Update to libsecp256k1 v0.3.0

The latest version of libsecp256k1 has a new doubling algorithm that picks out a different representative in Jacobian coordinates than it did before.
This requrires a new Simplicity specification of doubling and hence this changes the CMR of this jet and any jet that depends on doubling.

Author: roconnor-blockstream

C/primitive/elements/checkSigHashAllTx1.c

@@ -4,31 +4,31 @@
  *     Simplicity.Programs.CheckSig.Lib.checkSigVerify' Simplicity.Elements.Programs.SigHash.Lib.sigAllHash
  *     (Simplicity.LibSecp256k1.Spec.PubKey 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63)
  *     (Simplicity.LibSecp256k1.Spec.Sig 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
- *                                       0x48d05bd9ffdacec16661040ede83ebff68a671474d6c543629f4aaba692e6d92)
+ *                                       0xf4df42d6b3f202dea72dc49fd03b2ecbe504042a13eec3127ac4bc8c9d7c2b9d)
  * with jets.
  */
 const unsigned char elementsCheckSigHashAllTx1[] = {
   0xd3, 0x69, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3b, 0x78, 0xce, 0x56, 0x3f, 0x89, 0xa0,
   0xed, 0x94, 0x14, 0xf5, 0xaa, 0x28, 0xad, 0x0d, 0x96, 0xd6, 0x79, 0x5f, 0x9c, 0x63, 0x47, 0x07, 0x02, 0xc0, 0xe2, 0x8d,
   0x88, 0x11, 0xe9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1d, 0xbc, 0x67, 0x2b, 0x1f,
-  0xc4, 0xd0, 0x76, 0xca, 0x0a, 0x7a, 0xd5, 0x14, 0x56, 0x86, 0xcb, 0x6b, 0x3c, 0xaf, 0xce, 0x31, 0xa4, 0x68, 0x2d, 0xec,
-  0xff, 0xed, 0x67, 0x60, 0xb3, 0x30, 0x82, 0x07, 0x6f, 0x41, 0xf5, 0xff, 0xb4, 0x53, 0x38, 0xa3, 0xa6, 0xb6, 0x2a, 0x1b,
-  0x14, 0xfa, 0x55, 0x5d, 0x34, 0x97, 0x36, 0xc9, 0x00
+  0xc4, 0xd0, 0x76, 0xca, 0x0a, 0x7a, 0xd5, 0x14, 0x56, 0x86, 0xcb, 0x6b, 0x3c, 0xaf, 0xce, 0x31, 0xfa, 0x6f, 0xa1, 0x6b,
+  0x59, 0xf9, 0x01, 0x6f, 0x53, 0x96, 0xe2, 0x4f, 0xe8, 0x1d, 0x97, 0x65, 0xf2, 0x82, 0x02, 0x15, 0x09, 0xf7, 0x61, 0x89,
+  0x3d, 0x62, 0x5e, 0x46, 0x4e, 0xbe, 0x15, 0xce, 0x80
 };
 
 const size_t sizeof_elementsCheckSigHashAllTx1 = sizeof(elementsCheckSigHashAllTx1);
 
 /* The commitment Merkle root of the above elementsCheckSigHashAllTx1 Simplicity expression. */
 const uint32_t elementsCheckSigHashAllTx1_cmr[] = {
-  0x8efb609eu, 0xde751a04u, 0xfbf80acbu, 0xc7472decu, 0x1a014fc3u, 0x8b31f67cu, 0x02e30799u, 0x5780ccfdu
+  0x14a5e0ccu, 0x13da9acdu, 0xd5f758aeu, 0x71868021u, 0x37143e06u, 0xc8dcba10u, 0x019ffec7u, 0x90359ee7u
 };
 
 /* The identity Merkle root of the above elementsCheckSigHashAllTx1 Simplicity expression. */
 const uint32_t elementsCheckSigHashAllTx1_imr[] = {
-  0x6615a39fu, 0x72a48607u, 0x5d17eb2du, 0xeed1ae0au, 0xe0f19ae6u, 0x77c52b81u, 0x4d773844u, 0x891a4230u
+  0x39caee91u, 0x1d52b173u, 0xb54ce938u, 0xac226665u, 0x0f3ea162u, 0xbfd74e39u, 0x99c99066u, 0x5a08c18au
 };
 
