ACK e4ffb44716bb7a7b9f0a5d70ac07058632234370
  jonatack:
    Light ACK e4ffb44716bb7a7b9f0a5d70ac07058632234370 debug built (debian clang 13.0), ran bitcoind node/tests/git-subtree-check.sh, lightly reviewed the diff and API changes
  fanquake:
    ACK e4ffb44716bb7a7b9f0a5d70ac07058632234370

Tree-SHA512: 89a5c3019ec010d578e84bcef756d2c679420c5c768bcdece673405c4e10955179c5a1339aafc68b8b74b1e3912e147bf2f392f44f15af73791d93f6537960b3
2021-08-11 00:05:23 +03:00
W. J. van der Laan
bc61867454
Merge #21573: Update libsecp256k1 subtree to latest master
5c7ee1b2da6bf783d27034fca9dfd3a64ed525cb libsecp256k1 no longer has --with-bignum= configure option (Pieter Wuille)
bdca9bcb6c9379707d09c63f02326884befbefb2 Squashed 'src/secp256k1/' changes from 3967d96bf1..efad3506a8 (Pieter Wuille)
cabb5661234f8d832dbc3b65bf80b0acc02db0a0 Disable certain false positive warnings for libsecp256k1 msvc build (Pieter Wuille)

Pull request description:

  This updates our src/secp256k1 subtree to the latest upstream master. The changes include:

  * The introduction of safegcd-based modular inverses, reducing ECDSA signing time by 25%-30% and ECDSA verification time by 15%-17%.
    * [Original paper](https://gcd.cr.yp.to/papers.html) by Daniel J. Bernstein and Bo-Yin Yang
    * [Implementation](https://github.com/bitcoin-core/secp256k1/pull/767) by Peter Dettman; [final](https://github.com/bitcoin-core/secp256k1/pull/831) version
    * [Explanation](https://github.com/bitcoin-core/secp256k1/blob/master/doc/safegcd_implementation.md) of the algorithm using Python snippets
    * [Analysis](https://github.com/sipa/safegcd-bounds) of the maximum number of iterations the algorithm needs
    * [Formal proof in Coq](https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348) by Russell O'Connor, for a high-level equivalent algorithm
  * Removal of libgmp as an (optional) dependency (which wasn't used in the Bitcoin Core build)
  * CI changes (Travis -> Cirrus)
  * Build system improvements

ACKs for top commit:
  laanwj:
    Tested ACK 5c7ee1b2da6bf783d27034fca9dfd3a64ed525cb

Tree-SHA512: ad8ac3746264d279556a4aa7efdde3733e114fdba8856dd53218588521f04d83950366f5c1ea8fd56329b4c7fe08eedf8e206f8f26dbe3f0f81852e138655431
2021-08-11 00:05:23 +03:00
fanquake
ee2a08fe89
Merge #20257: Update secp256k1 subtree to latest master
6c0259fc2f8bd34ba83ad10a6a11d6d99e8d1fc7 Squashed 'src/secp256k1/' changes from c6b6b8f1bb..3967d96bf1 (Pieter Wuille)

Pull request description:

  Nothing important changed, but this silences this (erroneous) warning in certain GCC 9 versions:

  ```
  In file included from src/secp256k1.c:16:
  src/ecmult_impl.h: In function ‘secp256k1_ecmult’:
  src/ecmult_impl.h:496:48: warning: array subscript [1, 268435456] is outside array bounds of ‘struct secp256k1_strauss_point_state[1]’ [-Warray-bounds]
    496 |             secp256k1_gej tmp = a[state->ps[np].input_pos];
        |                                   ~~~~~~~~~~~~~^~~~~~~~~~
  src/ecmult_impl.h:565:42: note: while referencing ‘ps’
    565 |     struct secp256k1_strauss_point_state ps[1];
        |                                          ^~
  src/ecmult_impl.h:502:139: warning: array subscript [1, 268435456] is outside array bounds of ‘struct secp256k1_strauss_point_state[1]’ [-Warray-bounds]
    502 |             secp256k1_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z));
        |                                                                                                                              ~~~~~~~~~~~~~^~~~~~~~~~
  src/ecmult_impl.h:565:42: note: while referencing ‘ps’
    565 |     struct secp256k1_strauss_point_state ps[1];
        |                                          ^~
  ```

  (see https://github.com/bitcoin-core/secp256k1/issues/834)

ACKs for top commit:
  fanquake:
    ACK 5803f5f5f6030e69b46a46f0511b8173bf89de0d  - performed the update myself and got the same change: [check_20257_subtree](https://github.com/fanquake/bitcoin/tree/check_20257_subtree).
  hebasto:
    ACK 5803f5f5f6030e69b46a46f0511b8173bf89de0d, tested on Linux Mint 20 (x86_64) with `gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0` -- no warnings are emitted.

