Skip to content

Commit

Permalink
Squashed 'src/secp256k1/' changes from 7a30cb0c9d..533571d6cf
Browse files Browse the repository at this point in the history
533571d6cf Merge BlockstreamResearch/secp256k1-zkp#239: sync-upstream: allows providing the local branch via cli
05b207e969 sync-upstream: allows providing the local branch via cli
ff33018fe7 Merge BlockstreamResearch/secp256k1-zkp#232: Backports from libsecp256k1 v0.3.2
39407c3f59 Mark stack variables as early clobber for technical correctness
56a5d41429 Bugfix: mark outputs as early clobber in scalar x86_64 asm
c8c0f55a11 ct: Be cautious and use volatile trick in more "conditional" paths
3e94289966 ct: Use volatile trick in scalar_cond_negate
edcba04c28 Merge BlockstreamResearch/secp256k1-zkp#231: musig: add note about missing verification to partial_sign to doc
4ab4ec38a0 musig: add note about missing verification to partial_sign to doc
f50ad76004 musig: update version number of BIP
4eab2c2fd8 Merge BlockstreamResearch/secp256k1-zkp#230: norm arg: add prove test vectors
f3126fdfec norm arg: remove prove edge tests which are now covered by vectors
847ed9ecb2 norm arg: add verification to prove vectors
cf797ed2a4 norm arg: add prove test vectors
095c1e749c norm arg: add prove_const to tests
ce18267b66 Merge BlockstreamResearch/secp256k1-zkp#229: musig: Fix nits left open in ElementsProject#211
78ed0e09ca Merge BlockstreamResearch/secp256k1-zkp#227: Use relative #include paths and tidy header guards (as in upstream)
e7fc61ff16 Merge BlockstreamResearch/secp256k1-zkp#228: Simple dedicated -zkp README
a0b51afc01 musig: VERIFY_CHECK preconditions of _musig_keyaggcoef_internal()
da7702844e extrakeys: Clarify comparison order of compare/sort functions
4d9d8f92d4 Simple dedicated -zkp README
e444d24bca Fix include guards: No _ prefix/suffix but _H suffix (as in upstream)
0eea7d97ab Use relative #include paths in tests (as in upstream)
c690d6df70 Use relative #include paths in benchmarks (as in upstream)
c565827c1a Use relative #include paths in ctime_test (as in upstream)
4eca406f4c Use relative #include paths in library (as in upstream)
bf7bf8a64f norm arg: split norm_arg_zero into prove_edge and verify_zero_len
a70c4d4a8a norm arg: add test vector for |n| = 0
f5e4b16f0f norm arg: add test vector for sign bit malleability
c0de361fc5 norm arg: allow X and R to be the point at infinity
f22834f202 norm arg: add verify vector for n = [0], l = [0]
d8e7f3763b musig: move ge_{serialize,parse}_ext to module-independent file
050d9b2912 Merge BlockstreamResearch/secp256k1-zkp#226: bppp: align terminology with paper
2c63d17c1e bppp: align terminology with paper (gamma)
dbf2e4d3e1 bppp: align terminology with paper (mu, rho)
f4dd0419aa Merge BlockstreamResearch/secp256k1-zkp#225: sync-upstream: Use --autostash to handle uncommitted changes
13c438cdee sync-upstream: Use --autostash to handle uncommitted changes
6ec1ff6040 Merge BlockstreamResearch/secp256k1-zkp#224: Backport of "ct: Use volatile "trick" in all fe/scalar cmov implementations"
96f4853850 ct: Use volatile "trick" in all fe/scalar cmov implementations
1d25608900 Merge BlockstreamResearch/secp256k1-zkp#223: musig: Update to BIP v1.0.0-rc.4 (Check pubnonce in NonceGen vectors)
d23c23e24d musig: Update to BIP v1.0.0-rc.4 (Check pubnonce in NonceGen vectors)
c4862f6869 Merge BlockstreamResearch/secp256k1-zkp#215: musig: include pubkey in secnonce and compare when signing
a1ec2bb67b musig: add test for signing with wrong secnonce for a keypair
bd57a017aa musig: include pubkey in secnonce and compare when signing
4f57024d86 Merge BlockstreamResearch/secp256k1-zkp#211: Update musig module to BIP MuSig2 v1.0.0-rc.3
8ec6d111c8 Merge BlockstreamResearch/secp256k1-zkp#205: Bulletproofs++: Norm argument
d7fb25c8ca Make sure that bppp_log2 isn't called with value 0
e5a01d12c6 Rename buletproof_pp* to bppp*
