Squashed 'src/secp256k1/' changes from 3967d96bf1..ff4714e641

ff4714e641 Merge pull request ElementsProject#105 from jonasnick/update-musig
3fb4d6db9c travis: run musig test whenever schnorrsig tests are run
b9d91b3ecb musig: add pubkey_tweak_add function to allow taproot tweaking
0d71b6c61f Merge pull request ElementsProject#112 from jgriffiths/missed_rename
4721bec0ef Update renamed decl missed in e0ced690cff035b61763686cb69b7d06571e23e2
ebf57dc2f5 Merge pull request ElementsProject#107 from thomaseizinger/secp256k1-zkp
4d20713425 Remove unused context initializer functions
38a8b20991 musig: fix memory leak in musig test
5b4eb18ec5 musig: shorten partial nonce byte array from 33 to 32 bytes
62f0b2d867 musig: make musig partial nonces byte arrays instead of "pubkeys"
73792e4a27 musig: represent a combined_nonce as an xonly_pubkey
2117e7466a musig: improve variable naming and be consistent with schnorrsig module
ebc31f1f9d musig: add ARG_CHECKs to functions to help debuggability
ac2d0e6697 musig: add magic to session to detect if session is uninitalized
29b4bd85d7 musig: simplify state machine by adding explicit round to session struct
6370bdd537 Merge pull request ElementsProject#104 from jonasnick/temp-merge-835
e0ced690cf Rename rands64 to testrandi64
b0917f3de1 Merge remote-tracking branch 'upstream/master' into temp-merge-835
81052ca411 Merge ElementsProject#103: Merge upstream schnorrsig PR
9e5939d284 Merge ElementsProject#835: Don't use reserved identifiers memczero and benchmark_verify_t
96b9236c42 re-enable musig module
23900a0d86 Fix the MuSig module after integrating bip-schnorr updates
005fe79262 Merge commit '8ab24e8d' into tmp
a11250330b (actually) remove schnorrsig module
bac746c55e (temporarily) disable musig module
d0a83f7328 Merge ElementsProject#839: Prevent arithmetic on NULL pointer if the scratch space is too small
903b16aa6c Merge ElementsProject#840: Return NULL early in context_preallocated_create if flags invalid
1f4dd03838 Typedef (u)int128_t only when they're not provided by the compiler
ebfa2058e9 Return NULL early in context_preallocated_create if flags invalid
29a299e373 Run the undefined behaviour sanitizer on Travis
7506e064d7 Prevent arithmetic on NULL pointer if the scratch space is too small
e89278f211 Don't use reserved identifiers memczero and benchmark_verify_t
73acc8fef6 Merge pull request ElementsProject#102 from jonasnick/temp-merge-797
8b70795b5e Fix BE platforms by updating endianness macros to match upstream
d1b13b0014 Merge commit 'f3733c54' into temp-merge-797
23bf5b732b Merge pull request ElementsProject#101 from jonasnick/temp-merge-778
0a5b60d8b0 Merge commit '6034a04f' into temp-merge-778
caa5d24446 Merge ElementsProject#99: [upstream PR ElementsProject#774]: tests: Abort if malloc() fails during context cloning tests
1789183cba Merge commit '40412b19' into temp-merge-774
a39b08d672 Merge ElementsProject#95: [upstream PR ElementsProject#741]: Remove unnecessary sign variable from wnaf_const
a3a3a17f47 Merge pull request ElementsProject#94 from apoelstra/temp-merge-1309c03c45beece646a7d21fdb6a0e3d38adee2b
fabc8f74e7 Fix typo in MuSig documentation.
96201b4f6e Require message in musig protocol in an earlier state. In particular, remove the set_msg function and require the message in get_public_nonce at the latest.
4fd0d56e37 Fix my_index in musig state machine tests
b74f2dc478 Remove mentions of DER in H derivation.
b368a5d163 Fix ARG_NONNULL macro usage in musig include
bedff79848 Add cplusplus directive to musig include
9957307c3f Fix explanation of H derivation. It doesn't use DER encoding.
d924027765 Add tweak32 parameter to musig_partial_sig_combine which allows to sign for p2c/taproot commitments
a4410ac779 Add musig module tests to travis