 /* The annotated Merkle root of the above elementsCheckSigHashAllTx1 Simplicity expression. */
 const uint32_t elementsCheckSigHashAllTx1_amr[] = {
-  0x07ae1442u, 0x19ff5865u, 0x60af036eu, 0x93f84e0eu, 0x1e565ce9u, 0xa1a13cdbu, 0x6e90fc07u, 0xe15e21c8u
+  0xc73b637fu, 0x11694855u, 0xd0d8073du, 0x7a41559eu, 0x95c40075u, 0x9a7d0c06u, 0x17781437u, 0x1d2c1d35u
 };

C/primitive/elements/checkSigHashAllTx1.h

@@ -8,7 +8,7 @@
  *     Simplicity.Programs.CheckSig.Lib.checkSigVerify' Simplicity.Elements.Programs.SigHash.Lib.sigAllHash
  *     (Simplicity.LibSecp256k1.Spec.PubKey 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63)
  *     (Simplicity.LibSecp256k1.Spec.Sig 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
- *                                       0x48d05bd9ffdacec16661040ede83ebff68a671474d6c543629f4aaba692e6d92)
+ *                                       0xf4df42d6b3f202dea72dc49fd03b2ecbe504042a13eec3127ac4bc8c9d7c2b9d)
  * with jets.
  */
 extern const unsigned char elementsCheckSigHashAllTx1[];

