-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upstream PRs 1228, 1236, 1243, 1238, 1246, 1247, 1242, 1250, 1244, 1241, 1257, 1226, 1252, 1118, 1245, 1266, 1269 #254
Upstream PRs 1228, 1236, 1243, 1238, 1246, 1247, 1242, 1250, 1244, 1241, 1257, 1226, 1252, 1118, 1245, 1266, 1269 #254
Conversation
…r 0.3.0 28e63f7 release cleanup: bump version after 0.3.0 (Jonas Nick) Pull request description: Based on #1223. Should be merged only after tagging the release. ACKs for top commit: sipa: ACK 28e63f7 real-or-random: ACK 28e63f7 Tree-SHA512: d219f836c9258af52389f62c167adb79a0f83f520ede514e286e84f0540d35234322e67d582409c332662db17114da1681419d5d400ed88ad2be66a0f6a06089
…v32_inv256 647f0a5 Update comment for secp256k1_modinv32_inv256 (roconnor-blockstream) Pull request description: ACKs for top commit: sipa: ACK 647f0a5 real-or-random: utACK bitcoin-core/secp256k1@647f0a5 Tree-SHA512: 7c2ec02acf985bb6edfc619ce31bd63511ff634d847a25888927b48b5164353a912d470421b0b969a868fbc5b865cbea188e14357557f44be42d5702af7c5a6b
Among other things this allows us to link against object libraries.
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
… building for coverage analysis 8e79c7e build: Ensure no optimization when building for coverage analysis (Hennadii Stepanov) Pull request description: #944 introduced a regression when building for coverage analysis. The `-O2` flag from the default Autoconf's `CFLAGS` overrides the coverage-specific `-O0` one, which makes coverage analysis results [less reliable](https://gcc.gnu.org/onlinedocs/gcc/Gcov-and-Optimization.html). This PR restores the pre-#944 behaviour. In contrast to an alternative smaller diff: ```diff --- a/configure.ac +++ b/configure.ac @@ -240,7 +240,7 @@ fi if test x"$enable_coverage" = x"yes"; then SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOVERAGE=1" - SECP_CFLAGS="-O0 --coverage $SECP_CFLAGS" + CFLAGS="$CFLAGS -O0 --coverage " LDFLAGS="--coverage $LDFLAGS" else # Most likely the CFLAGS already contain -O2 because that is autoconf's default. ``` this PR ensures that the user always has the last word. FWIW, Bitcoin Core uses a similar [approach](https://github.com/bitcoin/bitcoin/blob/460e394625fab2942748aaeec9be31f460f91c58/configure.ac#L879-L884). ACKs for top commit: jonasnick: tested ACK 8e79c7e real-or-random: utACK 8e79c7e Tree-SHA512: f04b55921d397bd7c003ec0283101d3908f3fb507789c855e1b6d5abd150e7d6281d5eeb8fefbb7d6a55b3c6f29a19324f570eee009794f8fa9bca956229e7ce
…ent to 3.13 96dd062 build: bump CMake minimum requirement to 3.13 (Cory Fields) Pull request description: As requested here: bitcoin-core/secp256k1#1230 (comment) . Ping @hebasto Among other things this allows us to link against object libraries. 3.13 has been mentioned several times as a good overlap between newish features and widespread Linux availability. ACKs for top commit: hebasto: ACK 96dd062 real-or-random: utACK 96dd062 Tree-SHA512: 6c744809aa393b48ef10b3d46c6630370c388a8d375116bfad65c6c907e69c36ed71c1579b9d5c3aa976f70b1cd70e837c1a0226910a43539435125115b32568
4ebd828 Apply Checks only in VERIFY mode. (roconnor-blockstream) Pull request description: This is already done in `field_5x52_impl.h`. ACKs for top commit: sipa: ACK 4ebd828 jonasnick: ACK 4ebd828 Tree-SHA512: c24211e5219907e41e2c5792255734bd50ca5866a4863abbb3ec174ed92d1792dd10563a94c08e8fecd6cdf776a9c49ca87e8f9806a023d9081ecc0d55ae3e66
…hidden` fd2a408 Set ARM ASM symbol visibility to `hidden` (Hennadii Stepanov) Pull request description: Solves one item in #1181. To test on arm-32bit hardware, run: ``` $ ./autogen.sh && ./configure --enable-experimental --with-asm=arm && make ``` On master branch (427bc3c): ``` $ nm -D .libs/libsecp256k1.so | grep secp256k1_fe 0000e2bc T secp256k1_fe_mul_inner 0000e8dc T secp256k1_fe_sqr_inner ``` With this PR: ``` $ nm -D .libs/libsecp256k1.so | grep secp256k1_fe | wc -l 0 ``` For reference, see https://sourceware.org/binutils/docs/as/Hidden.html. ACKs for top commit: theuni: ACK fd2a408. sipa: ACK fd2a408 Tree-SHA512: abf8ad332631672c036844f69c5599917c49e12c4402bf9066f93a692d3007b1914bd3eea8f83f0141c1b09d5c88ebc5e6c8bfbb5444b7b3471749f7b901ca59