c983186872 transcript: add tests
73edc75528 norm arg: add verification vectors
13ad32e814 norm arg: add tests for zero length and zero vectors
34c4847a6a ci: add bulletproofs
2574516483 Add testcases for bulletproofs++ norm arugment
46c7391154 Add norm argument verify API
b43dd83b43 musig: add missing static keyword to function
068e6a036a musig: add test vectors from BIP MuSig
36621d13be musig: update to BIP v1.0.0-rc.2 "Add ''pk'' arg to ''NonceGen''"
d717a4980b musig: update to BIP v0.8 "Switch from X-only to plain pk inputs."
304f1bc96d extrakeys: add pubkey_sort test vectors from BIP MuSig2
ae89051547 extrakeys: replace xonly_sort with pubkey_sort
98242fcdd9 extrakeys: add secp256k1_pubkey_cmp
73d5b6654d musig: update to BIP v0.7.0 (NonceGen)
060887e9d7 musig: update to BIP v0.5.1 "Rename ordinary tweaking to plain"
d9145455bb Add bulletproofs++ norm argument prove API
8638f0e0ce Add internal BP++ commit API
412f8f66a0 Add utility functions required in norm argument
420353d7da Add utilities for log2
17417d44f3 Add utilities from uncompressed Bulletproofs PR
48563c8c79 bulletproofs: add API functionality to generate a large set of generators
048f9f8642 bulletproofs: add new empty module
6162d577fe generator: cleanups in Pedersen/generator code
0a6006989f Revert "Remove unused scalar_sqr"
87373f5145 MOVE ONLY: move Pedersen commitment stuff to generator module from rangeproof module
b1f1675375 Merge BlockstreamResearch/secp256k1-zkp#214: sync-upstream: Fix $REPRODUCE_COMMAND for "select"
cbe2815633 musig: update to BIP v0.4 "Allow the output of NonceAgg to be inf"
206017d67d musig: update to BIP v0.3 (NonceGen)
d800dd55db musig: remove test vectors
a58c7d29bd Merge BlockstreamResearch/secp256k1-zkp#213: Update macOS image for CI
e04c660b11 sync-upstream: Fix $REPRODUCE_COMMAND for "select"
3b2c675955 Update macOS image for CI
d22774e248 Merge BlockstreamResearch/secp256k1-zkp#203: MuSig doc fixes
dd83e72d52 Add ordinary tweak info
d26100cab2 Exclude nonce_process from pre-processing steps
b7607f93f2 Fix reference to xonly_tweak_add
f7e9a8544f Merge BlockstreamResearch/secp256k1-zkp#201: rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
6b6ced9839 rangeproof: add more max_size tests
34876ecb5f rangeproof: add more static test vectors
310e517061 rangeproof: add a bunch more testing
f1410cb67a rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
c137ddbdff Merge BlockstreamResearch/secp256k1-zkp#200: build: automatically enable module dependencies
0202d839fb Merge BlockstreamResearch/secp256k1-zkp#199: surjectionproof: make sure that n_used_pubkeys > 0 in generate
5ac8fb035e surjectionproof: make sure that n_used_pubkeys > 0 in generate
7ff446df8b Merge BlockstreamResearch/secp256k1-zkp#198: rangeproof: add a test for all-zero blinding factors
5a40f3d99b replace memcmp with secp256k1_memcmp_var throughout the codebase
92820d944b rangeproof: add a test for all-zero blinding factors
171b294a1c build: improve error message if --enable-experimental is missed
58ab152bb4 build: move all output concerning enabled modules at single place
1493113e61 build: automatically enable module dependencies
4fd7e1eabd Merge BlockstreamResearch/secp256k1-zkp#197: fix include paths in all the -zkp modules
347f96d94a fix include paths in all the -zkp modules
d1d6e47c17 Merge BlockstreamResearch/secp256k1-zkp#196: surjectionproof: fail to generate proofs when an input equals the output
d1175d265d surjectionproof: use secp256k1_memcmp_var rather than bare memcmp
bf18ff5a8c surjectionproof: fix generation to fail when any input == the output
4ff6e4274d surjectionproof: add test for existing behavior on input=output proofs
71a206fa5b Merge BlockstreamResearch/secp256k1-zkp#194: extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation
db648478c3 extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation

git-subtree-dir: src/secp256k1
git-subtree-split: 533571d6cf6cc03f9bd3ce54e28765b16d59e4cb
  • Loading branch information
delta1 committed Jul 18, 2023
1 parent 35d6112 commit 9d8eede
Show file tree
Hide file tree
Showing 81 changed files with 5,881 additions and 1,738 deletions.
64 changes: 17 additions & 47 deletions .cirrus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ env:
WHITELIST: no
MUSIG: no
ECDSAADAPTOR: no
BPPP: no
### test options
SECP256K1_TEST_ITERS:
BENCH: yes
Expand Down Expand Up @@ -72,12 +73,12 @@ task:
<< : *LINUX_CONTAINER
matrix: &ENV_MATRIX
- env: {WIDEMUL: int64, RECOVERY: yes}
- env: {WIDEMUL: int64, ECDH: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
- env: {WIDEMUL: int64, ECDH: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes, BPPP: yes}
- env: {WIDEMUL: int128}
- env: {WIDEMUL: int128, RECOVERY: yes, SCHNORRSIG: yes}
- env: {WIDEMUL: int128, ECDH: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
- env: {WIDEMUL: int128, ECDH: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes, BPPP: yes}
- env: {WIDEMUL: int128, ASM: x86_64}
- env: { RECOVERY: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes}
- env: { RECOVERY: yes, SCHNORRSIG: yes, EXPERIMENTAL: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes, BPPP: yes}
- env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETEST: no, BENCH: no}
- env: {CPPFLAGS: -DDETERMINISTIC}
- env: {CFLAGS: -O0, CTIMETEST: no}
Expand Down Expand Up @@ -108,6 +109,7 @@ task:
GENERATOR: yes
MUSIG: yes
ECDSAADAPTOR: yes
BPPP: yes
matrix:
- env:
CC: i686-linux-gnu-gcc
Expand All @@ -119,63 +121,29 @@ task:
<< : *CAT_LOGS