d6738e890e surjection proof: Reject proofs with too many used inputs in reduced mode
bd70820123 allow reducing surjection proof size (to lower generation stack usage)
56f69d979f surjectionproof: introduce `SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS` constant and set it to 16
b8a3ff5f3b surjectionproof: reduce stack usage
68d937fe11 surjectionproof: fix malleability in surjection proof parsing
41bc9ce129 surjectionproof: add test vectors for "set padding bits"
b0644d4ab3 surjectionproof: add fixed test vectors
c0415eb0cb Fix read of wrong buffer (and OOB) in surjectionproof tests
00fffeb172 Improve comments for surctionproof init+alloc/destroy funcs
2dc868f35b work in progress: add _allocate_initialized/destroy funcs
0d4ee3c62d Improve explanation of key cancellation attack in whitelist.md
2a1750dedd Clarify how to derive alternative generator H
ed7394f005 Add bench_generator and bench_rangeproof to .gitignore
9dd117fd2b Clean up ./configure help strings (zkp extensions)
f35b5e271f Fix a small typo in the generator parameter name
068f03c35b generator: remove `CHECK` abort calls exposed by public API
3424cb1fa3 musig: add user documentation
13ef445721 Add 3-of-3 MuSig example
b86c210747 Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures.
c59c602dd6 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
a1f16a0a53 add chacha20 function
3cdc02ef8a use proper types for rangeproof min/max
cf21c9d715 rangeproof: reduce iteration count in unit tests
0dfb356f95 Enable more builds with rest of experimental flags
4c231568fb Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
f416e039bb Add comment to explain effect of max_n_iterations in surjectionproof_init
936d62f248 add unit test for generator and pedersen commitment roundtripping
e06540de8c rangeproof: fix serialization of pedersen commintments
edb879f578 rangeproof: verify correctness of pedersen commitments when parsing
fca4c3b62f generator: verify correctness of point when parsing
c50b218698 rangeproof: check that points deserialize correctly when verifying rangeproof
c33e597245 rangeproof: add fixed vector test case
0c5cb7cd08 Expose generator in shared library
dbc49df80c fix spelling in documentation
47be098bac Test for rejection of trailing bytes in range proofs
16aaa4a02c Test for rejection of trailing bytes in surjection proofs
949e994cb3 Reject surjection proofs with trailing garbage
c87618157e Minor bugfix. Wrong length due to NUL character.
fc3dc94049 Add whitelisting benchmark
edc7cb6cdd add whitelist_impl.h to include for dist
4320490e88 generator: add API tests
126493ef01 generator: remove unnecessary ARG_CHECK from generate()
253f131310 Fix generator makefile
3997128ad9 Fix pedersen_blind_generator_blind_sum return value documentation
04f4c09111 Add n_keys argument to whitelist_verify
dbf3d752a8 Fix checks of whitelist serialize/parse arguments
29d0d562dc whitelist: fix serialize/parse API to take serialized length
660ad39fb3 Fix include/secp256k1_rangeproof.h function argument documentation.
e13bdf2f23 rangeproof: add API tests
18c5c62b45 surjectionproof: rename unit test functions to be more consistent with other modules
5f1ad03d00 surjectionproof: add API unit tests
f858a4e3d5 surjectionproof: tests_impl.h s/assert/CHECK/g
002002e735 rangeproof: fix memory leak in unit tests
ba8b4f53ef add surjection proof module
8c77fe1590 Implement ring-signature based whitelist delegation scheme
94425d4a67 rangeproof: several API changes
f6c84a02f3 Expose generator in pedersen/rangeproof API
360e218043 Constant-time generator module
e7a8a5f638 rangeproof: expose sidechannel message field in the signing API
a88db4a744 [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
16618fcd8d Pedersen commitments, borromean ring signatures, and ZK range proofs.
3cf8f70ba1 Add 64-bit integer utilities