C/primitive/elements/primitiveJetNode.inc

@@ -23,7 +23,7 @@
 ,[BIP_0340_VERIFY] =
 { .tag = JET
 , .jet = bip_0340_verify
-, .cmr = {{0xccafd80bu, 0x8a1c8eb2u, 0x5f237409u, 0x8a24829fu, 0x0070bb1cu, 0xf06602dfu, 0xa9bde7f8u, 0x9e1de251u}}
+, .cmr = {{0xaf924cbeu, 0xc941fd9bu, 0x9e8293efu, 0x903e237bu, 0x01dbcb34u, 0x2b9610beu, 0xf95f59b8u, 0x136ef804u}}
 , .sourceIx = ty_w1Ki
 , .targetIx = ty_u
 }
@@ -100,7 +100,7 @@
 ,[CHECK_SIG_VERIFY] =
 { .tag = JET
 , .jet = check_sig_verify
-, .cmr = {{0x686023a6u, 0x928954f3u, 0xc618864cu, 0x21f8c326u, 0x0ef7e505u, 0x492a3c61u, 0x15114da0u, 0x180859d7u}}
+, .cmr = {{0x297459d8u, 0x373f8727u, 0xda9f92dau, 0xeab7196bu, 0xed0bd523u, 0x64405521u, 0x4455723au, 0xbac0b085u}}
 , .sourceIx = ty_ppw256w512w512
 , .targetIx = ty_u
 }
@@ -345,28 +345,28 @@
 ,[GEJ_ADD] =
 { .tag = JET
 , .jet = gej_add
-, .cmr = {{0x344a27e5u, 0xb67fba55u, 0xa05ad62bu, 0x1aea06b7u, 0x9567c4b9u, 0x26631b6bu, 0xf34c3c62u, 0x63005d9fu}}
+, .cmr = {{0x285485c4u, 0x70844925u, 0x10373df4u, 0x3df53407u, 0xacec8fb1u, 0xbd010380u, 0x897b517cu, 0x39cd6319u}}
 , .sourceIx = ty_ppw512w256pw512w256
 , .targetIx = ty_pw512w256
 }
 ,[GEJ_DOUBLE] =
 { .tag = JET
 , .jet = gej_double
-, .cmr = {{0x8a77c127u, 0x4a4dcbf2u, 0x0e1258b4u, 0x4c29588fu, 0xf6e4afddu, 0x25364290u, 0xc68570afu, 0xea8bd2e7u}}
+, .cmr = {{0x71077458u, 0x5775f91fu, 0x4ce578adu, 0x8d1e6445u, 0x41e21fc6u, 0xc810abdbu, 0x3b3ed211u, 0x5e39cdaeu}}
 , .sourceIx = ty_pw512w256
 , .targetIx = ty_pw512w256
 }
 ,[GEJ_GE_ADD] =
 { .tag = JET
 , .jet = gej_ge_add
-, .cmr = {{0x4f2143fau, 0xae3fe86eu, 0x88c3fe03u, 0x7909e3e8u, 0x584453f1u, 0x6143f5dcu, 0x641532d1u, 0x87fa6d43u}}
+, .cmr = {{0x7d7f426eu, 0x42458e45u, 0x771291ccu, 0x9e607e67u, 0x267a3885u, 0xadbebdc3u, 0x69df5966u, 0x3220befbu}}
 , .sourceIx = ty_ppw512w256w512
 , .targetIx = ty_pw512w256
 }
 ,[GEJ_GE_ADD_EX] =
 { .tag = JET
 , .jet = gej_ge_add_ex
-, .cmr = {{0x450c56f0u, 0x364ad9d4u, 0xff2e5b31u, 0xb690dee2u, 0xb98e5453u, 0x2f24d5bau, 0xfdf389a1u, 0x0bde9e28u}}
+, .cmr = {{0xcddae78du, 0x33a22128u, 0xbc2f72a6u, 0x02e0066fu, 0x63fe1862u, 0x57ea348cu, 0x2bb1f7e9u, 0xbf9b0d73u}}
 , .sourceIx = ty_ppw512w256w512
 , .targetIx = ty_pw256pw512w256
 }
@@ -429,7 +429,7 @@
 ,[GENERATE] =
 { .tag = JET
 , .jet = generate
-, .cmr = {{0xf532787au, 0xce24188au, 0x81c887bbu, 0x179932d4u, 0x73c58d62u, 0x9856649fu, 0x86b9ca09u, 0x69a67d81u}}
+, .cmr = {{0x0e91f455u, 0x7cb7d4c3u, 0xbbf3f2d0u, 0x74dd6946u, 0x423a3b4fu, 0xacb57a00u, 0xcae43fd6u, 0xa7352a13u}}
 , .sourceIx = ty_w256
 , .targetIx = ty_pw512w256
 }
@@ -660,14 +660,14 @@
 ,[LINEAR_COMBINATION_1] =
 { .tag = JET
 , .jet = linear_combination_1
-, .cmr = {{0x2b6fb7d6u, 0x100029b6u, 0xe6cd30cau, 0xa82e5831u, 0xcacf48ddu, 0x130c4d69u, 0x056c530du, 0x25633f89u}}
+, .cmr = {{0x950786efu, 0xa65a7122u, 0xe2554c6fu, 0xb55124f9u, 0xe5acd82cu, 0x29817affu, 0xc19fc7a9u, 0x27d3a070u}}
 , .sourceIx = ty_ppw256pw512w256w256
 , .targetIx = ty_pw512w256
 }
 ,[LINEAR_VERIFY_1] =
 { .tag = JET
 , .jet = linear_verify_1
-, .cmr = {{0x6fb2c331u, 0xcdf2e736u, 0x425704f2u, 0xc3ac15d6u, 0x23777480u, 0x0898522au, 0xb8267b4eu, 0x426eb455u}}
+, .cmr = {{0x635571b1u, 0x27c01565u, 0x7c1bfb1du, 0x9267bb84u, 0x6a7bf949u, 0x7507aea6u, 0x65373574u, 0x08e711a3u}}
 , .sourceIx = ty_pppw256w512w256w512
 , .targetIx = ty_u
 }
@@ -842,7 +842,7 @@
 ,[POINT_VERIFY_1] =
 { .tag = JET
 , .jet = point_verify_1
-, .cmr = {{0x518de762u, 0x3870e865u, 0x46392850u, 0x02cb2064u, 0x515bfcadu, 0x962675c5u, 0xb64901e7u, 0xd5527c29u}}
+, .cmr = {{0x6a089d61u, 0xca200a42u, 0x58e8b5b4u, 0xfe5c08d5u, 0x74856249u, 0x8d75f6c6u, 0x2609bb68u, 0xc98b407cu}}
 , .sourceIx = ty_pppw256pbw256w256pbw256
 , .targetIx = ty_u
 }
@@ -919,7 +919,7 @@
 ,[SCALE] =
 { .tag = JET
 , .jet = scale
-, .cmr = {{0xb192675au, 0xe82f0964u, 0xdb948030u, 0x9508f15cu, 0x75a3bd36u, 0x458121ceu, 0x0891ca01u, 0x809c7dd4u}}
+, .cmr = {{0x229c9fafu, 0xadd9745eu, 0x00d108b8u, 0x2b836205u, 0x9e83570du, 0xfc36cb1au, 0x2ce9c5c2u, 0xd913c644u}}
 , .sourceIx = ty_pw256pw512w256
 , .targetIx = ty_pw512w256
 }