task:
name: "x86_64: macOS Catalina"
name: "arm64: macOS Ventura"
macos_instance:
image: catalina-base
image: ghcr.io/cirruslabs/macos-ventura-base:latest
# tasks with valgrind enabled take about 90 minutes
timeout_in: 120m
env:
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_INSTALL_CLEANUP: 1
# Cirrus gives us a fixed number of 12 virtual CPUs. Not that we even have that many jobs at the moment...
MAKEFLAGS: -j13
# Cirrus gives us a fixed number of 4 virtual CPUs. Not that we even have that many jobs at the moment...
MAKEFLAGS: -j5
matrix:
<< : *ENV_MATRIX
env:
ASM: no
WITH_VALGRIND: no
CTIMETEST: no
matrix:
- env:
CC: gcc-9
CC: gcc
- env:
CC: clang
# Update Command Line Tools
# Uncomment this if the Command Line Tools on the CirrusCI macOS image are too old to brew valgrind.
# See https://apple.stackexchange.com/a/195963 for the implementation.
## update_clt_script:
## - system_profiler SPSoftwareDataType
## - touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
## - |-
## PROD=$(softwareupdate -l | grep "*.*Command Line" | tail -n 1 | awk -F"*" '{print $2}' | sed -e 's/^ *//' | sed 's/Label: //g' | tr -d '\n')
## # For debugging
## - softwareupdate -l && echo "PROD: $PROD"
## - softwareupdate -i "$PROD" --verbose
## - rm /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
##
brew_valgrind_pre_script:
# Retry a few times because this tends to fail randomly.
- for i in {1..5}; do brew update && break || sleep 15; done
- brew config
- brew tap LouisBrunner/valgrind
# Fetch valgrind source but don't build it yet.
- brew fetch --HEAD LouisBrunner/valgrind/valgrind
brew_valgrind_cache:
# This is $(brew --cellar valgrind) but command substition does not work here.
folder: /usr/local/Cellar/valgrind
# Rebuild cache if ...
fingerprint_script:
# ... macOS version changes:
- sw_vers
# ... brew changes:
- brew config
# ... valgrind changes:
- git -C "$(brew --cache)/valgrind--git" rev-parse HEAD
populate_script:
# If there's no hit in the cache, build and install valgrind.
- brew install --HEAD LouisBrunner/valgrind/valgrind
brew_valgrind_post_script:
# If we have restored valgrind from the cache, tell brew to create symlink to the PATH.
# If we haven't restored from cached (and just run brew install), this is a no-op.
- brew link valgrind
brew_script:
- brew install automake libtool gcc@9
- brew install automake libtool gcc
<< : *MERGE_BASE
test_script:
- ./ci/cirrus.sh
Expand All @@ -199,6 +167,7 @@ task:
GENERATOR: yes
MUSIG: yes
ECDSAADAPTOR: yes
BPPP: yes
CTIMETEST: no
<< : *MERGE_BASE
test_script:
Expand Down Expand Up @@ -293,6 +262,7 @@ task:
GENERATOR: yes
MUSIG: yes
ECDSAADAPTOR: yes
BPPP: yes
CTIMETEST: no
matrix:
- name: "Valgrind (memcheck)"
Expand Down
5 changes: 4 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,9 +1,12 @@
bench
bench_bppp
bench_ecmult
bench_generator
bench_rangeproof
bench_internal
bench_whitelist
tests
example_musig
exhaustive_tests
precompute_ecmult_gen
precompute_ecmult
Expand Down Expand Up @@ -66,4 +69,4 @@ src/stamp-h1
libsecp256k1.pc
contrib/gh-pr-create.sh

musig_example
musig_example
4 changes: 4 additions & 0 deletions Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,10 @@ clean-precomp:

EXTRA_DIST = autogen.sh SECURITY.md

if ENABLE_MODULE_BPPP
include src/modules/bppp/Makefile.am.include
endif

if ENABLE_MODULE_ECDH
include src/modules/ecdh/Makefile.am.include
endif
Expand Down
87 changes: 19 additions & 68 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,85 +1,36 @@
libsecp256k1
============

[![Build Status](https://api.cirrus-ci.com/github/bitcoin-core/secp256k1.svg?branch=master)](https://cirrus-ci.com/github/bitcoin-core/secp256k1)

Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.

This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

Features:
* secp256k1 ECDSA signing/verification and key generation.
* Additive and multiplicative tweaking of secret/public keys.
* Serialization/parsing of secret keys, public keys, signatures.
* Constant time, constant memory access signing and public key generation.
* Derandomized ECDSA (via RFC6979 or with a caller provided function.)
* Very efficient implementation.
* Suitable for embedded systems.
* Optional module for public key recovery.
* Optional module for ECDH key exchange.
* Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
* Optional module for ECDSA adaptor signatures (experimental).

Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.