Tree-SHA512: 386281d23aee93a3b1d1a09fec8319c3a477e46967430c935677eed54abddc62d5a7710f9eeab1ec476ace05adcb194b5b377712e44a6bb95a74ffa35faf77f3
2021-08-11 00:05:23 +03:00
fanquake
63ee0494c4
Merge #20147: Update libsecp256k1 (endomorphism, test improvements)
52380bf304b1c02dda23f1e2fad0159e29b2f7a2 Squashed 'src/secp256k1/' changes from 8ab24e8dad..c6b6b8f1bb (Pieter Wuille)

Pull request description:

  This updates the libsecp256k1 subtree to the latest master, which includes:

  * Enabling the GLV endomorphism optimization by default (and removing support for the non-GLV EC multiplication)
  * Added a proof for the correctness of the lambda split algorithm by roconnor-blockstream (other code was relying on the fact that it always outputs 128 bit results, which isn't at all obvious).
  * Improved exhaustive tests, in particular for the Schnorr signature module
  * Various other testing and CI improvements

ACKs for top commit:
  fanquake:
    ACK 9e5626d2a8ddbbd7640ff53f89f3a7021d747633 - performed a squash and checked that the changes were the same. The non-endomorphism code has now been ripped out.
  benthecarman:
    ACK 9e5626d

Tree-SHA512: 50fda5f3f934ee525f01cfc15e4f5efbc5261a97f2b77fe1b3453ee0edcf1281ad74ab4532a2fe1fe907652dd47023beff8cf3d73bf34f65ac914a694b9e7110
2021-08-11 00:05:23 +03:00
fanquake
c2ab8285d8
Merge #19944: Update secp256k1 subtree (including BIP340 support)
b9c1a7648131c5deec9704ee9acd00ec1820b9ce Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad (Pieter Wuille)

Pull request description:

  This updates our src/secp256k1 subtree to the latest libsecp256k1 upstream version.

  As it adds BIP340 support (see https://github.com/bitcoin-core/secp256k1/pull/558), this is a prerequisite for #17977. In particular, it contains:
  * A few generic library improvements
  * Support for x-only public keys as used by BIP340.
  * Support for "key pair" objects, making signing more efficient by using a precomputed public key.
  * Signing support for BIP340 Schnorr (single-party) signatures.
  * Verification support for BIP340 Schnorr signatures.
  * Support for verifying tweaked x-only keys, as used by BIP341's Taproot construction.

  Things that are not included:
  * MuSig, nor any kind of multisignatures, threshold signatures, ... on top.
  * Batch verification.
  * Support for variable-length messages in BIP340 (which are still being discussed, but won't affect BIP341, or Bitcoin Core).
  * A few more generic improvements that are still in the pipeline, including faster modular inversions.

ACKs for top commit:
  instagibbs:
    ACK 894fb33f4c1b24667891f7d2aff9f486177b1173
  fanquake:
    ACK 894fb33f4c1b24667891f7d2aff9f486177b1173. Any Valgrind concerns will be addressed upstream, see discussion in https://github.com/bitcoin-core/secp256k1/pull/813, and if necessary, can be pulled into our tree prior to the 0.21.0 branch off. They are not a blocker for merging this PR in it's current state.
  benthecarman:
    ACK `894fb33`

Tree-SHA512: 6dc992f4477069b7fbd223316f1be955750923be1479c38adad2312649fdca1f316edb375c42ef9d97cea2407caaef49fb8c93abd6c037fe1a522910cbbc2479
2021-08-11 00:05:22 +03:00
fanquake
9d36ba6570
Merge #19228: Update libsecp256k1 subtree
e10439ce5a54cd13062e4ed07ebc681e385ed5cb scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc4233059bb576c658d1b20bbfbfc00e8481f Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419c090b0af65edc9eb07ac0a736eb351b69 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b5d874b501c114bced5d764db7f4f5ce99 Squashed 'src/secp256k1/' changes from b19c000063..2ed54da18a (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439ce5a54cd13062e4ed07ebc681e385ed5cb I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439ce5a54cd13062e4ed07ebc681e385ed5cb
  Sjors:
    ACK e10439ce5a54cd13062e4ed07ebc681e385ed5cb
  jonasnick:
    reACK e10439ce5a54cd13062e4ed07ebc681e385ed5cb

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
2021-08-11 00:05:22 +03:00
Wladimir J. van der Laan
0d49c6fa00
Merge #15703: Update secp256k1 subtree to latest upstream
54245985fb3c89d72e285c4db39d38ed2f5fb0de Squashed 'src/secp256k1/' changes from 0b70241850..b19c000063 (Pieter Wuille)

Pull request description:

  It's been 1.5 years since our secp256k1 subtree was updated, while the upstream project has undergone a number of incremental improvements (performance, tests, build system fixes), plus gained the groundwork for batch verification.