C/schnorr0.c

@@ -21,15 +21,15 @@ const size_t sizeof_schnorr0 = sizeof(schnorr0);
 
 /* The commitment Merkle root of the above schnorr0 Simplicity expression. */
 const uint32_t schnorr0_cmr[] = {
-  0x1af6b2c4u, 0x1a54f830u, 0xb59bdfafu, 0x8c32b92cu, 0x4ab72e14u, 0xd5450dc6u, 0x3d2d2d1au, 0xd4ce33bdu
+  0x7bc56cb1u, 0x6d84999bu, 0x977b58e1u, 0xbc71dbe9u, 0xedcc3365u, 0x0afc8a6eu, 0xe05cfef8u, 0xd608132bu
 };
 
 /* The identity Merkle root of the above schnorr0 Simplicity expression. */
 const uint32_t schnorr0_imr[] = {
-  0x5bd6f796u, 0xec846f6bu, 0x76cbc158u, 0x52a17a0du, 0x69ad6d42u, 0x7428c380u, 0xaf0c0193u, 0xadb34264u
+  0x00ee3d3eu, 0x7b7a65fcu, 0xd77b6309u, 0xc4d8464fu, 0x176f13c9u, 0x2d8d6923u, 0x8eb0158fu, 0x70c8a4dfu
 };
 
 /* The annotated Merkle root of the above schnorr0 Simplicity expression. */
 const uint32_t schnorr0_amr[] = {
-  0x6dc24749u, 0x18b95d42u, 0xd85810acu, 0x4e7409b5u, 0x26cb5a3bu, 0xdb5ded52u, 0x44e521abu, 0x8b095d06u
+  0x02796d1du, 0x7d906a15u, 0xd0a1ebedu, 0x9d702e33u, 0x4b21e9ccu, 0x52a578c2u, 0x4fca0fb7u, 0xbe82fac0u
 };

C/schnorr6.c

@@ -21,15 +21,15 @@ const size_t sizeof_schnorr6 = sizeof(schnorr6);
 
 /* The commitment Merkle root of the above schnorr6 Simplicity expression. */
 const uint32_t schnorr6_cmr[] = {
-  0x515f2482u, 0x4880de59u, 0x9979fa41u, 0x7e1355e8u, 0xe131aea2u, 0xd7edb208u, 0x7b2bb6e6u, 0xb60cdd0bu
+  0x77814ff8u, 0x11b80ad9u, 0xb6b7f172u, 0xaa11ad6au, 0x2b2b6335u, 0xcfe4de42u, 0xe991a545u, 0x97ca5c5du
 };
 
 /* The identity Merkle root of the above schnorr6 Simplicity expression. */
 const uint32_t schnorr6_imr[] = {
-  0x87c3025eu, 0xc742da62u, 0x7f734d1au, 0xd286714cu, 0x983b6d50u, 0xc1a6af52u, 0x7dc191c8u, 0xa541a033u
+  0x467137a4u, 0xb61bdb0cu, 0xf8ae388eu, 0x77628c6du, 0xe731639cu, 0xc588c526u, 0x139bfbdcu, 0xe072d7a2u
 };
 