Implementation details
----------------------

* General
* No runtime heap allocation.
* Extensive testing infrastructure.
* Structured to facilitate review and analysis.
* Intended to be portable to any system with a C89 compiler and uint64_t support.
* No use of floating types.
* Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
* Field operations
* Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
* Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
* Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
* This is an experimental feature that has not received enough scrutiny to satisfy the standard of quality of this library but is made available for testing and review by the community.
* Scalar operations
* Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
* Using 4 64-bit limbs (relying on __int128 support in the compiler).
* Using 8 32-bit limbs.
* Modular inverses (both field elements and scalars) based on [safegcd](https://gcd.cr.yp.to/index.html) with some modifications, and a variable-time variant (by Peter Dettman).
* Group operations
* Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
* Use addition between points in Jacobian and affine coordinates where possible.
* Use a unified addition/doubling formula where necessary to avoid data-dependent branches.
* Point/x comparison without a field inversion by comparison in the Jacobian coordinate space.
* Point multiplication for verification (a*P + b*G).
* Use wNAF notation for point multiplicands.
* Use a much larger window for multiples of G, using precomputed multiples.
* Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
* Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
* Point multiplication for signing
* Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
* Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
* Access the table with branch-free conditional moves so memory access is uniform.
* No data-dependent branches
* Optional runtime blinding which attempts to frustrate differential power analysis.
* The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.
libsecp256k1-zkp
================

[![Build Status](https://api.cirrus-ci.com/github/BlockstreamResearch/secp256k1-zkp.svg?branch=master)](https://cirrus-ci.com/github/BlockstreamResearch/secp256k1-zkp)

A fork of [libsecp256k1](https://github.com/bitcoin-core/secp256k1) with support for advanced and experimental features such as Confidential Assets and MuSig2

Added features:
* Experimental module for ECDSA adaptor signatures.
* Experimental module for ECDSA sign-to-contract.
* Experimental module for [MuSig2](src/modules/musig/musig.md).
* Experimental module for Confidential Assets (Pedersen commitments, range proofs, and [surjection proofs](src/modules/surjection/surjection.md)).
* Experimental module for Bulletproofs++ range proofs.
* Experimental module for [address whitelisting](src/modules/whitelist/whitelist.md).

Experimental features are made available for testing and review by the community. The APIs of these features should not be considered stable.

Build steps
-----------

libsecp256k1 is built using autotools:
libsecp256k1-zkp is built using autotools:

$ ./autogen.sh
$ ./configure
$ make
$ make check # run the test suite
$ sudo make install # optional

To compile optional modules (such as Schnorr signatures), you need to run `./configure` with additional flags (such as `--enable-module-schnorrsig`). Run `./configure --help` to see the full list of available flags.
To compile optional modules (such as Schnorr signatures), you need to run `./configure` with additional flags (such as `--enable-module-schnorrsig`). Run `./configure --help` to see the full list of available flags. For experimental modules, you will also need `--enable-experimental` as well as a flag for each individual module, e.g. `--enable-module-musig`.

Usage examples
-----------
Usage examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`.
* [ECDSA example](examples/ecdsa.c)
* [Schnorr signatures example](examples/schnorr.c)
* [Deriving a shared secret (ECDH) example](examples/ecdh.c)
To compile the Schnorr signature and ECDH examples, you also need to configure with `--enable-module-schnorrsig` and `--enable-module-ecdh`.

Test coverage
-----------
Expand All @@ -105,7 +56,7 @@ To create a HTML report with coloured and annotated source code:

Benchmark
------------
If configured with `--enable-benchmark` (which is the default), binaries for benchmarking the libsecp256k1 functions will be present in the root directory after the build.
If configured with `--enable-benchmark` (which is the default), binaries for benchmarking the libsecp256k1-zkp functions will be present in the root directory after the build.

To print the benchmark result to the command line:

Expand Down
5 changes: 5 additions & 0 deletions ci/cirrus.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ valgrind --version || true
--with-ecmult-gen-precision="$ECMULTGENPRECISION" \
--enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
--enable-module-ecdsa-s2c="$ECDSA_S2C" \
--enable-module-bppp="$BPPP" \
--enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \
--enable-module-schnorrsig="$SCHNORRSIG" --enable-module-musig="$MUSIG" --enable-module-ecdsa-adaptor="$ECDSAADAPTOR" \
--enable-module-schnorrsig="$SCHNORRSIG" \
Expand Down Expand Up @@ -51,6 +52,10 @@ then
$EXEC ./bench_ecmult
$EXEC ./bench_internal
$EXEC ./bench
if [ "$BPPP" = "yes" ]
then
$EXEC ./bench_bppp
fi
} >> bench.log 2>&1
fi

Expand Down
Loading

0 comments on commit 9d8eede

Please sign in to comment.