git-subtree-dir: src/secp256k1
git-subtree-split: ff4714e6417c56f7235b287d4a9e555df10e09af

.gitignore

@@ -1,6 +1,8 @@
 bench_inv
 bench_ecdh
 bench_ecmult
+bench_generator
+bench_rangeproof
 bench_schnorrsig
 bench_sign
 bench_verify

.travis.yml

@@ -17,23 +17,26 @@ compiler:
   - gcc
 env:
   global:
-    - WIDEMUL=auto  BIGNUM=auto  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  WITH_VALGRIND=yes RUN_VALGRIND=no EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no SCHNORRSIG=no EXPERIMENTAL=no CTIMETEST=yes BENCH=yes ITERS=2
+    - WIDEMUL=auto  BIGNUM=auto  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  WITH_VALGRIND=yes RUN_VALGRIND=no EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no SCHNORRSIG=no EXPERIMENTAL=no CTIMETEST=yes BENCH=yes ITERS=2 GENERATOR=no RANGEPROOF=no WHITELIST=no SCHNORRSIG=no MUSIG=no
   matrix:
+    - WIDEMUL=int64   EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128  EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes  SCHNORRSIG=yes MUSIG=yes
     - WIDEMUL=int64   RECOVERY=yes
-    - WIDEMUL=int64   ECDH=yes  EXPERIMENTAL=yes SCHNORRSIG=yes
+    - WIDEMUL=int64   ECDH=yes  EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes
     - WIDEMUL=int128
-    - WIDEMUL=int128  RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes
-    - WIDEMUL=int128  ECDH=yes EXPERIMENTAL=yes SCHNORRSIG=yes
+    - WIDEMUL=int128  RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128  ECDH=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes
     - WIDEMUL=int128                    ASM=x86_64
     - BIGNUM=no
-    - BIGNUM=no       RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes
+    - BIGNUM=no       RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes
     - BIGNUM=no       STATICPRECOMPUTATION=no
     - BUILD=distcheck WITH_VALGRIND=no CTIMETEST=no BENCH=no
     - CPPFLAGS=-DDETERMINISTIC
     - CFLAGS=-O0 CTIMETEST=no
+    - CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" BIGNUM=no ASM=x86_64 ECDH=yes RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes CTIMETEST=no
     - ECMULTGENPRECISION=2
     - ECMULTGENPRECISION=8
-    - RUN_VALGRIND=yes BIGNUM=no ASM=x86_64 ECDH=yes  RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes EXTRAFLAGS="--disable-openssl-tests" BUILD=
+    - RUN_VALGRIND=yes BIGNUM=no ASM=x86_64 ECDH=yes  RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes EXTRAFLAGS="--disable-openssl-tests" BUILD=
 matrix:
   fast_finish: true
   include:
@@ -81,7 +84,7 @@ matrix:
             - libc6-dbg:i386
     # S390x build (big endian system)
     - compiler: gcc
-      env: HOST=s390x-unknown-linux-gnu ECDH=yes RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes CTIMETEST=
+      env: HOST=s390x-unknown-linux-gnu ECDH=yes RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes CTIMETEST=
       arch: s390x
 
 # We use this to install macOS dependencies instead of the built in `homebrew` plugin,

Makefile.am

@@ -151,10 +151,30 @@ if ENABLE_MODULE_ECDH
 include src/modules/ecdh/Makefile.am.include
 endif
 
+if ENABLE_MODULE_MUSIG
+include src/modules/musig/Makefile.am.include
+endif
+
 if ENABLE_MODULE_RECOVERY
 include src/modules/recovery/Makefile.am.include
 endif
 
+if ENABLE_MODULE_GENERATOR
+include src/modules/generator/Makefile.am.include
+endif
+
+if ENABLE_MODULE_RANGEPROOF
+include src/modules/rangeproof/Makefile.am.include
+endif
+
+if ENABLE_MODULE_WHITELIST
+include src/modules/whitelist/Makefile.am.include
+endif
+
+if ENABLE_MODULE_SURJECTIONPROOF
+include src/modules/surjection/Makefile.am.include
+endif
+
 if ENABLE_MODULE_EXTRAKEYS
 include src/modules/extrakeys/Makefile.am.include
 endif

configure.ac

@@ -126,11 +126,31 @@ AC_ARG_ENABLE(module_ecdh,
     [enable_module_ecdh=$enableval],
     [enable_module_ecdh=no])
 