 /* The annotated Merkle root of the above schnorr6 Simplicity expression. */
 const uint32_t schnorr6_amr[] = {
-  0xb0b9d7fbu, 0x04e82a4au, 0x3b05d5f4u, 0xa7747272u, 0xeae14aadu, 0x86327935u, 0x638dafb8u, 0x3d58873fu
+  0xcd11f8adu, 0xd83967e4u, 0x4fbb1197u, 0x88e40e74u, 0xe88a842fu, 0x8211592eu, 0xac98e6c7u, 0xb5b3814cu
 };

C/secp256k1/README.md

@@ -1,16 +1,16 @@
-This directory contains a modified copy of the libsecp256k1 branch `9a5a87e0f1276e0284446af1172056ea4693737f` from <https://github.com/bitcoin-core/secp256k1/commit/9a5a87e0f1276e0284446af1172056ea4693737f>.
+This directory contains a modified copy of the libsecp256k1 at `bdf39000b9c6a0818e7149ccb500873d079e6e85` from <https://github.com/bitcoin-core/secp256k1/tree/v0.3.0>.
 In general, the files in this directory should be compared with the corresponding files in the `src` directory from libsecp256k1.
 There are some exceptions however:
 
+* `precompute_ecmult.h` should be compared with `src/precompute_ecmult.c`
 * `secp256k1.h` should be compared with `include/secp256k1.h`.
 * `secp256k1_impl.h` should be compared with `src/secp256k1.c`.
 * `extrakeys.h` should be compared with `include/secp256k1_extrakeys.h`.
 * `extrakeys_impl.h` should be compared with `src/modules/extrakeys/main_impl.h`.
 * `schnorrsig.h` should be compared with `include/secp256k1_schnorrsig.h`.
 * `schnorrsig_impl.h` should be compared with `src/modules/schnorrsig/main_impl.h`.
 
-
-Our use of libsecp256k1 for various jets requires access to the internal functions that are not exposed by the their API, so we cannot use libsecp256k1's normal interface.
+Our use of libsecp256k1 for various jets requires access to the internal functions that are not exposed by their API, so we cannot use libsecp256k1's normal interface.
 Furthermore, because Simplicity has no abstract data types, the specific details of the representation of field and group elements computed by jetted functions ends up being consensus critical.
 Therefore, even if libsecp256k1's interface exposed the functionality we needed, we still wouldn't be able perform libsecp256k1 version upgrades because different versions of libsecp256k1 do not guarantee that their functions won't change the representation of computed field and group elements.
 Even libsecp256k1's configuration options, including `ECMULT_WINDOW_SIZE`, all can affect the representation of the computed group elements.
@@ -20,12 +20,29 @@ Simplicity computations are on public data and therefore we do not jet functions
 In particular, we only need to jet variable-time algorithms when there is a choice of variable-time or constant-time algorithms.
 
 In incorporating the libsecp256k1 library into the Simplicity library, there is a tension between making minimal changes to the library versus removing configuration options and other code that, if they were activated, could cause consensus incompatible changes in functionality.
-Because we will not be able to easily migrate to newer versions of libsecp256k1 anyways, we have take a heavy-handed approach to trimming unused configuration options, dead code, functions specific to working with secret data, etc.
+Because we will not be able to easily migrate to newer versions of libsecp256k1 anyways, we have taken a heavy-handed approach to trimming unused configuration options, dead code, functions specific to working with secret data, etc.
 In some cases we have made minor code changes:
 