... and make wording a bit more consistent. Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
… a right shift 3e43041 No need to subtract 1 before doing a right shift (roconnor-blockstream) Pull request description: ACKs for top commit: real-or-random: utACK 3e43041 jonasnick: ACK 3e43041 Tree-SHA512: bcecda11eae3fb845bef7af88c6171bedcd933872d08a9849c0a250cb6c9e982a88bd45e8a8364a4a348f8be413fc91ee04cf8fa78adae44e584e3ad7ec544cf
… building for coverage analysis 5bb03c2 Replace `SECP256K1_ECMULT_TABLE_VERIFY` macro by a function (Hennadii Stepanov) 4429a8c Suppress `-Wunused-parameter` when building for coverage analysis (Hennadii Stepanov) Pull request description: ACKs for top commit: real-or-random: utACK 5bb03c2 jonasnick: ACK 5bb03c2 Tree-SHA512: 19a395434ecefea201a03fc45b3f0b88f1520908926ac1207bbc6570034b1141b49c3c98e66819dcd9069dfdd28c7c6fbe957f13fb6bd178fd57ce65bfbb8fbd
…FAULT_CFLAGS` macro 3addb4c build: Improve `SECP_TRY_APPEND_DEFAULT_CFLAGS` macro (Hennadii Stepanov) Pull request description: ACKs for top commit: real-or-random: utACK 3addb4c jonasnick: ACK 3addb4c Tree-SHA512: 918d906570d82be9354fba72bb55d50b8f661cf7cd4404dc244deb489c2bca95b3942ae8af830873ba825dc8ddc68b99c973fc984ff13fdd1f6668f412ca56a3
Apparently clang 15 is able to compile our cmov code into a branch, at least for fe_cmov and fe_storage_cmov. This commit makes the condition volatile in all cmov implementations (except ge but that one only calls into the fe impls). This is just a quick fix. We should still look into other methods, e.g., asm and #457. We should also consider not caring about constant-time in scalar_low_impl.h We should also consider testing on very new compilers in nightly CI, see bitcoin-core/secp256k1#864 (comment)
…/scalar cmov implementations 4a496a3 ct: Use volatile "trick" in all fe/scalar cmov implementations (Tim Ruffing) Pull request description: Apparently clang 15 is able to compile our cmov code into a branch, at least for fe_cmov and fe_storage_cmov. This commit makes the condition volatile in all cmov implementations (except ge but that one only calls into the fe impls). This is just a quick fix. We should still look into other methods, e.g., asm and #457. We should also consider not caring about constant-time in scalar_low_impl.h We should also consider testing on very new compilers in nightly CI, see bitcoin-core/secp256k1#864 (comment) ACKs for top commit: jonasnick: ACK 4a496a3 Tree-SHA512: a6010f9d752e45f01f88b804a9b27e77caf5ddf133ddcbc4235b94698bda41c9276bf588c93710e538250d1a96844bcec198ec5459e675f166ceaaa42da921d5
…process 0c07c82 Add CMake instructions to release process (Tim Ruffing) Pull request description: ACKs for top commit: hebasto: ACK 0c07c82 jonasnick: ACK 0c07c82 Tree-SHA512: a2c38f71cc96766f833f6ed79af1b560501f2d9516843b789de06c9cbffd7a1d9e8709a2f4d08bea8c1c3616301e51942cfa9f11e25e903ee4146c7733a8cb8c
…arations in include/ consistent 3d1f430 Make position of * in pointer declarations in include/ consistent (Jonas Nick) Pull request description: ACKs for top commit: sipa: utACK 3d1f430. I have not verified these are the only instances where changes would need to be made. apoelstra: utACK 3d1f430 from me too. I also value consistency more than either specific choice.' real-or-random: utACK bitcoin-core/secp256k1@3d1f430 Tree-SHA512: 6361880f4a47e58c83623f094dd121882752fa805e275033cd638d1e8d3477ade9037e5d9e34a57ae46013848648bd7ab764cad326133f2d3435c9a70a0c841b
Adds a test using the Wycheproof vectors as outlined in #1106. The vectors are taken from the Wycheproof repo. We use a python script to convert the JSON-formatted vectors into C code. Co-authored-by: Sean Andersen <6730974+andozw@users.noreply.github.com>