+AC_ARG_ENABLE(module_musig,
+    AS_HELP_STRING([--enable-module-musig],[enable MuSig module (experimental)]),
+    [enable_module_musig=$enableval],
+    [enable_module_musig=no])
+
 AC_ARG_ENABLE(module_recovery,
     AS_HELP_STRING([--enable-module-recovery],[enable ECDSA pubkey recovery module [default=no]]),
     [enable_module_recovery=$enableval],
     [enable_module_recovery=no])
 
+AC_ARG_ENABLE(module_generator,
+    AS_HELP_STRING([--enable-module-generator],[enable NUMS generator module [default=no]]),
+    [enable_module_generator=$enableval],
+    [enable_module_generator=no])
+
+AC_ARG_ENABLE(module_rangeproof,
+    AS_HELP_STRING([--enable-module-rangeproof],[enable Pedersen / zero-knowledge range proofs module [default=no]]),
+    [enable_module_rangeproof=$enableval],
+    [enable_module_rangeproof=no])
+
+AC_ARG_ENABLE(module_whitelist,
+    AS_HELP_STRING([--enable-module-whitelist],[enable key whitelisting module [default=no]]),
+    [enable_module_whitelist=$enableval],
+    [enable_module_whitelist=no])
+
 AC_ARG_ENABLE(module_extrakeys,
     AS_HELP_STRING([--enable-module-extrakeys],[enable extrakeys module (experimental)]),
     [enable_module_extrakeys=$enableval],
@@ -146,6 +166,16 @@ AC_ARG_ENABLE(external_default_callbacks,
     [use_external_default_callbacks=$enableval],
     [use_external_default_callbacks=no])
 
+AC_ARG_ENABLE(module_surjectionproof,
+    AS_HELP_STRING([--enable-module-surjectionproof],[enable surjection proof module [default=no]]),
+    [enable_module_surjectionproof=$enableval],
+    [enable_module_surjectionproof=no])
+
+AC_ARG_ENABLE(reduced_surjection_proof_size,
+    AS_HELP_STRING([--enable-reduced-surjection-proof-size],[use reduced surjection proof size (disabling parsing and verification) [default=no]]),
+    [use_reduced_surjection_proof_size=$enableval],
+    [use_reduced_surjection_proof_size=no])
+
 dnl Test-only override of the (autodetected by the C code) "widemul" setting.
 dnl Legal values are int64 (for [u]int64_t), int128 (for [unsigned] __int128), and auto (the default).
 AC_ARG_WITH([test-override-wide-multiply], [] ,[set_widemul=$withval], [set_widemul=auto])
@@ -197,6 +227,12 @@ else
     CFLAGS="-O2 $CFLAGS"
 fi
 
+AC_MSG_CHECKING([for __builtin_popcount])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_popcount(0);}]])],
+    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_POPCOUNT,1,[Define this symbol if __builtin_popcount is available]) ],
+    [ AC_MSG_RESULT([no])
+    ])
+
 if test x"$use_ecmult_static_precomputation" != x"no"; then
   # Temporarily switch to an environment for the native compiler
   save_cross_compiling=$cross_compiling
@@ -252,6 +288,12 @@ else
   set_precomp=no
 fi
 
+AC_MSG_CHECKING([for  __builtin_clzll])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() { __builtin_clzll(1);}]])],
+    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_CLZLL,1,[Define this symbol if  __builtin_clzll is available]) ],
+    [ AC_MSG_RESULT([no])
+    ])
+
 if test x"$req_asm" = x"auto"; then
   SECP_64BIT_ASM_CHECK
   if test x"$has_64bit_asm" = x"yes"; then
@@ -432,10 +474,30 @@ if test x"$enable_module_ecdh" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module])
 fi
 
+if test x"$enable_module_musig" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_MUSIG, 1, [Define this symbol to enable the MuSig module])
+fi
+
 if test x"$enable_module_recovery" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
 fi
 