 * `secp256k1_fe_sqrt` has been modified to call `secp256k1_fe_equal_var` (as `secp256k1_fe_equal` has been removed).  The function has been renamed to `secp256k1_fe_sqrt_var` and similar for other indirect callers.
-* The uses of secp256k1's `hash.h` for Schnorr signatures has been replaced with calls to Simplicity's internal `sha256.h` implementation.  This removes the duplication of functionality and replaces the non-portable use of the `WORDS_BIGENDIAN` flag in `hash_impl.h` with our portable implementation.
-* `checked_malloc` and `checked_realloc` have been removed along with any functions that called themm.
+* The use of secp256k1's `hash.h` for Schnorr signatures has been replaced with calls to Simplicity's internal `sha256.h` implementation.  This removes the duplication of functionality ~~and replaces the non-portable use of the `WORDS_BIGENDIAN` flag in `hash_impl.h` with our portable implementation~~.
+* `checked_malloc` and `checked_realloc` have been removed along with any functions that called them.
 * `ARG_CHECK` doesn't call the callback.
 * Callbacks have been removed.
 * `secp256k1_context` has been removed.
+
+Additionally, some changes have been made to ensure that the `infinity` flag of `secp256k1_gej` always corresponds to whether or not the z-coordinate is zero or not.
+Adjustments have been made in the following functions:
+
+* `secp256k1_gej_set_ge`
+* `secp256k1_gej_double_var`
+* `secp256k1_gej_add_zinv_var`
+
+Also, our jets are designed to operate on off-curve points.
+However, the ecmult algorithms in libsecp256k1 are not designed to handle extremely low order, off-curve points[^1].
+We have patched `secp256k1_gej_add_ge_var` to ensure `rzr` is set even when `a` is infinity.
+
+Lastly, all active uses of normalize are replaced with the variable-time implementation.
+
+[^1]: More specifically, the when a point has a very low and odd order, the `ai` values in the `secp256k1_ecmult_odd_multiples_table` can reach infinity, violating libsecp256k1's assumption that `secp256k1_gej_add_ge_var`'s `a` parameter is never infinity.
+The value we set to the `rzr` in this case does not matter since it ends up only being multiplied with zero in `secp256k1_ge_table_set_globalz`.
+It just needs to be set to some value to avoid reading uninitalized memory.

C/secp256k1/assumptions.h

@@ -10,6 +10,9 @@
 #include <limits.h>
 
 #include "util.h"
+#if defined(SECP256K1_INT128_NATIVE)
+#include "int128_native.h"
+#endif
 
 /* This library, like most software, relies on a number of compiler implementation defined (but not undefined)
    behaviours. Although the behaviours we require are essentially universal we test them specifically here to
@@ -55,7 +58,7 @@ struct secp256k1_assumption_checker {
 
         /* To int64_t. */
         ((int64_t)(uint64_t)0xB123C456D789E012ULL == (int64_t)-(int64_t)0x4EDC3BA928761FEEULL) &&
-#if defined(SECP256K1_WIDEMUL_INT128)
+#if defined(SECP256K1_INT128_NATIVE)
         ((int64_t)(((uint128_t)0xA1234567B8901234ULL << 64) + 0xC5678901D2345678ULL) == (int64_t)-(int64_t)0x3A9876FE2DCBA988ULL) &&
         (((int64_t)(int128_t)(((uint128_t)0xB1C2D3E4F5A6B7C8ULL << 64) + 0xD9E0F1A2B3C4D5E6ULL)) == (int64_t)(uint64_t)0xD9E0F1A2B3C4D5E6ULL) &&
         (((int64_t)(int128_t)(((uint128_t)0xABCDEF0123456789ULL << 64) + 0x0123456789ABCDEFULL)) == (int64_t)(uint64_t)0x0123456789ABCDEFULL) &&
@@ -71,7 +74,7 @@ struct secp256k1_assumption_checker {
         ((((int16_t)0xE9AC) >> 4) == (int16_t)(uint16_t)0xFE9A) &&
         ((((int32_t)0x937C918A) >> 9) == (int32_t)(uint32_t)0xFFC9BE48) &&
         ((((int64_t)0xA8B72231DF9CF4B9ULL) >> 19) == (int64_t)(uint64_t)0xFFFFF516E4463BF3ULL) &&
-#if defined(SECP256K1_WIDEMUL_INT128)
+#if defined(SECP256K1_INT128_NATIVE)
         ((((int128_t)(((uint128_t)0xCD833A65684A0DBCULL << 64) + 0xB349312F71EA7637ULL)) >> 39) == (int128_t)(((uint128_t)0xFFFFFFFFFF9B0674ULL << 64) + 0xCAD0941B79669262ULL)) &&
 #endif
     1) * 2 - 1];