…th x specified as n/d 0f86420 Add exhaustive tests for ecmult_const_xonly (Pieter Wuille) 4485926 Add x-only ecmult_const version for x=n/d (Pieter Wuille) Pull request description: This implements a generalization of Peter Dettman's sqrt-less x-only random-base multiplication algorithm from BlockstreamResearch#262, using the Jacobi symbol algorithm from #979. The generalization is to permit the X coordinate of the base point to be specified as a fraction $n/d$: To compute $x(q \cdot P)$, where $x(P) = n/d$: * Compute $g=n^3 + 7d^3$. * Let $P' = (ng, g^2, 1)$ (the Jacobian coordinates of $P$ mapped to the isomorphic curve $y^2 = x^3 + 7(dg)^3$). * Compute the Jacobian coordinates $(X',Y',Z') = q \cdot P'$ on the isomorphic curve. * Return $X'/(dgZ'^2)$, which is the affine x coordinate on the isomorphic curve $X/Z'^2$ mapped back to secp256k1. This ability to specify the X coordinate as a fraction is useful in the context of x-only [Elligator Swift](https://eprint.iacr.org/2022/759), which can decode to X coordinates on the curve without inversions this way. ACKs for top commit: jonasnick: ACK 0f86420 real-or-random: ACK 0f86420 Tree-SHA512: eeedb3045bfabcb4bcaf3a1738067c83a5ea9a79b150b8fd1c00dc3f68505d34c19654885a90e2292ae40ddf40a58dfb27197d98eebcf5d6d9e25897e07ae595
e5de454 tests: Add Wycheproof ECDSA vectors (RandomLattice) Pull request description: This PR adds a test using the Wycheproof vectors as outlined in #1106. We add all 463 ECDSA test vectors. These vectors cover: - edge cases in arithmetic operations - signatures with special values for (r,s) that should be rejected - special cases of public keys The vectors are pulled from the Wycheproof project using a python script to emit C code. All the new ECDSA Wycheproof vectors pass. ACKs for top commit: sipa: ACK e5de454 real-or-random: ACK e5de454 Tree-SHA512: e9684f14ff3f5225a4a4949b490e07527d559c28aa61ed03c03bc52ea64785f0b80b9e1b1628665eacf24006526271ea0fb108629c9c3c1d758e52d214a056f1
Co-authored-by: Pieter Wuille <pieter@wuille.net>
898e1c6 release: Prepare for 0.3.1 (Tim Ruffing) 1d9a13f changelog: Remove inconsistent newlines (Tim Ruffing) 0e09166 changelog: Catch up in preparation of 0.3.1 (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 898e1c6 jonasnick: ACK 898e1c6 Tree-SHA512: 941b1524f8b34ca803a2ede55a7baf54d2faa69a4c5e47254297e96cc4ac2121094ed90e7cd64a708f3e9af830b0de0ef3c755dfee1b01ce958cc998fc1a1311
6a37b2a changelog: Fix link (Tim Ruffing) Pull request description: Top commit has no ACKs. Tree-SHA512: 70d50c8fe958a197eb527e51c6f8120609e3166d93bfc1bbec75a3cb565c406d5ba0e6d088a724dcfda422b6594abf53f507211946a0533515df371d5d2a91bf
|
ACK otherwise |
ecbbfd4
to
a9a5c24
Compare
Oops sorry, should be fixed now.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK a9a5c24
still testing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK a9a5c24
[bitcoin-core/secp256k1#1228]: release cleanup: bump version after 0.3.0
[bitcoin-core/secp256k1#1236]: Update comment for secp256k1_modinv32_inv256
[bitcoin-core/secp256k1#1243]: build: Ensure no optimization when building for coverage analysis
[bitcoin-core/secp256k1#1238]: build: bump CMake minimum requirement to 3.13
[bitcoin-core/secp256k1#1246]: Typo
[bitcoin-core/secp256k1#1247]: Apply Checks only in VERIFY mode.
[bitcoin-core/secp256k1#1242]: Set ARM ASM symbol visibility to
hidden
[bitcoin-core/secp256k1#1250]: No need to subtract 1 before doing a right shift
[bitcoin-core/secp256k1#1244]: Suppress
-Wunused-parameter
when building for coverage analysis[bitcoin-core/secp256k1#1241]: build: Improve
SECP_TRY_APPEND_DEFAULT_CFLAGS
macro[bitcoin-core/secp256k1#1257]: ct: Use volatile "trick" in all fe/scalar cmov implementations
[bitcoin-core/secp256k1#1226]: Add CMake instructions to release process
[bitcoin-core/secp256k1#1252]: Make position of * in pointer declarations in include/ consistent
[bitcoin-core/secp256k1#1118]: Add x-only ecmult_const version with x specified as n/d
[bitcoin-core/secp256k1#1245]: tests: Add Wycheproof ECDSA vectors
[bitcoin-core/secp256k1#1266]: release: Prepare for 0.3.1
[bitcoin-core/secp256k1#1269]: changelog: Fix link
This PR can be recreated with
./contrib/sync-upstream.sh -b sync-upstream range v0.3.1
.Tip: Use
git show --remerge-diff
to show the changes manually added to the merge commit.*
consistent in -zkpinclude/
files.