Finish sync to upstream #260

Merged
merged 548 commits into from
Aug 1, 2023
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Apr 21, 2023

  1. 68b16a1
  2. Merge bitcoin-core/secp256k1#1285: bench: Make sys/time.h a system include
    
    68b16a1 bench: Make sys/time.h a system include (Tim Ruffing)
    
    Pull request description:
    
      just because it is minimally more correct
    
    ACKs for top commit:
      hebasto:
        ACK 68b16a1, I've skimmed through the whole codebase and did not find any more similar cases.
    
    Tree-SHA512: 0a929b36202100abf0d14e9328a2dc2b4c9db5532f95514315cb04dd0a970dbbb1dc02c6275be0ec109dc88f6090f6ce48a65003c852fd4dc750decf07e563c4
    real-or-random committed Apr 21, 2023
    5ec1333
  3. cmake: Make SECP256K1_INSTALL default depend on PROJECT_IS_TOP_LEVEL

    Also full stops have been added to the option help texts for consistency
    in cmake-gui.
    hebasto committed Apr 21, 2023
    5431b9d
  4. Merge bitcoin-core/secp256k1#1283: Get rid of secp256k1_fe_const_b

    69e1ec0 Get rid of secp256k1_fe_const_b (Pieter Wuille)
    
    Pull request description:
    
      Replaces #1282.
    
      Its only remaining use is in a test introduced in #1118, and it is easily replaced by the new `secp256k1_fe_add_int` from #1217.
    
    ACKs for top commit:
      real-or-random:
        utACK 69e1ec0
    
    Tree-SHA512: 6ada192e0643fc5326198b60f019a5081444f9ba0a5b8ba6236f2a526829d8e5e479556600a604d9bc96c7ba86e3aab813f93c66679287d2135e95a2b75f5d3e
    real-or-random committed Apr 21, 2023
    f6bef03
  5. e9fd3df
  6. 162da73
  7. Merge bitcoin-core/secp256k1#1205: field: Improve docs +tests of secp256k1_fe_set_b32
    
    162da73 tests: Add debug helper for printing buffers (Tim Ruffing)
    e9fd3df field: Improve docs and tests of secp256k1_fe_set_b32 (Tim Ruffing)
    ca92a35 field: Simplify code in secp256k1_fe_set_b32 (Tim Ruffing)
    d93f62e field: Verify field element even after secp256k1_fe_set_b32 fails (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK 162da73
    
    Tree-SHA512: b3ed8e45c969d0420275ff154462f3820b72b57832ccba1f6f427e0cfd9cff3e27440c20994f69ea33a576b1903eb7f04a989f0dbd574bbd96ee56c6dd4500f7
    jonasnick committed Apr 21, 2023
    1f33bb2
  8. 3858bad

Commits on Apr 25, 2023

  1. e1b9ce8
  2. 8764034
  3. autotools: Create src/wycheproof dir before creating file in it

    This directory may not exist in a VPATH build,
    see bitcoin/bitcoin#27445 (comment) .
    real-or-random committed Apr 25, 2023
    2418d32
  4. 7e977b3
  5. c4062d6
  6. Merge bitcoin-core/secp256k1#1286: tests: remove extra semicolon in macro
    
    c4062d6 debug: move helper for printing buffers into util.h (Jonas Nick)
    3858bad tests: remove extra semicolon in macro (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK c4062d6
      hebasto:
        ACK c4062d6, I have reviewed the code and it looks OK.
    
    Tree-SHA512: a2c97433d82c1ab2ba976c4fd8aaf337de5f225abcd459e84dcdab689e77e43d4ed654c971ab7f11f27af12e7a744122a0fdd9ece8e635d7a7041c45e9484de8
    real-or-random committed Apr 25, 2023
    1c89536

Commits on Apr 26, 2023

  1. Merge bitcoin-core/secp256k1#1275: build: Fix C4005 "macro redefinition" MSVC warnings in examples
    
    dc0657c build: Fix C4005 "macro redefinition" MSVC warnings in examples (Hennadii Stepanov)
    
    Pull request description:
    
      This PR:
      - fixes C4005 "macro redefinition" MSVC warnings in examples
      - removes warning suppressions in both build systems, Autotools-based and CMake-based ones
    
    ACKs for top commit:
      real-or-random:
        utACK dc0657c
    
    Tree-SHA512: fe3bb8f06b3ff1d51e5e20754a289e0e6b99ddf4c0bd4e6e4786e2558e71e043ab23ff7782a83a902df5db28d18ae65312674c373fdc49f5af252763a22bd0fb
    real-or-random committed Apr 26, 2023
    6b7e5b7

Commits on Apr 27, 2023

  1. Merge bitcoin-core/secp256k1#1234: cmake: Add dev-mode

    ce5ba9e gitignore: Add CMakeUserPresets.json (Tim Ruffing)
    0a446a3 cmake: Add dev-mode CMake preset (Tim Ruffing)
    
    Pull request description:
    
      To use, invoke `cmake` with argument `--preset dev-mode`.
    
      One disadvantage over `./configure --enable-dev-mode` is that CMake does not provide a way to "hide" presets from users. That is, `cmake --list-presets` will list dev-mode, and it will also appear in `cmake-gui`, even though it's not selectable there due to a bug in cmake-gui.
    
      Solves one item in #1224.
    
    ACKs for top commit:
      hebasto:
        ACK ce5ba9e
      theuni:
        ACK ce5ba9e
    
    Tree-SHA512: c14bd283bd5bf64006bf3a23d72e6e55777b084aff71eb2a002f8ddde1d3549ccb2f08feb2b83366a24272209ab579cac8b73cfc020919adf7f039beb65bc9cc
    real-or-random committed Apr 27, 2023
    596b336
  2. Merge bitcoin-core/secp256k1#1239: cmake: Bugfix and other improvements after bumping CMake up to 3.13
    
    a273d74 cmake: Improve version comparison (Hennadii Stepanov)
    6a58b48 cmake: Use `if(... IN_LIST ...)` command (Hennadii Stepanov)
    2445808 cmake: Use dedicated `GENERATOR_IS_MULTI_CONFIG` property (Hennadii Stepanov)
    9f8703e cmake: Use dedicated `CMAKE_HOST_APPLE` variable (Hennadii Stepanov)
    8c20170 cmake: Use recommended `add_compile_definitions` command (Hennadii Stepanov)
    04d4cc0 cmake: Add `DESCRIPTION` and `HOMEPAGE_URL` options to `project` command (Hennadii Stepanov)
    8a8b653 cmake: Use `SameMinorVersion` compatibility mode (Hennadii Stepanov)
    
    Pull request description:
    
      This PR:
      - resolves two items from #1235, including a bugfix with package version compatibility
      - includes other improvements which have become available for CMake 3.13+.
    
      To test the `GENERATOR_IS_MULTI_CONFIG` property on Linux, one can use the "[Ninja Multi-Config](https://cmake.org/cmake/help/latest/generator/Ninja%20Multi-Config.html)" generator:
      ```sh
      cmake -S . -B build -G "Ninja Multi-Config"
      ```
    
    ACKs for top commit:
      real-or-random:
        ACK a273d74
      theuni:
        ACK a273d74
    
    Tree-SHA512: f31c4f0f30bf368303e70ab8952cde5cc8c70a5e79a04f879abcbee3d0a8d8c598379fb38f5142cb1f8ff5f9dcfc8b8eb4c13c975a1d05fdcc92d9c805a59d9a
    real-or-random committed Apr 27, 2023
    4b84f4b
  3. cmake: Use add_compile_options() in try_add_compile_option()

    This change drops tinkering with the `COMPILE_OPTIONS` directory
    property. Also `try_add_compile_option()` can handle a list of flags
    now, if they are required to be checked simultaneously.
    
    Explanatory comments have been added as well.
    hebasto committed Apr 27, 2023
    19516ed
  4. cmake, refactor: Rename try_add_compile_option to try_append_cflags

    Actually, `try_append_cflags()` can handle a list of flags, and the new
    name is similar to the one used in `configure.ac`.
    hebasto committed Apr 27, 2023
    6ece150
  5. a8d059f
  6. Merge bitcoin-core/secp256k1#1240: cmake: Improve and document compiler flag checks
    
    a8d059f cmake, doc: Document compiler flags (Hennadii Stepanov)
    6ece150 cmake, refactor: Rename `try_add_compile_option` to `try_append_cflags` (Hennadii Stepanov)
    19516ed cmake: Use `add_compile_options()` in `try_add_compile_option()` (Hennadii Stepanov)
    
    Pull request description:
    
      This PR:
      - drops tinkering with the `COMPILE_OPTIONS` directory property in `try_add_compile_option()`  and renames it to `try_append_cflags()`
      - copies related comments from `configure.ac`
    
    ACKs for top commit:
      theuni:
        ACK bitcoin-core/secp256k1@a8d059f .
    
    Tree-SHA512: 7ac011c135e12a65c45f4feb7cd74fd2d961ed77252afecf3a66e2af1d57facab446120c63696507b5ecd5bdb3eee1521760a53028b914c429652d00d03a4462
    real-or-random committed Apr 27, 2023
    024a409
  7. 71f746c
  8. Merge bitcoin-core/secp256k1#1284: cmake: Some improvements using `PROJECT_IS_TOP_LEVEL` variable
    
    71f746c cmake: Include `include` directory for subtree builds (Hennadii Stepanov)
    5431b9d cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL` (Hennadii Stepanov)
    162608c cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21 (Hennadii Stepanov)
    
    Pull request description:
    
      This PR:
      1. Emulates [`PROJECT_IS_TOP_LEVEL`](https://cmake.org/cmake/help/latest/variable/PROJECT_IS_TOP_LEVEL.html) variable for CMake versions where it is not available.
      2. Makes the `SECP256K1_INSTALL` option dependent on `PROJECT_IS_TOP_LEVEL` (a [follow up](bitcoin-core/secp256k1#1263 (comment)) of bitcoin-core/secp256k1#1263).
      3. Makes integration of this project as a subtree easier. A top project can `#include <secp256k1.h>` with no additional `target_include_directories()` commands. For example, see https://github.com/hebasto/secp256k1-CMake-example/tree/subtree.
    
    ACKs for top commit:
      theuni:
        utACK 71f746c.
    
    Tree-SHA512: 8ccdbcc94b26f36e772611ebaab0f2846debd6ad20f9e361be31a8d2128a14273acb692b0631026e12cc6cdef6d445dce0fd3beb4f71af47b46dfcf840a18879
    real-or-random committed Apr 27, 2023
    222ecaf
  9. Merge bitcoin-core/secp256k1#1277: autotools: Clean up after adding Wycheproof
    
    7e977b3 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing)
    2418d32 autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing)
    8764034 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing)
    e1b9ce8 autotools: Use same conventions for all pregenerated files (Tim Ruffing)
    08f4b16 autotools: Move code around to tidy Makefile (Tim Ruffing)
    529b54d autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing)
    
    Pull request description:
    
      Follow-up to bitcoin-core/secp256k1#1245.
    
      This builds on top of bitcoin-core/secp256k1#1276. Let's only merge bitcoin-core/secp256k1#1276 as a hotfix for the Core build.
    
    ACKs for top commit:
      hebasto:
        ACK 7e977b3
    
    Tree-SHA512: 42e09feaed15d903e759360e1dfbd1afce9da07a55512e2e791147b72d9b6477e34ae6028439af57dbcae318081a37ddcf3a630f9617bfea95c130135ba2313f
    real-or-random committed Apr 27, 2023
    4b0f711

Commits on Apr 28, 2023

  1. cmake: Fix library ABI versioning

    This change emulates Libtool to make sure Libtool and CMake agree on the
    ABI version.
    hebasto committed Apr 28, 2023
    bef448f

Commits on Apr 29, 2023

  1. cmake: Use full signature of add_test() command

    An executable target in the `COMMAND` option will automatically be
    replaced by the location of the executable created at build time.
    
    This change fixes tests for Windows binaries using Wine.
    hebasto committed Apr 29, 2023
    755629b
  2. Merge bitcoin-core/secp256k1#1289: cmake: Use full signature of `add_test()` command
    
    755629b cmake: Use full signature of `add_test()` command (Hennadii Stepanov)
    
    Pull request description:
    
      This PR fixes tests for Windows binaries using Wine:
      ```
      $ cmake -S . -B ../mingw -DCMAKE_TOOLCHAIN_FILE=cmake/x86_64-w64-mingw32.toolchain.cmake
      $ cmake --build ../mingw
      $ cmake --build ../mingw -t check
      Test project /home/hebasto/git/secp256k1/mingw
          Start 1: noverify_tests
      Could not find executable noverify_tests
      ...
      ```
    
    ACKs for top commit:
      real-or-random:
        ACK 755629b
    
    Tree-SHA512: d1b24a1f1de2e8b70203132f4f6e685b9a120a987302cefe033fa916dfe7a135dbacaf8174d4046e30be170e92a16d070db54292c038cd2acdecc334f7f516dd
    real-or-random committed Apr 29, 2023
    3c81838

Commits on Apr 30, 2023

  1. b2e29e4

Commits on May 2, 2023

  1. refactor: Make 64-bit shift explicit

    This change fixes MSVC level-3 warning C4334.
    See: https://learn.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-3-c4334
    
    Required to enable level 3 warnings (/W3).
    hebasto committed May 2, 2023
    d1e48e5

Commits on May 3, 2023

  1. Merge bitcoin-core/secp256k1#1270: cmake: Fix library ABI versioning

    bef448f cmake: Fix library ABI versioning (Hennadii Stepanov)
    
    Pull request description:
    
      This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.
    
      To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`:
      - incrementing of `*_LIB_VERSION_CURRENT`
      - setting `*_LIB_VERSION_REVISION` to zero
      - incrementing of `*_LIB_VERSION_AGE`
    
    ACKs for top commit:
      real-or-random:
        ACK bef448f  diff looks good and I tested on Linux
    
    Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5
    real-or-random committed May 3, 2023
    f30c748

Commits on May 8, 2023

  1. docs: complete interface description for `secp256k1_schnorrsig_sign_custom`
    
    For the sake of completeness, add the missing descriptions for the
    return value and parameters (`ctx`, `sig64`, `keypair`), in the same
    wording/style as for the function `secp256k1_schnorrsig_sign32`.
    theStack committed May 8, 2023
    149c41c
  2. abi: Use dllexport for mingw builds

    This should fix mingw exports, specifically hiding the following:
    secp256k1_pre_g_128
    secp256k1_pre_g
    secp256k1_ecmult_gen_prec_table
    
    This changes our visibility macros to look more like gcc's recommendation:
    https://gcc.gnu.org/wiki/Visibility#How_to_use_the_new_C.2B-.2B-_visibility_support
    theuni committed May 8, 2023
    bc7c8db
  3. Remove randomness tests

    Our RNG has been replaced with Xoshiro256++, a well-analyzed RNG. Our
    unit tests should not be responsible for verifying its statistical
    qualities.
    sipa committed May 8, 2023
    723e8ca

Commits on May 9, 2023

  1. Merge bitcoin-core/secp256k1#1296: docs: complete interface description for `secp256k1_schnorrsig_sign_custom`
    
    149c41c docs: complete interface description for `secp256k1_schnorrsig_sign_custom` (Sebastian Falbesoner)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 149c41c
      jonasnick:
        ACK 149c41c
    
    Tree-SHA512: ee677ed6b474b547066ce149688edab7ba6d2572acfbc0989256a669341fff4cf2e17b451cd3fc6fff3944a896647f0f5c1411056678505fa85ba71e8cfe6229
    jonasnick committed May 9, 2023
    1cf15eb
  2. fb5bfa4
  3. 2e65f1f

Commits on May 10, 2023

  1. Merge bitcoin-core/secp256k1#1301: Avoid using bench_verify_data as bench_sign_data; merge them
    
    2e65f1f Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
    
    Pull request description:
    
      The existing bench.c code defines `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one.
    
    ACKs for top commit:
      stratospher:
        ACK 2e65f1f.
      real-or-random:
        utACK bitcoin-core/secp256k1@2e65f1f
    
    Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814
    real-or-random committed May 10, 2023
    24c768a
  2. Make secp256k1_ecmult_const handle infinity

    Infinity isn't currently needed here, but correctly handling it is a
    little more safe against future changes.
    
    Update docs for it to make it clear that it is not constant time in A
    (the input point). It never was constant time in Q (and would be a little
    complicated to make constant time in A).
    
    If it was later made constant time in A, infinity support would be easy
    to preserve, e.g. by running it on a dummy value and cmoving infinity into
    the output.
    gmaxwell authored and sipa committed May 10, 2023
    a0e696f
  3. 3086cb9
  4. a18821d
  5. f202667
  6. 0a2e0b2
  7. bbc8344
  8. 6ec3731
  9. Merge bitcoin-core/secp256k1#1299: Infinity handling: ecmult_const(infinity) works, and group verification
    
    bbc8344 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
    0a2e0b2 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
    f202667 Add invariant checking to group elements (Pieter Wuille)
    a18821d Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
    3086cb9 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
    a0e696f Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
    
    Pull request description:
    
      Rebase of #791.
    
      * Clean up infinity handling, make x/y/z always initialized for infinity.
      * Make secp256k1_ecmult_const handle infinity.
        * Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
        * Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
      * Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
      * Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
    
    ACKs for top commit:
      jonasnick:
        ACK bbc8344
      real-or-random:
        ACK bbc8344
    
    Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19
    real-or-random committed May 10, 2023
    341cc19

Commits on May 11, 2023

  1. 97c63b9
  2. Merge magnitude/normalized fields, move/improve comments

    Also split secp256k1_fe_verify into a generic and an implementation
    specific part.
    sipa committed May 11, 2023
    b29566c
  3. build: Rename arm to arm32

    hebasto committed May 11, 2023
    e5cf4bf
  4. 7fa5195
  5. b6b6f9c
  6. e28b51f
  7. 6c31371
  8. 864f9db
  9. 19a2bfe
  10. c701d9a
  11. d3f3fe8
  12. c5e788d
  13. 7d7d43c
  14. ce4d209
  15. f7a7666
  16. 1446708
  17. 65d82a3
  18. 7e7ad7f
  19. e179e65
  20. 4c25f6e
  21. 6ab3508
  22. be82bd8
  23. 1e6894b
  24. 76d31e5
  25. 3167646
  26. d5aa2f0
  27. 283cd80
  28. 89e324c
  29. 4371f98
  30. 4e176ad
  31. 7fc642f
  32. Merge bitcoin-core/secp256k1#1066: Abstract out and merge all the magnitude/normalized logic
    
    7fc642f Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
    4e176ad Abstract out verify logic for fe_is_square_var (Pieter Wuille)
    4371f98 Abstract out verify logic for fe_add_int (Pieter Wuille)
    89e324c Abstract out verify logic for fe_half (Pieter Wuille)
    283cd80 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
    d5aa2f0 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
    3167646 Abstract out verify logic for fe_from_storage (Pieter Wuille)
    76d31e5 Abstract out verify logic for fe_to_storage (Pieter Wuille)
    1e6894b Abstract out verify logic for fe_cmov (Pieter Wuille)
    be82bd8 Improve comments/checks for fe_sqrt (Pieter Wuille)
    6ab3508 Abstract out verify logic for fe_sqr (Pieter Wuille)
    4c25f6e Abstract out verify logic for fe_mul (Pieter Wuille)
    e179e65 Abstract out verify logic for fe_add (Pieter Wuille)
    7e7ad7f Abstract out verify logic for fe_mul_int (Pieter Wuille)
    65d82a3 Abstract out verify logic for fe_negate (Pieter Wuille)
    1446708 Abstract out verify logic for fe_get_b32 (Pieter Wuille)
    f7a7666 Abstract out verify logic for fe_set_b32 (Pieter Wuille)
    ce4d209 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
    7d7d43c Improve comments/check for fe_equal{,_var} (Pieter Wuille)
    c5e788d Abstract out verify logic for fe_is_odd (Pieter Wuille)
    d3f3fe8 Abstract out verify logic for fe_is_zero (Pieter Wuille)
    c701d9a Abstract out verify logic for fe_clear (Pieter Wuille)
    19a2bfe Abstract out verify logic for fe_set_int (Pieter Wuille)
    864f9db Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
    6c31371 Abstract out verify logic for fe_normalize_var (Pieter Wuille)
    e28b51f Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
    b6b6f9c Abstract out verify logic for fe_normalize (Pieter Wuille)
    7fa5195 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
    b29566c Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
    
    Pull request description:
    
      Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
    
      This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
    
      Fixes #1060.
    
    ACKs for top commit:
      jonasnick:
        ACK 7fc642f
      real-or-random:
        ACK 7fc642f
    
    Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
    sipa committed May 11, 2023
    c63ec88
  33. Merge bitcoin-core/secp256k1#1300: Avoid normalize conditional on VERIFY

    97c63b9 Avoid normalize conditional on VERIFY (Pieter Wuille)
    
    Pull request description:
    
      In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
    
    ACKs for top commit:
      real-or-random:
        utACK 97c63b9 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
      jonasnick:
        ACK 97c63b9
    
    Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
    sipa committed May 11, 2023
    54d34b6
  34. 712e7f8
  35. 5fb336f
  36. ct: Be cautious and use volatile trick in more "conditional" paths

     - secp256k1_scalar_cadd_bit
     - secp256k1_modinvXX_normalize_YY
     - secp256k1_modinvXX_divsteps_ZZ
     - ECMULT_CONST_TABLE_GET_GE
    
    Even though those code locations are not problematic right now
    (with current compilers).
    real-or-random committed May 11, 2023
    17fa217
  37. Merge bitcoin-core/secp256k1#1292: refactor: Make 64-bit shift explicit

    d1e48e5 refactor: Make 64-bit shift explicit (Hennadii Stepanov)
    b2e29e4 ci: Treat all compiler warnings as errors in "Windows (VS 2022)" task (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK d1e48e5
      jonasnick:
        ACK d1e48e5
    
    Tree-SHA512: fd07c8c136b1c947900d45b5a4ad4963e2c29884aca62a26be07713dfd1b0c5e7655f07a0b99217fc055bf3266e71cb5edabbd4d5c145a172b4be5d10f7ad51c
    jonasnick committed May 11, 2023
    073d98a
  38. Merge bitcoin-core/secp256k1#1305: Remove unused scratch space from API

    712e7f8 Remove unused scratch space from API (Jonas Nick)
    
    Pull request description:
    
      Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff.
    
    ACKs for top commit:
      sipa:
        ACK 712e7f8
      real-or-random:
        utACK 712e7f8
    
    Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44
    real-or-random committed May 11, 2023
    9eb6934
  39. Merge bitcoin-core/secp256k1#1303: ct: Use more volatile

    17fa217 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
    5fb336f ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 17fa217
      jonasnick:
        ACK 17fa217
    
    Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121
    jonasnick committed May 11, 2023
    ab5a917
  40. 97a98be
  41. 28687b0
  42. cd54ac7
  43. Merge bitcoin-core/secp256k1#1133: schnorrsig: Add test vectors for v…

    …ariable-length messages
    
    cd54ac7 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
    28687b0 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
    97a98be schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK cd54ac7. I didn't verify the included test vectors match the BIP.
      jonasnick:
        ACK cd54ac7
    
    Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816
    jonasnick committed May 11, 2023
    fb3a806
  44. 1907f0f
  45. Merge bitcoin-core/secp256k1#1306: build: Make tests work with extern…

    …al default callbacks
    
    1907f0f build: Make tests work with external default callbacks (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 1907f0f
      jonasnick:
        ACK 1907f0f
    
    Tree-SHA512: 198598f7bf5292bf5709187f9a40ddf9a0fba93e8b62afb49df2c05b4ef61c394cea43ee07615b51ceea97862228d8ad351fddef13c190cb2e6690943ed63128
    jonasnick committed May 11, 2023
    006ddc1
  46. 5b32602
  47. Merge bitcoin-core/secp256k1#1207: Split fe_set_b32 into reducing and…

    … normalizing variants
    
    5b32602 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille)
    
    Pull request description:
    
      Follow-up to #1205.
    
      This splits the `secp256k1_fe_set_b32` function into two variants:
      * `secp256k1_fe_set_b32_mod`, which returns `void`, reduces modulo the curve order, and only promises weakly normalized output.
      * `secp256k1_fe_set_b32_limit`, which returns `int` indicating success/failure, and only promises valid output in case the input is in range (but guarantees it's strongly normalized in this case).
    
      This removes one of the few cases in the codebase where normalization status depends on runtime values, making it fixed at compile-time instead.
    
    ACKs for top commit:
      real-or-random:
        ACK 5b32602
      jonasnick:
        ACK 5b32602
    
    Tree-SHA512: 4b93502272638c6ecdef4d74afa629e7ee540c0a20b377dccedbe567857b56c4684fad3af4b4293ed7ba35fed4aa5d0beaacdd77a903f44f24e8d87305919b61
    sipa committed May 11, 2023
    3353d3c
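
The "volatile trick" named in the `ct:` commits above (5fb336f, 17fa217), as an added example that is not code from libsecp256k1: the 0/1 flag is read back through a `volatile` object before it is widened into a mask, so the optimizer cannot assume its value range and turn the masking into a secret-dependent branch. All function names and the 4x64 limb layout are assumptions made for this illustration, and the negation here is modulo 2^256, not modulo the group order.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration; every name below is hypothetical, not the library's. */

/* Turn a 0/1 flag into an all-zeros / all-ones 64-bit mask.
 * The flag is stored to and reloaded from a volatile object, so the compiler
 * must treat the reloaded value as unknown and cannot specialise the callers
 * into "if (flag) ... else ..." code. */
static uint64_t ct_mask_from_flag(int flag) {
    volatile int vflag = flag;
    return (uint64_t)0 - (uint64_t)vflag;
}

/* r = flag ? a : r, touching every limb regardless of flag. */
static void ct_cmov_4x64(uint64_t r[4], const uint64_t a[4], int flag) {
    uint64_t mask = ct_mask_from_flag(flag);
    int i;
    for (i = 0; i < 4; i++) {
        r[i] = (r[i] & ~mask) | (a[i] & mask);
    }
}

/* r = flag ? -r : r (two's complement, modulo 2^256).
 * Negation is "invert all bits, add one"; both steps are driven by the mask,
 * and the carry is derived with bit operations instead of a comparison. */
static void ct_cond_negate_4x64(uint64_t r[4], int flag) {
    uint64_t mask = ct_mask_from_flag(flag);
    uint64_t carry = mask & 1;
    int i;
    for (i = 0; i < 4; i++) {
        uint64_t t = r[i] ^ mask;       /* inverted only when flag == 1 */
        uint64_t s = t + carry;
        carry = (t & ~s) >> 63;         /* 1 only when t + carry wrapped */
        r[i] = s;
    }
}

/* Returns 0 when every check passes. */
static int ct_selftest(void) {
    uint64_t x[4] = {1, 0, 0, 0};
    uint64_t z[4] = {0, 0, 0, 0};
    const uint64_t y[4] = {5, 6, 7, 8};
    int i, bad = 0;

    ct_cond_negate_4x64(x, 0);                  /* flag 0: unchanged */
    bad |= (x[0] != 1) | (x[1] != 0) | (x[2] != 0) | (x[3] != 0);

    ct_cond_negate_4x64(x, 1);                  /* -1 mod 2^256 is all ones */
    for (i = 0; i < 4; i++) bad |= (x[i] != UINT64_MAX);

    ct_cond_negate_4x64(x, 1);                  /* negating twice restores 1 */
    bad |= (x[0] != 1) | (x[1] != 0) | (x[2] != 0) | (x[3] != 0);

    ct_cond_negate_4x64(z, 1);                  /* -0 == 0, carry runs through */
    for (i = 0; i < 4; i++) bad |= (z[i] != 0);

    ct_cmov_4x64(x, y, 0);                      /* flag 0: x keeps its value */
    bad |= (x[0] != 1);
    ct_cmov_4x64(x, y, 1);                      /* flag 1: x becomes y */
    for (i = 0; i < 4; i++) bad |= (x[i] != y[i]);

    return bad;
}

int main(void) {
    return ct_selftest();
}
```

Whether a given compiler actually keeps such code branch-free still has to be checked on the generated assembly or with a constant-time testing tool; the volatile read only removes one way for the optimizer to reintroduce a branch.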

Commits on May 12, 2023

  1. Bugfix: mark outputs as early clobber in scalar x86_64 asm

    In the existing code, the compiler is allowed to allocate the RSI register
    for outputs m0, m1, or m2, which are written to before the input in RSI is
    read from. Fix this by marking them as early clobber.
    
    Reported by ehoffman2 in bitcoin-core/secp256k1#766
    sipa committed May 12, 2023
    0c729ba
  2. Mark stack variables as early clobber for technical correctness

    In the field 5x52 asm for x86_64, stack variables are provided as outputs.
    The existing inputs are all forcibly allocated to registers, so cannot
    coincide, but mark them as early clobber anyway to make this clearer.
    sipa committed May 12, 2023
    350b4bd
  3. ed4ba23
  4. 0324645
  5. Add release note

    sipa committed May 12, 2023
    8c9ae37
  6. build: Rename 64bit to x86_64

    hebasto committed May 12, 2023
    c6bb29b
  7. Merge bitcoin-core/secp256k1#1304: build: Rename arm to arm32 and che…

    …ck if it's really supported
    
    c6bb29b build: Rename `64bit` to `x86_64` (Hennadii Stepanov)
    0324645 autotools: Add `SECP_ARM32_ASM_CHECK` macro (Hennadii Stepanov)
    ed4ba23 cmake: Add `check_arm32_assembly` function (Hennadii Stepanov)
    e5cf4bf build: Rename `arm` to `arm32` (Hennadii Stepanov)
    
    Pull request description:
    
      Closes bitcoin-core/secp256k1#1034.
    
      Solves one item in bitcoin-core/secp256k1#1235.
    
    ACKs for top commit:
      real-or-random:
        ACK c6bb29b tested on x86_64 but not on ARM
    
    Tree-SHA512: c3615a18cfa30bb2cc53be18c09ccab08fc800b84444d8c6b333347b4db039a3981da61e7da5086dd9f4472838d7c031d554be9ddc7c435ba906852bba593982
    real-or-random committed May 12, 2023
    b54a067
  8. Merge bitcoin-core/secp256k1#1307: Mark more assembly outputs as earl…

    …y clobber
    
    8c9ae37 Add release note (Pieter Wuille)
    350b4bd Mark stack variables as early clobber for technical correctness (Pieter Wuille)
    0c729ba Bugfix: mark outputs as early clobber in scalar x86_64 asm (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 8c9ae37
      jonasnick:
        ACK 8c9ae37
    
    Tree-SHA512: 874d01f5540d14b5188aec25f6441dbc6631f8d3980416040a3e250f1aef75150068415e7a458a9a3fb0d7cbdeb97f5c7e089b187d6d3dd79aa6e45274c241b6
    jonasnick committed May 12, 2023
    7d4f86d
  9. 76b43f3
  10. Revert "Remove unused scratch space from API"

    This reverts commit 712e7f8.
    jonasnick committed May 12, 2023
    3ad1027
  11. changelog: Catch up

    real-or-random committed May 12, 2023
    697e1cc
  12. Merge bitcoin-core/secp256k1#1311: Revert "Remove unused scratch spac…

    …e from API"
    
    3ad1027 Revert "Remove unused scratch space from API" (Jonas Nick)
    
    Pull request description:
    
      This reverts commit 712e7f8.
    
      Removing the scratch space from the API may break bindings to the library.
    
    ACKs for top commit:
      sipa:
        ACK 3ad1027
      real-or-random:
        ACK 3ad1027
    
    Tree-SHA512: ad394c0a2f83fe3a5f400c0e8f2b9bf40037ce4141d4414e6345918f5e6003c61da02a538425a49bdeb5700f5ecb713bd58f5752c0715fb1fcc4950099fdc0e6
    sipa committed May 12, 2023
    e8295d0
  13. Merge bitcoin-core/secp256k1#1309: changelog: Catch up

    697e1cc changelog: Catch up (Tim Ruffing)
    76b43f3 changelog: Add entry for #1303 (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 697e1cc
      jonasnick:
        ACK 697e1cc
    
    Tree-SHA512: cfeb513effc69925bdedd3a298b1e2e5bf7709f68b453a5f157c584560b5400c3dc8b9ce87a775281cdea9db7f44e7e1337fbc93563f6efe350fe5defacbc4f6
    real-or-random committed May 12, 2023
    3e3d125
  14. d490ca2
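
The early-clobber rule behind the two asm commits above (0c729ba, 350b4bd), as an added example that is not the library's scalar or field assembly: an output that the asm writes before it has finished reading its inputs must be declared `=&r`, otherwise the compiler is free to give it the same register as an input. The 128-bit addition and all names are assumptions chosen for illustration; targets other than x86_64 with GCC/Clang use a portable fallback.

```c
#include <stdint.h>

/* Added illustration; names are hypothetical, not from libsecp256k1. */

/* out = a + b (mod 2^128); a, b and out are two little-endian 64-bit limbs. */
static void add128(uint64_t out[2], const uint64_t a[2], const uint64_t b[2]) {
#if defined(__x86_64__) && defined(__GNUC__)
    uint64_t lo, hi;
    /* Order of events inside the asm:
     *   1. lo is written            (a is still needed for step 2)
     *   2. hi is written            (b is still needed for steps 3 and 4)
     *   3./4. b is read
     * The compiler assumes by default that all inputs are consumed before any
     * output is written. With plain "=r" it could therefore assign lo or hi
     * to the register holding a or b, and step 2, 3 or 4 would dereference a
     * clobbered pointer. "=&r" (early clobber) tells it that these outputs
     * must not share a register with any input. */
    __asm__(
        "movq 0(%[a]), %[lo]\n\t"
        "movq 8(%[a]), %[hi]\n\t"
        "addq 0(%[b]), %[lo]\n\t"
        "adcq 8(%[b]), %[hi]\n\t"
        : [lo] "=&r"(lo), [hi] "=&r"(hi)
        : [a] "r"(a), [b] "r"(b)
        : "cc", "memory");   /* flags are changed; a[] and b[] are read */
    out[0] = lo;
    out[1] = hi;
#else
    /* Portable fallback so the example builds on other targets. */
    uint64_t lo = a[0] + b[0];
    uint64_t hi = a[1] + b[1] + (uint64_t)(lo < a[0]);
    out[0] = lo;
    out[1] = hi;
#endif
}

/* Small wrappers that return one limb each, convenient for checking. */
static uint64_t add128_lo(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1) {
    uint64_t a[2], b[2], r[2];
    a[0] = a0; a[1] = a1;
    b[0] = b0; b[1] = b1;
    add128(r, a, b);
    return r[0];
}

static uint64_t add128_hi(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1) {
    uint64_t a[2], b[2], r[2];
    a[0] = a0; a[1] = a1;
    b[0] = b0; b[1] = b1;
    add128(r, a, b);
    return r[1];
}

int main(void) {
    /* (2^64 - 1) + 1 carries into the high limb: expect lo = 0, hi = 1 + 2 + 1. */
    int ok = add128_lo(UINT64_MAX, 1, 1, 2) == 0 &&
             add128_hi(UINT64_MAX, 1, 1, 2) == 4;
    return ok ? 0 : 1;
}
```

A missing `&` of this kind often stays latent for years because it only misbehaves when the register allocator happens to pick the overlapping assignment, which is why it is worth auditing constraints rather than relying on tests alone.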

Commits on May 13, 2023

  1. Merge bitcoin-core/secp256k1#1312: release: Prepare for 0.3.2

    d490ca2 release: Prepare for 0.3.2 (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK d490ca2
      hebasto:
        ACK d490ca2
      jonasnick:
        ACK d490ca2
    
    Tree-SHA512: 0785e9654974b25977dcdb00fe2e91d79a941143d278e315b96238e18c7aedd5814c2534c0aff356d8d4bb456ff8b815bea3657b99243e0a8296bbe635329cfb
    real-or-random committed May 13, 2023
    acf5c55
  2. 95448ef
  3. Merge bitcoin-core/secp256k1#1314: release cleanup: bump version afte…

    …r 0.3.2
    
    95448ef release cleanup: bump version after 0.3.2 (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      hebasto:
        ACK 95448ef
      real-or-random:
        ACK 95448ef
    
    Tree-SHA512: 82724afd8c4b3a383a9a6b6db787fe9dd8dabd76df896a5e1d1a90733ef1c6a2fbbd6dd1d82faee359eb98fe3c636fb31ec659d49e70e17c649ded6155b9a71d
    real-or-random committed May 13, 2023
    83186db

Commits on May 15, 2023

  1. 31b4bbe

Commits on May 17, 2023

  1. 5768b50

Commits on May 19, 2023

  1. Merge bitcoin-core/secp256k1#1317: Make fe_cmov take max of magnitudes

    31b4bbe Make fe_cmov take max of magnitudes (Pieter Wuille)
    
    Pull request description:
    
      This addresses part of #1001.
    
      The magnitude and normalization of the output of `secp256k1_fe_cmov` should not depend on the runtime value of `flag`.
    
    ACKs for top commit:
      real-or-random:
        utACK 31b4bbe
      stratospher:
        ACK 31b4bbe.
    
    Tree-SHA512: 08bef9f63797cb8a1f3ea63c716c09aaa267dfee285b74ef5fbb47d614569d2787ec73d21bce080214872dfe70246f73cea42ad3c24e6baccecabe3312f71433
    real-or-random committed May 19, 2023
    e9e4526
  2. Merge bitcoin-core/secp256k1#1318: build: Enable -DVERIFY for precomp…

    …utation binaries
    
    5768b50 build: Enable -DVERIFY for precomputation binaries (Tim Ruffing)
    
    Pull request description:
    
      because... why not?!
    
      I realized that this can't hurt when working on #1313.
    
    ACKs for top commit:
      sipa:
        ACK 5768b50
    
    Tree-SHA512: 2412cb93097f5c7904cfded6816bc5cdc69d958b4023ddaffd6e7575615ac5bfcd3a7cfc9ce2c0b0e6526a6f000dd84ecd32909d9d207a3644aadb5d34905911
    real-or-random committed May 19, 2023
    5f7903c
  3. 6433175

Commits on May 23, 2023

  1. Merge bitcoin-core/secp256k1#1316: Do not invoke fe_is_zero on failed…

    … set_b32_limit
    
    6433175 Do not invoke fe_is_zero on failed set_b32_limit (Pieter Wuille)
    
    Pull request description:
    
      Noticed in the CI output of #1313 (https://cirrus-ci.com/task/5117786435878912)
    
      The code violates the field element contract that states that a field element that comes out of a failed `secp256k1_fe_set_b32_limit` call cannot be used before overwriting it. This is not an issue in practice, as such failure can only occur with negligible probability, but the experimental compiler in that CI setting is technically correct in detecting this possibility.
    
      Fix it by setting it to 1 based on a `secp256k1_fe_normalizes_to_zero` test rather than a `secp256k1_fe_is_zero` one (which does not require normalization).
    
    ACKs for top commit:
      stratospher:
        ACK 6433175
      real-or-random:
        utACK 6433175
    
    Tree-SHA512: 49da4535181c4607c1f4d23d1fd7cd65e7751c7cfa68643f1da77f3ec7961754fc8553bb415137fd61d86c805fe69f5adf97c05b9dc4d3bf357ae7c6409cc51a
    real-or-random committed May 23, 2023
    d373a72

Commits on May 24, 2023

  1. ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe

    Don't ask me why this makes a difference. It may be some permission
    problem even though everything in Cirrus CI runs as root anyway. In
    any case, I'll probably get mad if I investigate this further.
    
    Fixes #1326.
    real-or-random committed May 24, 2023
    27504d5
  2. Merge bitcoin-core/secp256k1#1327: ci: Move wine prefix to /tmp to av…

    …oid error D8037 in cl.exe
    
    27504d5 ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe (Tim Ruffing)
    
    Pull request description:
    
      Don't ask me why this makes a difference. It may be some permission problem even though everything in Cirrus CI runs as root anyway. In any case, I'll probably get mad if I investigate this further.
    
      Fixes #1326.
    
    ACKs for top commit:
      hebasto:
        ACK 27504d5, tested in my personal Cirrus account.
    
    Tree-SHA512: 08bb1734827579b59c705a44ee8fad6d504031eb5659c2743649be95fb048794b95ac0869a994bfa732f7f0714b4d12674c325637fe079b2266f18a3c14bbec0
    real-or-random committed May 24, 2023
    09df0bf
  3. 1652067
  4. 79fa50b
  5. 6348bc7
  6. ad84603
  7. 05873bb
  8. Merge bitcoin-core/secp256k1#1310: Refine release process

    ad84603 release process: clarify change log updates (Jonas Nick)
    6348bc7 release process: fix process for maintenance release (Jonas Nick)
    79fa50b release process: mention targeted release schedule (Jonas Nick)
    1652067 release process: add sanity checks (Jonas Nick)
    
    Pull request description:
    
      Fixes #1176
    
    ACKs for top commit:
      real-or-random:
        ACK ad84603
      hebasto:
        re-ACK ad84603
    
    Tree-SHA512: 215b469f4ecc6ecb2b07ba4d29b6b01fc0dda752d9cfffc3f5ec518f2efb5ec9ae027056b113758fadbebcdfdd549ff5803c3d7257761da6e3859ff6131cc137
    real-or-random committed May 24, 2023
    20a5da5

Commits on May 25, 2023

  1. build: Level up MSVC warnings

    hebasto committed May 25, 2023
    1549db0

Commits on May 26, 2023

  1. Merge bitcoin-core/secp256k1#1328: build: Bump MSVC warning level up …

    …to W3
    
    1549db0 build: Level up MSVC warnings (Hennadii Stepanov)
    
    Pull request description:
    
      Solves one item in bitcoin-core/secp256k1#1235.
    
    ACKs for top commit:
      sipa:
        utACK 1549db0
      real-or-random:
        ACK 1549db0
    
    Tree-SHA512: 769386f734709537291ddee45c7fbee501185d3eebe9daa117d36e13e8504fabd1127857bc661a751fdf63f2eee1e7e9507121bdb020c97eb87b8758cb0879f8
    real-or-random committed May 26, 2023
    908e02d

Commits on May 30, 2023

  1. 654246c
  2. e83801f
  3. ade5b36

Commits on May 31, 2023

  1. Merge bitcoin-core/secp256k1#1333: test: Warn if both VERIFY and `C…

    …OVERAGE` are defined
    
    e83801f test: Warn if both `VERIFY` and `COVERAGE` are defined (Hennadii Stepanov)
    
    Pull request description:
    
      Solves one item in bitcoin-core/secp256k1#1235.
    
      Also see: bitcoin-core/secp256k1#1113 (comment).
    
    ACKs for top commit:
      sipa:
        utACK e83801f
      real-or-random:
        ACK e83801f
    
    Tree-SHA512: 25e10a09ba2c3585148becd06f2a03d85306208bda333827c9ba73eb7fd94ad15536f10daf1b335703e5cb0539584f001501ce9c578f478ff1ebc1051aefde7d
    real-or-random committed May 31, 2023
    d75dc59
  2. Merge bitcoin-core/secp256k1#1330: refactor: take use of `secp256k1_s…

    …calar_{zero,one}` constants
    
    ade5b36 tests: add checks for scalar constants `secp256k1_scalar_{zero,one}` (Sebastian Falbesoner)
    654246c refactor: take use of `secp256k1_scalar_{zero,one}` constants (Sebastian Falbesoner)
    
    Pull request description:
    
      Rather than allocating a (non-constant) scalar variable on the stack with the sole purpose of setting it to a constant value, the global constants `secp256k1_scalar_{zero,one}` (apparently introduced in 34a67c7, PR #710) can be directly used instead for the values 0 or 1. There is very likely not even a difference in run-time, but it leads to simpler and less code which might be nice.
    
    ACKs for top commit:
      sipa:
        utACK ade5b36
      real-or-random:
        utACK ade5b36
    
    Tree-SHA512: 0ff05a449c153f7117a4a56efef04b2087c2330f4692f3390a0b1d95573785ac7ae3fe689ed0ec2ecc64b575d2489d6e341d32567e75a1a4b4d458c3ecd406a1
    real-or-random committed May 31, 2023
    debf3e5

Commits on Jun 1, 2023

  1. fix input range comment for secp256k1_fe_add_int

    This seems to be a typo that was introduced with commit
    4371f98 (PR #1066).
    theStack committed Jun 1, 2023
    605e07e
  2. Merge bitcoin-core/secp256k1#1334: fix input range comment for `secp2…

    …56k1_fe_add_int`
    
    605e07e fix input range comment for `secp256k1_fe_add_int` (Sebastian Falbesoner)
    
    Pull request description:
    
      This seems to be a typo that was introduced with commit 4371f98 (PR #1066).
    
    ACKs for top commit:
      sipa:
        ACK 605e07e
      real-or-random:
        ACK 605e07e
    
    Tree-SHA512: 7ee99cf7140c698d1146072734ba986de7328f78b2c076ee445067ef64a6a335c8669f1e733e10f5e14f98b566c799cc4c51b3eb0f036cd178b3c93476c6df2e
    real-or-random committed Jun 1, 2023
    bf29f8d

Commits on Jun 2, 2023

  1. 7dae115

Commits on Jun 3, 2023

  1. c7db494
  2. ci: Remove quirk that runs dummy command after wineserver

    The underlying issue is now worked around in upstream, see
    mstorsjo/msvc-wine#47 for details.
    real-or-random authored and hebasto committed Jun 3, 2023
    db29bf2
  3. Merge bitcoin-core/secp256k1#1337: ci: Fix error D8037 in cl.exe (a…

    …ttempt 2)
    
    db29bf2 ci: Remove quirk that runs dummy command after wineserver (Tim Ruffing)
    c7db494 ci: Fix error D8037 in `cl.exe` (Hennadii Stepanov)
    7dae115 Revert "ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe" (Hennadii Stepanov)
    
    Pull request description:
    
      Since the mstorsjo/msvc-wine@2146cbf, the `msvc-wine` effectively initializes the WINE prefix when running the `install.sh` script. See [`install.sh`#L143](https://github.com/mstorsjo/msvc-wine/blob/2146cbfaf037e21de56c7157ec40bb6372860f51/install.sh#L143):
      ```sh
          WINEDEBUG=-all wine64 wineboot &>/dev/null
      ```
    
      Our following `wine64 wineboot --init` just messes up with the prefix.
    
      This PR fixes this issue.
    
      Also bitcoin-core/secp256k1#1327 has been reverted as apparently it does not work. And bitcoin-core/secp256k1#1320 has been combined into this one.
    
    ACKs for top commit:
      real-or-random:
        ACK db29bf2
    
    Tree-SHA512: 59e61bde0060f67501f93da8b4e193f2bfcda85d849c16bb017e38af7aa9e3b569fe2fd4aa5cdb658c3b2345cc42fad98323e329b519389b2e881ecfd403d147
    real-or-random committed Jun 3, 2023
    60556c9

Commits on Jun 4, 2023

  1. 5b7bf2e

Commits on Jun 6, 2023

  1. Drop no longer needed #include "../include/secp256k1.h"

    The removed header includes have not been needed since PR1231.
    hebasto committed Jun 6, 2023
    e449af6

Commits on Jun 10, 2023

  1. 52b8423
  2. scalar: use secp256k1_{read,write}_be32 helpers (4x64 impl.)

    An alternative would be to introduce special helpers for reading/writing
    uint64_t in big endian `secp256k1_{read,write}_be64`.
    theStack committed Jun 10, 2023
    887183e

Commits on Jun 11, 2023

  1. docs: correct pubkey param descriptions for `secp256k1_keypair_{xon…

    …ly_,}pub`
    
    From an API perspective, the functions `secp256k1_keypair_pub` and
    `secp256k1_keypair_xonly_pub` always succeed (i.e. return the value 1),
    so the other cases in the `pubkey` parameter descriptions never happen
    and can hence be removed.
    
    Note that the "1 always" return value description was previously done in
    commit b8f8b99 (PR #1089), which also
    explains why invalid inputs for the affected functions are in practice
    only possible in violation of the type system.
    theStack committed Jun 11, 2023
    f364428

Commits on Jun 12, 2023

  1. Merge bitcoin-core/secp256k1#1341: docs: correct pubkey param descr…

    …iptions for `secp256k1_keypair_{xonly_,}pub`
    
    f364428 docs: correct `pubkey` param descriptions for `secp256k1_keypair_{xonly_,}pub` (Sebastian Falbesoner)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK bitcoin-core/secp256k1@f364428 because it's consistent with the other docs
      jonasnick:
        ACK f364428
    
    Tree-SHA512: cc4db4637301335ea9d23ac43bb3a78de54af79a5262dba2013945f87d80670c7ae1e106101a59c04225eb077e9a9e0ecc9d9d3bfe2d11cdc90f098ebd479f49
    jonasnick committed Jun 12, 2023
    cb1a592
  2. Merge bitcoin-core/secp256k1#1339: scalar: refactor: use `secp256k1_{…

    …read,write}_be32` helpers
    
    887183e scalar: use `secp256k1_{read,write}_be32` helpers (4x64 impl.) (Sebastian Falbesoner)
    52b8423 scalar: use `secp256k1_{read,write}_be32` helpers (8x32 impl.) (Sebastian Falbesoner)
    
    Pull request description:
    
      This refactoring PR takes use of the `secp256k1_{read,write}_be32` helpers (introduced in PR #1093, commit 8d89b9e) in the scalar <-> byte array conversion functions, for both the 8x32 and 4x64 implementations. (An alternative for the latter would be to introduce special helpers for reading/writing uint64_t in big endian `secp256k1_{read,write}_be64`).
    
      Verified via `objdump -D libsecp256k1.a` that `secp256k1_scalar_set_b32` for 4x64 compiles to the same code on master and the PR (`secp256k1_scalar_get_b32` is apparently always inlined) on amd64 with clang 13.0.0.
    
    ACKs for top commit:
      sipa:
        utACK 887183e
    
    Tree-SHA512: 915cb4624c6da0530dce4ec3ac48e88dd735386302cd2e15759e3c30102d81186f382ffe71493ddd0538069f1b558db543d9bb900dfdb69acb60effedc33f705
    real-or-random committed Jun 12, 2023
    67214f5
  3. group: remove unneeded normalize_weak in secp256k1_ge_is_valid_var

    After calculating the right-hand side of the elliptic curve equation
    (x^3 + 7), the field element `x3` has a magnitude of 2 (1 as result of
    `secp256k1_fe_mul`, then increased by 1 due to `secp256k1_fe_add_int`).
    This is fine for `secp256k1_fe_equal_var`, as the second parameter only
    requires the magnitude to not exceed 31, and the normalize_weak call can
    hence be dropped.
    theStack committed Jun 12, 2023
    efa76c4

Commits on Jun 13, 2023

  1. be8ff3a

Commits on Jun 16, 2023

  1. 740528c
  2. tests: add tests for secp256k1_{read,write}_be64

    This can be reviewed with `--ignore-all-space` (or `-w`), to ignore
    already existing code that was only indented.
    theStack committed Jun 16, 2023
    7067ee5

Commits on Jun 17, 2023

  1. Normalize ge produced from secp256k1_pubkey_load

    The output ge is normalized when sizeof(secp256k1_ge_storage) = 64
    but not when it's not 64. ARG_CHECK at the end of the function
    assumes normalization. So normalize ge in the other code path too.
    stratospher committed Jun 17, 2023
    f165252

Commits on Jun 18, 2023

  1. Merge bitcoin-core/secp256k1#1350: scalar: introduce and use `secp256…

    …k1_{read,write}_be64` helpers
    
    7067ee5 tests: add tests for `secp256k1_{read,write}_be64` (Sebastian Falbesoner)
    740528c scalar: use newly introduced `secp256k1_{read,write}_be64` helpers (4x64 impl.) (Sebastian Falbesoner)
    
    Pull request description:
    
      This is a simple follow-up to #1339, as suggested in comment bitcoin-core/secp256k1#1339 (comment).
    
    ACKs for top commit:
      stratospher:
        ACK 7067ee5.
      real-or-random:
        utACK 7067ee5
    
    Tree-SHA512: f9bc2ab610099948ffac1e6bb3c822bd90b81a7110ab74cec03175e2c92ed27694a15f9cdaa7c4f1b460fe459f61c3d1d102c99592169f127fdd7539a1a0c154
    real-or-random committed Jun 18, 2023
    45c5ca7
  2. Merge bitcoin-core/secp256k1#1349: Normalize ge produced from secp256…

    …k1_pubkey_load
    
    f165252 Normalize ge produced from secp256k1_pubkey_load (stratospher)
    
    Pull request description:
    
      The output `ge` in secp256k1_pubkey_load is normalized when `sizeof(secp256k1_ge_storage) = 64` but not when it's not 64. ARG_CHECK at the end of the function assumes normalization. So normalize ge in the other code path too.
    
      context: [#1129(comment)](https://github.com/bitcoin-core/secp256k1/pull/1129/files#r1196167066)
    
    ACKs for top commit:
      sipa:
        utACK f165252
      real-or-random:
        ACK f165252 tested by changing the two `== 64` checks to `== 65`
    
    Tree-SHA512: 0de1caad85ccdb42053f8e09576135257c88fda88455ef25e7640049c05a1e03d1e9bae1cd132d2e6fc327fd79929257a8b21fe1cc41c82374b6cd88e6744aa3
    real-or-random committed Jun 18, 2023
    30574f2

Commits on Jun 20, 2023

  1. Add benchmark for key generation

    sipa committed Jun 20, 2023
    a597a5a
  2. 79e5b2a
  3. Add ellswift module implementing ElligatorSwift

    The scheme implemented is described below, and largely follows the paper
    "SwiftEC: Shallue–van de Woestijne Indifferentiable Function To Elliptic Curves",
    by Chavez-Saab, Rodriguez-Henriquez, and Tibouchi
    (https://eprint.iacr.org/2022/759).
    
    A new 64-byte public key format is introduced, with the property that *every*
    64-byte array is an encoding for a non-infinite curve point. Each curve point
    has roughly 2^256 distinct encodings. This permits disguising public keys as
    uniformly random bytes.
    
    The new API functions:
    * secp256k1_ellswift_encode: convert a normal public key to an ellswift 64-byte
      public key, using additional entropy to pick among the many possible
      encodings.
    * secp256k1_ellswift_decode: convert an ellswift 64-byte public key to a normal
      public key.
    * secp256k1_ellswift_create: a faster and safer equivalent to calling
      secp256k1_ec_pubkey_create + secp256k1_ellswift_encode.
    * secp256k1_ellswift_xdh: x-only ECDH directly on ellswift 64-byte public keys,
      where the key encodings are fed to the hash function.
    
    The scheme itself is documented in secp256k1_ellswift.h.
    sipa committed Jun 20, 2023
    c47917b
  4. Add tests for ellswift module

    These include both test vectors taken from BIP324 and randomized unit tests.
    sipa committed Jun 20, 2023
    9695deb
  5. df633cd
  6. 2d1d41a
  7. 1bcea8c
  8. Add ellswift testing to CI

    sipa committed Jun 20, 2023
    4f09184
  9. 90e360a
  10. field: Document return value of fe_sqrt()

    Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
    real-or-random and jonasnick committed Jun 20, 2023
    5779137

Commits on Jun 21, 2023

  1. Merge bitcoin-core/secp256k1#1338: Drop no longer needed `#include ".…

    …./include/secp256k1.h"`
    
    e449af6 Drop no longer needed `#include "../include/secp256k1.h"` (Hennadii Stepanov)
    
    Pull request description:
    
      The removed header includes have not been needed since bitcoin-core/secp256k1#1231.
    
      Test suggestions:
      1. Using Autotools-based build system:
      ```
      ./autogen.sh
      ./configure
      make clean-precomp
      make
      ```
      2. Using CMake-based build system:
      ```
      cmake -B build -DCMAKE_C_INCLUDE_WHAT_YOU_USE="include-what-you-use"
      cmake --build build --target secp256k1_precomputed
      ```
    
    ACKs for top commit:
      sipa:
        utACK e449af6
      real-or-random:
        utACK e449af6
    
    Tree-SHA512: 5aed7a88e1e03fcc2306c43817712c0652ecf6145679dd17f4719376818d372f619e4180bdaee548f2e82aaccbe6a2ff4c37203121d939af545128c8c48b933e
    real-or-random committed Jun 21, 2023
    0702ecb
  2. Merge bitcoin-core/secp256k1#1129: ElligatorSwift + integrated x-only DH

    90e360a Add doc/ellswift.md with ElligatorSwift explanation (Pieter Wuille)
    4f09184 Add ellswift testing to CI (Pieter Wuille)
    1bcea8c Add benchmarks for ellswift module (Pieter Wuille)
    2d1d41a Add ctime tests for ellswift module (Pieter Wuille)
    df633cd Add _prefix and _bip324 ellswift_xdh hash functions (Pieter Wuille)
    9695deb Add tests for ellswift module (Pieter Wuille)
    c47917b Add ellswift module implementing ElligatorSwift (Pieter Wuille)
    79e5b2a Add functions to test if X coordinate is valid (Pieter Wuille)
    a597a5a Add benchmark for key generation (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      Davidson-Souza:
        tACK 90e360a. Full testing backlog:
      real-or-random:
        ACK 90e360a
      jonasnick:
        ACK 90e360a
    
    Tree-SHA512: cf59044c1b064f9a3fd57fd1c4c6ab154305ee6ad67a604bc254ddd6b8ee78626250d325174e10d2f2b19264ab0d58013508dc763aa07f5a1e6417e03551a378
    jonasnick committed Jun 21, 2023
    705ce7e
  3. Merge bitcoin-core/secp256k1#1347: field: Document return value of fe…

    …_sqrt()
    
    5779137 field: Document return value of fe_sqrt() (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 5779137
      theStack:
        ACK 5779137
    
    Tree-SHA512: 706f8c6a26bf85f6c23af3bb053173b2cdee6838dd930cb2b1e2f851f47cfebafccecbd7d84b8152f2fea12f0676c1ddd700bb32beebec3f3e0f4300e878d0f5
    real-or-random committed Jun 21, 2023
    3c1a0fd
  4. Add ellswift to CHANGELOG

    sipa committed Jun 21, 2023
    c32ffd8

Commits on Jun 23, 2023

  1. Refer to ellswift.md in API docs

    sipa committed Jun 23, 2023
    7c7467a

Commits on Jun 24, 2023

  1. Merge bitcoin-core/secp256k1#1336: Use __shiftright128 intrinsic in…

    … `secp256k1_u128_rshift` on MSVC
    
    5b7bf2e Use `__shiftright128` intrinsic in `secp256k1_u128_rshift` on MSVC (Hennadii Stepanov)
    
    Pull request description:
    
      Closes bitcoin-core/secp256k1#1324.
    
      As the `__shiftright128` [docs](https://learn.microsoft.com/en-us/cpp/intrinsics/shiftright128) state:
      > The `Shift` value is always modulo 64...
    
      it is not applicable for the `n >= 64` branch.
    
    ACKs for top commit:
      sipa:
        utACK 5b7bf2e
      real-or-random:
        ACK 5b7bf2e tested with MSVC x64
    
    Tree-SHA512: bc4c245a9da83c783a0479e751a4bc2ec77a34b99189fcc4431033a5420c93b610f3b960d3f23c15bce2eb010beba665b3e84d468b3fdab3d5846d4f27016898
    real-or-random committed Jun 24, 2023
    1083683
  2. Merge bitcoin-core/secp256k1#1295: abi: Use dllexport for mingw builds

    bc7c8db abi: Use dllexport for mingw builds (Cory Fields)
    
    Pull request description:
    
      Addresses the first part of #1181. See the discussion there for more context and history.
    
      After this, all that remains is a (platform-independent) exports checker for c-i. Or perhaps a linker script or .def file could be tricked into testing as a side-effect.
    
      This should fix mingw exports, specifically hiding the following:
      `secp256k1_pre_g_128`
      `secp256k1_pre_g`
      `secp256k1_ecmult_gen_prec_table`
    
      This changes our visibility macros to look more like [gcc's recommendation](https://gcc.gnu.org/wiki/Visibility#How_to_use_the_new_C.2B-.2B-_visibility_support).
    
      Edit:
      Note that we could further complicate this by supporting `__attribute__ ((dllexport))` as well, though I didn't bother as I'm not sure what compiler combo would accept that but not the bare dllexport syntax.
    
      Edit2:
      As the title implies, this affects this ABI and could affect downstream libs/apps in unintended ways (though it's hard to imagine any real downside). Though because it's win32 only, I'm imagining very little real-world impact at all.
    
    ACKs for top commit:
      hebasto:
        re-ACK bc7c8db, only a comment has been adjusted since my recent [review](bitcoin-core/secp256k1#1295 (review)),
      real-or-random:
        utACK bc7c8db
    
    Tree-SHA512: 378e15556da49494f551bdf4f7b41304db9d03a435f21fcc947c9520aa43e3c655cfe216fba57a5179a871c975c806460eef7c33b105f2726e1de0937ff2444e
    real-or-random committed Jun 24, 2023
    926dd3e
  3. Fix a typo in the error message

    The code has been copy-pasted from the `precompute_ecmult_gen.c` source
    file.
    hebasto committed Jun 24, 2023
    67887ae

Commits on Jun 25, 2023

  1. Merge bitcoin-core/secp256k1#1354: Add ellswift to CHANGELOG

    7c7467a Refer to ellswift.md in API docs (Pieter Wuille)
    c32ffd8 Add ellswift to CHANGELOG (Pieter Wuille)
    
    Pull request description:
    
      A follow-up with a CHANGELOG entry for #1129.
    
    ACKs for top commit:
      real-or-random:
        ACK 7c7467a
      theStack:
        ACK 7c7467a
    
    Tree-SHA512: 4f066e4b8d5e130f2b5bea0ed4c634e9426bc576342aad6c306e0805a8354e27a5e679b15ec869d4e7d36eb5d53174e46b3bf5e15d19a7e165afc82e46ddfcf5
    real-or-random committed Jun 25, 2023
    ac43613
  2. Merge bitcoin-core/secp256k1#1355: Fix a typo in the error message

    67887ae Fix a typo in the error message (Hennadii Stepanov)
    
    Pull request description:
    
      The code has been copy-pasted from the `precompute_ecmult_gen.c` source file.
    
    ACKs for top commit:
      real-or-random:
        ACK 67887ae
    
    Tree-SHA512: d6874949310197e5d2d6c43f5a7c2165b4ee0f6cbe3cc1491d0f97163fa5329ebeab2b2adf10246c87382016fbe738c69dfd3f2253e93c906bf404cbf439b12a
    real-or-random committed Jun 25, 2023
    fd491ea
  3. 8a72734
  4. tests: refactor: take use of secp256k1_ge_x_on_curve_var

    The recently merged ellswift PR (#1129) introduced a helper
    `secp256k1_ge_x_on_curve_var` to check if a given X coordinate is
    valid (i.e. the expression x^3 + 7 is square, see commit
    79e5b2a). This can be used for code
    deduplication in the `ecmult_const_mult_xonly` test.
    theStack committed Jun 25, 2023
    7d8d5c8

Commits on Jun 26, 2023

  1. a178209
  2. c862a9f

Commits on Jun 27, 2023

  1. Merge bitcoin-core/secp256k1#1356: ci: Adjust Docker image to Debian …

    …12 "bookworm"
    
    c862a9f ci: Adjust Docker image to Debian 12 "bookworm" (Hennadii Stepanov)
    a178209 ci: Force DWARF v4 for Clang when Valgrind tests are expected (Hennadii Stepanov)
    8a72734 Help the compiler prove that a loop is entered (Tim Ruffing)
    
    Pull request description:
    
      Since the [release](https://www.debian.org/News/2023/20230610.html) of Debian 12 "bookworm", it has become the "stable" one that our `ci/linux-debian.Dockerfile` relies on.
    
      Last time the Docker image was built based on Debian Bullseye.
    
      Changes in packages are significant, for instance:
      - `gcc` 10.2 --> 12.2
      - `clang` 11.0 --> 14.0
      - `wine` 5.0 --> 8.0
    
      which requires certain adjustments provided in this PR.
    
      The first commit has been cherry-picked from bitcoin-core/secp256k1#1313.
    
    ACKs for top commit:
      sipa:
        utACK c862a9f
      real-or-random:
        ACK c862a9f
    
    Tree-SHA512: 2a62a8865f904a460274f1f3ec02d2b0b72c84b25722a383c6455cfe672c1d93382941a5027e8dceb2c0f5fe0f0efd49a0ed6b72303982f9e32991f1535538eb
    real-or-random committed Jun 27, 2023
    799f4ee
  2. Merge bitcoin-core/secp256k1#1357: tests: refactor: take use of `secp…

    …256k1_ge_x_on_curve_var`
    
    7d8d5c8 tests: refactor: take use of `secp256k1_ge_x_on_curve_var` (Sebastian Falbesoner)
    
    Pull request description:
    
      The recently merged ellswift PR (#1129) introduced a helper `secp256k1_ge_x_on_curve_var` to check if a given X coordinate is on the curve (i.e. the expression x^3 + 7 is square, see commit 79e5b2a). This can be used for code deduplication in the `ecmult_const_mult_xonly` test.
    
      (Found this instance via `$ git grep add_int.*SECP256K1_B`, I think it's the only one where the helper can be used.)
    
    ACKs for top commit:
      sipa:
        utACK 7d8d5c8
      real-or-random:
        utACK 7d8d5c8
    
    Tree-SHA512: aebff9b5ef2f6f6664ce89e4e1272cb55b6aac81cfb379652c4b7ab30dd1d7fd82a2c3b47c7b7429755ba28f011a3a9e2e6d3aa5c77d3b105d159104c24b89f3
    real-or-random committed Jun 27, 2023
    4494a36
  3. Merge bitcoin-core/secp256k1#1345: field: Static-assert that int args…

    … affecting magnitude are constant
    
    be8ff3a field: Static-assert that int args affecting magnitude are constant (Tim Ruffing)
    
    Pull request description:
    
      See #1001.
    
      Try to revert the lines in `tests.c` to see the error message in action.
    
    ACKs for top commit:
      sipa:
        ACK be8ff3a. Verified by introducing some non-constant expressions and seeing compilation fail.
      theStack:
        ACK be8ff3a
    
    Tree-SHA512: 8befec6ee64959cdc7f3e29b4b622410794cfaf69e9df8df17600390a93bc787dba5cf86239de6eb2e99c038b9aca5461e4b3c82f0e0c4cf066ad7c689941b19
    real-or-random committed Jun 27, 2023
    3aef6ab
  4. tests: refactor: remove duplicate function random_field_element_test

    There is a function `random_fe_test` which does exactly the
    same, so use that instead. Note that it's also moved up before the
    `random_group_element_test` function, in order to avoid needing a forward
    declaration.
    theStack committed Jun 27, 2023
    304421d
  5. tests: introduce helper for non-zero random_fe_test results

    There are several instances in the tests where random non-zero field
    elements are generated by calling `random_fe_test` in a do/while-loop.
    This commit deduplicates all these by introducing a
    `random_fe_non_zero_test` helper. Note that some instances checked the
    is-zero condition via `secp256k1_fe_normalizes_to_zero_var`, which is
    unnecessary, as the result of `random_fe_test` is already normalized (so
    strictly speaking, this is not a pure refactor).
    theStack committed Jun 27, 2023
    5a95a26
  6. Merge bitcoin-core/secp256k1#1358: tests: introduce helper for non-ze…

    …ro `random_fe_test()` results
    
    5a95a26 tests: introduce helper for non-zero `random_fe_test` results (Sebastian Falbesoner)
    304421d tests: refactor: remove duplicate function `random_field_element_test` (Sebastian Falbesoner)
    
    Pull request description:
    
      There are several instances in the tests where random non-zero field elements are generated by calling `random_fe_test` in a do/while-loop with is-zero condition. This PR deduplicates all these by introducing a `random_fe_non_zero_test` helper. Note that some instances checked the is-zero condition via `secp256k1_fe_normalizes_to_zero_var`, which is unnecessary, as the result of `random_field_element_test` is already normalized (so strictly speaking, this is not a pure refactor, and there could be tiny run-time improvements, though I doubt that's measurable).
    
      Additionally, the first commit removes the function `random_field_element_test` as it is logically a duplicate of `random_fe_test`.
    
    ACKs for top commit:
      real-or-random:
        ACK 5a95a26
    
    Tree-SHA512: 920404f38ebe8b84bfd52f3354dc17ae6a0fd6355f99b78c9aeb53bf21f7eca5fd4518edc8a422d84f430ae95864661b497de42a3ab7fa9c49515a1df2f1d466
    real-or-random committed Jun 27, 2023
    0fa84f8

Commits on Jun 28, 2023

  1. a6ca76c
  2. 5b9f37f

Commits on Jul 1, 2023

  1. ci: Drop manual checkout of merge commit

    This is no longer necessary as of
    cirruslabs/cirrus-ci-docs#791 (comment) .
    real-or-random committed Jul 1, 2023
    98579e2

Commits on Jul 2, 2023

  1. Merge bitcoin-core/secp256k1#1368: ci: Drop manual checkout of merge …

    …commit
    
    98579e2 ci: Drop manual checkout of merge commit (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK 98579e2
    
    Tree-SHA512: fe5305322e6fa616af4664db7c151acdfb8119feb0255a65190b9c185ae5383eab37debe76085dfc8137c691e0ff55cb20d9e51993f6cc871bc6c5c945ed66bf
    jonasnick committed Jul 2, 2023
    249c81e

Commits on Jul 3, 2023

  1. ci: Print commit in Windows container

    This change adds the same functionality to Windows containers that is
    already available in Linux containers.
    hebasto committed Jul 3, 2023
    a7bec34
  2. Merge bitcoin-core/secp256k1#1369: ci: Print commit in Windows container

    a7bec34 ci: Print commit in Windows container (Hennadii Stepanov)
    
    Pull request description:
    
      This PR is a follow-up to bitcoin-core/secp256k1#1368 and adds the same functionality to Windows containers that is already available in Linux containers.
    
      See: bitcoin-core/secp256k1#1368 (comment).
    
    ACKs for top commit:
      real-or-random:
        ACK a7bec34 seems to work: https://cirrus-ci.com/task/4919320090771456?logs=git_show#L2
    
    Tree-SHA512: 0998e0f7231e3057a7e358a27b34071c73ca556973da20494db84fc67f2a72ad2fe582e59647a425ee41e7d9103a0a22fb3cdf0ace6fe0aed1d21f2f75c8ec53
    real-or-random committed Jul 3, 2023
    7966aee
  3. build: Introduce SECP256K1_STATIC macro for Windows users

    It is a non-Libtool-specific way to explicitly specify the user's
    intention to consume a static `libsecp256k1`.
    
    This change allows to get rid of MSVC linker warnings LNK4217 and
    LNK4286. Also, it makes possible to merge the `SECP256K1_API` and
    `SECP256K1_API_VAR` into one.
    hebasto committed Jul 3, 2023
    ae9db95
  4. 9f1b190
  5. build: Introduce SECP256k1_DLL_EXPORT macro

    This change provides a way to build a shared library that is not tied
    to the Libtool-specific `DLL_EXPORT` macro.
    hebasto committed Jul 3, 2023
    0196e8a
  6. 020bf69
  7. c6cd2b1
  8. Merge bitcoin-core/secp256k1#1323: tweak_add: fix API doc for tweak=0

    05873bb tweak_add: fix API doc for tweak=0 (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 05873bb
    
    Tree-SHA512: ef587a680c3355c6328dd61e0f5fcac80ea995f6045b4392fe35f3ee1c04ee1bd941662c120758ad641588670c1f0f53bfb17a802821f54100f1385b8bb7375a
    jonasnick committed Jul 3, 2023
    fb758fe
  9. Merge bitcoin-core/secp256k1#1364: Avoid -Wmaybe-uninitialized when…

    … compiling with `gcc -O1`
    
    5b9f37f ci: Add `CFLAGS: -O1` to task matrix (Hennadii Stepanov)
    a6ca76c Avoid `-Wmaybe-uninitialized` when compiling with `gcc -O1` (Hennadii Stepanov)
    
    Pull request description:
    
      Fixes bitcoin-core/secp256k1#1361.
    
      CI tasks have been adjusted to catch similar issues in the future.
    
    ACKs for top commit:
      real-or-random:
        utACK 5b9f37f
      jonasnick:
        tACK 5b9f37f
    
    Tree-SHA512: 8aa5ec22ed88579ecd37681df68d64f8bab93cd14bdbf432a3af41cadc7ab3eba86c33c179db15bf3a3c798c33064bd845ebdedb02ee617ef634e98c596838c2
    real-or-random committed Jul 3, 2023
    3fc1de5
  10. group: remove unneeded normalize_weak in secp256k1_gej_eq_x_var

    By requiring that the input group element's X coordinate (`a->x`) has a
    magnitude of <= 31, the normalize_weak call and also the field element
    variable `r2` are not needed anymore and hence can be dropped.
    theStack committed Jul 3, 2023
    07c0e8b
  11. small fixes

    restoring wycheproof files
    
    restoring wycheproof files2
    criadoperez committed Jul 3, 2023
    b6b9834
  12. Merge bitcoin-core/secp256k1#1370: Corrected some typos

    b6b9834 small fixes (Alejandro)
    
    Pull request description:
    
      Corrected some typos
    
    ACKs for top commit:
      real-or-random:
        ACK b6b9834
    
    Tree-SHA512: c40c22c66f1067ecca351f08cca07a78b00bb98af2f6cfb08c25d0b1db6845e0e32ace1954c386db7020cf9fc7ae973ff15bd6d9c0144f3d21ea28c15741050f
    real-or-random committed Jul 3, 2023
    0aacf64
  13. Merge bitcoin-core/secp256k1#1367: build: Improvements to symbol visi…

    …bility logic on Windows (attempt 3)
    
    c6cd2b1 ci: Add task for static library on Windows + CMake (Hennadii Stepanov)
    020bf69 build: Add extensive docs on visibility issues (Tim Ruffing)
    0196e8a build: Introduce `SECP256k1_DLL_EXPORT` macro (Hennadii Stepanov)
    9f1b190 refactor: Replace `SECP256K1_API_VAR` with `SECP256K1_API` (Hennadii Stepanov)
    ae9db95 build: Introduce `SECP256K1_STATIC` macro for Windows users (Hennadii Stepanov)
    
    Pull request description:
    
      Previous attempts:
      - bitcoin-core/secp256k1#1346
      - bitcoin-core/secp256k1#1362
    
      The result is as follows:
      1. Simple, concise and extensively documented code.
      2. Explicitly documented use cases with no ambiguities.
      3. No workarounds for linker warnings.
      4. Solves one item in bitcoin-core/secp256k1#1235.
    
    ACKs for top commit:
      real-or-random:
        utACK c6cd2b1
    
    Tree-SHA512: d58694452d630aefbd047916033249891bc726b7475433aaaa7c3ea2a07ded8f185a598385b67c2ee3440ec5904ff9d9452c97b0961d84dcb2eb2cf46caa171e
    real-or-random committed Jul 3, 2023
    9e6d1b0

Commits on Jul 4, 2023

  1. Merge bitcoin-core/secp256k1#1344: group: save normalize_weak calls i…

    …n `secp256k1_ge_is_valid_var`/`secp256k1_gej_eq_x_var`
    
    07c0e8b group: remove unneeded normalize_weak in `secp256k1_gej_eq_x_var` (Sebastian Falbesoner)
    efa76c4 group: remove unneeded normalize_weak in `secp256k1_ge_is_valid_var` (Sebastian Falbesoner)
    
    Pull request description:
    
      This PR removes unneeded normalize_weak calls in two group element functions:
      * `secp256k1_ge_is_valid_var`: After calculating the right-hand side of the elliptic curve equation (x^3 + 7), the field element `x3` has a magnitude of 2 (1 as result of `secp256k1_fe_mul`, then increased by 1 due to `secp256k1_fe_add_int`). This is fine for `secp256k1_fe_equal_var`, as the second parameter only requires the magnitude to not exceed 31, and the normalize_weak call is hence not needed and can be dropped. Note that the interface description for `secp256k1_fe_equal` (which also applies to `secp256k1_fe_equal_var`) once stated that _both_ parameters need to have magnitude 1, but that was corrected in commit 7d7d43c.
    
      * `secp256k1_gej_eq_x_var`: By requiring that the input group element's X coordinate (`a->x`) has a magnitude of <= 31, the normalize_weak call and also the field element variable `r2` are not needed anymore and hence can be dropped.
    
    ACKs for top commit:
      sipa:
        utACK 07c0e8b
      jonasnick:
        ACK 07c0e8b
    
    Tree-SHA512: 9037e4af881ce7bf3347414d6da06b99e3d318733ba4f70e8b24d2320c2f26d022144e17bd6b95c1a4ef1be3825a4464e56ce2d2b3ae7bbced04257048832b7f
    real-or-random committed Jul 4, 2023
    332af31

Commits on Jul 5, 2023

  1. c7d900f
  2. Add exhaustive test for ellswift (create+decode roundtrip)

    Co-authored-by: Pieter Wuille <pieter@wuille.net>
    Co-authored-by: Tim Ruffing <crypto@timruffing.de>
    3 people committed Jul 5, 2023
    2792119
  3. Merge bitcoin-core/secp256k1#1371: Add exhaustive tests for ellswift …

    …(with create+decode roundtrip)
    
    2792119 Add exhaustive test for ellswift (create+decode roundtrip) (Sebastian Falbesoner)
    
    Pull request description:
    
      This PR adds the basic structure for ellswift exhaustive tests. Right now only a `secp256k1_ellswift_create` + `secp256k1_ellswift_decode` indirect roundtrip (exhaustive loop scalar -> ellswift pubkey -> decoded pubkey -> decoded group element, compared with exhaustive precomputed group element) is included.
    
      The exhaustive test passes locally with all currently supported orders (n=13 [default] and n=199). Note that for n=7, the test is skipped, as the used curve in this case is even-ordered and ellswift only supports odd-ordered curves.
    
    ACKs for top commit:
      sipa:
        utACK 2792119
      real-or-random:
        utACK 2792119
    
    Tree-SHA512: c51d3d99e9839793b3c15d75b9a29f01080db160ab8819973abd877288f9f0af972ea4264290220ab1cd035fdebcfac7767436aa39154d924ef0bf6a5733a55d
    real-or-random committed Jul 5, 2023
    afd7eb4

Commits on Jul 6, 2023

  1. Merge bitcoin-core/secp256k1#1363: doc: minor ellswift.md updates

    c7d900f doc: minor ellswift.md updates (stratospher)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK c7d900f
      real-or-random:
        ACK c7d900f
    
    Tree-SHA512: 161c17d038eb1eed9f5811c3eb92975a821a5274e7f69aa386bfbe5376b3f06f3d0d2887ea3310efbec83424f09ea8e4082e8c02b2fcad3b915625ce5c2007d2
    real-or-random committed Jul 6, 2023
    c9ebca9
  2. field: Use restrict consistently in fe_sqrt

    That is, use it also in the definition and not only the declaration.
    
    I believe this was the intention of commit
    be82bd8, but it was omitted there.
    real-or-random committed Jul 6, 2023
    b79ba8a
  3. ci: Install development snapshots of gcc and clang

    TODO: Make sure the Docker image is actually rebuilt
    real-or-random committed Jul 6, 2023
    1deecaa
  4. 609093b
  5. e9e9648
  6. 981e5be

Commits on Jul 10, 2023

  1. clean up in-comment Sage code (refer to secp256k1_params.sage, update…

    … to Python3)
    
    Some of the C source files contain in-comment Sage code
    calculating secp256k1 parameters that are already defined in the file
    secp256k1_params.sage.  Replace that by a corresponding load instruction
    and access the necessary variables. In ecdsa_impl.h, update the comment
    to use a one-line shell command calling sage to get the values.
    
    The remaining code (test `test_add_neg_y_diff_x` in tests.c) is updated
    to work with a current version based on Python3 (Sage 9.0+, see
    https://wiki.sagemath.org/Python3-Switch).
    
    The latter can be seen as a small follow-up to PR #849 (commit
    13c88ef).
    theStack committed Jul 10, 2023
    600c5ad
  2. Merge bitcoin-core/secp256k1#1340: clean up in-comment Sage code (ref…

    …er to secp256k1_params.sage, update to Python3)
    
    600c5ad clean up in-comment Sage code (refer to secp256k1_params.sage, update to Python3) (Sebastian Falbesoner)
    
    Pull request description:
    
      Some of the C source files contain in-comment Sage code calculating secp256k1 parameters that are already defined in the file secp256k1_params.sage.  Replace that by a corresponding load instruction and access the necessary variables. In ecdsa_impl.h, update the comment to use a one-line shell command calling sage to get the values.
    
      The remaining code (test `test_add_neg_y_diff_x` in tests.c) is updated to work with a current version based on Python3 (Sage 9.0+, see https://wiki.sagemath.org/Python3-Switch).
    
      The latter can be seen as a small follow-up to PR #849 (commit 13c88ef).
    
    ACKs for top commit:
      sipa:
        ACK 600c5ad
      real-or-random:
        ACK 600c5ad
    
    Tree-SHA512: a9e52f6afbce65edd9ab14203612c3d423639f450fe8f0d269a3dda04bebefa95b607f7aa0faec864cb78b46d49f281632bb1277118749b7d8613e9f5dcc8f3d
    real-or-random committed Jul 10, 2023
    cc55757

Commits on Jul 11, 2023

  1. Merge bitcoin-core/secp256k1#1366: field: Use restrict consistently…

    … in fe_sqrt
    
    b79ba8a field: Use `restrict` consistently in fe_sqrt (Tim Ruffing)
    
    Pull request description:
    
      That is, use it also in the definition and not only the declaration.
    
      I believe this was the intention of commit
      bitcoin-core/secp256k1@be82bd8, but it was omitted there.
    
      edit: Changed the description. I'm not entirely sure but after looking at the standard, I tend to think this is more than a cosmetic change, and only this change actually makes the parameters `restrict`. Anyway, I believe making them `restrict` was simply forgotten in be82bd8.
    
    ACKs for top commit:
      sipa:
        utACK b79ba8a
    
    Tree-SHA512: eecec7674d8cef7833d50f4041b87241ca8de4839aa8027df1c422b89f5a1bcef3916ac785057a596c459ce1aa9d41e5a21ecb6fed9c5d15a1d9f588c7ee208e
    real-or-random committed Jul 11, 2023
    0f7657d

Commits on Jul 13, 2023

  1. Merge bitcoin-core/secp256k1#1313: ci: Test on development snapshots …

    …of GCC and Clang
    
    981e5be ci: Fix typo in comment (Tim Ruffing)
    e9e9648 ci: Reduce number of macOS tasks from 28 to 8 (Tim Ruffing)
    609093b ci: Add x86_64 Linux tasks for gcc and clang snapshots (Tim Ruffing)
    1deecaa ci: Install development snapshots of gcc and clang (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      hebasto:
        re-ACK 981e5be
      jonasnick:
        ACK 981e5be
    
    Tree-SHA512: a36ef6f3c30a7f6e09e186e67b8eeb6e16e05de3bd97f21342866e75e33275103d463b6a12603ce235da7e26e4acdef4d811f62f369f18db9ac4e7ff06749136
    jonasnick committed Jul 13, 2023
    907a672

Commits on Jul 17, 2023

  1. ellswift: fix probabilistic test failure when swapping sides

    When configured with `--disable-module-ecdh --enable-module-recovery`, then
    `./tests  64 81af32fd7ab8c9cbc2e62a689f642106` fails with
    ```
    src/modules/ellswift/tests_impl.h:396: test condition failed: secp256k1_memcmp_var(share32_bad, share32a, 32) != 0
    ```
    
    This test verifies that changing the `party` bit of the
    `secp256k1_ellswift_xdh` function results in a different share. However, that's
    not the case when the secret keys of both parties are the same and this is
    actually what happens in the observed test failure. The keys can be equal in
    this test case because they are created by the `random_scalar_order_test`
    function whose output is not uniformly random (it's biased towards 0).
    
    This commit restores the assumption that the secret keys differ.
    jonasnick committed Jul 17, 2023
    c424e2f
  2. Merge commits '8b013fce 485f608 44c2452 cd47033 accadc9 43756da ' int…

    …o temp-merge-1115
    jonasnick committed Jul 17, 2023
    9a98106
  3. 64717a7
  4. e996d07
  5. Merge bitcoin-core/secp256k1#1378: ellswift: fix probabilistic test f…

    …ailure when swapping sides
    
    c424e2f ellswift: fix probabilistic test failure when swapping sides (Jonas Nick)
    
    Pull request description:
    
      Reported by jonatack in bitcoin/bitcoin#28079.
    
      When configured with `--disable-module-ecdh --enable-module-recovery`, then `./tests  64 81af32fd7ab8c9cbc2e62a689f642106` fails with
      ```
      src/modules/ellswift/tests_impl.h:396: test condition failed: secp256k1_memcmp_var(share32_bad, share32a, 32) != 0
      ```
    
      This test verifies that changing the `party` bit of the `secp256k1_ellswift_xdh` function results in a different share. However, that's not the case when the secret keys of both parties are the same and this is actually what happens in the observed test failure. The keys can be equal in this test case because they are created by the `random_scalar_order_test` function whose output is not uniformly random (it's biased towards 0).
    
      This commit restores the assumption that the secret keys differ.
    
    ACKs for top commit:
      sipa:
        utACK c424e2f
      real-or-random:
        utACK c424e2f
    
    Tree-SHA512: d1ab61473a77478f9aeffb21ad73e0bba478c90d8573c72ec89d2e0140434cc65c9d5f4d56e5f259931dc68fc1800695c6cd5d63d9cfce4c1c4d6744eeaa2028
    real-or-random committed Jul 17, 2023
    b40e2d3

Commits on Jul 18, 2023

  1. Merge commits '2286f809 751c435 477f02c e3f8477 5c789dc 8c949f5 21ffe4b

    … ' into temp-merge-1055
    jonasnick committed Jul 18, 2023
    6c54db1
  2. Merge bitcoin-core/secp256k1#1298: Remove randomness tests

    6ec3731 Simplify test PRNG implementation (Pieter Wuille)
    fb5bfa4 Add static test vector for Xoshiro256++ (Tim Ruffing)
    723e8ca Remove randomness tests (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 6ec3731
      jonasnick:
        ACK 6ec3731
    
    Tree-SHA512: 4cbbb9c42e31f067b17dd9169ae5d5e68bce77d1253452db9df523d3be2b5d61002d5a4203e5a153f257ec63c5ff2113555743eeb402d4b6c573069ea494d407
    jonasnick committed Jul 18, 2023
    c545fdc

Commits on Jul 20, 2023

  1. 304fc88
  2. Merge pull request #246 from jonasnick/temp-merge-1187

    Upstream PRs 1174, 1154, 1178, 1177, 1171, 1158, 1183, 1185, 1186, 1188, 1187
    jonasnick authored Jul 20, 2023
    7aa9887
  3. 0d540ec

Commits on Jul 21, 2023

  1. Merge #251: Update sync-upstream with master

    7e91936 ci: Always define EXPERIMENTAL variable (Tim Ruffing)
    0a99156 sync-upstream.sh: Add "git show --remerge-diff" tip (Tim Ruffing)
    9b6a1c3 sync-upstream.sh: Fix position of "-b" option in reproduce command (Tim Ruffing)
    05b207e sync-upstream: allows providing the local branch via cli (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 7e91936
    
    Tree-SHA512: 4527cb6a2493d210eb7ba6d8f6e717b2acbc07aebdc1c4011cffe23490876a4e795d656a69df2cd50e4e3fe8742c123d9ea493914c148c8fbc93d7d3799e7447
    jonasnick committed Jul 21, 2023
    897c765
  2. Merge #249: Upstream PRs 1160, 1193, 1169, 1190, 1192, 1194, 1196, 11…

    …95, 1170, 1172, 1200, 1199, 1203, 1201, 1206, 1078, 1209, 979, 1212, 1218, 1217, 1221, 1222
    
    5d8f53e Remove redudent checks. (Russell O'Connor)
    d232112 Update Changelog (Tim Ruffing)
    b081f7e Add secp256k1_fe_add_int function (Pieter Wuille)
    2ef1c9b Update overflow check (Russell O'Connor)
    5660c13 prevent optimization in algorithms (Harshil Jani)
    ce3cfc7 doc: Describe Jacobi calculation in safegcd_implementation.md (Elliott Jin)
    6be0103 Add secp256k1_fe_is_square_var function (Pieter Wuille)
    1de2a01 Native jacobi symbol algorithm (Pieter Wuille)
    04c6c1b Make secp256k1_modinv64_det_check_pow2 support abs val (Pieter Wuille)
    5fffb2c Make secp256k1_i128_check_pow2 support -(2^n) (Pieter Wuille)
    e433034 ci: Shutdown wineserver whenever CI script exits (Tim Ruffing)
    9a5a611 build: Suppress stupid MSVC linker warning (Tim Ruffing)
    739c53b examples: Extend sig examples by call that uses static context (Tim Ruffing)
    914276e build: Add SECP256K1_API_VAR to fix importing variables from DLLs (Tim Ruffing)
    e089eec group: Further simply gej_add_ge (Tim Ruffing)
    ac71020 group: Save a normalize_to_zero in gej_add_ge (Tim Ruffing)
    8c7e0fc build: Add -Wreserved-identifier supported by clang (Tim Ruffing)
    9b60e31 ci: Do not set git's `user.{email,name}` config options (Hennadii Stepanov)
    ef39721 Do not link `bench` and `ctime_tests` to `COMMON_LIB` (Hennadii Stepanov)
    c241586 ci: Don't fetch git history (Tim Ruffing)
    0ecf318 ci: Use remote pull/merge ref instead of local git merge (Tim Ruffing)
    9b7d186 Drop no longer used Autoheader macros (Hennadii Stepanov)
    eb6beba scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs (Jonas Nick)
    7f49aa7 ci: add test job with -DVERIFY (Jonas Nick)
    620ba3d benchmarks: fix bench_scalar_split (Jonas Nick)
    e39d954 tests: Add CHECK_ILLEGAL(_VOID) macros and use in static ctx tests (Tim Ruffing)
    61841fc contexts: Forbid randomizing secp256k1_context_static (Tim Ruffing)
    4b6df5e contexts: Forbid cloning/destroying secp256k1_context_static (Tim Ruffing)
    8f51229 ctime_tests: improve output when CHECKMEM_RUNNING is not defined (Jonas Nick)
    2cd4e3c Drop no longer used `SECP_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    613626f Drop no longer used `SECP_TEST_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    d6ff738 Ensure safety of ctz_debruijn implementation. (Russell O'Connor)
    ce60785 Introduce SECP256K1_B macro for curve b coefficient (Pieter Wuille)
    4934aa7 Switch to exhaustive groups with small B coefficient (Pieter Wuille)
    e03ef86 Make all non-API functions (except main) static (Pieter Wuille)
    0f088ec Rename CTIMETEST -> CTIMETESTS (Pieter Wuille)
    74b026f Add runtime checking for DECLASSIFY flag (Pieter Wuille)
    5e2e6fc Run ctime test in Linux MSan CI job (Pieter Wuille)
    1897406 Make ctime tests building configurable (Pieter Wuille)
    5048be1 Rename valgrind_ctime_test -> ctime_tests (Pieter Wuille)
    6eed6c1 Update error messages to suggest msan as well (Pieter Wuille)
    8e11f89 Add support for msan integration to checkmem.h (Pieter Wuille)
    8dc6407 Add compile-time error to valgrind_ctime_test (Pieter Wuille)
    0db05a7 Abstract interactions with valgrind behind new checkmem.h (Pieter Wuille)
    4f1a54e Move valgrind CPPFLAGS into SECP_CONFIG_DEFINES (Pieter Wuille)
    d4a6b58 Add `noverify_tests` to `.gitignore` (Hennadii Stepanov)
    e862c4a Makefile: add -I$(top_srcdir)/src to CPPFLAGS for precomputed (Matt Whitlock)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        tACK  0d540ec
    
    Tree-SHA512: bc54ccf752163ab6e1a12bb8c4e1f9339f4421d2e4f7716c408549514b3c902f2e9f727655799f1eecb085b0026761b04735b17be3c95c6cf54e07fbf7e86477
    jonasnick committed Jul 21, 2023
    3937cef
  3. dc73359
  4. Merge #252: Upstream PRs 1113, 1225, 1227, 1229, 1223

    b40adf2 release: prepare for 0.3.0 (Jonas Nick)
    8be82d4 cmake: Rename project to "libsecp256k1" (Hennadii Stepanov)
    756b61d readme: Use correct build type in CMake/Windows build instructions (Tim Ruffing)
    92098d8 changelog: Add entry for CMake (Tim Ruffing)
    e1eb337 ci: Add "x86_64: Windows (VS 2022)" task (Hennadii Stepanov)
    10602b0 cmake: Export config files (Hennadii Stepanov)
    5468d70 build: Add CMake-based build system (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK dc73359
    
    Tree-SHA512: ded76837ee78d3a99daf5e9dbdb3912a1f7efb8b9ea329535e5b5452f8bf6d02bc290dd2378b17a20e1d33b4811c1d88482bf46a57d6c414855b64cf55e38e99
    jonasnick committed Jul 21, 2023
    d47e4d4

Commits on Jul 24, 2023

  1. refactor: Drop unused cast

    hebasto committed Jul 24, 2023
    4f8c5bd
  2. a9a5c24
  3. Merge bitcoin-core/secp256k1#1382: refactor: Drop unused cast

    4f8c5bd refactor: Drop unused cast (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 4f8c5bd
      jonasnick:
        ACK 4f8c5bd
    
    Tree-SHA512: cc94b524f53e393bd843383e92bbc5b84dd7557d8121241f2d0461b960a0706236147d02b6f5bfc433272849f517c62eb6f1e0cfae892e1b8054817c27365430
    jonasnick committed Jul 24, 2023
    2bd5f3e
  4. 7a07f3d

Commits on Jul 25, 2023

  1. musig: ensure point_load output is normalized

    This is similar to the upstream commit "Normalize ge produced from
    secp256k1_pubkey_load".
    jonasnick committed Jul 25, 2023
    e593ed5
  2. util: remove unused checked_realloc

    Usage was removed in 6fe5043.
    theuni committed Jul 25, 2023
    b097a46

Commits on Jul 26, 2023

  1. Merge bitcoin-core/secp256k1#1383: util: remove unused checked_realloc

    b097a46 util: remove unused checked_realloc (Cory Fields)
    
    Pull request description:
    
      Usage was removed in 6fe5043. This should be a NOOP.
    
      Noticed when analyzing for zenbleed exposure: stdlib calls that aren't optimized away.
    
      In this case realloc isn't making it into the final binary, but as far as I can tell this is completely dead code and should be dropped.
    
    ACKs for top commit:
      jonasnick:
        ACK b097a46
      real-or-random:
        ACK b097a46
    
    Tree-SHA512: d4249215eddd4035be2b50a8bb48b8a681abdab4ab41ca53f6c2a2507edfbc9ffa39ba22eb48e7da52f978e224198294495ce64f9d571d98c19283b20b82a63a
    real-or-random committed Jul 26, 2023
    0e00fc7
  2. build: enable ellswift module via SECP_CONFIG_DEFINES

    ...like the other modules.
    jonasnick committed Jul 26, 2023
    78ca880

Commits on Jul 27, 2023

  1. Merge bitcoin-core/secp256k1#1384: build: enable ellswift module via …

    …SECP_CONFIG_DEFINES
    
    78ca880 build: enable ellswift module via SECP_CONFIG_DEFINES (Jonas Nick)
    
    Pull request description:
    
      ...like the other modules.
    
    ACKs for top commit:
      sipa:
        utACK 78ca880
      real-or-random:
        utACK 78ca880
    
    Tree-SHA512: c157a1ed912b9aa1a318aa0a70859a3ac67cb22303993f08ff00ed601e6ac197380dd503d3b361cbc4e698fc6489b5283b782f570f2703809d23668f3ebe5ba6
    real-or-random committed Jul 27, 2023
    c734c64
  2. 4692478
  3. Merge bitcoin-core/secp256k1#1386: ci: print $ELLSWIFT in cirrus.sh

    4692478 ci: print $ELLSWIFT in cirrus.sh (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 4692478
    
    Tree-SHA512: 84c6021e2135857541def6ba058d9c9a1c180fd32a625854ff82d51d0561a4dd243623d38d335aeaf40200501581c0678878a9166f4a96ae3fb32717b8d39fbd
    real-or-random committed Jul 27, 2023
    26392da
  4. 74d9073
  5. b160486
  6. 579999b
  7. 4c70cc9
  8. 525b661
  9. Merge #257: Upstream PRs 1314, 1317, 1318, 1316, 1327, 1310, 1328, 13…

    …33, 1330, 1334, 1337, 1341, 1339, 1350, 1349, 1338, 1129, 1347, 1336, 1295, 1354, 1355, 1356
    
    525b661 bppp/build: Fix linkage of benchmark (Tim Ruffing)
    4c70cc9 Suppress wrong/buggy warning in MSVC <19.33 (Tim Ruffing)
    579999b scalar: adjust muladd2 to new int128 interface (Jonas Nick)
    b160486 ecdsa_adaptor: add missing include (Jonas Nick)
    c862a9f ci: Adjust Docker image to Debian 12 "bookworm" (Hennadii Stepanov)
    a178209 ci: Force DWARF v4 for Clang when Valgrind tests are expected (Hennadii Stepanov)
    8a72734 Help the compiler prove that a loop is entered (Tim Ruffing)
    67887ae Fix a typo in the error message (Hennadii Stepanov)
    7c7467a Refer to ellswift.md in API docs (Pieter Wuille)
    c32ffd8 Add ellswift to CHANGELOG (Pieter Wuille)
    bc7c8db abi: Use dllexport for mingw builds (Cory Fields)
    5b7bf2e Use `__shiftright128` intrinsic in `secp256k1_u128_rshift` on MSVC (Hennadii Stepanov)
    5779137 field: Document return value of fe_sqrt() (Tim Ruffing)
    90e360a Add doc/ellswift.md with ElligatorSwift explanation (Pieter Wuille)
    4f09184 Add ellswift testing to CI (Pieter Wuille)
    1bcea8c Add benchmarks for ellswift module (Pieter Wuille)
    2d1d41a Add ctime tests for ellswift module (Pieter Wuille)
    df633cd Add _prefix and _bip324 ellswift_xdh hash functions (Pieter Wuille)
    9695deb Add tests for ellswift module (Pieter Wuille)
    c47917b Add ellswift module implementing ElligatorSwift (Pieter Wuille)
    79e5b2a Add functions to test if X coordinate is valid (Pieter Wuille)
    a597a5a Add benchmark for key generation (Pieter Wuille)
    e449af6 Drop no longer needed `#include "../include/secp256k1.h"` (Hennadii Stepanov)
    f165252 Normalize ge produced from secp256k1_pubkey_load (stratospher)
    7067ee5 tests: add tests for `secp256k1_{read,write}_be64` (Sebastian Falbesoner)
    740528c scalar: use newly introduced `secp256k1_{read,write}_be64` helpers (4x64 impl.) (Sebastian Falbesoner)
    887183e scalar: use `secp256k1_{read,write}_be32` helpers (4x64 impl.) (Sebastian Falbesoner)
    52b8423 scalar: use `secp256k1_{read,write}_be32` helpers (8x32 impl.) (Sebastian Falbesoner)
    f364428 docs: correct `pubkey` param descriptions for `secp256k1_keypair_{xonly_,}pub` (Sebastian Falbesoner)
    db29bf2 ci: Remove quirk that runs dummy command after wineserver (Tim Ruffing)
    c7db494 ci: Fix error D8037 in `cl.exe` (Hennadii Stepanov)
    7dae115 Revert "ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe" (Hennadii Stepanov)
    605e07e fix input range comment for `secp256k1_fe_add_int` (Sebastian Falbesoner)
    ade5b36 tests: add checks for scalar constants `secp256k1_scalar_{zero,one}` (Sebastian Falbesoner)
    654246c refactor: take use of `secp256k1_scalar_{zero,one}` constants (Sebastian Falbesoner)
    e83801f test: Warn if both `VERIFY` and `COVERAGE` are defined (Hennadii Stepanov)
    1549db0 build: Level up MSVC warnings (Hennadii Stepanov)
    ad84603 release process: clarify change log updates (Jonas Nick)
    6348bc7 release process: fix process for maintenance release (Jonas Nick)
    79fa50b release process: mention targeted release schedule (Jonas Nick)
    1652067 release process: add sanity checks (Jonas Nick)
    27504d5 ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe (Tim Ruffing)
    6433175 Do not invoke fe_is_zero on failed set_b32_limit (Pieter Wuille)
    5768b50 build: Enable -DVERIFY for precomputation binaries (Tim Ruffing)
    31b4bbe Make fe_cmov take max of magnitudes (Pieter Wuille)
    95448ef release cleanup: bump version after 0.3.2 (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        tACK 525b661
    
    Tree-SHA512: edee04b48ebcede0ad48b165b18a7542b48d6e5d9db034154682fa89bf76ec90569f8073cff8ce57f8abb016671604bcdec58a3a0c1aade911e62dcb63d4acd1
    jonasnick committed Jul 27, 2023
    50e20fa
  10. 8018708

Commits on Jul 28, 2023

  1. 9e96a2e
  2. 54b37db
  3. bppp: Fix test for invalid sign byte

    The test is supposed to create an invalid sign byte. Before this PR,
    the generated sign byte could in fact be valid due to an overflow.
    
    Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
    real-or-random and jonasnick committed Jul 28, 2023
    82777bb

Commits on Aug 1, 2023

  1. 167194b
  2. aa3edea
  3. 394e09e
  4. 395e65e