Squashed 'src/secp256k1/' changes from 43dd1f4fe..44db4d801
44db4d801 Merge pull request #57 from apoelstra/2019-04-surjectionproof-stack
f7e4d08da surjection proof: Reject proofs with too many used inputs in reduced mode
112edb2c6 allow reducing surjection proof size (to lower generation stack usage)
d512d7865 surjectionproof: introduce `SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS` constant and set it to 16
a118acc02 surjectionproof: reduce stack usage
e7f4ff4c6 Merge pull request #70 from apoelstra/2019-06-surjection-count
f94d46e65 Merge pull request #71 from real-or-random/fix-trailing-test
49a1e0173 surjectionproof: fix malleability in surjection proof parsing
55311b0e0 Fix read of wrong buffer (and OOB) in surjectionproof tests
290a27bb7 surjectionproof: add test vectors for "set padding bits"
7bc3daa48 surjectionproof: add fixed test vectors
6f3b0c05c Improve comments for surjectionproof init+alloc/destroy funcs
250ebb364 work in progress: add _allocate_initialized/destroy funcs
4a7763361 Improve explanation of key cancellation attack in whitelist.md
898c9f05b Clarify how to derive alternative generator H
15d92782d Add bench_generator and bench_rangeproof to .gitignore
86240b207 Clean up ./configure help strings (zkp extensions)
865b76186 Fix a small typo in the generator parameter name
cd5ba5c3b generator: remove `CHECK` abort calls exposed by public API
ff1665127 musig: add user documentation
0ad6b6036 Add 3-of-3 MuSig example
b61a1a9d9 Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures.
5d5374f92 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
a8ae6baff add chacha20 function
9a8a71e8b use proper types for rangeproof min/max
14769b964 rangeproof: reduce iteration count in unit tests
0593861cc Enable more builds with rest of experimental flags
e9fea7427 Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
dec1b9ce2 Add comment to explain effect of max_n_iterations in surjectionproof_init
ea62bfe22 add unit test for generator and pedersen commitment roundtripping
e32924f0e rangeproof: fix serialization of pedersen commitments
972d056fa rangeproof: verify correctness of pedersen commitments when parsing
2cc4c6fef generator: verify correctness of point when parsing
65ffea43d rangeproof: check that points deserialize correctly when verifying rangeproof
cb786d6d1 rangeproof: add fixed vector test case
b387ba038 Expose generator in shared library
8da432855 fix spelling in documentation
6f14fe40d Test for rejection of trailing bytes in range proofs
ab4fbc1be Test for rejection of trailing bytes in surjection proofs
c908c97d6 Reject surjection proofs with trailing garbage
f723bf5b3 Minor bugfix. Wrong length due to NUL character.
6872069de Add whitelisting benchmark
6ceccb75b add whitelist_impl.h to include for dist
a3ad4a866 generator: add API tests
e93e886cb generator: remove unnecessary ARG_CHECK from generate()
f1d6e4b83 Fix generator makefile
68be61131 Fix pedersen_blind_generator_blind_sum return value documentation
51fc58ae6 Add n_keys argument to whitelist_verify
36b100c77 Fix checks of whitelist serialize/parse arguments
c8f54e12e whitelist: fix serialize/parse API to take serialized length
56fca5077 Fix include/secp256k1_rangeproof.h function argument documentation.
4617f0478 rangeproof: add API tests
cd4e438a3 surjectionproof: rename unit test functions to be more consistent with other modules
2cc7f1e04 surjectionproof: add API unit tests
c4097f758 surjectionproof: tests_impl.h s/assert/CHECK/g
5ee6bf341 rangeproof: fix memory leak in unit tests
94e81a250 add surjection proof module
a66ea3522 Implement ring-signature based whitelist delegation scheme
2bb513361 rangeproof: several API changes
9b00b61d9 Expose generator in pedersen/rangeproof API
54fa2639e Constant-time generator module
023aa86ac rangeproof: expose sidechannel message field in the signing API
89e7451d4 [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
f126331bc Pedersen commitments, borromean ring signatures, and ZK range proofs.
e1fb4af90 Add 64-bit integer utilities
e541a90ef Merge #629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3f3 Merge #630: Note intention of timing sidechannel freeness.
8d1563b0f Note intention of timing sidechannel freeness.
1669bb286 Merge #628: Fix ability to compile tests without -DVERIFY.
ecc94abcc Merge #627: Guard memcmp in tests against mixed size inputs.
544435fc9 Merge #578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e9e Merge #595: Allow to use external default callbacks
e49f7991c Add missing #(un)defines to base-config.h
77defd2c3 Add secp256k1_ prefix to default callback functions
908bdce64 Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e65 Allow usage of external default callbacks
6095a863f Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e02c Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7a3 Merge #600: scratch space: use single allocation
98836b11f scratch: replace frames with "checkpoint" system
7623cf2b9 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f2c scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0bb9 scratch: unify allocations
c2b028a28 scratch space: thread `error_callback` into all scratch space functions
0be1a4ae6 scratch: add magic bytes to beginning of structure
92a48a764 scratch space: use single allocation
40839e21b Merge #592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf392027 Fix ability to compile tests without -DVERIFY.
a484e0008 Merge #566: Enable context creation in preallocated memory
0522caac8 Explain caller's obligations for preallocated memory
238305fdb Move _preallocated functions to separate header
695feb6fb Export _preallocated functions
814cc78d7 Add tests for contexts in preallocated memory
ba12dd08d Check arguments of _preallocated functions
5feadde46 Support cloning a context into preallocated memory
c4fd5dab4 Switch to a single malloc call
ef020de16 Add size constants for preallocated memory
1bf7c056b Prepare for manual memory management in preallocated memory
248bffb05 Guard memcmp in tests against mixed size inputs.
36698dcfe Merge #596: Make WINDOW_G configurable
a61a93ff5 Clean up ./configure help strings
2842dc523 Make WINDOW_G configurable
1a02d6ce5 Merge #626: Revert "Merge #620: Install headers automatically"
662918cb2 Revert "Merge #620: Install headers automatically"
14c7dbd44 Simplify control flow in DER parsing
ec8f20bab Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3b3 Parse DER-encoded length into a size_t instead of an int
912680ed8 Merge #561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3ace Merge #620: Install headers automatically
5df77a0ed Merge #533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e0d Merge #617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde04 Merge #619: Clear a copied secret key after negation
16e86150d Install headers automatically
069870d92 Clear a copied secret key after negation
8979ec0d9 Pass scalar by reference in secp256k1_wnaf_const()
84a808598 Merge #612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a59 Allow field_10x26_arm.s to compile for ARMv7 architecture
b19c00006 Merge #607: Use size_t shifts when computing a size_t
4d01bc2d9 Merge #606: travis: Remove unused sudo:false
e6d01e934 Use size_t shifts when computing a size_t
7667532bd travis: Remove unused sudo:false
248f04661 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7b1 Use trivial algorithm in ecmult_multi if scratch space is small
ee99f12f3 Merge #599: Switch x86_64 asm to use "i" instead of "n" for immediate values.
d58bc93f2 Switch x86_64 asm to use "i" instead of "n" for immediate values.
05362ee04 Merge #597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
83483869a Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
aa15154a4 Merge #568: Fix integer overflow in ecmult_multi_var when n is large
2277af5ff Fix integer overflow in ecmult_multi_var when n is large
dbed75d96 Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e09 Keep LDFLAGS if `--coverage`
85d0e1bcc Merge #591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
14196379e Merge #580: Add trivial ecmult_multi algorithm which does not require a scratch space
a697d82da Add trivial ecmult_multi to the benchmark tool
bade61741 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
5545e13de Merge #584: configure: Use CFLAGS_FOR_BUILD when checking native compiler
20c5869df Merge #516: improvements to random seed in src/tests.c
b76e45d5d Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
870a97764 Merge #562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
be40c4d0b Fixup for C90 mixed declarations.
c71dd2c08 Merge #509: Fix algorithm selection in bench_ecmult
6492bf88c Merge #518: Summarize build options after running configure
0e9ada194 Merge #567: Correct order of libs returned on pkg-config --libs --static libsecp2…
e96901a4b Merge #587: Make randomization of a non-signing context a noop
58df8d03a Merge #511: Portability fix for the configure scripts generated
2ebdad772 Merge #552: Make constants static:
1c131affd Merge #551: secp256k1_fe_sqrt: Verify that the arguments don't alias.
ba698f883 Merge #539: Assorted minor corrections
949e85b00 Merge #550: Optimize secp256k1_fe_normalize_weak calls.
a34bcaadf Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker
2d5f4cebd configure: Use CFLAGS_FOR_BUILD when checking native compiler
b408c6a8b Merge #579: Use __GNUC_PREREQ for detecting __builtin_expect
619837521 Make randomization of a non-signing context a noop
c663397f4 Use __GNUC_PREREQ for detecting __builtin_expect
3cb057f84 Fix possible integer overflow in DER parsing
89a20a894 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
d3cb1f95e Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
496c5b43b Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B;
bf8b86cc0 secp256k1_fe_sqrt: Verify that the arguments don't alias.
9bd89c836 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
52ab96fed clean dependencies in field_*_impl.h
deff5edd4 Correct math typos in field_*.h
4efb3f8dd Add check that restrict pointers don't alias with all parameters.
3965027c8 Summarize build options in configure script
0f0517369 Fix algorithm selection in bench_ecmult
8b3841c91 fix bug in fread() failure check
cddef0c0b tests: add warning message when /dev/urandom fails
270f6c80d Portability fix for the configure scripts generated
REVERT: 43dd1f4fe Merge pull request #40 from instagibbs/size_t
REVERT: 6532fa0a9 Merge pull request #39 from instagibbs/more_builds
REVERT: 2b2429dfa rangeproof: reduce iteration count in unit tests
REVERT: 12b0e5dda Enable more builds with rest of experimental flags
REVERT: 8c444eef6 use proper types for rangeproof min/max
REVERT: 53ad841ca Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
REVERT: 71c5fe0f6 Add comment to explain effect of max_n_iterations in surjectionproof_init
REVERT: 85fd42fb7 add unit test for generator and pedersen commitment roundtripping
REVERT: 2ccf88541 rangeproof: fix serialization of pedersen commitments
REVERT: 60c173b64 rangeproof: verify correctness of pedersen commitments when parsing
REVERT: 32d7526cd generator: verify correctness of point when parsing
REVERT: ae14e8a9d rangeproof: check that points deserialize correctly when verifying rangeproof
REVERT: 44fe43d75 rangeproof: add fixed vector test case
REVERT: e065d7df9 Expose generator in shared library
REVERT: fb1ba329a fix spelling in documentation
REVERT: fb75faa14 Test for rejection of trailing bytes in range proofs
REVERT: 9b2cf1708 Test for rejection of trailing bytes in surjection proofs
REVERT: a3a1800ba Reject surjection proofs with trailing garbage
REVERT: 0c77ae9a7 Minor bugfix. Wrong length due to NUL character.
REVERT: b1f31bc4b Add whitelisting benchmark
REVERT: 52a9f8f8f add whitelist_impl.h to include for dist
REVERT: a707865bc generator: add API tests
REVERT: ec1ef040f generator: remove unnecessary ARG_CHECK from generate()
REVERT: b0e9aa828 Fix generator makefile
REVERT: 526c65499 Fix pedersen_blind_generator_blind_sum return value documentation
REVERT: b51886e72 Add n_keys argument to whitelist_verify
REVERT: 37c57de08 Fix checks of whitelist serialize/parse arguments
REVERT: 9b8a9d91e whitelist: fix serialize/parse API to take serialized length
REVERT: 7f1751560 Fix include/secp256k1_rangeproof.h function argument documentation.
REVERT: 0d817020d rangeproof: add API tests
REVERT: 417bb0643 surjectionproof: rename unit test functions to be more consistent with other modules
REVERT: 1e2d5c1a2 surjectionproof: add API unit tests
REVERT: 7878a298b surjectionproof: tests_impl.h s/assert/CHECK/g
REVERT: e609591b6 rangeproof: fix memory leak in unit tests
REVERT: 0c17f7972 add surjection proof module
REVERT: c174f0c60 Implement ring-signature based whitelist delegation scheme
REVERT: a2bc6604f rangeproof: several API changes
REVERT: 21bfb3c91 Expose generator in pedersen/rangeproof API
REVERT: f4620de04 Constant-time generator module
REVERT: d46fc3c19 rangeproof: expose sidechannel message field in the signing API
REVERT: cf40b1bed [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
REVERT: 6d28767c7 Get rid of precomputed H tables (Pieter Wuille)
REVERT: ae1e576f6 Pedersen commitments, borromean ring signatures, and ZK range proofs.
REVERT: efc61dc0c Add 64-bit integer utilities

git-subtree-dir: src/secp256k1
git-subtree-split: 44db4d801fff3cd94105136cb443d603683baad2
stevenroose committed Jun 6, 2019
1 parent 624a615 commit 479b6ff
Showing 60 changed files with 5,449 additions and 512 deletions.
4 changes: 3 additions & 1 deletion .gitignore
@@ -1,9 +1,11 @@
bench_inv
bench_ecdh
bench_ecmult
bench_generator
bench_rangeproof
bench_schnorrsig
bench_sign
bench_verify
bench_schnorr_verify
bench_recover
bench_internal
tests
3 changes: 1 addition & 2 deletions .travis.yml
@@ -1,5 +1,5 @@
language: c
sudo: false
os: linux
addons:
apt:
packages: libgmp-dev
@@ -68,4 +68,3 @@ script:
- if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
- if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-module-rangeproof=$RANGEPROOF --enable-module-whitelist=$WHITELIST --enable-module-generator=$GENERATOR --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
os: linux
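Review bot: the ./configure invocation in this hunk never enables the schnorrsig or musig modules that Makefile.am now conditionally includes (ENABLE_MODULE_SCHNORRSIG, ENABLE_MODULE_MUSIG), so CI compiles and tests none of that new code and the removal of the trailing `os: linux` is the only thing exercised here. Suggest adding matrix variables and flags of the form `--enable-module-schnorrsig=$SCHNORRSIG --enable-module-musig=$MUSIG` (names assumed to follow the existing `--enable-module-rangeproof=$RANGEPROOF` pattern) so at least one job builds the new modules.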
14 changes: 11 additions & 3 deletions Makefile.am
@@ -8,6 +8,7 @@ else
JNI_LIB =
endif
include_HEADERS = include/secp256k1.h
include_HEADERS += include/secp256k1_preallocated.h
noinst_HEADERS =
noinst_HEADERS += src/scalar.h
noinst_HEADERS += src/scalar_4x64.h
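Review bot: exporting include/secp256k1_preallocated.h through include_HEADERS is right, but the schnorrsig and musig modules included further down this file bring their own public headers; check that their Makefile.am.include files append those headers to include_HEADERS in the same way, otherwise `make install` ships a library whose new entry points have no installed header.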
@@ -114,7 +115,7 @@ exhaustive_tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src $(SECP_INCLUDE
if !ENABLE_COVERAGE
exhaustive_tests_CPPFLAGS += -DVERIFY
endif
exhaustive_tests_LDADD = $(SECP_LIBS)
exhaustive_tests_LDADD = $(SECP_LIBS) $(COMMON_LIB)
exhaustive_tests_LDFLAGS = -static
TESTS += exhaustive_tests
endif
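Review bot: appending $(COMMON_LIB) after $(SECP_LIBS) is the right order for the `-static` link in exhaustive_tests_LDFLAGS, since the ARM assembly that commit 83483869a in the squash list refers to is resolved from $(COMMON_LIB) after the library objects; keep the LDADD lists of the ordinary tests target and exhaustive_tests identical so the ARM asm build cannot regress on one target only.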
@@ -151,15 +152,14 @@ endif

if USE_ECMULT_STATIC_PRECOMPUTATION
CPPFLAGS_FOR_BUILD +=-I$(top_srcdir)
CFLAGS_FOR_BUILD += -Wall -Wextra -Wno-unused-function

gen_context_OBJECTS = gen_context.o
gen_context_BIN = gen_context$(BUILD_EXEEXT)
gen_%.o: src/gen_%.c
$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@

$(gen_context_BIN): $(gen_context_OBJECTS)
$(CC_FOR_BUILD) $^ -o $@
$(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@

$(libsecp256k1_la_OBJECTS): src/ecmult_static_context.h
$(tests_OBJECTS): src/ecmult_static_context.h
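Review bot: dropping `CFLAGS_FOR_BUILD += -Wall -Wextra -Wno-unused-function` here silently loses warnings for gen_context unless configure now sets those flags itself; confirm that the configure change in this squash (commit 2d5f4cebd, CFLAGS_FOR_BUILD) carries them. The new link line `$(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@` is the fix from commit a34bcaadf and is what lets `--coverage` builds (commit 310111e09) and the cross-compile jobs in .travis.yml (`--host=$HOST`, `CC -m32`) link the native gen_context helper with the build-host flags rather than the target ones.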
@@ -178,6 +178,14 @@ if ENABLE_MODULE_ECDH
include src/modules/ecdh/Makefile.am.include
endif

if ENABLE_MODULE_SCHNORRSIG
include src/modules/schnorrsig/Makefile.am.include
endif

if ENABLE_MODULE_MUSIG
include src/modules/musig/Makefile.am.include
endif

if ENABLE_MODULE_RECOVERY
include src/modules/recovery/Makefile.am.include
endif
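Review bot: the ENABLE_MODULE_MUSIG block is added independently of ENABLE_MODULE_SCHNORRSIG, yet MuSig (commit b61a1a9d9) is a Schnorr multisignature scheme; if the musig module requires schnorrsig, that dependency has to be enforced in configure.ac (fail when musig is enabled and schnorrsig is not), because nothing in this Makefile.am hunk does. Keep the order of the new blocks (schnorrsig, musig, between ecdh and recovery) consistent with the configure summary added in commit 3965027c8 so the build report lists modules in the same sequence.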
6 changes: 4 additions & 2 deletions README.md
@@ -45,8 +45,10 @@ Implementation details
* Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
* Point multiplication for signing
* Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
* Access the table with branch-free conditional moves so memory access is uniform.
* No data-dependent branches
* Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
* Access the table with branch-free conditional moves so memory access is uniform.
* No data-dependent branches
* Optional runtime blinding which attempts to frustrate differential power analysis.
* The precomputed tables add and eventually subtract points for which no known scalar (private key) is known, preventing even an attacker with control over the private key used to control the data internally.

Build steps
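Review bot: the lines `Access the table with branch-free conditional moves...` and `No data-dependent branches` appear twice in this hunk because they are re-indented under the new `Intended to be completely free of timing sidechannels for secret-key operations` bullet, which the rendering flattens; in the source make sure they sit one level deeper, as sub-bullets, so the new umbrella claim reads as their parent and `Optional runtime blinding` stays a sibling (DPA resistance is a different property from timing). The hedge `(on reasonable hardware/toolchains)` would be more useful if it named what it excludes, for example compilers that turn the conditional moves back into branches, since that is the real caveat behind it.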