  As we're early in the 0.19 window, this seems like a good time to get these merged.

ACKs for commit 99df27:
  fanquake:
    utACK 99df276 the subtree merge, still need to test the actual changes.
  laanwj:
    utACK 99df276da

Tree-SHA512: 769a699366321635068ebfbd9d3f30f6e72401c4fcdc1fdc84e5b3fd888c3f01437748f6cd23a507ab47cf04c226cd504fd48aee654457c34bb106c9db7e5c09
2020-03-14 11:01:03 -05:00
MarcoFalke
3c5bd7708b
Merge #11421: Merge current secp256k1 subtree
fd86f998f Squashed 'src/secp256k1/' changes from 84973d393..0b7024185 (MarcoFalke)

Pull request description:

  The subtree should now match upstream again. Check with:

  ```sh
  ./contrib/devtools/git-subtree-check.sh src/secp256k1
  ```

  The changes are only documentation/refactoring related.

Tree-SHA512: 43e8a95bcbfefef9e19ec38a92d2d57fdd4a16ddf726e036d36a0d806eb6f35b45b40ee69f980430e107895ec8725b5de4e36456b026214675e0b19630bb6fe9
2020-02-08 23:33:25 -06:00
Wladimir J. van der Laan
5f2c9d7307
Merge #10633: doc: Fix various typos
0a5a6b9 Fixed multiple typos (Dimitris Tsapakidis)

Tree-SHA512: 57748710bcbc03945b160db5e95bd686a2c64605f25d5e11d8ed9d0e1be3b3bf287a63588dc6eb33d0cef4ff17c765fda7c226d667a357acc539c8fcf2b9bb7e
2019-07-11 10:34:46 -05:00
Wladimir J. van der Laan
c7aa3723c7 Merge #10323: Update to latest libsecp256k1 master
e7c1b44 Squashed 'src/secp256k1/' changes from 8225239..84973d3 (Pieter Wuille)

Tree-SHA512: 3e1ba6e6ad9d68170a1a60bd963f2dbaa8b0ae592cc562e6cd23b2c7653f0b8016e4c682681ae2fb3714106a41f8b89708e16e8f52a42ff3db59fc28262eea0b
2019-06-26 12:43:19 -05:00
Wladimir J. van der Laan
3aee86d6fc Merge #9334: Update to latest libsecp256k1
7b49f22 Squashed 'src/secp256k1/' changes from 7a49cac..8225239 (Pieter Wuille)
2018-01-17 17:31:12 +01:00
Pieter Wuille
55ccc56a80 Merge #8453: Bring secp256k1 subtree up to date with master
b213535 Squashed 'src/secp256k1/' changes from 6c527ec..7a49cac (Wladimir J. van der Laan)
2018-01-08 18:04:55 +01:00
UdjinM6
83813caafd Cleanup 2016-02-15 00:01:44 +03:00
UdjinM6
a5ac60b868 Merge remote-tracking branch 'bitcoin/0.12' into HEAD
+ merge fixes
+ keepass on evhttp
2016-02-06 16:48:04 +03:00
MarcoFalke
fa63e49b35 Merge commit '5ad54630935d1f340666de7bc9ffef9b8a1df296' into HEAD 2015-11-24 09:22:18 +01:00
Pieter Wuille
9e475d5a4d Update libsecp256k1 2015-11-13 00:12:43 +01:00
Pieter Wuille
4dda253190 Update libsecp256k1 2015-04-22 14:03:10 -07:00
Pieter Wuille
223d8630b0 Update libsecp256k1. 2015-03-27 14:03:36 -07:00
Pieter Wuille
602ebf5279 Update libsecp256k1 2015-01-06 00:28:47 +01:00
Pieter Wuille
63b5a1dc80 Do not use libgmp automatically in libsecp256k1 2014-12-23 14:20:28 +01:00
Pieter Wuille
253e207132 Update libsecp256k1 2014-12-11 01:58:25 +01:00
Pieter Wuille
0dcfb91d56 Update libsecp256k1 2014-12-04 19:17:07 +01:00
Pieter Wuille
2245a95ce8 Merge commit 'd48555b36ac512161b81f9b6bca7bea16a0cd806' as 'src/secp256k1' 2014-11-18 18:06:36 +01:00
Pieter Wuille
7a7e109139 Delete src/secp256k1 before subtree import 2014-11-18 18:06:36 +01:00
Cory Fields
5566826635 secp256k1: Add build-side changes for libsecp256k1
Note: This is added to our existing automake targets rather than as a
libtool-style lib. The switch to libtool-style targets can come later if it
proves to not add any complications.
2014-07-01 12:27:19 -04:00