+if test x"$enable_module_generator" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_GENERATOR, 1, [Define this symbol to enable the NUMS generator module])
+fi
+
+if test x"$enable_module_rangeproof" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_RANGEPROOF, 1, [Define this symbol to enable the Pedersen / zero knowledge range proof module])
+fi
+
+if test x"$enable_module_whitelist" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module])
+fi
+
+if test x"$enable_module_surjectionproof" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module])
+fi
+
 if test x"$enable_module_schnorrsig" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
   enable_module_extrakeys=yes
@@ -455,14 +517,48 @@ if test x"$use_external_default_callbacks" = x"yes"; then
   AC_DEFINE(USE_EXTERNAL_DEFAULT_CALLBACKS, 1, [Define this symbol if an external implementation of the default callbacks is used])
 fi
 
+if test x"$use_reduced_surjection_proof_size" = x"yes"; then
+  AC_DEFINE(USE_REDUCED_SURJECTION_PROOF_SIZE, 1, [Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16, disabling parsing and verification])
+fi
+
 if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([******])
   AC_MSG_NOTICE([WARNING: experimental build])
   AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
+  AC_MSG_NOTICE([Building NUMS generator module: $enable_module_generator])
+  AC_MSG_NOTICE([Building range proof module: $enable_module_rangeproof])
+  AC_MSG_NOTICE([Building key whitelisting module: $enable_module_whitelist])
+  AC_MSG_NOTICE([Building surjection proof module: $enable_module_surjectionproof])
+  AC_MSG_NOTICE([Building MuSig module: $enable_module_musig])
   AC_MSG_NOTICE([Building extrakeys module: $enable_module_extrakeys])
   AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
   AC_MSG_NOTICE([******])
+
+
+  if test x"$enable_module_schnorrsig" != x"yes"; then
+    if test x"$enable_module_musig" = x"yes"; then
+      AC_MSG_ERROR([MuSig module requires the schnorrsig module. Use --enable-module-schnorrsig to allow.])
+    fi
+  fi
+
+  if test x"$enable_module_generator" != x"yes"; then
+    if test x"$enable_module_rangeproof" = x"yes"; then
+      AC_MSG_ERROR([Rangeproof module requires the generator module. Use --enable-module-generator to allow.])
+    fi
+  fi
+
+  if test x"$enable_module_rangeproof" != x"yes"; then
+    if test x"$enable_module_whitelist" = x"yes"; then
+      AC_MSG_ERROR([Whitelist module requires the rangeproof module. Use --enable-module-rangeproof to allow.])
+    fi
+    if test x"$enable_module_surjectionproof" = x"yes"; then
+      AC_MSG_ERROR([Surjection proof module requires the rangeproof module. Use --enable-module-rangeproof to allow.])
+    fi
+  fi
 else
+  if test x"$enable_module_musig" = x"yes"; then
+    AC_MSG_ERROR([MuSig module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$enable_module_extrakeys" = x"yes"; then
     AC_MSG_ERROR([extrakeys module is experimental. Use --enable-experimental to allow.])
   fi
@@ -472,6 +568,18 @@ else
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_generator" = x"yes"; then
+    AC_MSG_ERROR([NUMS generator module is experimental. Use --enable-experimental to allow.])
+  fi
+  if test x"$enable_module_rangeproof" = x"yes"; then
+    AC_MSG_ERROR([Range proof module is experimental. Use --enable-experimental to allow.])
+  fi
+  if test x"$enable_module_whitelist" = x"yes"; then
+    AC_MSG_ERROR([Key whitelisting module is experimental. Use --enable-experimental to allow.])
+  fi
+  if test x"$enable_module_surjectionproof" = x"yes"; then
+    AC_MSG_ERROR([Surjection proof module is experimental. Use --enable-experimental to allow.])
+  fi
 fi
 
 AC_CONFIG_HEADERS([src/libsecp256k1-config.h])
@@ -486,11 +594,17 @@ AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$use_exhaustive_tests" != x"no"])
 AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_GENERATOR], [test x"$enable_module_generator" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_RANGEPROOF], [test x"$enable_module_rangeproof" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_WHITELIST], [test x"$enable_module_whitelist" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
+AM_CONDITIONAL([ENABLE_MODULE_SURJECTIONPROOF], [test x"$enable_module_surjectionproof" = x"yes"])
+AM_CONDITIONAL([USE_REDUCED_SURJECTION_PROOF_SIZE], [test x"$use_reduced_surjection_proof_size" = x"yes"])
 
 dnl make sure nothing new is exported so that we don't break the cache
 PKGCONFIG_PATH_TEMP="$PKG_CONFIG_PATH"

contrib/travis.sh

@@ -17,7 +17,8 @@ fi
     --with-test-override-wide-multiply="$WIDEMUL" --with-bignum="$BIGNUM" --with-asm="$ASM" \
     --enable-ecmult-static-precomputation="$STATICPRECOMPUTATION" --with-ecmult-gen-precision="$ECMULTGENPRECISION" \
     --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
-    --enable-module-schnorrsig="$SCHNORRSIG" \
+    --enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \
+    --enable-module-schnorrsig="$SCHNORRSIG"  --enable-module-musig="$MUSIG"\
     --with-valgrind="$WITH_VALGRIND" \
     --host="$HOST" $EXTRAFLAGS
 

include/secp256k1_generator.h

@@ -0,0 +1,93 @@
+#ifndef _SECP256K1_GENERATOR_
+# define _SECP256K1_GENERATOR_
+
+# include "secp256k1.h"
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+#include <stdint.h>
+
+/** Opaque data structure that stores a base point
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
+ *  If you need to convert to a format suitable for storage, transmission, or
+ *  comparison, use secp256k1_generator_serialize and secp256k1_generator_parse.
+ */
+typedef struct {
+    unsigned char data[64];
+} secp256k1_generator;
+
+/** Parse a 33-byte generator byte sequence into a generator object.
+ *
+ *  Returns: 1 if input contains a valid generator.
+ *  Args: ctx:      a secp256k1 context object.
+ *  Out:  gen:      pointer to the output generator object
+ *  In:   input:    pointer to a 33-byte serialized generator
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_generator_parse(
+    const secp256k1_context* ctx,
+    secp256k1_generator* gen,
+    const unsigned char *input
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a 33-byte generator into a serialized byte sequence.
+ *
+ *  Returns: 1 always.
+ *  Args:   ctx:        a secp256k1 context object.
+ *  Out:    output:     a pointer to a 33-byte byte array
+ *  In:     gen:        a pointer to a generator
+ */
+SECP256K1_API int secp256k1_generator_serialize(
+    const secp256k1_context* ctx,
+    unsigned char *output,
+    const secp256k1_generator* gen
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Generate a generator for the curve.
+ *
+ *  Returns: 0 in the highly unlikely case the seed is not acceptable,
+ *           1 otherwise.
+ *  Args: ctx:     a secp256k1 context object
+ *  Out:  gen:     a generator object
+ *  In:   seed32:  a 32-byte seed
+ *
+ *  If successful a valid generator will be placed in gen. The produced
+ *  generators are distributed uniformly over the curve, and will not have a
+ *  known discrete logarithm with respect to any other generator produced,
+ *  or to the base generator G.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_generator_generate(
+    const secp256k1_context* ctx,
+    secp256k1_generator* gen,
+    const unsigned char *seed32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Generate a blinded generator for the curve.
+ *
+ *  Returns: 0 in the highly unlikely case the seed is not acceptable or when
+ *           blind is out of range. 1 otherwise.
+ *  Args: ctx:     a secp256k1 context object, initialized for signing
+ *  Out:  gen:     a generator object
+ *  In:   seed32:  a 32-byte seed
+ *        blind32: a 32-byte secret value to blind the generator with.
+ *
+ *  The result is equivalent to first calling secp256k1_generator_generate,
+ *  converting the result to a public key, calling secp256k1_ec_pubkey_tweak_add,
+ *  and then converting back to generator form.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_generator_generate_blinded(
+    const secp256k1_context* ctx,
+    secp256k1_generator* gen,
+    const unsigned char *key32,
+    const unsigned char *blind32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif